From f7f2a01d6364f10f353652e29555e6c66aec9b6d Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Wed, 22 Mar 2017 08:52:54 +0000
Subject: Add server side support for TLSv1.3 downgrade mechanism

Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/3022)
---
 ssl/s3_lib.c | 32 +++++++++++++++++++++++++++-----
 1 file changed, 27 insertions(+), 5 deletions(-)

(limited to 'ssl/s3_lib.c')

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 1669652644..3feb628809 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -48,6 +48,7 @@
 */

 #include
+#include
 #include
 #include "ssl_locl.h"
 #include
@@ -4007,9 +4008,10 @@ long ssl_get_algorithm2(SSL *s)
 * Fill a ClientRandom or ServerRandom field of length len. Returns <= 0 on
 * failure, 1 on success.
 */
-int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len)
+int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len,
+ DOWNGRADE dgrd)
 {
- int send_time = 0;
+ int send_time = 0, ret;

 if (len < 4)
 return 0;
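Review bot: The comment above `ssl_fill_hello_random` is left as it was although the signature gains `DOWNGRADE dgrd`, so it no longer describes what the function can write into `result`. I would add a sentence such as `If dgrd requests a downgrade marker, the last 8 bytes of result are overwritten with the TLSv1.3 downgrade sentinel.` The same comment says the function fills a ClientRandom as well, and the commit subject suggests the marker is meant for the server side only, so it is worth stating that client-side callers must pass the no-downgrade value. The callers are not part of this view, and the function body continues past the end of this hunk.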
@@ -4022,9 +4024,29 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len)
 unsigned char *p = result;
 l2n(Time, p);
 /* TODO(size_t): Convert this */
- return RAND_bytes(p, (int)(len - 4));
- } else
- return RAND_bytes(result, (int)len);
+ ret = RAND_bytes(p, (int)(len - 4));
+ } else {
+ ret = RAND_bytes(result, (int)len);
+ }
+#ifndef OPENSSL_NO_TLS13DOWNGRADE
+ if (ret) {
+ static const unsigned char tls11downgrade[] = {
+ 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00
+ };
+ static const unsigned char tls12downgrade[] = {
+ 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01
+ };
+
+ assert(sizeof(tls11downgrade) < len && sizeof(tls12downgrade) < len);
+ if (dgrd == DOWNGRADE_TO_1_2)
+ memcpy(result + len - sizeof(tls12downgrade), tls12downgrade,
+ sizeof(tls12downgrade));
+ else if (dgrd == DOWNGRADE_TO_1_1)
+ memcpy(result + len - sizeof(tls11downgrade), tls11downgrade,
+ sizeof(tls11downgrade));
+ }
+#endif
+ return ret;
 }

 int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
-- 
cgit v1.2.3
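Review bot: The only bounds check in front of the two `memcpy` calls is an `assert`, which disappears when the library is built with NDEBUG. In such a build a `len` of 4 to 7 passes the earlier `len < 4` guard, `len - sizeof(tls12downgrade)` wraps, and the copy lands outside `result`. I would replace the assert with a runtime check that fails closed, `if (len <= sizeof(tls11downgrade) || len <= sizeof(tls12downgrade)) return 0;`. Separately, `if (ret)` also takes the branch for a negative return from `RAND_bytes`, while the function's own comment defines failure as `<= 0`, so `if (ret > 0)` would keep the sentinel out of a buffer that was never filled. The function starts before this hunk, so the `len < 4` guard is quoted from the previous hunk.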