Implement TLS 1.3 anti-downgrade signal. Change-Id: Ib4739350948ec339457d993daef582748ed8f100 Reviewed-on: https://boringssl-review.googlesource.com/30924 Commit-Queue: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 6b0d9bb..047101e 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h
@@ -3664,10 +3664,14 @@ OPENSSL_EXPORT void SSL_CTX_set_false_start_allowed_without_alpn(SSL_CTX *ctx, int allowed); -// SSL_is_draft_downgrade returns one if the TLS 1.3 anti-downgrade mechanism -// would have aborted |ssl|'s handshake and zero otherwise. -OPENSSL_EXPORT int SSL_is_draft_downgrade(const SSL *ssl); +// SSL_CTX_set_ignore_tls13_downgrade configures whether connections on |ctx| +// ignore the downgrade signal in the server's random value. +OPENSSL_EXPORT void SSL_CTX_set_ignore_tls13_downgrade(SSL_CTX *ctx, + int ignore); +// SSL_is_tls13_downgrade returns one if the TLS 1.3 anti-downgrade +// mechanism would have aborted |ssl|'s handshake and zero otherwise. +OPENSSL_EXPORT int SSL_is_tls13_downgrade(const SSL *ssl); // Deprecated functions. @@ -4773,6 +4777,7 @@ #define SSL_R_UNKNOWN_CERT_COMPRESSION_ALG 294 #define SSL_R_INVALID_SIGNATURE_ALGORITHM 295 #define SSL_R_DUPLICATE_SIGNATURE_ALGORITHM 296 +#define SSL_R_TLS13_DOWNGRADE 297 #define SSL_R_SSLV3_ALERT_CLOSE_NOTIFY 1000 #define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc index cb9b6de..ebf86a9 100644 --- a/ssl/handshake_client.cc +++ b/ssl/handshake_client.cc
@@ -588,19 +588,23 @@ OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random), SSL3_RANDOM_SIZE); - // Measure, but do not enforce, the TLS 1.3 anti-downgrade feature, with a - // different value. - // - // For draft TLS 1.3 versions, it is not safe to deploy this feature. However, - // some TLS terminators are non-compliant and copy the origin server's value, - // so we wish to measure eventual compatibility impact. + // Enforce the TLS 1.3 anti-downgrade feature. if (!ssl->s3->initial_handshake_complete && - hs->max_version >= TLS1_3_VERSION && - OPENSSL_memcmp(ssl->s3->server_random + SSL3_RANDOM_SIZE - - sizeof(kDraftDowngradeRandom), - kDraftDowngradeRandom, - sizeof(kDraftDowngradeRandom)) == 0) { - ssl->s3->draft_downgrade = true; + ssl_supports_version(hs, TLS1_3_VERSION)) { + static_assert( + sizeof(kTLS12DowngradeRandom) == sizeof(kTLS13DowngradeRandom), + "downgrade signals have different size"); + auto suffix = + MakeConstSpan(ssl->s3->server_random, sizeof(ssl->s3->server_random)) + .subspan(SSL3_RANDOM_SIZE - sizeof(kTLS13DowngradeRandom)); + if (suffix == kTLS12DowngradeRandom || suffix == kTLS13DowngradeRandom) { + ssl->s3->tls13_downgrade = true; + if (!ssl->ctx->ignore_tls13_downgrade) { + OPENSSL_PUT_ERROR(SSL, SSL_R_TLS13_DOWNGRADE); + ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); + return ssl_hs_error; + } + } } if (!ssl->s3->initial_handshake_complete && ssl->session != NULL && @@ -1477,18 +1481,32 @@ static bool can_false_start(const SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - // False Start only for TLS 1.2 with an ECDHE+AEAD cipher. + // False Start bypasses the Finished check's downgrade protection. This can + // enable attacks where we send data under weaker settings than supported + // (e.g. the Logjam attack). Thus we require TLS 1.2 with an ECDHE+AEAD + // cipher, our strongest settings before TLS 1.3. + // + // Now that TLS 1.3 exists, we would like to avoid similar attacks between + // TLS 1.2 and TLS 1.3, but there are too many TLS 1.2 deployments to + // sacrifice False Start on them. TLS 1.3's downgrade signal fixes