feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

DoHelloVerifyRequest: only do DTLS 1.3 version check

Browse Source
This commit is contained in:
Juliusz Sosinowicz
2023-07-28 22:22:08 +02:00
parent 27a59761b9
commit 724fe53379
2 changed files with 42 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/internal.c
View File

@@ -27700,9 +27700,11 @@ static int HashSkeData(WOLFSSL* ssl, enum wc_HashType hashType,
#if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_TLS13) #if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_TLS13)
if (IsAtLeastTLSv1_3(ssl->version) && ssl->options.dtls) { if (IsAtLeastTLSv1_3(ssl->version) && ssl->options.dtls) {
/* we sent a TLSv1.3 ClientHello but received a /* we sent a TLSv1.3 ClientHello but received a
* HELLO_VERIFY_REQUEST */ * HELLO_VERIFY_REQUEST. We only check if DTLSv1_3_MINOR is the
* min downgrade option as per the server_version field comments in
* https://www.rfc-editor.org/rfc/rfc6347#section-4.2.1 */
if (!ssl->options.downgrade || if (!ssl->options.downgrade ||
ssl->options.minDowngrade < pv.minor) ssl->options.minDowngrade <= DTLSv1_3_MINOR)
return VERSION_ERROR; return VERSION_ERROR;
} }
#endif /* defined(WOLFSSL_DTLS13) && defined(WOLFSSL_TLS13) */ #endif /* defined(WOLFSSL_DTLS13) && defined(WOLFSSL_TLS13) */

38
tests/api.c
View File

@@ -63135,6 +63135,43 @@ static int test_TLSX_CA_NAMES_bad_extension(void)
return EXPECT_RESULT(); return EXPECT_RESULT();
} }
#if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_TLS12) && \
defined(HAVE_IO_TESTS_DEPENDENCIES)
static void test_dtls_1_0_hvr_downgrade_ctx_ready(WOLFSSL_CTX* ctx)
{
AssertIntEQ(wolfSSL_CTX_SetMinVersion(ctx, WOLFSSL_DTLSV1_2),
WOLFSSL_SUCCESS);
}
static int test_dtls_1_0_hvr_downgrade(void)
{
EXPECT_DECLS;
callback_functions func_cb_client;
callback_functions func_cb_server;
XMEMSET(&func_cb_client, 0, sizeof(callback_functions));
XMEMSET(&func_cb_server, 0, sizeof(callback_functions));
func_cb_client.doUdp = func_cb_server.doUdp = 1;
func_cb_server.method = wolfDTLSv1_2_server_method;
func_cb_client.method = wolfDTLS_client_method;
func_cb_client.ctx_ready = test_dtls_1_0_hvr_downgrade_ctx_ready;
test_wolfSSL_client_server_nofail(&func_cb_client, &func_cb_server);
ExpectIntEQ(func_cb_client.return_code, TEST_SUCCESS);
ExpectIntEQ(func_cb_server.return_code, TEST_SUCCESS);
return EXPECT_RESULT();
}
#else
static int test_dtls_1_0_hvr_downgrade(void)
{
EXPECT_DECLS;
return EXPECT_RESULT();
}
#endif
/*----------------------------------------------------------------------------* /*----------------------------------------------------------------------------*
| Main | Main
*----------------------------------------------------------------------------*/ *----------------------------------------------------------------------------*/
@@ -64387,6 +64424,7 @@ TEST_CASE testCases[] = {
TEST_DECL(test_wolfSSL_SCR_after_resumption), TEST_DECL(test_wolfSSL_SCR_after_resumption),
TEST_DECL(test_dtls_no_extensions), TEST_DECL(test_dtls_no_extensions),
TEST_DECL(test_TLSX_CA_NAMES_bad_extension), TEST_DECL(test_TLSX_CA_NAMES_bad_extension),
TEST_DECL(test_dtls_1_0_hvr_downgrade),
/* This test needs to stay at the end to clean up any caches allocated. */ /* This test needs to stay at the end to clean up any caches allocated. */
TEST_DECL(test_wolfSSL_Cleanup) TEST_DECL(test_wolfSSL_Cleanup)
}; };