chromium/third_party/tlslite/patches/tls_intolerant.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66

Index: third_party/tlslite/tlslite/TLSConnection.py
===================================================================
--- third_party/tlslite/tlslite/TLSConnection.py	(revision 134128)
+++ third_party/tlslite/tlslite/TLSConnection.py	(working copy)
@@ -932,7 +932,7 @@
     def handshakeServer(self, sharedKeyDB=None, verifierDB=None,
                         certChain=None, privateKey=None, reqCert=False,
                         sessionCache=None, settings=None, checker=None,
-                        reqCAs=None):
+                        reqCAs=None, tlsIntolerant=0):
         """Perform a handshake in the role of server.
 
         This function performs an SSL or TLS handshake.  Depending on
@@ -1012,14 +1012,14 @@
         """
         for result in self.handshakeServerAsync(sharedKeyDB, verifierDB,
                 certChain, privateKey, reqCert, sessionCache, settings,
-                checker, reqCAs):
+                checker, reqCAs, tlsIntolerant):
             pass
 
 
     def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None,
                              certChain=None, privateKey=None, reqCert=False,
                              sessionCache=None, settings=None, checker=None,
-                             reqCAs=None):
+                             reqCAs=None, tlsIntolerant=0):
         """Start a server handshake operation on the TLS connection.
 
         This function returns a generator which behaves similarly to
@@ -1036,14 +1036,15 @@
             verifierDB=verifierDB, certChain=certChain,
             privateKey=privateKey, reqCert=reqCert,
             sessionCache=sessionCache, settings=settings,
-            reqCAs=reqCAs)
+            reqCAs=reqCAs,
+            tlsIntolerant=tlsIntolerant)
         for result in self._handshakeWrapperAsync(handshaker, checker):
             yield result
 
 
     def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB,
                              certChain, privateKey, reqCert, sessionCache,
-                             settings, reqCAs):
+                             settings, reqCAs, tlsIntolerant):
 
         self._handshakeStart(client=False)
 
@@ -1111,6 +1112,17 @@
                   "Too old version: %s" % str(clientHello.client_version)):
                 yield result
 
+        #If tlsIntolerant is nonzero, reject certain TLS versions.
+        #1: reject all TLS versions.
+        #2: reject TLS 1.1 or higher.
+        #3: reject TLS 1.2 or higher.
+        if (tlsIntolerant == 1 and clientHello.client_version > (3, 0) or
+            tlsIntolerant == 2 and clientHello.client_version > (3, 1) or
+            tlsIntolerant == 3 and clientHello.client_version > (3, 2)):
+            for result in self._sendError(\
+                    AlertDescription.handshake_failure):
+                yield result
+
         #If client's version is too high, propose my highest version
         elif clientHello.client_version > settings.maxVersion:
             self.version = settings.maxVersion