forked from wolfSSL/wolfssl
not send smaller versions than minimum downgradable version as supportedversion ext
This commit is contained in:
Hideki Miyazaki
@ -974,7 +974,7 @@ static int ClientRead(WOLFSSL* ssl, char* reply, int replyLen, int mustRead,
|
|||||||
/* 4. add the same message into Japanese section */
|
/* 4. add the same message into Japanese section */
|
||||||
/* (will be translated later) */
|
/* (will be translated later) */
|
||||||
/* 5. add printf() into suitable position of Usage() */
|
/* 5. add printf() into suitable position of Usage() */
|
||||||
static const char* client_usage_msg[][68] = {
|
static const char* client_usage_msg[][69] = {
|
||||||
/* English */
|
/* English */
|
||||||
{
|
{
|
||||||
" NOTE: All files relative to wolfSSL home dir\n", /* 0 */
|
" NOTE: All files relative to wolfSSL home dir\n", /* 0 */
|
||||||
@ -1160,6 +1160,13 @@ static const char* client_usage_msg[][68] = {
|
|||||||
!defined(WOLFSENTRY_NO_JSON)
|
!defined(WOLFSENTRY_NO_JSON)
|
||||||
"--wolfsentry-config <file> Path for JSON wolfSentry config\n",
|
"--wolfsentry-config <file> Path for JSON wolfSentry config\n",
|
||||||
/* 68 */
|
/* 68 */
|
||||||
|
#endif
|
||||||
|
#ifndef WOLFSSL_TLS13
|
||||||
|
"-7 Set minimum downgrade protocol version [0-3] "
|
||||||
|
" SSLv3(0) - TLS1.2(3)\n",
|
||||||
|
#else
|
||||||
|
"-7 Set minimum downgrade protocol version [0-4] "
|
||||||
|
" SSLv3(0) - TLS1.3(4)\n", /* 69 */
|
||||||
#endif
|
#endif
|
||||||
NULL,
|
NULL,
|
||||||
},
|
},
|
||||||
@ -1350,7 +1357,14 @@ static const char* client_usage_msg[][68] = {
|
|||||||
#if defined(WOLFSSL_WOLFSENTRY_HOOKS) && !defined(NO_FILESYSTEM) && \
|
#if defined(WOLFSSL_WOLFSENTRY_HOOKS) && !defined(NO_FILESYSTEM) && \
|
||||||
!defined(WOLFSENTRY_NO_JSON)
|
!defined(WOLFSENTRY_NO_JSON)
|
||||||
"--wolfsentry-config <file> wolfSentry コンフィグファイル\n",
|
"--wolfsentry-config <file> wolfSentry コンフィグファイル\n",
|
||||||
/* 68 */
|
/* 68 */
|
||||||
|
#endif
|
||||||
|
#ifndef WOLFSSL_TLS13
|
||||||
|
"-7 最小ダウングレード可能なプロトコルバージョンを設定します [0-3] "
|
||||||
|
" SSLv3(0) - TLS1.2(3)\n",
|
||||||
|
#else
|
||||||
|
"-7 最小ダウングレード可能なプロトコルバージョンを設定します [0-4] "
|
||||||
|
" SSLv3(0) - TLS1.3(4)\n", /* 69 */
|
||||||
#endif
|
#endif
|
||||||
NULL,
|
NULL,
|
||||||
},
|
},
|
||||||
@ -1534,6 +1548,7 @@ static void Usage(void)
|
|||||||
!defined(WOLFSENTRY_NO_JSON)
|
!defined(WOLFSENTRY_NO_JSON)
|
||||||
printf("%s", msg[++msgid]); /* --wolfsentry-config */
|
printf("%s", msg[++msgid]); /* --wolfsentry-config */
|
||||||
#endif
|
#endif
|
||||||
|
printf("%s", msg[++msgid]); /* -7 */
|
||||||
}
|
}
|
||||||
|
|
||||||
THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
|
THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
|
||||||
|
|||||||
