OLD | NEW |
1 diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/
tlslite/TLSConnection.py | |
2 index f8811a9..e882e2c 100644 | |
3 --- a/third_party/tlslite/tlslite/TLSConnection.py | |
4 +++ b/third_party/tlslite/tlslite/TLSConnection.py | |
5 @@ -611,6 +611,8 @@ class TLSConnection(TLSRecordLayer): | |
6 settings.cipherImplementations) | |
7 | |
8 #Exchange ChangeCipherSpec and Finished messages | |
9 + for result in self._getChangeCipherSpec(): | |
10 + yield result | |
11 for result in self._getFinished(): | |
12 yield result | |
13 for result in self._sendFinished(): | |
14 @@ -920,6 +922,8 @@ class TLSConnection(TLSRecordLayer): | |
15 #Exchange ChangeCipherSpec and Finished messages | |
16 for result in self._sendFinished(): | |
17 yield result | |
18 + for result in self._getChangeCipherSpec(): | |
19 + yield result | |
20 for result in self._getFinished(): | |
21 yield result | |
22 | |
23 @@ -1089,6 +1093,7 @@ class TLSConnection(TLSRecordLayer): | |
24 clientCertChain = None | |
25 serverCertChain = None #We may set certChain to this later | |
26 postFinishedError = None | |
27 + doingChannelID = False | |
28 | |
29 #Tentatively set version to most-desirable version, so if an error | |
30 #occurs parsing the ClientHello, this is what we'll use for the | |
31 @@ -1208,6 +1213,8 @@ class TLSConnection(TLSRecordLayer): | |
32 serverHello.create(self.version, serverRandom, | |
33 session.sessionID, session.cipherSuite, | |
34 certificateType) | |
35 + serverHello.channel_id = clientHello.channel_id | |
36 + doingChannelID = clientHello.channel_id | |
37 for result in self._sendMsg(serverHello): | |
38 yield result | |
39 | |
40 @@ -1221,6 +1228,11 @@ class TLSConnection(TLSRecordLayer): | |
41 #Exchange ChangeCipherSpec and Finished messages | |
42 for result in self._sendFinished(): | |
43 yield result | |
44 + for result in self._getChangeCipherSpec(): | |
45 + yield result | |
46 + if doingChannelID: | |
47 + for result in self._getEncryptedExtensions(): | |
48 + yield result | |
49 for result in self._getFinished(): | |
50 yield result | |
51 | |
52 @@ -1399,8 +1411,12 @@ class TLSConnection(TLSRecordLayer): | |
53 #Send ServerHello, Certificate[, CertificateRequest], | |
54 #ServerHelloDone | |
55 msgs = [] | |
56 - msgs.append(ServerHello().create(self.version, serverRandom, | |
57 - sessionID, cipherSuite, certificateType)) | |
58 + serverHello = ServerHello().create( | |
59 + self.version, serverRandom, | |
60 + sessionID, cipherSuite, certificateType) | |
61 + serverHello.channel_id = clientHello.channel_id | |
62 + doingChannelID = clientHello.channel_id | |
63 + msgs.append(serverHello) | |
64 msgs.append(Certificate(certificateType).create(serverCertChain)) | |
65 if reqCert and reqCAs: | |
66 msgs.append(CertificateRequest().create([], reqCAs)) | |
67 @@ -1528,6 +1544,11 @@ class TLSConnection(TLSRecordLayer): | |
68 settings.cipherImplementations) | |
69 | |
70 #Exchange ChangeCipherSpec and Finished messages | |
71 + for result in self._getChangeCipherSpec(): | |
72 + yield result | |
73 + if doingChannelID: | |
74 + for result in self._getEncryptedExtensions(): | |
75 + yield result | |
76 for result in self._getFinished(): | |
77 yield result | |
78 | |
79 diff --git a/third_party/tlslite/tlslite/TLSRecordLayer.py b/third_party/tlslite
/tlslite/TLSRecordLayer.py | |
80 index 1bbd09d..933b95a 100644 | |
81 --- a/third_party/tlslite/tlslite/TLSRecordLayer.py | |
82 +++ b/third_party/tlslite/tlslite/TLSRecordLayer.py | |
83 @@ -714,6 +714,8 @@ class TLSRecordLayer: | |
84 self.version).parse(p) | |
85 elif subType == HandshakeType.finished: | |
86 yield Finished(self.version).parse(p) | |
87 + elif subType == HandshakeType.encrypted_extensions: | |
