| diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py |
| index e5b88af..6d78a20 100644 |
| --- a/third_party/tlslite/tlslite/constants.py |
| +++ b/third_party/tlslite/tlslite/constants.py |
| @@ -76,6 +76,14 @@ class SignatureAlgorithm: |
| class NameType: |
| host_name = 0 |
| |
| +class ECCurveType: |
| + explicit_prime = 1 |
| + explicit_char2 = 2 |
| + named_curve = 3 |
| + |
| +class NamedCurve: |
| + secp256r1 = 23 |
| + |
| class AlertLevel: |
| warning = 1 |
| fatal = 2 |
| @@ -178,11 +186,19 @@ class CipherSuite: |
| TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E |
| |
| + TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xc011 |
| + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xc012 |
| + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xc013 |
| + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xc014 |
| + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xc027 |
| + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xc02f |
| + |
| tripleDESSuites = [] |
| tripleDESSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) |
| tripleDESSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) |
| tripleDESSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) |
| tripleDESSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) |
| + tripleDESSuites.append(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA) |
| |
| aes128Suites = [] |
| aes128Suites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) |
| @@ -192,6 +208,8 @@ class CipherSuite: |
| aes128Suites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) |
| aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256) |
| aes128Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256) |
| + aes128Suites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) |
| + aes128Suites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) |
| |
| aes256Suites = [] |
| aes256Suites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) |
| @@ -201,14 +219,17 @@ class CipherSuite: |
| aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) |
| aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256) |
| aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256) |
| + aes256Suites.append(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) |
| |
| aes128GcmSuites = [] |
| aes128GcmSuites.append(TLS_RSA_WITH_AES_128_GCM_SHA256) |
| aes128GcmSuites.append(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) |
| + aes128GcmSuites.append(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) |
| |
| rc4Suites = [] |
| rc4Suites.append(TLS_RSA_WITH_RC4_128_SHA) |
| rc4Suites.append(TLS_RSA_WITH_RC4_128_MD5) |
| + rc4Suites.append(TLS_ECDHE_RSA_WITH_RC4_128_SHA) |
| |
| shaSuites = [] |
| shaSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) |
| @@ -226,6 +247,10 @@ class CipherSuite: |
| shaSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) |
| shaSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) |
| shaSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) |
| + shaSuites.append(TLS_ECDHE_RSA_WITH_RC4_128_SHA) |
| + shaSuites.append(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA) |
| + shaSuites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) |
| + shaSuites.append(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) |
| |
| sha256Suites = [] |
| sha256Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256) |
| @@ -234,6 +259,9 @@ class CipherSuite: |
| sha256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256) |
| sha256Suites.append(TLS_RSA_WITH_AES_128_GCM_SHA256) |
| sha256Suites.append(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) |
| + sha256Suites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) |
| + sha256Suites.append(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) |
| + |
| |
| aeadSuites = aes128GcmSuites |
| |
| @@ -275,6 +303,8 @@ class CipherSuite: |
| keyExchangeSuites += CipherSuite.certSuites |
| if "dhe_rsa" in keyExchangeNames: |
| keyExchangeSuites += CipherSuite.dheCertSuites |
