authorJack Lloyd <[email protected]>2019-07-12 08:50:59 -0400
committerJack Lloyd <[email protected]>2019-07-12 08:51:09 -0400
commitb5f3463555f56fb11563e3cec8a1a0d5ecfffe48 (patch)
treeb3f6c84461892cd66987270584e0fc22e46172f2
parent7ce479e51f0d43df600c620c6c6de721809b1546 (diff)
Add TLS v1.3 downgrade indicator
-rw-r--r--src/bogo_shim/bogo_shim.cpp1
-rw-r--r--src/bogo_shim/config.json3
-rw-r--r--src/lib/tls/msg_server_hello.cpp39
-rw-r--r--src/lib/tls/tls_client.cpp6
-rw-r--r--src/lib/tls/tls_messages.h2
5 files changed, 48 insertions, 3 deletions
diff --git a/src/bogo_shim/bogo_shim.cpp b/src/bogo_shim/bogo_shim.cpp
index d6ea52025..16da0f9e8 100644
--- a/src/bogo_shim/bogo_shim.cpp
+++ b/src/bogo_shim/bogo_shim.cpp
@@ -104,6 +104,7 @@ std::string map_to_bogo_error(const std::string& e)
{ "Client version TLS v1.1 is unacceptable by policy", ":UNSUPPORTED_PROTOCOL:" },
{ "Client: No certificates sent by server", ":DECODE_ERROR:" },
{ "Counterparty sent inconsistent key and sig types", ":WRONG_SIGNATURE_TYPE:" },
+ { "Downgrade attack detected", ":TLS13_DOWNGRADE:" },
{ "Empty ALPN protocol not allowed", ":PARSE_TLSEXT:" },
{ "Encoding error: Cannot encode PSS string, output length too small", ":NO_COMMON_SIGNATURE_ALGORITHMS:" },
{ "Expected TLS but got a record with DTLS version", ":WRONG_VERSION_NUMBER:" },
diff --git a/src/bogo_shim/config.json b/src/bogo_shim/config.json
index d43fefb73..afbdd9822 100644
--- a/src/bogo_shim/config.json
+++ b/src/bogo_shim/config.json
@@ -27,7 +27,8 @@
"SupportedVersionSelection-TLS12": "We just ignore the version extension in this case",
- "Downgrade*": "The 1.3 downgrade indicator is not implemented",
+ "Downgrade-*-Client-Ignore": "Not possible to ignore downgrade indicator",
+ "Downgrade-TLS12-*": "Not a downgrade when we don't support v1.3",
"*SSL3*": "No SSLv3",
"*SSLv3*": "No SSLv3",
diff --git a/src/lib/tls/msg_server_hello.cpp b/src/lib/tls/msg_server_hello.cpp
index f24ddeb07..651fd14f8 100644
--- a/src/lib/tls/msg_server_hello.cpp
+++ b/src/lib/tls/msg_server_hello.cpp
@@ -1,6 +1,6 @@
/*
* TLS Server Hello and Server Hello Done
-* (C) 2004-2011,2015,2016 Jack Lloyd
+* (C) 2004-2011,2015,2016,2019 Jack Lloyd
* 2016 Matthias Gierlings
* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
*
@@ -20,6 +20,35 @@ namespace Botan {
namespace TLS {
+namespace {
+
+const uint64_t DOWNGRADE_TLS11 = 0x444F574E47524400;
+//const uint64_t DOWNGRADE_TLS12 = 0x444F574E47524401;
+
+std::vector<uint8_t>
+make_server_hello_random(RandomNumberGenerator& rng,
+ Protocol_Version offered_version,
+ const Policy& policy)
+ {
+ auto random = make_hello_random(rng, policy);
+
+ if((offered_version == Protocol_Version::TLS_V10 ||
+ offered_version == Protocol_Version::TLS_V11) &&
+ policy.allow_tls12())
+ {
+ store_be(DOWNGRADE_TLS11, &random[24]);
+ }
+
+ if(offered_version == Protocol_Version::DTLS_V10 && policy.allow_dtls12())
+ {
+ store_be(DOWNGRADE_TLS11, &random[24]);
+ }
+
+ return random;
+ }
+
+}
+
// New session case
Server_Hello::Server_Hello(Handshake_IO& io,
Handshake_Hash& hash,
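Review bot: The parameter `offered_version` of make_server_hello_random is actually the version the server selected (its only caller passes `m_version`, initialised from `server_settings.protocol_version()`), so the name suggests the client's offer and invites misreading the downgrade condition; `Protocol_Version negotiated_version` would be accurate. Both `store_be` calls write 8 bytes at `&random[24]`, which assumes make_hello_random (defined outside this hunk) returns exactly 32 bytes; a `BOTAN_ASSERT(random.size() == 32, "Hello random is 32 bytes");` before the writes makes that assumption explicit. The commented-out `DOWNGRADE_TLS12` line should be removed or replaced by a comment stating why it is unused, e.g. `// 0x444F574E47524400 is "DOWNGRD" followed by 0x00, the RFC 8446 4.1.3 sentinel for negotiating TLS 1.1 or below; the 0x01 variant is only sent by TLS 1.3 servers, which this codebase does not offer (see config.json)`. The Server_Hello constructor whose signature starts at the end of this hunk continues in the next hunk.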
@@ -32,7 +61,7 @@ Server_Hello::Server_Hello(Handshake_IO& io,
const std::string next_protocol) :
m_version(server_settings.protocol_version()),
m_session_id(server_settings.session_id()),
- m_random(make_hello_random(rng, policy)),
+ m_random(make_server_hello_random(rng, m_version, policy)),
m_ciphersuite(server_settings.ciphersuite()),
m_comp_method(0)
{
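Review bot: `m_random(make_server_hello_random(rng, m_version, policy))` reads `m_version` inside the mem-initializer list, but members are initialised in their declaration order in tls_messages.h, not in the order written here; if `m_random` is declared before `m_version` the call receives an indeterminate value and the sentinel would silently not be set. Passing the source value directly removes the ordering dependency: `m_random(make_server_hello_random(rng, server_settings.protocol_version(), policy)),`. The constructor's signature begins in the previous hunk and its body continues after this one.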
@@ -185,6 +214,12 @@ std::vector<uint8_t> Server_Hello::serialize() const
return buf;
}
+bool Server_Hello::random_signals_downgrade() const
+ {
+ const uint64_t last8 = load_be<uint64_t>(m_random.data(), 3);
+ return (last8 == DOWNGRADE_TLS11);
+ }
+
/*
* Create a new Server Hello Done message
*/
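Review bot: `load_be<uint64_t>(m_random.data(), 3)` reads bytes 24..31 and assumes `m_random` holds 32 bytes, which for a received Server_Hello depends on the deserialising constructor (not in this hunk) having enforced the fixed random length; a comment should record both the assumption and what the bare index means: `// Word 3 of the 32-byte random = bytes 24..31, where RFC 8446 4.1.3 places the "DOWNGRD" sentinel`. Only the TLS 1.1 sentinel is compared, so a TLS 1.3 server that negotiated TLS 1.2 is not reported; that is consistent with the config.json comment about not supporting v1.3, but it is worth stating in the function's comment so it is not later mistaken for an omission.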
diff --git a/src/lib/tls/tls_client.cpp b/src/lib/tls/tls_client.cpp
index 12c95595d..10bd34226 100644
--- a/src/lib/tls/tls_client.cpp
+++ b/src/lib/tls/tls_client.cpp
@@ -309,6 +309,12 @@ void Client::process_handshake_msg(const Handshake_State* active_state,
"Server replied with non-null compression method");
}
+ if(state.client_hello()->version() > state.server_hello()->version())
+ {
+ if(state.server_hello()->random_signals_downgrade())
+ throw TLS_Exception(Alert::ILLEGAL_PARAMETER, "Downgrade attack detected");
+ }
+
auto client_extn = state.client_hello()->extension_types();
auto server_extn = state.server_hello()->extension_types();
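Review bot: The two nested `if`s at the added lines can be a single condition and need a comment explaining why the sentinel check is gated on the version comparison: `// RFC 8446 4.1.3: the sentinel only indicates a downgrade when the server chose a lower version than we offered` followed by `if(state.client_hello()->version() > state.server_hello()->version() && state.server_hello()->random_signals_downgrade())`. Aborting with `Alert::ILLEGAL_PARAMETER` is the alert the RFC prescribes for this case, so the exception is appropriate; the message string matches the bogo_shim mapping exactly, which it must. process_handshake_msg begins and ends outside this hunk.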
diff --git a/src/lib/tls/tls_messages.h b/src/lib/tls/tls_messages.h
index e67b82888..fc95a1c02 100644
--- a/src/lib/tls/tls_messages.h
+++ b/src/lib/tls/tls_messages.h
@@ -297,6 +297,8 @@ class BOTAN_UNSTABLE_API Server_Hello final : public Handshake_Message
return false;
}
+ bool random_signals_downgrade() const;
+
Server_Hello(Handshake_IO& io,
Handshake_Hash& hash,
const Policy& policy,
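Review bot: The new declaration `bool random_signals_downgrade() const;` carries no documentation, and its meaning is not obvious from the name alone; a one-line comment above it would help readers of the header: `/// Returns true if the last 8 bytes of the random field carry the RFC 8446 4.1.3 TLS 1.1 downgrade sentinel`. The enclosing Server_Hello class starts and ends outside this hunk.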