
Temporarily remove the TLS 1.3 anti-downgrade mechanism.

This mechanism is incompatible with deploying draft versions of TLS 1.3.

Suppose a draft M client talks to a draft N server, M != N. (Either M or
N could also be the final standard revision should there be lingering
draft clients or servers.) The server will notice the mismatch and
pretend ClientHello.version is TLS 1.2, not TLS 1.3. But this will
trigger the anti-downgrade signal and cause an interop failure! And if it
doesn't trigger, all the clever tricks around ServerHello.random being
signed in TLS 1.2 are moot.

We'll put this back when the dust has settled.

Change-Id: Ic3cf72b7c31ba91e5cca0cfd7a3fca830c493a43
Reviewed-on: https://boringssl-review.googlesource.com/11005
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
kris/onging/CECPQ3_patch15
David Benjamin 8 years ago
committed by CQ bot account: commit-bot@chromium.org
parent
commit
5510863fbd
3 changed files with 10 additions and 34 deletions
  1. ssl/handshake_client.c (+2, -14)
  2. ssl/handshake_server.c (+2, -14)
  3. ssl/test/runner/runner.go (+6, -6)

ssl/handshake_client.c (+2, -14)

@@ -880,20 +880,8 @@ static int ssl3_get_server_hello(SSL *ssl) {
/* Copy over the server random. */
memcpy(ssl->s3->server_random, CBS_data(&server_random), SSL3_RANDOM_SIZE);

/* Check for a TLS 1.3 downgrade signal. See draft-ietf-tls-tls13-14.
*
* TODO(davidben): Also implement the TLS 1.1 sentinel when things have
* settled down. */
static const uint8_t kDowngradeTLS12[8] = {0x44, 0x4f, 0x57, 0x4e,
0x47, 0x52, 0x44, 0x01};
if (real_max_version >= TLS1_3_VERSION &&
ssl3_protocol_version(ssl) <= TLS1_2_VERSION &&
memcmp(ssl->s3->server_random + SSL3_RANDOM_SIZE - 8, kDowngradeTLS12,
8) == 0) {
al = SSL_AD_ILLEGAL_PARAMETER;
OPENSSL_PUT_ERROR(SSL, SSL_R_DOWNGRADE_DETECTED);
goto f_err;
}
/* TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS
* 1.3 is finalized and we are not implementing a draft version. */

if (!ssl->s3->initial_handshake_complete && ssl->session != NULL &&
ssl->session->session_id_length != 0 &&
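Review bot: The replacement TODO at the end of the removed block drops the pointer to draft-ietf-tls-tls13-14 that the old comment carried, and the sentinel bytes in `kDowngradeTLS12` go with it, so whoever restores the check has to recover both from history. Suggest keeping the draft reference in the new comment and linking a tracking bug. It is also worth saying in the comment what is lost: with the `memcmp` on the last 8 bytes of `server_random` gone, a client with `real_max_version >= TLS1_3_VERSION` accepts a TLS 1.2 ServerHello without this check, and nothing in the visible lines raises `SSL_R_DOWNGRADE_DETECTED` any more.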


ssl/handshake_server.c (+2, -14)

@@ -870,20 +870,8 @@ static int ssl3_send_server_hello(SSL *ssl) {
return -1;
}

/* Fill in the TLS 1.2 downgrade signal. See draft-ietf-tls-tls13-14.
*
* TODO(davidben): Also implement the TLS 1.1 sentinel when things have
* settled down. */
uint16_t min_version, max_version;
if (!ssl_get_version_range(ssl, &min_version, &max_version)) {
return -1;
}
if (max_version >= TLS1_3_VERSION &&
ssl3_protocol_version(ssl) <= TLS1_2_VERSION) {
static const uint8_t kDowngradeTLS12[8] = {0x44, 0x4f, 0x57, 0x4e,
0x47, 0x52, 0x44, 0x01};
memcpy(ssl->s3->server_random + SSL3_RANDOM_SIZE - 8, kDowngradeTLS12, 8);
}
/* TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS
* 1.3 is finalized and we are not implementing a draft version. */

const SSL_SESSION *session = ssl->s3->new_session;
if (ssl->session != NULL) {
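Review bot: `kDowngradeTLS12` was defined separately here and in ssl/handshake_client.c, and the new TODO is copied verbatim into both files. When the sentinel comes back, define the 8-byte value once in a shared internal header so the `memcpy` in `ssl3_send_server_hello` and the `memcmp` on the client side cannot drift apart. The TODO should also record the condition being dropped (`max_version >= TLS1_3_VERSION` with `ssl3_protocol_version(ssl) <= TLS1_2_VERSION`), since the `ssl_get_version_range` call that fed it is removed along with the write.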


ssl/test/runner/runner.go (+6, -6)

@@ -4207,8 +4207,8 @@ func addVersionNegotiationTests() {
NegotiateVersion: VersionTLS12,
},
},
shouldFail: true,
expectedError: ":DOWNGRADE_DETECTED:",
// TODO(davidben): This test should fail once TLS 1.3 is final
// and the fallback signal restored.
})
testCases = append(testCases, testCase{
testType: serverTest,
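Review bot: The TODO that replaces `shouldFail: true` and `expectedError: ":DOWNGRADE_DETECTED:"` is ambiguous: "This test should fail" can be read as "the case should expect a failure" or as "this test will start breaking". Suggest spelling out the expectations to restore, for example "Restore shouldFail and expectedError \":DOWNGRADE_DETECTED:\" once TLS 1.3 is final", so the exact error string is not lost when the case is flipped back.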
@@ -4218,8 +4218,8 @@ func addVersionNegotiationTests() {
SendClientVersion: VersionTLS12,
},
},
shouldFail: true,
expectedLocalError: "tls: downgrade from TLS 1.3 detected",
// TODO(davidben): This test should fail once TLS 1.3 is final
// and the fallback signal restored.
})

// Test that FALLBACK_SCSV is sent and that the downgrade signal works
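Review bot: With `shouldFail: true` and `expectedLocalError: "tls: downgrade from TLS 1.3 detected"` removed, this server case with `SendClientVersion: VersionTLS12` only asserts that the handshake completes. Suggest pinning what it is still meant to verify, for example the negotiated version through the runner's `expectedVersion` field if that is not already set above the visible lines, so the case keeps catching regressions while the sentinel is disabled. The TODO has the same ambiguity as in the previous hunk and should name the expectation to restore.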
@@ -4236,8 +4236,8 @@ func addVersionNegotiationTests() {
"-max-version", strconv.Itoa(VersionTLS13),
"-fallback-version", strconv.Itoa(VersionTLS12),
},
shouldFail: true,
expectedError: ":DOWNGRADE_DETECTED:",
// TODO(davidben): This test should fail once TLS 1.3 is final
// and the fallback signal restored.
})
testCases = append(testCases, testCase{
name: "Downgrade-TLS12-Client-FallbackEqualsMax",
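Review bot: The comment directly above this case still reads "Test that FALLBACK_SCSV is sent and that the downgrade signal works", but after dropping `shouldFail: true` and `expectedError: ":DOWNGRADE_DETECTED:"` the case with `-fallback-version` set to TLS 1.2 no longer tests the downgrade signal at all. Suggest updating that comment to say the signal half is disabled for now, and making the TODO name the expected error to restore.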

