aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/tls/msg_server_hello.cpp39
-rw-r--r--src/lib/tls/tls_client.cpp6
-rw-r--r--src/lib/tls/tls_messages.h2
3 files changed, 45 insertions, 2 deletions
diff --git a/src/lib/tls/msg_server_hello.cpp b/src/lib/tls/msg_server_hello.cpp
index f24ddeb07..651fd14f8 100644
--- a/src/lib/tls/msg_server_hello.cpp
+++ b/src/lib/tls/msg_server_hello.cpp
@@ -1,6 +1,6 @@
/*
* TLS Server Hello and Server Hello Done
-* (C) 2004-2011,2015,2016 Jack Lloyd
+* (C) 2004-2011,2015,2016,2019 Jack Lloyd
* 2016 Matthias Gierlings
* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
*
@@ -20,6 +20,35 @@ namespace Botan {
namespace TLS {
+namespace {
+
+const uint64_t DOWNGRADE_TLS11 = 0x444F574E47524400;
+//const uint64_t DOWNGRADE_TLS12 = 0x444F574E47524401;
+
+std::vector<uint8_t>
+make_server_hello_random(RandomNumberGenerator& rng,
+ Protocol_Version offered_version,
+ const Policy& policy)
+ {
+ auto random = make_hello_random(rng, policy);
+
+ if((offered_version == Protocol_Version::TLS_V10 ||
+ offered_version == Protocol_Version::TLS_V11) &&
+ policy.allow_tls12())
+ {
+ store_be(DOWNGRADE_TLS11, &random[24]);
+ }
+
+ if(offered_version == Protocol_Version::DTLS_V10 && policy.allow_dtls12())
+ {
+ store_be(DOWNGRADE_TLS11, &random[24]);
+ }
+
+ return random;
+ }
+
+}
+
// New session case
Server_Hello::Server_Hello(Handshake_IO& io,
Handshake_Hash& hash,
@@ -32,7 +61,7 @@ Server_Hello::Server_Hello(Handshake_IO& io,
const std::string next_protocol) :
m_version(server_settings.protocol_version()),
m_session_id(server_settings.session_id()),
- m_random(make_hello_random(rng, policy)),
+ m_random(make_server_hello_random(rng, m_version, policy)),
m_ciphersuite(server_settings.ciphersuite()),
m_comp_method(0)
{
@@ -185,6 +214,12 @@ std::vector<uint8_t> Server_Hello::serialize() const
return buf;
}
+bool Server_Hello::random_signals_downgrade() const
+ {
+ const uint64_t last8 = load_be<uint64_t>(m_random.data(), 3);
+ return (last8 == DOWNGRADE_TLS11);
+ }
+
/*
* Create a new Server Hello Done message
*/
diff --git a/src/lib/tls/tls_client.cpp b/src/lib/tls/tls_client.cpp
index 12c95595d..10bd34226 100644
--- a/src/lib/tls/tls_client.cpp
+++ b/src/lib/tls/tls_client.cpp
@@ -309,6 +309,12 @@ void Client::process_handshake_msg(const Handshake_State* active_state,
"Server replied with non-null compression method");
}
+ if(state.client_hello()->version() > state.server_hello()->version())
+ {
+ if(state.server_hello()->random_signals_downgrade())
+ throw TLS_Exception(Alert::ILLEGAL_PARAMETER, "Downgrade attack detected");
+ }
+
auto client_extn = state.client_hello()->extension_types();
auto server_extn = state.server_hello()->extension_types();
diff --git a/src/lib/tls/tls_messages.h b/src/lib/tls/tls_messages.h
index e67b82888..fc95a1c02 100644
--- a/src/lib/tls/tls_messages.h
+++ b/src/lib/tls/tls_messages.h
@@ -297,6 +297,8 @@ class BOTAN_UNSTABLE_API Server_Hello final : public Handshake_Message
return false;
}
+ bool random_signals_downgrade() const;
+
Server_Hello(Handshake_IO& io,
Handshake_Hash& hash,
const Policy& policy,