OLD | NEW |
(Empty) | |
| 1 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlsl
ite/constants.py |
| 2 index 82e8c075fe2a..8fb75d0948e4 100644 |
| 3 --- a/third_party/tlslite/tlslite/constants.py |
| 4 +++ b/third_party/tlslite/tlslite/constants.py |
| 5 @@ -58,6 +58,7 @@ class ExtensionType: # RFC 6066 / 4366 |
| 6 signed_cert_timestamps = 18 # RFC 6962 |
| 7 extended_master_secret = 23 # RFC 7627 |
| 8 token_binding = 24 # draft-ietf-tokbind-negotiation |
| 9 + supported_versions = 43 # draft-ietf-tls-tls13-18 |
| 10 tack = 0xF300 |
| 11 supports_npn = 13172 |
| 12 channel_id = 30032 |
| 13 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlsli
te/messages.py |
| 14 index ac7e563021d9..b29db939c2a8 100644 |
| 15 --- a/third_party/tlslite/tlslite/messages.py |
| 16 +++ b/third_party/tlslite/tlslite/messages.py |
| 17 @@ -140,6 +140,7 @@ class ClientHello(HandshakeMsg): |
| 18 self.tb_client_params = [] |
| 19 self.support_signed_cert_timestamps = False |
| 20 self.status_request = False |
| 21 + self.has_supported_versions = False |
| 22 self.ri = False |
| 23 |
| 24 def create(self, version, random, session_id, cipher_suites, |
| 25 @@ -251,6 +252,11 @@ class ClientHello(HandshakeMsg): |
| 26 if extLength != 1 or p.getFixBytes(extLength)[0] != 0: |
| 27 raise SyntaxError() |
| 28 self.ri = True |
| 29 + elif extType == ExtensionType.supported_versions: |
| 30 + # Ignore the extension, but make a note of it for |
| 31 + # intolerance simulation. |
| 32 + self.has_supported_versions = True |
| 33 + _ = p.getFixBytes(extLength) |
| 34 else: |
| 35 _ = p.getFixBytes(extLength) |
| 36 index2 = p.index |
| 37 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/
tlslite/tlsconnection.py |
| 38 index 8ba1c6e636ab..2309d4fa8f3a 100644 |
| 39 --- a/third_party/tlslite/tlslite/tlsconnection.py |
| 40 +++ b/third_party/tlslite/tlslite/tlsconnection.py |
| 41 @@ -1457,6 +1457,15 @@ class TLSConnection(TLSRecordLayer): |
| 42 self._handshakeDone(resumed=False) |
| 43 |
| 44 |
| 45 + def _isIntolerant(self, settings, clientHello): |
| 46 + if settings.tlsIntolerant is None: |
| 47 + return False |
| 48 + clientVersion = clientHello.client_version |
| 49 + if clientHello.has_supported_versions: |
| 50 + clientVersion = (3, 4) |
| 51 + return clientVersion >= settings.tlsIntolerant |
| 52 + |
| 53 + |
| 54 def _serverGetClientHello(self, settings, certChain, verifierDB, |
| 55 sessionCache, anon, fallbackSCSV): |
| 56 #Tentatively set version to most-desirable version, so if an error |
| 57 @@ -1480,8 +1489,7 @@ class TLSConnection(TLSRecordLayer): |
| 58 yield result |
| 59 |
| 60 #If simulating TLS intolerance, reject certain TLS versions. |
| 61 - elif (settings.tlsIntolerant is not None and |
| 62 - clientHello.client_version >= settings.tlsIntolerant): |
| 63 + elif self._isIntolerant(settings, clientHello): |
| 64 if settings.tlsIntoleranceType == "alert": |
| 65 for result in self._sendError(\ |
| 66 AlertDescription.handshake_failure): |
OLD | NEW |