Temporary remove the TLS 1.3 anti-downgrade mechanism.
This mechanism is incompatible with deploying draft versions of TLS 1.3.
Suppose a draft M client talks to a draft N server, M != N. (Either M or
N could also be the final standard revision should there be lingering
draft clients or servers.) The server will notice the mismatch and
pretend ClientHello.version is TLS 1.2, not TLS 1.3. But this will
trigger the anti-downgrade signal and cause an interop failure! And if it
doesn't trigger, all the clever tricks around ServerHello.random being
signed in TLS 1.2 are moot.
We'll put this back when the dust has settled.
Change-Id: Ic3cf72b7c31ba91e5cca0cfd7a3fca830c493a43
Reviewed-on: https://boringssl-review.googlesource.com/11005
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/handshake_client.c b/ssl/handshake_client.c
index 237f452..93562e57 100644
--- a/ssl/handshake_client.c
+++ b/ssl/handshake_client.c
@@ -880,20 +880,8 @@
/* Copy over the server random. */
memcpy(ssl->s3->server_random, CBS_data(&server_random), SSL3_RANDOM_SIZE);
- /* Check for a TLS 1.3 downgrade signal. See draft-ietf-tls-tls13-14.
- *
- * TODO(davidben): Also implement the TLS 1.1 sentinel when things have
- * settled down. */
- static const uint8_t kDowngradeTLS12[8] = {0x44, 0x4f, 0x57, 0x4e,
- 0x47, 0x52, 0x44, 0x01};
- if (real_max_version >= TLS1_3_VERSION &&
- ssl3_protocol_version(ssl) <= TLS1_2_VERSION &&
- memcmp(ssl->s3->server_random + SSL3_RANDOM_SIZE - 8, kDowngradeTLS12,
- 8) == 0) {
- al = SSL_AD_ILLEGAL_PARAMETER;
- OPENSSL_PUT_ERROR(SSL, SSL_R_DOWNGRADE_DETECTED);
- goto f_err;
- }
+ /* TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS
+ * 1.3 is finalized and we are not implementing a draft version. */
if (!ssl->s3->initial_handshake_complete && ssl->session != NULL &&
ssl->session->session_id_length != 0 &&
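Review bot: The replacement TODO after the `server_random` copy does not record what protection is lost while the check is out. With the `kDowngradeTLS12` comparison removed, a client whose maximum version is TLS 1.3 no longer rejects a TLS 1.2 ServerHello carrying the sentinel, so downgrade detection rests on whatever other mechanisms remain (the FALLBACK_SCSV tests in runner.go suggest that one is still in place). I would word it as `/* TODO(davidben): Restore the TLS 1.3 downgrade check on server_random, removed while draft versions are deployed; until then a downgrade to TLS 1.2 is not detected here. */` and reference a tracking bug so the restoration is not forgotten. The identical TODO in ssl/handshake_server.c needs the same treatment for the sending side. `real_max_version` may now be unused in this function, which is worth checking because its body starts and ends outside the hunk.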
diff --git a/ssl/handshake_server.c b/ssl/handshake_server.c
index f041129..20986ec 100644
--- a/ssl/handshake_server.c
+++ b/ssl/handshake_server.c
@@ -870,20 +870,8 @@
return -1;
}
- /* Fill in the TLS 1.2 downgrade signal. See draft-ietf-tls-tls13-14.
- *
- * TODO(davidben): Also implement the TLS 1.1 sentinel when things have
- * settled down. */
- uint16_t min_version, max_version;
- if (!ssl_get_version_range(ssl, &min_version, &max_version)) {
- return -1;
- }
- if (max_version >= TLS1_3_VERSION &&
- ssl3_protocol_version(ssl) <= TLS1_2_VERSION) {
- static const uint8_t kDowngradeTLS12[8] = {0x44, 0x4f, 0x57, 0x4e,
- 0x47, 0x52, 0x44, 0x01};
- memcpy(ssl->s3->server_random + SSL3_RANDOM_SIZE - 8, kDowngradeTLS12, 8);
- }
+ /* TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS
+ * 1.3 is finalized and we are not implementing a draft version. */
const SSL_SESSION *session = ssl->s3->new_session;
if (ssl->session != NULL) {
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 7d2a6bf..5d77113 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -4207,8 +4207,8 @@
NegotiateVersion: VersionTLS12,
},
},
- shouldFail: true,
- expectedError: ":DOWNGRADE_DETECTED:",
+ // TODO(davidben): This test should fail once TLS 1.3 is final
+ // and the fallback signal restored.
})
testCases = append(testCases, testCase{
testType: serverTest,
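Review bot: The TODO that replaces `shouldFail`/`expectedError` reads as if the test itself were broken, and it does not say that the case now asserts the opposite of what it used to: a handshake downgraded from TLS 1.3 to TLS 1.2 is expected to succeed. I would spell that out and keep the old expectation in the comment so it can be restored verbatim, e.g. `// TODO(davidben): Restore shouldFail and expectedError ":DOWNGRADE_DETECTED:" once TLS 1.3 is final; until then this case passes only because the downgrade signal is not checked.` The same wording issue applies to the two later runner.go hunks, where the server-side case would name `expectedLocalError: "tls: downgrade from TLS 1.3 detected"` instead. The test names are outside the hunks, so if they still describe detection they may deserve a matching note.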
@@ -4218,8 +4218,8 @@
SendClientVersion: VersionTLS12,
},
},
- shouldFail: true,
- expectedLocalError: "tls: downgrade from TLS 1.3 detected",
+ // TODO(davidben): This test should fail once TLS 1.3 is final
+ // and the fallback signal restored.
})
// Test that FALLBACK_SCSV is sent and that the downgrade signal works
@@ -4236,8 +4236,8 @@
"-max-version", strconv.Itoa(VersionTLS13),
"-fallback-version", strconv.Itoa(VersionTLS12),
},
- shouldFail: true,
- expectedError: ":DOWNGRADE_DETECTED:",
+ // TODO(davidben): This test should fail once TLS 1.3 is final
+ // and the fallback signal restored.
})
testCases = append(testCases, testCase{
name: "Downgrade-TLS12-Client-FallbackEqualsMax",