
Unified Diff: third_party/tlslite/patches/fallback_scsv.patch

Issue 109563002: net: add test for TLS_FALLBACK_SCSV (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Typo fix. Created 7 years ago
Index: third_party/tlslite/patches/fallback_scsv.patch
diff --git a/third_party/tlslite/patches/fallback_scsv.patch b/third_party/tlslite/patches/fallback_scsv.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3cfb67a63db6f8b9af90ae495ed4c3605e006c45
--- /dev/null
+++ b/third_party/tlslite/patches/fallback_scsv.patch
@@ -0,0 +1,99 @@
+diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/tlslite/TLSConnection.py
+index d2270a9..e6ce187 100644
+--- a/third_party/tlslite/tlslite/TLSConnection.py
++++ b/third_party/tlslite/tlslite/TLSConnection.py
+@@ -937,7 +937,8 @@ class TLSConnection(TLSRecordLayer):
+ certChain=None, privateKey=None, reqCert=False,
+ sessionCache=None, settings=None, checker=None,
+ reqCAs=None, tlsIntolerant=0,
+- signedCertTimestamps=None):
++ signedCertTimestamps=None,
++ fallbackSCSV=False):
+ """Perform a handshake in the role of server.
+
+ This function performs an SSL or TLS handshake. Depending on
+@@ -1022,7 +1023,8 @@ class TLSConnection(TLSRecordLayer):
+ """
+ for result in self.handshakeServerAsync(sharedKeyDB, verifierDB,
+ certChain, privateKey, reqCert, sessionCache, settings,
+- checker, reqCAs, tlsIntolerant, signedCertTimestamps):
++ checker, reqCAs, tlsIntolerant, signedCertTimestamps,
++ fallbackSCSV):
+ pass
+
+
+@@ -1030,7 +1032,8 @@ class TLSConnection(TLSRecordLayer):
+ certChain=None, privateKey=None, reqCert=False,
+ sessionCache=None, settings=None, checker=None,
+ reqCAs=None, tlsIntolerant=0,
+- signedCertTimestamps=None):
++ signedCertTimestamps=None,
++ fallbackSCSV=False):
+ """Start a server handshake operation on the TLS connection.
+
+ This function returns a generator which behaves similarly to
+@@ -1049,7 +1052,8 @@ class TLSConnection(TLSRecordLayer):
+ sessionCache=sessionCache, settings=settings,
+ reqCAs=reqCAs,
+ tlsIntolerant=tlsIntolerant,
+- signedCertTimestamps=signedCertTimestamps)
++ signedCertTimestamps=signedCertTimestamps,
++ fallbackSCSV=fallbackSCSV)
+ for result in self._handshakeWrapperAsync(handshaker, checker):
+ yield result
+
+@@ -1057,7 +1061,8 @@ class TLSConnection(TLSRecordLayer):
+ def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB,
+ certChain, privateKey, reqCert,
+ sessionCache, settings, reqCAs,
+- tlsIntolerant, signedCertTimestamps):
++ tlsIntolerant, signedCertTimestamps,
++ fallbackSCSV):
+
+ self._handshakeStart(client=False)
+
+@@ -1141,12 +1146,18 @@ class TLSConnection(TLSRecordLayer):
+ yield result
+
+ #If client's version is too high, propose my highest version
+- elif clientHello.client_version > settings.maxVersion:
++ if clientHello.client_version > settings.maxVersion:
+ self.version = settings.maxVersion
+-
+ else:
+ #Set the version to the client's version
+ self.version = clientHello.client_version
++ if (fallbackSCSV and
++ clientHello.client_version < settings.maxVersion):
++ for cipherSuite in clientHello.cipher_suites:
++ if cipherSuite == 0x5600:
++ for result in self._sendError(\
++ AlertDescription.inappropriate_fallback):
++ yield result
+
+ #Get the client nonce; create server nonce
+ clientRandom = clientHello.random
+diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
+index b5a345a..23e3dcb 100644
+--- a/third_party/tlslite/tlslite/constants.py
++++ b/third_party/tlslite/tlslite/constants.py
+@@ -91,6 +91,7 @@ class AlertDescription:
+ protocol_version = 70
+ insufficient_security = 71
+ internal_error = 80
++ inappropriate_fallback = 86
+ user_canceled = 90
+ no_renegotiation = 100
+ unknown_srp_username = 120
+diff --git a/third_party/tlslite/tlslite/errors.py b/third_party/tlslite/tlslite/errors.py
+index c7f7ba8..45087e6 100644
+--- a/third_party/tlslite/tlslite/errors.py
++++ b/third_party/tlslite/tlslite/errors.py
+@@ -48,6 +48,7 @@ class TLSAlert(TLSError):
+ AlertDescription.protocol_version: "protocol_version",\
+ AlertDescription.insufficient_security: "insufficient_security",\
+ AlertDescription.internal_error: "internal_error",\
++ AlertDescription.inappropriate_fallback: "inappropriate_fallback",\
+ AlertDescription.user_canceled: "user_canceled",\
+ AlertDescription.no_renegotiation: "no_renegotiation",\
+ AlertDescription.unknown_srp_username: "unknown_srp_username",\
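Review bot: The comparison `if cipherSuite == 0x5600:` in the inner TLSConnection.py hunk at -1141 uses a bare literal for the TLS_FALLBACK_SCSV code point, so the downgrade check is only recognisable to a reader who already knows the value. Give it a name next to the other cipher-suite values in constants.py, for example `TLS_FALLBACK_SCSV = 0x5600`, and replace the loop with a single membership test against `clientHello.cipher_suites`. The new `fallbackSCSV=False` parameter is added to `handshakeServer` and `handshakeServerAsync`, but none of the visible hunks touch their docstrings. Each docstring should gain an entry saying that when the flag is true, a ClientHello offering the SCSV at a version below `settings.maxVersion` is rejected with `inappropriate_fallback`, and that the default leaves the check off. The enclosing method bodies start and end outside the hunks, so the effect of changing `elif` to `if` on the preceding branch cannot be confirmed from here.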
