diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py index e7c6834..0e78753 100644 --- a/third_party/tlslite/tlslite/tlsconnection.py +++ b/third_party/tlslite/tlslite/tlsconnection.py @@ -968,7 +968,8 @@ class TLSConnection(TLSRecordLayer): sessionCache=None, settings=None, checker=None, reqCAs = None, tacks=None, activationFlags=0, - nextProtos=None, anon=False): + nextProtos=None, anon=False, + tlsIntolerant=None): """Perform a handshake in the role of server. This function performs an SSL or TLS handshake. Depending on @@ -1037,6 +1038,11 @@ class TLSConnection(TLSRecordLayer): clients through the Next-Protocol Negotiation Extension, if they support it. + @type tlsIntolerant: (int, int) or None + @param tlsIntolerant: If tlsIntolerant is not None, the server will + simulate TLS version intolerance by returning a fatal handshake_failure + alert to all TLS versions tlsIntolerant or higher. + @raise socket.error: If a socket error occurs. @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed without a preceding alert. @@ -1048,7 +1054,7 @@ class TLSConnection(TLSRecordLayer): certChain, privateKey, reqCert, sessionCache, settings, checker, reqCAs, tacks=tacks, activationFlags=activationFlags, - nextProtos=nextProtos, anon=anon): + nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant): pass @@ -1057,7 +1063,8 @@ class TLSConnection(TLSRecordLayer): sessionCache=None, settings=None, checker=None, reqCAs=None, tacks=None, activationFlags=0, - nextProtos=None, anon=False + nextProtos=None, anon=False, + tlsIntolerant=None ): """Start a server handshake operation on the TLS connection. 
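Review bot: The new @param tlsIntolerant text in the docstring hunk (@@ -1037) does not say what the two ints are, even though a later hunk compares the value directly against clientHello.client_version with >=. Suggest making the form and the purpose explicit: `@param tlsIntolerant: If not None, a (major, minor) version tuple in the same form as settings.maxVersion; the server simulates TLS version intolerance by answering every ClientHello whose client_version is tlsIntolerant or higher with a fatal handshake_failure alert. Intended for test servers only.` The handshakeServerAsync signature hunk (@@ -1057) gains the same parameter without a docstring change in this diff; if that docstring lists parameters separately rather than referring back to handshakeServer, it should get the same entry.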
@@ -1076,7 +1083,8 @@ class TLSConnection(TLSRecordLayer): sessionCache=sessionCache, settings=settings, reqCAs=reqCAs, tacks=tacks, activationFlags=activationFlags, - nextProtos=nextProtos, anon=anon) + nextProtos=nextProtos, anon=anon, + tlsIntolerant=tlsIntolerant) for result in self._handshakeWrapperAsync(handshaker, checker): yield result @@ -1085,7 +1093,8 @@ class TLSConnection(TLSRecordLayer): certChain, privateKey, reqCert, sessionCache, settings, reqCAs, tacks, activationFlags, - nextProtos, anon): + nextProtos, anon, + tlsIntolerant): self._handshakeStart(client=False) @@ -1117,7 +1126,7 @@ class TLSConnection(TLSRecordLayer): # Handle ClientHello and resumption for result in self._serverGetClientHello(settings, certChain,\ verifierDB, sessionCache, - anon): + anon, tlsIntolerant): if result in (0,1): yield result elif result == None: self._handshakeDone(resumed=True) @@ -1214,7 +1223,7 @@ class TLSConnection(TLSRecordLayer): def _serverGetClientHello(self, settings, certChain, verifierDB, - sessionCache, anon): + sessionCache, anon, tlsIntolerant): #Initialize acceptable cipher suites cipherSuites = [] if verifierDB: @@ -1249,6 +1258,13 @@ class TLSConnection(TLSRecordLayer): "Too old version: %s" % str(clientHello.client_version)): yield result + #If simulating TLS intolerance, reject certain TLS versions. + elif (tlsIntolerant is not None and + clientHello.client_version >= tlsIntolerant): + for result in self._sendError(\ + AlertDescription.handshake_failure): + yield result + #If client's version is too high, propose my highest version elif clientHello.client_version > settings.maxVersion: self.version = settings.maxVersion
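Review bot: The comparison `clientHello.client_version >= tlsIntolerant` in the @@ -1249 hunk relies on tlsIntolerant being a two-int tuple, but nothing in this diff validates that; if this module still runs on Python 2, a scalar passed by mistake compares as smaller than every tuple without raising, so the server would silently fail every handshake rather than only the intended versions. A guard where the parameter enters _serverGetClientHello, or just before the elif chain, makes the misconfiguration loud: `if tlsIntolerant is not None and not (isinstance(tlsIntolerant, tuple) and len(tlsIntolerant) == 2):` / `    raise ValueError("tlsIntolerant must be a (major, minor) tuple or None")`. The new branch is also ordered before the settings.maxVersion downgrade, so a client above both thresholds receives handshake_failure instead of a ServerHello at maxVersion; that looks intended for simulating intolerance but deserves a word in the comment, e.g. `#Checked before the maxVersion downgrade so an intolerant server never negotiates down.` _serverGetClientHello continues past the end of the hunk.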