patches/tls_intolerant.patch - chromium/src/third_party/tlslite - Git at Google

 Index: third_party/tlslite/tlslite/TLSConnection.py
 ===================================================================
 --- third_party/tlslite/tlslite/TLSConnection.py	(revision 134128)
 +++ third_party/tlslite/tlslite/TLSConnection.py	(working copy)
 @@ -932,7 +932,7 @@
      def handshakeServer(self, sharedKeyDB=None, verifierDB=None,
                          certChain=None, privateKey=None, reqCert=False,
                          sessionCache=None, settings=None, checker=None,
 -                        reqCAs=None):
 +                        reqCAs=None, tlsIntolerant=0):
          """Perform a handshake in the role of server.

          This function performs an SSL or TLS handshake.  Depending on
 @@ -1012,14 +1012,14 @@
          """
          for result in self.handshakeServerAsync(sharedKeyDB, verifierDB,
                  certChain, privateKey, reqCert, sessionCache, settings,
 -                checker, reqCAs):
 +                checker, reqCAs, tlsIntolerant):
              pass


      def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None,
                               certChain=None, privateKey=None, reqCert=False,
                               sessionCache=None, settings=None, checker=None,
 -                             reqCAs=None):
 +                             reqCAs=None, tlsIntolerant=0):
          """Start a server handshake operation on the TLS connection.

          This function returns a generator which behaves similarly to
 @@ -1036,14 +1036,15 @@
              verifierDB=verifierDB, certChain=certChain,
              privateKey=privateKey, reqCert=reqCert,
              sessionCache=sessionCache, settings=settings,
 -            reqCAs=reqCAs)
 +            reqCAs=reqCAs,
 +            tlsIntolerant=tlsIntolerant)
          for result in self._handshakeWrapperAsync(handshaker, checker):
              yield result


      def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB,
                               certChain, privateKey, reqCert, sessionCache,
 -                             settings, reqCAs):
 +                             settings, reqCAs, tlsIntolerant):

          self._handshakeStart(client=False)

 @@ -1111,6 +1112,17 @@
                    "Too old version: %s" % str(clientHello.client_version)):
                  yield result

 +        #If tlsIntolerant is nonzero, reject certain TLS versions.
 +        #1: reject all TLS versions.
 +        #2: reject TLS 1.1 or higher.
 +        #3: reject TLS 1.2 or higher.
 +        if (tlsIntolerant == 1 and clientHello.client_version > (3, 0) or
 +            tlsIntolerant == 2 and clientHello.client_version > (3, 1) or
 +            tlsIntolerant == 3 and clientHello.client_version > (3, 2)):
 +            for result in self._sendError(\
 +                    AlertDescription.handshake_failure):
 +                yield result
 +
          #If client's version is too high, propose my highest version
          elif clientHello.client_version > settings.maxVersion:
              self.version = settings.maxVersion
	Index: third_party/tlslite/tlslite/TLSConnection.py
	===================================================================
	--- third_party/tlslite/tlslite/TLSConnection.py (revision 134128)
	+++ third_party/tlslite/tlslite/TLSConnection.py (working copy)
	@@ -932,7 +932,7 @@
	def handshakeServer(self, sharedKeyDB=None, verifierDB=None,
	certChain=None, privateKey=None, reqCert=False,
	sessionCache=None, settings=None, checker=None,
	- reqCAs=None):
	+ reqCAs=None, tlsIntolerant=0):
	"""Perform a handshake in the role of server.

	This function performs an SSL or TLS handshake. Depending on
	@@ -1012,14 +1012,14 @@
	"""
	for result in self.handshakeServerAsync(sharedKeyDB, verifierDB,
	certChain, privateKey, reqCert, sessionCache, settings,
	- checker, reqCAs):
	+ checker, reqCAs, tlsIntolerant):
	pass


	def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None,
	certChain=None, privateKey=None, reqCert=False,
	sessionCache=None, settings=None, checker=None,
	- reqCAs=None):
	+ reqCAs=None, tlsIntolerant=0):
	"""Start a server handshake operation on the TLS connection.

	This function returns a generator which behaves similarly to
	@@ -1036,14 +1036,15 @@
	verifierDB=verifierDB, certChain=certChain,
	privateKey=privateKey, reqCert=reqCert,
	sessionCache=sessionCache, settings=settings,
	- reqCAs=reqCAs)
	+ reqCAs=reqCAs,
	+ tlsIntolerant=tlsIntolerant)
	for result in self._handshakeWrapperAsync(handshaker, checker):
	yield result


	def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB,
	certChain, privateKey, reqCert, sessionCache,
	- settings, reqCAs):
	+ settings, reqCAs, tlsIntolerant):

	self._handshakeStart(client=False)

	@@ -1111,6 +1112,17 @@
	"Too old version: %s" % str(clientHello.client_version)):
	yield result

	+ #If tlsIntolerant is nonzero, reject certain TLS versions.
	+ #1: reject all TLS versions.
	+ #2: reject TLS 1.1 or higher.
	+ #3: reject TLS 1.2 or higher.
	+ if (tlsIntolerant == 1 and clientHello.client_version > (3, 0) or
	+ tlsIntolerant == 2 and clientHello.client_version > (3, 1) or
	+ tlsIntolerant == 3 and clientHello.client_version > (3, 2)):
	+ for result in self._sendError(\
	+ AlertDescription.handshake_failure):
	+ yield result
	+
	#If client's version is too high, propose my highest version
	elif clientHello.client_version > settings.maxVersion:
	self.version = settings.maxVersion