Update third_party/tlslite to 0.4.8.

third_party/tlslite/tlslite/tlsconnection.py

 # Authors: 
 #   Trevor Perrin
 #   Google - added reqCAs parameter
 #   Google (adapted by Sam Rushing and Marcelo Fernandez) - NPN support
 #   Dimitris Moraitis - Anon ciphersuites
 #   Martin von Loewis - python 3 port
+#   Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2
 #
 # See the LICENSE file for legal information regarding use of this file.
 
 """
 MAIN CLASS FOR TLS LITE (START HERE!).
 """
 
 import socket
 from .utils.compat import formatExceptionTrace
 from .tlsrecordlayer import TLSRecordLayer
 from .session import Session
 from .constants import *
 from .utils.cryptomath import getRandomBytes
 from .errors import *
 from .messages import *
 from .mathtls import *
 from .handshakesettings import HandshakeSettings
 from .utils.tackwrapper import *
+from .utils.rsakey import RSAKey
 
 class KeyExchange(object):
     def __init__(self, cipherSuite, clientHello, serverHello, privateKey):
         """
         Initializes the KeyExchange. privateKey is the signing private key.
         """
         self.cipherSuite = cipherSuite
         self.clientHello = clientHello
         self.serverHello = serverHello
         self.privateKey = privateKey
@@ skipping 60 matching lines @@
 
     # RFC 3526, Section 8.
     strength = 160
 
     def makeServerKeyExchange(self):
         # Per RFC 3526, Section 1, the exponent should have double the entropy
         # of the strength of the curve.
         self.dh_Xs = bytesToNumber(getRandomBytes(self.strength * 2 / 8))
         dh_Ys = powMod(self.dh_g, self.dh_Xs, self.dh_p)
 
-        serverKeyExchange = ServerKeyExchange(self.cipherSuite)
+        version = self.serverHello.server_version
+        serverKeyExchange = ServerKeyExchange(self.cipherSuite, version)
         serverKeyExchange.createDH(self.dh_p, self.dh_g, dh_Ys)
-        serverKeyExchange.signature = self.privateKey.sign(
-            serverKeyExchange.hash(self.clientHello.random,
-                                   self.serverHello.random))
+        hashBytes = serverKeyExchange.hash(self.clientHello.random,
+                                           self.serverHello.random)
+        if version >= (3,3):
+            # TODO: Signature algorithm negotiation not supported.
+            hashBytes = RSAKey.addPKCS1SHA1Prefix(hashBytes)
+        serverKeyExchange.signature = self.privateKey.sign(hashBytes)
         return serverKeyExchange
 
     def processClientKeyExchange(self, clientKeyExchange):
         dh_Yc = clientKeyExchange.dh_Yc
 
         # First half of RFC 2631, Section 2.1.5. Validate the client's public
         # key.
         if not 2 <= dh_Yc <= self.dh_p - 1:
             raise TLSLocalAlert(AlertDescription.illegal_parameter,
                                 "Invalid dh_Yc value")
@@ skipping 469 matching lines @@
 
 
     def _clientSendClientHello(self, settings, session, srpUsername,
                                 srpParams, certParams, anonParams, 
                                 serverName, nextProtos, reqTack):
         #Initialize acceptable ciphersuites
         cipherSuites = [CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
         if srpParams:
             cipherSuites += CipherSuite.getSrpAllSuites(settings)
         elif certParams:
-            cipherSuites += CipherSuite.getCertSuites(settings)
             # TODO: Client DHE_RSA not supported.
             # cipherSuites += CipherSuite.getDheCertSuites(settings)
+            cipherSuites += CipherSuite.getCertSuites(settings)
         elif anonParams:
             cipherSuites += CipherSuite.getAnonSuites(settings)
         else:
             assert(False)
 
         #Initialize acceptable certificate types
         certificateTypes = settings._getCertificateTypes()
             
         #Either send ClientHello (with a resumable session)...
         if session and session.sessionID:
@@ skipping 340 matching lines @@
         if certificateRequest and privateKey:
             if self.version == (3,0):
                 masterSecret = calcMasterSecret(self.version,
                                          premasterSecret,
                                          clientRandom,
                                          serverRandom)
                 verifyBytes = self._calcSSLHandshakeHash(masterSecret, b"")
             elif self.version in ((3,1), (3,2)):
                 verifyBytes = self._handshake_md5.digest() + \
                                 self._handshake_sha.digest()
+            elif self.version == (3,3):
+                # TODO: This does not handle the PKCS#1 prefix in TLS 1.2.
+                verifyBytes = self._handshake_sha256.digest()

[davidben, 2015/01/21 23:44:11]

This completely broken for TLS 1.2. It is likewise completely broken upstream.
I've left it alone with a TODO for now, but we'll need to fix it once we can
unit test client auth in Chromium.

