Index: third_party/tlslite/patches/token_binding_negotiation.patch |
diff --git a/third_party/tlslite/patches/token_binding_negotiation.patch b/third_party/tlslite/patches/token_binding_negotiation.patch |
new file mode 100644 |
index 0000000000000000000000000000000000000000..336c11d0b6e17adf536596561250f6b4030ffa47 |
--- /dev/null |
+++ b/third_party/tlslite/patches/token_binding_negotiation.patch |
@@ -0,0 +1,115 @@ |
+diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py |
+index f9c8676..84bb703 100644 |
+--- a/third_party/tlslite/tlslite/constants.py |
++++ b/third_party/tlslite/tlslite/constants.py |
+@@ -59,6 +59,7 @@ class ExtensionType: # RFC 6066 / 4366 |
+ tack = 0xF300 |
+ supports_npn = 13172 |
+ channel_id = 30032 |
++ token_binding = 30033 |
+ |
+ class HashAlgorithm: |
+ none = 0 |
+diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py |
+index a7b6ab9..8f25f62 100644 |
+--- a/third_party/tlslite/tlslite/handshakesettings.py |
++++ b/third_party/tlslite/tlslite/handshakesettings.py |
+@@ -115,6 +115,13 @@ class HandshakeSettings(object): |
+ @type enableExtendedMasterSecret: bool |
+ @ivar enableExtendedMasterSecret: If true, the server supports the extended |
+ master secret TLS extension and will negotiated it with supporting clients. |
++ |
++ @type supportedTokenBindingParams: list |
++ @ivar supportedTokenBindingParams: A list of token binding parameters that |
++ the server supports when negotiating token binding. List values are integers |
++ corresponding to the TokenBindingKeyParameters enum in the Token Binding |
++ Negotiation spec (draft-ietf-tokbind-negotiation-00). Values are in server's |
++ preference order, with most preferred params first. |
+ |
+ Note that TACK support is not standardized by IETF and uses a temporary |
+ TLS Extension number, so should NOT be used in production software. |
+@@ -134,6 +141,7 @@ class HandshakeSettings(object): |
+ self.useExperimentalTackExtension = False |
+ self.alertAfterHandshake = False |
+ self.enableExtendedMasterSecret = True |
++ self.supportedTokenBindingParams = [] |
+ |
+ # Validates the min/max fields, and certificateTypes |
+ # Filters out unsupported cipherNames and cipherImplementations |
+@@ -152,6 +160,7 @@ class HandshakeSettings(object): |
+ other.tlsIntoleranceType = self.tlsIntoleranceType |
+ other.alertAfterHandshake = self.alertAfterHandshake |
+ other.enableExtendedMasterSecret = self.enableExtendedMasterSecret |
++ other.supportedTokenBindingParams = self.supportedTokenBindingParams |
+ |
+ if not cipherfactory.tripleDESPresent: |
+ other.cipherNames = [e for e in self.cipherNames if e != "3des"] |
+diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py |
+index 9b553ce..ab2be57 100644 |
+--- a/third_party/tlslite/tlslite/messages.py |
++++ b/third_party/tlslite/tlslite/messages.py |
+@@ -115,6 +115,7 @@ class ClientHello(HandshakeMsg): |
+ self.server_name = bytearray(0) |
+ self.channel_id = False |
+ self.extended_master_secret = False |
++ self.tb_client_params = [] |
+ self.support_signed_cert_timestamps = False |
+ self.status_request = False |
+ |
+@@ -188,6 +189,15 @@ class ClientHello(HandshakeMsg): |
+ self.channel_id = True |
+ elif extType == ExtensionType.extended_master_secret: |
+ self.extended_master_secret = True |
++ elif extType == ExtensionType.token_binding: |
++ tokenBindingBytes = p.getFixBytes(extLength) |
++ p2 = Parser(tokenBindingBytes) |
++ ver_minor = p2.get(1) |
++ ver_major = p2.get(1) |
++ if (ver_major, ver_minor) >= (0, 2): |
++ p2.startLengthCheck(1) |
++ while not p2.atLengthCheck(): |
++ self.tb_client_params.append(p2.get(1)) |
+ elif extType == ExtensionType.signed_cert_timestamps: |
+ if extLength: |
+ raise SyntaxError() |
+@@ -271,6 +281,7 @@ class ServerHello(HandshakeMsg): |
+ self.next_protos = None |
+ self.channel_id = False |
+ self.extended_master_secret = False |
++ self.tb_params = None |
+ self.signed_cert_timestamps = None |
+ self.status_request = False |
+ |
+@@ -365,6 +376,17 @@ class ServerHello(HandshakeMsg): |
+ if self.extended_master_secret: |
+ w2.add(ExtensionType.extended_master_secret, 2) |
+ w2.add(0, 2) |
++ if self.tb_params: |
++ w2.add(ExtensionType.token_binding, 2) |
++ # length of extension |
++ w2.add(4, 2) |
++ # version |
++ w2.add(0, 1) |
++ w2.add(2, 1) |
++ # length of params (defined as variable length <1..2^8-1>, but in |
++ # this context the server can only send a single value. |
++ w2.add(1, 1) |
++ w2.add(self.tb_params, 1) |
+ if self.signed_cert_timestamps: |
+ w2.add(ExtensionType.signed_cert_timestamps, 2) |
+ w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2) |
+diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py |
+index 04161513..06404fe 100644 |
+--- a/third_party/tlslite/tlslite/tlsconnection.py |
++++ b/third_party/tlslite/tlslite/tlsconnection.py |
+@@ -1330,6 +1330,10 @@ class TLSConnection(TLSRecordLayer): |
+ serverHello.extended_master_secret = \ |
+ clientHello.extended_master_secret and \ |
+ settings.enableExtendedMasterSecret |
++ for param in clientHello.tb_client_params: |
++ if param in settings.supportedTokenBindingParams: |
++ serverHello.tb_params = param |
++ break |
+ if clientHello.support_signed_cert_timestamps: |
+ serverHello.signed_cert_timestamps = signedCertTimestamps |
+ if clientHello.status_request: |