OLD | NEW |
1 Index: third_party/tlslite/tlslite/TLSConnection.py | 1 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/
tlslite/tlsconnection.py |
2 =================================================================== | 2 index e8dd859..8415592 100755 |
3 --- third_party/tlslite/tlslite/TLSConnection.py» (revision 134128) | 3 --- a/third_party/tlslite/tlslite/tlsconnection.py |
4 +++ third_party/tlslite/tlslite/TLSConnection.py» (working copy) | 4 +++ b/third_party/tlslite/tlslite/tlsconnection.py |
5 @@ -932,7 +932,7 @@ | 5 @@ -965,7 +965,8 @@ class TLSConnection(TLSRecordLayer): |
6 def handshakeServer(self, sharedKeyDB=None, verifierDB=None, | |
7 certChain=None, privateKey=None, reqCert=False, | |
8 sessionCache=None, settings=None, checker=None, | 6 sessionCache=None, settings=None, checker=None, |
9 - reqCAs=None): | 7 reqCAs = None, |
10 + reqCAs=None, tlsIntolerant=0): | 8 tacks=None, activationFlags=0, |
| 9 - nextProtos=None, anon=False): |
| 10 + nextProtos=None, anon=False, |
| 11 + tlsIntolerant=None): |
11 """Perform a handshake in the role of server. | 12 """Perform a handshake in the role of server. |
12 | 13 |
13 This function performs an SSL or TLS handshake. Depending on | 14 This function performs an SSL or TLS handshake. Depending on |
14 @@ -1012,14 +1012,14 @@ | 15 @@ -1034,6 +1035,11 @@ class TLSConnection(TLSRecordLayer): |
15 """ | 16 clients through the Next-Protocol Negotiation Extension, |
16 for result in self.handshakeServerAsync(sharedKeyDB, verifierDB, | 17 if they support it. |
| 18 |
| 19 + @type tlsIntolerant: (int, int) or None |
| 20 + @param tlsIntolerant: If tlsIntolerant is not None, the server will |
| 21 + simulate TLS version intolerance by returning a fatal handshake_failure |
| 22 + alert to all TLS versions tlsIntolerant or higher. |
| 23 + |
| 24 @raise socket.error: If a socket error occurs. |
| 25 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed |
| 26 without a preceding alert. |
| 27 @@ -1045,7 +1051,7 @@ class TLSConnection(TLSRecordLayer): |
17 certChain, privateKey, reqCert, sessionCache, settings, | 28 certChain, privateKey, reqCert, sessionCache, settings, |
18 - checker, reqCAs): | 29 checker, reqCAs, |
19 + checker, reqCAs, tlsIntolerant): | 30 tacks=tacks, activationFlags=activationFlags, |
| 31 - nextProtos=nextProtos, anon=anon): |
| 32 + nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant): |
20 pass | 33 pass |
21 | 34 |
22 | 35 |
23 def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None, | 36 @@ -1054,7 +1060,8 @@ class TLSConnection(TLSRecordLayer): |
24 certChain=None, privateKey=None, reqCert=False, | |
25 sessionCache=None, settings=None, checker=None, | 37 sessionCache=None, settings=None, checker=None, |
26 - reqCAs=None): | 38 reqCAs=None, |
27 + reqCAs=None, tlsIntolerant=0): | 39 tacks=None, activationFlags=0, |
| 40 - nextProtos=None, anon=False |
| 41 + nextProtos=None, anon=False, |
| 42 + tlsIntolerant=None |
| 43 ): |
28 """Start a server handshake operation on the TLS connection. | 44 """Start a server handshake operation on the TLS connection. |
29 | 45 |
30 This function returns a generator which behaves similarly to | 46 @@ -1073,7 +1080,8 @@ class TLSConnection(TLSRecordLayer): |
