From d7033684835fbe673f22522f38a247f53b908aa9 Mon Sep 17 00:00:00 2001
From: Theo Buehler <tb@cvs.openbsd.org>
Date: Fri, 6 Mar 2020 16:36:48 +0000
Subject: RFC 8446, section 4.1.3: If a TLSv1.2 client receives a ServerHello
 for TLSv1.1 or below, it should check whether the server's random value
 contains the magic downgrade protection cookie and in that case abort the
 handshake with an illegal parameter alert.

ok inoguchi, jsing
---
 lib/libssl/ssl_clnt.c | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

(limited to 'lib/libssl')

diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index dfb1d7ddb6d..ce43a89ca73 100644
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.63 2020/01/30 16:25:09 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.64 2020/03/06 16:36:47 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -873,6 +873,32 @@ ssl3_get_server_hello(SSL *s)
 	    sizeof(s->s3->server_random), NULL))
 		goto err;
 
+	if (!SSL_IS_DTLS(s) && !ssl_enabled_version_range(s, NULL, &max_version))
+		goto err;
+	if (!SSL_IS_DTLS(s) && max_version >= TLS1_2_VERSION &&
+	    s->version < max_version) {
+		/*
+		 * RFC 8446 section 4.1.3. We must not downgrade if the server
+		 * random value contains the TLS 1.2 or TLS 1.1 magical value.
+		 */
+		if (!CBS_skip(&server_random,
+		    CBS_len(&server_random) - sizeof(tls13_downgrade_12)))
+			goto err;
+		if (s->version == TLS1_2_VERSION &&
+		    CBS_mem_equal(&server_random, tls13_downgrade_12,
+		    sizeof(tls13_downgrade_12))) {
+			al = SSL_AD_ILLEGAL_PARAMETER;
+			SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
+			goto f_err;
+		}
+		if (CBS_mem_equal(&server_random, tls13_downgrade_11,
+		    sizeof(tls13_downgrade_11))) {
+			al = SSL_AD_ILLEGAL_PARAMETER;
+			SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
+			goto f_err;
+		}
+	}
+
 	/* Session ID. */
 	if (!CBS_get_u8_length_prefixed(&cbs, &session_id))
 		goto truncated;
-- 
cgit v1.2.3