Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(2)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: third_party/tlslite/patches/fallback_scsv.patch

Issue 858373002: Update third_party/tlslite to 0.4.8. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Finish fixing client auth Created 5 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « third_party/tlslite/patches/dhe_rsa.patch ('k') | third_party/tlslite/patches/ignore_write_failure.patch » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlsl ite/constants.py 1 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlsl ite/constants.py
2 index b3bad2d..d132b78 100755 2 index 8720de6..69e6067 100644
3 --- a/third_party/tlslite/tlslite/constants.py 3 --- a/third_party/tlslite/tlslite/constants.py
4 +++ b/third_party/tlslite/tlslite/constants.py 4 +++ b/third_party/tlslite/tlslite/constants.py
5 @@ -106,6 +106,7 @@ class AlertDescription: 5 @@ -107,6 +107,7 @@ class AlertDescription:
6 protocol_version = 70 6 protocol_version = 70
7 insufficient_security = 71 7 insufficient_security = 71
8 internal_error = 80 8 internal_error = 80
9 + inappropriate_fallback = 86 9 + inappropriate_fallback = 86
10 user_canceled = 90 10 user_canceled = 90
11 no_renegotiation = 100 11 no_renegotiation = 100
12 unknown_psk_identity = 115 12 unknown_psk_identity = 115
13 @@ -117,6 +118,9 @@ class CipherSuite: 13 @@ -118,6 +119,9 @@ class CipherSuite:
14 # We actually don't do any renegotiation, but this 14 # We actually don't do any renegotiation, but this
15 # prevents renegotiation attacks 15 # prevents renegotiation attacks
16 TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF 16 TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF
17 + 17 +
18 + # draft-bmoeller-tls-downgrade-scsv-01 18 + # draft-ietf-tls-downgrade-scsv-03
19 + TLS_FALLBACK_SCSV = 0x5600 19 + TLS_FALLBACK_SCSV = 0x5600
20 20
21 TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A 21 TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A
22 TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D 22 TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D
23 diff --git a/third_party/tlslite/tlslite/errors.py b/third_party/tlslite/tlslite /errors.py 23 diff --git a/third_party/tlslite/tlslite/errors.py b/third_party/tlslite/tlslite /errors.py
24 index 22c298c..001ef33 100755 24 index 22c298c..001ef33 100644
25 --- a/third_party/tlslite/tlslite/errors.py 25 --- a/third_party/tlslite/tlslite/errors.py
26 +++ b/third_party/tlslite/tlslite/errors.py 26 +++ b/third_party/tlslite/tlslite/errors.py
27 @@ -63,6 +63,7 @@ class TLSAlert(TLSError): 27 @@ -63,6 +63,7 @@ class TLSAlert(TLSError):
28 AlertDescription.protocol_version: "protocol_version",\ 28 AlertDescription.protocol_version: "protocol_version",\
29 AlertDescription.insufficient_security: "insufficient_security",\ 29 AlertDescription.insufficient_security: "insufficient_security",\
30 AlertDescription.internal_error: "internal_error",\ 30 AlertDescription.internal_error: "internal_error",\
31 + AlertDescription.inappropriate_fallback: "inappropriate_fallback",\ 31 + AlertDescription.inappropriate_fallback: "inappropriate_fallback",\
32 AlertDescription.user_canceled: "user_canceled",\ 32 AlertDescription.user_canceled: "user_canceled",\
33 AlertDescription.no_renegotiation: "no_renegotiation",\ 33 AlertDescription.no_renegotiation: "no_renegotiation",\
34 AlertDescription.unknown_psk_identity: "unknown_psk_identity"} 34 AlertDescription.unknown_psk_identity: "unknown_psk_identity"}
35 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/ tlslite/tlsconnection.py 35 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/ tlslite/tlsconnection.py
36 index 45b0bbb..bd92161 100755 36 index 4dedc5f..0563fb5f 100644
37 --- a/third_party/tlslite/tlslite/tlsconnection.py 37 --- a/third_party/tlslite/tlslite/tlsconnection.py
38 +++ b/third_party/tlslite/tlslite/tlsconnection.py 38 +++ b/third_party/tlslite/tlslite/tlsconnection.py
39 @@ -966,7 +966,8 @@ class TLSConnection(TLSRecordLayer): 39 @@ -969,7 +969,8 @@ class TLSConnection(TLSRecordLayer):
40 reqCAs = None, 40 reqCAs = None,
41 tacks=None, activationFlags=0, 41 tacks=None, activationFlags=0,
42 nextProtos=None, anon=False, 42 nextProtos=None, anon=False,
43 - tlsIntolerant=None, signedCertTimestamps=None): 43 - tlsIntolerant=None, signedCertTimestamps=None):
44 + tlsIntolerant=None, signedCertTimestamps=None, 44 + tlsIntolerant=None, signedCertTimestamps=None,
45 + fallbackSCSV=False): 45 + fallbackSCSV=False):
46 """Perform a handshake in the role of server. 46 """Perform a handshake in the role of server.