88 + yield EncryptedExtensions().parse(p) | |
89 else: | |
90 raise AssertionError() | |
91 | |
92 @@ -1067,7 +1069,7 @@ class TLSRecordLayer: | |
93 for result in self._sendMsg(finished): | |
94 yield result | |
95 | |
96 - def _getFinished(self): | |
97 + def _getChangeCipherSpec(self): | |
98 #Get and check ChangeCipherSpec | |
99 for result in self._getMsg(ContentType.change_cipher_spec): | |
100 if result in (0,1): | |
101 @@ -1082,6 +1084,15 @@ class TLSRecordLayer: | |
102 #Switch to pending read state | |
103 self._changeReadState() | |
104 | |
105 + def _getEncryptedExtensions(self): | |
106 + for result in self._getMsg(ContentType.handshake, | |
107 + HandshakeType.encrypted_extensions): | |
108 + if result in (0,1): | |
109 + yield result | |
110 + encrypted_extensions = result | |
111 + self.channel_id = encrypted_extensions.channel_id_key | |
112 + | |
113 + def _getFinished(self): | |
114 #Calculate verification data | |
115 verifyData = self._calcFinished(False) | |
116 | |
117 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlsl
ite/constants.py | 1 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlsl
ite/constants.py |
118 index 04302c0..e357dd0 100644 | 2 index d52e596..79ad145 100755 |
119 --- a/third_party/tlslite/tlslite/constants.py | 3 --- a/third_party/tlslite/tlslite/constants.py |
120 +++ b/third_party/tlslite/tlslite/constants.py | 4 +++ b/third_party/tlslite/tlslite/constants.py |
121 @@ -22,6 +22,7 @@ class HandshakeType: | 5 @@ -31,6 +31,7 @@ class HandshakeType: |
122 certificate_verify = 15 | |
123 client_key_exchange = 16 | 6 client_key_exchange = 16 |
124 finished = 20 | 7 finished = 20 |
| 8 next_protocol = 67 |
125 + encrypted_extensions = 203 | 9 + encrypted_extensions = 203 |
126 | 10 |
127 class ContentType: | 11 class ContentType: |
128 change_cipher_spec = 20 | 12 change_cipher_spec = 20 |
129 @@ -30,6 +31,9 @@ class ContentType: | 13 @@ -45,6 +46,7 @@ class ExtensionType: # RFC 6066 / 4366 |
130 application_data = 23 | 14 cert_type = 9 # RFC 6091 |
131 all = (20,21,22,23) | 15 tack = 0xF300 |
132 | 16 supports_npn = 13172 |
133 +class ExtensionType: | |
134 + channel_id = 30031 | 17 + channel_id = 30031 |
135 + | 18 |
136 class AlertLevel: | 19 class NameType: |
137 warning = 1 | 20 host_name = 0 |
138 fatal = 2 | |
139 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlsli
te/messages.py | 21 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlsli
te/messages.py |
140 index dc6ed32..fa4d817 100644 | 22 index 7ef4e3f..246082e 100755 |
141 --- a/third_party/tlslite/tlslite/messages.py | 23 --- a/third_party/tlslite/tlslite/messages.py |
142 +++ b/third_party/tlslite/tlslite/messages.py | 24 +++ b/third_party/tlslite/tlslite/messages.py |
143 @@ -130,6 +130,7 @@ class ClientHello(HandshakeMsg): | 25 @@ -112,6 +112,7 @@ class ClientHello(HandshakeMsg): |
144 self.certificate_types = [CertificateType.x509] | 26 self.tack = False |
145 self.compression_methods = [] # a list of 8-bit values | 27 self.supports_npn = False |
146 self.srp_username = None # a string | 28 self.server_name = bytearray(0) |
147 + self.channel_id = False | 29 + self.channel_id = False |
148 | 30 |
149 def create(self, version, random, session_id, cipher_suites, | 31 def create(self, version, random, session_id, cipher_suites, |
150 certificate_types=None, srp_username=None): | 32 certificate_types=None, srpUsername=None, |
151 @@ -174,6 +175,8 @@ class ClientHello(HandshakeMsg): | 33 @@ -179,6 +180,8 @@ class ClientHello(HandshakeMsg): |
152 self.srp_username = bytesToString(p.getVarBytes(1)) | 34 if name_type == NameType.host_name: |
153 elif extType == 7: | 35 self.server_name = hostNameBytes |
154 self.certificate_types = p.getVarList(1, 1) | 36 break |
