diff options
| author |   beck <beck@openbsd.org> | 2020-01-23 07:30:55 +0000 |
|---|---|---|
| committer | beck <beck@openbsd.org> | 2020-01-23 07:30:55 +0000 |
| commit | 709e85ff7aac016d54db6ea4e81f77a9ba741d54 (patch) | |
| tree | 067a358f840e0010c61c82baaa7c3b1f779bf6bb /lib/libssl/tls13_lib.c | |
| parent | do not Xr both pppx and pppac in SEE ALSO, since they are the same page; (diff) | |
| download | wireguard-openbsd-709e85ff7aac016d54db6ea4e81f77a9ba741d54.tar.xz wireguard-openbsd-709e85ff7aac016d54db6ea4e81f77a9ba741d54.zip | |
Add checking int the client to check the magic values which are
set by a 1.3 server when it downgrades to tls 1.2 or 1.1 as per
RFC 8446 section 4.1.3
ok jsing@
Diffstat (limited to 'lib/libssl/tls13_lib.c')
| -rw-r--r-- | lib/libssl/tls13_lib.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/lib/libssl/tls13_lib.c b/lib/libssl/tls13_lib.c index de3e840a84f..5d8c3590145 100644 --- a/lib/libssl/tls13_lib.c +++ b/lib/libssl/tls13_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_lib.c,v 1.23 2020/01/23 05:08:30 jsing Exp $ */ +/* $OpenBSD: tls13_lib.c,v 1.24 2020/01/23 07:30:55 beck Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> * Copyright (c) 2019 Bob Beck <beck@openbsd.org> @@ -24,6 +24,14 @@ #include "ssl_locl.h" #include "tls13_internal.h" +/* + * RFC 8446 section 4.1.3, magic values which must be set by the + * server in server random if it is willing to downgrade but supports + * tls v1.3 + */ +uint8_t tls13_downgrade_12[8] = {0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01}; +uint8_t tls13_downgrade_11[8] = {0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00}; + const EVP_AEAD * tls13_cipher_aead(const SSL_CIPHER *cipher) { |