Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: third_party/tlslite/patches/fallback_scsv.patch

Issue 210323002: Update tlslite to 0.4.6. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Executable bit and --similarity=80 Created 6 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « third_party/tlslite/patches/close_notify.patch ('k') | third_party/tlslite/patches/fix_test_file.patch » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/ tlslite/TLSConnection.py 1 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlsl ite/constants.py
2 index d2270a9..e6ce187 100644 2 index b3bad2d..d132b78 100755
3 --- a/third_party/tlslite/tlslite/TLSConnection.py 3 --- a/third_party/tlslite/tlslite/constants.py
4 +++ b/third_party/tlslite/tlslite/TLSConnection.py 4 +++ b/third_party/tlslite/tlslite/constants.py
5 @@ -937,7 +937,8 @@ class TLSConnection(TLSRecordLayer): 5 @@ -106,6 +106,7 @@ class AlertDescription:
6 certChain=None, privateKey=None, reqCert=False, 6 protocol_version = 70
7 sessionCache=None, settings=None, checker=None, 7 insufficient_security = 71
8 reqCAs=None, tlsIntolerant=0, 8 internal_error = 80
9 - signedCertTimestamps=None): 9 + inappropriate_fallback = 86
10 + signedCertTimestamps=None, 10 user_canceled = 90
11 no_renegotiation = 100
12 unknown_psk_identity = 115
13 @@ -117,6 +118,9 @@ class CipherSuite:
14 # We actually don't do any renegotiation, but this
15 # prevents renegotiation attacks
16 TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF
17 +
18 + # draft-bmoeller-tls-downgrade-scsv-01
19 + TLS_FALLBACK_SCSV = 0x5600
20
21 TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A
22 TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D
23 diff --git a/third_party/tlslite/tlslite/errors.py b/third_party/tlslite/tlslite /errors.py
24 index 22c298c..001ef33 100755
25 --- a/third_party/tlslite/tlslite/errors.py
26 +++ b/third_party/tlslite/tlslite/errors.py
27 @@ -63,6 +63,7 @@ class TLSAlert(TLSError):
28 AlertDescription.protocol_version: "protocol_version",\
29 AlertDescription.insufficient_security: "insufficient_security",\
30 AlertDescription.internal_error: "internal_error",\
31 + AlertDescription.inappropriate_fallback: "inappropriate_fallback",\
32 AlertDescription.user_canceled: "user_canceled",\
33 AlertDescription.no_renegotiation: "no_renegotiation",\
34 AlertDescription.unknown_psk_identity: "unknown_psk_identity"}
35 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/ tlslite/tlsconnection.py
36 index 45b0bbb..bd92161 100755
37 --- a/third_party/tlslite/tlslite/tlsconnection.py
38 +++ b/third_party/tlslite/tlslite/tlsconnection.py
39 @@ -966,7 +966,8 @@ class TLSConnection(TLSRecordLayer):
40 reqCAs = None,
41 tacks=None, activationFlags=0,
42 nextProtos=None, anon=False,
43 - tlsIntolerant=None, signedCertTimestamps=None):
44 + tlsIntolerant=None, signedCertTimestamps=None,
11 + fallbackSCSV=False): 45 + fallbackSCSV=False):
12 """Perform a handshake in the role of server. 46 """Perform a handshake in the role of server.
13 47
14 This function performs an SSL or TLS handshake. Depending on 48 This function performs an SSL or TLS handshake. Depending on
15 @@ -1014,6 +1014,19 @@ class TLSConnection(TLSRecordLayer): 49 @@ -1045,6 +1046,11 @@ class TLSConnection(TLSRecordLayer):
16 binary 8-bit string) that will be sent as a TLS extension whenever 50 binary 8-bit string) that will be sent as a TLS extension whenever
17 the client announces support for the extension. 51 the client announces support for the extension.
18 52
19 + @type tlsIntolerant: int
20 + @param tlsIntolerant: if non-zero, the server will simulate TLS
21 + version intolerance by returning a fatal, handshake_failure alert.
22 + The versions to which it's intolerant vary depending on the value:
23 + 1: reject all TLS versions.
