| OLD | NEW |
|---|
| 1 # Authors: | 1 # Authors: |
| 2 # Trevor Perrin | 2 # Trevor Perrin |
| 3 # Google - added reqCAs parameter | 3 # Google - added reqCAs parameter |
| 4 # Google (adapted by Sam Rushing and Marcelo Fernandez) - NPN support | 4 # Google (adapted by Sam Rushing and Marcelo Fernandez) - NPN support |
| 5 # Dimitris Moraitis - Anon ciphersuites | 5 # Dimitris Moraitis - Anon ciphersuites |
| 6 # Martin von Loewis - python 3 port | 6 # Martin von Loewis - python 3 port |
| 7 # | 7 # |
| 8 # See the LICENSE file for legal information regarding use of this file. | 8 # See the LICENSE file for legal information regarding use of this file. |
| 9 | 9 |
| 10 """ | 10 """ |
| (...skipping 1044 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1055 | 1055 |
| 1056 | 1056 |
| 1057 #********************************************************* | 1057 #********************************************************* |
| 1058 # Server Handshake Functions | 1058 # Server Handshake Functions |
| 1059 #********************************************************* | 1059 #********************************************************* |
| 1060 | 1060 |
| 1061 | 1061 |
| 1062 def handshakeServer(self, verifierDB=None, | 1062 def handshakeServer(self, verifierDB=None, |
| 1063 certChain=None, privateKey=None, reqCert=False, | 1063 certChain=None, privateKey=None, reqCert=False, |
| 1064 sessionCache=None, settings=None, checker=None, | 1064 sessionCache=None, settings=None, checker=None, |
| 1065 reqCAs = None, | 1065 reqCAs = None, reqCertTypes = None, |
| 1066 tacks=None, activationFlags=0, | 1066 tacks=None, activationFlags=0, |
| 1067 nextProtos=None, anon=False, | 1067 nextProtos=None, anon=False, |
| 1068 tlsIntolerant=None, signedCertTimestamps=None, | 1068 tlsIntolerant=None, signedCertTimestamps=None, |
| 1069 fallbackSCSV=False, ocspResponse=None): | 1069 fallbackSCSV=False, ocspResponse=None): |
| 1070 """Perform a handshake in the role of server. | 1070 """Perform a handshake in the role of server. |
| 1071 | 1071 |
| 1072 This function performs an SSL or TLS handshake. Depending on | 1072 This function performs an SSL or TLS handshake. Depending on |
| 1073 the arguments and the behavior of the client, this function can | 1073 the arguments and the behavior of the client, this function can |
| 1074 perform an SRP, or certificate-based handshake. It | 1074 perform an SRP, or certificate-based handshake. It |
| 1075 can also perform a combined SRP and server-certificate | 1075 can also perform a combined SRP and server-certificate |
| (...skipping 47 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1123 @type checker: L{tlslite.checker.Checker} | 1123 @type checker: L{tlslite.checker.Checker} |
| 1124 @param checker: A Checker instance. This instance will be | 1124 @param checker: A Checker instance. This instance will be |
| 1125 invoked to examine the other party's authentication | 1125 invoked to examine the other party's authentication |
| 1126 credentials, if the handshake completes succesfully. | 1126 credentials, if the handshake completes succesfully. |
| 1127 | 1127 |
| 1128 @type reqCAs: list of L{bytearray} of unsigned bytes | 1128 @type reqCAs: list of L{bytearray} of unsigned bytes |
| 1129 @param reqCAs: A collection of DER-encoded DistinguishedNames that | 1129 @param reqCAs: A collection of DER-encoded DistinguishedNames that |
| 1130 will be sent along with a certificate request. This does not affect | 1130 will be sent along with a certificate request. This does not affect |
