
Commit c2a040c

bwesterbLekensteyn
authored andcommitted
Use server's preferred key agreement
In contrast to upstream Go, we will send a HelloRetryRequest and accept an extra round trip if there is a more preferred group than the one the client has provided a key share for in the initial ClientHello. Cf. https://datatracker.ietf.org/doc/draft-davidben-tls-key-share-prediction/
1 parent 5249464 commit c2a040c


2 files changed

+13
-13
lines changed


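--- a/src/crypto/tls/handshake_server_test.go
+++ b/src/crypto/tls/handshake_server_test.go
@@ -1932,6 +1932,7 @@ func TestAESCipherReorderingTLS13(t *testing.T) {
 supportedVersions: []uint16{VersionTLS13},
 compressionMethods: []uint8{compressionNone},
 keyShares: []keyShare{{group: X25519, data: pk.PublicKey().Bytes()}},
+supportedCurves: []CurveID{X25519},
 },
 }
 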
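--- a/src/crypto/tls/handshake_server_tls13.go
+++ b/src/crypto/tls/handshake_server_tls13.go
@@ -256,33 +256,32 @@ func (hs *serverHandshakeStateTLS13) processClientHello() error {
 }
 }
 
-// Pick the ECDHE group in server preference order, but give priority to
-// groups with a key share, to avoid a HelloRetryRequest round-trip.
+// Pick group by server preference. In contrast to upstream Go, we will
+// send an HelloRetryRequest and accept an extra roundtrip if there is
+// a more preferred group, than those for which the client has sent
+// a keyshare in the initial ClientHello.
+// Cf. https://datatracker.ietf.org/doc/draft-davidben-tls-key-share-prediction/
 var selectedGroup CurveID
 var clientKeyShare *keyShare
 GroupSelection:
 for _, preferredGroup := range supportedCurves {
-for _, ks := range hs.clientHello.keyShares {
-if ks.group == preferredGroup {
-selectedGroup = ks.group
-clientKeyShare = &ks
-break GroupSelection
-}
-}
-if selectedGroup != 0 {
-continue
-}
 for _, group := range hs.clientHello.supportedCurves {
 if group == preferredGroup {
 selectedGroup = group
-break
+break GroupSelection
 }
 }
 }
 if selectedGroup == 0 {
 c.sendAlert(alertHandshakeFailure)
 return errors.New("tls: no ECDHE curve supported by both client and server")
 }
+for _, ks := range hs.clientHello.keyShares {
+if ks.group == selectedGroup {
+clientKeyShare = &ks
+break
+}
+}
 if clientKeyShare == nil {
 if err := hs.doHelloRetryRequest(selectedGroup); err != nil {
 return err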
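Review bot: The new selection order silently tightens what the server accepts: `hs.clientHello.keyShares` is only consulted after a group has been chosen from the client's `supportedCurves`, so a key share whose group is absent from the client's supported_groups extension no longer matches at all, and such a client now fails with "no ECDHE curve supported by both client and server" rather than being served as before — the one-line fixture change in handshake_server_test.go (adding `supportedCurves: []CurveID{X25519}`) is the visible consequence. That is consistent with RFC 8446 §4.2.8, which forbids clients from offering key shares for groups not in supported_groups, but the comment should say so since the error message does not; I would add after the key-share loop `// A key share for a group not listed in supported_groups is deliberately ignored (RFC 8446, 4.2.8).`. The rewritten comment above `var selectedGroup` also reads awkwardly — "send an HelloRetryRequest ... a more preferred group, than those" should be "send a HelloRetryRequest ... a more preferred group than those". The enclosing processClientHello begins before and ends after this hunk, so whether doHelloRetryRequest rejects a second ClientHello that still lacks a share for selectedGroup is not visible here and should be confirmed.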