@ -676,7 +676,7 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519,
|
|||||||
/* 4. add the same message into Japanese section */
|
/* 4. add the same message into Japanese section */
|
||||||
/* (will be translated later) */
|
/* (will be translated later) */
|
||||||
/* 5. add printf() into suitable position of Usage() */
|
/* 5. add printf() into suitable position of Usage() */
|
||||||
static const char* server_usage_msg[][58] = {
|
static const char* server_usage_msg[][59] = {
|
||||||
/* English */
|
/* English */
|
||||||
{
|
{
|
||||||
" NOTE: All files relative to wolfSSL home dir\n", /* 0 */
|
" NOTE: All files relative to wolfSSL home dir\n", /* 0 */
|
||||||
@ -815,6 +815,14 @@ static const char* server_usage_msg[][58] = {
|
|||||||
"--wolfsentry-config <file> Path for JSON wolfSentry config\n",
|
"--wolfsentry-config <file> Path for JSON wolfSentry config\n",
|
||||||
/* 58 */
|
/* 58 */
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#ifndef WOLFSSL_TLS13
|
||||||
|
"-7 Set minimum downgrade protocol version [0-3] "
|
||||||
|
" SSLv3(0) - TLS1.2(3)\n",
|
||||||
|
#else
|
||||||
|
"-7 Set minimum downgrade protocol version [0-4] "
|
||||||
|
" SSLv3(0) - TLS1.3(4)\n", /* 59 */
|
||||||
|
#endif
|
||||||
NULL,
|
NULL,
|
||||||
},
|
},
|
||||||
#ifndef NO_MULTIBYTE_PRINT
|
#ifndef NO_MULTIBYTE_PRINT
|
||||||
@ -962,6 +970,13 @@ static const char* server_usage_msg[][58] = {
|
|||||||
#if defined(WOLFSSL_WOLFSENTRY_HOOKS) && !defined(NO_FILESYSTEM) && !defined(WOLFSENTRY_NO_JSON)
|
#if defined(WOLFSSL_WOLFSENTRY_HOOKS) && !defined(NO_FILESYSTEM) && !defined(WOLFSENTRY_NO_JSON)
|
||||||
"--wolfsentry-config <file> wolfSentry コンフィグファイル\n",
|
"--wolfsentry-config <file> wolfSentry コンフィグファイル\n",
|
||||||
/* 58 */
|
/* 58 */
|
||||||
|
#endif
|
||||||
|
#ifndef WOLFSSL_TLS13
|
||||||
|
"-7 最小ダウングレード可能なプロトコルバージョンを設定します [0-3] "
|
||||||
|
" SSLv3(0) - TLS1.2(3)\n",
|
||||||
|
#else
|
||||||
|
"-7 最小ダウングレード可能なプロトコルバージョンを設定します [0-4] "
|
||||||
|
" SSLv3(0) - TLS1.3(4)\n", /* 59 */
|
||||||
#endif
|
#endif
|
||||||
NULL,
|
NULL,
|
||||||
},
|
},
|
||||||
@ -1103,6 +1118,7 @@ static void Usage(void)
|
|||||||
!defined(WOLFSENTRY_NO_JSON)
|
!defined(WOLFSENTRY_NO_JSON)
|
||||||
printf("%s", msg[++msgId]); /* --wolfsentry-config */
|
printf("%s", msg[++msgId]); /* --wolfsentry-config */
|
||||||
#endif
|
#endif
|
||||||
|
printf("%s", msg[++msgId]); /* -7 */
|
||||||
}
|
}
|
||||||
|
|
||||||
THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
|
THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
|
||||||
@ -1118,7 +1134,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
|
|||||||
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
|
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
|
||||||
wolfsentry_errcode_t wolfsentry_ret;
