| OLD | NEW |
|---|
| (Empty) | |
| 1 diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlsl
ite/tlslite/handshakesettings.py |
| 2 index e0bc0e6..5a493ba 100644 |
| 3 --- a/third_party/tlslite/tlslite/handshakesettings.py |
| 4 +++ b/third_party/tlslite/tlslite/handshakesettings.py |
| 5 @@ -92,6 +92,20 @@ class HandshakeSettings(object): |
| 6 The default is (3,2). (WARNING: Some servers may (improperly) |
| 7 reject clients which offer support for TLS 1.1. In this case, |
| 8 try lowering maxVersion to (3,1)). |
| 9 + |
| 10 + @type tlsIntolerant: tuple |
| 11 + @ivar tlsIntolerant: TLS version intolerance for servers. |
| 12 + |
| 13 + If tlsIntolerant is not None, the server will simulate TLS version |
| 14 + intolerance by returning a fatal handshake_failure alert or a TCP reset to |
| 15 + all TLS versions tlsIntolerant or higher. |
| 16 + |
| 17 + @type resetOnIntolerance: bool |
| 18 + @ivar resetOnIntolerance: Whether to send a TCP reset on TLS intolerance. |
| 19 + |
| 20 + If resetOnIntolerance is True, the server will simulate TLS version |
| 21 + intolerance with a TCP reset rather than with a fatal handshake_failuer |
| 22 + alert. |
| 23 |
| 24 @type useExperimentalTackExtension: bool |
| 25 @ivar useExperimentalTackExtension: Whether to enabled TACK support. |
| 26 @@ -109,6 +123,8 @@ class HandshakeSettings(object): |
| 27 self.certificateTypes = CERTIFICATE_TYPES |
| 28 self.minVersion = (3,0) |
| 29 self.maxVersion = (3,2) |
| 30 + self.tlsIntolerant = None |
| 31 + self.resetOnIntolerance = False |
| 32 self.useExperimentalTackExtension = False |
| 33 |
| 34 # Validates the min/max fields, and certificateTypes |
| 35 @@ -124,6 +140,8 @@ class HandshakeSettings(object): |
| 36 other.certificateTypes = self.certificateTypes |
| 37 other.minVersion = self.minVersion |
| 38 other.maxVersion = self.maxVersion |
| 39 + other.tlsIntolerant = self.tlsIntolerant |
| 40 + other.resetOnIntolerance = self.resetOnIntolerance |
| 41 |
| 42 if not cipherfactory.tripleDESPresent: |
| 43 other.cipherNames = [e for e in self.cipherNames if e != "3des"] |
| 44 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/
tlslite/tlsconnection.py |
| 45 index e6f7820..c02a586 100644 |
| 46 --- a/third_party/tlslite/tlslite/tlsconnection.py |
| 47 +++ b/third_party/tlslite/tlslite/tlsconnection.py |
| 48 @@ -1065,7 +1065,7 @@ class TLSConnection(TLSRecordLayer): |
| 49 reqCAs = None, |
| 50 tacks=None, activationFlags=0, |
| 51 nextProtos=None, anon=False, |
| 52 - tlsIntolerant=None, signedCertTimestamps=None, |
| 53 + signedCertTimestamps=None, |
| 54 fallbackSCSV=False, ocspResponse=None): |
| 55 """Perform a handshake in the role of server. |
| 56 |
| 57 @@ -1135,11 +1135,6 @@ class TLSConnection(TLSRecordLayer): |
| 58 clients through the Next-Protocol Negotiation Extension, |
| 59 if they support it. |
| 60 |
| 61 - @type tlsIntolerant: (int, int) or None |
| 62 - @param tlsIntolerant: If tlsIntolerant is not None, the server will |
| 63 - simulate TLS version intolerance by returning a fatal handshake_failure |
| 64 - alert to all TLS versions tlsIntolerant or higher. |
| 65 - |
| 66 @type signedCertTimestamps: str |
| 67 @param signedCertTimestamps: A SignedCertificateTimestampList (as a |
| 68 binary 8-bit string) that will be sent as a TLS extension whenever |
| 69 @@ -1171,7 +1166,7 @@ class TLSConnection(TLSRecordLayer): |
| 70 certChain, privateKey, reqCert, sessionCache, settings, |
| 71 checker, reqCAs, |
| 72 tacks=tacks, activationFlags=activationFlags, |
| 73 - nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, |
| 74 + nextProtos=nextProtos, anon=anon, |
| 75 signedCertTimestamps=signedCertTimestamps, |
