1 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/
tlslite/tlsconnection.py | 1 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/
tlslite/tlsconnection.py |
2 index e8dd859..8415592 100755 | 2 index e7c6834..0e78753 100644 |
3 --- a/third_party/tlslite/tlslite/tlsconnection.py | 3 --- a/third_party/tlslite/tlslite/tlsconnection.py |
4 +++ b/third_party/tlslite/tlslite/tlsconnection.py | 4 +++ b/third_party/tlslite/tlslite/tlsconnection.py |
5 @@ -965,7 +965,8 @@ class TLSConnection(TLSRecordLayer): | 5 @@ -968,7 +968,8 @@ class TLSConnection(TLSRecordLayer): |
6 sessionCache=None, settings=None, checker=None, | 6 sessionCache=None, settings=None, checker=None, |
7 reqCAs = None, | 7 reqCAs = None, |
8 tacks=None, activationFlags=0, | 8 tacks=None, activationFlags=0, |
9 - nextProtos=None, anon=False): | 9 - nextProtos=None, anon=False): |
10 + nextProtos=None, anon=False, | 10 + nextProtos=None, anon=False, |
11 + tlsIntolerant=None): | 11 + tlsIntolerant=None): |
12 """Perform a handshake in the role of server. | 12 """Perform a handshake in the role of server. |
13 | 13 |
14 This function performs an SSL or TLS handshake. Depending on | 14 This function performs an SSL or TLS handshake. Depending on |
15 @@ -1034,6 +1035,11 @@ class TLSConnection(TLSRecordLayer): | 15 @@ -1037,6 +1038,11 @@ class TLSConnection(TLSRecordLayer): |
16 clients through the Next-Protocol Negotiation Extension, | 16 clients through the Next-Protocol Negotiation Extension, |
17 if they support it. | 17 if they support it. |
18 | 18 |
19 + @type tlsIntolerant: (int, int) or None | 19 + @type tlsIntolerant: (int, int) or None |
20 + @param tlsIntolerant: If tlsIntolerant is not None, the server will | 20 + @param tlsIntolerant: If tlsIntolerant is not None, the server will |
21 + simulate TLS version intolerance by returning a fatal handshake_failure | 21 + simulate TLS version intolerance by returning a fatal handshake_failure |
22 + alert to all TLS versions tlsIntolerant or higher. | 22 + alert to all TLS versions tlsIntolerant or higher. |
23 + | 23 + |
24 @raise socket.error: If a socket error occurs. | 24 @raise socket.error: If a socket error occurs. |
25 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed | 25 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed |
26 without a preceding alert. | 26 without a preceding alert. |
27 @@ -1045,7 +1051,7 @@ class TLSConnection(TLSRecordLayer): | 27 @@ -1048,7 +1054,7 @@ class TLSConnection(TLSRecordLayer): |
28 certChain, privateKey, reqCert, sessionCache, settings, | 28 certChain, privateKey, reqCert, sessionCache, settings, |
29 checker, reqCAs, | 29 checker, reqCAs, |
30 tacks=tacks, activationFlags=activationFlags, | 30 tacks=tacks, activationFlags=activationFlags, |
31 - nextProtos=nextProtos, anon=anon): | 31 - nextProtos=nextProtos, anon=anon): |
32 + nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant): | 32 + nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant): |
33 pass | 33 pass |
34 | 34 |
35 | 35 |
36 @@ -1054,7 +1060,8 @@ class TLSConnection(TLSRecordLayer): | 36 @@ -1057,7 +1063,8 @@ class TLSConnection(TLSRecordLayer): |
37 sessionCache=None, settings=None, checker=None, | 37 sessionCache=None, settings=None, checker=None, |
38 reqCAs=None, | 38 reqCAs=None, |
39 tacks=None, activationFlags=0, | 39 tacks=None, activationFlags=0, |
40 - nextProtos=None, anon=False | 40 - nextProtos=None, anon=False |
41 + nextProtos=None, anon=False, | 41 + nextProtos=None, anon=False, |
42 + tlsIntolerant=None | 42 + tlsIntolerant=None |
43 ): | 43 ): |
44 """Start a server handshake operation on the TLS connection. | 44 """Start a server handshake operation on the TLS connection. |
45 | 45 |
46 @@ -1073,7 +1080,8 @@ class TLSConnection(TLSRecordLayer): | 46 @@ -1076,7 +1083,8 @@ class TLSConnection(TLSRecordLayer): |
47 sessionCache=sessionCache, settings=settings, | 47 sessionCache=sessionCache, settings=settings, |
48 reqCAs=reqCAs, | 48 reqCAs=reqCAs, |
49 tacks=tacks, activationFlags=activationFlags, | 49 tacks=tacks, activationFlags=activationFlags, |
50 - nextProtos=nextProtos, anon=anon) | 50 - nextProtos=nextProtos, anon=anon) |
51 + nextProtos=nextProtos, anon=anon, | 51 + nextProtos=nextProtos, anon=anon, |
52 + tlsIntolerant=tlsIntolerant) | 52 + tlsIntolerant=tlsIntolerant) |
53 for result in self._handshakeWrapperAsync(handshaker, checker): | 53 for result in self._handshakeWrapperAsync(handshaker, checker): |
54 yield result | 54 yield result |
55 | 55 |
56 @@ -1082,7 +1090,8 @@ class TLSConnection(TLSRecordLayer): | 56 @@ -1085,7 +1093,8 @@ class TLSConnection(TLSRecordLayer): |
57 certChain, privateKey, reqCert, sessionCache, | 57 certChain, privateKey, reqCert, sessionCache, |
58 settings, reqCAs, | 58 settings, reqCAs, |
59 tacks, activationFlags, | 59 tacks, activationFlags, |
60 - nextProtos, anon): | 60 - nextProtos, anon): |
61 + nextProtos, anon, | 61 + nextProtos, anon, |
62 + tlsIntolerant): | 62 + tlsIntolerant): |
63 | 63 |
64 self._handshakeStart(client=False) | 64 self._handshakeStart(client=False) |
65 | 65 |
66 @@ -1114,7 +1123,7 @@ class TLSConnection(TLSRecordLayer): | 66 @@ -1117,7 +1126,7 @@ class TLSConnection(TLSRecordLayer): |
67 # Handle ClientHello and resumption | 67 # Handle ClientHello and resumption |
68 for result in self._serverGetClientHello(settings, certChain,\ | 68 for result in self._serverGetClientHello(settings, certChain,\ |
69 verifierDB, sessionCache, | 69 verifierDB, sessionCache, |
70 - anon): | 70 - anon): |
71 + anon, tlsIntolerant): | 71 + anon, tlsIntolerant): |
72 if result in (0,1): yield result | 72 if result in (0,1): yield result |
73 elif result == None: | 73 elif result == None: |
74 self._handshakeDone(resumed=True) | 74 self._handshakeDone(resumed=True) |
75 @@ -1211,7 +1220,7 @@ class TLSConnection(TLSRecordLayer): | 75 @@ -1214,7 +1223,7 @@ class TLSConnection(TLSRecordLayer): |
76 | 76 |
77 | 77 |
78 def _serverGetClientHello(self, settings, certChain, verifierDB, | 78 def _serverGetClientHello(self, settings, certChain, verifierDB, |
79 - sessionCache, anon): | 79 - sessionCache, anon): |
80 + sessionCache, anon, tlsIntolerant): | 80 + sessionCache, anon, tlsIntolerant): |
81 #Initialize acceptable cipher suites | 81 #Initialize acceptable cipher suites |
82 cipherSuites = [] | 82 cipherSuites = [] |
83 if verifierDB: | 83 if verifierDB: |
84 @@ -1246,6 +1255,13 @@ class TLSConnection(TLSRecordLayer): | 84 @@ -1249,6 +1258,13 @@ class TLSConnection(TLSRecordLayer): |
85 "Too old version: %s" % str(clientHello.client_version)): | 85 "Too old version: %s" % str(clientHello.client_version)): |
86 yield result | 86 yield result |
87 | 87 |
88 + #If simulating TLS intolerance, reject certain TLS versions. | 88 + #If simulating TLS intolerance, reject certain TLS versions. |
89 + elif (tlsIntolerant is not None and | 89 + elif (tlsIntolerant is not None and |
90 + clientHello.client_version >= tlsIntolerant): | 90 + clientHello.client_version >= tlsIntolerant): |
91 + for result in self._sendError(\ | 91 + for result in self._sendError(\ |
92 + AlertDescription.handshake_failure): | 92 + AlertDescription.handshake_failure): |
93 + yield result | 93 + yield result |
94 + | 94 + |
95 #If client's version is too high, propose my highest version | 95 #If client's version is too high, propose my highest version |
96 elif clientHello.client_version > settings.maxVersion: | 96 elif clientHello.client_version > settings.maxVersion: |
97 self.version = settings.maxVersion | 97 self.version = settings.maxVersion |
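Review bot: The new `elif` branch in `_serverGetClientHello` compares `clientHello.client_version >= tlsIntolerant` without checking that `tlsIntolerant` is the `(major, minor)` tuple the docstring promises; under Python 2's mixed-type ordering a bare int sorts below every tuple, so a caller passing e.g. `3` instead of `(3, 1)` would, if I read that right, have every ClientHello rejected with handshake_failure rather than get an error. A guard where the argument enters, e.g. at the top of `handshakeServerAsync`: `if tlsIntolerant is not None and not isinstance(tlsIntolerant, tuple): raise ValueError("tlsIntolerant must be a (major, minor) tuple or None")`, would make the misuse loud in the test harness rather than silent. The `@param tlsIntolerant` text could also say that the check runs before the normal `settings.maxVersion` negotiation below it, so a client at or above the threshold is rejected without ever being offered the server's highest version. Note that `_serverGetClientHello` continues past the end of the last hunk, and the same parameter is threaded through `handshakeServer`, `handshakeServerAsync` and `_handshakeServerAsyncHelper` in the earlier hunks without any validation either.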