root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Fail immediately if we have no key shares to send 

If we are configured in such a way that we have no valid key shares to
send in the ClientHello we should immediately abort the connection.

Fixes #28281

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28283)
This commit is contained in:
Matt Caswell 2025-08-15 16:43:49 +01:00
parent 257ac12798
commit 47b0f172aa
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ssl/statem/extensions_clnt.c
View File

@ -745,6 +745,7 @@ EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt,
/* SSLfatal() already called */
return EXT_RETURN_FAIL;
}
valid_keyshare++;
} else {
if (s->ext.supportedgroups == NULL) /* use default */
add_only_one = 1;
@ -766,13 +767,18 @@ EXT_RETURN tls_construct_ctos_key_share(SSL_CONNECTION *s, WPACKET *pkt,
/* SSLfatal() already called */
return EXT_RETURN_FAIL;
}
valid_keyshare++;
if (add_only_one)
break;
valid_keyshare++;
}
}
if (valid_keyshare == 0) {
/* No key shares were allowed */
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_KEY_SHARE);
return EXT_RETURN_FAIL;
}
if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
return EXT_RETURN_FAIL;