OLD | NEW |
1 diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlsl
ite/tlslite/handshakesettings.py | 1 diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlsl
ite/tlslite/handshakesettings.py |
2 index e0bc0e6..0d4ccf2 100644 | 2 index 7998e2e..2e9e06d 100644 |
3 --- a/third_party/tlslite/tlslite/handshakesettings.py | 3 --- a/third_party/tlslite/tlslite/handshakesettings.py |
4 +++ b/third_party/tlslite/tlslite/handshakesettings.py | 4 +++ b/third_party/tlslite/tlslite/handshakesettings.py |
5 @@ -18,6 +18,7 @@ ALL_MAC_NAMES = ["sha", "md5"] | 5 @@ -19,6 +19,7 @@ ALL_MAC_NAMES = ["sha", "sha256", "md5"] |
6 KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"] | 6 KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"] |
7 CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"] | 7 CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"] |
8 CERTIFICATE_TYPES = ["x509"] | 8 CERTIFICATE_TYPES = ["x509"] |
9 +TLS_INTOLERANCE_TYPES = ["alert", "close", "reset"] | 9 +TLS_INTOLERANCE_TYPES = ["alert", "close", "reset"] |
10 | 10 |
11 class HandshakeSettings(object): | 11 class HandshakeSettings(object): |
12 """This class encapsulates various parameters that can be used with | 12 """This class encapsulates various parameters that can be used with |
13 @@ -92,6 +93,21 @@ class HandshakeSettings(object): | 13 @@ -91,6 +92,21 @@ class HandshakeSettings(object): |
14 The default is (3,2). (WARNING: Some servers may (improperly) | 14 version, a protocol_version alert will be signalled. The default is (3,3). |
15 reject clients which offer support for TLS 1.1. In this case, | 15 (WARNING: Some servers may (improperly) reject clients which offer support |
16 try lowering maxVersion to (3,1)). | 16 for TLS 1.1. In this case, try lowering maxVersion to (3,1)). |
17 + | 17 + |
18 + @type tlsIntolerant: tuple | 18 + @type tlsIntolerant: tuple |
19 + @ivar tlsIntolerant: The TLS ClientHello version which the server | 19 + @ivar tlsIntolerant: The TLS ClientHello version which the server |
20 + simulates intolerance of. | 20 + simulates intolerance of. |
21 + | 21 + |
22 + If tlsIntolerant is not None, the server will simulate TLS version | 22 + If tlsIntolerant is not None, the server will simulate TLS version |
23 + intolerance by aborting the handshake in response to all TLS versions | 23 + intolerance by aborting the handshake in response to all TLS versions |
24 + tlsIntolerant or higher. | 24 + tlsIntolerant or higher. |
25 + | 25 + |
26 + @type tlsIntoleranceType: str | 26 + @type tlsIntoleranceType: str |
27 + @ivar tlsIntoleranceType: How the server should react when simulating TLS | 27 + @ivar tlsIntoleranceType: How the server should react when simulating TLS |
28 + intolerance. | 28 + intolerance. |
29 + | 29 + |
30 + The allowed values are "alert" (return a fatal handshake_failure alert), | 30 + The allowed values are "alert" (return a fatal handshake_failure alert), |
31 + "close" (abruptly close the connection), and "reset" (send a TCP reset). | 31 + "close" (abruptly close the connection), and "reset" (send a TCP reset). |
32 | 32 |
33 @type useExperimentalTackExtension: bool | 33 @type useExperimentalTackExtension: bool |
34 @ivar useExperimentalTackExtension: Whether to enabled TACK support. | 34 @ivar useExperimentalTackExtension: Whether to enabled TACK support. |