|
wolfsentry_errcode_t wolfsentry_ret;
|
||||||
#endif
|
#endif
|
||||||
|
int minVersion = SERVER_INVALID_VERSION;
|
||||||
|
int setMinVersion = 0;
|
||||||
int useWebServerMsg = 0;
|
int useWebServerMsg = 0;
|
||||||
char input[SRV_READ_SZ];
|
char input[SRV_READ_SZ];
|
||||||
#ifndef WOLFSSL_VXWORKS
|
#ifndef WOLFSSL_VXWORKS
|
||||||
@ -1782,7 +1799,14 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
|
|||||||
nonBlocking = 1;
|
nonBlocking = 1;
|
||||||
simulateWantWrite = 1;
|
simulateWantWrite = 1;
|
||||||
break;
|
break;
|
||||||
|
case '7' :
|
||||||
|
setMinVersion = 1;
|
||||||
|
minVersion = atoi(myoptarg);
|
||||||
|
if (minVersion < 0 || minVersion > 4) {
|
||||||
|
Usage();
|
||||||
|
XEXIT_T(MY_EX_USAGE);
|
||||||
|
}
|
||||||
|
break;
|
||||||
case '8' :
|
case '8' :
|
||||||
#ifdef HAVE_CURVE448
|
#ifdef HAVE_CURVE448
|
||||||
useX448 = 1;
|
useX448 = 1;
|
||||||
@ -1979,6 +2003,10 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
|
|||||||
#endif /* WOLFSSL_STATIC_MEMORY */
|
#endif /* WOLFSSL_STATIC_MEMORY */
|
||||||
if (ctx == NULL)
|
if (ctx == NULL)
|
||||||
err_sys_ex(catastrophic, "unable to get ctx");
|
err_sys_ex(catastrophic, "unable to get ctx");
|
||||||
|
|
||||||
|
if (setMinVersion) {
|
||||||
|
wolfSSL_CTX_SetMinVersion(ctx, minVersion);
|
||||||
|
}
|
||||||
|
|
||||||
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
|
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
|
||||||
if (wolfsentry_setup(&wolfsentry, wolfsentry_config_path,
|
if (wolfsentry_setup(&wolfsentry, wolfsentry_config_path,
|
||||||
|
|||||||
24
src/tls.c
24
src/tls.c
@ -5969,26 +5969,30 @@ static int TLSX_SupportedVersions_GetSize(void* data, byte msgType, word16* pSz)
|
|||||||
int cnt = 0;
|
int cnt = 0;
|
||||||
|
|
||||||
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
|
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
|
||||||
if ((ssl->options.mask & SSL_OP_NO_TLSv1_3) == 0)
|
if ((ssl->options.mask & SSL_OP_NO_TLSv1_3) == 0 &&
|
||||||
|
(ssl->options.minDowngrade <= TLSv1_3_MINOR))
|
||||||
#endif
|
#endif
|
||||||
cnt++;
|
cnt++;
|
||||||
|
|
||||||
if (ssl->options.downgrade) {
|
if (ssl->options.downgrade) {
|
||||||
#ifndef WOLFSSL_NO_TLS12
|
#ifndef WOLFSSL_NO_TLS12
|
||||||
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
|
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
|
||||||
if ((ssl->options.mask & SSL_OP_NO_TLSv1_2) == 0)
|
if ((ssl->options.mask & SSL_OP_NO_TLSv1_2) == 0 &&
|
||||||
|
(ssl->options.minDowngrade <= TLSv1_2_MINOR))
|
||||||
#endif
|
#endif
|
||||||
cnt++;
|
cnt++;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifndef NO_OLD_TLS
|
#ifndef NO_OLD_TLS
|
||||||
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
|
