git.ipfire.org Git - thirdparty/openssl.git/commit

author	Clemens Lang <cllang@redhat.com>
	Fri, 21 Nov 2025 15:00:08 +0000 (16:00 +0100)
committer	Tomas Mraz <tomas@openssl.org>
	Fri, 28 Nov 2025 16:31:53 +0000 (17:31 +0100)
commit	5375e940e22de80ad8c6e865a08db13762242eee
tree	650950e0d3342ea3b76a5e43083726b14624467e	tree \| snapshot
parent	b35f6b5e470139d3c950784b29430aa8fbbde88f	commit \| diff

Do not make key share choice in tls1_set_groups()

tls1_set_groups(), which is used by SSL_CTX_set1_groups() does not check
whether the NIDs passed as argument actually have an implementation
available in any of the currently loaded providers. It is not simple to
add this check, either, because it would require access to the SSL_CTX,
which this function does not receive. There are legacy callers that do
not have an SSL_CTX pointer and are public API.

This becomes a problem, when an application sets the first group to one
that is not supported by the current configuration, and can trigger
sending of an empty key share.

Set the first entry of the key share list to 0 (and the key share list
length to 1) to signal to tls1_construct_ctos_key_share that it should
pick the first supported group and generate a key share for that. See
also tls1_get_requested_keyshare_groups, which documents this special
case.

See: https://issues.redhat.com/browse/RHEL-128018
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29192)

ssl/t1_lib.c		diff \| blob \| blame \| history
test/sslapitest.c		diff \| blob \| blame \| history