1 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
2 index 52c20ac..feca423 100644
3 --- a/third_party/tlslite/tlslite/constants.py
4 +++ b/third_party/tlslite/tlslite/constants.py
5 @@ -143,6 +143,10 @@ class CipherSuite:
7 TLS_RSA_WITH_RC4_128_MD5 = 0x0004
9 + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016
10 + TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033
11 + TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039
13 TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034
14 TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A
16 @@ -150,17 +154,20 @@ class CipherSuite:
17 tripleDESSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA)
18 tripleDESSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA)
19 tripleDESSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
20 + tripleDESSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
23 aes128Suites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA)
24 aes128Suites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA)
25 aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA)
26 + aes128Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
27 aes128Suites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA)
30 aes256Suites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA)
31 aes256Suites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA)
32 aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA)
33 + aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
34 aes256Suites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA)
37 @@ -178,6 +185,9 @@ class CipherSuite:
38 shaSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA)
39 shaSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA)
40 shaSuites.append(TLS_RSA_WITH_RC4_128_SHA)
41 + shaSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
42 + shaSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
43 + shaSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
44 shaSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA)
45 shaSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA)
47 @@ -188,6 +198,7 @@ class CipherSuite:
48 def _filterSuites(suites, settings):
49 macNames = settings.macNames
50 cipherNames = settings.cipherNames
51 + keyExchangeNames = settings.keyExchangeNames
54 macSuites += CipherSuite.shaSuites
55 @@ -204,7 +215,20 @@ class CipherSuite:
56 if "rc4" in cipherNames:
57 cipherSuites += CipherSuite.rc4Suites
59 - return [s for s in suites if s in macSuites and s in cipherSuites]
60 + keyExchangeSuites = []
61 + if "rsa" in keyExchangeNames:
62 + keyExchangeSuites += CipherSuite.certSuites
63 + if "dhe_rsa" in keyExchangeNames:
64 + keyExchangeSuites += CipherSuite.dheCertSuites
65 + if "srp_sha" in keyExchangeNames:
66 + keyExchangeSuites += CipherSuite.srpSuites
67 + if "srp_sha_rsa" in keyExchangeNames:
68 + keyExchangeSuites += CipherSuite.srpCertSuites
69 + if "dh_anon" in keyExchangeNames:
70 + keyExchangeSuites += CipherSuite.anonSuites
72 + return [s for s in suites if s in macSuites and
73 + s in cipherSuites and s in keyExchangeSuites]
76 srpSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA)
77 @@ -236,12 +260,22 @@ class CipherSuite:
78 certSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA)
79 certSuites.append(TLS_RSA_WITH_RC4_128_SHA)
80 certSuites.append(TLS_RSA_WITH_RC4_128_MD5)
81 - certAllSuites = srpCertSuites + certSuites
84 def getCertSuites(settings):
85 return CipherSuite._filterSuites(CipherSuite.certSuites, settings)
88 + dheCertSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
89 + dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
90 + dheCertSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
93 + def getDheCertSuites(settings):
94 + return CipherSuite._filterSuites(CipherSuite.dheCertSuites, settings)
96 + certAllSuites = srpCertSuites + certSuites + dheCertSuites
99 anonSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA)
100 anonSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA)
101 @@ -250,6 +284,8 @@ class CipherSuite:
102 def getAnonSuites(settings):
103 return CipherSuite._filterSuites(CipherSuite.anonSuites, settings)
105 + dhAllSuites = dheCertSuites + anonSuites
108 def canonicalCipherName(ciphersuite):
109 "Return the canonical name of the cipher whose number is provided."
110 diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py
111 index 7a38ee2..e0bc0e6 100644
112 --- a/third_party/tlslite/tlslite/handshakesettings.py
113 +++ b/third_party/tlslite/tlslite/handshakesettings.py
114 @@ -13,7 +13,9 @@ from .utils import cipherfactory
115 # RC4 is preferred as faster in Python, works in SSL3, and immune to CBC
116 # issues such as timing attacks
117 CIPHER_NAMES = ["rc4", "aes256", "aes128", "3des"]
118 -MAC_NAMES = ["sha"] # "md5" is allowed
119 +MAC_NAMES = ["sha"] # Don't allow "md5" by default.
