OLD | NEW |
1 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlsl
ite/constants.py | 1 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlsl
ite/constants.py |
2 index d132b78..ceaa903 100755 | 2 index 69e6067..1a1ace9 100644 |
3 --- a/third_party/tlslite/tlslite/constants.py | 3 --- a/third_party/tlslite/tlslite/constants.py |
4 +++ b/third_party/tlslite/tlslite/constants.py | 4 +++ b/third_party/tlslite/tlslite/constants.py |
5 @@ -30,6 +30,7 @@ class HandshakeType: | 5 @@ -31,6 +31,7 @@ class HandshakeType: |
6 certificate_verify = 15 | 6 certificate_verify = 15 |
7 client_key_exchange = 16 | 7 client_key_exchange = 16 |
8 finished = 20 | 8 finished = 20 |
9 + certificate_status = 22 | 9 + certificate_status = 22 |
10 next_protocol = 67 | 10 next_protocol = 67 |
11 encrypted_extensions = 203 | 11 encrypted_extensions = 203 |
12 | 12 |
13 @@ -40,8 +41,12 @@ class ContentType: | 13 @@ -41,8 +42,12 @@ class ContentType: |
14 application_data = 23 | 14 application_data = 23 |
15 all = (20,21,22,23) | 15 all = (20,21,22,23) |
16 | 16 |
17 +class CertificateStatusType: | 17 +class CertificateStatusType: |
18 + ocsp = 1 | 18 + ocsp = 1 |
19 + | 19 + |
20 class ExtensionType: # RFC 6066 / 4366 | 20 class ExtensionType: # RFC 6066 / 4366 |
21 server_name = 0 # RFC 6066 / 4366 | 21 server_name = 0 # RFC 6066 / 4366 |
22 + status_request = 5 # RFC 6066 / 4366 | 22 + status_request = 5 # RFC 6066 / 4366 |
23 srp = 12 # RFC 5054 | 23 srp = 12 # RFC 5054 |
24 cert_type = 9 # RFC 6091 | 24 cert_type = 9 # RFC 6091 |
25 signed_cert_timestamps = 18 # RFC 6962 | 25 signed_cert_timestamps = 18 # RFC 6962 |
26 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlsli
te/messages.py | 26 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlsli
te/messages.py |
27 index 5a2cd6c..532d86b 100755 | 27 index 876b033..9a8e5f6 100644 |
28 --- a/third_party/tlslite/tlslite/messages.py | 28 --- a/third_party/tlslite/tlslite/messages.py |
29 +++ b/third_party/tlslite/tlslite/messages.py | 29 +++ b/third_party/tlslite/tlslite/messages.py |
30 @@ -114,6 +114,7 @@ class ClientHello(HandshakeMsg): | 30 @@ -115,6 +115,7 @@ class ClientHello(HandshakeMsg): |
31 self.server_name = bytearray(0) | 31 self.server_name = bytearray(0) |
32 self.channel_id = False | 32 self.channel_id = False |
33 self.support_signed_cert_timestamps = False | 33 self.support_signed_cert_timestamps = False |
34 + self.status_request = False | 34 + self.status_request = False |
35 | 35 |
36 def create(self, version, random, session_id, cipher_suites, | 36 def create(self, version, random, session_id, cipher_suites, |
37 certificate_types=None, srpUsername=None, | 37 certificate_types=None, srpUsername=None, |
38 @@ -187,6 +188,19 @@ class ClientHello(HandshakeMsg): | 38 @@ -188,6 +189,19 @@ class ClientHello(HandshakeMsg): |
39 if extLength: | 39 if extLength: |
40 raise SyntaxError() | 40 raise SyntaxError() |
41 self.support_signed_cert_timestamps = True | 41 self.support_signed_cert_timestamps = True |
42 + elif extType == ExtensionType.status_request: | 42 + elif extType == ExtensionType.status_request: |
43 + # Extension contents are currently ignored. | 43 + # Extension contents are currently ignored. |
44 + # According to RFC 6066, this is not strictly forbidden | 44 + # According to RFC 6066, this is not strictly forbidden |
45 + # (although it is suboptimal): | 45 + # (although it is suboptimal): |
46 + # Servers that receive a client hello containing the | 46 + # Servers that receive a client hello containing the |
47 + # "status_request" extension MAY return a suitable | 47 + # "status_request" extension MAY return a suitable |
48 + # certificate status response to the client along with | 48 + # certificate status response to the client along with |
49 + # their certificate. If OCSP is requested, they | 49 + # their certificate. If OCSP is requested, they |
50 + # SHOULD use the information contained in the extension | 50 + # SHOULD use the information contained in the extension |
51 + # when selecting an OCSP responder and SHOULD include | 51 + # when selecting an OCSP responder and SHOULD include |
