Add checking int the client to check the magic values which are

set by a 1.3 server when it downgrades to tls 1.2 or 1.1 as per RFC 8446 section 4.1.3 ok jsing@
author: beck <> 2020-01-23 07:30:55 +0000
committer: beck <> 2020-01-23 07:30:55 +0000
commit: d0a2a4304e8bc55b8e532933c8af4982563b033b (patch)
tree: 3c6241065cc972e1b55e086b389921e9aa5eb52d /src/lib/libssl/tls13_lib.c
parent: a47fd2152ee5040be19d80d3d11f26ce798836f5 (diff)
download: openbsd-d0a2a4304e8bc55b8e532933c8af4982563b033b.tar.gz
openbsd-d0a2a4304e8bc55b8e532933c8af4982563b033b.tar.bz2
openbsd-d0a2a4304e8bc55b8e532933c8af4982563b033b.zip
1 files changed, 9 insertions, 1 deletions
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index de3e840a84..5d8c359014 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_lib.c,v 1.23 2020/01/23 05:08:30 jsing Exp $ */
+/*      $OpenBSD: tls13_lib.c,v 1.24 2020/01/23 07:30:55 beck Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -24,6 +24,14 @@
 #include "ssl_locl.h"
 #include "tls13_internal.h"
+/*
+ * RFC 8446 section 4.1.3, magic values which must be set by the
+ * server in server random if it is willing to downgrade but supports
+ * tls v1.3
+ */
+uint8_t tls13_downgrade_12[8] = {0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01};
+uint8_t tls13_downgrade_11[8] = {0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00};
 const EVP_AEAD *
 tls13_cipher_aead(const SSL_CIPHER *cipher)
 {
author	beck <>	2020-01-23 07:30:55 +0000
committer	beck <>	2020-01-23 07:30:55 +0000
commit	d0a2a4304e8bc55b8e532933c8af4982563b033b (patch)
tree	3c6241065cc972e1b55e086b389921e9aa5eb52d /src/lib/libssl/tls13_lib.c
parent	a47fd2152ee5040be19d80d3d11f26ce798836f5 (diff)
download	openbsd-d0a2a4304e8bc55b8e532933c8af4982563b033b.tar.gz openbsd-d0a2a4304e8bc55b8e532933c8af4982563b033b.tar.bz2 openbsd-d0a2a4304e8bc55b8e532933c8af4982563b033b.zip