Chromium Code Reviews Chromium Code Reviews
Issue 1336143002:
Implement Token Binding Negotiation in tlslite (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| (Empty) | |
| 1 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlsl ite/constants.py | |
|
davidben
2015/09/15 15:49:40
[Did not review; assuming this patch matches the C
| |
| 2 index f9c8676..84bb703 100644 | |
| 3 --- a/third_party/tlslite/tlslite/constants.py | |
| 4 +++ b/third_party/tlslite/tlslite/constants.py | |
| 5 @@ -59,6 +59,7 @@ class ExtensionType: # RFC 6066 / 4366 | |
| 6 tack = 0xF300 | |
| 7 supports_npn = 13172 | |
| 8 channel_id = 30032 | |
| 9 + token_binding = 30033 | |
| 10 | |
| 11 class HashAlgorithm: | |
| 12 none = 0 | |
| 13 diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlsl ite/tlslite/handshakesettings.py | |
| 14 index a7b6ab9..8f25f62 100644 | |
| 15 --- a/third_party/tlslite/tlslite/handshakesettings.py | |
| 16 +++ b/third_party/tlslite/tlslite/handshakesettings.py | |
| 17 @@ -115,6 +115,13 @@ class HandshakeSettings(object): | |
| 18 @type enableExtendedMasterSecret: bool | |
| 19 @ivar enableExtendedMasterSecret: If true, the server supports the extended | |
| 20 master secret TLS extension and will negotiated it with supporting clients. | |
| 21 + | |
| 22 + @type supportedTokenBindingParams: list | |
| 23 + @ivar supportedTokenBindingParams: A list of token binding parameters that | |
| 24 + the server supports when negotiating token binding. List values are integer s | |
| 25 + corresponding to the TokenBindingKeyParameters enum in the Token Binding | |
| 26 + Negotiation spec (draft-ietf-tokbind-negotiation-00). Values are in server' s | |
| 27 + preference order, with most preferred params first. | |
| 28 | |
| 29 Note that TACK support is not standardized by IETF and uses a temporary | |
| 30 TLS Extension number, so should NOT be used in production software. | |
| 31 @@ -134,6 +141,7 @@ class HandshakeSettings(object): | |
| 32 self.useExperimentalTackExtension = False | |
| 33 self.alertAfterHandshake = False | |
| 34 self.enableExtendedMasterSecret = True | |
| 35 + self.supportedTokenBindingParams = [] | |
| 36 | |
| 37 # Validates the min/max fields, and certificateTypes | |
| 38 # Filters out unsupported cipherNames and cipherImplementations | |
| 39 @@ -152,6 +160,7 @@ class HandshakeSettings(object): | |
| 40 other.tlsIntoleranceType = self.tlsIntoleranceType | |
| 41 other.alertAfterHandshake = self.alertAfterHandshake | |
| 42 other.enableExtendedMasterSecret = self.enableExtendedMasterSecret | |
| 43 + other.supportedTokenBindingParams = self.supportedTokenBindingParams | |
| 44 | |
| 45 if not cipherfactory.tripleDESPresent: | |
| 46 other.cipherNames = [e for e in self.cipherNames if e != "3des"] | |
| 47 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlsli te/messages.py | |
| 48 index 9b553ce..8e9ee89 100644 | |
| 49 --- a/third_party/tlslite/tlslite/messages.py | |
| 50 +++ b/third_party/tlslite/tlslite/messages.py | |
| 51 @@ -115,6 +115,7 @@ class ClientHello(HandshakeMsg): | |
| 52 self.server_name = bytearray(0) | |
| 53 self.channel_id = False | |
| 54 self.extended_master_secret = False | |
| 55 + self.tb_client_params = [] | |
| 56 self.support_signed_cert_timestamps = False | |
| 57 self.status_request = False | |
| 58 | |
| 59 @@ -188,6 +189,14 @@ class ClientHello(HandshakeMsg): | |
| 60 self.channel_id = True | |
| 61 elif extType == ExtensionType.extended_master_secret: | |
| 62 self.extended_master_secret = True | |
| 63 + elif extType == ExtensionType.token_binding: | |
| 64 + tokenBindingBytes = p.getFixBytes(extLength) | |
| 65 + p2 = Parser(tokenBindingBytes) | |
| 66 + ver_minor = p2.get(1) | |
| 67 + ver_major = p2.get(1) | |
| 68 + p2.startLengthCheck(1) | |
| 69 + while not p2.atLengthCheck(): | |
| 70 + self.tb_client_params.append(p2.get(1)) | |
| 71 elif extType == ExtensionType.signed_cert_timestamps: | |
| 72 if extLength: | |
| 73 raise SyntaxError() | |
| 74 @@ -271,6 +280,7 @@ class ServerHello(HandshakeMsg): | |
| 75 self.next_protos = None | |
| 76 self.channel_id = False | |
| 77 self.extended_master_secret = False | |
| 78 + self.tb_params = None | |
| 79 self.signed_cert_timestamps = None | |
| 80 self.status_request = False | |
| 81 | |
| 82 @@ -365,6 +375,17 @@ class ServerHello(HandshakeMsg): | |
| 83 if self.extended_master_secret: | |
| 84 w2.add(ExtensionType.extended_master_secret, 2) | |
| 85 w2.add(0, 2) | |
| 86 + if self.tb_params: | |
| 87 + w2.add(ExtensionType.token_binding, 2) | |
| 88 + # length of extension | |
| 89 + w2.add(4, 2) | |
| 90 + # version | |
| 91 + w2.add(0, 1) | |
| 92 + w2.add(2, 1) | |
| 93 + # length of params (defined as variable length <1..2^8-1>, but in | |
| 94 + # this context the server can only send a single value. | |
| 95 + w2.add(1, 1) | |
| 96 + w2.add(self.tb_params, 1) | |
| 97 if self.signed_cert_timestamps: | |
| 98 w2.add(ExtensionType.signed_cert_timestamps, 2) | |
| 99 w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2) | |
| 100 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/ tlslite/tlsconnection.py | |
| 101 index 04161513..06404fe 100644 | |
| 102 --- a/third_party/tlslite/tlslite/tlsconnection.py | |
| 103 +++ b/third_party/tlslite/tlslite/tlsconnection.py | |
| 104 @@ -1330,6 +1330,10 @@ class TLSConnection(TLSRecordLayer): | |
| 105 serverHello.extended_master_secret = \ | |
| 106 clientHello.extended_master_secret and \ | |
| 107 settings.enableExtendedMasterSecret | |
| 108 + for param in clientHello.tb_client_params: | |
| 109 + if param in settings.supportedTokenBindingParams: | |
| 110 + serverHello.tb_params = param | |
| 111 + break | |
| 112 if clientHello.support_signed_cert_timestamps: | |
| 113 serverHello.signed_cert_timestamps = signedCertTimestamps | |
| 114 if clientHello.status_request: | |
| OLD | NEW |
