boringssl/ssl
David Benjamin 6df6540766 Add a draft TLS 1.3 anti-downgrade signal.
TLS 1.3 includes a server-random-based anti-downgrade signal, as a
workaround for TLS 1.2's ServerKeyExchange signature failing to cover
the entire handshake. However, because TLS 1.3 draft versions are each
doomed to die, we cannot deploy it until the final RFC. (Suppose a
draft-TLS-1.3 client checked the signal and spoke to a final-TLS-1.3
server. The server would correctly negotiate TLS 1.2 and send the
signal. But the client would then break. An anologous situation exists
with reversed roles.)

However, it appears that Cisco devices have non-compliant TLS 1.2
implementations[1] and copy over another server's server-random when
acting as a TLS terminator (client and server back-to-back).

Hopefully they are the only ones doing this. Implement a
measurement-only version with a different value. This sentinel must not
be enforced, but it will tell us whether enforcing it will cause
problems.

[1] https://www.ietf.org/mail-archive/web/tls/current/msg25168.html

Bug: 226
Change-Id: I976880bdb2ef26f51592b2f6b3b97664342679c8
Reviewed-on: https://boringssl-review.googlesource.com/24284
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2017-12-21 01:50:33 +00:00
..
test Add a draft TLS 1.3 anti-downgrade signal. 2017-12-21 01:50:33 +00:00
bio_ssl.cc Switch a number of files to C++. 2017-07-12 20:54:02 +00:00
CMakeLists.txt Migrate TLS 1.2 and below state machines to the new style. 2017-08-29 19:23:22 +00:00
custom_extensions.cc Rename ssl3_send_alert and ssl3_protocol_version. 2017-10-12 16:24:35 +00:00
d1_both.cc Give DTLS1_STATE a destructor. 2017-10-25 03:23:26 +00:00
d1_lib.cc Give DTLS1_STATE a destructor. 2017-10-25 03:23:26 +00:00
d1_pkt.cc Make SSL3_BUFFER a proper C++ class. 2017-10-24 17:32:45 +00:00
d1_srtp.cc Clear a goto in d1_srtp.cc. 2017-09-22 15:15:48 +00:00
dtls_method.cc Remove supports_cipher hook. 2017-11-01 16:44:46 +00:00
dtls_record.cc Give DTLS1_STATE a destructor. 2017-10-25 03:23:26 +00:00
handshake_client.cc Add a draft TLS 1.3 anti-downgrade signal. 2017-12-21 01:50:33 +00:00
handshake_server.cc Add a draft TLS 1.3 anti-downgrade signal. 2017-12-21 01:50:33 +00:00
handshake.cc Implement PR 1091 (TLS 1.3 draft '22'). 2017-11-11 06:24:55 +00:00
internal.h Add a draft TLS 1.3 anti-downgrade signal. 2017-12-21 01:50:33 +00:00
s3_both.cc Revert "Pack encrypted handshake messages together." 2017-10-27 14:36:37 +00:00
s3_lib.cc Add a draft TLS 1.3 anti-downgrade signal. 2017-12-21 01:50:33 +00:00
s3_pkt.cc Remove deprecated TLS 1.3 variants. 2017-12-18 21:20:32 +00:00
span_test.cc Add bssl::SealRecord and bssl::OpenRecord. 2017-07-24 20:14:08 +00:00
ssl_aead_ctx.cc Remove deprecated TLS 1.3 variants. 2017-12-18 21:20:32 +00:00
ssl_asn1.cc Support high tag numbers in CBS/CBB. 2017-11-22 22:34:05 +00:00
ssl_buffer.cc Move init_buf and rwstate into SSL3_STATE. 2017-10-24 18:55:05 +00:00
ssl_cert.cc Adding support for draft 21 as a TLS 1.3 variant. 2017-11-01 21:32:36 +00:00
ssl_cipher.cc Move the SSL_eNULL special-case into the matching function. 2017-11-01 16:45:06 +00:00
ssl_file.cc Switch OPENSSL_VERSION_NUMBER to 1.1.0. 2017-09-29 04:51:27 +00:00
ssl_key_share.cc Support additional curve names. 2017-11-03 01:32:49 +00:00
ssl_lib.cc Add a draft TLS 1.3 anti-downgrade signal. 2017-12-21 01:50:33 +00:00
ssl_privkey.cc Unwind legacy SSL_PRIVATE_KEY_METHOD hooks. 2017-11-21 17:48:09 +00:00
ssl_session.cc Use more scopers. 2017-10-24 17:50:05 +00:00
ssl_stat.cc Use more scopers. 2017-10-24 17:50:05 +00:00
ssl_test.cc Remove deprecated TLS 1.3 variants. 2017-12-18 21:20:32 +00:00
ssl_transcript.cc Adding support for draft 21 as a TLS 1.3 variant. 2017-11-01 21:32:36 +00:00
ssl_versions.cc Remove deprecated TLS 1.3 variants. 2017-12-18 21:20:32 +00:00
ssl_x509.cc Have fun with lock scopers. 2017-09-28 17:49:37 +00:00
t1_enc.cc SSL_export_keying_material should work in half-RTT. 2017-12-18 16:53:13 +00:00
t1_lib.cc Move early_data_accepted to ssl->s3. 2017-12-19 15:44:38 +00:00
tls13_both.cc Add a draft TLS 1.3 anti-downgrade signal. 2017-12-21 01:50:33 +00:00
tls13_client.cc Move early_data_accepted to ssl->s3. 2017-12-19 15:44:38 +00:00
tls13_enc.cc Remove deprecated TLS 1.3 variants. 2017-12-18 21:20:32 +00:00
tls13_server.cc Move early_data_accepted to ssl->s3. 2017-12-19 15:44:38 +00:00
tls_method.cc Remove supports_cipher hook. 2017-11-01 16:44:46 +00:00
tls_record.cc Remove deprecated TLS 1.3 variants. 2017-12-18 21:20:32 +00:00