| Index: third_party/tlslite/patches/intolerance_options.patch
|
| diff --git a/third_party/tlslite/patches/intolerance_options.patch b/third_party/tlslite/patches/intolerance_options.patch
|
| index 0bee1d634246527948595f2a080c4fbf52738140..2aee3c6f8d593b78a030586f4dd2babfc4a73fce 100644
|
| --- a/third_party/tlslite/patches/intolerance_options.patch
|
| +++ b/third_party/tlslite/patches/intolerance_options.patch
|
| @@ -1,8 +1,8 @@
|
| diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py
|
| -index e0bc0e6..0d4ccf2 100644
|
| +index 7998e2e..2e9e06d 100644
|
| --- a/third_party/tlslite/tlslite/handshakesettings.py
|
| +++ b/third_party/tlslite/tlslite/handshakesettings.py
|
| -@@ -18,6 +18,7 @@ ALL_MAC_NAMES = ["sha", "md5"]
|
| +@@ -19,6 +19,7 @@ ALL_MAC_NAMES = ["sha", "sha256", "md5"]
|
| KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"]
|
| CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"]
|
| CERTIFICATE_TYPES = ["x509"]
|
| @@ -10,10 +10,10 @@ index e0bc0e6..0d4ccf2 100644
|
|
|
| class HandshakeSettings(object):
|
| """This class encapsulates various parameters that can be used with
|
| -@@ -92,6 +93,21 @@ class HandshakeSettings(object):
|
| - The default is (3,2). (WARNING: Some servers may (improperly)
|
| - reject clients which offer support for TLS 1.1. In this case,
|
| - try lowering maxVersion to (3,1)).
|
| +@@ -91,6 +92,21 @@ class HandshakeSettings(object):
|
| + version, a protocol_version alert will be signalled. The default is (3,3).
|
| + (WARNING: Some servers may (improperly) reject clients which offer support
|
| + for TLS 1.1. In this case, try lowering maxVersion to (3,1)).
|
| +
|
| + @type tlsIntolerant: tuple
|
| + @ivar tlsIntolerant: The TLS ClientHello version which the server
|
| @@ -32,16 +32,16 @@ index e0bc0e6..0d4ccf2 100644
|
|
|
| @type useExperimentalTackExtension: bool
|
| @ivar useExperimentalTackExtension: Whether to enabled TACK support.
|
| -@@ -109,6 +125,8 @@ class HandshakeSettings(object):
|
| +@@ -108,6 +124,8 @@ class HandshakeSettings(object):
|
| self.certificateTypes = CERTIFICATE_TYPES
|
| - self.minVersion = (3,0)
|
| - self.maxVersion = (3,2)
|
| + self.minVersion = (3,1)
|
| + self.maxVersion = (3,3)
|
| + self.tlsIntolerant = None
|
| + self.tlsIntoleranceType = 'alert'
|
| self.useExperimentalTackExtension = False
|
|
|
| # Validates the min/max fields, and certificateTypes
|
| -@@ -124,6 +142,8 @@ class HandshakeSettings(object):
|
| +@@ -123,6 +141,8 @@ class HandshakeSettings(object):
|
| other.certificateTypes = self.certificateTypes
|
| other.minVersion = self.minVersion
|
| other.maxVersion = self.maxVersion
|
| @@ -50,7 +50,7 @@ index e0bc0e6..0d4ccf2 100644
|
|
|
| if not cipherfactory.tripleDESPresent:
|
| other.cipherNames = [e for e in self.cipherNames if e != "3des"]
|
| -@@ -165,6 +185,10 @@ class HandshakeSettings(object):
|
| +@@ -164,6 +184,10 @@ class HandshakeSettings(object):
|
| if s not in CERTIFICATE_TYPES:
|
| raise ValueError("Unknown certificate type: '%s'" % s)
|
|
|
| @@ -62,10 +62,10 @@ index e0bc0e6..0d4ccf2 100644
|
| raise ValueError("Versions set incorrectly")
|
|
|
| diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
|
| -index 044ad59..7c1572f 100644
|
| +index f8547d5..4f3ba1c 100644
|
| --- a/third_party/tlslite/tlslite/tlsconnection.py
|
| +++ b/third_party/tlslite/tlslite/tlsconnection.py
|
| -@@ -1065,7 +1065,7 @@ class TLSConnection(TLSRecordLayer):
|
| +@@ -1073,7 +1073,7 @@ class TLSConnection(TLSRecordLayer):
|
| reqCAs = None, reqCertTypes = None,
|
| tacks=None, activationFlags=0,
|
| nextProtos=None, anon=False,
|
| @@ -74,7 +74,7 @@ index 044ad59..7c1572f 100644
|
| fallbackSCSV=False, ocspResponse=None):
|
| """Perform a handshake in the role of server.
|
|
|
| -@@ -1139,11 +1139,6 @@ class TLSConnection(TLSRecordLayer):
|
| +@@ -1147,11 +1147,6 @@ class TLSConnection(TLSRecordLayer):
|
| clients through the Next-Protocol Negotiation Extension,
|
| if they support it.
