-Index: third_party/tlslite/tlslite/TLSConnection.py
-===================================================================
---- third_party/tlslite/tlslite/TLSConnection.py (revision 134128)
-+++ third_party/tlslite/tlslite/TLSConnection.py (working copy)
-@@ -932,7 +932,7 @@
- def handshakeServer(self, sharedKeyDB=None, verifierDB=None,
- certChain=None, privateKey=None, reqCert=False,
+diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
+index e8dd859..8415592 100755
+--- a/third_party/tlslite/tlslite/tlsconnection.py
++++ b/third_party/tlslite/tlslite/tlsconnection.py
+@@ -965,7 +965,8 @@ class TLSConnection(TLSRecordLayer):
sessionCache=None, settings=None, checker=None,
-- reqCAs=None):
-+ reqCAs=None, tlsIntolerant=0):
+ reqCAs = None,
+ tacks=None, activationFlags=0,
+- nextProtos=None, anon=False):
++ nextProtos=None, anon=False,
++ tlsIntolerant=None):
"""Perform a handshake in the role of server.
This function performs an SSL or TLS handshake. Depending on
-@@ -1012,14 +1012,14 @@
- """
- for result in self.handshakeServerAsync(sharedKeyDB, verifierDB,
+@@ -1034,6 +1035,11 @@ class TLSConnection(TLSRecordLayer):
+ clients through the Next-Protocol Negotiation Extension,
+ if they support it.
+
++ @type tlsIntolerant: (int, int) or None
++ @param tlsIntolerant: If tlsIntolerant is not None, the server will
++ simulate TLS version intolerance by returning a fatal handshake_failure
++ alert to all TLS versions tlsIntolerant or higher.
++
+ @raise socket.error: If a socket error occurs.
+ @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
+ without a preceding alert.
+@@ -1045,7 +1051,7 @@ class TLSConnection(TLSRecordLayer):
certChain, privateKey, reqCert, sessionCache, settings,
-- checker, reqCAs):
-+ checker, reqCAs, tlsIntolerant):
+ checker, reqCAs,
+ tacks=tacks, activationFlags=activationFlags,
+- nextProtos=nextProtos, anon=anon):
++ nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant):
pass
- def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None,
- certChain=None, privateKey=None, reqCert=False,
+@@ -1054,7 +1060,8 @@ class TLSConnection(TLSRecordLayer):
sessionCache=None, settings=None, checker=None,
-- reqCAs=None):
-+ reqCAs=None, tlsIntolerant=0):
+ reqCAs=None,
+ tacks=None, activationFlags=0,
+- nextProtos=None, anon=False
++ nextProtos=None, anon=False,
++ tlsIntolerant=None
+ ):
"""Start a server handshake operation on the TLS connection.
- This function returns a generator which behaves similarly to
-@@ -1036,14 +1036,15 @@
- verifierDB=verifierDB, certChain=certChain,
- privateKey=privateKey, reqCert=reqCert,
- sessionCache=sessionCache, settings=settings,
-- reqCAs=reqCAs)
-+ reqCAs=reqCAs,
+@@ -1073,7 +1080,8 @@ class TLSConnection(TLSRecordLayer):
+ sessionCache=sessionCache, settings=settings,
+ reqCAs=reqCAs,
+ tacks=tacks, activationFlags=activationFlags,
+- nextProtos=nextProtos, anon=anon)
++ nextProtos=nextProtos, anon=anon,
+ tlsIntolerant=tlsIntolerant)
for result in self._handshakeWrapperAsync(handshaker, checker):
yield result
-
- def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB,
+@@ -1082,7 +1090,8 @@ class TLSConnection(TLSRecordLayer):
certChain, privateKey, reqCert, sessionCache,
-- settings, reqCAs):
-+ settings, reqCAs, tlsIntolerant):
+ settings, reqCAs,
+ tacks, activationFlags,
+- nextProtos, anon):
++ nextProtos, anon,
++ tlsIntolerant):
self._handshakeStart(client=False)
-@@ -1111,6 +1112,17 @@
+@@ -1114,7 +1123,7 @@ class TLSConnection(TLSRecordLayer):
+ # Handle ClientHello and resumption
+ for result in self._serverGetClientHello(settings, certChain,\
+ verifierDB, sessionCache,
+- anon):
++ anon, tlsIntolerant):
+ if result in (0,1): yield result
+ elif result == None:
+ self._handshakeDone(resumed=True)
+@@ -1211,7 +1220,7 @@ class TLSConnection(TLSRecordLayer):
+
+
+ def _serverGetClientHello(self, settings, certChain, verifierDB,
+- sessionCache, anon):
++ sessionCache, anon, tlsIntolerant):
+ #Initialize acceptable cipher suites
+ cipherSuites = []
+ if verifierDB:
+@@ -1246,6 +1255,13 @@ class TLSConnection(TLSRecordLayer):
"Too old version: %s" % str(clientHello.client_version)):
yield result
-+ #If tlsIntolerant is nonzero, reject certain TLS versions.
-+ #1: reject all TLS versions.
-+ #2: reject TLS 1.1 or higher.
-+ #3: reject TLS 1.2 or higher.
-+ if (tlsIntolerant == 1 and clientHello.client_version > (3, 0) or
-+ tlsIntolerant == 2 and clientHello.client_version > (3, 1) or
-+ tlsIntolerant == 3 and clientHello.client_version > (3, 2)):
++ #If simulating TLS intolerance, reject certain TLS versions.
++ elif (tlsIntolerant is not None and
++ clientHello.client_version >= tlsIntolerant):
+ for result in self._sendError(\
+ AlertDescription.handshake_failure):
+ yield result
projects / platform / framework / web / crosswalk.git / blobdiff