BCJSSE: optionally prefer server's supported_groups order

peterdettman · peterdettman · commit da49073f942e · 2025-05-27T19:07:05.000+07:00
- see BCSSLParameters.useNamedGroupsOrder property
diff --git a/tls/src/main/java/org/bouncycastle/jsse/BCSSLParameters.java b/tls/src/main/java/org/bouncycastle/jsse/BCSSLParameters.java
@@ -37,6 +37,7 @@ private static <T> List<T> copyList(Collection<T> list)
     private List<BCSNIServerName> serverNames;
     private List<BCSNIMatcher> sniMatchers;
     private boolean useCipherSuitesOrder;
+    private boolean useNamedGroupsOrder;
     private boolean enableRetransmissions = true;
     private int maximumPacketSize = 0;
     private String[] applicationProtocols = TlsUtils.EMPTY_STRINGS;
@@ -189,6 +190,16 @@ public void setUseCipherSuitesOrder(boolean useCipherSuitesOrder)
         this.useCipherSuitesOrder = useCipherSuitesOrder;
     }
 
+    public boolean getUseNamedGroupsOrder()
+    {
+        return useNamedGroupsOrder;
+    }
+
+    public void setUseNamedGroupsOrder(boolean useNamedGroupsOrder)
+    {
+        this.useNamedGroupsOrder = useNamedGroupsOrder;
+    }
+
     public boolean getEnableRetransmissions()
     {
         return enableRetransmissions;
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLParameters.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLParameters.java
@@ -40,6 +40,7 @@ private static <T> List<T> copyList(Collection<T> list)
     private List<BCSNIServerName> sniServerNames;
     private List<BCSNIMatcher> sniMatchers;
     private boolean useCipherSuitesOrder = false;
+    private boolean useNamedGroupsOrder = false;
     private boolean enableRetransmissions = true;
     private int maximumPacketSize = 0;
     private String[] applicationProtocols = TlsUtils.EMPTY_STRINGS;
@@ -69,6 +70,7 @@ ProvSSLParameters copy()
         p.sniServerNames = sniServerNames;
         p.sniMatchers = sniMatchers;
         p.useCipherSuitesOrder = useCipherSuitesOrder;
+        p.useNamedGroupsOrder = useNamedGroupsOrder;
         p.enableRetransmissions = enableRetransmissions;
         p.maximumPacketSize = maximumPacketSize;
         p.applicationProtocols = applicationProtocols;
@@ -214,6 +216,16 @@ public void setUseCipherSuitesOrder(boolean useCipherSuitesOrder)
         this.useCipherSuitesOrder = useCipherSuitesOrder;
     }
 
+    public boolean getUseNamedGroupsOrder()
+    {
+        return useNamedGroupsOrder;
+    }
+
+    public void setUseNamedGroupsOrder(boolean useNamedGroupsOrder)
+    {
+        this.useNamedGroupsOrder = useNamedGroupsOrder;
+    }
+
     public boolean getEnableRetransmissions()
     {
         return enableRetransmissions;
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsServer.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsServer.java
@@ -313,6 +313,12 @@ protected boolean preferLocalCipherSuites()
         return sslParameters.getUseCipherSuitesOrder();
     }
 
+    @Override
+    public boolean preferLocalSupportedGroups()
+    {
+        return sslParameters.getUseNamedGroupsOrder();
+    }
+
     @Override
     protected boolean selectCipherSuite(int cipherSuite) throws IOException
     {
diff --git a/tls/src/main/java/org/bouncycastle/tls/AbstractTlsServer.java b/tls/src/main/java/org/bouncycastle/tls/AbstractTlsServer.java
@@ -155,6 +155,11 @@ protected boolean preferLocalCipherSuites()
         return false;
     }
 
+    public boolean preferLocalSupportedGroups()
+    {
+        return false;
+    }
+
     protected boolean selectCipherSuite(int cipherSuite) throws IOException
     {
         this.selectedCipherSuite = cipherSuite;
diff --git a/tls/src/main/java/org/bouncycastle/tls/TlsServer.java b/tls/src/main/java/org/bouncycastle/tls/TlsServer.java
@@ -13,6 +13,8 @@
 public interface TlsServer
     extends TlsPeer
 {
+    boolean preferLocalSupportedGroups();
+
     void init(TlsServerContext context);
 
