diff options
| author | Péter Dimitrov <[email protected]> | 2018-07-17 14:08:11 +0200 |
|---|---|---|
| committer | Péter Dimitrov <[email protected]> | 2018-07-19 15:30:59 +0200 |
| commit | ea5d8ce45b83916f868fd037d6c8bc117c9ee610 (patch) | |
| tree | 974f211e28079893218dbb87c7e951f5cd5519d2 /lib/ssl/src/tls_handshake.erl | |
| parent | 84a4a9b5b14b5b035e1b8e2699203015f4df16d4 (diff) | |
| download | otp-ea5d8ce45b83916f868fd037d6c8bc117c9ee610.tar.gz otp-ea5d8ce45b83916f868fd037d6c8bc117c9ee610.tar.bz2 otp-ea5d8ce45b83916f868fd037d6c8bc117c9ee610.zip | |
ssl: Implement downgrade protection mechanism (TLS 1.3)
If negotiating TLS 1.2, TLS 1.3 servers MUST set the last eight bytes
of their Random value to the bytes:
44 4F 57 4E 47 52 44 01
If negotiating TLS 1.1 or below, TLS 1.3 servers MUST and TLS 1.2
servers SHOULD set the last eight bytes of their Random value to the
bytes:
44 4F 57 4E 47 52 44 00
Change-Id: If35112f63f42a9af351f4ca9b1846fd3f5b08167
Diffstat (limited to 'lib/ssl/src/tls_handshake.erl')
| -rw-r--r-- | lib/ssl/src/tls_handshake.erl | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/lib/ssl/src/tls_handshake.erl b/lib/ssl/src/tls_handshake.erl index 39f0c1680b..7004c7a2f4 100644 --- a/lib/ssl/src/tls_handshake.erl +++ b/lib/ssl/src/tls_handshake.erl @@ -106,6 +106,34 @@ client_hello(Host, Port, ConnectionStates, %% Description: Handles a received hello message %%-------------------------------------------------------------------- + +%% TLS 1.3 - Section 4.1.3 +%% TLS 1.3 clients receiving a ServerHello indicating TLS 1.2 or below +%% MUST check that the last eight bytes are not equal to either of these +%% values. +hello(#server_hello{server_version = {Major, Minor}, + random = <<_:24/binary,Down:8/binary>>}, + #ssl_options{versions = [{M,N}|_]}, _, _) + when (M > 3 orelse M =:= 3 andalso N >= 4) andalso %% TLS 1.3 client + (Major =:= 3 andalso Minor =:= 3 andalso %% Negotiating TLS 1.2 + Down =:= ?RANDOM_OVERRIDE_TLS12) orelse + + (M > 3 orelse M =:= 3 andalso N >= 4) andalso %% TLS 1.3 client + (Major =:= 3 andalso Minor < 3 andalso %% Negotiating TLS 1.1 or prior + Down =:= ?RANDOM_OVERRIDE_TLS11) -> + ?ALERT_REC(?FATAL, ?ILLEGAL_PARAMETER); + +%% TLS 1.2 clients SHOULD also check that the last eight bytes are not +%% equal to the second value if the ServerHello indicates TLS 1.1 or below. +hello(#server_hello{server_version = {Major, Minor}, + random = <<_:24/binary,Down:8/binary>>}, + #ssl_options{versions = [{M,N}|_]}, _, _) + when (M =:= 3 andalso N =:= 3) andalso %% TLS 1.2 client + (Major =:= 3 andalso Minor < 3 andalso %% Negotiating TLS 1.1 or prior + Down =:= ?RANDOM_OVERRIDE_TLS11) -> + ?ALERT_REC(?FATAL, ?ILLEGAL_PARAMETER); + + %% TLS 1.3 - 4.2.1. Supported Versions %% If the "supported_versions" extension in the ServerHello contains a %% version not offered by the client or contains a version prior to TLS |