OLD | NEW |
---|---|
1 """ | 1 """ |
2 MAIN CLASS FOR TLS LITE (START HERE!). | 2 MAIN CLASS FOR TLS LITE (START HERE!). |
3 """ | 3 """ |
4 from __future__ import generators | 4 from __future__ import generators |
5 | 5 |
6 import socket | 6 import socket |
7 from utils.compat import formatExceptionTrace | 7 from utils.compat import formatExceptionTrace |
8 from TLSRecordLayer import TLSRecordLayer | 8 from TLSRecordLayer import TLSRecordLayer |
9 from Session import Session | 9 from Session import Session |
10 from constants import * | 10 from constants import * |
(...skipping 918 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
929 | 929 |
930 #Mark the connection as open | 930 #Mark the connection as open |
931 self.session._setResumable(True) | 931 self.session._setResumable(True) |
932 self._handshakeDone(resumed=False) | 932 self._handshakeDone(resumed=False) |
933 | 933 |
934 | 934 |
935 | 935 |
936 def handshakeServer(self, sharedKeyDB=None, verifierDB=None, | 936 def handshakeServer(self, sharedKeyDB=None, verifierDB=None, |
937 certChain=None, privateKey=None, reqCert=False, | 937 certChain=None, privateKey=None, reqCert=False, |
938 sessionCache=None, settings=None, checker=None, | 938 sessionCache=None, settings=None, checker=None, |
939 reqCAs=None, tlsIntolerant=0): | 939 reqCAs=None, tlsIntolerant=0, |
940 signedCertTimestamps=None): | |
940 """Perform a handshake in the role of server. | 941 """Perform a handshake in the role of server. |
941 | 942 |
942 This function performs an SSL or TLS handshake. Depending on | 943 This function performs an SSL or TLS handshake. Depending on |
943 the arguments and the behavior of the client, this function can | 944 the arguments and the behavior of the client, this function can |
944 perform a shared-key, SRP, or certificate-based handshake. It | 945 perform a shared-key, SRP, or certificate-based handshake. It |
945 can also perform a combined SRP and server-certificate | 946 can also perform a combined SRP and server-certificate |
946 handshake. | 947 handshake. |
947 | 948 |
948 Like any handshake function, this can be called on a closed | 949 Like any handshake function, this can be called on a closed |
949 TLS connection, or on a TLS connection that is already open. | 950 TLS connection, or on a TLS connection that is already open. |
(...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
998 the ciphersuites and SSL/TLS version chosen by the server. | 999 the ciphersuites and SSL/TLS version chosen by the server. |
999 | 1000 |
1000 @type checker: L{tlslite.Checker.Checker} | 1001 @type checker: L{tlslite.Checker.Checker} |
1001 @param checker: A Checker instance. This instance will be | 1002 @param checker: A Checker instance. This instance will be |
1002 invoked to examine the other party's authentication | 1003 invoked to examine the other party's authentication |
1003 credentials, if the handshake completes succesfully. | 1004 credentials, if the handshake completes succesfully. |
1004 | 1005 |
1005 @type reqCAs: list of L{array.array} of unsigned bytes | 1006 @type reqCAs: list of L{array.array} of unsigned bytes |
1006 @param reqCAs: A collection of DER-encoded DistinguishedNames that | 1007 @param reqCAs: A collection of DER-encoded DistinguishedNames that |
1007 will be sent along with a certificate request. This does not affect | 1008 will be sent along with a certificate request. This does not affect |
1008 verification. | 1009 verification. |
wtc
2013/11/26 17:32:55
Nit: we probably should document the signedCertTim
ekasper
2013/11/26 19:33:54
I was badly fashioning after another patch. Done.
