| Index: third_party/tlslite/patches/signed_certificate_timestamps.patch
|
| diff --git a/third_party/tlslite/patches/signed_certificate_timestamps.patch b/third_party/tlslite/patches/signed_certificate_timestamps.patch
|
| index 55db061d1414466051cc1a71709438a6e6241ca9..21bcacc9bd7088cd933bcd1782cd0298c552db03 100644
|
| --- a/third_party/tlslite/patches/signed_certificate_timestamps.patch
|
| +++ b/third_party/tlslite/patches/signed_certificate_timestamps.patch
|
| @@ -1,20 +1,72 @@
|
| -diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/tlslite/TLSConnection.py
|
| -index e882e2c..d2270a9 100644
|
| ---- a/third_party/tlslite/tlslite/TLSConnection.py
|
| -+++ b/third_party/tlslite/tlslite/TLSConnection.py
|
| -@@ -936,7 +936,8 @@ class TLSConnection(TLSRecordLayer):
|
| - def handshakeServer(self, sharedKeyDB=None, verifierDB=None,
|
| - certChain=None, privateKey=None, reqCert=False,
|
| - sessionCache=None, settings=None, checker=None,
|
| -- reqCAs=None, tlsIntolerant=0):
|
| -+ reqCAs=None, tlsIntolerant=0,
|
| -+ signedCertTimestamps=None):
|
| +diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
|
| +index 79ad145..b3bad2d 100755
|
| +--- a/third_party/tlslite/tlslite/constants.py
|
| ++++ b/third_party/tlslite/tlslite/constants.py
|
| +@@ -44,6 +44,7 @@ class ExtensionType: # RFC 6066 / 4366
|
| + server_name = 0 # RFC 6066 / 4366
|
| + srp = 12 # RFC 5054
|
| + cert_type = 9 # RFC 6091
|
| ++ signed_cert_timestamps = 18 # RFC 6962
|
| + tack = 0xF300
|
| + supports_npn = 13172
|
| + channel_id = 30031
|
| +diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
|
| +index 246082e..5a2cd6c 100755
|
| +--- a/third_party/tlslite/tlslite/messages.py
|
| ++++ b/third_party/tlslite/tlslite/messages.py
|
| +@@ -113,6 +113,7 @@ class ClientHello(HandshakeMsg):
|
| + self.supports_npn = False
|
| + self.server_name = bytearray(0)
|
| + self.channel_id = False
|
| ++ self.support_signed_cert_timestamps = False
|
| +
|
| + def create(self, version, random, session_id, cipher_suites,
|
| + certificate_types=None, srpUsername=None,
|
| +@@ -182,6 +183,10 @@ class ClientHello(HandshakeMsg):
|
| + break
|
| + elif extType == ExtensionType.channel_id:
|
| + self.channel_id = True
|
| ++ elif extType == ExtensionType.signed_cert_timestamps:
|
| ++ if extLength:
|
| ++ raise SyntaxError()
|
| ++ self.support_signed_cert_timestamps = True
|
| + else:
|
| + _ = p.getFixBytes(extLength)
|
| + index2 = p.index
|
| +@@ -247,6 +252,7 @@ class ServerHello(HandshakeMsg):
|
| + self.next_protos_advertised = None
|
| + self.next_protos = None
|
| + self.channel_id = False
|
| ++ self.signed_cert_timestamps = None
|
| +
|
| + def create(self, version, random, session_id, cipher_suite,
|
| + certificate_type, tackExt, next_protos_advertised):
|
| +@@ -336,6 +342,9 @@ class ServerHello(HandshakeMsg):
|
| + if self.channel_id:
|
| + w2.add(ExtensionType.channel_id, 2)
|
| + w2.add(0, 2)
|
| ++ if self.signed_cert_timestamps:
|
| ++ w2.add(ExtensionType.signed_cert_timestamps, 2)
|
| ++ w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2)
|
| + if len(w2.bytes):
|
| + w.add(len(w2.bytes), 2)
|
| + w.bytes += w2.bytes
|
| +diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
|
| +index e7c5140..45b0bbb 100755
|
| +--- a/third_party/tlslite/tlslite/tlsconnection.py
|
| ++++ b/third_party/tlslite/tlslite/tlsconnection.py
|
| +@@ -966,7 +966,7 @@ class TLSConnection(TLSRecordLayer):
|
| + reqCAs = None,
|
| + tacks=None, activationFlags=0,
|
| + nextProtos=None, anon=False,
|
| +- tlsIntolerant=None):
|
| ++ tlsIntolerant=None, signedCertTimestamps=None):
|
| """Perform a handshake in the role of server.