this, but + // |SSL_CTX_set_ignore_tls13_downgrade| can disable it due to compatibility + // issues. + // + // |SSL_CTX_set_ignore_tls13_downgrade| normally still retains Finished-based + // downgrade protection, but False Start bypasses that. Thus, we disable False + // Start based on the TLS 1.3 downgrade signal, even if otherwise unenforced. if (SSL_is_dtls(ssl) || SSL_version(ssl) != TLS1_2_VERSION || hs->new_cipher->algorithm_mkey != SSL_kECDHE || - hs->new_cipher->algorithm_mac != SSL_AEAD) { + hs->new_cipher->algorithm_mac != SSL_AEAD || + ssl->s3->tls13_downgrade) { return false; } // Additionally require ALPN or NPN by default. // // TODO(davidben): Can this constraint be relaxed globally now that cipher - // suite requirements have been relaxed? + // suite requirements have been tightened? if (!ssl->ctx->false_start_allowed_without_alpn && ssl->s3->alpn_selected.empty() && ssl->s3->next_proto_negotiated.empty()) {
diff --git a/ssl/handshake_server.cc b/ssl/handshake_server.cc index 0159c9e..f0ed0d8 100644 --- a/ssl/handshake_server.cc +++ b/ssl/handshake_server.cc
@@ -702,15 +702,17 @@ return ssl_hs_error; } - // Implement the TLS 1.3 anti-downgrade feature, but with a different value. - // - // For draft TLS 1.3 versions, it is not safe to deploy this feature. However, - // some TLS terminators are non-compliant and copy the origin server's value, - // so we wish to measure eventual compatibility impact. - if (hs->max_version >= TLS1_3_VERSION) { - OPENSSL_memcpy(ssl->s3->server_random + SSL3_RANDOM_SIZE - - sizeof(kDraftDowngradeRandom), - kDraftDowngradeRandom, sizeof(kDraftDowngradeRandom)); + // Implement the TLS 1.3 anti-downgrade feature. + if (ssl_supports_version(hs, TLS1_3_VERSION)) { + if (ssl_protocol_version(ssl) == TLS1_2_VERSION) { + OPENSSL_memcpy(ssl->s3->server_random + SSL3_RANDOM_SIZE - + sizeof(kTLS13DowngradeRandom), + kTLS13DowngradeRandom, sizeof(kTLS13DowngradeRandom)); + } else { + OPENSSL_memcpy(ssl->s3->server_random + SSL3_RANDOM_SIZE - + sizeof(kTLS12DowngradeRandom), + kTLS12DowngradeRandom, sizeof(kTLS12DowngradeRandom)); + } } const SSL_SESSION *session = hs->new_session.get();
diff --git a/ssl/internal.h b/ssl/internal.h index f886070..e612f6d 100644 --- a/ssl/internal.h +++ b/ssl/internal.h
@@ -1018,7 +1018,8 @@ #define SSL_MAX_HANDSHAKE_FLIGHT 7 extern const uint8_t kHelloRetryRequest[SSL3_RANDOM_SIZE]; -extern const uint8_t kDraftDowngradeRandom[8]; +extern const uint8_t kTLS12DowngradeRandom[8]; +extern const uint8_t kTLS13DowngradeRandom[8]; // ssl_max_handshake_message_len returns the maximum number of bytes permitted // in a handshake message for |ssl|. @@ -2139,9 +2140,8 @@ // early_data_accepted is true if early data was accepted by the server. bool early_data_accepted : 1; - // draft_downgrade is whether the TLS 1.3 anti-downgrade logic would have - // fired, were it not a draft. - bool draft_downgrade : 1; + // tls13_downgrade is whether the TLS 1.3 anti-downgrade logic fired. + bool tls13_downgrade : 1; // token_binding_negotiated is set if Token Binding was negotiated. bool token_binding_negotiated : 1; @@ -3055,6 +3055,10 @@ // |SSL_MODE_ENABLE_FALSE_START| is enabled) is allowed without ALPN. bool false_start_allowed_without_alpn : 1; + // ignore_tls13_downgrade is whether a connection should continue when the + // server random signals a downgrade. + bool ignore_tls13_downgrade:1; + // handoff indicates that a server should stop after receiving the // ClientHello and pause the handshake in such a way that |SSL_get_error| // returns |SSL_HANDOFF|.