| + if "ecdhe_rsa" in keyExchangeNames: |
| + keyExchangeSuites += CipherSuite.ecdheCertSuites |
| if "srp_sha" in keyExchangeNames: |
| keyExchangeSuites += CipherSuite.srpSuites |
| if "srp_sha_rsa" in keyExchangeNames: |
| @@ -335,7 +365,19 @@ class CipherSuite: |
| def getDheCertSuites(settings, version=None): |
| return CipherSuite._filterSuites(CipherSuite.dheCertSuites, settings, version) |
| |
| - certAllSuites = srpCertSuites + certSuites + dheCertSuites |
| + ecdheCertSuites = [] |
| + ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) |
| + ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) |
| + ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) |
| + ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) |
| + ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA) |
| + ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_RC4_128_SHA) |
| + |
| + @staticmethod |
| + def getEcdheCertSuites(settings, version=None): |
| + return CipherSuite._filterSuites(CipherSuite.ecdheCertSuites, settings, version) |
| + |
| + certAllSuites = srpCertSuites + certSuites + dheCertSuites + ecdheCertSuites |
| |
| anonSuites = [] |
| anonSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) |
| @@ -346,6 +388,7 @@ class CipherSuite: |
| return CipherSuite._filterSuites(CipherSuite.anonSuites, settings, version) |
| |
| dhAllSuites = dheCertSuites + anonSuites |
| + ecdhAllSuites = ecdheCertSuites |
| |
| @staticmethod |
| def canonicalCipherName(ciphersuite): |
| diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py |
| index e752834..605ed42 100644 |
| --- a/third_party/tlslite/tlslite/handshakesettings.py |
| +++ b/third_party/tlslite/tlslite/handshakesettings.py |
| @@ -14,7 +14,7 @@ from .utils import cipherfactory |
| CIPHER_NAMES = ["aes128gcm", "rc4", "aes256", "aes128", "3des"] |
| MAC_NAMES = ["sha", "sha256", "aead"] # Don't allow "md5" by default. |
| ALL_MAC_NAMES = MAC_NAMES + ["md5"] |
| -KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"] |
| +KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "ecdhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"] |
| CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"] |
| CERTIFICATE_TYPES = ["x509"] |
| TLS_INTOLERANCE_TYPES = ["alert", "close", "reset"] |
| diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py |
| index f2e2cfc..9aeff6d 100644 |
| --- a/third_party/tlslite/tlslite/messages.py |
| +++ b/third_party/tlslite/tlslite/messages.py |
| @@ -509,10 +509,13 @@ class ServerKeyExchange(HandshakeMsg): |
| self.srp_g = 0 |
| self.srp_s = bytearray(0) |
| self.srp_B = 0 |
| - # Anon DH params: |
| + # DH params: |
| self.dh_p = 0 |
| self.dh_g = 0 |
| self.dh_Ys = 0 |
| + # ECDH params: |
| + self.ecdhCurve = 0 |
| + self.ecdhPublic = bytearray(0) |
| self.signature = bytearray(0) |
| |
| def createSRP(self, srp_N, srp_g, srp_s, srp_B): |
| @@ -528,6 +531,11 @@ class ServerKeyExchange(HandshakeMsg): |
| self.dh_Ys = dh_Ys |
| return self |
| |
| + def createECDH(self, ecdhCurve, ecdhPublic): |
| + self.ecdhCurve = ecdhCurve |
| + self.ecdhPublic = ecdhPublic |
| + return self |
| + |
| def parse(self, p): |
| p.startLengthCheck(3) |
| if self.cipherSuite in CipherSuite.srpAllSuites: |
| @@ -555,6 +563,10 @@ class ServerKeyExchange(HandshakeMsg): |
| w.addVarSeq(numberToByteArray(self.dh_p), 1, 2) |
| w.addVarSeq(numberToByteArray(self.dh_g), 1, 2) |
| w.addVarSeq(numberToByteArray(self.dh_Ys), 1, 2) |
| + elif self.cipherSuite in CipherSuite.ecdhAllSuites: |
| + w.add(ECCurveType.named_curve, 1) |
| + w.add(self.ecdhCurve, 2) |
| + w.addVarSeq(self.ecdhPublic, 1, 1) |
| else: |
| assert(False) |
| return w.bytes |
| @@ -626,7 +638,9 @@ class ClientKeyExchange(HandshakeMsg): |
| else: |
| raise AssertionError() |
| elif self.cipherSuite in CipherSuite.dhAllSuites: |
| - self.dh_Yc = bytesToNumber(p.getVarBytes(2)) |
| + self.dh_Yc = bytesToNumber(p.getVarBytes(2)) |
| + elif self.cipherSuite in CipherSuite.ecdhAllSuites: |
