Implement ALPN in tlslite.

third_party/tlslite/tlslite/tlsconnection.py

 # Authors: 
 #   Trevor Perrin
 #   Google - added reqCAs parameter
 #   Google (adapted by Sam Rushing and Marcelo Fernandez) - NPN support
 #   Dimitris Moraitis - Anon ciphersuites
 #   Martin von Loewis - python 3 port
 #   Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2
 #
 # See the LICENSE file for legal information regarding use of this file.
 
@@ skipping 319 matching lines @@
         #
         # If 'async' is True, the generator is returned to the caller, 
         # otherwise it is executed to completion here.  
         if async:
             return handshaker
         for result in handshaker:
             pass
 
     def handshakeClientCert(self, certChain=None, privateKey=None,
                             session=None, settings=None, checker=None,
-                            nextProtos=None, reqTack=True, serverName="",
-                            async=False):
+                            alpnProtos=None, nextProtos=None, reqTack=True,

[davidben, 2016/08/03 23:34:22]

Please do move this to the settings object. You won't have to pass it down
everywhere and it will be much simpler.

[Bence, 2016/08/04 18:41:45]

Done.  Also moved nextProtos so that they are together.

+                            serverName="", async=False):
         """Perform a certificate-based handshake in the role of client.
 
         This function performs an SSL or TLS handshake.  The server
         will authenticate itself using an X.509 certificate
         chain.  If the handshake succeeds, the server's certificate
         chain will be stored in the session's serverCertChain attribute.
         Unless a checker object is passed in, this function does no
         validation or checking of the server's certificate chain.
 
         If the server requests client authentication, the
@@ skipping 24 matching lines @@
 
         @type settings: L{tlslite.handshakesettings.HandshakeSettings}
         @param settings: Various settings which can be used to control
         the ciphersuites, certificate types, and SSL/TLS versions
         offered by the client.
 
         @type checker: L{tlslite.checker.Checker}
         @param checker: A Checker instance.  This instance will be
         invoked to examine the other party's authentication
         credentials, if the handshake completes succesfully.
+
+        @type alpnProtos: list of strings.
+        @param alpnProtos: A list of upper layer protocols ordered by
+        preference, to advertise in the Application-Layer Protocol Negotiation
+        Extension (RFC 7301).
         
         @type nextProtos: list of strings.
         @param nextProtos: A list of upper layer protocols ordered by
         preference, to use in the Next-Protocol Negotiation Extension.
         
         @type reqTack: bool
         @param reqTack: Whether or not to send a "tack" TLS Extension, 
         requesting the server return a TackExtension if it has one.        
 
         @type serverName: string
@@ skipping 14 matching lines @@
         @raise socket.error: If a socket error occurs.
         @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
         without a preceding alert.
         @raise tlslite.errors.TLSAlert: If a TLS alert is signalled.
         @raise tlslite.errors.TLSAuthenticationError: If the checker
         doesn't like the other party's authentication credentials.
         """
         handshaker = self._handshakeClientAsync(certParams=(certChain,
                         privateKey), session=session, settings=settings,
                         checker=checker, serverName=serverName, 
-                        nextProtos=nextProtos, reqTack=reqTack)
+                        alpnProtos=alpnProtos, nextProtos=nextProtos,
+                        reqTack=reqTack)
         # The handshaker is a Python Generator which executes the handshake.
         # It allows the handshake to be run in a "piecewise", asynchronous
         # fashion, returning 1 when it is waiting to able to write, 0 when
         # it is waiting to read.
         #
         # If 'async' is True, the generator is returned to the caller, 
         # otherwise it is executed to completion here.                        
         if async:
             return handshaker
         for result in handshaker:
             pass
 
 
     def _handshakeClientAsync(self, srpParams=(), certParams=(), anonParams=(),
                              session=None, settings=None, checker=None,
-                             nextProtos=None, serverName="", reqTack=True):
+                             alpnProtos=None, nextProtos=None, serverName="",
+                             reqTack=True):
 
         handshaker = self._handshakeClientAsyncHelper(srpParams=srpParams,
                 certParams=certParams,
                 anonParams=anonParams,
                 session=session,
                 settings=settings,
                 serverName=serverName,
+                alpnProtos=alpnProtos,
                 nextProtos=nextProtos,
                 reqTack=reqTack)
         for result in self._handshakeWrapperAsync(handshaker, checker):
             yield result
 
 
     def _handshakeClientAsyncHelper(self, srpParams, certParams, anonParams,
-                               session, settings, serverName, nextProtos, reqTack):
+                               session, settings, serverName, alpnProtos,
+                               nextProtos, reqTack):
         
         self._handshakeStart(client=True)
 
