From 6326e46ece7f938469b33d5f69c4d12688618e6e Mon Sep 17 00:00:00 2001 From: tb <> Date: Fri, 6 Mar 2020 16:31:30 +0000 Subject: TLSv1.3 servers that intend to downgrade are required to set the last eight bytes of the server's random to a magic cookie (RFC 8446, 4.1.3). The TLSv1.3 spec changes the TLSv1.2 spec in that it recommends that TLSv1.2 servers that negotiate TLSv1.1 or below do the same. This gives a limited additional protection against downgrade attacks beyond what is already present in the Finished exchange. The TLSv1.3 part was already implemented in Hobart and can be trivially modified to do the TLSv1.2 bit as well. ok inoguchi, jsing --- src/lib/libssl/ssl_srvr.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index e55b6beed1..c9c24f0453 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_srvr.c,v 1.72 2020/02/16 14:33:04 inoguchi Exp $ */ +/* $OpenBSD: ssl_srvr.c,v 1.73 2020/03/06 16:31:30 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -801,7 +801,7 @@ ssl3_get_client_hello(SSL *s) STACK_OF(SSL_CIPHER) *ciphers = NULL; unsigned long alg_k; const SSL_METHOD *method; - uint16_t shared_version; + uint16_t max_version, shared_version; /* * We do this so that we will respond with our native type. @@ -1042,11 +1042,15 @@ ssl3_get_client_hello(SSL *s) */ arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); - if (s->internal->tls13 != NULL) { + if (!SSL_IS_DTLS(s) && !ssl_enabled_version_range(s, NULL, &max_version)) + goto err; + if (!SSL_IS_DTLS(s) && max_version >= TLS1_2_VERSION && + s->version < max_version) { /* * RFC 8446 section 4.1.3. If we are downgrading from TLS 1.3 * we must set the last 8 bytes of the server random to magical - * values to indicate we meant to downgrade. + * values to indicate we meant to downgrade. For TLS 1.2 it is + * recommended that we do the same. */ size_t index = SSL3_RANDOM_SIZE - sizeof(tls13_downgrade_12); uint8_t *magic = &s->s3->server_random[index]; -- cgit v1.2.3-55-g6feb