OLD | NEW |
(Empty) | |
| 1 diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlsl
ite/tlslite/handshakesettings.py |
| 2 index e0bc0e6..0d4ccf2 100644 |
| 3 --- a/third_party/tlslite/tlslite/handshakesettings.py |
| 4 +++ b/third_party/tlslite/tlslite/handshakesettings.py |
| 5 @@ -18,6 +18,7 @@ ALL_MAC_NAMES = ["sha", "md5"] |
| 6 KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"] |
| 7 CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"] |
| 8 CERTIFICATE_TYPES = ["x509"] |
| 9 +TLS_INTOLERANCE_TYPES = ["alert", "close", "reset"] |
| 10 |
| 11 class HandshakeSettings(object): |
| 12 """This class encapsulates various parameters that can be used with |
| 13 @@ -92,6 +93,21 @@ class HandshakeSettings(object): |
| 14 The default is (3,2). (WARNING: Some servers may (improperly) |
| 15 reject clients which offer support for TLS 1.1. In this case, |
| 16 try lowering maxVersion to (3,1)). |
| 17 + |
| 18 + @type tlsIntolerant: tuple |
| 19 + @ivar tlsIntolerant: The TLS ClientHello version which the server |
| 20 + simulates intolerance of. |
| 21 + |
| 22 + If tlsIntolerant is not None, the server will simulate TLS version |
| 23 + intolerance by aborting the handshake in response to all TLS versions |
| 24 + tlsIntolerant or higher. |
| 25 + |
| 26 + @type tlsIntoleranceType: str |
| 27 + @ivar tlsIntoleranceType: How the server should react when simulating TLS |
| 28 + intolerance. |
| 29 + |
| 30 + The allowed values are "alert" (return a fatal handshake_failure alert), |
| 31 + "close" (abruptly close the connection), and "reset" (send a TCP reset). |
| 32 |
| 33 @type useExperimentalTackExtension: bool |
| 34 @ivar useExperimentalTackExtension: Whether to enabled TACK support. |
| 35 @@ -109,6 +125,8 @@ class HandshakeSettings(object): |
| 36 self.certificateTypes = CERTIFICATE_TYPES |
| 37 self.minVersion = (3,0) |
| 38 self.maxVersion = (3,2) |
| 39 + self.tlsIntolerant = None |
| 40 + self.tlsIntoleranceType = 'alert' |
| 41 self.useExperimentalTackExtension = False |
| 42 |
| 43 # Validates the min/max fields, and certificateTypes |
| 44 @@ -124,6 +142,8 @@ class HandshakeSettings(object): |
| 45 other.certificateTypes = self.certificateTypes |
| 46 other.minVersion = self.minVersion |
| 47 other.maxVersion = self.maxVersion |
| 48 + other.tlsIntolerant = self.tlsIntolerant |
| 49 + other.tlsIntoleranceType = self.tlsIntoleranceType |
| 50 |
| 51 if not cipherfactory.tripleDESPresent: |
| 52 other.cipherNames = [e for e in self.cipherNames if e != "3des"] |
| 53 @@ -165,6 +185,10 @@ class HandshakeSettings(object): |
| 54 if s not in CERTIFICATE_TYPES: |
| 55 raise ValueError("Unknown certificate type: '%s'" % s) |
| 56 |
| 57 + if other.tlsIntoleranceType not in TLS_INTOLERANCE_TYPES: |
| 58 + raise ValueError( |
| 59 + "Unknown TLS intolerance type: '%s'" % other.tlsIntoleranceType
) |
| 60 + |
| 61 if other.minVersion > other.maxVersion: |
| 62 raise ValueError("Versions set incorrectly") |
| 63 |
| 64 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/
tlslite/tlsconnection.py |
| 65 index 044ad59..7c1572f 100644 |
| 66 --- a/third_party/tlslite/tlslite/tlsconnection.py |
| 67 +++ b/third_party/tlslite/tlslite/tlsconnection.py |
| 68 @@ -1065,7 +1065,7 @@ class TLSConnection(TLSRecordLayer): |
| 69 reqCAs = None, reqCertTypes = None, |
| 70 tacks=None, activationFlags=0, |
| 71 nextProtos=None, anon=False, |
| 72 - tlsIntolerant=None, signedCertTimestamps=None, |
| 73 + signedCertTimestamps=None, |
| 74 fallbackSCSV=False, ocspResponse=None): |
| 75 """Perform a handshake in the role of server. |
| 76 |
| 77 @@ -1139,11 +1139,6 @@ class TLSConnection(TLSRecordLayer): |
| 78 clients through the Next-Protocol Negotiation Extension, |
| 79 if they support it. |
| 80 |
| 81 - @type tlsIntolerant: (int, int) or None |
| 82 - @param tlsIntolerant: If tlsIntolerant is not None, the server will |
| 83 - simulate TLS version intolerance by returning a fatal handshake_failure |
| 84 - alert to all TLS versions tlsIntolerant or higher. |
| 85 - |
| 86 @type signedCertTimestamps: str |
| 87 @param signedCertTimestamps: A SignedCertificateTimestampList (as a |
| 88 binary 8-bit string) that will be sent as a TLS extension whenever |
| 89 @@ -1175,7 +1170,7 @@ class TLSConnection(TLSRecordLayer): |
