Extend the enterprise policy for SSL overrides to the "danger" command
1 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
2 index e7c6834..0e78753 100644
3 --- a/third_party/tlslite/tlslite/tlsconnection.py
4 +++ b/third_party/tlslite/tlslite/tlsconnection.py
5 @@ -968,7 +968,8 @@ class TLSConnection(TLSRecordLayer):
6 sessionCache=None, settings=None, checker=None,
7 reqCAs = None,
8 tacks=None, activationFlags=0,
9 - nextProtos=None, anon=False):
10 + nextProtos=None, anon=False,
11 + tlsIntolerant=None):
12 """Perform a handshake in the role of server.
14 This function performs an SSL or TLS handshake. Depending on
15 @@ -1037,6 +1038,11 @@ class TLSConnection(TLSRecordLayer):
16 clients through the Next-Protocol Negotiation Extension,
17 if they support it.
19 + @type tlsIntolerant: (int, int) or None
20 + @param tlsIntolerant: If tlsIntolerant is not None, the server will
21 + simulate TLS version intolerance by returning a fatal handshake_failure
22 + alert to all TLS versions tlsIntolerant or higher.
24 @raise socket.error: If a socket error occurs.
25 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
26 without a preceding alert.
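Review bot: The new @param text leaves the shape of tlsIntolerant implicit: `(int, int)` is only meaningful as a (major, minor) protocol version, and "tlsIntolerant or higher" does not say which value it is measured against. The comparison added later in this patch, `clientHello.client_version >= tlsIntolerant`, tests the version the client advertises in its ClientHello, so the docstring should say that and give an anchor, e.g. `@param tlsIntolerant: A (major, minor) protocol version tuple, e.g. (3, 2) for TLS 1.1. When set, any ClientHello whose client_version is >= this tuple is answered with a fatal handshake_failure alert, emulating a version-intolerant server.` It would also help to state that this is presumably a test-server hook and is not meant to be set on a production listener, since it refuses every modern client.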
27 @@ -1048,7 +1054,7 @@ class TLSConnection(TLSRecordLayer):
28 certChain, privateKey, reqCert, sessionCache, settings,
29 checker, reqCAs,
30 tacks=tacks, activationFlags=activationFlags,
31 - nextProtos=nextProtos, anon=anon):
32 + nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant):
33 pass
36 @@ -1057,7 +1063,8 @@ class TLSConnection(TLSRecordLayer):
37 sessionCache=None, settings=None, checker=None,
38 reqCAs=None,
39 tacks=None, activationFlags=0,
40 - nextProtos=None, anon=False
41 + nextProtos=None, anon=False,
42 + tlsIntolerant=None
44 """Start a server handshake operation on the TLS connection.
46 @@ -1076,7 +1083,8 @@ class TLSConnection(TLSRecordLayer):
47 sessionCache=sessionCache, settings=settings,
48 reqCAs=reqCAs,
49 tacks=tacks, activationFlags=activationFlags,
50 - nextProtos=nextProtos, anon=anon)
51 + nextProtos=nextProtos, anon=anon,
52 + tlsIntolerant=tlsIntolerant)
53 for result in self._handshakeWrapperAsync(handshaker, checker):
54 yield result
56 @@ -1085,7 +1093,8 @@ class TLSConnection(TLSRecordLayer):
57 certChain, privateKey, reqCert, sessionCache,
58 settings, reqCAs,
59 tacks, activationFlags,
60 - nextProtos, anon):
61 + nextProtos, anon,
62 + tlsIntolerant):
64 self._handshakeStart(client=False)
66 @@ -1117,7 +1126,7 @@ class TLSConnection(TLSRecordLayer):
67 # Handle ClientHello and resumption
68 for result in self._serverGetClientHello(settings, certChain,\
69 verifierDB, sessionCache,
70 - anon):
71 + anon, tlsIntolerant):
72 if result in (0,1): yield result
73 elif result == None:
74 self._handshakeDone(resumed=True)
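Review bot: The new argument is threaded into `_serverGetClientHello` positionally after `anon`, so two trailing flags with look-alike default values (`False`/`None`) now depend on argument order alone; writing the call as `anon=anon, tlsIntolerant=tlsIntolerant` would make it self-describing and match the other call sites in this patch, which pass tlsIntolerant by keyword. The enclosing `_handshakeServerAsyncHelper` starts and ends outside this hunk.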
75 @@ -1214,7 +1223,7 @@ class TLSConnection(TLSRecordLayer):
78 def _serverGetClientHello(self, settings, certChain, verifierDB,
79 - sessionCache, anon):
80 + sessionCache, anon, tlsIntolerant):
81 #Initialize acceptable cipher suites
82 cipherSuites = []
83 if verifierDB:
84 @@ -1249,6 +1258,13 @@ class TLSConnection(TLSRecordLayer):
85 "Too old version: %s" % str(clientHello.client_version)):
86 yield result
88 + #If simulating TLS intolerance, reject certain TLS versions.
89 + elif (tlsIntolerant is not None and
90 + clientHello.client_version >= tlsIntolerant):
91 + for result in self._sendError(\
92 + AlertDescription.handshake_failure):
93 + yield result
95 #If client's version is too high, propose my highest version
96 elif clientHello.client_version > settings.maxVersion:
97 self.version = settings.maxVersion