120 +ALL_MAC_NAMES = ["sha", "md5"]
121 +KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"]
122 CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"]
123 CERTIFICATE_TYPES = ["x509"]
125 @@ -102,6 +104,7 @@ class HandshakeSettings(object):
126 self.maxKeySize = 8193
127 self.cipherNames = CIPHER_NAMES
128 self.macNames = MAC_NAMES
129 + self.keyExchangeNames = KEY_EXCHANGE_NAMES
130 self.cipherImplementations = CIPHER_IMPLEMENTATIONS
131 self.certificateTypes = CERTIFICATE_TYPES
132 self.minVersion = (3,0)
133 @@ -116,6 +119,7 @@ class HandshakeSettings(object):
134 other.maxKeySize = self.maxKeySize
135 other.cipherNames = self.cipherNames
136 other.macNames = self.macNames
137 + other.keyExchangeNames = self.keyExchangeNames
138 other.cipherImplementations = self.cipherImplementations
139 other.certificateTypes = self.certificateTypes
140 other.minVersion = self.minVersion
141 @@ -148,6 +152,12 @@ class HandshakeSettings(object):
142 for s in other.cipherNames:
143 if s not in CIPHER_NAMES:
144 raise ValueError("Unknown cipher name: '%s'" % s)
145 + for s in other.macNames:
146 + if s not in ALL_MAC_NAMES:
147 + raise ValueError("Unknown MAC name: '%s'" % s)
148 + for s in other.keyExchangeNames:
149 + if s not in KEY_EXCHANGE_NAMES:
150 + raise ValueError("Unknown key exchange name: '%s'" % s)
151 for s in other.cipherImplementations:
152 if s not in CIPHER_IMPLEMENTATIONS:
153 raise ValueError("Unknown cipher implementation: '%s'" % s)
154 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
155 index 532d86b..550b387 100644
156 --- a/third_party/tlslite/tlslite/messages.py
157 +++ b/third_party/tlslite/tlslite/messages.py
158 @@ -533,31 +533,31 @@ class ServerKeyExchange(HandshakeMsg):
163 + def write_params(self):
165 if self.cipherSuite in CipherSuite.srpAllSuites:
166 w.addVarSeq(numberToByteArray(self.srp_N), 1, 2)
167 w.addVarSeq(numberToByteArray(self.srp_g), 1, 2)
168 w.addVarSeq(self.srp_s, 1, 1)
169 w.addVarSeq(numberToByteArray(self.srp_B), 1, 2)
170 - if self.cipherSuite in CipherSuite.srpCertSuites:
171 - w.addVarSeq(self.signature, 1, 2)
172 - elif self.cipherSuite in CipherSuite.anonSuites:
173 + elif self.cipherSuite in CipherSuite.dhAllSuites:
174 w.addVarSeq(numberToByteArray(self.dh_p), 1, 2)
175 w.addVarSeq(numberToByteArray(self.dh_g), 1, 2)
176 w.addVarSeq(numberToByteArray(self.dh_Ys), 1, 2)
177 - if self.cipherSuite in []: # TODO support for signed_params
178 - w.addVarSeq(self.signature, 1, 2)
185 + w.bytes += self.write_params()
186 + if self.cipherSuite in CipherSuite.certAllSuites:
187 + w.addVarSeq(self.signature, 1, 2)
188 return self.postWrite(w)
190 def hash(self, clientRandom, serverRandom):
191 - oldCipherSuite = self.cipherSuite
192 - self.cipherSuite = None
194 - bytes = clientRandom + serverRandom + self.write()[4:]
195 - return MD5(bytes) + SHA1(bytes)
197 - self.cipherSuite = oldCipherSuite
198 + bytes = clientRandom + serverRandom + self.write_params()
199 + return MD5(bytes) + SHA1(bytes)
201 class ServerHelloDone(HandshakeMsg):
203 @@ -607,7 +607,7 @@ class ClientKeyExchange(HandshakeMsg):
204 p.getFixBytes(len(p.bytes)-p.index)
206 raise AssertionError()
207 - elif self.cipherSuite in CipherSuite.anonSuites:
208 + elif self.cipherSuite in CipherSuite.dhAllSuites:
209 self.dh_Yc = bytesToNumber(p.getVarBytes(2))
211 raise AssertionError()
212 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
213 index 20cd85b..e6f7820 100644
214 --- a/third_party/tlslite/tlslite/tlsconnection.py
215 +++ b/third_party/tlslite/tlslite/tlsconnection.py
216 @@ -23,6 +23,103 @@ from .mathtls import *
217 from .handshakesettings import HandshakeSettings
218 from .utils.tackwrapper import *
220 +class KeyExchange(object):
221 + def __init__(self, cipherSuite, clientHello, serverHello, privateKey):
223 + Initializes the KeyExchange. privateKey is the signing private key.
