wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-02 12:14:38 +02:00
Code Issues Packages Projects Releases Wiki Activity

Implement TLS v1.3 specified downgrade protection mechanism

Browse Source 
TLS v1.2 implementations whould implement the downgrade protection
mechanism too and so is included.
This commit is contained in:
Sean Parkinson
2017-06-02 14:05:47 +10:00
parent 38c6d2e3eb
commit 642795db1b
3 changed files with 58 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
examples/client/client.c
View File

@@ -1520,12 +1520,14 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
if (!helloRetry) { if (!helloRetry) {
if (onlyKeyShare == 0 || onlyKeyShare == 2) { if (onlyKeyShare == 0 || onlyKeyShare == 2) {
#ifdef HAVE_CURVE25519
if (useX25519) { if (useX25519) {
if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519) if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519)
!= SSL_SUCCESS) { != SSL_SUCCESS) {
err_sys("unable to use curve secp256r1"); err_sys("unable to use curve secp256r1");
} }
} }
#endif
if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_SECP256R1) if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_SECP256R1)
!= SSL_SUCCESS) { != SSL_SUCCESS) {
err_sys("unable to use curve secp256r1"); err_sys("unable to use curve secp256r1");
@@ -1951,11 +1953,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#endif #endif
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
#ifdef HAVE_CURVE25519
if (useX25519) { if (useX25519) {
if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519) != SSL_SUCCESS) { if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ECC_X25519) != SSL_SUCCESS) {
err_sys("unable to use curve secp256r1"); err_sys("unable to use curve secp256r1");
} }
} }
#endif
if (wolfSSL_UseKeyShare(sslResume, if (wolfSSL_UseKeyShare(sslResume,
WOLFSSL_ECC_SECP256R1) != SSL_SUCCESS) { WOLFSSL_ECC_SECP256R1) != SSL_SUCCESS) {
err_sys("unable to use curve secp256r1"); err_sys("unable to use curve secp256r1");

52
src/internal.c
View File

@@ -143,6 +143,12 @@ enum cipherState {
CIPHER_STATE_END, CIPHER_STATE_END,
}; };
/* Server random bytes for TLS v1.3 described downgrade protection mechanism. */
static const byte tls13Downgrade[7] = {
0x44, 0x4f, 0x47, 0x4e, 0x47, 0x52, 0x44
};
#define TLS13_DOWNGRADE_SZ sizeof(tls13Downgrade)
#ifndef NO_OLD_TLS #ifndef NO_OLD_TLS
static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz,
@@ -15741,6 +15747,33 @@ void PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo,
XMEMCPY(ssl->arrays->serverRandom, input + i, RAN_LEN); XMEMCPY(ssl->arrays->serverRandom, input + i, RAN_LEN);
i += RAN_LEN; i += RAN_LEN;
#ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->ctx->method->version)) {
/* TLS v1.3 capable client not allowed to downgrade when connecting
* to TLS v1.3 capable server.
*/
if (XMEMCMP(input + i - (TLS13_DOWNGRADE_SZ + 1),
tls13Downgrade, TLS13_DOWNGRADE_SZ) == 0 &&
(*(input + i - 1) == 0 || *(input + i - 1) == 1)) {
SendAlert(ssl, alert_fatal, illegal_parameter);
return VERSION_ERROR;
}
}
else
#endif
if (ssl->ctx->method->version.major == SSLv3_MAJOR &&
ssl->ctx->method->version.minor == TLSv1_2_MINOR) {
/* TLS v1.2 capable client not allowed to downgrade when connecting
* to TLS v1.2 capable server.
*/
if (XMEMCMP(input + i - (TLS13_DOWNGRADE_SZ + 1),
tls13Downgrade, TLS13_DOWNGRADE_SZ) == 0 &&
*(input + i - 1) == 0) {
SendAlert(ssl, alert_fatal, illegal_parameter);
return VERSION_ERROR;
}
}
/* session id */ /* session id */
ssl->arrays->sessionIDSz = input[i++]; ssl->arrays->sessionIDSz = input[i++];
@@ -19049,7 +19082,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#endif /* NO_WOLFSSL_CLIENT */ #endif /* NO_WOLFSSL_CLIENT */
#ifndef NO_WOLFSSL_SERVER #ifndef NO_WOLFSSL_SERVER
int SendServerHello(WOLFSSL* ssl) int SendServerHello(WOLFSSL* ssl)
@@ -19138,6 +19170,24 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
if (ret != 0) if (ret != 0)
return ret; return ret;
#ifdef WOLFSSL_TLS13
if (IsAtLeastTLSv1_3(ssl->ctx->method->version)) {
/* TLS v1.3 capable server downgraded. */
XMEMCPY(output + idx + RAN_LEN - (TLS13_DOWNGRADE_SZ + 1),
tls13Downgrade, TLS13_DOWNGRADE_SZ);
output[idx + RAN_LEN - 1] = IsAtLeastTLSv1_2(ssl);
}
else
#endif
if (ssl->ctx->method->version.major == SSLv3_MAJOR &&
ssl->ctx->method->version.minor == TLSv1_2_MINOR &&
!IsAtLeastTLSv1_2(ssl)) {
/* TLS v1.2 capable server downgraded. */
XMEMCPY(output + idx + RAN_LEN - (TLS13_DOWNGRADE_SZ + 1),
tls13Downgrade, TLS13_DOWNGRADE_SZ);
output[idx + RAN_LEN - 1] = 0;
}
/* store info in SSL for later */ /* store info in SSL for later */
XMEMCPY(ssl->arrays->serverRandom, output + idx, RAN_LEN); XMEMCPY(ssl->arrays->serverRandom, output + idx, RAN_LEN);
idx += RAN_LEN; idx += RAN_LEN;

2
src/tls13.c
View File

@@ -2027,7 +2027,6 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
/* Server random - keep for debugging. */ /* Server random - keep for debugging. */
XMEMCPY(ssl->arrays->serverRandom, input + i, RAN_LEN); XMEMCPY(ssl->arrays->serverRandom, input + i, RAN_LEN);
i += RAN_LEN; i += RAN_LEN;
/* TODO: [TLS13] Check last 8 bytes. */
/* Set the cipher suite from the message. */ /* Set the cipher suite from the message. */
ssl->options.cipherSuite0 = input[i++]; ssl->options.cipherSuite0 = input[i++];
@@ -2671,7 +2670,6 @@ int SendTls13ServerHello(WOLFSSL* ssl)
output[idx++] = TLS_DRAFT_MAJOR; output[idx++] = TLS_DRAFT_MAJOR;
output[idx++] = TLS_DRAFT_MINOR; output[idx++] = TLS_DRAFT_MINOR;
/* TODO: [TLS13] Last 8 bytes have special meaning. */
/* Generate server random. */ /* Generate server random. */
ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN); ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN);
if (ret != 0) if (ret != 0)