31 @@ -1036,14 +1036,15 @@ | 47 sessionCache=sessionCache, settings=settings, |
32 verifierDB=verifierDB, certChain=certChain, | 48 reqCAs=reqCAs, |
33 privateKey=privateKey, reqCert=reqCert, | 49 tacks=tacks, activationFlags=activationFlags, |
34 sessionCache=sessionCache, settings=settings, | 50 - nextProtos=nextProtos, anon=anon) |
35 - reqCAs=reqCAs) | 51 + nextProtos=nextProtos, anon=anon, |
36 + reqCAs=reqCAs, | |
37 + tlsIntolerant=tlsIntolerant) | 52 + tlsIntolerant=tlsIntolerant) |
38 for result in self._handshakeWrapperAsync(handshaker, checker): | 53 for result in self._handshakeWrapperAsync(handshaker, checker): |
39 yield result | 54 yield result |
40 | 55 |
41 | 56 @@ -1082,7 +1090,8 @@ class TLSConnection(TLSRecordLayer): |
42 def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB, | |
43 certChain, privateKey, reqCert, sessionCache, | 57 certChain, privateKey, reqCert, sessionCache, |
44 - settings, reqCAs): | 58 settings, reqCAs, |
45 + settings, reqCAs, tlsIntolerant): | 59 tacks, activationFlags, |
| 60 - nextProtos, anon): |
| 61 + nextProtos, anon, |
| 62 + tlsIntolerant): |
46 | 63 |
47 self._handshakeStart(client=False) | 64 self._handshakeStart(client=False) |
48 | 65 |
49 @@ -1111,6 +1112,17 @@ | 66 @@ -1114,7 +1123,7 @@ class TLSConnection(TLSRecordLayer): |
| 67 # Handle ClientHello and resumption |
| 68 for result in self._serverGetClientHello(settings, certChain,\ |
| 69 verifierDB, sessionCache, |
| 70 - anon): |
| 71 + anon, tlsIntolerant): |
| 72 if result in (0,1): yield result |
| 73 elif result == None: |
| 74 self._handshakeDone(resumed=True) |
| 75 @@ -1211,7 +1220,7 @@ class TLSConnection(TLSRecordLayer): |
| 76 |
| 77 |
| 78 def _serverGetClientHello(self, settings, certChain, verifierDB, |
| 79 - sessionCache, anon): |
| 80 + sessionCache, anon, tlsIntolerant): |
| 81 #Initialize acceptable cipher suites |
| 82 cipherSuites = [] |
| 83 if verifierDB: |
| 84 @@ -1246,6 +1255,13 @@ class TLSConnection(TLSRecordLayer): |
50 "Too old version: %s" % str(clientHello.client_version)): | 85 "Too old version: %s" % str(clientHello.client_version)): |
51 yield result | 86 yield result |
52 | 87 |
53 + #If tlsIntolerant is nonzero, reject certain TLS versions. | 88 + #If simulating TLS intolerance, reject certain TLS versions. |
54 + #1: reject all TLS versions. | 89 + elif (tlsIntolerant is not None and |
55 + #2: reject TLS 1.1 or higher. | 90 + clientHello.client_version >= tlsIntolerant): |
56 + #3: reject TLS 1.2 or higher. | |
57 + if (tlsIntolerant == 1 and clientHello.client_version > (3, 0) or | |
58 + tlsIntolerant == 2 and clientHello.client_version > (3, 1) or | |
59 + tlsIntolerant == 3 and clientHello.client_version > (3, 2)): | |
60 + for result in self._sendError(\ | 91 + for result in self._sendError(\ |
61 + AlertDescription.handshake_failure): | 92 + AlertDescription.handshake_failure): |
62 + yield result | 93 + yield result |
63 + | 94 + |
64 #If client's version is too high, propose my highest version | 95 #If client's version is too high, propose my highest version |
65 elif clientHello.client_version > settings.maxVersion: | 96 elif clientHello.client_version > settings.maxVersion: |
66 self.version = settings.maxVersion | 97 self.version = settings.maxVersion |
OLD | NEW |