diff options
Diffstat (limited to 'chromium/third_party/tlslite/patches/dhe_rsa.patch')
-rw-r--r-- | chromium/third_party/tlslite/patches/dhe_rsa.patch | 417 |
1 files changed, 417 insertions, 0 deletions
diff --git a/chromium/third_party/tlslite/patches/dhe_rsa.patch b/chromium/third_party/tlslite/patches/dhe_rsa.patch new file mode 100644 index 00000000000..1466851a66b --- /dev/null +++ b/chromium/third_party/tlslite/patches/dhe_rsa.patch @@ -0,0 +1,417 @@ +diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py +index 52c20ac..feca423 100644 +--- a/third_party/tlslite/tlslite/constants.py ++++ b/third_party/tlslite/tlslite/constants.py +@@ -143,6 +143,10 @@ class CipherSuite: + + TLS_RSA_WITH_RC4_128_MD5 = 0x0004 + ++ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016 ++ TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033 ++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039 ++ + TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034 + TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A + +@@ -150,17 +154,20 @@ class CipherSuite: + tripleDESSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) + tripleDESSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) + tripleDESSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) ++ tripleDESSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) + + aes128Suites = [] + aes128Suites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) + aes128Suites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) + aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA) ++ aes128Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA) + aes128Suites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) + + aes256Suites = [] + aes256Suites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) + aes256Suites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) + aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA) ++ aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) + aes256Suites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) + + rc4Suites = [] +@@ -178,6 +185,9 @@ class CipherSuite: + shaSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA) + shaSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA) + shaSuites.append(TLS_RSA_WITH_RC4_128_SHA) ++ shaSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) ++ shaSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA) ++ shaSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) + shaSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) + shaSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) + +@@ -188,6 +198,7 @@ class CipherSuite: + def _filterSuites(suites, settings): + macNames = settings.macNames + cipherNames = settings.cipherNames ++ keyExchangeNames = settings.keyExchangeNames + macSuites = [] + if "sha" in macNames: + macSuites += CipherSuite.shaSuites +@@ -204,7 +215,20 @@ class CipherSuite: + if "rc4" in cipherNames: + cipherSuites += CipherSuite.rc4Suites + +- return [s for s in suites if s in macSuites and s in cipherSuites] ++ keyExchangeSuites = [] ++ if "rsa" in keyExchangeNames: ++ keyExchangeSuites += CipherSuite.certSuites ++ if "dhe_rsa" in keyExchangeNames: ++ keyExchangeSuites += CipherSuite.dheCertSuites ++ if "srp_sha" in keyExchangeNames: ++ keyExchangeSuites += CipherSuite.srpSuites ++ if "srp_sha_rsa" in keyExchangeNames: ++ keyExchangeSuites += CipherSuite.srpCertSuites ++ if "dh_anon" in keyExchangeNames: ++ keyExchangeSuites += CipherSuite.anonSuites ++ ++ return [s for s in suites if s in macSuites and ++ s in cipherSuites and s in keyExchangeSuites] + + srpSuites = [] + srpSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) +@@ -236,12 +260,22 @@ class CipherSuite: + certSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA) + certSuites.append(TLS_RSA_WITH_RC4_128_SHA) + certSuites.append(TLS_RSA_WITH_RC4_128_MD5) +- certAllSuites = srpCertSuites + certSuites + + @staticmethod + def getCertSuites(settings): + return CipherSuite._filterSuites(CipherSuite.certSuites, settings) + ++ dheCertSuites = [] ++ dheCertSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) ++ dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA) ++ dheCertSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) ++ ++ @staticmethod ++ def getDheCertSuites(settings): ++ return CipherSuite._filterSuites(CipherSuite.dheCertSuites, settings) ++ ++ certAllSuites = srpCertSuites + certSuites + dheCertSuites ++ + anonSuites = [] + anonSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) + anonSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) +@@ -250,6 +284,8 @@ class CipherSuite: + def getAnonSuites(settings): + return CipherSuite._filterSuites(CipherSuite.anonSuites, settings) + ++ dhAllSuites = dheCertSuites + anonSuites ++ + @staticmethod + def canonicalCipherName(ciphersuite): + "Return the canonical name of the cipher whose number is provided." +diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py +index 7a38ee2..e0bc0e6 100644 +--- a/third_party/tlslite/tlslite/handshakesettings.py ++++ b/third_party/tlslite/tlslite/handshakesettings.py +@@ -13,7 +13,9 @@ from .utils import cipherfactory + # RC4 is preferred as faster in Python, works in SSL3, and immune to CBC + # issues such as timing attacks + CIPHER_NAMES = ["rc4", "aes256", "aes128", "3des"] +-MAC_NAMES = ["sha"] # "md5" is allowed ++MAC_NAMES = ["sha"] # Don't allow "md5" by default. ++ALL_MAC_NAMES = ["sha", "md5"] ++KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"] + CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"] + CERTIFICATE_TYPES = ["x509"] + +@@ -102,6 +104,7 @@ class HandshakeSettings(object): + self.maxKeySize = 8193 + self.cipherNames = CIPHER_NAMES + self.macNames = MAC_NAMES ++ self.keyExchangeNames = KEY_EXCHANGE_NAMES + self.cipherImplementations = CIPHER_IMPLEMENTATIONS + self.certificateTypes = CERTIFICATE_TYPES + self.minVersion = (3,0) +@@ -116,6 +119,7 @@ class HandshakeSettings(object): + other.maxKeySize = self.maxKeySize + other.cipherNames = self.cipherNames + other.macNames = self.macNames ++ other.keyExchangeNames = self.keyExchangeNames + other.cipherImplementations = self.cipherImplementations + other.certificateTypes = self.certificateTypes + other.minVersion = self.minVersion +@@ -148,6 +152,12 @@ class HandshakeSettings(object): + for s in other.cipherNames: + if s not in CIPHER_NAMES: + raise ValueError("Unknown cipher name: '%s'" % s) ++ for s in other.macNames: ++ if s not in ALL_MAC_NAMES: ++ raise ValueError("Unknown MAC name: '%s'" % s) ++ for s in other.keyExchangeNames: ++ if s not in KEY_EXCHANGE_NAMES: ++ raise ValueError("Unknown key exchange name: '%s'" % s) + for s in other.cipherImplementations: + if s not in CIPHER_IMPLEMENTATIONS: + raise ValueError("Unknown cipher implementation: '%s'" % s) +diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py +index 532d86b..550b387 100644 +--- a/third_party/tlslite/tlslite/messages.py ++++ b/third_party/tlslite/tlslite/messages.py +@@ -533,31 +533,31 @@ class ServerKeyExchange(HandshakeMsg): + p.stopLengthCheck() + return self + +- def write(self): ++ def write_params(self): + w = Writer() + if self.cipherSuite in CipherSuite.srpAllSuites: + w.addVarSeq(numberToByteArray(self.srp_N), 1, 2) + w.addVarSeq(numberToByteArray(self.srp_g), 1, 2) + w.addVarSeq(self.srp_s, 1, 1) + w.addVarSeq(numberToByteArray(self.srp_B), 1, 2) +- if self.cipherSuite in CipherSuite.srpCertSuites: +- w.addVarSeq(self.signature, 1, 2) +- elif self.cipherSuite in CipherSuite.anonSuites: ++ elif self.cipherSuite in CipherSuite.dhAllSuites: + w.addVarSeq(numberToByteArray(self.dh_p), 1, 2) + w.addVarSeq(numberToByteArray(self.dh_g), 1, 2) + w.addVarSeq(numberToByteArray(self.dh_Ys), 1, 2) +- if self.cipherSuite in []: # TODO support for signed_params +- w.addVarSeq(self.signature, 1, 2) ++ else: ++ assert(False) ++ return w.bytes ++ ++ def write(self): ++ w = Writer() ++ w.bytes += self.write_params() ++ if self.cipherSuite in CipherSuite.certAllSuites: ++ w.addVarSeq(self.signature, 1, 2) + return self.postWrite(w) + + def hash(self, clientRandom, serverRandom): +- oldCipherSuite = self.cipherSuite +- self.cipherSuite = None +- try: +- bytes = clientRandom + serverRandom + self.write()[4:] +- return MD5(bytes) + SHA1(bytes) +- finally: +- self.cipherSuite = oldCipherSuite ++ bytes = clientRandom + serverRandom + self.write_params() ++ return MD5(bytes) + SHA1(bytes) + + class ServerHelloDone(HandshakeMsg): + def __init__(self): +@@ -607,7 +607,7 @@ class ClientKeyExchange(HandshakeMsg): + p.getFixBytes(len(p.bytes)-p.index) + else: + raise AssertionError() +- elif self.cipherSuite in CipherSuite.anonSuites: ++ elif self.cipherSuite in CipherSuite.dhAllSuites: + self.dh_Yc = bytesToNumber(p.getVarBytes(2)) + else: + raise AssertionError() +diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py +index 20cd85b..e6f7820 100644 +--- a/third_party/tlslite/tlslite/tlsconnection.py ++++ b/third_party/tlslite/tlslite/tlsconnection.py +@@ -23,6 +23,103 @@ from .mathtls import * + from .handshakesettings import HandshakeSettings + from .utils.tackwrapper import * + ++class KeyExchange(object): ++ def __init__(self, cipherSuite, clientHello, serverHello, privateKey): ++ """ ++ Initializes the KeyExchange. privateKey is the signing private key. ++ """ ++ self.cipherSuite = cipherSuite ++ self.clientHello = clientHello ++ self.serverHello = serverHello ++ self.privateKey = privateKey ++ ++ def makeServerKeyExchange(): ++ """ ++ Returns a ServerKeyExchange object for the server's initial leg in the ++ handshake. If the key exchange method does not send ServerKeyExchange ++ (e.g. RSA), it returns None. ++ """ ++ raise NotImplementedError() ++ ++ def processClientKeyExchange(clientKeyExchange): ++ """ ++ Processes the client's ClientKeyExchange message and returns the ++ premaster secret. Raises TLSLocalAlert on error. ++ """ ++ raise NotImplementedError() ++ ++class RSAKeyExchange(KeyExchange): ++ def makeServerKeyExchange(self): ++ return None ++ ++ def processClientKeyExchange(self, clientKeyExchange): ++ premasterSecret = self.privateKey.decrypt(\ ++ clientKeyExchange.encryptedPreMasterSecret) ++ ++ # On decryption failure randomize premaster secret to avoid ++ # Bleichenbacher's "million message" attack ++ randomPreMasterSecret = getRandomBytes(48) ++ if not premasterSecret: ++ premasterSecret = randomPreMasterSecret ++ elif len(premasterSecret)!=48: ++ premasterSecret = randomPreMasterSecret ++ else: ++ versionCheck = (premasterSecret[0], premasterSecret[1]) ++ if versionCheck != self.clientHello.client_version: ++ #Tolerate buggy IE clients ++ if versionCheck != self.serverHello.server_version: ++ premasterSecret = randomPreMasterSecret ++ return premasterSecret ++ ++def _hexStringToNumber(s): ++ s = s.replace(" ", "").replace("\n", "") ++ if len(s) % 2 != 0: ++ raise ValueError("Length is not even") ++ return bytesToNumber(bytearray(s.decode("hex"))) ++ ++class DHE_RSAKeyExchange(KeyExchange): ++ # 2048-bit MODP Group (RFC 3526, Section 3) ++ dh_p = _hexStringToNumber(""" ++FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 ++29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD ++EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 ++E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED ++EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D ++C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F ++83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D ++670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B ++E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 ++DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510 ++15728E5A 8AACAA68 FFFFFFFF FFFFFFFF""") ++ dh_g = 2 ++ ++ # RFC 3526, Section 8. ++ strength = 160 ++ ++ def makeServerKeyExchange(self): ++ # Per RFC 3526, Section 1, the exponent should have double the entropy ++ # of the strength of the curve. ++ self.dh_Xs = bytesToNumber(getRandomBytes(self.strength * 2 / 8)) ++ dh_Ys = powMod(self.dh_g, self.dh_Xs, self.dh_p) ++ ++ serverKeyExchange = ServerKeyExchange(self.cipherSuite) ++ serverKeyExchange.createDH(self.dh_p, self.dh_g, dh_Ys) ++ serverKeyExchange.signature = self.privateKey.sign( ++ serverKeyExchange.hash(self.clientHello.random, ++ self.serverHello.random)) ++ return serverKeyExchange ++ ++ def processClientKeyExchange(self, clientKeyExchange): ++ dh_Yc = clientKeyExchange.dh_Yc ++ ++ # First half of RFC 2631, Section 2.1.5. Validate the client's public ++ # key. ++ if not 2 <= dh_Yc <= self.dh_p - 1: ++ raise TLSLocalAlert(AlertDescription.illegal_parameter, ++ "Invalid dh_Yc value") ++ ++ S = powMod(dh_Yc, self.dh_Xs, self.dh_p) ++ return numberToByteArray(S) + + class TLSConnection(TLSRecordLayer): + """ +@@ -500,6 +597,8 @@ class TLSConnection(TLSRecordLayer): + cipherSuites += CipherSuite.getSrpAllSuites(settings) + elif certParams: + cipherSuites += CipherSuite.getCertSuites(settings) ++ # TODO: Client DHE_RSA not supported. ++ # cipherSuites += CipherSuite.getDheCertSuites(settings) + elif anonParams: + cipherSuites += CipherSuite.getAnonSuites(settings) + else: +@@ -1204,10 +1303,23 @@ class TLSConnection(TLSRecordLayer): + else: break + premasterSecret = result + +- # Perform the RSA key exchange +- elif cipherSuite in CipherSuite.certSuites: ++ # Perform the RSA or DHE_RSA key exchange ++ elif (cipherSuite in CipherSuite.certSuites or ++ cipherSuite in CipherSuite.dheCertSuites): ++ if cipherSuite in CipherSuite.certSuites: ++ keyExchange = RSAKeyExchange(cipherSuite, ++ clientHello, ++ serverHello, ++ privateKey) ++ elif cipherSuite in CipherSuite.dheCertSuites: ++ keyExchange = DHE_RSAKeyExchange(cipherSuite, ++ clientHello, ++ serverHello, ++ privateKey) ++ else: ++ assert(False) + for result in self._serverCertKeyExchange(clientHello, serverHello, +- certChain, privateKey, ++ certChain, keyExchange, + reqCert, reqCAs, cipherSuite, + settings, ocspResponse): + if result in (0,1): yield result +@@ -1268,6 +1380,7 @@ class TLSConnection(TLSRecordLayer): + cipherSuites += CipherSuite.getSrpSuites(settings) + elif certChain: + cipherSuites += CipherSuite.getCertSuites(settings) ++ cipherSuites += CipherSuite.getDheCertSuites(settings) + elif anon: + cipherSuites += CipherSuite.getAnonSuites(settings) + else: +@@ -1483,11 +1596,11 @@ class TLSConnection(TLSRecordLayer): + + + def _serverCertKeyExchange(self, clientHello, serverHello, +- serverCertChain, privateKey, ++ serverCertChain, keyExchange, + reqCert, reqCAs, cipherSuite, + settings, ocspResponse): +- #Send ServerHello, Certificate[, CertificateRequest], +- #ServerHelloDone ++ #Send ServerHello, Certificate[, ServerKeyExchange] ++ #[, CertificateRequest], ServerHelloDone + msgs = [] + + # If we verify a client cert chain, return it +@@ -1497,6 +1610,9 @@ class TLSConnection(TLSRecordLayer): + msgs.append(Certificate(CertificateType.x509).create(serverCertChain)) + if serverHello.status_request: + msgs.append(CertificateStatus().create(ocspResponse)) ++ serverKeyExchange = keyExchange.makeServerKeyExchange() ++ if serverKeyExchange is not None: ++ msgs.append(serverKeyExchange) + if reqCert and reqCAs: + msgs.append(CertificateRequest().create(\ + [ClientCertificateType.rsa_sign], reqCAs)) +@@ -1555,21 +1671,13 @@ class TLSConnection(TLSRecordLayer): + else: break + clientKeyExchange = result + +- #Decrypt ClientKeyExchange +- premasterSecret = privateKey.decrypt(\ +- clientKeyExchange.encryptedPreMasterSecret) +- +- # On decryption failure randomize premaster secret to avoid +- # Bleichenbacher's "million message" attack +- randomPreMasterSecret = getRandomBytes(48) +- versionCheck = (premasterSecret[0], premasterSecret[1]) +- if not premasterSecret: +- premasterSecret = randomPreMasterSecret +- elif len(premasterSecret)!=48: +- premasterSecret = randomPreMasterSecret +- elif versionCheck != clientHello.client_version: +- if versionCheck != self.version: #Tolerate buggy IE clients +- premasterSecret = randomPreMasterSecret ++ #Process ClientKeyExchange ++ try: ++ premasterSecret = \ ++ keyExchange.processClientKeyExchange(clientKeyExchange) ++ except TLSLocalAlert, alert: ++ for result in self._sendError(alert.description, alert.message): ++ yield result + + #Get and check CertificateVerify, if relevant + if clientCertChain: |