From e38fea8ab2345f2aa1f0e22c653f526261b451aa Mon Sep 17 00:00:00 2001
From: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
Date: Mon, 9 Dec 2024 10:56:28 +0100
Subject: [PATCH] First cut at DTLS1.3 tracker

Signed-off-by: Michael Baentsch <57787676+baentsch@users.noreply.github.com>
---
 .circleci/config.yml                          |   4 +-
 .github/workflows/linux.yml                   |   2 +-
 .github/workflows/windows.yml                 |   2 +-
 .../group_assignments.fragment                |   4 +-
 oqsprov/oqsprov_capabilities.c                | 106 +++++++++---------
 scripts/fullbuild.sh                          |   3 +
 test/tlstest_helpers.c                        |   8 +-
 7 files changed, 66 insertions(+), 63 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 456813c8..00029830 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -53,9 +53,9 @@ jobs:
               equal: [ openssl@3, << parameters.OPENSSL_PREINSTALL >> ]
           steps:
             - run:
-                name: Clone and build OpenSSL(3) master
+                name: Clone and build OpenSSL(3) dtls-1.3 feature branch
                 command: |
-                   git clone --branch master https://github.com/openssl/openssl.git openssl &&
+                   git clone --branch feature/dtls-1.3 https://github.com/openssl/openssl.git openssl &&
                    cd openssl && ./config --prefix=$(echo $(pwd)/../.local) && make -j 18 && make install_sw && cd ..
             - run:
                name: Build OQS-OpenSSL provider
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 0b3981e5..c96c3f36 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -38,7 +38,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ossl-branch: [openssl-3.3.2, master]
+        ossl-branch: [feature/dtls-1.3]
         libjade-build:
           - "ON" 
           - "OFF"
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 3747c7a2..d9876120 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -39,7 +39,7 @@ jobs:
           repository: openssl/openssl
           path: openssl
           # TODO: Revert ref tag once openssl master doesn't crash any more
-          ref: openssl-3.3.0
+          ref: feature/dtls-1.3
       - name: checkout liboqs
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
         with:
diff --git a/oqs-template/oqsprov/oqsprov_capabilities.c/group_assignments.fragment b/oqs-template/oqsprov/oqsprov_capabilities.c/group_assignments.fragment
index 227c59e2..7e94628c 100644
--- a/oqs-template/oqsprov/oqsprov_capabilities.c/group_assignments.fragment
+++ b/oqs-template/oqsprov/oqsprov_capabilities.c/group_assignments.fragment
@@ -1,7 +1,7 @@
 {% for kem in config['kems'] %}
-   { {{ kem['nid'] }}, {{ kem['bit_security'] }}, TLS1_3_VERSION, 0, -1, -1, 1 },
+   { {{ kem['nid'] }}, {{ kem['bit_security'] }}, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1 },
 {% for hybrid in kem['hybrids'] %}
-   { {{ hybrid['nid'] }}, {{ kem['bit_security'] }}, TLS1_3_VERSION, 0, -1, -1, 1 },
+   { {{ hybrid['nid'] }}, {{ kem['bit_security'] }}, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1 },
 {%- endfor %}
 {%- endfor %}
 
