OLD | NEW |
1 # Authors: | 1 # Authors: |
2 # Trevor Perrin | 2 # Trevor Perrin |
3 # Dave Baggett (Arcode Corporation) - cleanup handling of constants | 3 # Dave Baggett (Arcode Corporation) - cleanup handling of constants |
4 # | 4 # |
5 # See the LICENSE file for legal information regarding use of this file. | 5 # See the LICENSE file for legal information regarding use of this file. |
6 | 6 |
7 """Class for setting handshake parameters.""" | 7 """Class for setting handshake parameters.""" |
8 | 8 |
9 from .constants import CertificateType | 9 from .constants import CertificateType |
10 from .utils import cryptomath | 10 from .utils import cryptomath |
11 from .utils import cipherfactory | 11 from .utils import cipherfactory |
12 | 12 |
13 # RC4 is preferred as faster in Python, works in SSL3, and immune to CBC | 13 # RC4 is preferred as faster in Python, works in SSL3, and immune to CBC |
14 # issues such as timing attacks | 14 # issues such as timing attacks |
15 CIPHER_NAMES = ["rc4", "aes256", "aes128", "3des"] | 15 CIPHER_NAMES = ["rc4", "aes256", "aes128", "3des"] |
16 MAC_NAMES = ["sha"] # "md5" is allowed | 16 MAC_NAMES = ["sha"] # Don't allow "md5" by default. |
| 17 ALL_MAC_NAMES = ["sha", "md5"] |
| 18 KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"] |
17 CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"] | 19 CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"] |
18 CERTIFICATE_TYPES = ["x509"] | 20 CERTIFICATE_TYPES = ["x509"] |
19 | 21 |
20 class HandshakeSettings(object): | 22 class HandshakeSettings(object): |
21 """This class encapsulates various parameters that can be used with | 23 """This class encapsulates various parameters that can be used with |
22 a TLS handshake. | 24 a TLS handshake. |
23 @sort: minKeySize, maxKeySize, cipherNames, macNames, certificateTypes, | 25 @sort: minKeySize, maxKeySize, cipherNames, macNames, certificateTypes, |
24 minVersion, maxVersion | 26 minVersion, maxVersion |
25 | 27 |
26 @type minKeySize: int | 28 @type minKeySize: int |
95 @ivar useExperimentalTackExtension: Whether to enabled TACK support. | 97 @ivar useExperimentalTackExtension: Whether to enabled TACK support. |
96 | 98 |
97 Note that TACK support is not standardized by IETF and uses a temporary | 99 Note that TACK support is not standardized by IETF and uses a temporary |
98 TLS Extension number, so should NOT be used in production software. | 100 TLS Extension number, so should NOT be used in production software. |
99 """ | 101 """ |
100 def __init__(self): | 102 def __init__(self): |
101 self.minKeySize = 1023 | 103 self.minKeySize = 1023 |
102 self.maxKeySize = 8193 | 104 self.maxKeySize = 8193 |
103 self.cipherNames = CIPHER_NAMES | 105 self.cipherNames = CIPHER_NAMES |
104 self.macNames = MAC_NAMES | 106 self.macNames = MAC_NAMES |
| 107 self.keyExchangeNames = KEY_EXCHANGE_NAMES |
105 self.cipherImplementations = CIPHER_IMPLEMENTATIONS | 108 self.cipherImplementations = CIPHER_IMPLEMENTATIONS |
106 self.certificateTypes = CERTIFICATE_TYPES | 109 self.certificateTypes = CERTIFICATE_TYPES |
107 self.minVersion = (3,0) | 110 self.minVersion = (3,0) |
108 self.maxVersion = (3,2) | 111 self.maxVersion = (3,2) |
109 self.useExperimentalTackExtension = False | 112 self.useExperimentalTackExtension = False |
110 | 113 |
111 # Validates the min/max fields, and certificateTypes | 114 # Validates the min/max fields, and certificateTypes |
112 # Filters out unsupported cipherNames and cipherImplementations | 115 # Filters out unsupported cipherNames and cipherImplementations |
113 def _filter(self): | 116 def _filter(self): |
114 other = HandshakeSettings() | 117 other = HandshakeSettings() |
115 other.minKeySize = self.minKeySize | 118 other.minKeySize = self.minKeySize |
116 other.maxKeySize = self.maxKeySize | 119 other.maxKeySize = self.maxKeySize |
117 other.cipherNames = self.cipherNames | 120 other.cipherNames = self.cipherNames |
118 other.macNames = self.macNames | 121 other.macNames = self.macNames |
| 122 other.keyExchangeNames = self.keyExchangeNames |
119 other.cipherImplementations = self.cipherImplementations | 123 other.cipherImplementations = self.cipherImplementations |
120 other.certificateTypes = self.certificateTypes | 124 other.certificateTypes = self.certificateTypes |
121 other.minVersion = self.minVersion | 125 other.minVersion = self.minVersion |
122 other.maxVersion = self.maxVersion | 126 other.maxVersion = self.maxVersion |
123 | 127 |
124 if not cipherfactory.tripleDESPresent: | 128 if not cipherfactory.tripleDESPresent: |
125 other.cipherNames = [e for e in self.cipherNames if e != "3des"] | 129 other.cipherNames = [e for e in self.cipherNames if e != "3des"] |
126 if len(other.cipherNames)==0: | 130 if len(other.cipherNames)==0: |
127 raise ValueError("No supported ciphers") | 131 raise ValueError("No supported ciphers") |
128 if len(other.certificateTypes)==0: | 132 if len(other.certificateTypes)==0: |
141 raise ValueError("minKeySize too small") | 145 raise ValueError("minKeySize too small") |
142 if other.minKeySize>16384: | 146 if other.minKeySize>16384: |
143 raise ValueError("minKeySize too large") | 147 raise ValueError("minKeySize too large") |
144 if other.maxKeySize<512: | 148 if other.maxKeySize<512: |
145 raise ValueError("maxKeySize too small") | 149 raise ValueError("maxKeySize too small") |
146 if other.maxKeySize>16384: | 150 if other.maxKeySize>16384: |
147 raise ValueError("maxKeySize too large") | 151 raise ValueError("maxKeySize too large") |
148 for s in other.cipherNames: | 152 for s in other.cipherNames: |
149 if s not in CIPHER_NAMES: | 153 if s not in CIPHER_NAMES: |
150 raise ValueError("Unknown cipher name: '%s'" % s) | 154 raise ValueError("Unknown cipher name: '%s'" % s) |
| 155 for s in other.macNames: |
| 156 if s not in ALL_MAC_NAMES: |
| 157 raise ValueError("Unknown MAC name: '%s'" % s) |
| 158 for s in other.keyExchangeNames: |
| 159 if s not in KEY_EXCHANGE_NAMES: |
| 160 raise ValueError("Unknown key exchange name: '%s'" % s) |
151 for s in other.cipherImplementations: | 161 for s in other.cipherImplementations: |
152 if s not in CIPHER_IMPLEMENTATIONS: | 162 if s not in CIPHER_IMPLEMENTATIONS: |
153 raise ValueError("Unknown cipher implementation: '%s'" % s) | 163 raise ValueError("Unknown cipher implementation: '%s'" % s) |
154 for s in other.certificateTypes: | 164 for s in other.certificateTypes: |
155 if s not in CERTIFICATE_TYPES: | 165 if s not in CERTIFICATE_TYPES: |
156 raise ValueError("Unknown certificate type: '%s'" % s) | 166 raise ValueError("Unknown certificate type: '%s'" % s) |
157 | 167 |
158 if other.minVersion > other.maxVersion: | 168 if other.minVersion > other.maxVersion: |
159 raise ValueError("Versions set incorrectly") | 169 raise ValueError("Versions set incorrectly") |
160 | 170 |
161 if not other.minVersion in ((3,0), (3,1), (3,2)): | 171 if not other.minVersion in ((3,0), (3,1), (3,2)): |
162 raise ValueError("minVersion set incorrectly") | 172 raise ValueError("minVersion set incorrectly") |
163 | 173 |
164 if not other.maxVersion in ((3,0), (3,1), (3,2)): | 174 if not other.maxVersion in ((3,0), (3,1), (3,2)): |
165 raise ValueError("maxVersion set incorrectly") | 175 raise ValueError("maxVersion set incorrectly") |
166 | 176 |
167 return other | 177 return other |
168 | 178 |
169 def _getCertificateTypes(self): | 179 def _getCertificateTypes(self): |
170 l = [] | 180 l = [] |
171 for ct in self.certificateTypes: | 181 for ct in self.certificateTypes: |
172 if ct == "x509": | 182 if ct == "x509": |
173 l.append(CertificateType.x509) | 183 l.append(CertificateType.x509) |
174 else: | 184 else: |
175 raise AssertionError() | 185 raise AssertionError() |
176 return l | 186 return l |
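Review bot: `KEY_EXCHANGE_NAMES` (new line 18) is used both as the default for `keyExchangeNames` in `__init__` and as the allow-list in `_filter`, so the unauthenticated `dh_anon` exchange is in the default set. The same change keeps `md5` out of the defaults by splitting `MAC_NAMES` from `ALL_MAC_NAMES`, and key exchange should follow that pattern: `KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa"]`, `ALL_KEY_EXCHANGE_NAMES = KEY_EXCHANGE_NAMES + ["dh_anon"]`, with `_filter` checking `if s not in ALL_KEY_EXCHANGE_NAMES:`. Anonymous suites may be gated separately in the handshake code, which is not visible here, but a default that excludes them makes the choice explicit for callers. The visible part of `_filter` also rejects an empty `cipherNames` and `certificateTypes` but shows no matching check for an empty `macNames` or `keyExchangeNames`; new lines 133-144 are elided, so confirm whether one exists there.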