search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge Chromium + Blink git repositories
[chromium-blink-merge.git] / third_party / tlslite / patches / token_binding_negotiation.patch
blob336c11d0b6e17adf536596561250f6b4030ffa47
1 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
2 index f9c8676..84bb703 100644
3 --- a/third_party/tlslite/tlslite/constants.py
4 +++ b/third_party/tlslite/tlslite/constants.py
5 @@ -59,6 +59,7 @@ class ExtensionType: # RFC 6066 / 4366
6 tack = 0xF300
7 supports_npn = 13172
8 channel_id = 30032
9 + token_binding = 30033
10
11 class HashAlgorithm:
12 none = 0
13 diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py
14 index a7b6ab9..8f25f62 100644
15 --- a/third_party/tlslite/tlslite/handshakesettings.py
16 +++ b/third_party/tlslite/tlslite/handshakesettings.py
17 @@ -115,6 +115,13 @@ class HandshakeSettings(object):
18 @type enableExtendedMasterSecret: bool
19 @ivar enableExtendedMasterSecret: If true, the server supports the extended
20 master secret TLS extension and will negotiated it with supporting clients.
21 +
22 + @type supportedTokenBindingParams: list
23 + @ivar supportedTokenBindingParams: A list of token binding parameters that
24 + the server supports when negotiating token binding. List values are integers
25 + corresponding to the TokenBindingKeyParameters enum in the Token Binding
26 + Negotiation spec (draft-ietf-tokbind-negotiation-00). Values are in server's
27 + preference order, with most preferred params first.
28
29 Note that TACK support is not standardized by IETF and uses a temporary
30 TLS Extension number, so should NOT be used in production software.
31 @@ -134,6 +141,7 @@ class HandshakeSettings(object):
32 self.useExperimentalTackExtension = False
33 self.alertAfterHandshake = False
34 self.enableExtendedMasterSecret = True
35 + self.supportedTokenBindingParams = []
36
37 # Validates the min/max fields, and certificateTypes
38 # Filters out unsupported cipherNames and cipherImplementations
39 @@ -152,6 +160,7 @@ class HandshakeSettings(object):
40 other.tlsIntoleranceType = self.tlsIntoleranceType
41 other.alertAfterHandshake = self.alertAfterHandshake
42 other.enableExtendedMasterSecret = self.enableExtendedMasterSecret
43 + other.supportedTokenBindingParams = self.supportedTokenBindingParams
44
45 if not cipherfactory.tripleDESPresent:
46 other.cipherNames = [e for e in self.cipherNames if e != "3des"]
47 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
48 index 9b553ce..ab2be57 100644
49 --- a/third_party/tlslite/tlslite/messages.py
50 +++ b/third_party/tlslite/tlslite/messages.py
51 @@ -115,6 +115,7 @@ class ClientHello(HandshakeMsg):
52 self.server_name = bytearray(0)
53 self.channel_id = False
54 self.extended_master_secret = False
55 + self.tb_client_params = []
56 self.support_signed_cert_timestamps = False
57 self.status_request = False
58
59 @@ -188,6 +189,15 @@ class ClientHello(HandshakeMsg):
60 self.channel_id = True
61 elif extType == ExtensionType.extended_master_secret:
62 self.extended_master_secret = True
63 + elif extType == ExtensionType.token_binding:
64 + tokenBindingBytes = p.getFixBytes(extLength)
65 + p2 = Parser(tokenBindingBytes)
66 + ver_minor = p2.get(1)
67 + ver_major = p2.get(1)
68 + if (ver_major, ver_minor) >= (0, 2):
69 + p2.startLengthCheck(1)
70 + while not p2.atLengthCheck():
71 + self.tb_client_params.append(p2.get(1))
72 elif extType == ExtensionType.signed_cert_timestamps:
73 if extLength:
74 raise SyntaxError()
75 @@ -271,6 +281,7 @@ class ServerHello(HandshakeMsg):
76 self.next_protos = None
77 self.channel_id = False
78 self.extended_master_secret = False
79 + self.tb_params = None
80 self.signed_cert_timestamps = None
81 self.status_request = False
82
83 @@ -365,6 +376,17 @@ class ServerHello(HandshakeMsg):
84 if self.extended_master_secret:
85 w2.add(ExtensionType.extended_master_secret, 2)
86 w2.add(0, 2)
87 + if self.tb_params:
88 + w2.add(ExtensionType.token_binding, 2)
89 + # length of extension
90 + w2.add(4, 2)
91 + # version
92 + w2.add(0, 1)
93 + w2.add(2, 1)
94 + # length of params (defined as variable length <1..2^8-1>, but in
95 + # this context the server can only send a single value.
96 + w2.add(1, 1)
97 + w2.add(self.tb_params, 1)
98 if self.signed_cert_timestamps:
99 w2.add(ExtensionType.signed_cert_timestamps, 2)
100 w2.addVarSeq(bytearray(self.signed_cert_timestamps), 1, 2)
101 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
102 index 04161513..06404fe 100644
103 --- a/third_party/tlslite/tlslite/tlsconnection.py
104 +++ b/third_party/tlslite/tlslite/tlsconnection.py
105 @@ -1330,6 +1330,10 @@ class TLSConnection(TLSRecordLayer):
106 serverHello.extended_master_secret = \
107 clientHello.extended_master_secret and \
108 settings.enableExtendedMasterSecret
109 + for param in clientHello.tb_client_params:
110 + if param in settings.supportedTokenBindingParams:
111 + serverHello.tb_params = param
112 + break
113 if clientHello.support_signed_cert_timestamps:
114 serverHello.signed_cert_timestamps = signedCertTimestamps
115 if clientHello.status_request: