[Bug]: Handshake failure when ClientHello contains multiple PQC/hybrid key shares

[bercj]

Contact Details

alessandro.bertea@rub.de

Version

5.9.1

Description

When a client sends multiple key shares that include a mix of hybrid PQC and pure ML-KEM (e.g. SecP384R1_MLKEM1024 + MLKEM1024), the server side handling in wolfSSL appears to be order-dependent and leads to handshake failure.

I tested two ClientHello key_share orderings:

** Case 1 **
key_share: [hybrid group, mlkem_group]

• Server selects hybrid group and sends its key_share in ServerHello
• Decryption of records on client side fail
• Evidence of state corruption: Debug logs show the derived KE Secret on the wolfSSL side is only 32 bytes long despite the server sending SecP384R1_MLKEM1024 as its key_share.

** Case 2 **
key_share: [mlkem_group, hybrid_group]

• Server outputs SSL_accept error -132, Buffer error, output too small or input too big
• Server terminates connection

Expected Behavior

• The server should parse all key shares safely
• The server should select a single key share preference
• It should perform the key exchange math only once, based on the selected group
• Behavior should be strictly independent of key share ordering

Suspected Root Cause
In TLSX_KeyShareEntry_Parse():
ret = TLSX_KeyShare_Use(ssl, group, keLen, ke, kse, extensions);

For PQC/hybrid groups on the server side, TLSX_KeyShare_Use() (or the block immediately preceding it) appears to perform the PQC encapsulation eagerly during the parsing phase. The resulting shared secret is written directly into the global handshake state.

Because there is no "final selection" phase that separates parsing from math execution, processing multiple PQC key shares causes wolfSSL to recompute and destructively overwrite previously computed cryptographic values and buffers

There does not appear to be a guard preventing multiple key shares from:

• Recomputing the shared secret
• Overwriting previously computed values

Reproduction steps

1. Configure wolfSSL with hybrid and pure ML-KEM enabled
2. Use the built-in test server
3. Send crafted ClientHello with multiple key shares:
   • One hybrid group (e.g. SecP384R1_MLKEM1024)
   • One pure PQC group (e.g. MLKEM1024)

Relevant log output

[cpsource]

Took a crack at this. Root-cause analysis, proposed fix, a self-contained reproducer, and an automated BEFORE/AFTER verification script are all below. (Queried gh first — no existing PR references this issue and no other issue mentions it.)

---

The bug

When a TLS 1.3 ClientHello contains more than one key share and any of
them is a post-quantum KEM (ML-KEM) or hybrid PQC group (e.g. both
SecP384R1_MLKEM1024 and MLKEM1024), the wolfSSL server corrupts its own
handshake state. The symptom depends on ordering:

• Hybrid then pure ML-KEM: server sends hybrid in ServerHello, but the
  client cannot decrypt handshake records. Debug logs show the server's
  KE Secret is only 32 bytes even though the selected group is
  SecP384R1_MLKEM1024 (which should produce an 80-byte shared secret:
  48 for P-384 + 32 for ML-KEM1024).
• Pure ML-KEM then hybrid: server emits
  SSL_accept error -132, Buffer error, output too small or input too big
  (BUFFER_E) and terminates.

Upstream status

Checked on 2026-04-23 with gh:

• Issue opened 2026-04-23 by bercj, no comments, no assignee,
  no linked PRs, no label-based triage beyond bug.
• gh pr list --repo wolfSSL/wolfssl --state all --search "10287" →
  no PRs reference this issue number (open or closed).
• gh search issues --repo wolfSSL/wolfssl --include-prs "10287" →
  only this issue itself surfaces. No other issue mentions it.
• Keyword searches for the affected functions
  (TLSX_KeyShareEntry_Parse, TLSX_KeyShare_HandlePqc) and
  phrases ("multiple key shares", "multiple key shares PQC") turn up
  no in-flight or landed work. The one historical hit is PR DTLS 1.3 stateless server ClientHello parsing #5910
  ("DTLS 1.3 stateless server ClientHello parsing", merged 2023),
  which is unrelated — it addresses the DTLS stateless cookie flow,
  not the eager-encap bug.

Conclusion: nothing upstream already addresses this. The patch in this
directory is the first concrete fix being offered.

Root cause

The reporter's diagnosis is correct. Reading src/tls.c:

Eager encapsulation during parse

TLSX_KeyShareEntry_Parse at src/tls.c:10365-10386:

#if defined(WOLFSSL_HAVE_MLKEM)
    if ((WOLFSSL_NAMED_GROUP_IS_PQC(group)
    #if !defined(WOLFSSL_ASYNC_CRYPT)
         || WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(group)
    #endif
        ) && ssl->options.side == WOLFSSL_SERVER_END) {
        /* When handling a key share containing a KEM public key on the server
         * end, we have to perform the encapsulation immediately ... */
        ke = (byte *)&input[offset];
    } else

The comment openly acknowledges it performs encapsulation immediately in
the parse loop. This then reaches TLSX_KeyShare_Use
(src/tls.c:11128-11164), which dispatches to
TLSX_KeyShare_HandlePqcKeyServer or TLSX_KeyShare_HandlePqcHybridKeyServer
right there — before the server has decided which group it will actually use.

Shared state gets clobbered

Both handlers write to ssl->arrays->preMasterSecret /
ssl->arrays->preMasterSz and set ssl->namedGroup
(src/tls.c:10767 and src/tls.c:11047). Per-entry state
(keyShareEntry->pubKey = ciphertext) is fine, but the singletons on
ssl get overwritten each iteration. Whichever PQC/hybrid entry is
processed last wins.

Selection happens afterwards, by server preference

Parse is followed by TLSX_KeyShare_Establish
(src/tls.c:11814) → TLSX_KeyShare_Choose (src/tls.c:11612), which uses
TLSX_KeyShare_GroupRank against the server's preference list, not the
client's order. So the selected group can differ from the last-parsed
group.

The concrete failure modes

• Case 1 (hybrid first, pure second): Choose picks hybrid (higher server
  rank). But preMasterSecret was last written by the pure-ML-KEM
  encapsulation (32 bytes). ServerHello correctly contains the hybrid
  ciphertext (from hybrid_kse->pubKey, which was stored per-entry). Client
  derives the hybrid 80-byte secret; server has the 32-byte pure-KEM
  secret. HKDF keys diverge. Record decryption fails on the client side.
  Exactly matches the reporter's observation.

• Case 2 (pure first, hybrid second): ssl->arrays->preMasterSz is left
  at 32 from the pure ML-KEM call. The hybrid handler then re-enters with
  stale state. At TLSX_KeyShare_HandlePqcHybridKeyServer:10920 the length
  check len != pubSz + ecc_kse->pubKeyLen or the
  preMasterSz + ssSzPqc > ENCRYPT_LEN guard at tls.c:11000 trips, or the
  ECDH processing writes past the short buffer — producing BUFFER_E
  (-132, "output too small or input too big"). The specific trip point
  varies by build config but all stem from the stale preMasterSz.

Secondary concern — DoS amplification

Independent of correctness, the eager design also means a client can force
the server to perform multiple expensive KEM encapsulations and ECDH
operations per ClientHello by listing several PQC/hybrid groups. Only one
is ever used. Low magnification but worth fixing.

Why the current design exists

The comment at tls.c:10371-10383 explains the author's rationale: they
wanted to avoid storing a copy of the large KEM public key (ML-KEM1024
pubkeys are 1568 bytes) by pointing directly into the inbound record buffer
and consuming the data immediately. That's a reasonable memory optimization
in the single-key-share case, but it paints the code into a corner the
moment more than one PQC-ish key share shows up. The async hybrid path
already deferred encapsulation to TLSX_KeyShare_Setup (see the
WOLFSSL_ASYNC_CRYPT branch at tls.c:11760-11764) — so the design
precedent for deferred encap is already in the codebase.

