55 lines
1.6 KiB
Diff
55 lines
1.6 KiB
Diff
From bd164884f258d99ca876f6cdcdf9bd0dcceee6ad Mon Sep 17 00:00:00 2001
|
|
From: Tomas Mraz <tomas@openssl.org>
|
|
Date: Fri, 29 Apr 2022 16:36:36 +0200
|
|
Subject: [PATCH] Do not send an empty supported groups extension
|
|
|
|
This allows handshake to proceed if the maximum TLS version enabled is <1.3
|
|
|
|
Fixes #13583
|
|
|
|
Reviewed-by: Paul Dale <pauli@openssl.org>
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
(Merged from https://github.com/openssl/openssl/pull/18213)
|
|
---
|
|
CHANGES | 24 ++++++++++++++----------
|
|
ssl/statem/extensions_clnt.c | 16 +++++++++++++++-
|
|
2 files changed, 29 insertions(+), 11 deletions(-)
|
|
|
|
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
|
|
index 9d38ac23b5..036a9b3c48 100644
|
|
--- a/ssl/statem/extensions_clnt.c
|
|
+++ b/ssl/statem/extensions_clnt.c
|
|
@@ -118,6 +118,8 @@ static int use_ecc(SSL *s)
|
|
int i, end, ret = 0;
|
|
unsigned long alg_k, alg_a;
|
|
STACK_OF(SSL_CIPHER) *cipher_stack = NULL;
|
|
+ const uint16_t *pgroups = NULL;
|
|
+ size_t num_groups, j;
|
|
|
|
/* See if we support any ECC ciphersuites */
|
|
if (s->version == SSL3_VERSION)
|
|
@@ -139,7 +141,19 @@ static int use_ecc(SSL *s)
|
|
}
|
|
|
|
sk_SSL_CIPHER_free(cipher_stack);
|
|
- return ret;
|
|
+ if (!ret)
|
|
+ return 0;
|
|
+
|
|
+ /* Check we have at least one EC supported group */
|
|
+ tls1_get_supported_groups(s, &pgroups, &num_groups);
|
|
+ for (j = 0; j < num_groups; j++) {
|
|
+ uint16_t ctmp = pgroups[j];
|
|
+
|
|
+ if (tls_curve_allowed(s, ctmp, SSL_SECOP_CURVE_SUPPORTED))
|
|
+ return 1;
|
|
+ }
|
|
+
|
|
+ return 0;
|
|
}
|
|
|
|
EXT_RETURN tls_construct_ctos_ec_pt_formats(SSL *s, WPACKET *pkt,
|
|
--
|
|
2.17.1
|
|
|