| Index: third_party/tlslite/patches/alpn.patch
|
| diff --git a/third_party/tlslite/patches/alpn.patch b/third_party/tlslite/patches/alpn.patch
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..12fb6ead38d845dea0bd2d359de697042074eb48
|
| --- /dev/null
|
| +++ b/third_party/tlslite/patches/alpn.patch
|
| @@ -0,0 +1,453 @@
|
| +diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
|
| +index 715def9..e9743e4 100644
|
| +--- a/third_party/tlslite/tlslite/constants.py
|
| ++++ b/third_party/tlslite/tlslite/constants.py
|
| +@@ -54,6 +54,7 @@ class ExtensionType: # RFC 6066 / 4366
|
| + status_request = 5 # RFC 6066 / 4366
|
| + srp = 12 # RFC 5054
|
| + cert_type = 9 # RFC 6091
|
| ++ alpn = 16 # RFC 7301
|
| + signed_cert_timestamps = 18 # RFC 6962
|
| + extended_master_secret = 23 # RFC 7627
|
| + token_binding = 24 # draft-ietf-tokbind-negotiation
|
| +diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
|
| +index 5762ac6..3d684d4 100644
|
| +--- a/third_party/tlslite/tlslite/messages.py
|
| ++++ b/third_party/tlslite/tlslite/messages.py
|
| +@@ -99,6 +99,27 @@ class HandshakeMsg(object):
|
| + headerWriter.add(len(w.bytes), 3)
|
| + return headerWriter.bytes + w.bytes
|
| +
|
| ++ def parse_next_protos(self, b):
|
| ++ protos = []
|
| ++ while True:
|
| ++ if len(b) == 0:
|
| ++ break
|
| ++ l = b[0]
|
| ++ b = b[1:]
|
| ++ if len(b) < l:
|
| ++ raise BadNextProtos(len(b))
|
| ++ protos.append(b[:l])
|
| ++ b = b[l:]
|
| ++ return protos
|
| ++
|
| ++ def next_protos_encoded(self, protocol_list):
|
| ++ b = bytearray()
|
| ++ for e in protocol_list:
|
| ++ if len(e) > 255 or len(e) == 0:
|
| ++ raise BadNextProtos(len(e))
|
| ++ b += bytearray( [len(e)] ) + bytearray(e)
|
| ++ return b
|
| ++
|
| + class ClientHello(HandshakeMsg):
|
| + def __init__(self, ssl2=False):
|
| + HandshakeMsg.__init__(self, HandshakeType.client_hello)
|
| +@@ -111,6 +132,7 @@ class ClientHello(HandshakeMsg):
|
| + self.compression_methods = [] # a list of 8-bit values
|
| + self.srp_username = None # a string
|
| + self.tack = False
|
| ++ self.alpn_protos_advertised = None
|
| + self.supports_npn = False
|
| + self.server_name = bytearray(0)
|
| + self.channel_id = False
|
| +@@ -120,8 +142,8 @@ class ClientHello(HandshakeMsg):
|
| + self.status_request = False
|
| +
|
| + def create(self, version, random, session_id, cipher_suites,
|
| +- certificate_types=None, srpUsername=None,
|
| +- tack=False, supports_npn=False, serverName=None):
|
| ++ certificate_types=None, srpUsername=None, tack=False,
|
| ++ alpn_protos_advertised=None, supports_npn=False, serverName=None):
|
| + self.client_version = version
|
| + self.random = random
|
| + self.session_id = session_id
|
| +@@ -131,6 +153,7 @@ class ClientHello(HandshakeMsg):
|
| + if srpUsername:
|
| + self.srp_username = bytearray(srpUsername, "utf-8")
|
| + self.tack = tack
|
| ++ self.alpn_protos_advertised = alpn_protos_advertised
|
| + self.supports_npn = supports_npn
|
| + if serverName:
|
| + self.server_name = bytearray(serverName, "utf-8")
|
| +@@ -171,6 +194,11 @@ class ClientHello(HandshakeMsg):
|
| + self.certificate_types = p.getVarList(1, 1)
|
| + elif extType == ExtensionType.tack:
|
