Implement ALPN in tlslite.

third_party/tlslite/tlslite/tlsconnection.py

 # Authors: 
 #   Trevor Perrin
 #   Google - added reqCAs parameter
 #   Google (adapted by Sam Rushing and Marcelo Fernandez) - NPN support
 #   Dimitris Moraitis - Anon ciphersuites
 #   Martin von Loewis - python 3 port
 #   Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2
 #
 # See the LICENSE file for legal information regarding use of this file.
 
@@ skipping 319 matching lines @@
         #
         # If 'async' is True, the generator is returned to the caller, 
         # otherwise it is executed to completion here.  
         if async:
             return handshaker
         for result in handshaker:
             pass
 
     def handshakeClientCert(self, certChain=None, privateKey=None,
                             session=None, settings=None, checker=None,
-                            nextProtos=None, reqTack=True, serverName="",
-                            async=False):
+                            reqTack=True, serverName="", async=False):
         """Perform a certificate-based handshake in the role of client.
 
         This function performs an SSL or TLS handshake.  The server
         will authenticate itself using an X.509 certificate
         chain.  If the handshake succeeds, the server's certificate
         chain will be stored in the session's serverCertChain attribute.
         Unless a checker object is passed in, this function does no
         validation or checking of the server's certificate chain.
 
         If the server requests client authentication, the
@@ skipping 24 matching lines @@
 
         @type settings: L{tlslite.handshakesettings.HandshakeSettings}
         @param settings: Various settings which can be used to control
         the ciphersuites, certificate types, and SSL/TLS versions
         offered by the client.
 
         @type checker: L{tlslite.checker.Checker}
         @param checker: A Checker instance.  This instance will be
         invoked to examine the other party's authentication
         credentials, if the handshake completes succesfully.
-        
-        @type nextProtos: list of strings.
-        @param nextProtos: A list of upper layer protocols ordered by
-        preference, to use in the Next-Protocol Negotiation Extension.
-        
+
         @type reqTack: bool
         @param reqTack: Whether or not to send a "tack" TLS Extension, 
         requesting the server return a TackExtension if it has one.        
 
         @type serverName: string
         @param serverName: The ServerNameIndication TLS Extension.
 
         @type async: bool
         @param async: If False, this function will block until the
         handshake is completed.  If True, this function will return a
         generator.  Successive invocations of the generator will
         return 0 if it is waiting to read from the socket, 1 if it is
         waiting to write to the socket, or will raise StopIteration if
         the handshake operation is completed.
 
         @rtype: None or an iterable
         @return: If 'async' is True, a generator object will be
         returned.
 
         @raise socket.error: If a socket error occurs.
         @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
         without a preceding alert.
         @raise tlslite.errors.TLSAlert: If a TLS alert is signalled.
         @raise tlslite.errors.TLSAuthenticationError: If the checker
         doesn't like the other party's authentication credentials.
         """
         handshaker = self._handshakeClientAsync(certParams=(certChain,
                         privateKey), session=session, settings=settings,
                         checker=checker, serverName=serverName, 
-                        nextProtos=nextProtos, reqTack=reqTack)
+                        reqTack=reqTack)
         # The handshaker is a Python Generator which executes the handshake.
         # It allows the handshake to be run in a "piecewise", asynchronous
         # fashion, returning 1 when it is waiting to able to write, 0 when
         # it is waiting to read.
         #
         # If 'async' is True, the generator is returned to the caller, 
         # otherwise it is executed to completion here.                        
         if async:
             return handshaker
         for result in handshaker:
             pass
 
 
     def _handshakeClientAsync(self, srpParams=(), certParams=(), anonParams=(),
                              session=None, settings=None, checker=None,
-                             nextProtos=None, serverName="", reqTack=True):
+                             serverName="", reqTack=True):
 
         handshaker = self._handshakeClientAsyncHelper(srpParams=srpParams,
                 certParams=certParams,
                 anonParams=anonParams,
                 session=session,
                 settings=settings,
                 serverName=serverName,
-                nextProtos=nextProtos,
                 reqTack=reqTack)
         for result in self._handshakeWrapperAsync(handshaker, checker):
             yield result
 
 
     def _handshakeClientAsyncHelper(self, srpParams, certParams, anonParams,
-                               session, settings, serverName, nextProtos, reqTack):
+                               session, settings, serverName, reqTack):
         
         self._handshakeStart(client=True)
 
