mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-07 08:40:52 +02:00
Merge pull request #9754 from julek-wolfssl/zd/21171
Add check for KS in SH
This commit is contained in:
@@ -10094,6 +10094,8 @@ int TLSX_KeyShare_Parse(WOLFSSL* ssl, const byte* input, word16 length,
|
||||
if (length < OPAQUE16_LEN)
|
||||
return BUFFER_ERROR;
|
||||
|
||||
ssl->options.shSentKeyShare = 1;
|
||||
|
||||
/* The data is the named group the server wants to use. */
|
||||
ato16(input, &group);
|
||||
|
||||
|
||||
+2
-1
@@ -5559,7 +5559,8 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
||||
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
||||
ssl->options.pskNegotiated == 0 &&
|
||||
#endif
|
||||
ssl->session->namedGroup == 0) {
|
||||
(ssl->session->namedGroup == 0 ||
|
||||
ssl->options.shSentKeyShare == 0)) {
|
||||
return EXT_MISSING;
|
||||
}
|
||||
|
||||
|
||||
+1
-1
@@ -28906,7 +28906,7 @@ static int test_TLSX_CA_NAMES_bad_extension(void)
|
||||
|
||||
ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
|
||||
#ifndef WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
|
||||
ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WC_NO_ERR_TRACE(OUT_OF_ORDER_E));
|
||||
ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WC_NO_ERR_TRACE(EXT_MISSING));
|
||||
#else
|
||||
ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WC_NO_ERR_TRACE(BUFFER_ERROR));
|
||||
#endif
|
||||
|
||||
@@ -5107,6 +5107,7 @@ struct Options {
|
||||
word16 hrrSentCookie:1; /* HRR sent with cookie */
|
||||
#endif
|
||||
word16 hrrSentKeyShare:1; /* HRR sent with key share */
|
||||
word16 shSentKeyShare:1; /* SH sent with key share */
|
||||
#endif
|
||||
word16 returnOnGoodCh:1;
|
||||
word16 disableRead:1;
|
||||
|
||||
Reference in New Issue
Block a user