changes in point extension format

.github/workflows/ci.yml

@@ -433,7 +433,13 @@ jobs:
           COVERALLS_FLAG_NAME: ${{ matrix.name }}
           COVERALLS_PARALLEL: true
           COVERALLS_SERVICE_NAME: github
-        run: coveralls
+          PY_VERSION: ${{ matrix.python-version }}
+        run: |
+          if [[ $PY_VERSION == "2.6" ]]; then
+            COVERALLS_SKIP_SSL_VERIFY=1 coveralls
+          else
+            coveralls
+          fi
       - name: Publish coverage to Codeclimate
         if: ${{ contains(matrix.opt-deps, 'codeclimate') }}
         env:

.gitignore

@@ -9,4 +9,4 @@ coverage.xml
 pylint_report.txt
 build/
 docs/_build/
-htmlcov/
+htmlcov/

scripts/tls.py

@@ -367,6 +367,7 @@ def printGoodConnection(connection, seconds):
     print("  Extended Master Secret: {0}".format(
                                                connection.extendedMasterSecret))
     print("  Session Resumed: {0}".format(connection.resumed))
+    print("  Session used ec point format extension: {0}".format(connection.session.ec_point_format))
 
 def printExporter(connection, expLabel, expLength):
     if expLabel is None:
@@ -415,6 +416,8 @@ def clientCmd(argv):
     if cipherlist:
         settings.cipherNames = [item for cipher in cipherlist
                                 for item in cipher.split(',')]
+    # CHANGED
+    settings.ec_point_formats = []
     try:
         start = time_stamp()
         if username and password:
@@ -424,7 +427,7 @@ def clientCmd(argv):
             connection.handshakeClientCert(cert_chain, privateKey,
                 settings=settings, serverName=address[0], alpn=alpn)
         stop = time_stamp()
-        print("Handshake success")        
+        print("Handshake success")
     except TLSLocalAlert as a:
         if a.description == AlertDescription.user_canceled:
             print(str(a))
@@ -567,6 +570,9 @@ def serverCmd(argv):
     if cipherlist:
         settings.cipherNames = [item for cipher in cipherlist
                                 for item in cipher.split(',')]
+    # CHANGED
+
+    settings.ec_point_formats = [2, 0]
 
     class MySimpleEchoHandler(BaseRequestHandler):
         def handle(self):

tests/tlstest.py

@@ -44,7 +44,7 @@
     from xmlrpc import client as xmlrpclib
 import ssl
 from tlslite import *
-from tlslite.constants import KeyUpdateMessageType
+from tlslite.constants import KeyUpdateMessageType, ECPointFormat
 
 try:
     from tack.structures.Tack import Tack
@@ -286,6 +286,34 @@ def connect():
 
     test_no += 1
 
+    print("Test {0} - client compressed/uncompressed - uncompressed, TLSv1.2".format(test_no))
+    synchro.recv(1)
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 3)
+    settings.maxVersion = (3, 3)
+    settings.eccCurves = ["secp256r1", "secp384r1", "secp521r1", "x25519", "x448"]
+    connection.handshakeClientCert(settings=settings)
+    testConnClient(connection)
+    assert connection.session.ec_point_format == ECPointFormat.uncompressed
+    connection.close()
+
+    test_no += 1
+
+    print("Test {0} - client compressed - compressed, TLSv1.2".format(test_no))
+    synchro.recv(1)
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 3)
+    settings.maxVersion = (3, 3)
+    settings.eccCurves = ["secp256r1", "secp384r1", "secp521r1", "x25519", "x448"]
+    connection.handshakeClientCert(settings=settings)
+    testConnClient(connection)
+    assert connection.session.ec_point_format == ECPointFormat.ansiX962_compressed_char2
+    connection.close()
+
+    test_no += 1
+
     print("Test {0} - mismatched ECDSA curve, TLSv1.2".format(test_no))
     synchro.recv(1)
     connection = connect()
@@ -2162,6 +2190,37 @@ def connect():
 
