Index: third_party/tlslite/patches/renegotiation_indication.patch |
diff --git a/third_party/tlslite/patches/renegotiation_indication.patch b/third_party/tlslite/patches/renegotiation_indication.patch |
new file mode 100644 |
index 0000000000000000000000000000000000000000..69a1d7b5940e37533e868255eac333d18cdfb250 |
--- /dev/null |
+++ b/third_party/tlslite/patches/renegotiation_indication.patch |
@@ -0,0 +1,86 @@ |
+diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py |
+index e9743e4..82e8c07 100644 |
+--- a/third_party/tlslite/tlslite/constants.py |
++++ b/third_party/tlslite/tlslite/constants.py |
+@@ -61,6 +61,7 @@ class ExtensionType: # RFC 6066 / 4366 |
+ tack = 0xF300 |
+ supports_npn = 13172 |
+ channel_id = 30032 |
++ renegotiation_info = 0xFF01 # RFC 5746 |
+ |
+ class HashAlgorithm: |
+ none = 0 |
+diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py |
+index 1ce9320..ac7e563 100644 |
+--- a/third_party/tlslite/tlslite/messages.py |
++++ b/third_party/tlslite/tlslite/messages.py |
+@@ -140,6 +140,7 @@ class ClientHello(HandshakeMsg): |
+ self.tb_client_params = [] |
+ self.support_signed_cert_timestamps = False |
+ self.status_request = False |
++ self.ri = False |
+ |
+ def create(self, version, random, session_id, cipher_suites, |
+ certificate_types=None, srpUsername=None, |
+@@ -244,12 +245,20 @@ class ClientHello(HandshakeMsg): |
+ # request_extensions in the OCSP request. |
+ p.getFixBytes(extLength) |
+ self.status_request = True |
++ elif extType == ExtensionType.renegotiation_info: |
++ # We don't support renegotiation, so if we receive this |
++ # extension, it should contain a single null byte. |
++ if extLength != 1 or p.getFixBytes(extLength)[0] != 0: |
++ raise SyntaxError() |
++ self.ri = True |
+ else: |
+ _ = p.getFixBytes(extLength) |
+ index2 = p.index |
+ if index2 - index1 != extLength: |
+ raise SyntaxError("Bad length for extension_data") |
+ soFar += 4 + extLength |
++ if CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV in self.cipher_suites: |
++ self.ri = True |
+ p.stopLengthCheck() |
+ return self |
+ |
+@@ -327,6 +336,7 @@ class ServerHello(HandshakeMsg): |
+ self.tb_params = None |
+ self.signed_cert_timestamps = None |
+ self.status_request = False |
++ self.send_ri = False |
+ |
+ def create(self, version, random, session_id, cipher_suite, |
+ certificate_type, tackExt, alpn_proto_selected, |
+@@ -432,6 +442,10 @@ class ServerHello(HandshakeMsg): |
+ if self.status_request: |
+ w2.add(ExtensionType.status_request, 2) |
+ w2.add(0, 2) |
++ if self.send_ri: |
++ w2.add(ExtensionType.renegotiation_info, 2) |
++ w2.add(1, 2) |
++ w2.add(0, 1) |
+ if len(w2.bytes): |
+ w.add(len(w2.bytes), 2) |
+ w.bytes += w2.bytes |
+diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py |
+index de5d580..8ba1c6e 100644 |
+--- a/third_party/tlslite/tlslite/tlsconnection.py |
++++ b/third_party/tlslite/tlslite/tlsconnection.py |
+@@ -1370,6 +1370,8 @@ class TLSConnection(TLSRecordLayer): |
+ serverHello.signed_cert_timestamps = signedCertTimestamps |
+ if clientHello.status_request: |
+ serverHello.status_request = ocspResponse |
++ if clientHello.ri: |
++ serverHello.send_ri = True |
+ |
+ # Perform the SRP key exchange |
+ clientCertChain = None |
+@@ -1583,6 +1585,8 @@ class TLSConnection(TLSRecordLayer): |
+ if param in settings.supportedTokenBindingParams: |
+ serverHello.tb_params = param |
+ break |
++ if clientHello.ri: |
++ serverHello.send_ri = True |
+ for result in self._sendMsg(serverHello): |
+ yield result |
+ |