         #Unpack parameters
         srpUsername = None      # srpParams[0]
         password = None         # srpParams[1]
         clientCertChain = None  # certParams[0]
         privateKey = None       # certParams[1]
 
         # Allow only one of (srpParams, certParams, anonParams)
@@ skipping 16 matching lines @@
             raise ValueError("Caller passed a password but no username")
         if clientCertChain and not privateKey:
             raise ValueError("Caller passed a certChain but no privateKey")
         if privateKey and not clientCertChain:
             raise ValueError("Caller passed a privateKey but no certChain")
         if reqTack:
             if not tackpyLoaded:
                 reqTack = False
             if not settings or not settings.useExperimentalTackExtension:
                 reqTack = False
+        if alpnProtos is not None:
+            if len(alpnProtos) == 0:
+                raise ValueError("Caller passed no alpnProtos")
         if nextProtos is not None:
             if len(nextProtos) == 0:
                 raise ValueError("Caller passed no nextProtos")
         
         # Validates the settings and filters out any unsupported ciphers
         # or crypto libraries that were requested        
         if not settings:
             settings = HandshakeSettings()
         settings = settings._filter()
 
@@ skipping 25 matching lines @@
         #We'll use this for the ClientHello, and if an error occurs
         #parsing the Server Hello, we'll use this version for the response
         self.version = settings.maxVersion
         
         # OK Start sending messages!
         # *****************************
 
         # Send the ClientHello.
         for result in self._clientSendClientHello(settings, session, 
                                         srpUsername, srpParams, certParams,
-                                        anonParams, serverName, nextProtos,
-                                        reqTack):
+                                        anonParams, serverName, alpnProtos,
+                                        nextProtos, reqTack):
             if result in (0,1): yield result
             else: break
         clientHello = result
         
         #Get the ServerHello.
         for result in self._clientGetServerHello(settings, clientHello):
             if result in (0,1): yield result
             else: break
         serverHello = result
         cipherSuite = serverHello.cipher_suite
         
-        # Choose a matching Next Protocol from server list against ours
-        # (string or None)
-        nextProto = self._clientSelectNextProto(nextProtos, serverHello)
+        #Ignore NPN if server response has ALPN.

[davidben, 2016/08/03 23:34:22]

This isn't right. If the ServerHello contains both ALPN and NPN, you don't
ignore NPN. That won't work right. You have to hard-fail the connection. See
_clientGetServerHello comment.

[Bence, 2016/08/04 18:41:45]

Done.

+        if (serverHello.alpn_proto_selected):
+          nextProto = None
+        else:
+          nextProto = self._clientSelectNextProto(nextProtos, serverHello)
 
         #If the server elected to resume the session, it is handled here.
         for result in self._clientResume(session, serverHello, 
                         clientHello.random, 
                         settings.cipherImplementations,
                         nextProto):
             if result in (0,1): yield result
             else: break
         if result == "resumed_and_finished":
             self._handshakeDone(resumed=True)
@@ skipping 55 matching lines @@
         # Create the session object which is used for resumptions
         self.session = Session()
         self.session.create(masterSecret, serverHello.session_id, cipherSuite,
             srpUsername, clientCertChain, serverCertChain,
             tackExt, serverHello.tackExt!=None, serverName)
         self._handshakeDone(resumed=False)
 
 
     def _clientSendClientHello(self, settings, session, srpUsername,
                                 srpParams, certParams, anonParams, 
-                                serverName, nextProtos, reqTack):
+                                serverName, alpnProtos, nextProtos, reqTack):
         #Initialize acceptable ciphersuites
         cipherSuites = [CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
         if srpParams:
             cipherSuites += CipherSuite.getSrpAllSuites(settings)
         elif certParams:
             # TODO: Client DHE_RSA not supported.
             # cipherSuites += CipherSuite.getDheCertSuites(settings)
             cipherSuites += CipherSuite.getCertSuites(settings)
         elif anonParams:
             cipherSuites += CipherSuite.getAnonSuites(settings)
         else:
             assert(False)
 
