Use server's preferred key agreement

bwesterb · bwesterb · commit 85849707b899 · 2023-12-06T13:31:01.000+01:00
In contrast to upstream Go, we will send an HelloRetryRequest and accept an extra roundtrip if there is a more preferred group, than the one the client has provided a keyshare for in the initial ClientHello. Cf. https://datatracker.ietf.org/doc/draft-davidben-tls-key-share-prediction/
diff --git a/src/crypto/tls/handshake_server_test.go b/src/crypto/tls/handshake_server_test.go
@@ -1930,6 +1930,7 @@ func TestAESCipherReorderingTLS13(t *testing.T) {
 					supportedVersions:  []uint16{VersionTLS13},
 					compressionMethods: []uint8{compressionNone},
 					keyShares:          []keyShare{{group: X25519, data: pk.PublicKey().Bytes()}},
+					supportedCurves:    []CurveID{X25519},
 				},
 			}
 
diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
@@ -256,33 +256,32 @@ func (hs *serverHandshakeStateTLS13) processClientHello() error {
 		}
 	}
 
-	// Pick the ECDHE group in server preference order, but give priority to
-	// groups with a key share, to avoid a HelloRetryRequest round-trip.
+	// Pick group by server preference. In contrast to upstream Go, we will
+	// send an HelloRetryRequest and accept an extra roundtrip if there is
+	// a more preferred group, than those for which the client has sent
+	// a keyshare in the initial ClientHello.
+	// Cf. https://datatracker.ietf.org/doc/draft-davidben-tls-key-share-prediction/
 	var selectedGroup CurveID
 	var clientKeyShare *keyShare
 GroupSelection:
 	for _, preferredGroup := range supportedCurves {
-		for _, ks := range hs.clientHello.keyShares {
-			if ks.group == preferredGroup {
-				selectedGroup = ks.group
-				clientKeyShare = &ks
-				break GroupSelection
-			}
-		}
-		if selectedGroup != 0 {
-			continue
-		}
 		for _, group := range hs.clientHello.supportedCurves {
 			if group == preferredGroup {
 				selectedGroup = group
-				break
+				break GroupSelection
 			}
 		}
 	}
 	if selectedGroup == 0 {
 		c.sendAlert(alertHandshakeFailure)
 		return errors.New("tls: no ECDHE curve supported by both client and server")
 	}
+	for _, ks := range hs.clientHello.keyShares {
+		if ks.group == selectedGroup {
+			clientKeyShare = &ks
+			break
+		}
+	}
 	if clientKeyShare == nil {
 		if err := hs.doHelloRetryRequest(selectedGroup); err != nil {
 			return err

Original file line number	Diff line number	Diff line change
`@@ -1930,6 +1930,7 @@ func TestAESCipherReorderingTLS13(t *testing.T) {`
`1930`	`1930`	`supportedVersions: []uint16{VersionTLS13},`
`1931`	`1931`	`compressionMethods: []uint8{compressionNone},`
`1932`	`1932`	`keyShares: []keyShare{{group: X25519, data: pk.PublicKey().Bytes()}},`
	`1933`	`+ supportedCurves: []CurveID{X25519},`
`1933`	`1934`	`},`
`1934`	`1935`	`}`
`1935`	`1936`