| diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py |
| index e9743e4..82e8c07 100644 |
| --- a/third_party/tlslite/tlslite/constants.py |
| +++ b/third_party/tlslite/tlslite/constants.py |
| @@ -61,6 +61,7 @@ class ExtensionType: # RFC 6066 / 4366 |
| tack = 0xF300 |
| supports_npn = 13172 |
| channel_id = 30032 |
| + renegotiation_info = 0xFF01 # RFC 5746 |
| |
| class HashAlgorithm: |
| none = 0 |
| diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py |
| index 1ce9320..ac7e563 100644 |
| --- a/third_party/tlslite/tlslite/messages.py |
| +++ b/third_party/tlslite/tlslite/messages.py |
| @@ -140,6 +140,7 @@ class ClientHello(HandshakeMsg): |
| self.tb_client_params = [] |
| self.support_signed_cert_timestamps = False |
| self.status_request = False |
| + self.ri = False |
| |
| def create(self, version, random, session_id, cipher_suites, |
| certificate_types=None, srpUsername=None, |
| @@ -244,12 +245,20 @@ class ClientHello(HandshakeMsg): |
| # request_extensions in the OCSP request. |
| p.getFixBytes(extLength) |
| self.status_request = True |
| + elif extType == ExtensionType.renegotiation_info: |
| + # We don't support renegotiation, so if we receive this |
| + # extension, it should contain a single null byte. |
| + if extLength != 1 or p.getFixBytes(extLength)[0] != 0: |
| + raise SyntaxError() |
| + self.ri = True |
| else: |
| _ = p.getFixBytes(extLength) |
| index2 = p.index |
| if index2 - index1 != extLength: |
| raise SyntaxError("Bad length for extension_data") |
| soFar += 4 + extLength |
| + if CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV in self.cipher_suites: |
| + self.ri = True |
| p.stopLengthCheck() |
| return self |
| |
| @@ -327,6 +336,7 @@ class ServerHello(HandshakeMsg): |
| self.tb_params = None |
| self.signed_cert_timestamps = None |
| self.status_request = False |
| + self.send_ri = False |
| |
| def create(self, version, random, session_id, cipher_suite, |
| certificate_type, tackExt, alpn_proto_selected, |
| @@ -432,6 +442,10 @@ class ServerHello(HandshakeMsg): |
| if self.status_request: |
| w2.add(ExtensionType.status_request, 2) |
| w2.add(0, 2) |
| + if self.send_ri: |
| + w2.add(ExtensionType.renegotiation_info, 2) |
| + w2.add(1, 2) |
| + w2.add(0, 1) |
| if len(w2.bytes): |
| w.add(len(w2.bytes), 2) |
| w.bytes += w2.bytes |
| diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py |
| index de5d580..8ba1c6e 100644 |
| --- a/third_party/tlslite/tlslite/tlsconnection.py |
| +++ b/third_party/tlslite/tlslite/tlsconnection.py |
| @@ -1370,6 +1370,8 @@ class TLSConnection(TLSRecordLayer): |
| serverHello.signed_cert_timestamps = signedCertTimestamps |
| if clientHello.status_request: |
| serverHello.status_request = ocspResponse |
| + if clientHello.ri: |
| + serverHello.send_ri = True |
| |
| # Perform the SRP key exchange |
| clientCertChain = None |
| @@ -1583,6 +1585,8 @@ class TLSConnection(TLSRecordLayer): |
| if param in settings.supportedTokenBindingParams: |
| serverHello.tb_params = param |
| break |
| + if clientHello.ri: |
| + serverHello.send_ri = True |
| for result in self._sendMsg(serverHello): |
| yield result |
| |