| + self.tack = True
|
| ++ elif extType == ExtensionType.alpn:
|
| ++ structLength = p.get(2)
|
| ++ if (structLength + 2 != extLength):
|
| ++ raise SyntaxError()
|
| ++ self.alpn_protos_advertised = self.parse_next_protos(p.getFixBytes(structLength))
|
| + elif extType == ExtensionType.supports_npn:
|
| + self.supports_npn = True
|
| + elif extType == ExtensionType.server_name:
|
| +@@ -243,6 +271,12 @@ class ClientHello(HandshakeMsg):
|
| + w2.add(ExtensionType.srp, 2)
|
| + w2.add(len(self.srp_username)+1, 2)
|
| + w2.addVarSeq(self.srp_username, 1, 1)
|
| ++ if self.alpn_protos_advertised is not None:
|
| ++ encoded_alpn_protos_advertised = self.next_protos_encoded(self.alpn_protos_advertised)
|
| ++ w2.add(ExtensionType.alpn, 2)
|
| ++ w2.add(len(encoded_alpn_protos_advertised) + 2, 2)
|
| ++ w2.add(len(encoded_alpn_protos_advertised), 2)
|
| ++ w2.addFixSeq(encoded_alpn_protos_advertised, 1)
|
| + if self.supports_npn:
|
| + w2.add(ExtensionType.supports_npn, 2)
|
| + w2.add(0, 2)
|
| +@@ -267,6 +301,13 @@ class BadNextProtos(Exception):
|
| + def __str__(self):
|
| + return 'Cannot encode a list of next protocols because it contains an element with invalid length %d. Element lengths must be 0 < x < 256' % self.length
|
| +
|
| ++class InvalidAlpnResponse(Exception):
|
| ++ def __init__(self, l):
|
| ++ self.length = l
|
| ++
|
| ++ def __str__(self):
|
| ++ return 'ALPN server response protocol list has invalid length %d. It must be of length one.' % self.length
|
| ++
|
| + class ServerHello(HandshakeMsg):
|
| + def __init__(self):
|
| + HandshakeMsg.__init__(self, HandshakeType.server_hello)
|
| +@@ -277,6 +318,7 @@ class ServerHello(HandshakeMsg):
|
| + self.certificate_type = CertificateType.x509
|
| + self.compression_method = 0
|
| + self.tackExt = None
|
| ++ self.alpn_proto_selected = None
|
| + self.next_protos_advertised = None
|
| + self.next_protos = None
|
| + self.channel_id = False
|
| +@@ -286,7 +328,8 @@ class ServerHello(HandshakeMsg):
|
| + self.status_request = False
|
| +
|
| + def create(self, version, random, session_id, cipher_suite,
|
| +- certificate_type, tackExt, next_protos_advertised):
|
| ++ certificate_type, tackExt, alpn_proto_selected,
|
| ++ next_protos_advertised):
|
| + self.server_version = version
|
| + self.random = random
|
| + self.session_id = session_id
|
| +@@ -294,6 +337,7 @@ class ServerHello(HandshakeMsg):
|
| + self.certificate_type = certificate_type
|
| + self.compression_method = 0
|
| + self.tackExt = tackExt
|
| ++ self.alpn_proto_selected = alpn_proto_selected
|
| + self.next_protos_advertised = next_protos_advertised
|
| + return self
|
| +
|
| +@@ -316,35 +360,22 @@ class ServerHello(HandshakeMsg):
|
| + self.certificate_type = p.get(1)
|
| + elif extType == ExtensionType.tack and tackpyLoaded:
|
| + self.tackExt = TackExtension(p.getFixBytes(extLength))
|
| ++ elif extType == ExtensionType.alpn:
|
| ++ structLength = p.get(2)
|
| ++ if (structLength + 2 != extLength):
|
| ++ raise SyntaxError()
|
| ++ alpn_protos = self.parse_next_protos(p.getFixBytes(structLength))
|
| ++ if (alpn_protos.len() != 1):
|
| ++ raise InvalidAlpnResponse(alpn_protos.len());
|
