author | tb <> | 2020-03-06 16:31:30 +0000 |
committer | tb <> | 2020-03-06 16:31:30 +0000 |
commit | 6326e46ece7f938469b33d5f69c4d12688618e6e (patch) | |
tree | a651d369793dfeaba4db323fa66c76dc4b761c94 | |
parent | 26ef5580166bc8d9119f867542fa40e12a4b18a4 (diff) | |
TLSv1.3 servers that intend to downgrade are required to set the last
eight bytes of the server's random to a magic cookie (RFC 8446, 4.1.3).
The TLSv1.3 spec changes the TLSv1.2 spec in that it recommends that
TLSv1.2 servers that negotiate TLSv1.1 or below do the same. This gives
a limited additional protection against downgrade attacks beyond what is
already present in the Finished exchange.
The TLSv1.3 part was already implemented in Hobart and can be trivially
modified to do the TLSv1.2 bit as well.
ok inoguchi, jsing
-rw-r--r-- | src/lib/libssl/ssl_srvr.c | 12 |
1 files changed, 8 insertions, 4 deletions
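--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.72 2020/02/16 14:33:04 inoguchi Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.73 2020/03/06 16:31:30 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -801,7 +801,7 @@ ssl3_get_client_hello(SSL *s)
 STACK_OF(SSL_CIPHER) *ciphers = NULL;
 unsigned long alg_k;
 const SSL_METHOD *method;
-uint16_t shared_version;
+uint16_t max_version, shared_version;
 
 /*
 * We do this so that we will respond with our native type.
@@ -1042,11 +1042,15 @@ ssl3_get_client_hello(SSL *s)
 */
 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
 
-if (s->internal->tls13 != NULL) {
+if (!SSL_IS_DTLS(s) && !ssl_enabled_version_range(s, NULL, &max_version))
+goto err;
+if (!SSL_IS_DTLS(s) && max_version >= TLS1_2_VERSION &&
+s->version < max_version) {
 /*
 * RFC 8446 section 4.1.3. If we are downgrading from TLS 1.3
 * we must set the last 8 bytes of the server random to magical
-* values to indicate we meant to downgrade.
+* values to indicate we meant to downgrade. For TLS 1.2 it is
+* recommended that we do the same.
 */
 size_t index = SSL3_RANDOM_SIZE - sizeof(tls13_downgrade_12);
 uint8_t *magic = &s->s3->server_random[index];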
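Review bot: `max_version` is assigned only on the non-DTLS path of the first new `if`, and the second new `if` reads it only because the same `!SSL_IS_DTLS(s)` test short-circuits first, so the variable's definedness rests on evaluation order rather than on structure and may draw a maybe-uninitialized warning from some compilers. Folding both tests under a single guard makes the dependency explicit: `if (!SSL_IS_DTLS(s)) {` / `if (!ssl_enabled_version_range(s, NULL, &max_version)) goto err;` / `if (max_version >= TLS1_2_VERSION && s->version < max_version) {` (or, less invasively, `uint16_t max_version = 0, shared_version;` at the declaration in the earlier hunk). The memcpy that chooses between the `tls13_downgrade_12` and the lower-version sentinel lies past the end of this hunk, so I cannot confirm here that a server whose configured maximum is TLS 1.2 and which negotiates TLS 1.1 or below ends up with the zero-terminated value RFC 8446 section 4.1.3 prescribes for that case; worth checking when the remainder of the block is reviewed. ssl3_get_client_hello begins and ends outside this hunk.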