tls.py: add support for PHA

tomato42 · tomato42 · commit 4113029dae24 · 2019-11-26T18:56:14.000+01:00
diff --git a/scripts/tls.py b/scripts/tls.py
@@ -79,6 +79,7 @@ def printUsage(s=None):
     [-c CERT] [-k KEY] [-t TACK] [-v VERIFIERDB] [-d DIR] [-l LABEL] [-L LENGTH]
     [--reqcert] [--param DHFILE] [--psk PSK] [--psk-ident IDENTITY]
     [--psk-sha384] [--ssl3] [--max-ver VER] [--tickets COUNT] [--cipherlist]
+    [--request-pha]
     HOST:PORT
 
   client
@@ -159,6 +160,7 @@ def handleArgs(argv, argString, flagsList=[]):
     max_ver = None
     tickets = None
     ciphers = []
+    request_pha = False
 
     for opt, arg in opts:
         if opt == "-k":
@@ -232,6 +234,8 @@ def handleArgs(argv, argString, flagsList=[]):
             tickets = int(arg)
         elif opt == "--cipherlist":
             ciphers.append(arg)
+        elif opt == "--request-pha":
+            request_pha = True
         else:
             assert(False)
 
@@ -294,6 +298,8 @@ def handleArgs(argv, argString, flagsList=[]):
         retList.append(tickets)
     if "cipherlist=" in flagsList:
         retList.append(ciphers)
+    if "request-pha" in flagsList:
+        retList.append(request_pha)
     return retList
 
 
@@ -494,11 +500,11 @@ def serverCmd(argv):
     (address, privateKey, cert_chain, virtual_hosts, tacks, verifierDB,
             directory, reqCert,
             expLabel, expLength, dhparam, psk, psk_ident, psk_hash, ssl3,
-            max_ver, tickets, cipherlist) = \
+            max_ver, tickets, cipherlist, request_pha) = \
         handleArgs(argv, "kctbvdlL",
                    ["reqcert", "param=", "psk=",
                     "psk-ident=", "psk-sha384", "ssl3", "max-ver=",
-                    "tickets=", "cipherlist="])
+                    "tickets=", "cipherlist=", "request-pha"])
 
 
     if (cert_chain and not privateKey) or (not cert_chain and privateKey):
@@ -589,6 +595,13 @@ def handshake(self, connection):
                                               sni=sni)
                                               # As an example (does not work here):
                                               #nextProtos=[b"spdy/3", b"spdy/2", b"http/1.1"])
+                try:
+                    if request_pha:
+                        for i in connection.request_post_handshake_auth():
+                            pass
+                except ValueError:
+                    # if we can't do PHA, we can't do it
+                    pass
                 stop = time_stamp()
             except TLSRemoteAlert as a:
                 if a.description == AlertDescription.user_canceled:
