From: Kenjiro Nakayama Subject: [PATCH] libressl: tlsexttest: verify key share group 29 is selected as expected To: tech@openbsd.org Cc: Kenjiro Nakayama Date: Sat, 3 May 2025 16:49:43 +0900 The test case comment states that we should select the key share for group 29 when it is the most preferred group, but the test only checked that some key share was selected, not that it was the correct one. Add an explicit check that tls_key_share_group() returns 29 to ensure the correct key share group is selected. This avoids silent acceptance of incorrect group selection and aligns the test behavior with the intent described in the comment. --- src/regress/lib/libssl/tlsext/tlsexttest.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c index 32bad7e..20f8d42 100644 --- a/src/regress/lib/libssl/tlsext/tlsexttest.c +++ b/src/regress/lib/libssl/tlsext/tlsexttest.c @@ -3740,6 +3740,11 @@ test_tlsext_keyshare_client(void) FAIL("Did not select a key share"); goto done; } + if (tls_key_share_group(ssl->s3->hs.key_share) != 29) { + FAIL("wrong key share group: got %d, expected 29\n", + tls_key_share_group(ssl->s3->hs.key_share)); + goto done; + } /* * Pretend the client did not send the supported groups extension. We -- 2.39.5 (Apple Git-154)