|
|
|
| @@ -86,7 +86,7 @@ index 044ad59..7c1572f 100644
|
| @type signedCertTimestamps: str
|
| @param signedCertTimestamps: A SignedCertificateTimestampList (as a
|
| binary 8-bit string) that will be sent as a TLS extension whenever
|
| -@@ -1175,7 +1170,7 @@ class TLSConnection(TLSRecordLayer):
|
| +@@ -1183,7 +1178,7 @@ class TLSConnection(TLSRecordLayer):
|
| certChain, privateKey, reqCert, sessionCache, settings,
|
| checker, reqCAs, reqCertTypes,
|
| tacks=tacks, activationFlags=activationFlags,
|
| @@ -95,7 +95,7 @@ index 044ad59..7c1572f 100644
|
| signedCertTimestamps=signedCertTimestamps,
|
| fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse):
|
| pass
|
| -@@ -1187,7 +1182,6 @@ class TLSConnection(TLSRecordLayer):
|
| +@@ -1195,7 +1190,6 @@ class TLSConnection(TLSRecordLayer):
|
| reqCAs=None, reqCertTypes=None,
|
| tacks=None, activationFlags=0,
|
| nextProtos=None, anon=False,
|
| @@ -103,7 +103,7 @@ index 044ad59..7c1572f 100644
|
| signedCertTimestamps=None,
|
| fallbackSCSV=False,
|
| ocspResponse=None
|
| -@@ -1210,7 +1204,6 @@ class TLSConnection(TLSRecordLayer):
|
| +@@ -1218,7 +1212,6 @@ class TLSConnection(TLSRecordLayer):
|
| reqCAs=reqCAs, reqCertTypes=reqCertTypes,
|
| tacks=tacks, activationFlags=activationFlags,
|
| nextProtos=nextProtos, anon=anon,
|
| @@ -111,7 +111,7 @@ index 044ad59..7c1572f 100644
|
| signedCertTimestamps=signedCertTimestamps,
|
| fallbackSCSV=fallbackSCSV,
|
| ocspResponse=ocspResponse)
|
| -@@ -1223,7 +1216,7 @@ class TLSConnection(TLSRecordLayer):
|
| +@@ -1231,7 +1224,7 @@ class TLSConnection(TLSRecordLayer):
|
| settings, reqCAs, reqCertTypes,
|
| tacks, activationFlags,
|
| nextProtos, anon,
|
| @@ -120,7 +120,7 @@ index 044ad59..7c1572f 100644
|
| ocspResponse):
|
|
|
| self._handshakeStart(client=False)
|
| -@@ -1261,7 +1254,7 @@ class TLSConnection(TLSRecordLayer):
|
| +@@ -1269,7 +1262,7 @@ class TLSConnection(TLSRecordLayer):
|
| # Handle ClientHello and resumption
|
| for result in self._serverGetClientHello(settings, certChain,\
|
| verifierDB, sessionCache,
|
| @@ -129,7 +129,7 @@ index 044ad59..7c1572f 100644
|
| if result in (0,1): yield result
|
| elif result == None:
|
| self._handshakeDone(resumed=True)
|
| -@@ -1376,7 +1369,7 @@ class TLSConnection(TLSRecordLayer):
|
| +@@ -1384,7 +1377,7 @@ class TLSConnection(TLSRecordLayer):
|
|
|
|
|
| def _serverGetClientHello(self, settings, certChain, verifierDB,
|
| @@ -138,7 +138,7 @@ index 044ad59..7c1572f 100644
|
| #Initialize acceptable cipher suites
|
| cipherSuites = []
|
| if verifierDB:
|
| -@@ -1413,11 +1406,21 @@ class TLSConnection(TLSRecordLayer):
|
| +@@ -1421,11 +1414,21 @@ class TLSConnection(TLSRecordLayer):
|
| yield result
|
|
|
| #If simulating TLS intolerance, reject certain TLS versions.
|
| @@ -165,10 +165,10 @@ index 044ad59..7c1572f 100644
|
| #If client's version is too high, propose my highest version
|
| elif clientHello.client_version > settings.maxVersion:
|
| diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite/tlslite/tlsrecordlayer.py
|
| -index 370dc9a..23c2a2f 100644
|
| +index 3584726..eda11e6 100644
|
| --- a/third_party/tlslite/tlslite/tlsrecordlayer.py
|
| +++ b/third_party/tlslite/tlslite/tlsrecordlayer.py
|
| -@@ -19,6 +19,7 @@ from .constants import *
|
| +@@ -20,6 +20,7 @@ from .constants import *
|
| from .utils.cryptomath import getRandomBytes
|
|
|
| import socket
|
| @@ -176,7 +176,7 @@ index 370dc9a..23c2a2f 100644
|
| import errno
|
| import traceback
|
|
|
| -@@ -523,6 +524,13 @@ class TLSRecordLayer(object):
|
| +@@ -527,6 +528,13 @@ class TLSRecordLayer(object):
|
| self._shutdown(False)
|
| raise TLSLocalAlert(alert, errorStr)
|
|
|
|
|
Chromium Code Reviews
Issue 858373002:
Update third_party/tlslite to 0.4.8. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master