OLD | NEW |
1 # Authors: | 1 # Authors: |
2 # Trevor Perrin | 2 # Trevor Perrin |
3 # Dave Baggett (Arcode Corporation) - cleanup handling of constants | 3 # Dave Baggett (Arcode Corporation) - cleanup handling of constants |
4 # Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2 | 4 # Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2 |
5 # | 5 # |
6 # See the LICENSE file for legal information regarding use of this file. | 6 # See the LICENSE file for legal information regarding use of this file. |
7 | 7 |
8 """Class for setting handshake parameters.""" | 8 """Class for setting handshake parameters.""" |
9 | 9 |
10 from .constants import CertificateType | 10 from .constants import CertificateType |
(...skipping 94 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
105 The allowed values are "alert" (return a fatal handshake_failure alert), | 105 The allowed values are "alert" (return a fatal handshake_failure alert), |
106 "close" (abruptly close the connection), and "reset" (send a TCP reset). | 106 "close" (abruptly close the connection), and "reset" (send a TCP reset). |
107 | 107 |
108 @type useExperimentalTackExtension: bool | 108 @type useExperimentalTackExtension: bool |
109 @ivar useExperimentalTackExtension: Whether to enabled TACK support. | 109 @ivar useExperimentalTackExtension: Whether to enabled TACK support. |
110 | 110 |
111 @type alertAfterHandshake: bool | 111 @type alertAfterHandshake: bool |
112 @ivar alertAfterHandshake: If true, the server will send a fatal | 112 @ivar alertAfterHandshake: If true, the server will send a fatal |
113 alert immediately after the handshake completes. | 113 alert immediately after the handshake completes. |
114 | 114 |
| 115 @type enableChannelID: bool |
| 116 @ivar enableChannelID: If true, the server supports channel ID. |
| 117 |
115 @type enableExtendedMasterSecret: bool | 118 @type enableExtendedMasterSecret: bool |
116 @ivar enableExtendedMasterSecret: If true, the server supports the extended | 119 @ivar enableExtendedMasterSecret: If true, the server supports the extended |
117 master secret TLS extension and will negotiated it with supporting clients. | 120 master secret TLS extension and will negotiated it with supporting clients. |
118 | 121 |
119 @type supportedTokenBindingParams: list | 122 @type supportedTokenBindingParams: list |
120 @ivar supportedTokenBindingParams: A list of token binding parameters that | 123 @ivar supportedTokenBindingParams: A list of token binding parameters that |
121 the server supports when negotiating token binding. List values are integers | 124 the server supports when negotiating token binding. List values are integers |
122 corresponding to the TokenBindingKeyParameters enum in the Token Binding | 125 corresponding to the TokenBindingKeyParameters enum in the Token Binding |
123 Negotiation spec (draft-ietf-tokbind-negotiation-00). Values are in server's | 126 Negotiation spec (draft-ietf-tokbind-negotiation-00). Values are in server's |
124 preference order, with most preferred params first. | 127 preference order, with most preferred params first. |
125 | 128 |
126 Note that TACK support is not standardized by IETF and uses a temporary | 129 Note that TACK support is not standardized by IETF and uses a temporary |
127 TLS Extension number, so should NOT be used in production software. | 130 TLS Extension number, so should NOT be used in production software. |
128 """ | 131 """ |
129 def __init__(self): | 132 def __init__(self): |
130 self.minKeySize = 1023 | 133 self.minKeySize = 1023 |
131 self.maxKeySize = 8193 | 134 self.maxKeySize = 8193 |
132 self.cipherNames = CIPHER_NAMES | 135 self.cipherNames = CIPHER_NAMES |
133 self.macNames = MAC_NAMES | 136 self.macNames = MAC_NAMES |
134 self.keyExchangeNames = KEY_EXCHANGE_NAMES | 137 self.keyExchangeNames = KEY_EXCHANGE_NAMES |