| 1131 verification. | 1131 verification. |
| 1132 | 1132 |
| 1133 @type reqCertTypes: list of int |
| 1134 @param reqCertTypes: A list of certificate_type values to be sent |
| 1135 along with a certificate request. This does not affect verification. |
| 1136 |
| 1133 @type nextProtos: list of strings. | 1137 @type nextProtos: list of strings. |
| 1134 @param nextProtos: A list of upper layer protocols to expose to the | 1138 @param nextProtos: A list of upper layer protocols to expose to the |
| 1135 clients through the Next-Protocol Negotiation Extension, | 1139 clients through the Next-Protocol Negotiation Extension, |
| 1136 if they support it. | 1140 if they support it. |
| 1137 | 1141 |
| 1138 @type tlsIntolerant: (int, int) or None | 1142 @type tlsIntolerant: (int, int) or None |
| 1139 @param tlsIntolerant: If tlsIntolerant is not None, the server will | 1143 @param tlsIntolerant: If tlsIntolerant is not None, the server will |
| 1140 simulate TLS version intolerance by returning a fatal handshake_failure | 1144 simulate TLS version intolerance by returning a fatal handshake_failure |
| 1141 alert to all TLS versions tlsIntolerant or higher. | 1145 alert to all TLS versions tlsIntolerant or higher. |
| 1142 | 1146 |
| (...skipping 19 matching lines...) Expand all Loading... |
| 1162 | 1166 |
| 1163 @raise socket.error: If a socket error occurs. | 1167 @raise socket.error: If a socket error occurs. |
| 1164 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed | 1168 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed |
| 1165 without a preceding alert. | 1169 without a preceding alert. |
| 1166 @raise tlslite.errors.TLSAlert: If a TLS alert is signalled. | 1170 @raise tlslite.errors.TLSAlert: If a TLS alert is signalled. |
| 1167 @raise tlslite.errors.TLSAuthenticationError: If the checker | 1171 @raise tlslite.errors.TLSAuthenticationError: If the checker |
| 1168 doesn't like the other party's authentication credentials. | 1172 doesn't like the other party's authentication credentials. |
| 1169 """ | 1173 """ |
| 1170 for result in self.handshakeServerAsync(verifierDB, | 1174 for result in self.handshakeServerAsync(verifierDB, |
| 1171 certChain, privateKey, reqCert, sessionCache, settings, | 1175 certChain, privateKey, reqCert, sessionCache, settings, |
| 1172 checker, reqCAs, | 1176 checker, reqCAs, reqCertTypes, |
| 1173 tacks=tacks, activationFlags=activationFlags, | 1177 tacks=tacks, activationFlags=activationFlags, |
| 1174 nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, | 1178 nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, |
| 1175 signedCertTimestamps=signedCertTimestamps, | 1179 signedCertTimestamps=signedCertTimestamps, |
| 1176 fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse): | 1180 fallbackSCSV=fallbackSCSV, ocspResponse=ocspResponse): |
| 1177 pass | 1181 pass |
| 1178 | 1182 |
| 1179 | 1183 |
| 1180 def handshakeServerAsync(self, verifierDB=None, | 1184 def handshakeServerAsync(self, verifierDB=None, |
| 1181 certChain=None, privateKey=None, reqCert=False, | 1185 certChain=None, privateKey=None, reqCert=False, |
| 1182 sessionCache=None, settings=None, checker=None, | 1186 sessionCache=None, settings=None, checker=None, |
| 1183 reqCAs=None, | 1187 reqCAs=None, reqCertTypes=None, |
| 1184 tacks=None, activationFlags=0, | 1188 tacks=None, activationFlags=0, |
| 1185 nextProtos=None, anon=False, | 1189 nextProtos=None, anon=False, |
| 1186 tlsIntolerant=None, | 1190 tlsIntolerant=None, |
| 1187 signedCertTimestamps=None, | 1191 signedCertTimestamps=None, |
