authorMatt Caswell <matt@openssl.org>2021-03-04 16:33:26 +0000
committerMatt Caswell <matt@openssl.org>2021-03-08 15:32:04 +0000
commit9afc6c54314f94c0dcb4168d01554497bfaeae4f (patch)
tree57fd8eedcd2c24b41011d3c938cfd23e5cea800c /ssl
parent7bc0fdd3fd4535e06c35b92d71afab9a6de94cc5 (diff)
Fix the check for suitable groups and TLSv1.3
If we have TLSv1.3 enabled then we must have at least one TLSv1.3 capable group available. This check was not always working. Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/14430)
Diffstat (limited to 'ssl')
-rw-r--r--ssl/statem/extensions_clnt.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index b216e29f26..cac713fff0 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -234,7 +234,7 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
}
}
if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
- if (added == 0 || (tls13added == 0 && max_version == TLS1_3_VERSION))
+ if (added == 0)
SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
"No groups enabled for max supported SSL/TLS version");
else
@@ -242,6 +242,12 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
return EXT_RETURN_FAIL;
}
+ if (tls13added == 0 && max_version == TLS1_3_VERSION) {
+ SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_SUITABLE_GROUPS,
+ "No groups enabled for max supported SSL/TLS version");
+ return EXT_RETURN_FAIL;
+ }
+
return EXT_RETURN_SENT;
}
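Review bot: The new `if (tls13added == 0 && max_version == TLS1_3_VERSION)` block has no comment saying why it must sit outside the `WPACKET_close` failure branch, even though that placement is the whole fix. From the visible lines the close calls presumably fail only when no group was written at all, so the old combined condition could not fire when only pre-TLSv1.3 groups were added. A short comment would keep a later refactor from folding the two checks back together, for example `/* Groups were written, but none is usable with TLSv1.3 although it is our max version: fail here rather than send a ClientHello we cannot complete */`. The diffstat is limited to `ssl`, so it is not visible whether a regression test configures only non-TLSv1.3 groups with TLSv1.3 as the maximum version; if none exists, that case is worth covering. The body of `tls_construct_ctos_supported_groups` starts outside the hunk.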