TLS: negotiate group before looking for early share

peterdettman · peterdettman · commit 87f631790990 · 2025-05-27T10:29:02.000+07:00
diff --git a/tls/src/main/java/org/bouncycastle/tls/TlsServerProtocol.java b/tls/src/main/java/org/bouncycastle/tls/TlsServerProtocol.java
@@ -10,9 +10,6 @@
 
 import org.bouncycastle.tls.crypto.TlsAgreement;
 import org.bouncycastle.tls.crypto.TlsCrypto;
-import org.bouncycastle.tls.crypto.TlsDHConfig;
-import org.bouncycastle.tls.crypto.TlsECConfig;
-import org.bouncycastle.tls.crypto.TlsKemConfig;
 import org.bouncycastle.tls.crypto.TlsSecret;
 import org.bouncycastle.util.Arrays;
 
@@ -219,7 +216,7 @@ protected ServerHello generate13ServerHello(ClientHello clientHello, HandshakeMe
             }
             this.retryCookie = null;
 
-            clientShare = TlsUtils.selectKeyShare(clientShares, retryGroup);
+            clientShare = TlsUtils.getRetryKeyShare(clientShares, retryGroup);
             if (null == clientShare)
             {
                 throw new TlsFatalAlert(AlertDescription.illegal_parameter);
@@ -297,17 +294,18 @@ protected ServerHello generate13ServerHello(ClientHello clientHello, HandshakeMe
             int[] clientSupportedGroups = securityParameters.getClientSupportedGroups();
             int[] serverSupportedGroups = securityParameters.getServerSupportedGroups();
 
-            clientShare = TlsUtils.selectKeyShare(crypto, serverVersion, clientShares, clientSupportedGroups,
+            int selectedGroup = TlsUtils.selectKeyShareGroup(crypto, serverVersion, clientSupportedGroups,
                 serverSupportedGroups);
+            if (selectedGroup < 0)
+            {
+                throw new TlsFatalAlert(AlertDescription.handshake_failure);
+            }
+
+            clientShare = TlsUtils.findEarlyKeyShare(clientShares, selectedGroup);
 
             if (null == clientShare)
             {
-                this.retryGroup = TlsUtils.selectKeyShareGroup(crypto, serverVersion, clientSupportedGroups,
-                    serverSupportedGroups);
-                if (retryGroup < 0)
-                {
-                    throw new TlsFatalAlert(AlertDescription.handshake_failure);
-                }
+                this.retryGroup = selectedGroup;
 
                 this.retryCookie = tlsServerContext.getNonceGenerator().generateNonce(16);
 
diff --git a/tls/src/main/java/org/bouncycastle/tls/TlsUtils.java b/tls/src/main/java/org/bouncycastle/tls/TlsUtils.java
@@ -5449,37 +5449,30 @@ else if (NamedGroup.refersToASpecificKem(keyShareGroup))
         return null;
     }
 
-    static KeyShareEntry selectKeyShare(Vector clientShares, int keyShareGroup)
+    static KeyShareEntry findEarlyKeyShare(Vector clientShares, int keyShareGroup)
     {
-        if (null != clientShares && 1 == clientShares.size())
+        if (null != clientShares)
         {
-            KeyShareEntry clientShare = (KeyShareEntry)clientShares.elementAt(0);
-            if (null != clientShare && clientShare.getNamedGroup() == keyShareGroup)
+            for (int i = 0; i < clientShares.size(); ++i)
             {
-                return clientShare;
+                KeyShareEntry clientShare = (KeyShareEntry)clientShares.elementAt(i);
+                if (null != clientShare && clientShare.getNamedGroup() == keyShareGroup)
+                {
+                    return clientShare;
+                }
             }
         }
         return null;
     }
 
