From de386d55909057ffcff13ef21111fb7125494f9e Mon Sep 17 00:00:00 2001
From: Rene Meusel
Date: Fri, 17 Nov 2023 09:14:36 +0100
Subject: [PATCH 1/3] Add TLS::Group_Params::to_algorithm_spec()
This was required because the brainpool curves have two distinct sets of code points. For TLS 1.2 (and earlier) they are defined in RFC 7027 and for TLS 1.3 in RFC 8734.
---
 src/lib/tls/tls_algos.cpp | 7 +++++++
 src/lib/tls/tls_algos.h | 7 ++++++-
 src/lib/tls/tls_callbacks.cpp | 10 +++++-----
 3 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/src/lib/tls/tls_algos.cpp b/src/lib/tls/tls_algos.cpp
index 41958402c0a..0b143eb830d 100644
--- a/src/lib/tls/tls_algos.cpp
+++ b/src/lib/tls/tls_algos.cpp
@@ -267,4 +267,11 @@ std::optional Group_Params::to_string() const {
 }
 }
+std::optional Group_Params::to_algorithm_spec() const {
+ switch(m_code) {
+ default:
+ return to_string();
+ }
+}
+
 } // namespace Botan::TLS
diff --git a/src/lib/tls/tls_algos.h b/src/lib/tls/tls_algos.h
index a13bf9bca08..13e1bad462d 100644
--- a/src/lib/tls/tls_algos.h
+++ b/src/lib/tls/tls_algos.h
@@ -186,9 +186,14 @@ class BOTAN_PUBLIC_API(3, 2) Group_Params final {
 constexpr bool is_kem() const { return is_pure_kyber() || is_pqc_hybrid(); }
- // Returns std::nullopt if the param has no known name
+ // Returns a unique name for the group param, std::nullopt otherwise if
+ // the param has no known name.
 std::optional to_string() const;
+ // Returns the string that is typically used to instantiate the algorithm.
+ // This might not be unique across specific code points.
+ std::optional to_algorithm_spec() const;
+
 private:
 Group_Params_Code m_code;
 };
diff --git a/src/lib/tls/tls_callbacks.cpp b/src/lib/tls/tls_callbacks.cpp
index b6c4769e82d..c2480454aaf 100644
--- a/src/lib/tls/tls_callbacks.cpp
+++ b/src/lib/tls/tls_callbacks.cpp
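Review bot: The reworded comment above `to_string()` in the tls_algos.h hunk reads awkwardly ("std::nullopt otherwise if the param has no known name"), and the comment on the new `to_algorithm_spec()` does not tell the reader when the two strings differ, which is the whole reason the method exists. Suggest `// Returns a unique name for the group param, or std::nullopt if the param has no known name.` for the former and `// Returns the string used to instantiate the underlying algorithm (e.g. the curve name). Several code points may share one spec, so this is not a unique identifier.` for the latter. The rest of the Group_Params class is outside this hunk.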
@@ -153,7 +153,7 @@ bool TLS::Callbacks::tls_verify_message(const Public_Key& key,
 std::unique_ptr TLS::Callbacks::tls_kem_generate_key(TLS::Group_Params group, RandomNumberGenerator& rng) {
 #if defined(BOTAN_HAS_KYBER)
 if(group.is_pure_kyber()) {
- return std::make_unique(rng, KyberMode(group.to_string().value()));
+ return std::make_unique(rng, KyberMode(group.to_algorithm_spec().value()));
 }
 #endif
@@ -181,7 +181,7 @@ KEM_Encapsulation TLS::Callbacks::tls_kem_encapsulate(TLS::Group_Params group,
 #if defined(BOTAN_HAS_KYBER)
 if(group.is_pure_kyber()) {
- return std::make_unique(encoded_public_key, KyberMode(group.to_string().value()));
+ return std::make_unique(encoded_public_key, KyberMode(group.to_algorithm_spec().value()));
 }
 #endif
@@ -231,7 +231,7 @@ DL_Group get_dl_group(const std::variant& group) {
 // groups.
 return std::visit(
 overloaded{[](const DL_Group& dl_group) { return dl_group; },
- [&](TLS::Group_Params group_param) { return DL_Group(group_param.to_string().value()); }},
+ [&](TLS::Group_Params group_param) { return DL_Group(group_param.to_algorithm_spec().value()); }},
 group);
 }
@@ -248,7 +248,7 @@ std::unique_ptr TLS::Callbacks::tls_generate_ephemeral_key
 const auto group_params = std::get(group);
 if(group_params.is_ecdh_named_curve()) {
- const EC_Group ec_group(group_params.to_string().value());
+ const EC_Group ec_group(group_params.to_algorithm_spec().value());
 return std::make_unique(rng, ec_group);
 }
@@ -303,7 +303,7 @@ secure_vector TLS::Callbacks::tls_ephemeral_key_agreement(
 const auto group_params = std::get(group);
 if(group_params.is_ecdh_named_curve()) {
- const EC_Group ec_group(group_params.to_string().value());
+ const EC_Group ec_group(group_params.to_algorithm_spec().value());
 ECDH_PublicKey peer_key(ec_group, ec_group.OS2ECP(public_value));
 policy.check_peer_key_acceptable(peer_key);
From 64f12039d5284651e117898ba27e87af7b11ed08 Mon Sep 17 00:00:00 2001
From: Rene Meusel
Date: Thu, 7 Dec 2023 14:53:43 +0100
Subject: [PATCH 2/3] TLS::Group_Params::usable_in_version()
---
 src/lib/tls/msg_client_hello.cpp | 22 ++++++++++++++-----
 .../tls/tls13/tls_extensions_key_share.cpp | 15 ++++++++-----
 src/lib/tls/tls_algos.cpp | 14 ++++++++++++
 src/lib/tls/tls_algos.h | 4 ++++
 src/lib/tls/tls_extensions.cpp | 2 +-
 src/lib/tls/tls_extensions.h | 7 ++++--
 src/tests/test_tls_messages.cpp | 2 +-
 7 files changed, 52 insertions(+), 14 deletions(-)
diff --git a/src/lib/tls/msg_client_hello.cpp b/src/lib/tls/msg_client_hello.cpp
index 7c4c548591f..f9484863321 100644
--- a/src/lib/tls/msg_client_hello.cpp
+++ b/src/lib/tls/msg_client_hello.cpp
@@ -419,11 +419,13 @@ void Client_Hello_12::add_tls12_supported_groups_extensions(const Policy& policy
 // A client that offers a group MUST be able and willing to perform a DH
 // key exchange using that group.
 //
- // We don't support hybrid key exchange in TLS 1.2
+ // We don't support hybrid key exchange in TLS 1.2, and we should not offer
+ // any groups that are not available in TLS 1.2 (e.g. brainpool curves with)
+ // TLS 1.3 wire codes.
 const std::vector kex_groups = policy.key_exchange_groups();
 std::vector compatible_kex_groups;
 std::copy_if(kex_groups.begin(), kex_groups.end(), std::back_inserter(compatible_kex_groups), [](const auto group) {
- return !group.is_post_quantum();
+ return group.usable_in_version(Protocol_Version::TLS_V12);
 });
 auto supported_groups = std::make_unique(std::move(compatible_kex_groups));
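Review bot: The added comment in the Client_Hello_12 hunk has its closing parenthesis in the wrong place — `(e.g. brainpool curves with)` — so the sentence reads as though "TLS 1.3 wire codes" were a separate clause. Suggest `// any groups that are not available in TLS 1.2 (e.g. brainpool curves with` followed by `// TLS 1.3 wire codes).`. Note that in this commit `usable_in_version(TLS_V12)` is still equivalent to the old `!is_post_quantum()` (see the tls_algos.cpp hunk in the same patch), so the comment describes behaviour that only arrives once the brainpool code points are taught to that predicate; the function body continues outside the hunk.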
@@ -762,9 +764,19 @@ Client_Hello_13::Client_Hello_13(const Policy& policy,
 m_data->extensions().add(new Server_Name_Indicator(hostname));
 }
- m_data->extensions().add(new Supported_Groups(policy.key_exchange_groups()));
-
- m_data->extensions().add(new Key_Share(policy, cb, rng));
+ const auto available_groups = policy.key_exchange_groups();
+ std::vector compatible_kex_groups;
+ std::copy_if(available_groups.begin(),
+ available_groups.end(),
+ std::back_inserter(compatible_kex_groups),
+ [&](const auto group) {
+ // If we allow the legacy TLS 1.2, we won't filter out any
+ // groups, in case the server might negotiate TLS 1.2.
+ return policy.allow_tls12() || group.usable_in_version(Protocol_Version::TLS_V13);
+ });
+ m_data->extensions().add(new Supported_Groups(std::move(compatible_kex_groups)));
+
+ m_data->extensions().add(new Key_Share(compatible_kex_groups, policy, cb, rng));
 m_data->extensions().add(new Supported_Versions(Protocol_Version::TLS_V13, policy));
diff --git a/src/lib/tls/tls13/tls_extensions_key_share.cpp b/src/lib/tls/tls13/tls_extensions_key_share.cpp
index c7a0da1a3d2..358e292297b 100644
--- a/src/lib/tls/tls13/tls_extensions_key_share.cpp
+++ b/src/lib/tls/tls13/tls_extensions_key_share.cpp
@@ -226,8 +226,10 @@ class Key_Share_ClientHello {
 }
 }
- Key_Share_ClientHello(const Policy& policy, Callbacks& cb, RandomNumberGenerator& rng) {
- const auto supported = policy.key_exchange_groups();
+ Key_Share_ClientHello(const std::vector& supported_groups,
+ const Policy& policy,
+ Callbacks& cb,
+ RandomNumberGenerator& rng) {
 const auto offers = policy.key_exchange_groups_to_offer();
 // RFC 8446 P. 48
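Review bot: `compatible_kex_groups` is moved into `Supported_Groups` and then read again two lines later to construct `Key_Share`; since `Supported_Groups` now takes the vector by value and moves it into `m_groups` (tls_extensions.cpp hunk in this patch), the `Key_Share` constructor receives a moved-from vector — valid but unspecified, in practice empty — so `Key_Share_ClientHello` iterates over nothing and presumably no key share is offered in any TLS 1.3 ClientHello, costing at least a HelloRetryRequest per handshake. Either drop the move, `m_data->extensions().add(new Supported_Groups(compatible_kex_groups));`, or build the `Key_Share` first and move into `Supported_Groups` afterwards. The updated test in test_tls_messages.cpp constructs `Key_Share` directly from `policy.key_exchange_groups()`, so it does not exercise this path; the constructor body continues outside the hunk.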
@@ -241,7 +243,7 @@ class Key_Share_ClientHello {
 //
 // ... hence, we're going through the supported groups and find those that
 // should be used to offer a key exchange. This will satisfy above spec.
- for(const auto group : supported) {
+ for(const auto group : supported_groups) {
 if(std::find(offers.begin(), offers.end(), group) == offers.end()) {
 continue;
 }
@@ -424,8 +426,11 @@ Key_Share::Key_Share(TLS_Data_Reader& reader, uint16_t extension_size, Handshake
 }
 // ClientHello
-Key_Share::Key_Share(const Policy& policy, Callbacks& cb, RandomNumberGenerator& rng) :
- m_impl(std::make_unique(Key_Share_ClientHello(policy, cb, rng))) {}
+Key_Share::Key_Share(const std::vector& supported_groups,
+ const Policy& policy,
+ Callbacks& cb,
+ RandomNumberGenerator& rng) :
+ m_impl(std::make_unique(Key_Share_ClientHello(supported_groups, policy, cb, rng))) {}
 // HelloRetryRequest
 Key_Share::Key_Share(Named_Group selected_group) :
diff --git a/src/lib/tls/tls_algos.cpp b/src/lib/tls/tls_algos.cpp
index 0b143eb830d..5fc6c5a5f53 100644
--- a/src/lib/tls/tls_algos.cpp
+++ b/src/lib/tls/tls_algos.cpp
@@ -8,6 +8,7 @@
 #include
 #include
+#include
 #include
 namespace Botan::TLS {
@@ -274,4 +275,17 @@ std::optional Group_Params::to_algorithm_spec() const {
 }
 }
+bool Group_Params::usable_in_version(const Protocol_Version& version) const {
+ // The wire codes for brainpool differ between TLS 1.2 and 1.3 for
+ // "historical" reasons. When negotiating the respective protocol version,
+ // we should use the appropriate wire code.
+ //
+ // Also KEM-based key exchanges are not implemented for TLS 1.2.
+ if(version.is_pre_tls_13()) {
+ return !is_post_quantum();
+ } else {
+ return true;
+ }
+}
+
 } // namespace Botan::TLS
diff --git a/src/lib/tls/tls_algos.h b/src/lib/tls/tls_algos.h
index 13e1bad462d..e457c907273 100644
--- a/src/lib/tls/tls_algos.h
+++ b/src/lib/tls/tls_algos.h
@@ -18,6 +18,8 @@
 namespace Botan::TLS {
+class Protocol_Version;
+
 enum class Cipher_Algo {
 CHACHA20_POLY1305,
@@ -146,6 +148,8 @@ class BOTAN_PUBLIC_API(3, 2) Group_Params final {
 constexpr uint16_t wire_code() const { return static_cast(m_code); }
+ bool usable_in_version(const Protocol_Version& version) const;
+
 constexpr bool is_x25519() const { return m_code == Group_Params_Code::X25519; }
 constexpr bool is_ecdh_named_curve() const {
diff --git a/src/lib/tls/tls_extensions.cpp b/src/lib/tls/tls_extensions.cpp
index 5460f02f614..dbb8509d8fe 100644
--- a/src/lib/tls/tls_extensions.cpp
+++ b/src/lib/tls/tls_extensions.cpp
@@ -483,7 +483,7 @@ Certificate_Type Certificate_Type_Base::selected_certificate_type() const {
 return m_certificate_types.front();
 }
-Supported_Groups::Supported_Groups(const std::vector& groups) : m_groups(groups) {}
+Supported_Groups::Supported_Groups(std::vector groups) : m_groups(std::move(groups)) {}
 const std::vector& Supported_Groups::groups() const {
 return m_groups;
diff --git a/src/lib/tls/tls_extensions.h b/src/lib/tls/tls_extensions.h
index 7d8f0f5d5b4..f97b62bd067 100644
--- a/src/lib/tls/tls_extensions.h
+++ b/src/lib/tls/tls_extensions.h
@@ -331,7 +331,7 @@ class BOTAN_UNSTABLE_API Supported_Groups final : public Extension {
 std::vector serialize(Connection_Side whoami) const override;
- explicit Supported_Groups(const std::vector& groups);
+ explicit Supported_Groups(std::vector groups);
 Supported_Groups(TLS_Data_Reader& reader, uint16_t extension_size);
@@ -827,7 +827,10 @@ class BOTAN_UNSTABLE_API Key_Share final : public Extension {
 Key_Share(TLS_Data_Reader& reader, uint16_t extension_size, Handshake_Type message_type);
 // constructor used for ClientHello msg
- Key_Share(const Policy& policy, Callbacks& cb, RandomNumberGenerator& rng);
+ Key_Share(const std::vector& supported_groups,
+ const Policy& policy,
+ Callbacks& cb,
+ RandomNumberGenerator& rng);
 // constructor used for HelloRetryRequest msg
 explicit Key_Share(Named_Group selected_group);
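Review bot: `usable_in_version()` joins the `BOTAN_PUBLIC_API` surface of `Group_Params` without a comment, and unlike its `constexpr` neighbours its meaning is not obvious from the name — as implemented in tls_algos.cpp in this patch it only rejects post-quantum groups for pre-1.3 versions, and the cpp-side comment already promises version-specific wire codes. Suggest `/// Returns true if this group may be offered or negotiated under @p version (e.g. KEM groups are TLS 1.3 only).` above the declaration so users of the header do not have to read the implementation. The class header and the remaining predicates are outside this hunk.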
diff --git a/src/tests/test_tls_messages.cpp b/src/tests/test_tls_messages.cpp
index 716b4d0f3ac..d383f562d08 100644
--- a/src/tests/test_tls_messages.cpp
+++ b/src/tests/test_tls_messages.cpp
@@ -230,7 +230,7 @@ class TLS_Key_Share_CH_Generation_Test final : public Text_Based_Test {
 Botan_Tests::Fixed_Output_RNG rng;
 rng.add_entropy(rng_data.data(), rng_data.size());
- Botan::TLS::Key_Share share(policy, cb, rng);
+ Botan::TLS::Key_Share share(policy.key_exchange_groups(), policy, cb, rng);
 const auto serialized_buffer = share.serialize(Botan::TLS::Connection_Side::Client);
 result.test_eq("key_share_CH_offers test", serialized_buffer, expected_key_share);
From 72a98101856d21f48f57df5af59c05344e56ae56 Mon Sep 17 00:00:00 2001
From: Rene Meusel
Date: Fri, 17 Nov 2023 09:17:21 +0100
Subject: [PATCH 3/3] introduce TLS 1.3 specific code points for brainpool (RFC 8734)
---
 src/lib/tls/tls_algos.cpp | 32 +++++++++++++++++++--
 src/lib/tls/tls_algos.h | 11 ++++++-
 src/lib/tls/tls_policy.cpp | 5 ++--
 src/lib/tls/tls_policy.h | 3 ++
 src/tests/data/tls-policy/bsi.txt | 2 +-
 src/tests/data/tls-policy/datagram.txt | 2 +-
 src/tests/data/tls-policy/default.txt | 2 +-
 src/tests/data/tls-policy/default_tls13.txt | 2 +-
 src/tests/data/tls-policy/strict.txt | 2 +-
 src/tests/data/tls-policy/strict_tls13.txt | 2 +-
 10 files changed, 52 insertions(+), 11 deletions(-)
diff --git a/src/lib/tls/tls_algos.cpp b/src/lib/tls/tls_algos.cpp
index 5fc6c5a5f53..b80b9ac4ae0 100644
--- a/src/lib/tls/tls_algos.cpp
+++ b/src/lib/tls/tls_algos.cpp
@@ -154,6 +154,15 @@ std::optional Group_Params::from_string(std::string_view group_nam
 if(group_name == "brainpool512r1") {
 return Group_Params::BRAINPOOL512R1;
 }
+ if(group_name == "brainpool256r1tls13") {
+ return Group_Params::BRAINPOOL256R1_TLS13;
+ }
+ if(group_name == "brainpool384r1tls13") {
+ return Group_Params::BRAINPOOL384R1_TLS13;
+ }
+ if(group_name == "brainpool512r1tls13") {
+ return Group_Params::BRAINPOOL512R1_TLS13;
+ }
 if(group_name == "x25519") {
 return Group_Params::X25519;
 }
@@ -225,6 +234,12 @@ std::optional Group_Params::to_string() const {
 return "brainpool384r1";
 case Group_Params::BRAINPOOL512R1:
 return "brainpool512r1";
+ case Group_Params::BRAINPOOL256R1_TLS13:
+ return "brainpool256r1tls13";
+ case Group_Params::BRAINPOOL384R1_TLS13:
+ return "brainpool384r1tls13";
+ case Group_Params::BRAINPOOL512R1_TLS13:
+ return "brainpool512r1tls13";
 case Group_Params::X25519:
 return "x25519";
@@ -270,6 +285,17 @@ std::optional Group_Params::to_string() const {
 std::optional Group_Params::to_algorithm_spec() const {
 switch(m_code) {
+ // Brainpool curves have two sets of code points. See RFCs 7027 and 8734.
+ case Group_Params::BRAINPOOL256R1:
+ case Group_Params::BRAINPOOL256R1_TLS13:
+ return "brainpool256r1";
+ case Group_Params::BRAINPOOL384R1:
+ case Group_Params::BRAINPOOL384R1_TLS13:
+ return "brainpool384r1";
+ case Group_Params::BRAINPOOL512R1:
+ case Group_Params::BRAINPOOL512R1_TLS13:
+ return "brainpool512r1";
+
 default:
 return to_string();
 }
@@ -282,9 +308,11 @@ bool Group_Params::usable_in_version(const Protocol_Version& version) const {
 //
 // Also KEM-based key exchanges are not implemented for TLS 1.2.
 if(version.is_pre_tls_13()) {
- return !is_post_quantum();
+ return !is_post_quantum() && m_code != Group_Params_Code::BRAINPOOL256R1_TLS13 &&
+ m_code != Group_Params_Code::BRAINPOOL384R1_TLS13 && m_code != Group_Params_Code::BRAINPOOL512R1_TLS13;
 } else {
- return true;
+ return m_code != Group_Params_Code::BRAINPOOL256R1 && m_code != Group_Params_Code::BRAINPOOL384R1 &&
+ m_code != Group_Params_Code::BRAINPOOL512R1;
 }
 }
diff --git a/src/lib/tls/tls_algos.h b/src/lib/tls/tls_algos.h
index e457c907273..6131a194a89 100644
--- a/src/lib/tls/tls_algos.h
+++ b/src/lib/tls/tls_algos.h
@@ -93,6 +93,13 @@ enum class Group_Params_Code : uint16_t {
 X25519 = 29,
+ // The original brainpool code points (see above) were deprecated by IETF
+ // and should therefore not be used in TLS 1.3 and above.
+ // RFC 8734 re-introduced them for TLS 1.3, as new code points. -.-
+ BRAINPOOL256R1_TLS13 = 31,
+ BRAINPOOL384R1_TLS13 = 32,
+ BRAINPOOL512R1_TLS13 = 33,
+
 FFDHE_2048 = 256,
 FFDHE_3072 = 257,
 FFDHE_4096 = 258,
@@ -155,7 +162,9 @@ class BOTAN_PUBLIC_API(3, 2) Group_Params final {
 constexpr bool is_ecdh_named_curve() const {
 return m_code == Group_Params_Code::SECP256R1 || m_code == Group_Params_Code::SECP384R1 || m_code == Group_Params_Code::SECP521R1 || m_code == Group_Params_Code::BRAINPOOL256R1 ||
- m_code == Group_Params_Code::BRAINPOOL384R1 || m_code == Group_Params_Code::BRAINPOOL512R1;
+ m_code == Group_Params_Code::BRAINPOOL384R1 || m_code == Group_Params_Code::BRAINPOOL512R1 ||
+ m_code == Group_Params_Code::BRAINPOOL256R1_TLS13 ||
+ m_code == Group_Params_Code::BRAINPOOL384R1_TLS13 || m_code == Group_Params_Code::BRAINPOOL512R1_TLS13;
 }
 constexpr bool is_in_ffdhe_range() const {
diff --git a/src/lib/tls/tls_policy.cpp b/src/lib/tls/tls_policy.cpp
index 57591667d7c..4b0d69194d0 100644
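Review bot: Both return statements in `usable_in_version()` now enumerate the brainpool code points in long `&&` chains, and the two lists are mirror images that must be kept in sync by hand whenever a curve is added — the same enumeration appears a third time in the `is_ecdh_named_curve()` hunk below. Naming the two code-point sets once, as two local booleans (or `constexpr` predicates next to `is_ecdh_named_curve()`), keeps the version rule readable as "no KEMs and no RFC 8734 points before 1.3, no RFC 7027 points from 1.3 on". The function's signature and the first half of its comment are outside the hunk; only the `@@` header shows them.

```cpp
bool Group_Params::usable_in_version(const Protocol_Version& version) const {
   // … unchanged: explanatory comment …
   const bool legacy_brainpool_code = m_code == Group_Params_Code::BRAINPOOL256R1 ||
                                      m_code == Group_Params_Code::BRAINPOOL384R1 ||
                                      m_code == Group_Params_Code::BRAINPOOL512R1;
   const bool tls13_brainpool_code = m_code == Group_Params_Code::BRAINPOOL256R1_TLS13 ||
                                     m_code == Group_Params_Code::BRAINPOOL384R1_TLS13 ||
                                     m_code == Group_Params_Code::BRAINPOOL512R1_TLS13;
   if(version.is_pre_tls_13()) {
      // RFC 7027 code points only, and no KEM-based groups before TLS 1.3
      return !is_post_quantum() && !tls13_brainpool_code;
   }
   // RFC 8734 code points only from TLS 1.3 on
   return !legacy_brainpool_code;
}
```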
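Review bot: The new comment in `Group_Params_Code` ends with the emoticon `-.-` and says the original code points were "deprecated by IETF", which is vaguer than the actual rule: RFC 8446 (Section 4.2.7) lists the RFC 7027 brainpool code points in an `obsolete_RESERVED` range that TLS 1.3 implementations must not offer or negotiate, and RFC 8734 registered 31–33 as the TLS 1.3 replacements. Suggest `// RFC 8446 (Section 4.2.7) marks the original brainpool code points (see above) as obsolete_RESERVED, so they must not be negotiated in TLS 1.3; RFC 8734 re-introduced the curves for TLS 1.3 under these new code points.` in place of the three comment lines. The enum continues outside the hunk.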
--- a/src/lib/tls/tls_policy.cpp
+++ b/src/lib/tls/tls_policy.cpp
@@ -162,8 +162,9 @@ std::vector Policy::key_exchange_groups() const {
 Group_Params::X25519,
 #endif
- Group_Params::SECP256R1, Group_Params::BRAINPOOL256R1, Group_Params::SECP384R1, Group_Params::BRAINPOOL384R1,
- Group_Params::SECP521R1, Group_Params::BRAINPOOL512R1,
+ Group_Params::SECP256R1, Group_Params::BRAINPOOL256R1, Group_Params::BRAINPOOL256R1_TLS13,
+ Group_Params::SECP384R1, Group_Params::BRAINPOOL384R1, Group_Params::BRAINPOOL384R1_TLS13,
+ Group_Params::SECP521R1, Group_Params::BRAINPOOL512R1, Group_Params::BRAINPOOL512R1_TLS13,
 Group_Params::FFDHE_2048, Group_Params::FFDHE_3072, Group_Params::FFDHE_4096, Group_Params::FFDHE_6144, Group_Params::FFDHE_8192,
diff --git a/src/lib/tls/tls_policy.h b/src/lib/tls/tls_policy.h
index 28e2886c159..fa081d139e7 100644
--- a/src/lib/tls/tls_policy.h
+++ b/src/lib/tls/tls_policy.h
@@ -561,8 +561,11 @@ class BOTAN_PUBLIC_API(2, 0) BSI_TR_02102_2 : public Policy {
 std::vector key_exchange_groups() const override {
 return std::vector({Group_Params::BRAINPOOL512R1,
+ Group_Params::BRAINPOOL512R1_TLS13,
 Group_Params::BRAINPOOL384R1,
+ Group_Params::BRAINPOOL384R1_TLS13,
 Group_Params::BRAINPOOL256R1,
+ Group_Params::BRAINPOOL256R1_TLS13,
 Group_Params::SECP521R1,
 Group_Params::SECP384R1,
 Group_Params::SECP256R1,
diff --git a/src/tests/data/tls-policy/bsi.txt b/src/tests/data/tls-policy/bsi.txt
index c06cd9b9951..1d941f14ba9 100644
--- a/src/tests/data/tls-policy/bsi.txt
+++ b/src/tests/data/tls-policy/bsi.txt
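Review bot: In `BSI_TR_02102_2::key_exchange_groups()` the legacy `BRAINPOOL512R1` stays at the front of the list, ahead of its new `_TLS13` twin. If the default `Policy::key_exchange_groups_to_offer()` (not part of this diff) takes the first supported group as the one to generate a key share for, then a TLS 1.3 client under this policy — which keeps both code points because `Client_Hello_13` skips filtering whenever `allow_tls12()` is true — would offer its only key share for a code point RFC 8446 forbids TLS 1.3 implementations to negotiate, and pay a HelloRetryRequest on every handshake. Listing the `_TLS13` entry first for each curve, or choosing the offered group per protocol version, would avoid that; the same ordering question applies to the default list in the tls_policy.cpp hunk above. The `return std::vector({...})` expression continues outside the hunk.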
@@ -10,7 +10,7 @@ signature_hashes = SHA-512 SHA-384 SHA-256
 macs = AEAD SHA-384 SHA-256
 key_exchange_methods = ECDH DH ECDHE_PSK
 signature_methods = ECDSA RSA DSA
-key_exchange_groups = brainpool512r1 brainpool384r1 brainpool256r1 secp521r1 secp384r1 secp256r1 ffdhe/ietf/4096 ffdhe/ietf/3072
+key_exchange_groups = brainpool512r1 brainpool512r1tls13 brainpool384r1 brainpool384r1tls13 brainpool256r1 brainpool256r1tls13 secp521r1 secp384r1 secp256r1 ffdhe/ietf/4096 ffdhe/ietf/3072
 minimum_signature_strength = 120
 minimum_dh_group_size = 3000
 minimum_dsa_group_size = 3000
diff --git a/src/tests/data/tls-policy/datagram.txt b/src/tests/data/tls-policy/datagram.txt
index 57a897856b1..506451a4ebd 100644
--- a/src/tests/data/tls-policy/datagram.txt
+++ b/src/tests/data/tls-policy/datagram.txt
@@ -9,7 +9,7 @@ macs = AEAD
 signature_hashes = SHA-512 SHA-384 SHA-256
 signature_methods = ECDSA RSA
 key_exchange_methods = ECDH DH
-key_exchange_groups = x25519 secp256r1 brainpool256r1 secp384r1 brainpool384r1 secp521r1 brainpool512r1 ffdhe/ietf/2048 ffdhe/ietf/3072 ffdhe/ietf/4096 ffdhe/ietf/6144 ffdhe/ietf/8192
+key_exchange_groups = x25519 secp256r1 brainpool256r1 brainpool256r1tls13 secp384r1 brainpool384r1 brainpool384r1tls13 secp521r1 brainpool512r1 brainpool512r1tls13 ffdhe/ietf/2048 ffdhe/ietf/3072 ffdhe/ietf/4096 ffdhe/ietf/6144 ffdhe/ietf/8192
 allow_insecure_renegotiation = false
 include_time_in_hello_random = true
 allow_server_initiated_renegotiation = false
diff --git a/src/tests/data/tls-policy/default.txt b/src/tests/data/tls-policy/default.txt
index 3a5dd16dd1a..9a467e4425d 100644
--- a/src/tests/data/tls-policy/default.txt
+++ b/src/tests/data/tls-policy/default.txt
@@ -9,7 +9,7 @@ macs = AEAD SHA-256 SHA-384 SHA-1
 signature_hashes = SHA-512 SHA-384 SHA-256
 signature_methods = ECDSA RSA
 key_exchange_methods = ECDH DH
-key_exchange_groups = x25519 secp256r1 brainpool256r1 secp384r1 brainpool384r1 secp521r1 brainpool512r1 ffdhe/ietf/2048 ffdhe/ietf/3072 ffdhe/ietf/4096 ffdhe/ietf/6144 ffdhe/ietf/8192
+key_exchange_groups = x25519 secp256r1 brainpool256r1 brainpool256r1tls13 secp384r1 brainpool384r1 brainpool384r1tls13 secp521r1 brainpool512r1 brainpool512r1tls13 ffdhe/ietf/2048 ffdhe/ietf/3072 ffdhe/ietf/4096 ffdhe/ietf/6144 ffdhe/ietf/8192
 allow_insecure_renegotiation = false
 include_time_in_hello_random = true
 allow_server_initiated_renegotiation = false
diff --git a/src/tests/data/tls-policy/default_tls13.txt b/src/tests/data/tls-policy/default_tls13.txt
index 09970c70f70..b542a8d569f 100644
--- a/src/tests/data/tls-policy/default_tls13.txt
+++ b/src/tests/data/tls-policy/default_tls13.txt
@@ -9,7 +9,7 @@ macs = AEAD SHA-256 SHA-384 SHA-1
 signature_hashes = SHA-512 SHA-384 SHA-256
 signature_methods = ECDSA RSA
 key_exchange_methods = ECDH DH
-key_exchange_groups = x25519 secp256r1 brainpool256r1 secp384r1 brainpool384r1 secp521r1 brainpool512r1 ffdhe/ietf/2048 ffdhe/ietf/3072 ffdhe/ietf/4096 ffdhe/ietf/6144 ffdhe/ietf/8192
+key_exchange_groups = x25519 secp256r1 brainpool256r1 brainpool256r1tls13 secp384r1 brainpool384r1 brainpool384r1tls13 secp521r1 brainpool512r1 brainpool512r1tls13 ffdhe/ietf/2048 ffdhe/ietf/3072 ffdhe/ietf/4096 ffdhe/ietf/6144 ffdhe/ietf/8192
 allow_insecure_renegotiation = false
 include_time_in_hello_random = true
 allow_server_initiated_renegotiation = false
diff --git a/src/tests/data/tls-policy/strict.txt b/src/tests/data/tls-policy/strict.txt
index ed324be1c61..621543a608d 100644
--- a/src/tests/data/tls-policy/strict.txt
+++ b/src/tests/data/tls-policy/strict.txt
@@ -9,7 +9,7 @@ macs = AEAD
 signature_hashes = SHA-512 SHA-384
 signature_methods = ECDSA RSA
 key_exchange_methods = ECDH
-key_exchange_groups = x25519 secp256r1 brainpool256r1 secp384r1 brainpool384r1 secp521r1 brainpool512r1 ffdhe/ietf/2048 ffdhe/ietf/3072 ffdhe/ietf/4096 ffdhe/ietf/6144 ffdhe/ietf/8192
+key_exchange_groups = x25519 secp256r1 brainpool256r1 brainpool256r1tls13 secp384r1 brainpool384r1 brainpool384r1tls13 secp521r1 brainpool512r1 brainpool512r1tls13 ffdhe/ietf/2048 ffdhe/ietf/3072 ffdhe/ietf/4096 ffdhe/ietf/6144 ffdhe/ietf/8192
 allow_insecure_renegotiation = false
 include_time_in_hello_random = true
 allow_server_initiated_renegotiation = false
diff --git a/src/tests/data/tls-policy/strict_tls13.txt b/src/tests/data/tls-policy/strict_tls13.txt
index 30c5de059c0..4643cd6462a 100644
--- a/src/tests/data/tls-policy/strict_tls13.txt
+++ b/src/tests/data/tls-policy/strict_tls13.txt
@@ -9,7 +9,7 @@ macs = AEAD
 signature_hashes = SHA-512 SHA-384
 signature_methods = ECDSA RSA
 key_exchange_methods = ECDH
-key_exchange_groups = x25519 secp256r1 brainpool256r1 secp384r1 brainpool384r1 secp521r1 brainpool512r1 ffdhe/ietf/2048 ffdhe/ietf/3072 ffdhe/ietf/4096 ffdhe/ietf/6144 ffdhe/ietf/8192
+key_exchange_groups = x25519 secp256r1 brainpool256r1 brainpool256r1tls13 secp384r1 brainpool384r1 brainpool384r1tls13 secp521r1 brainpool512r1 brainpool512r1tls13 ffdhe/ietf/2048 ffdhe/ietf/3072 ffdhe/ietf/4096 ffdhe/ietf/6144 ffdhe/ietf/8192
 allow_insecure_renegotiation = false
 include_time_in_hello_random = true
 allow_server_initiated_renegotiation = false