Diffstat (limited to 'chromium/third_party/tlslite/patches/status_request.patch')
-rw-r--r--chromium/third_party/tlslite/patches/status_request.patch274
1 files changed, 142 insertions, 132 deletions
diff --git a/chromium/third_party/tlslite/patches/status_request.patch b/chromium/third_party/tlslite/patches/status_request.patch
index 15f01d42809..cfd7f6f19c6 100644
--- a/chromium/third_party/tlslite/patches/status_request.patch
+++ b/chromium/third_party/tlslite/patches/status_request.patch
@@ -1,125 +1,41 @@
-diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/tlslite/TLSConnection.py
-index e6ce187..94ee5eb 100644
---- a/third_party/tlslite/tlslite/TLSConnection.py
-+++ b/third_party/tlslite/tlslite/TLSConnection.py
-@@ -937,8 +937,8 @@ class TLSConnection(TLSRecordLayer):
- certChain=None, privateKey=None, reqCert=False,
- sessionCache=None, settings=None, checker=None,
- reqCAs=None, tlsIntolerant=0,
-- signedCertTimestamps=None,
-- fallbackSCSV=False):
-+ signedCertTimestamps=None, fallbackSCSV=False,
-+ ocspResponse=None):
- """Perform a handshake in the role of server.
-
- This function performs an SSL or TLS handshake. Depending on
-@@ -1014,6 +1014,16 @@ class TLSConnection(TLSRecordLayer):
- binary 8-bit string) that will be sent as a TLS extension whenever
- the client announces support for the extension.
-
-+ @type ocspResponse: str
-+ @param ocspResponse: An OCSP response (as a binary 8-bit string) that
-+ will be sent stapled in the handshake whenever the client announces
-+ support for the status_request extension.
-+ Note that the response is sent independent of the ClientHello
-+ status_request extension contents, and is thus only meant for testing
-+ environments. Real OCSP stapling is more complicated as it requires
-+ choosing a suitable response based on the ClientHello status_request
-+ extension contents.
-+
- @raise socket.error: If a socket error occurs.
- @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
- without a preceding alert.
-@@ -1024,7 +1034,7 @@ class TLSConnection(TLSRecordLayer):
- for result in self.handshakeServerAsync(sharedKeyDB, verifierDB,
- certChain, privateKey, reqCert, sessionCache, settings,
- checker, reqCAs, tlsIntolerant, signedCertTimestamps,
-- fallbackSCSV):
-+ fallbackSCSV, ocspResponse):
- pass
-
-
-@@ -1033,7 +1043,7 @@ class TLSConnection(TLSRecordLayer):
- sessionCache=None, settings=None, checker=None,
- reqCAs=None, tlsIntolerant=0,
- signedCertTimestamps=None,
-- fallbackSCSV=False):
-+ fallbackSCSV=False, ocspResponse=None):
- """Start a server handshake operation on the TLS connection.
-
- This function returns a generator which behaves similarly to
-@@ -1053,7 +1063,8 @@ class TLSConnection(TLSRecordLayer):
- reqCAs=reqCAs,
- tlsIntolerant=tlsIntolerant,
- signedCertTimestamps=signedCertTimestamps,
-- fallbackSCSV=fallbackSCSV)
-+ fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse)
-+
- for result in self._handshakeWrapperAsync(handshaker, checker):
- yield result
-
-@@ -1062,7 +1073,7 @@ class TLSConnection(TLSRecordLayer):
- certChain, privateKey, reqCert,
- sessionCache, settings, reqCAs,
- tlsIntolerant, signedCertTimestamps,
-- fallbackSCSV):
-+ fallbackSCSV, ocspResponse):
-
- self._handshakeStart(client=False)
-
-@@ -1439,10 +1450,14 @@ class TLSConnection(TLSRecordLayer):
- sessionID, cipherSuite, certificateType)
- serverHello.channel_id = clientHello.channel_id
- if clientHello.support_signed_cert_timestamps:
-- serverHello.signed_cert_timestamps = signedCertTimestamps
-+ serverHello.signed_cert_timestamps = signedCertTimestamps
-+ serverHello.status_request = (clientHello.status_request and
-+ ocspResponse)
- doingChannelID = clientHello.channel_id
- msgs.append(serverHello)
- msgs.append(Certificate(certificateType).create(serverCertChain))
-+ if serverHello.status_request:
-+ msgs.append(CertificateStatus().create(ocspResponse))
- if reqCert and reqCAs:
- msgs.append(CertificateRequest().create([], reqCAs))
- elif reqCert:
diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
-index 23e3dcb..d027ef5 100644
+index d132b78..ceaa903 100755
--- a/third_party/tlslite/tlslite/constants.py
+++ b/third_party/tlslite/tlslite/constants.py
-@@ -22,6 +22,7 @@ class HandshakeType:
+@@ -30,6 +30,7 @@ class HandshakeType:
certificate_verify = 15
client_key_exchange = 16
finished = 20
+ certificate_status = 22
+ next_protocol = 67
encrypted_extensions = 203
- class ContentType:
-@@ -31,7 +32,11 @@ class ContentType:
+@@ -40,8 +41,12 @@ class ContentType:
application_data = 23
all = (20,21,22,23)
+class CertificateStatusType:
+ ocsp = 1
+
- class ExtensionType:
-+ status_request = 5 # OCSP stapling
- signed_cert_timestamps = 18 # signed_certificate_timestamp in RFC 6962
- channel_id = 30031
-
+ class ExtensionType: # RFC 6066 / 4366
+ server_name = 0 # RFC 6066 / 4366
++ status_request = 5 # RFC 6066 / 4366
+ srp = 12 # RFC 5054
+ cert_type = 9 # RFC 6091
+ signed_cert_timestamps = 18 # RFC 6962
diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
-index 296f422..497ef60 100644
+index 5a2cd6c..532d86b 100755
--- a/third_party/tlslite/tlslite/messages.py
+++ b/third_party/tlslite/tlslite/messages.py
-@@ -132,6 +132,7 @@ class ClientHello(HandshakeMsg):
- self.srp_username = None # a string
+@@ -114,6 +114,7 @@ class ClientHello(HandshakeMsg):
+ self.server_name = bytearray(0)
self.channel_id = False
self.support_signed_cert_timestamps = False
+ self.status_request = False
def create(self, version, random, session_id, cipher_suites,
- certificate_types=None, srp_username=None):
-@@ -182,6 +183,19 @@ class ClientHello(HandshakeMsg):
+ certificate_types=None, srpUsername=None,
+@@ -187,6 +188,19 @@ class ClientHello(HandshakeMsg):
if extLength:
raise SyntaxError()
self.support_signed_cert_timestamps = True
@@ -137,44 +53,33 @@ index 296f422..497ef60 100644
+ p.getFixBytes(extLength)
+ self.status_request = True
else:
- p.getFixBytes(extLength)
- soFar += 4 + extLength
-@@ -230,6 +244,7 @@ class ServerHello(HandshakeMsg):
- self.compression_method = 0
+ _ = p.getFixBytes(extLength)
+ index2 = p.index
+@@ -253,6 +267,7 @@ class ServerHello(HandshakeMsg):
+ self.next_protos = None
self.channel_id = False
self.signed_cert_timestamps = None
+ self.status_request = False
def create(self, version, random, session_id, cipher_suite,
- certificate_type):
-@@ -282,6 +297,9 @@ class ServerHello(HandshakeMsg):
+ certificate_type, tackExt, next_protos_advertised):
+@@ -345,6 +360,9 @@ class ServerHello(HandshakeMsg):
if self.signed_cert_timestamps:
- extLength += 4 + len(self.signed_cert_timestamps)
-
+ w2.add(ExtensionType.signed_cert_timestamps, 2)
+ w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2)
+ if self.status_request:
-+ extLength += 4
-+
- if extLength != 0:
- w.add(extLength, 2)
-
-@@ -299,6 +317,10 @@ class ServerHello(HandshakeMsg):
- w.add(ExtensionType.signed_cert_timestamps, 2)
- w.addVarSeq(stringToBytes(self.signed_cert_timestamps), 1, 2)
-
-+ if self.status_request:
-+ w.add(ExtensionType.status_request, 2)
-+ w.add(0, 2)
-+
- return HandshakeMsg.postWrite(self, w, trial)
-
- class Certificate(HandshakeMsg):
-@@ -367,6 +389,37 @@ class Certificate(HandshakeMsg):
++ w2.add(ExtensionType.status_request, 2)
++ w2.add(0, 2)
+ if len(w2.bytes):
+ w.add(len(w2.bytes), 2)
+ w.bytes += w2.bytes
+@@ -402,6 +420,37 @@ class Certificate(HandshakeMsg):
raise AssertionError()
- return HandshakeMsg.postWrite(self, w, trial)
+ return self.postWrite(w)
+class CertificateStatus(HandshakeMsg):
+ def __init__(self):
-+ self.contentType = ContentType.handshake
++ HandshakeMsg.__init__(self, HandshakeType.certificate_status)
+
+ def create(self, ocsp_response):
+ self.ocsp_response = ocsp_response
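Review bot: The ClientHello parser at the top of the hunk discards the status_request extension body with `p.getFixBytes(extLength)` and sets the flag without looking at the CertificateStatusRequest's status_type, so `CertificateStatusType.ocsp` from constants.py is only ever used on the write side and a client asking for a status type other than OCSP is still answered with an OCSP CertificateStatus. That matches the testing-only intent stated in the handshakeServer docstring, but it deserves a comment at that line, e.g. `# status_type, responder_id_list and request_extensions are ignored; the configured response is stapled unconditionally (testing only)`. The enclosing ClientHello.parse method starts outside the hunk.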
@@ -194,15 +99,120 @@ index 296f422..497ef60 100644
+ # Can't be empty
+ raise SyntaxError()
+ self.ocsp_response = ocsp_response
++ p.stopLengthCheck()
+ return self
+
-+ def write(self, trial=False):
-+ w = HandshakeMsg.preWrite(self, HandshakeType.certificate_status,
-+ trial)
++ def write(self):
++ w = Writer()
+ w.add(CertificateStatusType.ocsp, 1)
-+ w.addVarSeq(stringToBytes(self.ocsp_response), 1, 3)
-+ return HandshakeMsg.postWrite(self, w, trial)
++ w.addVarSeq(bytearray(self.ocsp_response), 1, 3)
++ return self.postWrite(w)
+
class CertificateRequest(HandshakeMsg):
def __init__(self):
- self.contentType = ContentType.handshake
+ HandshakeMsg.__init__(self, HandshakeType.certificate_request)
+diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
+index bd92161..b9797d2 100755
+--- a/third_party/tlslite/tlslite/tlsconnection.py
++++ b/third_party/tlslite/tlslite/tlsconnection.py
+@@ -967,7 +967,7 @@ class TLSConnection(TLSRecordLayer):
+ tacks=None, activationFlags=0,
+ nextProtos=None, anon=False,
+ tlsIntolerant=None, signedCertTimestamps=None,
+- fallbackSCSV=False):
++ fallbackSCSV=False, ocspResponse=None):
+ """Perform a handshake in the role of server.
+
+ This function performs an SSL or TLS handshake. Depending on
+@@ -1051,6 +1051,16 @@ class TLSConnection(TLSRecordLayer):
+ TLS_FALLBACK_SCSV and thus reject connections using less than the
+ server's maximum TLS version that include this cipher suite.
+
++ @type ocspResponse: str
++ @param ocspResponse: An OCSP response (as a binary 8-bit string) that
++ will be sent stapled in the handshake whenever the client announces
++ support for the status_request extension.
++ Note that the response is sent independent of the ClientHello
++ status_request extension contents, and is thus only meant for testing
++ environments. Real OCSP stapling is more complicated as it requires
++ choosing a suitable response based on the ClientHello status_request
++ extension contents.
++
+ @raise socket.error: If a socket error occurs.
+ @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
+ without a preceding alert.
+@@ -1064,7 +1074,7 @@ class TLSConnection(TLSRecordLayer):
+ tacks=tacks, activationFlags=activationFlags,
+ nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant,
+ signedCertTimestamps=signedCertTimestamps,
+- fallbackSCSV=fallbackSCSV):
++ fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse):
+ pass
+
+
+@@ -1076,7 +1086,8 @@ class TLSConnection(TLSRecordLayer):
+ nextProtos=None, anon=False,
+ tlsIntolerant=None,
+ signedCertTimestamps=None,
+- fallbackSCSV=False
++ fallbackSCSV=False,
++ ocspResponse=None
+ ):
+ """Start a server handshake operation on the TLS connection.
+
+@@ -1098,7 +1109,8 @@ class TLSConnection(TLSRecordLayer):
+ nextProtos=nextProtos, anon=anon,
+ tlsIntolerant=tlsIntolerant,
+ signedCertTimestamps=signedCertTimestamps,
+- fallbackSCSV=fallbackSCSV)
++ fallbackSCSV=fallbackSCSV,
++ ocspResponse=ocspResponse)
+ for result in self._handshakeWrapperAsync(handshaker, checker):
+ yield result
+
+@@ -1108,7 +1120,8 @@ class TLSConnection(TLSRecordLayer):
+ settings, reqCAs,
+ tacks, activationFlags,
+ nextProtos, anon,
+- tlsIntolerant, signedCertTimestamps, fallbackSCSV):
++ tlsIntolerant, signedCertTimestamps, fallbackSCSV,
++ ocspResponse):
+
+ self._handshakeStart(client=False)
+
+@@ -1178,6 +1191,8 @@ class TLSConnection(TLSRecordLayer):
+ serverHello.channel_id = clientHello.channel_id
+ if clientHello.support_signed_cert_timestamps:
+ serverHello.signed_cert_timestamps = signedCertTimestamps
++ if clientHello.status_request:
++ serverHello.status_request = ocspResponse
+
+ # Perform the SRP key exchange
+ clientCertChain = None
+@@ -1194,7 +1209,7 @@ class TLSConnection(TLSRecordLayer):
+ for result in self._serverCertKeyExchange(clientHello, serverHello,
+ certChain, privateKey,
+ reqCert, reqCAs, cipherSuite,
+- settings):
++ settings, ocspResponse):
+ if result in (0,1): yield result
+ else: break
+ (premasterSecret, clientCertChain) = result
+@@ -1471,7 +1486,7 @@ class TLSConnection(TLSRecordLayer):
+ def _serverCertKeyExchange(self, clientHello, serverHello,
+ serverCertChain, privateKey,
+ reqCert, reqCAs, cipherSuite,
+- settings):
++ settings, ocspResponse):
+ #Send ServerHello, Certificate[, CertificateRequest],
+ #ServerHelloDone
+ msgs = []
+@@ -1481,6 +1496,8 @@ class TLSConnection(TLSRecordLayer):
+
+ msgs.append(serverHello)
+ msgs.append(Certificate(CertificateType.x509).create(serverCertChain))
++ if serverHello.status_request:
++ msgs.append(CertificateStatus().create(ocspResponse))
+ if reqCert and reqCAs:
+ msgs.append(CertificateRequest().create(\
+ [ClientCertificateType.rsa_sign], reqCAs))
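Review bot: `serverHello.status_request = ocspResponse` stores the raw response in an attribute that ServerHello.__init__ initialises as the boolean `False`, and the two later tests (`if self.status_request:` in ServerHello.write and `if serverHello.status_request:` in _serverCertKeyExchange) only use its truthiness, so the attribute changes type depending on the code path. Keeping it a flag, `serverHello.status_request = bool(ocspResponse)`, preserves the behaviour (a None or empty response sends neither the extension nor a CertificateStatus) and keeps the ServerHello object free of a payload that is sent separately via `CertificateStatus().create(ocspResponse)`. The method containing that assignment and _serverCertKeyExchange both continue outside the hunk.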