From d35a3f1e690684ed501979f43392b8d01492e2dc Mon Sep 17 00:00:00 2001 From: Sean Parkinson Date: Thu, 8 Mar 2018 09:00:36 +1000 Subject: [PATCH] Fixes from code review If doing TLS v1.3 and version on ServerHello is below TLS v1.2 then handle message with old code. If doing TLS v1.3, downgrading and version ClientHello is less than minimum downgrade then this is a version error. --- src/tls.c | 10 ++++------ src/tls13.c | 8 ++++++++ 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/src/tls.c b/src/tls.c index f30261d19..05a83577e 100644 --- a/src/tls.c +++ b/src/tls.c @@ -4641,10 +4641,9 @@ static int TLSX_SupportedVersions_Parse(WOLFSSL *ssl, byte* input, if (!ssl->options.downgrade) continue; -#ifdef NO_OLD_TLS - if (minor < TLSv1_2_MINOR) + if (minor < ssl->options.minDowngrade) continue; -#endif + /* Downgrade the version. */ ssl->version.minor = minor; } @@ -4695,10 +4694,9 @@ static int TLSX_SupportedVersions_Parse(WOLFSSL *ssl, byte* input, if (!ssl->options.downgrade) return VERSION_ERROR; -#ifdef NO_OLD_TLS - if (minor < TLSv1_2_MINOR) + if (minor < ssl->options.minDowngrade) return VERSION_ERROR; -#endif + /* Downgrade the version. */ ssl->version.minor = minor; } diff --git a/src/tls13.c b/src/tls13.c index d21b23d70..35c3ed481 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -2643,6 +2643,11 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, return VERSION_ERROR; } #else + if (pv.major == ssl->version.major && pv.minor < TLSv1_2_MINOR && + ssl->options.downgrade) { + ssl->version = pv; + return DoServerHello(ssl, input, inOutIdx, helloSz); + } if (pv.major != ssl->version.major || pv.minor != TLSv1_2_MINOR) return VERSION_ERROR; #endif @@ -3626,6 +3631,9 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, "TLS v1.3"); return VERSION_ERROR; } + + if (pv.minor < ssl->options.minDowngrade) + return VERSION_ERROR; ssl->version.minor = pv.minor; }