135 self.cipherImplementations = CIPHER_IMPLEMENTATIONS | 138 self.cipherImplementations = CIPHER_IMPLEMENTATIONS |
136 self.certificateTypes = CERTIFICATE_TYPES | 139 self.certificateTypes = CERTIFICATE_TYPES |
137 self.minVersion = (3,1) | 140 self.minVersion = (3,1) |
138 self.maxVersion = (3,3) | 141 self.maxVersion = (3,3) |
139 self.tlsIntolerant = None | 142 self.tlsIntolerant = None |
140 self.tlsIntoleranceType = 'alert' | 143 self.tlsIntoleranceType = 'alert' |
141 self.useExperimentalTackExtension = False | 144 self.useExperimentalTackExtension = False |
142 self.alertAfterHandshake = False | 145 self.alertAfterHandshake = False |
| 146 self.enableChannelID = True |
143 self.enableExtendedMasterSecret = True | 147 self.enableExtendedMasterSecret = True |
144 self.supportedTokenBindingParams = [] | 148 self.supportedTokenBindingParams = [] |
145 | 149 |
146 # Validates the min/max fields, and certificateTypes | 150 # Validates the min/max fields, and certificateTypes |
147 # Filters out unsupported cipherNames and cipherImplementations | 151 # Filters out unsupported cipherNames and cipherImplementations |
148 def _filter(self): | 152 def _filter(self): |
149 other = HandshakeSettings() | 153 other = HandshakeSettings() |
150 other.minKeySize = self.minKeySize | 154 other.minKeySize = self.minKeySize |
151 other.maxKeySize = self.maxKeySize | 155 other.maxKeySize = self.maxKeySize |
152 other.cipherNames = self.cipherNames | 156 other.cipherNames = self.cipherNames |
153 other.macNames = self.macNames | 157 other.macNames = self.macNames |
154 other.keyExchangeNames = self.keyExchangeNames | 158 other.keyExchangeNames = self.keyExchangeNames |
155 other.cipherImplementations = self.cipherImplementations | 159 other.cipherImplementations = self.cipherImplementations |
156 other.certificateTypes = self.certificateTypes | 160 other.certificateTypes = self.certificateTypes |
157 other.minVersion = self.minVersion | 161 other.minVersion = self.minVersion |
158 other.maxVersion = self.maxVersion | 162 other.maxVersion = self.maxVersion |
159 other.tlsIntolerant = self.tlsIntolerant | 163 other.tlsIntolerant = self.tlsIntolerant |
160 other.tlsIntoleranceType = self.tlsIntoleranceType | 164 other.tlsIntoleranceType = self.tlsIntoleranceType |
161 other.alertAfterHandshake = self.alertAfterHandshake | 165 other.alertAfterHandshake = self.alertAfterHandshake |
| 166 other.enableChannelID = self.enableChannelID |
162 other.enableExtendedMasterSecret = self.enableExtendedMasterSecret | 167 other.enableExtendedMasterSecret = self.enableExtendedMasterSecret |
163 other.supportedTokenBindingParams = self.supportedTokenBindingParams | 168 other.supportedTokenBindingParams = self.supportedTokenBindingParams |
164 | 169 |
165 if not cipherfactory.tripleDESPresent: | 170 if not cipherfactory.tripleDESPresent: |
166 other.cipherNames = [e for e in self.cipherNames if e != "3des"] | 171 other.cipherNames = [e for e in self.cipherNames if e != "3des"] |
167 if len(other.cipherNames)==0: | 172 if len(other.cipherNames)==0: |
168 raise ValueError("No supported ciphers") | 173 raise ValueError("No supported ciphers") |
169 if len(other.certificateTypes)==0: | 174 if len(other.certificateTypes)==0: |
170 raise ValueError("No supported certificate types") | 175 raise ValueError("No supported certificate types") |
171 | 176 |
(...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
218 return other | 223 return other |
219 | 224 |
220 def _getCertificateTypes(self): | 225 def _getCertificateTypes(self): |
221 l = [] | 226 l = [] |
222 for ct in self.certificateTypes: | 227 for ct in self.certificateTypes: |
223 if ct == "x509": | 228 if ct == "x509": |
224 l.append(CertificateType.x509) | 229 l.append(CertificateType.x509) |
225 else: | 230 else: |
226 raise AssertionError() | 231 raise AssertionError() |
227 return l | 232 return l |
OLD | NEW |