From a7f52c976c8e8b953ae14909faf12d7f2ebbccd4 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Fri, 15 Aug 2025 17:12:11 +0100
Subject: [PATCH] Test setting a client to send a key share not allowed in TLSv1.3

Reviewed-by: Neil Horman
Reviewed-by: Hugo Landau
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/28283)

(cherry picked from commit 9226b3e8f4cb4dfb8a43fd2790ef506f75a11e76)
---
 test/tls13groupselection_test.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/test/tls13groupselection_test.c b/test/tls13groupselection_test.c
index 01d1eded5f8..351b3102c70 100644
--- a/test/tls13groupselection_test.c
+++ b/test/tls13groupselection_test.c
@@ -311,17 +311,17 @@ static const struct tls13groupselection_test_st tls13groupselection_tests[] =
 { "X25519:secp256r1:X448:secp521r1:-X448:-secp256r1:-X25519:-secp521r1",
 "",
 CLIENT_PREFERENCE,
- NEGOTIATION_FAILURE
+ NEGOTIATION_FAILURE, INIT
 },
 { "secp384r1:secp521r1:X25519", /* test 39 */
 "prime256v1:X448",
 CLIENT_PREFERENCE,
- NEGOTIATION_FAILURE
+ NEGOTIATION_FAILURE, INIT
 },
 { "secp521r1:secp384r1:X25519", /* test 40 */
 "prime256v1:X448",
 SERVER_PREFERENCE,
- NEGOTIATION_FAILURE
+ NEGOTIATION_FAILURE, INIT
 },
 /*
 * These are allowed
@@ -340,6 +340,15 @@ static const struct tls13groupselection_test_st tls13groupselection_tests[] =
 SERVER_PREFERENCE,
 "secp521r1", SH
 },
+ /*
+ * Not a syntax error, but invalid because brainpoolP256r1 is the only
+ * key share and is not valid in TLSv1.3
+ */
+ { "*brainpoolP256r1:X25519", /* test 43 */
+ "X25519",
+ SERVER_PREFERENCE,
+ NEGOTIATION_FAILURE, INIT
+ }
 };
 
 static void server_response_check_cb(int write_p, int version,
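Review bot: The comment added for test 43 says the vector fails because brainpoolP256r1 is *the only* key share, but no vector exercises the mixed case that claim implies, so a regression that aborts the handshake on any TLSv1.3-invalid `*` group rather than only when no valid share remains would still pass this table. If skipping the invalid group is the intended behaviour, a companion entry such as `{ "*brainpoolP256r1:*X25519", /* test 44 */ "X25519", SERVER_PREFERENCE, "X25519", SH }` would pin it; if aborting is intended, the comment should say so instead. The comment could also state why `INIT` is the expected response, e.g. `/* must fail before any ServerHello is sent, so the recorded server response stays INIT */`, assuming INIT/SH record what server_response_check_cb observed, which is not visible here. The tls13groupselection_tests table starts before this hunk.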
@@ -489,6 +498,10 @@ static int test_groupnegotiation(const struct tls13groupselection_test_st *curre
 ok = 1;
 } else {
 TEST_false_or_end(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE));
+ if (test_type == TEST_NEGOTIATION_FAILURE &&
+ !TEST_int_eq((int)current_test_vector->expected_server_response,
+ (int)server_response))
+ goto end;
 ok = 1;
 }
-- 
2.47.3
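Review bot: The new guard verifies `expected_server_response` only when `test_type == TEST_NEGOTIATION_FAILURE`, yet every failure vector in the table now carries an explicit INIT/SH value; if this `else` branch also handles other failure types their expectation is silently never checked, and if it handles only negotiation failures the condition is redundant. Either way a one-line comment would make the intent clear, e.g. `/* A negotiation failure must abort at the expected stage: INIT means no ServerHello was ever sent */`. The value of this check is in pinning where the handshake dies (a failure recorded after SH would suggest the server accepted an offer it should have refused), so it is also worth confirming that `server_response` is reset to INIT before each vector, which is not visible in this hunk. test_groupnegotiation begins before the hunk and the `end:` label lies outside it.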