From: Matt Caswell Date: Fri, 9 Jun 2023 08:09:06 +0000 (+0100) Subject: Don't ask for an invalid group in an HRR X-Git-Tag: openssl-3.2.0-alpha1~606 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7a949ae5f1799a6629cf6deb44ae0f38455a73dd;p=thirdparty%2Fopenssl.git Don't ask for an invalid group in an HRR If the client sends us a group in a key_share that is in our supported_groups list but is otherwise not suitable (e.g. not compatible with TLSv1.3) we reject it. We should not ask for that same group again in a subsequent HRR. Fixes #21157 Reviewed-by: Tomas Mraz Reviewed-by: Todd Short (Merged from https://github.com/openssl/openssl/pull/21163) --- diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 3bb7c4af262..0a64ca22469 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -1449,7 +1449,11 @@ static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent) group_id = pgroups[i]; if (check_in_list(s, group_id, clntgroups, clnt_num_groups, - 1)) + 1) + && tls_group_allowed(s, group_id, + SSL_SECOP_CURVE_SUPPORTED) + && tls_valid_group(s, group_id, TLS1_3_VERSION, + TLS1_3_VERSION, 0, NULL)) break; }
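Review bot: the widened condition in the group-selection loop of final_key_share() has no comment explaining why `tls_group_allowed(...)` and `tls_valid_group(...)` are now required on top of `check_in_list(...)`, and the trailing `0, NULL` arguments to `tls_valid_group` are opaque at the call site. A short comment above the `if` would help, stating that a group requested in the HRR must pass the same suitability checks that cause a received key_share group to be rejected; a shared helper for both paths would stop the two sets of checks drifting apart. With the stricter filter the loop can now finish without reaching `break` when the only groups the client and server have in common are unsuitable for TLSv1.3, so it is worth confirming that the code after the loop handles that as "no shared group" rather than still sending an HRR. The visible diff touches only ssl/statem/extensions.c; a regression test for the case in the commit message (a group that is in supported_groups but not compatible with TLSv1.3) would guard against the behaviour coming back.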