35 @@ -109,6 +125,8 @@ class HandshakeSettings(object): | 35 @@ -108,6 +124,8 @@ class HandshakeSettings(object): |
36 self.certificateTypes = CERTIFICATE_TYPES | 36 self.certificateTypes = CERTIFICATE_TYPES |
37 self.minVersion = (3,0) | 37 self.minVersion = (3,1) |
38 self.maxVersion = (3,2) | 38 self.maxVersion = (3,3) |
39 + self.tlsIntolerant = None | 39 + self.tlsIntolerant = None |
40 + self.tlsIntoleranceType = 'alert' | 40 + self.tlsIntoleranceType = 'alert' |
41 self.useExperimentalTackExtension = False | 41 self.useExperimentalTackExtension = False |
42 | 42 |
43 # Validates the min/max fields, and certificateTypes | 43 # Validates the min/max fields, and certificateTypes |
44 @@ -124,6 +142,8 @@ class HandshakeSettings(object): | 44 @@ -123,6 +141,8 @@ class HandshakeSettings(object): |
45 other.certificateTypes = self.certificateTypes | 45 other.certificateTypes = self.certificateTypes |
46 other.minVersion = self.minVersion | 46 other.minVersion = self.minVersion |
47 other.maxVersion = self.maxVersion | 47 other.maxVersion = self.maxVersion |
48 + other.tlsIntolerant = self.tlsIntolerant | 48 + other.tlsIntolerant = self.tlsIntolerant |
49 + other.tlsIntoleranceType = self.tlsIntoleranceType | 49 + other.tlsIntoleranceType = self.tlsIntoleranceType |
50 | 50 |
51 if not cipherfactory.tripleDESPresent: | 51 if not cipherfactory.tripleDESPresent: |
52 other.cipherNames = [e for e in self.cipherNames if e != "3des"] | 52 other.cipherNames = [e for e in self.cipherNames if e != "3des"] |
53 @@ -165,6 +185,10 @@ class HandshakeSettings(object): | 53 @@ -164,6 +184,10 @@ class HandshakeSettings(object): |
54 if s not in CERTIFICATE_TYPES: | 54 if s not in CERTIFICATE_TYPES: |
55 raise ValueError("Unknown certificate type: '%s'" % s) | 55 raise ValueError("Unknown certificate type: '%s'" % s) |
56 | 56 |
57 + if other.tlsIntoleranceType not in TLS_INTOLERANCE_TYPES: | 57 + if other.tlsIntoleranceType not in TLS_INTOLERANCE_TYPES: |
58 + raise ValueError( | 58 + raise ValueError( |
59 + "Unknown TLS intolerance type: '%s'" % other.tlsIntoleranceType
) | 59 + "Unknown TLS intolerance type: '%s'" % other.tlsIntoleranceType
) |
60 + | 60 + |
61 if other.minVersion > other.maxVersion: | 61 if other.minVersion > other.maxVersion: |
62 raise ValueError("Versions set incorrectly") | 62 raise ValueError("Versions set incorrectly") |
63 | 63 |
64 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/
tlslite/tlsconnection.py | 64 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/
tlslite/tlsconnection.py |
65 index 044ad59..7c1572f 100644 | 65 index f8547d5..4f3ba1c 100644 |
66 --- a/third_party/tlslite/tlslite/tlsconnection.py | 66 --- a/third_party/tlslite/tlslite/tlsconnection.py |
67 +++ b/third_party/tlslite/tlslite/tlsconnection.py | 67 +++ b/third_party/tlslite/tlslite/tlsconnection.py |
68 @@ -1065,7 +1065,7 @@ class TLSConnection(TLSRecordLayer): | 68 @@ -1073,7 +1073,7 @@ class TLSConnection(TLSRecordLayer): |
69 reqCAs = None, reqCertTypes = None, | 69 reqCAs = None, reqCertTypes = None, |
70 tacks=None, activationFlags=0, | 70 tacks=None, activationFlags=0, |
71 nextProtos=None, anon=False, | 71 nextProtos=None, anon=False, |
72 - tlsIntolerant=None, signedCertTimestamps=None, | 72 - tlsIntolerant=None, signedCertTimestamps=None, |
