TLS: 1.3 server may send supported_groups

peterdettman · peterdettman · commit dcdbca512459 · 2025-05-27T11:04:27.000+07:00
diff --git a/tls/src/main/java/org/bouncycastle/tls/TlsExtensionsUtils.java b/tls/src/main/java/org/bouncycastle/tls/TlsExtensionsUtils.java
@@ -250,6 +250,11 @@ public static void addSupportedGroupsExtension(Hashtable extensions, Vector name
         extensions.put(EXT_supported_groups, createSupportedGroupsExtension(namedGroups));
     }
 
+    public static void addSupportedGroupsExtension(Hashtable extensions, int[] namedGroups) throws IOException
+    {
+        extensions.put(EXT_supported_groups, createSupportedGroupsExtension(namedGroups));
+    }
+
     public static void addSupportedPointFormatsExtension(Hashtable extensions, short[] ecPointFormats)
         throws IOException
     {
@@ -934,6 +939,16 @@ public static byte[] createSupportedGroupsExtension(Vector namedGroups) throws I
         return TlsUtils.encodeUint16ArrayWithUint16Length(values);
     }
 
+    public static byte[] createSupportedGroupsExtension(int[] namedGroups) throws IOException
+    {
+        if (TlsUtils.isNullOrEmpty(namedGroups))
+        {
+            throw new TlsFatalAlert(AlertDescription.internal_error);
+        }
+
+        return TlsUtils.encodeUint16ArrayWithUint16Length(namedGroups);
+    }
+
     public static byte[] createSupportedPointFormatsExtension(short[] ecPointFormats) throws IOException
     {
         if (ecPointFormats == null || !Arrays.contains(ecPointFormats, ECPointFormat.uncompressed))
diff --git a/tls/src/main/java/org/bouncycastle/tls/TlsServerProtocol.java b/tls/src/main/java/org/bouncycastle/tls/TlsServerProtocol.java
@@ -311,22 +311,6 @@ protected ServerHello generate13ServerHello(ClientHello clientHello, HandshakeMe
 
                 return generate13HelloRetryRequest(clientHello);
             }
-
-            if (clientShare.getNamedGroup() != serverSupportedGroups[0])
-            {
-                /*
-                 * TODO[tls13] RFC 8446 4.2.7. As of TLS 1.3, servers are permitted to send the
-                 * "supported_groups" extension to the client. Clients MUST NOT act upon any
-                 * information found in "supported_groups" prior to successful completion of the
-                 * handshake but MAY use the information learned from a successfully completed
-                 * handshake to change what groups they use in their "key_share" extension in
-                 * subsequent connections. If the server has a group it prefers to the ones in the
-                 * "key_share" extension but is still willing to accept the ClientHello, it SHOULD
-                 * send "supported_groups" to update the client's view of its preferences; this
-                 * extension SHOULD contain all groups the server supports, regardless of whether
-                 * they are currently supported by the client.
-                 */
-            }
         }
 
 
@@ -408,6 +392,28 @@ protected ServerHello generate13ServerHello(ClientHello clientHello, HandshakeMe
             TlsExtensionsUtils.addKeyShareServerHello(serverHelloExtensions, serverShare);
 
             sharedSecret = agreement.calculateSecret();
+
+            /*
+             * RFC 8446 4.2.7. As of TLS 1.3, servers are permitted to send the "supported_groups" extension to
+             * the client. Clients MUST NOT act upon any information found in "supported_groups" prior to
+             * successful completion of the handshake but MAY use the information learned from a successfully
+             * completed handshake to change what groups they use in their "key_share" extension in subsequent
+             * connections. If the server has a group it prefers to the ones in the "key_share" extension but is
+             * still willing to accept the ClientHello, it SHOULD send "supported_groups" to update the client's
+             * view of its preferences; this extension SHOULD contain all groups the server supports, regardless
+             * of whether they are currently supported by the client.
+             */
+            if (!afterHelloRetryRequest)
+            {
+                int[] serverSupportedGroups = securityParameters.getServerSupportedGroups();
+
+                if (!TlsUtils.isNullOrEmpty(serverSupportedGroups) &&
+                    namedGroup != serverSupportedGroups[0] &&
+                    !serverEncryptedExtensions.containsKey(TlsExtensionsUtils.EXT_supported_groups))
+                {
+                    TlsExtensionsUtils.addSupportedGroupsExtension(serverEncryptedExtensions, serverSupportedGroups);
+                }
+            }
         }
 
         TlsUtils.establish13PhaseSecrets(tlsServerContext, pskEarlySecret, sharedSecret);
