From bcec335856233cbcea4d96e3d43e1b43b8fe4182 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 1 Nov 2016 13:24:02 +0000
Subject: [PATCH] Add key_share info to the ServerHello

Reviewed-by: Rich Salz <rsalz@openssl.org>
---
 ssl/ssl_locl.h |  2 ++
 ssl/t1_lib.c   | 42 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+)

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 105a487c7e..ec0d0b4824 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1299,6 +1299,8 @@ typedef struct ssl3_state_st {
 
     /* For clients: peer temporary key */
 # if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
+    /* The group_id for the DH/ECDH key */
+    unsigned int group_id;
     EVP_PKEY *peer_tmp;
 # endif
 
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 37e6841d7e..11c8399a28 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1648,6 +1648,47 @@ int ssl_add_serverhello_tlsext(SSL *s, WPACKET *pkt, int *al)
         }
     }
 #endif
+
+    if (s->version == TLS1_3_VERSION) {
+        unsigned char *encodedPoint;
+        size_t encoded_pt_len = 0;
+        EVP_PKEY *ckey = NULL, *skey = NULL;
+
+        ckey = s->s3->peer_tmp;
+        if (ckey == NULL) {
+            SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+            return 0;
+        }
+
+        if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share)
+                || !WPACKET_start_sub_packet_u16(pkt)
+                || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) {
+            SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+            return 0;
+        }
+
+        skey = ssl_generate_pkey(ckey);
+
+        /* Generate encoding of server key */
+        encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint);
+        if (encoded_pt_len == 0) {
+            SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_EC_LIB);
+            EVP_PKEY_free(skey);
+            return 0;
+        }
+
+        if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len)
+                || !WPACKET_close(pkt)) {
+            SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+            EVP_PKEY_free(skey);
+            OPENSSL_free(encodedPoint);
+            return 0;
+        }
+
+        s->s3->tmp.pkey = skey;
+        OPENSSL_free(encodedPoint);
+    }
+
     if (!custom_ext_add(s, 1, pkt, al)) {
         SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
         return 0;
@@ -2293,6 +2334,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, CLIENTHELLO_MSG *hello, int *al)
                     EVP_PKEY_CTX_free(pctx);
                     pctx = NULL;
                 }
+                s->s3->group_id = group_id;
 
                 if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
                         PACKET_data(&encoded_pt),
-- 
2.25.1