OLD | NEW |
1 diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/
tlslite/TLSConnection.py | 1 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlsl
ite/constants.py |
2 index e882e2c..d2270a9 100644 | 2 index 79ad145..b3bad2d 100755 |
3 --- a/third_party/tlslite/tlslite/TLSConnection.py | 3 --- a/third_party/tlslite/tlslite/constants.py |
4 +++ b/third_party/tlslite/tlslite/TLSConnection.py | 4 +++ b/third_party/tlslite/tlslite/constants.py |
5 @@ -936,7 +936,8 @@ class TLSConnection(TLSRecordLayer): | 5 @@ -44,6 +44,7 @@ class ExtensionType: # RFC 6066 / 4366 |
6 def handshakeServer(self, sharedKeyDB=None, verifierDB=None, | 6 server_name = 0 # RFC 6066 / 4366 |
7 certChain=None, privateKey=None, reqCert=False, | 7 srp = 12 # RFC 5054 |
8 sessionCache=None, settings=None, checker=None, | 8 cert_type = 9 # RFC 6091 |
9 - reqCAs=None, tlsIntolerant=0): | 9 + signed_cert_timestamps = 18 # RFC 6962 |
10 + reqCAs=None, tlsIntolerant=0, | 10 tack = 0xF300 |
11 + signedCertTimestamps=None): | 11 supports_npn = 13172 |
| 12 channel_id = 30031 |
| 13 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlsli
te/messages.py |
| 14 index 246082e..5a2cd6c 100755 |
| 15 --- a/third_party/tlslite/tlslite/messages.py |
| 16 +++ b/third_party/tlslite/tlslite/messages.py |
| 17 @@ -113,6 +113,7 @@ class ClientHello(HandshakeMsg): |
| 18 self.supports_npn = False |
| 19 self.server_name = bytearray(0) |
| 20 self.channel_id = False |
| 21 + self.support_signed_cert_timestamps = False |
| 22 |
| 23 def create(self, version, random, session_id, cipher_suites, |
| 24 certificate_types=None, srpUsername=None, |
| 25 @@ -182,6 +183,10 @@ class ClientHello(HandshakeMsg): |
| 26 break |
| 27 elif extType == ExtensionType.channel_id: |
| 28 self.channel_id = True |
| 29 + elif extType == ExtensionType.signed_cert_timestamps: |
| 30 + if extLength: |
| 31 + raise SyntaxError() |
| 32 + self.support_signed_cert_timestamps = True |
| 33 else: |
| 34 _ = p.getFixBytes(extLength) |
| 35 index2 = p.index |
| 36 @@ -247,6 +252,7 @@ class ServerHello(HandshakeMsg): |
| 37 self.next_protos_advertised = None |
| 38 self.next_protos = None |
| 39 self.channel_id = False |
| 40 + self.signed_cert_timestamps = None |
| 41 |
| 42 def create(self, version, random, session_id, cipher_suite, |
| 43 certificate_type, tackExt, next_protos_advertised): |
| 44 @@ -336,6 +342,9 @@ class ServerHello(HandshakeMsg): |
| 45 if self.channel_id: |
| 46 w2.add(ExtensionType.channel_id, 2) |
| 47 w2.add(0, 2) |
| 48 + if self.signed_cert_timestamps: |
| 49 + w2.add(ExtensionType.signed_cert_timestamps, 2) |
| 50 + w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2) |
| 51 if len(w2.bytes): |
| 52 w.add(len(w2.bytes), 2) |
| 53 w.bytes += w2.bytes |
| 54 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/
tlslite/tlsconnection.py |
| 55 index e7c5140..45b0bbb 100755 |
| 56 --- a/third_party/tlslite/tlslite/tlsconnection.py |
| 57 +++ b/third_party/tlslite/tlslite/tlsconnection.py |
| 58 @@ -966,7 +966,7 @@ class TLSConnection(TLSRecordLayer): |
| 59 reqCAs = None, |
| 60 tacks=None, activationFlags=0, |
| 61 nextProtos=None, anon=False, |
| 62 - tlsIntolerant=None): |
| 63 + tlsIntolerant=None, signedCertTimestamps=None): |
12 """Perform a handshake in the role of server. | 64 """Perform a handshake in the role of server. |
13 | 65 |
14 This function performs an SSL or TLS handshake. Depending on | 66 This function performs an SSL or TLS handshake. Depending on |
15 @@ -1007,6 +1008,11 @@ class TLSConnection(TLSRecordLayer): | 67 @@ -1040,6 +1040,11 @@ class TLSConnection(TLSRecordLayer): |
16 will be sent along with a certificate request. This does not affect | 68 simulate TLS version intolerance by returning a fatal handshake_failure |
17 verification. | 69 alert to all TLS versions tlsIntolerant or higher. |
18 | 70 |
19 + @type signedCertTimestamps: str | 71 + @type signedCertTimestamps: str |
