OLD | NEW |
1 # Authors: | 1 # Authors: |
2 # Trevor Perrin | 2 # Trevor Perrin |
3 # Google - added reqCAs parameter | 3 # Google - added reqCAs parameter |
4 # Google (adapted by Sam Rushing and Marcelo Fernandez) - NPN support | 4 # Google (adapted by Sam Rushing and Marcelo Fernandez) - NPN support |
5 # Dimitris Moraitis - Anon ciphersuites | 5 # Dimitris Moraitis - Anon ciphersuites |
6 # Martin von Loewis - python 3 port | 6 # Martin von Loewis - python 3 port |
7 # Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2 | 7 # Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2 |
8 # | 8 # |
9 # See the LICENSE file for legal information regarding use of this file. | 9 # See the LICENSE file for legal information regarding use of this file. |
10 | 10 |
(...skipping 1439 matching lines...)
1450 srpUsername, clientCertChain, serverCertChain, | 1450 srpUsername, clientCertChain, serverCertChain, |
1451 tackExt, serverHello.tackExt!=None, serverName) | 1451 tackExt, serverHello.tackExt!=None, serverName) |
1452 | 1452 |
1453 #Add the session object to the session cache | 1453 #Add the session object to the session cache |
1454 if sessionCache and sessionID: | 1454 if sessionCache and sessionID: |
1455 sessionCache[sessionID] = self.session | 1455 sessionCache[sessionID] = self.session |
1456 | 1456 |
1457 self._handshakeDone(resumed=False) | 1457 self._handshakeDone(resumed=False) |
1458 | 1458 |
1459 | 1459 |
| 1460 def _isIntolerant(self, settings, clientHello): |
| 1461 if settings.tlsIntolerant is None: |
| 1462 return False |
| 1463 clientVersion = clientHello.client_version |
| 1464 if clientHello.has_supported_versions: |
| 1465 clientVersion = (3, 4) |
| 1466 return clientVersion >= settings.tlsIntolerant |
| 1467 |
| 1468 |
1460 def _serverGetClientHello(self, settings, certChain, verifierDB, | 1469 def _serverGetClientHello(self, settings, certChain, verifierDB, |
1461 sessionCache, anon, fallbackSCSV): | 1470 sessionCache, anon, fallbackSCSV): |
1462 #Tentatively set version to most-desirable version, so if an error | 1471 #Tentatively set version to most-desirable version, so if an error |
1463 #occurs parsing the ClientHello, this is what we'll use for the | 1472 #occurs parsing the ClientHello, this is what we'll use for the |
1464 #error alert | 1473 #error alert |
1465 self.version = settings.maxVersion | 1474 self.version = settings.maxVersion |
1466 | 1475 |
1467 #Get ClientHello | 1476 #Get ClientHello |
1468 for result in self._getMsg(ContentType.handshake, | 1477 for result in self._getMsg(ContentType.handshake, |
1469 HandshakeType.client_hello): | 1478 HandshakeType.client_hello): |
1470 if result in (0,1): yield result | 1479 if result in (0,1): yield result |
1471 else: break | 1480 else: break |
1472 clientHello = result | 1481 clientHello = result |
1473 | 1482 |
1474 #If client's version is too low, reject it | 1483 #If client's version is too low, reject it |
1475 if clientHello.client_version < settings.minVersion: | 1484 if clientHello.client_version < settings.minVersion: |
1476 self.version = settings.minVersion | 1485 self.version = settings.minVersion |
1477 for result in self._sendError(\ | 1486 for result in self._sendError(\ |
1478 AlertDescription.protocol_version, | 1487 AlertDescription.protocol_version, |
1479 "Too old version: %s" % str(clientHello.client_version)): | 1488 "Too old version: %s" % str(clientHello.client_version)): |
1480 yield result | 1489 yield result |
1481 | 1490 |
1482 #If simulating TLS intolerance, reject certain TLS versions. | 1491 #If simulating TLS intolerance, reject certain TLS versions. |
1483 elif (settings.tlsIntolerant is not None and | 1492 elif self._isIntolerant(settings, clientHello): |
1484 clientHello.client_version >= settings.tlsIntolerant): | |
1485 if settings.tlsIntoleranceType == "alert": | 1493 if settings.tlsIntoleranceType == "alert": |
1486 for result in self._sendError(\ | 1494 for result in self._sendError(\ |
1487 AlertDescription.handshake_failure): | 1495 AlertDescription.handshake_failure): |
1488 yield result | 1496 yield result |
1489 elif settings.tlsIntoleranceType == "close": | 1497 elif settings.tlsIntoleranceType == "close": |
1490 self._abruptClose() | 1498 self._abruptClose() |
1491 raise TLSUnsupportedError("Simulating version intolerance") | 1499 raise TLSUnsupportedError("Simulating version intolerance") |
1492 elif settings.tlsIntoleranceType == "reset": | 1500 elif settings.tlsIntoleranceType == "reset": |
1493 self._abruptClose(reset=True) | 1501 self._abruptClose(reset=True) |
1494 raise TLSUnsupportedError("Simulating version intolerance") | 1502 raise TLSUnsupportedError("Simulating version intolerance") |
(...skipping 583 matching lines...)
2078 seed += bytearray(2) | 2086 seed += bytearray(2) |
2079 seed[len(seed) - 2] = len(context) >> 8 | 2087 seed[len(seed) - 2] = len(context) >> 8 |
2080 seed[len(seed) - 1] = len(context) & 0xFF | 2088 seed[len(seed) - 1] = len(context) & 0xFF |
2081 seed += context | 2089 seed += context |
2082 if self.version in ((3,1), (3,2)): | 2090 if self.version in ((3,1), (3,2)): |
2083 return PRF(self.session.masterSecret, label, seed, length) | 2091 return PRF(self.session.masterSecret, label, seed, length) |
2084 elif self.version == (3,3): | 2092 elif self.version == (3,3): |
2085 return PRF_1_2(self.session.masterSecret, label, seed, length) | 2093 return PRF_1_2(self.session.masterSecret, label, seed, length) |
2086 else: | 2094 else: |
2087 raise AssertionError() | 2095 raise AssertionError() |
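Review bot: `_isIntolerant` (new lines 1460-1466) treats the mere presence of the supported_versions extension as an offer of TLS 1.3, without looking at the versions listed in it. A ClientHello that carries the extension but lists only TLS 1.2 or lower would be counted as `(3, 4)` and trip the simulated intolerance at a threshold it never actually offered; if `has_supported_versions` is only a presence flag (its definition is not on this page), that simplification should either be fixed or stated. The helper also has no docstring and the literal `(3, 4)` is unexplained, so I would add `"""Return True if the simulated version intolerance applies to this ClientHello."""` and a comment such as `# supported_versions present: treat the offer as TLS 1.3 (3, 4), since client_version stays at (3, 3)`. The body of `_serverGetClientHello` continues outside the visible lines, so how the negotiated version is chosen after this check cannot be confirmed from here.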