3 files changed, 30 insertions, 3 deletions

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index cab113b8c3..477cca2e04 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.30 2020/01/23 06:15:44 beck Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.31 2020/01/23 07:30:55 beck Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  *
@@ -285,6 +285,22 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
                 goto err;
 
         if (tls13_server_hello_is_legacy(cbs)) {
+                /*
+                 * RFC 8446 section 4.1.3, We must not downgrade if
+                 * the server random value contains the TLS 1.2 or 1.1
+                 * magical value.
+                 */
+                if (!CBS_skip(&server_random, CBS_len(&server_random) -
+                    sizeof(tls13_downgrade_12)))
+                        goto err;
+                if (CBS_mem_equal(&server_random, tls13_downgrade_12,
+                    sizeof(tls13_downgrade_12)) ||
+                    CBS_mem_equal(&server_random, tls13_downgrade_11,
+                    sizeof(tls13_downgrade_11))) {
+                        ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
+                        goto err;
+                }
+
                 if (!CBS_skip(cbs, CBS_len(cbs)))
                         goto err;
                 return tls13_use_legacy_client(ctx);
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index 12ba5750a0..f11d96f2ea 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.48 2020/01/23 05:08:30 jsing Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.49 2020/01/23 07:30:55 beck Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -305,6 +305,9 @@ int tls13_error_setx(struct tls13_error *error, int code, int subcode,
         tls13_error_setx(&(ctx)->error, (code), (subcode), __FILE__, __LINE__, \
             (fmt), __VA_ARGS__)
 
+extern uint8_t tls13_downgrade_12[8];
+extern uint8_t tls13_downgrade_11[8];
+
 __END_HIDDEN_DECLS
 
 #endif
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index de3e840a84..5d8c359014 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_lib.c,v 1.23 2020/01/23 05:08:30 jsing Exp $ */
+/*      $OpenBSD: tls13_lib.c,v 1.24 2020/01/23 07:30:55 beck Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -24,6 +24,14 @@
 #include "ssl_locl.h"
 #include "tls13_internal.h"
 
+/*
+ * RFC 8446 section 4.1.3, magic values which must be set by the
+ * server in server random if it is willing to downgrade but supports
+ * tls v1.3
+ */
+uint8_t tls13_downgrade_12[8] = {0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01};
+uint8_t tls13_downgrade_11[8] = {0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00};
+
 const EVP_AEAD *
 tls13_cipher_aead(const SSL_CIPHER *cipher)
 {