Skip to content

Correct alert type for missing supported_versions in HRR and avoid sending duplicate protocol_version alerts. #10811

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
kareem-wolfssl wants to merge 2 commits into
base: master
Choose a base branch
from
+17 −6
Open

Correct alert type for missing supported_versions in HRR and avoid sending duplicate protocol_version alerts. #10811

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e68904e
Send missing_extension alert when the server does not include support…
kareem-wolfssl Jun 29, 2026
4252dfa
Avoid sending duplicate protocol_version alert in DoTls13ClientHello.
kareem-wolfssl Jun 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 17 additions & 6 deletions src/tls13.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5452,7 +5452,6 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,

if (args->pv.major != ssl->version.major ||
args->pv.minor != tls12minor) {
SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
return VERSION_ERROR;
Comment on lines 5453 to 5456
}
Expand Down Expand Up @@ -5557,14 +5556,14 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#endif
ssl->options.haveEMS = 0;
if (args->pv.minor < ssl->options.minDowngrade) {
SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
return VERSION_ERROR;
}
#ifndef WOLFSSL_NO_TLS12
ssl->options.tls1_3 = 0;
return DoServerHello(ssl, input, inOutIdx, helloSz);
#else
SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
return VERSION_ERROR;
#endif
}
Expand All @@ -5586,10 +5585,24 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
return ret;
}
if (!foundVersion) {
/* RFC 8446 4.1.4: "The server's extensions MUST contain
* 'supported_versions'." (also 9.2: "supported_versions" is
* REQUIRED for all ... HelloRetryRequest messages). The HRR random
* unambiguously identifies a TLS 1.3 server, so its absence is not
* a downgrade attempt but a missing mandatory extension, which per
* the "missing_extension" alert definition must be reported as
* such. Return INCOMPLETE_DATA (which maps to a missing_extension
* alert) and let the caller emit the alert via
* TranslateErrorToAlert(). */
if (*extMsgType == hello_retry_request) {
WOLFSSL_MSG("HelloRetryRequest missing supported_versions "
"extension");
WOLFSSL_ERROR_VERBOSE(INCOMPLETE_DATA);
return INCOMPLETE_DATA;
}
if (!ssl->options.downgrade) {
WOLFSSL_MSG("Server trying to downgrade to version less than "
"TLS v1.3");
SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
return VERSION_ERROR;
}
Comment on lines 5603 to 5608
Expand All @@ -5608,14 +5621,12 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,

if (!ssl->options.dtls &&
args->pv.minor < ssl->options.minDowngrade) {
SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
return VERSION_ERROR;
}

if (ssl->options.dtls &&
args->pv.minor > ssl->options.minDowngrade) {
SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
return VERSION_ERROR;
}
Expand Down
Loading