| 1188 fallbackSCSV=False, | 1192 fallbackSCSV=False, |
| 1189 ocspResponse=None | 1193 ocspResponse=None |
| 1190 ): | 1194 ): |
| 1191 """Start a server handshake operation on the TLS connection. | 1195 """Start a server handshake operation on the TLS connection. |
| 1192 | 1196 |
| 1193 This function returns a generator which behaves similarly to | 1197 This function returns a generator which behaves similarly to |
| 1194 handshakeServer(). Successive invocations of the generator | 1198 handshakeServer(). Successive invocations of the generator |
| 1195 will return 0 if it is waiting to read from the socket, 1 if it is | 1199 will return 0 if it is waiting to read from the socket, 1 if it is |
| 1196 waiting to write to the socket, or it will raise StopIteration | 1200 waiting to write to the socket, or it will raise StopIteration |
| 1197 if the handshake operation is complete. | 1201 if the handshake operation is complete. |
| 1198 | 1202 |
| 1199 @rtype: iterable | 1203 @rtype: iterable |
| 1200 @return: A generator; see above for details. | 1204 @return: A generator; see above for details. |
| 1201 """ | 1205 """ |
| 1202 handshaker = self._handshakeServerAsyncHelper(\ | 1206 handshaker = self._handshakeServerAsyncHelper(\ |
| 1203 verifierDB=verifierDB, certChain=certChain, | 1207 verifierDB=verifierDB, certChain=certChain, |
| 1204 privateKey=privateKey, reqCert=reqCert, | 1208 privateKey=privateKey, reqCert=reqCert, |
| 1205 sessionCache=sessionCache, settings=settings, | 1209 sessionCache=sessionCache, settings=settings, |
| 1206 reqCAs=reqCAs, | 1210 reqCAs=reqCAs, reqCertTypes=reqCertTypes, |
| 1207 tacks=tacks, activationFlags=activationFlags, | 1211 tacks=tacks, activationFlags=activationFlags, |
| 1208 nextProtos=nextProtos, anon=anon, | 1212 nextProtos=nextProtos, anon=anon, |
| 1209 tlsIntolerant=tlsIntolerant, | 1213 tlsIntolerant=tlsIntolerant, |
| 1210 signedCertTimestamps=signedCertTimestamps, | 1214 signedCertTimestamps=signedCertTimestamps, |
| 1211 fallbackSCSV=fallbackSCSV, | 1215 fallbackSCSV=fallbackSCSV, |
| 1212 ocspResponse=ocspResponse) | 1216 ocspResponse=ocspResponse) |
| 1213 for result in self._handshakeWrapperAsync(handshaker, checker): | 1217 for result in self._handshakeWrapperAsync(handshaker, checker): |
| 1214 yield result | 1218 yield result |
| 1215 | 1219 |
| 1216 | 1220 |
| 1217 def _handshakeServerAsyncHelper(self, verifierDB, | 1221 def _handshakeServerAsyncHelper(self, verifierDB, |
| 1218 certChain, privateKey, reqCert, sessionCache, | 1222 certChain, privateKey, reqCert, sessionCache, |
| 1219 settings, reqCAs, | 1223 settings, reqCAs, reqCertTypes, |
| 1220 tacks, activationFlags, | 1224 tacks, activationFlags, |
| 1221 nextProtos, anon, | 1225 nextProtos, anon, |
| 1222 tlsIntolerant, signedCertTimestamps, fallbackSCSV, | 1226 tlsIntolerant, signedCertTimestamps, fallbackSCSV, |
| 1223 ocspResponse): | 1227 ocspResponse): |
| 1224 | 1228 |
| 1225 self._handshakeStart(client=False) | 1229 self._handshakeStart(client=False) |
| 1226 | 1230 |
| 1227 if (not verifierDB) and (not certChain) and not anon: | 1231 if (not verifierDB) and (not certChain) and not anon: |
| 1228 raise ValueError("Caller passed no authentication credentials") | 1232 raise ValueError("Caller passed no authentication credentials") |
| 1229 if certChain and not privateKey: | 1233 if certChain and not privateKey: |
| 1230 raise ValueError("Caller passed a certChain but no privateKey") | 1234 raise ValueError("Caller passed a certChain but no privateKey") |
