crypto/tls: simplify supported points handling to match BoringSSL

BoGo: PointFormat-Server-*

handshake_server.go

@@ -185,18 +185,20 @@ func (hs *serverHandshakeState) readClientHello() (isResume bool, err error) {
 	}
 	c.haveVers = true
 
-	supportedCurve := false
 	preferredCurves := c.config.curvePreferences()
 Curves:
 	for _, curve := range hs.clientHello.supportedCurves {
 		for _, supported := range preferredCurves {
 			if supported == curve {
-				supportedCurve = true
+				hs.ellipticOk = true
 				break Curves
 			}
 		}
 	}
 
+	// If present, the supported points extension must include uncompressed.
+	// Can be absent. This behavior mirrors BoringSSL.
+	if hs.clientHello.supportedPoints != nil {
 		supportedPointFormat := false
 		for _, pointFormat := range hs.clientHello.supportedPoints {
 			if pointFormat == pointFormatUncompressed {
@@ -204,9 +206,11 @@ Curves:
 				break
 			}
 		}
-	// TLS 1.3 has removed point format negotiation.
+		if !supportedPointFormat {
-	supportedPointFormat = supportedPointFormat || c.vers >= VersionTLS13
+			c.sendAlert(alertHandshakeFailure)
-	hs.ellipticOk = supportedCurve && supportedPointFormat
+			return false, errors.New("tls: client does not support uncompressed points")
+		}
+	}
 
 	foundCompression := false
 	// We only support null compression, so check that the client offered it.