| + self.ecdh_Yc = p.getVarBytes(1) |
| else: |
| raise AssertionError() |
| p.stopLengthCheck() |
| diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py |
| index 0a85d3c..dfac274 100644 |
| --- a/third_party/tlslite/tlslite/tlsconnection.py |
| +++ b/third_party/tlslite/tlslite/tlsconnection.py |
| @@ -24,6 +24,7 @@ from .mathtls import * |
| from .handshakesettings import HandshakeSettings |
| from .utils.tackwrapper import * |
| from .utils.rsakey import RSAKey |
| +from .utils import p256 |
| |
| class KeyExchange(object): |
| def __init__(self, cipherSuite, clientHello, serverHello, privateKey): |
| @@ -127,6 +128,25 @@ DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510 |
| S = powMod(dh_Yc, self.dh_Xs, self.dh_p) |
| return numberToByteArray(S) |
| |
| +class ECDHE_RSAKeyExchange(KeyExchange): |
| + def makeServerKeyExchange(self): |
| + public, self.private = p256.generatePublicPrivate() |
| + |
| + version = self.serverHello.server_version |
| + serverKeyExchange = ServerKeyExchange(self.cipherSuite, version) |
| + serverKeyExchange.createECDH(NamedCurve.secp256r1, bytearray(public)) |
| + hashBytes = serverKeyExchange.hash(self.clientHello.random, |
| + self.serverHello.random) |
| + if version >= (3,3): |
| + # TODO: Signature algorithm negotiation not supported. |
| + hashBytes = RSAKey.addPKCS1SHA1Prefix(hashBytes) |
| + serverKeyExchange.signature = self.privateKey.sign(hashBytes) |
| + return serverKeyExchange |
| + |
| + def processClientKeyExchange(self, clientKeyExchange): |
| + ecdh_Yc = clientKeyExchange.ecdh_Yc |
| + return bytearray(p256.generateSharedValue(bytes(ecdh_Yc), self.private)) |
| + |
| class TLSConnection(TLSRecordLayer): |
| """ |
| This class wraps a socket and provides TLS handshaking and data |
| @@ -1321,9 +1341,8 @@ class TLSConnection(TLSRecordLayer): |
| else: break |
| premasterSecret = result |
| |
| - # Perform the RSA or DHE_RSA key exchange |
| - elif (cipherSuite in CipherSuite.certSuites or |
| - cipherSuite in CipherSuite.dheCertSuites): |
| + # Perform a certificate-based key exchange |
| + elif cipherSuite in CipherSuite.certAllSuites: |
| if cipherSuite in CipherSuite.certSuites: |
| keyExchange = RSAKeyExchange(cipherSuite, |
| clientHello, |
| @@ -1334,6 +1353,11 @@ class TLSConnection(TLSRecordLayer): |
| clientHello, |
| serverHello, |
| privateKey) |
| + elif cipherSuite in CipherSuite.ecdheCertSuites: |
| + keyExchange = ECDHE_RSAKeyExchange(cipherSuite, |
| + clientHello, |
| + serverHello, |
| + privateKey) |
| else: |
| assert(False) |
| for result in self._serverCertKeyExchange(clientHello, serverHello, |
| @@ -1450,6 +1474,7 @@ class TLSConnection(TLSRecordLayer): |
| CipherSuite.getSrpCertSuites(settings, self.version) |
| cipherSuites += CipherSuite.getSrpSuites(settings, self.version) |
| elif certChain: |
| + cipherSuites += CipherSuite.getEcdheCertSuites(settings, self.version) |
| cipherSuites += CipherSuite.getDheCertSuites(settings, self.version) |
| cipherSuites += CipherSuite.getCertSuites(settings, self.version) |
| elif anon: |
| diff --git a/third_party/tlslite/tlslite/utils/p256.py b/third_party/tlslite/tlslite/utils/p256.py |
| index e69de29..6eb9a77 100644 |
| --- a/third_party/tlslite/tlslite/utils/p256.py |
| +++ b/third_party/tlslite/tlslite/utils/p256.py |
| @@ -0,0 +1,162 @@ |
| +# Author: Google |
| +# See the LICENSE file for legal information regarding use of this file. |
| + |
| +import os |
| + |
| +p = ( |
| + 115792089210356248762697446949407573530086143415290314195533631308867097853951) |
| +order = ( |
| + 115792089210356248762697446949407573529996955224135760342422259061068512044369) |
| +p256B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b |
| + |
| +baseX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296 |
| +baseY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5 |
| +basePoint = (baseX, baseY) |
| + |
| + |
| +def _pointAdd(a, b): |
| + Z1Z1 = (a[2] * a[2]) % p |
| + Z2Z2 = (b[2] * b[2]) % p |
| + U1 = (a[0] * Z2Z2) % p |