| 1231 if privateKey and not certChain: | 1235 if privateKey and not certChain: |
| 1232 raise ValueError("Caller passed a privateKey but no certChain") | 1236 raise ValueError("Caller passed a privateKey but no certChain") |
| 1233 if reqCAs and not reqCert: | 1237 if reqCAs and not reqCert: |
| 1234 raise ValueError("Caller passed reqCAs but not reqCert") | 1238 raise ValueError("Caller passed reqCAs but not reqCert") |
| 1239 if reqCertTypes and not reqCert: |
| 1240 raise ValueError("Caller passed reqCertTypes but not reqCert") |
| 1235 if certChain and not isinstance(certChain, X509CertChain): | 1241 if certChain and not isinstance(certChain, X509CertChain): |
| 1236 raise ValueError("Unrecognized certificate type") | 1242 raise ValueError("Unrecognized certificate type") |
| 1237 if activationFlags and not tacks: | 1243 if activationFlags and not tacks: |
| 1238 raise ValueError("Nonzero activationFlags requires tacks") | 1244 raise ValueError("Nonzero activationFlags requires tacks") |
| 1239 if tacks: | 1245 if tacks: |
| 1240 if not tackpyLoaded: | 1246 if not tackpyLoaded: |
| 1241 raise ValueError("tackpy is not loaded") | 1247 raise ValueError("tackpy is not loaded") |
| 1242 if not settings or not settings.useExperimentalTackExtension: | 1248 if not settings or not settings.useExperimentalTackExtension: |
| 1243 raise ValueError("useExperimentalTackExtension not enabled") | 1249 raise ValueError("useExperimentalTackExtension not enabled") |
| 1244 if signedCertTimestamps and not certChain: | 1250 if signedCertTimestamps and not certChain: |
| (...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1313 privateKey) | 1319 privateKey) |
| 1314 elif cipherSuite in CipherSuite.dheCertSuites: | 1320 elif cipherSuite in CipherSuite.dheCertSuites: |
| 1315 keyExchange = DHE_RSAKeyExchange(cipherSuite, | 1321 keyExchange = DHE_RSAKeyExchange(cipherSuite, |
| 1316 clientHello, | 1322 clientHello, |
| 1317 serverHello, | 1323 serverHello, |
| 1318 privateKey) | 1324 privateKey) |
| 1319 else: | 1325 else: |
| 1320 assert(False) | 1326 assert(False) |
| 1321 for result in self._serverCertKeyExchange(clientHello, serverHello, | 1327 for result in self._serverCertKeyExchange(clientHello, serverHello, |
| 1322 certChain, keyExchange, | 1328 certChain, keyExchange, |
| 1323 reqCert, reqCAs, cipherSuite, | 1329 reqCert, reqCAs, reqCertTypes, cipherSui
te, |
| 1324 settings, ocspResponse): | 1330 settings, ocspResponse): |
| 1325 if result in (0,1): yield result | 1331 if result in (0,1): yield result |
| 1326 else: break | 1332 else: break |
| 1327 (premasterSecret, clientCertChain) = result | 1333 (premasterSecret, clientCertChain) = result |
| 1328 | 1334 |
| 1329 # Perform anonymous Diffie Hellman key exchange | 1335 # Perform anonymous Diffie Hellman key exchange |
| 1330 elif cipherSuite in CipherSuite.anonSuites: | 1336 elif cipherSuite in CipherSuite.anonSuites: |
| 1331 for result in self._serverAnonKeyExchange(clientHello, serverHello, | 1337 for result in self._serverAnonKeyExchange(clientHello, serverHello, |
| 1332 cipherSuite, settings): | 1338 cipherSuite, settings): |
| 1333 if result in (0,1): yield result | 1339 if result in (0,1): yield result |
| (...skipping 256 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1590 | 1596 |
| 1591 #Calculate premaster secret | 1597 #Calculate premaster secret |
| 1592 S = powMod((A * powMod(v,u,N)) % N, b, N) | 1598 S = powMod((A * powMod(v,u,N)) % N, b, N) |
| 1593 premasterSecret = numberToByteArray(S) | 1599 premasterSecret = numberToByteArray(S) |