73 + signedCertTimestamps=None, | 73 + signedCertTimestamps=None, |
74 fallbackSCSV=False, ocspResponse=None): | 74 fallbackSCSV=False, ocspResponse=None): |
75 """Perform a handshake in the role of server. | 75 """Perform a handshake in the role of server. |
76 | 76 |
77 @@ -1139,11 +1139,6 @@ class TLSConnection(TLSRecordLayer): | 77 @@ -1147,11 +1147,6 @@ class TLSConnection(TLSRecordLayer): |
78 clients through the Next-Protocol Negotiation Extension, | 78 clients through the Next-Protocol Negotiation Extension, |
79 if they support it. | 79 if they support it. |
80 | 80 |
81 - @type tlsIntolerant: (int, int) or None | 81 - @type tlsIntolerant: (int, int) or None |
82 - @param tlsIntolerant: If tlsIntolerant is not None, the server will | 82 - @param tlsIntolerant: If tlsIntolerant is not None, the server will |
83 - simulate TLS version intolerance by returning a fatal handshake_failure | 83 - simulate TLS version intolerance by returning a fatal handshake_failure |
84 - alert to all TLS versions tlsIntolerant or higher. | 84 - alert to all TLS versions tlsIntolerant or higher. |
85 - | 85 - |
86 @type signedCertTimestamps: str | 86 @type signedCertTimestamps: str |
87 @param signedCertTimestamps: A SignedCertificateTimestampList (as a | 87 @param signedCertTimestamps: A SignedCertificateTimestampList (as a |
88 binary 8-bit string) that will be sent as a TLS extension whenever | 88 binary 8-bit string) that will be sent as a TLS extension whenever |
89 @@ -1175,7 +1170,7 @@ class TLSConnection(TLSRecordLayer): | 89 @@ -1183,7 +1178,7 @@ class TLSConnection(TLSRecordLayer): |
90 certChain, privateKey, reqCert, sessionCache, settings, | 90 certChain, privateKey, reqCert, sessionCache, settings, |
91 checker, reqCAs, reqCertTypes, | 91 checker, reqCAs, reqCertTypes, |
92 tacks=tacks, activationFlags=activationFlags, | 92 tacks=tacks, activationFlags=activationFlags, |
93 - nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, | 93 - nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, |
94 + nextProtos=nextProtos, anon=anon, | 94 + nextProtos=nextProtos, anon=anon, |
95 signedCertTimestamps=signedCertTimestamps, | 95 signedCertTimestamps=signedCertTimestamps, |
96 fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse): | 96 fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse): |
97 pass | 97 pass |
98 @@ -1187,7 +1182,6 @@ class TLSConnection(TLSRecordLayer): | 98 @@ -1195,7 +1190,6 @@ class TLSConnection(TLSRecordLayer): |
99 reqCAs=None, reqCertTypes=None, | 99 reqCAs=None, reqCertTypes=None, |
100 tacks=None, activationFlags=0, | 100 tacks=None, activationFlags=0, |
101 nextProtos=None, anon=False, | 101 nextProtos=None, anon=False, |
102 - tlsIntolerant=None, | 102 - tlsIntolerant=None, |
103 signedCertTimestamps=None, | 103 signedCertTimestamps=None, |
104 fallbackSCSV=False, | 104 fallbackSCSV=False, |
105 ocspResponse=None | 105 ocspResponse=None |
106 @@ -1210,7 +1204,6 @@ class TLSConnection(TLSRecordLayer): | 106 @@ -1218,7 +1212,6 @@ class TLSConnection(TLSRecordLayer): |
107 reqCAs=reqCAs, reqCertTypes=reqCertTypes, | 107 reqCAs=reqCAs, reqCertTypes=reqCertTypes, |
108 tacks=tacks, activationFlags=activationFlags, | 108 tacks=tacks, activationFlags=activationFlags, |
