Implement extended master secret in tlslite

third_party/tlslite/tlslite/tlsrecordlayer.py

 # Authors: 
 #   Trevor Perrin
 #   Google (adapted by Sam Rushing) - NPN support
 #   Martin von Loewis - python 3 port
 #   Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2
 #
 # See the LICENSE file for legal information regarding use of this file.
 
 """Helper class for TLSConnection."""
 from __future__ import generators
@@ skipping 97 matching lines @@
         self.session = None
 
         #Am I a client or server?
         self._client = None
 
         #Buffers for processing messages
         self._handshakeBuffer = []
         self.clearReadBuffer()
         self.clearWriteBuffer()
 
+        #All handshake messages, for use in extended master secret
+        self.handshakeMessages = []

[davidben, 2015/08/14 22:31:18]

You should be able to just use the handshake digests below rather than enable a
handshake buffer I think. (Handshake buffer in TLS is only needed in TLS 1.2
before ServerHello and for client auth  which this doesn't implement.)

They're sampled in _calcFinished in tlsconnection.py. I would suggest factoring
that out into a method like _handshakeHash or _getHandshakeHash whatever the
right naming convention is.

[nharper, 2015/08/15 00:37:43]

Ah, I should have read the surrounding code and seen the handshake digests that
were already there.

I created a _getHandshakeHash method to use with extended master secret. I could
do more refactoring to use it elsewhere as well, but that might make it harder
to cleanly apply the patch in the future.

+
         #Handshake digests
         self._handshake_md5 = hashlib.md5()
         self._handshake_sha = hashlib.sha1()
         self._handshake_sha256 = hashlib.sha256()
 
         #TLS Protocol Version
         self.version = (0,0) #read-only
         self._versionCheck = False #Once we choose a version, this is True
 
         #Current and Pending connection states
@@ skipping 423 matching lines @@
         if not self.closed and randomizeFirstBlock and self.version <= (3,1) \
                 and self._writeState.encContext \
                 and self._writeState.encContext.isBlockCipher \
                 and isinstance(msg, ApplicationData):
             msgFirstByte = msg.splitFirstByte()
             for result in self._sendMsg(msgFirstByte,
                                        randomizeFirstBlock = False):
                 yield result                                            
 
         b = msg.write()
+        self.handshakeMessages.append(b)
         
         # If a 1-byte message was passed in, and we "split" the 
         # first(only) byte off above, we may have a 0-length msg:
         if len(b) == 0:
             return
             
         contentType = msg.contentType
 
         #Update handshake hashes
         if contentType == ContentType.handshake:
@@ skipping 236 matching lines @@
                     if subType not in secondaryType:
                         for result in self._sendError(\
                                 AlertDescription.unexpected_message,
                                 "Expecting %s, got %s" % (str(secondaryType), subType)):
                             yield result
 
                 #Update handshake hashes
                 self._handshake_md5.update(compat26Str(p.bytes))
                 self._handshake_sha.update(compat26Str(p.bytes))
                 self._handshake_sha256.update(compat26Str(p.bytes))
+                self.handshakeMessages.append(p.bytes)
 
                 #Parse based on handshake type
                 if subType == HandshakeType.client_hello:
                     yield ClientHello(recordHeader.ssl2).parse(p)
                 elif subType == HandshakeType.server_hello:
                     yield ServerHello().parse(p)
                 elif subType == HandshakeType.certificate:
                     yield Certificate(constructorType).parse(p)
                 elif subType == HandshakeType.certificate_request:
                     yield CertificateRequest(self.version).parse(p)
@@ skipping 422 matching lines @@
         imac_md5.update(compatHMAC(label + masterSecret + bytearray([0x36]*48)))
         imac_sha.update(compatHMAC(label + masterSecret + bytearray([0x36]*40)))
 
         md5Bytes = MD5(masterSecret + bytearray([0x5c]*48) + \
                          bytearray(imac_md5.digest()))
         shaBytes = SHA1(masterSecret + bytearray([0x5c]*40) + \
                          bytearray(imac_sha.digest()))
 
         return md5Bytes + shaBytes