| ++ self.alpn_proto_selected = alpn_protos[0]
|
| + elif extType == ExtensionType.supports_npn:
|
| +- self.next_protos = self.__parse_next_protos(p.getFixBytes(extLength))
|
| ++ self.next_protos = self.parse_next_protos(p.getFixBytes(extLength))
|
| + else:
|
| + p.getFixBytes(extLength)
|
| + soFar += 4 + extLength
|
| + p.stopLengthCheck()
|
| + return self
|
| +
|
| +- def __parse_next_protos(self, b):
|
| +- protos = []
|
| +- while True:
|
| +- if len(b) == 0:
|
| +- break
|
| +- l = b[0]
|
| +- b = b[1:]
|
| +- if len(b) < l:
|
| +- raise BadNextProtos(len(b))
|
| +- protos.append(b[:l])
|
| +- b = b[l:]
|
| +- return protos
|
| +-
|
| +- def __next_protos_encoded(self):
|
| +- b = bytearray()
|
| +- for e in self.next_protos_advertised:
|
| +- if len(e) > 255 or len(e) == 0:
|
| +- raise BadNextProtos(len(e))
|
| +- b += bytearray( [len(e)] ) + bytearray(e)
|
| +- return b
|
| +-
|
| + def write(self):
|
| + w = Writer()
|
| + w.add(self.server_version[0], 1)
|
| +@@ -365,8 +396,16 @@ class ServerHello(HandshakeMsg):
|
| + w2.add(ExtensionType.tack, 2)
|
| + w2.add(len(b), 2)
|
| + w2.bytes += b
|
| +- if self.next_protos_advertised is not None:
|
| +- encoded_next_protos_advertised = self.__next_protos_encoded()
|
| ++ if self.alpn_proto_selected is not None:
|
| ++ alpn_protos_single_element_list = [self.alpn_proto_selected]
|
| ++ encoded_alpn_protos_advertised = self.next_protos_encoded(alpn_protos_single_element_list)
|
| ++ w2.add(ExtensionType.alpn, 2)
|
| ++ w2.add(len(encoded_alpn_protos_advertised) + 2, 2)
|
| ++ w2.add(len(encoded_alpn_protos_advertised), 2)
|
| ++ w2.addFixSeq(encoded_alpn_protos_advertised, 1)
|
| ++ # Do not use NPN if ALPN is used.
|
| ++ elif self.next_protos_advertised is not None:
|
| ++ encoded_next_protos_advertised = self.next_protos_encoded(self.next_protos_advertised)
|
| + w2.add(ExtensionType.supports_npn, 2)
|
| + w2.add(len(encoded_next_protos_advertised), 2)
|
| + w2.addFixSeq(encoded_next_protos_advertised, 1)
|
| +diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
|
| +index 41aab85..1dc39e1 100644
|
| +--- a/third_party/tlslite/tlslite/tlsconnection.py
|
| ++++ b/third_party/tlslite/tlslite/tlsconnection.py
|
| +@@ -337,8 +337,8 @@ class TLSConnection(TLSRecordLayer):
|
| +
|
| + def handshakeClientCert(self, certChain=None, privateKey=None,
|
| + session=None, settings=None, checker=None,
|
| +- nextProtos=None, reqTack=True, serverName="",
|
| +- async=False):
|
| ++ alpnProtos=None, nextProtos=None, reqTack=True,
|
| ++ serverName="", async=False):
|
| + """Perform a certificate-based handshake in the role of client.
|
| +
|
| + This function performs an SSL or TLS handshake. The server
|
| +@@ -383,6 +383,11 @@ class TLSConnection(TLSRecordLayer):
|
| + @param checker: A Checker instance. This instance will be
|
| + invoked to examine the other party's authentication
|
| + credentials, if the handshake completes succesfully.
|
| ++
|
| ++ @type alpnProtos: list of strings.
|
| ++ @param alpnProtos: A list of upper layer protocols ordered by
|
| ++ preference, to advertise in the Application-Layer Protocol Negotiation
|
| ++ Extension (RFC 7301).
|
| +
|
| + @type nextProtos: list of strings.
