| OLD | NEW |
|---|
| 1 # Authors: | 1 # Authors: |
| 2 # Trevor Perrin | 2 # Trevor Perrin |
| 3 # Dave Baggett (Arcode Corporation) - cleanup handling of constants | 3 # Dave Baggett (Arcode Corporation) - cleanup handling of constants |
| 4 # | 4 # |
| 5 # See the LICENSE file for legal information regarding use of this file. | 5 # See the LICENSE file for legal information regarding use of this file. |
| 6 | 6 |
| 7 """Class for setting handshake parameters.""" | 7 """Class for setting handshake parameters.""" |
| 8 | 8 |
| 9 from .constants import CertificateType | 9 from .constants import CertificateType |
| 10 from .utils import cryptomath | 10 from .utils import cryptomath |
| 11 from .utils import cipherfactory | 11 from .utils import cipherfactory |
| 12 | 12 |
| 13 # RC4 is preferred as faster in Python, works in SSL3, and immune to CBC | 13 # RC4 is preferred as faster in Python, works in SSL3, and immune to CBC |
| 14 # issues such as timing attacks | 14 # issues such as timing attacks |
| 15 CIPHER_NAMES = ["rc4", "aes256", "aes128", "3des"] | 15 CIPHER_NAMES = ["rc4", "aes256", "aes128", "3des"] |
| 16 MAC_NAMES = ["sha"] # "md5" is allowed | 16 MAC_NAMES = ["sha"] # Don't allow "md5" by default. |
| 17 ALL_MAC_NAMES = ["sha", "md5"] |
| 18 KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"] |
| 17 CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"] | 19 CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"] |
| 18 CERTIFICATE_TYPES = ["x509"] | 20 CERTIFICATE_TYPES = ["x509"] |
| 19 | 21 |
| 20 class HandshakeSettings(object): | 22 class HandshakeSettings(object): |
| 21 """This class encapsulates various parameters that can be used with | 23 """This class encapsulates various parameters that can be used with |
| 22 a TLS handshake. | 24 a TLS handshake. |
| 23 @sort: minKeySize, maxKeySize, cipherNames, macNames, certificateTypes, | 25 @sort: minKeySize, maxKeySize, cipherNames, macNames, certificateTypes, |
| 24 minVersion, maxVersion | 26 minVersion, maxVersion |
| 25 | 27 |
| 26 @type minKeySize: int | 28 @type minKeySize: int |
| (...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 95 @ivar useExperimentalTackExtension: Whether to enabled TACK support. | 97 @ivar useExperimentalTackExtension: Whether to enabled TACK support. |
| 96 | 98 |
| 97 Note that TACK support is not standardized by IETF and uses a temporary | 99 Note that TACK support is not standardized by IETF and uses a temporary |
| 98 TLS Extension number, so should NOT be used in production software. | 100 TLS Extension number, so should NOT be used in production software. |
| 99 """ | 101 """ |
| 100 def __init__(self): | 102 def __init__(self): |
| 101 self.minKeySize = 1023 | 103 self.minKeySize = 1023 |
| 102 self.maxKeySize = 8193 | 104 self.maxKeySize = 8193 |
| 103 self.cipherNames = CIPHER_NAMES | 105 self.cipherNames = CIPHER_NAMES |
| 104 self.macNames = MAC_NAMES | 106 self.macNames = MAC_NAMES |
| 107 self.keyExchangeNames = KEY_EXCHANGE_NAMES |
| 105 self.cipherImplementations = CIPHER_IMPLEMENTATIONS | 108 self.cipherImplementations = CIPHER_IMPLEMENTATIONS |
| 106 self.certificateTypes = CERTIFICATE_TYPES | 109 self.certificateTypes = CERTIFICATE_TYPES |
| 107 self.minVersion = (3,0) | 110 self.minVersion = (3,0) |
| 108 self.maxVersion = (3,2) | 111 self.maxVersion = (3,2) |
| 109 self.useExperimentalTackExtension = False | 112 self.useExperimentalTackExtension = False |
| 110 | 113 |
| 111 # Validates the min/max fields, and certificateTypes | 114 # Validates the min/max fields, and certificateTypes |
| 112 # Filters out unsupported cipherNames and cipherImplementations | 115 # Filters out unsupported cipherNames and cipherImplementations |
| 113 def _filter(self): | 116 def _filter(self): |
| 114 other = HandshakeSettings() | 117 other = HandshakeSettings() |
| 115 other.minKeySize = self.minKeySize | 118 other.minKeySize = self.minKeySize |
| 116 other.maxKeySize = self.maxKeySize | 119 other.maxKeySize = self.maxKeySize |
| 117 other.cipherNames = self.cipherNames | 120 other.cipherNames = self.cipherNames |
