| OLD | NEW |
|---|
| 1 """ | 1 """ |
| 2 MAIN CLASS FOR TLS LITE (START HERE!). | 2 MAIN CLASS FOR TLS LITE (START HERE!). |
| 3 """ | 3 """ |
| 4 from __future__ import generators | 4 from __future__ import generators |
| 5 | 5 |
| 6 import socket | 6 import socket |
| 7 from utils.compat import formatExceptionTrace | 7 from utils.compat import formatExceptionTrace |
| 8 from TLSRecordLayer import TLSRecordLayer | 8 from TLSRecordLayer import TLSRecordLayer |
| 9 from Session import Session | 9 from Session import Session |
| 10 from constants import * | 10 from constants import * |
| (...skipping 914 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 925 | 925 |
| 926 #Mark the connection as open | 926 #Mark the connection as open |
| 927 self.session._setResumable(True) | 927 self.session._setResumable(True) |
| 928 self._handshakeDone(resumed=False) | 928 self._handshakeDone(resumed=False) |
| 929 | 929 |
| 930 | 930 |
| 931 | 931 |
| 932 def handshakeServer(self, sharedKeyDB=None, verifierDB=None, | 932 def handshakeServer(self, sharedKeyDB=None, verifierDB=None, |
| 933 certChain=None, privateKey=None, reqCert=False, | 933 certChain=None, privateKey=None, reqCert=False, |
| 934 sessionCache=None, settings=None, checker=None, | 934 sessionCache=None, settings=None, checker=None, |
| 935 reqCAs=None): | 935 reqCAs=None, tlsIntolerant=False): |
| 936 """Perform a handshake in the role of server. | 936 """Perform a handshake in the role of server. |
| 937 | 937 |
| 938 This function performs an SSL or TLS handshake. Depending on | 938 This function performs an SSL or TLS handshake. Depending on |
| 939 the arguments and the behavior of the client, this function can | 939 the arguments and the behavior of the client, this function can |
| 940 perform a shared-key, SRP, or certificate-based handshake. It | 940 perform a shared-key, SRP, or certificate-based handshake. It |
| 941 can also perform a combined SRP and server-certificate | 941 can also perform a combined SRP and server-certificate |
| 942 handshake. | 942 handshake. |
| 943 | 943 |
| 944 Like any handshake function, this can be called on a closed | 944 Like any handshake function, this can be called on a closed |
| 945 TLS connection, or on a TLS connection that is already open. | 945 TLS connection, or on a TLS connection that is already open. |
| (...skipping 59 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1005 | 1005 |
| 1006 @raise socket.error: If a socket error occurs. | 1006 @raise socket.error: If a socket error occurs. |
| 1007 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed | 1007 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed |
| 1008 without a preceding alert. | 1008 without a preceding alert. |
| 1009 @raise tlslite.errors.TLSAlert: If a TLS alert is signalled. | 1009 @raise tlslite.errors.TLSAlert: If a TLS alert is signalled. |
| 1010 @raise tlslite.errors.TLSAuthenticationError: If the checker | 1010 @raise tlslite.errors.TLSAuthenticationError: If the checker |
| 1011 doesn't like the other party's authentication credentials. | 1011 doesn't like the other party's authentication credentials. |
| 1012 """ | 1012 """ |
| 1013 for result in self.handshakeServerAsync(sharedKeyDB, verifierDB, | 1013 for result in self.handshakeServerAsync(sharedKeyDB, verifierDB, |
| 1014 certChain, privateKey, reqCert, sessionCache, settings, | 1014 certChain, privateKey, reqCert, sessionCache, settings, |
| 1015 checker, reqCAs): | 1015 checker, reqCAs, tlsIntolerant): |
| 1016 pass | 1016 pass |
| 1017 | 1017 |
| 1018 | 1018 |
| 1019 def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None, | 1019 def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None, |
| 1020 certChain=None, privateKey=None, reqCert=False, | 1020 certChain=None, privateKey=None, reqCert=False, |
| 1021 sessionCache=None, settings=None, checker=None, | 1021 sessionCache=None, settings=None, checker=None, |
| 1022 reqCAs=None): | 1022 reqCAs=None, tlsIntolerant=False): |
| 1023 """Start a server handshake operation on the TLS connection. | 1023 """Start a server handshake operation on the TLS connection. |
| 1024 | 1024 |
| 1025 This function returns a generator which behaves similarly to | 1025 This function returns a generator which behaves similarly to |
| 1026 handshakeServer(). Successive invocations of the generator | 1026 handshakeServer(). Successive invocations of the generator |
| 1027 will return 0 if it is waiting to read from the socket, 1 if it is | 1027 will return 0 if it is waiting to read from the socket, 1 if it is |
| 1028 waiting to write to the socket, or it will raise StopIteration | 1028 waiting to write to the socket, or it will raise StopIteration |
| 1029 if the handshake operation is complete. | 1029 if the handshake operation is complete. |
| 1030 | 1030 |
| 1031 @rtype: iterable | 1031 @rtype: iterable |
| 1032 @return: A generator; see above for details. | 1032 @return: A generator; see above for details. |
