patches/tls13_intolerance.patch - chromium/src/third_party/tlslite - Git at Google

 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
 index 82e8c075fe2a..8fb75d0948e4 100644
 --- a/third_party/tlslite/tlslite/constants.py
 +++ b/third_party/tlslite/tlslite/constants.py
 @@ -58,6 +58,7 @@ class ExtensionType:    # RFC 6066 / 4366
      signed_cert_timestamps = 18  # RFC 6962
      extended_master_secret = 23  # RFC 7627
      token_binding = 24           # draft-ietf-tokbind-negotiation
 +    supported_versions = 43      # RFC 8446
      tack = 0xF300
      supports_npn = 13172
      channel_id = 30032
 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
 index ac7e563021d9..b29db939c2a8 100644
 --- a/third_party/tlslite/tlslite/messages.py
 +++ b/third_party/tlslite/tlslite/messages.py
 @@ -140,6 +140,7 @@ class ClientHello(HandshakeMsg):
          self.tb_client_params = []
          self.support_signed_cert_timestamps = False
          self.status_request = False
 +        self.has_supported_versions = False
          self.ri = False

      def create(self, version, random, session_id, cipher_suites,
 @@ -251,6 +252,11 @@ class ClientHello(HandshakeMsg):
                          if extLength != 1 or p.getFixBytes(extLength)[0] != 0:
                              raise SyntaxError()
                          self.ri = True
 +                    elif extType == ExtensionType.supported_versions:
 +                        # Ignore the extension, but make a note of it for
 +                        # intolerance simulation.
 +                        self.has_supported_versions = True
 +                        _ = p.getFixBytes(extLength)
                      else:
                          _ = p.getFixBytes(extLength)
                      index2 = p.index
 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
 index 8ba1c6e636ab..2309d4fa8f3a 100644
 --- a/third_party/tlslite/tlslite/tlsconnection.py
 +++ b/third_party/tlslite/tlslite/tlsconnection.py
 @@ -1457,6 +1457,15 @@ class TLSConnection(TLSRecordLayer):
          self._handshakeDone(resumed=False)


 +    def _isIntolerant(self, settings, clientHello):
 +        if settings.tlsIntolerant is None:
 +            return False
 +        clientVersion = clientHello.client_version
 +        if clientHello.has_supported_versions:
 +            clientVersion = (3, 4)
 +        return clientVersion >= settings.tlsIntolerant
 +
 +
      def _serverGetClientHello(self, settings, certChain, verifierDB,
                                  sessionCache, anon, fallbackSCSV):
          #Tentatively set version to most-desirable version, so if an error
 @@ -1480,8 +1489,7 @@ class TLSConnection(TLSRecordLayer):
                  yield result

          #If simulating TLS intolerance, reject certain TLS versions.
 -        elif (settings.tlsIntolerant is not None and
 -              clientHello.client_version >= settings.tlsIntolerant):
 +        elif self._isIntolerant(settings, clientHello):
              if settings.tlsIntoleranceType == "alert":
                  for result in self._sendError(\
                      AlertDescription.handshake_failure):
	diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
	index 82e8c075fe2a..8fb75d0948e4 100644
	--- a/third_party/tlslite/tlslite/constants.py
	+++ b/third_party/tlslite/tlslite/constants.py
	@@ -58,6 +58,7 @@ class ExtensionType: # RFC 6066 / 4366
	signed_cert_timestamps = 18 # RFC 6962
	extended_master_secret = 23 # RFC 7627
	token_binding = 24 # draft-ietf-tokbind-negotiation
	+ supported_versions = 43 # RFC 8446
	tack = 0xF300
	supports_npn = 13172
	channel_id = 30032
	diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
	index ac7e563021d9..b29db939c2a8 100644
	--- a/third_party/tlslite/tlslite/messages.py
	+++ b/third_party/tlslite/tlslite/messages.py
	@@ -140,6 +140,7 @@ class ClientHello(HandshakeMsg):
	self.tb_client_params = []
	self.support_signed_cert_timestamps = False
	self.status_request = False
	+ self.has_supported_versions = False
	self.ri = False

	def create(self, version, random, session_id, cipher_suites,
	@@ -251,6 +252,11 @@ class ClientHello(HandshakeMsg):
	if extLength != 1 or p.getFixBytes(extLength)[0] != 0:
	raise SyntaxError()
	self.ri = True
	+ elif extType == ExtensionType.supported_versions:
	+ # Ignore the extension, but make a note of it for
	+ # intolerance simulation.
	+ self.has_supported_versions = True
	+ _ = p.getFixBytes(extLength)
	else:
	_ = p.getFixBytes(extLength)
	index2 = p.index
	diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
	index 8ba1c6e636ab..2309d4fa8f3a 100644
	--- a/third_party/tlslite/tlslite/tlsconnection.py
	+++ b/third_party/tlslite/tlslite/tlsconnection.py
	@@ -1457,6 +1457,15 @@ class TLSConnection(TLSRecordLayer):
	self._handshakeDone(resumed=False)


	+ def _isIntolerant(self, settings, clientHello):
	+ if settings.tlsIntolerant is None:
	+ return False
	+ clientVersion = clientHello.client_version
	+ if clientHello.has_supported_versions:
	+ clientVersion = (3, 4)
	+ return clientVersion >= settings.tlsIntolerant
	+
	+
	def _serverGetClientHello(self, settings, certChain, verifierDB,
	sessionCache, anon, fallbackSCSV):
	#Tentatively set version to most-desirable version, so if an error
	@@ -1480,8 +1489,7 @@ class TLSConnection(TLSRecordLayer):
	yield result

	#If simulating TLS intolerance, reject certain TLS versions.
	- elif (settings.tlsIntolerant is not None and
	- clientHello.client_version >= settings.tlsIntolerant):
	+ elif self._isIntolerant(settings, clientHello):
	if settings.tlsIntoleranceType == "alert":
	for result in self._sendError(\
	AlertDescription.handshake_failure):