From 88b9801066a02214b56aa85fd09d1b6a438b1b87 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz <juliusz@wolfssl.com>
Date: Fri, 21 Feb 2025 13:44:05 +0100
Subject: [PATCH] TLS EMS: Set haveEMS when we negotiate TLS 1.3

---
 src/ssl_sess.c           | 11 +++++-
 tests/api.c              |  1 +
 tests/api/test_tls_ext.c | 72 ++++++++++++++++++++++++++++++++++++++++
 tests/api/test_tls_ext.h |  1 +
 4 files changed, 84 insertions(+), 1 deletion(-)

diff --git a/src/ssl_sess.c b/src/ssl_sess.c
index 7054b52ad1..628505a101 100644
--- a/src/ssl_sess.c
+++ b/src/ssl_sess.c
@@ -3565,7 +3565,16 @@ void SetupSession(WOLFSSL* ssl)
     session->side = (byte)ssl->options.side;
     if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL)
         XMEMCPY(session->masterSecret, ssl->arrays->masterSecret, SECRET_LEN);
-    session->haveEMS = ssl->options.haveEMS;
+    /* RFC8446 Appendix D.
+     *   implementations which support both TLS 1.3 and earlier versions SHOULD
+     *   indicate the use of the Extended Master Secret extension in their APIs
+     *   whenever TLS 1.3 is used.
+     * Set haveEMS so that we send the extension in subsequent connections that
+     * offer downgrades. */
+    if (IsAtLeastTLSv1_3(ssl->version))
+        session->haveEMS = 1;
+    else
+        session->haveEMS = ssl->options.haveEMS;
 #ifdef WOLFSSL_SESSION_ID_CTX
     /* If using compatibility layer then check for and copy over session context
      * id. */
diff --git a/tests/api.c b/tests/api.c
index 81f3a9b5d0..2e5a5f9c9a 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -95326,6 +95326,7 @@ TEST_CASE testCases[] = {
     /* Uses Assert in handshake callback. */
     TEST_DECL(test_wolfSSL_set_alpn_protos),
 #endif
+    TEST_DECL(test_tls_ems_downgrade),
     TEST_DECL(test_wolfSSL_DisableExtendedMasterSecret),
     TEST_DECL(test_wolfSSL_wolfSSL_UseSecureRenegotiation),
     TEST_DECL(test_wolfSSL_SCR_Reconnect),
diff --git a/tests/api/test_tls_ext.c b/tests/api/test_tls_ext.c
index ed57f075fc..127901de9b 100644
--- a/tests/api/test_tls_ext.c
+++ b/tests/api/test_tls_ext.c
@@ -35,9 +35,81 @@
     #include <wolfcrypt/src/misc.c>
 #endif
 
+#include <wolfssl/internal.h>
 #include <tests/unit.h>
+#include <tests/utils.h>
 #include <tests/api/test_tls_ext.h>
 
+int test_tls_ems_downgrade(void)
+{
+    EXPECT_DECLS;
+#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_TLS12) && \
+        defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES)
+    struct test_memio_ctx test_ctx;
+    WOLFSSL_CTX *ctx_c = NULL;
+    WOLFSSL_CTX *ctx_s = NULL;
+    WOLFSSL *ssl_c = NULL;
+    WOLFSSL *ssl_s = NULL;
+    WOLFSSL_SESSION* session = NULL;
+    /* TLS EMS extension in binary form */
+    const char ems_ext[] = { 0x00, 0x17, 0x00, 0x00 };
+    char data = 0;
+
+    XMEMSET(&test_ctx, 0, sizeof(test_ctx));
+
+    ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
+            wolfTLS_client_method, wolfTLS_server_method), 0);
+
+    ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
+    ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
+
+    /* Verify that the EMS extension is present in Client's message */
+    ExpectNotNull(mymemmem(test_ctx.s_buff, test_ctx.s_len,
+            ems_ext, sizeof(ems_ext)));
+
+    ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
+    ExpectIntEQ(wolfSSL_version(ssl_c), TLS1_3_VERSION);
+
+    /* Do a round of reads to exchange the ticket message */
+    ExpectIntEQ(wolfSSL_read(ssl_s, &data, sizeof(data)), -1);
+    ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ);
+    ExpectIntEQ(wolfSSL_read(ssl_c, &data, sizeof(data)), -1);
+    ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
+
+    ExpectNotNull(session = wolfSSL_get1_session(ssl_c));
+    ExpectTrue(session->haveEMS);
+
+    wolfSSL_free(ssl_c);
+    ssl_c = NULL;
+    wolfSSL_free(ssl_s);
+    ssl_s = NULL;
+
+    ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s,
+            wolfTLS_client_method, wolfTLS_server_method), 0);
+
+    /* Resuming the connection */
+    ExpectIntEQ(wolfSSL_set_session(ssl_c, session), WOLFSSL_SUCCESS);
+    ExpectIntEQ(wolfSSL_connect(ssl_c), -1);
+    ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ);
+
+    /* Verify that the EMS extension is still present in the resumption CH
+     * even though we used TLS 1.3 */
+    ExpectNotNull(mymemmem(test_ctx.s_buff, test_ctx.s_len,
+            ems_ext, sizeof(ems_ext)));
+
+    ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
+    ExpectIntEQ(wolfSSL_version(ssl_c), TLS1_3_VERSION);
+
+    wolfSSL_SESSION_free(session);
+    wolfSSL_free(ssl_c);
+    wolfSSL_free(ssl_s);
+    wolfSSL_CTX_free(ctx_c);
+    wolfSSL_CTX_free(ctx_s);
+#endif
+    return EXPECT_RESULT();
+}
+
+
 int test_wolfSSL_DisableExtendedMasterSecret(void)
 {
     EXPECT_DECLS;
diff --git a/tests/api/test_tls_ext.h b/tests/api/test_tls_ext.h
index 49bd5c0381..b91114b7d5 100644
--- a/tests/api/test_tls_ext.h
+++ b/tests/api/test_tls_ext.h
@@ -22,6 +22,7 @@
 #ifndef TESTS_API_TEST_TLS_EMS_H
 #define TESTS_API_TEST_TLS_EMS_H
 
+int test_tls_ems_downgrade(void);
 int test_wolfSSL_DisableExtendedMasterSecret(void);
 
 #endif /* TESTS_API_TEST_TLS_EMS_H */