| OLD | NEW |
|---|
| 1 # Authors: | 1 # Authors: |
| 2 # Trevor Perrin | 2 # Trevor Perrin |
| 3 # Google - added reqCAs parameter | 3 # Google - added reqCAs parameter |
| 4 # Google (adapted by Sam Rushing and Marcelo Fernandez) - NPN support | 4 # Google (adapted by Sam Rushing and Marcelo Fernandez) - NPN support |
| 5 # Dimitris Moraitis - Anon ciphersuites | 5 # Dimitris Moraitis - Anon ciphersuites |
| 6 # Martin von Loewis - python 3 port | 6 # Martin von Loewis - python 3 port |
| 7 # Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2 | 7 # Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2 |
| 8 # | 8 # |
| 9 # See the LICENSE file for legal information regarding use of this file. | 9 # See the LICENSE file for legal information regarding use of this file. |
| 10 | 10 |
| (...skipping 1439 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1450 srpUsername, clientCertChain, serverCertChain, | 1450 srpUsername, clientCertChain, serverCertChain, |
| 1451 tackExt, serverHello.tackExt!=None, serverName) | 1451 tackExt, serverHello.tackExt!=None, serverName) |
| 1452 | 1452 |
| 1453 #Add the session object to the session cache | 1453 #Add the session object to the session cache |
| 1454 if sessionCache and sessionID: | 1454 if sessionCache and sessionID: |
| 1455 sessionCache[sessionID] = self.session | 1455 sessionCache[sessionID] = self.session |
| 1456 | 1456 |
| 1457 self._handshakeDone(resumed=False) | 1457 self._handshakeDone(resumed=False) |
| 1458 | 1458 |
| 1459 | 1459 |
| 1460 def _isIntolerant(self, settings, clientHello): |
| 1461 if settings.tlsIntolerant is None: |
| 1462 return False |
| 1463 clientVersion = clientHello.client_version |
| 1464 if clientHello.has_supported_versions: |
| 1465 clientVersion = (3, 4) |
| 1466 return clientVersion >= settings.tlsIntolerant |
| 1467 |
| 1468 |
| 1460 def _serverGetClientHello(self, settings, certChain, verifierDB, | 1469 def _serverGetClientHello(self, settings, certChain, verifierDB, |
| 1461 sessionCache, anon, fallbackSCSV): | 1470 sessionCache, anon, fallbackSCSV): |
| 1462 #Tentatively set version to most-desirable version, so if an error | 1471 #Tentatively set version to most-desirable version, so if an error |
| 1463 #occurs parsing the ClientHello, this is what we'll use for the | 1472 #occurs parsing the ClientHello, this is what we'll use for the |
| 1464 #error alert | 1473 #error alert |
| 1465 self.version = settings.maxVersion | 1474 self.version = settings.maxVersion |
| 1466 | 1475 |
| 1467 #Get ClientHello | 1476 #Get ClientHello |
| 1468 for result in self._getMsg(ContentType.handshake, | 1477 for result in self._getMsg(ContentType.handshake, |
| 1469 HandshakeType.client_hello): | 1478 HandshakeType.client_hello): |
| 1470 if result in (0,1): yield result | 1479 if result in (0,1): yield result |
| 1471 else: break | 1480 else: break |
| 1472 clientHello = result | 1481 clientHello = result |
| 1473 | 1482 |
| 1474 #If client's version is too low, reject it | 1483 #If client's version is too low, reject it |
| 1475 if clientHello.client_version < settings.minVersion: | 1484 if clientHello.client_version < settings.minVersion: |
| 1476 self.version = settings.minVersion | 1485 self.version = settings.minVersion |
| 1477 for result in self._sendError(\ | 1486 for result in self._sendError(\ |
| 1478 AlertDescription.protocol_version, | 1487 AlertDescription.protocol_version, |
| 1479 "Too old version: %s" % str(clientHello.client_version)): | 1488 "Too old version: %s" % str(clientHello.client_version)): |
| 1480 yield result | 1489 yield result |
| 1481 | 1490 |
| 1482 #If simulating TLS intolerance, reject certain TLS versions. | 1491 #If simulating TLS intolerance, reject certain TLS versions. |
| 1483 elif (settings.tlsIntolerant is not None and | 1492 elif self._isIntolerant(settings, clientHello): |
| 1484 clientHello.client_version >= settings.tlsIntolerant): | |
| 1485 if settings.tlsIntoleranceType == "alert": | 1493 if settings.tlsIntoleranceType == "alert": |
| 1486 for result in self._sendError(\ | 1494 for result in self._sendError(\ |
| 1487 AlertDescription.handshake_failure): | 1495 AlertDescription.handshake_failure): |
| 1488 yield result | 1496 yield result |
| 1489 elif settings.tlsIntoleranceType == "close": | 1497 elif settings.tlsIntoleranceType == "close": |
| 1490 self._abruptClose() | 1498 self._abruptClose() |
| 1491 raise TLSUnsupportedError("Simulating version intolerance") | 1499 raise TLSUnsupportedError("Simulating version intolerance") |
| 1492 elif settings.tlsIntoleranceType == "reset": | 1500 elif settings.tlsIntoleranceType == "reset": |
| 1493 self._abruptClose(reset=True) | 1501 self._abruptClose(reset=True) |
| 1494 raise TLSUnsupportedError("Simulating version intolerance") | 1502 raise TLSUnsupportedError("Simulating version intolerance") |
| (...skipping 583 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2078 seed += bytearray(2) | 2086 seed += bytearray(2) |
| 2079 seed[len(seed) - 2] = len(context) >> 8 | 2087 seed[len(seed) - 2] = len(context) >> 8 |
| 2080 seed[len(seed) - 1] = len(context) & 0xFF | 2088 seed[len(seed) - 1] = len(context) & 0xFF |
| 2081 seed += context | 2089 seed += context |
| 2082 if self.version in ((3,1), (3,2)): | 2090 if self.version in ((3,1), (3,2)): |
| 2083 return PRF(self.session.masterSecret, label, seed, length) | 2091 return PRF(self.session.masterSecret, label, seed, length) |
| 2084 elif self.version == (3,3): | 2092 elif self.version == (3,3): |
| 2085 return PRF_1_2(self.session.masterSecret, label, seed, length) | 2093 return PRF_1_2(self.session.masterSecret, label, seed, length) |
| 2086 else: | 2094 else: |
| 2087 raise AssertionError() | 2095 raise AssertionError() |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2800853008:
Add a dedicated error code for TLS 1.3 interference. (Closed)
