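diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
index e8dd859..8415592 100755
--- a/third_party/tlslite/tlslite/tlsconnection.py
+++ b/third_party/tlslite/tlslite/tlsconnection.py
@@ -965,7 +965,8 @@ class TLSConnection(TLSRecordLayer):
                         sessionCache=None, settings=None, checker=None,
                         reqCAs = None, 
                         tacks=None, activationFlags=0,
-                        nextProtos=None, anon=False):
+                        nextProtos=None, anon=False,
+                        tlsIntolerant=None):
         """Perform a handshake in the role of server.
 
         This function performs an SSL or TLS handshake.  Depending on
@@ -1034,6 +1035,11 @@ class TLSConnection(TLSRecordLayer):
         clients through the Next-Protocol Negotiation Extension, 
         if they support it.
 
+        @type tlsIntolerant: (int, int) or None
+        @param tlsIntolerant: If tlsIntolerant is not None, the server will
+        simulate TLS version intolerance by returning a fatal handshake_failure
+        alert to all TLS versions tlsIntolerant or higher.
+
         @raise socket.error: If a socket error occurs.
         @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
         without a preceding alert.
@@ -1045,7 +1051,7 @@ class TLSConnection(TLSRecordLayer):
                 certChain, privateKey, reqCert, sessionCache, settings,
                 checker, reqCAs, 
                 tacks=tacks, activationFlags=activationFlags, 
-                nextProtos=nextProtos, anon=anon):
+                nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant):
             pass
 
 
@@ -1054,7 +1060,8 @@ class TLSConnection(TLSRecordLayer):
                              sessionCache=None, settings=None, checker=None,
                              reqCAs=None, 
                              tacks=None, activationFlags=0,
-                             nextProtos=None, anon=False
+                             nextProtos=None, anon=False,
+                             tlsIntolerant=None
                              ):
         """Start a server handshake operation on the TLS connection.
 
@@ -1073,7 +1080,8 @@ class TLSConnection(TLSRecordLayer):
             sessionCache=sessionCache, settings=settings, 
             reqCAs=reqCAs, 
             tacks=tacks, activationFlags=activationFlags, 
-            nextProtos=nextProtos, anon=anon)
+            nextProtos=nextProtos, anon=anon,
+            tlsIntolerant=tlsIntolerant)
         for result in self._handshakeWrapperAsync(handshaker, checker):
             yield result
 
@@ -1082,7 +1090,8 @@ class TLSConnection(TLSRecordLayer):
                              certChain, privateKey, reqCert, sessionCache,
                              settings, reqCAs, 
                              tacks, activationFlags, 
-                             nextProtos, anon):
+                             nextProtos, anon,
+                             tlsIntolerant):
 
         self._handshakeStart(client=False)
 
@@ -1114,7 +1123,7 @@ class TLSConnection(TLSRecordLayer):
         # Handle ClientHello and resumption
         for result in self._serverGetClientHello(settings, certChain,\
                                             verifierDB, sessionCache,
-                                            anon):
+                                            anon, tlsIntolerant):
             if result in (0,1): yield result
             elif result == None:
                 self._handshakeDone(resumed=True)                
@@ -1211,7 +1220,7 @@ class TLSConnection(TLSRecordLayer):
 
 
     def _serverGetClientHello(self, settings, certChain, verifierDB,
-                                sessionCache, anon):
+                                sessionCache, anon, tlsIntolerant):
         #Initialize acceptable cipher suites
         cipherSuites = []
         if verifierDB:
@@ -1246,6 +1255,13 @@ class TLSConnection(TLSRecordLayer):
                   "Too old version: %s" % str(clientHello.client_version)):
                 yield result
 
+        #If simulating TLS intolerance, reject certain TLS versions.
+        elif (tlsIntolerant is not None and
+            clientHello.client_version >= tlsIntolerant):
+            for result in self._sendError(\
+                    AlertDescription.handshake_failure):
+                yield result
+
         #If client's version is too high, propose my highest version
         elif clientHello.client_version > settings.maxVersion:
             self.version = settings.maxVersion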
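Review bot: The new `tlsIntolerant` parameter of handshakeServerAsync (hunk at -1054) is added to the signature, but within the lines shown its docstring receives no matching entry, whereas handshakeServer's docstring (hunk at -1034) gets the `@type tlsIntolerant: (int, int) or None` / `@param tlsIntolerant: ...` block; the same four-line block should be added to handshakeServerAsync as well, or its docstring should point readers to handshakeServer, so that a caller of the async entry point can tell this is a test-only simulation of version intolerance rather than a policy knob. In the -1246 hunk, the continuation line `clientHello.client_version >= tlsIntolerant):` is indented to the same column as the branch body, which makes the condition and its body hard to tell apart; indenting it under `tlsIntolerant` inside the parentheses would read more clearly. The backslash before `AlertDescription.handshake_failure` is redundant inside the still-open parenthesis of `self._sendError(` and can be dropped. Both the handshakeServerAsync docstring and the surrounding version-check branches of _serverGetClientHello continue outside the hunks shown.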