| 1033 """ | 1033 """ |
| 1034 handshaker = self._handshakeServerAsyncHelper(\ | 1034 handshaker = self._handshakeServerAsyncHelper(\ |
| 1035 sharedKeyDB=sharedKeyDB, | 1035 sharedKeyDB=sharedKeyDB, |
| 1036 verifierDB=verifierDB, certChain=certChain, | 1036 verifierDB=verifierDB, certChain=certChain, |
| 1037 privateKey=privateKey, reqCert=reqCert, | 1037 privateKey=privateKey, reqCert=reqCert, |
| 1038 sessionCache=sessionCache, settings=settings, | 1038 sessionCache=sessionCache, settings=settings, |
| 1039 reqCAs=reqCAs) | 1039 reqCAs=reqCAs, |
| 1040 tlsIntolerant=tlsIntolerant) |
| 1040 for result in self._handshakeWrapperAsync(handshaker, checker): | 1041 for result in self._handshakeWrapperAsync(handshaker, checker): |
| 1041 yield result | 1042 yield result |
| 1042 | 1043 |
| 1043 | 1044 |
| 1044 def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB, | 1045 def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB, |
| 1045 certChain, privateKey, reqCert, sessionCache, | 1046 certChain, privateKey, reqCert, sessionCache, |
| 1046 settings, reqCAs): | 1047 settings, reqCAs, tlsIntolerant): |
| 1047 | 1048 |
| 1048 self._handshakeStart(client=False) | 1049 self._handshakeStart(client=False) |
| 1049 | 1050 |
| 1050 if (not sharedKeyDB) and (not verifierDB) and (not certChain): | 1051 if (not sharedKeyDB) and (not verifierDB) and (not certChain): |
| 1051 raise ValueError("Caller passed no authentication credentials") | 1052 raise ValueError("Caller passed no authentication credentials") |
| 1052 if certChain and not privateKey: | 1053 if certChain and not privateKey: |
| 1053 raise ValueError("Caller passed a certChain but no privateKey") | 1054 raise ValueError("Caller passed a certChain but no privateKey") |
| 1054 if privateKey and not certChain: | 1055 if privateKey and not certChain: |
| 1055 raise ValueError("Caller passed a privateKey but no certChain") | 1056 raise ValueError("Caller passed a privateKey but no certChain") |
| 1056 if reqCAs and not reqCert: | 1057 if reqCAs and not reqCert: |
| (...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1104 clientHello = result | 1105 clientHello = result |
| 1105 | 1106 |
| 1106 #If client's version is too low, reject it | 1107 #If client's version is too low, reject it |
| 1107 if clientHello.client_version < settings.minVersion: | 1108 if clientHello.client_version < settings.minVersion: |
| 1108 self.version = settings.minVersion | 1109 self.version = settings.minVersion |
| 1109 for result in self._sendError(\ | 1110 for result in self._sendError(\ |
| 1110 AlertDescription.protocol_version, | 1111 AlertDescription.protocol_version, |
| 1111 "Too old version: %s" % str(clientHello.client_version)): | 1112 "Too old version: %s" % str(clientHello.client_version)): |
| 1112 yield result | 1113 yield result |
| 1113 | 1114 |
| 1115 if tlsIntolerant and clientHello.client_version > (3, 0): |
| 1116 for result in self._sendError(\ |
| 1117 AlertDescription.handshake_failure): |
| 1118 yield result |
| 1119 |
| 1114 #If client's version is too high, propose my highest version | 1120 #If client's version is too high, propose my highest version |
| 1115 elif clientHello.client_version > settings.maxVersion: | 1121 elif clientHello.client_version > settings.maxVersion: |
| 1116 self.version = settings.maxVersion | 1122 self.version = settings.maxVersion |
| 1117 | 1123 |
| 1118 else: | 1124 else: |
| 1119 #Set the version to the client's version | 1125 #Set the version to the client's version |
| 1120 self.version = clientHello.client_version | 1126 self.version = clientHello.client_version |
| 1121 | 1127 |
| 1122 #Get the client nonce; create server nonce | 1128 #Get the client nonce; create server nonce |
| 1123 clientRandom = clientHello.random | 1129 clientRandom = clientHello.random |
| (...skipping 479 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1603 if len(publicKey) < settings.minKeySize: | 1609 if len(publicKey) < settings.minKeySize: |
| 1604 for result in self._sendError(AlertDescription.handshake_failure, | 1610 for result in self._sendError(AlertDescription.handshake_failure, |
| 1605 "Other party's public key too small: %d" % len(publicKey)): | 1611 "Other party's public key too small: %d" % len(publicKey)): |
| 1606 yield result | 1612 yield result |
| 1607 if len(publicKey) > settings.maxKeySize: | 1613 if len(publicKey) > settings.maxKeySize: |
| 1608 for result in self._sendError(AlertDescription.handshake_failure, | 1614 for result in self._sendError(AlertDescription.handshake_failure, |
| 1609 "Other party's public key too large: %d" % len(publicKey)): | 1615 "Other party's public key too large: %d" % len(publicKey)): |
| 1610 yield result | 1616 yield result |
| 1611 | 1617 |
| 1612 yield publicKey, certChain | 1618 yield publicKey, certChain |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10218007:
net: don't remember TLS intolerant servers. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src