[davidben, 2015/01/22 00:18:35]

Actually... we do have some tests in SSLClientSocketOpenSSLClientAuthTest. Try
jobs aren't exploding on Android though. I'll look into that and probably just
fix it.

[davidben, 2015/01/22 00:56:46]

Done.

             if self.fault == Fault.badVerifyMessage:
                 verifyBytes[0] = ((verifyBytes[0]+1) % 256)
             signedBytes = privateKey.sign(verifyBytes)
             certificateVerify = CertificateVerify()
             certificateVerify.create(signedBytes)
             for result in self._sendMsg(certificateVerify):
                 yield result
         yield (premasterSecret, serverCertChain, clientCertChain, tackExt)
 
     def _clientAnonKeyExchange(self, settings, cipherSuite, clientRandom, 
@@ skipping 402 matching lines @@
     def _serverGetClientHello(self, settings, certChain, verifierDB,
                                 sessionCache, anon, fallbackSCSV):
         #Initialize acceptable cipher suites
         cipherSuites = []
         if verifierDB:
             if certChain:
                 cipherSuites += \
                     CipherSuite.getSrpCertSuites(settings)
             cipherSuites += CipherSuite.getSrpSuites(settings)
         elif certChain:
+            cipherSuites += CipherSuite.getDheCertSuites(settings)
             cipherSuites += CipherSuite.getCertSuites(settings)
-            cipherSuites += CipherSuite.getDheCertSuites(settings)
         elif anon:
             cipherSuites += CipherSuite.getAnonSuites(settings)
         else:
             assert(False)
 
         #Tentatively set version to most-desirable version, so if an error
         #occurs parsing the ClientHello, this is what we'll use for the
         #error alert
         self.version = settings.maxVersion
 
@@ skipping 109 matching lines @@
                 self.session = session
                     
                 yield None # Handshake done!
 
         #Calculate the first cipher suite intersection.
         #This is the 'privileged' ciphersuite.  We'll use it if we're
         #doing a new negotiation.  In fact,
         #the only time we won't use it is if we're resuming a
         #session, in which case we use the ciphersuite from the session.
         #
-        #Use the client's preferences for now.
-        for cipherSuite in clientHello.cipher_suites:
-            if cipherSuite in cipherSuites:
+        #Given the current ciphersuite ordering, this means we prefer SRP
+        #over non-SRP.
+        for cipherSuite in cipherSuites:
+            if cipherSuite in clientHello.cipher_suites:
                 break
         else:
             for result in self._sendError(\
                     AlertDescription.handshake_failure,
                     "No mutual ciphersuite"):
                 yield result
         if cipherSuite in CipherSuite.srpAllSuites and \
                             not clientHello.srp_username:
             for result in self._sendError(\
                     AlertDescription.unknown_psk_identity,
@@ skipping 26 matching lines @@
                     AlertDescription.unknown_psk_identity):
                 yield result
         (N, g, s, v) = entry
 
         #Calculate server's ephemeral DH values (b, B)
         b = bytesToNumber(getRandomBytes(32))
         k = makeK(N, g)
         B = (powMod(g, b, N) + (k*v)) % N
 
         #Create ServerKeyExchange, signing it if necessary
-        serverKeyExchange = ServerKeyExchange(cipherSuite)
+        serverKeyExchange = ServerKeyExchange(cipherSuite, self.version)
         serverKeyExchange.createSRP(N, g, s, B)
         if cipherSuite in CipherSuite.srpCertSuites:
             hashBytes = serverKeyExchange.hash(clientHello.random,
                                                serverHello.random)
             serverKeyExchange.signature = privateKey.sign(hashBytes)
 
         #Send ServerHello[, Certificate], ServerKeyExchange,
         #ServerHelloDone
         msgs = []
         msgs.append(serverHello)
@@ skipping 49 matching lines @@
         if serverHello.status_request:
             msgs.append(CertificateStatus().create(ocspResponse))
         serverKeyExchange = keyExchange.makeServerKeyExchange()
         if serverKeyExchange is not None:
             msgs.append(serverKeyExchange)
         if reqCert:
             reqCAs = reqCAs or []
             #Apple's Secure Transport library rejects empty certificate_types,
             #so default to rsa_sign.
             reqCertTypes = reqCertTypes or [ClientCertificateType.rsa_sign]
-            msgs.append(CertificateRequest().create(reqCertTypes, reqCAs))
+            msgs.append(CertificateRequest(self.version).create(reqCertTypes,
+                                                                reqCAs))
         msgs.append(ServerHelloDone())
         for result in self._sendMsgs(msgs):
             yield result
 
