From ea5d8ce45b83916f868fd037d6c8bc117c9ee610 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?= <peterdmv@erlang.org>
Date: Tue, 17 Jul 2018 14:08:11 +0200
Subject: ssl: Implement downgrade protection mechanism (TLS 1.3)

If negotiating TLS 1.2, TLS 1.3 servers MUST set the last eight bytes
of their Random value to the bytes:

  44 4F 57 4E 47 52 44 01

If negotiating TLS 1.1 or below, TLS 1.3 servers MUST and TLS 1.2
servers SHOULD set the last eight bytes of their Random value to the
bytes:

  44 4F 57 4E 47 52 44 00

Change-Id: If35112f63f42a9af351f4ca9b1846fd3f5b08167
---
 lib/ssl/src/ssl_connection.erl | 67 +++++++++++++++++++++++++++++++++++++++---
 lib/ssl/src/ssl_internal.hrl   | 15 ++++++++++
 lib/ssl/src/tls_handshake.erl  | 28 ++++++++++++++++++
 3 files changed, 106 insertions(+), 4 deletions(-)

(limited to 'lib/ssl')

diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index bd17f19d10..5c7f76a28b 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -1515,13 +1515,18 @@ do_server_hello(Type, #hello_extensions{next_protocol_negotiation = NextProtocol
 		    ServerHelloExt,
 		#state{negotiated_version = Version,
 		       session = #session{session_id = SessId},
-		       connection_states = ConnectionStates0}
+		       connection_states = ConnectionStates0,
+                       ssl_options = #ssl_options{versions = [HighestVersion|_]}}
 		= State0, Connection) when is_atom(Type) ->
-
+    %% TLS 1.3 - Section 4.1.3
+    %% Override server random values for TLS 1.3 downgrade protection mechanism.
+    ConnectionStates1 = update_server_random(ConnectionStates0, Version, HighestVersion),
+    State1 = State0#state{connection_states = ConnectionStates1},
     ServerHello =
-	ssl_handshake:server_hello(SessId, ssl:tls_version(Version), ConnectionStates0, ServerHelloExt),
+	ssl_handshake:server_hello(SessId, ssl:tls_version(Version),
+                                   ConnectionStates1, ServerHelloExt),
     State = server_hello(ServerHello,
-			 State0#state{expecting_next_protocol_negotiation =
+			 State1#state{expecting_next_protocol_negotiation =
 					  NextProtocols =/= undefined}, Connection),
     case Type of
 	new ->
@@ -1530,6 +1535,60 @@ do_server_hello(Type, #hello_extensions{next_protocol_negotiation = NextProtocol
 	    resumed_server_hello(State, Connection)
     end.
 
+update_server_random(#{pending_read := #{security_parameters := ReadSecParams0} =
+                           ReadState0,
+                       pending_write := #{security_parameters := WriteSecParams0} =
+                           WriteState0} = ConnectionStates,
+                     Version, HighestVersion) ->
+    ReadRandom = override_server_random(
+                   ReadSecParams0#security_parameters.server_random,
+                   Version,
+                   HighestVersion),
+    WriteRandom = override_server_random(
+                    WriteSecParams0#security_parameters.server_random,
+                    Version,
+                    HighestVersion),
+    ReadSecParams = ReadSecParams0#security_parameters{server_random = ReadRandom},
+    WriteSecParams = WriteSecParams0#security_parameters{server_random = WriteRandom},
+    ReadState = ReadState0#{security_parameters => ReadSecParams},
+    WriteState = WriteState0#{security_parameters => WriteSecParams},
+
+    ConnectionStates#{pending_read => ReadState, pending_write => WriteState}.
+
+%% TLS 1.3 - Section 4.1.3
+%%
+%% If negotiating TLS 1.2, TLS 1.3 servers MUST set the last eight bytes
+%% of their Random value to the bytes:
+%%
+%%   44 4F 57 4E 47 52 44 01
+%%
+%% If negotiating TLS 1.1 or below, TLS 1.3 servers MUST and TLS 1.2
+%% servers SHOULD set the last eight bytes of their Random value to the
+%% bytes:
+%%
+%%   44 4F 57 4E 47 52 44 00
+override_server_random(<<Random0:24/binary,_:8/binary>> = Random, {M,N}, {Major,Minor})
+  when Major > 3 orelse Major =:= 3 andalso Minor >= 4 -> %% TLS 1.3 or above
+    if M =:= 3 andalso N =:= 3 ->                         %% Negotating TLS 1.2
+            Down = ?RANDOM_OVERRIDE_TLS12,
+            <<Random0/binary,Down/binary>>;
+       M =:= 3 andalso N < 3 ->                           %% Negotating TLS 1.1 or prior
+            Down = ?RANDOM_OVERRIDE_TLS11,
+            <<Random0/binary,Down/binary>>;
+       true ->
+            Random
+    end;
+override_server_random(<<Random0:24/binary,_:8/binary>> = Random, {M,N}, {Major,Minor})
+  when Major =:= 3 andalso Minor =:= 3 ->   %% TLS 1.2
+    if M =:= 3 andalso N < 3 ->             %% Negotating TLS 1.1 or prior
+            Down = ?RANDOM_OVERRIDE_TLS11,
+            <<Random0/binary,Down/binary>>;
+       true ->
+            Random
+    end;
+override_server_random(Random, _, _) ->
+    Random.
+
 new_server_hello(#server_hello{cipher_suite = CipherSuite,
 			      compression_method = Compression,
 			      session_id = SessionId},
diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index 2e1a928a62..0d3093c1ae 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -90,6 +90,21 @@
 -define(ALL_DATAGRAM_SUPPORTED_VERSIONS, ['dtlsv1.2', dtlsv1]).
 -define(MIN_DATAGRAM_SUPPORTED_VERSIONS, [dtlsv1]).
 
