author | Matt Caswell <matt@openssl.org> | 2021-03-04 16:33:26 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2021-03-08 15:32:04 +0000 |
commit | 9afc6c54314f94c0dcb4168d01554497bfaeae4f (patch) | |
tree | 57fd8eedcd2c24b41011d3c938cfd23e5cea800c /ssl/statem | |
parent | 7bc0fdd3fd4535e06c35b92d71afab9a6de94cc5 (diff) |
Fix the check for suitable groups and TLSv1.3
If we have TLSv1.3 enabled then we must have at least one TLSv1.3 capable
group available. This check was not always working.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/14430)
Diffstat (limited to 'ssl/statem')
-rw-r--r-- | ssl/statem/extensions_clnt.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index b216e29f26..cac713fff0 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -234,7 +234,7 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
 }
 }
 if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
- if (added == 0 || (tls13added == 0 && max_version == TLS1_3_VERSION))
+ if (added == 0)
 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
 "No groups enabled for max supported SSL/TLS version");
 else
@@ -242,6 +242,12 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
 return EXT_RETURN_FAIL;
 }
+ if (tls13added == 0 && max_version == TLS1_3_VERSION) {
+ SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
+ "No groups enabled for max supported SSL/TLS version");
+ return EXT_RETURN_FAIL;
+ }
+
 return EXT_RETURN_SENT;
 } |
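Review bot: The `if (added == 0)` diagnostic kept in the first hunk is still reachable only when one of the two `WPACKET_close(pkt)` calls fails, the same placement that made the TLSv1.3 half of the old condition unreliable. Whether a close is guaranteed to fail for an empty group list depends on how the sub-packets were opened earlier in the function, which is outside this hunk, so this is inferred rather than visible. If that reliance is intended, say so in place, for example `/* an empty group list makes WPACKET_close() fail, so added == 0 is only checked on this path */`, after confirming it against the code above.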
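Review bot: The new `if (tls13added == 0 && max_version == TLS1_3_VERSION)` block in the second hunk carries no comment explaining why it sits after the close-failure branch rather than inside it. Without one, the two identical `SSLfatal_data` calls invite a later cleanup that merges them back together and silently disables the check again. A comment such as `/* Offering TLSv1.3 needs at least one TLSv1.3 capable group; must be checked even when the list closed successfully */` would pin the intent. The diffstat shown is limited to ssl/statem, so no regression test is visible on this page; a client capped at TLSv1.3 with only non-TLSv1.3 groups configured should be asserted to fail with `SSL_R_NO_SUITABLE_GROUPS`. The function body starts outside the hunk.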