Proposed fix

Defer encapsulation of PQC/hybrid key shares to TLSX_KeyShare_Setup, so it
runs exactly once for exactly the group that TLSX_KeyShare_Choose picks.
Three touch points:

1. TLSX_KeyShareEntry_Parse — always malloc-and-copy the client's raw
   public key into keyShareEntry->ke, regardless of group. Drop the
   ke = &input[offset] shortcut. This costs one allocation per entry (for
   ML-KEM1024 that's 1568 bytes, tolerable) in exchange for correctness.

2. TLSX_KeyShare_Use — remove the server-side PQC/hybrid dispatch.
   The function becomes purely "store client pubkey or generate own
   keypair." No crypto output.

3. TLSX_KeyShare_Setup — for the chosen clientKSE, if the group is
   PQC or hybrid on the server side, call the existing handler
   (TLSX_KeyShare_HandlePqcKeyServer /
   TLSX_KeyShare_HandlePqcHybridKeyServer) with clientKSE->ke as input.
   This extends the existing async-hybrid pattern at
   tls.c:11760-11764 to cover non-async hybrid and non-async pure PQC.

After the fix:

• Parse is side-effect-free for ssl->arrays->preMasterSecret,
  ssl->namedGroup, and per-entry ciphertexts.
• TLSX_KeyShare_Choose picks by server preference over the full list.
• TLSX_KeyShare_Setup runs exactly one encapsulation, for the chosen
  group, writing exactly one shared secret to preMasterSecret.
• The existing async hybrid path now matches the rest; the special-case
  #if defined(WOLFSSL_ASYNC_CRYPT) conditional around hybrid encap
  disappears.

Caveats and risks

• Memory: one XMALLOC(keLen) per parsed PQC key share, freed when the
  extension list is torn down (TLSX_KeyShare_FreeAll). For ML-KEM1024
  that's 1568 bytes × N entries. N is bounded by
  MAX_KEYSHARE_NAMED_GROUPS, so worst-case is modest.
• WOLFSSL_MLKEM_NO_ENCAPSULATE build: the current eager block is
  guarded by !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE) in
  TLSX_KeyShare_Use:11128. After the fix the same guard must be applied
  in TLSX_KeyShare_Setup so this build configuration keeps compiling.
• Stateless parse (cookie extension): TLS 1.3 stateless parse invokes
  TLSX_KeyShareEntry_Parse without an ssl->arrays — confirmed by the
  existing code paths that test seenGroups != NULL before recording
  groups. The fix must preserve that the stateless path doesn't touch
  ssl->arrays. Since the fix removes writes to ssl->arrays from parse,
  the stateless path is strictly safer, not worse.
• HelloRetryRequest: after HRR the server clears prior state and
  re-parses the second ClientHello. Current code's eager encap is
  re-entered; with the fix, parse is side-effect-free and Setup still runs
  once. No regression.

Tests to add

Not yet included in the patch — rough sketch for follow-up:

1. Build a ClientHello in-memory with both SecP384R1_MLKEM1024 and
   MLKEM1024 in the key_share extension, in both orderings. Feed to a
   wolfSSL server via memio. Assert the server produces a valid
   ServerHello and the handshake completes (client can decrypt the
   EncryptedExtensions record).
2. Assert that after parsing a multi-PQC ClientHello (server side),
   ssl->arrays->preMasterSz == 0 — i.e. parse truly is side-effect-free.
3. Assert that exactly one call to wc_KyberKey_Encapsulate is made per
   handshake regardless of how many ML-KEM entries were in the ClientHello
   (via a crypto-callback mock or a counter).

Files touched by the proposed patch

• src/tls.c — three functions: TLSX_KeyShareEntry_Parse,
  TLSX_KeyShare_Use, TLSX_KeyShare_Setup.

See issue-10287.patch alongside this file.

Appendix — end-to-end verification

The reproducer in issue-10287-test.c now does the full TLS 1.3 client
side well enough to prove the fix works, not just reproduce the setup.

What the test does

1. Generates ephemeral client keys and keeps the private halves:
   one P-384 keypair and two independent ML-KEM 1024 keypairs (one to
   embed inside the hybrid key share, one for the pure key share).
2. Hand-builds a TLS 1.3 ClientHello that offers both groups in a
   caller-chosen order. The cipher-suite list is restricted to
   TLS_AES_128_GCM_SHA256 (0x1301) so the key schedule is fixed
   (SHA-256 / AES-128-GCM).
3. Sends the ClientHello over plain TCP to a running wolfSSL test
   server.
4. Parses the ServerHello, reads the chosen group and the server's
   key_exchange payload.
5. Computes the shared secret the TLS 1.3 key schedule expects:
   • For ML_KEM_1024: KEM-Decap(client_mlkem_priv, server_ct) — 32 bytes.
   • For SecP384R1_MLKEM1024: ECDH(client_p384_priv, server_p384_pub) || KEM-Decap(client_mlkem_priv, server_ct) — 48 + 32 = 80 bytes.
6. Runs the RFC 8446 §7.1 key schedule to derive the server's
   handshake AEAD key and IV:
   early_secret → derived → handshake_secret → s_hs_traffic → server_key / server_iv
   using wc_Tls13_HKDF_Extract and wc_Tls13_HKDF_Expand_Label with
   the transcript hash over ClientHello || ServerHello.
7. Skips the ChangeCipherSpec record (sequence number doesn't advance
   for plaintext records) and attempts AES-128-GCM decryption of the
   server's first AppData record using the derived server_key and
   server_iv (seq = 0).
8. PASS: decryption tag verifies and the plaintext's first
   handshake message is EncryptedExtensions (type 8).
   FAIL: tag mismatch or the server dropped the connection with an
   alert/BUFFER_E before sending any encrypted record.

Observed results

Running with --enable-mlkem --enable-tls-mlkem-standalone --enable-pqc-hybrids:

Scenario	Unpatched (buggy) server	Patched server
Case 1 (hybrid-first)	FAIL — ServerHello announced SecP384R1_MLKEM1024, AES-GCM tag mismatch (-180) on first encrypted record. Server had eagerly-encap'd both; preMasterSecret was overwritten by the pure-KEM result, so server's derived keys disagree with the 80-byte hybrid secret the client computes.	PASS — decrypted EncryptedExtensions cleanly.
Case 2 (pqc-first)	FAIL — server-side SSL_accept error -132, Buffer error, output too small or input too big, TCP connection dropped before any ServerHello. Exactly the symptom the reporter observed.	PASS — server picks ML_KEM_1024 (first in client order), decrypted EncryptedExtensions cleanly.

So the reproducer doesn't just show that the ClientHello is accepted —
it proves that the server's internal preMasterSecret is numerically
consistent with the chosen group's shared secret only after the patch.

Running the test harness

test.sh alongside this README automates the entire BEFORE/AFTER
verification. From the wolfSSL repo root:

./issue-10287/test.sh

What it does, in order:

1. Resets src/tls.c to the clean (unpatched) state via git checkout.
2. Runs ./configure --enable-mlkem --enable-tls-mlkem-standalone --enable-pqc-hybrids so both PQC groups are built in.
3. Builds wolfSSL, then compiles issue-10287-test.c against the
   in-tree libwolfssl.
4. BEFORE pass: starts ./examples/server/server -v 4 -p 11111, runs
   issue-10287-test --hybrid-first, pkills the server, starts a
   fresh server, runs issue-10287-test --pqc-first, pkills again.
   Both runs are expected to FAIL (the bug manifests).
5. Applies issue-10287.patch and rebuilds wolfSSL.
6. AFTER pass: same spawn / run / pkill dance for both orderings.
   Both runs are expected to PASS.
7. Prints a colored 4-line summary (BEFORE×AFTER × Case 1×Case 2).
8. On exit (success or failure), restores src/tls.c to whatever
   state it was in before the script ran — if the patch was applied
   beforehand, it gets re-applied and a final rebuild runs. This is
   done via a trap so even an early abort still cleans up.

Prerequisites:

• Run from a clone that has git available (the script uses
  git checkout, git apply).
• pkill / pgrep installed (standard on Linux).
• Port 11111 free.

