Implement extended master secret in tlslite (again)

third_party/tlslite/patches/extended_master_secret.patch

Index: third_party/tlslite/patches/extended_master_secret.patch
diff --git a/third_party/tlslite/patches/extended_master_secret.patch b/third_party/tlslite/patches/extended_master_secret.patch
new file mode 100644
index 0000000000000000000000000000000000000000..19bf4072c6a05494a6779ad1e431e8e9ad76dbbf
--- /dev/null
+++ b/third_party/tlslite/patches/extended_master_secret.patch
@@ -0,0 +1,222 @@
+diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
+index 6d78a20..f9c8676 100644
+--- a/third_party/tlslite/tlslite/constants.py
++++ b/third_party/tlslite/tlslite/constants.py
+@@ -55,6 +55,7 @@ class ExtensionType:    # RFC 6066 / 4366
+     srp = 12            # RFC 5054  
+     cert_type = 9       # RFC 6091
+     signed_cert_timestamps = 18  # RFC 6962
++    extended_master_secret = 23  # draft-ietf-tls-session-hash-06
+     tack = 0xF300
+     supports_npn = 13172
+     channel_id = 30032
+diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py
+index 605ed42..7679823 100644
+--- a/third_party/tlslite/tlslite/handshakesettings.py
++++ b/third_party/tlslite/tlslite/handshakesettings.py
+@@ -111,6 +111,10 @@ class HandshakeSettings(object):
+     @type alertAfterHandshake: bool
+     @ivar alertAfterHandshake: If true, the server will send a fatal
+     alert immediately after the handshake completes.
++
++    @type enableExtendedMasterSecret: bool
++    @ivar enableExtendedMasterSecret: If true, the server supports the extended
++    master secret TLS extension and will negotiated it with supporting clients.
+     
+     Note that TACK support is not standardized by IETF and uses a temporary
+     TLS Extension number, so should NOT be used in production software.
+@@ -129,6 +133,7 @@ class HandshakeSettings(object):
+         self.tlsIntoleranceType = 'alert'
+         self.useExperimentalTackExtension = False
+         self.alertAfterHandshake = False
++        self.enableExtendedMasterSecret = True
+ 
+     # Validates the min/max fields, and certificateTypes
+     # Filters out unsupported cipherNames and cipherImplementations
+diff --git a/third_party/tlslite/tlslite/mathtls.py b/third_party/tlslite/tlslite/mathtls.py
+index 60a331a..0a23fe1 100644
+--- a/third_party/tlslite/tlslite/mathtls.py
++++ b/third_party/tlslite/tlslite/mathtls.py
+@@ -67,16 +67,20 @@ def PRF_SSL(secret, seed, length):
+             index += 1
+     return bytes
+ 
+-def calcMasterSecret(version, premasterSecret, clientRandom, serverRandom):
++def calcMasterSecret(version, premasterSecret, clientRandom, serverRandom,
++                     handshakeHash, useExtendedMasterSecret):
++    label = b"master secret"
++    seed = clientRandom + serverRandom
++    if useExtendedMasterSecret:
++        label = b"extended master secret"
++        seed = handshakeHash
++
+     if version == (3,0):
+-        masterSecret = PRF_SSL(premasterSecret,
+-                            clientRandom + serverRandom, 48)
++        masterSecret = PRF_SSL(premasterSecret, seed, 48)
+     elif version in ((3,1), (3,2)):
+-        masterSecret = PRF(premasterSecret, b"master secret",
+-                            clientRandom + serverRandom, 48)
++        masterSecret = PRF(premasterSecret, label, seed, 48)
+     elif version == (3,3):
+-        masterSecret = PRF_1_2(premasterSecret, b"master secret",
+-                            clientRandom + serverRandom, 48)
++        masterSecret = PRF_1_2(premasterSecret, label, seed, 48)
+     else:
+         raise AssertionError()
+     return masterSecret
+diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
+index 9aeff6d..9b553ce 100644
+--- a/third_party/tlslite/tlslite/messages.py
++++ b/third_party/tlslite/tlslite/messages.py
+@@ -114,6 +114,7 @@ class ClientHello(HandshakeMsg):
+         self.supports_npn = False
+         self.server_name = bytearray(0)
+         self.channel_id = False
++        self.extended_master_secret = False
+         self.support_signed_cert_timestamps = False
+         self.status_request = False
+ 
+@@ -185,6 +186,8 @@ class ClientHello(HandshakeMsg):
+                                 break
+                     elif extType == ExtensionType.channel_id:
+                         self.channel_id = True
++                    elif extType == ExtensionType.extended_master_secret:
++                        self.extended_master_secret = True
+                     elif extType == ExtensionType.signed_cert_timestamps:
+                         if extLength:
+                             raise SyntaxError()
+@@ -267,6 +270,7 @@ class ServerHello(HandshakeMsg):
+         self.next_protos_advertised = None
+         self.next_protos = None
+         self.channel_id = False
++        self.extended_master_secret = False
+         self.signed_cert_timestamps = None
+         self.status_request = False
+ 
+@@ -358,6 +362,9 @@ class ServerHello(HandshakeMsg):
+         if self.channel_id:
+             w2.add(ExtensionType.channel_id, 2)
+             w2.add(0, 2)
++        if self.extended_master_secret:
++            w2.add(ExtensionType.extended_master_secret, 2)
++            w2.add(0, 2)
+         if self.signed_cert_timestamps:
+             w2.add(ExtensionType.signed_cert_timestamps, 2)
+             w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2)
+diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
+index dfac274..04161513 100644
+--- a/third_party/tlslite/tlslite/tlsconnection.py
++++ b/third_party/tlslite/tlslite/tlsconnection.py
+@@ -981,7 +981,8 @@ class TLSConnection(TLSRecordLayer):
+                 masterSecret = calcMasterSecret(self.version,
+                                          premasterSecret,