         #Initialize acceptable certificate types
         certificateTypes = settings._getCertificateTypes()
             
         #Either send ClientHello (with a resumable session)...
         if session and session.sessionID:
             #If it's resumable, then its
             #ciphersuite must be one of the acceptable ciphersuites
             if session.cipherSuite not in cipherSuites:
                 raise ValueError("Session's cipher suite not consistent "\
                                  "with parameters")
             else:
                 clientHello = ClientHello()
                 clientHello.create(settings.maxVersion, getRandomBytes(32),
                                    session.sessionID, cipherSuites,
                                    certificateTypes, 
                                    session.srpUsername,
-                                   reqTack, nextProtos is not None,
+                                   reqTack, alpnProtos, nextProtos is not None,
                                    session.serverName)
 
         #Or send ClientHello (without)
         else:
             clientHello = ClientHello()
             clientHello.create(settings.maxVersion, getRandomBytes(32),
                                bytearray(0), cipherSuites,
                                certificateTypes, 
                                srpUsername,
-                               reqTack, nextProtos is not None, 
+                               reqTack, alpnProtos, nextProtos is not None,
                                serverName)
         for result in self._sendMsg(clientHello):
             yield result
         yield clientHello
 
 
     def _clientGetServerHello(self, settings, clientHello):
         for result in self._getMsg(ContentType.handshake,
                                   HandshakeType.server_hello):
             if result in (0,1): yield result
@@ skipping 32 matching lines @@
             for result in self._sendError(\
                 AlertDescription.illegal_parameter,
                 "Server responded with incorrect compression method"):
                 yield result
         if serverHello.tackExt:            
             if not clientHello.tack:
                 for result in self._sendError(\
                     AlertDescription.illegal_parameter,
                     "Server responded with unrequested Tack Extension"):
                     yield result
+        if serverHello.alpn_proto_selected and not clientHello.alpn_protos_advertised:
+            for result in self._sendError(\
+                AlertDescription.illegal_parameter,
+                "Server responded with unrequested ALPN Extension"):
+                yield result

[davidben, 2016/08/03 23:34:22]

Add a check that ALPN + NPN in a ServerHello is illegal.

[Bence, 2016/08/04 18:41:45]

Done.

         if serverHello.next_protos and not clientHello.supports_npn:
             for result in self._sendError(\
                 AlertDescription.illegal_parameter,
                 "Server responded with unrequested NPN Extension"):
                 yield result
             if not serverHello.tackExt.verifySignatures():
                 for result in self._sendError(\
                     AlertDescription.decrypt_error,
                     "TackExtension contains an invalid signature"):
                     yield result
@@ skipping 368 matching lines @@
     #*********************************************************
     # Server Handshake Functions
     #*********************************************************
 
 
     def handshakeServer(self, verifierDB=None,
                         certChain=None, privateKey=None, reqCert=False,
                         sessionCache=None, settings=None, checker=None,
                         reqCAs = None, reqCertTypes = None,
                         tacks=None, activationFlags=0,
-                        nextProtos=None, anon=False,
+                        alpnProtos=None, nextProtos=None, anon=False,
                         signedCertTimestamps=None,
                         fallbackSCSV=False, ocspResponse=None):
         """Perform a handshake in the role of server.
 
         This function performs an SSL or TLS handshake.  Depending on
         the arguments and the behavior of the client, this function can
         perform an SRP, or certificate-based handshake.  It
         can also perform a combined SRP and server-certificate
         handshake.
 
@@ skipping 49 matching lines @@
         
         @type reqCAs: list of L{bytearray} of unsigned bytes
         @param reqCAs: A collection of DER-encoded DistinguishedNames that
         will be sent along with a certificate request. This does not affect
         verification.        
 
         @type reqCertTypes: list of int
         @param reqCertTypes: A list of certificate_type values to be sent
         along with a certificate request. This does not affect verification.
 
