Merge pull request #7628 from SparkiDev/alert_after_ch

TLS: wrong TLS version in alert after ClientHello
wolfSSL · Jul 2, 2024 · a490d4f · a490d4f
2 parents 5aca239 + d7d8d14
commit a490d4f
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 1 deletion.
diff --git a/src/internal.c b/src/internal.c
@@ -11449,7 +11449,20 @@ static int GetRecordHeader(WOLFSSL* ssl, word32* inOutIdx,
  }
  }
 #endif /* WOLFSSL_DTLS13 */
- else {
+ /* Don't care about protocol version being lower than expected on alerts
+ * sent back before version negotitation. */
+ else if (!(ssl->options.side == WOLFSSL_CLIENT_END &&
+ ssl->options.connectState == CLIENT_HELLO_SENT &&
+ rh->type == alert &&
+ rh->pvMajor == ssl->version.major &&
+ #ifdef WOLFSSL_DTLS
+ ((ssl->options.dtls && rh->pvMinor == DTLS_MINOR) ||
+ (!ssl->options.dtls &&
+ rh->pvMinor < ssl->version.minor))
+ #else
+ rh->pvMinor < ssl->version.minor
+ #endif
+ )) {
  WOLFSSL_MSG("SSL version error");
  WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
  return VERSION_ERROR; /* only use requested version */

diff --git a/tests/api.c b/tests/api.c
@@ -72168,6 +72168,34 @@ static int test_dtls_no_extensions(void)
  return EXPECT_RESULT();
 }
 
+static int test_tls_alert_no_server_hello(void)
+{
+ EXPECT_DECLS;
+#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && !defined(WOLFSSL_NO_TLS12)
+ WOLFSSL *ssl_c = NULL;
+ WOLFSSL_CTX *ctx_c = NULL;
+ struct test_memio_ctx test_ctx;
+ unsigned char alert_msg[] = { 0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28 };
+
+ XMEMSET(&test_ctx, 0, sizeof(test_ctx));
+ ssl_c = NULL;
+ ctx_c = NULL;
+
+ ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, NULL, &ssl_c, NULL,
+ wolfTLSv1_2_client_method, NULL), 0);
+
+ XMEMCPY(test_ctx.c_buff, alert_msg, sizeof(alert_msg));
+ test_ctx.c_len = sizeof(alert_msg);
+
+ ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
+ ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), FATAL_ERROR);
+
+ wolfSSL_free(ssl_c);
+ wolfSSL_CTX_free(ctx_c);
+#endif
+ return EXPECT_RESULT();
+}
+
 static int test_TLSX_CA_NAMES_bad_extension(void)
 {
  EXPECT_DECLS;
@@ -75755,6 +75783,7 @@ TEST_CASE testCases[] = {
  TEST_DECL(test_dtls_ipv6_check),
  TEST_DECL(test_wolfSSL_SCR_after_resumption),
  TEST_DECL(test_dtls_no_extensions),
+ TEST_DECL(test_tls_alert_no_server_hello),
  TEST_DECL(test_TLSX_CA_NAMES_bad_extension),
  TEST_DECL(test_dtls_1_0_hvr_downgrade),
  TEST_DECL(test_session_ticket_no_id),