OLD | NEW |
| (Empty) |
1 """Class for setting handshake parameters.""" | |
2 | |
3 from constants import CertificateType | |
4 from utils import cryptomath | |
5 from utils import cipherfactory | |
6 | |
7 class HandshakeSettings: | |
8 """This class encapsulates various parameters that can be used with | |
9 a TLS handshake. | |
10 @sort: minKeySize, maxKeySize, cipherNames, certificateTypes, | |
11 minVersion, maxVersion | |
12 | |
13 @type minKeySize: int | |
14 @ivar minKeySize: The minimum bit length for asymmetric keys. | |
15 | |
16 If the other party tries to use SRP, RSA, or Diffie-Hellman | |
17 parameters smaller than this length, an alert will be | |
18 signalled. The default is 1023. | |
19 | |
20 @type maxKeySize: int | |
21 @ivar maxKeySize: The maximum bit length for asymmetric keys. | |
22 | |
23 If the other party tries to use SRP, RSA, or Diffie-Hellman | |
24 parameters larger than this length, an alert will be signalled. | |
25 The default is 8193. | |
26 | |
27 @type cipherNames: list | |
28 @ivar cipherNames: The allowed ciphers, in order of preference. | |
29 | |
30 The allowed values in this list are 'aes256', 'aes128', '3des', and | |
31 'rc4'. If these settings are used with a client handshake, they | |
32 determine the order of the ciphersuites offered in the ClientHello | |
33 message. | |
34 | |
35 If these settings are used with a server handshake, the server will | |
36 choose whichever ciphersuite matches the earliest entry in this | |
37 list. | |
38 | |
39 NOTE: If '3des' is used in this list, but TLS Lite can't find an | |
40 add-on library that supports 3DES, then '3des' will be silently | |
41 removed. | |
42 | |
43 The default value is ['aes256', 'aes128', '3des', 'rc4']. | |
44 | |
45 @type certificateTypes: list | |
46 @ivar certificateTypes: The allowed certificate types, in order of | |
47 preference. | |
48 | |
49 The allowed values in this list are 'x509' and 'cryptoID'. This | |
50 list is only used with a client handshake. The client will | |
51 advertise to the server which certificate types are supported, and | |
52 will check that the server uses one of the appropriate types. | |
53 | |
54 NOTE: If 'cryptoID' is used in this list, but cryptoIDlib is not | |
55 installed, then 'cryptoID' will be silently removed. | |
56 | |
57 @type minVersion: tuple | |
58 @ivar minVersion: The minimum allowed SSL/TLS version. | |
59 | |
60 This variable can be set to (3,0) for SSL 3.0, (3,1) for | |
61 TLS 1.0, or (3,2) for TLS 1.1. If the other party wishes to | |
62 use a lower version, a protocol_version alert will be signalled. | |
63 The default is (3,0). | |
64 | |
65 @type maxVersion: tuple | |
66 @ivar maxVersion: The maximum allowed SSL/TLS version. | |
67 | |
68 This variable can be set to (3,0) for SSL 3.0, (3,1) for | |
69 TLS 1.0, or (3,2) for TLS 1.1. If the other party wishes to | |
70 use a higher version, a protocol_version alert will be signalled. | |
71 The default is (3,2). (WARNING: Some servers may (improperly) | |
72 reject clients which offer support for TLS 1.1. In this case, | |
73 try lowering maxVersion to (3,1)). | |
74 """ | |
75 def __init__(self): | |
76 self.minKeySize = 1023 | |
77 self.maxKeySize = 8193 | |
78 self.cipherNames = ["aes256", "aes128", "3des", "rc4"] | |
79 self.cipherImplementations = ["cryptlib", "openssl", "pycrypto", | |
80 "python"] | |
81 self.certificateTypes = ["x509", "cryptoID"] | |
82 self.minVersion = (3,0) | |
83 self.maxVersion = (3,2) | |
84 | |
85 #Filters out options that are not supported | |
86 def _filter(self): | |
87 other = HandshakeSettings() | |
88 other.minKeySize = self.minKeySize | |
89 other.maxKeySize = self.maxKeySize | |
90 other.cipherNames = self.cipherNames | |
91 other.cipherImplementations = self.cipherImplementations | |
92 other.certificateTypes = self.certificateTypes | |
93 other.minVersion = self.minVersion | |
94 other.maxVersion = self.maxVersion | |
95 | |
96 if not cipherfactory.tripleDESPresent: | |
97 other.cipherNames = [e for e in self.cipherNames if e != "3des"] | |
98 if len(other.cipherNames)==0: | |
99 raise ValueError("No supported ciphers") | |
100 | |
101 try: | |
102 import cryptoIDlib | |
103 except ImportError: | |
104 other.certificateTypes = [e for e in self.certificateTypes \ | |
105 if e != "cryptoID"] | |
106 if len(other.certificateTypes)==0: | |
107 raise ValueError("No supported certificate types") | |
108 | |
109 if not cryptomath.cryptlibpyLoaded: | |
110 other.cipherImplementations = [e for e in \ | |
111 self.cipherImplementations if e != "cryptlib"] | |
112 if not cryptomath.m2cryptoLoaded: | |
113 other.cipherImplementations = [e for e in \ | |
114 other.cipherImplementations if e != "openssl"] | |
115 if not cryptomath.pycryptoLoaded: | |
116 other.cipherImplementations = [e for e in \ | |
117 other.cipherImplementations if e != "pycrypto"] | |
118 if len(other.cipherImplementations)==0: | |
119 raise ValueError("No supported cipher implementations") | |
120 | |
121 if other.minKeySize<512: | |
122 raise ValueError("minKeySize too small") | |
123 if other.minKeySize>16384: | |
124 raise ValueError("minKeySize too large") | |
125 if other.maxKeySize<512: | |
126 raise ValueError("maxKeySize too small") | |
127 if other.maxKeySize>16384: | |
128 raise ValueError("maxKeySize too large") | |
129 for s in other.cipherNames: | |
130 if s not in ("aes256", "aes128", "rc4", "3des"): | |
131 raise ValueError("Unknown cipher name: '%s'" % s) | |
132 for s in other.cipherImplementations: | |
133 if s not in ("cryptlib", "openssl", "python", "pycrypto"): | |
134 raise ValueError("Unknown cipher implementation: '%s'" % s) | |
135 for s in other.certificateTypes: | |
136 if s not in ("x509", "cryptoID"): | |
137 raise ValueError("Unknown certificate type: '%s'" % s) | |
138 | |
139 if other.minVersion > other.maxVersion: | |
140 raise ValueError("Versions set incorrectly") | |
141 | |
142 if not other.minVersion in ((3,0), (3,1), (3,2)): | |
143 raise ValueError("minVersion set incorrectly") | |
144 | |
145 if not other.maxVersion in ((3,0), (3,1), (3,2)): | |
146 raise ValueError("maxVersion set incorrectly") | |
147 | |
148 return other | |
149 | |
150 def _getCertificateTypes(self): | |
151 l = [] | |
152 for ct in self.certificateTypes: | |
153 if ct == "x509": | |
154 l.append(CertificateType.x509) | |
155 elif ct == "cryptoID": | |
156 l.append(CertificateType.cryptoID) | |
157 else: | |
158 raise AssertionError() | |
159 return l | |