Index: third_party/tlslite/patches/signed_certificate_timestamps.patch |
diff --git a/third_party/tlslite/patches/signed_certificate_timestamps.patch b/third_party/tlslite/patches/signed_certificate_timestamps.patch |
index 55db061d1414466051cc1a71709438a6e6241ca9..21bcacc9bd7088cd933bcd1782cd0298c552db03 100644 |
--- a/third_party/tlslite/patches/signed_certificate_timestamps.patch |
+++ b/third_party/tlslite/patches/signed_certificate_timestamps.patch |
@@ -1,20 +1,72 @@ |
-diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/tlslite/TLSConnection.py |
-index e882e2c..d2270a9 100644 |
---- a/third_party/tlslite/tlslite/TLSConnection.py |
-+++ b/third_party/tlslite/tlslite/TLSConnection.py |
-@@ -936,7 +936,8 @@ class TLSConnection(TLSRecordLayer): |
- def handshakeServer(self, sharedKeyDB=None, verifierDB=None, |
- certChain=None, privateKey=None, reqCert=False, |
- sessionCache=None, settings=None, checker=None, |
-- reqCAs=None, tlsIntolerant=0): |
-+ reqCAs=None, tlsIntolerant=0, |
-+ signedCertTimestamps=None): |
+diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py |
+index 79ad145..b3bad2d 100755 |
+--- a/third_party/tlslite/tlslite/constants.py |
++++ b/third_party/tlslite/tlslite/constants.py |
+@@ -44,6 +44,7 @@ class ExtensionType: # RFC 6066 / 4366 |
+ server_name = 0 # RFC 6066 / 4366 |
+ srp = 12 # RFC 5054 |
+ cert_type = 9 # RFC 6091 |
++ signed_cert_timestamps = 18 # RFC 6962 |
+ tack = 0xF300 |
+ supports_npn = 13172 |
+ channel_id = 30031 |
+diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py |
+index 246082e..5a2cd6c 100755 |
+--- a/third_party/tlslite/tlslite/messages.py |
++++ b/third_party/tlslite/tlslite/messages.py |
+@@ -113,6 +113,7 @@ class ClientHello(HandshakeMsg): |
+ self.supports_npn = False |
+ self.server_name = bytearray(0) |
+ self.channel_id = False |
++ self.support_signed_cert_timestamps = False |
+ |
+ def create(self, version, random, session_id, cipher_suites, |
+ certificate_types=None, srpUsername=None, |
+@@ -182,6 +183,10 @@ class ClientHello(HandshakeMsg): |
+ break |
+ elif extType == ExtensionType.channel_id: |
+ self.channel_id = True |
++ elif extType == ExtensionType.signed_cert_timestamps: |
++ if extLength: |
++ raise SyntaxError() |
++ self.support_signed_cert_timestamps = True |
+ else: |
+ _ = p.getFixBytes(extLength) |
+ index2 = p.index |
+@@ -247,6 +252,7 @@ class ServerHello(HandshakeMsg): |
+ self.next_protos_advertised = None |
+ self.next_protos = None |
+ self.channel_id = False |
++ self.signed_cert_timestamps = None |
+ |
+ def create(self, version, random, session_id, cipher_suite, |
+ certificate_type, tackExt, next_protos_advertised): |
+@@ -336,6 +342,9 @@ class ServerHello(HandshakeMsg): |
+ if self.channel_id: |
+ w2.add(ExtensionType.channel_id, 2) |
+ w2.add(0, 2) |
++ if self.signed_cert_timestamps: |
++ w2.add(ExtensionType.signed_cert_timestamps, 2) |
++ w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2) |
+ if len(w2.bytes): |
+ w.add(len(w2.bytes), 2) |
+ w.bytes += w2.bytes |
+diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py |
+index e7c5140..45b0bbb 100755 |
+--- a/third_party/tlslite/tlslite/tlsconnection.py |
++++ b/third_party/tlslite/tlslite/tlsconnection.py |
+@@ -966,7 +966,7 @@ class TLSConnection(TLSRecordLayer): |
+ reqCAs = None, |
+ tacks=None, activationFlags=0, |
+ nextProtos=None, anon=False, |
+- tlsIntolerant=None): |
++ tlsIntolerant=None, signedCertTimestamps=None): |
"""Perform a handshake in the role of server. |
This function performs an SSL or TLS handshake. Depending on |
-@@ -1007,6 +1008,11 @@ class TLSConnection(TLSRecordLayer): |
- will be sent along with a certificate request. This does not affect |
- verification. |
+@@ -1040,6 +1040,11 @@ class TLSConnection(TLSRecordLayer): |
+ simulate TLS version intolerance by returning a fatal handshake_failure |
+ alert to all TLS versions tlsIntolerant or higher. |
+ @type signedCertTimestamps: str |
+ @param signedCertTimestamps: A SignedCertificateTimestampList (as a |
@@ -24,124 +76,61 @@ index e882e2c..d2270a9 100644 |
@raise socket.error: If a socket error occurs. |
@raise tlslite.errors.TLSAbruptCloseError: If the socket is closed |
without a preceding alert. |
-@@ -1016,14 +1022,15 @@ class TLSConnection(TLSRecordLayer): |
- """ |
- for result in self.handshakeServerAsync(sharedKeyDB, verifierDB, |
+@@ -1051,7 +1056,8 @@ class TLSConnection(TLSRecordLayer): |
certChain, privateKey, reqCert, sessionCache, settings, |
-- checker, reqCAs, tlsIntolerant): |
-+ checker, reqCAs, tlsIntolerant, signedCertTimestamps): |
+ checker, reqCAs, |
+ tacks=tacks, activationFlags=activationFlags, |
+- nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant): |
++ nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, |
++ signedCertTimestamps=signedCertTimestamps): |
pass |
- def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None, |
- certChain=None, privateKey=None, reqCert=False, |
- sessionCache=None, settings=None, checker=None, |
-- reqCAs=None, tlsIntolerant=0): |
-+ reqCAs=None, tlsIntolerant=0, |
-+ signedCertTimestamps=None): |
+@@ -1061,7 +1067,8 @@ class TLSConnection(TLSRecordLayer): |
+ reqCAs=None, |
+ tacks=None, activationFlags=0, |
+ nextProtos=None, anon=False, |
+- tlsIntolerant=None |
++ tlsIntolerant=None, |
++ signedCertTimestamps=None |
+ ): |
"""Start a server handshake operation on the TLS connection. |
- This function returns a generator which behaves similarly to |
-@@ -1041,14 +1048,16 @@ class TLSConnection(TLSRecordLayer): |
- privateKey=privateKey, reqCert=reqCert, |
- sessionCache=sessionCache, settings=settings, |
- reqCAs=reqCAs, |
+@@ -1081,7 +1088,8 @@ class TLSConnection(TLSRecordLayer): |
+ reqCAs=reqCAs, |
+ tacks=tacks, activationFlags=activationFlags, |
+ nextProtos=nextProtos, anon=anon, |
- tlsIntolerant=tlsIntolerant) |
+ tlsIntolerant=tlsIntolerant, |
+ signedCertTimestamps=signedCertTimestamps) |
for result in self._handshakeWrapperAsync(handshaker, checker): |
yield result |
- |
- def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB, |
-- certChain, privateKey, reqCert, sessionCache, |
-- settings, reqCAs, tlsIntolerant): |
-+ certChain, privateKey, reqCert, |
-+ sessionCache, settings, reqCAs, |
-+ tlsIntolerant, signedCertTimestamps): |
+@@ -1091,7 +1099,7 @@ class TLSConnection(TLSRecordLayer): |
+ settings, reqCAs, |
+ tacks, activationFlags, |
+ nextProtos, anon, |
+- tlsIntolerant): |
++ tlsIntolerant, signedCertTimestamps): |
self._handshakeStart(client=False) |
-@@ -1060,6 +1069,9 @@ class TLSConnection(TLSRecordLayer): |
- raise ValueError("Caller passed a privateKey but no certChain") |
- if reqCAs and not reqCert: |
- raise ValueError("Caller passed reqCAs but not reqCert") |
+@@ -1112,6 +1120,9 @@ class TLSConnection(TLSRecordLayer): |
