Index: third_party/tlslite/patches/req_cert_types.patch |
diff --git a/third_party/tlslite/patches/req_cert_types.patch b/third_party/tlslite/patches/req_cert_types.patch |
index 2774e777968878c3a58a75f47067b10a299d5477..4e690030f59d44caaab0a049f60ae74c05671996 100644 |
--- a/third_party/tlslite/patches/req_cert_types.patch |
+++ b/third_party/tlslite/patches/req_cert_types.patch |
@@ -1,11 +1,11 @@ |
diff --git a/third_party/tlslite/tlslite/api.py b/third_party/tlslite/tlslite/api.py |
-index faef6cb..562fb81 100644 |
+index fa6a18c..aabcc14 100644 |
--- a/third_party/tlslite/tlslite/api.py |
+++ b/third_party/tlslite/tlslite/api.py |
@@ -2,7 +2,8 @@ |
# See the LICENSE file for legal information regarding use of this file. |
- __version__ = "0.4.6" |
+ __version__ = "0.4.8" |
-from .constants import AlertLevel, AlertDescription, Fault |
+from .constants import AlertLevel, AlertDescription, ClientCertificateType, \ |
+ Fault |
@@ -13,10 +13,10 @@ index faef6cb..562fb81 100644 |
from .checker import Checker |
from .handshakesettings import HandshakeSettings |
diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py |
-index 30d1f9f..457b339 100644 |
+index d2d50c5..7ee70be 100644 |
--- a/third_party/tlslite/tlslite/constants.py |
+++ b/third_party/tlslite/tlslite/constants.py |
-@@ -14,10 +14,14 @@ class CertificateType: |
+@@ -15,10 +15,14 @@ class CertificateType: |
openpgp = 1 |
class ClientCertificateType: |
@@ -32,25 +32,34 @@ index 30d1f9f..457b339 100644 |
class HandshakeType: |
hello_request = 0 |
diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py |
-index 550b387..c8a913c 100644 |
+index 8b77ee6..e1be195 100644 |
--- a/third_party/tlslite/tlslite/messages.py |
+++ b/third_party/tlslite/tlslite/messages.py |
-@@ -454,9 +454,7 @@ class CertificateStatus(HandshakeMsg): |
+@@ -455,17 +455,14 @@ class CertificateStatus(HandshakeMsg): |
class CertificateRequest(HandshakeMsg): |
- def __init__(self): |
+ def __init__(self, version): |
HandshakeMsg.__init__(self, HandshakeType.certificate_request) |
- #Apple's Secure Transport library rejects empty certificate_types, so |
- #default to rsa_sign. |
- self.certificate_types = [ClientCertificateType.rsa_sign] |
+ self.certificate_types = [] |
self.certificate_authorities = [] |
+ self.version = version |
+ self.supported_signature_algs = [] |
+ |
+- def create(self, certificate_types, certificate_authorities, sig_algs=(), version=(3,0)): |
++ def create(self, certificate_types, certificate_authorities, sig_algs=()): |
+ self.certificate_types = certificate_types |
+ self.certificate_authorities = certificate_authorities |
+- self.version = version |
+ self.supported_signature_algs = sig_algs |
+ return self |
- def create(self, certificate_types, certificate_authorities): |
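Review bot: The rebased `create` signature on L54 drops the `version=(3,0)` keyword that the upstream 0.4.8 method on L53 accepts, so any caller that still passes `version=` now raises `TypeError`; the only call site this patch updates is the server path in tlsconnection.py, and other in-tree callers are not visible from here. Since the version now lives on the instance via `__init__(self, version)` (L43, L50), the keyword can be kept for compatibility and reconciled with the stored value: `def create(self, certificate_types, certificate_authorities, sig_algs=(), version=None):` followed by `if version is not None: self.version = version`. The `CertificateRequest` class itself starts outside this hunk, and `create`'s upstream body also continues past it. A one-line docstring on `__init__` stating that `version` is the protocol version the request is encoded for (presumably the negotiated one — confirm against the serializer) would help the next rebase.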
diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py |
-index e6f7820..044ad59 100644 |
+index f6d13d4..f8547d5 100644 |
--- a/third_party/tlslite/tlslite/tlsconnection.py |
+++ b/third_party/tlslite/tlslite/tlsconnection.py |
-@@ -1062,7 +1062,7 @@ class TLSConnection(TLSRecordLayer): |
+@@ -1070,7 +1070,7 @@ class TLSConnection(TLSRecordLayer): |
def handshakeServer(self, verifierDB=None, |
certChain=None, privateKey=None, reqCert=False, |
sessionCache=None, settings=None, checker=None, |
@@ -59,7 +68,7 @@ index e6f7820..044ad59 100644 |
tacks=None, activationFlags=0, |
nextProtos=None, anon=False, |
tlsIntolerant=None, signedCertTimestamps=None, |
-@@ -1130,6 +1130,10 @@ class TLSConnection(TLSRecordLayer): |
+@@ -1138,6 +1138,10 @@ class TLSConnection(TLSRecordLayer): |
will be sent along with a certificate request. This does not affect |
verification. |
@@ -70,7 +79,7 @@ index e6f7820..044ad59 100644 |
@type nextProtos: list of strings. |
@param nextProtos: A list of upper layer protocols to expose to the |
clients through the Next-Protocol Negotiation Extension, |
-@@ -1169,7 +1173,7 @@ class TLSConnection(TLSRecordLayer): |
+@@ -1177,7 +1181,7 @@ class TLSConnection(TLSRecordLayer): |
""" |
for result in self.handshakeServerAsync(verifierDB, |
certChain, privateKey, reqCert, sessionCache, settings, |
@@ -79,7 +88,7 @@ index e6f7820..044ad59 100644 |
tacks=tacks, activationFlags=activationFlags, |
nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, |
signedCertTimestamps=signedCertTimestamps, |
-@@ -1180,7 +1184,7 @@ class TLSConnection(TLSRecordLayer): |
+@@ -1188,7 +1192,7 @@ class TLSConnection(TLSRecordLayer): |
def handshakeServerAsync(self, verifierDB=None, |
certChain=None, privateKey=None, reqCert=False, |
sessionCache=None, settings=None, checker=None, |
@@ -88,7 +97,7 @@ index e6f7820..044ad59 100644 |
tacks=None, activationFlags=0, |
nextProtos=None, anon=False, |
tlsIntolerant=None, |
-@@ -1203,7 +1207,7 @@ class TLSConnection(TLSRecordLayer): |
+@@ -1211,7 +1215,7 @@ class TLSConnection(TLSRecordLayer): |
verifierDB=verifierDB, certChain=certChain, |
privateKey=privateKey, reqCert=reqCert, |
sessionCache=sessionCache, settings=settings, |
@@ -97,7 +106,7 @@ index e6f7820..044ad59 100644 |
tacks=tacks, activationFlags=activationFlags, |
nextProtos=nextProtos, anon=anon, |
tlsIntolerant=tlsIntolerant, |
-@@ -1216,7 +1220,7 @@ class TLSConnection(TLSRecordLayer): |
+@@ -1224,7 +1228,7 @@ class TLSConnection(TLSRecordLayer): |
def _handshakeServerAsyncHelper(self, verifierDB, |
certChain, privateKey, reqCert, sessionCache, |
@@ -106,7 +115,7 @@ index e6f7820..044ad59 100644 |
tacks, activationFlags, |
nextProtos, anon, |
tlsIntolerant, signedCertTimestamps, fallbackSCSV, |
-@@ -1232,6 +1236,8 @@ class TLSConnection(TLSRecordLayer): |
+@@ -1240,6 +1244,8 @@ class TLSConnection(TLSRecordLayer): |
raise ValueError("Caller passed a privateKey but no certChain") |
if reqCAs and not reqCert: |
raise ValueError("Caller passed reqCAs but not reqCert") |
@@ -115,7 +124,7 @@ index e6f7820..044ad59 100644 |
if certChain and not isinstance(certChain, X509CertChain): |
raise ValueError("Unrecognized certificate type") |
if activationFlags and not tacks: |
-@@ -1320,7 +1326,7 @@ class TLSConnection(TLSRecordLayer): |
+@@ -1328,7 +1334,7 @@ class TLSConnection(TLSRecordLayer): |
assert(False) |
for result in self._serverCertKeyExchange(clientHello, serverHello, |
certChain, keyExchange, |
@@ -124,7 +133,7 @@ index e6f7820..044ad59 100644 |
settings, ocspResponse): |
if result in (0,1): yield result |
else: break |
-@@ -1597,7 +1603,7 @@ class TLSConnection(TLSRecordLayer): |
+@@ -1607,7 +1613,7 @@ class TLSConnection(TLSRecordLayer): |
def _serverCertKeyExchange(self, clientHello, serverHello, |
serverCertChain, keyExchange, |
@@ -133,7 +142,7 @@ index e6f7820..044ad59 100644 |
settings, ocspResponse): |
#Send ServerHello, Certificate[, ServerKeyExchange] |
#[, CertificateRequest], ServerHelloDone |
-@@ -1613,11 +1619,12 @@ class TLSConnection(TLSRecordLayer): |
+@@ -1623,11 +1629,13 @@ class TLSConnection(TLSRecordLayer): |
serverKeyExchange = keyExchange.makeServerKeyExchange() |
if serverKeyExchange is not None: |
msgs.append(serverKeyExchange) |
@@ -141,13 +150,14 @@ index e6f7820..044ad59 100644 |
- msgs.append(CertificateRequest().create(\ |
- [ClientCertificateType.rsa_sign], reqCAs)) |
- elif reqCert: |
-- msgs.append(CertificateRequest()) |
+- msgs.append(CertificateRequest(self.version)) |
+ if reqCert: |
+ reqCAs = reqCAs or [] |
+ #Apple's Secure Transport library rejects empty certificate_types, |
+ #so default to rsa_sign. |
+ reqCertTypes = reqCertTypes or [ClientCertificateType.rsa_sign] |
-+ msgs.append(CertificateRequest().create(reqCertTypes, reqCAs)) |
++ msgs.append(CertificateRequest(self.version).create(reqCertTypes, |
++ reqCAs)) |
msgs.append(ServerHelloDone()) |
for result in self._sendMsgs(msgs): |
yield result |
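Review bot: The new call on L161-162 leaves `sig_algs` at its default `()`, so for a TLS 1.2 connection the CertificateRequest would carry an empty supported_signature_algorithms vector if the serializer in messages.py emits that field for `self.version >= (3,3)` (the serializer is not visible here). RFC 5246 §7.4.4 defines that vector as `<2..2^16-2>`, i.e. at least one entry, and a client that enforces this will abort the handshake or be unable to choose a CertificateVerify algorithm. If the server has a list of acceptable signature/hash pairs in scope, pass it as the third argument to `create`; otherwise document the gap at the call site with `#TODO: pass the accepted signature algorithms for TLS 1.2; an empty list is not wire-legal (RFC 5246 7.4.4)`. `_serverCertKeyExchange` begins in an earlier hunk and its body continues past this one.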