Implement TLS 1.3's downgrade signal.

For now, skip the 1.2 -> 1.1 signal since that will affect shipping
code. We may as well enable it too, but wait until things have settled
down. This implements the version in draft-14 since draft-13's isn't
backwards-compatible.

Change-Id: I46be43e6f4c5203eb4ae006d1c6a2fe7d7a949ec
Reviewed-on: https://boringssl-review.googlesource.com/8724
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/ssl/handshake_client.c b/ssl/handshake_client.c
index 774754a..0f9a26e 100644
--- a/ssl/handshake_client.c
+++ b/ssl/handshake_client.c
@@ -635,8 +635,7 @@
   /* If resending the ClientHello in DTLS after a HelloVerifyRequest, don't
    * renegerate the client_random. The random must be reused. */
   if ((!SSL_IS_DTLS(ssl) || !ssl->d1->send_cookie) &&
-      !ssl_fill_hello_random(ssl->s3->client_random,
-                             sizeof(ssl->s3->client_random), 0 /* client */)) {
+      !RAND_bytes(ssl->s3->client_random, sizeof(ssl->s3->client_random))) {
     goto err;
   }
 
@@ -763,15 +762,16 @@
 
   server_version = ssl->method->version_from_wire(server_wire_version);
 
+  uint16_t min_version, max_version;
+  if (!ssl_get_version_range(ssl, &min_version, &max_version) ||
+      server_version < min_version || server_version > max_version) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
+    al = SSL_AD_PROTOCOL_VERSION;
+    goto f_err;
+  }
+
   assert(ssl->s3->have_version == ssl->s3->initial_handshake_complete);
   if (!ssl->s3->have_version) {
-    uint16_t min_version, max_version;
-    if (!ssl_get_version_range(ssl, &min_version, &max_version) ||
-        server_version < min_version || server_version > max_version) {
-      OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
-      al = SSL_AD_PROTOCOL_VERSION;
-      goto f_err;
-    }
     ssl->version = server_wire_version;
     ssl->s3->enc_method = ssl3_get_enc_method(server_version);
     assert(ssl->s3->enc_method != NULL);
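Review bot: The version-range check at the top of this hunk now runs on every ServerHello, not only when `ssl->s3->have_version` is unset, but nothing in the code says why, and a reader who remembers the old placement may try to move it back inside the `if`. A short comment above `uint16_t min_version, max_version;` would pin the intent: `/* Validate the server's version against the configured range on every ServerHello, including renegotiation; max_version is also needed below to decide whether a downgrade sentinel check applies. */`. Note that a failure of `ssl_get_version_range` (a local configuration problem) is reported with the same `SSL_R_UNSUPPORTED_PROTOCOL` error and `SSL_AD_PROTOCOL_VERSION` alert as a bad peer version; that conflation predates this change but is worth a comment now that the check is unconditional. The enclosing function continues outside the hunk.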
@@ -787,6 +787,21 @@
   /* Copy over the server random. */
   memcpy(ssl->s3->server_random, CBS_data(&server_random), SSL3_RANDOM_SIZE);
 
+  /* Check for a TLS 1.3 downgrade signal. See draft-ietf-tls-tls13-14.
+   *
+   * TODO(davidben): Also implement the TLS 1.1 sentinel when things have
+   * settled down. */
+  static const uint8_t kDowngradeTLS12[8] = {0x44, 0x4f, 0x57, 0x4e,
+                                             0x47, 0x52, 0x44, 0x01};
+  if (max_version >= TLS1_3_VERSION &&
+      ssl3_protocol_version(ssl) <= TLS1_2_VERSION &&
+      memcmp(ssl->s3->server_random + SSL3_RANDOM_SIZE - 8, kDowngradeTLS12,
+             8) == 0) {
+    al = SSL_AD_ILLEGAL_PARAMETER;
+    OPENSSL_PUT_ERROR(SSL, SSL_R_DOWNGRADE_DETECTED);
+    goto f_err;
+  }
+
   assert(ssl->session == NULL || ssl->session->session_id_length > 0);
   if (!ssl->s3->initial_handshake_complete && ssl->session != NULL &&
       CBS_mem_equal(&session_id, ssl->session->session_id,
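Review bot: The sentinel length `8` is spelled out three times in the downgrade check (the array bound, the offset into `server_random`, and the `memcmp` length) instead of being derived from the table, so the three can drift apart if the sentinel ever changes; `memcmp(ssl->s3->server_random + SSL3_RANDOM_SIZE - sizeof(kDowngradeTLS12), kDowngradeTLS12, sizeof(kDowngradeTLS12)) == 0` keeps them tied together. The check deliberately precedes the session-id comparison that follows, so a sentinel in the server random is rejected even on a resumption; a comment saying so would stop a later refactor from moving it below the resumption branch. The order of `al = ...` and `OPENSSL_PUT_ERROR(...)` here is the reverse of the version-range failure path earlier in the function; aligning the two is a small readability gain. The enclosing function continues outside the hunk.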