Merge pull request #9754 from julek-wolfssl/zd/21171

Add check for KS in SH
This commit is contained in:
Sean Parkinson
2026-02-11 09:11:05 +10:00
committed by GitHub
4 changed files with 6 additions and 2 deletions
+2
View File
@@ -10094,6 +10094,8 @@ int TLSX_KeyShare_Parse(WOLFSSL* ssl, const byte* input, word16 length,
if (length < OPAQUE16_LEN)
return BUFFER_ERROR;
ssl->options.shSentKeyShare = 1;
/* The data is the named group the server wants to use. */
ato16(input, &group);
+2 -1
View File
@@ -5559,7 +5559,8 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
ssl->options.pskNegotiated == 0 &&
#endif
ssl->session->namedGroup == 0) {
(ssl->session->namedGroup == 0 ||
ssl->options.shSentKeyShare == 0)) {
return EXT_MISSING;
}
+1 -1
View File
@@ -28906,7 +28906,7 @@ static int test_TLSX_CA_NAMES_bad_extension(void)
ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
#ifndef WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WC_NO_ERR_TRACE(OUT_OF_ORDER_E));
ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WC_NO_ERR_TRACE(EXT_MISSING));
#else
ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WC_NO_ERR_TRACE(BUFFER_ERROR));
#endif
+1
View File
@@ -5107,6 +5107,7 @@ struct Options {
word16 hrrSentCookie:1; /* HRR sent with cookie */
#endif
word16 hrrSentKeyShare:1; /* HRR sent with key share */
word16 shSentKeyShare:1; /* SH sent with key share */
#endif
word16 returnOnGoodCh:1;
word16 disableRead:1;