+%% TLS 1.3 - Section 4.1.3
+%%
+%% If negotiating TLS 1.2, TLS 1.3 servers MUST set the last eight bytes
+%% of their Random value to the bytes:
+%%
+%%   44 4F 57 4E 47 52 44 01
+%%
+%% If negotiating TLS 1.1 or below, TLS 1.3 servers MUST and TLS 1.2
+%% servers SHOULD set the last eight bytes of their Random value to the
+%% bytes:
+%%
+%%   44 4F 57 4E 47 52 44 00
+-define(RANDOM_OVERRIDE_TLS12, <<16#44,16#4F,16#57,16#4E,16#47,16#52,16#44,16#01>>).
+-define(RANDOM_OVERRIDE_TLS11, <<16#44,16#4F,16#57,16#4E,16#47,16#52,16#44,16#00>>).
+
 -define('24H_in_msec', 86400000).
 -define('24H_in_sec', 86400).
 
diff --git a/lib/ssl/src/tls_handshake.erl b/lib/ssl/src/tls_handshake.erl
index 39f0c1680b..7004c7a2f4 100644
--- a/lib/ssl/src/tls_handshake.erl
+++ b/lib/ssl/src/tls_handshake.erl
@@ -106,6 +106,34 @@ client_hello(Host, Port, ConnectionStates,
 %% Description: Handles a received hello message
 %%--------------------------------------------------------------------
 
+
+%% TLS 1.3 - Section 4.1.3
+%% TLS 1.3 clients receiving a ServerHello indicating TLS 1.2 or below
+%% MUST check that the last eight bytes are not equal to either of these
+%% values.
+hello(#server_hello{server_version = {Major, Minor},
+                    random = <<_:24/binary,Down:8/binary>>},
+      #ssl_options{versions = [{M,N}|_]}, _, _)
+  when (M > 3 orelse M =:= 3 andalso N >= 4) andalso  %% TLS 1.3 client
+       (Major =:= 3 andalso Minor =:= 3 andalso       %% Negotiating TLS 1.2
+        Down =:= ?RANDOM_OVERRIDE_TLS12) orelse
+
+       (M > 3 orelse M =:= 3 andalso N >= 4) andalso  %% TLS 1.3 client
+       (Major =:= 3 andalso Minor < 3 andalso         %% Negotiating TLS 1.1 or prior
+        Down =:= ?RANDOM_OVERRIDE_TLS11) ->
+    ?ALERT_REC(?FATAL, ?ILLEGAL_PARAMETER);
+
+%% TLS 1.2 clients SHOULD also check that the last eight bytes are not
+%% equal to the second value if the ServerHello indicates TLS 1.1 or below.
+hello(#server_hello{server_version = {Major, Minor},
+                    random = <<_:24/binary,Down:8/binary>>},
+      #ssl_options{versions = [{M,N}|_]}, _, _)
+  when (M =:= 3 andalso N =:= 3) andalso              %% TLS 1.2 client
+       (Major =:= 3 andalso Minor < 3 andalso         %% Negotiating TLS 1.1 or prior
+        Down =:= ?RANDOM_OVERRIDE_TLS11) ->
+    ?ALERT_REC(?FATAL, ?ILLEGAL_PARAMETER);
+
+
 %% TLS 1.3 - 4.2.1.  Supported Versions
 %% If the "supported_versions" extension in the ServerHello contains a
 %% version not offered by the client or contains a version prior to TLS
-- 
cgit v1.2.3