Home Explore Help
Register Sign In
OWEALs
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
2
0
Fork 0
Files Issues 8 Wiki
Browse Source

Check for TLS downgrade

Tesfa Mael 3 years ago
parent
67277d13cd
commit
0c16ef4b29
4 changed files with 51 additions and 6 deletions
Split View Show Diff Stats
  1. 15 6
      examples/client/client.c
  2. 4 0
      src/tls13.c
  3. 2 0
      tests/suites.c
  4. 30 0
      tests/test-tls-downgrade.conf

+ 15 - 6
examples/client/client.c
View File 

@@ -19,7 +19,6 @@
 
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
 
  */
 
 
-
 
 #ifdef HAVE_CONFIG_H
 
         #include <config.h>
 
 #endif
 
@@ -1521,6 +1520,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 
     int    ch;
 
 #endif
 
     int    version = CLIENT_INVALID_VERSION;
 
+    int    minVersion = CLIENT_INVALID_VERSION;
 
+    int    setMinVersion = 0;
 
     int    usePsk   = 0;
 
     int    useAnon  = 0;
 
     int    sendGET  = 0;
 
@@ -1719,7 +1720,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 
     while ((ch = mygetopt(argc, argv, "?:"
 
             "ab:c:defgh:i;jk:l:mnop:q:rstu;v:wxyz"
 
             "A:B:CDE:F:GH:IJKL:M:NO:PQRS:TUVW:XYZ:"
 
-            "01:23:45689"
 
+            "01:23:4567:89"
 
             "@#")) != -1) {
 
         switch (ch) {
 
             case '?' :
 
@@ -2186,7 +2187,14 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 
                 nonBlocking = 1;
 
                 simulateWantWrite = 1;
 
                 break;
 
-
 
+            case '7' :
 
+                setMinVersion = 1;
 
+                minVersion = atoi(myoptarg);
 
+                if (minVersion < 0 || minVersion > 4) {
 
+                    Usage();
 
+                    XEXIT_T(MY_EX_USAGE);
 
+                }
 
+                break;
 
             case '8' :
 
                 #ifdef HAVE_CURVE448
 
                     useX448 = 1;
 
@@ -2466,9 +2474,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 
             err_sys("unable to get ctx");
 
     }
 
 #endif
 
-
 
-    if (simulateWantWrite)
 
-    {
 
+    if (setMinVersion) {
 
+        wolfSSL_CTX_SetMinVersion(ctx, minVersion);
 
+    }
 
+    if (simulateWantWrite) {
 
         wolfSSL_CTX_SetIOSend(ctx, SimulateWantWriteIOSendCb);
 
     }

+ 4 - 0
src/tls13.c
View File 

@@ -3116,6 +3116,10 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 
             ssl->version.minor = pv.minor;
 
         }
 
 
+        if (foundVersion && ssl->options.downgrade && (pv.minor < ssl->options.minDowngrade)) {
 
+            return VERSION_ERROR;
 
+        }
 
+
 
         /* Parse and handle extensions. */
 
         ret = TLSX_Parse(ssl, input + i, totalExtSz, *extMsgType, NULL);
 
         if (ret != 0)

+ 2 - 0
tests/suites.c
View File 

@@ -82,6 +82,8 @@ static int GetTlsVersion(const char* line)
 
 
     if (begin) {
 
         begin += 3;
 
+        if (*begin == 'd' || *begin == 'e')
 
+            begin += 2;
 
 
         version = atoi(begin);
 
     }

+ 30 - 0
tests/test-tls-downgrade.conf
View File 

@@ -0,0 +1,30 @@
 
+# server TLSv1.3
 
+-v 4
 
+-l ECDHE-RSA-AES256-GCM-SHA384
 
+-H exitWithRet
 
+
 
+# client TLSv1.2, should fail
 
+-v 3
 
+-l ECDHE-RSA-AES256-GCM-SHA384
 
+-H exitWithRet
 
+
 
+# server TLSv1.2 
+-v 3
 
+-l ECDHE-RSA-AES256-GCM-SHA384
 
+-H exitWithRet
 
+
 
+# client TLSv1.3, should fail
 
+-v 4
 
+-l ECDHE-RSA-AES256-GCM-SHA384
 
+-H exitWithRet
 
+
 
+# server TLSv1.2 
+-v d 3
 
+-l ECDHE-RSA-AES256-GCM-SHA384
 
+-H exitWithRet
 
+
 
+# client TLSv1.3 with downgrade option, set downgrade to TLSv1.3, should fail
 
+-7 4
 
+-v d 4
 
+-l ECDHE-RSA-AES256-GCM-SHA384
 
+-H exitWithRet