diff options
Diffstat (limited to 'chromium/third_party/tlslite/patches/status_request.patch')
-rw-r--r-- | chromium/third_party/tlslite/patches/status_request.patch | 274 |
1 files changed, 142 insertions, 132 deletions
diff --git a/chromium/third_party/tlslite/patches/status_request.patch b/chromium/third_party/tlslite/patches/status_request.patch index 15f01d42809..cfd7f6f19c6 100644 --- a/chromium/third_party/tlslite/patches/status_request.patch +++ b/chromium/third_party/tlslite/patches/status_request.patch @@ -1,125 +1,41 @@ -diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/tlslite/TLSConnection.py -index e6ce187..94ee5eb 100644 ---- a/third_party/tlslite/tlslite/TLSConnection.py -+++ b/third_party/tlslite/tlslite/TLSConnection.py -@@ -937,8 +937,8 @@ class TLSConnection(TLSRecordLayer): - certChain=None, privateKey=None, reqCert=False, - sessionCache=None, settings=None, checker=None, - reqCAs=None, tlsIntolerant=0, -- signedCertTimestamps=None, -- fallbackSCSV=False): -+ signedCertTimestamps=None, fallbackSCSV=False, -+ ocspResponse=None): - """Perform a handshake in the role of server. - - This function performs an SSL or TLS handshake. Depending on -@@ -1014,6 +1014,16 @@ class TLSConnection(TLSRecordLayer): - binary 8-bit string) that will be sent as a TLS extension whenever - the client announces support for the extension. - -+ @type ocspResponse: str -+ @param ocspResponse: An OCSP response (as a binary 8-bit string) that -+ will be sent stapled in the handshake whenever the client announces -+ support for the status_request extension. -+ Note that the response is sent independent of the ClientHello -+ status_request extension contents, and is thus only meant for testing -+ environments. Real OCSP stapling is more complicated as it requires -+ choosing a suitable response based on the ClientHello status_request -+ extension contents. -+ - @raise socket.error: If a socket error occurs. - @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed - without a preceding alert. -@@ -1024,7 +1034,7 @@ class TLSConnection(TLSRecordLayer): - for result in self.handshakeServerAsync(sharedKeyDB, verifierDB, - certChain, privateKey, reqCert, sessionCache, settings, - checker, reqCAs, tlsIntolerant, signedCertTimestamps, -- fallbackSCSV): -+ fallbackSCSV, ocspResponse): - pass - - -@@ -1033,7 +1043,7 @@ class TLSConnection(TLSRecordLayer): - sessionCache=None, settings=None, checker=None, - reqCAs=None, tlsIntolerant=0, - signedCertTimestamps=None, -- fallbackSCSV=False): -+ fallbackSCSV=False, ocspResponse=None): - """Start a server handshake operation on the TLS connection. - - This function returns a generator which behaves similarly to -@@ -1053,7 +1063,8 @@ class TLSConnection(TLSRecordLayer): - reqCAs=reqCAs, - tlsIntolerant=tlsIntolerant, - signedCertTimestamps=signedCertTimestamps, -- fallbackSCSV=fallbackSCSV) -+ fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse) -+ - for result in self._handshakeWrapperAsync(handshaker, checker): - yield result - -@@ -1062,7 +1073,7 @@ class TLSConnection(TLSRecordLayer): - certChain, privateKey, reqCert, - sessionCache, settings, reqCAs, - tlsIntolerant, signedCertTimestamps, -- fallbackSCSV): -+ fallbackSCSV, ocspResponse): - - self._handshakeStart(client=False) - -@@ -1439,10 +1450,14 @@ class TLSConnection(TLSRecordLayer): - sessionID, cipherSuite, certificateType) - serverHello.channel_id = clientHello.channel_id - if clientHello.support_signed_cert_timestamps: -- serverHello.signed_cert_timestamps = signedCertTimestamps -+ serverHello.signed_cert_timestamps = signedCertTimestamps -+ serverHello.status_request = (clientHello.status_request and -+ ocspResponse) - doingChannelID = clientHello.channel_id - msgs.append(serverHello) - msgs.append(Certificate(certificateType).create(serverCertChain)) -+ if serverHello.status_request: -+ msgs.append(CertificateStatus().create(ocspResponse)) - if reqCert and reqCAs: - msgs.append(CertificateRequest().create([], reqCAs)) - elif reqCert: diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py -index 23e3dcb..d027ef5 100644 +index d132b78..ceaa903 100755 --- a/third_party/tlslite/tlslite/constants.py +++ b/third_party/tlslite/tlslite/constants.py -@@ -22,6 +22,7 @@ class HandshakeType: +@@ -30,6 +30,7 @@ class HandshakeType: certificate_verify = 15 client_key_exchange = 16 finished = 20 + certificate_status = 22 + next_protocol = 67 encrypted_extensions = 203 - class ContentType: -@@ -31,7 +32,11 @@ class ContentType: +@@ -40,8 +41,12 @@ class ContentType: application_data = 23 all = (20,21,22,23) +class CertificateStatusType: + ocsp = 1 + - class ExtensionType: -+ status_request = 5 # OCSP stapling - signed_cert_timestamps = 18 # signed_certificate_timestamp in RFC 6962 - channel_id = 30031 - + class ExtensionType: # RFC 6066 / 4366 + server_name = 0 # RFC 6066 / 4366 ++ status_request = 5 # RFC 6066 / 4366 + srp = 12 # RFC 5054 + cert_type = 9 # RFC 6091 + signed_cert_timestamps = 18 # RFC 6962 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py -index 296f422..497ef60 100644 +index 5a2cd6c..532d86b 100755 --- a/third_party/tlslite/tlslite/messages.py +++ b/third_party/tlslite/tlslite/messages.py -@@ -132,6 +132,7 @@ class ClientHello(HandshakeMsg): - self.srp_username = None # a string +@@ -114,6 +114,7 @@ class ClientHello(HandshakeMsg): + self.server_name = bytearray(0) self.channel_id = False self.support_signed_cert_timestamps = False + self.status_request = False def create(self, version, random, session_id, cipher_suites, - certificate_types=None, srp_username=None): -@@ -182,6 +183,19 @@ class ClientHello(HandshakeMsg): + certificate_types=None, srpUsername=None, +@@ -187,6 +188,19 @@ class ClientHello(HandshakeMsg): if extLength: raise SyntaxError() self.support_signed_cert_timestamps = True @@ -137,44 +53,33 @@ index 296f422..497ef60 100644 + p.getFixBytes(extLength) + self.status_request = True else: - p.getFixBytes(extLength) - soFar += 4 + extLength -@@ -230,6 +244,7 @@ class ServerHello(HandshakeMsg): - self.compression_method = 0 + _ = p.getFixBytes(extLength) + index2 = p.index +@@ -253,6 +267,7 @@ class ServerHello(HandshakeMsg): + self.next_protos = None self.channel_id = False self.signed_cert_timestamps = None + self.status_request = False def create(self, version, random, session_id, cipher_suite, - certificate_type): -@@ -282,6 +297,9 @@ class ServerHello(HandshakeMsg): + certificate_type, tackExt, next_protos_advertised): +@@ -345,6 +360,9 @@ class ServerHello(HandshakeMsg): if self.signed_cert_timestamps: - extLength += 4 + len(self.signed_cert_timestamps) - + w2.add(ExtensionType.signed_cert_timestamps, 2) + w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2) + if self.status_request: -+ extLength += 4 -+ - if extLength != 0: - w.add(extLength, 2) - -@@ -299,6 +317,10 @@ class ServerHello(HandshakeMsg): - w.add(ExtensionType.signed_cert_timestamps, 2) - w.addVarSeq(stringToBytes(self.signed_cert_timestamps), 1, 2) - -+ if self.status_request: -+ w.add(ExtensionType.status_request, 2) -+ w.add(0, 2) -+ - return HandshakeMsg.postWrite(self, w, trial) - - class Certificate(HandshakeMsg): -@@ -367,6 +389,37 @@ class Certificate(HandshakeMsg): ++ w2.add(ExtensionType.status_request, 2) ++ w2.add(0, 2) + if len(w2.bytes): + w.add(len(w2.bytes), 2) + w.bytes += w2.bytes +@@ -402,6 +420,37 @@ class Certificate(HandshakeMsg): raise AssertionError() - return HandshakeMsg.postWrite(self, w, trial) + return self.postWrite(w) +class CertificateStatus(HandshakeMsg): + def __init__(self): -+ self.contentType = ContentType.handshake ++ HandshakeMsg.__init__(self, HandshakeType.certificate_status) + + def create(self, ocsp_response): + self.ocsp_response = ocsp_response @@ -194,15 +99,120 @@ index 296f422..497ef60 100644 + # Can't be empty + raise SyntaxError() + self.ocsp_response = ocsp_response ++ p.stopLengthCheck() + return self + -+ def write(self, trial=False): -+ w = HandshakeMsg.preWrite(self, HandshakeType.certificate_status, -+ trial) ++ def write(self): ++ w = Writer() + w.add(CertificateStatusType.ocsp, 1) -+ w.addVarSeq(stringToBytes(self.ocsp_response), 1, 3) -+ return HandshakeMsg.postWrite(self, w, trial) ++ w.addVarSeq(bytearray(self.ocsp_response), 1, 3) ++ return self.postWrite(w) + class CertificateRequest(HandshakeMsg): def __init__(self): - self.contentType = ContentType.handshake + HandshakeMsg.