Refactor the sending of server supported groups

Author: peterdettman

tls/src/main/java/org/bouncycastle/tls/TlsServerProtocol.java

@@ -319,6 +319,25 @@ protected ServerHello generate13ServerHello(ClientHello clientHello, HandshakeMe
 
         tlsServer.getServerExtensionsForConnection(serverEncryptedExtensions);
 
+        /*
+         * RFC 8446 4.2.7. As of TLS 1.3, servers are permitted to send the "supported_groups" extension to
+         * the client. [..] If the server has a group it prefers to the ones in the "key_share" extension
+         * but is still willing to accept the ClientHello, it SHOULD send "supported_groups" to update the
+         * client's view of its preferences; this extension SHOULD contain all groups the server supports,
+         * regardless of whether they are currently supported by the client.
+         */
+        if (!afterHelloRetryRequest)
+        {
+            int[] serverSupportedGroups = securityParameters.getServerSupportedGroups();
+
+            if (!TlsUtils.isNullOrEmpty(serverSupportedGroups) &&
+                clientShare.getNamedGroup() != serverSupportedGroups[0] &&
+                !serverEncryptedExtensions.containsKey(TlsExtensionsUtils.EXT_supported_groups))
+            {
+                TlsExtensionsUtils.addSupportedGroupsExtension(serverEncryptedExtensions, serverSupportedGroups);
+            }
+        }
+
         ProtocolVersion serverLegacyVersion = ProtocolVersion.TLSv12;
         TlsExtensionsUtils.addSupportedVersionsExtensionServer(serverHelloExtensions, serverVersion);
 
@@ -392,28 +411,6 @@ protected ServerHello generate13ServerHello(ClientHello clientHello, HandshakeMe
             TlsExtensionsUtils.addKeyShareServerHello(serverHelloExtensions, serverShare);
 
             sharedSecret = agreement.calculateSecret();
-
-            /*
-             * RFC 8446 4.2.7. As of TLS 1.3, servers are permitted to send the "supported_groups" extension to
-             * the client. Clients MUST NOT act upon any information found in "supported_groups" prior to
-             * successful completion of the handshake but MAY use the information learned from a successfully
-             * completed handshake to change what groups they use in their "key_share" extension in subsequent
-             * connections. If the server has a group it prefers to the ones in the "key_share" extension but is
-             * still willing to accept the ClientHello, it SHOULD send "supported_groups" to update the client's
-             * view of its preferences; this extension SHOULD contain all groups the server supports, regardless
-             * of whether they are currently supported by the client.
-             */
-            if (!afterHelloRetryRequest)
-            {
-                int[] serverSupportedGroups = securityParameters.getServerSupportedGroups();
-
-                if (!TlsUtils.isNullOrEmpty(serverSupportedGroups) &&
-                    namedGroup != serverSupportedGroups[0] &&
-                    !serverEncryptedExtensions.containsKey(TlsExtensionsUtils.EXT_supported_groups))
-                {
-                    TlsExtensionsUtils.addSupportedGroupsExtension(serverEncryptedExtensions, serverSupportedGroups);
-                }
-            }
         }
 
         TlsUtils.establish13PhaseSecrets(tlsServerContext, pskEarlySecret, sharedSecret);