155 + elif extType == ExtensionType.channel_id: | 37 + elif extType == ExtensionType.channel_id: |
156 + self.channel_id = True | 38 + self.channel_id = True |
157 else: | 39 else: |
158 p.getFixBytes(extLength) | 40 _ = p.getFixBytes(extLength) |
159 soFar += 4 + extLength | 41 index2 = p.index |
160 @@ -220,6 +223,7 @@ class ServerHello(HandshakeMsg): | 42 @@ -243,6 +246,7 @@ class ServerHello(HandshakeMsg): |
161 self.cipher_suite = 0 | 43 self.tackExt = None |
162 self.certificate_type = CertificateType.x509 | 44 self.next_protos_advertised = None |
163 self.compression_method = 0 | 45 self.next_protos = None |
164 + self.channel_id = False | 46 + self.channel_id = False |
165 | 47 |
166 def create(self, version, random, session_id, cipher_suite, | 48 def create(self, version, random, session_id, cipher_suite, |
167 certificate_type): | 49 certificate_type, tackExt, next_protos_advertised): |
168 @@ -266,6 +270,9 @@ class ServerHello(HandshakeMsg): | 50 @@ -329,6 +333,9 @@ class ServerHello(HandshakeMsg): |
169 CertificateType.x509: | 51 w2.add(ExtensionType.supports_npn, 2) |
170 extLength += 5 | 52 w2.add(len(encoded_next_protos_advertised), 2) |
171 | 53 w2.addFixSeq(encoded_next_protos_advertised, 1) |
172 + if self.channel_id: | 54 + if self.channel_id: |
173 + extLength += 4 | 55 + w2.add(ExtensionType.channel_id, 2) |
174 + | 56 + w2.add(0, 2) |
175 if extLength != 0: | 57 if len(w2.bytes): |
176 w.add(extLength, 2) | 58 w.add(len(w2.bytes), 2) |
177 | 59 w.bytes += w2.bytes |
178 @@ -275,6 +282,10 @@ class ServerHello(HandshakeMsg): | 60 @@ -656,6 +663,28 @@ class Finished(HandshakeMsg): |
179 w.add(1, 2) | |
180 w.add(self.certificate_type, 1) | |
181 | |
182 + if self.channel_id: | |
183 + w.add(ExtensionType.channel_id, 2) | |
184 + w.add(0, 2) | |
185 + | |
186 return HandshakeMsg.postWrite(self, w, trial) | |
187 | |
188 class Certificate(HandshakeMsg): | |
189 @@ -567,6 +578,28 @@ class Finished(HandshakeMsg): | |
190 w.addFixSeq(self.verify_data, 1) | 61 w.addFixSeq(self.verify_data, 1) |
191 return HandshakeMsg.postWrite(self, w, trial) | 62 return self.postWrite(w) |
192 | 63 |
193 +class EncryptedExtensions(HandshakeMsg): | 64 +class EncryptedExtensions(HandshakeMsg): |
194 + def __init__(self): | 65 + def __init__(self): |
195 + self.channel_id_key = None | 66 + self.channel_id_key = None |
196 + self.channel_id_proof = None | 67 + self.channel_id_proof = None |
197 + | 68 + |
198 + def parse(self, p): | 69 + def parse(self, p): |
199 + p.startLengthCheck(3) | 70 + p.startLengthCheck(3) |
200 + soFar = 0 | 71 + soFar = 0 |
201 + while soFar != p.lengthCheck: | 72 + while soFar != p.lengthCheck: |
202 + extType = p.get(2) | 73 + extType = p.get(2) |
203 + extLength = p.get(2) | 74 + extLength = p.get(2) |
204 + if extType == ExtensionType.channel_id: | 75 + if extType == ExtensionType.channel_id: |
205 + if extLength != 32*4: | 76 + if extLength != 32*4: |
206 + raise SyntaxError() | 77 + raise SyntaxError() |
207 + self.channel_id_key = p.getFixBytes(64) | 78 + self.channel_id_key = p.getFixBytes(64) |
208 + self.channel_id_proof = p.getFixBytes(64) | 79 + self.channel_id_proof = p.getFixBytes(64) |
209 + else: | 80 + else: |
210 + p.getFixBytes(extLength) | 81 + p.getFixBytes(extLength) |
211 + soFar += 4 + extLength | 82 + soFar += 4 + extLength |
212 + p.stopLengthCheck() | 83 + p.stopLengthCheck() |
213 + return self | 84 + return self |
214 + | 85 + |
215 class ApplicationData(Msg): | 86 class ApplicationData(object): |
216 def __init__(self): | 87 def __init__(self): |
217 self.contentType = ContentType.application_data | 88 self.contentType = ContentType.application_data |
| 89 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/