     test_no += 1
 
+    print("Test {0} server uncompressed ec format - uncompressed, TLSv1.2".format(test_no))
+    synchro.send(b'R')
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 1)
+    settings.maxVersion = (3, 3)
+    settings.eccCurves = ["secp256r1", "secp384r1", "secp521r1", "x25519", "x448"]
+    settings.ec_point_formats = [ECPointFormat.uncompressed]
+    connection.handshakeServer(certChain=x509ecdsaChain,
+                            privateKey=x509ecdsaKey, settings=settings)
+    testConnServer(connection)
+    assert connection.session.ec_point_format == ECPointFormat.uncompressed
+    connection.close()
+
+    test_no += 1
+
+    print("Test {0} server compressed ec format - compressed, TLSv1.2".format(test_no))
+    synchro.send(b'R')
+    connection = connect()
+    settings = HandshakeSettings()
+    settings.minVersion = (3, 1)
+    settings.maxVersion = (3, 3)
+    settings.eccCurves = ["secp256r1", "secp384r1", "secp521r1", "x25519", "x448"]
+    connection.handshakeServer(certChain=x509ecdsaChain,
+                            privateKey=x509ecdsaKey, settings=settings)
+    testConnServer(connection)
+    assert connection.session.ec_point_format == ECPointFormat.ansiX962_compressed_char2
+    connection.close()
+
+    test_no +=1
+
     print("Test {0} - mismatched ECDSA curve, TLSv1.2".format(test_no))
     synchro.send(b'R')
     connection = connect()
@@ -3416,7 +3475,7 @@ def heartbeat_response_check(message):
     assert synchro.recv(1) == b'R'
     connection.close()
 
-    test_no += 1
+    test_no +=1
 
     print("Tests {0}-{1} - XMLRPXC server".format(test_no, test_no + 2))
 
@@ -3449,6 +3508,7 @@ def add(self, x, y): return x + y
 
     synchro.close()
     synchroSocket.close()
+
     test_no += 2
 
     print("Test succeeded")

tlslite/handshakesettings.py

@@ -7,7 +7,7 @@
 
 """Class for setting handshake parameters."""
 
-from .constants import CertificateType
+from .constants import CertificateType, ECPointFormat
 from .utils import cryptomath
 from .utils import cipherfactory
 from .utils.compat import ecdsaAllCurves, int_types
@@ -61,6 +61,9 @@
 TICKET_CIPHERS = ["chacha20-poly1305", "aes256gcm", "aes128gcm", "aes128ccm",
                   "aes128ccm_8", "aes256ccm", "aes256ccm_8"]
 PSK_MODES = ["psk_dhe_ke", "psk_ke"]
+EC_POINT_FORMATS = [ECPointFormat.ansiX962_compressed_char2,
+                    ECPointFormat.ansiX962_compressed_prime,
+                    ECPointFormat.uncompressed]
 
 
 class Keypair(object):
@@ -353,6 +356,10 @@ class HandshakeSettings(object):
     :vartype keyExchangeNames: list
     :ivar keyExchangeNames: Enabled key exchange types for the connection,
         influences selected cipher suites.
+
+    :vartype ec_point_formats: list
+    :ivat ec_point_formats: Enabeled point format extension for
+     elliptic curves.
     """
 
     def _init_key_settings(self):
@@ -396,6 +403,7 @@ def _init_misc_extensions(self):
         # resumed connections (as tickets are single-use in TLS 1.3
         self.ticket_count = 2
         self.record_size_limit = 2**14 + 1  # TLS 1.3 includes content type
+        self.ec_point_formats = list(EC_POINT_FORMATS)
 
     def __init__(self):
         """Initialise default values for settings."""
@@ -598,6 +606,12 @@ def _sanityCheckExtensions(other):
         if other.record_size_limit is not None and \
                 not 64 <= other.record_size_limit <= 2**14 + 1:
             raise ValueError("record_size_limit cannot exceed 2**14+1 bytes")
+
+        bad_ec_ext = [i for i in other.ec_point_formats if
+                      i not in EC_POINT_FORMATS]
+        if bad_ec_ext:
+            raise ValueError("Unknown ec point format extension: "
+                             "{0}".format(bad_ec_ext))
 
         HandshakeSettings._sanityCheckEMSExtension(other)
 
@@ -667,6 +681,7 @@ def _copy_extension_settings(self, other):
         other.sendFallbackSCSV = self.sendFallbackSCSV
         other.useEncryptThenMAC = self.useEncryptThenMAC
         other.usePaddingExtension = self.usePaddingExtension
+        other.ec_point_formats = self.ec_point_formats
         # session tickets
         other.padding_cb = self.padding_cb
         other.ticketKeys = self.ticketKeys