|
|
|
| This function performs an SSL or TLS handshake. Depending on
|
| -@@ -1007,6 +1008,11 @@ class TLSConnection(TLSRecordLayer):
|
| - will be sent along with a certificate request. This does not affect
|
| - verification.
|
| +@@ -1040,6 +1040,11 @@ class TLSConnection(TLSRecordLayer):
|
| + simulate TLS version intolerance by returning a fatal handshake_failure
|
| + alert to all TLS versions tlsIntolerant or higher.
|
|
|
| + @type signedCertTimestamps: str
|
| + @param signedCertTimestamps: A SignedCertificateTimestampList (as a
|
| @@ -24,124 +76,61 @@ index e882e2c..d2270a9 100644
|
| @raise socket.error: If a socket error occurs.
|
| @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
|
| without a preceding alert.
|
| -@@ -1016,14 +1022,15 @@ class TLSConnection(TLSRecordLayer):
|
| - """
|
| - for result in self.handshakeServerAsync(sharedKeyDB, verifierDB,
|
| +@@ -1051,7 +1056,8 @@ class TLSConnection(TLSRecordLayer):
|
| certChain, privateKey, reqCert, sessionCache, settings,
|
| -- checker, reqCAs, tlsIntolerant):
|
| -+ checker, reqCAs, tlsIntolerant, signedCertTimestamps):
|
| + checker, reqCAs,
|
| + tacks=tacks, activationFlags=activationFlags,
|
| +- nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant):
|
| ++ nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant,
|
| ++ signedCertTimestamps=signedCertTimestamps):
|
| pass
|
|
|
|
|
| - def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None,
|
| - certChain=None, privateKey=None, reqCert=False,
|
| - sessionCache=None, settings=None, checker=None,
|
| -- reqCAs=None, tlsIntolerant=0):
|
| -+ reqCAs=None, tlsIntolerant=0,
|
| -+ signedCertTimestamps=None):
|
| +@@ -1061,7 +1067,8 @@ class TLSConnection(TLSRecordLayer):
|
| + reqCAs=None,
|
| + tacks=None, activationFlags=0,
|
| + nextProtos=None, anon=False,
|
| +- tlsIntolerant=None
|
| ++ tlsIntolerant=None,
|
| ++ signedCertTimestamps=None
|
| + ):
|
| """Start a server handshake operation on the TLS connection.
|
|
|
| - This function returns a generator which behaves similarly to
|
| -@@ -1041,14 +1048,16 @@ class TLSConnection(TLSRecordLayer):
|
| - privateKey=privateKey, reqCert=reqCert,
|
| - sessionCache=sessionCache, settings=settings,
|
| - reqCAs=reqCAs,
|
| +@@ -1081,7 +1088,8 @@ class TLSConnection(TLSRecordLayer):
|
| + reqCAs=reqCAs,
|
| + tacks=tacks, activationFlags=activationFlags,
|
| + nextProtos=nextProtos, anon=anon,
|
| - tlsIntolerant=tlsIntolerant)
|
| + tlsIntolerant=tlsIntolerant,
|
| + signedCertTimestamps=signedCertTimestamps)
|
| for result in self._handshakeWrapperAsync(handshaker, checker):
|
| yield result
|
|
|
| -
|
| - def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB,
|
| -- certChain, privateKey, reqCert, sessionCache,
|
| -- settings, reqCAs, tlsIntolerant):
|
| -+ certChain, privateKey, reqCert,
|
| -+ sessionCache, settings, reqCAs,
|
| -+ tlsIntolerant, signedCertTimestamps):
|
| +@@ -1091,7 +1099,7 @@ class TLSConnection(TLSRecordLayer):
|
| + settings, reqCAs,
|
| + tacks, activationFlags,
|
| + nextProtos, anon,
|
| +- tlsIntolerant):
|
| ++ tlsIntolerant, signedCertTimestamps):
|
|
|
| self._handshakeStart(client=False)
|
|
|
| -@@ -1060,6 +1069,9 @@ class TLSConnection(TLSRecordLayer):
|
| - raise ValueError("Caller passed a privateKey but no certChain")
|
| - if reqCAs and not reqCert:
|
| - raise ValueError("Caller passed reqCAs but not reqCert")
|
| +@@ -1112,6 +1120,9 @@ class TLSConnection(TLSRecordLayer):
|
| + raise ValueError("tackpy is not loaded")
|
| + if not settings or not settings.useExperimentalTackExtension:
|
