Fail immediately if we have no key shares to send

If we are configured in such a way that we have no valid key shares to
send in the ClientHello we should immediately abort the connection.

Fixes #28281

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28283)

diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 3746554c7783c64869ceee368fcbbcd40ea02779..0dc418a8cbb4ed61cd987c8808c795aec554ad09 100644 (file)
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -745,6 +745,7 @@ EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt,
             /* SSLfatal() already called */
             return EXT_RETURN_FAIL;
         }
+        valid_keyshare++;
     } else {
         if (s->ext.supportedgroups == NULL) /* use default */
             add_only_one = 1;
@@ -766,13 +767,18 @@ EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt,
                 /* SSLfatal() already called */
                 return EXT_RETURN_FAIL;
             }
+            valid_keyshare++;
             if (add_only_one)
                 break;
-
-            valid_keyshare++;
         }
     }
 
+    if (valid_keyshare == 0) {
+        /* No key shares were allowed */
+        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE);
+        return EXT_RETURN_FAIL;
+    }
+
     if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
         return EXT_RETURN_FAIL;