| |
1009 | 1010 |
1010 @raise socket.error: If a socket error occurs. | 1011 @raise socket.error: If a socket error occurs. |
1011 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed | 1012 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed |
1012 without a preceding alert. | 1013 without a preceding alert. |
1013 @raise tlslite.errors.TLSAlert: If a TLS alert is signalled. | 1014 @raise tlslite.errors.TLSAlert: If a TLS alert is signalled. |
1014 @raise tlslite.errors.TLSAuthenticationError: If the checker | 1015 @raise tlslite.errors.TLSAuthenticationError: If the checker |
1015 doesn't like the other party's authentication credentials. | 1016 doesn't like the other party's authentication credentials. |
1016 """ | 1017 """ |
1017 for result in self.handshakeServerAsync(sharedKeyDB, verifierDB, | 1018 for result in self.handshakeServerAsync(sharedKeyDB, verifierDB, |
1018 certChain, privateKey, reqCert, sessionCache, settings, | 1019 certChain, privateKey, reqCert, sessionCache, settings, |
1019 checker, reqCAs, tlsIntolerant): | 1020 checker, reqCAs, tlsIntolerant, signedCertTimestamps): |
1020 pass | 1021 pass |
1021 | 1022 |
1022 | 1023 |
1023 def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None, | 1024 def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None, |
1024 certChain=None, privateKey=None, reqCert=False, | 1025 certChain=None, privateKey=None, reqCert=False, |
1025 sessionCache=None, settings=None, checker=None, | 1026 sessionCache=None, settings=None, checker=None, |
1026 reqCAs=None, tlsIntolerant=0): | 1027 reqCAs=None, tlsIntolerant=0, |
1028 signedCertTimestamps=None): | |
1027 """Start a server handshake operation on the TLS connection. | 1029 """Start a server handshake operation on the TLS connection. |
1028 | 1030 |
1029 This function returns a generator which behaves similarly to | 1031 This function returns a generator which behaves similarly to |
1030 handshakeServer(). Successive invocations of the generator | 1032 handshakeServer(). Successive invocations of the generator |
1031 will return 0 if it is waiting to read from the socket, 1 if it is | 1033 will return 0 if it is waiting to read from the socket, 1 if it is |
1032 waiting to write to the socket, or it will raise StopIteration | 1034 waiting to write to the socket, or it will raise StopIteration |
1033 if the handshake operation is complete. | 1035 if the handshake operation is complete. |
1034 | 1036 |
1035 @rtype: iterable | 1037 @rtype: iterable |
1036 @return: A generator; see above for details. | 1038 @return: A generator; see above for details. |
1037 """ | 1039 """ |
1038 handshaker = self._handshakeServerAsyncHelper(\ | 1040 handshaker = self._handshakeServerAsyncHelper(\ |
1039 sharedKeyDB=sharedKeyDB, | 1041 sharedKeyDB=sharedKeyDB, |
1040 verifierDB=verifierDB, certChain=certChain, | 1042 verifierDB=verifierDB, certChain=certChain, |
1041 privateKey=privateKey, reqCert=reqCert, | 1043 privateKey=privateKey, reqCert=reqCert, |
1042 sessionCache=sessionCache, settings=settings, | 1044 sessionCache=sessionCache, settings=settings, |
1043 reqCAs=reqCAs, | 1045 reqCAs=reqCAs, |
1044 tlsIntolerant=tlsIntolerant) | 1046 tlsIntolerant=tlsIntolerant, |
1047 signedCertTimestamps=signedCertTimestamps) | |
1045 for result in self._handshakeWrapperAsync(handshaker, checker): | 1048 for result in self._handshakeWrapperAsync(handshaker, checker): |
1046 yield result | 1049 yield result |
1047 | 1050 |
1048 | 1051 |
1049 def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB, | 1052 def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB, |
1050 certChain, privateKey, reqCert, sessionCache, | 1053 certChain, privateKey, reqCert, |
1051 settings, reqCAs, tlsIntolerant): | 1054 sessionCache, settings, reqCAs, |
1055 tlsIntolerant, signedCertTimestamps): | |
1052 | 1056 |
