
Side by Side Diff: third_party/tlslite/patches/status_request.patch

Issue 858373002: Update third_party/tlslite to 0.4.8. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Finish fixing client auth Created 5 years, 11 months ago
1 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlsl ite/constants.py 1 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlsl ite/constants.py
2 index d132b78..ceaa903 100755 2 index 69e6067..1a1ace9 100644
3 --- a/third_party/tlslite/tlslite/constants.py 3 --- a/third_party/tlslite/tlslite/constants.py
4 +++ b/third_party/tlslite/tlslite/constants.py 4 +++ b/third_party/tlslite/tlslite/constants.py
5 @@ -30,6 +30,7 @@ class HandshakeType: 5 @@ -31,6 +31,7 @@ class HandshakeType:
6 certificate_verify = 15 6 certificate_verify = 15
7 client_key_exchange = 16 7 client_key_exchange = 16
8 finished = 20 8 finished = 20
9 + certificate_status = 22 9 + certificate_status = 22
10 next_protocol = 67 10 next_protocol = 67
11 encrypted_extensions = 203 11 encrypted_extensions = 203
12 12
13 @@ -40,8 +41,12 @@ class ContentType: 13 @@ -41,8 +42,12 @@ class ContentType:
14 application_data = 23 14 application_data = 23
15 all = (20,21,22,23) 15 all = (20,21,22,23)
16 16
17 +class CertificateStatusType: 17 +class CertificateStatusType:
18 + ocsp = 1 18 + ocsp = 1
19 + 19 +
20 class ExtensionType: # RFC 6066 / 4366 20 class ExtensionType: # RFC 6066 / 4366
21 server_name = 0 # RFC 6066 / 4366 21 server_name = 0 # RFC 6066 / 4366
22 + status_request = 5 # RFC 6066 / 4366 22 + status_request = 5 # RFC 6066 / 4366
23 srp = 12 # RFC 5054 23 srp = 12 # RFC 5054
24 cert_type = 9 # RFC 6091 24 cert_type = 9 # RFC 6091
25 signed_cert_timestamps = 18 # RFC 6962 25 signed_cert_timestamps = 18 # RFC 6962
26 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlsli te/messages.py 26 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlsli te/messages.py
27 index 5a2cd6c..532d86b 100755 27 index 876b033..9a8e5f6 100644
28 --- a/third_party/tlslite/tlslite/messages.py 28 --- a/third_party/tlslite/tlslite/messages.py
29 +++ b/third_party/tlslite/tlslite/messages.py 29 +++ b/third_party/tlslite/tlslite/messages.py
30 @@ -114,6 +114,7 @@ class ClientHello(HandshakeMsg): 30 @@ -115,6 +115,7 @@ class ClientHello(HandshakeMsg):
31 self.server_name = bytearray(0) 31 self.server_name = bytearray(0)
32 self.channel_id = False 32 self.channel_id = False
33 self.support_signed_cert_timestamps = False 33 self.support_signed_cert_timestamps = False
34 + self.status_request = False 34 + self.status_request = False
35 35
36 def create(self, version, random, session_id, cipher_suites, 36 def create(self, version, random, session_id, cipher_suites,
37 certificate_types=None, srpUsername=None, 37 certificate_types=None, srpUsername=None,
38 @@ -187,6 +188,19 @@ class ClientHello(HandshakeMsg): 38 @@ -188,6 +189,19 @@ class ClientHello(HandshakeMsg):
39 if extLength: 39 if extLength:
40 raise SyntaxError() 40 raise SyntaxError()
41 self.support_signed_cert_timestamps = True 41 self.support_signed_cert_timestamps = True
42 + elif extType == ExtensionType.status_request: 42 + elif extType == ExtensionType.status_request:
43 + # Extension contents are currently ignored. 43 + # Extension contents are currently ignored.
44 + # According to RFC 6066, this is not strictly forbidden 44 + # According to RFC 6066, this is not strictly forbidden
45 + # (although it is suboptimal): 45 + # (although it is suboptimal):
46 + # Servers that receive a client hello containing the 46 + # Servers that receive a client hello containing the
47 + # "status_request" extension MAY return a suitable 47 + # "status_request" extension MAY return a suitable
48 + # certificate status response to the client along with 48 + # certificate status response to the client along with
49 + # their certificate. If OCSP is requested, they 49 + # their certificate. If OCSP is requested, they
50 + # SHOULD use the information contained in the extension 50 + # SHOULD use the information contained in the extension
51 + # when selecting an OCSP responder and SHOULD include 51 + # when selecting an OCSP responder and SHOULD include
52 + # request_extensions in the OCSP request. 52 + # request_extensions in the OCSP request.
53 + p.getFixBytes(extLength) 53 + p.getFixBytes(extLength)
54 + self.status_request = True 54 + self.status_request = True
55 else: 55 else:
56 _ = p.getFixBytes(extLength) 56 _ = p.getFixBytes(extLength)
57 index2 = p.index 57 index2 = p.index
58 @@ -253,6 +267,7 @@ class ServerHello(HandshakeMsg): 58 @@ -254,6 +268,7 @@ class ServerHello(HandshakeMsg):
59 self.next_protos = None 59 self.next_protos = None
60 self.channel_id = False 60 self.channel_id = False
61 self.signed_cert_timestamps = None 61 self.signed_cert_timestamps = None
62 + self.status_request = False 62 + self.status_request = False
63 63
64 def create(self, version, random, session_id, cipher_suite, 64 def create(self, version, random, session_id, cipher_suite,
65 certificate_type, tackExt, next_protos_advertised): 65 certificate_type, tackExt, next_protos_advertised):
66 @@ -345,6 +360,9 @@ class ServerHello(HandshakeMsg): 66 @@ -346,6 +361,9 @@ class ServerHello(HandshakeMsg):
67 if self.signed_cert_timestamps: 67 if self.signed_cert_timestamps:
68 w2.add(ExtensionType.signed_cert_timestamps, 2) 68 w2.add(ExtensionType.signed_cert_timestamps, 2)
69 w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2) 69 w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2)
70 + if self.status_request: 70 + if self.status_request:
71 + w2.add(ExtensionType.status_request, 2) 71 + w2.add(ExtensionType.status_request, 2)
72 + w2.add(0, 2) 72 + w2.add(0, 2)
73 if len(w2.bytes): 73 if len(w2.bytes):
74 w.add(len(w2.bytes), 2) 74 w.add(len(w2.bytes), 2)
75 w.bytes += w2.bytes 75 w.bytes += w2.bytes
76 @@ -402,6 +420,37 @@ class Certificate(HandshakeMsg): 76 @@ -403,6 +421,37 @@ class Certificate(HandshakeMsg):
77 raise AssertionError() 77 raise AssertionError()
78 return self.postWrite(w) 78 return self.postWrite(w)
79 79
80 +class CertificateStatus(HandshakeMsg): 80 +class CertificateStatus(HandshakeMsg):
81 + def __init__(self): 81 + def __init__(self):
82 + HandshakeMsg.__init__(self, HandshakeType.certificate_status) 82 + HandshakeMsg.__init__(self, HandshakeType.certificate_status)
83 + 83 +
84 + def create(self, ocsp_response): 84 + def create(self, ocsp_response):
85 + self.ocsp_response = ocsp_response 85 + self.ocsp_response = ocsp_response
86 + return self 86 + return self
(...skipping 15 matching lines...) Expand all
102 + p.stopLengthCheck() 102 + p.stopLengthCheck()
103 + return self 103 + return self
104 + 104 +
105 + def write(self): 105 + def write(self):
106 + w = Writer() 106 + w = Writer()
107 + w.add(CertificateStatusType.ocsp, 1) 107 + w.add(CertificateStatusType.ocsp, 1)
108 + w.addVarSeq(bytearray(self.ocsp_response), 1, 3) 108 + w.addVarSeq(bytearray(self.ocsp_response), 1, 3)
109 + return self.postWrite(w) 109 + return self.postWrite(w)
110 + 110 +
111 class CertificateRequest(HandshakeMsg): 111 class CertificateRequest(HandshakeMsg):
112 def __init__(self): 112 def __init__(self, version):
113 HandshakeMsg.__init__(self, HandshakeType.certificate_request) 113 HandshakeMsg.__init__(self, HandshakeType.certificate_request)
114 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/ tlslite/tlsconnection.py 114 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/ tlslite/tlsconnection.py
115 index bd92161..b9797d2 100755 115 index 0563fb5f..5d508ed 100644
116 --- a/third_party/tlslite/tlslite/tlsconnection.py 116 --- a/third_party/tlslite/tlslite/tlsconnection.py
117 +++ b/third_party/tlslite/tlslite/tlsconnection.py 117 +++ b/third_party/tlslite/tlslite/tlsconnection.py
118 @@ -967,7 +967,7 @@ class TLSConnection(TLSRecordLayer): 118 @@ -970,7 +970,7 @@ class TLSConnection(TLSRecordLayer):
119 tacks=None, activationFlags=0, 119 tacks=None, activationFlags=0,
120 nextProtos=None, anon=False, 120 nextProtos=None, anon=False,
121 tlsIntolerant=None, signedCertTimestamps=None, 121 tlsIntolerant=None, signedCertTimestamps=None,
122 - fallbackSCSV=False): 122 - fallbackSCSV=False):
123 + fallbackSCSV=False, ocspResponse=None): 123 + fallbackSCSV=False, ocspResponse=None):
124 """Perform a handshake in the role of server. 124 """Perform a handshake in the role of server.
125 125
126 This function performs an SSL or TLS handshake. Depending on 126 This function performs an SSL or TLS handshake. Depending on
127 @@ -1051,6 +1051,16 @@ class TLSConnection(TLSRecordLayer): 127 @@ -1054,6 +1054,16 @@ class TLSConnection(TLSRecordLayer):
128 TLS_FALLBACK_SCSV and thus reject connections using less than the 128 TLS_FALLBACK_SCSV and thus reject connections using less than the
129 server's maximum TLS version that include this cipher suite. 129 server's maximum TLS version that include this cipher suite.
130 130
131 + @type ocspResponse: str 131 + @type ocspResponse: str
132 + @param ocspResponse: An OCSP response (as a binary 8-bit string) that 132 + @param ocspResponse: An OCSP response (as a binary 8-bit string) that
133 + will be sent stapled in the handshake whenever the client announces 133 + will be sent stapled in the handshake whenever the client announces
134 + support for the status_request extension. 134 + support for the status_request extension.
135 + Note that the response is sent independent of the ClientHello 135 + Note that the response is sent independent of the ClientHello
136 + status_request extension contents, and is thus only meant for testing 136 + status_request extension contents, and is thus only meant for testing
137 + environments. Real OCSP stapling is more complicated as it requires 137 + environments. Real OCSP stapling is more complicated as it requires
138 + choosing a suitable response based on the ClientHello status_request 138 + choosing a suitable response based on the ClientHello status_request
139 + extension contents. 139 + extension contents.
140 + 140 +
141 @raise socket.error: If a socket error occurs. 141 @raise socket.error: If a socket error occurs.
142 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed 142 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
143 without a preceding alert. 143 without a preceding alert.
144 @@ -1064,7 +1074,7 @@ class TLSConnection(TLSRecordLayer): 144 @@ -1067,7 +1077,7 @@ class TLSConnection(TLSRecordLayer):
145 tacks=tacks, activationFlags=activationFlags, 145 tacks=tacks, activationFlags=activationFlags,
146 nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, 146 nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant,
147 signedCertTimestamps=signedCertTimestamps, 147 signedCertTimestamps=signedCertTimestamps,
148 - fallbackSCSV=fallbackSCSV): 148 - fallbackSCSV=fallbackSCSV):
149 + fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse): 149 + fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse):
150 pass 150 pass
151 151
152 152
153 @@ -1076,7 +1086,8 @@ class TLSConnection(TLSRecordLayer): 153 @@ -1079,7 +1089,8 @@ class TLSConnection(TLSRecordLayer):
154 nextProtos=None, anon=False, 154 nextProtos=None, anon=False,
155 tlsIntolerant=None, 155 tlsIntolerant=None,
156 signedCertTimestamps=None, 156 signedCertTimestamps=None,
157 - fallbackSCSV=False 157 - fallbackSCSV=False
158 + fallbackSCSV=False, 158 + fallbackSCSV=False,
159 + ocspResponse=None 159 + ocspResponse=None
160 ): 160 ):
161 """Start a server handshake operation on the TLS connection. 161 """Start a server handshake operation on the TLS connection.
162 162
163 @@ -1098,7 +1109,8 @@ class TLSConnection(TLSRecordLayer): 163 @@ -1101,7 +1112,8 @@ class TLSConnection(TLSRecordLayer):
164 nextProtos=nextProtos, anon=anon, 164 nextProtos=nextProtos, anon=anon,
165 tlsIntolerant=tlsIntolerant, 165 tlsIntolerant=tlsIntolerant,
166 signedCertTimestamps=signedCertTimestamps, 166 signedCertTimestamps=signedCertTimestamps,
167 - fallbackSCSV=fallbackSCSV) 167 - fallbackSCSV=fallbackSCSV)
168 + fallbackSCSV=fallbackSCSV, 168 + fallbackSCSV=fallbackSCSV,
169 + ocspResponse=ocspResponse) 169 + ocspResponse=ocspResponse)
170 for result in self._handshakeWrapperAsync(handshaker, checker): 170 for result in self._handshakeWrapperAsync(handshaker, checker):
171 yield result 171 yield result
172 172
173 @@ -1108,7 +1120,8 @@ class TLSConnection(TLSRecordLayer): 173 @@ -1111,7 +1123,8 @@ class TLSConnection(TLSRecordLayer):
174 settings, reqCAs, 174 settings, reqCAs,
175 tacks, activationFlags, 175 tacks, activationFlags,
176 nextProtos, anon, 176 nextProtos, anon,
177 - tlsIntolerant, signedCertTimestamps, fallbackSCSV) : 177 - tlsIntolerant, signedCertTimestamps, fallbackSCSV) :
178 + tlsIntolerant, signedCertTimestamps, fallbackSCSV, 178 + tlsIntolerant, signedCertTimestamps, fallbackSCSV,
179 + ocspResponse): 179 + ocspResponse):
180 180
181 self._handshakeStart(client=False) 181 self._handshakeStart(client=False)
182 182
183 @@ -1178,6 +1191,8 @@ class TLSConnection(TLSRecordLayer): 183 @@ -1181,6 +1194,8 @@ class TLSConnection(TLSRecordLayer):
184 serverHello.channel_id = clientHello.channel_id 184 serverHello.channel_id = clientHello.channel_id
185 if clientHello.support_signed_cert_timestamps: 185 if clientHello.support_signed_cert_timestamps:
186 serverHello.signed_cert_timestamps = signedCertTimestamps 186 serverHello.signed_cert_timestamps = signedCertTimestamps
187 + if clientHello.status_request: 187 + if clientHello.status_request:
188 + serverHello.status_request = ocspResponse 188 + serverHello.status_request = ocspResponse
189 189
190 # Perform the SRP key exchange 190 # Perform the SRP key exchange
191 clientCertChain = None 191 clientCertChain = None
192 @@ -1194,7 +1209,7 @@ class TLSConnection(TLSRecordLayer): 192 @@ -1197,7 +1212,7 @@ class TLSConnection(TLSRecordLayer):
193 for result in self._serverCertKeyExchange(clientHello, serverHello, 193 for result in self._serverCertKeyExchange(clientHello, serverHello,
194 certChain, privateKey, 194 certChain, privateKey,
195 reqCert, reqCAs, cipherSuite, 195 reqCert, reqCAs, cipherSuite,
196 - settings): 196 - settings):
197 + settings, ocspResponse): 197 + settings, ocspResponse):
198 if result in (0,1): yield result 198 if result in (0,1): yield result
199 else: break 199 else: break
200 (premasterSecret, clientCertChain) = result 200 (premasterSecret, clientCertChain) = result
201 @@ -1471,7 +1486,7 @@ class TLSConnection(TLSRecordLayer): 201 @@ -1475,7 +1490,7 @@ class TLSConnection(TLSRecordLayer):
202 def _serverCertKeyExchange(self, clientHello, serverHello, 202 def _serverCertKeyExchange(self, clientHello, serverHello,
203 serverCertChain, privateKey, 203 serverCertChain, privateKey,
204 reqCert, reqCAs, cipherSuite, 204 reqCert, reqCAs, cipherSuite,
205 - settings): 205 - settings):
206 + settings, ocspResponse): 206 + settings, ocspResponse):
207 #Send ServerHello, Certificate[, CertificateRequest], 207 #Send ServerHello, Certificate[, CertificateRequest],
208 #ServerHelloDone 208 #ServerHelloDone
209 msgs = [] 209 msgs = []
210 @@ -1481,6 +1496,8 @@ class TLSConnection(TLSRecordLayer): 210 @@ -1485,6 +1500,8 @@ class TLSConnection(TLSRecordLayer):
211 211
212 msgs.append(serverHello) 212 msgs.append(serverHello)
213 msgs.append(Certificate(CertificateType.x509).create(serverCertChain)) 213 msgs.append(Certificate(CertificateType.x509).create(serverCertChain))
214 + if serverHello.status_request: 214 + if serverHello.status_request:
215 + msgs.append(CertificateStatus().create(ocspResponse)) 215 + msgs.append(CertificateStatus().create(ocspResponse))
216 if reqCert and reqCAs: 216 if reqCert and reqCAs:
217 msgs.append(CertificateRequest().create(\ 217 msgs.append(CertificateRequest().create(\
218 [ClientCertificateType.rsa_sign], reqCAs)) 218 [ClientCertificateType.rsa_sign], reqCAs))
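Review bot: The ClientHello parser marks `status_request = True` for any extension payload, and the server then always replies with a CertificateStatus of type ocsp, so a client that asked for a different `status_type` (or sent a malformed extension) still receives an OCSP-typed reply; even for a test server it is worth recording the requested type, e.g. `ext = p.getFixBytes(extLength)` followed by `self.status_request = len(ext) >= 1 and ext[0] == CertificateStatusType.ocsp`, so the comment "contents are currently ignored" can be dropped. A second thing to watch: `serverHello.status_request` is assigned from `ocspResponse` just before the SRP key-exchange branch, while the CertificateStatus message is only appended in `_serverCertKeyExchange`, so on what appears to be the non-certificate paths the ServerHello advertises the extension without a following message — RFC 6066 permits this, but a one-line comment at the assignment would save the next reader the trace. The enclosing `ClientHello.parse` and the server handshake helper both extend beyond the hunks shown here.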