         #Unpack parameters
         srpUsername = None      # srpParams[0]
         password = None         # srpParams[1]
         clientCertChain = None  # certParams[0]
         privateKey = None       # certParams[1]
 
         # Allow only one of (srpParams, certParams, anonParams)
@@ skipping 16 matching lines @@
             raise ValueError("Caller passed a password but no username")
         if clientCertChain and not privateKey:
             raise ValueError("Caller passed a certChain but no privateKey")
         if privateKey and not clientCertChain:
             raise ValueError("Caller passed a privateKey but no certChain")
         if reqTack:
             if not tackpyLoaded:
                 reqTack = False
             if not settings or not settings.useExperimentalTackExtension:
                 reqTack = False
-        if nextProtos is not None:
-            if len(nextProtos) == 0:
-                raise ValueError("Caller passed no nextProtos")
-        
         # Validates the settings and filters out any unsupported ciphers
         # or crypto libraries that were requested        
         if not settings:
             settings = HandshakeSettings()
         settings = settings._filter()
 
+        if settings.alpnProtos is not None:
+            if len(settings.alpnProtos) == 0:
+                raise ValueError("Caller passed no alpnProtos")
+        if settings.nextProtos is not None:
+            if len(settings.nextProtos) == 0:
+                raise ValueError("Caller passed no nextProtos")
+
         if clientCertChain:
             if not isinstance(clientCertChain, X509CertChain):
                 raise ValueError("Unrecognized certificate type")
             if "x509" not in settings.certificateTypes:
                 raise ValueError("Client certificate doesn't match "\
                                  "Handshake Settings")
                                   
         if session:
             # session.valid() ensures session is resumable and has 
             # non-empty sessionID
@@ skipping 15 matching lines @@
         #We'll use this for the ClientHello, and if an error occurs
         #parsing the Server Hello, we'll use this version for the response
         self.version = settings.maxVersion
         
         # OK Start sending messages!
         # *****************************
 
         # Send the ClientHello.
         for result in self._clientSendClientHello(settings, session, 
                                         srpUsername, srpParams, certParams,
-                                        anonParams, serverName, nextProtos,
-                                        reqTack):
+                                        anonParams, serverName, reqTack):
             if result in (0,1): yield result
             else: break
         clientHello = result
         
         #Get the ServerHello.
         for result in self._clientGetServerHello(settings, clientHello):
             if result in (0,1): yield result
             else: break
         serverHello = result
         cipherSuite = serverHello.cipher_suite
         
-        # Choose a matching Next Protocol from server list against ours
-        # (string or None)

[davidben, 2016/08/04 22:29:26]

Unintentional lost comment?

[Bence, 2016/08/05 14:27:55]

Oops.  Done.

         nextProto = self._clientSelectNextProto(nextProtos, serverHello)

[davidben, 2016/08/04 22:29:26]

This variable isn't even defined anymore. I suspect this is only working because
we never run the tlslite client bits.

(I'd probably have just left the nextProtos stuff alone. Not really worth
carrying a diff on that.)

[Bence, 2016/08/05 14:27:55]

(1) Done.
(2) I have to admit that I have not run the tlslite tests locally.  The tests of
course fail on this line.
(3) I was contemplating not touching nextProtos, but in the end I decided to
move it together with alpnProtos to make is easier for the next poor developer
who needs to grok this code.

 
         #If the server elected to resume the session, it is handled here.
         for result in self._clientResume(session, serverHello, 
                         clientHello.random, 
                         settings.cipherImplementations,
                         nextProto):
             if result in (0,1): yield result
             else: break
         if result == "resumed_and_finished":
             self._handshakeDone(resumed=True)
@@ skipping 49 matching lines @@
                 else: break
         masterSecret = result
         
         self.clientRandom = clientHello.random
         self.serverRandom = serverHello.random
 
         # Create the session object which is used for resumptions
         self.session = Session()
         self.session.create(masterSecret, serverHello.session_id, cipherSuite,
             srpUsername, clientCertChain, serverCertChain,
-            tackExt, serverHello.tackExt!=None, serverName)
+            tackExt, serverHello.tackExt!=None, None, serverName)
         self._handshakeDone(resumed=False)
 