Expected output (abbreviated):

==================== BEFORE (unpatched / buggy) — expected: both FAIL ====================
  --- Case 1 (hybrid-first) ---
  ... FAIL: AES-GCM decrypt returned -180 ...
  --- Case 2 (pqc-first) ---
  ... FAIL: server closed connection with no record
==================== AFTER (patched) — expected: both PASS ====================
  --- Case 1 (hybrid-first) ---
  ... PASS: decrypted server's first encrypted record ...
  --- Case 2 (pqc-first) ---
  ... PASS: decrypted server's first encrypted record ...
==================== Summary ====================
  BEFORE  hybrid-first : FAIL (expected)
  BEFORE  pqc-first    : FAIL (expected)
  AFTER   hybrid-first : PASS (expected)
  AFTER   pqc-first    : PASS (expected)
Overall: all four outcomes as expected.

Script exit status is 0 only when all four outcomes match expectation,
1 otherwise — so it can be used as a regression gate.

---

issue-10287.patch — 147-line fix in src/tls.c (three functions)

diff --git a/src/tls.c b/src/tls.c
index 0f6fd90f7..ecae4627a 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -10362,42 +10362,21 @@ static int TLSX_KeyShareEntry_Parse(const WOLFSSL* ssl, const byte* input,
         *seenGroupsCnt = i + 1;
     }
 
-#if defined(WOLFSSL_HAVE_MLKEM)
-    if ((WOLFSSL_NAMED_GROUP_IS_PQC(group)
-    #if !defined(WOLFSSL_ASYNC_CRYPT)
-         || WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(group)
-    #endif
-        ) && ssl->options.side == WOLFSSL_SERVER_END) {
-        /* When handling a key share containing a KEM public key on the server
-         * end, we have to perform the encapsulation immediately in order to
-         * send the resulting ciphertext back to the client in the ServerHello
-         * message. As the public key is not stored and we do not modify it, we
-         * don't have to create a copy of it.
-         * In case of a hybrid key exchange, the ECDH part is also performed
-         * immediately (to not split the generation of the master secret).
-         * Hence, we also don't have to store this public key either.
-         *
-         * When WOLFSSL_ASYNC_CRYPT is enabled, this handling is not possible
-         * for the hybrid case, as the ECC part is performed asynchronously,
-         * requiring the key share data to be stored.
-         */
-        ke = (byte *)&input[offset];
-    } else
-#endif
-    {
-        /* Store a copy in the key share object. */
-        ke = (byte*)XMALLOC(keLen, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
-        if (ke == NULL)
-            return MEMORY_E;
-        XMEMCPY(ke, &input[offset], keLen);
-    }
+    /* Store a copy of the client's raw key share in the entry. KEM/hybrid
+     * encapsulation on the server side used to run eagerly here, but that
+     * corrupted ssl->arrays->preMasterSecret and ssl->namedGroup when the
+     * ClientHello contained multiple PQC/hybrid key shares (issue #10287).
+     * Encapsulation is now deferred to TLSX_KeyShare_Setup(), which runs
+     * exactly once for the group TLSX_KeyShare_Choose() picks. */
+    ke = (byte*)XMALLOC(keLen, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
+    if (ke == NULL)
+        return MEMORY_E;
+    XMEMCPY(ke, &input[offset], keLen);
 
     /* Populate a key share object in the extension. */
     ret = TLSX_KeyShare_Use(ssl, group, keLen, ke, kse, extensions);
     if (ret != 0) {
-        if (ke != &input[offset]) {
-            XFREE(ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
-        }
+        XFREE(ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
         return ret;
     }
 
@@ -11125,44 +11104,10 @@ int TLSX_KeyShare_Use(const WOLFSSL* ssl, word16 group, word16 len, byte* data,
     }
 
 
-#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE)
-    if (ssl->options.side == WOLFSSL_SERVER_END &&
-            WOLFSSL_NAMED_GROUP_IS_PQC(group)) {
-        if (TLSX_IsGroupSupported(group)) {
-            ret = TLSX_KeyShare_HandlePqcKeyServer((WOLFSSL*)ssl,
-                                                   keyShareEntry,
-                                                   data, len,
-                                                   ssl->arrays->preMasterSecret,
-                                                   &ssl->arrays->preMasterSz);
-            if (ret != 0)
-                return ret;
-        }
-        else {
-            XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
-            keyShareEntry->ke = NULL;
-            keyShareEntry->keLen = 0;
-        }
-    }
-    else
-#if !defined(WOLFSSL_ASYNC_CRYPT)
-    if (ssl->options.side == WOLFSSL_SERVER_END &&
-             WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(group)) {
-        if (TLSX_IsGroupSupported(group)) {
-            ret = TLSX_KeyShare_HandlePqcHybridKeyServer((WOLFSSL*)ssl,
-                                                         keyShareEntry,
-                                                         data, len);
-            if (ret != 0)
-                return ret;
-        }
-        else {
-            XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
-            keyShareEntry->ke = NULL;
-            keyShareEntry->keLen = 0;
-        }
-    }
-    else
-#endif
-#endif
+    /* Server-side PQC / hybrid encapsulation used to run eagerly here,
+     * clobbering ssl->arrays->preMasterSecret when the ClientHello contained
+     * multiple PQC/hybrid entries (issue #10287). Deferred to
+     * TLSX_KeyShare_Setup(). */
     if (data != NULL) {
         XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
         keyShareEntry->ke = data;
@@ -11744,26 +11689,24 @@ int TLSX_KeyShare_Setup(WOLFSSL *ssl, KeyShareEntry* clientKSE)
         return ret;
 
     if (clientKSE->key == NULL) {
-#ifdef WOLFSSL_HAVE_MLKEM
-        if (WOLFSSL_NAMED_GROUP_IS_PQC(clientKSE->group)
-    #if !defined(WOLFSSL_ASYNC_CRYPT)
-            || WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(clientKSE->group)
-    #endif
-        ) {
-            /* Going to need the public key (AKA ciphertext). */
-            serverKSE->pubKey = clientKSE->pubKey;
-            clientKSE->pubKey = NULL;
-            serverKSE->pubKeyLen = clientKSE->pubKeyLen;
-            clientKSE->pubKeyLen = 0;
+#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE)
+        if (WOLFSSL_NAMED_GROUP_IS_PQC(clientKSE->group)) {
+            /* Encapsulate against the client's KEM public key. Writes the
+             * shared secret into ssl->arrays->preMasterSecret and the
+             * ciphertext into serverKSE->pubKey. */
+            ret = TLSX_KeyShare_HandlePqcKeyServer(ssl, serverKSE,
+                    clientKSE->ke, clientKSE->keLen,
+                    ssl->arrays->preMasterSecret,
+                    &ssl->arrays->preMasterSz);
         }
-        else
-    #if defined(WOLFSSL_ASYNC_CRYPT)
-        if (WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(clientKSE->group)) {
+        else if (WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(clientKSE->group)) {
+            /* Hybrid: run ECDH + KEM encap. Writes the concatenated
+             * shared secret into preMasterSecret and the concatenated
+             * server pubkey + KEM ciphertext into serverKSE->pubKey. */
             ret = TLSX_KeyShare_HandlePqcHybridKeyServer(ssl, serverKSE,
                     clientKSE->ke, clientKSE->keLen);
         }
         else
-    #endif
 #endif
         {
             ret = TLSX_KeyShare_GenKey(ssl, serverKSE);

issue-10287-test.c — self-contained TLS 1.3 reproducer that decrypts the server's first encrypted record