|
| + @param nextProtos: A list of upper layer protocols ordered by
|
| +@@ -417,7 +422,8 @@ class TLSConnection(TLSRecordLayer):
|
| + handshaker = self._handshakeClientAsync(certParams=(certChain,
|
| + privateKey), session=session, settings=settings,
|
| + checker=checker, serverName=serverName,
|
| +- nextProtos=nextProtos, reqTack=reqTack)
|
| ++ alpnProtos=alpnProtos, nextProtos=nextProtos,
|
| ++ reqTack=reqTack)
|
| + # The handshaker is a Python Generator which executes the handshake.
|
| + # It allows the handshake to be run in a "piecewise", asynchronous
|
| + # fashion, returning 1 when it is waiting to able to write, 0 when
|
| +@@ -433,7 +439,8 @@ class TLSConnection(TLSRecordLayer):
|
| +
|
| + def _handshakeClientAsync(self, srpParams=(), certParams=(), anonParams=(),
|
| + session=None, settings=None, checker=None,
|
| +- nextProtos=None, serverName="", reqTack=True):
|
| ++ alpnProtos=None, nextProtos=None, serverName="",
|
| ++ reqTack=True):
|
| +
|
| + handshaker = self._handshakeClientAsyncHelper(srpParams=srpParams,
|
| + certParams=certParams,
|
| +@@ -441,6 +448,7 @@ class TLSConnection(TLSRecordLayer):
|
| + session=session,
|
| + settings=settings,
|
| + serverName=serverName,
|
| ++ alpnProtos=alpnProtos,
|
| + nextProtos=nextProtos,
|
| + reqTack=reqTack)
|
| + for result in self._handshakeWrapperAsync(handshaker, checker):
|
| +@@ -448,7 +456,8 @@ class TLSConnection(TLSRecordLayer):
|
| +
|
| +
|
| + def _handshakeClientAsyncHelper(self, srpParams, certParams, anonParams,
|
| +- session, settings, serverName, nextProtos, reqTack):
|
| ++ session, settings, serverName, alpnProtos,
|
| ++ nextProtos, reqTack):
|
| +
|
| + self._handshakeStart(client=True)
|
| +
|
| +@@ -485,6 +494,9 @@ class TLSConnection(TLSRecordLayer):
|
| + reqTack = False
|
| + if not settings or not settings.useExperimentalTackExtension:
|
| + reqTack = False
|
| ++ if alpnProtos is not None:
|
| ++ if len(alpnProtos) == 0:
|
| ++ raise ValueError("Caller passed no alpnProtos")
|
| + if nextProtos is not None:
|
| + if len(nextProtos) == 0:
|
| + raise ValueError("Caller passed no nextProtos")
|
| +@@ -530,8 +542,8 @@ class TLSConnection(TLSRecordLayer):
|
| + # Send the ClientHello.
|
| + for result in self._clientSendClientHello(settings, session,
|
| + srpUsername, srpParams, certParams,
|
| +- anonParams, serverName, nextProtos,
|
| +- reqTack):
|
| ++ anonParams, serverName, alpnProtos,
|
| ++ nextProtos, reqTack):
|
| + if result in (0,1): yield result
|
| + else: break
|
| + clientHello = result
|
| +@@ -543,9 +555,11 @@ class TLSConnection(TLSRecordLayer):
|
| + serverHello = result
|
| + cipherSuite = serverHello.cipher_suite
|
| +
|
| +- # Choose a matching Next Protocol from server list against ours
|
| +- # (string or None)
|
| +- nextProto = self._clientSelectNextProto(nextProtos, serverHello)
|
| ++ #Ignore NPN if server response has ALPN.
|
| ++ if (serverHello.alpn_proto_selected):
|
| ++ nextProto = None
|
| ++ else:
|
| ++ nextProto = self._clientSelectNextProto(nextProtos, serverHello)
|
| +
|
| + #If the server elected to resume the session, it is handled here.
