Support for compressed_certificate extension

Added support in client and server for the TLS Certificate Compression
as described in https://www.rfc-editor.org/rfc/rfc8879.html

Author: GeorgePantelakis

.github/workflows/ci.yml

@@ -149,42 +149,77 @@ jobs:
             os: ubuntu-latest
             python-version: '3.12'
             opt-deps: ['gmpy2']
+          - name: py2.7 with brotli
+            os: ubuntu-20.04
+            python-version: 2.7
+            # zstandard is available for py3.8 and above
+            opt-deps: ['brotli']
+          - name: py3.6 with brotli
+            os: ubuntu-20.04
+            python-version: 3.6
+            # zstandard is available for py3.8 and above
+            opt-deps: ['brotli']
+          - name: py3.7 with brotli
+            os: ubuntu-latest
+            python-version: 3.7
+            # zstandard is available for py3.8 and above
+            opt-deps: ['brotli']
+          - name: py3.8 with brotli and zstandard
+            os: ubuntu-latest
+            python-version: 3.8
+            opt-deps: ['brotli', 'zstd']
+          - name: py3.9 with brotli and zstandard
+            os: ubuntu-latest
+            python-version: 3.9
+            opt-deps: ['brotli', 'zstd']
+          - name: py3.10 with brotli and zstandard
+            os: ubuntu-latest
+            python-version: '3.10'
+            opt-deps: ['brotli', 'zstd']
+          - name: py3.11 with brotli and zstandard
+            os: ubuntu-latest
+            python-version: '3.11'
+            opt-deps: ['brotli', 'zstd']
+          - name: py3.12with brotli and zstandard
+            os: ubuntu-latest
+            python-version: '3.12'
+            opt-deps: ['brotli', 'zstd']
           # finally test with multiple dependencies installed at the same time
-          - name: py2.7 with m2crypto, pycrypto, gmpy, and gmpy2
+          - name: py2.7 with m2crypto, pycrypto, gmpy, gmpy2, and brotli
             os: ubuntu-20.04
             python-version: 2.7
-            opt-deps: ['m2crypto', 'pycrypto', 'gmpy', 'gmpy2']
-          - name: py3.6 with m2crypto, pycrypto, gmpy, and gmpy2
+            opt-deps: ['m2crypto', 'pycrypto', 'gmpy', 'gmpy2', 'brotli']
+          - name: py3.6 with m2crypto, pycrypto, gmpy,  gmpy2, and brotli
             os: ubuntu-20.04
             python-version: 3.6
-            opt-deps: ['m2crypto', 'pycrypto', 'gmpy', 'gmpy2']
-          - name: py3.7 with m2crypto, gmpy, and gmpy2
+            opt-deps: ['m2crypto', 'pycrypto', 'gmpy', 'gmpy2', 'brotli']
+          - name: py3.7 with m2crypto, gmpy, gmpy2, and brotli
             os: ubuntu-latest
             python-version: 3.7
-            opt-deps: ['m2crypto', 'gmpy', 'gmpy2']
-          - name: py3.8 with m2crypto, gmpy, and gmpy2
+            opt-deps: ['m2crypto', 'gmpy', 'gmpy2', 'brotli']
+          - name: py3.8 with m2crypto, gmpy, gmpy2, and brotli
             os: ubuntu-latest
             python-version: 3.8
-            opt-deps: ['m2crypto', 'gmpy', 'gmpy2']
-          - name: py3.9 with m2crypto, gmpy, and gmpy2
+            opt-deps: ['m2crypto', 'gmpy', 'gmpy2', 'brotli', 'zstd']
+          - name: py3.9 with m2crypto, gmpy, gmpy2, brotli, and zstandard
             os: ubuntu-latest
             python-version: 3.9
-            opt-deps: ['m2crypto', 'gmpy', 'gmpy2']
-          - name: py3.10 with m2crypto, gmpy, and gmpy2
+            opt-deps: ['m2crypto', 'gmpy', 'gmpy2', 'brotli', 'zstd']
+          - name: py3.10 with m2crypto, gmpy, gmpy2, brotli, and zstandard
             os: ubuntu-latest
             python-version: '3.10'
-            opt-deps: ['m2crypto', 'gmpy', 'gmpy2']
-          - name: py3.11 with m2crypto, gmpy, and gmpy2
+            opt-deps: ['m2crypto', 'gmpy', 'gmpy2', 'brotli', 'zstd']
+          - name: py3.11 with m2crypto, gmpy, gmpy2, brotli, and zstandard
             os: ubuntu-latest
             python-version: '3.11'
             # gmpy doesn't build with 3.11
