OLD | NEW |
1 # Authors: | 1 # Authors: |
2 # Trevor Perrin | 2 # Trevor Perrin |
3 # Google - defining ClientCertificateType | 3 # Google - defining ClientCertificateType |
4 # Google (adapted by Sam Rushing) - NPN support | 4 # Google (adapted by Sam Rushing) - NPN support |
5 # Dimitris Moraitis - Anon ciphersuites | 5 # Dimitris Moraitis - Anon ciphersuites |
6 # Dave Baggett (Arcode Corporation) - canonicalCipherName | 6 # Dave Baggett (Arcode Corporation) - canonicalCipherName |
7 # Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2 | 7 # Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2 |
8 # | 8 # |
9 # See the LICENSE file for legal information regarding use of this file. | 9 # See the LICENSE file for legal information regarding use of this file. |
10 | 10 |
(...skipping 58 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
69 | 69 |
70 class SignatureAlgorithm: | 70 class SignatureAlgorithm: |
71 anonymous = 0 | 71 anonymous = 0 |
72 rsa = 1 | 72 rsa = 1 |
73 dsa = 2 | 73 dsa = 2 |
74 ecdsa = 3 | 74 ecdsa = 3 |
75 | 75 |
76 class NameType: | 76 class NameType: |
77 host_name = 0 | 77 host_name = 0 |
78 | 78 |
| 79 class ECCurveType: |
| 80 explicit_prime = 1 |
| 81 explicit_char2 = 2 |
| 82 named_curve = 3 |
| 83 |
| 84 class NamedCurve: |
| 85 secp256r1 = 23 |
| 86 |
79 class AlertLevel: | 87 class AlertLevel: |
80 warning = 1 | 88 warning = 1 |
81 fatal = 2 | 89 fatal = 2 |
82 | 90 |
83 class AlertDescription: | 91 class AlertDescription: |
84 """ | 92 """ |
85 @cvar bad_record_mac: A TLS record failed to decrypt properly. | 93 @cvar bad_record_mac: A TLS record failed to decrypt properly. |
86 | 94 |
87 If this occurs during a SRP handshake it most likely | 95 If this occurs during a SRP handshake it most likely |
88 indicates a bad password. It may also indicate an implementation | 96 indicates a bad password. It may also indicate an implementation |
(...skipping 82 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
171 | 179 |
172 TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C | 180 TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C |
173 TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D | 181 TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D |
174 | 182 |
175 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067 | 183 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067 |
176 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B | 184 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B |
177 | 185 |
178 TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C | 186 TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C |
179 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E | 187 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E |
180 | 188 |
| 189 TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xc011 |
| 190 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xc012 |
| 191 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xc013 |
| 192 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xc014 |
| 193 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xc027 |
| 194 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xc02f |
| 195 |
181 tripleDESSuites = [] | 196 tripleDESSuites = [] |
182 tripleDESSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) | 197 tripleDESSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) |
183 tripleDESSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) | 198 tripleDESSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) |
184 tripleDESSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) | 199 tripleDESSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) |
185 tripleDESSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) | 200 tripleDESSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) |
| 201 tripleDESSuites.append(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA) |
186 | 202 |
187 aes128Suites = [] | 203 aes128Suites = [] |
188 aes128Suites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) | 204 aes128Suites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) |
189 aes128Suites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) | 205 aes128Suites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) |
190 aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA) | 206 aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA) |
191 aes128Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA) | 207 aes128Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA) |
192 aes128Suites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) | 208 aes128Suites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) |
193 aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256) | 209 aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256) |
194 aes128Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256) | 210 aes128Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256) |
| 211 aes128Suites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) |
| 212 aes128Suites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) |
195 | 213 |
196 aes256Suites = [] | 214 aes256Suites = [] |
197 aes256Suites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) | 215 aes256Suites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) |
198 aes256Suites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) | 216 aes256Suites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) |
199 aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA) | 217 aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA) |