109 nextProtos=nextProtos, anon=anon, | 109 nextProtos=nextProtos, anon=anon, |
110 - tlsIntolerant=tlsIntolerant, | 110 - tlsIntolerant=tlsIntolerant, |
111 signedCertTimestamps=signedCertTimestamps, | 111 signedCertTimestamps=signedCertTimestamps, |
112 fallbackSCSV=fallbackSCSV, | 112 fallbackSCSV=fallbackSCSV, |
113 ocspResponse=ocspResponse) | 113 ocspResponse=ocspResponse) |
114 @@ -1223,7 +1216,7 @@ class TLSConnection(TLSRecordLayer): | 114 @@ -1231,7 +1224,7 @@ class TLSConnection(TLSRecordLayer): |
115 settings, reqCAs, reqCertTypes, | 115 settings, reqCAs, reqCertTypes, |
116 tacks, activationFlags, | 116 tacks, activationFlags, |
117 nextProtos, anon, | 117 nextProtos, anon, |
118 - tlsIntolerant, signedCertTimestamps, fallbackSCSV, | 118 - tlsIntolerant, signedCertTimestamps, fallbackSCSV, |
119 + signedCertTimestamps, fallbackSCSV, | 119 + signedCertTimestamps, fallbackSCSV, |
120 ocspResponse): | 120 ocspResponse): |
121 | 121 |
122 self._handshakeStart(client=False) | 122 self._handshakeStart(client=False) |
123 @@ -1261,7 +1254,7 @@ class TLSConnection(TLSRecordLayer): | 123 @@ -1269,7 +1262,7 @@ class TLSConnection(TLSRecordLayer): |
124 # Handle ClientHello and resumption | 124 # Handle ClientHello and resumption |
125 for result in self._serverGetClientHello(settings, certChain,\ | 125 for result in self._serverGetClientHello(settings, certChain,\ |
126 verifierDB, sessionCache, | 126 verifierDB, sessionCache, |
127 - anon, tlsIntolerant, fallbackSCSV): | 127 - anon, tlsIntolerant, fallbackSCSV): |
128 + anon, fallbackSCSV): | 128 + anon, fallbackSCSV): |
129 if result in (0,1): yield result | 129 if result in (0,1): yield result |
130 elif result == None: | 130 elif result == None: |
131 self._handshakeDone(resumed=True) | 131 self._handshakeDone(resumed=True) |
132 @@ -1376,7 +1369,7 @@ class TLSConnection(TLSRecordLayer): | 132 @@ -1384,7 +1377,7 @@ class TLSConnection(TLSRecordLayer): |
133 | 133 |
134 | 134 |
135 def _serverGetClientHello(self, settings, certChain, verifierDB, | 135 def _serverGetClientHello(self, settings, certChain, verifierDB, |
136 - sessionCache, anon, tlsIntolerant, fallbackSCSV
): | 136 - sessionCache, anon, tlsIntolerant, fallbackSCSV
): |
137 + sessionCache, anon, fallbackSCSV): | 137 + sessionCache, anon, fallbackSCSV): |
138 #Initialize acceptable cipher suites | 138 #Initialize acceptable cipher suites |
139 cipherSuites = [] | 139 cipherSuites = [] |
140 if verifierDB: | 140 if verifierDB: |
141 @@ -1413,11 +1406,21 @@ class TLSConnection(TLSRecordLayer): | 141 @@ -1421,11 +1414,21 @@ class TLSConnection(TLSRecordLayer): |
142 yield result | 142 yield result |
143 | 143 |
144 #If simulating TLS intolerance, reject certain TLS versions. | 144 #If simulating TLS intolerance, reject certain TLS versions. |
145 - elif (tlsIntolerant is not None and | 145 - elif (tlsIntolerant is not None and |
146 - clientHello.client_version >= tlsIntolerant): | 146 - clientHello.client_version >= tlsIntolerant): |
147 - for result in self._sendError(\ | 147 - for result in self._sendError(\ |
148 + elif (settings.tlsIntolerant is not None and | 148 + elif (settings.tlsIntolerant is not None and |
149 + clientHello.client_version >= settings.tlsIntolerant): | 149 + clientHello.client_version >= settings.tlsIntolerant): |
