| Index: third_party/tlslite/patches/extended_master_secret.patch
|
| diff --git a/third_party/tlslite/patches/extended_master_secret.patch b/third_party/tlslite/patches/extended_master_secret.patch
|
| deleted file mode 100644
|
| index df60b4bc9781e49531722de76fe740dbba0fd586..0000000000000000000000000000000000000000
|
| --- a/third_party/tlslite/patches/extended_master_secret.patch
|
| +++ /dev/null
|
| @@ -1,197 +0,0 @@
|
| -diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
|
| -index 6d78a20..f9c8676 100644
|
| ---- a/third_party/tlslite/tlslite/constants.py
|
| -+++ b/third_party/tlslite/tlslite/constants.py
|
| -@@ -55,6 +55,7 @@ class ExtensionType: # RFC 6066 / 4366
|
| - srp = 12 # RFC 5054
|
| - cert_type = 9 # RFC 6091
|
| - signed_cert_timestamps = 18 # RFC 6962
|
| -+ extended_master_secret = 23 # draft-ietf-tls-session-hash-06
|
| - tack = 0xF300
|
| - supports_npn = 13172
|
| - channel_id = 30032
|
| -diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py
|
| -index 605ed42..7679823 100644
|
| ---- a/third_party/tlslite/tlslite/handshakesettings.py
|
| -+++ b/third_party/tlslite/tlslite/handshakesettings.py
|
| -@@ -111,6 +111,10 @@ class HandshakeSettings(object):
|
| - @type alertAfterHandshake: bool
|
| - @ivar alertAfterHandshake: If true, the server will send a fatal
|
| - alert immediately after the handshake completes.
|
| -+
|
| -+ @type enableExtendedMasterSecret: bool
|
| -+ @ivar enableExtendedMasterSecret: If true, the server supports the extended
|
| -+ master secret TLS extension and will negotiated it with supporting clients.
|
| -
|
| - Note that TACK support is not standardized by IETF and uses a temporary
|
| - TLS Extension number, so should NOT be used in production software.
|
| -@@ -129,6 +133,7 @@ class HandshakeSettings(object):
|
| - self.tlsIntoleranceType = 'alert'
|
| - self.useExperimentalTackExtension = False
|
| - self.alertAfterHandshake = False
|
| -+ self.enableExtendedMasterSecret = True
|
| -
|
| - # Validates the min/max fields, and certificateTypes
|
| - # Filters out unsupported cipherNames and cipherImplementations
|
| -diff --git a/third_party/tlslite/tlslite/mathtls.py b/third_party/tlslite/tlslite/mathtls.py
|
| -index 60a331a..0a23fe1 100644
|
| ---- a/third_party/tlslite/tlslite/mathtls.py
|
| -+++ b/third_party/tlslite/tlslite/mathtls.py
|
| -@@ -67,16 +67,20 @@ def PRF_SSL(secret, seed, length):
|
| - index += 1
|
| - return bytes
|
| -
|
| --def calcMasterSecret(version, premasterSecret, clientRandom, serverRandom):
|
| -+def calcMasterSecret(version, premasterSecret, clientRandom, serverRandom,
|
| -+ handshakeHash, useExtendedMasterSecret):
|
| -+ label = b"master secret"
|
| -+ seed = clientRandom + serverRandom
|
| -+ if useExtendedMasterSecret:
|
| -+ label = b"extended master secret"
|
| -+ seed = handshakeHash
|
| -+
|
| - if version == (3,0):
|
| -- masterSecret = PRF_SSL(premasterSecret,
|
| -- clientRandom + serverRandom, 48)
|
| -+ masterSecret = PRF_SSL(premasterSecret, seed, 48)
|
| - elif version in ((3,1), (3,2)):
|
| -- masterSecret = PRF(premasterSecret, b"master secret",
|
| -- clientRandom + serverRandom, 48)
|
| -+ masterSecret = PRF(premasterSecret, label, seed, 48)
|
| - elif version == (3,3):
|
| -- masterSecret = PRF_1_2(premasterSecret, b"master secret",
|
| -- clientRandom + serverRandom, 48)
|
| -+ masterSecret = PRF_1_2(premasterSecret, label, seed, 48)
|
| - else:
|
| - raise AssertionError()
|
| - return masterSecret
|
| -diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
|
| -index 9aeff6d..9b553ce 100644
|
| ---- a/third_party/tlslite/tlslite/messages.py
|
| -+++ b/third_party/tlslite/tlslite/messages.py
|
| -@@ -114,6 +114,7 @@ class ClientHello(HandshakeMsg):
|
| - self.supports_npn = False
|
| - self.server_name = bytearray(0)
|
| - self.channel_id = False
|
| -+ self.extended_master_secret = False
|
| - self.support_signed_cert_timestamps = False
|
| - self.status_request = False
|
| -
|
| -@@ -185,6 +186,8 @@ class ClientHello(HandshakeMsg):
|
| - break
|
| - elif extType == ExtensionType.channel_id:
|
| - self.channel_id = True
|
| -+ elif extType == ExtensionType.extended_master_secret:
|
| -+ self.extended_master_secret = True
|
| - elif extType == ExtensionType.signed_cert_timestamps:
|
| - if extLength:
|
| - raise SyntaxError()
|
| -@@ -267,6 +270,7 @@ class ServerHello(HandshakeMsg):
|
| - self.next_protos_advertised = None
|
| - self.next_protos = None
|
| - self.channel_id = False
|
| -+ self.extended_master_secret = False
|
| - self.signed_cert_timestamps = None
