From 3e31621f571ccca134ceeb41602148ae4dce042c Mon Sep 17 00:00:00 2001
From: Filippo Valsorda
Date: Mon, 5 Dec 2016 12:15:16 -0500
Subject: [PATCH] crypto/tls: pick the first group the client sent a key share for

Fixes NCC-2016-002
---
 13.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/13.go b/13.go
index f50741d..f65237d 100644
--- a/13.go
+++ b/13.go
@@ -31,11 +31,12 @@ func (hs *serverHandshakeState) doTLS13Handshake() error {
 // that the client provided a keyShare for, so to avoid a round-trip.
 // After that the order of CurvePreferences is respected.
 var ks keyShare
+CurvePreferenceLoop:
 for _, curveID := range config.curvePreferences() {
 for _, keyShare := range hs.clientHello.keyShares {
 if curveID == keyShare.group {
 ks = keyShare
- break
+ break CurvePreferenceLoop
 }
 }
 }
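Review bot: The labeled break at `break CurvePreferenceLoop` corrects the group selection, but nothing in this commit pins it: the diffstat touches only 13.go, so a later refactor could quietly restore the old behaviour, where the plain `break` left only the inner loop and the last matching entry of `config.curvePreferences()` overwrote `ks`. A handshake test that offers key shares for two supported groups and asserts the server picks the higher-preference one would guard against that regression. The label also deserves a short comment, e.g. `// Outer loop runs in server preference order; leave both loops at the first match.` The hunk does not show what happens when no group matches and `ks` keeps its zero value, so confirm the code after the loop handles that case explicitly; doTLS13Handshake starts and ends outside the hunk.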