From 3dc2c2828b900f18e7890cf81e4bd582a844c040 Mon Sep 17 00:00:00 2001
From: jsing
Date: Sun, 14 Jun 2026 15:51:17 +0000
Subject: [PATCH] Correct secondary key share handling for HelloRetryRequests. With the introduction of a secondary key share, we fail to ensure that the HelloRetryRequest does not specify the group that was used for the secondary key share. We also fail to free the secondary key share early in this case, meaning that it lingers in memory until the SSL is reset or freed. Fix both of these issues. ok tb@
---
 lib/libssl/tls13_client.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c
index d6507178560..fec3e825fe7 100644
--- a/lib/libssl/tls13_client.c
+++ b/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.107 2026/06/14 14:53:07 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.108 2026/06/14 15:51:17 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing
 *
@@ -460,9 +460,19 @@ tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
 return 0;
 }
+ if (ctx->hs->tls13.key_share != NULL &&
+ ctx->hs->tls13.server_group == tls_key_share_group(ctx->hs->tls13.key_share)) {
+ ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
+ return 0;
+ }
- /* Switch to new key share. */
+ /* Free original key shares. */
 tls_key_share_free(ctx->hs->key_share);
+ ctx->hs->key_share = NULL;
+ tls_key_share_free(ctx->hs->tls13.key_share);
+ ctx->hs->tls13.key_share = NULL;
+
+ /* Create new key share for server selected group. */
 if ((ctx->hs->key_share = tls_key_share_new(ctx->hs->tls13.server_group)) == NULL)
 return 0;
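Review bot: The new guard on `ctx->hs->tls13.key_share` in tls13_client_hello_retry_send() has no comment saying why a server_group that matches the secondary share is fatal, and its second line runs past 80 columns. A comment above it such as `/* HRR must not select a group we already sent a key share for (RFC 8446, section 4.2.8). */` would tie the illegal_parameter alert to the requirement, and the condition could be wrapped after the `==`. The check just before it is only partly visible in this hunk, so I am assuming it is the same test against the primary `ctx->hs->key_share`; if so, a small helper covering both shares would keep the two from drifting apart. The function starts and ends outside the hunk.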