third_party/tlslite/patches/tls-srp-rfc5054.patch - Issue 6804032: Add TLS-SRP (RFC 5054) support

Unified Diff: third_party/tlslite/patches/tls-srp-rfc5054.patch

Issue 6804032: Add TLS-SRP (RFC 5054) support Base URL: http://git.chromium.org/git/chromium.git@trunk

Patch Set: use system srp and mpi libs, not local copies Created 9 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Index: third_party/tlslite/patches/tls-srp-rfc5054.patch

diff --git a/third_party/tlslite/patches/tls-srp-rfc5054.patch b/third_party/tlslite/patches/tls-srp-rfc5054.patch

new file mode 100644

index 0000000000000000000000000000000000000000..760188c563994d9a5de518163388c3053af930c5

--- /dev/null

+++ b/third_party/tlslite/patches/tls-srp-rfc5054.patch

@@ -0,0 +1,193 @@

+Only in chromium: patches

+diff --git tlslite-0.3.8/scripts/tls.py chromium/tlslite/scripts/tls.py

+index fa2c663..e7a473d 100644

+--- tlslite-0.3.8/scripts/tls.py

++++ chromium/tlslite/scripts/tls.py

+@@ -91,7 +91,7 @@ def clientTest(address, dir):

+ badFault = True

+ connection.sock.close()

+- print "Test 5 - good SRP: unknown_srp_username idiom"

++ print "Test 5 - good SRP: unknown_psk_identity idiom"

+ def srpCallback():

+ return ("test", "password")

+ connection = connect()

+@@ -465,7 +465,7 @@ def serverTest(address, dir):

+ pass

+ connection.sock.close()

+- print "Test 5 - good SRP: unknown_srp_username idiom"

++ print "Test 5 - good SRP: unknown_psk_identity idiom"

+ connection = connect()

+ connection.handshakeServer(verifierDB=verifierDB)

+ connection.close()

+@@ -893,7 +893,7 @@ try:

+ raise

+ sys.exit()

+ except TLSRemoteAlert, a:

+- if a.description == AlertDescription.unknown_srp_username:

++ if a.description == AlertDescription.unknown_psk_identity:

+ if cmd == "clientsrp":

+ print "Unknown username"

+ else:

+@@ -1027,7 +1027,7 @@ try:

+ connection.write(s)

+ s = ""

+ except TLSLocalAlert, a:

+- if a.description == AlertDescription.unknown_srp_username:

++ if a.description == AlertDescription.unknown_psk_identity:

+ print "Unknown SRP username"

+ elif a.description == AlertDescription.bad_record_mac:

+ if cmd == "serversrp" or cmd == "serversrpcert":

+diff --git tlslite-0.3.8/tlslite/TLSConnection.py chromium/tlslite//TLSConnection.py

+index 7e38a23..1616c7c 100644

+--- tlslite-0.3.8/tlslite/TLSConnection.py

++++ chromium/tlslite//TLSConnection.py

+@@ -514,7 +514,7 @@ class TLSConnection(TLSRecordLayer):

+ for result in self._sendMsg(clientHello):

+ yield result

+- #Get ServerHello (or missing_srp_username)

++ #Get ServerHello (or unknown_psk_identity)

+ for result in self._getMsg((ContentType.handshake,

+ ContentType.alert),

+ HandshakeType.server_hello):

+@@ -529,20 +529,17 @@ class TLSConnection(TLSRecordLayer):

+ elif isinstance(msg, Alert):

+ alert = msg

+- #If it's not a missing_srp_username, re-raise

+- if alert.description != AlertDescription.missing_srp_username:

++ #If it's not a unknown_psk_identity, re-raise

++ if alert.description != AlertDescription.unknown_psk_identity:

+ self._shutdown(False)

+ raise TLSRemoteAlert(alert)

+- #If we're not in SRP callback mode, we won't have offered SRP

+- #without a username, so we shouldn't get this alert

+- if not srpCallback:

+- for result in self._sendError(\

+- AlertDescription.unexpected_message):

+- yield result

+- srpParams = srpCallback()

+- #If the callback returns None, cancel the handshake

+- if srpParams == None:

++ #Our SRP credentials were wrong, so try getting new ones.

