Implement extended master secret in tlslite

third_party/tlslite/tlslite/tlsconnection.py

 # Authors: 
 #   Trevor Perrin
 #   Google - added reqCAs parameter
 #   Google (adapted by Sam Rushing and Marcelo Fernandez) - NPN support
 #   Dimitris Moraitis - Anon ciphersuites
 #   Martin von Loewis - python 3 port
 #   Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2
 #
 # See the LICENSE file for legal information regarding use of this file.
 
@@ skipping 963 matching lines @@
             yield result
 
         #If client authentication was requested and we have a
         #private key, send CertificateVerify
         if certificateRequest and privateKey:
             signatureAlgorithm = None
             if self.version == (3,0):
                 masterSecret = calcMasterSecret(self.version,
                                          premasterSecret,
                                          clientRandom,
-                                         serverRandom)
+                                         serverRandom,
+                                         b"", False)
                 verifyBytes = self._calcSSLHandshakeHash(masterSecret, b"")
             elif self.version in ((3,1), (3,2)):
                 verifyBytes = self._handshake_md5.digest() + \
                                 self._handshake_sha.digest()
             elif self.version == (3,3):
                 # TODO: Signature algorithm negotiation not supported.
                 signatureAlgorithm = (HashAlgorithm.sha1, SignatureAlgorithm.rsa)
                 verifyBytes = self._handshake_sha.digest()
                 verifyBytes = RSAKey.addPKCS1SHA1Prefix(verifyBytes)
             if self.fault == Fault.badVerifyMessage:
@@ skipping 34 matching lines @@
         #Calculate premaster secret
         S = powMod(dh_Ys, dh_Xc, dh_p)
         premasterSecret = numberToByteArray(S)
                      
         yield (premasterSecret, None, None)
         
     def _clientFinished(self, premasterSecret, clientRandom, serverRandom,
                         cipherSuite, cipherImplementations, nextProto):
 
         masterSecret = calcMasterSecret(self.version, premasterSecret,
-                            clientRandom, serverRandom)
+                            clientRandom, serverRandom, b"", False)
         self._calcPendingStates(cipherSuite, masterSecret, 
                                 clientRandom, serverRandom, 
                                 cipherImplementations)
 
         #Exchange ChangeCipherSpec and Finished messages
         for result in self._sendFinished(masterSecret, nextProto):
             yield result
         for result in self._getFinished(masterSecret, nextProto=nextProto):
             yield result
         yield masterSecret
@@ skipping 269 matching lines @@
         # Prepare a TACK Extension if requested
         if clientHello.tack:
             tackExt = TackExtension.create(tacks, activationFlags)
         else:
             tackExt = None
         serverHello = ServerHello()
         serverHello.create(self.version, getRandomBytes(32), sessionID, \
                             cipherSuite, CertificateType.x509, tackExt,
                             nextProtos)
         serverHello.channel_id = clientHello.channel_id
+        serverHello.extended_master_secret = clientHello.extended_master_secret
         if clientHello.support_signed_cert_timestamps:
             serverHello.signed_cert_timestamps = signedCertTimestamps
         if clientHello.status_request:
             serverHello.status_request = ocspResponse
 
         # Perform the SRP key exchange
         clientCertChain = None
         if cipherSuite in CipherSuite.srpAllSuites:
             for result in self._serverSRPKeyExchange(clientHello, serverHello, 
                                     verifierDB, cipherSuite, 
@@ skipping 37 matching lines @@
                 else: break
             premasterSecret = result
         
         else:
             assert(False)
                         
         # Exchange Finished messages      
         for result in self._serverFinished(premasterSecret, 
                                 clientHello.random, serverHello.random,
                                 cipherSuite, settings.cipherImplementations,
-                                nextProtos, clientHello.channel_id):
+                                nextProtos, clientHello.channel_id,
+                                clientHello.extended_master_secret):
                 if result in (0,1): yield result
                 else: break
         masterSecret = result
 