| 1594 | 1600 |
| 1595 yield premasterSecret | 1601 yield premasterSecret |
| 1596 | 1602 |
| 1597 | 1603 |
| 1598 def _serverCertKeyExchange(self, clientHello, serverHello, | 1604 def _serverCertKeyExchange(self, clientHello, serverHello, |
| 1599 serverCertChain, keyExchange, | 1605 serverCertChain, keyExchange, |
| 1600 reqCert, reqCAs, cipherSuite, | 1606 reqCert, reqCAs, reqCertTypes, cipherSuite, |
| 1601 settings, ocspResponse): | 1607 settings, ocspResponse): |
| 1602 #Send ServerHello, Certificate[, ServerKeyExchange] | 1608 #Send ServerHello, Certificate[, ServerKeyExchange] |
| 1603 #[, CertificateRequest], ServerHelloDone | 1609 #[, CertificateRequest], ServerHelloDone |
| 1604 msgs = [] | 1610 msgs = [] |
| 1605 | 1611 |
| 1606 # If we verify a client cert chain, return it | 1612 # If we verify a client cert chain, return it |
| 1607 clientCertChain = None | 1613 clientCertChain = None |
| 1608 | 1614 |
| 1609 msgs.append(serverHello) | 1615 msgs.append(serverHello) |
| 1610 msgs.append(Certificate(CertificateType.x509).create(serverCertChain)) | 1616 msgs.append(Certificate(CertificateType.x509).create(serverCertChain)) |
| 1611 if serverHello.status_request: | 1617 if serverHello.status_request: |
| 1612 msgs.append(CertificateStatus().create(ocspResponse)) | 1618 msgs.append(CertificateStatus().create(ocspResponse)) |
| 1613 serverKeyExchange = keyExchange.makeServerKeyExchange() | 1619 serverKeyExchange = keyExchange.makeServerKeyExchange() |
| 1614 if serverKeyExchange is not None: | 1620 if serverKeyExchange is not None: |
| 1615 msgs.append(serverKeyExchange) | 1621 msgs.append(serverKeyExchange) |
| 1616 if reqCert and reqCAs: | 1622 if reqCert: |
| 1617 msgs.append(CertificateRequest().create(\ | 1623 reqCAs = reqCAs or [] |
| 1618 [ClientCertificateType.rsa_sign], reqCAs)) | 1624 #Apple's Secure Transport library rejects empty certificate_types, |
| 1619 elif reqCert: | 1625 #so default to rsa_sign. |
| 1620 msgs.append(CertificateRequest()) | 1626 reqCertTypes = reqCertTypes or [ClientCertificateType.rsa_sign] |
| 1627 msgs.append(CertificateRequest().create(reqCertTypes, reqCAs)) |
| 1621 msgs.append(ServerHelloDone()) | 1628 msgs.append(ServerHelloDone()) |
| 1622 for result in self._sendMsgs(msgs): | 1629 for result in self._sendMsgs(msgs): |
| 1623 yield result | 1630 yield result |
| 1624 | 1631 |
| 1625 #From here on, the client's messages must have the right version | 1632 #From here on, the client's messages must have the right version |
| 1626 self._versionCheck = True | 1633 self._versionCheck = True |
| 1627 | 1634 |
| 1628 #Get [Certificate,] (if was requested) | 1635 #Get [Certificate,] (if was requested) |
| 1629 if reqCert: | 1636 if reqCert: |
| 1630 if self.version == (3,0): | 1637 if self.version == (3,0): |
| (...skipping 287 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1918 except TLSAlert as alert: | 1925 except TLSAlert as alert: |
| 1919 if not self.fault: | 1926 if not self.fault: |
| 1920 raise | 1927 raise |
| 1921 if alert.description not in Fault.faultAlerts[self.fault]: | 1928 if alert.description not in Fault.faultAlerts[self.fault]: |
| 1922 raise TLSFaultError(str(alert)) | 1929 raise TLSFaultError(str(alert)) |
| 1923 else: | 1930 else: |
| 1924 pass | 1931 pass |
| 1925 except: | 1932 except: |
| 1926 self._shutdown(False) | 1933 self._shutdown(False) |
| 1927 raise | 1934 raise |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 257513008:
Populate cert_key_types on OpenSSL. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src