-rw-r--r-- | net/test/base_test_server.cc | 10 | ||||
-rw-r--r-- | net/test/base_test_server.h | 15 | ||||
-rwxr-xr-x | net/tools/testserver/testserver.py | 9 | ||||
-rw-r--r-- | net/url_request/url_request_unittest.cc | 4 | ||||
-rw-r--r-- | third_party/tlslite/patches/tls_intolerant.patch | 28 | ||||
-rw-r--r-- | third_party/tlslite/tlslite/TLSConnection.py | 12 |
6 files changed, 53 insertions, 25 deletions
diff --git a/net/test/base_test_server.cc b/net/test/base_test_server.cc
index 07bef89..323ff70 100644
--- a/net/test/base_test_server.cc
+++ b/net/test/base_test_server.cc
@@ -59,7 +59,7 @@ BaseTestServer::HTTPSOptions::HTTPSOptions()
 request_client_certificate(false),
 bulk_ciphers(HTTPSOptions::BULK_CIPHER_ANY),
 record_resume(false),
- tls_intolerant(false) {}
+ tls_intolerant(TLS_INTOLERANT_NONE) {}
 BaseTestServer::HTTPSOptions::HTTPSOptions(
 BaseTestServer::HTTPSOptions::ServerCertificate cert)
@@ -67,7 +67,7 @@ BaseTestServer::HTTPSOptions::HTTPSOptions(
 request_client_certificate(false),
 bulk_ciphers(HTTPSOptions::BULK_CIPHER_ANY),
 record_resume(false),
- tls_intolerant(false) {}
+ tls_intolerant(TLS_INTOLERANT_NONE) {}
 BaseTestServer::HTTPSOptions::~HTTPSOptions() {}
@@ -377,8 +377,10 @@ bool BaseTestServer::GenerateArguments(base::DictionaryValue* arguments) const {
 arguments->Set("ssl-bulk-cipher", bulk_cipher_values.release());
 if (https_options_.record_resume)
 arguments->Set("https-record-resume", base::Value::CreateNullValue());
- if (https_options_.tls_intolerant)
- arguments->Set("tls-intolerant", base::Value::CreateNullValue());
+ if (https_options_.tls_intolerant != HTTPSOptions::TLS_INTOLERANT_NONE) {
+ arguments->Set("tls-intolerant",
+ base::Value::CreateIntegerValue(https_options_.tls_intolerant));
+ }
 }
 return true;
 }
diff --git a/net/test/base_test_server.h b/net/test/base_test_server.h
index f7d5654..9456f37 100644
--- a/net/test/base_test_server.h
+++ b/net/test/base_test_server.h
@@ -85,6 +85,15 @@ class BaseTestServer {
 BULK_CIPHER_3DES = (1 << 3),
 };
+ // NOTE: the values of these enumerators are passed to the the Python test
+ // server. Do not change them.
+ enum TLSIntolerantLevel {
+ TLS_INTOLERANT_NONE = 0,
+ TLS_INTOLERANT_ALL = 1, // Intolerant of all TLS versions.
+ TLS_INTOLERANT_TLS1_1 = 2, // Intolerant of TLS 1.1 or higher.
+ TLS_INTOLERANT_TLS1_2 = 3, // Intolerant of TLS 1.2 or higher.
+ };
+
 // Initialize a new HTTPSOptions using CERT_OK as the certificate.
 HTTPSOptions();
@@ -127,9 +136,9 @@ class BaseTestServer {
 // /ssl-session-cache.
 bool record_resume;
- // If true, the server will abort any TLS handshake in order to test
- // SSLv3 fallback.
- bool tls_intolerant;
+ // If not TLS_INTOLERANT_NONE, the server will abort any handshake that
+ // negotiates an intolerant TLS version in order to test version fallback.
+ TLSIntolerantLevel tls_intolerant;
 };
 // Pass as the 'host' parameter during construction to server on 127.0.0.1
diff --git a/net/tools/testserver/testserver.py b/net/tools/testserver/testserver.py
index 9fc92ee..82e9b61 100755
--- a/net/tools/testserver/testserver.py
+++ b/net/tools/testserver/testserver.py
@@ -2177,9 +2177,12 @@ if __name__ == '__main__':
 'automatically generated certificate. One of '
 '[ok,revoked,invalid]')
 option_parser.add_option('', '--tls-intolerant', dest='tls_intolerant',
- const=True, default=False, action='store_const',
- help='If true, TLS connections will be aborted '
- ' in order to test SSLv3 fallback.')
+ default='0', type='int',
+ help='If nonzero, certain TLS connections will be'
+ ' aborted in order to test version fallback. 1'
+ ' means all TLS versions will be aborted. 2 means'
+ ' TLS 1.1 or higher will be aborted. 3 means TLS'
+ ' 1.2 or higher will be aborted.')
 option_parser.add_option('', '--https-record-resume', dest='record_resume',
 const=True, default=False, action='store_const',
 help='Record resumption cache events rather than'
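Review bot: The NOTE comment added above `enum TLSIntolerantLevel` reads "passed to the the Python test server"; the duplicated word should go: `// NOTE: the values of these enumerators are passed to the Python test`. Because the numeric values are a contract with the test server's `--tls-intolerant` option, the comment would be more useful if it named the consumer, e.g. `// server (testserver.py --tls-intolerant). Do not change them.`. The enclosing HTTPSOptions definition starts and ends outside the hunk.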
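Review bot: `--tls-intolerant` is now parsed as a bare `type='int'` with no range check, so a value outside 0-3 is accepted and, on the tlslite side, matches none of the level comparisons, meaning it silently behaves as "not intolerant" and a mis-set test would pass without exercising fallback at all. A check after the options are parsed, such as `if options.tls_intolerant not in (0, 1, 2, 3): option_parser.error('--tls-intolerant must be 0, 1, 2 or 3')`, would fail loudly instead; where the parsed options are consumed is outside the hunk. A smaller point: `default='0'` works because optparse runs string defaults through the option's type checker, but `default=0` states the intent directly. The `if __name__ == '__main__':` block continues outside the hunk.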
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
index b1c3b07..aae4b4e 100644
--- a/net/url_request/url_request_unittest.cc
+++ b/net/url_request/url_request_unittest.cc
@@ -1734,7 +1734,7 @@ TEST_F(HTTPSCRLSetTest, ExpiredCRLSet) {
 TEST_F(HTTPSRequestTest, SSLv3Fallback) {
 TestServer::HTTPSOptions https_options(
 TestServer::HTTPSOptions::CERT_OK);
- https_options.tls_intolerant = true;
+ https_options.tls_intolerant = TestServer::HTTPSOptions::TLS_INTOLERANT_ALL;
 TestServer test_server(https_options,
 FilePath(FILE_PATH_LITERAL("net/data/ssl")));
 ASSERT_TRUE(test_server.Start());
@@ -1751,6 +1751,8 @@ TEST_F(HTTPSRequestTest, SSLv3Fallback) {
 EXPECT_EQ(1, d.response_started_count());
 EXPECT_NE(0, d.bytes_received());
+ EXPECT_EQ(SSL_CONNECTION_VERSION_SSL3,
+ SSLConnectionStatusToVersion(r.ssl_info().connection_status));
 EXPECT_TRUE(r.ssl_info().connection_status & SSL_CONNECTION_SSL3_FALLBACK);
 }
diff --git a/third_party/tlslite/patches/tls_intolerant.patch b/third_party/tlslite/patches/tls_intolerant.patch
index 506b4d3c..53fe4d4c 100644
--- a/third_party/tlslite/patches/tls_intolerant.patch
+++ b/third_party/tlslite/patches/tls_intolerant.patch
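Review bot: The only test touched here sets `TLS_INTOLERANT_ALL`, so the two new levels, `TLS_INTOLERANT_TLS1_1` and `TLS_INTOLERANT_TLS1_2`, land without any test that exercises them (the diffstat lists no other test file). The added `EXPECT_EQ(SSL_CONNECTION_VERSION_SSL3, SSLConnectionStatusToVersion(r.ssl_info().connection_status));` now pins the negotiated version for the all-intolerant case, and the same shape of assertion for the other two levels is what would catch a fallback that stops at the wrong version; a test per level, or one parameterized over the enum, seems warranted before the levels are relied on. The body of SSLv3Fallback runs past the end of the first hunk and the fixture setup is outside both.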
@@ -1,17 +1,17 @@ -diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/tlslite/TLSConnection.py -index 7e38a23..02c7478 100644 ---- a/third_party/tlslite/tlslite/TLSConnection.py -+++ b/third_party/tlslite/tlslite/TLSConnection.py -@@ -932,7 +932,7 @@ class TLSConnection(TLSRecordLayer): +Index: third_party/tlslite/tlslite/TLSConnection.py +=================================================================== +--- third_party/tlslite/tlslite/TLSConnection.py (revision 134128) ++++ third_party/tlslite/tlslite/TLSConnection.py (working copy) +@@ -932,7 +932,7 @@ def handshakeServer(self, sharedKeyDB=None, verifierDB=None, certChain=None, privateKey=None, reqCert=False, sessionCache=None, settings=None, checker=None, - reqCAs=None): -+ reqCAs=None, tlsIntolerant=False): ++ reqCAs=None, tlsIntolerant=0): """Perform a handshake in the role of server. This function performs an SSL or TLS handshake. Depending on -@@ -1012,14 +1012,14 @@ class TLSConnection(TLSRecordLayer): +@@ -1012,14 +1012,14 @@ """ for result in self.handshakeServerAsync(sharedKeyDB, verifierDB, certChain, privateKey, reqCert, sessionCache, settings, @@ -24,11 +24,11 @@ index 7e38a23..02c7478 100644 certChain=None, privateKey=None, reqCert=False, sessionCache=None, settings=None, checker=None, - reqCAs=None): -+ reqCAs=None, tlsIntolerant=False): ++ reqCAs=None, tlsIntolerant=0): """Start a server handshake operation on the TLS connection. This function returns a generator which behaves similarly to -@@ -1036,14 +1036,15 @@ class TLSConnection(TLSRecordLayer): +@@ -1036,14 +1036,15 @@ verifierDB=verifierDB, certChain=certChain, privateKey=privateKey, reqCert=reqCert, sessionCache=sessionCache, settings=settings, 
@@ -46,11 +46,17 @@ index 7e38a23..02c7478 100644 self._handshakeStart(client=False) -@@ -1111,6 +1112,11 @@ class TLSConnection(TLSRecordLayer): +@@ -1111,6 +1112,17 @@ "Too old version: %s" % str(clientHello.client_version)): yield result -+ if tlsIntolerant and clientHello.client_version > (3, 0): ++ #If tlsIntolerant is nonzero, reject certain TLS versions. ++ #1: reject all TLS versions. ++ #2: reject TLS 1.1 or higher. ++ #3: reject TLS 1.2 or higher. ++ if (tlsIntolerant == 1 and clientHello.client_version > (3, 0) or ++ tlsIntolerant == 2 and clientHello.client_version > (3, 1) or ++ tlsIntolerant == 3 and clientHello.client_version > (3, 2)): + for result in self._sendError(\ + AlertDescription.handshake_failure): + yield result diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/tlslite/TLSConnection.py index 02c7478..f8811a9 100644 --- a/third_party/tlslite/tlslite/TLSConnection.py +++ b/third_party/tlslite/tlslite/TLSConnection.py @@ -932,7 +932,7 @@ class TLSConnection(TLSRecordLayer): def handshakeServer(self, sharedKeyDB=None, verifierDB=None, certChain=None, privateKey=None, reqCert=False, sessionCache=None, settings=None, checker=None, - reqCAs=None, tlsIntolerant=False): + reqCAs=None, tlsIntolerant=0): """Perform a handshake in the role of server. This function performs an SSL or TLS handshake. Depending on @@ -1019,7 +1019,7 @@ class TLSConnection(TLSRecordLayer): def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None, certChain=None, privateKey=None, reqCert=False, sessionCache=None, settings=None, checker=None, - reqCAs=None, tlsIntolerant=False): + reqCAs=None, tlsIntolerant=0): """Start a server handshake operation on the TLS connection. This function returns a generator which behaves similarly to 
@@ -1112,7 +1112,13 @@ class TLSConnection(TLSRecordLayer):
 "Too old version: %s" % str(clientHello.client_version)):
 yield result
- if tlsIntolerant and clientHello.client_version > (3, 0):
+ #If tlsIntolerant is nonzero, reject certain TLS versions.
+ #1: reject all TLS versions.
+ #2: reject TLS 1.1 or higher.
+ #3: reject TLS 1.2 or higher.
+ if (tlsIntolerant == 1 and clientHello.client_version > (3, 0) or
+ tlsIntolerant == 2 and clientHello.client_version > (3, 1) or
+ tlsIntolerant == 3 and clientHello.client_version > (3, 2)):
 for result in self._sendError(\
 AlertDescription.handshake_failure):
 yield result |
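Review bot: The new condition in the server-handshake path relies on `and` binding tighter than `or` across three clauses, which is correct today but easy to misread or break when a fourth level is added; a lookup table makes the level-to-version mapping explicit: `intolerant_above = {1: (3, 0), 2: (3, 1), 3: (3, 2)}` followed by `if (tlsIntolerant in intolerant_above and` / `clientHello.client_version > intolerant_above[tlsIntolerant]):`. That form also makes visible what the current chain hides, namely that an unrecognized nonzero level falls through and the handshake proceeds as if the server were tolerant. The four-line comment block could then shrink to a one-line reference to the table. The enclosing generator starts before and ends after the hunk.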