52 + # request_extensions in the OCSP request. | 52 + # request_extensions in the OCSP request. |
53 + p.getFixBytes(extLength) | 53 + p.getFixBytes(extLength) |
54 + self.status_request = True | 54 + self.status_request = True |
55 else: | 55 else: |
56 _ = p.getFixBytes(extLength) | 56 _ = p.getFixBytes(extLength) |
57 index2 = p.index | 57 index2 = p.index |
58 @@ -253,6 +267,7 @@ class ServerHello(HandshakeMsg): | 58 @@ -254,6 +268,7 @@ class ServerHello(HandshakeMsg): |
59 self.next_protos = None | 59 self.next_protos = None |
60 self.channel_id = False | 60 self.channel_id = False |
61 self.signed_cert_timestamps = None | 61 self.signed_cert_timestamps = None |
62 + self.status_request = False | 62 + self.status_request = False |
63 | 63 |
64 def create(self, version, random, session_id, cipher_suite, | 64 def create(self, version, random, session_id, cipher_suite, |
65 certificate_type, tackExt, next_protos_advertised): | 65 certificate_type, tackExt, next_protos_advertised): |
66 @@ -345,6 +360,9 @@ class ServerHello(HandshakeMsg): | 66 @@ -346,6 +361,9 @@ class ServerHello(HandshakeMsg): |
67 if self.signed_cert_timestamps: | 67 if self.signed_cert_timestamps: |
68 w2.add(ExtensionType.signed_cert_timestamps, 2) | 68 w2.add(ExtensionType.signed_cert_timestamps, 2) |
69 w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2) | 69 w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2) |
70 + if self.status_request: | 70 + if self.status_request: |
71 + w2.add(ExtensionType.status_request, 2) | 71 + w2.add(ExtensionType.status_request, 2) |
72 + w2.add(0, 2) | 72 + w2.add(0, 2) |
73 if len(w2.bytes): | 73 if len(w2.bytes): |
74 w.add(len(w2.bytes), 2) | 74 w.add(len(w2.bytes), 2) |
75 w.bytes += w2.bytes | 75 w.bytes += w2.bytes |
76 @@ -402,6 +420,37 @@ class Certificate(HandshakeMsg): | 76 @@ -403,6 +421,37 @@ class Certificate(HandshakeMsg): |
77 raise AssertionError() | 77 raise AssertionError() |
78 return self.postWrite(w) | 78 return self.postWrite(w) |
79 | 79 |
80 +class CertificateStatus(HandshakeMsg): | 80 +class CertificateStatus(HandshakeMsg): |
81 + def __init__(self): | 81 + def __init__(self): |
82 + HandshakeMsg.__init__(self, HandshakeType.certificate_status) | 82 + HandshakeMsg.__init__(self, HandshakeType.certificate_status) |
83 + | 83 + |
84 + def create(self, ocsp_response): | 84 + def create(self, ocsp_response): |
85 + self.ocsp_response = ocsp_response | 85 + self.ocsp_response = ocsp_response |
86 + return self | 86 + return self |
(...skipping 15 matching lines...) Expand all Loading... |
102 + p.stopLengthCheck() | 102 + p.stopLengthCheck() |
103 + return self | 103 + return self |
104 + | 104 + |
105 + def write(self): | 105 + def write(self): |
106 + w = Writer() | 106 + w = Writer() |
107 + w.add(CertificateStatusType.ocsp, 1) | 107 + w.add(CertificateStatusType.ocsp, 1) |
108 + w.addVarSeq(bytearray(self.ocsp_response), 1, 3) | 108 + w.addVarSeq(bytearray(self.ocsp_response), 1, 3) |
109 + return self.postWrite(w) | 109 + return self.postWrite(w) |
110 + | 110 + |
111 class CertificateRequest(HandshakeMsg): | 111 class CertificateRequest(HandshakeMsg): |
112 def __init__(self): | 112 def __init__(self, version): |
113 HandshakeMsg.__init__(self, HandshakeType.certificate_request) | 113 HandshakeMsg.__init__(self, HandshakeType.certificate_request) |
114 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/
tlslite/tlsconnection.py | 114 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/
tlslite/tlsconnection.py |
115 index bd92161..b9797d2 100755 | 115 index 0563fb5f..5d508ed 100644 |
116 --- a/third_party/tlslite/tlslite/tlsconnection.py | 116 --- a/third_party/tlslite/tlslite/tlsconnection.py |
117 +++ b/third_party/tlslite/tlslite/tlsconnection.py | 117 +++ b/third_party/tlslite/tlslite/tlsconnection.py |
118 @@ -967,7 +967,7 @@ class TLSConnection(TLSRecordLayer): | 118 @@ -970,7 +970,7 @@ class TLSConnection(TLSRecordLayer): |
119 tacks=None, activationFlags=0, | 119 tacks=None, activationFlags=0, |
120 nextProtos=None, anon=False, | 120 nextProtos=None, anon=False, |
