Blame SOURCES/gnutls-3.7.2-key-share-ecdhx.patch

From c9e072236c4e1c290f38aee819ecaff8398e2a16 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 25 Jun 2021 08:39:12 +0200
Subject: [PATCH] key_share: treat X25519 and X448 as same PK type when
 advertising
Previously, if both X25519 and X448 groups were enabled in the
priority string, the client sent both algorithms in a key_share
extension, while it was only capable of handling one algorithm from
the same (Edwards curve) category.  This adds an extra check so the
client should send either X25519 or X448.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
 lib/ext/key_share.c     | 24 +++++++++++++++++++++---
 tests/tls13/key_share.c |  3 +++
 2 files changed, 24 insertions(+), 3 deletions(-)
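diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
index a8c4bb5cf..a4db3af95 100644
--- a/lib/ext/key_share.c
+++ b/lib/ext/key_share.c
@@ -656,6 +656,18 @@ key_share_recv_params(gnutls_session_t session,
 	return 0;
 }
 
+static inline bool
+pk_type_is_ecdhx(gnutls_pk_algorithm_t pk)
+{
+	return pk == GNUTLS_PK_ECDH_X25519 || pk == GNUTLS_PK_ECDH_X448;
+}
+
+static inline bool
+pk_type_equal(gnutls_pk_algorithm_t a, gnutls_pk_algorithm_t b)
+{
+	return a == b || (pk_type_is_ecdhx(a) && pk_type_is_ecdhx(b));
+}
+
 /* returns data_size or a negative number on failure
  */
 static int
@@ -710,12 +722,18 @@ key_share_send_params(gnutls_session_t session,
 			/* generate key shares for out top-(max_groups) groups
 			 * if they are of different PK type. */
 			for (i = 0; i < session->internals.priorities->groups.size; i++) {
+				unsigned int j;
+
 				group = session->internals.priorities->groups.entry[i];
 
-				if (generated == 1 && group->pk == selected_groups[0])
-					continue;
-				else if (generated == 2 && (group->pk == selected_groups[1] || group->pk == selected_groups[0]))
+				for (j = 0; j < generated; j++) {
+					if (pk_type_equal(group->pk, selected_groups[j])) {
+						break;
+					}
+				}
+				if (j < generated) {
 					continue;
+				}
 
 				selected_groups[generated] = group->pk;
 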
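Review bot: `pk_type_equal()` deliberately reports two different `gnutls_pk_algorithm_t` values as equal, yet nothing next to the helpers says why, and the name reads like plain identity, so a later caller could reuse it where X25519 and X448 must be told apart. A comment above the two helpers would pin the intent, e.g. `/* X25519 and X448 count as one PK type for key_share: the client can handle only one share from that category at a time */`, which is the reason the commit message gives. The context comment `if they are of different PK type` in key_share_send_params now relies on this looser definition and could say so. The function body continues outside the hunk, so the bound that keeps `selected_groups[generated]` inside the array is not visible here; presumably a max_groups check follows the write, but that should be confirmed.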
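diff --git a/tests/tls13/key_share.c b/tests/tls13/key_share.c
index 7f8f6295c..816a7d9b5 100644
--- a/tests/tls13/key_share.c
+++ b/tests/tls13/key_share.c
@@ -124,6 +124,7 @@ unsigned int tls_id_to_group[] = {
 	[23] = GNUTLS_GROUP_SECP256R1,
 	[24] = GNUTLS_GROUP_SECP384R1,
 	[29] = GNUTLS_GROUP_X25519,
+	[30] = GNUTLS_GROUP_X448,
 	[0x100] = GNUTLS_GROUP_FFDHE2048,
 	[0x101] = GNUTLS_GROUP_FFDHE3072
 };
@@ -315,11 +316,13 @@ void doit(void)
 	start("two groups: default secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_SECP256R1, 2);
 	start("two groups: secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_SECP256R1, 2);
 	start("two groups: x25519", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_X25519, 2);
+	start("two groups: x448", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X448:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_X448, 2);
 	start("two groups: ffdhe2048", "NORMAL:-KX-ALL:+DHE-RSA:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE3072", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_FFDHE2048, 2);
 
 	start("three groups: default secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_SECP256R1, 3);
 	start("three groups: secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_SECP256R1, 3);
 	start("three groups: x25519", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_X25519, 3);
+	start("three groups: x448", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X448:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_X448, 3);
 	start("three groups: ffdhe2048", "NORMAL:-KX-ALL:+DHE-RSA:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE3072", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_FFDHE2048, 3);
 
 	/* test default behavior */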
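Review bot: The two added cases only cover the order X448 before X25519; none of the existing `x25519` priority strings enables `+GROUP-X448`, so the skip is never exercised when X25519 is selected first and X448 follows it. `pk_type_equal()` is symmetric, so this should pass today, but a later change to the selection loop could break that order without any test failing. I would add the mirrored case, `start("two groups: x25519, x448 skipped", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+GROUP-X448:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_X25519, 2);`, and the same string with `GNUTLS_KEY_SHARE_TOP3` and `3`. doit() continues outside the hunk, so the meaning of the last argument (apparently the expected number of shares) is inferred from the neighbouring calls.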
-- 
2.31.1