diff --git a/ssl/internal.h b/ssl/internal.h index 568b225ea97..df5cf15c69d 100644 --- a/ssl/internal.h +++ b/ssl/internal.h @@ -753,7 +753,7 @@ size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher); // AES in hardware is available. const SSL_CIPHER *ssl_choose_tls13_cipher( const STACK_OF(SSL_CIPHER) *client_cipher_suites, bool has_aes_hw, uint16_t version, - uint16_t group_id, const STACK_OF(SSL_CIPHER) *tls13_ciphers); + const STACK_OF(SSL_CIPHER) *tls13_ciphers); // Transcript layer. diff --git a/ssl/s3_both.cc b/ssl/s3_both.cc index d09954daaf2..fbb1f8de528 100644 --- a/ssl/s3_both.cc +++ b/ssl/s3_both.cc @@ -687,7 +687,7 @@ class CipherScorer { const SSL_CIPHER *ssl_choose_tls13_cipher( const STACK_OF(SSL_CIPHER) *client_cipher_suites, bool has_aes_hw, uint16_t version, - uint16_t group_id, const STACK_OF(SSL_CIPHER) *tls13_ciphers) { + const STACK_OF(SSL_CIPHER) *tls13_ciphers) { const SSL_CIPHER *best = nullptr; CipherScorer scorer(has_aes_hw); diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc index fd52f5c9cbe..95452fb1ced 100644 --- a/ssl/tls13_server.cc +++ b/ssl/tls13_server.cc @@ -110,7 +110,7 @@ static int ssl_ext_supported_versions_add_serverhello(SSL_HANDSHAKE *hs, return 1; } -static const SSL_CIPHER *choose_tls13_cipher(const SSL *ssl, uint16_t group_id) { +static const SSL_CIPHER *choose_tls13_cipher(const SSL *ssl) { STACK_OF(SSL_CIPHER) *tls13_ciphers = nullptr; if (ssl->ctx->tls13_cipher_list && ssl->ctx->tls13_cipher_list.get()->ciphers && @@ -122,7 +122,7 @@ static const SSL_CIPHER *choose_tls13_cipher(const SSL *ssl, uint16_t group_id) ssl->config->aes_hw_override ? ssl->config->aes_hw_override_value : EVP_has_aes_hardware(), - ssl_protocol_version(ssl), group_id, tls13_ciphers); + ssl_protocol_version(ssl), tls13_ciphers); } static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) { @@ -227,13 +227,6 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { client_hello.session_id_len); hs->session_id_len = client_hello.session_id_len; - uint16_t group_id; - if (!tls1_get_shared_group(hs, &group_id)) { - OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_GROUP); - ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); - return ssl_hs_error; - } - if (!ssl_parse_client_cipher_list(ssl, &client_hello, &ssl->client_cipher_suites)) { OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER); ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); @@ -241,7 +234,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { } // Negotiate the cipher suite. - hs->new_cipher = choose_tls13_cipher(ssl, group_id); + hs->new_cipher = choose_tls13_cipher(ssl); if (hs->new_cipher == NULL) { OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER); ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); @@ -581,7 +574,6 @@ static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) { ScopedCBB cbb; CBB body, session_id, extensions; - uint16_t group_id; if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) || !CBB_add_u16(&body, TLS1_2_VERSION) || !CBB_add_bytes(&body, kHelloRetryRequest, SSL3_RANDOM_SIZE) || @@ -589,14 +581,13 @@ static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) { !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) || !CBB_add_u16(&body, SSL_CIPHER_get_protocol_id(hs->new_cipher)) || !CBB_add_u8(&body, 0 /* no compression */) || - !tls1_get_shared_group(hs, &group_id) || !CBB_add_u16_length_prefixed(&body, &extensions) || !CBB_add_u16(&extensions, TLSEXT_TYPE_supported_versions) || !CBB_add_u16(&extensions, 2 /* length */) || !CBB_add_u16(&extensions, ssl->version) || !CBB_add_u16(&extensions, TLSEXT_TYPE_key_share) || !CBB_add_u16(&extensions, 2 /* length */) || - !CBB_add_u16(&extensions, group_id)) { + !CBB_add_u16(&extensions, hs->new_session->group_id)) { return ssl_hs_error; } if (hs->ech_is_inner) {