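diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
index e8dd859..8415592 100755
--- a/third_party/tlslite/tlslite/tlsconnection.py
+++ b/third_party/tlslite/tlslite/tlsconnection.py
@@ -965,7 +965,8 @@ class TLSConnection(TLSRecordLayer):
                         sessionCache=None, settings=None, checker=None,
                         reqCAs = None, 
                         tacks=None, activationFlags=0,
-                        nextProtos=None, anon=False):
+                        nextProtos=None, anon=False,
+                        tlsIntolerant=None):
         """Perform a handshake in the role of server.
 
         This function performs an SSL or TLS handshake.  Depending on
@@ -1034,6 +1035,11 @@ class TLSConnection(TLSRecordLayer):
         clients through the Next-Protocol Negotiation Extension, 
         if they support it.
 
+        @type tlsIntolerant: (int, int) or None
+        @param tlsIntolerant: If tlsIntolerant is not None, the server will
+        simulate TLS version intolerance by returning a fatal handshake_failure
+        alert to all TLS versions tlsIntolerant or higher.
+
         @raise socket.error: If a socket error occurs.
         @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
         without a preceding alert.
@@ -1045,7 +1051,7 @@ class TLSConnection(TLSRecordLayer):
                 certChain, privateKey, reqCert, sessionCache, settings,
                 checker, reqCAs, 
                 tacks=tacks, activationFlags=activationFlags, 
-                nextProtos=nextProtos, anon=anon):
+                nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant):
             pass
 
 
@@ -1054,7 +1060,8 @@ class TLSConnection(TLSRecordLayer):
                              sessionCache=None, settings=None, checker=None,
                              reqCAs=None, 
                              tacks=None, activationFlags=0,
-                             nextProtos=None, anon=False
+                             nextProtos=None, anon=False,
+                             tlsIntolerant=None
                              ):
         """Start a server handshake operation on the TLS connection.
 
@@ -1073,7 +1080,8 @@ class TLSConnection(TLSRecordLayer):
             sessionCache=sessionCache, settings=settings, 
             reqCAs=reqCAs, 
             tacks=tacks, activationFlags=activationFlags, 
-            nextProtos=nextProtos, anon=anon)
+            nextProtos=nextProtos, anon=anon,
+            tlsIntolerant=tlsIntolerant)
         for result in self._handshakeWrapperAsync(handshaker, checker):
             yield result
 
@@ -1082,7 +1090,8 @@ class TLSConnection(TLSRecordLayer):
                              certChain, privateKey, reqCert, sessionCache,
                              settings, reqCAs, 
                              tacks, activationFlags, 
-                             nextProtos, anon):
+                             nextProtos, anon,
+                             tlsIntolerant):
 
         self._handshakeStart(client=False)
 
@@ -1114,7 +1123,7 @@ class TLSConnection(TLSRecordLayer):
         # Handle ClientHello and resumption
         for result in self._serverGetClientHello(settings, certChain,\
                                             verifierDB, sessionCache,
-                                            anon):
+                                            anon, tlsIntolerant):
             if result in (0,1): yield result
             elif result == None:
                 self._handshakeDone(resumed=True)                
@@ -1211,7 +1220,7 @@ class TLSConnection(TLSRecordLayer):
 
 
     def _serverGetClientHello(self, settings, certChain, verifierDB,
-                                sessionCache, anon):
+                                sessionCache, anon, tlsIntolerant):
         #Initialize acceptable cipher suites
         cipherSuites = []
         if verifierDB:
@@ -1246,6 +1255,13 @@ class TLSConnection(TLSRecordLayer):
                   "Too old version: %s" % str(clientHello.client_version)):
                 yield result
 
+        #If simulating TLS intolerance, reject certain TLS versions.
+        elif (tlsIntolerant is not None and
+            clientHello.client_version >= tlsIntolerant):
+            for result in self._sendError(\
+                    AlertDescription.handshake_failure):
+                yield result
+
         #If client's version is too high, propose my highest version
         elif clientHello.client_version > settings.maxVersion:
             self.version = settings.maxVersion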
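Review bot: The new `elif` in `_serverGetClientHello` compares `clientHello.client_version >= tlsIntolerant` directly, but nothing on the entry path validates that `tlsIntolerant` is the `(major, minor)` tuple the docstring promises; on CPython 2 a bare int would presumably compare as lower than any tuple and reject every client with handshake_failure, and on Python 3 the comparison would raise TypeError mid-handshake. A guard where the parameter enters, in `handshakeServerAsync`, keeps the failure explicit: `if tlsIntolerant is not None and not (isinstance(tlsIntolerant, tuple) and len(tlsIntolerant) == 2): raise ValueError("tlsIntolerant must be a (major, minor) tuple or None")`. Because the intolerance branch precedes the "too high version" downgrade branch, a client offering a version above both `settings.maxVersion` and `tlsIntolerant` now gets a fatal alert rather than a lowered server version, which is the intended simulation but deserves a one-line comment saying so, e.g. `# Checked before the maxVersion downgrade on purpose: an intolerant server aborts instead of negotiating down.` The `handshakeServerAsync` hunk adds the parameter but its visible docstring text is not updated; if that is not done elsewhere in the commit, add an `@param tlsIntolerant` entry mirroring the one in `handshakeServer`. `_serverGetClientHello` continues past the end of the last hunk.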