third_party/tlslite/patches/token_binding_negotiation.patch - Issue 1336143002: Implement Token Binding Negotiation in tlslite

Side by Side Diff: third_party/tlslite/patches/token_binding_negotiation.patch

Issue 1336143002: Implement Token Binding Negotiation in tlslite (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: check version number Created 5 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlsl ite/constants.py

	2 index f9c8676..84bb703 100644

	3 --- a/third_party/tlslite/tlslite/constants.py

	4 +++ b/third_party/tlslite/tlslite/constants.py

	5 @@ -59,6 +59,7 @@ class ExtensionType: # RFC 6066 / 4366

	6 tack = 0xF300

	7 supports_npn = 13172

	8 channel_id = 30032

	9 + token_binding = 30033

	10

	11 class HashAlgorithm:

	12 none = 0

	13 diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlsl ite/tlslite/handshakesettings.py

	14 index a7b6ab9..8f25f62 100644

	15 --- a/third_party/tlslite/tlslite/handshakesettings.py

	16 +++ b/third_party/tlslite/tlslite/handshakesettings.py

	17 @@ -115,6 +115,13 @@ class HandshakeSettings(object):

	18 @type enableExtendedMasterSecret: bool

	19 @ivar enableExtendedMasterSecret: If true, the server supports the extended

	20 master secret TLS extension and will negotiated it with supporting clients.

	21 +

	22 + @type supportedTokenBindingParams: list

	23 + @ivar supportedTokenBindingParams: A list of token binding parameters that

	24 + the server supports when negotiating token binding. List values are integer s

	25 + corresponding to the TokenBindingKeyParameters enum in the Token Binding

	26 + Negotiation spec (draft-ietf-tokbind-negotiation-00). Values are in server' s

	27 + preference order, with most preferred params first.

	28

	29 Note that TACK support is not standardized by IETF and uses a temporary

	30 TLS Extension number, so should NOT be used in production software.

	31 @@ -134,6 +141,7 @@ class HandshakeSettings(object):

	32 self.useExperimentalTackExtension = False

	33 self.alertAfterHandshake = False

	34 self.enableExtendedMasterSecret = True

	35 + self.supportedTokenBindingParams = []

	36

	37 # Validates the min/max fields, and certificateTypes

	38 # Filters out unsupported cipherNames and cipherImplementations

	39 @@ -152,6 +160,7 @@ class HandshakeSettings(object):

	40 other.tlsIntoleranceType = self.tlsIntoleranceType

	41 other.alertAfterHandshake = self.alertAfterHandshake

	42 other.enableExtendedMasterSecret = self.enableExtendedMasterSecret

	43 + other.supportedTokenBindingParams = self.supportedTokenBindingParams

	44

	45 if not cipherfactory.tripleDESPresent:

	46 other.cipherNames = [e for e in self.cipherNames if e != "3des"]

	47 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlsli te/messages.py

	48 index 9b553ce..ab2be57 100644

	49 --- a/third_party/tlslite/tlslite/messages.py

	50 +++ b/third_party/tlslite/tlslite/messages.py

	51 @@ -115,6 +115,7 @@ class ClientHello(HandshakeMsg):

	52 self.server_name = bytearray(0)

	53 self.channel_id = False

	54 self.extended_master_secret = False

	55 + self.tb_client_params = []

	56 self.support_signed_cert_timestamps = False

	57 self.status_request = False

	58

	59 @@ -188,6 +189,15 @@ class ClientHello(HandshakeMsg):

	60 self.channel_id = True

	61 elif extType == ExtensionType.extended_master_secret:

	62 self.extended_master_secret = True

	63 + elif extType == ExtensionType.token_binding:

	64 + tokenBindingBytes = p.getFixBytes(extLength)

	65 + p2 = Parser(tokenBindingBytes)

	66 + ver_minor = p2.get(1)

	67 + ver_major = p2.get(1)

	68 + if (ver_major, ver_minor) >= (0, 2):

	69 + p2.startLengthCheck(1)

	70 + while not p2.atLengthCheck():

	71 + self.tb_client_params.append(p2.get(1))

	72 elif extType == ExtensionType.signed_cert_timestamps:

	73 if extLength:

	74 raise SyntaxError()

	75 @@ -271,6 +281,7 @@ class ServerHello(HandshakeMsg):

	76 self.next_protos = None

	77 self.channel_id = False

	78 self.extended_master_secret = False

	79 + self.tb_params = None

	80 self.signed_cert_timestamps = None

	81 self.status_request = False

	82

	83 @@ -365,6 +376,17 @@ class ServerHello(HandshakeMsg):

	84 if self.extended_master_secret:

	85 w2.add(ExtensionType.extended_master_secret, 2)

	86 w2.add(0, 2)

	87 + if self.tb_params:

	88 + w2.add(ExtensionType.token_binding, 2)

	89 + # length of extension

	90 + w2.add(4, 2)

	91 + # version

	92 + w2.add(0, 1)

	93 + w2.add(2, 1)

	94 + # length of params (defined as variable length <1..2^8-1>, but in

	95 + # this context the server can only send a single value.

	96 + w2.add(1, 1)

	97 + w2.add(self.tb_params, 1)

	98 if self.signed_cert_timestamps:

	99 w2.add(ExtensionType.signed_cert_timestamps, 2)

	100 w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2)

	101 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/ tlslite/tlsconnection.py

	102 index 04161513..06404fe 100644

	103 --- a/third_party/tlslite/tlslite/tlsconnection.py

	104 +++ b/third_party/tlslite/tlslite/tlsconnection.py

	105 @@ -1330,6 +1330,10 @@ class TLSConnection(TLSRecordLayer):

	106 serverHello.extended_master_secret = \

	107 clientHello.extended_master_secret and \

	108 settings.enableExtendedMasterSecret

	109 + for param in clientHello.tb_client_params:

	110 + if param in settings.supportedTokenBindingParams:

	111 + serverHello.tb_params = param

	112 + break

	113 if clientHello.support_signed_cert_timestamps:

	114 serverHello.signed_cert_timestamps = signedCertTimestamps

	115 if clientHello.status_request:

OLD	NEW

« no previous file with comments | « third_party/tlslite/README.chromium ('k') | third_party/tlslite/tlslite/constants.py » ('j') | no next file with comments »