/* Reproducer for wolfSSL issue #10287.
 *
 *   "Handshake failure when ClientHello contains multiple PQC/hybrid
 *    key shares"
 *
 * What this test does:
 *
 *   1. Connects to a wolfSSL test server over plain TCP.
 *   2. Sends a hand-crafted TLS 1.3 ClientHello with two key_share
 *      entries (SecP384R1_MLKEM1024 and ML_KEM_1024) in a chosen order.
 *   3. Parses the ServerHello and reports which group the server chose.
 *   4. Runs the TLS 1.3 key schedule (RFC 8446 §7.1) on the client side
 *      using the saved ephemeral private keys:
 *          shared_secret = (ECDH || KEM-Decap)     for hybrid
 *                         = KEM-Decap              for pure ML-KEM
 *          early_secret     = HKDF-Extract(0, 0)
 *          derived          = Derive-Secret(early_secret, "derived", "")
 *          handshake_secret = HKDF-Extract(derived, shared_secret)
 *          s_hs_traffic     = Derive-Secret(handshake_secret,
 *                                           "s hs traffic",
 *                                           ClientHello || ServerHello)
 *          server_key       = HKDF-Expand-Label(s_hs_traffic, "key", "", 16)
 *          server_iv        = HKDF-Expand-Label(s_hs_traffic, "iv",  "", 12)
 *   5. Skips any ChangeCipherSpec record and attempts to AES-128-GCM
 *      decrypt the server's first Application Data record (the
 *      EncryptedExtensions flight) using server_key / server_iv.
 *   6. Reports PASS if decryption succeeds (the first plaintext byte
 *      must be 0x08 = EncryptedExtensions), FAIL if it doesn't.
 *
 * On a buggy server the ServerHello announces one group but
 * ssl->arrays->preMasterSecret was clobbered by a later eager encap, so
 * the server's derived keys disagree with what we compute here → decrypt
 * fails. On a patched server the shared secret matches → decrypt
 * succeeds.
 *
 * Usage:
 *     ./examples/server/server -v 4 -p 11111 &    # test server
 *     gcc issue-10287-test.c -lwolfssl -lm -o issue-10287-test
 *     ./issue-10287-test --hybrid-first
 *     ./issue-10287-test --pqc-first
 *
 * Restrictions:
 *   - Forces TLS_AES_128_GCM_SHA256 (0x1301) so the key schedule is
 *     fixed: SHA-256 / AES-128-GCM.
 *   - Does not complete the handshake; closes the TCP socket after
 *     decrypting (or failing to decrypt) the first AppData record.
 */

#include <wolfssl/options.h>
#include <wolfssl/ssl.h>
#include <wolfssl/wolfcrypt/aes.h>
#include <wolfssl/wolfcrypt/ecc.h>
#include <wolfssl/wolfcrypt/kdf.h>
#include <wolfssl/wolfcrypt/mlkem.h>
#include <wolfssl/wolfcrypt/random.h>
#include <wolfssl/wolfcrypt/sha256.h>
#include <wolfssl/wolfcrypt/types.h>

#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

#define DEFAULT_HOST "127.0.0.1"
#define DEFAULT_PORT 11111

#define GROUP_SECP384R1_MLKEM1024  0x11EDu
#define GROUP_ML_KEM_1024          0x0202u

#define P384_PUB_LEN        97
#define P384_SS_LEN         48
#define MLKEM1024_PUB_LEN   1568
#define MLKEM1024_CT_LEN    1568
#define MLKEM1024_SS_LEN    32
#define HYBRID_KE_LEN       (P384_PUB_LEN + MLKEM1024_PUB_LEN)  /* client pub */
#define HYBRID_CT_LEN       (P384_PUB_LEN + MLKEM1024_CT_LEN)    /* server key_exchange */

#define SHA256_LEN          32
#define AES128_KEY_LEN      16
#define AEAD_IV_LEN         12
#define AEAD_TAG_LEN        16

#define TLS_PROTOCOL       "tls13 "
#define TLS_PROTOCOL_LEN   6

/* ----------------- append-only byte buffer ----------------- */

typedef struct {
    unsigned char* data;
    size_t         len;
    size_t         cap;
} buf_t;

static int buf_reserve(buf_t* b, size_t add)
{
    if (b->len + add <= b->cap) return 0;
    size_t newcap = b->cap ? b->cap * 2 : 4096;
    while (newcap < b->len + add) newcap *= 2;
    unsigned char* p = realloc(b->data, newcap);
    if (!p) return -1;
    b->data = p; b->cap = newcap;
    return 0;
}
static int buf_u8 (buf_t* b, unsigned v)
    { if (buf_reserve(b,1)) return -1; b->data[b->len++] = (unsigned char)v; return 0; }
static int buf_u16(buf_t* b, unsigned v)
    { if (buf_reserve(b,2)) return -1;
      b->data[b->len++] = (unsigned char)(v >> 8);
      b->data[b->len++] = (unsigned char)(v     ); return 0; }
static int buf_u24(buf_t* b, unsigned v)
    { if (buf_reserve(b,3)) return -1;
      b->data[b->len++] = (unsigned char)(v >> 16);
      b->data[b->len++] = (unsigned char)(v >>  8);
      b->data[b->len++] = (unsigned char)(v      ); return 0; }
static int buf_bytes(buf_t* b, const void* p, size_t n)
    { if (buf_reserve(b,n)) return -1; memcpy(b->data + b->len, p, n); b->len += n; return 0; }
static void buf_fill_u16(buf_t* b, size_t mark)
    { size_t v = b->len - mark - 2;
      b->data[mark    ] = (unsigned char)(v >> 8);
      b->data[mark + 1] = (unsigned char)(v     ); }
static void buf_fill_u24(buf_t* b, size_t mark)
    { size_t v = b->len - mark - 3;
      b->data[mark    ] = (unsigned char)(v >> 16);
      b->data[mark + 1] = (unsigned char)(v >>  8);
      b->data[mark + 2] = (unsigned char)(v      ); }

/* ----------------- ephemeral keys (client side) ----------------- */

typedef struct {
    ecc_key   p384;                          /* private + public */
    MlKemKey* mlkem_hybrid;                  /* private for hybrid's KEM half */
    MlKemKey* mlkem_pure;                    /* private for pure KEM entry */
    unsigned char p384_pub      [P384_PUB_LEN];
    unsigned char mlkem_hybrid_pub[MLKEM1024_PUB_LEN];
    unsigned char mlkem_pure_pub  [MLKEM1024_PUB_LEN];
    int p384_inited;
} ephemeral_keys_t;

static int gen_keys(ephemeral_keys_t* k, WC_RNG* rng)
{
    memset(k, 0, sizeof(*k));

    if (wc_ecc_init(&k->p384) != 0) return -1;
    k->p384_inited = 1;
    /* Attach the RNG so wc_ecc_shared_secret doesn't fail with
     * MISSING_RNG_E when it does side-channel-resistant scalar mult. */
    if (wc_ecc_set_rng(&k->p384, rng) != 0) return -1;
    if (wc_ecc_make_key_ex(rng, 48, &k->p384, ECC_SECP384R1) != 0) return -1;
    word32 p384_len = P384_PUB_LEN;
    if (wc_ecc_export_x963(&k->p384, k->p384_pub, &p384_len) != 0) return -1;
    if (p384_len != P384_PUB_LEN) return -1;

    k->mlkem_hybrid = wc_MlKemKey_New(WC_ML_KEM_1024, NULL, INVALID_DEVID);
    if (!k->mlkem_hybrid) return -1;
    if (wc_MlKemKey_MakeKey(k->mlkem_hybrid, rng) != 0) return -1;
    if (wc_MlKemKey_EncodePublicKey(k->mlkem_hybrid, k->mlkem_hybrid_pub,
                                    MLKEM1024_PUB_LEN) != 0) return -1;

    k->mlkem_pure = wc_MlKemKey_New(WC_ML_KEM_1024, NULL, INVALID_DEVID);
    if (!k->mlkem_pure) return -1;
    if (wc_MlKemKey_MakeKey(k->mlkem_pure, rng) != 0) return -1;
    if (wc_MlKemKey_EncodePublicKey(k->mlkem_pure, k->mlkem_pure_pub,
                                    MLKEM1024_PUB_LEN) != 0) return -1;
    return 0;
}

static void free_keys(ephemeral_keys_t* k)
{
    if (k->p384_inited)   wc_ecc_free(&k->p384);
    if (k->mlkem_hybrid)  wc_MlKemKey_Delete(k->mlkem_hybrid, NULL);
    if (k->mlkem_pure)    wc_MlKemKey_Delete(k->mlkem_pure,   NULL);
}

