Correct alert type for missing supported_versions in HRR and avoid sending duplicate protocol_version alerts.#10811
Open
kareem-wolfssl wants to merge 2 commits into
Open
Correct alert type for missing supported_versions in HRR and avoid sending duplicate protocol_version alerts.#10811kareem-wolfssl wants to merge 2 commits into
kareem-wolfssl wants to merge 2 commits into
Conversation
…ed_versions in HelloRetryRequest for TLS 1.3. Partially fixes wolfSSL#10746.
DoTls13ClientHello was explicitly sending a protocol_version alert, then returning VERSION_ERROR which TranslateErrorToAlert then mapped to protocol_version, causing a duplicate alert to be sent. Remove all protocol_version alerts from DoTls13ClientHello itself and instead return VERSION_ERROR and allow TranslateErrorToAlert to handle sending the alerts. Fixes wolfSSL#10746.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR targets TLS 1.3 client compliance with RFC 8446 when processing HelloRetryRequest (HRR) messages that omit the mandatory supported_versions extension, specifically correcting the alert description and preventing duplicate protocol_version alerts.
Changes:
- Adjusts HRR handling to return an error that maps to the
missing_extensionalert whensupported_versionsis absent. - Removes several direct
SendAlert(... protocol_version ...)calls inDoTls13ServerHello()to avoid sending duplicate fatal alerts in some call paths.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
5453
to
5456
| if (args->pv.major != ssl->version.major || | ||
| args->pv.minor != tls12minor) { | ||
| SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version); | ||
| WOLFSSL_ERROR_VERBOSE(VERSION_ERROR); | ||
| return VERSION_ERROR; |
Comment on lines
5603
to
5608
| if (!ssl->options.downgrade) { | ||
| WOLFSSL_MSG("Server trying to downgrade to version less than " | ||
| "TLS v1.3"); | ||
| SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version); | ||
| WOLFSSL_ERROR_VERBOSE(VERSION_ERROR); | ||
| return VERSION_ERROR; | ||
| } |
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Fixes #10746
Testing
Built in tests + provided reproducer
Checklist