
Incorrect error message on HelloRetryRequest with reused named group (secp256r1)

Open • GSoJC234 opened this issue 5 months ago • 1 comment

Version

v5.8.2

Description

When a TLS 1.3 client sends secp256r1 in its initial ClientHello key_share, and the server responds with a HelloRetryRequest that (incorrectly) requests the same group secp256r1 again, wolfSSL logs the error message:

TLS handshake failed: The Key Share data contains group that wasn't in Client Hello

The current message is misleading — it suggests the group was absent from ClientHello, while the actual violation is that it was already present. It should instead correctly indicate that the group was in ClientHello.key_share, for clarity and correctness.

The expected error message should be:

TLS handshake failed: The Key Share data in HelloRetryRequest message contains group that was in ClientHello.

Steps to Reproduce

  1. Build and run wolfSSL with TLS 1.3 enabled (./configure --enable-tls13 --enable-debug).
  2. Client sends ClientHello with secp256r1 in key_share.
  3. Server responds with HelloRetryRequest selecting secp256r1 again (which violates the spec).
  4. Client fails handshake and logs the error message.

Environment

  • wolfSSL version: e.g. 5.8.2
  • OS / platform: macOS (Sequoia 15.2) with arm64 (Apple M2)
  • Compiler version: Apple clang version 17.0.0

GSoJC234, Aug 11 '25 08:08

Hi @GSoJC234 ,

Thanks for the report. Looks like this error case is using the return code BAD_KEY_SHARE_DATA which is shared with other Key Share failures. wolfSSL_ERR_reason_error_string is currently giving the string "The Key Share data contains group that wasn't in Client Hello" for this error code as you've found. I will look into adjusting the error message returned by wolfSSL_ERR_reason_error_string.

kareem-wolfssl, Aug 12 '25 22:08
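The two HelloRetryRequest key_share failures discussed in this thread, separated into distinct results, as an added example that is not wolfSSL code and not from either poster. RFC 8446 section 4.2.8 requires the client to verify that selected_group was in the original supported_groups and was not in the original key_share, and to abort with illegal_parameter otherwise. All function, enum and array names are hypothetical, and the ClientHello contents are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* IANA TLS Supported Groups code points */
#define GROUP_SECP256R1 0x0017
#define GROUP_SECP384R1 0x0018
#define GROUP_X25519    0x001D

/* Hypothetical result codes: one per check, instead of one shared code. */
typedef enum {
    HRR_GROUP_OK = 0,
    HRR_GROUP_NOT_OFFERED,    /* not in ClientHello supported_groups */
    HRR_GROUP_ALREADY_SHARED  /* already in ClientHello key_share */
} hrr_group_result;

/* Constructed sample ClientHello: offers three groups, sends one share. */
static const uint16_t ch_supported[] = { GROUP_SECP256R1, GROUP_SECP384R1, GROUP_X25519 };
static const uint16_t ch_shared[]    = { GROUP_SECP256R1 };

static int group_in_list(uint16_t group, const uint16_t *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == group)
            return 1;
    return 0;
}

/* Classify the HelloRetryRequest selected_group against the ClientHello. */
hrr_group_result hrr_check_selected_group(uint16_t selected,
        const uint16_t *supported, size_t n_supported,
        const uint16_t *shared, size_t n_shared)
{
    if (!group_in_list(selected, supported, n_supported))
        return HRR_GROUP_NOT_OFFERED;
    if (group_in_list(selected, shared, n_shared))
        return HRR_GROUP_ALREADY_SHARED;
    return HRR_GROUP_OK;
}

/* Run the check against the constructed ClientHello above. */
hrr_group_result hrr_check_sample(uint16_t selected)
{
    return hrr_check_selected_group(selected,
        ch_supported, sizeof ch_supported / sizeof ch_supported[0],
        ch_shared, sizeof ch_shared / sizeof ch_shared[0]);
}
```

Either non-OK result is fatal to the handshake; the separate codes only let the log say which of the two checks failed.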