wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-31 19:24:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

Check for TLS downgrade

Browse Source
This commit is contained in:
Tesfa Mael
2021-04-22 14:52:57 -07:00
parent 67277d13cd
commit 0c16ef4b29
4 changed files with 51 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
examples/client/client.c
View File

@@ -19,7 +19,6 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/ */
#ifdef HAVE_CONFIG_H #ifdef HAVE_CONFIG_H
#include <config.h> #include <config.h>
#endif #endif
@@ -1521,6 +1520,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
int ch; int ch;
#endif #endif
int version = CLIENT_INVALID_VERSION; int version = CLIENT_INVALID_VERSION;
int minVersion = CLIENT_INVALID_VERSION;
int setMinVersion = 0;
int usePsk = 0; int usePsk = 0;
int useAnon = 0; int useAnon = 0;
int sendGET = 0; int sendGET = 0;
@@ -1719,7 +1720,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
while ((ch = mygetopt(argc, argv, "?:" while ((ch = mygetopt(argc, argv, "?:"
"ab:c:defgh:i;jk:l:mnop:q:rstu;v:wxyz" "ab:c:defgh:i;jk:l:mnop:q:rstu;v:wxyz"
"A:B:CDE:F:GH:IJKL:M:NO:PQRS:TUVW:XYZ:" "A:B:CDE:F:GH:IJKL:M:NO:PQRS:TUVW:XYZ:"
"01:23:45689" "01:23:4567:89"
"@#")) != -1) { "@#")) != -1) {
switch (ch) { switch (ch) {
case '?' : case '?' :
@@ -2186,7 +2187,14 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
nonBlocking = 1; nonBlocking = 1;
simulateWantWrite = 1; simulateWantWrite = 1;
break; break;
case '7' :
setMinVersion = 1;
minVersion = atoi(myoptarg);
if (minVersion < 0 || minVersion > 4) {
Usage();
XEXIT_T(MY_EX_USAGE);
}
break;
case '8' : case '8' :
#ifdef HAVE_CURVE448 #ifdef HAVE_CURVE448
useX448 = 1; useX448 = 1;
@@ -2466,9 +2474,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
err_sys("unable to get ctx"); err_sys("unable to get ctx");
} }
#endif #endif
if (setMinVersion) {
if (simulateWantWrite) wolfSSL_CTX_SetMinVersion(ctx, minVersion);
{ }
if (simulateWantWrite) {
wolfSSL_CTX_SetIOSend(ctx, SimulateWantWriteIOSendCb); wolfSSL_CTX_SetIOSend(ctx, SimulateWantWriteIOSendCb);
} }

4
src/tls13.c
View File

@@ -3116,6 +3116,10 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ssl->version.minor = pv.minor; ssl->version.minor = pv.minor;
} }
if (foundVersion && ssl->options.downgrade && (pv.minor < ssl->options.minDowngrade)) {
return VERSION_ERROR;
}
/* Parse and handle extensions. */ /* Parse and handle extensions. */
ret = TLSX_Parse(ssl, input + i, totalExtSz, *extMsgType, NULL); ret = TLSX_Parse(ssl, input + i, totalExtSz, *extMsgType, NULL);
if (ret != 0) if (ret != 0)

2
tests/suites.c
View File

@@ -82,6 +82,8 @@ static int GetTlsVersion(const char* line)
if (begin) { if (begin) {
begin += 3; begin += 3;
if (*begin == 'd' || *begin == 'e')
begin += 2;
version = atoi(begin); version = atoi(begin);
} }

30
tests/test-tls-downgrade.conf Normal file
View File

@@ -0,0 +1,30 @@
# server TLSv1.3
-v 4
-l ECDHE-RSA-AES256-GCM-SHA384
-H exitWithRet
# client TLSv1.2, should fail
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-H exitWithRet
# server TLSv1.2
-v 3
-l ECDHE-RSA-AES256-GCM-SHA384
-H exitWithRet
# client TLSv1.3, should fail
-v 4
-l ECDHE-RSA-AES256-GCM-SHA384
-H exitWithRet
# server TLSv1.2
-v d 3
-l ECDHE-RSA-AES256-GCM-SHA384
-H exitWithRet
# client TLSv1.3 with downgrade option, set downgrade to TLSv1.3, should fail
-7 4
-v d 4
-l ECDHE-RSA-AES256-GCM-SHA384
-H exitWithRet