OLD | NEW |
---|---|
(Empty) | |
1 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlsl ite/constants.py | |
davidben
2015/09/15 15:49:40
[Did not review; assuming this patch matches the C
| |
2 index f9c8676..84bb703 100644 | |
3 --- a/third_party/tlslite/tlslite/constants.py | |
4 +++ b/third_party/tlslite/tlslite/constants.py | |
5 @@ -59,6 +59,7 @@ class ExtensionType: # RFC 6066 / 4366 | |
6 tack = 0xF300 | |
7 supports_npn = 13172 | |
8 channel_id = 30032 | |
9 + token_binding = 30033 | |
10 | |
11 class HashAlgorithm: | |
12 none = 0 | |
13 diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlsl ite/tlslite/handshakesettings.py | |
14 index a7b6ab9..8f25f62 100644 | |
15 --- a/third_party/tlslite/tlslite/handshakesettings.py | |
16 +++ b/third_party/tlslite/tlslite/handshakesettings.py | |
17 @@ -115,6 +115,13 @@ class HandshakeSettings(object): | |
18 @type enableExtendedMasterSecret: bool | |
19 @ivar enableExtendedMasterSecret: If true, the server supports the extended | |
20 master secret TLS extension and will negotiated it with supporting clients. | |
21 + | |
22 + @type supportedTokenBindingParams: list | |
23 + @ivar supportedTokenBindingParams: A list of token binding parameters that | |
24 + the server supports when negotiating token binding. List values are integer s | |
25 + corresponding to the TokenBindingKeyParameters enum in the Token Binding | |
26 + Negotiation spec (draft-ietf-tokbind-negotiation-00). Values are in server' s | |
27 + preference order, with most preferred params first. | |
28 | |
29 Note that TACK support is not standardized by IETF and uses a temporary | |
30 TLS Extension number, so should NOT be used in production software. | |
31 @@ -134,6 +141,7 @@ class HandshakeSettings(object): | |
32 self.useExperimentalTackExtension = False | |
33 self.alertAfterHandshake = False | |
34 self.enableExtendedMasterSecret = True | |
35 + self.supportedTokenBindingParams = [] | |
36 | |
37 # Validates the min/max fields, and certificateTypes | |
38 # Filters out unsupported cipherNames and cipherImplementations | |
39 @@ -152,6 +160,7 @@ class HandshakeSettings(object): | |
40 other.tlsIntoleranceType = self.tlsIntoleranceType | |
41 other.alertAfterHandshake = self.alertAfterHandshake | |
42 other.enableExtendedMasterSecret = self.enableExtendedMasterSecret | |
43 + other.supportedTokenBindingParams = self.supportedTokenBindingParams | |
44 | |
45 if not cipherfactory.tripleDESPresent: | |
46 other.cipherNames = [e for e in self.cipherNames if e != "3des"] | |
47 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlsli te/messages.py | |
48 index 9b553ce..8e9ee89 100644 | |
49 --- a/third_party/tlslite/tlslite/messages.py | |
50 +++ b/third_party/tlslite/tlslite/messages.py | |
51 @@ -115,6 +115,7 @@ class ClientHello(HandshakeMsg): | |
52 self.server_name = bytearray(0) | |
53 self.channel_id = False | |
54 self.extended_master_secret = False | |
55 + self.tb_client_params = [] | |
56 self.support_signed_cert_timestamps = False | |
57 self.status_request = False | |
58 | |
59 @@ -188,6 +189,14 @@ class ClientHello(HandshakeMsg): | |
60 self.channel_id = True | |
61 elif extType == ExtensionType.extended_master_secret: | |
62 self.extended_master_secret = True | |
63 + elif extType == ExtensionType.token_binding: | |
64 + tokenBindingBytes = p.getFixBytes(extLength) | |
65 + p2 = Parser(tokenBindingBytes) | |
66 + ver_minor = p2.get(1) | |
67 + ver_major = p2.get(1) | |
68 + p2.startLengthCheck(1) | |
69 + while not p2.atLengthCheck(): | |
70 + self.tb_client_params.append(p2.get(1)) | |
71 elif extType == ExtensionType.signed_cert_timestamps: | |
72 if extLength: | |
73 raise SyntaxError() | |
74 @@ -271,6 +280,7 @@ class ServerHello(HandshakeMsg): | |
75 self.next_protos = None | |
76 self.channel_id = False | |
77 self.extended_master_secret = False | |
78 + self.tb_params = None | |
79 self.signed_cert_timestamps = None | |
80 self.status_request = False | |
81 | |
82 @@ -365,6 +375,17 @@ class ServerHello(HandshakeMsg): | |
83 if self.extended_master_secret: | |
84 w2.add(ExtensionType.extended_master_secret, 2) | |
85 w2.add(0, 2) | |
86 + if self.tb_params: | |
87 + w2.add(ExtensionType.token_binding, 2) | |
88 + # length of extension | |
89 + w2.add(4, 2) | |
90 + # version | |
91 + w2.add(0, 1) | |
92 + w2.add(2, 1) | |
93 + # length of params (defined as variable length <1..2^8-1>, but in | |
94 + # this context the server can only send a single value. | |
95 + w2.add(1, 1) | |
96 + w2.add(self.tb_params, 1) | |
97 if self.signed_cert_timestamps: | |
98 w2.add(ExtensionType.signed_cert_timestamps, 2) | |
99 w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2) | |
100 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/ tlslite/tlsconnection.py | |
101 index 04161513..06404fe 100644 | |
102 --- a/third_party/tlslite/tlslite/tlsconnection.py | |
103 +++ b/third_party/tlslite/tlslite/tlsconnection.py | |
104 @@ -1330,6 +1330,10 @@ class TLSConnection(TLSRecordLayer): | |
105 serverHello.extended_master_secret = \ | |
106 clientHello.extended_master_secret and \ | |
107 settings.enableExtendedMasterSecret | |
108 + for param in clientHello.tb_client_params: | |
109 + if param in settings.supportedTokenBindingParams: | |
110 + serverHello.tb_params = param | |
111 + break | |
112 if clientHello.support_signed_cert_timestamps: | |
113 serverHello.signed_cert_timestamps = signedCertTimestamps | |
114 if clientHello.status_request: | |
OLD | NEW |