| OLD | NEW |
|---|
| (Empty) | |
| 1 Only in chromium: patches |
| 2 diff --git tlslite-0.3.8/scripts/tls.py chromium/tlslite/scripts/tls.py |
| 3 index fa2c663..e7a473d 100644 |
| 4 --- tlslite-0.3.8/scripts/tls.py |
| 5 +++ chromium/tlslite/scripts/tls.py |
| 6 @@ -91,7 +91,7 @@ def clientTest(address, dir): |
| 7 badFault = True |
| 8 connection.sock.close() |
| 9 |
| 10 - print "Test 5 - good SRP: unknown_srp_username idiom" |
| 11 + print "Test 5 - good SRP: unknown_psk_identity idiom" |
| 12 def srpCallback(): |
| 13 return ("test", "password") |
| 14 connection = connect() |
| 15 @@ -465,7 +465,7 @@ def serverTest(address, dir): |
| 16 pass |
| 17 connection.sock.close() |
| 18 |
| 19 - print "Test 5 - good SRP: unknown_srp_username idiom" |
| 20 + print "Test 5 - good SRP: unknown_psk_identity idiom" |
| 21 connection = connect() |
| 22 connection.handshakeServer(verifierDB=verifierDB) |
| 23 connection.close() |
| 24 @@ -893,7 +893,7 @@ try: |
| 25 raise |
| 26 sys.exit() |
| 27 except TLSRemoteAlert, a: |
| 28 - if a.description == AlertDescription.unknown_srp_username: |
| 29 + if a.description == AlertDescription.unknown_psk_identity: |
| 30 if cmd == "clientsrp": |
| 31 print "Unknown username" |
| 32 else: |
| 33 @@ -1027,7 +1027,7 @@ try: |
| 34 connection.write(s) |
| 35 s = "" |
| 36 except TLSLocalAlert, a: |
| 37 - if a.description == AlertDescription.unknown_srp_username: |
| 38 + if a.description == AlertDescription.unknown_psk_identity: |
| 39 print "Unknown SRP username" |
| 40 elif a.description == AlertDescription.bad_record_mac: |
| 41 if cmd == "serversrp" or cmd == "serversrpcert": |
| 42 diff --git tlslite-0.3.8/tlslite/TLSConnection.py chromium/tlslite//TLSConnectio
n.py |
| 43 index 7e38a23..1616c7c 100644 |
| 44 --- tlslite-0.3.8/tlslite/TLSConnection.py |
| 45 +++ chromium/tlslite//TLSConnection.py |
| 46 @@ -514,7 +514,7 @@ class TLSConnection(TLSRecordLayer): |
| 47 for result in self._sendMsg(clientHello): |
| 48 yield result |
| 49 |
| 50 - #Get ServerHello (or missing_srp_username) |
| 51 + #Get ServerHello (or unknown_psk_identity) |
| 52 for result in self._getMsg((ContentType.handshake, |
| 53 ContentType.alert), |
| 54 HandshakeType.server_hello): |
| 55 @@ -529,20 +529,17 @@ class TLSConnection(TLSRecordLayer): |
| 56 elif isinstance(msg, Alert): |
| 57 alert = msg |
| 58 |
| 59 - #If it's not a missing_srp_username, re-raise |
| 60 - if alert.description != AlertDescription.missing_srp_username: |
| 61 + #If it's not a unknown_psk_identity, re-raise |
| 62 + if alert.description != AlertDescription.unknown_psk_identity: |
| 63 self._shutdown(False) |
| 64 raise TLSRemoteAlert(alert) |
| 65 |
| 66 - #If we're not in SRP callback mode, we won't have offered SRP |
| 67 - #without a username, so we shouldn't get this alert |
| 68 - if not srpCallback: |
| 69 - for result in self._sendError(\ |
| 70 - AlertDescription.unexpected_message): |
| 71 - yield result |
| 72 - srpParams = srpCallback() |
| 73 - #If the callback returns None, cancel the handshake |
| 74 - if srpParams == None: |
| 75 + #Our SRP credentials were wrong, so try getting new ones. |
| 76 + if srpCallback: |
| 77 + srpParams = srpCallback() |
| 78 + |
| 79 + #If we can't get different credentials, cancel the handshake |
| 80 + if srpParams == None or not srpCallback: |
| 81 for result in self._sendError(AlertDescription.user_canceled): |
| 82 yield result |
| 83 |
| 84 @@ -1259,7 +1256,7 @@ class TLSConnection(TLSRecordLayer): |
| 85 |
| 86 #Ask the client to re-send ClientHello with one |
| 87 for result in self._sendMsg(Alert().create(\ |
| 88 - AlertDescription.missing_srp_username, |
| 89 + AlertDescription.unknown_psk_identity, |
| 90 AlertLevel.warning)): |
| 91 yield result |
| 92 |
| 93 @@ -1323,7 +1320,7 @@ class TLSConnection(TLSRecordLayer): |
| 94 entry = verifierDB[self.allegedSrpUsername] |
| 95 except KeyError: |
| 96 for result in self._sendError(\ |
| 97 - AlertDescription.unknown_srp_username): |
| 98 + AlertDescription.unknown_psk_identity): |
| 99 yield result |
| 100 (N, g, s, v) = entry |
| 101 |
| 102 diff --git tlslite-0.3.8/tlslite/constants.py chromium/tlslite//constants.py |
| 103 index 04302c0..7ed7634 100644 |