+        @type alpnProtos: list of strings.
+        @param alpnProtos: A list of upper layer protocols with zero or one
+        elements.  If not empty, its single element is the protocol negotiated
+        via the Application-Layer Protocol Negotiation Extension (RFC 7301).
+
         @type nextProtos: list of strings.
         @param nextProtos: A list of upper layer protocols to expose to the
         clients through the Next-Protocol Negotiation Extension, 
         if they support it.
 
         @type signedCertTimestamps: str
         @param signedCertTimestamps: A SignedCertificateTimestampList (as a
         binary 8-bit string) that will be sent as a TLS extension whenever
         the client announces support for the extension.
 
@@ skipping 16 matching lines @@
         @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
         without a preceding alert.
         @raise tlslite.errors.TLSAlert: If a TLS alert is signalled.
         @raise tlslite.errors.TLSAuthenticationError: If the checker
         doesn't like the other party's authentication credentials.
         """
         for result in self.handshakeServerAsync(verifierDB,
                 certChain, privateKey, reqCert, sessionCache, settings,
                 checker, reqCAs, reqCertTypes,
                 tacks=tacks, activationFlags=activationFlags, 
-                nextProtos=nextProtos, anon=anon,
+                alpnProtos=alpnProtos, nextProtos=nextProtos, anon=anon,
                 signedCertTimestamps=signedCertTimestamps,
                 fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse):
             pass
 
 
     def handshakeServerAsync(self, verifierDB=None,
                              certChain=None, privateKey=None, reqCert=False,
                              sessionCache=None, settings=None, checker=None,
                              reqCAs=None, reqCertTypes=None,
-                             tacks=None, activationFlags=0,
+                             tacks=None, activationFlags=0, alpnProtos=None,
                              nextProtos=None, anon=False,
                              signedCertTimestamps=None,
                              fallbackSCSV=False,
                              ocspResponse=None
                              ):
         """Start a server handshake operation on the TLS connection.
 
         This function returns a generator which behaves similarly to
         handshakeServer().  Successive invocations of the generator
         will return 0 if it is waiting to read from the socket, 1 if it is
         waiting to write to the socket, or it will raise StopIteration
         if the handshake operation is complete.
 
         @rtype: iterable
         @return: A generator; see above for details.
         """
         handshaker = self._handshakeServerAsyncHelper(\
             verifierDB=verifierDB, certChain=certChain,
             privateKey=privateKey, reqCert=reqCert,
             sessionCache=sessionCache, settings=settings, 
             reqCAs=reqCAs, reqCertTypes=reqCertTypes,
-            tacks=tacks, activationFlags=activationFlags, 
+            tacks=tacks, activationFlags=activationFlags, alpnProtos=alpnProtos,
             nextProtos=nextProtos, anon=anon,
             signedCertTimestamps=signedCertTimestamps,
             fallbackSCSV=fallbackSCSV,
             ocspResponse=ocspResponse)
         for result in self._handshakeWrapperAsync(handshaker, checker):
             yield result
         if settings and settings.alertAfterHandshake:
             for result in self._sendError(AlertDescription.internal_error,
                                           "Spurious alert"):
                 yield result
 
 
     def _handshakeServerAsyncHelper(self, verifierDB,
                              certChain, privateKey, reqCert, sessionCache,
                              settings, reqCAs, reqCertTypes,
                              tacks, activationFlags, 
-                             nextProtos, anon,
+                             alpnProtos, nextProtos, anon,
                              signedCertTimestamps, fallbackSCSV,
                              ocspResponse):
 
         self._handshakeStart(client=False)
 
         if (not verifierDB) and (not certChain) and not anon:
             raise ValueError("Caller passed no authentication credentials")
         if certChain and not privateKey:
             raise ValueError("Caller passed a certChain but no privateKey")
         if privateKey and not certChain:
@@ skipping 36 matching lines @@
         # Save the ClientHello for external code to query.
         self.clientHello = clientHello
         
         #If not a resumption...
 