 
-    def _clientSendClientHello(self, settings, session, srpUsername,
-                                srpParams, certParams, anonParams, 
-                                serverName, nextProtos, reqTack):
+    def _clientSendClientHello(self, settings, session, srpUsername, srpParams,
+                               certParams, anonParams, serverName, reqTack):
         #Initialize acceptable ciphersuites
         cipherSuites = [CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
         if srpParams:
             cipherSuites += CipherSuite.getSrpAllSuites(settings)
         elif certParams:
             # TODO: Client DHE_RSA not supported.
             # cipherSuites += CipherSuite.getDheCertSuites(settings)
             cipherSuites += CipherSuite.getCertSuites(settings)
         elif anonParams:
             cipherSuites += CipherSuite.getAnonSuites(settings)
         else:
             assert(False)
 
         #Initialize acceptable certificate types
         certificateTypes = settings._getCertificateTypes()
             
         #Either send ClientHello (with a resumable session)...
         if session and session.sessionID:
             #If it's resumable, then its
             #ciphersuite must be one of the acceptable ciphersuites
             if session.cipherSuite not in cipherSuites:
                 raise ValueError("Session's cipher suite not consistent "\
                                  "with parameters")
             else:
                 clientHello = ClientHello()
                 clientHello.create(settings.maxVersion, getRandomBytes(32),
                                    session.sessionID, cipherSuites,
-                                   certificateTypes, 
+                                   certificateTypes,
                                    session.srpUsername,
-                                   reqTack, nextProtos is not None,
+                                   reqTack, settings.alpnProtos,
+                                   settings.nextProtos is not None,
                                    session.serverName)
 
         #Or send ClientHello (without)
         else:
             clientHello = ClientHello()
             clientHello.create(settings.maxVersion, getRandomBytes(32),
                                bytearray(0), cipherSuites,
-                               certificateTypes, 
+                               certificateTypes,
                                srpUsername,
-                               reqTack, nextProtos is not None, 
-                               serverName)
+                               reqTack, settings.alpnProtos,
+                               settings.nextProtos is not None, serverName)
         for result in self._sendMsg(clientHello):
             yield result
         yield clientHello
 
 
     def _clientGetServerHello(self, settings, clientHello):
         for result in self._getMsg(ContentType.handshake,
                                   HandshakeType.server_hello):
             if result in (0,1): yield result
             else: break
@@ skipping 31 matching lines @@
             for result in self._sendError(\
                 AlertDescription.illegal_parameter,
                 "Server responded with incorrect compression method"):
                 yield result
         if serverHello.tackExt:            
             if not clientHello.tack:
                 for result in self._sendError(\
                     AlertDescription.illegal_parameter,
                     "Server responded with unrequested Tack Extension"):
                     yield result
+        if serverHello.alpn_proto_selected and not clientHello.alpn_protos_advertised:
+            for result in self._sendError(\
+                AlertDescription.illegal_parameter,
+                "Server responded with unrequested ALPN Extension"):
+                yield result
+        if serverHello.alpn_proto_selected and serverHello.next_protos:
+            for result in self._sendError(\
+                AlertDescription.illegal_parameter,
+                "Server responded with both ALPN and NPN extension"):
+                yield result
         if serverHello.next_protos and not clientHello.supports_npn:
             for result in self._sendError(\
                 AlertDescription.illegal_parameter,
                 "Server responded with unrequested NPN Extension"):
                 yield result
             if not serverHello.tackExt.verifySignatures():
                 for result in self._sendError(\
                     AlertDescription.decrypt_error,
                     "TackExtension contains an invalid signature"):
                     yield result
@@ skipping 367 matching lines @@
 
     #*********************************************************
     # Server Handshake Functions
     #*********************************************************
 
 
     def handshakeServer(self, verifierDB=None,
                         certChain=None, privateKey=None, reqCert=False,
                         sessionCache=None, settings=None, checker=None,
                         reqCAs = None, reqCertTypes = None,
-                        tacks=None, activationFlags=0,
-                        nextProtos=None, anon=False,
+                        tacks=None, activationFlags=0, anon=False,
                         signedCertTimestamps=None,
                         fallbackSCSV=False, ocspResponse=None):
         """Perform a handshake in the role of server.
 
         This function performs an SSL or TLS handshake.  Depending on
         the arguments and the behavior of the client, this function can
         perform an SRP, or certificate-based handshake.  It
         can also perform a combined SRP and server-certificate
         handshake.
 
@@ skipping 49 matching lines @@
         
         @type reqCAs: list of L{bytearray} of unsigned bytes
         @param reqCAs: A collection of DER-encoded DistinguishedNames that
         will be sent along with a certificate request. This does not affect
         verification.        
 
         @type reqCertTypes: list of int
         @param reqCertTypes: A list of certificate_type values to be sent
         along with a certificate request. This does not affect verification.
 
