feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #1595 from SparkiDev/tls13_cipher_down

Browse Source 
Fix for downgrading from TLS 1.3 due to old cipher suite
This commit is contained in:
toddouska
2018-06-12 08:24:26 -07:00
committed by GitHub
parent f2a20c4232 fcd2234841
commit 29410ada1e
4 changed files with 86 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
scripts/tls13.test
View File

@ -137,6 +137,38 @@ if [ $? -ne 0 ]; then
exit 1
fi
echo ""
echo "Find usable TLS 1.2 cipher suite"
for CS in ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256
do
echo $CS
./examples/client/client -e | grep $CS >/dev/null
if [ "$?" = "0" ]; then
TLS12_CS=$CS
break
fi
done
if [ "$TLS12_CS" != "" ]; then
# TLS 1.3 downgrade server and client - no common TLS 1.3 ciphers
echo -e "\n\nTLS v1.3 downgrade server and client - no common TLS 1.3 ciphers"
port=0
SERVER_CS="TLS13-AES256-GCM-SHA384:$TLS12_CS"
CLIENT_CS="TLS13-AES128-GCM-SHA256:$TLS12_CS"
./examples/server/server -v d -l $SERVER_CS -R $ready_file -p $port &
server_pid=$!
create_port
./examples/client/client -v d -l $CLIENT_CS -p $port
RESULT=$?
remove_ready_file
if [ $RESULT -eq 0 ]; then
echo -e "\n\nTLS v1.3 downgrading to TLS v1.2 due to ciphers"
do_cleanup
exit 1
fi
echo ""
else
echo "No usable TLS 1.2 cipher suite found"
fi
fi
do_cleanup

64
src/internal.c
View File

@ -16749,36 +16749,6 @@ void PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo,
XMEMCPY(ssl->arrays->serverRandom, input + i, RAN_LEN);
i += RAN_LEN;
if (!ssl->options.resuming) {
#ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->ctx->method->version)) {
/* TLS v1.3 capable client not allowed to downgrade when
* connecting to TLS v1.3 capable server unless cipher suite
* demands it.
*/
if (XMEMCMP(input + i - (TLS13_DOWNGRADE_SZ + 1),
tls13Downgrade, TLS13_DOWNGRADE_SZ) == 0 &&
(*(input + i - 1) == 0 || *(input + i - 1) == 1)) {
SendAlert(ssl, alert_fatal, illegal_parameter);
return VERSION_ERROR;
}
}
else
#endif
if (ssl->ctx->method->version.major == SSLv3_MAJOR &&
ssl->ctx->method->version.minor == TLSv1_2_MINOR) {
/* TLS v1.2 capable client not allowed to downgrade when
* connecting to TLS v1.2 capable server.
*/
if (XMEMCMP(input + i - (TLS13_DOWNGRADE_SZ + 1),
tls13Downgrade, TLS13_DOWNGRADE_SZ) == 0 &&
*(input + i - 1) == 0) {
SendAlert(ssl, alert_fatal, illegal_parameter);
return VERSION_ERROR;
}
}
}
/* session id */
ssl->arrays->sessionIDSz = input[i++];
@ -16947,7 +16917,37 @@ void PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo,
{
int ret;
if (ssl->options.resuming) {
if (!ssl->options.resuming) {
byte* down = ssl->arrays->serverRandom + RAN_LEN -
TLS13_DOWNGRADE_SZ - 1;
byte vers = ssl->arrays->serverRandom[RAN_LEN - 1];
#ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->ctx->method->version)) {
/* TLS v1.3 capable client not allowed to downgrade when
* connecting to TLS v1.3 capable server unless cipher suite
* demands it.
*/
if (XMEMCMP(down, tls13Downgrade, TLS13_DOWNGRADE_SZ) == 0 &&
(vers == 0 || vers == 1)) {
SendAlert(ssl, alert_fatal, illegal_parameter);
return VERSION_ERROR;
}
}
else
#endif
if (ssl->ctx->method->version.major == SSLv3_MAJOR &&
ssl->ctx->method->version.minor == TLSv1_2_MINOR) {
/* TLS v1.2 capable client not allowed to downgrade when
* connecting to TLS v1.2 capable server.
*/
if (XMEMCMP(down, tls13Downgrade, TLS13_DOWNGRADE_SZ) == 0 &&
vers == 0) {
SendAlert(ssl, alert_fatal, illegal_parameter);
return VERSION_ERROR;
}
}
}
else {
if (DSH_CheckSessionId(ssl)) {
if (SetCipherSpecs(ssl) == 0) {
@ -23342,7 +23342,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
args->output, args->sigSz,
HashAlgoToType(args->hashAlgo));
if (ret != 0)
return ret;
goto exit_dcv;
}
else
#endif

16
src/tls.c
View File

@ -5270,34 +5270,38 @@ static int TLSX_SupportedVersions_Parse(WOLFSSL* ssl, byte* input,
continue;
/* No upgrade allowed. */
if (ssl->version.minor > minor)
if (minor > ssl->version.minor)
continue;
/* Check downgrade. */
if (ssl->version.minor < minor) {
if (minor < ssl->version.minor) {
if (!ssl->options.downgrade)
continue;
if (minor < ssl->options.minDowngrade)
continue;
if (newMinor == 0 && minor > ssl->options.oldMinor) {
/* Downgrade the version. */
ssl->version.minor = minor;
}
}
if (minor >= TLSv1_3_MINOR) {
if (!ssl->options.tls1_3) {
ssl->options.tls1_3 = 1;
TLSX_Push(&ssl->extensions, TLSX_SUPPORTED_VERSIONS, ssl,
ssl->heap);
#ifndef WOLFSSL_TLS13_DRAFT_18
TLSX_SetResponse(ssl, TLSX_SUPPORTED_VERSIONS);
#endif
}
if (minor > newMinor) {
ssl->version.minor = minor;
newMinor = minor;
}
else if (ssl->options.oldMinor < minor)
}
else if (minor > ssl->options.oldMinor)
ssl->options.oldMinor = minor;
if (newMinor != 0 && ssl->options.oldMinor != 0)
break;
}
}
#ifndef WOLFSSL_TLS13_DRAFT_18

22
src/tls13.c
View File

@ -3972,31 +3972,9 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
/* Check that the negotiated ciphersuite matches protocol version. */
if (IsAtLeastTLSv1_3(ssl->version)) {
if (ssl->options.cipherSuite0 != TLS13_BYTE) {
#ifndef WOLFSSL_NO_TLS12
TLSX* ext;
if (!ssl->options.downgrade) {
WOLFSSL_MSG("Negotiated ciphersuite from lesser version "
"than TLS v1.3");
return VERSION_ERROR;
}
WOLFSSL_MSG("Downgrading protocol due to cipher suite");
if (pv.minor < ssl->options.minDowngrade)
return VERSION_ERROR;
ssl->version.minor = ssl->options.oldMinor;
/* Downgrade from TLS v1.3 */
ssl->options.tls1_3 = 0;
ext = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_VERSIONS);
if (ext != NULL)
ext->resp = 0;
#else
WOLFSSL_MSG("Negotiated ciphersuite from lesser version than "
"TLS v1.3");
return VERSION_ERROR;
#endif
}
}
/* VerifyServerSuite handles when version is less than 1.3 */