From 91d3cd71119b2e36dc26ecc0800059544e2a912c Mon Sep 17 00:00:00 2001
From: CallumMcLoughlin <59436970+CallumMcLoughlin@users.noreply.github.com>
Date: Sun, 28 Aug 2022 17:35:28 +1200
Subject: [PATCH 1/3] Allow Post Quantum Keyshare for DTLS 1.3
---
 src/tls13.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/tls13.c b/src/tls13.c
index be17481c4..7ab1d7ab0 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -10659,7 +10659,8 @@ int wolfSSL_UseKeyShare(WOLFSSL* ssl, word16 group)
 if (WOLFSSL_NAMED_GROUP_IS_PQC(group)) {
 if (ssl->ctx != NULL && ssl->ctx->method != NULL &&
- ssl->ctx->method->version.minor != TLSv1_3_MINOR) {
+ (ssl->ctx->method->version.minor != TLSv1_3_MINOR &&
+ ssl->ctx->method->version.minor != DTLSv1_3_MINOR)) {
 return BAD_FUNC_ARG;
 }
From 565d1b33e5c9a52a0c2752f5ea80f6ca29b08cd1 Mon Sep 17 00:00:00 2001
From: CallumMcLoughlin <59436970+CallumMcLoughlin@users.noreply.github.com>
Date: Tue, 30 Aug 2022 18:39:57 +1200
Subject: [PATCH 2/3] Update examples to allow post quantum KEM within DTLS 1.3
---
 examples/client/client.c | 4 ++--
 examples/server/server.c | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/examples/client/client.c b/examples/client/client.c
index 87d34e447..07784fb36 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -2838,8 +2838,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 fprintf(stderr,
 "WARNING: If a TLS 1.3 connection is not negotiated, you "
 "will not be using a post-quantum group.\n");
- else if (version != 4)
- err_sys("can only use post-quantum groups with TLS 1.3");
+ else if (version != 4 && version != -4)
+ err_sys("can only use post-quantum groups with TLS 1.3 or DTLS 1.3");
 }
 #endif
diff --git a/examples/server/server.c b/examples/server/server.c
index 1c652a393..504d013eb 100644
--- a/examples/server/server.c
+++ b/examples/server/server.c
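Review bot: In the `src/tls13.c` hunk of PATCH 1/3 the version gate for post-quantum groups fails open: when `ssl->ctx` or `ssl->ctx->method` is NULL the whole condition is false, so the PQC group is accepted without any protocol-version check. The added DTLS 1.3 comparison keeps that shape, and the PATCH 3/3 hunk on the same lines keeps both guards as well. If a missing context or method is possible at this point, rejecting it would be the safer default, e.g. `if (ssl->ctx == NULL || ssl->ctx->method == NULL ||` placed ahead of the two minor-version comparisons. The body of wolfSSL_UseKeyShare starts and ends outside the hunk, so an earlier check may already rule this case out.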
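Review bot: In the `examples/client/client.c` hunk, `version != 4 && version != -4` relies on bare literals whose meaning only the error string gives away (4 for TLS 1.3 and, apparently, -4 for DTLS 1.3); the same literals appear in both `examples/server/server.c` hunks (`version != -4` and `version == -4`). A short comment such as `/* version: 4 = TLS 1.3, -4 = DTLS 1.3 */`, or named constants, would make the accepted protocol set easy to audit. The warning string in the context lines above still speaks only of a TLS 1.3 connection; if that branch can also be reached with a DTLS downgrade setting, its wording should mention DTLS 1.3 as well. The client_test and server_test bodies extend beyond the hunks.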
@@ -2368,8 +2368,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 fprintf(stderr,
 "WARNING: If a TLS 1.3 connection is not negotiated, you "
 "will not be using a post-quantum group.\n");
- } else if (version != 4) {
- err_sys("can only use post-quantum groups with TLS 1.3");
+ } else if (version != 4 && version != -4) {
+ err_sys("can only use post-quantum groups with TLS 1.3 or DTLS 1.3");
 }
 }
 #endif
@@ -3104,7 +3104,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 #endif
 #if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
- if (version >= 4) {
+ if (version >= 4 || version == -4) {
 #ifdef CAN_FORCE_CURVE
 if (force_curve_group_id > 0) {
 do {
From 43388186bb47e18b79b4b66cc786e4e60936c5ee Mon Sep 17 00:00:00 2001
From: CallumMcLoughlin <59436970+CallumMcLoughlin@users.noreply.github.com>
Date: Tue, 30 Aug 2022 19:59:36 +1200
Subject: [PATCH 3/3] Tidy up TLS 1.3 and DTLS 1.3 check
---
 src/tls13.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/tls13.c b/src/tls13.c
index 7ab1d7ab0..7607ddb5d 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -10659,8 +10659,7 @@ int wolfSSL_UseKeyShare(WOLFSSL* ssl, word16 group)
 if (WOLFSSL_NAMED_GROUP_IS_PQC(group)) {
 if (ssl->ctx != NULL && ssl->ctx->method != NULL &&
- (ssl->ctx->method->version.minor != TLSv1_3_MINOR &&
- ssl->ctx->method->version.minor != DTLSv1_3_MINOR)) {
+ !IsAtLeastTLSv1_3(ssl->version)) {
 return BAD_FUNC_ARG;
 }
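Review bot: Switching the operand from `ssl->ctx->method->version` to `ssl->version` in the PATCH 3/3 `src/tls13.c` hunk changes which version the post-quantum gate consults, which the subject line ("Tidy up") does not convey. The hunk does not show whether the two can differ when wolfSSL_UseKeyShare is called, nor whether `IsAtLeastTLSv1_3` accepts DTLS 1.3 in every build configuration, so both are worth confirming and recording in a comment, for example `/* PQC groups require (D)TLS 1.3; checked against the session version */`. Because the test no longer reads the context, the `ssl->ctx` and `method` NULL guards no longer protect any dereference and the condition could be reduced to `if (!IsAtLeastTLSv1_3(ssl->version)) {`. The function body begins and ends outside the hunk, including whatever NULL check on `ssl` precedes this code.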