1 diff --git a/third_party/tlslite/tlslite/api.py b/third_party/tlslite/tlslite/ap
i.py | 1 diff --git a/third_party/tlslite/tlslite/api.py b/third_party/tlslite/tlslite/ap
i.py |
2 index faef6cb..562fb81 100644 | 2 index fa6a18c..aabcc14 100644 |
3 --- a/third_party/tlslite/tlslite/api.py | 3 --- a/third_party/tlslite/tlslite/api.py |
4 +++ b/third_party/tlslite/tlslite/api.py | 4 +++ b/third_party/tlslite/tlslite/api.py |
5 @@ -2,7 +2,8 @@ | 5 @@ -2,7 +2,8 @@ |
6 # See the LICENSE file for legal information regarding use of this file. | 6 # See the LICENSE file for legal information regarding use of this file. |
7 | 7 |
8 __version__ = "0.4.6" | 8 __version__ = "0.4.8" |
9 -from .constants import AlertLevel, AlertDescription, Fault | 9 -from .constants import AlertLevel, AlertDescription, Fault |
10 +from .constants import AlertLevel, AlertDescription, ClientCertificateType, \ | 10 +from .constants import AlertLevel, AlertDescription, ClientCertificateType, \ |
11 + Fault | 11 + Fault |
12 from .errors import * | 12 from .errors import * |
13 from .checker import Checker | 13 from .checker import Checker |
14 from .handshakesettings import HandshakeSettings | 14 from .handshakesettings import HandshakeSettings |
15 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlsl
ite/constants.py | 15 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlsl
ite/constants.py |
16 index 30d1f9f..457b339 100644 | 16 index d2d50c5..7ee70be 100644 |
17 --- a/third_party/tlslite/tlslite/constants.py | 17 --- a/third_party/tlslite/tlslite/constants.py |
18 +++ b/third_party/tlslite/tlslite/constants.py | 18 +++ b/third_party/tlslite/tlslite/constants.py |
19 @@ -14,10 +14,14 @@ class CertificateType: | 19 @@ -15,10 +15,14 @@ class CertificateType: |
20 openpgp = 1 | 20 openpgp = 1 |
21 | 21 |
22 class ClientCertificateType: | 22 class ClientCertificateType: |
23 + # http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-p
arameters-2 | 23 + # http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-p
arameters-2 |
24 rsa_sign = 1 | 24 rsa_sign = 1 |
25 dss_sign = 2 | 25 dss_sign = 2 |
26 rsa_fixed_dh = 3 | 26 rsa_fixed_dh = 3 |
27 dss_fixed_dh = 4 | 27 dss_fixed_dh = 4 |
28 + ecdsa_sign = 64 | 28 + ecdsa_sign = 64 |
29 + rsa_fixed_ecdh = 65 | 29 + rsa_fixed_ecdh = 65 |
30 + ecdsa_fixed_ecdh = 66 | 30 + ecdsa_fixed_ecdh = 66 |
31 | 31 |
32 class HandshakeType: | 32 class HandshakeType: |
33 hello_request = 0 | 33 hello_request = 0 |
34 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlsli
te/messages.py | 34 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlsli
te/messages.py |
35 index 550b387..c8a913c 100644 | 35 index 8b77ee6..e1be195 100644 |
36 --- a/third_party/tlslite/tlslite/messages.py | 36 --- a/third_party/tlslite/tlslite/messages.py |
37 +++ b/third_party/tlslite/tlslite/messages.py | 37 +++ b/third_party/tlslite/tlslite/messages.py |
38 @@ -454,9 +454,7 @@ class CertificateStatus(HandshakeMsg): | 38 @@ -455,17 +455,14 @@ class CertificateStatus(HandshakeMsg): |
39 class CertificateRequest(HandshakeMsg): | 39 class CertificateRequest(HandshakeMsg): |
40 def __init__(self): | 40 def __init__(self, version): |
41 HandshakeMsg.__init__(self, HandshakeType.certificate_request) | 41 HandshakeMsg.__init__(self, HandshakeType.certificate_request) |
42 - #Apple's Secure Transport library rejects empty certificate_types, so | 42 - #Apple's Secure Transport library rejects empty certificate_types, so |
43 - #default to rsa_sign. | 43 - #default to rsa_sign. |
44 - self.certificate_types = [ClientCertificateType.rsa_sign] | 44 - self.certificate_types = [ClientCertificateType.rsa_sign] |
45 + self.certificate_types = [] | 45 + self.certificate_types = [] |
46 self.certificate_authorities = [] | 46 self.certificate_authorities = [] |
| 47 self.version = version |
| 48 self.supported_signature_algs = [] |
47 | 49 |
48 def create(self, certificate_types, certificate_authorities): | 50 - def create(self, certificate_types, certificate_authorities, sig_algs=(), v
ersion=(3,0)): |
| 51 + def create(self, certificate_types, certificate_authorities, sig_algs=()): |
| 52 self.certificate_types = certificate_types |
| 53 self.certificate_authorities = certificate_authorities |
| 54 - self.version = version |
| 55 self.supported_signature_algs = sig_algs |
| 56 return self |
| 57 |
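Review bot: `CertificateRequest.__init__(self, version)` now takes a mandatory argument that nothing in the class documents, and `create()` stores `sig_algs` (a tuple by default) into `supported_signature_algs`, which `__init__` initialises as a list, so the attribute's type depends on which path populated it. A short comment on the constructor would help the next maintainer: `# version: negotiated TLS version tuple; presumably consulted by write()/parse() for the TLS 1.2-only supported_signature_algs field — confirm`, and `self.supported_signature_algs = list(sig_algs)` in `create()` keeps the type stable. Note that the hunk also drops the old explanation of why certificate_types defaulted to rsa_sign; if that default now lives only in tlsconnection.py, the class docstring should say certificate_types is expected to be non-empty when sent. The class body (write/parse) continues outside the hunk, so whether `version` gates serialization cannot be confirmed here.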
49 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/
tlslite/tlsconnection.py | 58 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/
tlslite/tlsconnection.py |
50 index e6f7820..044ad59 100644 | 59 index f6d13d4..f8547d5 100644 |
51 --- a/third_party/tlslite/tlslite/tlsconnection.py | 60 --- a/third_party/tlslite/tlslite/tlsconnection.py |
52 +++ b/third_party/tlslite/tlslite/tlsconnection.py | 61 +++ b/third_party/tlslite/tlslite/tlsconnection.py |
53 @@ -1062,7 +1062,7 @@ class TLSConnection(TLSRecordLayer): | 62 @@ -1070,7 +1070,7 @@ class TLSConnection(TLSRecordLayer): |
54 def handshakeServer(self, verifierDB=None, | 63 def handshakeServer(self, verifierDB=None, |
55 certChain=None, privateKey=None, reqCert=False, | 64 certChain=None, privateKey=None, reqCert=False, |
56 sessionCache=None, settings=None, checker=None, | 65 sessionCache=None, settings=None, checker=None, |
57 - reqCAs = None, | 66 - reqCAs = None, |
58 + reqCAs = None, reqCertTypes = None, | 67 + reqCAs = None, reqCertTypes = None, |
59 tacks=None, activationFlags=0, | 68 tacks=None, activationFlags=0, |
60 nextProtos=None, anon=False, | 69 nextProtos=None, anon=False, |
61 tlsIntolerant=None, signedCertTimestamps=None, | 70 tlsIntolerant=None, signedCertTimestamps=None, |
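Review bot: `reqCertTypes` is inserted positionally between `reqCAs` and `tacks` in the public `handshakeServer` signature (and the same shift is repeated for `handshakeServerAsync` and the helper in later hunks), so any existing caller that passes `tacks` positionally would now bind it to `reqCertTypes`; it would then either fail late at the new `reqCertTypes and not reqCert` ValueError or, if it also set `reqCert`, advertise garbage certificate_types. If every caller uses keyword arguments (not visible here) this is harmless; otherwise appending the new parameter after the existing ones, or making it keyword-only, avoids the silent shift. The signature continues past this hunk, so the remaining parameters were not reviewed.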
62 @@ -1130,6 +1130,10 @@ class TLSConnection(TLSRecordLayer): | 71 @@ -1138,6 +1138,10 @@ class TLSConnection(TLSRecordLayer): |
63 will be sent along with a certificate request. This does not affect | 72 will be sent along with a certificate request. This does not affect |
64 verification. | 73 verification. |
65 | 74 |
66 + @type reqCertTypes: list of int | 75 + @type reqCertTypes: list of int |
67 + @param reqCertTypes: A list of certificate_type values to be sent | 76 + @param reqCertTypes: A list of certificate_type values to be sent |
68 + along with a certificate request. This does not affect verification. | 77 + along with a certificate request. This does not affect verification. |
69 + | 78 + |
70 @type nextProtos: list of strings. | 79 @type nextProtos: list of strings. |
71 @param nextProtos: A list of upper layer protocols to expose to the | 80 @param nextProtos: A list of upper layer protocols to expose to the |
72 clients through the Next-Protocol Negotiation Extension, | 81 clients through the Next-Protocol Negotiation Extension, |
73 @@ -1169,7 +1173,7 @@ class TLSConnection(TLSRecordLayer): | 82 @@ -1177,7 +1181,7 @@ class TLSConnection(TLSRecordLayer): |
74 """ | 83 """ |
75 for result in self.handshakeServerAsync(verifierDB, | 84 for result in self.handshakeServerAsync(verifierDB, |
76 certChain, privateKey, reqCert, sessionCache, settings, | 85 certChain, privateKey, reqCert, sessionCache, settings, |
77 - checker, reqCAs, | 86 - checker, reqCAs, |
78 + checker, reqCAs, reqCertTypes, | 87 + checker, reqCAs, reqCertTypes, |
79 tacks=tacks, activationFlags=activationFlags, | 88 tacks=tacks, activationFlags=activationFlags, |
80 nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, | 89 nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, |
81 signedCertTimestamps=signedCertTimestamps, | 90 signedCertTimestamps=signedCertTimestamps, |
82 @@ -1180,7 +1184,7 @@ class TLSConnection(TLSRecordLayer): | 91 @@ -1188,7 +1192,7 @@ class TLSConnection(TLSRecordLayer): |
83 def handshakeServerAsync(self, verifierDB=None, | 92 def handshakeServerAsync(self, verifierDB=None, |
84 certChain=None, privateKey=None, reqCert=False, | 93 certChain=None, privateKey=None, reqCert=False, |
85 sessionCache=None, settings=None, checker=None, | 94 sessionCache=None, settings=None, checker=None, |
86 - reqCAs=None, | 95 - reqCAs=None, |
87 + reqCAs=None, reqCertTypes=None, | 96 + reqCAs=None, reqCertTypes=None, |
88 tacks=None, activationFlags=0, | 97 tacks=None, activationFlags=0, |
89 nextProtos=None, anon=False, | 98 nextProtos=None, anon=False, |
90 tlsIntolerant=None, | 99 tlsIntolerant=None, |
91 @@ -1203,7 +1207,7 @@ class TLSConnection(TLSRecordLayer): | 100 @@ -1211,7 +1215,7 @@ class TLSConnection(TLSRecordLayer): |
92 verifierDB=verifierDB, certChain=certChain, | 101 verifierDB=verifierDB, certChain=certChain, |
93 privateKey=privateKey, reqCert=reqCert, | 102 privateKey=privateKey, reqCert=reqCert, |
94 sessionCache=sessionCache, settings=settings, | 103 sessionCache=sessionCache, settings=settings, |
95 - reqCAs=reqCAs, | 104 - reqCAs=reqCAs, |
96 + reqCAs=reqCAs, reqCertTypes=reqCertTypes, | 105 + reqCAs=reqCAs, reqCertTypes=reqCertTypes, |
97 tacks=tacks, activationFlags=activationFlags, | 106 tacks=tacks, activationFlags=activationFlags, |
98 nextProtos=nextProtos, anon=anon, | 107 nextProtos=nextProtos, anon=anon, |
99 tlsIntolerant=tlsIntolerant, | 108 tlsIntolerant=tlsIntolerant, |
100 @@ -1216,7 +1220,7 @@ class TLSConnection(TLSRecordLayer): | 109 @@ -1224,7 +1228,7 @@ class TLSConnection(TLSRecordLayer): |
101 | 110 |
102 def _handshakeServerAsyncHelper(self, verifierDB, | 111 def _handshakeServerAsyncHelper(self, verifierDB, |
103 certChain, privateKey, reqCert, sessionCache, | 112 certChain, privateKey, reqCert, sessionCache, |
104 - settings, reqCAs, | 113 - settings, reqCAs, |
105 + settings, reqCAs, reqCertTypes, | 114 + settings, reqCAs, reqCertTypes, |
106 tacks, activationFlags, | 115 tacks, activationFlags, |
107 nextProtos, anon, | 116 nextProtos, anon, |
108 tlsIntolerant, signedCertTimestamps, fallbackSCSV, | 117 tlsIntolerant, signedCertTimestamps, fallbackSCSV, |
109 @@ -1232,6 +1236,8 @@ class TLSConnection(TLSRecordLayer): | 118 @@ -1240,6 +1244,8 @@ class TLSConnection(TLSRecordLayer): |
110 raise ValueError("Caller passed a privateKey but no certChain") | 119 raise ValueError("Caller passed a privateKey but no certChain") |
111 if reqCAs and not reqCert: | 120 if reqCAs and not reqCert: |
112 raise ValueError("Caller passed reqCAs but not reqCert")
| 121 raise ValueError("Caller passed reqCAs but not reqCert")
|
113 + if reqCertTypes and not reqCert: | 122 + if reqCertTypes and not reqCert: |
114 + raise ValueError("Caller passed reqCertTypes but not reqCert") | 123 + raise ValueError("Caller passed reqCertTypes but not reqCert") |
115 if certChain and not isinstance(certChain, X509CertChain): | 124 if certChain and not isinstance(certChain, X509CertChain): |
116 raise ValueError("Unrecognized certificate type") | 125 raise ValueError("Unrecognized certificate type") |
117 if activationFlags and not tacks: | 126 if activationFlags and not tacks: |
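Review bot: The new check only rejects `reqCertTypes` without `reqCert`; it does not validate the values themselves, although on the wire certificate_types is a vector of one-byte ClientCertificateType values (RFC 5246 §7.4.4, `<1..2^8-1>`), so a non-int or out-of-range entry would presumably surface as a serialization error mid-handshake rather than as the ValueError the other argument checks here raise at the API boundary. Adding `if reqCertTypes and not all(isinstance(t, int) and 0 <= t <= 255 for t in reqCertTypes):` followed by `raise ValueError("reqCertTypes must be ClientCertificateType values in 0..255")` keeps the failure mode consistent with the surrounding checks. The same applies to list length (at most 255 entries). `_handshakeServerAsyncHelper` begins before this hunk and continues after it.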
118 @@ -1320,7 +1326,7 @@ class TLSConnection(TLSRecordLayer): | 127 @@ -1328,7 +1334,7 @@ class TLSConnection(TLSRecordLayer): |
119 assert(False) | 128 assert(False) |
120 for result in self._serverCertKeyExchange(clientHello, serverHello,
| 129 for result in self._serverCertKeyExchange(clientHello, serverHello,
|
121 certChain, keyExchange, | 130 certChain, keyExchange, |
122 - reqCert, reqCAs, cipherSuite, | 131 - reqCert, reqCAs, cipherSuite, |
123 + reqCert, reqCAs, reqCertTypes, cipherSu
ite, | 132 + reqCert, reqCAs, reqCertTypes, cipherSu
ite, |
124 settings, ocspResponse): | 133 settings, ocspResponse): |
125 if result in (0,1): yield result | 134 if result in (0,1): yield result |
126 else: break | 135 else: break |
127 @@ -1597,7 +1603,7 @@ class TLSConnection(TLSRecordLayer): | 136 @@ -1607,7 +1613,7 @@ class TLSConnection(TLSRecordLayer): |
128 | 137 |
129 def _serverCertKeyExchange(self, clientHello, serverHello, | 138 def _serverCertKeyExchange(self, clientHello, serverHello, |
130 serverCertChain, keyExchange, | 139 serverCertChain, keyExchange, |
131 - reqCert, reqCAs, cipherSuite, | 140 - reqCert, reqCAs, cipherSuite, |
132 + reqCert, reqCAs, reqCertTypes, cipherSuite, | 141 + reqCert, reqCAs, reqCertTypes, cipherSuite, |
133 settings, ocspResponse): | 142 settings, ocspResponse): |
134 #Send ServerHello, Certificate[, ServerKeyExchange] | 143 #Send ServerHello, Certificate[, ServerKeyExchange] |
135 #[, CertificateRequest], ServerHelloDone | 144 #[, CertificateRequest], ServerHelloDone |
136 @@ -1613,11 +1619,12 @@ class TLSConnection(TLSRecordLayer): | 145 @@ -1623,11 +1629,13 @@ class TLSConnection(TLSRecordLayer): |
137 serverKeyExchange = keyExchange.makeServerKeyExchange() | 146 serverKeyExchange = keyExchange.makeServerKeyExchange() |
138 if serverKeyExchange is not None: | 147 if serverKeyExchange is not None: |
139 msgs.append(serverKeyExchange) | 148 msgs.append(serverKeyExchange) |
140 - if reqCert and reqCAs: | 149 - if reqCert and reqCAs: |
141 - msgs.append(CertificateRequest().create(\ | 150 - msgs.append(CertificateRequest().create(\ |
142 - [ClientCertificateType.rsa_sign], reqCAs)) | 151 - [ClientCertificateType.rsa_sign], reqCAs)) |
143 - elif reqCert: | 152 - elif reqCert: |
144 - msgs.append(CertificateRequest()) | 153 - msgs.append(CertificateRequest(self.version)) |
145 + if reqCert: | 154 + if reqCert: |
146 + reqCAs = reqCAs or [] | 155 + reqCAs = reqCAs or [] |
147 + #Apple's Secure Transport library rejects empty certificate_types, | 156 + #Apple's Secure Transport library rejects empty certificate_types, |
148 + #so default to rsa_sign. | 157 + #so default to rsa_sign. |
149 + reqCertTypes = reqCertTypes or [ClientCertificateType.rsa_sign] | 158 + reqCertTypes = reqCertTypes or [ClientCertificateType.rsa_sign] |
150 + msgs.append(CertificateRequest().create(reqCertTypes, reqCAs)) | 159 + msgs.append(CertificateRequest(self.version).create(reqCertTypes, |
| 160 + reqCAs)) |
151 msgs.append(ServerHelloDone()) | 161 msgs.append(ServerHelloDone()) |
152 for result in self._sendMsgs(msgs): | 162 for result in self._sendMsgs(msgs): |
153 yield result | 163 yield result |
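Review bot: `CertificateRequest(self.version).create(reqCertTypes, reqCAs)` passes the negotiated version but leaves `supported_signature_algs` at the empty default, and for TLS 1.2 (`self.version == (3,3)`) RFC 5246 §7.4.4 requires supported_signature_algorithms with at least one entry (`<2..2^16-2>`). Whether `write()` emits that field is not visible in this diff, but either outcome is wrong for a TLS 1.2 client: an empty vector below the minimum length, or a CertificateRequest missing a mandatory field; strict clients may abort the handshake or refuse client auth. Either pass an explicit `sig_algs` list for `self.version >= (3,3)` or document next to this call that TLS 1.2 client authentication is not supported by this server path. Also, `reqCAs = reqCAs or []` and `reqCertTypes = reqCertTypes or [...]` rebind the parameters in place; a comment such as `# normalise None to the wire defaults; the types list is advisory to the client and does not restrict what the server accepts` would make the intent and the non-enforcing nature of certificate_types explicit here as well as in the docstring.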