         #From here on, the client's messages must have the right version
         self._versionCheck = True
 
         #Get [Certificate,] (if was requested)
         if reqCert:
             if self.version == (3,0):
@@ skipping 12 matching lines @@
                             AlertDescription.no_certificate:
                         self._shutdown(False)
                         raise TLSRemoteAlert(alert)
                 elif isinstance(msg, Certificate):
                     clientCertificate = msg
                     if clientCertificate.certChain and \
                             clientCertificate.certChain.getNumCerts()!=0:
                         clientCertChain = clientCertificate.certChain
                 else:
                     raise AssertionError()
-            elif self.version in ((3,1), (3,2)):
+            elif self.version in ((3,1), (3,2), (3,3)):
                 for result in self._getMsg(ContentType.handshake,
                                           HandshakeType.certificate,
                                           CertificateType.x509):
                     if result in (0,1): yield result
                     else: break
                 clientCertificate = result
                 if clientCertificate.certChain and \
                         clientCertificate.certChain.getNumCerts()!=0:
                     clientCertChain = clientCertificate.certChain
             else:
@@ skipping 17 matching lines @@
 
         #Get and check CertificateVerify, if relevant
         if clientCertChain:
             if self.version == (3,0):
                 masterSecret = calcMasterSecret(self.version, premasterSecret,
                                          clientHello.random, serverHello.random)
                 verifyBytes = self._calcSSLHandshakeHash(masterSecret, b"")
             elif self.version in ((3,1), (3,2)):
                 verifyBytes = self._handshake_md5.digest() + \
                                 self._handshake_sha.digest()
+            elif self.version == (3,3):
+                verifyBytes = self._handshake_sha256.digest()
             for result in self._getMsg(ContentType.handshake,
                                       HandshakeType.certificate_verify):
                 if result in (0,1): yield result
                 else: break
             certificateVerify = result
             publicKey = clientCertChain.getEndEntityPublicKey()
             if len(publicKey) < settings.minKeySize:
                 for result in self._sendError(\
                         AlertDescription.handshake_failure,
                         "Client's public key too small: %d" % len(publicKey)):
@@ skipping 15 matching lines @@
 
     def _serverAnonKeyExchange(self, clientHello, serverHello, cipherSuite, 
                                settings):
         # Calculate DH p, g, Xs, Ys
         dh_p = getRandomSafePrime(32, False)
         dh_g = getRandomNumber(2, dh_p)        
         dh_Xs = bytesToNumber(getRandomBytes(32))        
         dh_Ys = powMod(dh_g, dh_Xs, dh_p)
 
         #Create ServerKeyExchange
-        serverKeyExchange = ServerKeyExchange(cipherSuite)
+        serverKeyExchange = ServerKeyExchange(cipherSuite, self.version)
         serverKeyExchange.createDH(dh_p, dh_g, dh_Ys)
         
         #Send ServerHello[, Certificate], ServerKeyExchange,
         #ServerHelloDone  
         msgs = []
         msgs.append(serverHello)
         msgs.append(serverKeyExchange)
         msgs.append(ServerHelloDone())
         for result in self._sendMsgs(msgs):
             yield result
@@ skipping 151 matching lines @@
         elif self.version in ((3,1), (3,2)):
             if (self._client and send) or (not self._client and not send):
                 label = b"client finished"
             else:
                 label = b"server finished"
 
             handshakeHashes = self._handshake_md5.digest() + \
                                 self._handshake_sha.digest()
             verifyData = PRF(masterSecret, label, handshakeHashes, 12)
             return verifyData
+        elif self.version == (3,3):
+            if (self._client and send) or (not self._client and not send):
+                label = b"client finished"
+            else:
+                label = b"server finished"
+
+            handshakeHashes = self._handshake_sha256.digest()
+            verifyData = PRF_1_2(masterSecret, label, handshakeHashes, 12)
+            return verifyData
         else:
             raise AssertionError()
 
 
     def _handshakeWrapperAsync(self, handshaker, checker):
         if not self.fault:
             try:
                 for result in handshaker:
                     yield result
                 if checker:
@@ skipping 10 matching lines @@
             except TLSAlert as alert:
                 if not self.fault:
                     raise
                 if alert.description not in Fault.faultAlerts[self.fault]:
                     raise TLSFaultError(str(alert))
                 else:
                     pass
             except:
                 self._shutdown(False)
                 raise