Further rework due to review (sanity check eccCurves instead of keySh…

…ares)
tlsfuzzer · Oct 27, 2020 · 739e372 · 739e372
1 parent a665537
commit 739e372
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/tlslite/handshakesettings.py b/tlslite/handshakesettings.py
@@ -51,7 +51,7 @@
                  "brainpoolP384r1": ('BRAINPOOLP384r1',),
                  "brainpoolP512r1": ('BRAINPOOLP512r1',)}
 # list of supported groups in TLS 1.3 as per RFC 8446, chapter 4.2.7. (excluding private use here)
-TLS13_PERMITTED_GROUPS = ["secp256r1", "scep384r1", "secp521r1",
+TLS13_PERMITTED_GROUPS = ["secp256r1", "secp384r1", "secp521r1",
                           "x25519", "x448", "ffdhe2048",
                           "ffdhe3072", "ffdhe4096", "ffdhe6144",
                           "ffdhe8192"]
@@ -460,11 +460,11 @@ def _sanityCheckECDHSettings(other):
             raise ValueError("Unknown FFDHE group name: '{0}'"
                              .format(unknownDHGroup))
 
-        # TLS 1.3 limits the allowed groups in client key share advertisement (RFC 8446,ch. 4.2.7.)
+        # TLS 1.3 limits the allowed groups (RFC 8446,ch. 4.2.7.)
         if other.maxVersion == (3, 4):
-            forbiddenGroup = HandshakeSettings._not_matching(other.keyShares, TLS13_PERMITTED_GROUPS)
+            forbiddenGroup = HandshakeSettings._not_matching(other.eccCurves, TLS13_PERMITTED_GROUPS)
             if forbiddenGroup:
-                raise ValueError("Client advertisment of the following groups is forbidden in TLS 1.3: {0}"
+                raise ValueError("The following enabled groups are forbidden in TLS 1.3: {0}"
                                  .format(forbiddenGroup))
 
     @staticmethod