Merge pull request #8777 from rizlik/dtls_reject_v11

Drop DTLS packets with bogus minor version number
2025-05-16 14:45:25 -05:00 · 2025-05-16 14:45:25 -05:00 · 91af9073b0
parent e67536cb15 22f41a8dbb
commit 91af9073b0
4 changed files with 55 additions and 0 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -11788,6 +11788,10 @@ static int GetDtlsRecordHeader(WOLFSSL* ssl, word32* inOutIdx,
    *inOutIdx += ENUM_LEN + VERSION_SZ;
    ato16(ssl->buffers.inputBuffer.buffer + *inOutIdx, &ssl->keys.curEpoch);

+    if (rh->pvMajor == DTLS_MAJOR && rh->pvMinor == DTLS_BOGUS_MINOR) {
+        return SEQUENCE_ERROR;
+    }
+
 #ifdef WOLFSSL_DTLS_CID
    if (rh->type == dtls12_cid && (cidSz = DtlsGetCidRxSize(ssl)) == 0)
        return DTLS_CID_ERROR;
--- a/tests/api.c
+++ b/tests/api.c
@ -68025,6 +68025,7 @@ TEST_CASE testCases[] = {
    TEST_DECL(test_wolfSSL_dtls_cid_parse),
    TEST_DECL(test_dtls13_epochs),
    TEST_DECL(test_dtls13_ack_order),
+    TEST_DECL(test_dtls_version_checking),
    TEST_DECL(test_ocsp_status_callback),
    TEST_DECL(test_ocsp_basic_verify),
    TEST_DECL(test_ocsp_response_parsing),
--- a/tests/api/test_dtls.c
+++ b/tests/api/test_dtls.c
@ -727,3 +727,52 @@ int test_dtls13_ack_order(void)
 #endif
    return EXPECT_RESULT();
 }
+
+int test_dtls_version_checking(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_DTLS)
+    WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
+    WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
+    struct test_memio_ctx test_ctx;
+
+    XMEMSET(&test_ctx, 0, sizeof(test_ctx));
+
+    ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
+                    wolfDTLSv1_2_client_method, wolfDTLSv1_2_server_method),
+        0);
+
+    /* CH */
+    ExpectIntEQ(wolfSSL_connect(ssl_c), WOLFSSL_FATAL_ERROR);
+    ExpectIntEQ(wolfSSL_get_error(ssl_c, WOLFSSL_FATAL_ERROR),
+        WOLFSSL_ERROR_WANT_READ);
+
+    /* modify CH DTLS header to have version 1.1 (0xfe, 0xfe) */
+    ExpectIntGE(test_ctx.s_len, 3);
+    if (EXPECT_SUCCESS()) {
+        test_ctx.s_buff[1] = 0xfe;
+        test_ctx.s_buff[2] = 0xfe;
+    }
+
+    ExpectIntEQ(wolfSSL_accept(ssl_s), WOLFSSL_FATAL_ERROR);
+    ExpectIntEQ(wolfSSL_get_error(ssl_s, WOLFSSL_FATAL_ERROR),
+        WOLFSSL_ERROR_WANT_READ);
+    /* server should drop the message */
+    ExpectIntEQ(test_ctx.c_len, 0);
+
+    wolfSSL_free(ssl_c);
+    ssl_c = wolfSSL_new(ctx_c);
+    ExpectNotNull(ssl_c);
+    wolfSSL_SetIOWriteCtx(ssl_c, &test_ctx);
+    wolfSSL_SetIOReadCtx(ssl_c, &test_ctx);
+
+    /* try again */
+    ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
+
+    wolfSSL_free(ssl_c);
+    wolfSSL_CTX_free(ctx_c);
+    wolfSSL_free(ssl_s);
+    wolfSSL_CTX_free(ctx_s);
+#endif /* HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES && WOLFSSL_DTLS */
+    return EXPECT_RESULT();
+}
--- a/tests/api/test_dtls.h
+++ b/tests/api/test_dtls.h
@ -27,5 +27,6 @@ int test_dtls13_basic_connection_id(void);
 int test_wolfSSL_dtls_cid_parse(void);
 int test_dtls13_epochs(void);
 int test_dtls13_ack_order(void);
+int test_dtls_version_checking(void);

 #endif /* TESTS_API_DTLS_H */