From 8a0cd220d06752b3c6248e8cbd137204294ca943 Mon Sep 17 00:00:00 2001
From: Peter Dettman
Date: Sun, 17 Jan 2016 19:10:00 +0700
Subject: draft-ietf-tls-downgrade-scsv => RFC 7507
---
crypto/src/crypto/tls/AbstractTlsClient.cs | 6 +++---
crypto/src/crypto/tls/AbstractTlsServer.cs | 8 ++++----
crypto/src/crypto/tls/AlertDescription.cs | 4 ++--
crypto/src/crypto/tls/CipherSuite.cs | 10 +++++-----
crypto/src/crypto/tls/DtlsClientProtocol.cs | 9 +++++----
crypto/src/crypto/tls/TlsClientProtocol.cs | 9 +++++----
6 files changed, 24 insertions(+), 22 deletions(-)
(limited to 'crypto')
diff --git a/crypto/src/crypto/tls/AbstractTlsClient.cs b/crypto/src/crypto/tls/AbstractTlsClient.cs
index fedca0934..ee7a93803 100644
--- a/crypto/src/crypto/tls/AbstractTlsClient.cs
+++ b/crypto/src/crypto/tls/AbstractTlsClient.cs
@@ -89,9 +89,9 @@ namespace Org.BouncyCastle.Crypto.Tls public virtual bool IsFallback { /* - * draft-ietf-tls-downgrade-scsv-00 4. [..] is meant for use by clients that repeat a - * connection attempt with a downgraded protocol in order to avoid interoperability problems - * with legacy servers. + * RFC 7507 4. The TLS_FALLBACK_SCSV cipher suite value is meant for use by clients that + * repeat a connection attempt with a downgraded protocol (perform a "fallback retry") in + * order to work around interoperability problems with legacy servers. */ get { return false; } }
diff --git a/crypto/src/crypto/tls/AbstractTlsServer.cs b/crypto/src/crypto/tls/AbstractTlsServer.cs
index 9f549cfd1..d87a294f0 100644
--- a/crypto/src/crypto/tls/AbstractTlsServer.cs
+++ b/crypto/src/crypto/tls/AbstractTlsServer.cs
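Review bot: The rewritten comment on `IsFallback` in AbstractTlsClient.cs explains what TLS_FALLBACK_SCSV is for but still does not tell an implementer when to override the getter, which returns `false` by default. A client that retries at a lower version without overriding it would presumably never advertise the SCSV, leaving the server-side check with nothing to act on. I would add one line to the comment, for example `* Override to return true only for a retry that offers a lower version than the client's highest supported one.` The enclosing class starts and ends outside the hunk.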
@@ -113,10 +113,10 @@ namespace Org.BouncyCastle.Crypto.Tls public virtual void NotifyFallback(bool isFallback) { /* - * draft-ietf-tls-downgrade-scsv-00 3. If TLS_FALLBACK_SCSV appears in - * ClientHello.cipher_suites and the highest protocol version supported by the server is - * higher than the version indicated in ClientHello.client_version, the server MUST respond - * with an inappropriate_fallback alert. + * RFC 7507 3. If TLS_FALLBACK_SCSV appears in ClientHello.cipher_suites and the highest + * protocol version supported by the server is higher than the version indicated in + * ClientHello.client_version, the server MUST respond with a fatal inappropriate_fallback + * alert [..]. */ if (isFallback && MaximumVersion.IsLaterVersionOf(mClientVersion)) throw new TlsFatalAlert(AlertDescription.inappropriate_fallback);
diff --git a/crypto/src/crypto/tls/AlertDescription.cs b/crypto/src/crypto/tls/AlertDescription.cs
index 49de60cea..4e2464b50 100644
--- a/crypto/src/crypto/tls/AlertDescription.cs
+++ b/crypto/src/crypto/tls/AlertDescription.cs
@@ -215,13 +215,13 @@ namespace Org.BouncyCastle.Crypto.Tls public const byte unknown_psk_identity = 115; /* - * draft-ietf-tls-downgrade-scsv-00 + * RFC 7507 */ /** * If TLS_FALLBACK_SCSV appears in ClientHello.cipher_suites and the highest protocol version * supported by the server is higher than the version indicated in ClientHello.client_version, - * the server MUST respond with an inappropriate_fallback alert. + * the server MUST respond with a fatal inappropriate_fallback alert [..]. */ public const byte inappropriate_fallback = 86;
diff --git a/crypto/src/crypto/tls/CipherSuite.cs b/crypto/src/crypto/tls/CipherSuite.cs
index 1ed0a5ef3..5aa556389 100644
--- a/crypto/src/crypto/tls/CipherSuite.cs
+++ b/crypto/src/crypto/tls/CipherSuite.cs
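Review bot: The `[..]` closing the new `NotifyFallback` comment in AbstractTlsServer.cs hides the one exception RFC 7507 section 3 allows: the server may instead answer with a fatal protocol_version alert when ClientHello.client_version itself is unsupported. The visible check `MaximumVersion.IsLaterVersionOf(mClientVersion)` does not show whether that case is rejected before this method runs, so the comment should say so rather than elide it. If that is the actual call order, a line such as `* (An unsupported client_version is expected to be rejected with protocol_version before this is called.)` would do. The method's closing lines are outside the hunk.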
@@ -330,6 +330,11 @@ namespace Org.BouncyCastle.Crypto.Tls public const int TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 = 0xC0AE; public const int TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = 0xC0AF; + /* + * RFC 7507 + */ + public const int TLS_FALLBACK_SCSV = 0x5600; + /* * draft-ietf-tls-chacha20-poly1305-04 */
@@ -341,11 +346,6 @@ namespace Org.BouncyCastle.Crypto.Tls public const int DRAFT_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAD; public const int DRAFT_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAE; - /* - * draft-ietf-tls-downgrade-scsv-00 - */ - public const int TLS_FALLBACK_SCSV = 0x5600; - public static bool IsScsv(int cipherSuite) { switch (cipherSuite)
diff --git a/crypto/src/crypto/tls/DtlsClientProtocol.cs b/crypto/src/crypto/tls/DtlsClientProtocol.cs
index 7cb554ae8..abb402077 100644
--- a/crypto/src/crypto/tls/DtlsClientProtocol.cs
+++ b/crypto/src/crypto/tls/DtlsClientProtocol.cs
@@ -431,10 +431,11 @@ namespace Org.BouncyCastle.Crypto.Tls } /* - * draft-ietf-tls-downgrade-scsv-00 4. If a client sends a ClientHello.client_version - * containing a lower value than the latest (highest-valued) version supported by the - * client, it SHOULD include the TLS_FALLBACK_SCSV cipher suite value in - * ClientHello.cipher_suites. + * RFC 7507 4. If a client sends a ClientHello.client_version containing a lower value + * than the latest (highest-valued) version supported by the client, it SHOULD include + * the TLS_FALLBACK_SCSV cipher suite value in ClientHello.cipher_suites [..]. (The + * client SHOULD put TLS_FALLBACK_SCSV after all cipher suites that it actually intends + * to negotiate.) */ if (fallback && !Arrays.Contains(state.offeredCipherSuites, CipherSuite.TLS_FALLBACK_SCSV)) {
diff --git a/crypto/src/crypto/tls/TlsClientProtocol.cs b/crypto/src/crypto/tls/TlsClientProtocol.cs
index c2447e434..4c2a0a545 100644
--- a/crypto/src/crypto/tls/TlsClientProtocol.cs
+++ b/crypto/src/crypto/tls/TlsClientProtocol.cs
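Review bot: The comment added in DtlsClientProtocol.cs now cites the ordering rule (TLS_FALLBACK_SCSV after every suite the client intends to negotiate), but the guard `!Arrays.Contains(state.offeredCipherSuites, CipherSuite.TLS_FALLBACK_SCSV)` only tests presence. If the application's own suite list already carries the value somewhere other than last, the branch is skipped and the position stays as supplied. The TlsClientProtocol.cs hunk has the same guard on `mOfferedCipherSuites`. The body of the `if` is outside both hunks, so whether it appends at the end cannot be confirmed here. A comment inside the branch such as `// Appended last per RFC 7507 4; a TLS_FALLBACK_SCSV already present in the caller's list is left where it is.` would make the behaviour explicit.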
@@ -871,10 +871,11 @@ namespace Org.BouncyCastle.Crypto.Tls } /* - * draft-ietf-tls-downgrade-scsv-00 4. If a client sends a ClientHello.client_version - * containing a lower value than the latest (highest-valued) version supported by the - * client, it SHOULD include the TLS_FALLBACK_SCSV cipher suite value in - * ClientHello.cipher_suites. + * RFC 7507 4. If a client sends a ClientHello.client_version containing a lower value + * than the latest (highest-valued) version supported by the client, it SHOULD include + * the TLS_FALLBACK_SCSV cipher suite value in ClientHello.cipher_suites [..]. (The + * client SHOULD put TLS_FALLBACK_SCSV after all cipher suites that it actually intends + * to negotiate.) */ if (fallback && !Arrays.Contains(mOfferedCipherSuites, CipherSuite.TLS_FALLBACK_SCSV)) {
-- cgit 1.4.1