Diffstat (limited to 'chromium/third_party/tlslite/patches/tls_intolerant.patch')
-rw-r--r-- | chromium/third_party/tlslite/patches/tls_intolerant.patch | 105 |
1 files changed, 68 insertions, 37 deletions
diff --git a/chromium/third_party/tlslite/patches/tls_intolerant.patch b/chromium/third_party/tlslite/patches/tls_intolerant.patch
index 53fe4d4c900..23723342de6 100644
--- a/chromium/third_party/tlslite/patches/tls_intolerant.patch
+++ b/chromium/third_party/tlslite/patches/tls_intolerant.patch
@@ -1,62 +1,93 @@ -Index: third_party/tlslite/tlslite/TLSConnection.py -=================================================================== ---- third_party/tlslite/tlslite/TLSConnection.py (revision 134128) -+++ third_party/tlslite/tlslite/TLSConnection.py (working copy) -@@ -932,7 +932,7 @@ - def handshakeServer(self, sharedKeyDB=None, verifierDB=None, - certChain=None, privateKey=None, reqCert=False, +diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py +index e8dd859..8415592 100755 +--- a/third_party/tlslite/tlslite/tlsconnection.py ++++ b/third_party/tlslite/tlslite/tlsconnection.py +@@ -965,7 +965,8 @@ class TLSConnection(TLSRecordLayer): sessionCache=None, settings=None, checker=None, -- reqCAs=None): -+ reqCAs=None, tlsIntolerant=0): + reqCAs = None, + tacks=None, activationFlags=0, +- nextProtos=None, anon=False): ++ nextProtos=None, anon=False, ++ tlsIntolerant=None): """Perform a handshake in the role of server. This function performs an SSL or TLS handshake. Depending on -@@ -1012,14 +1012,14 @@ - """ - for result in self.handshakeServerAsync(sharedKeyDB, verifierDB, +@@ -1034,6 +1035,11 @@ class TLSConnection(TLSRecordLayer): + clients through the Next-Protocol Negotiation Extension, + if they support it. + ++ @type tlsIntolerant: (int, int) or None ++ @param tlsIntolerant: If tlsIntolerant is not None, the server will ++ simulate TLS version intolerance by returning a fatal handshake_failure ++ alert to all TLS versions tlsIntolerant or higher. ++ + @raise socket.error: If a socket error occurs. + @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed + without a preceding alert. 
+@@ -1045,7 +1051,7 @@ class TLSConnection(TLSRecordLayer): certChain, privateKey, reqCert, sessionCache, settings, -- checker, reqCAs): -+ checker, reqCAs, tlsIntolerant): + checker, reqCAs, + tacks=tacks, activationFlags=activationFlags, +- nextProtos=nextProtos, anon=anon): ++ nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant): pass - def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None, - certChain=None, privateKey=None, reqCert=False, +@@ -1054,7 +1060,8 @@ class TLSConnection(TLSRecordLayer): sessionCache=None, settings=None, checker=None, -- reqCAs=None): -+ reqCAs=None, tlsIntolerant=0): + reqCAs=None, + tacks=None, activationFlags=0, +- nextProtos=None, anon=False ++ nextProtos=None, anon=False, ++ tlsIntolerant=None + ): """Start a server handshake operation on the TLS connection. - This function returns a generator which behaves similarly to -@@ -1036,14 +1036,15 @@ - verifierDB=verifierDB, certChain=certChain, - privateKey=privateKey, reqCert=reqCert, - sessionCache=sessionCache, settings=settings, -- reqCAs=reqCAs) -+ reqCAs=reqCAs, +@@ -1073,7 +1080,8 @@ class TLSConnection(TLSRecordLayer): + sessionCache=sessionCache, settings=settings, + reqCAs=reqCAs, + tacks=tacks, activationFlags=activationFlags, +- nextProtos=nextProtos, anon=anon) ++ nextProtos=nextProtos, anon=anon, + tlsIntolerant=tlsIntolerant) for result in self._handshakeWrapperAsync(handshaker, checker): yield result - - def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB, +@@ -1082,7 +1090,8 @@ class TLSConnection(TLSRecordLayer): certChain, privateKey, reqCert, sessionCache, -- settings, reqCAs): -+ settings, reqCAs, tlsIntolerant): + settings, reqCAs, + tacks, activationFlags, +- nextProtos, anon): ++ nextProtos, anon, ++ tlsIntolerant): self._handshakeStart(client=False) -@@ -1111,6 +1112,17 @@ +@@ -1114,7 +1123,7 @@ class TLSConnection(TLSRecordLayer): + # Handle ClientHello and resumption + for result in self._serverGetClientHello(settings, 
certChain,\ + verifierDB, sessionCache, +- anon): ++ anon, tlsIntolerant): + if result in (0,1): yield result + elif result == None: + self._handshakeDone(resumed=True) +@@ -1211,7 +1220,7 @@ class TLSConnection(TLSRecordLayer): + + + def _serverGetClientHello(self, settings, certChain, verifierDB, +- sessionCache, anon): ++ sessionCache, anon, tlsIntolerant): + #Initialize acceptable cipher suites + cipherSuites = [] + if verifierDB: +@@ -1246,6 +1255,13 @@ class TLSConnection(TLSRecordLayer): "Too old version: %s" % str(clientHello.client_version)): yield result -+ #If tlsIntolerant is nonzero, reject certain TLS versions. -+ #1: reject all TLS versions. -+ #2: reject TLS 1.1 or higher. -+ #3: reject TLS 1.2 or higher. -+ if (tlsIntolerant == 1 and clientHello.client_version > (3, 0) or -+ tlsIntolerant == 2 and clientHello.client_version > (3, 1) or -+ tlsIntolerant == 3 and clientHello.client_version > (3, 2)): ++ #If simulating TLS intolerance, reject certain TLS versions. ++ elif (tlsIntolerant is not None and ++ clientHello.client_version >= tlsIntolerant): + for result in self._sendError(\ + AlertDescription.handshake_failure): + yield result |
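Review bot: The new `elif` branch in `_serverGetClientHello` compares `clientHello.client_version >= tlsIntolerant` without checking that `tlsIntolerant` is actually a `(major, minor)` tuple as the docstring added to `handshakeServer` promises; on Python 2, which this tlslite code appears to target, a tuple compared against a stray int such as the old `1`/`2`/`3` codes does not raise but orders by type name, so a caller still using the previous integer convention would get a test server that answers every ClientHello with handshake_failure rather than an error pointing at the misuse. Since the parameter is threaded through three signatures, a single check where it enters in `handshakeServerAsync` would cover all paths: `if tlsIntolerant is not None and not isinstance(tlsIntolerant, tuple): raise ValueError("tlsIntolerant must be a (major, minor) tuple or None")`. It would also help operators reading server logs if the new `_sendError(AlertDescription.handshake_failure)` call carried a message like the protocol_version branch just above it does, e.g. `"Simulated TLS intolerance: %s" % str(clientHello.client_version)`. The body of `_serverGetClientHello` continues past the end of this hunk.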