Don't ask for an invalid group in an HRR

If the client sends us a group in a key_share that is in our supported_groups list but is otherwise not suitable (e.g. not compatible with TLSv1.3) we reject it. We should not ask for that same group again in a subsequent HRR. Fixes #21157 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/21163)
2025-02-17 14:32:04 +08:00 · 2023-06-09 09:09:06 +01:00 · 2023-06-09 09:09:06 +01:00 · 7a949ae5f1
commit 7a949ae5f1
parent a02571a024
1 changed files with 5 additions and 1 deletions
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@ -1449,7 +1449,11 @@ static int final_key_share(SSL_CONNECTION *s, unsigned int context, int sent)
                    group_id = pgroups[i];

                    if (check_in_list(s, group_id, clntgroups, clnt_num_groups,
-                                      1))
+                                      1)
+                            && tls_group_allowed(s, group_id,
+                                                 SSL_SECOP_CURVE_SUPPORTED)
+                            && tls_valid_group(s, group_id, TLS1_3_VERSION,
+                                               TLS1_3_VERSION, 0, NULL))
                        break;
                }