Only grant permissions to new extensions from sync if they have the expected version
1 diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
2 index 4165de0..6429c66 100644
3 --- a/third_party/tlslite/tlslite/constants.py
4 +++ b/third_party/tlslite/tlslite/constants.py
5 @@ -32,6 +32,7 @@ class HandshakeType:
6 client_key_exchange = 16
7 finished = 20
8 next_protocol = 67
9 + encrypted_extensions = 203
11 class ContentType:
12 change_cipher_spec = 20
13 @@ -46,6 +47,7 @@ class ExtensionType: # RFC 6066 / 4366
14 cert_type = 9 # RFC 6091
15 tack = 0xF300
16 supports_npn = 13172
17 + channel_id = 30032
19 class NameType:
20 host_name = 0
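Review bot: The new `encrypted_extensions = 203` and `channel_id = 30032` carry no provenance comment, while the neighbouring entries in the same classes record where each value comes from (`cert_type = 9 # RFC 6091`, the `# RFC 6066 / 4366` on ExtensionType). Both appear to be the experimental, non-IANA-assigned numbers used by the TLS Channel ID draft, so a comment such as `channel_id = 30032 # draft-balfanz-tls-channelid, experimental value` (and the same on encrypted_extensions) would tell a later maintainer not to treat them as registered codepoints.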
21 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
22 index 2b3e518..4fa9d96 100644
23 --- a/third_party/tlslite/tlslite/messages.py
24 +++ b/third_party/tlslite/tlslite/messages.py
25 @@ -113,6 +113,7 @@ class ClientHello(HandshakeMsg):
26 self.tack = False
27 self.supports_npn = False
28 self.server_name = bytearray(0)
29 + self.channel_id = False
31 def create(self, version, random, session_id, cipher_suites,
32 certificate_types=None, srpUsername=None,
33 @@ -180,6 +181,8 @@ class ClientHello(HandshakeMsg):
34 if name_type == NameType.host_name:
35 self.server_name = hostNameBytes
36 break
37 + elif extType == ExtensionType.channel_id:
38 + self.channel_id = True
39 else:
40 _ = p.getFixBytes(extLength)
41 index2 = p.index
42 @@ -244,6 +247,7 @@ class ServerHello(HandshakeMsg):
43 self.tackExt = None
44 self.next_protos_advertised = None
45 self.next_protos = None
46 + self.channel_id = False
48 def create(self, version, random, session_id, cipher_suite,
49 certificate_type, tackExt, next_protos_advertised):
50 @@ -330,6 +334,9 @@ class ServerHello(HandshakeMsg):
51 w2.add(ExtensionType.supports_npn, 2)
52 w2.add(len(encoded_next_protos_advertised), 2)
53 w2.addFixSeq(encoded_next_protos_advertised, 1)
54 + if self.channel_id:
55 + w2.add(ExtensionType.channel_id, 2)
56 + w2.add(0, 2)
57 if len(w2.bytes):
58 w.add(len(w2.bytes), 2)
59 w.bytes += w2.bytes
60 @@ -665,6 +672,28 @@ class Finished(HandshakeMsg):
61 w.addFixSeq(self.verify_data, 1)
62 return self.postWrite(w)
64 +class EncryptedExtensions(HandshakeMsg):
65 + def __init__(self):
66 + self.channel_id_key = None
67 + self.channel_id_proof = None
69 + def parse(self, p):
70 + p.startLengthCheck(3)
71 + soFar = 0
72 + while soFar != p.lengthCheck:
73 + extType = p.get(2)
74 + extLength = p.get(2)
75 + if extType == ExtensionType.channel_id:
76 + if extLength != 32*4:
77 + raise SyntaxError()
78 + self.channel_id_key = p.getFixBytes(64)
79 + self.channel_id_proof = p.getFixBytes(64)
80 + else:
81 + p.getFixBytes(extLength)
82 + soFar += 4 + extLength
83 + p.stopLengthCheck()
84 + return self
86 class ApplicationData(object):
87 def __init__(self):
88 self.contentType = ContentType.application_data
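Review bot: In EncryptedExtensions.parse the 64-byte channel_id_proof is stored but nothing in this patch reads it, so unless the proof is checked elsewhere in the tree the server accepts whatever channel_id_key the peer sends; if skipping verification is intentional for a test server, say so on the assignment with `# channel_id_proof is stored but not verified here`. A second channel_id extension in the same message silently overwrites the first; a guard of `if self.channel_id_key is not None: raise SyntaxError()` before the length check keeps duplicates from being accepted. The `32*4` length check would also read more naturally as `64 + 64`, matching the two getFixBytes(64) reads that follow it.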
89 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
90 index 0e78753..b0400f8 100644
91 --- a/third_party/tlslite/tlslite/tlsconnection.py
92 +++ b/third_party/tlslite/tlslite/tlsconnection.py
93 @@ -1158,6 +1158,7 @@ class TLSConnection(TLSRecordLayer):
94 serverHello.create(self.version, getRandomBytes(32), sessionID, \
95 cipherSuite, CertificateType.x509, tackExt,
96 nextProtos)
97 + serverHello.channel_id = clientHello.channel_id
99 # Perform the SRP key exchange
100 clientCertChain = None
101 @@ -1194,7 +1195,7 @@ class TLSConnection(TLSRecordLayer):
102 for result in self._serverFinished(premasterSecret,
103 clientHello.random, serverHello.random,
104 cipherSuite, settings.cipherImplementations,
105 - nextProtos):
106 + nextProtos, clientHello.channel_id):
107 if result in (0,1): yield result
108 else: break
109 masterSecret = result
110 @@ -1614,7 +1615,8 @@ class TLSConnection(TLSRecordLayer):
113 def _serverFinished(self, premasterSecret, clientRandom, serverRandom,
114 - cipherSuite, cipherImplementations, nextProtos):
115 + cipherSuite, cipherImplementations, nextProtos,
116 + doingChannelID):
117 masterSecret = calcMasterSecret(self.version, premasterSecret,
118 clientRandom, serverRandom)
120 @@ -1625,7 +1627,8 @@ class TLSConnection(TLSRecordLayer):
122 #Exchange ChangeCipherSpec and Finished messages
123 for result in self._getFinished(masterSecret,
124 - expect_next_protocol=nextProtos is not None):
125 + expect_next_protocol=nextProtos is not None,
126 + expect_channel_id=doingChannelID):
127 yield result
129 for result in self._sendFinished(masterSecret):
130 @@ -1662,7 +1665,8 @@ class TLSConnection(TLSRecordLayer):
131 for result in self._sendMsg(finished):
132 yield result
134 - def _getFinished(self, masterSecret, expect_next_protocol=False, nextProto=None):
135 + def _getFinished(self, masterSecret, expect_next_protocol=False, nextProto=None,
136 + expect_channel_id=False):
137 #Get and check ChangeCipherSpec
138 for result in self._getMsg(ContentType.change_cipher_spec):
139 if result in (0,1):
140 @@ -1695,6 +1699,20 @@ class TLSConnection(TLSRecordLayer):
141 if nextProto:
142 self.next_proto = nextProto
144 + #Server Finish - Are we waiting for a EncryptedExtensions?
145 + if expect_channel_id:
146 + for result in self._getMsg(ContentType.handshake, HandshakeType.encrypted_extensions):
147 + if result in (0,1):
148 + yield result
149 + if result is None:
150 + for result in self._sendError(AlertDescription.unexpected_message,
151 + "Didn't get EncryptedExtensions message"):
152 + yield result
153 + encrypted_extensions = result
154 + self.channel_id = result.channel_id_key
155 + else:
156 + self.channel_id = None
158 #Calculate verification data
159 verifyData = self._calcFinished(masterSecret, False)
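Review bot: In _getFinished, when expect_channel_id is set but the EncryptedExtensions message carries no channel_id extension, `result.channel_id_key` is None and self.channel_id is silently set to None, so a client that advertised Channel ID and then omitted it is indistinguishable from one that never offered it. Consider rejecting that case after the existing None check, e.g. `if result.channel_id_key is None:` / `for result in self._sendError(AlertDescription.illegal_parameter, "EncryptedExtensions lacked channel_id"):` / `yield result`. The local `encrypted_extensions` is assigned but never used and could be dropped. _getFinished begins in the earlier hunk of this file and continues past the end of this one.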
161 diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite/tlslite/tlsrecordlayer.py
162 index 5fe7410..f18fcf5 100644
163 --- a/third_party/tlslite/tlslite/tlsrecordlayer.py
164 +++ b/third_party/tlslite/tlslite/tlsrecordlayer.py
165 @@ -806,6 +806,8 @@ class TLSRecordLayer(object):
166 yield Finished(self.version).parse(p)
167 elif subType == HandshakeType.next_protocol:
168 yield NextProtocol().parse(p)
169 + elif subType == HandshakeType.encrypted_extensions:
170 + yield EncryptedExtensions().parse(p)
171 else:
172 raise AssertionError()