| Index: third_party/tlslite/patches/reset_on_intolerance.patch
|
| diff --git a/third_party/tlslite/patches/reset_on_intolerance.patch b/third_party/tlslite/patches/reset_on_intolerance.patch
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..d520853b483cb6848334bab5e7effe9579138f8a
|
| --- /dev/null
|
| +++ b/third_party/tlslite/patches/reset_on_intolerance.patch
|
| @@ -0,0 +1,165 @@
|
| +diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py
|
| +index e0bc0e6..5a493ba 100644
|
| +--- a/third_party/tlslite/tlslite/handshakesettings.py
|
| ++++ b/third_party/tlslite/tlslite/handshakesettings.py
|
| +@@ -92,6 +92,20 @@ class HandshakeSettings(object):
|
| + The default is (3,2). (WARNING: Some servers may (improperly)
|
| + reject clients which offer support for TLS 1.1. In this case,
|
| + try lowering maxVersion to (3,1)).
|
| ++
|
| ++ @type tlsIntolerant: tuple
|
| ++ @ivar tlsIntolerant: TLS version intolerance for servers.
|
| ++
|
| ++ If tlsIntolerant is not None, the server will simulate TLS version
|
| ++ intolerance by returning a fatal handshake_failure alert or a TCP reset to
|
| ++ all TLS versions tlsIntolerant or higher.
|
| ++
|
| ++ @type resetOnIntolerance: bool
|
| ++ @ivar resetOnIntolerance: Whether to send a TCP reset on TLS intolerance.
|
| ++
|
| ++ If resetOnIntolerance is True, the server will simulate TLS version
|
| ++ intolerance with a TCP reset rather than with a fatal handshake_failuer
|
| ++ alert.
|
| +
|
| + @type useExperimentalTackExtension: bool
|
| + @ivar useExperimentalTackExtension: Whether to enabled TACK support.
|
| +@@ -109,6 +123,8 @@ class HandshakeSettings(object):
|
| + self.certificateTypes = CERTIFICATE_TYPES
|
| + self.minVersion = (3,0)
|
| + self.maxVersion = (3,2)
|
| ++ self.tlsIntolerant = None
|
| ++ self.resetOnIntolerance = False
|
| + self.useExperimentalTackExtension = False
|
| +
|
| + # Validates the min/max fields, and certificateTypes
|
| +@@ -124,6 +140,8 @@ class HandshakeSettings(object):
|
| + other.certificateTypes = self.certificateTypes
|
| + other.minVersion = self.minVersion
|
| + other.maxVersion = self.maxVersion
|
| ++ other.tlsIntolerant = self.tlsIntolerant
|
| ++ other.resetOnIntolerance = self.resetOnIntolerance
|
| +
|
| + if not cipherfactory.tripleDESPresent:
|
| + other.cipherNames = [e for e in self.cipherNames if e != "3des"]
|
| +diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
|
| +index e6f7820..c02a586 100644
|
| +--- a/third_party/tlslite/tlslite/tlsconnection.py
|
| ++++ b/third_party/tlslite/tlslite/tlsconnection.py
|
| +@@ -1065,7 +1065,7 @@ class TLSConnection(TLSRecordLayer):
|
| + reqCAs = None,
|
| + tacks=None, activationFlags=0,
|
| + nextProtos=None, anon=False,
|
| +- tlsIntolerant=None, signedCertTimestamps=None,
|
| ++ signedCertTimestamps=None,
|
| + fallbackSCSV=False, ocspResponse=None):
|
| + """Perform a handshake in the role of server.
|
| +
|
| +@@ -1135,11 +1135,6 @@ class TLSConnection(TLSRecordLayer):
|
| + clients through the Next-Protocol Negotiation Extension,
|
| + if they support it.
|
| +
|
| +- @type tlsIntolerant: (int, int) or None
|
| +- @param tlsIntolerant: If tlsIntolerant is not None, the server will
|
| +- simulate TLS version intolerance by returning a fatal handshake_failure
|
| +- alert to all TLS versions tlsIntolerant or higher.