225 + self.cipherSuite = cipherSuite
226 + self.clientHello = clientHello
227 + self.serverHello = serverHello
228 + self.privateKey = privateKey
230 + def makeServerKeyExchange():
232 + Returns a ServerKeyExchange object for the server's initial leg in the
233 + handshake. If the key exchange method does not send ServerKeyExchange
234 + (e.g. RSA), it returns None.
236 + raise NotImplementedError()
238 + def processClientKeyExchange(clientKeyExchange):
240 + Processes the client's ClientKeyExchange message and returns the
241 + premaster secret. Raises TLSLocalAlert on error.
243 + raise NotImplementedError()
245 +class RSAKeyExchange(KeyExchange):
246 + def makeServerKeyExchange(self):
249 + def processClientKeyExchange(self, clientKeyExchange):
250 + premasterSecret = self.privateKey.decrypt(\
251 + clientKeyExchange.encryptedPreMasterSecret)
253 + # On decryption failure randomize premaster secret to avoid
254 + # Bleichenbacher's "million message" attack
255 + randomPreMasterSecret = getRandomBytes(48)
256 + if not premasterSecret:
257 + premasterSecret = randomPreMasterSecret
258 + elif len(premasterSecret)!=48:
259 + premasterSecret = randomPreMasterSecret
261 + versionCheck = (premasterSecret[0], premasterSecret[1])
262 + if versionCheck != self.clientHello.client_version:
263 + #Tolerate buggy IE clients
264 + if versionCheck != self.serverHello.server_version:
265 + premasterSecret = randomPreMasterSecret
266 + return premasterSecret
268 +def _hexStringToNumber(s):
269 + s = s.replace(" ", "").replace("\n", "")
270 + if len(s) % 2 != 0:
271 + raise ValueError("Length is not even")
272 + return bytesToNumber(bytearray(s.decode("hex")))
274 +class DHE_RSAKeyExchange(KeyExchange):
275 + # 2048-bit MODP Group (RFC 3526, Section 3)
276 + dh_p = _hexStringToNumber("""
277 +FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
278 +29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
279 +EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
280 +E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
281 +EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
282 +C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
283 +83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
284 +670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
285 +E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
286 +DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
287 +15728E5A 8AACAA68 FFFFFFFF FFFFFFFF""")
290 + # RFC 3526, Section 8.
293 + def makeServerKeyExchange(self):
294 + # Per RFC 3526, Section 1, the exponent should have double the entropy
295 + # of the strength of the curve.
296 + self.dh_Xs = bytesToNumber(getRandomBytes(self.strength * 2 / 8))
297 + dh_Ys = powMod(self.dh_g, self.dh_Xs, self.dh_p)
299 + serverKeyExchange = ServerKeyExchange(self.cipherSuite)
300 + serverKeyExchange.createDH(self.dh_p, self.dh_g, dh_Ys)
301 + serverKeyExchange.signature = self.privateKey.sign(
302 + serverKeyExchange.hash(self.clientHello.random,
303 + self.serverHello.random))
304 + return serverKeyExchange
306 + def processClientKeyExchange(self, clientKeyExchange):
307 + dh_Yc = clientKeyExchange.dh_Yc
309 + # First half of RFC 2631, Section 2.1.5. Validate the client's public
311 + if not 2 <= dh_Yc <= self.dh_p - 1:
312 + raise TLSLocalAlert(AlertDescription.illegal_parameter,
313 + "Invalid dh_Yc value")
315 + S = powMod(dh_Yc, self.dh_Xs, self.dh_p)
316 + return numberToByteArray(S)
318 class TLSConnection(TLSRecordLayer):
320 @@ -500,6 +597,8 @@ class TLSConnection(TLSRecordLayer):
321 cipherSuites += CipherSuite.getSrpAllSuites(settings)
323 cipherSuites += CipherSuite.getCertSuites(settings)
324 + # TODO: Client DHE_RSA not supported.
