third_party/tlslite/patches/token_binding_negotiation.patch - Issue 1336143002: Implement Token Binding Negotiation in tlslite

Unified Diff: third_party/tlslite/patches/token_binding_negotiation.patch

Issue 1336143002: Implement Token Binding Negotiation in tlslite (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: check version number Created 5 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: third_party/tlslite/patches/token_binding_negotiation.patch

diff --git a/third_party/tlslite/patches/token_binding_negotiation.patch b/third_party/tlslite/patches/token_binding_negotiation.patch

new file mode 100644

index 0000000000000000000000000000000000000000..336c11d0b6e17adf536596561250f6b4030ffa47

--- /dev/null

+++ b/third_party/tlslite/patches/token_binding_negotiation.patch

@@ -0,0 +1,115 @@

+diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py

+index f9c8676..84bb703 100644

+--- a/third_party/tlslite/tlslite/constants.py

++++ b/third_party/tlslite/tlslite/constants.py

+@@ -59,6 +59,7 @@ class ExtensionType: # RFC 6066 / 4366

+ tack = 0xF300

+ supports_npn = 13172

+ channel_id = 30032

++ token_binding = 30033

+ class HashAlgorithm:

+ none = 0

+diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py

+index a7b6ab9..8f25f62 100644

+--- a/third_party/tlslite/tlslite/handshakesettings.py

++++ b/third_party/tlslite/tlslite/handshakesettings.py

+@@ -115,6 +115,13 @@ class HandshakeSettings(object):

+ @type enableExtendedMasterSecret: bool

+ @ivar enableExtendedMasterSecret: If true, the server supports the extended

+ master secret TLS extension and will negotiated it with supporting clients.

++ @type supportedTokenBindingParams: list

++ @ivar supportedTokenBindingParams: A list of token binding parameters that

++ the server supports when negotiating token binding. List values are integers

++ corresponding to the TokenBindingKeyParameters enum in the Token Binding

++ Negotiation spec (draft-ietf-tokbind-negotiation-00). Values are in server's

++ preference order, with most preferred params first.

+ Note that TACK support is not standardized by IETF and uses a temporary

+ TLS Extension number, so should NOT be used in production software.

+@@ -134,6 +141,7 @@ class HandshakeSettings(object):

+ self.useExperimentalTackExtension = False

+ self.alertAfterHandshake = False

+ self.enableExtendedMasterSecret = True

++ self.supportedTokenBindingParams = []

+ # Validates the min/max fields, and certificateTypes

+ # Filters out unsupported cipherNames and cipherImplementations

+@@ -152,6 +160,7 @@ class HandshakeSettings(object):

+ other.tlsIntoleranceType = self.tlsIntoleranceType

+ other.alertAfterHandshake = self.alertAfterHandshake

+ other.enableExtendedMasterSecret = self.enableExtendedMasterSecret

++ other.supportedTokenBindingParams = self.supportedTokenBindingParams

+ if not cipherfactory.tripleDESPresent:

+ other.cipherNames = [e for e in self.cipherNames if e != "3des"]

+diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py

+index 9b553ce..ab2be57 100644

+--- a/third_party/tlslite/tlslite/messages.py

++++ b/third_party/tlslite/tlslite/messages.py

+@@ -115,6 +115,7 @@ class ClientHello(HandshakeMsg):

+ self.server_name = bytearray(0)

+ self.channel_id = False

+ self.extended_master_secret = False

++ self.tb_client_params = []

+ self.support_signed_cert_timestamps = False

+ self.status_request = False

+@@ -188,6 +189,15 @@ class ClientHello(HandshakeMsg):

+ self.channel_id = True

+ elif extType == ExtensionType.extended_master_secret:

+ self.extended_master_secret = True

++ elif extType == ExtensionType.token_binding:

++ tokenBindingBytes = p.getFixBytes(extLength)

++ p2 = Parser(tokenBindingBytes)

++ ver_minor = p2.get(1)

++ ver_major = p2.get(1)

++ if (ver_major, ver_minor) >= (0, 2):

++ p2.startLengthCheck(1)

++ while not p2.atLengthCheck():

++ self.tb_client_params.append(p2.get(1))

+ elif extType == ExtensionType.signed_cert_timestamps:

+ if extLength:

+ raise SyntaxError()

+@@ -271,6 +281,7 @@ class ServerHello(HandshakeMsg):

+ self.next_protos = None

+ self.channel_id = False

+ self.extended_master_secret = False

++ self.tb_params = None

+ self.signed_cert_timestamps = None

+ self.status_request = False

+@@ -365,6 +376,17 @@ class ServerHello(HandshakeMsg):

+ if self.extended_master_secret:

+ w2.add(ExtensionType.extended_master_secret, 2)

+ w2.add(0, 2)

++ if self.tb_params:

++ w2.add(ExtensionType.token_binding, 2)

++ # length of extension

++ w2.add(4, 2)

++ # version

++ w2.add(0, 1)

++ w2.add(2, 1)

++ # length of params (defined as variable length <1..2^8-1>, but in

++ # this context the server can only send a single value.

++ w2.add(1, 1)

++ w2.add(self.tb_params, 1)

+ if self.signed_cert_timestamps:

+ w2.add(ExtensionType.signed_cert_timestamps, 2)

+ w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2)

+diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py

+index 04161513..06404fe 100644

+--- a/third_party/tlslite/tlslite/tlsconnection.py

++++ b/third_party/tlslite/tlslite/tlsconnection.py

+@@ -1330,6 +1330,10 @@ class TLSConnection(TLSRecordLayer):

+ serverHello.extended_master_secret = \

+ clientHello.extended_master_secret and \

+ settings.enableExtendedMasterSecret

++ for param in clientHello.tb_client_params:

++ if param in settings.supportedTokenBindingParams:

++ serverHello.tb_params = param

++ break

+ if clientHello.support_signed_cert_timestamps:

+ serverHello.signed_cert_timestamps = signedCertTimestamps

+ if clientHello.status_request:

« no previous file with comments | « third_party/tlslite/README.chromium ('k') | third_party/tlslite/tlslite/constants.py » ('j') | no next file with comments »