24 + 2: reject TLS 1.1 or higher.
25 + 3: reject TLS 1.2 or higher.
26 +
27 + @type fallbackSCSV: bool 53 + @type fallbackSCSV: bool
28 + @param fallbackSCSV: if true, the server will implement 54 + @param fallbackSCSV: if true, the server will implement
29 + TLS_FALLBACK_SCSV and thus reject connections using less than the 55 + TLS_FALLBACK_SCSV and thus reject connections using less than the
30 + server's maximum TLS version that include this cipher suite. 56 + server's maximum TLS version that include this cipher suite.
31 + 57 +
32 @raise socket.error: If a socket error occurs. 58 @raise socket.error: If a socket error occurs.
33 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed 59 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
34 without a preceding alert. 60 without a preceding alert.
35 @@ -1022,7 +1023,8 @@ class TLSConnection(TLSRecordLayer): 61 @@ -1057,7 +1063,8 @@ class TLSConnection(TLSRecordLayer):
36 """ 62 checker, reqCAs,
37 for result in self.handshakeServerAsync(sharedKeyDB, verifierDB, 63 tacks=tacks, activationFlags=activationFlags,
38 certChain, privateKey, reqCert, sessionCache, settings, 64 nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant,
39 - checker, reqCAs, tlsIntolerant, signedCertTimestamps): 65 - signedCertTimestamps=signedCertTimestamps):
40 + checker, reqCAs, tlsIntolerant, signedCertTimestamps, 66 + signedCertTimestamps=signedCertTimestamps,
41 + fallbackSCSV): 67 + fallbackSCSV=fallbackSCSV):
42 pass 68 pass
43 69
44 70
45 @@ -1030,7 +1032,8 @@ class TLSConnection(TLSRecordLayer): 71 @@ -1068,7 +1075,8 @@ class TLSConnection(TLSRecordLayer):
46 certChain=None, privateKey=None, reqCert=False, 72 tacks=None, activationFlags=0,
47 sessionCache=None, settings=None, checker=None, 73 nextProtos=None, anon=False,
48 reqCAs=None, tlsIntolerant=0, 74 tlsIntolerant=None,
49 - signedCertTimestamps=None): 75 - signedCertTimestamps=None
50 + signedCertTimestamps=None, 76 + signedCertTimestamps=None,
51 + fallbackSCSV=False): 77 + fallbackSCSV=False
78 ):
52 """Start a server handshake operation on the TLS connection. 79 """Start a server handshake operation on the TLS connection.
53 80
54 This function returns a generator which behaves similarly to 81 @@ -1089,7 +1097,8 @@ class TLSConnection(TLSRecordLayer):
55 @@ -1049,7 +1052,8 @@ class TLSConnection(TLSRecordLayer): 82 tacks=tacks, activationFlags=activationFlags,
56 sessionCache=sessionCache, settings=settings, 83 nextProtos=nextProtos, anon=anon,
57 reqCAs=reqCAs,
58 tlsIntolerant=tlsIntolerant, 84 tlsIntolerant=tlsIntolerant,
59 - signedCertTimestamps=signedCertTimestamps) 85 - signedCertTimestamps=signedCertTimestamps)
60 + signedCertTimestamps=signedCertTimestamps, 86 + signedCertTimestamps=signedCertTimestamps,
61 + fallbackSCSV=fallbackSCSV) 87 + fallbackSCSV=fallbackSCSV)
62 for result in self._handshakeWrapperAsync(handshaker, checker): 88 for result in self._handshakeWrapperAsync(handshaker, checker):
63 yield result 89 yield result
64 90
65 @@ -1057,7 +1061,8 @@ class TLSConnection(TLSRecordLayer): 91 @@ -1099,7 +1108,7 @@ class TLSConnection(TLSRecordLayer):
66 def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB, 92 settings, reqCAs,
67 certChain, privateKey, reqCert, 93 tacks, activationFlags,
68 sessionCache, settings, reqCAs, 94 nextProtos, anon,
69 - tlsIntolerant, signedCertTimestamps): 95 - tlsIntolerant, signedCertTimestamps):
70 + tlsIntolerant, signedCertTimestamps, 96 + tlsIntolerant, signedCertTimestamps, fallbackSCSV) :
