Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/tls/msg_server_hello.cpp | 39 | ||||
-rw-r--r-- | src/lib/tls/tls_client.cpp | 6 | ||||
-rw-r--r-- | src/lib/tls/tls_messages.h | 2 |
3 files changed, 45 insertions, 2 deletions
diff --git a/src/lib/tls/msg_server_hello.cpp b/src/lib/tls/msg_server_hello.cpp
index f24ddeb07..651fd14f8 100644
--- a/src/lib/tls/msg_server_hello.cpp
+++ b/src/lib/tls/msg_server_hello.cpp
@@ -1,6 +1,6 @@
 /*
 * TLS Server Hello and Server Hello Done
-* (C) 2004-2011,2015,2016 Jack Lloyd
+* (C) 2004-2011,2015,2016,2019 Jack Lloyd
 * 2016 Matthias Gierlings
 * 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
 *
@@ -20,6 +20,35 @@ namespace Botan {
 
 namespace TLS {
 
+namespace {
+
+const uint64_t DOWNGRADE_TLS11 = 0x444F574E47524400;
+//const uint64_t DOWNGRADE_TLS12 = 0x444F574E47524401;
+
+std::vector<uint8_t>
+make_server_hello_random(RandomNumberGenerator& rng,
+                         Protocol_Version offered_version,
+                         const Policy& policy)
+   {
+   auto random = make_hello_random(rng, policy);
+
+   if((offered_version == Protocol_Version::TLS_V10 ||
+       offered_version == Protocol_Version::TLS_V11) &&
+      policy.allow_tls12())
+      {
+      store_be(DOWNGRADE_TLS11, &random[24]);
+      }
+
+   if(offered_version == Protocol_Version::DTLS_V10 && policy.allow_dtls12())
+      {
+      store_be(DOWNGRADE_TLS11, &random[24]);
+      }
+
+   return random;
+   }
+
+}
+
 // New session case
 Server_Hello::Server_Hello(Handshake_IO& io,
                            Handshake_Hash& hash,
@@ -32,7 +61,7 @@ Server_Hello::Server_Hello(Handshake_IO& io,
                            const std::string next_protocol) :
    m_version(server_settings.protocol_version()),
    m_session_id(server_settings.session_id()),
-   m_random(make_hello_random(rng, policy)),
+   m_random(make_server_hello_random(rng, m_version, policy)),
    m_ciphersuite(server_settings.ciphersuite()),
    m_comp_method(0)
    {
@@ -185,6 +214,12 @@ std::vector<uint8_t> Server_Hello::serialize() const
    return buf;
    }
 
+bool Server_Hello::random_signals_downgrade() const
+   {
+   const uint64_t last8 = load_be<uint64_t>(m_random.data(), 3);
+   return (last8 == DOWNGRADE_TLS11);
+   }
+
 /*
 * Create a new Server Hello Done message
 */
diff --git a/src/lib/tls/tls_client.cpp b/src/lib/tls/tls_client.cpp
index 12c95595d..10bd34226 100644
--- a/src/lib/tls/tls_client.cpp
+++ b/src/lib/tls/tls_client.cpp
@@ -309,6 +309,12 @@ void Client::process_handshake_msg(const Handshake_State* active_state,
                             "Server replied with non-null compression method");
          }
 
+      if(state.client_hello()->version() > state.server_hello()->version())
+         {
+         if(state.server_hello()->random_signals_downgrade())
+            throw TLS_Exception(Alert::ILLEGAL_PARAMETER, "Downgrade attack detected");
+         }
+
       auto client_extn = state.client_hello()->extension_types();
       auto server_extn = state.server_hello()->extension_types();
 
diff --git a/src/lib/tls/tls_messages.h b/src/lib/tls/tls_messages.h
index e67b82888..fc95a1c02 100644
--- a/src/lib/tls/tls_messages.h
+++ b/src/lib/tls/tls_messages.h
@@ -297,6 +297,8 @@ class BOTAN_UNSTABLE_API Server_Hello final : public Handshake_Message
             return false;
             }
 
+      bool random_signals_downgrade() const;
+
       Server_Hello(Handshake_IO& io,
                    Handshake_Hash& hash,
                    const Policy& policy,
|
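Review bot: The parameter name `offered_version` in make_server_hello_random misdescribes its argument: the only caller in this commit passes `m_version`, which is initialised from `server_settings.protocol_version()`, i.e. the version the server selected, and the two branches mark the random exactly when that selected version is (D)TLS 1.0/1.1 while the policy still allows (D)TLS 1.2 — the RFC 8446 §4.1.3 `DOWNGRD\x00` sentinel rule. Renaming it `negotiated_version` and heading the function with `// RFC 8446 4.1.3: a server that also supports (D)TLS 1.2 marks the random of a <= 1.1 ServerHello so the client can detect a downgrade` would make the intent visible without reading the RFC. Both `store_be(DOWNGRADE_TLS11, &random[24])` calls also hard-code that `make_hello_random` returns 32 bytes, which is not shown in this hunk; a size assertion before the first write, or at least a comment `// random is 32 bytes; the sentinel occupies bytes 24..31`, would document the assumption. The commented-out `DOWNGRADE_TLS12` constant is left as dead code without a note on when it is expected to be used.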
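Review bot: The new initializer `m_random(make_server_hello_random(rng, m_version, policy))` reads `m_version` from inside the member-initializer list, which is only well-defined if `m_version` is declared before `m_random` in the class body; initializers run in declaration order, not in the order written here, and the tls_messages.h hunk in this commit does not show the member declarations. Passing the value the server already has removes the dependency: `m_random(make_server_hello_random(rng, server_settings.protocol_version(), policy)),`. If the declaration order is relied on deliberately, a short comment on this line saying so would keep a later reordering of the members from silently producing an unmarked random. The constructor body continues outside the hunk.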
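Review bot: `load_be<uint64_t>(m_random.data(), 3)` unconditionally reads bytes 24..31 of `m_random`, so random_signals_downgrade presumes the random is at least 32 bytes for every Server_Hello, including ones deserialised from the peer; that invariant is established outside this hunk. A defensive form costs one expression: `return m_random.size() >= 32 && load_be<uint64_t>(m_random.data(), 3) == DOWNGRADE_TLS11;`. The method also compares only against the TLS 1.1-or-below sentinel — the commented-out `DOWNGRADE_TLS12` value is never checked — so the definition should carry a comment such as `// Only the DOWNGRD\x00 (TLS <= 1.1) sentinel is recognised; DOWNGRD\x01 matters once TLS 1.3 is offered` so a later TLS 1.3 client knows to extend it.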
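Review bot: The new check throws only when `client_hello()->version() > server_hello()->version()`, so a sentinel on a ServerHello whose version equals the offered one is ignored; that matches RFC 8446 §4.1.3, where the marker is only meaningful when the negotiated version is below the client's highest, but the reasoning is not recorded. A comment on the outer `if`, e.g. `// RFC 8446 4.1.3: a server that supports a newer version than it negotiated marks its random; a client that offered the newer version must abort with illegal_parameter`, would explain both the condition and the alert choice. The nested `if`s can be a single condition, `if(state.client_hello()->version() > state.server_hello()->version() && state.server_hello()->random_signals_downgrade())`. For DTLS this relies on `Protocol_Version::operator>` ordering versions by protocol generation rather than by their inverted wire encoding, which this hunk does not show. process_handshake_msg starts and ends outside the hunk.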
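Review bot: The new declaration `bool random_signals_downgrade() const;` has no comment, and its name does not say which sentinel it checks or who is expected to call it. A one-line doc comment such as `/// True if the last 8 bytes of the server random carry the RFC 8446 downgrade sentinel for TLS 1.1 or below; checked by the client after ServerHello` would tell callers what the bool means. Since the enclosing class is BOTAN_UNSTABLE_API the symbol is visible to library users, so the contract is worth the line.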