Incorporate DTLS review comments

Frauschi · Frauschi · commit ff819b00b111 · 2026-02-26T18:03:50.000+01:00
diff --git a/src/dtls.c b/src/dtls.c
@@ -829,8 +829,8 @@ static int SendStatelessReplyDtls13(const WOLFSSL* ssl, WolfSSL_CH* ch)
             * extension is present. */
             TLSX* ksExt = TLSX_Find(parsedExts, TLSX_KEY_SHARE);
             KeyShareEntry* kse = (KeyShareEntry*)ksExt->data;
-            if (WOLFSSL_NAMED_GROUP_IS_PQC(kse->group) ||
-                WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(kse->group)) {
+            if (kse != NULL && (WOLFSSL_NAMED_GROUP_IS_PQC(kse->group) ||
+                                WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(kse->group))){
                 /* Allow fragmentation of the second ClientHello due to the
                 * large PQC key share. */
                 wolfSSL_dtls13_allow_ch_frag((WOLFSSL*)ssl, 1);
diff --git a/src/tls.c b/src/tls.c
@@ -10272,7 +10272,19 @@ int TLSX_KeyShare_Parse_ClientHello(const WOLFSSL* ssl,
         offset += ret;
     }
 
-    if (ssl->hrr_keyshare_group != 0 && seenGroupsCnt > 0) {
+    if (ssl->hrr_keyshare_group != 0) {
+#ifdef WOLFSSL_DTLS
+        /* In case of stateless DTLSv1.3, the ssl->hrr_keyshare_group variable
+         * may already been set without further proceeding the handshake, so we
+         * never received the second ClientHello with the selected group.
+         * Hence, when we receive another ClientHello message with an empty key
+         * share, we do not consider that as an error here.
+         */
+        if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version) &&
+            !ssl->options.dtlsStateful && seenGroupsCnt == 0) {
+            return 0;
+        }
+#endif
         /*
          * https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.8
          *   when sending the new ClientHello, the client MUST
diff --git a/tests/api.c b/tests/api.c
@@ -29130,6 +29130,10 @@ static int test_dtls13_bad_epoch_ch(void)
     WOLFSSL *ssl_s = NULL;
     struct test_memio_ctx test_ctx;
     const int EPOCH_OFF = 3;
+    int groups[] = {
+        WOLFSSL_ECC_SECP256R1,
+        WOLFSSL_ECC_SECP384R1,
+    };
 
     XMEMSET(&test_ctx, 0, sizeof(test_ctx));
     ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
@@ -29139,6 +29143,9 @@ static int test_dtls13_bad_epoch_ch(void)
      *  with just one message */
     ExpectIntEQ(wolfSSL_disable_hrr_cookie(ssl_s), WOLFSSL_SUCCESS);
 
+    /* Set client groups to traditional only to avoid CH fragmentation */
+    ExpectIntEQ(wolfSSL_set_groups(ssl_c, groups, 2), WOLFSSL_SUCCESS);
+
     ExpectIntNE(wolfSSL_connect(ssl_c), WOLFSSL_SUCCESS);
     ExpectIntEQ(wolfSSL_get_error(ssl_c, WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)),
         WOLFSSL_ERROR_WANT_READ);
@@ -29161,9 +29168,6 @@ static int test_dtls13_bad_epoch_ch(void)
     /* resend the CH */
     ExpectIntEQ(wolfSSL_dtls_got_timeout(ssl_c), WOLFSSL_SUCCESS);
 
-    /* Re-enable HRR cookie to account for potential CH fragmentation */
-    ExpectIntEQ(wolfSSL_send_hrr_cookie(ssl_s, NULL, 0), WOLFSSL_SUCCESS);
-
     ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
 
     wolfSSL_free(ssl_c);