| + raise ValueError("useExperimentalTackExtension not enabled")
|
| + if signedCertTimestamps and not certChain:
|
| + raise ValueError("Caller passed signedCertTimestamps but no "
|
| + "certChain")
|
|
|
| if not settings:
|
| settings = HandshakeSettings()
|
| -@@ -1415,6 +1427,8 @@ class TLSConnection(TLSRecordLayer):
|
| - self.version, serverRandom,
|
| - sessionID, cipherSuite, certificateType)
|
| - serverHello.channel_id = clientHello.channel_id
|
| -+ if clientHello.support_signed_cert_timestamps:
|
| -+ serverHello.signed_cert_timestamps = signedCertTimestamps
|
| - doingChannelID = clientHello.channel_id
|
| - msgs.append(serverHello)
|
| - msgs.append(Certificate(certificateType).create(serverCertChain))
|
| -diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
|
| -index e357dd0..b5a345a 100644
|
| ---- a/third_party/tlslite/tlslite/constants.py
|
| -+++ b/third_party/tlslite/tlslite/constants.py
|
| -@@ -32,6 +32,7 @@ class ContentType:
|
| - all = (20,21,22,23)
|
| -
|
| - class ExtensionType:
|
| -+ signed_cert_timestamps = 18 # signed_certificate_timestamp in RFC 6962
|
| - channel_id = 30031
|
| -
|
| - class AlertLevel:
|
| -diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
|
| -index fa4d817..296f422 100644
|
| ---- a/third_party/tlslite/tlslite/messages.py
|
| -+++ b/third_party/tlslite/tlslite/messages.py
|
| -@@ -131,6 +131,7 @@ class ClientHello(HandshakeMsg):
|
| - self.compression_methods = [] # a list of 8-bit values
|
| - self.srp_username = None # a string
|
| - self.channel_id = False
|
| -+ self.support_signed_cert_timestamps = False
|
| -
|
| - def create(self, version, random, session_id, cipher_suites,
|
| - certificate_types=None, srp_username=None):
|
| -@@ -177,6 +178,10 @@ class ClientHello(HandshakeMsg):
|
| - self.certificate_types = p.getVarList(1, 1)
|
| - elif extType == ExtensionType.channel_id:
|
| - self.channel_id = True
|
| -+ elif extType == ExtensionType.signed_cert_timestamps:
|
| -+ if extLength:
|
| -+ raise SyntaxError()
|
| -+ self.support_signed_cert_timestamps = True
|
| - else:
|
| - p.getFixBytes(extLength)
|
| - soFar += 4 + extLength
|
| -@@ -224,6 +229,7 @@ class ServerHello(HandshakeMsg):
|
| - self.certificate_type = CertificateType.x509
|
| - self.compression_method = 0
|
| - self.channel_id = False
|
| -+ self.signed_cert_timestamps = None
|
| -
|
| - def create(self, version, random, session_id, cipher_suite,
|
| - certificate_type):
|
| -@@ -273,6 +279,9 @@ class ServerHello(HandshakeMsg):
|
| - if self.channel_id:
|
| - extLength += 4
|
| -
|
| -+ if self.signed_cert_timestamps:
|
| -+ extLength += 4 + len(self.signed_cert_timestamps)
|
| -+
|
| - if extLength != 0:
|
| - w.add(extLength, 2)
|
| -
|
| -@@ -286,6 +295,10 @@ class ServerHello(HandshakeMsg):
|
| - w.add(ExtensionType.channel_id, 2)
|
| - w.add(0, 2)
|
| -
|
| -+ if self.signed_cert_timestamps:
|
| -+ w.add(ExtensionType.signed_cert_timestamps, 2)
|
| -+ w.addVarSeq(stringToBytes(self.signed_cert_timestamps), 1, 2)
|
| -+
|
| - return HandshakeMsg.postWrite(self, w, trial)
|
| -
|
| - class Certificate(HandshakeMsg):
|
| +@@ -1156,6 +1167,8 @@ class TLSConnection(TLSRecordLayer):
|
| + cipherSuite, CertificateType.x509, tackExt,
|
| + nextProtos)
|
| + serverHello.channel_id = clientHello.channel_id
|
| ++ if clientHello.support_signed_cert_timestamps:
|
| ++ serverHello.signed_cert_timestamps = signedCertTimestamps
|
| +
|
| + # Perform the SRP key exchange
|
| + clientCertChain = None
|
|
|
Chromium Code Reviews
Issue 210323002:
Update tlslite to 0.4.6. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src