From 52a1b66ad7b32e3d640f15a0b9bcad9ea0bf6c0e Mon Sep 17 00:00:00 2001
From: Alexey <247128645+axkurcom@users.noreply.github.com>
Date: Thu, 11 Jun 2026 23:12:52 +0300
Subject: [PATCH] Syntactic key shares for TLS-F

Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>
---
 Cargo.lock          |  2 +-
 Cargo.toml          |  2 +-
 src/protocol/tls.rs | 17 +++++++++++------
 3 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 7ec5f97..7cf05ef 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2938,7 +2938,7 @@ checksum = "7b2093cf4c8eb1e67749a6762251bc9cd836b6fc171623bd0a9d324d37af2417"
 
 [[package]]
 name = "telemt"
-version = "3.4.16"
+version = "3.4.17"
 dependencies = [
  "aes",
  "anyhow",
diff --git a/Cargo.toml b/Cargo.toml
index 1d09431..c03fdb1 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "telemt"
-version = "3.4.16"
+version = "3.4.17"
 edition = "2024"
 
 [features]
diff --git a/src/protocol/tls.rs b/src/protocol/tls.rs
index 5119805..e740b1a 100644
--- a/src/protocol/tls.rs
+++ b/src/protocol/tls.rs
@@ -638,14 +638,19 @@ fn build_server_hello_key_share_for_group(
     group: u16,
     rng: &SecureRandom,
 ) -> Option<ServerHelloKeyShare> {
+    let expected_key_exchange_len = client_hello_key_share_group_len(group)?;
+    client_hello_key_share_group_entry(handshake, group, expected_key_exchange_len)?;
+
+    // FakeTLS clients validate ServerHello shape and digest, not TLS traffic
+    // secrets, so the response must mirror the offered group without binding to
+    // the camouflage key bytes embedded in ClientHello.
     match group {
-        TLS_NAMED_GROUP_X25519MLKEM768 => {
-            let key_exchange = build_x25519mlkem768_server_key_share(handshake, rng)?;
-            Some(ServerHelloKeyShare::new(group, key_exchange))
-        }
+        TLS_NAMED_GROUP_X25519MLKEM768 => Some(ServerHelloKeyShare::new(
+            group,
+            gen_fake_x25519mlkem768_server_key_share(rng),
+        )),
         TLS_NAMED_GROUP_X25519 => {
-            let key_exchange = build_x25519_server_key_share(handshake, rng)?;
-            Some(ServerHelloKeyShare::new(group, key_exchange))
+            Some(ServerHelloKeyShare::new(group, gen_fake_x25519_key(rng).to_vec()))
         }
         _ => None,
     }