| 90 certChain, privateKey, reqCert, sessionCache, settings, |
| 91 checker, reqCAs, reqCertTypes, |
| 92 tacks=tacks, activationFlags=activationFlags, |
| 93 - nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, |
| 94 + nextProtos=nextProtos, anon=anon, |
| 95 signedCertTimestamps=signedCertTimestamps, |
| 96 fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse): |
| 97 pass |
| 98 @@ -1187,7 +1182,6 @@ class TLSConnection(TLSRecordLayer): |
| 99 reqCAs=None, reqCertTypes=None, |
| 100 tacks=None, activationFlags=0, |
| 101 nextProtos=None, anon=False, |
| 102 - tlsIntolerant=None, |
| 103 signedCertTimestamps=None, |
| 104 fallbackSCSV=False, |
| 105 ocspResponse=None |
| 106 @@ -1210,7 +1204,6 @@ class TLSConnection(TLSRecordLayer): |
| 107 reqCAs=reqCAs, reqCertTypes=reqCertTypes, |
| 108 tacks=tacks, activationFlags=activationFlags, |
| 109 nextProtos=nextProtos, anon=anon, |
| 110 - tlsIntolerant=tlsIntolerant, |
| 111 signedCertTimestamps=signedCertTimestamps, |
| 112 fallbackSCSV=fallbackSCSV, |
| 113 ocspResponse=ocspResponse) |
| 114 @@ -1223,7 +1216,7 @@ class TLSConnection(TLSRecordLayer): |
| 115 settings, reqCAs, reqCertTypes, |
| 116 tacks, activationFlags, |
| 117 nextProtos, anon, |
| 118 - tlsIntolerant, signedCertTimestamps, fallbackSCSV, |
| 119 + signedCertTimestamps, fallbackSCSV, |
| 120 ocspResponse): |
| 121 |
| 122 self._handshakeStart(client=False) |
| 123 @@ -1261,7 +1254,7 @@ class TLSConnection(TLSRecordLayer): |
| 124 # Handle ClientHello and resumption |
| 125 for result in self._serverGetClientHello(settings, certChain,\ |
| 126 verifierDB, sessionCache, |
| 127 - anon, tlsIntolerant, fallbackSCSV): |
| 128 + anon, fallbackSCSV): |
| 129 if result in (0,1): yield result |
| 130 elif result == None: |
| 131 self._handshakeDone(resumed=True) |
| 132 @@ -1376,7 +1369,7 @@ class TLSConnection(TLSRecordLayer): |
| 133 |
| 134 |
| 135 def _serverGetClientHello(self, settings, certChain, verifierDB, |
| 136 - sessionCache, anon, tlsIntolerant, fallbackSCSV
): |
| 137 + sessionCache, anon, fallbackSCSV): |
| 138 #Initialize acceptable cipher suites |
| 139 cipherSuites = [] |
| 140 if verifierDB: |
| 141 @@ -1413,11 +1406,21 @@ class TLSConnection(TLSRecordLayer): |
| 142 yield result |
| 143 |
| 144 #If simulating TLS intolerance, reject certain TLS versions. |
| 145 - elif (tlsIntolerant is not None and |
| 146 - clientHello.client_version >= tlsIntolerant): |
| 147 - for result in self._sendError(\ |
| 148 + elif (settings.tlsIntolerant is not None and |
| 149 + clientHello.client_version >= settings.tlsIntolerant): |
| 150 + if settings.tlsIntoleranceType == "alert": |
| 151 + for result in self._sendError(\ |
| 152 AlertDescription.handshake_failure): |
| 153 - yield result |
| 154 + yield result |
| 155 + elif settings.tlsIntoleranceType == "close": |
| 156 + self._abruptClose() |
| 157 + raise TLSUnsupportedError("Simulating version intolerance") |
| 158 + elif settings.tlsIntoleranceType == "reset": |
| 159 + self._abruptClose(reset=True) |
| 160 + raise TLSUnsupportedError("Simulating version intolerance") |
| 161 + else: |
| 162 + raise ValueError("Unknown intolerance type: '%s'" % |
| 163 + settings.tlsIntoleranceType) |
| 164 |
| 165 #If client's version is too high, propose my highest version |
| 166 elif clientHello.client_version > settings.maxVersion: |
| 167 diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite
/tlslite/tlsrecordlayer.py |
| 168 index 370dc9a..23c2a2f 100644 |
| 169 --- a/third_party/tlslite/tlslite/tlsrecordlayer.py |
| 170 +++ b/third_party/tlslite/tlslite/tlsrecordlayer.py |
| 171 @@ -19,6 +19,7 @@ from .constants import * |
| 172 from .utils.cryptomath import getRandomBytes |
| 173 |
| 174 import socket |
| 175 +import struct |
| 176 import errno |
| 177 import traceback |
| 178 |
| 179 @@ -523,6 +524,13 @@ class TLSRecordLayer(object): |
| 180 self._shutdown(False) |
| 181 raise TLSLocalAlert(alert, errorStr) |
| 182 |
| 183 + def _abruptClose(self, reset=False): |
| 184 + if reset: |
| 185 + #Set an SO_LINGER timeout of 0 to send a TCP RST. |
| 186 + self.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, |
| 187 + struct.pack('ii', 1, 0)) |
| 188 + self._shutdown(False) |
| 189 + |
| 190 def _sendMsgs(self, msgs): |
| 191 randomizeFirstBlock = True |
| 192 for msg in msgs: |
OLD | NEW |