-            opt-deps: ['m2crypto', 'gmpy2']
-          - name: py3.12 with m2crypto, gmpy, and gmpy2
+            opt-deps: ['m2crypto', 'gmpy2', 'brotli', 'zstd']
+          - name: py3.12 with m2crypto, gmpy, gmpy2, brotli, and zstandard
             os: ubuntu-latest
             python-version: '3.12'
             # gmpy doesn't build with 3.12
             # coverage to codeclimate can be submitted just once
-            opt-deps: ['m2crypto', 'gmpy2', 'codeclimate']
+            opt-deps: ['m2crypto', 'gmpy2', 'codeclimate', 'brotli', 'zstd']
     steps:
       - uses: actions/checkout@v2
         if: ${{ !matrix.container }}
@@ -300,6 +335,17 @@ jobs:
         if: ${{ contains(matrix.opt-deps, 'gmpy2') && matrix.python-version == '3.12' }}
         # for py3.12 we need pre-release version: https://github.com/aleaxit/gmpy/issues/446
         run: pip install --pre gmpy2
+      - name: Install brotli for Python 2
+        if: ${{ contains(matrix.opt-deps, 'brotli') && matrix.python-version == '2.7' }}
+        # using 1.0.9 for Python 2 because latest is not compatible
+        # https://github.com/google/brotli/issues/1074
+        run: pip install brotli==1.0.9
+      - name: Install brotli
+        if: ${{ contains(matrix.opt-deps, 'brotli') && matrix.python-version != '2.7' }}
+        run: pip install brotli
+      - name: Install zstandard for py3.8 and after
+        if: ${{ contains(matrix.opt-deps, 'zstd') }}
+        run: pip install zstandard
       - name: Install build dependencies (2.6)
         if: ${{ matrix.python-version == '2.6' }}
         run: |
@@ -310,7 +356,7 @@ jobs:
           wget https://files.pythonhosted.org/packages/72/20/7f0f433060a962200b7272b8c12ba90ef5b903e218174301d0abfd523813/unittest2-1.1.0-py2.py3-none-any.whl
           wget https://files.pythonhosted.org/packages/85/d5/818d0e603685c4a613d56f065a721013e942088047ff1027a632948bdae6/coverage-4.5.4.tar.gz
           wget https://files.pythonhosted.org/packages/a8/5a/5cf074e1c6681dcbb4e640113f58bed16955e7da9a6c8090b518031775e7/hypothesis-2.0.0.tar.gz
-          wget https://files.pythonhosted.org/packages/f8/86/410d53faff049641f34951843245d168261512aea787a1f9f05c3fa025a0/pylint-1.7.6-py2.py3-none-any.whl 
+          wget https://files.pythonhosted.org/packages/f8/86/410d53faff049641f34951843245d168261512aea787a1f9f05c3fa025a0/pylint-1.7.6-py2.py3-none-any.whl
           wget https://files.pythonhosted.org/packages/81/a6/d076eeb83f383ac7a25e030709abebc6781bcf930d67316be6d47641637e/diff_cover-4.0.0-py2.py3-none-any.whl
           wget https://files.pythonhosted.org/packages/8c/2d/aad7f16146f4197a11f8e91fb81df177adcc2073d36a17b1491fd09df6ed/pycparser-2.18.tar.gz
           wget https://files.pythonhosted.org/packages/4b/2a/0276479a4b3caeb8a8c1af2f8e4355746a97fab05a372e4a2c6a6b876165/idna-2.7-py2.py3-none-any.whl
@@ -336,7 +382,7 @@ jobs:
           wget https://files.pythonhosted.org/packages/c2/f8/49697181b1651d8347d24c095ce46c7346c37335ddc7d255833e7cde674d/ipaddress-1.0.23-py2.py3-none-any.whl
           wget https://files.pythonhosted.org/packages/c7/a3/c5da2a44c85bfbb6eebcfc1dde24933f8704441b98fdde6528f4831757a6/linecache2-1.0.0-py2.py3-none-any.whl
           wget https://files.pythonhosted.org/packages/bc/a9/01ffebfb562e4274b6487b4bb1ddec7ca55ec7510b22e4c51f14098443b8/chardet-3.0.4-py2.py3-none-any.whl
-          wget https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl 
+          wget https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl
           wget https://files.pythonhosted.org/packages/5e/a0/5f06e1e1d463903cf0c0eebeb751791119ed7a4b3737fdc9a77f1cdfb51f/certifi-2020.12.5-py2.py3-none-any.whl
           wget https://files.pythonhosted.org/packages/8d/08/00aab975c99d156aec2d47e9e7a947ac3af3efab5065f666c8b157acc7a8/lazy_object_proxy-1.3.1-cp26-cp26mu-manylinux1_x86_64.whl
           wget https://files.pythonhosted.org/packages/82/f7/e43cefbe88c5fd371f4cf0cf5eb3feccd07515af9fd6cf7dbf1d1793a797/wrapt-1.12.1.tar.gz

