1 files changed, 92 insertions, 41 deletions

diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index acd9f14f7b..2abc678ed9 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -35,6 +35,7 @@
 -include("ssl_internal.hrl").
 -include("ssl_srp.hrl").
 -include_lib("public_key/include/public_key.hrl").
+-include_lib("kernel/include/logger.hrl").
 
 %% Setup
 
@@ -59,7 +60,7 @@
 
 %% Help functions for tls|dtls_connection.erl
 -export([handle_session/7, ssl_config/3,
-	 prepare_connection/2, hibernate_after/3, map_extensions/1]).
+	 prepare_connection/2, hibernate_after/3]).
 
 %% General gen_statem state functions with extra callback argument 
 %% to determine if it is an SSL/TLS or DTLS gen_statem machine
@@ -344,7 +345,9 @@ handle_own_alert(Alert, _, StateName,
 	    ignore
     end,
     try %% Try to tell the local user
-	log_alert(SslOpts#ssl_options.log_alert, Role, Connection:protocol_name(), StateName, Alert#alert{role = Role}),
+	log_alert(SslOpts#ssl_options.log_level, Role,
+	          Connection:protocol_name(), StateName,
+	          Alert#alert{role = Role}),
 	handle_normal_shutdown(Alert,StateName, State)
     catch _:_ ->
 	    ok
@@ -375,9 +378,10 @@ handle_alert(#alert{level = ?FATAL} = Alert, StateName,
 		    protocol_cb = Connection,
 		    ssl_options = SslOpts, start_or_recv_from = From, host = Host,
 		    port = Port, session = Session, user_application = {_Mon, Pid},
-		    role = Role, socket_options = Opts, tracker = Tracker} = State) ->
+		    role = Role, socket_options = Opts, 
+                    tracker = Tracker} = State) ->
     invalidate_session(Role, Host, Port, Session),
-    log_alert(SslOpts#ssl_options.log_alert, Role, Connection:protocol_name(), 
+    log_alert(SslOpts#ssl_options.log_level, Role, Connection:protocol_name(), 
               StateName, Alert#alert{role = opposite_role(Role)}),
     Pids = Connection:pids(State),
     alert_user(Pids, Transport, Tracker, Socket, StateName, Opts, Pid, From, Alert, Role, Connection),
@@ -391,7 +395,7 @@ handle_alert(#alert{level = ?WARNING, description = ?CLOSE_NOTIFY} = Alert,
 handle_alert(#alert{level = ?WARNING, description = ?NO_RENEGOTIATION} = Alert, StateName, 
 	     #state{role = Role, ssl_options = SslOpts, protocol_cb = Connection, 
                     renegotiation = {true, internal}} = State) ->
-    log_alert(SslOpts#ssl_options.log_alert, Role, 
+    log_alert(SslOpts#ssl_options.log_level, Role, 
               Connection:protocol_name(), StateName, Alert#alert{role = opposite_role(Role)}),
     handle_normal_shutdown(Alert, StateName, State),
     stop({shutdown, peer_close}, State);
@@ -400,7 +404,7 @@ handle_alert(#alert{level = ?WARNING, description = ?NO_RENEGOTIATION} = Alert,
 	     #state{role = Role,
                     ssl_options = SslOpts, renegotiation = {true, From},
 		    protocol_cb = Connection} = State0) ->
-    log_alert(SslOpts#ssl_options.log_alert,  Role,
+    log_alert(SslOpts#ssl_options.log_level,  Role,
               Connection:protocol_name(), StateName, Alert#alert{role = opposite_role(Role)}),
     gen_statem:reply(From, {error, renegotiation_rejected}),
     State1 = Connection:reinit_handshake_data(State0),
@@ -411,8 +415,9 @@ handle_alert(#alert{level = ?WARNING, description = ?NO_RENEGOTIATION} = Alert,
 	     #state{role = Role,
                     ssl_options = SslOpts, renegotiation = {true, From},
 		    protocol_cb = Connection} = State0) ->
-    log_alert(SslOpts#ssl_options.log_alert,  Role,
-              Connection:protocol_name(), StateName, Alert#alert{role = opposite_role(Role)}),
+    log_alert(SslOpts#ssl_options.log_level, Role,
+              Connection:protocol_name(), StateName,
+              Alert#alert{role = opposite_role(Role)}),
     gen_statem:reply(From, {error, renegotiation_rejected}),
     {Record, State1} = Connection:next_record(State0),
     %% Go back to connection!
@@ -422,8 +427,9 @@ handle_alert(#alert{level = ?WARNING, description = ?NO_RENEGOTIATION} = Alert,
 %% Gracefully log and ignore all other warning alerts
 handle_alert(#alert{level = ?WARNING} = Alert, StateName,
 	     #state{ssl_options = SslOpts, protocol_cb = Connection, role = Role} = State0) ->
-    log_alert(SslOpts#ssl_options.log_alert,  Role,
-              Connection:protocol_name(), StateName, Alert#alert{role = opposite_role(Role)}),
+    log_alert(SslOpts#ssl_options.log_level, Role,
+              Connection:protocol_name(), StateName,
+              Alert#alert{role = opposite_role(Role)}),
     {Record, State} = Connection:next_record(State0),
     Connection:next_event(StateName, Record, State).
 
