runner: Only require a curve match in TLS 1.3 when doing key shares
The TLS-PAKE machinery will not use key shares. Moving this allows the
client to not send supported_groups when it doesn't need to.
Change-Id: I7291f6afc31d67bbfa6b810a945280bad1ac3ad6
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/75727
Commit-Queue: Adam Langley <agl@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index 3ba14e3..609ec80 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -590,22 +590,6 @@
hs.finishedHash.discardHandshakeBuffer()
hs.writeClientHash(hs.clientHello.marshal())
- supportedCurve := false
- var selectedCurve CurveID
- preferredCurves := config.curvePreferences()
- for _, curve := range hs.clientHello.supportedCurves {
- if slices.Contains(preferredCurves, curve) {
- supportedCurve = true
- selectedCurve = curve
- break
- }
- }
-
- if !supportedCurve {
- c.sendAlert(alertHandshakeFailure)
- return errors.New("tls: no curve supported by both client and server")
- }
-
pskIdentities := hs.clientHello.pskIdentities
pskKEModes := hs.clientHello.pskKEModes
@@ -724,8 +708,24 @@
helloRetryRequest.customExtension = config.Bugs.CustomHelloRetryRequestExtension
}
+ var selectedCurve CurveID
var selectedKeyShare *keyShareEntry
if hs.hello.hasKeyShare {
+ // Select the matching curve.
+ supportedCurve := false
+ preferredCurves := config.curvePreferences()
+ for _, curve := range hs.clientHello.supportedCurves {
+ if slices.Contains(preferredCurves, curve) {
+ supportedCurve = true
+ selectedCurve = curve
+ break
+ }
+ }
+ if !supportedCurve {
+ c.sendAlert(alertHandshakeFailure)
+ return errors.New("tls: no curve supported by both client and server")
+ }
+
// Look for the key share corresponding to our selected curve.
for i := range hs.clientHello.keyShares {
if hs.clientHello.keyShares[i].group == selectedCurve {
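Review bot: `selectedCurve` is declared at function scope (`var selectedCurve CurveID`) but is now assigned only inside the `if hs.hello.hasKeyShare` branch, so on the no-key-share path it silently stays the zero CurveID; any later use of it in this function outside that branch (for example when recording the negotiated group or when a HelloRetryRequest names a group) would see 0 rather than a negotiated curve. The enclosing handshake function starts and ends outside the hunk, so I cannot confirm whether such a use exists; if it does, gate it on `hs.hello.hasKeyShare` or on `selectedCurve != 0`. The loop also picks the first curve in the client's supported_groups order that the server accepts, so client preference wins over `config.curvePreferences()`; since the block now documents itself with `// Select the matching curve.`, it is worth stating both facts there: `// Select the matching curve, honoring the client's preference order. This only runs when a key share is used; otherwise selectedCurve stays zero and must not be relied on.`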