OLD | NEW |
1 # Authors: | 1 # Authors: |
2 # Trevor Perrin | 2 # Trevor Perrin |
3 # Dave Baggett (Arcode Corporation) - cleanup handling of constants | 3 # Dave Baggett (Arcode Corporation) - cleanup handling of constants |
4 # Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2 | 4 # Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2 |
5 # | 5 # |
6 # See the LICENSE file for legal information regarding use of this file. | 6 # See the LICENSE file for legal information regarding use of this file. |
7 | 7 |
8 """Class for setting handshake parameters.""" | 8 """Class for setting handshake parameters.""" |
9 | 9 |
10 from .constants import CertificateType | 10 from .constants import CertificateType |
(...skipping 97 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
108 @type useExperimentalTackExtension: bool | 108 @type useExperimentalTackExtension: bool |
109 @ivar useExperimentalTackExtension: Whether to enabled TACK support. | 109 @ivar useExperimentalTackExtension: Whether to enabled TACK support. |
110 | 110 |
111 @type alertAfterHandshake: bool | 111 @type alertAfterHandshake: bool |
112 @ivar alertAfterHandshake: If true, the server will send a fatal | 112 @ivar alertAfterHandshake: If true, the server will send a fatal |
113 alert immediately after the handshake completes. | 113 alert immediately after the handshake completes. |
114 | 114 |
115 @type enableExtendedMasterSecret: bool | 115 @type enableExtendedMasterSecret: bool |
116 @ivar enableExtendedMasterSecret: If true, the server supports the extended | 116 @ivar enableExtendedMasterSecret: If true, the server supports the extended |
117 master secret TLS extension and will negotiated it with supporting clients. | 117 master secret TLS extension and will negotiated it with supporting clients. |
| 118 |
| 119 @type supportedTokenBindingParams: list |
| 120 @ivar supportedTokenBindingParams: A list of token binding parameters that |
| 121 the server supports when negotiating token binding. List values are integers |
| 122 corresponding to the TokenBindingKeyParameters enum in the Token Binding |
| 123 Negotiation spec (draft-ietf-tokbind-negotiation-00). Values are in server's |
| 124 preference order, with most preferred params first. |
118 | 125 |
119 Note that TACK support is not standardized by IETF and uses a temporary | 126 Note that TACK support is not standardized by IETF and uses a temporary |
120 TLS Extension number, so should NOT be used in production software. | 127 TLS Extension number, so should NOT be used in production software. |
121 """ | 128 """ |
122 def __init__(self): | 129 def __init__(self): |
123 self.minKeySize = 1023 | 130 self.minKeySize = 1023 |
124 self.maxKeySize = 8193 | 131 self.maxKeySize = 8193 |
125 self.cipherNames = CIPHER_NAMES | 132 self.cipherNames = CIPHER_NAMES |
126 self.macNames = MAC_NAMES | 133 self.macNames = MAC_NAMES |
127 self.keyExchangeNames = KEY_EXCHANGE_NAMES | 134 self.keyExchangeNames = KEY_EXCHANGE_NAMES |
128 self.cipherImplementations = CIPHER_IMPLEMENTATIONS | 135 self.cipherImplementations = CIPHER_IMPLEMENTATIONS |
129 self.certificateTypes = CERTIFICATE_TYPES | 136 self.certificateTypes = CERTIFICATE_TYPES |
130 self.minVersion = (3,1) | 137 self.minVersion = (3,1) |
131 self.maxVersion = (3,3) | 138 self.maxVersion = (3,3) |
132 self.tlsIntolerant = None | 139 self.tlsIntolerant = None |
133 self.tlsIntoleranceType = 'alert' | 140 self.tlsIntoleranceType = 'alert' |
134 self.useExperimentalTackExtension = False | 141 self.useExperimentalTackExtension = False |
135 self.alertAfterHandshake = False | 142 self.alertAfterHandshake = False |
136 self.enableExtendedMasterSecret = True | 143 self.enableExtendedMasterSecret = True |
| 144 self.supportedTokenBindingParams = [] |
137 | 145 |
138 # Validates the min/max fields, and certificateTypes | 146 # Validates the min/max fields, and certificateTypes |
139 # Filters out unsupported cipherNames and cipherImplementations | 147 # Filters out unsupported cipherNames and cipherImplementations |
140 def _filter(self): | 148 def _filter(self): |
141 other = HandshakeSettings() | 149 other = HandshakeSettings() |
142 other.minKeySize = self.minKeySize | 150 other.minKeySize = self.minKeySize |
143 other.maxKeySize = self.maxKeySize | 151 other.maxKeySize = self.maxKeySize |
144 other.cipherNames = self.cipherNames | 152 other.cipherNames = self.cipherNames |
145 other.macNames = self.macNames | 153 other.macNames = self.macNames |
146 other.keyExchangeNames = self.keyExchangeNames | 154 other.keyExchangeNames = self.keyExchangeNames |
147 other.cipherImplementations = self.cipherImplementations | 155 other.cipherImplementations = self.cipherImplementations |
148 other.certificateTypes = self.certificateTypes | 156 other.certificateTypes = self.certificateTypes |
149 other.minVersion = self.minVersion | 157 other.minVersion = self.minVersion |
150 other.maxVersion = self.maxVersion | 158 other.maxVersion = self.maxVersion |
151 other.tlsIntolerant = self.tlsIntolerant | 159 other.tlsIntolerant = self.tlsIntolerant |
152 other.tlsIntoleranceType = self.tlsIntoleranceType | 160 other.tlsIntoleranceType = self.tlsIntoleranceType |
153 other.alertAfterHandshake = self.alertAfterHandshake | 161 other.alertAfterHandshake = self.alertAfterHandshake |
154 other.enableExtendedMasterSecret = self.enableExtendedMasterSecret | 162 other.enableExtendedMasterSecret = self.enableExtendedMasterSecret |
| 163 other.supportedTokenBindingParams = self.supportedTokenBindingParams |
155 | 164 |
156 if not cipherfactory.tripleDESPresent: | 165 if not cipherfactory.tripleDESPresent: |
157 other.cipherNames = [e for e in self.cipherNames if e != "3des"] | 166 other.cipherNames = [e for e in self.cipherNames if e != "3des"] |
158 if len(other.cipherNames)==0: | 167 if len(other.cipherNames)==0: |
159 raise ValueError("No supported ciphers") | 168 raise ValueError("No supported ciphers") |
160 if len(other.certificateTypes)==0: | 169 if len(other.certificateTypes)==0: |
161 raise ValueError("No supported certificate types") | 170 raise ValueError("No supported certificate types") |
162 | 171 |
163 if not cryptomath.m2cryptoLoaded: | 172 if not cryptomath.m2cryptoLoaded: |
164 other.cipherImplementations = \ | 173 other.cipherImplementations = \ |
(...skipping 44 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
209 return other | 218 return other |
210 | 219 |
211 def _getCertificateTypes(self): | 220 def _getCertificateTypes(self): |
212 l = [] | 221 l = [] |
213 for ct in self.certificateTypes: | 222 for ct in self.certificateTypes: |
214 if ct == "x509": | 223 if ct == "x509": |
215 l.append(CertificateType.x509) | 224 l.append(CertificateType.x509) |
216 else: | 225 else: |
217 raise AssertionError() | 226 raise AssertionError() |
218 return l | 227 return l |
OLD | NEW |