__init__(self, HandshakeType.certificate_request) +diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py +index bd92161..b9797d2 100755 +--- a/third_party/tlslite/tlslite/tlsconnection.py ++++ b/third_party/tlslite/tlslite/tlsconnection.py +@@ -967,7 +967,7 @@ class TLSConnection(TLSRecordLayer): + tacks=None, activationFlags=0, + nextProtos=None, anon=False, + tlsIntolerant=None, signedCertTimestamps=None, +- fallbackSCSV=False): ++ fallbackSCSV=False, ocspResponse=None): + """Perform a handshake in the role of server. + + This function performs an SSL or TLS handshake. Depending on +@@ -1051,6 +1051,16 @@ class TLSConnection(TLSRecordLayer): + TLS_FALLBACK_SCSV and thus reject connections using less than the + server's maximum TLS version that include this cipher suite. + ++ @type ocspResponse: str ++ @param ocspResponse: An OCSP response (as a binary 8-bit string) that ++ will be sent stapled in the handshake whenever the client announces ++ support for the status_request extension. ++ Note that the response is sent independent of the ClientHello ++ status_request extension contents, and is thus only meant for testing ++ environments. Real OCSP stapling is more complicated as it requires ++ choosing a suitable response based on the ClientHello status_request ++ extension contents. ++ + @raise socket.error: If a socket error occurs. + @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed + without a preceding alert. +@@ -1064,7 +1074,7 @@ class TLSConnection(TLSRecordLayer): + tacks=tacks, activationFlags=activationFlags, + nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, + signedCertTimestamps=signedCertTimestamps, +- fallbackSCSV=fallbackSCSV): ++ fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse): + pass + + +@@ -1076,7 +1086,8 @@ class TLSConnection(TLSRecordLayer): + nextProtos=None, anon=False, + tlsIntolerant=None, + signedCertTimestamps=None, +- fallbackSCSV=False ++ fallbackSCSV=False, ++ ocspResponse=None + ): + """Start a server handshake operation on the TLS connection. + +@@ -1098,7 +1109,8 @@ class TLSConnection(TLSRecordLayer): + nextProtos=nextProtos, anon=anon, + tlsIntolerant=tlsIntolerant, + signedCertTimestamps=signedCertTimestamps, +- fallbackSCSV=fallbackSCSV) ++ fallbackSCSV=fallbackSCSV, ++ ocspResponse=ocspResponse) + for result in self._handshakeWrapperAsync(handshaker, checker): + yield result + +@@ -1108,7 +1120,8 @@ class TLSConnection(TLSRecordLayer): + settings, reqCAs, + tacks, activationFlags, + nextProtos, anon, +- tlsIntolerant, signedCertTimestamps, fallbackSCSV): ++ tlsIntolerant, signedCertTimestamps, fallbackSCSV, ++ ocspResponse): + + self._handshakeStart(client=False) + +@@ -1178,6 +1191,8 @@ class TLSConnection(TLSRecordLayer): + serverHello.channel_id = clientHello.channel_id + if clientHello.support_signed_cert_timestamps: + serverHello.signed_cert_timestamps = signedCertTimestamps ++ if clientHello.status_request: ++ serverHello.status_request = ocspResponse + + # Perform the SRP key exchange + clientCertChain = None +@@ -1194,7 +1209,7 @@ class TLSConnection(TLSRecordLayer): + for result in self._serverCertKeyExchange(clientHello, serverHello, + certChain, privateKey, + reqCert, reqCAs, cipherSuite, +- settings): ++ settings, ocspResponse): + if result in (0,1): yield result + else: break + (premasterSecret, clientCertChain) = result +@@ -1471,7 +1486,7 @@ class TLSConnection(TLSRecordLayer): + def _serverCertKeyExchange(self, clientHello, serverHello, + serverCertChain, privateKey, + reqCert, reqCAs, cipherSuite, +- settings): ++ settings, ocspResponse): + #Send ServerHello, Certificate[, CertificateRequest], + #ServerHelloDone + msgs = [] +@@ -1481,6 +1496,8 @@ class TLSConnection(TLSRecordLayer): + + msgs.append(serverHello) + msgs.append(Certificate(CertificateType.x509).create(serverCertChain)) ++ if serverHello.status_request: ++ msgs.append(CertificateStatus().create(ocspResponse)) + if reqCert and reqCAs: + msgs.append(CertificateRequest().create(\ + [ClientCertificateType.rsa_sign], reqCAs)) |