20 + @param signedCertTimestamps: A SignedCertificateTimestampList (as a | 72 + @param signedCertTimestamps: A SignedCertificateTimestampList (as a |
21 + binary 8-bit string) that will be sent as a TLS extension whenever | 73 + binary 8-bit string) that will be sent as a TLS extension whenever |
22 + the client announces support for the extension. | 74 + the client announces support for the extension. |
23 + | 75 + |
24 @raise socket.error: If a socket error occurs. | 76 @raise socket.error: If a socket error occurs. |
25 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed | 77 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed |
26 without a preceding alert. | 78 without a preceding alert. |
27 @@ -1016,14 +1022,15 @@ class TLSConnection(TLSRecordLayer): | 79 @@ -1051,7 +1056,8 @@ class TLSConnection(TLSRecordLayer): |
28 """ | |
29 for result in self.handshakeServerAsync(sharedKeyDB, verifierDB, | |
30 certChain, privateKey, reqCert, sessionCache, settings, | 80 certChain, privateKey, reqCert, sessionCache, settings, |
31 - checker, reqCAs, tlsIntolerant): | 81 checker, reqCAs, |
32 + checker, reqCAs, tlsIntolerant, signedCertTimestamps): | 82 tacks=tacks, activationFlags=activationFlags, |
| 83 - nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant): |
| 84 + nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, |
| 85 + signedCertTimestamps=signedCertTimestamps): |
33 pass | 86 pass |
34 | 87 |
35 | 88 |
36 def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None, | 89 @@ -1061,7 +1067,8 @@ class TLSConnection(TLSRecordLayer): |
37 certChain=None, privateKey=None, reqCert=False, | 90 reqCAs=None, |
38 sessionCache=None, settings=None, checker=None, | 91 tacks=None, activationFlags=0, |
39 - reqCAs=None, tlsIntolerant=0): | 92 nextProtos=None, anon=False, |
40 + reqCAs=None, tlsIntolerant=0, | 93 - tlsIntolerant=None |
41 + signedCertTimestamps=None): | 94 + tlsIntolerant=None, |
| 95 + signedCertTimestamps=None |
| 96 ): |
42 """Start a server handshake operation on the TLS connection. | 97 """Start a server handshake operation on the TLS connection. |
43 | 98 |
44 This function returns a generator which behaves similarly to | 99 @@ -1081,7 +1088,8 @@ class TLSConnection(TLSRecordLayer): |
45 @@ -1041,14 +1048,16 @@ class TLSConnection(TLSRecordLayer): | 100 reqCAs=reqCAs, |
46 privateKey=privateKey, reqCert=reqCert, | 101 tacks=tacks, activationFlags=activationFlags, |
47 sessionCache=sessionCache, settings=settings, | 102 nextProtos=nextProtos, anon=anon, |
48 reqCAs=reqCAs, | |
49 - tlsIntolerant=tlsIntolerant) | 103 - tlsIntolerant=tlsIntolerant) |
50 + tlsIntolerant=tlsIntolerant, | 104 + tlsIntolerant=tlsIntolerant, |
51 + signedCertTimestamps=signedCertTimestamps) | 105 + signedCertTimestamps=signedCertTimestamps) |
52 for result in self._handshakeWrapperAsync(handshaker, checker): | 106 for result in self._handshakeWrapperAsync(handshaker, checker): |
53 yield result | 107 yield result |
54 | 108 |
55 | 109 @@ -1091,7 +1099,7 @@ class TLSConnection(TLSRecordLayer): |
56 def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB, | 110 settings, reqCAs, |
57 - certChain, privateKey, reqCert, sessionCache, | 111 tacks, activationFlags, |
58 - settings, reqCAs, tlsIntolerant): | 112 nextProtos, anon, |
59 + certChain, privateKey, reqCert, | 113 - tlsIntolerant): |
60 + sessionCache, settings, reqCAs, | 114 + tlsIntolerant, signedCertTimestamps): |
61 + tlsIntolerant, signedCertTimestamps): | |
62 | 115 |
63 self._handshakeStart(client=False) | 116 self._handshakeStart(client=False) |
64 | 117 |
65 @@ -1060,6 +1069,9 @@ class TLSConnection(TLSRecordLayer): | 118 @@ -1112,6 +1120,9 @@ class TLSConnection(TLSRecordLayer): |
66 raise ValueError("Caller passed a privateKey but no certChain") | 119 raise ValueError("tackpy is not loaded") |
67 if reqCAs and not reqCert: | 120 if not settings or not settings.useExperimentalTackExtension: |
