
Commit a490d4f

Merge pull request #7628 from SparkiDev/alert_after_ch
TLS: wrong TLS version in alert after ClientHello
2 parents 5aca239 + d7d8d14 commit a490d4f

2 files changed

Lines changed: 43 additions & 1 deletion


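--- a/src/internal.c
+++ b/src/internal.c
@@ -11449,7 +11449,20 @@ static int GetRecordHeader(WOLFSSL* ssl, word32* inOutIdx,
         }
     }
 #endif /* WOLFSSL_DTLS13 */
-    else {
+    /* Don't care about protocol version being lower than expected on alerts
+     * sent back before version negotitation. */
+    else if (!(ssl->options.side == WOLFSSL_CLIENT_END &&
+               ssl->options.connectState == CLIENT_HELLO_SENT &&
+               rh->type == alert &&
+               rh->pvMajor == ssl->version.major &&
+#ifdef WOLFSSL_DTLS
+               ((ssl->options.dtls && rh->pvMinor == DTLS_MINOR) ||
+                (!ssl->options.dtls &&
+                 rh->pvMinor < ssl->version.minor))
+#else
+               rh->pvMinor < ssl->version.minor
+#endif
+               )) {
         WOLFSSL_MSG("SSL version error");
         WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
         return VERSION_ERROR; /* only use requested version */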
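Review bot: The comment above the new `else if` has a typo ("negotitation") and does not explain why the DTLS arm tests `rh->pvMinor == DTLS_MINOR` while the TLS arm tests `rh->pvMinor < ssl->version.minor`; a reader comparing the two arms will wonder whether one of them is wrong. DTLS minor versions appear to count downwards, so the equality on DTLS_MINOR is the DTLS counterpart of "lower than expected" and the comment should say so: `/* Don't care about protocol version being lower than expected on alerts sent back before version negotiation. DTLS minor versions count down, so "lower" there means DTLS_MINOR. */`. It is also worth stating in the comment that the exemption is deliberately narrow: only a client at CLIENT_HELLO_SENT, only alert records, and only a same-major version, so any other record with a lower version still returns VERSION_ERROR. GetRecordHeader starts and ends outside this hunk, so the other branches of the version check are not visible here.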

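--- a/tests/api.c
+++ b/tests/api.c
@@ -72168,6 +72168,34 @@ static int test_dtls_no_extensions(void)
     return EXPECT_RESULT();
 }
 
+static int test_tls_alert_no_server_hello(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && !defined(WOLFSSL_NO_TLS12)
+    WOLFSSL *ssl_c = NULL;
+    WOLFSSL_CTX *ctx_c = NULL;
+    struct test_memio_ctx test_ctx;
+    unsigned char alert_msg[] = { 0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28 };
+
+    XMEMSET(&test_ctx, 0, sizeof(test_ctx));
+    ssl_c = NULL;
+    ctx_c = NULL;
+
+    ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, NULL, &ssl_c, NULL,
+        wolfTLSv1_2_client_method, NULL), 0);
+
+    XMEMCPY(test_ctx.c_buff, alert_msg, sizeof(alert_msg));
+    test_ctx.c_len = sizeof(alert_msg);
+
+    ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
+    ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), FATAL_ERROR);
+
+    wolfSSL_free(ssl_c);
+    wolfSSL_CTX_free(ctx_c);
+#endif
+    return EXPECT_RESULT();
+}
+
 static int test_TLSX_CA_NAMES_bad_extension(void)
 {
     EXPECT_DECLS;
@@ -75755,6 +75783,7 @@ TEST_CASE testCases[] = {
     TEST_DECL(test_dtls_ipv6_check),
     TEST_DECL(test_wolfSSL_SCR_after_resumption),
     TEST_DECL(test_dtls_no_extensions),
+    TEST_DECL(test_tls_alert_no_server_hello),
     TEST_DECL(test_TLSX_CA_NAMES_bad_extension),
     TEST_DECL(test_dtls_1_0_hvr_downgrade),
     TEST_DECL(test_session_ticket_no_id),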
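Review bot: The bytes in `alert_msg` in test_tls_alert_no_server_hello are undocumented, so a reader has to decode the record by hand to see what the test exercises; suggest `/* Alert record with record-layer version 3.1 (TLS 1.0), below the client's TLS 1.2: length 2, level fatal (2), description handshake_failure (40) */`. The last ExpectIntEQ is the assertion that actually pins the fix, since before this change the record-header version check would have produced VERSION_ERROR instead of the alert's FATAL_ERROR, and a one-line comment saying so would make the test's intent clear. Only the TLS arm of the new condition in GetRecordHeader is covered here; the DTLS arm and the negative case (a non-alert record carrying the same lower version must still be rejected) are not exercised, and the latter is the one that guards against the exemption being too broad. The `ssl_c = NULL;` and `ctx_c = NULL;` lines after the XMEMSET repeat the initializers on the declarations and could be dropped.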