+                                          clientRandom,
+-                                         serverRandom)
++                                         serverRandom,
++                                         b"", False)
+                 verifyBytes = self._calcSSLHandshakeHash(masterSecret, b"")
+             elif self.version in ((3,1), (3,2)):
+                 verifyBytes = self._handshake_md5.digest() + \
+@@ -1036,7 +1037,7 @@ class TLSConnection(TLSRecordLayer):
+                         cipherSuite, cipherImplementations, nextProto):
+ 
+         masterSecret = calcMasterSecret(self.version, premasterSecret,
+-                            clientRandom, serverRandom)
++                            clientRandom, serverRandom, b"", False)
+         self._calcPendingStates(cipherSuite, masterSecret, 
+                                 clientRandom, serverRandom, 
+                                 cipherImplementations)
+@@ -1326,6 +1327,9 @@ class TLSConnection(TLSRecordLayer):
+                             cipherSuite, CertificateType.x509, tackExt,
+                             nextProtos)
+         serverHello.channel_id = clientHello.channel_id
++        serverHello.extended_master_secret = \
++            clientHello.extended_master_secret and \
++            settings.enableExtendedMasterSecret
+         if clientHello.support_signed_cert_timestamps:
+             serverHello.signed_cert_timestamps = signedCertTimestamps
+         if clientHello.status_request:
+@@ -1383,7 +1387,8 @@ class TLSConnection(TLSRecordLayer):
+         for result in self._serverFinished(premasterSecret, 
+                                 clientHello.random, serverHello.random,
+                                 cipherSuite, settings.cipherImplementations,
+-                                nextProtos, clientHello.channel_id):
++                                nextProtos, clientHello.channel_id,
++                                serverHello.extended_master_secret):
+                 if result in (0,1): yield result
+                 else: break
+         masterSecret = result
+@@ -1523,6 +1528,9 @@ class TLSConnection(TLSRecordLayer):
+                 serverHello.create(self.version, getRandomBytes(32),
+                                    session.sessionID, session.cipherSuite,
+                                    CertificateType.x509, None, None)
++                serverHello.extended_master_secret = \
++                    clientHello.extended_master_secret and \
++                    settings.enableExtendedMasterSecret
+                 for result in self._sendMsg(serverHello):
+                     yield result
+ 
+@@ -1743,7 +1751,8 @@ class TLSConnection(TLSRecordLayer):
+         if clientCertChain:
+             if self.version == (3,0):
+                 masterSecret = calcMasterSecret(self.version, premasterSecret,
+-                                         clientHello.random, serverHello.random)
++                                         clientHello.random, serverHello.random,
++                                         b"", False)
+                 verifyBytes = self._calcSSLHandshakeHash(masterSecret, b"")
+             elif self.version in ((3,1), (3,2)):
+                 verifyBytes = self._handshake_md5.digest() + \
+@@ -1827,9 +1836,11 @@ class TLSConnection(TLSRecordLayer):
+ 
+     def _serverFinished(self,  premasterSecret, clientRandom, serverRandom,
+                         cipherSuite, cipherImplementations, nextProtos,
+-                        doingChannelID):
++                        doingChannelID, useExtendedMasterSecret):
+         masterSecret = calcMasterSecret(self.version, premasterSecret,
+-                                      clientRandom, serverRandom)
++                                      clientRandom, serverRandom,
++                                      self._ems_handshake_hash,
++                                      useExtendedMasterSecret)
+         
+         #Calculate pending connection states
+         self._calcPendingStates(cipherSuite, masterSecret, 
+diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite/tlslite/tlsrecordlayer.py
+index c3bcd8c..d2320b8 100644
+--- a/third_party/tlslite/tlslite/tlsrecordlayer.py
++++ b/third_party/tlslite/tlslite/tlsrecordlayer.py
+@@ -119,6 +119,7 @@ class TLSRecordLayer(object):
+         self._handshake_md5 = hashlib.md5()
+         self._handshake_sha = hashlib.sha1()
+         self._handshake_sha256 = hashlib.sha256()
++        self._ems_handshake_hash = b""
+ 
+         #TLS Protocol Version
+         self.version = (0,0) #read-only
+@@ -814,6 +815,8 @@ class TLSRecordLayer(object):
+                 self._handshake_md5.update(compat26Str(p.bytes))
+                 self._handshake_sha.update(compat26Str(p.bytes))
+                 self._handshake_sha256.update(compat26Str(p.bytes))
++                if subType == HandshakeType.client_key_exchange:
++                    self._ems_handshake_hash = self._getHandshakeHash()
+ 
+                 #Parse based on handshake type
+                 if subType == HandshakeType.client_hello:
+@@ -1112,6 +1115,7 @@ class TLSRecordLayer(object):
+         self._handshake_md5 = hashlib.md5()
+         self._handshake_sha = hashlib.sha1()
+         self._handshake_sha256 = hashlib.sha256()
++        self._ems_handshake_hash = b""
+         self._handshakeBuffer = []
+         self.allegedSrpUsername = None
+         self._refCount = 1
+@@ -1256,3 +1260,9 @@ class TLSRecordLayer(object):
+ 
+         return md5Bytes + shaBytes
+ 
++    def _getHandshakeHash(self):
++        if self.version in ((3,1), (3,2)):
++            return self._handshake_md5.digest() + \
++                self._handshake_sha.digest()
++        elif self.version == (3,3):
++            return self._handshake_sha256.digest()