121 tlsIntolerant=None, signedCertTimestamps=None, | 121 tlsIntolerant=None, signedCertTimestamps=None, |
122 - fallbackSCSV=False): | 122 - fallbackSCSV=False): |
123 + fallbackSCSV=False, ocspResponse=None): | 123 + fallbackSCSV=False, ocspResponse=None): |
124 """Perform a handshake in the role of server. | 124 """Perform a handshake in the role of server. |
125 | 125 |
126 This function performs an SSL or TLS handshake. Depending on | 126 This function performs an SSL or TLS handshake. Depending on |
127 @@ -1051,6 +1051,16 @@ class TLSConnection(TLSRecordLayer): | 127 @@ -1054,6 +1054,16 @@ class TLSConnection(TLSRecordLayer): |
128 TLS_FALLBACK_SCSV and thus reject connections using less than the | 128 TLS_FALLBACK_SCSV and thus reject connections using less than the |
129 server's maximum TLS version that include this cipher suite. | 129 server's maximum TLS version that include this cipher suite. |
130 | 130 |
131 + @type ocspResponse: str | 131 + @type ocspResponse: str |
132 + @param ocspResponse: An OCSP response (as a binary 8-bit string) that | 132 + @param ocspResponse: An OCSP response (as a binary 8-bit string) that |
133 + will be sent stapled in the handshake whenever the client announces | 133 + will be sent stapled in the handshake whenever the client announces |
134 + support for the status_request extension. | 134 + support for the status_request extension. |
135 + Note that the response is sent independent of the ClientHello | 135 + Note that the response is sent independent of the ClientHello |
136 + status_request extension contents, and is thus only meant for testing | 136 + status_request extension contents, and is thus only meant for testing |
137 + environments. Real OCSP stapling is more complicated as it requires | 137 + environments. Real OCSP stapling is more complicated as it requires |
138 + choosing a suitable response based on the ClientHello status_request | 138 + choosing a suitable response based on the ClientHello status_request |
139 + extension contents. | 139 + extension contents. |
140 + | 140 + |
141 @raise socket.error: If a socket error occurs. | 141 @raise socket.error: If a socket error occurs. |
142 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed | 142 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed |
143 without a preceding alert. | 143 without a preceding alert. |
144 @@ -1064,7 +1074,7 @@ class TLSConnection(TLSRecordLayer): | 144 @@ -1067,7 +1077,7 @@ class TLSConnection(TLSRecordLayer): |
145 tacks=tacks, activationFlags=activationFlags, | 145 tacks=tacks, activationFlags=activationFlags, |
146 nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, | 146 nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, |
147 signedCertTimestamps=signedCertTimestamps, | 147 signedCertTimestamps=signedCertTimestamps, |
148 - fallbackSCSV=fallbackSCSV): | 148 - fallbackSCSV=fallbackSCSV): |
149 + fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse): | 149 + fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse): |
150 pass | 150 pass |
151 | 151 |
152 | 152 |
153 @@ -1076,7 +1086,8 @@ class TLSConnection(TLSRecordLayer): | 153 @@ -1079,7 +1089,8 @@ class TLSConnection(TLSRecordLayer): |
154 nextProtos=None, anon=False, | 154 nextProtos=None, anon=False, |
155 tlsIntolerant=None, | 155 tlsIntolerant=None, |
156 signedCertTimestamps=None, | 156 signedCertTimestamps=None, |
157 - fallbackSCSV=False | 157 - fallbackSCSV=False |
158 + fallbackSCSV=False, | 158 + fallbackSCSV=False, |
159 + ocspResponse=None | 159 + ocspResponse=None |
160 ): | 160 ): |
161 """Start a server handshake operation on the TLS connection. | 161 """Start a server handshake operation on the TLS connection. |
162 | 162 |
163 @@ -1098,7 +1109,8 @@ class TLSConnection(TLSRecordLayer): | 163 @@ -1101,7 +1112,8 @@ class TLSConnection(TLSRecordLayer): |
164 nextProtos=nextProtos, anon=anon, | 164 nextProtos=nextProtos, anon=anon, |
165 tlsIntolerant=tlsIntolerant, | 165 tlsIntolerant=tlsIntolerant, |
166 signedCertTimestamps=signedCertTimestamps, | 166 signedCertTimestamps=signedCertTimestamps, |
