Skip to content

Commit

Permalink
Update key share group ranking algorithm
Browse files Browse the repository at this point in the history
In case no user group ranking is set, all groups are now ranked equally
instead of the order in the `preferredGroup` array. This is the
behavior already indicated in the comment header of the function.

This change is necessary for applications that do not set their own
group ranking (via `wolfSSL_CTX_set_groups()` for example). When such an
application creates a TLS server and receives a ClientHello message with
multiple key shares, now the first key share is selected instead of the
one with the lowest index in the `preferredGroup` array.

Recent browsers with PQC support place two key shares in their
ClientHello message: a hybrid PQC + X25519 one and at least one
classic-only one. The hybrid one is the first one, indicating a
preference. Without this change, however, always the classic-only key
share has been selected, as these algorithms have a lower index in the
`preferredGroup` array compared to the PQC hybrids.

Tested using a patched version of NGINX.

This change also results in a different selection of a key share group
in case of a HelloRetryRequest message. For the tests, where static
ephemeral keys are used (`WOLFSSL_STATIC_EPHEMERAL`), an additional
check is necessary to make sure the correct key is used for the ECDH
calculation.

Signed-off-by: Tobias Frauenschläger <[email protected]>
  • Loading branch information
Frauschi committed Nov 18, 2024
1 parent 7d07edf commit e589708
Showing 1 changed file with 2 additions and 3 deletions.
5 changes: 2 additions & 3 deletions src/tls.c
Original file line number Diff line number Diff line change
Expand Up @@ -7901,7 +7901,7 @@ static int TLSX_KeyShare_GenEccKey(WOLFSSL *ssl, KeyShareEntry* kse)

#ifdef WOLFSSL_STATIC_EPHEMERAL
ret = wolfSSL_StaticEphemeralKeyLoad(ssl, WC_PK_TYPE_ECDH, kse->key);
if (ret != 0)
if (ret != 0 || eccKey->dp->id != curveId)
#endif
{
/* set curve info for EccMakeKey "peer" info */
Expand Down Expand Up @@ -10561,8 +10561,7 @@ static int TLSX_KeyShare_GroupRank(const WOLFSSL* ssl, int group)
byte numGroups;

if (ssl->numGroups == 0) {
groups = preferredGroup;
numGroups = PREFERRED_GROUP_SZ;
return 0;
}
else {
groups = ssl->group;
Expand Down

0 comments on commit e589708

Please sign in to comment.