Diffstat (limited to 'src/lib/libssl')
-rw-r--r--src/lib/libssl/ssl_clnt.c28
1 files changed, 27 insertions, 1 deletions
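diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index dfb1d7ddb6..ce43a89ca7 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.63 2020/01/30 16:25:09 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.64 2020/03/06 16:36:47 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -873,6 +873,32 @@ ssl3_get_server_hello(SSL *s)
  sizeof(s->s3->server_random), NULL))
  goto err;
 
+ if (!SSL_IS_DTLS(s) && !ssl_enabled_version_range(s, NULL, &max_version))
+ goto err;
+ if (!SSL_IS_DTLS(s) && max_version >= TLS1_2_VERSION &&
+ s->version < max_version) {
+ /*
+ * RFC 8446 section 4.1.3. We must not downgrade if the server
+ * random value contains the TLS 1.2 or TLS 1.1 magical value.
+ */
+ if (!CBS_skip(&server_random,
+ CBS_len(&server_random) - sizeof(tls13_downgrade_12)))
+ goto err;
+ if (s->version == TLS1_2_VERSION &&
+ CBS_mem_equal(&server_random, tls13_downgrade_12,
+ sizeof(tls13_downgrade_12))) {
+ al = SSL_AD_ILLEGAL_PARAMETER;
+ SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
+ goto f_err;
+ }
+ if (CBS_mem_equal(&server_random, tls13_downgrade_11,
+ sizeof(tls13_downgrade_11))) {
+ al = SSL_AD_ILLEGAL_PARAMETER;
+ SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
+ goto f_err;
+ }
+ }
+
 /* Session ID. */
 if (!CBS_get_u8_length_prefixed(&cbs, &session_id))
 goto truncated;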
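Review bot: The downgrade check in the second hunk is gated on `max_version` from `ssl_enabled_version_range()`, so it is only correct if that value equals the highest version the ClientHello actually offered, which is not visible in this hunk. If the range is clamped below what was offered, the `s->version < max_version` test never fires and the sentinel goes unchecked; if it is higher than what was offered, a legitimate TLS 1.2 handshake with a TLS 1.3-capable server would presumably be aborted. I would state the assumption above the gate, e.g. `/* max_version must be the highest version offered in the ClientHello, not merely the highest enabled one. */`. Separately, the `CBS_skip()` length is derived from `sizeof(tls13_downgrade_12)` while the second comparison uses `sizeof(tls13_downgrade_11)`, and a `server_random` shorter than the sentinel is rejected only because the unsigned subtraction wraps and makes the skip fail; a compile-time check that both sentinels have the same size and a one-line comment on the wrap would make this explicit. The body of `ssl3_get_server_hello` starts and ends outside the hunk, so any later use of the now-advanced `server_random` CBS cannot be checked from here.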