OLD | NEW |
---|---|
1 # Authors: | 1 # Authors: |
2 # Trevor Perrin | 2 # Trevor Perrin |
3 # Dave Baggett (Arcode Corporation) - cleanup handling of constants | 3 # Dave Baggett (Arcode Corporation) - cleanup handling of constants |
4 # | 4 # |
5 # See the LICENSE file for legal information regarding use of this file. | 5 # See the LICENSE file for legal information regarding use of this file. |
6 | 6 |
7 """Class for setting handshake parameters.""" | 7 """Class for setting handshake parameters.""" |
8 | 8 |
9 from .constants import CertificateType | 9 from .constants import CertificateType |
10 from .utils import cryptomath | 10 from .utils import cryptomath |
11 from .utils import cipherfactory | 11 from .utils import cipherfactory |
12 | 12 |
13 # RC4 is preferred as faster in Python, works in SSL3, and immune to CBC | 13 # RC4 is preferred as faster in Python, works in SSL3, and immune to CBC |
14 # issues such as timing attacks | 14 # issues such as timing attacks |
15 CIPHER_NAMES = ["rc4", "aes256", "aes128", "3des"] | 15 CIPHER_NAMES = ["rc4", "aes256", "aes128", "3des"] |
16 MAC_NAMES = ["sha"] # "md5" is allowed | 16 MAC_NAMES = ["sha"] # "md5" is allowed |
17 KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"] | |
17 CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"] | 18 CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"] |
18 CERTIFICATE_TYPES = ["x509"] | 19 CERTIFICATE_TYPES = ["x509"] |
19 | 20 |
20 class HandshakeSettings(object): | 21 class HandshakeSettings(object): |
21 """This class encapsulates various parameters that can be used with | 22 """This class encapsulates various parameters that can be used with |
22 a TLS handshake. | 23 a TLS handshake. |
23 @sort: minKeySize, maxKeySize, cipherNames, macNames, certificateTypes, | 24 @sort: minKeySize, maxKeySize, cipherNames, macNames, certificateTypes, |
24 minVersion, maxVersion | 25 minVersion, maxVersion |
25 | 26 |
26 @type minKeySize: int | 27 @type minKeySize: int |
(...skipping 66 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
93 | 94 |
94 @type useExperimentalTackExtension: bool | 95 @type useExperimentalTackExtension: bool |
95 @ivar useExperimentalTackExtension: Whether to enabled TACK support. | 96 @ivar useExperimentalTackExtension: Whether to enabled TACK support. |
96 | 97 |
97 Note that TACK support is not standardized by IETF and uses a temporary | 98 Note that TACK support is not standardized by IETF and uses a temporary |
98 TLS Extension number, so should NOT be used in production software. | 99 TLS Extension number, so should NOT be used in production software. |
99 """ | 100 """ |
100 def __init__(self): | 101 def __init__(self): |
101 self.minKeySize = 1023 | 102 self.minKeySize = 1023 |
102 self.maxKeySize = 8193 | 103 self.maxKeySize = 8193 |
104 self.keyExchangeNames = KEY_EXCHANGE_NAMES | |
wtc
2014/04/01 22:00:01
Nit: list the self.keyExchangeNames assignment aft
davidben
2014/04/01 23:25:18
Done.