/* ----------------- ClientHello construction ----------------- */

/* Returns the byte offset in `ch` where the Handshake body starts (after
 * the 5-byte TLS record header). The caller uses this offset when
 * building the transcript hash. */
static int build_client_hello(buf_t* ch, const ephemeral_keys_t* k,
                              int pqc_first, WC_RNG* rng,
                              size_t* out_hs_offset)
{
    unsigned char random[32];
    if (wc_RNG_GenerateBlock(rng, random, sizeof(random)) != 0) return -1;

    /* Record header. */
    if (buf_u8 (ch, 22))      return -1;
    if (buf_u16(ch, 0x0301))  return -1;
    size_t rec_len_mark = ch->len;
    if (buf_u16(ch, 0))       return -1;

    /* Handshake header. The handshake body (msg_type .. end) is what's
     * used for transcript_hash. */
    *out_hs_offset = ch->len;
    if (buf_u8 (ch, 1))       return -1;      /* client_hello */
    size_t hs_len_mark = ch->len;
    if (buf_u24(ch, 0))       return -1;

    /* Body. */
    if (buf_u16(ch, 0x0303))                   return -1;
    if (buf_bytes(ch, random, sizeof(random))) return -1;
    if (buf_u8(ch, 0))                         return -1;

    /* cipher_suites: force TLS_AES_128_GCM_SHA256 only. */
    if (buf_u16(ch, 2))            return -1;
    if (buf_u16(ch, 0x1301))       return -1;

    /* legacy_compression_methods */
    if (buf_u8(ch, 1))             return -1;
    if (buf_u8(ch, 0))             return -1;

    /* extensions */
    size_t ext_len_mark = ch->len;
    if (buf_u16(ch, 0))            return -1;

    /* supported_versions [43] = 0x0304 */
    if (buf_u16(ch, 43))           return -1;
    if (buf_u16(ch, 3))            return -1;
    if (buf_u8 (ch, 2))            return -1;
    if (buf_u16(ch, 0x0304))       return -1;

    /* supported_groups [10]: both */
    if (buf_u16(ch, 10))                          return -1;
    if (buf_u16(ch, 6))                           return -1;
    if (buf_u16(ch, 4))                           return -1;
    if (buf_u16(ch, GROUP_SECP384R1_MLKEM1024))   return -1;
    if (buf_u16(ch, GROUP_ML_KEM_1024))           return -1;

    /* signature_algorithms [13] */
    if (buf_u16(ch, 13))           return -1;
    if (buf_u16(ch, 12))           return -1;
    if (buf_u16(ch, 10))           return -1;
    if (buf_u16(ch, 0x0804))       return -1;
    if (buf_u16(ch, 0x0403))       return -1;
    if (buf_u16(ch, 0x0503))       return -1;
    if (buf_u16(ch, 0x0401))       return -1;
    if (buf_u16(ch, 0x0501))       return -1;

    /* psk_key_exchange_modes [45] */
    if (buf_u16(ch, 45))           return -1;
    if (buf_u16(ch, 2))            return -1;
    if (buf_u8 (ch, 1))            return -1;
    if (buf_u8 (ch, 1))            return -1;

    /* key_share [51] */
    if (buf_u16(ch, 51))           return -1;
    size_t ks_ext_len_mark = ch->len;
    if (buf_u16(ch, 0))            return -1;
    size_t ks_list_len_mark = ch->len;
    if (buf_u16(ch, 0))            return -1;

    /* entry: pure ML-KEM */
    #define APPEND_PURE()                                              \
        do {                                                           \
            if (buf_u16(ch, GROUP_ML_KEM_1024))          return -1;    \
            if (buf_u16(ch, MLKEM1024_PUB_LEN))          return -1;    \
            if (buf_bytes(ch, k->mlkem_pure_pub,                       \
                          MLKEM1024_PUB_LEN))            return -1;    \
        } while (0)
    /* entry: hybrid (ECC first, per pqc_first=0) */
    #define APPEND_HYBRID()                                            \
        do {                                                           \
            if (buf_u16(ch, GROUP_SECP384R1_MLKEM1024))  return -1;    \
            if (buf_u16(ch, HYBRID_KE_LEN))              return -1;    \
            if (buf_bytes(ch, k->p384_pub, P384_PUB_LEN))return -1;    \
            if (buf_bytes(ch, k->mlkem_hybrid_pub,                     \
                          MLKEM1024_PUB_LEN))            return -1;    \
        } while (0)

    if (pqc_first) { APPEND_PURE();   APPEND_HYBRID(); }
    else           { APPEND_HYBRID(); APPEND_PURE();   }

    #undef APPEND_PURE
    #undef APPEND_HYBRID

    buf_fill_u16(ch, ks_list_len_mark);
    buf_fill_u16(ch, ks_ext_len_mark);
    buf_fill_u16(ch, ext_len_mark);
    buf_fill_u24(ch, hs_len_mark);
    buf_fill_u16(ch, rec_len_mark);
    return 0;
}

/* ----------------- socket I/O ----------------- */

static int connect_tcp(const char* host, int port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) { perror("socket"); return -1; }
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port   = htons(port);
    if (inet_pton(AF_INET, host, &sa.sin_addr) != 1) {
        fprintf(stderr, "invalid host: %s\n", host);
        close(fd); return -1;
    }
    if (connect(fd, (struct sockaddr*)&sa, sizeof(sa)) < 0) {
        perror("connect"); close(fd); return -1;
    }
    struct timeval tv = { .tv_sec = 5, .tv_usec = 0 };
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
    return fd;
}

static int send_all(int fd, const unsigned char* p, size_t n)
{
    while (n) {
        ssize_t w = send(fd, p, n, 0);
        if (w <= 0) { perror("send"); return -1; }
        p += w; n -= w;
    }
    return 0;
}

static ssize_t read_record(int fd, unsigned char* out, size_t cap)
{
    unsigned char hdr[5];
    size_t got = 0;
    while (got < 5) {
        ssize_t r = recv(fd, hdr + got, 5 - got, 0);
        if (r <= 0) return r;
        got += r;
    }
    size_t rlen = ((size_t)hdr[3] << 8) | hdr[4];
    if (5 + rlen > cap) { fprintf(stderr, "record too big: %zu\n", rlen); return -1; }
    memcpy(out, hdr, 5);
    got = 0;
    while (got < rlen) {
        ssize_t r = recv(fd, out + 5 + got, rlen - got, 0);
        if (r <= 0) return r;
        got += r;
    }
    return (ssize_t)(5 + rlen);
}

/* ----------------- ServerHello parse ----------------- */

typedef struct {
    unsigned       group;
    unsigned       cipher;
    const unsigned char* key_exchange;   /* into record buffer */
    size_t               key_exchange_len;
} server_hello_t;

static int parse_server_hello(const unsigned char* rec, size_t rec_len,
                              server_hello_t* sh)
{
    if (rec_len < 5 + 4) return -1;
    if (rec[0] != 22)    return -1;

    const unsigned char* hs  = rec + 5;
    size_t hs_len = ((size_t)hs[1] << 16) | ((size_t)hs[2] << 8) | hs[3];
    if (hs[0] != 2 || 4 + hs_len > rec_len - 5) return -1;

    const unsigned char* p   = hs + 4;
    const unsigned char* end = hs + 4 + hs_len;

    p += 2;  /* legacy_version */
    p += 32; /* random */
    if (p >= end) return -1;
    unsigned sid_len = *p++;
    p += sid_len;
    if (p + 2 > end) return -1;
    sh->cipher = ((unsigned)p[0] << 8) | p[1];
    p += 2;
    p += 1;  /* compression method */
    if (p + 2 > end) return -1;
    unsigned ext_total = ((unsigned)p[0] << 8) | p[1];
    p += 2;

    const unsigned char* ep   = p;
    const unsigned char* eend = p + ext_total;
    sh->group = 0;
    sh->key_exchange = NULL;
    sh->key_exchange_len = 0;

    while (ep + 4 <= eend) {
        unsigned type = ((unsigned)ep[0] << 8) | ep[1];
        unsigned elen = ((unsigned)ep[2] << 8) | ep[3];
        ep += 4;
        if (ep + elen > eend) break;
        if (type == 51) {            /* key_share */
            if (elen < 4) return -1;
            sh->group = ((unsigned)ep[0] << 8) | ep[1];
            unsigned ke_len = ((unsigned)ep[2] << 8) | ep[3];
            if (4 + ke_len > elen)  return -1;
            sh->key_exchange     = ep + 4;
            sh->key_exchange_len = ke_len;
        }
        ep += elen;
    }
    return 0;
}