167 - fallbackSCSV=fallbackSCSV) | 167 - fallbackSCSV=fallbackSCSV) |
168 + fallbackSCSV=fallbackSCSV, | 168 + fallbackSCSV=fallbackSCSV, |
169 + ocspResponse=ocspResponse) | 169 + ocspResponse=ocspResponse) |
170 for result in self._handshakeWrapperAsync(handshaker, checker): | 170 for result in self._handshakeWrapperAsync(handshaker, checker): |
171 yield result | 171 yield result |
172 | 172 |
173 @@ -1108,7 +1120,8 @@ class TLSConnection(TLSRecordLayer): | 173 @@ -1111,7 +1123,8 @@ class TLSConnection(TLSRecordLayer): |
174 settings, reqCAs, | 174 settings, reqCAs, |
175 tacks, activationFlags, | 175 tacks, activationFlags, |
176 nextProtos, anon, | 176 nextProtos, anon, |
177 - tlsIntolerant, signedCertTimestamps, fallbackSCSV)
: | 177 - tlsIntolerant, signedCertTimestamps, fallbackSCSV)
: |
178 + tlsIntolerant, signedCertTimestamps, fallbackSCSV, | 178 + tlsIntolerant, signedCertTimestamps, fallbackSCSV, |
179 + ocspResponse): | 179 + ocspResponse): |
180 | 180 |
181 self._handshakeStart(client=False) | 181 self._handshakeStart(client=False) |
182 | 182 |
183 @@ -1178,6 +1191,8 @@ class TLSConnection(TLSRecordLayer): | 183 @@ -1181,6 +1194,8 @@ class TLSConnection(TLSRecordLayer): |
184 serverHello.channel_id = clientHello.channel_id | 184 serverHello.channel_id = clientHello.channel_id |
185 if clientHello.support_signed_cert_timestamps: | 185 if clientHello.support_signed_cert_timestamps: |
186 serverHello.signed_cert_timestamps = signedCertTimestamps | 186 serverHello.signed_cert_timestamps = signedCertTimestamps |
187 + if clientHello.status_request: | 187 + if clientHello.status_request: |
188 + serverHello.status_request = ocspResponse | 188 + serverHello.status_request = ocspResponse |
189 | 189 |
190 # Perform the SRP key exchange | 190 # Perform the SRP key exchange |
191 clientCertChain = None | 191 clientCertChain = None |
192 @@ -1194,7 +1209,7 @@ class TLSConnection(TLSRecordLayer): | 192 @@ -1197,7 +1212,7 @@ class TLSConnection(TLSRecordLayer): |
193 for result in self._serverCertKeyExchange(clientHello, serverHello,
| 193 for result in self._serverCertKeyExchange(clientHello, serverHello,
|
194 certChain, privateKey, | 194 certChain, privateKey, |
195 reqCert, reqCAs, cipherSuite, | 195 reqCert, reqCAs, cipherSuite, |
196 - settings): | 196 - settings): |
197 + settings, ocspResponse): | 197 + settings, ocspResponse): |
198 if result in (0,1): yield result | 198 if result in (0,1): yield result |
199 else: break | 199 else: break |
200 (premasterSecret, clientCertChain) = result | 200 (premasterSecret, clientCertChain) = result |
201 @@ -1471,7 +1486,7 @@ class TLSConnection(TLSRecordLayer): | 201 @@ -1475,7 +1490,7 @@ class TLSConnection(TLSRecordLayer): |
202 def _serverCertKeyExchange(self, clientHello, serverHello, | 202 def _serverCertKeyExchange(self, clientHello, serverHello, |
203 serverCertChain, privateKey, | 203 serverCertChain, privateKey, |
204 reqCert, reqCAs, cipherSuite, | 204 reqCert, reqCAs, cipherSuite, |
205 - settings): | 205 - settings): |
206 + settings, ocspResponse): | 206 + settings, ocspResponse): |
207 #Send ServerHello, Certificate[, CertificateRequest], | 207 #Send ServerHello, Certificate[, CertificateRequest], |
208 #ServerHelloDone | 208 #ServerHelloDone |
209 msgs = [] | 209 msgs = [] |
210 @@ -1481,6 +1496,8 @@ class TLSConnection(TLSRecordLayer): | 210 @@ -1485,6 +1500,8 @@ class TLSConnection(TLSRecordLayer): |
211 | 211 |
212 msgs.append(serverHello) | 212 msgs.append(serverHello) |
213 msgs.append(Certificate(CertificateType.x509).create(serverCertChain)) | 213 msgs.append(Certificate(CertificateType.x509).create(serverCertChain)) |
214 + if serverHello.status_request: | 214 + if serverHello.status_request: |
215 + msgs.append(CertificateStatus().create(ocspResponse)) | 215 + msgs.append(CertificateStatus().create(ocspResponse)) |
216 if reqCert and reqCAs: | 216 if reqCert and reqCAs: |
217 msgs.append(CertificateRequest().create(\ | 217 msgs.append(CertificateRequest().create(\ |
218 [ClientCertificateType.rsa_sign], reqCAs)) | 218 [ClientCertificateType.rsa_sign], reqCAs)) |
OLD | NEW |