OLD | NEW |
(Empty) | |
| 1 diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/
tlslite/TLSConnection.py |
| 2 index d2270a9..e6ce187 100644 |
| 3 --- a/third_party/tlslite/tlslite/TLSConnection.py |
| 4 +++ b/third_party/tlslite/tlslite/TLSConnection.py |
| 5 @@ -937,7 +937,8 @@ class TLSConnection(TLSRecordLayer): |
| 6 certChain=None, privateKey=None, reqCert=False, |
| 7 sessionCache=None, settings=None, checker=None, |
| 8 reqCAs=None, tlsIntolerant=0, |
| 9 - signedCertTimestamps=None): |
| 10 + signedCertTimestamps=None, |
| 11 + fallbackSCSV=False): |
| 12 """Perform a handshake in the role of server. |
| 13 |
| 14 This function performs an SSL or TLS handshake. Depending on |
| 15 @@ -1022,7 +1023,8 @@ class TLSConnection(TLSRecordLayer): |
| 16 """ |
| 17 for result in self.handshakeServerAsync(sharedKeyDB, verifierDB, |
| 18 certChain, privateKey, reqCert, sessionCache, settings, |
| 19 - checker, reqCAs, tlsIntolerant, signedCertTimestamps): |
| 20 + checker, reqCAs, tlsIntolerant, signedCertTimestamps, |
| 21 + fallbackSCSV): |
| 22 pass |
| 23 |
| 24 |
| 25 @@ -1030,7 +1032,8 @@ class TLSConnection(TLSRecordLayer): |
| 26 certChain=None, privateKey=None, reqCert=False, |
| 27 sessionCache=None, settings=None, checker=None, |
| 28 reqCAs=None, tlsIntolerant=0, |
| 29 - signedCertTimestamps=None): |
| 30 + signedCertTimestamps=None, |
| 31 + fallbackSCSV=False): |
| 32 """Start a server handshake operation on the TLS connection. |
| 33 |
| 34 This function returns a generator which behaves similarly to |
| 35 @@ -1049,7 +1052,8 @@ class TLSConnection(TLSRecordLayer): |
| 36 sessionCache=sessionCache, settings=settings, |
| 37 reqCAs=reqCAs, |
| 38 tlsIntolerant=tlsIntolerant, |
| 39 - signedCertTimestamps=signedCertTimestamps) |
| 40 + signedCertTimestamps=signedCertTimestamps, |
| 41 + fallbackSCSV=fallbackSCSV) |
| 42 for result in self._handshakeWrapperAsync(handshaker, checker): |
| 43 yield result |
| 44 |
| 45 @@ -1057,7 +1061,8 @@ class TLSConnection(TLSRecordLayer): |
| 46 def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB, |
| 47 certChain, privateKey, reqCert, |
| 48 sessionCache, settings, reqCAs, |
| 49 - tlsIntolerant, signedCertTimestamps): |
| 50 + tlsIntolerant, signedCertTimestamps, |
| 51 + fallbackSCSV): |
| 52 |
| 53 self._handshakeStart(client=False) |
| 54 |
| 55 @@ -1141,12 +1146,18 @@ class TLSConnection(TLSRecordLayer): |
| 56 yield result |
| 57 |
| 58 #If client's version is too high, propose my highest version |
| 59 - elif clientHello.client_version > settings.maxVersion: |
| 60 + if clientHello.client_version > settings.maxVersion: |
| 61 self.version = settings.maxVersion |
| 62 - |
| 63 else: |
| 64 #Set the version to the client's version |
| 65 self.version = clientHello.client_version |
| 66 + if (fallbackSCSV and |
| 67 + clientHello.client_version < settings.maxVersion): |
| 68 + for cipherSuite in clientHello.cipher_suites: |
| 69 + if cipherSuite == 0x5600: |
| 70 + for result in self._sendError(\ |
| 71 + AlertDescription.inappropriate_fallback): |
| 72 + yield result |
| 73 |
| 74 #Get the client nonce; create server nonce |
| 75 clientRandom = clientHello.random |
| 76 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlsl
ite/constants.py |
| 77 index b5a345a..23e3dcb 100644 |
| 78 --- a/third_party/tlslite/tlslite/constants.py |
| 79 +++ b/third_party/tlslite/tlslite/constants.py |
| 80 @@ -91,6 +91,7 @@ class AlertDescription: |
| 81 protocol_version = 70 |
| 82 insufficient_security = 71 |
| 83 internal_error = 80 |
| 84 + inappropriate_fallback = 86 |
| 85 user_canceled = 90 |
| 86 no_renegotiation = 100 |
| 87 unknown_srp_username = 120 |
| 88 diff --git a/third_party/tlslite/tlslite/errors.py b/third_party/tlslite/tlslite
/errors.py |
| 89 index c7f7ba8..45087e6 100644 |
| 90 --- a/third_party/tlslite/tlslite/errors.py |
| 91 +++ b/third_party/tlslite/tlslite/errors.py |
| 92 @@ -48,6 +48,7 @@ class TLSAlert(TLSError): |
| 93 AlertDescription.protocol_version: "protocol_version",\ |
| 94 AlertDescription.insufficient_security: "insufficient_security",\ |
| 95 AlertDescription.internal_error: "internal_error",\ |
| 96 + AlertDescription.inappropriate_fallback: "inappropriate_fallback",\ |
| 97 AlertDescription.user_canceled: "user_canceled",\ |
| 98 AlertDescription.no_renegotiation: "no_renegotiation",\ |
| 99 AlertDescription.unknown_srp_username: "unknown_srp_username",\ |
OLD | NEW |