Merge pull request #2977 from SparkiDev/tlsx_ks_ecc_fix

KeyShare ECC shift index range check

src/tls.c

@@ -8131,13 +8131,17 @@ int TLSX_KeyShare_Establish(WOLFSSL *ssl)
         if (!TLSX_SupportedGroups_Find(ssl, clientKSE->group))
             return BAD_KEY_SHARE_DATA;
 
-    #ifdef OPENSSL_EXTRA
         if ((clientKSE->group & NAMED_DH_MASK) == 0) {
-            /* Check if server supports group. */
+            /* Check max value supported. */
-            if (ssl->ctx->disabledCurves & (1 << clientKSE->group))
+            if (clientKSE->group > WOLFSSL_ECC_MAX) {
                 continue;
+            }
+        #ifdef OPENSSL_EXTRA
+            /* Check if server supports group. */
+            if (ssl->ctx->disabledCurves & ((word32)1 << clientKSE->group))
+                continue;
+        #endif
         }
-    #endif
         if (!TLSX_KeyShare_IsSupported(clientKSE->group))
             continue;
 

wolfssl/ssl.h

@@ -3032,6 +3032,7 @@ enum {
     WOLFSSL_ECC_BRAINPOOLP512R1 = 28,
     WOLFSSL_ECC_X25519    = 29,
     WOLFSSL_ECC_X448      = 30,
+    WOLFSSL_ECC_MAX       = 30,
 
     WOLFSSL_FFDHE_2048    = 256,
     WOLFSSL_FFDHE_3072    = 257,