commit d9e572d3e64bd44757ce536a73a79503d5bf4491
author Robert Sloan <varomodt@google.com> Mon Aug 27 12:27:00 2018 -0700
committer Robert Sloan <varomodt@google.com> Mon Aug 27 13:16:47 2018 -0700
tree 9fadcf0d34cf18320701edc474a0130fe06d99d9
parent bfcf3a72c0bcb62cfde80e932db0668a7f96c0f8

external/boringssl: Sync to 9c969bf4919e82c7fa8e1d32d0c7c81654027683.

This includes the following changes:

https://boringssl.googlesource.com/boringssl/+log/8625ec4b436ccb4098ed4aac10891eff8372be41..9c969bf4919e82c7fa8e1d32d0c7c81654027683

Test: BoringSSL CTS Presubmits
Change-Id: I1da35d99383d154945bbd60b9fbad5e21ed9d161

src/ssl/handshake_server.cc

diff --git a/src/ssl/handshake_server.cc b/src/ssl/handshake_server.cc
index 0159c9e..f0ed0d8 100644
--- a/src/ssl/handshake_server.cc
+++ b/src/ssl/handshake_server.cc
@@ -702,15 +702,17 @@
     return ssl_hs_error;
   }
 
-  // Implement the TLS 1.3 anti-downgrade feature, but with a different value.
-  //
-  // For draft TLS 1.3 versions, it is not safe to deploy this feature. However,
-  // some TLS terminators are non-compliant and copy the origin server's value,
-  // so we wish to measure eventual compatibility impact.
-  if (hs->max_version >= TLS1_3_VERSION) {
-    OPENSSL_memcpy(ssl->s3->server_random + SSL3_RANDOM_SIZE -
-                       sizeof(kDraftDowngradeRandom),
-                   kDraftDowngradeRandom, sizeof(kDraftDowngradeRandom));
+  // Implement the TLS 1.3 anti-downgrade feature.
+  if (ssl_supports_version(hs, TLS1_3_VERSION)) {
+    if (ssl_protocol_version(ssl) == TLS1_2_VERSION) {
+      OPENSSL_memcpy(ssl->s3->server_random + SSL3_RANDOM_SIZE -
+                         sizeof(kTLS13DowngradeRandom),
+                     kTLS13DowngradeRandom, sizeof(kTLS13DowngradeRandom));
+    } else {
+      OPENSSL_memcpy(ssl->s3->server_random + SSL3_RANDOM_SIZE -
+                         sizeof(kTLS12DowngradeRandom),
+                     kTLS12DowngradeRandom, sizeof(kTLS12DowngradeRandom));
+    }
   }
 
   const SSL_SESSION *session = hs->new_session.get();