diff options
Diffstat (limited to 'chromium/third_party/tlslite/patches/channel_id.patch')
-rw-r--r-- | chromium/third_party/tlslite/patches/channel_id.patch | 294 |
1 files changed, 125 insertions, 169 deletions
diff --git a/chromium/third_party/tlslite/patches/channel_id.patch b/chromium/third_party/tlslite/patches/channel_id.patch index 472406edad7..0fe16924b57 100644 --- a/chromium/third_party/tlslite/patches/channel_id.patch +++ b/chromium/third_party/tlslite/patches/channel_id.patch @@ -1,194 +1,65 @@ -diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/tlslite/TLSConnection.py -index f8811a9..e882e2c 100644 ---- a/third_party/tlslite/tlslite/TLSConnection.py -+++ b/third_party/tlslite/tlslite/TLSConnection.py -@@ -611,6 +611,8 @@ class TLSConnection(TLSRecordLayer): - settings.cipherImplementations) - - #Exchange ChangeCipherSpec and Finished messages -+ for result in self._getChangeCipherSpec(): -+ yield result - for result in self._getFinished(): - yield result - for result in self._sendFinished(): -@@ -920,6 +922,8 @@ class TLSConnection(TLSRecordLayer): - #Exchange ChangeCipherSpec and Finished messages - for result in self._sendFinished(): - yield result -+ for result in self._getChangeCipherSpec(): -+ yield result - for result in self._getFinished(): - yield result - -@@ -1089,6 +1093,7 @@ class TLSConnection(TLSRecordLayer): - clientCertChain = None - serverCertChain = None #We may set certChain to this later - postFinishedError = None -+ doingChannelID = False - - #Tentatively set version to most-desirable version, so if an error - #occurs parsing the ClientHello, this is what we'll use for the -@@ -1208,6 +1213,8 @@ class TLSConnection(TLSRecordLayer): - serverHello.create(self.version, serverRandom, - session.sessionID, session.cipherSuite, - certificateType) -+ serverHello.channel_id = clientHello.channel_id -+ doingChannelID = clientHello.channel_id - for result in self._sendMsg(serverHello): - yield result - -@@ -1221,6 +1228,11 @@ class TLSConnection(TLSRecordLayer): - #Exchange ChangeCipherSpec and Finished messages - for result in self._sendFinished(): - yield result -+ for result in self._getChangeCipherSpec(): -+ yield result -+ if doingChannelID: -+ for result in self._getEncryptedExtensions(): -+ yield result - for result in self._getFinished(): - yield result - -@@ -1399,8 +1411,12 @@ class TLSConnection(TLSRecordLayer): - #Send ServerHello, Certificate[, CertificateRequest], - #ServerHelloDone - msgs = [] -- msgs.append(ServerHello().create(self.version, serverRandom, -- sessionID, cipherSuite, certificateType)) -+ serverHello = ServerHello().create( -+ self.version, serverRandom, -+ sessionID, cipherSuite, certificateType) -+ serverHello.channel_id = clientHello.channel_id -+ doingChannelID = clientHello.channel_id -+ msgs.append(serverHello) - msgs.append(Certificate(certificateType).create(serverCertChain)) - if reqCert and reqCAs: - msgs.append(CertificateRequest().create([], reqCAs)) -@@ -1528,6 +1544,11 @@ class TLSConnection(TLSRecordLayer): - settings.cipherImplementations) - - #Exchange ChangeCipherSpec and Finished messages -+ for result in self._getChangeCipherSpec(): -+ yield result -+ if doingChannelID: -+ for result in self._getEncryptedExtensions(): -+ yield result - for result in self._getFinished(): - yield result - -diff --git a/third_party/tlslite/tlslite/TLSRecordLayer.py b/third_party/tlslite/tlslite/TLSRecordLayer.py -index 1bbd09d..933b95a 100644 ---- a/third_party/tlslite/tlslite/TLSRecordLayer.py -+++ b/third_party/tlslite/tlslite/TLSRecordLayer.py -@@ -714,6 +714,8 @@ class TLSRecordLayer: - self.version).parse(p) - elif subType == HandshakeType.finished: - yield Finished(self.version).parse(p) -+ elif subType == HandshakeType.encrypted_extensions: -+ yield EncryptedExtensions().parse(p) - else: - raise AssertionError() - -@@ -1067,7 +1069,7 @@ class TLSRecordLayer: - for result in self._sendMsg(finished): - yield result - -- def _getFinished(self): -+ def _getChangeCipherSpec(self): - #Get and check ChangeCipherSpec - for result in self._getMsg(ContentType.change_cipher_spec): - if result in (0,1): -@@ -1082,6 +1084,15 @@ class TLSRecordLayer: - #Switch to pending read state - self._changeReadState() - -+ def _getEncryptedExtensions(self): -+ for result in self._getMsg(ContentType.handshake, -+ HandshakeType.encrypted_extensions): -+ if result in (0,1): -+ yield result -+ encrypted_extensions = result -+ self.channel_id = encrypted_extensions.channel_id_key -+ -+ def _getFinished(self): - #Calculate verification data - verifyData = self._calcFinished(False) - diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py -index 04302c0..e357dd0 100644 +index d52e596..79ad145 100755 --- a/third_party/tlslite/tlslite/constants.py +++ b/third_party/tlslite/tlslite/constants.py -@@ -22,6 +22,7 @@ class HandshakeType: - certificate_verify = 15 +@@ -31,6 +31,7 @@ class HandshakeType: client_key_exchange = 16 finished = 20 + next_protocol = 67 + encrypted_extensions = 203 class ContentType: change_cipher_spec = 20 -@@ -30,6 +31,9 @@ class ContentType: - application_data = 23 - all = (20,21,22,23) - -+class ExtensionType: -+ channel_id = 30031 -+ - class AlertLevel: - warning = 1 - fatal = 2 +@@ -45,6 +46,7 @@ class ExtensionType: # RFC 6066 / 4366 + cert_type = 9 # RFC 6091 + tack = 0xF300 + supports_npn = 13172 ++ channel_id = 30032 + + class NameType: + host_name = 0 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py -index dc6ed32..fa4d817 100644 +index 7ef4e3f..246082e 100755 --- a/third_party/tlslite/tlslite/messages.py +++ b/third_party/tlslite/tlslite/messages.py -@@ -130,6 +130,7 @@ class ClientHello(HandshakeMsg): - self.certificate_types = [CertificateType.x509] - self.compression_methods = [] # a list of 8-bit values - self.srp_username = None # a string +@@ -112,6 +112,7 @@ class ClientHello(HandshakeMsg): + self.tack = False + self.supports_npn = False + self.server_name = bytearray(0) + self.channel_id = False def create(self, version, random, session_id, cipher_suites, - certificate_types=None, srp_username=None): -@@ -174,6 +175,8 @@ class ClientHello(HandshakeMsg): - self.srp_username = bytesToString(p.getVarBytes(1)) - elif extType == 7: - self.certificate_types = p.getVarList(1, 1) + certificate_types=None, srpUsername=None, +@@ -179,6 +180,8 @@ class ClientHello(HandshakeMsg): + if name_type == NameType.host_name: + self.server_name = hostNameBytes + break + elif extType == ExtensionType.channel_id: + self.channel_id = True else: - p.getFixBytes(extLength) - soFar += 4 + extLength -@@ -220,6 +223,7 @@ class ServerHello(HandshakeMsg): - self.cipher_suite = 0 - self.certificate_type = CertificateType.x509 - self.compression_method = 0 + _ = p.getFixBytes(extLength) + index2 = p.index +@@ -243,6 +246,7 @@ class ServerHello(HandshakeMsg): + self.tackExt = None + self.next_protos_advertised = None + self.next_protos = None + self.channel_id = False def create(self, version, random, session_id, cipher_suite, - certificate_type): -@@ -266,6 +270,9 @@ class ServerHello(HandshakeMsg): - CertificateType.x509: - extLength += 5 - -+ if self.channel_id: -+ extLength += 4 -+ - if extLength != 0: - w.add(extLength, 2) - -@@ -275,6 +282,10 @@ class ServerHello(HandshakeMsg): - w.add(1, 2) - w.add(self.certificate_type, 1) - + certificate_type, tackExt, next_protos_advertised): +@@ -329,6 +333,9 @@ class ServerHello(HandshakeMsg): + w2.add(ExtensionType.supports_npn, 2) + w2.add(len(encoded_next_protos_advertised), 2) + w2.addFixSeq(encoded_next_protos_advertised, 1) + if self.channel_id: -+ w.add(ExtensionType.channel_id, 2) -+ w.add(0, 2) -+ - return HandshakeMsg.postWrite(self, w, trial) - - class