Go version
go version go1.21.6 linux/amd64
Output of go env
in your module/workspace:
GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/ueno/.cache/go-build'
GOENV='/home/ueno/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/ueno/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/ueno/go'
GOPRIVATE=''
GOPROXY='direct'
GOROOT='/usr/lib/golang'
GOSUMDB='off'
GOTMPDIR=''
GOTOOLCHAIN='local'
GOTOOLDIR='/usr/lib/golang/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.6'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2458375021=/tmp/go-build -gno-record-gcc-switches'
What did you do?
- Set up a simple TLS server backed by crypto/tls, following the instructions.
- Access the server offering "key_share" and "supported_groups" extensions with no overlap of EC groups, using a tlsfuzzer test script, for example:
  PYTHONPATH=. python ./scripts/test-tls13-obsolete-curves.py --relaxed -a handshake_failure 'secp192r1 in key_share and secp256r1 in supported_groups (inconsistent extensions)'
What did you see happen?
The server responds with a HelloRetryRequest.
What did you expect to see?
The server should abort the handshake with an illegal_parameter alert, as suggested in RFC 8446 4.2.8:
Clients MUST NOT offer any KeyShareEntry values for groups not listed in the client's "supported_groups" extension. Servers MAY check for violations of these rules and abort the handshake with an "illegal_parameter" alert if one is violated.
As this is a "MAY", it might not be a strict requirement for servers though.
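The server-side decision the report expects, written out as an added example; this is not Go's crypto/tls code and not the change in the linked CLs. CurveID, Decision and selectGroup are hypothetical names, the group codes are the IANA named-group values, and preferring a group the client already sent a share for over a HelloRetryRequest is this example's own design choice.

```go
package main

import "fmt"

type CurveID uint16 // named-group code, as in crypto/tls (IANA registry values)
const Secp192r1, Secp256r1, X25519 CurveID = 19, 23, 29

// Decision is the server's action after inspecting key_share and supported_groups.
type Decision int
const (
	AbortIllegalParameter Decision = iota // key_share group missing from supported_groups
	AbortHandshakeFailure                 // no group in common at all
	SendHelloRetryRequest                 // common group exists, but client sent no share for it
	Proceed                               // a usable key share was offered
)

// selectGroup applies the RFC 8446 4.2.8 check, then picks a group in server preference order.
func selectGroup(serverPrefs, supportedGroups, keyShareGroups []CurveID) (Decision, CurveID) {
	supported := make(map[CurveID]bool, len(supportedGroups))
	for _, g := range supportedGroups {
		supported[g] = true
	}
	offered := make(map[CurveID]bool, len(keyShareGroups))
	for _, g := range keyShareGroups {
		if !supported[g] { // inconsistent extensions: abort instead of retrying
			return AbortIllegalParameter, 0
		}
		offered[g] = true
	}
	var retry CurveID // first mutually supported group that lacks a key share
	for _, g := range serverPrefs {
		switch {
		case !supported[g]:
			continue
		case offered[g]: // a usable share is already here, no extra round trip
			return Proceed, g
		case retry == 0:
			retry = g
		}
	}
	if retry != 0 {
		return SendHelloRetryRequest, retry
	}
	return AbortHandshakeFailure, 0 // returned CurveID is 0 on every abort
}

func main() { // the issue's ClientHello: secp192r1 in key_share, only secp256r1 supported
	d, g := selectGroup([]CurveID{X25519, Secp256r1}, []CurveID{Secp256r1}, []CurveID{Secp192r1})
	fmt.Println(d, g) // 0 0, i.e. AbortIllegalParameter
}
```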
Comment From: thanm
@FiloSottile @rolandshoemaker @golang/security per owners
Comment From: gopherbot
Change https://go.dev/cl/586655 mentions this issue: crypto/tls: fix group selection logic
Comment From: gopherbot
Change https://go.dev/cl/594835 mentions this issue: crypto/tls: add support for -expect-no-hrr to bogo_shim_test