| 104 --- tlslite-0.3.8/tlslite/constants.py |
| 105 +++ chromium/tlslite//constants.py |
| 106 @@ -30,6 +30,9 @@ class ContentType: |
| 107 application_data = 23 |
| 108 all = (20,21,22,23) |
| 109 |
| 110 +class ClientHelloExtension: |
| 111 + srp = 12 |
| 112 + |
| 113 class AlertLevel: |
| 114 warning = 1 |
| 115 fatal = 2 |
| 116 @@ -88,18 +91,19 @@ class AlertDescription: |
| 117 internal_error = 80 |
| 118 user_canceled = 90 |
| 119 no_renegotiation = 100 |
| 120 - unknown_srp_username = 120 |
| 121 - missing_srp_username = 121 |
| 122 - untrusted_srp_parameters = 122 |
| 123 + unknown_psk_identity = 115 |
| 124 + untrusted_srp_parameters = 122 # TODO(sqs): probably outdated wrt RFC 5054 |
| 125 |
| 126 class CipherSuite: |
| 127 - TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0x0050 |
| 128 - TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0x0053 |
| 129 - TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0x0056 |
| 130 + TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A |
| 131 + TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D |
| 132 + TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020 |
| 133 + |
| 134 + TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B |
| 135 + TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E |
| 136 + TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021 |
| 137 |
| 138 - TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0x0051 |
| 139 - TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0x0054 |
| 140 - TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0x0057 |
| 141 + # TODO(sqs): No SRP DSS cipher suites |
| 142 |
| 143 TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A |
| 144 TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F |
| 145 @@ -202,8 +206,9 @@ class Fault: |
| 146 genericFaults = range(300,303) |
| 147 |
| 148 faultAlerts = {\ |
| 149 - badUsername: (AlertDescription.unknown_srp_username, \ |
| 150 - AlertDescription.bad_record_mac),\ |
| 151 + badUsername: (AlertDescription.unknown_psk_identity, \ |
| 152 + AlertDescription.bad_record_mac, \ |
| 153 + AlertDescription.user_canceled),\ |
| 154 badPassword: (AlertDescription.bad_record_mac,),\ |
| 155 badA: (AlertDescription.illegal_parameter,),\ |
| 156 badIdentifier: (AlertDescription.handshake_failure,),\ |
| 157 diff --git tlslite-0.3.8/tlslite/errors.py chromium/tlslite//errors.py |
| 158 index c7f7ba8..c9a480e 100644 |
| 159 --- tlslite-0.3.8/tlslite/errors.py |
| 160 +++ chromium/tlslite//errors.py |
| 161 @@ -50,8 +50,8 @@ class TLSAlert(TLSError): |
| 162 AlertDescription.internal_error: "internal_error",\ |
| 163 AlertDescription.user_canceled: "user_canceled",\ |
| 164 AlertDescription.no_renegotiation: "no_renegotiation",\ |
| 165 - AlertDescription.unknown_srp_username: "unknown_srp_username",\ |
| 166 - AlertDescription.missing_srp_username: "missing_srp_username"} |
| 167 + AlertDescription.unknown_psk_identity: "unknown_psk_identity", |
| 168 + } |
| 169 |
| 170 class TLSLocalAlert(TLSAlert): |
| 171 """A TLS alert has been signalled by the local implementation. |
| 172 diff --git tlslite-0.3.8/tlslite/messages.py chromium/tlslite//messages.py |
| 173 index dc6ed32..1058ad0 100644 |
| 174 --- tlslite-0.3.8/tlslite/messages.py |
| 175 +++ chromium/tlslite//messages.py |
| 176 @@ -170,7 +170,7 @@ class ClientHello(HandshakeMsg): |
| 177 while soFar != totalExtLength: |
| 178 extType = p.get(2) |
| 179 extLength = p.get(2) |
| 180 - if extType == 6: |
| 181 + if extType == ClientHelloExtension.srp: |
| 182 self.srp_username = bytesToString(p.getVarBytes(1)) |
| 183 elif extType == 7: |
| 184 self.certificate_types = p.getVarList(1, 1) |
| 185 @@ -204,7 +204,7 @@ class ClientHello(HandshakeMsg): |
| 186 w.add(len(self.certificate_types)+1, 2) |
| 187 w.addVarSeq(self.certificate_types, 1, 1) |
| 188 if self.srp_username: |
| 189 - w.add(6, 2) |
| 190 + w.add(ClientHelloExtension.srp, 2) |
| 191 w.add(len(self.srp_username)+1, 2) |
| 192 w.addVarSeq(stringToBytes(self.srp_username), 1, 1) |
| 193 |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 6804032:
Add TLS-SRP (RFC 5054) support
Base URL: http://git.chromium.org/git/chromium.git@trunk