-        @type nextProtos: list of strings.
-        @param nextProtos: A list of upper layer protocols to expose to the
-        clients through the Next-Protocol Negotiation Extension, 
-        if they support it.
-
         @type signedCertTimestamps: str
         @param signedCertTimestamps: A SignedCertificateTimestampList (as a
         binary 8-bit string) that will be sent as a TLS extension whenever
         the client announces support for the extension.
 
         @type fallbackSCSV: bool
         @param fallbackSCSV: if true, the server will implement
         TLS_FALLBACK_SCSV and thus reject connections using less than the
         server's maximum TLS version that include this cipher suite.
 
         @type ocspResponse: str
         @param ocspResponse: An OCSP response (as a binary 8-bit string) that
         will be sent stapled in the handshake whenever the client announces
         support for the status_request extension.
         Note that the response is sent independent of the ClientHello
         status_request extension contents, and is thus only meant for testing
         environments. Real OCSP stapling is more complicated as it requires
         choosing a suitable response based on the ClientHello status_request
         extension contents.
 
         @raise socket.error: If a socket error occurs.
         @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
         without a preceding alert.
         @raise tlslite.errors.TLSAlert: If a TLS alert is signalled.
         @raise tlslite.errors.TLSAuthenticationError: If the checker
         doesn't like the other party's authentication credentials.
         """
         for result in self.handshakeServerAsync(verifierDB,
                 certChain, privateKey, reqCert, sessionCache, settings,
-                checker, reqCAs, reqCertTypes,
-                tacks=tacks, activationFlags=activationFlags, 
-                nextProtos=nextProtos, anon=anon,
+                checker, reqCAs, reqCertTypes, tacks=tacks,
+                activationFlags=activationFlags, anon=anon,
                 signedCertTimestamps=signedCertTimestamps,
                 fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse):
             pass
 
 
     def handshakeServerAsync(self, verifierDB=None,
                              certChain=None, privateKey=None, reqCert=False,
                              sessionCache=None, settings=None, checker=None,
                              reqCAs=None, reqCertTypes=None,
-                             tacks=None, activationFlags=0,
-                             nextProtos=None, anon=False,
+                             tacks=None, activationFlags=0, anon=False,
                              signedCertTimestamps=None,
                              fallbackSCSV=False,
                              ocspResponse=None
                              ):
         """Start a server handshake operation on the TLS connection.
 
         This function returns a generator which behaves similarly to
         handshakeServer().  Successive invocations of the generator
         will return 0 if it is waiting to read from the socket, 1 if it is
         waiting to write to the socket, or it will raise StopIteration
         if the handshake operation is complete.
 
         @rtype: iterable
         @return: A generator; see above for details.
         """
         handshaker = self._handshakeServerAsyncHelper(\
             verifierDB=verifierDB, certChain=certChain,
             privateKey=privateKey, reqCert=reqCert,
-            sessionCache=sessionCache, settings=settings, 
+            sessionCache=sessionCache, settings=settings,
             reqCAs=reqCAs, reqCertTypes=reqCertTypes,
-            tacks=tacks, activationFlags=activationFlags, 
-            nextProtos=nextProtos, anon=anon,
+            tacks=tacks, activationFlags=activationFlags, anon=anon,
             signedCertTimestamps=signedCertTimestamps,
             fallbackSCSV=fallbackSCSV,
             ocspResponse=ocspResponse)
         for result in self._handshakeWrapperAsync(handshaker, checker):
             yield result
         if settings and settings.alertAfterHandshake:
             for result in self._sendError(AlertDescription.internal_error,
                                           "Spurious alert"):
                 yield result
 
 
     def _handshakeServerAsyncHelper(self, verifierDB,
                              certChain, privateKey, reqCert, sessionCache,
                              settings, reqCAs, reqCertTypes,
-                             tacks, activationFlags, 
-                             nextProtos, anon,
+                             tacks, activationFlags, anon,
                              signedCertTimestamps, fallbackSCSV,
                              ocspResponse):
 
         self._handshakeStart(client=False)
 
         if (not verifierDB) and (not certChain) and not anon:
             raise ValueError("Caller passed no authentication credentials")
         if certChain and not privateKey:
             raise ValueError("Caller passed a certChain but no privateKey")
         if privateKey and not certChain:
@@ skipping 36 matching lines @@
         # Save the ClientHello for external code to query.
         self.clientHello = clientHello
         
         #If not a resumption...
 