71 + fallbackSCSV):
72 97
73 self._handshakeStart(client=False) 98 self._handshakeStart(client=False)
74 99
75 @@ -1141,12 +1146,18 @@ class TLSConnection(TLSRecordLayer): 100 @@ -1134,7 +1143,7 @@ class TLSConnection(TLSRecordLayer):
76 yield result 101 # Handle ClientHello and resumption
102 for result in self._serverGetClientHello(settings, certChain,\
103 verifierDB, sessionCache,
104 - anon, tlsIntolerant):
105 + anon, tlsIntolerant, fallbackSCSV):
106 if result in (0,1): yield result
107 elif result == None:
108 self._handshakeDone(resumed=True)
109 @@ -1234,7 +1243,7 @@ class TLSConnection(TLSRecordLayer):
77 110
78 #If client's version is too high, propose my highest version 111
79 - elif clientHello.client_version > settings.maxVersion: 112 def _serverGetClientHello(self, settings, certChain, verifierDB,
80 + if clientHello.client_version > settings.maxVersion: 113 - sessionCache, anon, tlsIntolerant):
114 + sessionCache, anon, tlsIntolerant, fallbackSCSV ):
115 #Initialize acceptable cipher suites
116 cipherSuites = []
117 if verifierDB:
118 @@ -1280,6 +1289,13 @@ class TLSConnection(TLSRecordLayer):
119 elif clientHello.client_version > settings.maxVersion:
81 self.version = settings.maxVersion 120 self.version = settings.maxVersion
82 - 121
122 + #Detect if the client performed an inappropriate fallback.
123 + elif fallbackSCSV and clientHello.client_version < settings.maxVersion:
124 + if CipherSuite.TLS_FALLBACK_SCSV in clientHello.cipher_suites:
125 + for result in self._sendError(\
126 + AlertDescription.inappropriate_fallback):
127 + yield result
128 +
83 else: 129 else:
84 #Set the version to the client's version 130 #Set the version to the client's version
85 self.version = clientHello.client_version 131 self.version = clientHello.client_version
86 + if (fallbackSCSV and
87 + clientHello.client_version < settings.maxVersion):
88 + for cipherSuite in clientHello.cipher_suites:
89 + if cipherSuite == 0x5600:
90 + for result in self._sendError(\
91 + AlertDescription.inappropriate_fallback):
92 + yield result
93
94 #Get the client nonce; create server nonce
95 clientRandom = clientHello.random
96 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlsl ite/constants.py
97 index b5a345a..23e3dcb 100644
98 --- a/third_party/tlslite/tlslite/constants.py
99 +++ b/third_party/tlslite/tlslite/constants.py
100 @@ -91,6 +91,7 @@ class AlertDescription:
101 protocol_version = 70
102 insufficient_security = 71
103 internal_error = 80
104 + inappropriate_fallback = 86
105 user_canceled = 90
106 no_renegotiation = 100
107 unknown_srp_username = 120
108 diff --git a/third_party/tlslite/tlslite/errors.py b/third_party/tlslite/tlslite /errors.py
109 index c7f7ba8..45087e6 100644
110 --- a/third_party/tlslite/tlslite/errors.py
111 +++ b/third_party/tlslite/tlslite/errors.py
112 @@ -48,6 +48,7 @@ class TLSAlert(TLSError):
113 AlertDescription.protocol_version: "protocol_version",\
114 AlertDescription.insufficient_security: "insufficient_security",\
115 AlertDescription.internal_error: "internal_error",\
116 + AlertDescription.inappropriate_fallback: "inappropriate_fallback",\
117 AlertDescription.user_canceled: "user_canceled",\
118 AlertDescription.no_renegotiation: "no_renegotiation",\
119 AlertDescription.unknown_srp_username: "unknown_srp_username",\
OLDNEW
« no previous file with comments | « third_party/tlslite/patches/close_notify.patch ('k') | third_party/tlslite/patches/fix_test_file.patch » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698