diff --git a/ssl/s3_lib.cc b/ssl/s3_lib.cc index 9e4d7d8..0b24f94 100644 --- a/ssl/s3_lib.cc +++ b/ssl/s3_lib.cc
@@ -177,7 +177,7 @@ key_update_pending(false), wpend_pending(false), early_data_accepted(false), - draft_downgrade(false), + tls13_downgrade(false), token_binding_negotiated(false) {} SSL3_STATE::~SSL3_STATE() {}
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc index 8d2f134..a126561 100644 --- a/ssl/ssl_lib.cc +++ b/ssl/ssl_lib.cc
@@ -546,6 +546,7 @@ ed25519_enabled(false), rsa_pss_rsae_certs_enabled(true), false_start_allowed_without_alpn(false), + ignore_tls13_downgrade(false), handoff(false), enable_early_data(false) { CRYPTO_MUTEX_init(&lock); @@ -2639,7 +2640,11 @@ ctx->false_start_allowed_without_alpn = !!allowed; } -int SSL_is_draft_downgrade(const SSL *ssl) { return ssl->s3->draft_downgrade; } +int SSL_is_tls13_downgrade(const SSL *ssl) { return ssl->s3->tls13_downgrade; } + +void SSL_CTX_set_ignore_tls13_downgrade(SSL_CTX *ctx, int ignore) { + ctx->ignore_tls13_downgrade = !!ignore; +} void SSL_set_shed_handshake_config(SSL *ssl, int enable) { if (!ssl->config) {
diff --git a/ssl/test/bssl_shim.cc b/ssl/test/bssl_shim.cc index 26173d3..dc12559 100644 --- a/ssl/test/bssl_shim.cc +++ b/ssl/test/bssl_shim.cc
@@ -620,9 +620,9 @@ return false; } - if (config->expect_draft_downgrade != !!SSL_is_draft_downgrade(ssl)) { - fprintf(stderr, "Got %sdraft downgrade signal, but wanted the opposite.\n", - SSL_is_draft_downgrade(ssl) ? "" : "no "); + if (config->expect_tls13_downgrade != !!SSL_is_tls13_downgrade(ssl)) { + fprintf(stderr, "Got %s downgrade signal, but wanted the opposite.\n", + SSL_is_tls13_downgrade(ssl) ? "" : "no "); return false; }
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go index f2bb9dc..a627df9 100644 --- a/ssl/test/runner/common.go +++ b/ssl/test/runner/common.go
@@ -1587,13 +1587,17 @@ // that many bytes. PadClientHello int - // SendDraftTLS13DowngradeRandom, if true, causes the server to send the - // draft TLS 1.3 anti-downgrade signal. - SendDraftTLS13DowngradeRandom bool + // SendTLS13DowngradeRandom, if true, causes the server to send the + // TLS 1.3 anti-downgrade signal. + SendTLS13DowngradeRandom bool - // ExpectDraftTLS13DowngradeRandom, if true, causes the client to - // require the server send the draft TLS 1.3 anti-downgrade signal. - ExpectDraftTLS13DowngradeRandom bool + // CheckTLS13DowngradeRandom, if true, causes the client to check the + // TLS 1.3 anti-downgrade signal regardless of its variant. + CheckTLS13DowngradeRandom bool + + // IgnoreTLS13DowngradeRandom, if true, causes the client to ignore the + // TLS 1.3 anti-downgrade signal. + IgnoreTLS13DowngradeRandom bool // SendCompressedCoordinates, if true, causes ECDH key shares over NIST // curves to use compressed coordinates. @@ -2063,8 +2067,6 @@ // See draft-ietf-tls-tls13-16, section 6.3.1.2. downgradeTLS13 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01} downgradeTLS12 = []byte{0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00} - - downgradeTLS13Draft = []uint8{0x95, 0xb9, 0x9f, 0x87, 0x22, 0xfe, 0x9b, 0x64} ) func containsGREASE(values []uint16) bool {
diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go index 614671d..847c61a 100644 --- a/ssl/test/runner/handshake_client.go +++ b/ssl/test/runner/handshake_client.go