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
|
||||||
if ((ssl->options.mask & SSL_OP_NO_TLSv1_1) == 0)
|
if ((ssl->options.mask & SSL_OP_NO_TLSv1_1) == 0 &&
|
||||||
|
(ssl->options.minDowngrade <= TLSv1_1_MINOR))
|
||||||
#endif
|
#endif
|
||||||
cnt++;
|
cnt++;
|
||||||
#ifdef WOLFSSL_ALLOW_TLSV10
|
#ifdef WOLFSSL_ALLOW_TLSV10
|
||||||
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
|
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
|
||||||
if ((ssl->options.mask & SSL_OP_NO_TLSv1) == 0)
|
if ((ssl->options.mask & SSL_OP_NO_TLSv1) == 0 &&
|
||||||
|
(ssl->options.minDowngrade <= TLSv1_MINOR))
|
||||||
#endif
|
#endif
|
||||||
cnt++;
|
cnt++;
|
||||||
#endif
|
#endif
|
||||||
@ -6026,7 +6030,8 @@ static int TLSX_SupportedVersions_Write(void* data, byte* output,
|
|||||||
cnt = output++;
|
cnt = output++;
|
||||||
*cnt = 0;
|
*cnt = 0;
|
||||||
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
|
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
|
||||||
if ((ssl->options.mask & SSL_OP_NO_TLSv1_3) == 0)
|
if ((ssl->options.mask & SSL_OP_NO_TLSv1_3) == 0 &&
|
||||||
|
(ssl->options.minDowngrade <= TLSv1_3_MINOR))
|
||||||
#endif
|
#endif
|
||||||
{
|
{
|
||||||
*cnt += OPAQUE16_LEN;
|
*cnt += OPAQUE16_LEN;
|
||||||
@ -6043,7 +6048,8 @@ static int TLSX_SupportedVersions_Write(void* data, byte* output,
|
|||||||
if (ssl->options.downgrade) {
|
if (ssl->options.downgrade) {
|
||||||
#ifndef WOLFSSL_NO_TLS12
|
#ifndef WOLFSSL_NO_TLS12
|
||||||
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
|
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
|
||||||
if ((ssl->options.mask & SSL_OP_NO_TLSv1_2) == 0)
|
if ((ssl->options.mask & SSL_OP_NO_TLSv1_2) == 0 &&
|
||||||
|
(ssl->options.minDowngrade <= TLSv1_2_MINOR))
|
||||||
#endif
|
#endif
|
||||||
{
|
{
|
||||||
*cnt += OPAQUE16_LEN;
|
*cnt += OPAQUE16_LEN;
|
||||||
@ -6054,7 +6060,8 @@ static int TLSX_SupportedVersions_Write(void* data, byte* output,
|
|||||||
|
|
||||||
#ifndef NO_OLD_TLS
|
#ifndef NO_OLD_TLS
|
||||||
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
|
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
|
||||||
if ((ssl->options.mask & SSL_OP_NO_TLSv1_1) == 0)
|
if ((ssl->options.mask & SSL_OP_NO_TLSv1_1) == 0 &&
|
||||||
|
(ssl->options.minDowngrade <= TLSv1_1_MINOR))
|
||||||
#endif
|
#endif
|
||||||
{
|
{
|
||||||
*cnt += OPAQUE16_LEN;
|
*cnt += OPAQUE16_LEN;
|
||||||
@ -6063,7 +6070,8 @@ static int TLSX_SupportedVersions_Write(void* data, byte* output,
|
|||||||
}
|
}
|
||||||
#ifdef WOLFSSL_ALLOW_TLSV10
|
#ifdef WOLFSSL_ALLOW_TLSV10
|
||||||
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
|
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
|
||||||
if ((ssl->options.mask & SSL_OP_NO_TLSv1) == 0)
|
if ((ssl->options.mask & SSL_OP_NO_TLSv1) == 0 &&