| 76 fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse): |
| 77 pass |
| 78 @@ -1183,7 +1178,6 @@ class TLSConnection(TLSRecordLayer): |
| 79 reqCAs=None, |
| 80 tacks=None, activationFlags=0, |
| 81 nextProtos=None, anon=False, |
| 82 - tlsIntolerant=None, |
| 83 signedCertTimestamps=None, |
| 84 fallbackSCSV=False, |
| 85 ocspResponse=None |
| 86 @@ -1206,7 +1200,6 @@ class TLSConnection(TLSRecordLayer): |
| 87 reqCAs=reqCAs, |
| 88 tacks=tacks, activationFlags=activationFlags, |
| 89 nextProtos=nextProtos, anon=anon, |
| 90 - tlsIntolerant=tlsIntolerant, |
| 91 signedCertTimestamps=signedCertTimestamps, |
| 92 fallbackSCSV=fallbackSCSV, |
| 93 ocspResponse=ocspResponse) |
| 94 @@ -1219,7 +1212,7 @@ class TLSConnection(TLSRecordLayer): |
| 95 settings, reqCAs, |
| 96 tacks, activationFlags, |
| 97 nextProtos, anon, |
| 98 - tlsIntolerant, signedCertTimestamps, fallbackSCSV, |
| 99 + signedCertTimestamps, fallbackSCSV, |
| 100 ocspResponse): |
| 101 |
| 102 self._handshakeStart(client=False) |
| 103 @@ -1255,7 +1248,7 @@ class TLSConnection(TLSRecordLayer): |
| 104 # Handle ClientHello and resumption |
| 105 for result in self._serverGetClientHello(settings, certChain,\ |
| 106 verifierDB, sessionCache, |
| 107 - anon, tlsIntolerant, fallbackSCSV): |
| 108 + anon, fallbackSCSV): |
| 109 if result in (0,1): yield result |
| 110 elif result == None: |
| 111 self._handshakeDone(resumed=True) |
| 112 @@ -1370,7 +1363,7 @@ class TLSConnection(TLSRecordLayer): |
| 113 |
| 114 |
| 115 def _serverGetClientHello(self, settings, certChain, verifierDB, |
| 116 - sessionCache, anon, tlsIntolerant, fallbackSCSV
): |
| 117 + sessionCache, anon, fallbackSCSV): |
| 118 #Initialize acceptable cipher suites |
| 119 cipherSuites = [] |
| 120 if verifierDB: |
| 121 @@ -1407,11 +1400,15 @@ class TLSConnection(TLSRecordLayer): |
| 122 yield result |
| 123 |
| 124 #If simulating TLS intolerance, reject certain TLS versions. |
| 125 - elif (tlsIntolerant is not None and |
| 126 - clientHello.client_version >= tlsIntolerant): |
| 127 - for result in self._sendError(\ |
| 128 + elif (settings.tlsIntolerant is not None and |
| 129 + clientHello.client_version >= settings.tlsIntolerant): |
| 130 + if settings.resetOnIntolerance: |
| 131 + self._abortWithReset() |
| 132 + raise TLSUnsupportedError('Simulating version intolerance') |
| 133 + else: |
| 134 + for result in self._sendError(\ |
| 135 AlertDescription.handshake_failure): |
| 136 - yield result |
| 137 + yield result |
| 138 |
| 139 #If client's version is too high, propose my highest version |
| 140 elif clientHello.client_version > settings.maxVersion: |
| 141 diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite
/tlslite/tlsrecordlayer.py |
| 142 index 8b92221..a164236 100644 |
| 143 --- a/third_party/tlslite/tlslite/tlsrecordlayer.py |
| 144 +++ b/third_party/tlslite/tlslite/tlsrecordlayer.py |
| 145 @@ -19,6 +19,7 @@ from .constants import * |
| 146 from .utils.cryptomath import getRandomBytes |
| 147 |
| 148 import socket |
| 149 +import struct |
| 150 import errno |
| 151 import traceback |
| 152 |
| 153 @@ -521,6 +522,12 @@ class TLSRecordLayer(object): |
| 154 self._shutdown(False) |
| 155 raise TLSLocalAlert(alert, errorStr) |
| 156 |
| 157 + def _abortWithReset(self): |
| 158 + #Set an SO_LINGER timeout of 0 to send a TCP RST. |
| 159 + self.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, |
| 160 + struct.pack('ii', 1, 0)) |
| 161 + self._shutdown(False) |
| 162 + |
| 163 def _sendMsgs(self, msgs): |
| 164 randomizeFirstBlock = True |
| 165 for msg in msgs: |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 280853002:
Preserve transport errors for OpenSSL sockets. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src