@@ -844,7 +850,9 @@ certify(internal, #certificate_request{} = CertRequest,
 	       role = client,
 	       ssl_options = #ssl_options{signature_algs = SupportedHashSigns},
 	       negotiated_version = Version} = State0, Connection) ->
-    case ssl_handshake:select_hashsign(CertRequest, Cert, SupportedHashSigns, ssl:tls_version(Version)) of
+    case ssl_handshake:select_hashsign(CertRequest, Cert,
+                                       SupportedHashSigns,
+                                       ssl:tls_version(Version)) of
 	#alert {} = Alert ->
 	    handle_own_alert(Alert, Version, ?FUNCTION_NAME, State0);
 	NegotiatedHashSign -> 
@@ -1262,7 +1270,7 @@ handle_info({ErrorTag, Socket, econnaborted}, StateName,
 handle_info({ErrorTag, Socket, Reason}, StateName, #state{socket = Socket,
 							  error_tag = ErrorTag} = State)  ->
     Report = io_lib:format("SSL: Socket error: ~p ~n", [Reason]),
-    error_logger:error_report(Report),
+    ?LOG_ERROR(Report),
     handle_normal_shutdown(?ALERT_REC(?FATAL, ?CLOSE_NOTIFY), StateName, State),
     stop(normal, State);
 
@@ -1306,7 +1314,7 @@ handle_info({cancel_start_or_recv, _RecvFrom}, StateName, State) ->
 
 handle_info(Msg, StateName, #state{socket = Socket, error_tag = Tag} = State) ->
     Report = io_lib:format("SSL: Got unexpected info: ~p ~n", [{Msg, Tag, Socket}]),
-    error_logger:info_report(Report),
+    ?LOG_NOTICE(Report),
     {next_state, StateName, State}.
 
 %%====================================================================
@@ -1421,17 +1429,22 @@ security_info(#state{connection_states = ConnectionStates}) ->
 	ssl_record:current_connection_state(ConnectionStates, read),
     [{client_random, ClientRand}, {server_random, ServerRand}, {master_secret, MasterSecret}].
 
-do_server_hello(Type, #hello_extensions{next_protocol_negotiation = NextProtocols} =
+do_server_hello(Type, #{next_protocol_negotiation := NextProtocols} =
 		    ServerHelloExt,
 		#state{negotiated_version = Version,
 		       session = #session{session_id = SessId},
-		       connection_states = ConnectionStates0}
+		       connection_states = ConnectionStates0,
+                       ssl_options = #ssl_options{versions = [HighestVersion|_]}}
 		= State0, Connection) when is_atom(Type) ->
-
+    %% TLS 1.3 - Section 4.1.3
+    %% Override server random values for TLS 1.3 downgrade protection mechanism.
+    ConnectionStates1 = update_server_random(ConnectionStates0, Version, HighestVersion),
+    State1 = State0#state{connection_states = ConnectionStates1},
     ServerHello =
-	ssl_handshake:server_hello(SessId, ssl:tls_version(Version), ConnectionStates0, ServerHelloExt),
+	ssl_handshake:server_hello(SessId, ssl:tls_version(Version),
+                                   ConnectionStates1, ServerHelloExt),
     State = server_hello(ServerHello,
-			 State0#state{expecting_next_protocol_negotiation =
+			 State1#state{expecting_next_protocol_negotiation =
 					  NextProtocols =/= undefined}, Connection),
     case Type of
 	new ->
@@ -1440,6 +1453,60 @@ do_server_hello(Type, #hello_extensions{next_protocol_negotiation = NextProtocol
 	    resumed_server_hello(State, Connection)
     end.
 
