| Index: third_party/tlslite/patches/tls_intolerant.patch
|
| diff --git a/third_party/tlslite/patches/tls_intolerant.patch b/third_party/tlslite/patches/tls_intolerant.patch
|
| index 53fe4d4c9005feb412ae98c67b3061c42337c1c3..23723342de6df576b9471a37218f22ad160c8e7b 100644
|
| --- a/third_party/tlslite/patches/tls_intolerant.patch
|
| +++ b/third_party/tlslite/patches/tls_intolerant.patch
|
| @@ -1,62 +1,93 @@
|
| -Index: third_party/tlslite/tlslite/TLSConnection.py
|
| -===================================================================
|
| ---- third_party/tlslite/tlslite/TLSConnection.py (revision 134128)
|
| -+++ third_party/tlslite/tlslite/TLSConnection.py (working copy)
|
| -@@ -932,7 +932,7 @@
|
| - def handshakeServer(self, sharedKeyDB=None, verifierDB=None,
|
| - certChain=None, privateKey=None, reqCert=False,
|
| +diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
|
| +index e8dd859..8415592 100755
|
| +--- a/third_party/tlslite/tlslite/tlsconnection.py
|
| ++++ b/third_party/tlslite/tlslite/tlsconnection.py
|
| +@@ -965,7 +965,8 @@ class TLSConnection(TLSRecordLayer):
|
| sessionCache=None, settings=None, checker=None,
|
| -- reqCAs=None):
|
| -+ reqCAs=None, tlsIntolerant=0):
|
| + reqCAs = None,
|
| + tacks=None, activationFlags=0,
|
| +- nextProtos=None, anon=False):
|
| ++ nextProtos=None, anon=False,
|
| ++ tlsIntolerant=None):
|
| """Perform a handshake in the role of server.
|
|
|
| This function performs an SSL or TLS handshake. Depending on
|
| -@@ -1012,14 +1012,14 @@
|
| - """
|
| - for result in self.handshakeServerAsync(sharedKeyDB, verifierDB,
|
| +@@ -1034,6 +1035,11 @@ class TLSConnection(TLSRecordLayer):
|
| + clients through the Next-Protocol Negotiation Extension,
|
| + if they support it.
|
| +
|
| ++ @type tlsIntolerant: (int, int) or None
|
| ++ @param tlsIntolerant: If tlsIntolerant is not None, the server will
|
| ++ simulate TLS version intolerance by returning a fatal handshake_failure
|
| ++ alert to all TLS versions tlsIntolerant or higher.
|
| ++
|
| + @raise socket.error: If a socket error occurs.
|
| + @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
|
| + without a preceding alert.
|
| +@@ -1045,7 +1051,7 @@ class TLSConnection(TLSRecordLayer):
|
| certChain, privateKey, reqCert, sessionCache, settings,
|
| -- checker, reqCAs):
|
| -+ checker, reqCAs, tlsIntolerant):
|
| + checker, reqCAs,
|
| + tacks=tacks, activationFlags=activationFlags,
|
| +- nextProtos=nextProtos, anon=anon):
|
| ++ nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant):
|
| pass
|
|
|
|
|
| - def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None,
|
| - certChain=None, privateKey=None, reqCert=False,
|
| +@@ -1054,7 +1060,8 @@ class TLSConnection(TLSRecordLayer):
|
| sessionCache=None, settings=None, checker=None,
|
| -- reqCAs=None):
|
| -+ reqCAs=None, tlsIntolerant=0):
|
| + reqCAs=None,
|
| + tacks=None, activationFlags=0,
|
| +- nextProtos=None, anon=False
|
| ++ nextProtos=None, anon=False,
|
| ++ tlsIntolerant=None
|
| + ):
|
| """Start a server handshake operation on the TLS connection.
|
|
|
| - This function returns a generator which behaves similarly to
|
| -@@ -1036,14 +1036,15 @@
|
| - verifierDB=verifierDB, certChain=certChain,
|
| - privateKey=privateKey, reqCert=reqCert,
|
| - sessionCache=sessionCache, settings=settings,
|
| -- reqCAs=reqCAs)
|
| -+ reqCAs=reqCAs,
|
| +@@ -1073,7 +1080,8 @@ class TLSConnection(TLSRecordLayer):
|
| + sessionCache=sessionCache, settings=settings,
|
| + reqCAs=reqCAs,
|
| + tacks=tacks, activationFlags=activationFlags,
|
| +- nextProtos=nextProtos, anon=anon)
|
| ++ nextProtos=nextProtos, anon=anon,
|
| + tlsIntolerant=tlsIntolerant)
|
| for result in self._handshakeWrapperAsync(handshaker, checker):
|
| yield result
|
|
|
| -
|
| - def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB,
|
| +@@ -1082,7 +1090,8 @@ class TLSConnection(TLSRecordLayer):
|
| certChain, privateKey, reqCert, sessionCache,
|
| -- settings, reqCAs):
|
| -+ settings, reqCAs, tlsIntolerant):
|
| + settings, reqCAs,
|
| + tacks, activationFlags,
|
| +- nextProtos, anon):
|
| ++ nextProtos, anon,
|
| ++ tlsIntolerant):
|
|
|
| self._handshakeStart(client=False)
|
|
|
| -@@ -1111,6 +1112,17 @@
|
| +@@ -1114,7 +1123,7 @@ class TLSConnection(TLSRecordLayer):
|
| + # Handle ClientHello and resumption
|
| + for result in self._serverGetClientHello(settings, certChain,\
|
| + verifierDB, sessionCache,
|
| +- anon):
|
| ++ anon, tlsIntolerant):
|
| + if result in (0,1): yield result
|
| + elif result == None:
|
| + self._handshakeDone(resumed=True)
|
| +@@ -1211,7 +1220,7 @@ class TLSConnection(TLSRecordLayer):
|
| +
|
| +
|
| + def _serverGetClientHello(self, settings, certChain, verifierDB,
|
| +- sessionCache, anon):
|
| ++ sessionCache, anon, tlsIntolerant):
|
| + #Initialize acceptable cipher suites
|
| + cipherSuites = []
|
| + if verifierDB:
|
| +@@ -1246,6 +1255,13 @@ class TLSConnection(TLSRecordLayer):
|
| "Too old version: %s" % str(clientHello.client_version)):
|
| yield result
|
|
|
| -+ #If tlsIntolerant is nonzero, reject certain TLS versions.
|
| -+ #1: reject all TLS versions.
|
| -+ #2: reject TLS 1.1 or higher.
|
| -+ #3: reject TLS 1.2 or higher.
|
| -+ if (tlsIntolerant == 1 and clientHello.client_version > (3, 0) or
|
| -+ tlsIntolerant == 2 and clientHello.client_version > (3, 1) or
|
| -+ tlsIntolerant == 3 and clientHello.client_version > (3, 2)):
|
| ++ #If simulating TLS intolerance, reject certain TLS versions.
|
| ++ elif (tlsIntolerant is not None and
|
| ++ clientHello.client_version >= tlsIntolerant):
|
| + for result in self._sendError(\
|
| + AlertDescription.handshake_failure):
|
| + yield result
|
|
|
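Review bot: The new check `clientHello.client_version >= tlsIntolerant` in `_serverGetClientHello` trusts the docstring's `(int, int)` type but never validates it, and the parameter replaces the removed int-coded `tlsIntolerant=0` / `1..3` scheme, so a caller still passing the old integer form gets no clear error: under Python 2 a tuple compares greater than any int, which would make the server answer every ClientHello with handshake_failure, and under Python 3 it raises TypeError in the middle of the handshake. I would validate once at the public entry point in `handshakeServerAsync`: `if tlsIntolerant is not None and not isinstance(tlsIntolerant, tuple): raise TypeError("tlsIntolerant must be a (major, minor) tuple or None")`. The `@type tlsIntolerant` docstring line should also say that the pair is the record-layer (major, minor) version, e.g. (3, 1) for TLS 1.0, matching the (3, 0)/(3, 1)/(3, 2) comparisons the removed code used. Note the comparison also changed from strict `>` to `>=`, so any caller that mapped the old codes onto versions must shift by one minor version; those callers are outside this hunk. The `if` that the new `elif` attaches to also begins outside the hunk, so the preceding branch is assumed to be the "Too old version" check shown in context.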