@@ -602,23 +602,23 @@ return fmt.Errorf("tls: server sent non-matching version %x vs %x", serverWireVersion, serverHello.vers) } + _, supportsTLS13 := c.config.isSupportedVersion(VersionTLS13, false) // Check for downgrade signals in the server random, per // draft-ietf-tls-tls13-16, section 4.1.3. - if c.vers <= VersionTLS12 && c.config.maxVersion(c.isDTLS) >= VersionTLS13 { - if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS13) { - c.sendAlert(alertProtocolVersion) - return errors.New("tls: downgrade from TLS 1.3 detected") + if (supportsTLS13 || c.config.Bugs.CheckTLS13DowngradeRandom) && !c.config.Bugs.IgnoreTLS13DowngradeRandom { + if c.vers <= VersionTLS12 && c.config.maxVersion(c.isDTLS) >= VersionTLS13 { + if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS13) { + c.sendAlert(alertProtocolVersion) + return errors.New("tls: downgrade from TLS 1.3 detected") + } } - } - if c.vers <= VersionTLS11 && c.config.maxVersion(c.isDTLS) >= VersionTLS12 { - if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS12) { - c.sendAlert(alertProtocolVersion) - return errors.New("tls: downgrade from TLS 1.2 detected") + if c.vers <= VersionTLS11 && c.config.maxVersion(c.isDTLS) >= VersionTLS12 { + if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS12) { + c.sendAlert(alertProtocolVersion) + return errors.New("tls: downgrade from TLS 1.2 detected") + } } } - if c.config.Bugs.ExpectDraftTLS13DowngradeRandom && !bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS13Draft) { - return errors.New("tls: server did not send draft TLS 1.3 anti-downgrade signal") - } suite := mutualCipherSuite(hello.cipherSuites, serverHello.cipherSuite) if suite == nil {
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go index 2ba438a..bdf72ae 100644 --- a/ssl/test/runner/handshake_server.go +++ b/ssl/test/runner/handshake_server.go
@@ -1170,16 +1170,18 @@ c.sendAlert(alertInternalError) return false, err } + + _, supportsTLS13 := c.config.isSupportedVersion(VersionTLS13, false) + // Signal downgrades in the server random, per draft-ietf-tls-tls13-16, // section 4.1.3. - if c.vers <= VersionTLS12 && config.maxVersion(c.isDTLS) >= VersionTLS13 { - copy(hs.hello.random[len(hs.hello.random)-8:], downgradeTLS13) - } - if c.vers <= VersionTLS11 && config.maxVersion(c.isDTLS) == VersionTLS12 { - copy(hs.hello.random[len(hs.hello.random)-8:], downgradeTLS12) - } - if config.Bugs.SendDraftTLS13DowngradeRandom { - copy(hs.hello.random[len(hs.hello.random)-8:], downgradeTLS13Draft) + if supportsTLS13 || config.Bugs.SendTLS13DowngradeRandom { + if c.vers <= VersionTLS12 && config.maxVersion(c.isDTLS) >= VersionTLS13 { + copy(hs.hello.random[len(hs.hello.random)-8:], downgradeTLS13) + } + if c.vers <= VersionTLS11 && config.maxVersion(c.isDTLS) == VersionTLS12 { + copy(hs.hello.random[len(hs.hello.random)-8:], downgradeTLS12) + } } if len(hs.clientHello.sessionId) == 0 && c.config.Bugs.ExpectClientHelloSessionID {
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go index 5ac6ec4..7c5b84c 100644 --- a/ssl/test/runner/runner.go +++ b/ssl/test/runner/runner.go
@@ -5683,7 +5683,8 @@ config: Config{ TLS13Variant: vers.tls13Variant, Bugs: ProtocolBugs{ - SendSupportedVersions: []uint16{0x1111, vers.wire(protocol), 0x2222}, + SendSupportedVersions: []uint16{0x1111, vers.wire(protocol), 0x2222}, + IgnoreTLS13DowngradeRandom: true, }, }, expectedVersion: vers.version, @@ -5723,8 +5724,9 @@ config: Config{ MaxVersion: VersionTLS13, Bugs: ProtocolBugs{ - SendClientVersion: 0x0304, - OmitSupportedVersions: true, + SendClientVersion: 0x0304, + OmitSupportedVersions: true, + IgnoreTLS13DowngradeRandom: true, }, }, expectedVersion: VersionTLS12, @@ -5735,8 +5737,9 @@ name: "ConflictingVersionNegotiation", config: Config{ Bugs: ProtocolBugs{ - SendClientVersion: VersionTLS12, - SendSupportedVersions: []uint16{VersionTLS11}, + SendClientVersion: VersionTLS12, + SendSupportedVersions: []uint16{VersionTLS11}, + IgnoreTLS13DowngradeRandom: true, }, }, // The extension takes precedence over the ClientHello version. @@ -5748,8 +5751,9 @@ name: "ConflictingVersionNegotiation-2", config: Config{ Bugs: ProtocolBugs{ - SendClientVersion: VersionTLS11, - SendSupportedVersions: []uint16{VersionTLS12}, + SendClientVersion: VersionTLS11, + SendSupportedVersions: []uint16{VersionTLS12}, + IgnoreTLS13DowngradeRandom: true, }, }, // The extension takes precedence over the ClientHello version. @@ -5790,8 +5794,9 @@ name: "MinorVersionTolerance", config: Config{ Bugs: ProtocolBugs{ - SendClientVersion: 0x03ff, - OmitSupportedVersions: true, + SendClientVersion: 0x03ff, + OmitSupportedVersions: true, + IgnoreTLS13DowngradeRandom: true, }, }, expectedVersion: VersionTLS12, @@ -5801,8 +5806,9 @@ name: "MajorVersionTolerance", config: Config{ Bugs: ProtocolBugs{ - SendClientVersion: 0x0400, - OmitSupportedVersions: true, + SendClientVersion: 0x0400, + OmitSupportedVersions: true, + IgnoreTLS13DowngradeRandom: true, }, }, // TLS 1.3 must be negotiated with the supported_versions @@ -5893,9 +5899,10 @@ NegotiateVersion: VersionTLS12, }, }, - expectedVersion: VersionTLS12, - // TODO(davidben): This test should fail once TLS 1.3 is final - // and the fallback signal restored. + tls13Variant: TLS13RFC, + expectedVersion: VersionTLS12, + shouldFail: true, + expectedLocalError: "remote error: illegal parameter", }) testCases = append(testCases, testCase{ testType: serverTest, @@ -5905,30 +5912,103 @@ SendSupportedVersions: []uint16{VersionTLS12}, }, }, - expectedVersion: VersionTLS12, - // TODO(davidben): This test should fail once TLS 1.3 is final - // and the fallback signal restored. + tls13Variant: TLS13RFC, + expectedVersion: VersionTLS12, + shouldFail: true, + expectedLocalError: "tls: downgrade from TLS 1.3 detected", }) testCases = append(testCases, testCase{ - name: "Draft-Downgrade-Client", + name: "Downgrade-TLS11-Client", config: Config{ - MaxVersion: VersionTLS12, Bugs: ProtocolBugs{ - SendDraftTLS13DowngradeRandom: true, + NegotiateVersion: VersionTLS11, }, }, - flags: []string{"-expect-draft-downgrade"}, + tls13Variant: TLS13RFC, + expectedVersion: VersionTLS11, + shouldFail: true, + expectedLocalError: "remote error: illegal parameter", }) testCases = append(testCases, testCase{ testType: serverTest, - name: "Draft-Downgrade-Server", + name: "Downgrade-TLS11-Server", config: Config{ - MaxVersion: VersionTLS12, Bugs: ProtocolBugs{ - ExpectDraftTLS13DowngradeRandom: true, + SendSupportedVersions: []uint16{VersionTLS11}, }, }, + tls13Variant: TLS13RFC, + expectedVersion: VersionTLS11, + shouldFail: true, + expectedLocalError: "tls: downgrade from TLS 1.2 detected", + }) + + // Test that the draft TLS 1.3 variants don't trigger the downgrade logic. + testCases = append(testCases, testCase{ + name: "Downgrade-Draft-Client", + config: Config{ + Bugs: ProtocolBugs{ + NegotiateVersion: VersionTLS12, + SendTLS13DowngradeRandom: true, + }, + }, + tls13Variant: TLS13Draft28, + expectedVersion: VersionTLS12, + }) + testCases = append(testCases, testCase{ + testType: serverTest, + name: "Downgrade-Draft-Server", + config: Config{ + Bugs: ProtocolBugs{ + CheckTLS13DowngradeRandom: true, + }, + }, + tls13Variant: TLS13Draft28, + expectedVersion: VersionTLS13, + }) + + // Test that False Start is disabled when the downgrade logic triggers. + testCases = append(testCases, testCase{ + name: "Downgrade-FalseStart", + config: Config{ + NextProtos: []string{"foo"}, + Bugs: ProtocolBugs{ + NegotiateVersion: VersionTLS12, + ExpectFalseStart: true, + AlertBeforeFalseStartTest: alertAccessDenied, + }, + }, + tls13Variant: TLS13RFC, + expectedVersion: VersionTLS12, + flags: []string{ + "-false-start", + "-advertise-alpn", "\x03foo", + "-ignore-tls13-downgrade", + }, + shimWritesFirst: true, + shouldFail: true, + expectedError: ":TLSV1_ALERT_ACCESS_DENIED:", + expectedLocalError: "tls: peer did not false start: EOF", + }) + + testCases = append(testCases, testCase{ + name: "Downgrade-FalseStart-Draft", + config: Config{ + MaxVersion: VersionTLS13, + CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, + NextProtos: []string{"foo"}, + Bugs: ProtocolBugs{ + ExpectFalseStart: true, + }, + }, + flags: []string{ + "-false-start", + "-select-next-proto", "foo", + "-max-version", strconv.Itoa(VersionTLS12), + }, + shimWritesFirst: true, + resumeSession: true, }) // SSL 3.0 support has been removed. Test that the shim does not
diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc index 30cb98c..ef24ca0 100644 --- a/ssl/test/test_config.cc +++ b/ssl/test/test_config.cc
@@ -133,7 +133,8 @@ { "-use-custom-verify-callback", &TestConfig::use_custom_verify_callback }, { "-allow-false-start-without-alpn", &TestConfig::allow_false_start_without_alpn }, - { "-expect-draft-downgrade", &TestConfig::expect_draft_downgrade }, + { "-ignore-tls13-downgrade", &TestConfig::ignore_tls13_downgrade }, + { "-expect-tls13-downgrade", &TestConfig::expect_tls13_downgrade }, { "-handoff", &TestConfig::handoff }, { "-no-rsa-pss-rsae-certs", &TestConfig::no_rsa_pss_rsae_certs }, { "-use-ocsp-callback", &TestConfig::use_ocsp_callback }, @@ -1271,6 +1272,10 @@ SSL_CTX_set_false_start_allowed_without_alpn(ssl_ctx.get(), 1); } + if (ignore_tls13_downgrade) { + SSL_CTX_set_ignore_tls13_downgrade(ssl_ctx.get(), 1); + } + if (use_ocsp_callback) { SSL_CTX_set_tlsext_status_cb(ssl_ctx.get(), LegacyOCSPCallback); }
diff --git a/ssl/test/test_config.h b/ssl/test/test_config.h index 835d29d..b65ca42 100644 --- a/ssl/test/test_config.h +++ b/ssl/test/test_config.h
@@ -156,7 +156,8 @@ bool use_custom_verify_callback = false; std::string expect_msg_callback; bool allow_false_start_without_alpn = false; - bool expect_draft_downgrade = false; + bool ignore_tls13_downgrade = false; + bool expect_tls13_downgrade = false; bool handoff = false; bool no_rsa_pss_rsae_certs = false; bool use_ocsp_callback = false;
diff --git a/ssl/tls13_both.cc b/ssl/tls13_both.cc index d6ebb4c..ce9dd3c 100644 --- a/ssl/tls13_both.cc +++ b/ssl/tls13_both.cc
@@ -43,12 +43,11 @@ 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c, }; -// This value was selected by truncating the SHA-256 hash of "Draft TLS 1.3 -// Downgrade" to 8 bytes: -// -// echo -n 'Draft TLS 1.3 Downgrade' | sha256sum | head -c 16 -const uint8_t kDraftDowngradeRandom[8] = {0x95, 0xb9, 0x9f, 0x87, - 0x22, 0xfe, 0x9b, 0x64}; +const uint8_t kTLS12DowngradeRandom[8] = {0x44, 0x4f, 0x57, 0x4e, + 0x47, 0x52, 0x44, 0x00}; + +const uint8_t kTLS13DowngradeRandom[8] = {0x44, 0x4f, 0x57, 0x4e, + 0x47, 0x52, 0x44, 0x01}; bool tls13_get_cert_verify_signature_input(