| diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py |
| index b3bad2d..d132b78 100755 |
| --- a/third_party/tlslite/tlslite/constants.py |
| +++ b/third_party/tlslite/tlslite/constants.py |
| @@ -106,6 +106,7 @@ class AlertDescription: |
| protocol_version = 70 |
| insufficient_security = 71 |
| internal_error = 80 |
| + inappropriate_fallback = 86 |
| user_canceled = 90 |
| no_renegotiation = 100 |
| unknown_psk_identity = 115 |
| @@ -117,6 +118,9 @@ class CipherSuite: |
| # We actually don't do any renegotiation, but this |
| # prevents renegotiation attacks |
| TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF |
| + |
| + # draft-bmoeller-tls-downgrade-scsv-01 |
| + TLS_FALLBACK_SCSV = 0x5600 |
| |
| TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A |
| TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D |
| diff --git a/third_party/tlslite/tlslite/errors.py b/third_party/tlslite/tlslite/errors.py |
| index 22c298c..001ef33 100755 |
| --- a/third_party/tlslite/tlslite/errors.py |
| +++ b/third_party/tlslite/tlslite/errors.py |
| @@ -63,6 +63,7 @@ class TLSAlert(TLSError): |
| AlertDescription.protocol_version: "protocol_version",\ |
| AlertDescription.insufficient_security: "insufficient_security",\ |
| AlertDescription.internal_error: "internal_error",\ |
| + AlertDescription.inappropriate_fallback: "inappropriate_fallback",\ |
| AlertDescription.user_canceled: "user_canceled",\ |
| AlertDescription.no_renegotiation: "no_renegotiation",\ |
| AlertDescription.unknown_psk_identity: "unknown_psk_identity"} |
| diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py |
| index 45b0bbb..bd92161 100755 |
| --- a/third_party/tlslite/tlslite/tlsconnection.py |
| +++ b/third_party/tlslite/tlslite/tlsconnection.py |
| @@ -966,7 +966,8 @@ class TLSConnection(TLSRecordLayer): |
| reqCAs = None, |
| tacks=None, activationFlags=0, |
| nextProtos=None, anon=False, |
| - tlsIntolerant=None, signedCertTimestamps=None): |
| + tlsIntolerant=None, signedCertTimestamps=None, |
| + fallbackSCSV=False): |
| """Perform a handshake in the role of server. |
| |
| This function performs an SSL or TLS handshake. Depending on |
| @@ -1045,6 +1046,11 @@ class TLSConnection(TLSRecordLayer): |
| binary 8-bit string) that will be sent as a TLS extension whenever |
| the client announces support for the extension. |
| |
| + @type fallbackSCSV: bool |
| + @param fallbackSCSV: if true, the server will implement |
| + TLS_FALLBACK_SCSV and thus reject connections using less than the |
| + server's maximum TLS version that include this cipher suite. |
| + |
| @raise socket.error: If a socket error occurs. |
| @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed |
| without a preceding alert. |
| @@ -1057,7 +1063,8 @@ class TLSConnection(TLSRecordLayer): |
| checker, reqCAs, |
| tacks=tacks, activationFlags=activationFlags, |
| nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, |
| - signedCertTimestamps=signedCertTimestamps): |
| + signedCertTimestamps=signedCertTimestamps, |
| + fallbackSCSV=fallbackSCSV): |
| pass |
| |
| |
| @@ -1068,7 +1075,8 @@ class TLSConnection(TLSRecordLayer): |
| tacks=None, activationFlags=0, |
| nextProtos=None, anon=False, |
| tlsIntolerant=None, |
| - signedCertTimestamps=None |
| + signedCertTimestamps=None, |
| + fallbackSCSV=False |
| ): |
| """Start a server handshake operation on the TLS connection. |
| |
| @@ -1089,7 +1097,8 @@ class TLSConnection(TLSRecordLayer): |
| tacks=tacks, activationFlags=activationFlags, |
| nextProtos=nextProtos, anon=anon, |
| tlsIntolerant=tlsIntolerant, |
| - signedCertTimestamps=signedCertTimestamps) |
| + signedCertTimestamps=signedCertTimestamps, |
| + fallbackSCSV=fallbackSCSV) |
| for result in self._handshakeWrapperAsync(handshaker, checker): |
| yield result |
| |
| @@ -1099,7 +1108,7 @@ class TLSConnection(TLSRecordLayer): |
| settings, reqCAs, |
| tacks, activationFlags, |
| nextProtos, anon, |
| - tlsIntolerant, signedCertTimestamps): |
| + tlsIntolerant, signedCertTimestamps, fallbackSCSV): |
| |
| self._handshakeStart(client=False) |
| |
| @@ -1134,7 +1143,7 @@ class TLSConnection(TLSRecordLayer): |
| # Handle ClientHello and resumption |
| for result in self._serverGetClientHello(settings, certChain,\ |
| verifierDB, sessionCache, |
| - anon, tlsIntolerant): |
| + anon, tlsIntolerant, fallbackSCSV): |
| if result in (0,1): yield result |
| elif result == None: |
| self._handshakeDone(resumed=True) |
| @@ -1234,7 +1243,7 @@ class TLSConnection(TLSRecordLayer): |
| |
| |
| def _serverGetClientHello(self, settings, certChain, verifierDB, |
| - sessionCache, anon, tlsIntolerant): |
| + sessionCache, anon, tlsIntolerant, fallbackSCSV): |
| #Initialize acceptable cipher suites |
| cipherSuites = [] |
| if verifierDB: |
| @@ -1280,6 +1289,13 @@ class TLSConnection(TLSRecordLayer): |
| elif clientHello.client_version > settings.maxVersion: |
| self.version = settings.maxVersion |
| |
| + #Detect if the client performed an inappropriate fallback. |
| + elif fallbackSCSV and clientHello.client_version < settings.maxVersion: |
| + if CipherSuite.TLS_FALLBACK_SCSV in clientHello.cipher_suites: |
| + for result in self._sendError(\ |
| + AlertDescription.inappropriate_fallback): |
| + yield result |
| + |
| else: |
| #Set the version to the client's version |
| self.version = clientHello.client_version |
