Index: third_party/tlslite/patches/exported_keying_material.patch |
diff --git a/third_party/tlslite/patches/exported_keying_material.patch b/third_party/tlslite/patches/exported_keying_material.patch |
new file mode 100644 |
index 0000000000000000000000000000000000000000..dce27dcbb352cdee4b91be64f3dfcb13bfde8a88 |
--- /dev/null |
+++ b/third_party/tlslite/patches/exported_keying_material.patch |
@@ -0,0 +1,88 @@ |
+diff --git a/third_party/tlslite/tlslite/session.py b/third_party/tlslite/tlslite/session.py |
+index 6aadf58..82f0910 100644 |
+--- a/third_party/tlslite/tlslite/session.py |
++++ b/third_party/tlslite/tlslite/session.py |
+@@ -51,20 +51,24 @@ class Session(object): |
+ self.srpUsername = "" |
+ self.clientCertChain = None |
+ self.serverCertChain = None |
++ self.clientRandom = b"" |
++ self.serverRandom = b"" |
+ self.tackExt = None |
+ self.tackInHelloExt = False |
+ self.serverName = "" |
+ self.resumable = False |
+ |
+ def create(self, masterSecret, sessionID, cipherSuite, |
+- srpUsername, clientCertChain, serverCertChain, |
+- tackExt, tackInHelloExt, serverName, resumable=True): |
++ srpUsername, clientCertChain, serverCertChain, clientRandom, |
++ serverRandom, tackExt, tackInHelloExt, serverName, resumable=True): |
+ self.masterSecret = masterSecret |
+ self.sessionID = sessionID |
+ self.cipherSuite = cipherSuite |
+ self.srpUsername = srpUsername |
+ self.clientCertChain = clientCertChain |
+ self.serverCertChain = serverCertChain |
++ self.clientRandom = clientRandom |
++ self.serverRandom = serverRandom |
+ self.tackExt = tackExt |
+ self.tackInHelloExt = tackInHelloExt |
+ self.serverName = serverName |
+@@ -78,6 +82,8 @@ class Session(object): |
+ other.srpUsername = self.srpUsername |
+ other.clientCertChain = self.clientCertChain |
+ other.serverCertChain = self.serverCertChain |
++ other.clientRandom = self.clientRandom |
++ other.serverRandom = self.serverRandom |
+ other.tackExt = self.tackExt |
+ other.tackInHelloExt = self.tackInHelloExt |
+ other.serverName = self.serverName |
+@@ -124,3 +130,21 @@ class Session(object): |
+ @return: The name of the HMAC hash algo used with this connection. |
+ """ |
+ return CipherSuite.canonicalMacName(self.cipherSuite) |
++ |
++ def exportKeyingMaterial(self, version, label, context, use_context, length): |
++ """Returns the exported keying material as defined in RFC 5705.""" |
++ |
++ seed = self.clientRandom + self.serverRandom |
++ if use_context: |
++ if len(context) > 65535: |
++ raise ValueError("Context is too long") |
++ seed += bytearray(2) |
++ seed[len(seed) - 2] = len(context) >> 8 |
++ seed[len(seed) - 1] = len(context) & 0xFF |
++ seed += context |
++ if version in ((3,1), (3,2)): |
++ return PRF(self.masterSecret, label, seed, length) |
++ elif version == (3,3): |
++ return PRF_1_2(self.masterSecret, label, seed, length) |
++ else: |
++ raise AssertionError() |
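Review bot: exportKeyingMaterial never checks that the Session was populated by `create()`, so with the `__init__` defaults (`clientRandom = b""`, `serverRandom = b""`, and whatever masterSecret defaults to, which this hunk does not show) it would presumably return bytes derivable from public inputs instead of failing. The length-prefix writes `seed[len(seed) - 2] = ...` also depend on `seed` being a mutable bytearray, which holds only when the stored randoms are bytearrays rather than the `b""` defaults. The unsupported-version branch raises a bare `AssertionError()`, where a `ValueError` with a message would match the context-length check above it and tell the caller that exporters are not available for that version. The fence shows the three changes together.

```python
    def exportKeyingMaterial(self, version, label, context, use_context, length):
        """Returns the exported keying material as defined in RFC 5705."""
        # Refuse to derive from a Session that create() never filled in.
        if not self.masterSecret or not self.clientRandom or not self.serverRandom:
            raise ValueError("Session has no established keying material")
        # Copy into a fresh bytearray so the seed is mutable whatever type was stored.
        seed = bytearray(self.clientRandom) + bytearray(self.serverRandom)
        if use_context:
            if len(context) > 65535:
                raise ValueError("Context is too long")
            seed += bytearray([len(context) >> 8, len(context) & 0xFF])
            seed += context
        # … unchanged: if/elif dispatch to PRF and PRF_1_2 on version …
        else:
            raise ValueError("Keying material export is not defined for this version")
```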
+diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py |
+index 7363a30..6a53282 100644 |
+--- a/third_party/tlslite/tlslite/tlsconnection.py |
++++ b/third_party/tlslite/tlslite/tlsconnection.py |
+@@ -609,8 +609,8 @@ class TLSConnection(TLSRecordLayer): |
+ # Create the session object which is used for resumptions |
+ self.session = Session() |
+ self.session.create(masterSecret, serverHello.session_id, cipherSuite, |
+- srpUsername, clientCertChain, serverCertChain, |
+- tackExt, serverHello.tackExt!=None, serverName) |
++ srpUsername, clientCertChain, serverCertChain, clientHello.random, |
++ serverHello.random, tackExt, serverHello.tackExt!=None, serverName) |
+ self._handshakeDone(resumed=False) |
+ |
+ |
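Review bot: The hello randoms reach the Session only through this full-handshake `create` call (just before `_handshakeDone(resumed=False)`) and the matching call in the `@@ -1411` hunk; no resumption path appears in this patch, and both enclosing functions start outside their hunks. RFC 5705 derives exporter output from the client and server randoms of the current connection, so if a resumed connection reuses or clones this Session, `Session.exportKeyingMaterial` would presumably return the same bytes as on the original connection. That removes the per-connection uniqueness that channel-binding consumers rely on. Either pass the current connection's randoms to the exporter or refresh them on resume, or at minimum add a comment here such as `# NOTE: randoms are from the full handshake; exporter output is not valid on resumed connections`.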
+@@ -1411,8 +1411,8 @@ class TLSConnection(TLSRecordLayer): |
+ if clientHello.server_name: |
+ serverName = clientHello.server_name.decode("utf-8") |
+ self.session.create(masterSecret, serverHello.session_id, cipherSuite, |
+- srpUsername, clientCertChain, serverCertChain, |
+- tackExt, serverHello.tackExt!=None, serverName) |
++ srpUsername, clientCertChain, serverCertChain, clientHello.random, |
++ serverHello.random, tackExt, serverHello.tackExt!=None, serverName) |
+ |
+ #Add the session object to the session cache |
+ if sessionCache and sessionID: |