1 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlsl
ite/constants.py | 1 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlsl
ite/constants.py |
2 index 79ad145..b3bad2d 100755 | 2 index 6429c66..8720de6 100644 |
3 --- a/third_party/tlslite/tlslite/constants.py | 3 --- a/third_party/tlslite/tlslite/constants.py |
4 +++ b/third_party/tlslite/tlslite/constants.py | 4 +++ b/third_party/tlslite/tlslite/constants.py |
5 @@ -44,6 +44,7 @@ class ExtensionType: # RFC 6066 / 4366 | 5 @@ -45,6 +45,7 @@ class ExtensionType: # RFC 6066 / 4366 |
6 server_name = 0 # RFC 6066 / 4366 | 6 server_name = 0 # RFC 6066 / 4366 |
7 srp = 12 # RFC 5054 | 7 srp = 12 # RFC 5054 |
8 cert_type = 9 # RFC 6091 | 8 cert_type = 9 # RFC 6091 |
9 + signed_cert_timestamps = 18 # RFC 6962 | 9 + signed_cert_timestamps = 18 # RFC 6962 |
10 tack = 0xF300 | 10 tack = 0xF300 |
11 supports_npn = 13172 | 11 supports_npn = 13172 |
12 channel_id = 30031 | 12 channel_id = 30032 |
13 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlsli
te/messages.py | 13 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlsli
te/messages.py |
14 index 246082e..5a2cd6c 100755 | 14 index 4fa9d96..876b033 100644 |
15 --- a/third_party/tlslite/tlslite/messages.py | 15 --- a/third_party/tlslite/tlslite/messages.py |
16 +++ b/third_party/tlslite/tlslite/messages.py | 16 +++ b/third_party/tlslite/tlslite/messages.py |
17 @@ -113,6 +113,7 @@ class ClientHello(HandshakeMsg): | 17 @@ -114,6 +114,7 @@ class ClientHello(HandshakeMsg): |
18 self.supports_npn = False | 18 self.supports_npn = False |
19 self.server_name = bytearray(0) | 19 self.server_name = bytearray(0) |
20 self.channel_id = False | 20 self.channel_id = False |
21 + self.support_signed_cert_timestamps = False | 21 + self.support_signed_cert_timestamps = False |
22 | 22 |
23 def create(self, version, random, session_id, cipher_suites, | 23 def create(self, version, random, session_id, cipher_suites, |
24 certificate_types=None, srpUsername=None, | 24 certificate_types=None, srpUsername=None, |
25 @@ -182,6 +183,10 @@ class ClientHello(HandshakeMsg): | 25 @@ -183,6 +184,10 @@ class ClientHello(HandshakeMsg): |
26 break | 26 break |
27 elif extType == ExtensionType.channel_id: | 27 elif extType == ExtensionType.channel_id: |
28 self.channel_id = True | 28 self.channel_id = True |
29 + elif extType == ExtensionType.signed_cert_timestamps: | 29 + elif extType == ExtensionType.signed_cert_timestamps: |
30 + if extLength: | 30 + if extLength: |
31 + raise SyntaxError() | 31 + raise SyntaxError() |
32 + self.support_signed_cert_timestamps = True | 32 + self.support_signed_cert_timestamps = True |
33 else: | 33 else: |
34 _ = p.getFixBytes(extLength) | 34 _ = p.getFixBytes(extLength) |
35 index2 = p.index | 35 index2 = p.index |
36 @@ -247,6 +252,7 @@ class ServerHello(HandshakeMsg): | 36 @@ -248,6 +253,7 @@ class ServerHello(HandshakeMsg): |
37 self.next_protos_advertised = None | 37 self.next_protos_advertised = None |
38 self.next_protos = None | 38 self.next_protos = None |
39 self.channel_id = False | 39 self.channel_id = False |
40 + self.signed_cert_timestamps = None | 40 + self.signed_cert_timestamps = None |
41 | 41 |
42 def create(self, version, random, session_id, cipher_suite, | 42 def create(self, version, random, session_id, cipher_suite, |
43 certificate_type, tackExt, next_protos_advertised): | 43 certificate_type, tackExt, next_protos_advertised): |
44 @@ -336,6 +342,9 @@ class ServerHello(HandshakeMsg): | 44 @@ -337,6 +343,9 @@ class ServerHello(HandshakeMsg): |
45 if self.channel_id: | 45 if self.channel_id: |
46 w2.add(ExtensionType.channel_id, 2) | 46 w2.add(ExtensionType.channel_id, 2) |
47 w2.add(0, 2) | 47 w2.add(0, 2) |
48 + if self.signed_cert_timestamps: | 48 + if self.signed_cert_timestamps: |
49 + w2.add(ExtensionType.signed_cert_timestamps, 2) | 49 + w2.add(ExtensionType.signed_cert_timestamps, 2) |
50 + w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2) | 50 + w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2) |
51 if len(w2.bytes): | 51 if len(w2.bytes): |
52 w.add(len(w2.bytes), 2) | 52 w.add(len(w2.bytes), 2) |
53 w.bytes += w2.bytes | 53 w.bytes += w2.bytes |
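Review bot: The `if extLength: raise SyntaxError()` branch in the ClientHello extension loop is the right check — RFC 6962 §3.3.1 requires the client's signed_certificate_timestamp extension_data to be empty — but nothing in the hunk says why a non-empty body is rejected, and a bare `SyntaxError()` gives a later reader no hint; add `# RFC 6962 s3.3.1: the client's SCT extension carries no data; anything else is malformed` above the raise. On the ServerHello write side, `w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2)` emits a two-byte length, so a list longer than 65535 bytes cannot be encoded; whether addVarSeq raises or silently truncates is not visible here, so either a length check before the write or a comment stating that the caller must keep the list within 2^16-1 bytes is worth adding. The enclosing parse and write methods both begin and end outside these hunks.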
54 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/
tlslite/tlsconnection.py | 54 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/
tlslite/tlsconnection.py |
55 index e7c5140..45b0bbb 100755 | 55 index b0400f8..4dedc5f 100644 |
56 --- a/third_party/tlslite/tlslite/tlsconnection.py | 56 --- a/third_party/tlslite/tlslite/tlsconnection.py |
57 +++ b/third_party/tlslite/tlslite/tlsconnection.py | 57 +++ b/third_party/tlslite/tlslite/tlsconnection.py |
58 @@ -966,7 +966,7 @@ class TLSConnection(TLSRecordLayer): | 58 @@ -969,7 +969,7 @@ class TLSConnection(TLSRecordLayer): |
59 reqCAs = None, | 59 reqCAs = None, |
60 tacks=None, activationFlags=0, | 60 tacks=None, activationFlags=0, |
61 nextProtos=None, anon=False, | 61 nextProtos=None, anon=False, |
62 - tlsIntolerant=None): | 62 - tlsIntolerant=None): |
63 + tlsIntolerant=None, signedCertTimestamps=None): | 63 + tlsIntolerant=None, signedCertTimestamps=None): |
64 """Perform a handshake in the role of server. | 64 """Perform a handshake in the role of server. |
65 | 65 |
66 This function performs an SSL or TLS handshake. Depending on | 66 This function performs an SSL or TLS handshake. Depending on |
67 @@ -1040,6 +1040,11 @@ class TLSConnection(TLSRecordLayer): | 67 @@ -1043,6 +1043,11 @@ class TLSConnection(TLSRecordLayer): |
68 simulate TLS version intolerance by returning a fatal handshake_failure | 68 simulate TLS version intolerance by returning a fatal handshake_failure |
69 alert to all TLS versions tlsIntolerant or higher. | 69 alert to all TLS versions tlsIntolerant or higher. |
70 | 70 |
71 + @type signedCertTimestamps: str | 71 + @type signedCertTimestamps: str |
72 + @param signedCertTimestamps: A SignedCertificateTimestampList (as a | 72 + @param signedCertTimestamps: A SignedCertificateTimestampList (as a |
73 + binary 8-bit string) that will be sent as a TLS extension whenever | 73 + binary 8-bit string) that will be sent as a TLS extension whenever |
74 + the client announces support for the extension. | 74 + the client announces support for the extension. |
75 + | 75 + |
76 @raise socket.error: If a socket error occurs. | 76 @raise socket.error: If a socket error occurs. |
77 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed | 77 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed |
78 without a preceding alert. | 78 without a preceding alert. |
79 @@ -1051,7 +1056,8 @@ class TLSConnection(TLSRecordLayer): | 79 @@ -1054,7 +1059,8 @@ class TLSConnection(TLSRecordLayer): |
80 certChain, privateKey, reqCert, sessionCache, settings, | 80 certChain, privateKey, reqCert, sessionCache, settings, |
81 checker, reqCAs, | 81 checker, reqCAs, |
82 tacks=tacks, activationFlags=activationFlags, | 82 tacks=tacks, activationFlags=activationFlags, |
83 - nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant): | 83 - nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant): |
84 + nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, | 84 + nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, |
85 + signedCertTimestamps=signedCertTimestamps): | 85 + signedCertTimestamps=signedCertTimestamps): |
86 pass | 86 pass |
87 | 87 |
88 | 88 |
89 @@ -1061,7 +1067,8 @@ class TLSConnection(TLSRecordLayer): | 89 @@ -1064,7 +1070,8 @@ class TLSConnection(TLSRecordLayer): |
90 reqCAs=None, | 90 reqCAs=None, |
91 tacks=None, activationFlags=0, | 91 tacks=None, activationFlags=0, |
92 nextProtos=None, anon=False, | 92 nextProtos=None, anon=False, |
93 - tlsIntolerant=None | 93 - tlsIntolerant=None |
94 + tlsIntolerant=None, | 94 + tlsIntolerant=None, |
95 + signedCertTimestamps=None | 95 + signedCertTimestamps=None |
96 ): | 96 ): |
97 """Start a server handshake operation on the TLS connection. | 97 """Start a server handshake operation on the TLS connection. |
98 | 98 |
99 @@ -1081,7 +1088,8 @@ class TLSConnection(TLSRecordLayer): | 99 @@ -1084,7 +1091,8 @@ class TLSConnection(TLSRecordLayer): |
100 reqCAs=reqCAs, | 100 reqCAs=reqCAs, |
101 tacks=tacks, activationFlags=activationFlags, | 101 tacks=tacks, activationFlags=activationFlags, |
102 nextProtos=nextProtos, anon=anon, | 102 nextProtos=nextProtos, anon=anon, |
103 - tlsIntolerant=tlsIntolerant) | 103 - tlsIntolerant=tlsIntolerant) |
104 + tlsIntolerant=tlsIntolerant, | 104 + tlsIntolerant=tlsIntolerant, |
105 + signedCertTimestamps=signedCertTimestamps) | 105 + signedCertTimestamps=signedCertTimestamps) |
106 for result in self._handshakeWrapperAsync(handshaker, checker): | 106 for result in self._handshakeWrapperAsync(handshaker, checker): |
107 yield result | 107 yield result |
108 | 108 |
109 @@ -1091,7 +1099,7 @@ class TLSConnection(TLSRecordLayer): | 109 @@ -1094,7 +1102,7 @@ class TLSConnection(TLSRecordLayer): |
110 settings, reqCAs, | 110 settings, reqCAs, |
111 tacks, activationFlags, | 111 tacks, activationFlags, |
112 nextProtos, anon, | 112 nextProtos, anon, |
113 - tlsIntolerant): | 113 - tlsIntolerant): |
114 + tlsIntolerant, signedCertTimestamps): | 114 + tlsIntolerant, signedCertTimestamps): |
115 | 115 |
116 self._handshakeStart(client=False) | 116 self._handshakeStart(client=False) |
117 | 117 |
118 @@ -1112,6 +1120,9 @@ class TLSConnection(TLSRecordLayer): | 118 @@ -1115,6 +1123,9 @@ class TLSConnection(TLSRecordLayer): |
119 raise ValueError("tackpy is not loaded") | 119 raise ValueError("tackpy is not loaded") |
120 if not settings or not settings.useExperimentalTackExtension: | 120 if not settings or not settings.useExperimentalTackExtension: |
121 raise ValueError("useExperimentalTackExtension not enabled") | 121 raise ValueError("useExperimentalTackExtension not enabled") |
122 + if signedCertTimestamps and not certChain: | 122 + if signedCertTimestamps and not certChain: |
123 + raise ValueError("Caller passed signedCertTimestamps but no " | 123 + raise ValueError("Caller passed signedCertTimestamps but no " |
124 + "certChain") | 124 + "certChain") |
125 | 125 |
126 if not settings: | 126 if not settings: |
127 settings = HandshakeSettings() | 127 settings = HandshakeSettings() |
128 @@ -1156,6 +1167,8 @@ class TLSConnection(TLSRecordLayer): | 128 @@ -1159,6 +1170,8 @@ class TLSConnection(TLSRecordLayer): |
129 cipherSuite, CertificateType.x509, tackExt, | 129 cipherSuite, CertificateType.x509, tackExt, |
130 nextProtos) | 130 nextProtos) |
131 serverHello.channel_id = clientHello.channel_id | 131 serverHello.channel_id = clientHello.channel_id |
132 + if clientHello.support_signed_cert_timestamps: | 132 + if clientHello.support_signed_cert_timestamps: |
133 + serverHello.signed_cert_timestamps = signedCertTimestamps | 133 + serverHello.signed_cert_timestamps = signedCertTimestamps |
134 | 134 |
135 # Perform the SRP key exchange | 135 # Perform the SRP key exchange |
136 clientCertChain = None | 136 clientCertChain = None |
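Review bot: The new `if signedCertTimestamps and not certChain` guard rejects the one inconsistent combination, but the bytes are then forwarded verbatim into `serverHello.signed_cert_timestamps` without being checked as a SignedCertificateTimestampList, so a malformed value is only discovered by the peer; if that is deliberate for a test server, say so next to the guard, e.g. `# Sent as given: the caller is responsible for a well-formed SignedCertificateTimestampList (RFC 6962 s3.3)`. The extension is attached only on the full-handshake path where the ServerHello is created with CertificateType.x509, which matches RFC 6962 (SCTs accompany the certificate); the resumption path presumably does not send it, and the handshakeServer docstring's "whenever the client announces support" could note that it applies to full handshakes only. The server-handshake helper whose parameter list ends at `tlsIntolerant, signedCertTimestamps):` continues outside the hunk, so the resumption behaviour is inferred rather than visible.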