From 2e68d19baa1dd9f1c5e5f544dc3004683c5f618e Mon Sep 17 00:00:00 2001
From: beck <>
Date: Thu, 23 Jan 2020 08:04:50 +0000
Subject: If we are building a legacy server hello, check to see if we are downgrading from TLS 1.3. If we are, set the last 8 bytes of the server_random value to the required values as per RFC 8446 section 4.1.3 indicating that we deliberately meant to downgrade. ok jsing@
---
 src/lib/libssl/ssl_srvr.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-) (limited to 'src/lib')
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 809f589653..26b24f4f22 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.68 2019/04/22 15:12:20 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.69 2020/01/23 08:04:50 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1042,6 +1042,25 @@ ssl3_get_client_hello(SSL *s)
 */
 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
+ if (s->internal->tls13 != NULL) {
+ /*
+ * RFC 8446 section 4.1.3. If we are downgrading from TLS 1.3
+ * we must set the last 8 bytes of the server random to magical
+ * values to indicate we meant to downgrade.
+ */
+ size_t index = SSL3_RANDOM_SIZE - sizeof(tls13_downgrade_12);
+ uint8_t *magic = &s->s3->server_random[index];
+ if (s->version == TLS1_2_VERSION) {
+ /* Indicate we chose to downgrade to 1.2. */
+ memcpy(magic, tls13_downgrade_12,
+ sizeof(tls13_downgrade_12));
+ } else {
+ /* Indicate we chose to downgrade to 1.1 or lower */
+ memcpy(magic, tls13_downgrade_11,
+ sizeof(tls13_downgrade_11));
+ }
+ }
+
 if (!s->internal->hit && s->internal->tls_session_secret_cb) {
 SSL_CIPHER *pref_cipher = NULL;
--
cgit v1.2.3-55-g6feb
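Review bot: In the `ssl3_get_client_hello` hunk, `index` is derived from `sizeof(tls13_downgrade_12)`, but the else branch copies `sizeof(tls13_downgrade_11)` bytes to that same offset, so the write only stays inside `server_random` while both arrays have the same length. Their declarations are outside this hunk (RFC 8446 section 4.1.3 gives both sentinels as 8 bytes), so I would pin the assumption next to them with `_Static_assert(sizeof(tls13_downgrade_12) == sizeof(tls13_downgrade_11), "downgrade sentinels differ in size");` or compute the offset from one shared length constant. Separately, the sentinel is gated only on `s->internal->tls13 != NULL`, and it is not visible here whether that implies TLS 1.3 is actually enabled for this connection. If it does not, a TLS 1.3-capable client would see the sentinel on a handshake that was not downgraded and abort, so the condition deserves a confirming sentence in the comment. The function body starts and ends outside the hunk.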