| |
103 self.cipherNames = CIPHER_NAMES | 105 self.cipherNames = CIPHER_NAMES |
104 self.macNames = MAC_NAMES | 106 self.macNames = MAC_NAMES |
105 self.cipherImplementations = CIPHER_IMPLEMENTATIONS | 107 self.cipherImplementations = CIPHER_IMPLEMENTATIONS |
106 self.certificateTypes = CERTIFICATE_TYPES | 108 self.certificateTypes = CERTIFICATE_TYPES |
107 self.minVersion = (3,0) | 109 self.minVersion = (3,0) |
108 self.maxVersion = (3,2) | 110 self.maxVersion = (3,2) |
109 self.useExperimentalTackExtension = False | 111 self.useExperimentalTackExtension = False |
110 | 112 |
111 # Validates the min/max fields, and certificateTypes | 113 # Validates the min/max fields, and certificateTypes |
112 # Filters out unsupported cipherNames and cipherImplementations | 114 # Filters out unsupported cipherNames and cipherImplementations |
113 def _filter(self): | 115 def _filter(self): |
114 other = HandshakeSettings() | 116 other = HandshakeSettings() |
115 other.minKeySize = self.minKeySize | 117 other.minKeySize = self.minKeySize |
116 other.maxKeySize = self.maxKeySize | 118 other.maxKeySize = self.maxKeySize |
119 other.keyExchangeNames = self.keyExchangeNames | |
117 other.cipherNames = self.cipherNames | 120 other.cipherNames = self.cipherNames |
118 other.macNames = self.macNames | 121 other.macNames = self.macNames |
119 other.cipherImplementations = self.cipherImplementations | 122 other.cipherImplementations = self.cipherImplementations |
120 other.certificateTypes = self.certificateTypes | 123 other.certificateTypes = self.certificateTypes |
121 other.minVersion = self.minVersion | 124 other.minVersion = self.minVersion |
122 other.maxVersion = self.maxVersion | 125 other.maxVersion = self.maxVersion |
123 | 126 |
124 if not cipherfactory.tripleDESPresent: | 127 if not cipherfactory.tripleDESPresent: |
125 other.cipherNames = [e for e in self.cipherNames if e != "3des"] | 128 other.cipherNames = [e for e in self.cipherNames if e != "3des"] |
126 if len(other.cipherNames)==0: | 129 if len(other.cipherNames)==0: |
(...skipping 11 matching lines...) Expand all Loading... | |
138 raise ValueError("No supported cipher implementations") | 141 raise ValueError("No supported cipher implementations") |
139 | 142 |
140 if other.minKeySize<512: | 143 if other.minKeySize<512: |
141 raise ValueError("minKeySize too small") | 144 raise ValueError("minKeySize too small") |
142 if other.minKeySize>16384: | 145 if other.minKeySize>16384: |
143 raise ValueError("minKeySize too large") | 146 raise ValueError("minKeySize too large") |
144 if other.maxKeySize<512: | 147 if other.maxKeySize<512: |
145 raise ValueError("maxKeySize too small") | 148 raise ValueError("maxKeySize too small") |
146 if other.maxKeySize>16384: | 149 if other.maxKeySize>16384: |
147 raise ValueError("maxKeySize too large") | 150 raise ValueError("maxKeySize too large") |
151 for s in other.keyExchangeNames: | |
152 if s not in KEY_EXCHANGE_NAMES: | |
153 raise ValueError("Unknown key exchange name: '%s'" % s) | |
148 for s in other.cipherNames: | 154 for s in other.cipherNames: |
149 if s not in CIPHER_NAMES: | 155 if s not in CIPHER_NAMES: |
150 raise ValueError("Unknown cipher name: '%s'" % s) | 156 raise ValueError("Unknown cipher name: '%s'" % s) |
151 for s in other.cipherImplementations: | 157 for s in other.cipherImplementations: |
152 if s not in CIPHER_IMPLEMENTATIONS: | 158 if s not in CIPHER_IMPLEMENTATIONS: |
153 raise ValueError("Unknown cipher implementation: '%s'" % s) | 159 raise ValueError("Unknown cipher implementation: '%s'" % s) |
154 for s in other.certificateTypes: | 160 for s in other.certificateTypes: |
155 if s not in CERTIFICATE_TYPES: | 161 if s not in CERTIFICATE_TYPES: |
156 raise ValueError("Unknown certificate type: '%s'" % s) | 162 raise ValueError("Unknown certificate type: '%s'" % s) |
157 | 163 |
158 if other.minVersion > other.maxVersion: | 164 if other.minVersion > other.maxVersion: |
159 raise ValueError("Versions set incorrectly") | 165 raise ValueError("Versions set incorrectly") |
160 | 166 |
161 if not other.minVersion in ((3,0), (3,1), (3,2)): | 167 if not other.minVersion in ((3,0), (3,1), (3,2)): |
162 raise ValueError("minVersion set incorrectly") | 168 raise ValueError("minVersion set incorrectly") |
163 | 169 |
164 if not other.maxVersion in ((3,0), (3,1), (3,2)): | 170 if not other.maxVersion in ((3,0), (3,1), (3,2)): |
165 raise ValueError("maxVersion set incorrectly") | 171 raise ValueError("maxVersion set incorrectly") |
166 | 172 |
167 return other | 173 return other |
168 | 174 |
169 def _getCertificateTypes(self): | 175 def _getCertificateTypes(self): |
170 l = [] | 176 l = [] |
171 for ct in self.certificateTypes: | 177 for ct in self.certificateTypes: |
172 if ct == "x509": | 178 if ct == "x509": |
173 l.append(CertificateType.x509) | 179 l.append(CertificateType.x509) |
174 else: | 180 else: |
175 raise AssertionError() | 181 raise AssertionError() |
176 return l | 182 return l |
OLD | NEW |