authorAllan Sandfeld Jensen <allan.jensen@qt.io>2017-07-12 14:07:37 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2017-07-17 10:29:26 +0000
commitec02ee4181c49b61fce1c8fb99292dbb8139cc90 (patch)
tree25cde714b2b71eb639d1cd53f5a22e9ba76e14ef /chromium/third_party/tlslite
parentbb09965444b5bb20b096a291445170876225268d (diff)
BASELINE: Update Chromium to 59.0.3071.134
Change-Id: Id02ef6fb2204c5fd21668a1c3e6911c83b17585a Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
Diffstat (limited to 'chromium/third_party/tlslite')
-rw-r--r--chromium/third_party/tlslite/OWNERS2
-rw-r--r--chromium/third_party/tlslite/README.chromium1
-rw-r--r--chromium/third_party/tlslite/patches/tls13_intolerance.patch66
-rw-r--r--chromium/third_party/tlslite/tlslite/constants.py1
-rw-r--r--chromium/third_party/tlslite/tlslite/messages.py6
-rw-r--r--chromium/third_party/tlslite/tlslite/tlsconnection.py12
6 files changed, 86 insertions, 2 deletions
diff --git a/chromium/third_party/tlslite/OWNERS b/chromium/third_party/tlslite/OWNERS
index 42d0d3b58b3..019db92cacc 100644
--- a/chromium/third_party/tlslite/OWNERS
+++ b/chromium/third_party/tlslite/OWNERS
@@ -1,3 +1,5 @@
agl@chromium.org
davidben@chromium.org
rsleevi@chromium.org
+
+# COMPONENT: Internals>Network>SSL
diff --git a/chromium/third_party/tlslite/README.chromium b/chromium/third_party/tlslite/README.chromium
index c2d1f271d3f..c6104f54377 100644
--- a/chromium/third_party/tlslite/README.chromium
+++ b/chromium/third_party/tlslite/README.chromium
@@ -56,3 +56,4 @@ Local Modifications:
- patches/token_binding_version.patch: Update Token Binding version number.
- patches/renegotiation_indication.patch: Implement the renegotiation
indication extension (RFC 5746) without supporting renegotiation.
+- patches/tls13_intolerance.patch: Extend the intolerance simulation to TLS 1.3.
diff --git a/chromium/third_party/tlslite/patches/tls13_intolerance.patch b/chromium/third_party/tlslite/patches/tls13_intolerance.patch
new file mode 100644
index 00000000000..6f19571c787
--- /dev/null
+++ b/chromium/third_party/tlslite/patches/tls13_intolerance.patch
@@ -0,0 +1,66 @@
+diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
+index 82e8c075fe2a..8fb75d0948e4 100644
+--- a/third_party/tlslite/tlslite/constants.py
++++ b/third_party/tlslite/tlslite/constants.py
+@@ -58,6 +58,7 @@ class ExtensionType: # RFC 6066 / 4366
+ signed_cert_timestamps = 18 # RFC 6962
+ extended_master_secret = 23 # RFC 7627
+ token_binding = 24 # draft-ietf-tokbind-negotiation
++ supported_versions = 43 # draft-ietf-tls-tls13-18
+ tack = 0xF300
+ supports_npn = 13172
+ channel_id = 30032
+diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
+index ac7e563021d9..b29db939c2a8 100644
+--- a/third_party/tlslite/tlslite/messages.py
++++ b/third_party/tlslite/tlslite/messages.py
+@@ -140,6 +140,7 @@ class ClientHello(HandshakeMsg):
+ self.tb_client_params = []
+ self.support_signed_cert_timestamps = False
+ self.status_request = False
++ self.has_supported_versions = False
+ self.ri = False
+
+ def create(self, version, random, session_id, cipher_suites,
+@@ -251,6 +252,11 @@ class ClientHello(HandshakeMsg):
+ if extLength != 1 or p.getFixBytes(extLength)[0] != 0:
+ raise SyntaxError()
+ self.ri = True
++ elif extType == ExtensionType.supported_versions:
++ # Ignore the extension, but make a note of it for
++ # intolerance simulation.
++ self.has_supported_versions = True
++ _ = p.getFixBytes(extLength)
+ else:
+ _ = p.getFixBytes(extLength)
+ index2 = p.index
+diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
+index 8ba1c6e636ab..2309d4fa8f3a 100644
+--- a/third_party/tlslite/tlslite/tlsconnection.py
++++ b/third_party/tlslite/tlslite/tlsconnection.py
+@@ -1457,6 +1457,15 @@ class TLSConnection(TLSRecordLayer):
+ self._handshakeDone(resumed=False)
+
+
++ def _isIntolerant(self, settings, clientHello):
++ if settings.tlsIntolerant is None:
++ return False
++ clientVersion = clientHello.client_version
++ if clientHello.has_supported_versions:
++ clientVersion = (3, 4)
++ return clientVersion >= settings.tlsIntolerant
++
++
+ def _serverGetClientHello(self, settings, certChain, verifierDB,
+ sessionCache, anon, fallbackSCSV):
+ #Tentatively set version to most-desirable version, so if an error
+@@ -1480,8 +1489,7 @@ class TLSConnection(TLSRecordLayer):
+ yield result
+
+ #If simulating TLS intolerance, reject certain TLS versions.
+- elif (settings.tlsIntolerant is not None and
+- clientHello.client_version >= settings.tlsIntolerant):
++ elif self._isIntolerant(settings, clientHello):
+ if settings.tlsIntoleranceType == "alert":
+ for result in self._sendError(\
+ AlertDescription.handshake_failure):
diff --git a/chromium/third_party/tlslite/tlslite/constants.py b/chromium/third_party/tlslite/tlslite/constants.py
index 82e8c075fe2..8fb75d0948e 100644
--- a/chromium/third_party/tlslite/tlslite/constants.py
+++ b/chromium/third_party/tlslite/tlslite/constants.py
@@ -58,6 +58,7 @@ class ExtensionType: # RFC 6066 / 4366
signed_cert_timestamps = 18 # RFC 6962
extended_master_secret = 23 # RFC 7627
token_binding = 24 # draft-ietf-tokbind-negotiation
+ supported_versions = 43 # draft-ietf-tls-tls13-18
tack = 0xF300
supports_npn = 13172
channel_id = 30032
diff --git a/chromium/third_party/tlslite/tlslite/messages.py b/chromium/third_party/tlslite/tlslite/messages.py
index ac7e563021d..b29db939c2a 100644
--- a/chromium/third_party/tlslite/tlslite/messages.py
+++ b/chromium/third_party/tlslite/tlslite/messages.py
@@ -140,6 +140,7 @@ class ClientHello(HandshakeMsg):
self.tb_client_params = []
self.support_signed_cert_timestamps = False
self.status_request = False
+ self.has_supported_versions = False
self.ri = False
def create(self, version, random, session_id, cipher_suites,
@@ -251,6 +252,11 @@ class ClientHello(HandshakeMsg):
if extLength != 1 or p.getFixBytes(extLength)[0] != 0:
raise SyntaxError()
self.ri = True
+ elif extType == ExtensionType.supported_versions:
+ # Ignore the extension, but make a note of it for
+ # intolerance simulation.
+ self.has_supported_versions = True
+ _ = p.getFixBytes(extLength)
else:
_ = p.getFixBytes(extLength)
index2 = p.index
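Review bot: The new `supported_versions` branch sets `has_supported_versions` on presence alone and throws the extension body away with `_ = p.getFixBytes(extLength)`. An empty or malformed version list, or one that does not include TLS 1.3 at all, is therefore recorded the same way as a genuine TLS 1.3 offer. If the intolerance simulation is meant to model servers that choke on TLS 1.3 specifically, the flag is broader than that. At minimum I would state this in the comment, e.g. `# Presence only: the version list is not parsed or validated.` The enclosing parse method starts and ends outside this hunk, so whether a duplicate extension is rejected earlier cannot be seen from here.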
diff --git a/chromium/third_party/tlslite/tlslite/tlsconnection.py b/chromium/third_party/tlslite/tlslite/tlsconnection.py
index 8ba1c6e636a..2309d4fa8f3 100644
--- a/chromium/third_party/tlslite/tlslite/tlsconnection.py
+++ b/chromium/third_party/tlslite/tlslite/tlsconnection.py
@@ -1457,6 +1457,15 @@ class TLSConnection(TLSRecordLayer):
self._handshakeDone(resumed=False)
+ def _isIntolerant(self, settings, clientHello):
+ if settings.tlsIntolerant is None:
+ return False
+ clientVersion = clientHello.client_version
+ if clientHello.has_supported_versions:
+ clientVersion = (3, 4)
+ return clientVersion >= settings.tlsIntolerant
+
+
def _serverGetClientHello(self, settings, certChain, verifierDB,
sessionCache, anon, fallbackSCSV):
#Tentatively set version to most-desirable version, so if an error
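Review bot: `_isIntolerant` has no docstring and the literal `(3, 4)` is unexplained. A one-line docstring such as `"""Return True if the simulated version intolerance should reject this ClientHello."""` plus a comment `# (3, 4) is TLS 1.3; supported_versions is treated as a TLS 1.3 offer` would make the intent readable. The assignment also replaces `client_version` unconditionally, so a hello that carries the extension is always compared as exactly `(3, 4)`. `clientVersion = max(clientVersion, (3, 4))` keeps the comparison monotonic if a client ever sends a higher legacy version. Since fallback and downgrade-protection tests presumably depend on this helper, a short note that it treats presence of the extension as a TLS 1.3 offer would help whoever later adds real version-list parsing.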
@@ -1480,8 +1489,7 @@ class TLSConnection(TLSRecordLayer):
yield result
#If simulating TLS intolerance, reject certain TLS versions.
- elif (settings.tlsIntolerant is not None and
- clientHello.client_version >= settings.tlsIntolerant):
+ elif self._isIntolerant(settings, clientHello):
if settings.tlsIntoleranceType == "alert":
for result in self._sendError(\
AlertDescription.handshake_failure):