Extend the enterprise policy for SSL overrides to the "danger" command
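diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
index 6429c66..8720de6 100644
--- a/third_party/tlslite/tlslite/constants.py
+++ b/third_party/tlslite/tlslite/constants.py
@@ -45,6 +45,7 @@ class ExtensionType: # RFC 6066 / 4366
 server_name = 0 # RFC 6066 / 4366
 srp = 12 # RFC 5054
 cert_type = 9 # RFC 6091
+ signed_cert_timestamps = 18 # RFC 6962
 tack = 0xF300
 supports_npn = 13172
 channel_id = 30032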
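diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
index 4fa9d96..876b033 100644
--- a/third_party/tlslite/tlslite/messages.py
+++ b/third_party/tlslite/tlslite/messages.py
@@ -114,6 +114,7 @@ class ClientHello(HandshakeMsg):
 self.supports_npn = False
 self.server_name = bytearray(0)
 self.channel_id = False
+ self.support_signed_cert_timestamps = False
 def create(self, version, random, session_id, cipher_suites,
 certificate_types=None, srpUsername=None,
@@ -183,6 +184,10 @@ class ClientHello(HandshakeMsg):
 break
 elif extType == ExtensionType.channel_id:
 self.channel_id = True
+ elif extType == ExtensionType.signed_cert_timestamps:
+ if extLength:
+ raise SyntaxError()
+ self.support_signed_cert_timestamps = True
 else:
 _ = p.getFixBytes(extLength)
 index2 = p.index
@@ -248,6 +253,7 @@ class ServerHello(HandshakeMsg):
 self.next_protos_advertised = None
 self.next_protos = None
 self.channel_id = False
+ self.signed_cert_timestamps = None
 def create(self, version, random, session_id, cipher_suite,
 certificate_type, tackExt, next_protos_advertised):
@@ -337,6 +343,9 @@ class ServerHello(HandshakeMsg):
 if self.channel_id:
 w2.add(ExtensionType.channel_id, 2)
 w2.add(0, 2)
+ if self.signed_cert_timestamps:
+ w2.add(ExtensionType.signed_cert_timestamps, 2)
+ w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2)
 if len(w2.bytes):
 w.add(len(w2.bytes), 2)
 w.bytes += w2.bytes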
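Review bot: The `if extLength: raise SyntaxError()` branch added to ClientHello.parse enforces a spec rule without saying which one, so a reader will take it for an arbitrary rejection; I would put `# RFC 6962 s3.3.1: the client's extension_data MUST be empty; any payload is malformed` directly above the check. The ServerHello.write hunk is the mirror case: `if self.signed_cert_timestamps:` quietly sends nothing for an empty value, which matches the RFC's non-empty SignedCertificateTimestampList but deserves `# Omitted when empty: RFC 6962 requires a non-empty list`. Only the ClientHello side of parsing is added here, so a tlslite client presumably still discards the server's extension through the generic `else` branch — acceptable for a server-only harness, but worth a sentence in the commit message. ClientHello.parse and ServerHello.write both begin and end outside their hunks.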
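diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
index b0400f8..4dedc5f 100644
--- a/third_party/tlslite/tlslite/tlsconnection.py
+++ b/third_party/tlslite/tlslite/tlsconnection.py
@@ -969,7 +969,7 @@ class TLSConnection(TLSRecordLayer):
 reqCAs = None,
 tacks=None, activationFlags=0,
 nextProtos=None, anon=False,
- tlsIntolerant=None):
+ tlsIntolerant=None, signedCertTimestamps=None):
 """Perform a handshake in the role of server.
 This function performs an SSL or TLS handshake. Depending on
@@ -1043,6 +1043,11 @@ class TLSConnection(TLSRecordLayer):
 simulate TLS version intolerance by returning a fatal handshake_failure
 alert to all TLS versions tlsIntolerant or higher.
+ @type signedCertTimestamps: str
+ @param signedCertTimestamps: A SignedCertificateTimestampList (as a
+ binary 8-bit string) that will be sent as a TLS extension whenever
+ the client announces support for the extension.
 @raise socket.error: If a socket error occurs.
 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
 without a preceding alert.
@@ -1054,7 +1059,8 @@ class TLSConnection(TLSRecordLayer):
 certChain, privateKey, reqCert, sessionCache, settings,
 checker, reqCAs,
 tacks=tacks, activationFlags=activationFlags,
- nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant):
+ nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant,
+ signedCertTimestamps=signedCertTimestamps):
 pass
@@ -1064,7 +1070,8 @@ class TLSConnection(TLSRecordLayer):
 reqCAs=None,
 tacks=None, activationFlags=0,
 nextProtos=None, anon=False,
- tlsIntolerant=None
+ tlsIntolerant=None,
+ signedCertTimestamps=None
 """Start a server handshake operation on the TLS connection.
@@ -1084,7 +1091,8 @@ class TLSConnection(TLSRecordLayer):
 reqCAs=reqCAs,
 tacks=tacks, activationFlags=activationFlags,
 nextProtos=nextProtos, anon=anon,
- tlsIntolerant=tlsIntolerant)
+ tlsIntolerant=tlsIntolerant,
+ signedCertTimestamps=signedCertTimestamps)
 for result in self._handshakeWrapperAsync(handshaker, checker):
 yield result
@@ -1094,7 +1102,7 @@ class TLSConnection(TLSRecordLayer):
 settings, reqCAs,
 tacks, activationFlags,
 nextProtos, anon,
- tlsIntolerant):
+ tlsIntolerant, signedCertTimestamps):
 self._handshakeStart(client=False)
@@ -1115,6 +1123,9 @@ class TLSConnection(TLSRecordLayer):
 raise ValueError("tackpy is not loaded")
 if not settings or not settings.useExperimentalTackExtension:
 raise ValueError("useExperimentalTackExtension not enabled")
+ if signedCertTimestamps and not certChain:
+ raise ValueError("Caller passed signedCertTimestamps but no "
+ "certChain")
 if not settings:
 settings = HandshakeSettings()
@@ -1159,6 +1170,8 @@ class TLSConnection(TLSRecordLayer):
 cipherSuite, CertificateType.x509, tackExt,
 nextProtos)
 serverHello.channel_id = clientHello.channel_id
+ if clientHello.support_signed_cert_timestamps:
+ serverHello.signed_cert_timestamps = signedCertTimestamps
 # Perform the SRP key exchange
 clientCertChain = None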
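Review bot: The new guard in _handshakeServerAsyncHelper rejects `signedCertTimestamps` without a `certChain` but never bounds the payload, and the ServerHello encoder in messages.py writes it under a 2-byte length field, so a list longer than 65535 bytes cannot be expressed; what `Writer.addVarSeq` does with such input is outside this hunk, but at best the client receives an extension it cannot parse. I would extend the same guard with `if signedCertTimestamps and len(signedCertTimestamps) > 0xFFFF:` / `raise ValueError("signedCertTimestamps too long for a 2-byte extension length")`. The docstring added to handshakeServer says `@type signedCertTimestamps: str`; since the value is passed through `bytearray()` on the way out, saying "a bytes-like value (not a text string)" would spare a caller a TypeError at serialization time. The handshakeServerAsync docstring visible at its hunk does not mention the new parameter; if it normally mirrors handshakeServer's parameter list, the `@param signedCertTimestamps` entry belongs there too. _handshakeServerAsyncHelper starts before its first hunk and continues after the last.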