tlslite/tlsconnection.py |
| 90 index 8415592..e7c5140 100755 |
| 91 --- a/third_party/tlslite/tlslite/tlsconnection.py |
| 92 +++ b/third_party/tlslite/tlslite/tlsconnection.py |
| 93 @@ -1155,6 +1155,7 @@ class TLSConnection(TLSRecordLayer): |
| 94 serverHello.create(self.version, getRandomBytes(32), sessionID, \ |
| 95 cipherSuite, CertificateType.x509, tackExt, |
| 96 nextProtos) |
| 97 + serverHello.channel_id = clientHello.channel_id |
| 98 |
| 99 # Perform the SRP key exchange |
| 100 clientCertChain = None |
| 101 @@ -1191,7 +1192,7 @@ class TLSConnection(TLSRecordLayer): |
| 102 for result in self._serverFinished(premasterSecret, |
| 103 clientHello.random, serverHello.random, |
| 104 cipherSuite, settings.cipherImplementations, |
| 105 - nextProtos): |
| 106 + nextProtos, clientHello.channel_id): |
| 107 if result in (0,1): yield result |
| 108 else: break |
| 109 masterSecret = result |
| 110 @@ -1609,7 +1610,8 @@ class TLSConnection(TLSRecordLayer): |
| 111 |
| 112 |
| 113 def _serverFinished(self, premasterSecret, clientRandom, serverRandom, |
| 114 - cipherSuite, cipherImplementations, nextProtos): |
| 115 + cipherSuite, cipherImplementations, nextProtos, |
| 116 + doingChannelID): |
| 117 masterSecret = calcMasterSecret(self.version, premasterSecret, |
| 118 clientRandom, serverRandom) |
| 119 |
| 120 @@ -1620,7 +1622,8 @@ class TLSConnection(TLSRecordLayer): |
| 121 |
| 122 #Exchange ChangeCipherSpec and Finished messages |
| 123 for result in self._getFinished(masterSecret, |
| 124 - expect_next_protocol=nextProtos is not None): |
| 125 + expect_next_protocol=nextProtos is not None, |
| 126 + expect_channel_id=doingChannelID): |
| 127 yield result |
| 128 |
| 129 for result in self._sendFinished(masterSecret): |
| 130 @@ -1657,7 +1660,8 @@ class TLSConnection(TLSRecordLayer): |
| 131 for result in self._sendMsg(finished): |
| 132 yield result |
| 133 |
| 134 - def _getFinished(self, masterSecret, expect_next_protocol=False, nextProto=
None): |
| 135 + def _getFinished(self, masterSecret, expect_next_protocol=False, nextProto=
None, |
| 136 + expect_channel_id=False): |
| 137 #Get and check ChangeCipherSpec |
| 138 for result in self._getMsg(ContentType.change_cipher_spec): |
| 139 if result in (0,1): |
| 140 @@ -1690,6 +1694,20 @@ class TLSConnection(TLSRecordLayer): |
| 141 if nextProto: |
| 142 self.next_proto = nextProto |
| 143 |
| 144 + #Server Finish - Are we waiting for a EncryptedExtensions? |
| 145 + if expect_channel_id: |
| 146 + for result in self._getMsg(ContentType.handshake, HandshakeType.enc
rypted_extensions): |
| 147 + if result in (0,1): |
| 148 + yield result |
| 149 + if result is None: |
| 150 + for result in self._sendError(AlertDescription.unexpected_messa
ge, |
| 151 + "Didn't get EncryptedExtensions me
ssage"): |
| 152 + yield result |
| 153 + encrypted_extensions = result |
| 154 + self.channel_id = result.channel_id_key |
| 155 + else: |
| 156 + self.channel_id = None |
| 157 + |
| 158 #Calculate verification data |
| 159 verifyData = self._calcFinished(masterSecret, False) |
| 160 |
| 161 diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite
/tlslite/tlsrecordlayer.py |
| 162 index b0833fe..ff08cbf 100755 |
| 163 --- a/third_party/tlslite/tlslite/tlsrecordlayer.py |
| 164 +++ b/third_party/tlslite/tlslite/tlsrecordlayer.py |
| 165 @@ -800,6 +800,8 @@ class TLSRecordLayer(object): |
| 166 yield Finished(self.version).parse(p) |
| 167 elif subType == HandshakeType.next_protocol: |
| 168 yield NextProtocol().parse(p) |
| 169 + elif subType == HandshakeType.encrypted_extensions: |
| 170 + yield EncryptedExtensions().parse(p) |
| 171 else: |
| 172 raise AssertionError() |
| 173 |
OLD | NEW |