OLD | NEW |
1 """ | 1 """ |
2 MAIN CLASS FOR TLS LITE (START HERE!). | 2 MAIN CLASS FOR TLS LITE (START HERE!). |
3 """ | 3 """ |
4 from __future__ import generators | 4 from __future__ import generators |
5 | 5 |
6 import socket | 6 import socket |
7 from utils.compat import formatExceptionTrace | 7 from utils.compat import formatExceptionTrace |
8 from TLSRecordLayer import TLSRecordLayer | 8 from TLSRecordLayer import TLSRecordLayer |
9 from Session import Session | 9 from Session import Session |
10 from constants import * | 10 from constants import * |
(...skipping 913 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
924 yield result | 924 yield result |
925 | 925 |
926 #Mark the connection as open | 926 #Mark the connection as open |
927 self.session._setResumable(True) | 927 self.session._setResumable(True) |
928 self._handshakeDone(resumed=False) | 928 self._handshakeDone(resumed=False) |
929 | 929 |
930 | 930 |
931 | 931 |
932 def handshakeServer(self, sharedKeyDB=None, verifierDB=None, | 932 def handshakeServer(self, sharedKeyDB=None, verifierDB=None, |
933 certChain=None, privateKey=None, reqCert=False, | 933 certChain=None, privateKey=None, reqCert=False, |
934 sessionCache=None, settings=None, checker=None): | 934 sessionCache=None, settings=None, checker=None, |
| 935 reqCAs=None): |
935 """Perform a handshake in the role of server. | 936 """Perform a handshake in the role of server. |
936 | 937 |
937 This function performs an SSL or TLS handshake. Depending on | 938 This function performs an SSL or TLS handshake. Depending on |
938 the arguments and the behavior of the client, this function can | 939 the arguments and the behavior of the client, this function can |
939 perform a shared-key, SRP, or certificate-based handshake. It | 940 perform a shared-key, SRP, or certificate-based handshake. It |
940 can also perform a combined SRP and server-certificate | 941 can also perform a combined SRP and server-certificate |
941 handshake. | 942 handshake. |
942 | 943 |
943 Like any handshake function, this can be called on a closed | 944 Like any handshake function, this can be called on a closed |
944 TLS connection, or on a TLS connection that is already open. | 945 TLS connection, or on a TLS connection that is already open. |
(...skipping 45 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
990 | 991 |
991 @type settings: L{tlslite.HandshakeSettings.HandshakeSettings} | 992 @type settings: L{tlslite.HandshakeSettings.HandshakeSettings} |
992 @param settings: Various settings which can be used to control | 993 @param settings: Various settings which can be used to control |
993 the ciphersuites and SSL/TLS version chosen by the server. | 994 the ciphersuites and SSL/TLS version chosen by the server. |
994 | 995 |
995 @type checker: L{tlslite.Checker.Checker} | 996 @type checker: L{tlslite.Checker.Checker} |
996 @param checker: A Checker instance. This instance will be | 997 @param checker: A Checker instance. This instance will be |
997 invoked to examine the other party's authentication | 998 invoked to examine the other party's authentication |
998 credentials, if the handshake completes succesfully. | 999 credentials, if the handshake completes succesfully. |
999 | 1000 |
| 1001 @type reqCAs: list of L{array.array} of unsigned bytes |
| 1002 @param reqCAs: A collection of DER-encoded DistinguishedNames that |
| 1003 will be sent along with a certificate request. This does not affect |
| 1004 verification. |
| 1005 |
1000 @raise socket.error: If a socket error occurs. | 1006 @raise socket.error: If a socket error occurs. |
1001 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed | 1007 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed |
1002 without a preceding alert. | 1008 without a preceding alert. |
1003 @raise tlslite.errors.TLSAlert: If a TLS alert is signalled. | 1009 @raise tlslite.errors.TLSAlert: If a TLS alert is signalled. |
1004 @raise tlslite.errors.TLSAuthenticationError: If the checker | 1010 @raise tlslite.errors.TLSAuthenticationError: If the checker |
1005 doesn't like the other party's authentication credentials. | 1011 doesn't like the other party's authentication credentials. |
1006 """ | 1012 """ |
1007 for result in self.handshakeServerAsync(sharedKeyDB, verifierDB, | 1013 for result in self.handshakeServerAsync(sharedKeyDB, verifierDB, |
1008 certChain, privateKey, reqCert, sessionCache, settings, | 1014 certChain, privateKey, reqCert, sessionCache, settings, |
1009 checker): | 1015 checker, reqCAs): |
1010 pass | 1016 pass |
1011 | 1017 |
1012 | 1018 |
1013 def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None, | 1019 def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None, |
1014 certChain=None, privateKey=None, reqCert=False, | 1020 certChain=None, privateKey=None, reqCert=False, |
1015 sessionCache=None, settings=None, checker=None): | 1021 sessionCache=None, settings=None, checker=None, |
| 1022 reqCAs=None): |
1016 """Start a server handshake operation on the TLS connection. | 1023 """Start a server handshake operation on the TLS connection. |
1017 | 1024 |
1018 This function returns a generator which behaves similarly to | 1025 This function returns a generator which behaves similarly to |
1019 handshakeServer(). Successive invocations of the generator | 1026 handshakeServer(). Successive invocations of the generator |
1020 will return 0 if it is waiting to read from the socket, 1 if it is | 1027 will return 0 if it is waiting to read from the socket, 1 if it is |
1021 waiting to write to the socket, or it will raise StopIteration | 1028 waiting to write to the socket, or it will raise StopIteration |
1022 if the handshake operation is complete. | 1029 if the handshake operation is complete. |
1023 | 1030 |
1024 @rtype: iterable | 1031 @rtype: iterable |
1025 @return: A generator; see above for details. | 1032 @return: A generator; see above for details. |
1026 """ | 1033 """ |
1027 handshaker = self._handshakeServerAsyncHelper(\ | 1034 handshaker = self._handshakeServerAsyncHelper(\ |
1028 sharedKeyDB=sharedKeyDB, | 1035 sharedKeyDB=sharedKeyDB, |
1029 verifierDB=verifierDB, certChain=certChain, | 1036 verifierDB=verifierDB, certChain=certChain, |
1030 privateKey=privateKey, reqCert=reqCert, | 1037 privateKey=privateKey, reqCert=reqCert, |
1031 sessionCache=sessionCache, settings=settings) | 1038 sessionCache=sessionCache, settings=settings, |
| 1039 reqCAs=reqCAs) |
1032 for result in self._handshakeWrapperAsync(handshaker, checker): | 1040 for result in self._handshakeWrapperAsync(handshaker, checker): |
1033 yield result | 1041 yield result |
1034 | 1042 |
1035 | 1043 |
1036 def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB, | 1044 def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB, |
1037 certChain, privateKey, reqCert, sessionCache, | 1045 certChain, privateKey, reqCert, sessionCache, |
1038 settings): | 1046 settings, reqCAs): |
1039 | 1047 |
1040 self._handshakeStart(client=False) | 1048 self._handshakeStart(client=False) |
1041 | 1049 |
1042 if (not sharedKeyDB) and (not verifierDB) and (not certChain): | 1050 if (not sharedKeyDB) and (not verifierDB) and (not certChain): |
1043 raise ValueError("Caller passed no authentication credentials") | 1051 raise ValueError("Caller passed no authentication credentials") |
1044 if certChain and not privateKey: | 1052 if certChain and not privateKey: |