68 raise ValueError("Caller passed reqCAs but not reqCert") | 121 raise ValueError("useExperimentalTackExtension not enabled") |
69 + if signedCertTimestamps and not certChain: | 122 + if signedCertTimestamps and not certChain: |
70 + raise ValueError("Caller passed signedCertTimestamps but no " | 123 + raise ValueError("Caller passed signedCertTimestamps but no " |
71 + "certChain") | 124 + "certChain") |
72 | 125 |
73 if not settings: | 126 if not settings: |
74 settings = HandshakeSettings() | 127 settings = HandshakeSettings() |
75 @@ -1415,6 +1427,8 @@ class TLSConnection(TLSRecordLayer): | 128 @@ -1156,6 +1167,8 @@ class TLSConnection(TLSRecordLayer): |
76 self.version, serverRandom, | 129 cipherSuite, CertificateType.x509, tackExt, |
77 sessionID, cipherSuite, certificateType) | 130 nextProtos) |
78 serverHello.channel_id = clientHello.channel_id | 131 serverHello.channel_id = clientHello.channel_id |
79 + if clientHello.support_signed_cert_timestamps: | 132 + if clientHello.support_signed_cert_timestamps: |
80 + serverHello.signed_cert_timestamps = signedCertTimestamps | 133 + serverHello.signed_cert_timestamps = signedCertTimestamps |
81 doingChannelID = clientHello.channel_id | |
82 msgs.append(serverHello) | |
83 msgs.append(Certificate(certificateType).create(serverCertChain)) | |
84 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlsl
ite/constants.py | |
85 index e357dd0..b5a345a 100644 | |
86 --- a/third_party/tlslite/tlslite/constants.py | |
87 +++ b/third_party/tlslite/tlslite/constants.py | |
88 @@ -32,6 +32,7 @@ class ContentType: | |
89 all = (20,21,22,23) | |
90 | 134 |
91 class ExtensionType: | 135 # Perform the SRP key exchange |
92 + signed_cert_timestamps = 18 # signed_certificate_timestamp in RFC 6962 | 136 clientCertChain = None |
93 channel_id = 30031 | |
94 | |
95 class AlertLevel: | |
96 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlsli
te/messages.py | |
97 index fa4d817..296f422 100644 | |
98 --- a/third_party/tlslite/tlslite/messages.py | |
99 +++ b/third_party/tlslite/tlslite/messages.py | |
100 @@ -131,6 +131,7 @@ class ClientHello(HandshakeMsg): | |
101 self.compression_methods = [] # a list of 8-bit values | |
102 self.srp_username = None # a string | |
103 self.channel_id = False | |
104 + self.support_signed_cert_timestamps = False | |
105 | |
106 def create(self, version, random, session_id, cipher_suites, | |
107 certificate_types=None, srp_username=None): | |
108 @@ -177,6 +178,10 @@ class ClientHello(HandshakeMsg): | |
109 self.certificate_types = p.getVarList(1, 1) | |
110 elif extType == ExtensionType.channel_id: | |
111 self.channel_id = True | |
112 + elif extType == ExtensionType.signed_cert_timestamps: | |
113 + if extLength: | |
114 + raise SyntaxError() | |
115 + self.support_signed_cert_timestamps = True | |
116 else: | |
117 p.getFixBytes(extLength) | |
118 soFar += 4 + extLength | |
119 @@ -224,6 +229,7 @@ class ServerHello(HandshakeMsg): | |
120 self.certificate_type = CertificateType.x509 | |
121 self.compression_method = 0 | |
122 self.channel_id = False | |
123 + self.signed_cert_timestamps = None | |
124 | |
125 def create(self, version, random, session_id, cipher_suite, | |
126 certificate_type): | |
127 @@ -273,6 +279,9 @@ class ServerHello(HandshakeMsg): | |
128 if self.channel_id: | |
129 extLength += 4 | |
130 | |
131 + if self.signed_cert_timestamps: | |
132 + extLength += 4 + len(self.signed_cert_timestamps) | |
133 + | |
134 if extLength != 0: | |
135 w.add(extLength, 2) | |
136 | |
137 @@ -286,6 +295,10 @@ class ServerHello(HandshakeMsg): | |
138 w.add(ExtensionType.channel_id, 2) | |
139 w.add(0, 2) | |
140 | |
141 + if self.signed_cert_timestamps: | |
142 + w.add(ExtensionType.signed_cert_timestamps, 2) | |
143 + w.addVarSeq(stringToBytes(self.signed_cert_timestamps), 1, 2) | |
144 + | |
145 return HandshakeMsg.postWrite(self, w, trial) | |
146 | |
147 class Certificate(HandshakeMsg): | |
OLD | NEW |