RFC 8446, section 4.1.3: If a TLSv1.2 client receives a ServerHello for

TLSv1.1 or below, it should check whether the server's random value contains the magic downgrade protection cookie and in that case abort the handshake with an illegal parameter alert. ok inoguchi, jsing
author: tb <> 2020-03-06 16:36:47 +0000
committer: tb <> 2020-03-06 16:36:47 +0000
commit: 9ad7f732b50e06beb7ceecfd95ddf0814ae3fee2 (patch)
tree: f194956f6cc45bdd486f4e083b6e524918c304a6
parent: 6326e46ece7f938469b33d5f69c4d12688618e6e (diff)
download: openbsd-9ad7f732b50e06beb7ceecfd95ddf0814ae3fee2.tar.gz
openbsd-9ad7f732b50e06beb7ceecfd95ddf0814ae3fee2.tar.bz2
openbsd-9ad7f732b50e06beb7ceecfd95ddf0814ae3fee2.zip
1 files changed, 27 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index dfb1d7ddb6..ce43a89ca7 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.63 2020/01/30 16:25:09 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.64 2020/03/06 16:36:47 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -873,6 +873,32 @@ ssl3_get_server_hello(SSL *s)
            sizeof(s->s3->server_random), NULL))
                goto err;
+        if (!SSL_IS_DTLS(s) && !ssl_enabled_version_range(s, NULL, &max_version))
+                goto err;
+        if (!SSL_IS_DTLS(s) && max_version >= TLS1_2_VERSION &&
+            s->version < max_version) {
+                /*
+                 * RFC 8446 section 4.1.3. We must not downgrade if the server
+                 * random value contains the TLS 1.2 or TLS 1.1 magical value.
+                 */
+                if (!CBS_skip(&server_random,
+                    CBS_len(&server_random) - sizeof(tls13_downgrade_12)))
+                        goto err;
+                if (s->version == TLS1_2_VERSION &&
+                    CBS_mem_equal(&server_random, tls13_downgrade_12,
+                    sizeof(tls13_downgrade_12))) {
+                        al = SSL_AD_ILLEGAL_PARAMETER;
+                        SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
+                        goto f_err;
+                }
+                if (CBS_mem_equal(&server_random, tls13_downgrade_11,
+                    sizeof(tls13_downgrade_11))) {
+                        al = SSL_AD_ILLEGAL_PARAMETER;
+                        SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
+                        goto f_err;
+                }
+        }
        /* Session ID. */
        if (!CBS_get_u8_length_prefixed(&cbs, &session_id))
                goto truncated;
author	tb <>	2020-03-06 16:36:47 +0000
committer	tb <>	2020-03-06 16:36:47 +0000
commit	9ad7f732b50e06beb7ceecfd95ddf0814ae3fee2 (patch)
tree	f194956f6cc45bdd486f4e083b6e524918c304a6
parent	6326e46ece7f938469b33d5f69c4d12688618e6e (diff)
download	openbsd-9ad7f732b50e06beb7ceecfd95ddf0814ae3fee2.tar.gz openbsd-9ad7f732b50e06beb7ceecfd95ddf0814ae3fee2.tar.bz2 openbsd-9ad7f732b50e06beb7ceecfd95ddf0814ae3fee2.zip

diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index dfb1d7ddb6..ce43a89ca7 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_clnt.c,v 1.63 2020/01/30 16:25:09 jsing Exp $ */	1	/* $OpenBSD: ssl_clnt.c,v 1.64 2020/03/06 16:36:47 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -873,6 +873,32 @@ ssl3_get_server_hello(SSL *s)
873	sizeof(s->s3->server_random), NULL))	873	sizeof(s->s3->server_random), NULL))
874	goto err;	874	goto err;
875		875
		876	if (!SSL_IS_DTLS(s) && !ssl_enabled_version_range(s, NULL, &max_version))
		877	goto err;
		878	if (!SSL_IS_DTLS(s) && max_version >= TLS1_2_VERSION &&
		879	s->version < max_version) {
		880	/*
		881	* RFC 8446 section 4.1.3. We must not downgrade if the server
		882	* random value contains the TLS 1.2 or TLS 1.1 magical value.
		883	*/
		884	if (!CBS_skip(&server_random,
		885	CBS_len(&server_random) - sizeof(tls13_downgrade_12)))
		886	goto err;
		887	if (s->version == TLS1_2_VERSION &&
		888	CBS_mem_equal(&server_random, tls13_downgrade_12,
		889	sizeof(tls13_downgrade_12))) {
		890	al = SSL_AD_ILLEGAL_PARAMETER;
		891	SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
		892	goto f_err;
		893	}
		894	if (CBS_mem_equal(&server_random, tls13_downgrade_11,
		895	sizeof(tls13_downgrade_11))) {
		896	al = SSL_AD_ILLEGAL_PARAMETER;
		897	SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
		898	goto f_err;
		899	}
		900	}
		901
876	/* Session ID. */	902	/* Session ID. */
877	if (!CBS_get_u8_length_prefixed(&cbs, &session_id))	903	if (!CBS_get_u8_length_prefixed(&cbs, &session_id))
878	goto truncated;	904	goto truncated;