Certificate(HandshakeMsg): -@@ -567,6 +578,28 @@ class Finished(HandshakeMsg): ++ w2.add(ExtensionType.channel_id, 2) ++ w2.add(0, 2) + if len(w2.bytes): + w.add(len(w2.bytes), 2) + w.bytes += w2.bytes +@@ -656,6 +663,28 @@ class Finished(HandshakeMsg): w.addFixSeq(self.verify_data, 1) - return HandshakeMsg.postWrite(self, w, trial) + return self.postWrite(w) +class EncryptedExtensions(HandshakeMsg): + def __init__(self): @@ -212,6 +83,91 @@ index dc6ed32..fa4d817 100644 + p.stopLengthCheck() + return self + - class ApplicationData(Msg): + class ApplicationData(object): def __init__(self): self.contentType = ContentType.application_data +diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py +index 8415592..e7c5140 100755 +--- a/third_party/tlslite/tlslite/tlsconnection.py ++++ b/third_party/tlslite/tlslite/tlsconnection.py +@@ -1155,6 +1155,7 @@ class TLSConnection(TLSRecordLayer): + serverHello.create(self.version, getRandomBytes(32), sessionID, \ + cipherSuite, CertificateType.x509, tackExt, + nextProtos) ++ serverHello.channel_id = clientHello.channel_id + + # Perform the SRP key exchange + clientCertChain = None +@@ -1191,7 +1192,7 @@ class TLSConnection(TLSRecordLayer): + for result in self._serverFinished(premasterSecret, + clientHello.random, serverHello.random, + cipherSuite, settings.cipherImplementations, +- nextProtos): ++ nextProtos, clientHello.channel_id): + if result in (0,1): yield result + else: break + masterSecret = result +@@ -1609,7 +1610,8 @@ class TLSConnection(TLSRecordLayer): + + + def _serverFinished(self, premasterSecret, clientRandom, serverRandom, +- cipherSuite, cipherImplementations, nextProtos): ++ cipherSuite, cipherImplementations, nextProtos, ++ doingChannelID): + masterSecret = calcMasterSecret(self.version, premasterSecret, + clientRandom, serverRandom) + +@@ -1620,7 +1622,8 @@ class TLSConnection(TLSRecordLayer): + + #Exchange ChangeCipherSpec and Finished messages + for result in self._getFinished(masterSecret, +- expect_next_protocol=nextProtos is not None): ++ expect_next_protocol=nextProtos is not None, ++ expect_channel_id=doingChannelID): + yield result + + for result in self._sendFinished(masterSecret): +@@ -1657,7 +1660,8 @@ class TLSConnection(TLSRecordLayer): + for result in self._sendMsg(finished): + yield result + +- def _getFinished(self, masterSecret, expect_next_protocol=False, nextProto=None): ++ def _getFinished(self, masterSecret, expect_next_protocol=False, nextProto=None, ++ expect_channel_id=False): + #Get and check ChangeCipherSpec + for result in self._getMsg(ContentType.change_cipher_spec): + if result in (0,1): +@@ -1690,6 +1694,20 @@ class TLSConnection(TLSRecordLayer): + if nextProto: + self.next_proto = nextProto + ++ #Server Finish - Are we waiting for a EncryptedExtensions? ++ if expect_channel_id: ++ for result in self._getMsg(ContentType.handshake, HandshakeType.encrypted_extensions): ++ if result in (0,1): ++ yield result ++ if result is None: ++ for result in self._sendError(AlertDescription.unexpected_message, ++ "Didn't get EncryptedExtensions message"): ++ yield result ++ encrypted_extensions = result ++ self.channel_id = result.channel_id_key ++ else: ++ self.channel_id = None ++ + #Calculate verification data + verifyData = self._calcFinished(masterSecret, False) + +diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite/tlslite/tlsrecordlayer.py +index b0833fe..ff08cbf 100755 +--- a/third_party/tlslite/tlslite/tlsrecordlayer.py ++++ b/third_party/tlslite/tlslite/tlsrecordlayer.py +@@ -800,6 +800,8 @@ class TLSRecordLayer(object): + yield Finished(self.version).parse(p) + elif subType == HandshakeType.next_protocol: + yield NextProtocol().parse(p) ++ elif subType == HandshakeType.encrypted_extensions: ++ yield EncryptedExtensions().parse(p) + else: + raise AssertionError() + |