LICENSE

@@ -3,7 +3,7 @@ TLS Lite includes code from different sources. All code is either dedicated to
 the public domain by its authors, available under a BSD-style license or
 available under GNU LGPL v2 license. In particular:
 
-- 
+-
 
 Code written by Trevor Perrin, Kees Bos, Sam Rushing, Dimitris Moraitis,
 Marcelo Fernandez, Martin von Loewis, Dave Baggett, Yngve Pettersen, and
@@ -38,7 +38,7 @@ its author. See rijndael.py for details.
 
 Code written by Google is available under the following terms:
 
-Copyright (c) 2008, The Chromium Authors 
+Copyright (c) 2008, The Chromium Authors
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
@@ -68,6 +68,29 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 -
 
+Code written by Sidney Markowitz is available under the following terms:
+Copyright (c) 2021 by Sidney Markowitz.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+-
+
 Code written by Hubert Kario is available under the following terms:
 
 Copyright (c) 2014, Hubert Kario, Red Hat Inc.

Makefile

@@ -1,4 +1,4 @@
-# Authors: 
+# Authors:
 #   Trevor Perrin
 #   Hubert Kario - test and test-dev
 #

README.md

@@ -81,7 +81,7 @@ Hubert Kario. TLS Lite was written (mostly) by Trevor
 Perrin. It includes code from Bram Cohen, Google, Kees Bos, Sam Rushing,
 Dimitris Moraitis, Marcelo Fernandez, Martin von Loewis, Dave Baggett, Yngve
 N. Pettersen (ported by Paul Sokolovsky), Mirko Dziadzka, David Benjamin,
-and Hubert Kario.
+Sidney Markowitz, and Hubert Kario.
 
 Original code in TLS Lite has either been dedicated to the public domain by its
 authors, or placed under a BSD-style license. See the LICENSE file for

scripts/tls.py

@@ -1,6 +1,6 @@
 #!/usr/bin/env python
 
-# Authors: 
+# Authors:
 #   Trevor Perrin
 #   Marcelo Fernandez - bugfix and NPN support
 #   Martin von Loewis - python 3 port
@@ -38,6 +38,7 @@
 from tlslite.utils.dns_utils import is_valid_hostname
 from tlslite.utils.cryptomath import getRandomBytes
 from tlslite.constants import KeyUpdateMessageType
+from tlslite.utils.compression import compression_algo_impls
 
 try:
     from tack.structures.Tack import Tack
@@ -58,7 +59,7 @@ def printUsage(s=None):
     if tackpyLoaded:
         print("  tackpy      : Loaded")
     else:
-        print("  tackpy      : Not Loaded")            
+        print("  tackpy      : Not Loaded")
     if m2cryptoLoaded:
         print("  M2Crypto    : Loaded")
     else:
@@ -76,10 +77,30 @@ def printUsage(s=None):
     else:
         print("  GMPY2       : Not Loaded")
 
