diff options
author | Matt Caswell <matt@openssl.org> | 2022-09-30 14:21:50 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2022-10-12 15:55:58 +0100 |
commit | 247b8e52527ed4facd9ff07cdef0df819193c0c3 (patch) | |
tree | 7dc5711c86a6b4b1cbeb25cd218010b0ac0625ab /ssl/statem | |
parent | f78c51995e35889d39cb0bdadcbfa3e144bd8a29 (diff) | |
download | openssl-new-247b8e52527ed4facd9ff07cdef0df819193c0c3.tar.gz |
Ensure that the key share group is allowed for our protocol version
We should never send or accept a key share group that is not in the
supported groups list or a group that isn't suitable for use in TLSv1.3
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/19317)
Diffstat (limited to 'ssl/statem')
-rw-r--r-- | ssl/statem/extensions_clnt.c | 8 | ||||
-rw-r--r-- | ssl/statem/extensions_srvr.c | 9 |
2 files changed, 15 insertions, 2 deletions
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 18bcba036f..de71363fc1 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -687,6 +687,10 @@ EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt, if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED)) continue; + if (!tls_valid_group(s, pgroups[i], TLS1_3_VERSION, TLS1_3_VERSION, + 0, NULL)) + continue; + curve_id = pgroups[i]; break; } @@ -1806,7 +1810,9 @@ int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt, break; } if (i >= num_groups - || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)) { + || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED) + || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION, + 0, NULL)) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); return 0; } diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 6a488a8737..c743d43c3d 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -655,7 +655,14 @@ int tls_parse_ctos_key_share(SSL_CONNECTION *s, PACKET *pkt, } /* Check if this share is for a group we can use */ - if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) { + if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1) + || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED) + /* + * We tolerate but ignore a group id that we don't think is + * suitable for TLSv1.3 + */ + || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION, + 0, NULL)) { /* Share not suitable */ continue; } |