|
| + for result in self._clientResume(session, serverHello,
|
| +@@ -621,7 +635,7 @@ class TLSConnection(TLSRecordLayer):
|
| +
|
| + def _clientSendClientHello(self, settings, session, srpUsername,
|
| + srpParams, certParams, anonParams,
|
| +- serverName, nextProtos, reqTack):
|
| ++ serverName, alpnProtos, nextProtos, reqTack):
|
| + #Initialize acceptable ciphersuites
|
| + cipherSuites = [CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
|
| + if srpParams:
|
| +@@ -651,7 +665,7 @@ class TLSConnection(TLSRecordLayer):
|
| + session.sessionID, cipherSuites,
|
| + certificateTypes,
|
| + session.srpUsername,
|
| +- reqTack, nextProtos is not None,
|
| ++ reqTack, alpnProtos, nextProtos is not None,
|
| + session.serverName)
|
| +
|
| + #Or send ClientHello (without)
|
| +@@ -661,7 +675,7 @@ class TLSConnection(TLSRecordLayer):
|
| + bytearray(0), cipherSuites,
|
| + certificateTypes,
|
| + srpUsername,
|
| +- reqTack, nextProtos is not None,
|
| ++ reqTack, alpnProtos, nextProtos is not None,
|
| + serverName)
|
| + for result in self._sendMsg(clientHello):
|
| + yield result
|
| +@@ -714,6 +728,11 @@ class TLSConnection(TLSRecordLayer):
|
| + AlertDescription.illegal_parameter,
|
| + "Server responded with unrequested Tack Extension"):
|
| + yield result
|
| ++ if serverHello.alpn_proto_selected and not clientHello.alpn_protos_advertised:
|
| ++ for result in self._sendError(\
|
| ++ AlertDescription.illegal_parameter,
|
| ++ "Server responded with unrequested ALPN Extension"):
|
| ++ yield result
|
| + if serverHello.next_protos and not clientHello.supports_npn:
|
| + for result in self._sendError(\
|
| + AlertDescription.illegal_parameter,
|
| +@@ -1102,7 +1121,7 @@ class TLSConnection(TLSRecordLayer):
|
| + sessionCache=None, settings=None, checker=None,
|
| + reqCAs = None, reqCertTypes = None,
|
| + tacks=None, activationFlags=0,
|
| +- nextProtos=None, anon=False,
|
| ++ alpnProtos=None, nextProtos=None, anon=False,
|
| + signedCertTimestamps=None,
|
| + fallbackSCSV=False, ocspResponse=None):
|
| + """Perform a handshake in the role of server.
|
| +@@ -1172,6 +1191,11 @@ class TLSConnection(TLSRecordLayer):
|
| + @param reqCertTypes: A list of certificate_type values to be sent
|
| + along with a certificate request. This does not affect verification.
|
| +
|
| ++ @type alpnProtos: list of strings.
|
| ++ @param alpnProtos: A list of upper layer protocols with zero or one
|
| ++ elements. If not empty, its single element is the protocol negotiated
|
| ++ via the Application-Layer Protocol Negotiation Extension (RFC 7301).
|
| ++
|
| + @type nextProtos: list of strings.
|
| + @param nextProtos: A list of upper layer protocols to expose to the
|
| + clients through the Next-Protocol Negotiation Extension,
|
| +@@ -1208,7 +1232,7 @@ class TLSConnection(TLSRecordLayer):
|
| + certChain, privateKey, reqCert, sessionCache, settings,
|
| + checker, reqCAs, reqCertTypes,
|
| + tacks=tacks, activationFlags=activationFlags,
|
| +- nextProtos=nextProtos, anon=anon,
|
| ++ alpnProtos=alpnProtos, nextProtos=nextProtos, anon=anon,
|
| + signedCertTimestamps=signedCertTimestamps,
|
| + fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse):
|
| + pass
|
| +@@ -1218,7 +1242,7 @@ class TLSConnection(TLSRecordLayer):
|
| + certChain=None, privateKey=None, reqCert=False,
|
| + sessionCache=None, settings=None, checker=None,
|
