From ea5d8ce45b83916f868fd037d6c8bc117c9ee610 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?= <peterdmv@erlang.org>
Date: Tue, 17 Jul 2018 14:08:11 +0200
Subject: ssl: Implement downgrade protection mechanism (TLS 1.3)

If negotiating TLS 1.2, TLS 1.3 servers MUST set the last eight bytes
of their Random value to the bytes:

  44 4F 57 4E 47 52 44 01

If negotiating TLS 1.1 or below, TLS 1.3 servers MUST and TLS 1.2
servers SHOULD set the last eight bytes of their Random value to the
bytes:

  44 4F 57 4E 47 52 44 00

Change-Id: If35112f63f42a9af351f4ca9b1846fd3f5b08167
---
 lib/ssl/src/tls_handshake.erl | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

(limited to 'lib/ssl/src/tls_handshake.erl')

diff --git a/lib/ssl/src/tls_handshake.erl b/lib/ssl/src/tls_handshake.erl
index 39f0c1680b..7004c7a2f4 100644
--- a/lib/ssl/src/tls_handshake.erl
+++ b/lib/ssl/src/tls_handshake.erl
@@ -106,6 +106,34 @@ client_hello(Host, Port, ConnectionStates,
 %% Description: Handles a received hello message
 %%--------------------------------------------------------------------
 
+
+%% TLS 1.3 - Section 4.1.3
+%% TLS 1.3 clients receiving a ServerHello indicating TLS 1.2 or below
+%% MUST check that the last eight bytes are not equal to either of these
+%% values.
+hello(#server_hello{server_version = {Major, Minor},
+                    random = <<_:24/binary,Down:8/binary>>},
+      #ssl_options{versions = [{M,N}|_]}, _, _)
+  when (M > 3 orelse M =:= 3 andalso N >= 4) andalso  %% TLS 1.3 client
+       (Major =:= 3 andalso Minor =:= 3 andalso       %% Negotiating TLS 1.2
+        Down =:= ?RANDOM_OVERRIDE_TLS12) orelse
+
+       (M > 3 orelse M =:= 3 andalso N >= 4) andalso  %% TLS 1.3 client
+       (Major =:= 3 andalso Minor < 3 andalso         %% Negotiating TLS 1.1 or prior
+        Down =:= ?RANDOM_OVERRIDE_TLS11) ->
+    ?ALERT_REC(?FATAL, ?ILLEGAL_PARAMETER);
+
+%% TLS 1.2 clients SHOULD also check that the last eight bytes are not
+%% equal to the second value if the ServerHello indicates TLS 1.1 or below.
+hello(#server_hello{server_version = {Major, Minor},
+                    random = <<_:24/binary,Down:8/binary>>},
+      #ssl_options{versions = [{M,N}|_]}, _, _)
+  when (M =:= 3 andalso N =:= 3) andalso              %% TLS 1.2 client
+       (Major =:= 3 andalso Minor < 3 andalso         %% Negotiating TLS 1.1 or prior
+        Down =:= ?RANDOM_OVERRIDE_TLS11) ->
+    ?ALERT_REC(?FATAL, ?ILLEGAL_PARAMETER);
+
+
 %% TLS 1.3 - 4.2.1.  Supported Versions
 %% If the "supported_versions" extension in the ServerHello contains a
 %% version not offered by the client or contains a version prior to TLS
-- 
cgit v1.2.3