From c9e072236c4e1c290f38aee819ecaff8398e2a16 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Fri, 25 Jun 2021 08:39:12 +0200
Subject: [PATCH] key_share: treat X25519 and X448 as same PK type when
 advertising

Previously, if both X25519 and X448 groups were enabled in the
priority string, the client sent both algorithms in a key_share
extension, while it was only capable of handling one algorithm from
the same (Edwards curve) category.  This adds an extra check so the
client should send either X25519 or X448.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
 lib/ext/key_share.c     | 24 +++++++++++++++++++++---
 tests/tls13/key_share.c |  3 +++
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c
index a8c4bb5cf..a4db3af95 100644
--- a/lib/ext/key_share.c
+++ b/lib/ext/key_share.c
@@ -656,6 +656,18 @@ key_share_recv_params(gnutls_session_t session,
 	return 0;
 }
 
+static inline bool
+pk_type_is_ecdhx(gnutls_pk_algorithm_t pk)
+{
+	return pk == GNUTLS_PK_ECDH_X25519 || pk == GNUTLS_PK_ECDH_X448;
+}
+
+static inline bool
+pk_type_equal(gnutls_pk_algorithm_t a, gnutls_pk_algorithm_t b)
+{
+	return a == b || (pk_type_is_ecdhx(a) && pk_type_is_ecdhx(b));
+}
+
 /* returns data_size or a negative number on failure
  */
 static int
@@ -710,12 +722,18 @@ key_share_send_params(gnutls_session_t session,
 			/* generate key shares for out top-(max_groups) groups
 			 * if they are of different PK type. */
 			for (i = 0; i < session->internals.priorities->groups.size; i++) {
+				unsigned int j;
+
 				group = session->internals.priorities->groups.entry[i];
 
-				if (generated == 1 && group->pk == selected_groups[0])
-					continue;
-				else if (generated == 2 && (group->pk == selected_groups[1] || group->pk == selected_groups[0]))
+				for (j = 0; j < generated; j++) {
+					if (pk_type_equal(group->pk, selected_groups[j])) {
+						break;
+					}
+				}
+				if (j < generated) {
 					continue;
+				}
 
 				selected_groups[generated] = group->pk;
 
diff --git a/tests/tls13/key_share.c b/tests/tls13/key_share.c
index 7f8f6295c..816a7d9b5 100644
--- a/tests/tls13/key_share.c
+++ b/tests/tls13/key_share.c
@@ -124,6 +124,7 @@ unsigned int tls_id_to_group[] = {
 	[23] = GNUTLS_GROUP_SECP256R1,
 	[24] = GNUTLS_GROUP_SECP384R1,
 	[29] = GNUTLS_GROUP_X25519,
+	[30] = GNUTLS_GROUP_X448,
 	[0x100] = GNUTLS_GROUP_FFDHE2048,
 	[0x101] = GNUTLS_GROUP_FFDHE3072
 };
@@ -315,11 +316,13 @@ void doit(void)
 	start("two groups: default secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_SECP256R1, 2);
 	start("two groups: secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_SECP256R1, 2);
 	start("two groups: x25519", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_X25519, 2);
+	start("two groups: x448", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X448:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_X448, 2);
 	start("two groups: ffdhe2048", "NORMAL:-KX-ALL:+DHE-RSA:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE3072", GNUTLS_KEY_SHARE_TOP2, GNUTLS_GROUP_FFDHE2048, 2);
 
 	start("three groups: default secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_SECP256R1, 3);
 	start("three groups: secp256r1", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_SECP256R1, 3);
 	start("three groups: x25519", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_X25519, 3);
+	start("three groups: x448", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X448:+GROUP-X25519:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-FFDHE2048", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_X448, 3);
 	start("three groups: ffdhe2048", "NORMAL:-KX-ALL:+DHE-RSA:+ECDHE-RSA:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-SECP256R1:+GROUP-SECP384R1:+GROUP-X25519:+GROUP-FFDHE3072", GNUTLS_KEY_SHARE_TOP3, GNUTLS_GROUP_FFDHE2048, 3);
 
 	/* test default behavior */
-- 
2.31.1