Improve the TLS intolerant server testing support added in r134129
(http://codereview.chromium.org/10218007).

Add the ability to simulate a server that is intolerant of only a
particular version of TLS. This will allow us to test the handling
of a TLS 1.1 intolerant server.

R=agl@chromium.org,phajdan.jr@chromium.org
BUG=126340
TEST=none

Review URL: https://chromiumcodereview.appspot.com/10412042

git-svn-id: http://src.chromium.org/svn/trunk/src/third_party/tlslite@138537 4ff67af0-8c30-449e-8e8b-ad334ec8d88c
diff --git a/patches/tls_intolerant.patch b/patches/tls_intolerant.patch
index 506b4d3..53fe4d4 100644
--- a/patches/tls_intolerant.patch
+++ b/patches/tls_intolerant.patch
@@ -1,17 +1,17 @@
-diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/tlslite/TLSConnection.py
-index 7e38a23..02c7478 100644
---- a/third_party/tlslite/tlslite/TLSConnection.py
-+++ b/third_party/tlslite/tlslite/TLSConnection.py
-@@ -932,7 +932,7 @@ class TLSConnection(TLSRecordLayer):
+Index: third_party/tlslite/tlslite/TLSConnection.py
+===================================================================
+--- third_party/tlslite/tlslite/TLSConnection.py	(revision 134128)
++++ third_party/tlslite/tlslite/TLSConnection.py	(working copy)
+@@ -932,7 +932,7 @@
      def handshakeServer(self, sharedKeyDB=None, verifierDB=None,
                          certChain=None, privateKey=None, reqCert=False,
                          sessionCache=None, settings=None, checker=None,
 -                        reqCAs=None):
-+                        reqCAs=None, tlsIntolerant=False):
++                        reqCAs=None, tlsIntolerant=0):
          """Perform a handshake in the role of server.
  
          This function performs an SSL or TLS handshake.  Depending on
-@@ -1012,14 +1012,14 @@ class TLSConnection(TLSRecordLayer):
+@@ -1012,14 +1012,14 @@
          """
          for result in self.handshakeServerAsync(sharedKeyDB, verifierDB,
                  certChain, privateKey, reqCert, sessionCache, settings,
@@ -24,11 +24,11 @@
                               certChain=None, privateKey=None, reqCert=False,
                               sessionCache=None, settings=None, checker=None,
 -                             reqCAs=None):
-+                             reqCAs=None, tlsIntolerant=False):
++                             reqCAs=None, tlsIntolerant=0):
          """Start a server handshake operation on the TLS connection.
  
          This function returns a generator which behaves similarly to
-@@ -1036,14 +1036,15 @@ class TLSConnection(TLSRecordLayer):
+@@ -1036,14 +1036,15 @@
              verifierDB=verifierDB, certChain=certChain,
              privateKey=privateKey, reqCert=reqCert,
              sessionCache=sessionCache, settings=settings,
@@ -46,11 +46,17 @@
  
          self._handshakeStart(client=False)
  
-@@ -1111,6 +1112,11 @@ class TLSConnection(TLSRecordLayer):
+@@ -1111,6 +1112,17 @@
                    "Too old version: %s" % str(clientHello.client_version)):
                  yield result
  
-+        if tlsIntolerant and clientHello.client_version > (3, 0):
++        #If tlsIntolerant is nonzero, reject certain TLS versions.
++        #1: reject all TLS versions.
++        #2: reject TLS 1.1 or higher.
++        #3: reject TLS 1.2 or higher.
++        if (tlsIntolerant == 1 and clientHello.client_version > (3, 0) or
++            tlsIntolerant == 2 and clientHello.client_version > (3, 1) or
++            tlsIntolerant == 3 and clientHello.client_version > (3, 2)):
 +            for result in self._sendError(\
 +                    AlertDescription.handshake_failure):
 +                yield result
diff --git a/tlslite/TLSConnection.py b/tlslite/TLSConnection.py
index 02c7478..f8811a9 100644
--- a/tlslite/TLSConnection.py
+++ b/tlslite/TLSConnection.py
@@ -932,7 +932,7 @@
     def handshakeServer(self, sharedKeyDB=None, verifierDB=None,
                         certChain=None, privateKey=None, reqCert=False,
                         sessionCache=None, settings=None, checker=None,
-                        reqCAs=None, tlsIntolerant=False):
+                        reqCAs=None, tlsIntolerant=0):
         """Perform a handshake in the role of server.
 
         This function performs an SSL or TLS handshake.  Depending on
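Review bot: The new tlsIntolerant parameter changes from a boolean flag to an integer mode selector, but nothing in this hunk documents the accepted values; handshakeServer's docstring begins on the last lines of the hunk and continues outside it, so the parameter list may or may not mention it. Since a caller can no longer guess the meaning from the name alone, the docstring should state the contract in its existing parameter style, e.g. "tlsIntolerant: 0 to negotiate normally; 1 to reject every TLS version; 2 to reject TLS 1.1 and higher; 3 to reject TLS 1.2 and higher. Used only to simulate broken servers in tests." The same applies to handshakeServerAsync in the next hunk, whose docstring is likewise cut by the hunk.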
@@ -1019,7 +1019,7 @@
     def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None,
                              certChain=None, privateKey=None, reqCert=False,
                              sessionCache=None, settings=None, checker=None,
-                             reqCAs=None, tlsIntolerant=False):
+                             reqCAs=None, tlsIntolerant=0):
         """Start a server handshake operation on the TLS connection.
 
         This function returns a generator which behaves similarly to
@@ -1112,7 +1112,13 @@
                   "Too old version: %s" % str(clientHello.client_version)):
                 yield result
 
-        if tlsIntolerant and clientHello.client_version > (3, 0):
+        #If tlsIntolerant is nonzero, reject certain TLS versions.
+        #1: reject all TLS versions.
+        #2: reject TLS 1.1 or higher.
+        #3: reject TLS 1.2 or higher.
+        if (tlsIntolerant == 1 and clientHello.client_version > (3, 0) or
+            tlsIntolerant == 2 and clientHello.client_version > (3, 1) or
+            tlsIntolerant == 3 and clientHello.client_version > (3, 2)):
             for result in self._sendError(\
                     AlertDescription.handshake_failure):
                 yield result
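Review bot: A tlsIntolerant value outside 1–3 silently falls through to a normal handshake, so a caller passing 4 or a wrong constant gets a tolerant server and a test built on it would pass vacuously; the three-way condition is also hard to read because it relies on `and` binding tighter than `or`. Mapping the mode to a maximum accepted version and rejecting unknown modes makes the intent explicit and keeps existing `tlsIntolerant=True` callers working, since True compares equal to 1. Note that the raise happens when the generator is iterated, which is where handshakeServer drives it; confirm that matches how the test harness reports setup errors. The comments should also get a space after `#` to match PEP 8.
```python
        #If tlsIntolerant is nonzero, reject certain TLS versions.
        #1: reject all TLS versions.
        #2: reject TLS 1.1 or higher.
        #3: reject TLS 1.2 or higher.
        maxVersions = {0: None, 1: (3, 0), 2: (3, 1), 3: (3, 2)}
        if tlsIntolerant not in maxVersions:
            raise ValueError("Unknown tlsIntolerant value: %s" % tlsIntolerant)
        maxVersion = maxVersions[tlsIntolerant]
        if maxVersion is not None and clientHello.client_version > maxVersion:
            # … unchanged: _sendError(handshake_failure) loop …
```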