|
| - self.status_request = False
|
| -
|
| -@@ -358,6 +362,9 @@ class ServerHello(HandshakeMsg):
|
| - if self.channel_id:
|
| - w2.add(ExtensionType.channel_id, 2)
|
| - w2.add(0, 2)
|
| -+ if self.extended_master_secret:
|
| -+ w2.add(ExtensionType.extended_master_secret, 2)
|
| -+ w2.add(0, 2)
|
| - if self.signed_cert_timestamps:
|
| - w2.add(ExtensionType.signed_cert_timestamps, 2)
|
| - w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2)
|
| -diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
|
| -index dfac274..231ba15 100644
|
| ---- a/third_party/tlslite/tlslite/tlsconnection.py
|
| -+++ b/third_party/tlslite/tlslite/tlsconnection.py
|
| -@@ -981,7 +981,8 @@ class TLSConnection(TLSRecordLayer):
|
| - masterSecret = calcMasterSecret(self.version,
|
| - premasterSecret,
|
| - clientRandom,
|
| -- serverRandom)
|
| -+ serverRandom,
|
| -+ b"", False)
|
| - verifyBytes = self._calcSSLHandshakeHash(masterSecret, b"")
|
| - elif self.version in ((3,1), (3,2)):
|
| - verifyBytes = self._handshake_md5.digest() + \
|
| -@@ -1036,7 +1037,7 @@ class TLSConnection(TLSRecordLayer):
|
| - cipherSuite, cipherImplementations, nextProto):
|
| -
|
| - masterSecret = calcMasterSecret(self.version, premasterSecret,
|
| -- clientRandom, serverRandom)
|
| -+ clientRandom, serverRandom, b"", False)
|
| - self._calcPendingStates(cipherSuite, masterSecret,
|
| - clientRandom, serverRandom,
|
| - cipherImplementations)
|
| -@@ -1326,6 +1327,9 @@ class TLSConnection(TLSRecordLayer):
|
| - cipherSuite, CertificateType.x509, tackExt,
|
| - nextProtos)
|
| - serverHello.channel_id = clientHello.channel_id
|
| -+ serverHello.extended_master_secret = \
|
| -+ clientHello.extended_master_secret and \
|
| -+ settings.enableExtendedMasterSecret
|
| - if clientHello.support_signed_cert_timestamps:
|
| - serverHello.signed_cert_timestamps = signedCertTimestamps
|
| - if clientHello.status_request:
|
| -@@ -1383,7 +1387,8 @@ class TLSConnection(TLSRecordLayer):
|
| - for result in self._serverFinished(premasterSecret,
|
| - clientHello.random, serverHello.random,
|
| - cipherSuite, settings.cipherImplementations,
|
| -- nextProtos, clientHello.channel_id):
|
| -+ nextProtos, clientHello.channel_id,
|
| -+ serverHello.extended_master_secret):
|
| - if result in (0,1): yield result
|
| - else: break
|
| - masterSecret = result
|
| -@@ -1523,6 +1528,9 @@ class TLSConnection(TLSRecordLayer):
|
| - serverHello.create(self.version, getRandomBytes(32),
|
| - session.sessionID, session.cipherSuite,
|
| - CertificateType.x509, None, None)
|
| -+ serverHello.extended_master_secret = \
|
| -+ clientHello.extended_master_secret and \
|
| -+ settings.enableExtendedMasterSecret
|
| - for result in self._sendMsg(serverHello):
|
| - yield result
|
| -
|
| -@@ -1743,7 +1751,8 @@ class TLSConnection(TLSRecordLayer):
|
| - if clientCertChain:
|
| - if self.version == (3,0):
|
| - masterSecret = calcMasterSecret(self.version, premasterSecret,
|
| -- clientHello.random, serverHello.random)
|
| -+ clientHello.random, serverHello.random,
|
| -+ b"", False)
|
| - verifyBytes = self._calcSSLHandshakeHash(masterSecret, b"")
|
| - elif self.version in ((3,1), (3,2)):
|
| - verifyBytes = self._handshake_md5.digest() + \
|
| -@@ -1827,9 +1836,11 @@ class TLSConnection(TLSRecordLayer):
|
| -
|
| - def _serverFinished(self, premasterSecret, clientRandom, serverRandom,
|
| - cipherSuite, cipherImplementations, nextProtos,
|
| -- doingChannelID):
|
| -+ doingChannelID, useExtendedMasterSecret):
|
| - masterSecret = calcMasterSecret(self.version, premasterSecret,
|
| -- clientRandom, serverRandom)
|
| -+ clientRandom, serverRandom,
|
| -+ self._getHandshakeHash(),
|
| -+ useExtendedMasterSecret)
|
| -
|
| - #Calculate pending connection states
|
| - self._calcPendingStates(cipherSuite, masterSecret,
|
| -diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite/tlslite/tlsrecordlayer.py
|
| -index c3bcd8c..b7d68a7a 100644
|
| ---- a/third_party/tlslite/tlslite/tlsrecordlayer.py
|
| -+++ b/third_party/tlslite/tlslite/tlsrecordlayer.py
|
| -@@ -1256,3 +1256,9 @@ class TLSRecordLayer(object):
|
| -
|
| - return md5Bytes + shaBytes
|
| -
|
| -+ def _getHandshakeHash(self):
|
| -+ if self.version in ((3,1), (3,2)):
|
| -+ return self._handshake_md5.digest() + \
|
| -+ self._handshake_sha.digest()
|
| -+ elif self.version == (3,3):
|
| -+ return self._handshake_sha256.digest()
|
|
|
Chromium Code Reviews
Issue 1299153002:
Revert of Implement extended master secret in tlslite (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master