130f683d8c
When resuming a session, wolfSSL_SetSession unconditionally overwrote ssl->version with the version stored in the cached session, even if that version was below the WOLFSSL object's configured minDowngrade. The overwritten version then fed straight into SendClientHello, so a client configured to require TLS 1.2 or higher could still emit a ClientHello advertising e.g. TLS 1.0 when resuming an old cached session. The ServerHello path catches the actual downgrade, but the ClientHello version is already a protocol-conformance issue and can confuse middleboxes. Reject the session if its stored minor version is below ssl->options.minDowngrade. The check is DTLS-aware: DTLS minor versions decrease as the protocol version increases, so the direction of the comparison is flipped for DTLS. F-2105
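/* test_tls.h
 *
 * Copyright (C) 2006-2026 wolfSSL Inc.
 *
 * This file is part of wolfSSL.
 *
 * wolfSSL is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * wolfSSL is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 */

#ifndef TESTS_API_TEST_TLS_H
#define TESTS_API_TEST_TLS_H

/* TLS API test entry points.
 *
 * Every test takes no arguments and returns int. How the return value is
 * interpreted is decided by the test framework, which is not part of this
 * header. The test bodies live outside this header. */
int test_utils_memio_move_message(void);
int test_tls12_unexpected_ccs(void);
int test_tls13_unexpected_ccs(void);
int test_tls12_curve_intersection(void);
int test_tls12_dhe_rsa_pss_sigalg(void);
int test_tls13_curve_intersection(void);
int test_tls_certreq_order(void);
int test_tls12_bad_cv_sig_alg(void);
int test_tls12_no_null_compression(void);
int test_tls12_etm_failed_resumption(void);
/* Session resumption versus the configured version floor:
 * wolfSSL_SetSession is expected to reject a cached session whose stored
 * minor version is below ssl->options.minDowngrade, so that a resumed
 * ClientHello cannot advertise a version below the configured minimum.
 * For DTLS the comparison direction is flipped, because DTLS minor versions
 * decrease as the protocol version increases.
 * NOTE(review): the test body is not visible here; confirm that it covers
 * both the TLS and the DTLS direction. */
int test_tls_set_session_min_downgrade(void);
int test_tls_set_curves_list_ecc_fallback(void);
int test_tls12_corrupted_finished(void);
int test_tls12_peerauth_failsafe(void);

/* One TEST_DECL_GROUP entry per test declared above, all under the "tls"
 * group label, as a comma-separated list with no trailing comma.
 * TEST_DECL_GROUP itself is defined outside this header.
 * NOTE(review): presumably a test that is declared above but missing from
 * this list is never run, which would silently drop a security regression
 * test from the suite; confirm how the test driver consumes this list and
 * keep the two lists in step. */
#define TEST_TLS_DECLS                                              \
    TEST_DECL_GROUP("tls", test_utils_memio_move_message),          \
    TEST_DECL_GROUP("tls", test_tls12_unexpected_ccs),              \
    TEST_DECL_GROUP("tls", test_tls13_unexpected_ccs),              \
    TEST_DECL_GROUP("tls", test_tls12_curve_intersection),          \
    TEST_DECL_GROUP("tls", test_tls12_dhe_rsa_pss_sigalg),          \
    TEST_DECL_GROUP("tls", test_tls13_curve_intersection),          \
    TEST_DECL_GROUP("tls", test_tls_certreq_order),                 \
    TEST_DECL_GROUP("tls", test_tls12_bad_cv_sig_alg),              \
    TEST_DECL_GROUP("tls", test_tls12_no_null_compression),         \
    TEST_DECL_GROUP("tls", test_tls12_etm_failed_resumption),       \
    TEST_DECL_GROUP("tls", test_tls_set_session_min_downgrade),     \
    TEST_DECL_GROUP("tls", test_tls_set_curves_list_ecc_fallback),  \
    TEST_DECL_GROUP("tls", test_tls12_corrupted_finished),          \
    TEST_DECL_GROUP("tls", test_tls12_peerauth_failsafe)

#endif /* TESTS_API_TEST_TLS_H */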