-    static KeyShareEntry selectKeyShare(TlsCrypto crypto, ProtocolVersion negotiatedVersion, Vector clientShares,
-        int[] clientSupportedGroups, int[] serverSupportedGroups)
+    static KeyShareEntry getRetryKeyShare(Vector clientShares, int keyShareGroup)
     {
-        if (null != clientShares && !isNullOrEmpty(clientSupportedGroups) && !isNullOrEmpty(serverSupportedGroups))
+        if (null != clientShares && 1 == clientShares.size())
         {
-            for (int i = 0; i < clientShares.size(); ++i)
+            KeyShareEntry clientShare = (KeyShareEntry)clientShares.elementAt(0);
+            if (null != clientShare && clientShare.getNamedGroup() == keyShareGroup)
             {
-                KeyShareEntry clientShare = (KeyShareEntry)clientShares.elementAt(i);
-
-                int group = clientShare.getNamedGroup();
-
-                if (NamedGroup.canBeNegotiated(group, negotiatedVersion) &&
-                    Arrays.contains(serverSupportedGroups, group) &&
-                    Arrays.contains(clientSupportedGroups, group) &&
-                    supportsKeyShareGroup(crypto, group))
-                {
-                    return clientShare;
-                }
+                return clientShare;
             }
         }
         return null;

Original file line number	Diff line number	Diff line change
`@@ -5449,37 +5449,30 @@ else if (NamedGroup.refersToASpecificKem(keyShareGroup))`
`5449`	`5449`	`return null;`
`5450`	`5450`	`}`
`5451`	`5451`
`5452`		`- static KeyShareEntry selectKeyShare(Vector clientShares, int keyShareGroup)`
	`5452`	`+ static KeyShareEntry findEarlyKeyShare(Vector clientShares, int keyShareGroup)`
`5453`	`5453`	`{`
`5454`		`- if (null != clientShares && 1 == clientShares.size())`
	`5454`	`+ if (null != clientShares)`
`5455`	`5455`	`{`
`5456`		`- KeyShareEntry clientShare = (KeyShareEntry)clientShares.elementAt(0);`
`5457`		`- if (null != clientShare && clientShare.getNamedGroup() == keyShareGroup)`
	`5456`	`+ for (int i = 0; i < clientShares.size(); ++i)`
`5458`	`5457`	`{`
`5459`		`- return clientShare;`
	`5458`	`+ KeyShareEntry clientShare = (KeyShareEntry)clientShares.elementAt(i);`
	`5459`	`+ if (null != clientShare && clientShare.getNamedGroup() == keyShareGroup)`
	`5460`	`+ {`
	`5461`	`+ return clientShare;`
	`5462`	`+ }`
`5460`	`5463`	`}`
`5461`	`5464`	`}`
`5462`	`5465`	`return null;`
`5463`	`5466`	`}`
`5464`	`5467`
`5465`		`- static KeyShareEntry selectKeyShare(TlsCrypto crypto, ProtocolVersion negotiatedVersion, Vector clientShares,`
`5466`		`- int[] clientSupportedGroups, int[] serverSupportedGroups)`
	`5468`	`+ static KeyShareEntry getRetryKeyShare(Vector clientShares, int keyShareGroup)`
`5467`	`5469`	`{`
`5468`		`- if (null != clientShares && !isNullOrEmpty(clientSupportedGroups) && !isNullOrEmpty(serverSupportedGroups))`
	`5470`	`+ if (null != clientShares && 1 == clientShares.size())`
`5469`	`5471`	`{`
`5470`		`- for (int i = 0; i < clientShares.size(); ++i)`
	`5472`	`+ KeyShareEntry clientShare = (KeyShareEntry)clientShares.elementAt(0);`
	`5473`	`+ if (null != clientShare && clientShare.getNamedGroup() == keyShareGroup)`
`5471`	`5474`	`{`
`5472`		`- KeyShareEntry clientShare = (KeyShareEntry)clientShares.elementAt(i);`
`5473`		`-`
`5474`		`- int group = clientShare.getNamedGroup();`
`5475`		`-`
`5476`		`- if (NamedGroup.canBeNegotiated(group, negotiatedVersion) &&`
`5477`		`- Arrays.contains(serverSupportedGroups, group) &&`
`5478`		`- Arrays.contains(clientSupportedGroups, group) &&`
`5479`		`- supportsKeyShareGroup(crypto, group))`
`5480`		`- {`
`5481`		`- return clientShare;`
`5482`		`- }`
	`5475`	`+ return clientShare;`
`5483`	`5476`	`}`
`5484`	`5477`	`}`
`5485`	`5478`	`return null;`