
Unified Diff: third_party/tlslite/tlslite/tlsconnection.py

Issue 1056153002: Reland 'Require ECDHE for False Start.' (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 9 months ago
Index: third_party/tlslite/tlslite/tlsconnection.py
diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
index 0a85d3cc98481d3e3f8afd1f8f4186ac5ce25bed..dfac274b6e939f631db5099046c9b8f89838b60a 100644
--- a/third_party/tlslite/tlslite/tlsconnection.py
+++ b/third_party/tlslite/tlslite/tlsconnection.py
@@ -24,6 +24,7 @@ from .mathtls import *
from .handshakesettings import HandshakeSettings
from .utils.tackwrapper import *
from .utils.rsakey import RSAKey
+from .utils import p256
class KeyExchange(object):
def __init__(self, cipherSuite, clientHello, serverHello, privateKey):
@@ -127,6 +128,25 @@ DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
S = powMod(dh_Yc, self.dh_Xs, self.dh_p)
return numberToByteArray(S)
+class ECDHE_RSAKeyExchange(KeyExchange):
+ def makeServerKeyExchange(self):
+ public, self.private = p256.generatePublicPrivate()
+
+ version = self.serverHello.server_version
+ serverKeyExchange = ServerKeyExchange(self.cipherSuite, version)
+ serverKeyExchange.createECDH(NamedCurve.secp256r1, bytearray(public))
+ hashBytes = serverKeyExchange.hash(self.clientHello.random,
+ self.serverHello.random)
+ if version >= (3,3):
+ # TODO: Signature algorithm negotiation not supported.
+ hashBytes = RSAKey.addPKCS1SHA1Prefix(hashBytes)
+ serverKeyExchange.signature = self.privateKey.sign(hashBytes)
+ return serverKeyExchange
+
+ def processClientKeyExchange(self, clientKeyExchange):
+ ecdh_Yc = clientKeyExchange.ecdh_Yc
+ return bytearray(p256.generateSharedValue(bytes(ecdh_Yc), self.private))
+
class TLSConnection(TLSRecordLayer):
"""
This class wraps a socket and provides TLS handshaking and data
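Review bot: `processClientKeyExchange` passes the client-supplied `ecdh_Yc` straight to `p256.generateSharedValue` with no length or on-curve check visible in this file. If `utils/p256.py` does not itself reject malformed or off-curve points, the check belongs here, and a failure should surface as a TLS alert rather than an uncaught exception. The private scalar is generated fresh in `makeServerKeyExchange` for each handshake, which limits what an invalid point could reveal, but the reader of this class cannot tell where validation happens. Once confirmed, a comment such as `# ecdh_Yc is attacker-controlled; p256.generateSharedValue validates it as a P-256 point` above the call would record that.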
@@ -1321,9 +1341,8 @@ class TLSConnection(TLSRecordLayer):
else: break
premasterSecret = result
- # Perform the RSA or DHE_RSA key exchange
- elif (cipherSuite in CipherSuite.certSuites or
- cipherSuite in CipherSuite.dheCertSuites):
+ # Perform a certificate-based key exchange
+ elif cipherSuite in CipherSuite.certAllSuites:
if cipherSuite in CipherSuite.certSuites:
keyExchange = RSAKeyExchange(cipherSuite,
clientHello,
@@ -1334,6 +1353,11 @@ class TLSConnection(TLSRecordLayer):
clientHello,
serverHello,
privateKey)
+ elif cipherSuite in CipherSuite.ecdheCertSuites:
+ keyExchange = ECDHE_RSAKeyExchange(cipherSuite,
+ clientHello,
+ serverHello,
+ privateKey)
else:
assert(False)
for result in self._serverCertKeyExchange(clientHello, serverHello,
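Review bot: The `else: assert(False)` fallback after the new `ecdheCertSuites` branch is the only guard for a suite that is in `CipherSuite.certAllSuites` (the widened condition in the previous hunk) but in none of the three sub-lists. `assert` is stripped under `python -O`, after which `keyExchange` would be unbound at the `_serverCertKeyExchange` call. The definition of `certAllSuites` is not visible here, so it cannot be confirmed from this hunk that it is exactly the union of the three lists. An explicit `raise AssertionError("no KeyExchange for suite in certAllSuites")` keeps the failure loud in every mode. The enclosing method starts and ends outside the hunk.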
@@ -1450,6 +1474,7 @@ class TLSConnection(TLSRecordLayer):
CipherSuite.getSrpCertSuites(settings, self.version)
cipherSuites += CipherSuite.getSrpSuites(settings, self.version)
elif certChain:
+ cipherSuites += CipherSuite.getEcdheCertSuites(settings, self.version)
cipherSuites += CipherSuite.getDheCertSuites(settings, self.version)
cipherSuites += CipherSuite.getCertSuites(settings, self.version)
elif anon:
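Review bot: The ECDHE suites are added to the server's candidate list whenever `certChain` is set, but nothing in this hunk ties that to the client having offered secp256r1, which `makeServerKeyExchange` hard-codes via `NamedCurve.secp256r1`. If the ClientHello's supported-curves extension is not checked elsewhere, a client offering an ECDHE_RSA suite with other curves only would receive a ServerKeyExchange it cannot use instead of falling back to DHE or RSA. A comment on the added line such as `# ECDHE is P-256 only; client's supported curves are not checked here` would make the limitation explicit. The surrounding method continues outside the hunk.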