47 47
48 This function performs an SSL or TLS handshake. Depending on 48 This function performs an SSL or TLS handshake. Depending on
49 @@ -1045,6 +1046,11 @@ class TLSConnection(TLSRecordLayer): 49 @@ -1048,6 +1049,11 @@ class TLSConnection(TLSRecordLayer):
50 binary 8-bit string) that will be sent as a TLS extension whenever 50 binary 8-bit string) that will be sent as a TLS extension whenever
51 the client announces support for the extension. 51 the client announces support for the extension.
52 52
53 + @type fallbackSCSV: bool 53 + @type fallbackSCSV: bool
54 + @param fallbackSCSV: if true, the server will implement 54 + @param fallbackSCSV: if true, the server will implement
55 + TLS_FALLBACK_SCSV and thus reject connections using less than the 55 + TLS_FALLBACK_SCSV and thus reject connections using less than the
56 + server's maximum TLS version that include this cipher suite. 56 + server's maximum TLS version that include this cipher suite.
57 + 57 +
58 @raise socket.error: If a socket error occurs. 58 @raise socket.error: If a socket error occurs.
59 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed 59 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
60 without a preceding alert. 60 without a preceding alert.
61 @@ -1057,7 +1063,8 @@ class TLSConnection(TLSRecordLayer): 61 @@ -1060,7 +1066,8 @@ class TLSConnection(TLSRecordLayer):
62 checker, reqCAs, 62 checker, reqCAs,
63 tacks=tacks, activationFlags=activationFlags, 63 tacks=tacks, activationFlags=activationFlags,
64 nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, 64 nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant,
65 - signedCertTimestamps=signedCertTimestamps): 65 - signedCertTimestamps=signedCertTimestamps):
66 + signedCertTimestamps=signedCertTimestamps, 66 + signedCertTimestamps=signedCertTimestamps,
67 + fallbackSCSV=fallbackSCSV): 67 + fallbackSCSV=fallbackSCSV):
68 pass 68 pass
69 69
70 70
71 @@ -1068,7 +1075,8 @@ class TLSConnection(TLSRecordLayer): 71 @@ -1071,7 +1078,8 @@ class TLSConnection(TLSRecordLayer):
72 tacks=None, activationFlags=0, 72 tacks=None, activationFlags=0,
73 nextProtos=None, anon=False, 73 nextProtos=None, anon=False,
74 tlsIntolerant=None, 74 tlsIntolerant=None,
75 - signedCertTimestamps=None 75 - signedCertTimestamps=None
76 + signedCertTimestamps=None, 76 + signedCertTimestamps=None,
77 + fallbackSCSV=False 77 + fallbackSCSV=False
78 ): 78 ):
79 """Start a server handshake operation on the TLS connection. 79 """Start a server handshake operation on the TLS connection.
