Ensure that ClientCurveGuess is a subsequence of CurvePreferences

src/crypto/tls/cfgo_test.go

@@ -5,5 +5,5 @@ package tls
 import "testing"
 
 func TestCfgoBuildTag(t *testing.T) {
-    t.Error("Build tag cfgo is expected to be set for this toolchain")
+	t.Error("Build tag cfgo is expected to be set for this toolchain")
 }

src/crypto/tls/handshake_client.go

@@ -154,6 +154,30 @@ func (c *Conn) makeClientHello(minVersion uint16) (*clientHelloMsg, clientKeySha
 
 		hello.keyShares = make([]keyShare, 0, len(curveIDs))
 
+		// Check whether ClientCurveGuess is a subsequence of CurvePreferences
+		// as is required by RFC8446 §4.2.8
+		offset := 0
+		curvePreferences := config.curvePreferences()
+		found := 0
+	CurveGuessCheck:
+		for _, curveID := range curveIDs {
+			for {
+				if offset == len(curvePreferences) {
+					break CurveGuessCheck
+				}
+
+				if curvePreferences[offset] == curveID {
+					found++
+					break
+				}
+
+				offset++
+			}
+		}
+		if found != len(curveIDs) {
+			return nil, nil, errors.New("tls: ClientCurveGuess not a subsequence of CurvePreferences")
+		}
+
 		for _, curveID := range curveIDs {
 			var (
 				singleSecret interface{}
@@ -164,17 +188,6 @@ func (c *Conn) makeClientHello(minVersion uint16) (*clientHelloMsg, clientKeySha
 				return nil, nil, errors.New("tls: ClientCurveGuess contains duplicate")
 			}
 
-			ok := false
-			for _, curveID2 := range config.curvePreferences() {
-				if curveID2 == curveID {
-					ok = true
-					break
-				}
-			}
-			if !ok {
-				return nil, nil, errors.New("tls: ClientCurveGuess contains curve not in CurvePreferences")
-			}
-
 			if scheme := curveIdToCirclScheme(curveID); scheme != nil {
 				pk, sk, err := generateKemKeyPair(scheme, curveID, config.rand())
 				if err != nil {