|
||||||
|
(ssl->options.minDowngrade <= TLSv1_MINOR))
|
||||||
#endif
|
#endif
|
||||||
{
|
{
|
||||||
*cnt += OPAQUE16_LEN;
|
*cnt += OPAQUE16_LEN;
|
||||||
|
|||||||
@ -3450,10 +3450,6 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
|||||||
return VERSION_ERROR;
|
return VERSION_ERROR;
|
||||||
ssl->version.minor = args->pv.minor;
|
ssl->version.minor = args->pv.minor;
|
||||||
}
|
}
|
||||||
if (foundVersion && ssl->options.downgrade &&
|
|
||||||
(args->pv.minor < ssl->options.minDowngrade)) {
|
|
||||||
return VERSION_ERROR;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Advance state and proceed */
|
/* Advance state and proceed */
|
||||||
|
|||||||
@ -38,7 +38,79 @@
|
|||||||
-v d
|
-v d
|
||||||
-r
|
-r
|
||||||
|
|
||||||
# lcient TLSv1.3 downgrade and resume
|
# cient TLSv1.3 downgrade and resume
|
||||||
-v 3
|
-v 3
|
||||||
-r
|
-r
|
||||||
|
|
||||||
|
# server TLSv1.3
|
||||||
|
-v 4
|
||||||
|
-l TLS13-AES128-GCM-SHA256
|
||||||
|
-H exitWithRet
|
||||||
|
|
||||||
|
# client TLSv1.2, should fail
|
||||||
|
-v 3
|
||||||
|
-l ECDHE-RSA-AES256-GCM-SHA384
|
||||||
|
-H exitWithRet
|
||||||
|
|
||||||
|
# server TLSv1.2
|
||||||
|
-v 3
|
||||||
|
-l ECDHE-RSA-AES256-GCM-SHA384
|
||||||
|
-H exitWithRet
|
||||||
|
|
||||||
|
# client TLSv1.3, should fail
|
||||||
|
-v 4
|
||||||
|
-l TLS13-AES128-GCM-SHA256
|
||||||
|
-H exitWithRet
|
||||||
|
|
||||||
|
# server TLSv1.2
|
||||||
|
-v 3
|
||||||
|
-l ECDHE-RSA-AES256-GCM-SHA384
|
||||||
|
-H exitWithRet
|
||||||
|
|
||||||
|
# client
|
||||||
|
# enable downgrade
|
||||||
|
# minimum downgradable TLSv 1.3
|
||||||
|
# expect to be failure
|
||||||
|
-7 4
|
||||||
|
-v d
|
||||||
|
-l TLS13-AES128-GCM-SHA256
|
||||||
|
-H exitWithRet
|
||||||
|
|
||||||
|
# server
|
||||||
|
# enable downgrade
|
||||||
|
# minimum downgradable TLSv 1.3
|
||||||
|
-7 4
|
||||||
|
-v d
|
||||||
|
-l TLS13-AES128-GCM-SHA256
|
||||||
|
|
||||||
|
# client
|
||||||
|
# enable downgrade
|
||||||
|
# minimum downgradable TLSv 1.3
|
||||||
|
-7 4
|
||||||
|
-v d
|
||||||
|
-l TLS13-AES128-GCM-SHA256
|
||||||
|
|
||||||
|
# server
|
||||||
|
# enable downgrade
|
||||||
|
# minimum downgradable TLSv 1.2
|
||||||
|
-7 3
|
||||||
|
-v d
|
||||||
|
-l ECDHE-RSA-AES256-GCM-SHA384
|
||||||
|
|
||||||
|
# client TLSv 1.2
|
||||||
|
-v 3
|
||||||
|
-l ECDHE-RSA-AES256-GCM-SHA384
|
||||||
|
|
||||||
|
# server
|
||||||
|
# enable downgrade
|
||||||
|
# minimum downgradable TLSv 1.3
|
||||||
|
# expect to be failure
|
||||||
|
-7 4
|
||||||
|
-v d
|
||||||
|
-l TLS13-AES128-GCM-SHA256
|
||||||
|
-H exitWithRet
|
||||||
|
|
||||||
|
# client TLSv 1.2
|
||||||
|
-v 3
|
||||||
|
-l ECDHE-RSA-AES256-GCM-SHA384
|
||||||
|
-H exitWithRet
|
||||||
|
|||||||
Reference in New Issue
Block a user