         # Create the ServerHello message
         if sessionCache:
             sessionID = getRandomBytes(32)
         else:
             sessionID = bytearray(0)
-        
+
+        alpn_proto_selected = None
+        if clientHello.alpn_protos_advertised is not None:
+            if settings.alpnProtos is not None:
+                for proto in settings.alpnProtos:
+                    if proto in clientHello.alpn_protos_advertised:
+                        alpn_proto_selected = proto
+                        settings.nextProtos = None
+                        break;
+
         if not clientHello.supports_npn:
-            nextProtos = None
+            settings.nextProtos = None

[davidben, 2016/08/04 22:29:26]

This function probably should not mutate the settings object? That seems a
little weird.

[Bence, 2016/08/05 14:27:55]

Done.

 
         # If not doing a certificate-based suite, discard the TACK
         if not cipherSuite in CipherSuite.certAllSuites:
             tacks = None
 
         # Prepare a TACK Extension if requested
         if clientHello.tack:
             tackExt = TackExtension.create(tacks, activationFlags)
         else:
             tackExt = None
         serverHello = ServerHello()
         serverHello.create(self.version, getRandomBytes(32), sessionID, \
                             cipherSuite, CertificateType.x509, tackExt,
-                            nextProtos)
+                            alpn_proto_selected, settings.nextProtos)
         serverHello.channel_id = \
             clientHello.channel_id and settings.enableChannelID
         serverHello.extended_master_secret = \
             clientHello.extended_master_secret and \
             settings.enableExtendedMasterSecret
         for param in clientHello.tb_client_params:
             if param in settings.supportedTokenBindingParams:
                 serverHello.tb_params = param
                 break
         if clientHello.support_signed_cert_timestamps:
@@ skipping 46 matching lines @@
                 else: break
             premasterSecret = result
         
         else:
             assert(False)
                         
         # Exchange Finished messages      
         for result in self._serverFinished(premasterSecret, 
                                 clientHello.random, serverHello.random,
                                 cipherSuite, settings.cipherImplementations,
-                                nextProtos, serverHello.channel_id,
+                                settings.nextProtos, serverHello.channel_id,
                                 serverHello.extended_master_secret):
                 if result in (0,1): yield result
                 else: break
         masterSecret = result
 
         self.clientRandom = clientHello.random
         self.serverRandom = serverHello.random
 
         #Create the session object
         self.session = Session()
         if cipherSuite in CipherSuite.certAllSuites:        
             serverCertChain = certChain
         else:
             serverCertChain = None
         srpUsername = None
         serverName = None
         if clientHello.srp_username:
             srpUsername = clientHello.srp_username.decode("utf-8")
         if clientHello.server_name:
             serverName = clientHello.server_name.decode("utf-8")
         self.session.create(masterSecret, serverHello.session_id, cipherSuite,
             srpUsername, clientCertChain, serverCertChain,
-            tackExt, serverHello.tackExt!=None, serverName)
+            tackExt, serverHello.tackExt!=None, alpn_proto_selected, serverName)
             
         #Add the session object to the session cache
         if sessionCache and sessionID:
             sessionCache[sessionID] = self.session
 
         self._handshakeDone(resumed=False)
 
 
     def _serverGetClientHello(self, settings, certChain, verifierDB,
                                 sessionCache, anon, fallbackSCSV):
@@ skipping 99 matching lines @@
                                 yield result                    
                 except KeyError:
                     pass
 
             #If a session is found..
             if session:
                 #Send ServerHello
                 serverHello = ServerHello()
                 serverHello.create(self.version, getRandomBytes(32),
                                    session.sessionID, session.cipherSuite,
-                                   CertificateType.x509, None, None)
+                                   CertificateType.x509, None,
+                                   session.alpn_proto_selected, None)
                 serverHello.extended_master_secret = \
                     clientHello.extended_master_secret and \
                     settings.enableExtendedMasterSecret
                 for param in clientHello.tb_client_params:
                     if param in settings.supportedTokenBindingParams:
                           serverHello.tb_params = param
                           break
                 for result in self._sendMsg(serverHello):
                     yield result
 
@@ skipping 485 matching lines @@
             seed += bytearray(2)
             seed[len(seed) - 2] = len(context) >> 8
             seed[len(seed) - 1] = len(context) & 0xFF
             seed += context
         if self.version in ((3,1), (3,2)):
             return PRF(self.session.masterSecret, label, seed, length)
         elif self.version == (3,3):
             return PRF_1_2(self.session.masterSecret, label, seed, length)
         else:
             raise AssertionError()