Index: third_party/tlslite/patches/tls13_intolerance.patch |
diff --git a/third_party/tlslite/patches/tls13_intolerance.patch b/third_party/tlslite/patches/tls13_intolerance.patch |
new file mode 100644 |
index 0000000000000000000000000000000000000000..6f19571c787276518478d03eee9cb696e53bff16 |
--- /dev/null |
+++ b/third_party/tlslite/patches/tls13_intolerance.patch |
@@ -0,0 +1,66 @@ |
+diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py |
+index 82e8c075fe2a..8fb75d0948e4 100644 |
+--- a/third_party/tlslite/tlslite/constants.py |
++++ b/third_party/tlslite/tlslite/constants.py |
+@@ -58,6 +58,7 @@ class ExtensionType: # RFC 6066 / 4366 |
+ signed_cert_timestamps = 18 # RFC 6962 |
+ extended_master_secret = 23 # RFC 7627 |
+ token_binding = 24 # draft-ietf-tokbind-negotiation |
++ supported_versions = 43 # draft-ietf-tls-tls13-18 |
+ tack = 0xF300 |
+ supports_npn = 13172 |
+ channel_id = 30032 |
+diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py |
+index ac7e563021d9..b29db939c2a8 100644 |
+--- a/third_party/tlslite/tlslite/messages.py |
++++ b/third_party/tlslite/tlslite/messages.py |
+@@ -140,6 +140,7 @@ class ClientHello(HandshakeMsg): |
+ self.tb_client_params = [] |
+ self.support_signed_cert_timestamps = False |
+ self.status_request = False |
++ self.has_supported_versions = False |
+ self.ri = False |
+ |
+ def create(self, version, random, session_id, cipher_suites, |
+@@ -251,6 +252,11 @@ class ClientHello(HandshakeMsg): |
+ if extLength != 1 or p.getFixBytes(extLength)[0] != 0: |
+ raise SyntaxError() |
+ self.ri = True |
++ elif extType == ExtensionType.supported_versions: |
++ # Ignore the extension, but make a note of it for |
++ # intolerance simulation. |
++ self.has_supported_versions = True |
++ _ = p.getFixBytes(extLength) |
+ else: |
+ _ = p.getFixBytes(extLength) |
+ index2 = p.index |
+diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py |
+index 8ba1c6e636ab..2309d4fa8f3a 100644 |
+--- a/third_party/tlslite/tlslite/tlsconnection.py |
++++ b/third_party/tlslite/tlslite/tlsconnection.py |
+@@ -1457,6 +1457,15 @@ class TLSConnection(TLSRecordLayer): |
+ self._handshakeDone(resumed=False) |
+ |
+ |
++ def _isIntolerant(self, settings, clientHello): |
++ if settings.tlsIntolerant is None: |
++ return False |
++ clientVersion = clientHello.client_version |
++ if clientHello.has_supported_versions: |
++ clientVersion = (3, 4) |
++ return clientVersion >= settings.tlsIntolerant |
++ |
++ |
+ def _serverGetClientHello(self, settings, certChain, verifierDB, |
+ sessionCache, anon, fallbackSCSV): |
+ #Tentatively set version to most-desirable version, so if an error |
+@@ -1480,8 +1489,7 @@ class TLSConnection(TLSRecordLayer): |
+ yield result |
+ |
+ #If simulating TLS intolerance, reject certain TLS versions. |
+- elif (settings.tlsIntolerant is not None and |
+- clientHello.client_version >= settings.tlsIntolerant): |
++ elif self._isIntolerant(settings, clientHello): |
+ if settings.tlsIntoleranceType == "alert": |
+ for result in self._sendError(\ |
+ AlertDescription.handshake_failure): |