| + U2 = (b[0] * Z1Z1) % p |
| + S1 = (a[1] * b[2] * Z2Z2) % p |
| + S2 = (b[1] * a[2] * Z1Z1) % p |
| + if U1 == U2 and S1 == S2: |
| + return pointDouble(a) |
| + H = (U2 - U1) % p |
| + I = (4 * H * H) % p |
| + J = (H * I) % p |
| + r = (2 * (S2 - S1)) % p |
| + V = (U1 * I) % p |
| + X3 = (r * r - J - 2 * V) % p |
| + Y3 = (r * (V - X3) - 2 * S1 * J) % p |
| + Z3 = (((a[2] + b[2]) * (a[2] + b[2]) - Z1Z1 - Z2Z2) * H) % p |
| + |
| + return (X3, Y3, Z3) |
| + |
| + |
| +def _pointDouble(a): |
| + delta = (a[2] * a[2]) % p |
| + gamma = (a[1] * a[1]) % p |
| + beta = (a[0] * gamma) % p |
| + alpha = (3 * (a[0] - delta) * (a[0] + delta)) % p |
| + X3 = (alpha * alpha - 8 * beta) % p |
| + Z3 = ((a[1] + a[2]) * (a[1] + a[2]) - gamma - delta) % p |
| + Y3 = (alpha * (4 * beta - X3) - 8 * gamma * gamma) % p |
| + |
| + return (X3, Y3, Z3) |
| + |
| + |
| +def _square(n): |
| + return (n * n) |
| + |
| + |
| +def _modpow(a, n, p): |
| + if n == 0: |
| + return 1 |
| + if n == 1: |
| + return a |
| + r = _square(_modpow(a, n >> 1, p)) % p |
| + if n & 1 == 1: |
| + r = (r * a) % p |
| + return r |
| + |
| + |
| +def _scalarMult(k, point): |
| + accum = (0, 0, 0) |
| + accumIsInfinity = True |
| + jacobianPoint = (point[0], point[1], 1) |
| + |
| + for bit in range(255, -1, -1): |
| + if not accumIsInfinity: |
| + accum = _pointDouble(accum) |
| + |
| + if (k >> bit) & 1 == 1: |
| + if accumIsInfinity: |
| + accum = jacobianPoint |
| + accumIsInfinity = False |
| + else: |
| + accum = _pointAdd(accum, jacobianPoint) |
| + |
| + if accumIsInfinity: |
| + return (0, 0) |
| + |
| + zInv = _modpow(accum[2], p - 2, p) |
| + return ((accum[0] * zInv * zInv) % p, (accum[1] * zInv * zInv * zInv) % p) |
| + |
| + |
| +def _scalarBaseMult(k): |
| + return _scalarMult(k, basePoint) |
| + |
| + |
| +def _decodeBigEndian(b): |
| + return sum([ord(b[len(b) - i - 1]) << 8 * i for i in range(len(b))]) |
| + |
| + |
| +def _encodeBigEndian(n): |
| + b = [] |
| + while n != 0: |
| + b.append(chr(n & 0xff)) |
| + n >>= 8 |
| + |
| + if len(b) == 0: |
| + b.append(0) |
| + b.reverse() |
| + |
| + return "".join(b) |
| + |
| + |
| +def _zeroPad(b, length): |
| + if len(b) < length: |
| + return ("\x00" * (length - len(b))) + b |
| + return b |
| + |
| + |
| +def _encodePoint(point): |
| + x = point[0] |
| + y = point[1] |
| + if (y * y) % p != (x * x * x - 3 * x + p256B) % p: |
| + raise "point not on curve" |
| + return "\x04" + _zeroPad(_encodeBigEndian(point[0]), 32) + _zeroPad( |
| + _encodeBigEndian(point[1]), 32) |
| + |
| + |
| +def _decodePoint(b): |
| + if len(b) != 1 + 32 + 32 or ord(b[0]) != 4: |
| + raise "invalid encoded ec point" |
| + x = _decodeBigEndian(b[1:33]) |
| + y = _decodeBigEndian(b[33:65]) |
| + if (y * y) % p != (x * x * x - 3 * x + p256B) % p: |
| + raise "point not on curve" |
| + return (x, y) |
| + |
| + |
| +def generatePublicPrivate(): |
| + """generatePublicPrivate returns a tuple of (X9.62 encoded public point, |
| + private value), where the private value is generated from os.urandom.""" |
| + private = _decodeBigEndian(os.urandom(40)) % order |
| + return _encodePoint(_scalarBaseMult(private)), private |
| + |
| + |
| +def generateSharedValue(theirPublic, private): |
| + """generateSharedValue returns the encoded x-coordinate of the |
| + multiplication of a peer's X9.62 encoded point and a private value.""" |
| + return _zeroPad( |
| + _encodeBigEndian(_scalarMult(private, _decodePoint(theirPublic))[0]), |
| + 32) |
| + |
| +if __name__ == "__main__": |
| + alice, alicePrivate = generatePublicPrivate() |
| + bob, bobPrivate = generatePublicPrivate() |
| + |
| + if generateSharedValue(alice, bobPrivate) != generateSharedValue( |
| + bob, alicePrivate): |
| + raise "simple DH test failed" |
| + |
| + (x, _) = _scalarBaseMult(1) |
| + |
| + for i in range(1000): |
| + (x, _) = _scalarBaseMult(x) |
| + |
| + if x != 2428281965257598569040586318034812501729437946720808289049534492833635302706: |
| + raise "loop test failed" |