/* ----------------- compute shared secret ----------------- */

static int compute_shared_secret(ephemeral_keys_t* k,
                                 const server_hello_t* sh,
                                 unsigned char* ss, size_t* ss_len)
{
    if (sh->group == GROUP_ML_KEM_1024) {
        if (sh->key_exchange_len != MLKEM1024_CT_LEN) {
            fprintf(stderr, "bad pure-KEM ct len: %zu\n",
                sh->key_exchange_len);
            return -1;
        }
        int ret = wc_MlKemKey_Decapsulate(k->mlkem_pure, ss,
                        sh->key_exchange, MLKEM1024_CT_LEN);
        if (ret != 0) return ret;
        *ss_len = MLKEM1024_SS_LEN;
        return 0;
    }
    if (sh->group == GROUP_SECP384R1_MLKEM1024) {
        if (sh->key_exchange_len != HYBRID_CT_LEN) {
            fprintf(stderr, "bad hybrid ct len: %zu\n",
                sh->key_exchange_len);
            return -1;
        }
        /* Layout is ecc-first (pqc_first=0 for SecP384R1_MLKEM1024): the
         * server's ECC public key comes first, then the KEM ciphertext. */
        const unsigned char* server_p384 = sh->key_exchange;
        const unsigned char* server_ct   = sh->key_exchange + P384_PUB_LEN;

        ecc_key peer;
        int ret = wc_ecc_init(&peer);
        if (ret != 0) { fprintf(stderr, "  wc_ecc_init: %d\n", ret); return ret; }
        ret = wc_ecc_import_x963_ex(server_p384, P384_PUB_LEN, &peer,
                                    ECC_SECP384R1);
        if (ret != 0) { fprintf(stderr, "  wc_ecc_import_x963_ex: %d\n", ret); }
        if (ret == 0) {
            word32 outSz = P384_SS_LEN;
            ret = wc_ecc_shared_secret(&k->p384, &peer, ss, &outSz);
            if (ret != 0) { fprintf(stderr, "  wc_ecc_shared_secret: %d\n", ret); }
            if (ret == 0 && outSz != P384_SS_LEN) {
                fprintf(stderr, "  p384 outSz unexpected: %u\n", outSz);
                ret = -1;
            }
        }
        wc_ecc_free(&peer);
        if (ret != 0) return ret;

        ret = wc_MlKemKey_Decapsulate(k->mlkem_hybrid,
                    ss + P384_SS_LEN, server_ct, MLKEM1024_CT_LEN);
        if (ret != 0) { fprintf(stderr, "  wc_MlKemKey_Decapsulate: %d\n", ret); return ret; }

        *ss_len = P384_SS_LEN + MLKEM1024_SS_LEN;   /* 48 + 32 = 80 */
        return 0;
    }
    fprintf(stderr, "unexpected chosen group 0x%04x\n", sh->group);
    return -1;
}

/* ----------------- TLS 1.3 key schedule (RFC 8446 §7.1) ----------------- */

static int hkdf_expand_label(const unsigned char* prk, word32 prk_len,
                             const char* label,
                             const unsigned char* info, word32 info_len,
                             unsigned char* out, word32 out_len)
{
    return wc_Tls13_HKDF_Expand_Label(
        out, out_len,
        prk, prk_len,
        (const byte*)TLS_PROTOCOL, TLS_PROTOCOL_LEN,
        (const byte*)label, (word32)strlen(label),
        info, info_len,
        WC_SHA256);
}

static int derive_secret(const unsigned char* prk, const char* label,
                         const unsigned char* messages, size_t messages_len,
                         unsigned char out[SHA256_LEN])
{
    unsigned char hash[SHA256_LEN];
    int ret = wc_Sha256Hash(messages, (word32)messages_len, hash);
    if (ret != 0) return ret;
    return hkdf_expand_label(prk, SHA256_LEN, label, hash, SHA256_LEN,
                             out, SHA256_LEN);
}

static int derive_server_handshake(const unsigned char* shared_secret,
                                   size_t ss_len,
                                   const unsigned char* ch_body,
                                   size_t ch_body_len,
                                   const unsigned char* sh_body,
                                   size_t sh_body_len,
                                   unsigned char server_key[AES128_KEY_LEN],
                                   unsigned char server_iv [AEAD_IV_LEN])
{
    unsigned char zero[SHA256_LEN] = {0};
    unsigned char early_secret     [SHA256_LEN];
    unsigned char derived          [SHA256_LEN];
    unsigned char handshake_secret [SHA256_LEN];
    unsigned char s_hs_traffic     [SHA256_LEN];
    int ret;

    /* early_secret = HKDF-Extract(salt=0, IKM=0) */
    ret = wc_Tls13_HKDF_Extract(early_secret,
              zero, SHA256_LEN, zero, SHA256_LEN, WC_SHA256);
    if (ret != 0) return ret;

    /* derived = Derive-Secret(early_secret, "derived", "") */
    ret = derive_secret(early_secret, "derived", (const unsigned char*)"", 0,
                        derived);
    if (ret != 0) return ret;

    /* handshake_secret = HKDF-Extract(salt=derived, IKM=shared_secret) */
    ret = wc_Tls13_HKDF_Extract(handshake_secret,
              derived, SHA256_LEN,
              (byte*)shared_secret, (word32)ss_len, WC_SHA256);
    if (ret != 0) return ret;

    /* transcript_hash = SHA256(CH_body || SH_body) */
    unsigned char transcript[SHA256_LEN];
    wc_Sha256 sha;
    ret = wc_InitSha256(&sha);
    if (ret != 0) return ret;
    wc_Sha256Update(&sha, ch_body, (word32)ch_body_len);
    wc_Sha256Update(&sha, sh_body, (word32)sh_body_len);
    wc_Sha256Final(&sha, transcript);
    wc_Sha256Free(&sha);

    /* s_hs_traffic = HKDF-Expand-Label(handshake_secret, "s hs traffic",
     *                                   transcript_hash, hash_len) */
    ret = hkdf_expand_label(handshake_secret, SHA256_LEN,
                            "s hs traffic", transcript, SHA256_LEN,
                            s_hs_traffic, SHA256_LEN);
    if (ret != 0) return ret;

    /* key = HKDF-Expand-Label(s_hs_traffic, "key", "", 16) */
    ret = hkdf_expand_label(s_hs_traffic, SHA256_LEN, "key",
                            NULL, 0, server_key, AES128_KEY_LEN);
    if (ret != 0) return ret;

    /* iv  = HKDF-Expand-Label(s_hs_traffic, "iv",  "", 12) */
    return hkdf_expand_label(s_hs_traffic, SHA256_LEN, "iv",
                             NULL, 0, server_iv, AEAD_IV_LEN);
}

/* ----------------- AES-128-GCM decrypt a TLS 1.3 AppData record ----- */

static int decrypt_record(const unsigned char server_key[AES128_KEY_LEN],
                          const unsigned char server_iv [AEAD_IV_LEN],
                          uint64_t seq_num,
                          const unsigned char* rec, size_t rec_len,
                          unsigned char* plain, size_t* plain_len)
{
    if (rec_len < 5 + AEAD_TAG_LEN) return -1;
    const unsigned char* aad = rec;            /* the 5-byte record header */
    const unsigned char* payload = rec + 5;
    size_t payload_len = rec_len - 5;
    size_t ciphertext_len = payload_len - AEAD_TAG_LEN;
    const unsigned char* tag = payload + ciphertext_len;

    unsigned char nonce[AEAD_IV_LEN];
    memcpy(nonce, server_iv, AEAD_IV_LEN);
    for (int i = 0; i < 8; i++) {
        unsigned char b = (unsigned char)(seq_num >> (56 - i * 8));
        nonce[AEAD_IV_LEN - 8 + i] ^= b;
    }