+ raise ValueError("tackpy is not loaded") |
+ if not settings or not settings.useExperimentalTackExtension: |
+ raise ValueError("useExperimentalTackExtension not enabled") |
+ if signedCertTimestamps and not certChain: |
+ raise ValueError("Caller passed signedCertTimestamps but no " |
+ "certChain") |
if not settings: |
settings = HandshakeSettings() |
-@@ -1415,6 +1427,8 @@ class TLSConnection(TLSRecordLayer): |
- self.version, serverRandom, |
- sessionID, cipherSuite, certificateType) |
- serverHello.channel_id = clientHello.channel_id |
-+ if clientHello.support_signed_cert_timestamps: |
-+ serverHello.signed_cert_timestamps = signedCertTimestamps |
- doingChannelID = clientHello.channel_id |
- msgs.append(serverHello) |
- msgs.append(Certificate(certificateType).create(serverCertChain)) |
-diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py |
-index e357dd0..b5a345a 100644 |
---- a/third_party/tlslite/tlslite/constants.py |
-+++ b/third_party/tlslite/tlslite/constants.py |
-@@ -32,6 +32,7 @@ class ContentType: |
- all = (20,21,22,23) |
- |
- class ExtensionType: |
-+ signed_cert_timestamps = 18 # signed_certificate_timestamp in RFC 6962 |
- channel_id = 30031 |
- |
- class AlertLevel: |
-diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py |
-index fa4d817..296f422 100644 |
---- a/third_party/tlslite/tlslite/messages.py |
-+++ b/third_party/tlslite/tlslite/messages.py |
-@@ -131,6 +131,7 @@ class ClientHello(HandshakeMsg): |
- self.compression_methods = [] # a list of 8-bit values |
- self.srp_username = None # a string |
- self.channel_id = False |
-+ self.support_signed_cert_timestamps = False |
- |
- def create(self, version, random, session_id, cipher_suites, |
- certificate_types=None, srp_username=None): |
-@@ -177,6 +178,10 @@ class ClientHello(HandshakeMsg): |
- self.certificate_types = p.getVarList(1, 1) |
- elif extType == ExtensionType.channel_id: |
- self.channel_id = True |
-+ elif extType == ExtensionType.signed_cert_timestamps: |
-+ if extLength: |
-+ raise SyntaxError() |
-+ self.support_signed_cert_timestamps = True |
- else: |
- p.getFixBytes(extLength) |
- soFar += 4 + extLength |
-@@ -224,6 +229,7 @@ class ServerHello(HandshakeMsg): |
- self.certificate_type = CertificateType.x509 |
- self.compression_method = 0 |
- self.channel_id = False |
-+ self.signed_cert_timestamps = None |
- |
- def create(self, version, random, session_id, cipher_suite, |
- certificate_type): |
-@@ -273,6 +279,9 @@ class ServerHello(HandshakeMsg): |
- if self.channel_id: |
- extLength += 4 |
- |
-+ if self.signed_cert_timestamps: |
-+ extLength += 4 + len(self.signed_cert_timestamps) |
-+ |
- if extLength != 0: |
- w.add(extLength, 2) |
- |
-@@ -286,6 +295,10 @@ class ServerHello(HandshakeMsg): |
- w.add(ExtensionType.channel_id, 2) |
- w.add(0, 2) |
- |
-+ if self.signed_cert_timestamps: |
-+ w.add(ExtensionType.signed_cert_timestamps, 2) |
-+ w.addVarSeq(stringToBytes(self.signed_cert_timestamps), 1, 2) |
-+ |
- return HandshakeMsg.postWrite(self, w, trial) |
- |
- class Certificate(HandshakeMsg): |
+@@ -1156,6 +1167,8 @@ class TLSConnection(TLSRecordLayer): |
+ cipherSuite, CertificateType.x509, tackExt, |
+ nextProtos) |
+ serverHello.channel_id = clientHello.channel_id |
++ if clientHello.support_signed_cert_timestamps: |
++ serverHello.signed_cert_timestamps = signedCertTimestamps |
+ |
+ # Perform the SRP key exchange |
+ clientCertChain = None |