++ if srpCallback:

++ srpParams = srpCallback()

++ #If we can't get different credentials, cancel the handshake

++ if srpParams == None or not srpCallback:

+ for result in self._sendError(AlertDescription.user_canceled):

+ yield result

+@@ -1259,7 +1256,7 @@ class TLSConnection(TLSRecordLayer):

+ #Ask the client to re-send ClientHello with one

+ for result in self._sendMsg(Alert().create(\

+- AlertDescription.missing_srp_username,

++ AlertDescription.unknown_psk_identity,

+ AlertLevel.warning)):

+ yield result

+@@ -1323,7 +1320,7 @@ class TLSConnection(TLSRecordLayer):

+ entry = verifierDB[self.allegedSrpUsername]

+ except KeyError:

+ for result in self._sendError(\

+- AlertDescription.unknown_srp_username):

++ AlertDescription.unknown_psk_identity):

+ yield result

+ (N, g, s, v) = entry

+diff --git tlslite-0.3.8/tlslite/constants.py chromium/tlslite//constants.py

+index 04302c0..7ed7634 100644

+--- tlslite-0.3.8/tlslite/constants.py

++++ chromium/tlslite//constants.py

+@@ -30,6 +30,9 @@ class ContentType:

+ application_data = 23

+ all = (20,21,22,23)

++class ClientHelloExtension:

++ srp = 12

+ class AlertLevel:

+ warning = 1

+ fatal = 2

+@@ -88,18 +91,19 @@ class AlertDescription:

+ internal_error = 80

+ user_canceled = 90

+ no_renegotiation = 100

+- unknown_srp_username = 120

+- missing_srp_username = 121

+- untrusted_srp_parameters = 122

++ unknown_psk_identity = 115

++ untrusted_srp_parameters = 122 # TODO(sqs): probably outdated wrt RFC 5054

+ class CipherSuite:

+- TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0x0050

+- TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0x0053

+- TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0x0056

++ TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A

++ TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D

++ TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020

++ TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B

++ TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E

++ TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021

+- TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0x0051

+- TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0x0054

+- TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0x0057

++ # TODO(sqs): No SRP DSS cipher suites

+ TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A

+ TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F

+@@ -202,8 +206,9 @@ class Fault:

+ genericFaults = range(300,303)

+ faultAlerts = {\

+- badUsername: (AlertDescription.unknown_srp_username, \

+- AlertDescription.bad_record_mac),\

++ badUsername: (AlertDescription.unknown_psk_identity, \

++ AlertDescription.bad_record_mac, \

++ AlertDescription.user_canceled),\

+ badPassword: (AlertDescription.bad_record_mac,),\

+ badA: (AlertDescription.illegal_parameter,),\

+ badIdentifier: (AlertDescription.handshake_failure,),\

+diff --git tlslite-0.3.8/tlslite/errors.py chromium/tlslite//errors.py

+index c7f7ba8..c9a480e 100644

+--- tlslite-0.3.8/tlslite/errors.py

++++ chromium/tlslite//errors.py

+@@ -50,8 +50,8 @@ class TLSAlert(TLSError):

+ AlertDescription.internal_error: "internal_error",\

+ AlertDescription.user_canceled: "user_canceled",\

+ AlertDescription.no_renegotiation: "no_renegotiation",\

+- AlertDescription.unknown_srp_username: "unknown_srp_username",\

+- AlertDescription.missing_srp_username: "missing_srp_username"}

++ AlertDescription.unknown_psk_identity: "unknown_psk_identity",

++ }

+ class TLSLocalAlert(TLSAlert):

+ """A TLS alert has been signalled by the local implementation.

+diff --git tlslite-0.3.8/tlslite/messages.py chromium/tlslite//messages.py

+index dc6ed32..1058ad0 100644

+--- tlslite-0.3.8/tlslite/messages.py

++++ chromium/tlslite//messages.py

+@@ -170,7 +170,7 @@ class ClientHello(HandshakeMsg):

+ while soFar != totalExtLength:

+ extType = p.get(2)

+ extLength = p.get(2)

+- if extType == 6:

++ if extType == ClientHelloExtension.srp:

+ self.srp_username = bytesToString(p.getVarBytes(1))

+ elif extType == 7:

+ self.certificate_types = p.getVarList(1, 1)

+@@ -204,7 +204,7 @@ class ClientHello(HandshakeMsg):

+ w.add(len(self.certificate_types)+1, 2)

+ w.addVarSeq(self.certificate_types, 1, 1)

+ if self.srp_username:

+- w.add(6, 2)

++ w.add(ClientHelloExtension.srp, 2)

+ w.add(len(self.srp_username)+1, 2)

+ w.addVarSeq(stringToBytes(self.srp_username), 1, 1)

« net/third_party/nss/ssl/ssl.def ('K') | « third_party/tlslite/README.chromium ('k') | third_party/tlslite/scripts/tls.py » ('j') | no next file with comments »