authorMatt Caswell <matt@openssl.org>2022-09-30 14:21:50 +0100
committerMatt Caswell <matt@openssl.org>2022-10-12 15:55:58 +0100
commit247b8e52527ed4facd9ff07cdef0df819193c0c3 (patch)
tree7dc5711c86a6b4b1cbeb25cd218010b0ac0625ab /ssl/statem
parentf78c51995e35889d39cb0bdadcbfa3e144bd8a29 (diff)
downloadopenssl-new-247b8e52527ed4facd9ff07cdef0df819193c0c3.tar.gz
Ensure that the key share group is allowed for our protocol version
We should never send or accept a key share group that is not in the supported groups list or a group that isn't suitable for use in TLSv1.3.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/19317)
Diffstat (limited to 'ssl/statem')
-rw-r--r--ssl/statem/extensions_clnt.c8
-rw-r--r--ssl/statem/extensions_srvr.c9
2 files changed, 15 insertions, 2 deletions
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 18bcba036f..de71363fc1 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -687,6 +687,10 @@ EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt,
if (!tls_group_allowed(s, pgroups[i], SSL_SECOP_CURVE_SUPPORTED))
continue;
+ if (!tls_valid_group(s, pgroups[i], TLS1_3_VERSION, TLS1_3_VERSION,
+ 0, NULL))
+ continue;
+
curve_id = pgroups[i];
break;
}
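Review bot: The two-call predicate `tls_group_allowed(s, g, SSL_SECOP_CURVE_SUPPORTED)` plus `tls_valid_group(s, g, TLS1_3_VERSION, TLS1_3_VERSION, 0, NULL)` is written out here and again in tls_parse_stoc_key_share and tls_parse_ctos_key_share. A single shared internal helper would keep the three key_share sites from drifting apart the next time the acceptance rule changes. The trailing `0, NULL` arguments are also not self-explanatory at the call site, so a one-line comment such as `/* Only offer a share for a group that is usable in TLSv1.3 */` above the new check would help. If every configured group is filtered out, this loop leaves `curve_id` unassigned; the handling of that case is outside the hunk and should be confirmed.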
@@ -1806,7 +1810,9 @@ int tls_parse_stoc_key_share(SSL_CONNECTION *s, PACKET *pkt,
break;
}
if (i >= num_groups
- || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)) {
+ || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
+ || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
+ 0, NULL)) {
SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE);
return 0;
}
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 6a488a8737..c743d43c3d 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -655,7 +655,14 @@ int tls_parse_ctos_key_share(SSL_CONNECTION *s, PACKET *pkt,
}
/* Check if this share is for a group we can use */
- if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)) {
+ if (!check_in_list(s, group_id, srvrgroups, srvr_num_groups, 1)
+ || !tls_group_allowed(s, group_id, SSL_SECOP_CURVE_SUPPORTED)
+ /*
+ * We tolerate but ignore a group id that we don't think is
+ * suitable for TLSv1.3
+ */
+ || !tls_valid_group(s, group_id, TLS1_3_VERSION, TLS1_3_VERSION,
+ 0, NULL)) {
/* Share not suitable */
continue;
}
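Review bot: The new block comment sits in the middle of the `if` condition and reads as if it explains only the `tls_valid_group()` clause, which leaves the `tls_group_allowed()` clause added just above it undocumented. I would move the comment above the `if` and cover both, for example `/* Skip, rather than reject, shares for groups that policy or TLSv1.3 does not permit */`. It is also worth recording why the server continues here while tls_parse_stoc_key_share in the same commit fails with SSL_AD_ILLEGAL_PARAMETER on the same checks; presumably this is because a client may legitimately offer shares the server will not use. The enclosing loop, and what happens when no share is accepted, lie outside the hunk.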