src/third_party/tlslite/patches/tls_intolerant.patch

   1 Index: third_party/tlslite/tlslite/TLSConnection.py
   2 ===================================================================
   3 --- third_party/tlslite/tlslite/TLSConnection.py        (revision 134128)
   4 +++ third_party/tlslite/tlslite/TLSConnection.py        (working copy)
   5 @@ -932,7 +932,7 @@
   6      def handshakeServer(self, sharedKeyDB=None, verifierDB=None,
   7                          certChain=None, privateKey=None, reqCert=False,
   8                          sessionCache=None, settings=None, checker=None,
   9 -                        reqCAs=None):
  10 +                        reqCAs=None, tlsIntolerant=0):
  11          """Perform a handshake in the role of server.
  12
  13          This function performs an SSL or TLS handshake.  Depending on
  14 @@ -1012,14 +1012,14 @@
  15          """
  16          for result in self.handshakeServerAsync(sharedKeyDB, verifierDB,
  17                  certChain, privateKey, reqCert, sessionCache, settings,
  18 -                checker, reqCAs):
  19 +                checker, reqCAs, tlsIntolerant):
  20              pass
  21
  22
  23      def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None,
  24                               certChain=None, privateKey=None, reqCert=False,
  25                               sessionCache=None, settings=None, checker=None,
  26 -                             reqCAs=None):
  27 +                             reqCAs=None, tlsIntolerant=0):
  28          """Start a server handshake operation on the TLS connection.
  29
  30          This function returns a generator which behaves similarly to
  31 @@ -1036,14 +1036,15 @@
  32              verifierDB=verifierDB, certChain=certChain,
  33              privateKey=privateKey, reqCert=reqCert,
  34              sessionCache=sessionCache, settings=settings,
  35 -            reqCAs=reqCAs)
  36 +            reqCAs=reqCAs,
  37 +            tlsIntolerant=tlsIntolerant)
  38          for result in self._handshakeWrapperAsync(handshaker, checker):
  39              yield result
  40
  41
  42      def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB,
  43                               certChain, privateKey, reqCert, sessionCache,
  44 -                             settings, reqCAs):
  45 +                             settings, reqCAs, tlsIntolerant):
  46
  47          self._handshakeStart(client=False)
  48
  49 @@ -1111,6 +1112,17 @@
  50                    "Too old version: %s" % str(clientHello.client_version)):
  51                  yield result
  52
  53 +        #If tlsIntolerant is nonzero, reject certain TLS versions.
  54 +        #1: reject all TLS versions.
  55 +        #2: reject TLS 1.1 or higher.
  56 +        #3: reject TLS 1.2 or higher.
  57 +        if (tlsIntolerant == 1 and clientHello.client_version > (3, 0) or
  58 +            tlsIntolerant == 2 and clientHello.client_version > (3, 1) or
  59 +            tlsIntolerant == 3 and clientHello.client_version > (3, 2)):
  60 +            for result in self._sendError(\
  61 +                    AlertDescription.handshake_failure):
  62 +                yield result
  63 +
  64          #If client's version is too high, propose my highest version
  65          elif clientHello.client_version > settings.maxVersion:
  66              self.version = settings.maxVersion