         #Create the session object
         self.session = Session()
         if cipherSuite in CipherSuite.certAllSuites:        
             serverCertChain = certChain
         else:
             serverCertChain = None
@@ skipping 119 matching lines @@
                 except KeyError:
                     pass
 
             #If a session is found..
             if session:
                 #Send ServerHello
                 serverHello = ServerHello()
                 serverHello.create(self.version, getRandomBytes(32),
                                    session.sessionID, session.cipherSuite,
                                    CertificateType.x509, None, None)
+                serverHello.extended_master_secret = \
+                    clientHello.extended_master_secret

[davidben, 2015/08/17 17:10:22]

To confirm, this will make every connection we make negotiate EMS. Is this fine?
I don't know what kind of tests you wish to write. Do you want to be able to
test against EMS-less servers?

(If so, putting it in HandshakeSettings is probably the simplest. Otherwise you
need to add a parameter everywhere. A lot of our stuff should have been added
there.)

[nharper, 2015/08/18 00:03:31]

I added a setting to HandshakeSettings, since I'll probably want to test that
the client site token binding code behaves correctly when a server is bad and
supports token binding without extended master secret.

                 for result in self._sendMsg(serverHello):
                     yield result
 
                 #From here on, the client's messages must have right version
                 self._versionCheck = True
 
                 #Calculate pending connection states
                 self._calcPendingStates(session.cipherSuite, 
                                         session.masterSecret,
                                         clientHello.random, 
@@ skipping 200 matching lines @@
             premasterSecret = \
                 keyExchange.processClientKeyExchange(clientKeyExchange)
         except TLSLocalAlert, alert:
             for result in self._sendError(alert.description, alert.message):
                 yield result
 
         #Get and check CertificateVerify, if relevant
         if clientCertChain:
             if self.version == (3,0):
                 masterSecret = calcMasterSecret(self.version, premasterSecret,
-                                         clientHello.random, serverHello.random)
+                                         clientHello.random, serverHello.random,
+                                         b"", False)
                 verifyBytes = self._calcSSLHandshakeHash(masterSecret, b"")
             elif self.version in ((3,1), (3,2)):
                 verifyBytes = self._handshake_md5.digest() + \
                                 self._handshake_sha.digest()
             elif self.version == (3,3):
                 verifyBytes = self._handshake_sha.digest()
                 verifyBytes = RSAKey.addPKCS1SHA1Prefix(verifyBytes)
             for result in self._getMsg(ContentType.handshake,
                                       HandshakeType.certificate_verify):
                 if result in (0,1): yield result
@@ skipping 63 matching lines @@
 
         #Calculate premaster secre
         S = powMod(dh_Yc,dh_Xs,dh_p)
         premasterSecret = numberToByteArray(S)
         
         yield premasterSecret
 
 
     def _serverFinished(self,  premasterSecret, clientRandom, serverRandom,
                         cipherSuite, cipherImplementations, nextProtos,
-                        doingChannelID):
+                        doingChannelID, useExtendedMasterSecret):
         masterSecret = calcMasterSecret(self.version, premasterSecret,
-                                      clientRandom, serverRandom)
+                                      clientRandom, serverRandom,
+                                      self._getHandshakeHash(),
+                                      useExtendedMasterSecret)
         
         #Calculate pending connection states
         self._calcPendingStates(cipherSuite, masterSecret, 
                                 clientRandom, serverRandom,
                                 cipherImplementations)
 
         #Exchange ChangeCipherSpec and Finished messages
         for result in self._getFinished(masterSecret, 
                         expect_next_protocol=nextProtos is not None,
                         expect_channel_id=doingChannelID):
@@ skipping 147 matching lines @@
             except TLSAlert as alert:
                 if not self.fault:
                     raise
                 if alert.description not in Fault.faultAlerts[self.fault]:
                     raise TLSFaultError(str(alert))
                 else:
                     pass
             except:
                 self._shutdown(False)
                 raise