Add server side support for TLSv1.3 downgrade mechanism
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3022)
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index d584bd7..0490813 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1094,7 +1094,8 @@
} else
i = 1;
- if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random)) <= 0)
+ if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random),
+ DOWNGRADE_NONE) <= 0)
return 0;
/*-
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 849310e..41a3751 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1295,6 +1295,7 @@
# error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
#endif
+/* Must be in order high to low */
static const version_info tls_version_table[] = {
#ifndef OPENSSL_NO_TLS1_3
{TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
@@ -1328,6 +1329,7 @@
# error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
#endif
+/* Must be in order high to low */
static const version_info dtls_version_table[] = {
#ifndef OPENSSL_NO_DTLS1_2
{DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
@@ -1510,6 +1512,20 @@
return 1;
}
+static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
+{
+ if (vers == TLS1_2_VERSION
+ && ssl_version_supported(s, TLS1_3_VERSION)) {
+ *dgrd = DOWNGRADE_TO_1_2;
+ } else if (!SSL_IS_DTLS(s) && vers < TLS1_2_VERSION
+ && (ssl_version_supported(s, TLS1_2_VERSION)
+ || ssl_version_supported(s, TLS1_3_VERSION))) {
+ *dgrd = DOWNGRADE_TO_1_1;
+ } else {
+ *dgrd = DOWNGRADE_NONE;
+ }
+}
+
/*
* ssl_choose_server_version - Choose server (D)TLS version. Called when the
* client HELLO is received to select the final server protocol version and
@@ -1519,7 +1535,7 @@
*
* Returns 0 on success or an SSL error reason number on failure.
*/
-int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello)
+int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
{
/*-
* With version-flexible methods we have an initial state with:
@@ -1544,6 +1560,7 @@
if (!SSL_IS_TLS13(s)) {
if (version_cmp(s, client_version, s->version) < 0)
return SSL_R_WRONG_SSL_VERSION;
+ *dgrd = DOWNGRADE_NONE;
/*
* If this SSL handle is not from a version flexible method we don't
* (and never did) check min/max FIPS or Suite B constraints. Hope
@@ -1620,6 +1637,7 @@
return SSL_R_UNSUPPORTED_PROTOCOL;
return 0;
}
+ check_for_downgrade(s, best_vers, dgrd);
s->version = best_vers;
s->method = best_method;
return 0;
@@ -1646,6 +1664,7 @@
continue;
method = vent->smeth();
if (ssl_method_error(s, method) == 0) {
+ check_for_downgrade(s, vent->version, dgrd);
s->version = vent->version;
s->method = method;
return 0;
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index ffb0685..e2c4799 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1476,6 +1476,7 @@
STACK_OF(SSL_CIPHER) *ciphers = NULL;
STACK_OF(SSL_CIPHER) *scsvs = NULL;
CLIENTHELLO_MSG *clienthello = s->clienthello;
+ DOWNGRADE dgrd = DOWNGRADE_NONE;
*al = SSL_AD_INTERNAL_ERROR;
/* Finished parsing the ClientHello, now we can start processing it */
@@ -1516,7 +1517,7 @@
* versions are potentially compatible. Version negotiation comes later.
*/
if (!SSL_IS_DTLS(s)) {
- protverr = ssl_choose_server_version(s, clienthello);
+ protverr = ssl_choose_server_version(s, clienthello, &dgrd);
} else if (s->method->version != DTLS_ANY_VERSION &&
DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) {
protverr = SSL_R_VERSION_TOO_LOW;
@@ -1565,7 +1566,7 @@
s->d1->cookie_verified = 1;
}
if (s->method->version == DTLS_ANY_VERSION) {
- protverr = ssl_choose_server_version(s, clienthello);
+ protverr = ssl_choose_server_version(s, clienthello, &dgrd);
if (protverr != 0) {
SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
s->version = s->client_version;
@@ -1722,7 +1723,7 @@
{
unsigned char *pos;
pos = s->s3->server_random;
- if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {
+ if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE, dgrd) <= 0) {
goto err;
}
}