     /**
diff --git a/tls/src/main/java/org/bouncycastle/tls/TlsServerProtocol.java b/tls/src/main/java/org/bouncycastle/tls/TlsServerProtocol.java
@@ -293,9 +293,10 @@ protected ServerHello generate13ServerHello(ClientHello clientHello, HandshakeMe
 
             int[] clientSupportedGroups = securityParameters.getClientSupportedGroups();
             int[] serverSupportedGroups = securityParameters.getServerSupportedGroups();
+            boolean useServerOrder = tlsServer.preferLocalSupportedGroups();
 
             int selectedGroup = TlsUtils.selectKeyShareGroup(crypto, serverVersion, clientSupportedGroups,
-                serverSupportedGroups);
+                serverSupportedGroups, useServerOrder);
             if (selectedGroup < 0)
             {
                 throw new TlsFatalAlert(AlertDescription.handshake_failure);
diff --git a/tls/src/main/java/org/bouncycastle/tls/TlsUtils.java b/tls/src/main/java/org/bouncycastle/tls/TlsUtils.java
@@ -5479,19 +5479,22 @@ static KeyShareEntry getRetryKeyShare(Vector clientShares, int keyShareGroup)
     }
 
     static int selectKeyShareGroup(TlsCrypto crypto, ProtocolVersion negotiatedVersion,
-        int[] clientSupportedGroups, int[] serverSupportedGroups)
+        int[] clientSupportedGroups, int[] serverSupportedGroups, boolean useServerOrder)
     {
         if (!isNullOrEmpty(clientSupportedGroups) && !isNullOrEmpty(serverSupportedGroups))
         {
-            for (int i = 0; i < clientSupportedGroups.length; ++i)
+            int[] ordered = useServerOrder ? serverSupportedGroups : clientSupportedGroups;
+            int[] unordered = useServerOrder ? clientSupportedGroups : serverSupportedGroups;
+
+            for (int i = 0; i < ordered.length; ++i)
             {
-                int group = clientSupportedGroups[i];
+                int candidate = ordered[i];
 
-                if (NamedGroup.canBeNegotiated(group, negotiatedVersion) &&
-                    Arrays.contains(serverSupportedGroups, group) &&
-                    supportsKeyShareGroup(crypto, group))
+                if (Arrays.contains(unordered, candidate) &&
+                    NamedGroup.canBeNegotiated(candidate, negotiatedVersion) &&
+                    supportsKeyShareGroup(crypto, candidate))
                 {
-                    return group;
+                    return candidate;
                 }
             }
         }
diff --git a/tls/src/main/jdk1.5/org/bouncycastle/jsse/provider/SSLParametersUtil.java b/tls/src/main/jdk1.5/org/bouncycastle/jsse/provider/SSLParametersUtil.java
@@ -79,6 +79,7 @@ static BCSSLParameters getParameters(ProvSSLParameters prov)
         ssl.setServerNames(prov.getServerNames());
         ssl.setSNIMatchers(prov.getSNIMatchers());
         ssl.setUseCipherSuitesOrder(prov.getUseCipherSuitesOrder());
+        ssl.setUseNamedGroupsOrder(prov.getUseNamedGroupsOrder());
         ssl.setApplicationProtocols(prov.getApplicationProtocols());
         ssl.setEnableRetransmissions(prov.getEnableRetransmissions());
         ssl.setMaximumPacketSize(prov.getMaximumPacketSize());
@@ -180,6 +181,11 @@ static SSLParameters getSSLParameters(ProvSSLParameters prov)
 
         // Unsupported as of JDK 21
 
+//        if (null != setUseNamedGroupsOrder)
+//        {
+//            set(ssl, setUseNamedGroupsOrder, prov.getUseNamedGroupsOrder());
+//        }
+
 //        if (null != setSignatureSchemesCert)
 //        {
 //            set(ssl, setSignatureSchemesCert, prov.getSignatureSchemesCert());
@@ -286,6 +292,11 @@ static BCSSLParameters importSSLParameters(SSLParameters ssl)
 