150 + if settings.tlsIntoleranceType == "alert": | 150 + if settings.tlsIntoleranceType == "alert": |
151 + for result in self._sendError(\ | 151 + for result in self._sendError(\ |
152 AlertDescription.handshake_failure): | 152 AlertDescription.handshake_failure): |
153 - yield result | 153 - yield result |
154 + yield result | 154 + yield result |
155 + elif settings.tlsIntoleranceType == "close": | 155 + elif settings.tlsIntoleranceType == "close": |
156 + self._abruptClose() | 156 + self._abruptClose() |
157 + raise TLSUnsupportedError("Simulating version intolerance") | 157 + raise TLSUnsupportedError("Simulating version intolerance") |
158 + elif settings.tlsIntoleranceType == "reset": | 158 + elif settings.tlsIntoleranceType == "reset": |
159 + self._abruptClose(reset=True) | 159 + self._abruptClose(reset=True) |
160 + raise TLSUnsupportedError("Simulating version intolerance") | 160 + raise TLSUnsupportedError("Simulating version intolerance") |
161 + else: | 161 + else: |
162 + raise ValueError("Unknown intolerance type: '%s'" % | 162 + raise ValueError("Unknown intolerance type: '%s'" % |
163 + settings.tlsIntoleranceType) | 163 + settings.tlsIntoleranceType) |
164 | 164 |
165 #If client's version is too high, propose my highest version | 165 #If client's version is too high, propose my highest version |
166 elif clientHello.client_version > settings.maxVersion: | 166 elif clientHello.client_version > settings.maxVersion: |
167 diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite
/tlslite/tlsrecordlayer.py | 167 diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite
/tlslite/tlsrecordlayer.py |
168 index 370dc9a..23c2a2f 100644 | 168 index 3584726..eda11e6 100644 |
169 --- a/third_party/tlslite/tlslite/tlsrecordlayer.py | 169 --- a/third_party/tlslite/tlslite/tlsrecordlayer.py |
170 +++ b/third_party/tlslite/tlslite/tlsrecordlayer.py | 170 +++ b/third_party/tlslite/tlslite/tlsrecordlayer.py |
171 @@ -19,6 +19,7 @@ from .constants import * | 171 @@ -20,6 +20,7 @@ from .constants import * |
172 from .utils.cryptomath import getRandomBytes | 172 from .utils.cryptomath import getRandomBytes |
173 | 173 |
174 import socket | 174 import socket |
175 +import struct | 175 +import struct |
176 import errno | 176 import errno |
177 import traceback | 177 import traceback |
178 | 178 |
179 @@ -523,6 +524,13 @@ class TLSRecordLayer(object): | 179 @@ -527,6 +528,13 @@ class TLSRecordLayer(object): |
180 self._shutdown(False) | 180 self._shutdown(False) |
181 raise TLSLocalAlert(alert, errorStr) | 181 raise TLSLocalAlert(alert, errorStr) |
182 | 182 |
183 + def _abruptClose(self, reset=False): | 183 + def _abruptClose(self, reset=False): |
184 + if reset: | 184 + if reset: |
185 + #Set an SO_LINGER timeout of 0 to send a TCP RST. | 185 + #Set an SO_LINGER timeout of 0 to send a TCP RST. |
186 + self.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, | 186 + self.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, |
187 + struct.pack('ii', 1, 0)) | 187 + struct.pack('ii', 1, 0)) |
188 + self._shutdown(False) | 188 + self._shutdown(False) |
189 + | 189 + |
190 def _sendMsgs(self, msgs): | 190 def _sendMsgs(self, msgs): |
191 randomizeFirstBlock = True | 191 randomizeFirstBlock = True |
192 for msg in msgs: | 192 for msg in msgs: |
OLD | NEW |