Implement FALLBACK_SCSV client-side

include/polarssl/config.h

@@ -811,6 +811,23 @@
  */
 //#define POLARSSL_SSL_DEBUG_ALL
 
+/**
+ * \def POLARSSL_SSL_FALLBACK_SCSV
+ *
+ * Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00).
+ *
+ * For servers, it is recommended to always enable this, unless you support
+ * only one version of TLS, or know for sure that none of your clients
+ * implements a fallback strategy.
+ *
+ * For clients, you only need this if you're using a fallback strategy, which
+ * is not recommended in the first place, unless you absolutely need it to
+ * interoperate with buggy (version-intolerant) servers.
+ *
+ * Comment this macro to disable support for FALLBACK_SCSV
+ */
+#define POLARSSL_SSL_FALLBACK_SCSV
+
 /**
  * \def POLARSSL_SSL_HW_RECORD_ACCEL
  *

include/polarssl/ssl.h

@@ -206,6 +206,9 @@
 #define SSL_IS_CLIENT                   0
 #define SSL_IS_SERVER                   1
 
+#define SSL_IS_NOT_FALLBACK             0
+#define SSL_IS_FALLBACK                 1
+
 #define SSL_COMPRESS_NULL               0
 #define SSL_COMPRESS_DEFLATE            1
 
@@ -308,6 +311,7 @@
  * Signaling ciphersuite values (SCSV)
  */
 #define SSL_EMPTY_RENEGOTIATION_INFO    0xFF   /**< renegotiation info ext */
+#define SSL_FALLBACK_SCSV               0x5600 /**< draft-ietf-tls-downgrade-scsv-00 */
 
 /*
  * Supported Signature and Hash algorithms (For TLS 1.2)
@@ -697,6 +701,10 @@ struct _ssl_context
     int min_major_ver;          /*!< min. major version used          */
     int min_minor_ver;          /*!< min. minor version used          */
 
+#if defined(POLARSSL_SSL_FALLBACK_SCSV) && defined(POLARSSL_SSL_CLI_C)
+    char fallback;              /*!< flag for fallback connections    */
+#endif
+
     /*
      * Callbacks (RNG, debug, I/O, verification)
      */
@@ -1367,7 +1375,6 @@ const char *ssl_get_alpn_protocol( const ssl_context *ssl );
  */
 void ssl_set_max_version( ssl_context *ssl, int major, int minor );
 
-
 /**
  * \brief          Set the minimum accepted SSL/TLS protocol version
  *                 (Default: SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION)
@@ -1383,6 +1390,29 @@ void ssl_set_max_version( ssl_context *ssl, int major, int minor );
  */
 void ssl_set_min_version( ssl_context *ssl, int major, int minor );
 
+#if defined(POLARSSL_SSL_FALLBACK_SCSV) && defined(POLARSSL_SSL_CLI_C)
+/**
+ * \brief          Set the fallback flag (client-side only).
+ *                 (Default: SSL_IS_NOT_FALLBACK).
+ *
+ * \note           Set to SSL_IS_FALLBACK when preparing a fallback
+ *                 connection, that is a connection with max_version set to a
+ *                 lower value than the value you're willing to use. Such
+ *                 fallback connections are not recommended but are sometimes
+ *                 necessary to interoperate with buggy (version-intolerant)
+ *                 servers.
+ *
+ * \warning        You should NOT set this to SSL_IS_FALLBACK for
+ *                 non-fallback connections! This would appear to work for a
+ *                 while, then cause failures when the server is upgraded to
+ *                 support a newer TLS version.
+ *
+ * \param ssl      SSL context
+ * \param fallback SSL_IS_NOT_FALLBACK or SSL_IS_FALLBACK
+ */
+void ssl_set_fallback( ssl_context *ssl, char fallback );
+#endif /* POLARSSL_SSL_FALLBACK_SCSV && POLARSSL_SSL_CLI_C */
+
 #if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
 /**
  * \brief          Set the maximum fragment length to emit and/or negotiate