| 118 other.macNames = self.macNames | 121 other.macNames = self.macNames |
| 122 other.keyExchangeNames = self.keyExchangeNames |
| 119 other.cipherImplementations = self.cipherImplementations | 123 other.cipherImplementations = self.cipherImplementations |
| 120 other.certificateTypes = self.certificateTypes | 124 other.certificateTypes = self.certificateTypes |
| 121 other.minVersion = self.minVersion | 125 other.minVersion = self.minVersion |
| 122 other.maxVersion = self.maxVersion | 126 other.maxVersion = self.maxVersion |
| 123 | 127 |
| 124 if not cipherfactory.tripleDESPresent: | 128 if not cipherfactory.tripleDESPresent: |
| 125 other.cipherNames = [e for e in self.cipherNames if e != "3des"] | 129 other.cipherNames = [e for e in self.cipherNames if e != "3des"] |
| 126 if len(other.cipherNames)==0: | 130 if len(other.cipherNames)==0: |
| 127 raise ValueError("No supported ciphers") | 131 raise ValueError("No supported ciphers") |
| 128 if len(other.certificateTypes)==0: | 132 if len(other.certificateTypes)==0: |
| (...skipping 12 matching lines...) Expand all Loading... |
| 141 raise ValueError("minKeySize too small") | 145 raise ValueError("minKeySize too small") |
| 142 if other.minKeySize>16384: | 146 if other.minKeySize>16384: |
| 143 raise ValueError("minKeySize too large") | 147 raise ValueError("minKeySize too large") |
| 144 if other.maxKeySize<512: | 148 if other.maxKeySize<512: |
| 145 raise ValueError("maxKeySize too small") | 149 raise ValueError("maxKeySize too small") |
| 146 if other.maxKeySize>16384: | 150 if other.maxKeySize>16384: |
| 147 raise ValueError("maxKeySize too large") | 151 raise ValueError("maxKeySize too large") |
| 148 for s in other.cipherNames: | 152 for s in other.cipherNames: |
| 149 if s not in CIPHER_NAMES: | 153 if s not in CIPHER_NAMES: |
| 150 raise ValueError("Unknown cipher name: '%s'" % s) | 154 raise ValueError("Unknown cipher name: '%s'" % s) |
| 155 for s in other.macNames: |
| 156 if s not in ALL_MAC_NAMES: |
| 157 raise ValueError("Unknown MAC name: '%s'" % s) |
| 158 for s in other.keyExchangeNames: |
| 159 if s not in KEY_EXCHANGE_NAMES: |
| 160 raise ValueError("Unknown key exchange name: '%s'" % s) |
| 151 for s in other.cipherImplementations: | 161 for s in other.cipherImplementations: |
| 152 if s not in CIPHER_IMPLEMENTATIONS: | 162 if s not in CIPHER_IMPLEMENTATIONS: |
| 153 raise ValueError("Unknown cipher implementation: '%s'" % s) | 163 raise ValueError("Unknown cipher implementation: '%s'" % s) |
| 154 for s in other.certificateTypes: | 164 for s in other.certificateTypes: |
| 155 if s not in CERTIFICATE_TYPES: | 165 if s not in CERTIFICATE_TYPES: |
| 156 raise ValueError("Unknown certificate type: '%s'" % s) | 166 raise ValueError("Unknown certificate type: '%s'" % s) |
| 157 | 167 |
| 158 if other.minVersion > other.maxVersion: | 168 if other.minVersion > other.maxVersion: |
| 159 raise ValueError("Versions set incorrectly") | 169 raise ValueError("Versions set incorrectly") |
| 160 | 170 |
| 161 if not other.minVersion in ((3,0), (3,1), (3,2)): | 171 if not other.minVersion in ((3,0), (3,1), (3,2)): |
| 162 raise ValueError("minVersion set incorrectly") | 172 raise ValueError("minVersion set incorrectly") |
| 163 | 173 |
| 164 if not other.maxVersion in ((3,0), (3,1), (3,2)): | 174 if not other.maxVersion in ((3,0), (3,1), (3,2)): |
| 165 raise ValueError("maxVersion set incorrectly") | 175 raise ValueError("maxVersion set incorrectly") |
| 166 | 176 |
| 167 return other | 177 return other |
| 168 | 178 |
| 169 def _getCertificateTypes(self): | 179 def _getCertificateTypes(self): |
| 170 l = [] | 180 l = [] |
| 171 for ct in self.certificateTypes: | 181 for ct in self.certificateTypes: |
| 172 if ct == "x509": | 182 if ct == "x509": |
| 173 l.append(CertificateType.x509) | 183 l.append(CertificateType.x509) |
| 174 else: | 184 else: |
| 175 raise AssertionError() | 185 raise AssertionError() |
| 176 return l | 186 return l |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 212883008:
Add DHE_RSA support to tlslite. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src