tls: report CurveIDs for TLS <1.2 kexes (#132)

src/crypto/tls/cfkem_test.go

@@ -31,7 +31,7 @@ func testHybridKEX(t *testing.T, scheme kem.Scheme, clientPQ, serverPQ,
 	}
 	clientConfig.CFEventHandler = func(ev CFEvent) {
 		switch e := ev.(type) {
-		case CFEventTLS13NegotiatedKEX:
+		case CFEventTLSNegotiatedNamedKEX:
 			clientSelectedKEX = &e.KEX
 		case CFEventTLS13HRR:
 			retry = true
@@ -75,31 +75,25 @@ func testHybridKEX(t *testing.T, scheme kem.Scheme, clientPQ, serverPQ,
 	var expectedKEX CurveID
 	var expectedRetry bool
 
-	if clientPQ && serverPQ {
+	if clientPQ && serverPQ && !clientTLS12 && !serverTLS12 {
 		expectedKEX = kemSchemeKeyToCurveID(scheme)
 	} else {
 		expectedKEX = X25519
 	}
-	if clientPQ && !serverPQ {
+	if !clientTLS12 && clientPQ && !serverPQ {
 		expectedRetry = true
 	}
 
-	if !serverTLS12 && !clientTLS12 {
-		if clientSelectedKEX == nil {
-			t.Error("No TLS 1.3 KEX happened?")
-		}
+	if clientSelectedKEX == nil {
+		t.Error("No KEX happened?")
+	}
 
-		if *clientSelectedKEX != expectedKEX {
-			t.Errorf("failed to negotiate: expected %d, got %d",
-				expectedKEX, *clientSelectedKEX)
-		}
-		if expectedRetry != retry {
-			t.Errorf("Expected retry=%v, got retry=%v", expectedRetry, retry)
-		}
-	} else {
-		if clientSelectedKEX != nil {
-			t.Error("TLS 1.3 KEX happened?")
-		}
+	if *clientSelectedKEX != expectedKEX {
+		t.Errorf("failed to negotiate: expected %d, got %d",
+			expectedKEX, *clientSelectedKEX)
+	}
+	if expectedRetry != retry {
+		t.Errorf("Expected retry=%v, got retry=%v", expectedRetry, retry)
 	}
 }
 

src/crypto/tls/handshake_client.go

@@ -582,6 +582,12 @@ func (hs *clientHandshakeState) doFullHandshake() error {
 			return err
 		}
 
+		if eccKex, ok := keyAgreement.(*ecdheKeyAgreement); ok {
+			c.handleCFEvent(CFEventTLSNegotiatedNamedKEX{
+				KEX: eccKex.params.CurveID(),
+			})
+		}
+
 		msg, err = c.readHandshake()
 		if err != nil {
 			return err

src/crypto/tls/handshake_client_tls13.go

@@ -518,7 +518,7 @@ func (hs *clientHandshakeStateTLS13) processServerHello() error {
 		return errors.New("tls: server selected unsupported group")
 	}
 
-	c.handleCFEvent(CFEventTLS13NegotiatedKEX{
+	c.handleCFEvent(CFEventTLSNegotiatedNamedKEX{
 		KEX: hs.serverHello.serverShare.group,
 	})
 

src/crypto/tls/handshake_server.go

@@ -638,6 +638,11 @@ func (hs *serverHandshakeState) doFullHandshake() error {
 		c.sendAlert(alertHandshakeFailure)
 		return err
 	}
+	if eccKex, ok := keyAgreement.(*ecdheKeyAgreement); ok {
+		c.handleCFEvent(CFEventTLSNegotiatedNamedKEX{
+			KEX: eccKex.params.CurveID(),
+		})
+	}
 	hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random)
 	if err := c.config.writeKeyLog(keyLogLabelTLS12, hs.clientHello.random, hs.masterSecret); err != nil {
 		c.sendAlert(alertInternalError)

src/crypto/tls/handshake_server_tls13.go

@@ -308,7 +308,7 @@ GroupSelection:
 	}
 
 	c.serverName = hs.clientHello.serverName
-	c.handleCFEvent(CFEventTLS13NegotiatedKEX{
+	c.handleCFEvent(CFEventTLSNegotiatedNamedKEX{
 		KEX: selectedGroup,
 	})
 

src/crypto/tls/tls_cf.go

@@ -219,14 +219,18 @@ func (e CFEventECHPublicNameMismatch) Name() string {
 	return "ech public name does not match outer sni"
 }
 
-// CFEventTLS13NegotiatedKEX is emitted when a key agreement mechanism has been
-// established.
-type CFEventTLS13NegotiatedKEX struct {
+// For backwards compatibility.
+type CFEventTLS13NegotiatedKEX = CFEventTLSNegotiatedNamedKEX
+
+// CFEventTLSNegotiatedNamedKEX is emitted when a key agreement mechanism has been
+// established that uses a named group. This includes all key agreements
+// in TLSv1.3, but excludes RSA and DH in TLS 1.2 and earlier.
+type CFEventTLSNegotiatedNamedKEX struct {
 	KEX CurveID
 }
 
-func (e CFEventTLS13NegotiatedKEX) Name() string {
-	return "CFEventTLS13NegotiatedKEX"
+func (e CFEventTLSNegotiatedNamedKEX) Name() string {
+	return "CFEventTLSNegotiatedNamedKEX"
 }
 
 // CFEventTLS13HRR is emitted when a HRR is sent or received