+update_server_random(#{pending_read := #{security_parameters := ReadSecParams0} =
+                           ReadState0,
+                       pending_write := #{security_parameters := WriteSecParams0} =
+                           WriteState0} = ConnectionStates,
+                     Version, HighestVersion) ->
+    ReadRandom = override_server_random(
+                   ReadSecParams0#security_parameters.server_random,
+                   Version,
+                   HighestVersion),
+    WriteRandom = override_server_random(
+                    WriteSecParams0#security_parameters.server_random,
+                    Version,
+                    HighestVersion),
+    ReadSecParams = ReadSecParams0#security_parameters{server_random = ReadRandom},
+    WriteSecParams = WriteSecParams0#security_parameters{server_random = WriteRandom},
+    ReadState = ReadState0#{security_parameters => ReadSecParams},
+    WriteState = WriteState0#{security_parameters => WriteSecParams},
+
+    ConnectionStates#{pending_read => ReadState, pending_write => WriteState}.
+
+%% TLS 1.3 - Section 4.1.3
+%%
+%% If negotiating TLS 1.2, TLS 1.3 servers MUST set the last eight bytes
+%% of their Random value to the bytes:
+%%
+%%   44 4F 57 4E 47 52 44 01
+%%
+%% If negotiating TLS 1.1 or below, TLS 1.3 servers MUST and TLS 1.2
+%% servers SHOULD set the last eight bytes of their Random value to the
+%% bytes:
+%%
+%%   44 4F 57 4E 47 52 44 00
+override_server_random(<<Random0:24/binary,_:8/binary>> = Random, {M,N}, {Major,Minor})
+  when Major > 3 orelse Major =:= 3 andalso Minor >= 4 -> %% TLS 1.3 or above
+    if M =:= 3 andalso N =:= 3 ->                         %% Negotating TLS 1.2
+            Down = ?RANDOM_OVERRIDE_TLS12,
+            <<Random0/binary,Down/binary>>;
+       M =:= 3 andalso N < 3 ->                           %% Negotating TLS 1.1 or prior
+            Down = ?RANDOM_OVERRIDE_TLS11,
+            <<Random0/binary,Down/binary>>;
+       true ->
+            Random
+    end;
+override_server_random(<<Random0:24/binary,_:8/binary>> = Random, {M,N}, {Major,Minor})
+  when Major =:= 3 andalso Minor =:= 3 ->   %% TLS 1.2
+    if M =:= 3 andalso N < 3 ->             %% Negotating TLS 1.1 or prior
+            Down = ?RANDOM_OVERRIDE_TLS11,
+            <<Random0/binary,Down/binary>>;
+       true ->
+            Random
+    end;
+override_server_random(Random, _, _) ->
+    Random.
+
 new_server_hello(#server_hello{cipher_suite = CipherSuite,
 			      compression_method = Compression,
 			      session_id = SessionId},
@@ -2286,22 +2353,6 @@ hibernate_after(connection = StateName,
 hibernate_after(StateName, State, Actions) ->
     {next_state, StateName, State, Actions}.
 
-map_extensions(#hello_extensions{renegotiation_info = RenegotiationInfo,
-                                 signature_algs = SigAlg,          
-                                 alpn = Alpn,
-                                 next_protocol_negotiation = Next, 
-                                 srp = SRP,
-                                 ec_point_formats = ECPointFmt,
-                                 elliptic_curves = ECCCurves,
-                                 sni = SNI}) ->
-    #{renegotiation_info => ssl_handshake:extension_value(RenegotiationInfo),
-      signature_algs =>  ssl_handshake:extension_value(SigAlg),
-      alpn =>  ssl_handshake:extension_value(Alpn),
-      srp  => ssl_handshake:extension_value(SRP),
-      next_protocol => ssl_handshake:extension_value(Next),
-      ec_point_formats  => ssl_handshake:extension_value(ECPointFmt),
-      elliptic_curves => ssl_handshake:extension_value(ECCCurves),
-      sni => ssl_handshake:extension_value(SNI)}.
 
 terminate_alert(normal) ->
     ?ALERT_REC(?WARNING, ?CLOSE_NOTIFY);
@@ -2318,7 +2369,7 @@ handle_trusted_certs_db(#state{ssl_options =
 handle_trusted_certs_db(#state{cert_db_ref = Ref,
 			       cert_db = CertDb,
 			       ssl_options = #ssl_options{cacertfile = <<>>}}) when CertDb =/= undefined ->
-    %% Certs provided as DER directly can not be shared
+    %% Certs provided as DER directly cannot be shared
     %% with other connections and it is safe to delete them when the connection ends.
     ssl_pkix_db:remove_trusted_certs(Ref, CertDb);
 handle_trusted_certs_db(#state{file_ref_db = undefined}) ->
@@ -2645,14 +2696,14 @@ alert_user(Pids, Transport, Tracker, Socket, Active, Pid, From, Alert, Role, Con
 							Transport, Socket, Connection, Tracker), ReasonCode})
     end.
 
-log_alert(true, Role, ProtocolName, StateName, #alert{role = Role} = Alert) ->
+log_alert(Level, Role, ProtocolName, StateName, #alert{role = Role} = Alert) ->
     Txt = ssl_alert:own_alert_txt(Alert),
-    error_logger:info_report(io_lib:format("~s ~p: In state ~p ~s\n", [ProtocolName, Role, StateName, Txt]));
-log_alert(true, Role, ProtocolName, StateName, Alert) ->
+    Report = io_lib:format("~s ~p: In state ~p ~s\n", [ProtocolName, Role, StateName, Txt]),
+    ssl_logger:notice(Level, Report);
+log_alert(Level, Role, ProtocolName, StateName, Alert) ->
     Txt = ssl_alert:alert_txt(Alert),
-    error_logger:info_report(io_lib:format("~s ~p: In state ~p ~s\n", [ProtocolName, Role, StateName, Txt]));
-log_alert(false, _, _, _, _) ->
-    ok.
+    Report = io_lib:format("~s ~p: In state ~p ~s\n", [ProtocolName, Role, StateName, Txt]),
+    ssl_logger:notice(Level, Report).
 
 invalidate_session(client, Host, Port, Session) ->
     ssl_manager:invalidate_session(Host, Port, Session);