OLD | NEW |
(Empty) | |
| 1 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlsl
ite/constants.py |
| 2 index f9c8676..84bb703 100644 |
| 3 --- a/third_party/tlslite/tlslite/constants.py |
| 4 +++ b/third_party/tlslite/tlslite/constants.py |
| 5 @@ -59,6 +59,7 @@ class ExtensionType: # RFC 6066 / 4366 |
| 6 tack = 0xF300 |
| 7 supports_npn = 13172 |
| 8 channel_id = 30032 |
| 9 + token_binding = 30033 |
| 10 |
| 11 class HashAlgorithm: |
| 12 none = 0 |
| 13 diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlsl
ite/tlslite/handshakesettings.py |
| 14 index a7b6ab9..8f25f62 100644 |
| 15 --- a/third_party/tlslite/tlslite/handshakesettings.py |
| 16 +++ b/third_party/tlslite/tlslite/handshakesettings.py |
| 17 @@ -115,6 +115,13 @@ class HandshakeSettings(object): |
| 18 @type enableExtendedMasterSecret: bool |
| 19 @ivar enableExtendedMasterSecret: If true, the server supports the extended |
| 20 master secret TLS extension and will negotiated it with supporting clients. |
| 21 + |
| 22 + @type supportedTokenBindingParams: list |
| 23 + @ivar supportedTokenBindingParams: A list of token binding parameters that |
| 24 + the server supports when negotiating token binding. List values are integer
s |
| 25 + corresponding to the TokenBindingKeyParameters enum in the Token Binding |
| 26 + Negotiation spec (draft-ietf-tokbind-negotiation-00). Values are in server'
s |
| 27 + preference order, with most preferred params first. |
| 28 |
| 29 Note that TACK support is not standardized by IETF and uses a temporary |
| 30 TLS Extension number, so should NOT be used in production software. |
| 31 @@ -134,6 +141,7 @@ class HandshakeSettings(object): |
| 32 self.useExperimentalTackExtension = False |
| 33 self.alertAfterHandshake = False |
| 34 self.enableExtendedMasterSecret = True |
| 35 + self.supportedTokenBindingParams = [] |
| 36 |
| 37 # Validates the min/max fields, and certificateTypes |
| 38 # Filters out unsupported cipherNames and cipherImplementations |
| 39 @@ -152,6 +160,7 @@ class HandshakeSettings(object): |
| 40 other.tlsIntoleranceType = self.tlsIntoleranceType |
| 41 other.alertAfterHandshake = self.alertAfterHandshake |
| 42 other.enableExtendedMasterSecret = self.enableExtendedMasterSecret |
| 43 + other.supportedTokenBindingParams = self.supportedTokenBindingParams |
| 44 |
| 45 if not cipherfactory.tripleDESPresent: |
| 46 other.cipherNames = [e for e in self.cipherNames if e != "3des"] |
| 47 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlsli
te/messages.py |
| 48 index 9b553ce..ab2be57 100644 |
| 49 --- a/third_party/tlslite/tlslite/messages.py |
| 50 +++ b/third_party/tlslite/tlslite/messages.py |
| 51 @@ -115,6 +115,7 @@ class ClientHello(HandshakeMsg): |
| 52 self.server_name = bytearray(0) |
| 53 self.channel_id = False |
| 54 self.extended_master_secret = False |
| 55 + self.tb_client_params = [] |
| 56 self.support_signed_cert_timestamps = False |
| 57 self.status_request = False |
| 58 |
| 59 @@ -188,6 +189,15 @@ class ClientHello(HandshakeMsg): |
| 60 self.channel_id = True |
| 61 elif extType == ExtensionType.extended_master_secret: |
| 62 self.extended_master_secret = True |
| 63 + elif extType == ExtensionType.token_binding: |
| 64 + tokenBindingBytes = p.getFixBytes(extLength) |
| 65 + p2 = Parser(tokenBindingBytes) |
| 66 + ver_minor = p2.get(1) |
| 67 + ver_major = p2.get(1) |
| 68 + if (ver_major, ver_minor) >= (0, 2): |
| 69 + p2.startLengthCheck(1) |
| 70 + while not p2.atLengthCheck(): |
| 71 + self.tb_client_params.append(p2.get(1)) |
| 72 elif extType == ExtensionType.signed_cert_timestamps: |
| 73 if extLength: |
| 74 raise SyntaxError() |
| 75 @@ -271,6 +281,7 @@ class ServerHello(HandshakeMsg): |
| 76 self.next_protos = None |
| 77 self.channel_id = False |
| 78 self.extended_master_secret = False |
| 79 + self.tb_params = None |
| 80 self.signed_cert_timestamps = None |
| 81 self.status_request = False |
| 82 |
| 83 @@ -365,6 +376,17 @@ class ServerHello(HandshakeMsg): |
| 84 if self.extended_master_secret: |
| 85 w2.add(ExtensionType.extended_master_secret, 2) |
| 86 w2.add(0, 2) |
| 87 + if self.tb_params: |
| 88 + w2.add(ExtensionType.token_binding, 2) |
| 89 + # length of extension |
| 90 + w2.add(4, 2) |
| 91 + # version |
| 92 + w2.add(0, 1) |
| 93 + w2.add(2, 1) |
| 94 + # length of params (defined as variable length <1..2^8-1>, but in |
| 95 + # this context the server can only send a single value. |
| 96 + w2.add(1, 1) |
| 97 + w2.add(self.tb_params, 1) |
| 98 if self.signed_cert_timestamps: |
| 99 w2.add(ExtensionType.signed_cert_timestamps, 2) |
| 100 w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2) |
| 101 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/
tlslite/tlsconnection.py |
| 102 index 04161513..06404fe 100644 |
| 103 --- a/third_party/tlslite/tlslite/tlsconnection.py |
| 104 +++ b/third_party/tlslite/tlslite/tlsconnection.py |
| 105 @@ -1330,6 +1330,10 @@ class TLSConnection(TLSRecordLayer): |
| 106 serverHello.extended_master_secret = \ |
| 107 clientHello.extended_master_secret and \ |
| 108 settings.enableExtendedMasterSecret |
| 109 + for param in clientHello.tb_client_params: |
| 110 + if param in settings.supportedTokenBindingParams: |
| 111 + serverHello.tb_params = param |
| 112 + break |
| 113 if clientHello.support_signed_cert_timestamps: |
| 114 serverHello.signed_cert_timestamps = signedCertTimestamps |
| 115 if clientHello.status_request: |
OLD | NEW |