Juliusz Sosinowicz 130f683d8c Validate minDowngrade in wolfSSL_SetSession before reusing version
When resuming a session wolfSSL_SetSession unconditionally
overwrote ssl->version with the version stored in the cached
session, even if that version was below the WOLFSSL object's
configured minDowngrade. The overwritten version then fed straight
into SendClientHello, so a client configured to require TLS 1.2 or
higher could still emit a ClientHello advertising, e.g., TLS 1.0
when resuming an old cached session. The ServerHello path catches
the actual downgrade, but the ClientHello version is already a
protocol-conformance issue and can confuse middleboxes.

Reject the session if its stored minor version is below
ssl->options.minDowngrade. The check is DTLS-aware: DTLS minor
versions decrease as the protocol version increases, so the
direction of the comparison is flipped for DTLS.

F-2105
2026-05-14 14:07:53 +02:00


/* test_dtls.h
*
* Copyright (C) 2006-2026 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#ifndef TESTS_API_DTLS_H
#define TESTS_API_DTLS_H
/* Prototypes for the DTLS API tests. Each test is implemented elsewhere in
 * the test suite and returns an int; the meaning of the return value follows
 * the test framework's result convention, which is not defined in this
 * header. */
int test_dtls12_basic_connection_id(void);
int test_dtls13_basic_connection_id(void);
int test_dtls13_hrr_want_write(void);
int test_dtls13_every_write_want_write(void);
int test_wolfSSL_dtls_cid_parse(void);
int test_wolfSSL_dtls_set_pending_peer(void);
int test_dtls13_epochs(void);
int test_dtls13_ack_order(void);
int test_dtls13_ack_overflow(void);
int test_dtls13_ack_dup_write_counter(void);
int test_dtls_version_checking(void);
int test_dtls_short_ciphertext(void);
int test_dtls12_record_length_mismatch(void);
int test_dtls12_short_read(void);
int test_dtls13_longer_length(void);
int test_dtls13_short_read(void);
int test_records_span_network_boundaries(void);
int test_dtls_record_cross_boundaries(void);
int test_dtls_rtx_across_epoch_change(void);
int test_dtls13_ch2_rtx_no_ch1(void);
int test_dtls13_frag_ch2_with_ch1_rtx(void);
int test_dtls_drop_client_ack(void);
int test_dtls_bogus_finished_epoch_zero(void);
int test_dtls_replay(void);
int test_dtls_srtp(void);
int test_dtls_timeout(void);
int test_dtls_certreq_order(void);
int test_dtls_memio_wolfio(void);
int test_dtls_memio_wolfio_stateless(void);
int test_dtls_mtu_fragment_headroom(void);
int test_dtls_mtu_split_messages(void);
int test_dtls13_min_rtx_interval(void);
int test_dtls13_no_session_id_echo(void);
int test_dtls13_oversized_cert_chain(void);
/* Added together with the minDowngrade check in wolfSSL_SetSession (see the
 * commit message): resuming a cached session whose stored protocol version
 * is below ssl->options.minDowngrade must be rejected rather than letting
 * that version reach the ClientHello. For DTLS the comparison direction is
 * flipped because DTLS minor versions decrease as the protocol version
 * increases. */
int test_dtls_set_session_min_downgrade(void);
/* Registration list for the "dtls" test group. TEST_DECL_GROUP is defined
 * outside this header. The entries are not in the same order as the
 * prototypes above (test_dtls_memio_wolfio_stateless is listed after the
 * MTU tests); presumably this macro order, not the prototype order, is the
 * order the test runner sees -- verify against the framework before relying
 * on it. Keep comments out of the backslash-continued body below: a
 * trailing '\' on a '//' comment line would splice the next entry into the
 * comment. */
#define TEST_DTLS_DECLS \
TEST_DECL_GROUP("dtls", test_dtls12_basic_connection_id), \
TEST_DECL_GROUP("dtls", test_dtls13_basic_connection_id), \
TEST_DECL_GROUP("dtls", test_dtls13_hrr_want_write), \
TEST_DECL_GROUP("dtls", test_dtls13_every_write_want_write), \
TEST_DECL_GROUP("dtls", test_wolfSSL_dtls_cid_parse), \
TEST_DECL_GROUP("dtls", test_wolfSSL_dtls_set_pending_peer), \
TEST_DECL_GROUP("dtls", test_dtls13_epochs), \
TEST_DECL_GROUP("dtls", test_dtls13_ack_order), \
TEST_DECL_GROUP("dtls", test_dtls13_ack_overflow), \
TEST_DECL_GROUP("dtls", test_dtls13_ack_dup_write_counter), \
TEST_DECL_GROUP("dtls", test_dtls_version_checking), \
TEST_DECL_GROUP("dtls", test_dtls_short_ciphertext), \
TEST_DECL_GROUP("dtls", test_dtls12_record_length_mismatch), \
TEST_DECL_GROUP("dtls", test_dtls12_short_read), \
TEST_DECL_GROUP("dtls", test_dtls13_longer_length), \
TEST_DECL_GROUP("dtls", test_dtls13_short_read), \
TEST_DECL_GROUP("dtls", test_records_span_network_boundaries), \
TEST_DECL_GROUP("dtls", test_dtls_record_cross_boundaries), \
TEST_DECL_GROUP("dtls", test_dtls_rtx_across_epoch_change), \
TEST_DECL_GROUP("dtls", test_dtls13_ch2_rtx_no_ch1), \
TEST_DECL_GROUP("dtls", test_dtls13_frag_ch2_with_ch1_rtx), \
TEST_DECL_GROUP("dtls", test_dtls_drop_client_ack), \
TEST_DECL_GROUP("dtls", test_dtls_bogus_finished_epoch_zero), \
TEST_DECL_GROUP("dtls", test_dtls_replay), \
TEST_DECL_GROUP("dtls", test_dtls_srtp), \
TEST_DECL_GROUP("dtls", test_dtls_certreq_order), \
TEST_DECL_GROUP("dtls", test_dtls_timeout), \
TEST_DECL_GROUP("dtls", test_dtls_memio_wolfio), \
TEST_DECL_GROUP("dtls", test_dtls_mtu_fragment_headroom), \
TEST_DECL_GROUP("dtls", test_dtls_mtu_split_messages), \
TEST_DECL_GROUP("dtls", test_dtls_memio_wolfio_stateless), \
TEST_DECL_GROUP("dtls", test_dtls13_min_rtx_interval), \
TEST_DECL_GROUP("dtls", test_dtls13_no_session_id_echo), \
TEST_DECL_GROUP("dtls", test_dtls13_oversized_cert_chain), \
TEST_DECL_GROUP("dtls", test_dtls_set_session_min_downgrade)
#endif /* TESTS_API_DTLS_H */