wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 18:57:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5203 from dgarske/zd14289

Browse Source 
Fix the supported version extension to always check minDowngrade
This commit is contained in:
Sean Parkinson
2022-06-03 08:31:36 +10:00
committed by GitHub
parent a6465c2bd0 2dd27c8d4a
commit ee78e63b87
1 changed files with 80 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

142
src/tls.c
View File

@ -5642,43 +5642,56 @@ static int TLSX_SupportedVersions_GetSize(void* data, byte msgType, word16* pSz)
/* TLS v1.2 and TLS v1.3 */ /* TLS v1.2 and TLS v1.3 */
int cnt = 0; int cnt = 0;
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) if ((ssl->options.minDowngrade <= TLSv1_3_MINOR)
if ((ssl->options.mask & SSL_OP_NO_TLSv1_3) == 0 && #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
(ssl->options.minDowngrade <= TLSv1_3_MINOR)) defined(WOLFSSL_WPAS_SMALL)
&& (ssl->options.mask & SSL_OP_NO_TLSv1_3) == 0
#endif #endif
cnt++; ) {
cnt++;
}
if (ssl->options.downgrade) { if (ssl->options.downgrade) {
#ifndef WOLFSSL_NO_TLS12 #ifndef WOLFSSL_NO_TLS12
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) if ((ssl->options.minDowngrade <= TLSv1_2_MINOR)
if ((ssl->options.mask & SSL_OP_NO_TLSv1_2) == 0 && #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
(ssl->options.minDowngrade <= TLSv1_2_MINOR)) defined(WOLFSSL_WPAS_SMALL)
#endif && (ssl->options.mask & SSL_OP_NO_TLSv1_2) == 0
cnt++; #endif
#endif ) {
#ifndef NO_OLD_TLS
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
if ((ssl->options.mask & SSL_OP_NO_TLSv1_1) == 0 &&
(ssl->options.minDowngrade <= TLSv1_1_MINOR))
#endif
cnt++;
#ifdef WOLFSSL_ALLOW_TLSV10
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
if ((ssl->options.mask & SSL_OP_NO_TLSv1) == 0 &&
(ssl->options.minDowngrade <= TLSv1_MINOR))
#endif
cnt++; cnt++;
}
#endif
#ifndef NO_OLD_TLS
if ((ssl->options.minDowngrade <= TLSv1_1_MINOR)
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
defined(WOLFSSL_WPAS_SMALL)
&& (ssl->options.mask & SSL_OP_NO_TLSv1_1) == 0
#endif
) {
cnt++;
}
#ifdef WOLFSSL_ALLOW_TLSV10
if ((ssl->options.minDowngrade <= TLSv1_MINOR)
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
defined(WOLFSSL_WPAS_SMALL)
&& (ssl->options.mask & SSL_OP_NO_TLSv1) == 0
#endif
) {
cnt++;
}
#endif
#endif #endif
#endif
} }
*pSz += (word16)(OPAQUE8_LEN + cnt * OPAQUE16_LEN); *pSz += (word16)(OPAQUE8_LEN + cnt * OPAQUE16_LEN);
} }
else if (msgType == server_hello || msgType == hello_retry_request) else if (msgType == server_hello || msgType == hello_retry_request) {
*pSz += OPAQUE16_LEN; *pSz += OPAQUE16_LEN;
else }
else {
return SANITY_MSG_E; return SANITY_MSG_E;
}
return 0; return 0;
} }
@ -5700,60 +5713,65 @@ static int TLSX_SupportedVersions_Write(void* data, byte* output,
if (msgType == client_hello) { if (msgType == client_hello) {
major = ssl->ctx->method->version.major; major = ssl->ctx->method->version.major;
cnt = output++; cnt = output++;
*cnt = 0; *cnt = 0;
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
if ((ssl->options.mask & SSL_OP_NO_TLSv1_3) == 0 && if ((ssl->options.minDowngrade <= TLSv1_3_MINOR)
(ssl->options.minDowngrade <= TLSv1_3_MINOR)) #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
defined(WOLFSSL_WPAS_SMALL)
&& (ssl->options.mask & SSL_OP_NO_TLSv1_3) == 0
#endif #endif
{ ) {
*cnt += OPAQUE16_LEN; *cnt += OPAQUE16_LEN;
#ifdef WOLFSSL_TLS13_DRAFT #ifdef WOLFSSL_TLS13_DRAFT
/* The TLS draft major number. */ /* The TLS draft major number. */
*(output++) = TLS_DRAFT_MAJOR; *(output++) = TLS_DRAFT_MAJOR;
/* Version of draft supported. */ /* Version of draft supported. */
*(output++) = TLS_DRAFT_MINOR; *(output++) = TLS_DRAFT_MINOR;
#else #else
*(output++) = major; *(output++) = major;
*(output++) = (byte)TLSv1_3_MINOR; *(output++) = (byte)TLSv1_3_MINOR;
#endif #endif
} }
if (ssl->options.downgrade) { if (ssl->options.downgrade) {
#ifndef WOLFSSL_NO_TLS12 #ifndef WOLFSSL_NO_TLS12
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) if ((ssl->options.minDowngrade <= TLSv1_2_MINOR)
if ((ssl->options.mask & SSL_OP_NO_TLSv1_2) == 0 && #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
(ssl->options.minDowngrade <= TLSv1_2_MINOR)) defined(WOLFSSL_WPAS_SMALL)
#endif && (ssl->options.mask & SSL_OP_NO_TLSv1_2) == 0
{ #endif
) {
*cnt += OPAQUE16_LEN; *cnt += OPAQUE16_LEN;
*(output++) = major; *(output++) = major;
*(output++) = (byte)TLSv1_2_MINOR; *(output++) = (byte)TLSv1_2_MINOR;
} }
#endif
#ifndef NO_OLD_TLS
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
if ((ssl->options.mask & SSL_OP_NO_TLSv1_1) == 0 &&
(ssl->options.minDowngrade <= TLSv1_1_MINOR))
#endif #endif
{
#ifndef NO_OLD_TLS
if ((ssl->options.minDowngrade <= TLSv1_1_MINOR)
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
defined(WOLFSSL_WPAS_SMALL)
&& (ssl->options.mask & SSL_OP_NO_TLSv1_1) == 0
#endif
) {
*cnt += OPAQUE16_LEN; *cnt += OPAQUE16_LEN;
*(output++) = major; *(output++) = major;
*(output++) = (byte)TLSv1_1_MINOR; *(output++) = (byte)TLSv1_1_MINOR;
} }
#ifdef WOLFSSL_ALLOW_TLSV10 #ifdef WOLFSSL_ALLOW_TLSV10
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) if ((ssl->options.minDowngrade <= TLSv1_MINOR)
if ((ssl->options.mask & SSL_OP_NO_TLSv1) == 0 && #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
(ssl->options.minDowngrade <= TLSv1_MINOR)) defined(WOLFSSL_WPAS_SMALL)
#endif && (ssl->options.mask & SSL_OP_NO_TLSv1) == 0
{ #endif
) {
*cnt += OPAQUE16_LEN; *cnt += OPAQUE16_LEN;
*(output++) = major; *(output++) = major;
*(output++) = (byte)TLSv1_MINOR; *(output++) = (byte)TLSv1_MINOR;
} }
#endif
#endif #endif
#endif
} }
*pSz += (word16)(OPAQUE8_LEN + *cnt); *pSz += (word16)(OPAQUE8_LEN + *cnt);