    Aes aes;
    int ret = wc_AesInit(&aes, NULL, INVALID_DEVID);
    if (ret != 0) return ret;
    ret = wc_AesGcmSetKey(&aes, server_key, AES128_KEY_LEN);
    if (ret == 0) {
        ret = wc_AesGcmDecrypt(&aes, plain, payload, (word32)ciphertext_len,
                               nonce, AEAD_IV_LEN,
                               tag, AEAD_TAG_LEN,
                               aad, 5);
    }
    wc_AesFree(&aes);
    if (ret != 0) return ret;
    *plain_len = ciphertext_len;
    return 0;
}

/* ----------------- main ----------------- */

static void usage(const char* prog)
{
    fprintf(stderr,
      "usage: %s [--hybrid-first|--pqc-first] [--host H] [--port P]\n"
      "       --pqc-first is the default (reporter's Case 2).\n", prog);
}

int main(int argc, char** argv)
{
    const char* host = DEFAULT_HOST;
    int port         = DEFAULT_PORT;
    int pqc_first    = 1;

    for (int i = 1; i < argc; i++) {
        if      (!strcmp(argv[i], "--pqc-first"))    pqc_first = 1;
        else if (!strcmp(argv[i], "--hybrid-first")) pqc_first = 0;
        else if (!strcmp(argv[i], "--host") && i + 1 < argc) host = argv[++i];
        else if (!strcmp(argv[i], "--port") && i + 1 < argc) port = atoi(argv[++i]);
        else { usage(argv[0]); return 2; }
    }

    if (wolfSSL_Init() != WOLFSSL_SUCCESS) {
        fprintf(stderr, "wolfSSL_Init failed\n");
        return 2;
    }

    WC_RNG rng;
    if (wc_InitRng(&rng) != 0) { fprintf(stderr, "InitRng failed\n"); return 2; }

    ephemeral_keys_t k;
    if (gen_keys(&k, &rng) != 0) {
        fprintf(stderr, "gen_keys failed\n"); return 2;
    }

    buf_t ch = {0};
    size_t ch_hs_offset = 0;
    if (build_client_hello(&ch, &k, pqc_first, &rng, &ch_hs_offset) != 0) {
        fprintf(stderr, "build_client_hello failed\n"); return 2;
    }

    printf("issue-10287 reproducer\n");
    printf("  ordering : %s\n",
        pqc_first ? "[ML_KEM_1024, SecP384R1_MLKEM1024] (Case 2)"
                  : "[SecP384R1_MLKEM1024, ML_KEM_1024] (Case 1)");
    printf("  target   : %s:%d\n", host, port);
    printf("  ClientHello length = %zu bytes\n", ch.len);

    int fd = connect_tcp(host, port);
    if (fd < 0) return 2;
    if (send_all(fd, ch.data, ch.len) != 0) { close(fd); return 2; }

    unsigned char rec[20000];
    ssize_t n = read_record(fd, rec, sizeof(rec));
    if (n <= 0) {
        printf("FAIL: server closed connection with no record\n");
        close(fd); return 1;
    }
    if (rec[0] != 22) {
        printf("FAIL: expected handshake record, got content_type=%u\n", rec[0]);
        close(fd); return 1;
    }

    server_hello_t sh;
    if (parse_server_hello(rec, (size_t)n, &sh) != 0) {
        printf("FAIL: could not parse ServerHello\n");
        close(fd); return 1;
    }
    printf("  chosen cipher = 0x%04x\n", sh.cipher);
    printf("  chosen group  = 0x%04x %s\n", sh.group,
        sh.group == GROUP_SECP384R1_MLKEM1024 ? "(SecP384R1_MLKEM1024)" :
        sh.group == GROUP_ML_KEM_1024         ? "(ML_KEM_1024)"         : "");

    if (sh.cipher != 0x1301) {
        printf("FAIL: expected TLS_AES_128_GCM_SHA256 (offered only 0x1301)\n");
        close(fd); return 1;
    }

    /* Compute shared secret from my private + server's key_exchange. */
    unsigned char shared_secret[128];
    size_t ss_len = 0;
    if (compute_shared_secret(&k, &sh, shared_secret, &ss_len) != 0) {
        printf("FAIL: compute_shared_secret\n");
        close(fd); return 1;
    }
    printf("  shared_secret length = %zu bytes\n", ss_len);

    /* Derive server handshake traffic key + IV. */
    size_t ch_body_len = ch.len - ch_hs_offset;
    size_t sh_body_len = (size_t)n - 5;
    unsigned char server_key[AES128_KEY_LEN];
    unsigned char server_iv [AEAD_IV_LEN];
    if (derive_server_handshake(shared_secret, ss_len,
                                ch.data + ch_hs_offset, ch_body_len,
                                rec + 5, sh_body_len,
                                server_key, server_iv) != 0) {
        printf("FAIL: derive_server_handshake\n");
        close(fd); return 1;
    }

    /* Skip any ChangeCipherSpec record, find the first AppData record
     * and try to decrypt it. seq_num starts at 0 for the first encrypted
     * record under the server_handshake_traffic_secret. */
    uint64_t seq = 0;
    unsigned char plain[20000];
    int got_result = 0;
    int pass = 0;
    while (!got_result) {
        n = read_record(fd, rec, sizeof(rec));
        if (n <= 0) {
            printf("FAIL: server hung up before sending AppData\n");
            break;
        }
        if (rec[0] == 20) {
            printf("  (skipping ChangeCipherSpec)\n");
            continue;
        }
        if (rec[0] != 23) {
            printf("FAIL: unexpected content_type=%u before AppData\n", rec[0]);
            break;
        }
        size_t pl;
        int ret = decrypt_record(server_key, server_iv, seq, rec, (size_t)n,
                                 plain, &pl);
        if (ret != 0) {
            printf("FAIL: AES-GCM decrypt returned %d -- server's handshake "
                   "keys disagree with what the client computes.\n"
                   "       This is the issue #10287 symptom: the server's\n"
                   "       preMasterSecret was overwritten by the wrong key "
                   "share.\n", ret);
            break;
        }
        if (pl < 1) {
            printf("FAIL: decrypted record is empty\n");
            break;
        }
        /* Strip trailing zero padding; real content type is the last
         * non-zero byte. */
        size_t end = pl - 1;
        while (end > 0 && plain[end] == 0) end--;
        unsigned char inner_type = plain[end];
        if (inner_type != 22) {
            printf("FAIL: decrypted inner content_type=%u, expected handshake(22)\n",
                   inner_type);
            break;
        }
        if (end < 1 || plain[0] != 8) {
            printf("FAIL: first handshake type inside record is %u, "
                   "expected EncryptedExtensions(8)\n", plain[0]);
            break;
        }
        printf("PASS: decrypted server's first encrypted record; first "
               "handshake message is EncryptedExtensions (type 8).\n"
               "      Server's preMasterSecret matches the chosen group's "
               "shared secret -- issue #10287 is NOT manifesting.\n");
        pass = 1;
        got_result = 1;
    }

    free(ch.data);
    free_keys(&k);
    wc_FreeRng(&rng);
    wolfSSL_Cleanup();
    close(fd);
    return pass ? 0 : 1;
}

test.sh — BEFORE/AFTER harness (configures tree, builds, runs both orderings against unpatched server, applies patch, reruns, summarises)

#!/bin/bash
# End-to-end BEFORE/AFTER runner for wolfSSL issue #10287.
#
# What this script does:
#   1. Ensures src/tls.c is clean (no issue-10287 patch applied).
#   2. Configures wolfSSL with --enable-mlkem --enable-tls-mlkem-standalone
#      --enable-pqc-hybrids, then builds.
#   3. Builds the reproducer in this directory (issue-10287-test).
#   4. BEFORE: runs both orderings against an unpatched test server,
#      pkill'ing the server between each run. Expected result: both FAIL.
#   5. Applies issue-10287.patch and rebuilds wolfSSL.
#   6. AFTER: runs both orderings against the patched test server, again
#      pkill'ing between runs. Expected result: both PASS.
#   7. Restores src/tls.c to its pre-script state.
#
# Exit code: 0 if BEFORE fails twice and AFTER passes twice (the
# expected outcome), 1 otherwise.

