From dee74e98dd93d1e0eefd0e1ca14f4dd12ed6a568 Mon Sep 17 00:00:00 2001
From: Sean Parkinson
Date: Fri, 2 Mar 2018 09:56:03 +1000
Subject: [PATCH 1/4] Fix downgrading when WOLFSSL_TLS13 is defined (despite NO_OLD_TLS being defined)
---
 src/tls.c | 4 ++--
 src/tls13.c | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/tls.c b/src/tls.c
index c6bf6cdc2..f30261d19 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -9008,7 +9008,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
 InitSSL_Method(method, MakeTLSv1_1());
 #endif
 #endif
-#ifndef NO_OLD_TLS
+#if !defined(NO_OLD_TLS) || defined(WOLFSSL_TLS13)
 method->downgrade = 1;
 #endif
 }
@@ -9132,7 +9132,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
 #error Must have SHA256, SHA384 or SHA512 enabled for TLS 1.2
 #endif
 #endif
-#ifndef NO_OLD_TLS
+#if !defined(NO_OLD_TLS) || defined(WOLFSSL_TLS13)
 method->downgrade = 1;
 #endif
 method->side = WOLFSSL_SERVER_END;
diff --git a/src/tls13.c b/src/tls13.c
index 0b80cd5f9..d21b23d70 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -3622,7 +3622,8 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 if (TLSX_Find(ssl->extensions, TLSX_SUPPORTED_VERSIONS) == NULL) {
 if (!ssl->options.downgrade) {
- WOLFSSL_MSG("Client trying to connect with lesser version");
+ WOLFSSL_MSG("Client trying to connect with lesser version than "
+ "TLS v1.3");
 return VERSION_ERROR;
 }
 ssl->version.minor = pv.minor;
From 317c890961797c0d6d798819bf5f0bc9aa42469d Mon Sep 17 00:00:00 2001
From: Sean Parkinson
Date: Mon, 5 Mar 2018 10:01:40 +1000
Subject: [PATCH 2/4] Fix minimum downgrade when NO_OLD_TLS is defined
---
 wolfssl/internal.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index c057557ba..4e3bc0d80 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
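Review bot: The widened guard `#if !defined(NO_OLD_TLS) || defined(WOLFSSL_TLS13)` in the `@@ -9008,7 +9008,7` hunk of src/tls.c (patch 1/4) carries no comment explaining why a NO_OLD_TLS build should still set `method->downgrade = 1`, and the `@@ -9132,7 +9132,7` hunk has the same gap. As of this commit nothing visible raises the downgrade floor for such a build, so what the flag permits depends on WOLFSSL_MIN_DOWNGRADE, which only patch 2/4 adjusts. I would add above each guard `/* TLS 1.3 builds may fall back to TLS 1.2 even when older versions are compiled out */`. The functions that contain these lines start and end outside both hunks.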
@@ -1261,7 +1261,11 @@ enum Misc {
 /* minimum Downgrade Minor version */
 #ifndef WOLFSSL_MIN_DOWNGRADE
- #define WOLFSSL_MIN_DOWNGRADE TLSv1_MINOR
+ #ifndef NO_OLD_TLS
+ #define WOLFSSL_MIN_DOWNGRADE TLSv1_MINOR
+ #else
+ #define WOLFSSL_MIN_DOWNGRADE TLSv1_2_MINOR
+ #endif
 #endif
 /* Set max implicit IV size for AEAD cipher suites */
From d35a3f1e690684ed501979f43392b8d01492e2dc Mon Sep 17 00:00:00 2001
From: Sean Parkinson
Date: Thu, 8 Mar 2018 09:00:36 +1000
Subject: [PATCH 3/4] Fixes from code review If doing TLS v1.3 and version on ServerHello is below TLS v1.2 then handle message with old code. If doing TLS v1.3, downgrading and version ClientHello is less than minimum downgrade then this is a version error.
---
 src/tls.c | 10 ++++------
 src/tls13.c | 8 ++++++++
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/src/tls.c b/src/tls.c
index f30261d19..05a83577e 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -4641,10 +4641,9 @@ static int TLSX_SupportedVersions_Parse(WOLFSSL *ssl, byte* input,
 if (!ssl->options.downgrade)
 continue;
-#ifdef NO_OLD_TLS
- if (minor < TLSv1_2_MINOR)
+ if (minor < ssl->options.minDowngrade)
 continue;
-#endif
+ /* Downgrade the version. */
 ssl->version.minor = minor;
 }
@@ -4695,10 +4694,9 @@ static int TLSX_SupportedVersions_Parse(WOLFSSL *ssl, byte* input,
 if (!ssl->options.downgrade)
 return VERSION_ERROR;
-#ifdef NO_OLD_TLS
- if (minor < TLSv1_2_MINOR)
+ if (minor < ssl->options.minDowngrade)
 return VERSION_ERROR;
-#endif
+ /* Downgrade the version. */
 ssl->version.minor = minor;
 }
diff --git a/src/tls13.c b/src/tls13.c
index d21b23d70..35c3ed481 100644
--- a/src/tls13.c
+++ b/src/tls13.c
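Review bot: The new NO_OLD_TLS default in the `@@ -1261,7 +1261,11` hunk of wolfssl/internal.h (patch 2/4) sits inside `#ifndef WOLFSSL_MIN_DOWNGRADE`, so a build that supplies its own WOLFSSL_MIN_DOWNGRADE skips it entirely. Nothing in the hunk rejects an override below TLSv1_2_MINOR when NO_OLD_TLS is defined. The existing comment should state that constraint, for example `/* minimum Downgrade Minor version; with NO_OLD_TLS an override must not be below TLSv1_2_MINOR */`.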
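Review bot: With the `#ifdef NO_OLD_TLS` check removed in the `@@ -4641,10 +4641,9` hunk of src/tls.c (patch 3/4), `ssl->options.minDowngrade` becomes the only floor on the version accepted from the supported-versions list, and the `@@ -4695,10 +4694,9` hunk has the same shape. Where that field is initialised, and whether a caller can set it below TLSv1_2_MINOR in a NO_OLD_TLS build, is not visible here; if it can, a version with no compiled-in handler would be accepted. I would record the expectation at both checks with `/* minDowngrade is expected to be >= TLSv1_2_MINOR when NO_OLD_TLS is defined; confirm where it is set */`, or keep a compile-time floor beside the runtime one. Both hunks appear to be fragments of TLSX_SupportedVersions_Parse, whose body continues outside them.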
@@ -2643,6 +2643,11 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 return VERSION_ERROR;
 }
 #else
+ if (pv.major == ssl->version.major && pv.minor < TLSv1_2_MINOR &&
+ ssl->options.downgrade) {
+ ssl->version = pv;
+ return DoServerHello(ssl, input, inOutIdx, helloSz);
+ }
 if (pv.major != ssl->version.major || pv.minor != TLSv1_2_MINOR)
 return VERSION_ERROR;
 #endif
@@ -3626,6 +3631,9 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 "TLS v1.3");
 return VERSION_ERROR;
 }
+
+ if (pv.minor < ssl->options.minDowngrade)
+ return VERSION_ERROR;
 ssl->version.minor = pv.minor;
 }
From d6ffa0dd8e3d9d5c3388befe2254b3b4d2c14871 Mon Sep 17 00:00:00 2001
From: Sean Parkinson
Date: Thu, 8 Mar 2018 15:05:36 +1000
Subject: [PATCH 4/4] Fix downgrade when doing TLS v1.3
---
 src/tls13.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tls13.c b/src/tls13.c
index 35c3ed481..242e1a2c1 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -2645,7 +2645,7 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 #else
 if (pv.major == ssl->version.major && pv.minor < TLSv1_2_MINOR &&
 ssl->options.downgrade) {
- ssl->version = pv;
+ ssl->version.minor = TLSv1_2_MINOR;
 return DoServerHello(ssl, input, inOutIdx, helloSz);
 }
 if (pv.major != ssl->version.major || pv.minor != TLSv1_2_MINOR)
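Review bot: The fallback branch added in the `@@ -2643,6 +2643,11` hunk of src/tls13.c (patch 3/4) tests only `ssl->options.downgrade`, whereas the ClientHello hunk in the same commit also rejects `pv.minor < ssl->options.minDowngrade`. Any ServerHello version below TLSv1_2_MINOR is therefore handed to DoServerHello, and whether that function enforces the floor is not visible here. If it does not, the condition should carry the check itself by adding `pv.minor >= ssl->options.minDowngrade &&`, so that a too-low version falls through to the existing `return VERSION_ERROR;`. DoTls13ServerHello begins and ends outside the hunk.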
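Review bot: The added `if (pv.minor < ssl->options.minDowngrade) return VERSION_ERROR;` in the `@@ -3626,6 +3631,9` hunk of src/tls13.c (patch 3/4) fails without a trace, while the branch just above it logs through WOLFSSL_MSG before returning the same error. A line such as `WOLFSSL_MSG("Client version below minimum downgrade");` would let the two rejections be told apart in debug output. The check compares only the minor number; whether `pv.major` was validated earlier in DoTls13ClientHello is outside the hunk.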
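Review bot: `ssl->version.minor = TLSv1_2_MINOR;` in the `@@ -2645,7 +2645,7` hunk (patch 4/4) needs a comment, because it stores a version other than the one the server sent and the reason cannot be read from the hunk. Presumably DoServerHello then performs its own downgrade from TLS 1.2 to the server's version; if so, say it with `/* continue as a TLS 1.2 client; DoServerHello handles the downgrade to the server's version */`. It is also not visible here whether the TLS 1.3 downgrade sentinel in the ServerHello random is checked on this path, which the comment could state as well. The rest of DoTls13ServerHello lies outside the hunk.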