Skip to content

Added check in TLX_Parse to check if KeyShare extension is present SupportedGroups must be present too (and viceversa) #9250

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
douzzer merged 1 commit into from
Oct 1, 2025
Merged

Added check in TLX_Parse to check if KeyShare extension is present SupportedGroups must be present too (and viceversa) #9250

douzzer merged 1 commit into from
Oct 1, 2025

Conversation

@gasbytes
Copy link
Contributor

@gasbytes gasbytes commented Sep 26, 2025
edited
Loading

Description

Added check in TLX_Parse to check if KeyShare extension is present SupportedGroups must be present too (and viceversa)

From RFC 8446 Section 9.2.

Addresses #9247

Testing

From the instructions in #9247.

default config:
./configure

run server:
./build/examples/server/server -v 4 -l 'TLS_AES_128_GCM_SHA256' -p 3000 --force-curve SECP256R

send client hello from another window:
echo "16030300ab010000a703030101010101010101010101010101010101010101010101010101010101010101200303030303030303030303030303030303030303030303030303030303030303000213010100005c000d000600040401080400330047004500170041040c901d423c831ca85e27c73c263ba132721bb9d7a84c4f0380b2a6756fd601331c8870234dec878504c174144fa4b14b66a651691606d8173e55bd37e381569e002b0003020304" | xxd -r -p | nc 127.0.0.1 3000

with the patch applied it rejects the Client Hello with -422 as error (MISSING_HANDSHAKE_DATA).

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@gasbytes gasbytes self-assigned this Sep 26, 2025
@gasbytes
Copy link
Contributor Author

gasbytes commented Sep 29, 2025

Jenkins retest this please:

Found unhandled hudson.remoting.RequestAbortedException exception:
java.io.StreamCorruptedException: invalid stream header: 636F7272
hudson.remoting.Request.abort(Request.java:358)
hudson.remoting.Channel.terminate(Channel.java:1196)
hudson.remoting.SynchronousCommandTransport$ReaderThread.run(SynchronousCommandTransport.java:95)

@gasbytes
Added check in TLX_Parse to check if KeyShare extension is present
be02b1e 
SupportedGroups must be present too (and viceversa).
From RFC 8446 Section 9.2.
@gasbytes
Copy link
Contributor Author

gasbytes commented Sep 29, 2025

Jenkins retest this please:

Timeout has been exceeded

@gasbytes gasbytes marked this pull request as ready for review September 29, 2025 13:35
@gasbytes gasbytes assigned rizlik and wolfSSL-Bot and unassigned gasbytes Sep 29, 2025
@douzzer douzzer merged commit d5750ac into wolfSSL:master Oct 1, 2025
402 of 405 checks passed
@gasbytes gasbytes mentioned this pull request Oct 6, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@douzzer douzzer douzzer approved these changes

@wolfSSL-Bot wolfSSL-Bot Awaiting requested review from wolfSSL-Bot

@rizlik rizlik Awaiting requested review from rizlik

@julek-wolfssl julek-wolfssl Awaiting requested review from julek-wolfssl

Assignees

@wolfSSL-Bot wolfSSL-Bot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@gasbytes @douzzer @rizlik @wolfSSL-Bot