set -u

# Resolve repo root from this script's location.
HERE="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO="$(cd "$HERE/.." && pwd)"
cd "$REPO"

TEST_BIN="$HERE/issue-10287-test"
PATCH="$HERE/issue-10287.patch"
LIB_DIR="$REPO/src/.libs"
SERVER="$REPO/examples/server/server"
CFG_FLAGS="--enable-mlkem --enable-tls-mlkem-standalone --enable-pqc-hybrids"
PORT=11111
SRV_LOG="/tmp/wolfsrv-10287.log"
CFG_LOG="/tmp/wolfssl-cfg-10287.log"
BLD_LOG="/tmp/wolfssl-build-10287.log"

red()   { printf '\033[31m%s\033[0m' "$*"; }
green() { printf '\033[32m%s\033[0m' "$*"; }
bold()  { printf '\033[1m%s\033[0m'  "$*"; }

section() { echo; echo "==================== $* ===================="; }

kill_server() {
    pkill -f "examples/server/server" 2>/dev/null || true
    # Give the OS a moment to release the port.
    for _ in 1 2 3 4 5; do
        if ! pgrep -f "examples/server/server" >/dev/null; then break; fi
        sleep 0.2
    done
}

# Remember whether the patch was already applied when we started so we
# can put the tree back exactly as we found it.
PATCH_PREEXISTING=0
if grep -q "issue #10287" "$REPO/src/tls.c" 2>/dev/null; then
    PATCH_PREEXISTING=1
fi

restore_tree() {
    kill_server
    echo
    echo "Restoring tree to pre-script state..."
    # Start from clean and re-apply only if it was applied before.
    git -C "$REPO" checkout -- src/tls.c
    if [ "$PATCH_PREEXISTING" = "1" ]; then
        git -C "$REPO" apply "$PATCH" || echo "  WARN: could not re-apply patch"
        make -C "$REPO" -j"$(nproc)" >"$BLD_LOG" 2>&1 \
            || echo "  WARN: final rebuild failed (see $BLD_LOG)"
    else
        make -C "$REPO" -j"$(nproc)" >"$BLD_LOG" 2>&1 || true
    fi
}
trap restore_tree EXIT

# ---------- build (unpatched) ----------

section "Reset src/tls.c to clean state"
git -C "$REPO" checkout -- src/tls.c
if grep -q "issue #10287" "$REPO/src/tls.c"; then
    echo "ERROR: src/tls.c still has patch markers after checkout."
    exit 1
fi

section "Configure wolfSSL ($CFG_FLAGS)"
./configure $CFG_FLAGS >"$CFG_LOG" 2>&1 || {
    echo "configure failed; tail of $CFG_LOG:"
    tail -30 "$CFG_LOG"
    exit 1
}
grep -E "ML-KEM  standalone|PQ/T hybrids" "$CFG_LOG" | head -3

section "Build wolfSSL (unpatched)"
make -j"$(nproc)" >"$BLD_LOG" 2>&1 || {
    echo "build failed; tail of $BLD_LOG:"
    tail -40 "$BLD_LOG"
    exit 1
}
echo "  libwolfssl built: $(ls -la $LIB_DIR/libwolfssl.so* 2>/dev/null | head -1)"

section "Build reproducer"
gcc -Wall -Wextra -I"$REPO" -L"$LIB_DIR" \
    "$HERE/issue-10287-test.c" -lwolfssl -lm -o "$TEST_BIN"
echo "  built $TEST_BIN"

# ---------- run helper ----------

# run_case <label> <flag>  ->  prints captured output, returns test exit code
run_case() {
    local label="$1" flag="$2"
    kill_server
    echo; echo "  --- $label ---"
    "$SERVER" -v 4 -p "$PORT" >"$SRV_LOG" 2>&1 &
    local srvpid=$!
    # Wait until the server has bound.
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        grep -q "listening on port" "$SRV_LOG" && break
        sleep 0.2
    done

    LD_LIBRARY_PATH="$LIB_DIR" "$TEST_BIN" "$flag" 2>&1
    local rc=$?
    echo "  reproducer exit = $rc"
    kill_server
    echo "  server log tail : $(tail -1 "$SRV_LOG")"
    return $rc
}

# ---------- BEFORE ----------

section "BEFORE (unpatched / buggy) — expected: both FAIL"
run_case "Case 1 (hybrid-first)" "--hybrid-first"
RC_BEF_HYBRID=$?
run_case "Case 2 (pqc-first)"    "--pqc-first"
RC_BEF_PQC=$?

# ---------- apply patch ----------

section "Apply issue-10287.patch and rebuild"
git -C "$REPO" apply "$PATCH" || {
    echo "git apply failed"
    exit 1
}
grep -c "issue #10287" "$REPO/src/tls.c" | xargs -I{} echo "  patch markers in src/tls.c: {}"
make -j"$(nproc)" >"$BLD_LOG" 2>&1 || {
    echo "patched build failed; tail of $BLD_LOG:"
    tail -40 "$BLD_LOG"
    exit 1
}

# ---------- AFTER ----------

section "AFTER (patched) — expected: both PASS"
run_case "Case 1 (hybrid-first)" "--hybrid-first"
RC_AFT_HYBRID=$?
run_case "Case 2 (pqc-first)"    "--pqc-first"
RC_AFT_PQC=$?

# ---------- summary ----------

section "Summary"
fmt_expected_fail() { [ "$1" != "0" ] && green "FAIL (expected)" || red "PASS (UNEXPECTED — bug did not trigger)"; }
fmt_expected_pass() { [ "$1"  = "0" ] && green "PASS (expected)" || red "FAIL (UNEXPECTED — fix did not hold)"; }

printf "  BEFORE  hybrid-first : "; fmt_expected_fail "$RC_BEF_HYBRID"; echo
printf "  BEFORE  pqc-first    : "; fmt_expected_fail "$RC_BEF_PQC";    echo
printf "  AFTER   hybrid-first : "; fmt_expected_pass "$RC_AFT_HYBRID"; echo
printf "  AFTER   pqc-first    : "; fmt_expected_pass "$RC_AFT_PQC";    echo

OK=1
[ "$RC_BEF_HYBRID" = "0" ] && OK=0
[ "$RC_BEF_PQC"    = "0" ] && OK=0
[ "$RC_AFT_HYBRID" = "0" ] || OK=0
[ "$RC_AFT_PQC"    = "0" ] || OK=0

if [ "$OK" = "1" ]; then
    echo; bold "Overall: all four outcomes as expected."; echo
    exit 0
else
    echo; bold "Overall: at least one outcome was UNEXPECTED."; echo
    exit 1
fi

Happy to turn this into a PR if useful.

[Frauschi]

Hi @bercj,

my name is Tobias and I'm from the wolfSSL team. Thank you very much for your bug report! I opened #10299 to fix the issue together with a regression test. Also thanks to @cpsource for the analysis and fix proposal!

@bercj At wolfSSL, we always like to learn about the projects wolfssl is used. Do you mind telling us what you are currently creating with PQC and wolfssl?

Best regards,
Tobias Frauenschläger

[bercj]

Hi @Frauschi,

Certainly. I identified this issue while conducting research for my bachelor's thesis at Ruhr-University Bochum. My thesis analyzes current PQC deployment across various TLS libraries and the internet.

I'm glad the report was helpul for the wolfSSL implementation.

Best regards,
Alessandro

[Frauschi]

That sounds very intriguing! If you have any other interesting insights about our PQC implementations you want to share, feel free to email them to facts@wolfssl.com. We are always happy to hear such things.

I will close this issue as resolved once the PR is merged to the master branch.

Best regards,
Tobias