Don't send supported groups if no-ec and we're doing DTLS
authorMatt Caswell <matt@openssl.org>
Thu, 11 Jun 2020 15:47:50 +0000 (16:47 +0100)
committerMatt Caswell <matt@openssl.org>
Fri, 19 Jun 2020 09:19:32 +0000 (10:19 +0100)
The supported_groups extension only supported EC groups in DTLS.
Therefore we shouldn't send it in a no-ec build.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11914)

ssl/statem/extensions_clnt.c

index dbdedad..abff069 100644 (file)
@@ -211,7 +211,7 @@ EXT_RETURN tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt,
     }
 
 #if defined(OPENSSL_NO_EC)
-    if (max_version < TLS1_3_VERSION)
+    if (SSL_IS_DTLS(s) || max_version < TLS1_3_VERSION)
         return EXT_RETURN_NOT_SENT;
 #else
     if (!use_ecc(s, min_version, max_version) && max_version < TLS1_3_VERSION)