+    print("")
+    print("Certificate compression algorithms:")
+    print("  zlib compress      : Loaded")
+    print("  zlib decompress    : Loaded")
+    print("  brotli compress    : {0}".format(
+        "Loaded" if compression_algo_impls["brotli_compress"]
+        else "Not Loaded"
+    ))
+    print("  brotli decompress  : {0}".format(
+        "Loaded" if compression_algo_impls["brotli_decompress"]
+        else "Not Loaded"
+    ))
+    print("  zstd decompress    : {0}".format(
+        "Loaded" if compression_algo_impls["zstd_compress"]
+        else "Not Loaded"
+    ))
+    print("  zstd decompress    : {0}".format(
+        "Loaded" if compression_algo_impls["zstd_decompress"]
+        else "Not Loaded"
+    ))
     print("")
     print("""Commands:
 
-  server  
+  server
     [-c CERT] [-k KEY] [-t TACK] [-v VERIFIERDB] [-d DIR] [-l LABEL] [-L LENGTH]
     [--reqcert] [--param DHFILE] [--psk PSK] [--psk-ident IDENTITY]
     [--psk-sha384] [--ssl3] [--max-ver VER] [--tickets COUNT] [--cipherlist]
@@ -144,8 +165,8 @@ def handleArgs(argv, argString, flagsList=[]):
     try:
         opts, argv = getopt.getopt(argv, getOptArgString, flagsList)
     except getopt.GetoptError as e:
-        printError(e) 
-    # Default values if arg not present  
+        printError(e)
+    # Default values if arg not present
     privateKey = None
     cert_chain = None
     virtual_hosts = []
@@ -367,6 +388,12 @@ def printGoodConnection(connection, seconds):
     print("  Extended Master Secret: {0}".format(
                                                connection.extendedMasterSecret))
     print("  Session Resumed: {0}".format(connection.resumed))
+    if connection.client_cert_compression_algo:
+        print("  Client compression algorithm used: {0}".format(
+            connection.client_cert_compression_algo))
+    if connection.server_cert_compression_algo:
+        print("  Server compression algorithm used: {0}".format(
+            connection.server_cert_compression_algo))
 
 def printExporter(connection, expLabel, expLength):
     if expLabel is None:
@@ -378,7 +405,7 @@ def printExporter(connection, expLabel, expLength):
     print("  Exporter length: {0}".format(expLength))
     print("  Keying material: {0}".format(exp))
 
-    
+
 def clientCmd(argv):
     (address, privateKey, cert_chain, virtual_hosts, username, password,
             expLabel,
@@ -387,7 +414,7 @@ def clientCmd(argv):
         handleArgs(argv, "kcuplLa", ["psk=", "psk-ident=", "psk-sha384",
                                      "resumption", "ssl3", "max-ver=",
                                      "cipherlist="])
-        
+
     if (cert_chain and not privateKey) or (not cert_chain and privateKey):
         raise SyntaxError("Must specify CERT and KEY together")
     if (username and not password) or (not username and password):
@@ -403,7 +430,7 @@ def clientCmd(argv):
     sock.connect(address)
     sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
     connection = TLSConnection(sock)
-    
+
     settings = HandshakeSettings()
     if psk:
         settings.pskConfigs = [(psk_ident, psk, psk_hash)]
@@ -418,13 +445,13 @@ def clientCmd(argv):
     try:
         start = time_stamp()
         if username and password:
-            connection.handshakeClientSRP(username, password, 
+            connection.handshakeClientSRP(username, password,
                 settings=settings, serverName=address[0])
         else:
             connection.handshakeClientCert(cert_chain, privateKey,
                 settings=settings, serverName=address[0], alpn=alpn)
         stop = time_stamp()
-        print("Handshake success")        
+        print("Handshake success")
     except TLSLocalAlert as a:
         if a.description == AlertDescription.user_canceled:
             print(str(a))
@@ -544,7 +571,7 @@ def serverCmd(argv):
         print("Using Tacks...")
     if reqCert:
         print("Asking for client certificates...")
-        
+
     #############
     sessionCache = SessionCache()
     username = None