From 08f92585dea81862ad38aa399c867a25254b22f4 Mon Sep 17 00:00:00 2001
From: jsing <jsing@openbsd.org>
Date: Tue, 4 Jan 2022 10:34:16 +0000
Subject: [PATCH] Only allow zero length key shares when we know we're doing
 HRR.

ok inoguchi@ tb@
---
 lib/libssl/ssl_tlsext.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index 3da8ebc46c6..c97ade8bdd9 100644
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.101 2021/11/01 16:37:17 jsing Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.102 2022/01/04 10:34:16 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1558,8 +1558,10 @@ tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
 		goto err;
 
 	if (CBS_len(cbs) == 0) {
-		/* HRR does not include an actual key share. */
-		/* XXX - we should know that we are in a HRR... */
+		/* HRR does not include an actual key share, only the group. */
+		if (msg_type != SSL_TLSEXT_MSG_HRR)
+			return 0;
+
 		S3I(s)->hs.tls13.server_group = group;
 		return 1;
 	}
-- 
2.20.1