

TLS: Improve default server DH group selection
peterdettman committed May 30, 2024
1 parent 80f81a5 commit 7f49a54
Showing 1 changed file with 39 additions and 13 deletions.
52 changes: 39 additions & 13 deletions tls/src/main/java/org/bouncycastle/tls/AbstractTlsServer.java
Expand Up @@ -78,6 +78,16 @@ protected String getDetailMessageNoCipherSuite()
return "No selectable cipher suite";
}

protected int getMaximumDefaultCurveBits()
{
return NamedGroup.getCurveBits(NamedGroup.secp521r1);
}

protected int getMaximumDefaultFiniteFieldBits()
{
return NamedGroup.getFiniteFieldBits(NamedGroup.ffdhe8192);
}

protected int getMaximumNegotiableCurveBits()
{
int maxBits = 0;
Expand All @@ -96,7 +106,7 @@ protected int getMaximumNegotiableCurveBits()
* extensions. In this case, the server is free to choose any one of the elliptic curves or point
* formats [...].
*/
maxBits = NamedGroup.getMaximumCurveBits();
maxBits = getMaximumDefaultCurveBits();
}
return maxBits;
}
Expand All @@ -121,7 +131,7 @@ protected int getMaximumNegotiableFiniteFieldBits()
* entirely or contains no FFDHE groups (i.e., no codepoints between 256 and 511, inclusive), then
* the server [...] MAY select an FFDHE cipher suite and offer an FFDHE group of its choice [...].
*/
maxBits = NamedGroup.getMaximumFiniteFieldBits();
maxBits = getMaximumDefaultFiniteFieldBits();
}
return maxBits;
}
Expand Down Expand Up @@ -153,22 +163,32 @@ protected boolean selectCipherSuite(int cipherSuite) throws IOException

protected int selectDH(int minimumFiniteFieldBits)
{
boolean anyPeerFF = false;
int[] clientSupportedGroups = context.getSecurityParametersHandshake().getClientSupportedGroups();
if (clientSupportedGroups == null)
{
return selectDHDefault(minimumFiniteFieldBits);
}

// Try to find a supported named group of the required size from the client's list.
for (int i = 0; i < clientSupportedGroups.length; ++i)
if (clientSupportedGroups != null)
{
int namedGroup = clientSupportedGroups[i];
if (NamedGroup.getFiniteFieldBits(namedGroup) >= minimumFiniteFieldBits)
// Try to find a supported named group of the required size from the client's list.
for (int i = 0; i < clientSupportedGroups.length; ++i)
{
return namedGroup;
int namedGroup = clientSupportedGroups[i];
anyPeerFF |= NamedGroup.isFiniteField(namedGroup);

if (NamedGroup.getFiniteFieldBits(namedGroup) >= minimumFiniteFieldBits)
{
// This default server implementation supports all NamedGroup finite fields
return namedGroup;
}
}
}

if (!anyPeerFF)
{
/*
* RFC 7919 4. If [...] the Supported Groups extension is either absent from the ClientHello
* entirely or contains no FFDHE groups (i.e., no codepoints between 256 and 511, inclusive), then
* the server [...] MAY select an FFDHE cipher suite and offer an FFDHE group of its choice [...].
*/
return selectDHDefault(minimumFiniteFieldBits);
}
return -1;
}

Expand All @@ -187,6 +207,11 @@ protected int selectECDH(int minimumCurveBits)
int[] clientSupportedGroups = context.getSecurityParametersHandshake().getClientSupportedGroups();
if (clientSupportedGroups == null)
{
/*
* RFC 4492 4. A client that proposes ECC cipher suites may choose not to include these
* extensions. In this case, the server is free to choose any one of the elliptic curves or point
* formats [...].
*/
return selectECDHDefault(minimumCurveBits);
}

Expand All @@ -196,6 +221,7 @@ protected int selectECDH(int minimumCurveBits)
int namedGroup = clientSupportedGroups[i];
if (NamedGroup.getCurveBits(namedGroup) >= minimumCurveBits)
{
// This default server implementation supports all NamedGroup curves
return namedGroup;
}
}