|
| +-
|
| + @type signedCertTimestamps: str
|
| + @param signedCertTimestamps: A SignedCertificateTimestampList (as a
|
| + binary 8-bit string) that will be sent as a TLS extension whenever
|
| +@@ -1171,7 +1166,7 @@ class TLSConnection(TLSRecordLayer):
|
| + certChain, privateKey, reqCert, sessionCache, settings,
|
| + checker, reqCAs,
|
| + tacks=tacks, activationFlags=activationFlags,
|
| +- nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant,
|
| ++ nextProtos=nextProtos, anon=anon,
|
| + signedCertTimestamps=signedCertTimestamps,
|
| + fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse):
|
| + pass
|
| +@@ -1183,7 +1178,6 @@ class TLSConnection(TLSRecordLayer):
|
| + reqCAs=None,
|
| + tacks=None, activationFlags=0,
|
| + nextProtos=None, anon=False,
|
| +- tlsIntolerant=None,
|
| + signedCertTimestamps=None,
|
| + fallbackSCSV=False,
|
| + ocspResponse=None
|
| +@@ -1206,7 +1200,6 @@ class TLSConnection(TLSRecordLayer):
|
| + reqCAs=reqCAs,
|
| + tacks=tacks, activationFlags=activationFlags,
|
| + nextProtos=nextProtos, anon=anon,
|
| +- tlsIntolerant=tlsIntolerant,
|
| + signedCertTimestamps=signedCertTimestamps,
|
| + fallbackSCSV=fallbackSCSV,
|
| + ocspResponse=ocspResponse)
|
| +@@ -1219,7 +1212,7 @@ class TLSConnection(TLSRecordLayer):
|
| + settings, reqCAs,
|
| + tacks, activationFlags,
|
| + nextProtos, anon,
|
| +- tlsIntolerant, signedCertTimestamps, fallbackSCSV,
|
| ++ signedCertTimestamps, fallbackSCSV,
|
| + ocspResponse):
|
| +
|
| + self._handshakeStart(client=False)
|
| +@@ -1255,7 +1248,7 @@ class TLSConnection(TLSRecordLayer):
|
| + # Handle ClientHello and resumption
|
| + for result in self._serverGetClientHello(settings, certChain,\
|
| + verifierDB, sessionCache,
|
| +- anon, tlsIntolerant, fallbackSCSV):
|
| ++ anon, fallbackSCSV):
|
| + if result in (0,1): yield result
|
| + elif result == None:
|
| + self._handshakeDone(resumed=True)
|
| +@@ -1370,7 +1363,7 @@ class TLSConnection(TLSRecordLayer):
|
| +
|
| +
|
| + def _serverGetClientHello(self, settings, certChain, verifierDB,
|
| +- sessionCache, anon, tlsIntolerant, fallbackSCSV):
|
| ++ sessionCache, anon, fallbackSCSV):
|
| + #Initialize acceptable cipher suites
|
| + cipherSuites = []
|
| + if verifierDB:
|
| +@@ -1407,11 +1400,15 @@ class TLSConnection(TLSRecordLayer):
|
| + yield result
|
| +
|
| + #If simulating TLS intolerance, reject certain TLS versions.
|
| +- elif (tlsIntolerant is not None and
|
| +- clientHello.client_version >= tlsIntolerant):
|
| +- for result in self._sendError(\
|
| ++ elif (settings.tlsIntolerant is not None and
|
| ++ clientHello.client_version >= settings.tlsIntolerant):
|
| ++ if settings.resetOnIntolerance:
|
| ++ self._abortWithReset()
|
| ++ raise TLSUnsupportedError('Simulating version intolerance')
|
| ++ else:
|
| ++ for result in self._sendError(\
|
| + AlertDescription.handshake_failure):
|
| +- yield result
|
| ++ yield result
|
| +
|
| + #If client's version is too high, propose my highest version
|
| + elif clientHello.client_version > settings.maxVersion:
|
| +diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite/tlslite/tlsrecordlayer.py
|
| +index 8b92221..a164236 100644
|
| +--- a/third_party/tlslite/tlslite/tlsrecordlayer.py
|
| ++++ b/third_party/tlslite/tlslite/tlsrecordlayer.py
|
| +@@ -19,6 +19,7 @@ from .constants import *
|
| + from .utils.cryptomath import getRandomBytes
|
| +
|
| + import socket
|
| ++import struct
|
| + import errno
|
| + import traceback
|
| +
|
| +@@ -521,6 +522,12 @@ class TLSRecordLayer(object):
|
| + self._shutdown(False)
|
| + raise TLSLocalAlert(alert, errorStr)
|
| +
|
| ++ def _abortWithReset(self):
|
| ++ #Set an SO_LINGER timeout of 0 to send a TCP RST.
|
| ++ self.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
|
| ++ struct.pack('ii', 1, 0))
|
| ++ self._shutdown(False)
|
| ++
|
| + def _sendMsgs(self, msgs):
|
| + randomizeFirstBlock = True
|
| + for msg in msgs:
|
|
|
Chromium Code Reviews
Issue 280853002:
Preserve transport errors for OpenSSL sockets. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src