80 80
81 @@ -1089,7 +1097,8 @@ class TLSConnection(TLSRecordLayer): 81 @@ -1092,7 +1100,8 @@ class TLSConnection(TLSRecordLayer):
82 tacks=tacks, activationFlags=activationFlags, 82 tacks=tacks, activationFlags=activationFlags,
83 nextProtos=nextProtos, anon=anon, 83 nextProtos=nextProtos, anon=anon,
84 tlsIntolerant=tlsIntolerant, 84 tlsIntolerant=tlsIntolerant,
85 - signedCertTimestamps=signedCertTimestamps) 85 - signedCertTimestamps=signedCertTimestamps)
86 + signedCertTimestamps=signedCertTimestamps, 86 + signedCertTimestamps=signedCertTimestamps,
87 + fallbackSCSV=fallbackSCSV) 87 + fallbackSCSV=fallbackSCSV)
88 for result in self._handshakeWrapperAsync(handshaker, checker): 88 for result in self._handshakeWrapperAsync(handshaker, checker):
89 yield result 89 yield result
90 90
91 @@ -1099,7 +1108,7 @@ class TLSConnection(TLSRecordLayer): 91 @@ -1102,7 +1111,7 @@ class TLSConnection(TLSRecordLayer):
92 settings, reqCAs, 92 settings, reqCAs,
93 tacks, activationFlags, 93 tacks, activationFlags,
94 nextProtos, anon, 94 nextProtos, anon,
95 - tlsIntolerant, signedCertTimestamps): 95 - tlsIntolerant, signedCertTimestamps):
96 + tlsIntolerant, signedCertTimestamps, fallbackSCSV) : 96 + tlsIntolerant, signedCertTimestamps, fallbackSCSV) :
97 97
98 self._handshakeStart(client=False) 98 self._handshakeStart(client=False)
99 99
100 @@ -1134,7 +1143,7 @@ class TLSConnection(TLSRecordLayer): 100 @@ -1137,7 +1146,7 @@ class TLSConnection(TLSRecordLayer):
101 # Handle ClientHello and resumption 101 # Handle ClientHello and resumption
102 for result in self._serverGetClientHello(settings, certChain,\ 102 for result in self._serverGetClientHello(settings, certChain,\
103 verifierDB, sessionCache, 103 verifierDB, sessionCache,
104 - anon, tlsIntolerant): 104 - anon, tlsIntolerant):
105 + anon, tlsIntolerant, fallbackSCSV): 105 + anon, tlsIntolerant, fallbackSCSV):
106 if result in (0,1): yield result 106 if result in (0,1): yield result
107 elif result == None: 107 elif result == None:
108 self._handshakeDone(resumed=True) 108 self._handshakeDone(resumed=True)
109 @@ -1234,7 +1243,7 @@ class TLSConnection(TLSRecordLayer): 109 @@ -1237,7 +1246,7 @@ class TLSConnection(TLSRecordLayer):
110 110
111 111
112 def _serverGetClientHello(self, settings, certChain, verifierDB, 112 def _serverGetClientHello(self, settings, certChain, verifierDB,
113 - sessionCache, anon, tlsIntolerant): 113 - sessionCache, anon, tlsIntolerant):
114 + sessionCache, anon, tlsIntolerant, fallbackSCSV ): 114 + sessionCache, anon, tlsIntolerant, fallbackSCSV ):
115 #Initialize acceptable cipher suites 115 #Initialize acceptable cipher suites
116 cipherSuites = [] 116 cipherSuites = []
117 if verifierDB: 117 if verifierDB:
118 @@ -1280,6 +1289,14 @@ class TLSConnection(TLSRecordLayer): 118 @@ -1283,6 +1292,14 @@ class TLSConnection(TLSRecordLayer):
119 elif clientHello.client_version > settings.maxVersion: 119 elif clientHello.client_version > settings.maxVersion:
120 self.version = settings.maxVersion 120 self.version = settings.maxVersion
121 121
122 + #Detect if the client performed an inappropriate fallback. 122 + #Detect if the client performed an inappropriate fallback.
123 + elif fallbackSCSV and clientHello.client_version < settings.maxVersion: 123 + elif fallbackSCSV and clientHello.client_version < settings.maxVersion:
124 + self.version = clientHello.client_version 124 + self.version = clientHello.client_version
125 + if CipherSuite.TLS_FALLBACK_SCSV in clientHello.cipher_suites: 125 + if CipherSuite.TLS_FALLBACK_SCSV in clientHello.cipher_suites:
126 + for result in self._sendError(\ 126 + for result in self._sendError(\
127 + AlertDescription.inappropriate_fallback): 127 + AlertDescription.inappropriate_fallback):
128 + yield result 128 + yield result
129 + 129 +
130 else: 130 else:
131 #Set the version to the client's version 131 #Set the version to the client's version
132 self.version = clientHello.client_version 132 self.version = clientHello.client_version
OLDNEW
« no previous file with comments | « third_party/tlslite/patches/dhe_rsa.patch ('k') | third_party/tlslite/patches/ignore_write_failure.patch » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698