200 aes256Suites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) | 218 aes256Suites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) |
201 aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) | 219 aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) |
202 aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256) | 220 aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256) |
203 aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256) | 221 aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256) |
| 222 aes256Suites.append(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) |
204 | 223 |
205 aes128GcmSuites = [] | 224 aes128GcmSuites = [] |
206 aes128GcmSuites.append(TLS_RSA_WITH_AES_128_GCM_SHA256) | 225 aes128GcmSuites.append(TLS_RSA_WITH_AES_128_GCM_SHA256) |
207 aes128GcmSuites.append(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) | 226 aes128GcmSuites.append(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) |
| 227 aes128GcmSuites.append(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) |
208 | 228 |
209 rc4Suites = [] | 229 rc4Suites = [] |
210 rc4Suites.append(TLS_RSA_WITH_RC4_128_SHA) | 230 rc4Suites.append(TLS_RSA_WITH_RC4_128_SHA) |
211 rc4Suites.append(TLS_RSA_WITH_RC4_128_MD5) | 231 rc4Suites.append(TLS_RSA_WITH_RC4_128_MD5) |
| 232 rc4Suites.append(TLS_ECDHE_RSA_WITH_RC4_128_SHA) |
212 | 233 |
213 shaSuites = [] | 234 shaSuites = [] |
214 shaSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) | 235 shaSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) |
215 shaSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) | 236 shaSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) |
216 shaSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) | 237 shaSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) |
217 shaSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) | 238 shaSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) |
218 shaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) | 239 shaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) |
219 shaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) | 240 shaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) |
220 shaSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) | 241 shaSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) |
221 shaSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA) | 242 shaSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA) |
222 shaSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA) | 243 shaSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA) |
223 shaSuites.append(TLS_RSA_WITH_RC4_128_SHA) | 244 shaSuites.append(TLS_RSA_WITH_RC4_128_SHA) |
224 shaSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) | 245 shaSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) |
225 shaSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA) | 246 shaSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA) |
226 shaSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) | 247 shaSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) |
227 shaSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) | 248 shaSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) |
228 shaSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) | 249 shaSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) |
| 250 shaSuites.append(TLS_ECDHE_RSA_WITH_RC4_128_SHA) |
| 251 shaSuites.append(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA) |
| 252 shaSuites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) |
| 253 shaSuites.append(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) |
229 | 254 |
230 sha256Suites = [] | 255 sha256Suites = [] |
231 sha256Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256) | 256 sha256Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256) |
232 sha256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256) | 257 sha256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256) |
233 sha256Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256) | 258 sha256Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256) |
234 sha256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256) | 259 sha256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256) |
235 sha256Suites.append(TLS_RSA_WITH_AES_128_GCM_SHA256) | 260 sha256Suites.append(TLS_RSA_WITH_AES_128_GCM_SHA256) |
236 sha256Suites.append(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) | 261 sha256Suites.append(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) |
| 262 sha256Suites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) |
| 263 sha256Suites.append(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) |
| 264 |
237 | 265 |
238 aeadSuites = aes128GcmSuites | 266 aeadSuites = aes128GcmSuites |
239 | 267 |
240 | 268 |
241 md5Suites = [] | 269 md5Suites = [] |
242 md5Suites.append(TLS_RSA_WITH_RC4_128_MD5) | 270 md5Suites.append(TLS_RSA_WITH_RC4_128_MD5) |
243 | 271 |
244 @staticmethod | 272 @staticmethod |
245 def _filterSuites(suites, settings, version=None): | 273 def _filterSuites(suites, settings, version=None): |
246 if version is None: | 274 if version is None: |
(...skipping 21 matching lines...) Expand all Loading... |
268 if "3des" in cipherNames: | 296 if "3des" in cipherNames: |
269 cipherSuites += CipherSuite.tripleDESSuites | 297 cipherSuites += CipherSuite.tripleDESSuites |
270 if "rc4" in cipherNames: | 298 if "rc4" in cipherNames: |
271 cipherSuites += CipherSuite.rc4Suites | 299 cipherSuites += CipherSuite.rc4Suites |
272 | 300 |
273 keyExchangeSuites = [] | 301 keyExchangeSuites = [] |
274 if "rsa" in keyExchangeNames: | 302 if "rsa" in keyExchangeNames: |
275 keyExchangeSuites += CipherSuite.certSuites | 303 keyExchangeSuites += CipherSuite.certSuites |
276 if "dhe_rsa" in keyExchangeNames: | 304 if "dhe_rsa" in keyExchangeNames: |
277 keyExchangeSuites += CipherSuite.dheCertSuites | 305 keyExchangeSuites += CipherSuite.dheCertSuites |
| 306 if "ecdhe_rsa" in keyExchangeNames: |
| 307 keyExchangeSuites += CipherSuite.ecdheCertSuites |
278 if "srp_sha" in keyExchangeNames: | 308 if "srp_sha" in keyExchangeNames: |
279 keyExchangeSuites += CipherSuite.srpSuites | 309 keyExchangeSuites += CipherSuite.srpSuites |
280 if "srp_sha_rsa" in keyExchangeNames: | 310 if "srp_sha_rsa" in keyExchangeNames: |
281 keyExchangeSuites += CipherSuite.srpCertSuites | 311 keyExchangeSuites += CipherSuite.srpCertSuites |
282 if "dh_anon" in keyExchangeNames: | 312 if "dh_anon" in keyExchangeNames: |
283 keyExchangeSuites += CipherSuite.anonSuites | 313 keyExchangeSuites += CipherSuite.anonSuites |
284 | 314 |
285 return [s for s in suites if s in macSuites and | 315 return [s for s in suites if s in macSuites and |
286 s in cipherSuites and s in keyExchangeSuites] | 316 s in cipherSuites and s in keyExchangeSuites] |
287 | 317 |
(...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
328 dheCertSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256) | 358 dheCertSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256) |
329 dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256) | 359 dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256) |
330 dheCertSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) | 360 dheCertSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) |
331 dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA) | 361 dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA) |
332 dheCertSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) | 362 dheCertSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) |
333 | 363 |
334 @staticmethod | 364 @staticmethod |
335 def getDheCertSuites(settings, version=None): | 365 def getDheCertSuites(settings, version=None): |
336 return CipherSuite._filterSuites(CipherSuite.dheCertSuites, settings, ve
rsion) | 366 return CipherSuite._filterSuites(CipherSuite.dheCertSuites, settings, ve
rsion) |
337 | 367 |
338 certAllSuites = srpCertSuites + certSuites + dheCertSuites | 368 ecdheCertSuites = [] |
| 369 ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) |
| 370 ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) |
| 371 ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) |
| 372 ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) |
| 373 ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA) |
| 374 ecdheCertSuites.append(TLS_ECDHE_RSA_WITH_RC4_128_SHA) |
| 375 |
| 376 @staticmethod |
| 377 def getEcdheCertSuites(settings, version=None): |
| 378 return CipherSuite._filterSuites(CipherSuite.ecdheCertSuites, settings,
version) |
| 379 |
| 380 certAllSuites = srpCertSuites + certSuites + dheCertSuites + ecdheCertSuites |
339 | 381 |
340 anonSuites = [] | 382 anonSuites = [] |
341 anonSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) | 383 anonSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) |
342 anonSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) | 384 anonSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) |
343 | 385 |
344 @staticmethod | 386 @staticmethod |
345 def getAnonSuites(settings, version=None): | 387 def getAnonSuites(settings, version=None): |
346 return CipherSuite._filterSuites(CipherSuite.anonSuites, settings, versi
on) | 388 return CipherSuite._filterSuites(CipherSuite.anonSuites, settings, versi
on) |
347 | 389 |
348 dhAllSuites = dheCertSuites + anonSuites | 390 dhAllSuites = dheCertSuites + anonSuites |
| 391 ecdhAllSuites = ecdheCertSuites |
349 | 392 |
350 @staticmethod | 393 @staticmethod |
351 def canonicalCipherName(ciphersuite): | 394 def canonicalCipherName(ciphersuite): |
352 "Return the canonical name of the cipher whose number is provided." | 395 "Return the canonical name of the cipher whose number is provided." |
353 if ciphersuite in CipherSuite.aes128Suites: | 396 if ciphersuite in CipherSuite.aes128Suites: |
354 return "aes128" | 397 return "aes128" |
355 elif ciphersuite in CipherSuite.aes256Suites: | 398 elif ciphersuite in CipherSuite.aes256Suites: |
356 return "aes256" | 399 return "aes256" |
357 elif ciphersuite in CipherSuite.rc4Suites: | 400 elif ciphersuite in CipherSuite.rc4Suites: |
358 return "rc4" | 401 return "rc4" |
(...skipping 54 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
413 badUsername: "bad username",\ | 456 badUsername: "bad username",\ |
414 badPassword: "bad password",\ | 457 badPassword: "bad password",\ |
415 badA: "bad A",\ | 458 badA: "bad A",\ |
416 badPremasterPadding: "bad premaster padding",\ | 459 badPremasterPadding: "bad premaster padding",\ |
417 shortPremasterSecret: "short premaster secret",\ | 460 shortPremasterSecret: "short premaster secret",\ |
418 badVerifyMessage: "bad verify message",\ | 461 badVerifyMessage: "bad verify message",\ |
419 badFinished: "bad finished message",\ | 462 badFinished: "bad finished message",\ |
420 badMAC: "bad MAC",\ | 463 badMAC: "bad MAC",\ |
421 badPadding: "bad padding" | 464 badPadding: "bad padding" |
422 } | 465 } |
OLD | NEW |