1045 raise ValueError("Caller passed a certChain but no privateKey") | 1053 raise ValueError("Caller passed a certChain but no privateKey") |
1046 if privateKey and not certChain: | 1054 if privateKey and not certChain: |
1047 raise ValueError("Caller passed a privateKey but no certChain") | 1055 raise ValueError("Caller passed a privateKey but no certChain") |
| 1056 if reqCAs and not reqCert: |
| 1057 raise ValueError("Caller passed reqCAs but not reqCert") |
1048 | 1058 |
1049 if not settings: | 1059 if not settings: |
1050 settings = HandshakeSettings() | 1060 settings = HandshakeSettings() |
1051 settings = settings._filter() | 1061 settings = settings._filter() |
1052 | 1062 |
1053 #Initialize acceptable cipher suites | 1063 #Initialize acceptable cipher suites |
1054 cipherSuites = [] | 1064 cipherSuites = [] |
1055 if verifierDB: | 1065 if verifierDB: |
1056 if certChain: | 1066 if certChain: |
1057 cipherSuites += \ | 1067 cipherSuites += \ |
(...skipping 315 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1373 #If we've selected an RSA suite, exchange keys and calculate | 1383 #If we've selected an RSA suite, exchange keys and calculate |
1374 #premaster secret: | 1384 #premaster secret: |
1375 elif cipherSuite in CipherSuite.rsaSuites: | 1385 elif cipherSuite in CipherSuite.rsaSuites: |
1376 | 1386 |
1377 #Send ServerHello, Certificate[, CertificateRequest], | 1387 #Send ServerHello, Certificate[, CertificateRequest], |
1378 #ServerHelloDone | 1388 #ServerHelloDone |
1379 msgs = [] | 1389 msgs = [] |
1380 msgs.append(ServerHello().create(self.version, serverRandom, | 1390 msgs.append(ServerHello().create(self.version, serverRandom, |
1381 sessionID, cipherSuite, certificateType)) | 1391 sessionID, cipherSuite, certificateType)) |
1382 msgs.append(Certificate(certificateType).create(serverCertChain)) | 1392 msgs.append(Certificate(certificateType).create(serverCertChain)) |
1383 if reqCert: | 1393 if reqCert and reqCAs: |
| 1394 msgs.append(CertificateRequest().create([], reqCAs)) |
| 1395 elif reqCert: |
1384 msgs.append(CertificateRequest()) | 1396 msgs.append(CertificateRequest()) |
1385 msgs.append(ServerHelloDone()) | 1397 msgs.append(ServerHelloDone()) |
1386 for result in self._sendMsgs(msgs): | 1398 for result in self._sendMsgs(msgs): |
1387 yield result | 1399 yield result |
1388 | 1400 |
1389 #From here on, the client's messages must have the right version | 1401 #From here on, the client's messages must have the right version |
1390 self._versionCheck = True | 1402 self._versionCheck = True |
1391 | 1403 |
1392 #Get [Certificate,] (if was requested) | 1404 #Get [Certificate,] (if was requested) |
1393 if reqCert: | 1405 if reqCert: |
(...skipping 197 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1591 if len(publicKey) < settings.minKeySize: | 1603 if len(publicKey) < settings.minKeySize: |
1592 for result in self._sendError(AlertDescription.handshake_failure, | 1604 for result in self._sendError(AlertDescription.handshake_failure, |
1593 "Other party's public key too small: %d" % len(publicKey)): | 1605 "Other party's public key too small: %d" % len(publicKey)): |
1594 yield result | 1606 yield result |
1595 if len(publicKey) > settings.maxKeySize: | 1607 if len(publicKey) > settings.maxKeySize: |
1596 for result in self._sendError(AlertDescription.handshake_failure, | 1608 for result in self._sendError(AlertDescription.handshake_failure, |
1597 "Other party's public key too large: %d" % len(publicKey)): | 1609 "Other party's public key too large: %d" % len(publicKey)): |
1598 yield result | 1610 yield result |
1599 | 1611 |
1600 yield publicKey, certChain | 1612 yield publicKey, certChain |
OLD | NEW |