         # Create the ServerHello message
         if sessionCache:
             sessionID = getRandomBytes(32)
         else:
             sessionID = bytearray(0)
-        
+
+        alpn_proto_selected = None
+        if clientHello.alpn_protos_advertised is not None:
+            if alpnProtos is not None:
+                for proto in alpnProtos:
+                    if proto in clientHello.alpn_protos_advertised:
+                        alpn_proto_selected = proto
+                        nextProtos = None
+                        break;
+
         if not clientHello.supports_npn:
             nextProtos = None
 
         # If not doing a certificate-based suite, discard the TACK
         if not cipherSuite in CipherSuite.certAllSuites:
             tacks = None
 
         # Prepare a TACK Extension if requested
         if clientHello.tack:
             tackExt = TackExtension.create(tacks, activationFlags)
         else:
             tackExt = None
         serverHello = ServerHello()
         serverHello.create(self.version, getRandomBytes(32), sessionID, \
                             cipherSuite, CertificateType.x509, tackExt,
-                            nextProtos)
+                            alpn_proto_selected, nextProtos)
         serverHello.channel_id = \
             clientHello.channel_id and settings.enableChannelID
         serverHello.extended_master_secret = \
             clientHello.extended_master_secret and \
             settings.enableExtendedMasterSecret
         for param in clientHello.tb_client_params:
             if param in settings.supportedTokenBindingParams:
                 serverHello.tb_params = param
                 break
         if clientHello.support_signed_cert_timestamps:
@@ skipping 46 matching lines @@
                 else: break
             premasterSecret = result
         
         else:
             assert(False)
                         
         # Exchange Finished messages      
         for result in self._serverFinished(premasterSecret, 
                                 clientHello.random, serverHello.random,
                                 cipherSuite, settings.cipherImplementations,
-                                nextProtos, serverHello.channel_id,
+                                alpnProtos, nextProtos, serverHello.channel_id,
                                 serverHello.extended_master_secret):
                 if result in (0,1): yield result
                 else: break
         masterSecret = result
 
         self.clientRandom = clientHello.random
         self.serverRandom = serverHello.random
 
         #Create the session object
         self.session = Session()
@@ skipping 122 matching lines @@
                                 yield result                    
                 except KeyError:
                     pass
 
             #If a session is found..
             if session:
                 #Send ServerHello
                 serverHello = ServerHello()
                 serverHello.create(self.version, getRandomBytes(32),
                                    session.sessionID, session.cipherSuite,
-                                   CertificateType.x509, None, None)
+                                   CertificateType.x509, None, None, None)

[davidben, 2016/08/03 23:34:22]

ALPN also should happen on session resumption.

[Bence, 2016/08/04 18:41:45]

Done.

                 serverHello.extended_master_secret = \
                     clientHello.extended_master_secret and \
                     settings.enableExtendedMasterSecret
                 for param in clientHello.tb_client_params:
                     if param in settings.supportedTokenBindingParams:
                           serverHello.tb_params = param
                           break
                 for result in self._sendMsg(serverHello):
                     yield result
 
@@ skipping 293 matching lines @@
             assert(False) # Just to ensure we don't fall through somehow            
 
         #Calculate premaster secre
         S = powMod(dh_Yc,dh_Xs,dh_p)
         premasterSecret = numberToByteArray(S)
         
         yield premasterSecret
 
 
     def _serverFinished(self,  premasterSecret, clientRandom, serverRandom,
-                        cipherSuite, cipherImplementations, nextProtos,
-                        doingChannelID, useExtendedMasterSecret):
+                        cipherSuite, cipherImplementations, alpnProtos,
+                        nextProtos, doingChannelID, useExtendedMasterSecret):

[davidben, 2016/08/03 23:34:22]

(ALPN doesn't interact interestingly with the Finished message and need not be
passed down here.)

[Bence, 2016/08/04 18:41:44]

Done.

         masterSecret = calcMasterSecret(self.version, premasterSecret,
                                       clientRandom, serverRandom,
                                       self._ems_handshake_hash,
                                       useExtendedMasterSecret)
         
         #Calculate pending connection states
         self._calcPendingStates(cipherSuite, masterSecret, 
                                 clientRandom, serverRandom,
                                 cipherImplementations)
 
@@ skipping 170 matching lines @@
             seed += bytearray(2)
             seed[len(seed) - 2] = len(context) >> 8
             seed[len(seed) - 1] = len(context) & 0xFF
             seed += context
         if self.version in ((3,1), (3,2)):
             return PRF(self.session.masterSecret, label, seed, length)
         elif self.version == (3,3):
             return PRF_1_2(self.session.masterSecret, label, seed, length)
         else:
             raise AssertionError()