diff --git a/oqsprov/oqsprov_capabilities.c b/oqsprov/oqsprov_capabilities.c
index a809aa08..1b21fb1c 100644
--- a/oqsprov/oqsprov_capabilities.c
+++ b/oqsprov/oqsprov_capabilities.c
@@ -35,77 +35,77 @@ typedef struct oqs_group_constants_st {
 static OQS_GROUP_CONSTANTS oqs_group_list[] = {
     // ad-hoc assignments - take from OQS generate data structures
     ///// OQS_TEMPLATE_FRAGMENT_GROUP_ASSIGNMENTS_START
-    {65024, 128, TLS1_3_VERSION, 0, -1, -1, 1},
+    {65024, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F00, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2F80, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {65025, 128, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F00, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2F80, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {65025, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F01, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2F81, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {65026, 192, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F01, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2F81, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {65026, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F02, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2F82, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0203, 192, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F02, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2F82, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0203, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F03, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2F83, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0204, 256, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F03, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2F83, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0204, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F04, 256, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0205, 256, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F04, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0205, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F05, 256, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x023A, 128, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F05, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x023A, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F3A, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2F39, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x023C, 192, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F3A, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2F39, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x023C, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F3C, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2F90, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x6399, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x639A, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x023D, 256, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F3C, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2F90, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x6399, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x639A, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x023D, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F3D, 256, TLS1_3_VERSION, 0, -1, -1, 1},
-    {512, 128, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F3D, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {512, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F4B, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2FB6, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {513, 192, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F4B, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2FB6, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {513, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F4C, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2FB7, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x11ec, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x11eb, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {514, 256, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F4C, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2FB7, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x11ec, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x11eb, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {514, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F4D, 256, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2F4E, 256, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0241, 128, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F4D, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2F4E, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0241, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F41, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2FAE, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0242, 192, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F41, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2FAE, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0242, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F42, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2FAF, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0243, 256, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F42, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2FAF, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0243, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F43, 256, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0244, 128, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F43, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0244, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F44, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2FB0, 128, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0245, 192, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F44, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2FB0, 128, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0245, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F45, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x2FB1, 192, TLS1_3_VERSION, 0, -1, -1, 1},
-    {0x0246, 256, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F45, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x2FB1, 192, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
+    {0x0246, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
 
-    {0x2F46, 256, TLS1_3_VERSION, 0, -1, -1, 1},
+    {0x2F46, 256, TLS1_3_VERSION, 0, DTLS1_3_VERSION, 0, 1},
     ///// OQS_TEMPLATE_FRAGMENT_GROUP_ASSIGNMENTS_END
 };
 
diff --git a/scripts/fullbuild.sh b/scripts/fullbuild.sh
index 41eb3b0b..d9bd1dd9 100755
--- a/scripts/fullbuild.sh
+++ b/scripts/fullbuild.sh
@@ -12,6 +12,9 @@
 # EnvVar OPENSSL_BRANCH: Defines branch/release of openssl; if set, forces source-build of OpenSSL3
 # EnvVar liboqs_DIR: If set, needs to point to a directory where liboqs has been installed to
 
+# Track openssl dtls-1.3 feature branch
+OPENSSL_BRANCH="feature/dtls-1.3"
+
 if [[ "$OSTYPE" == "darwin"* ]]; then
    SHLIBEXT="dylib"
    STATLIBEXT="dylib"
diff --git a/test/tlstest_helpers.c b/test/tlstest_helpers.c
index 93626f54..42f8a487 100644
--- a/test/tlstest_helpers.c
+++ b/test/tlstest_helpers.c
@@ -56,10 +56,10 @@ int create_tls1_3_ctx_pair(OSSL_LIB_CTX *libctx, SSL_CTX **sctx, SSL_CTX **cctx,
         goto err;
 
     SSL_CTX_set_options(serverctx, SSL_OP_ALLOW_CLIENT_RENEGOTIATION);
-    SSL_CTX_set_min_proto_version(serverctx, TLS1_3_VERSION);
-    SSL_CTX_set_max_proto_version(serverctx, TLS1_3_VERSION);
-    SSL_CTX_set_min_proto_version(clientctx, TLS1_3_VERSION);
-    SSL_CTX_set_max_proto_version(clientctx, TLS1_3_VERSION);
+    SSL_CTX_set_min_proto_version(serverctx, DTLS1_3_VERSION);
+    SSL_CTX_set_max_proto_version(serverctx, DTLS1_3_VERSION);
+    SSL_CTX_set_min_proto_version(clientctx, DTLS1_3_VERSION);
+    SSL_CTX_set_max_proto_version(clientctx, DTLS1_3_VERSION);
 
     if (!SSL_CTX_use_certificate_file(serverctx, certfile, SSL_FILETYPE_PEM))
         goto err;