| + reqCAs=None, reqCertTypes=None,
|
| +- tacks=None, activationFlags=0,
|
| ++ tacks=None, activationFlags=0, alpnProtos=None,
|
| + nextProtos=None, anon=False,
|
| + signedCertTimestamps=None,
|
| + fallbackSCSV=False,
|
| +@@ -1240,7 +1264,7 @@ class TLSConnection(TLSRecordLayer):
|
| + privateKey=privateKey, reqCert=reqCert,
|
| + sessionCache=sessionCache, settings=settings,
|
| + reqCAs=reqCAs, reqCertTypes=reqCertTypes,
|
| +- tacks=tacks, activationFlags=activationFlags,
|
| ++ tacks=tacks, activationFlags=activationFlags, alpnProtos=alpnProtos,
|
| + nextProtos=nextProtos, anon=anon,
|
| + signedCertTimestamps=signedCertTimestamps,
|
| + fallbackSCSV=fallbackSCSV,
|
| +@@ -1257,7 +1281,7 @@ class TLSConnection(TLSRecordLayer):
|
| + certChain, privateKey, reqCert, sessionCache,
|
| + settings, reqCAs, reqCertTypes,
|
| + tacks, activationFlags,
|
| +- nextProtos, anon,
|
| ++ alpnProtos, nextProtos, anon,
|
| + signedCertTimestamps, fallbackSCSV,
|
| + ocspResponse):
|
| +
|
| +@@ -1314,7 +1338,16 @@ class TLSConnection(TLSRecordLayer):
|
| + sessionID = getRandomBytes(32)
|
| + else:
|
| + sessionID = bytearray(0)
|
| +-
|
| ++
|
| ++ alpn_proto_selected = None
|
| ++ if clientHello.alpn_protos_advertised is not None:
|
| ++ if alpnProtos is not None:
|
| ++ for proto in alpnProtos:
|
| ++ if proto in clientHello.alpn_protos_advertised:
|
| ++ alpn_proto_selected = proto
|
| ++ nextProtos = None
|
| ++ break;
|
| ++
|
| + if not clientHello.supports_npn:
|
| + nextProtos = None
|
| +
|
| +@@ -1330,7 +1363,7 @@ class TLSConnection(TLSRecordLayer):
|
| + serverHello = ServerHello()
|
| + serverHello.create(self.version, getRandomBytes(32), sessionID, \
|
| + cipherSuite, CertificateType.x509, tackExt,
|
| +- nextProtos)
|
| ++ alpn_proto_selected, nextProtos)
|
| + serverHello.channel_id = \
|
| + clientHello.channel_id and settings.enableChannelID
|
| + serverHello.extended_master_secret = \
|
| +@@ -1397,7 +1430,7 @@ class TLSConnection(TLSRecordLayer):
|
| + for result in self._serverFinished(premasterSecret,
|
| + clientHello.random, serverHello.random,
|
| + cipherSuite, settings.cipherImplementations,
|
| +- nextProtos, serverHello.channel_id,
|
| ++ alpnProtos, nextProtos, serverHello.channel_id,
|
| + serverHello.extended_master_secret):
|
| + if result in (0,1): yield result
|
| + else: break
|
| +@@ -1540,7 +1573,7 @@ class TLSConnection(TLSRecordLayer):
|
| + serverHello = ServerHello()
|
| + serverHello.create(self.version, getRandomBytes(32),
|
| + session.sessionID, session.cipherSuite,
|
| +- CertificateType.x509, None, None)
|
| ++ CertificateType.x509, None, None, None)
|
| + serverHello.extended_master_secret = \
|
| + clientHello.extended_master_secret and \
|
| + settings.enableExtendedMasterSecret
|
| +@@ -1854,8 +1887,8 @@ class TLSConnection(TLSRecordLayer):
|
| +
|
| +
|
| + def _serverFinished(self, premasterSecret, clientRandom, serverRandom,
|
| +- cipherSuite, cipherImplementations, nextProtos,
|
| +- doingChannelID, useExtendedMasterSecret):
|
| ++ cipherSuite, cipherImplementations, alpnProtos,
|
| ++ nextProtos, doingChannelID, useExtendedMasterSecret):
|
| + masterSecret = calcMasterSecret(self.version, premasterSecret,
|
| + clientRandom, serverRandom,
|
| + self._ems_handshake_hash,
|
|
|
Chromium Code Reviews
Issue 2205433002:
Implement ALPN in tlslite. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master