author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2017-07-12 14:07:37 +0200 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2017-07-17 10:29:26 +0000 |
commit | ec02ee4181c49b61fce1c8fb99292dbb8139cc90 (patch) | |
tree | 25cde714b2b71eb639d1cd53f5a22e9ba76e14ef /chromium/third_party/tlslite | |
parent | bb09965444b5bb20b096a291445170876225268d (diff) | |
BASELINE: Update Chromium to 59.0.3071.134
Change-Id: Id02ef6fb2204c5fd21668a1c3e6911c83b17585a
Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
Diffstat (limited to 'chromium/third_party/tlslite')
-rw-r--r-- | chromium/third_party/tlslite/OWNERS | 2 | ||||
-rw-r--r-- | chromium/third_party/tlslite/README.chromium | 1 | ||||
-rw-r--r-- | chromium/third_party/tlslite/patches/tls13_intolerance.patch | 66 | ||||
-rw-r--r-- | chromium/third_party/tlslite/tlslite/constants.py | 1 | ||||
-rw-r--r-- | chromium/third_party/tlslite/tlslite/messages.py | 6 | ||||
-rw-r--r-- | chromium/third_party/tlslite/tlslite/tlsconnection.py | 12 |
6 files changed, 86 insertions, 2 deletions
diff --git a/chromium/third_party/tlslite/OWNERS b/chromium/third_party/tlslite/OWNERS index 42d0d3b58b3..019db92cacc 100644 --- a/chromium/third_party/tlslite/OWNERS +++ b/chromium/third_party/tlslite/OWNERS @@ -1,3 +1,5 @@ agl@chromium.org davidben@chromium.org rsleevi@chromium.org + +# COMPONENT: Internals>Network>SSL diff --git a/chromium/third_party/tlslite/README.chromium b/chromium/third_party/tlslite/README.chromium index c2d1f271d3f..c6104f54377 100644 --- a/chromium/third_party/tlslite/README.chromium +++ b/chromium/third_party/tlslite/README.chromium @@ -56,3 +56,4 @@ Local Modifications: - patches/token_binding_version.patch: Update Token Binding version number. - patches/renegotiation_indication.patch: Implement the renegotiation indication extension (RFC 5746) without supporting renegotiation. +- patches/tls13_intolerance.patch: Extend the intolerance simulation to TLS 1.3. diff --git a/chromium/third_party/tlslite/patches/tls13_intolerance.patch b/chromium/third_party/tlslite/patches/tls13_intolerance.patch new file mode 100644 index 00000000000..6f19571c787 --- /dev/null +++ b/chromium/third_party/tlslite/patches/tls13_intolerance.patch 
@@ -0,0 +1,66 @@
+diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
+index 82e8c075fe2a..8fb75d0948e4 100644
+--- a/third_party/tlslite/tlslite/constants.py
++++ b/third_party/tlslite/tlslite/constants.py
+@@ -58,6 +58,7 @@ class ExtensionType: # RFC 6066 / 4366
+ signed_cert_timestamps = 18 # RFC 6962
+ extended_master_secret = 23 # RFC 7627
+ token_binding = 24 # draft-ietf-tokbind-negotiation
++ supported_versions = 43 # draft-ietf-tls-tls13-18
+ tack = 0xF300
+ supports_npn = 13172
+ channel_id = 30032
+diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
+index ac7e563021d9..b29db939c2a8 100644
+--- a/third_party/tlslite/tlslite/messages.py
++++ b/third_party/tlslite/tlslite/messages.py
+@@ -140,6 +140,7 @@ class ClientHello(HandshakeMsg):
+ self.tb_client_params = []
+ self.support_signed_cert_timestamps = False
+ self.status_request = False
++ self.has_supported_versions = False
+ self.ri = False
+
+ def create(self, version, random, session_id, cipher_suites,
+@@ -251,6 +252,11 @@ class ClientHello(HandshakeMsg):
+ if extLength != 1 or p.getFixBytes(extLength)[0] != 0:
+ raise SyntaxError()
+ self.ri = True
++ elif extType == ExtensionType.supported_versions:
++ # Ignore the extension, but make a note of it for
++ # intolerance simulation.
++ self.has_supported_versions = True ++ _ = p.getFixBytes(extLength) + else: + _ = p.getFixBytes(extLength) + index2 = p.index +diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py +index 8ba1c6e636ab..2309d4fa8f3a 100644 +--- a/third_party/tlslite/tlslite/tlsconnection.py ++++ b/third_party/tlslite/tlslite/tlsconnection.py +@@ -1457,6 +1457,15 @@ class TLSConnection(TLSRecordLayer): + self._handshakeDone(resumed=False) + + ++ def _isIntolerant(self, settings, clientHello): ++ if settings.tlsIntolerant is None: ++ return False ++ clientVersion = clientHello.client_version ++ if clientHello.has_supported_versions: ++ clientVersion = (3, 4) ++ return clientVersion >= settings.tlsIntolerant ++ ++ + def _serverGetClientHello(self, settings, certChain, verifierDB, + sessionCache, anon, fallbackSCSV): + #Tentatively set version to most-desirable version, so if an error +@@ -1480,8 +1489,7 @@ class TLSConnection(TLSRecordLayer): + yield result + + #If simulating TLS intolerance, reject certain TLS versions. +- elif (settings.tlsIntolerant is not None and +- clientHello.client_version >= settings.tlsIntolerant): ++ elif self._isIntolerant(settings, clientHello): + if settings.tlsIntoleranceType == "alert": + for result in self._sendError(\ + AlertDescription.handshake_failure): diff --git a/chromium/third_party/tlslite/tlslite/constants.py b/chromium/third_party/tlslite/tlslite/constants.py index 82e8c075fe2..8fb75d0948e 100644 --- a/chromium/third_party/tlslite/tlslite/constants.py +++ b/chromium/third_party/tlslite/tlslite/constants.py @@ -58,6 +58,7 @@ class ExtensionType: # RFC 6066 / 4366 signed_cert_timestamps = 18 # RFC 6962 extended_master_secret = 23 # RFC 7627 token_binding = 24 # draft-ietf-tokbind-negotiation + supported_versions = 43 # draft-ietf-tls-tls13-18 tack = 0xF300 supports_npn = 13172 channel_id = 30032 
diff --git a/chromium/third_party/tlslite/tlslite/messages.py b/chromium/third_party/tlslite/tlslite/messages.py index ac7e563021d..b29db939c2a 100644 --- a/chromium/third_party/tlslite/tlslite/messages.py +++ b/chromium/third_party/tlslite/tlslite/messages.py @@ -140,6 +140,7 @@ class ClientHello(HandshakeMsg): self.tb_client_params = [] self.support_signed_cert_timestamps = False self.status_request = False + self.has_supported_versions = False self.ri = False def create(self, version, random, session_id, cipher_suites, @@ -251,6 +252,11 @@ class ClientHello(HandshakeMsg): if extLength != 1 or p.getFixBytes(extLength)[0] != 0: raise SyntaxError() self.ri = True + elif extType == ExtensionType.supported_versions: + # Ignore the extension, but make a note of it for + # intolerance simulation. + self.has_supported_versions = True + _ = p.getFixBytes(extLength) else: _ = p.getFixBytes(extLength) index2 = p.index diff --git a/chromium/third_party/tlslite/tlslite/tlsconnection.py b/chromium/third_party/tlslite/tlslite/tlsconnection.py index 8ba1c6e636a..2309d4fa8f3 100644 --- a/chromium/third_party/tlslite/tlslite/tlsconnection.py +++ b/chromium/third_party/tlslite/tlslite/tlsconnection.py @@ -1457,6 +1457,15 @@ class TLSConnection(TLSRecordLayer): self._handshakeDone(resumed=False) + def _isIntolerant(self, settings, clientHello): + if settings.tlsIntolerant is None: + return False + clientVersion = clientHello.client_version + if clientHello.has_supported_versions: + clientVersion = (3, 4) + return clientVersion >= settings.tlsIntolerant + + def _serverGetClientHello(self, settings, certChain, verifierDB, sessionCache, anon, fallbackSCSV): #Tentatively set version to most-desirable version, so if an error 
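Review bot: The new `supported_versions` branch in the second messages.py hunk reads the extension body with `p.getFixBytes(extLength)` and discards it, so `has_supported_versions` records only that the extension was present, not which versions it lists. `_isIntolerant` in the tlsconnection.py hunk then treats presence as an offer of `(3, 4)`, so a ClientHello that carries the extension without that version in its list would still trip the simulated intolerance, and a malformed body is accepted silently where the branch just above (the one setting `self.ri`) raises `SyntaxError()` on a bad length. If that is deliberate for this test server, the comment should say so, for example `# Presence alone is treated as a TLS 1.3 offer; the version list is neither parsed nor validated.` The enclosing method starts and ends outside the hunk.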
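Review bot: `_isIntolerant` in the first tlsconnection.py hunk is added without a docstring and with a bare `(3, 4)` whose meaning the reader has to infer; from the README entry and the `supported_versions` comment it appears to stand for TLS 1.3. I would add a docstring such as `"""Return True if the simulated intolerance in settings.tlsIntolerant applies to this ClientHello."""` and a comment on the assignment, `# supported_versions present: treat the client as offering TLS 1.3, i.e. (3, 4)`. The override replaces `client_version` unconditionally, so the comparison never sees the legacy version field once the extension is present, and the docstring should state that. The rest of the class body lies outside the hunk.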
@@ -1480,8 +1489,7 @@ class TLSConnection(TLSRecordLayer): yield result #If simulating TLS intolerance, reject certain TLS versions. - elif (settings.tlsIntolerant is not None and - clientHello.client_version >= settings.tlsIntolerant): + elif self._isIntolerant(settings, clientHello): if settings.tlsIntoleranceType == "alert": for result in self._sendError(\ AlertDescription.handshake_failure): |