325 + # cipherSuites += CipherSuite.getDheCertSuites(settings)
327 cipherSuites += CipherSuite.getAnonSuites(settings)
329 @@ -1204,10 +1303,23 @@ class TLSConnection(TLSRecordLayer):
331 premasterSecret = result
333 - # Perform the RSA key exchange
334 - elif cipherSuite in CipherSuite.certSuites:
335 + # Perform the RSA or DHE_RSA key exchange
336 + elif (cipherSuite in CipherSuite.certSuites or
337 + cipherSuite in CipherSuite.dheCertSuites):
338 + if cipherSuite in CipherSuite.certSuites:
339 + keyExchange = RSAKeyExchange(cipherSuite,
343 + elif cipherSuite in CipherSuite.dheCertSuites:
344 + keyExchange = DHE_RSAKeyExchange(cipherSuite,
350 for result in self._serverCertKeyExchange(clientHello, serverHello,
351 - certChain, privateKey,
352 + certChain, keyExchange,
353 reqCert, reqCAs, cipherSuite,
354 settings, ocspResponse):
355 if result in (0,1): yield result
356 @@ -1268,6 +1380,7 @@ class TLSConnection(TLSRecordLayer):
357 cipherSuites += CipherSuite.getSrpSuites(settings)
359 cipherSuites += CipherSuite.getCertSuites(settings)
360 + cipherSuites += CipherSuite.getDheCertSuites(settings)
362 cipherSuites += CipherSuite.getAnonSuites(settings)
364 @@ -1483,11 +1596,11 @@ class TLSConnection(TLSRecordLayer):
367 def _serverCertKeyExchange(self, clientHello, serverHello,
368 - serverCertChain, privateKey,
369 + serverCertChain, keyExchange,
370 reqCert, reqCAs, cipherSuite,
371 settings, ocspResponse):
372 - #Send ServerHello, Certificate[, CertificateRequest],
374 + #Send ServerHello, Certificate[, ServerKeyExchange]
375 + #[, CertificateRequest], ServerHelloDone
378 # If we verify a client cert chain, return it
379 @@ -1497,6 +1610,9 @@ class TLSConnection(TLSRecordLayer):
380 msgs.append(Certificate(CertificateType.x509).create(serverCertChain))
381 if serverHello.status_request:
382 msgs.append(CertificateStatus().create(ocspResponse))
383 + serverKeyExchange = keyExchange.makeServerKeyExchange()
384 + if serverKeyExchange is not None:
385 + msgs.append(serverKeyExchange)
386 if reqCert and reqCAs:
387 msgs.append(CertificateRequest().create(\
388 [ClientCertificateType.rsa_sign], reqCAs))
389 @@ -1555,21 +1671,13 @@ class TLSConnection(TLSRecordLayer):
391 clientKeyExchange = result
393 - #Decrypt ClientKeyExchange
394 - premasterSecret = privateKey.decrypt(\
395 - clientKeyExchange.encryptedPreMasterSecret)
397 - # On decryption failure randomize premaster secret to avoid
398 - # Bleichenbacher's "million message" attack
399 - randomPreMasterSecret = getRandomBytes(48)
400 - versionCheck = (premasterSecret[0], premasterSecret[1])
401 - if not premasterSecret:
402 - premasterSecret = randomPreMasterSecret
403 - elif len(premasterSecret)!=48:
404 - premasterSecret = randomPreMasterSecret
405 - elif versionCheck != clientHello.client_version:
406 - if versionCheck != self.version: #Tolerate buggy IE clients
407 - premasterSecret = randomPreMasterSecret
408 + #Process ClientKeyExchange
410 + premasterSecret = \
411 + keyExchange.processClientKeyExchange(clientKeyExchange)
412 + except TLSLocalAlert, alert:
413 + for result in self._sendError(alert.description, alert.message):
416 #Get and check CertificateVerify, if relevant