         // Unsupported as of JDK 21
 
+//        if (null != getUseNamedGroupsOrder)
+//        {
+//            bc.setUseNamedGroupsOrder((Boolean)get(ssl, getUseNamedGroupsOrder));
+//        }
+
 //        if (null != getSignatureSchemesCert)
 //        {
 //            bc.setSignatureSchemesCert((String[])get(ssl, getSignatureSchemesCert));
@@ -344,6 +355,8 @@ static void setParameters(ProvSSLParameters prov, BCSSLParameters ssl)
 
         prov.setUseCipherSuitesOrder(ssl.getUseCipherSuitesOrder());
 
+        prov.setUseNamedGroupsOrder(ssl.getUseNamedGroupsOrder());
+
         String[] applicationProtocols = ssl.getApplicationProtocols();
         if (null != applicationProtocols)
         {
@@ -469,6 +482,11 @@ static void setSSLParameters(ProvSSLParameters prov, SSLParameters ssl)
 
         // Unsupported as of JDK 21
 
+//        if (null != getUseNamedGroupsOrder)
+//        {
+//            prov.setUseNamedGroupsOrder((Boolean)get(ssl, getUseNamedGroupsOrder));
+//        }
+        
 //        if (null != getSignatureSchemesCert)
 //        {
 //            prov.setSignatureSchemesCert((String[])get(ssl, getSignatureSchemesCert));
diff --git a/tls/src/main/jdk1.9/org/bouncycastle/jsse/provider/SSLParametersUtil.java b/tls/src/main/jdk1.9/org/bouncycastle/jsse/provider/SSLParametersUtil.java
@@ -50,6 +50,7 @@ static BCSSLParameters getParameters(ProvSSLParameters prov)
         ssl.setServerNames(prov.getServerNames());
         ssl.setSNIMatchers(prov.getSNIMatchers());
         ssl.setUseCipherSuitesOrder(prov.getUseCipherSuitesOrder());
+        ssl.setUseNamedGroupsOrder(prov.getUseNamedGroupsOrder());
         ssl.setApplicationProtocols(prov.getApplicationProtocols());
         ssl.setEnableRetransmissions(prov.getEnableRetransmissions());
         ssl.setMaximumPacketSize(prov.getMaximumPacketSize());
@@ -132,6 +133,11 @@ static SSLParameters getSSLParameters(ProvSSLParameters prov)
 
         // Unsupported as of JDK 21
 
+//        if (null != setUseNamedGroupsOrder)
+//        {
+//            set(ssl, setUseNamedGroupsOrder, prov.getUseNamedGroupsOrder());
+//        }
+
 //        if (null != setSignatureSchemesCert)
 //        {
 //            set(ssl, setSignatureSchemesCert, prov.getSignatureSchemesCert());
@@ -224,6 +230,11 @@ static BCSSLParameters importSSLParameters(SSLParameters ssl)
 
         // Unsupported as of JDK 21
 
+//        if (null != getUseNamedGroupsOrder)
+//        {
+//            bc.setUseNamedGroupsOrder((Boolean)get(ssl, getUseNamedGroupsOrder));
+//        }
+
 //        if (null != getSignatureSchemesCert)
 //        {
 //            bc.setSignatureSchemesCert((String[])get(ssl, getSignatureSchemesCert));
@@ -282,6 +293,8 @@ static void setParameters(ProvSSLParameters prov, BCSSLParameters ssl)
 
         prov.setUseCipherSuitesOrder(ssl.getUseCipherSuitesOrder());
 
+        prov.setUseNamedGroupsOrder(ssl.getUseNamedGroupsOrder());
+
         String[] applicationProtocols = ssl.getApplicationProtocols();
         if (null != applicationProtocols)
         {
@@ -393,6 +406,11 @@ static void setSSLParameters(ProvSSLParameters prov, SSLParameters ssl)
 
