[openssl/openssl] 98f43f: Don't ask for an invalid group in an HRR
Matt Caswell
noreply at github.com
Fri Jun 23 13:41:11 UTC 2023
Branch: refs/heads/openssl-3.1
Home: https://github.com/openssl/openssl
Commit: 98f43f44eab0610d34de5b6a396014b329451874
https://github.com/openssl/openssl/commit/98f43f44eab0610d34de5b6a396014b329451874
Author: Matt Caswell <matt at openssl.org>
Date: 2023-06-23 (Fri, 23 Jun 2023)
Changed paths:
M ssl/statem/extensions.c
Log Message:
-----------
Don't ask for an invalid group in an HRR
If the client sends us a group in a key_share that is in our
supported_groups list but is otherwise not suitable (e.g. not compatible
with TLSv1.3) we reject it. We should not ask for that same group again
in a subsequent HRR.
Fixes #21157
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Todd Short <todd.short at me.com>
(Merged from https://github.com/openssl/openssl/pull/21163)
(cherry picked from commit 7a949ae5f1799a6629cf6deb44ae0f38455a73dd)
Commit: 7df9bd366c7136abaa8deef978270809ba082595
https://github.com/openssl/openssl/commit/7df9bd366c7136abaa8deef978270809ba082595
Author: Matt Caswell <matt at openssl.org>
Date: 2023-06-23 (Fri, 23 Jun 2023)
Changed paths:
M test/recipes/70-test_tls13hrr.t
Log Message:
-----------
Add a test for an invalid group in the HRR
Test that if the client sends a key share for a group in the server's
supported_group list but is otherwise invalid, that we don't select it
in the HRR.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Todd Short <todd.short at me.com>
(Merged from https://github.com/openssl/openssl/pull/21163)
(cherry picked from commit adf33f9e268b17ec1b4739707abb40b03b21ea6a)
Compare: https://github.com/openssl/openssl/compare/f9b7ca187196...7df9bd366c71
More information about the openssl-commits
mailing list