         // Unsupported as of JDK 21
 
+//        if (null != getUseNamedGroupsOrder)
+//        {
+//            prov.setUseNamedGroupsOrder((Boolean)get(ssl, getUseNamedGroupsOrder));
+//        }
+
 //        if (null != getSignatureSchemesCert)
 //        {
 //            prov.setSignatureSchemesCert((String[])get(ssl, getSignatureSchemesCert));

Original file line number	Diff line number	Diff line change
`@@ -313,6 +313,12 @@ protected boolean preferLocalCipherSuites()`
`313`	`313`	`return sslParameters.getUseCipherSuitesOrder();`
`314`	`314`	`}`
`315`	`315`
	`316`	`+ @Override`
	`317`	`+ public boolean preferLocalSupportedGroups()`
	`318`	`+ {`
	`319`	`+ return sslParameters.getUseNamedGroupsOrder();`
	`320`	`+ }`
	`321`	`+`
`316`	`322`	`@Override`
`317`	`323`	`protected boolean selectCipherSuite(int cipherSuite) throws IOException`
`318`	`324`	`{`
Original file line number	Diff line number	Diff line change
`@@ -155,6 +155,11 @@ protected boolean preferLocalCipherSuites()`
`155`	`155`	`return false;`
`156`	`156`	`}`
`157`	`157`
	`158`	`+ public boolean preferLocalSupportedGroups()`
	`159`	`+ {`
	`160`	`+ return false;`
	`161`	`+ }`
	`162`	`+`
`158`	`163`	`protected boolean selectCipherSuite(int cipherSuite) throws IOException`
`159`	`164`	`{`
`160`	`165`	`this.selectedCipherSuite = cipherSuite;`
Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,8 @@`
`13`	`13`	`public interface TlsServer`
`14`	`14`	`extends TlsPeer`
`15`	`15`	`{`
	`16`	`+ boolean preferLocalSupportedGroups();`
	`17`	`+`
`16`	`18`	`void init(TlsServerContext context);`
`17`	`19`
`18`	`20`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -5479,19 +5479,22 @@ static KeyShareEntry getRetryKeyShare(Vector clientShares, int keyShareGroup)`
`5479`	`5479`	`}`
`5480`	`5480`
`5481`	`5481`	`static int selectKeyShareGroup(TlsCrypto crypto, ProtocolVersion negotiatedVersion,`
`5482`		`- int[] clientSupportedGroups, int[] serverSupportedGroups)`
	`5482`	`+ int[] clientSupportedGroups, int[] serverSupportedGroups, boolean useServerOrder)`
`5483`	`5483`	`{`
`5484`	`5484`	`if (!isNullOrEmpty(clientSupportedGroups) && !isNullOrEmpty(serverSupportedGroups))`
`5485`	`5485`	`{`
`5486`		`- for (int i = 0; i < clientSupportedGroups.length; ++i)`
	`5486`	`+ int[] ordered = useServerOrder ? serverSupportedGroups : clientSupportedGroups;`
	`5487`	`+ int[] unordered = useServerOrder ? clientSupportedGroups : serverSupportedGroups;`
	`5488`	`+`
	`5489`	`+ for (int i = 0; i < ordered.length; ++i)`
`5487`	`5490`	`{`
`5488`		`- int group = clientSupportedGroups[i];`
	`5491`	`+ int candidate = ordered[i];`
`5489`	`5492`
`5490`		`- if (NamedGroup.canBeNegotiated(group, negotiatedVersion) &&`
`5491`		`- Arrays.contains(serverSupportedGroups, group) &&`
`5492`		`- supportsKeyShareGroup(crypto, group))`
	`5493`	`+ if (Arrays.contains(unordered, candidate) &&`
	`5494`	`+ NamedGroup.canBeNegotiated(candidate, negotiatedVersion) &&`
	`5495`	`+ supportsKeyShareGroup(crypto, candidate))`
`5493`	`5496`	`{`
`5494`		`- return group;`
	`5497`	`+ return candidate;`
`5495`	`5498`	`}`
`5496`	`5499`	`}`
`5497`	`5500`	`}`