1053 self._handshakeStart(client=False) | 1057 self._handshakeStart(client=False) |
1054 | 1058 |
1055 if (not sharedKeyDB) and (not verifierDB) and (not certChain): | 1059 if (not sharedKeyDB) and (not verifierDB) and (not certChain): |
1056 raise ValueError("Caller passed no authentication credentials") | 1060 raise ValueError("Caller passed no authentication credentials") |
1057 if certChain and not privateKey: | 1061 if certChain and not privateKey: |
1058 raise ValueError("Caller passed a certChain but no privateKey") | 1062 raise ValueError("Caller passed a certChain but no privateKey") |
1059 if privateKey and not certChain: | 1063 if privateKey and not certChain: |
1060 raise ValueError("Caller passed a privateKey but no certChain") | 1064 raise ValueError("Caller passed a privateKey but no certChain") |
1061 if reqCAs and not reqCert: | 1065 if reqCAs and not reqCert: |
1062 raise ValueError("Caller passed reqCAs but not reqCert") | 1066 raise ValueError("Caller passed reqCAs but not reqCert") |
1067 if signedCertTimestamps and not certChain: | |
1068 raise ValueError("Caller passed signedCertTimestamps but no " | |
1069 "certChain") | |
1063 | 1070 |
1064 if not settings: | 1071 if not settings: |
1065 settings = HandshakeSettings() | 1072 settings = HandshakeSettings() |
1066 settings = settings._filter() | 1073 settings = settings._filter() |
1067 | 1074 |
1068 #Initialize acceptable cipher suites | 1075 #Initialize acceptable cipher suites |
1069 cipherSuites = [] | 1076 cipherSuites = [] |
1070 if verifierDB: | 1077 if verifierDB: |
1071 if certChain: | 1078 if certChain: |
1072 cipherSuites += \ | 1079 cipherSuites += \ |
(...skipping 335 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1408 #premaster secret: | 1415 #premaster secret: |
1409 elif cipherSuite in CipherSuite.rsaSuites: | 1416 elif cipherSuite in CipherSuite.rsaSuites: |
1410 | 1417 |
1411 #Send ServerHello, Certificate[, CertificateRequest], | 1418 #Send ServerHello, Certificate[, CertificateRequest], |
1412 #ServerHelloDone | 1419 #ServerHelloDone |
1413 msgs = [] | 1420 msgs = [] |
1414 serverHello = ServerHello().create( | 1421 serverHello = ServerHello().create( |
1415 self.version, serverRandom, | 1422 self.version, serverRandom, |
1416 sessionID, cipherSuite, certificateType) | 1423 sessionID, cipherSuite, certificateType) |
1417 serverHello.channel_id = clientHello.channel_id | 1424 serverHello.channel_id = clientHello.channel_id |
1425 if clientHello.signed_cert_timestamps: | |
1426 serverHello.signed_cert_timestamps = signedCertTimestamps | |
1418 doingChannelID = clientHello.channel_id | 1427 doingChannelID = clientHello.channel_id |
1419 msgs.append(serverHello) | 1428 msgs.append(serverHello) |
1420 msgs.append(Certificate(certificateType).create(serverCertChain)) | 1429 msgs.append(Certificate(certificateType).create(serverCertChain)) |
1421 if reqCert and reqCAs: | 1430 if reqCert and reqCAs: |
1422 msgs.append(CertificateRequest().create([], reqCAs)) | 1431 msgs.append(CertificateRequest().create([], reqCAs)) |
1423 elif reqCert: | 1432 elif reqCert: |
1424 msgs.append(CertificateRequest()) | 1433 msgs.append(CertificateRequest()) |
1425 msgs.append(ServerHelloDone()) | 1434 msgs.append(ServerHelloDone()) |
1426 for result in self._sendMsgs(msgs): | 1435 for result in self._sendMsgs(msgs): |
1427 yield result | 1436 yield result |
(...skipping 208 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1636 if len(publicKey) < settings.minKeySize: | 1645 if len(publicKey) < settings.minKeySize: |
1637 for result in self._sendError(AlertDescription.handshake_failure, | 1646 for result in self._sendError(AlertDescription.handshake_failure, |
1638 "Other party's public key too small: %d" % len(publicKey)): | 1647 "Other party's public key too small: %d" % len(publicKey)): |
1639 yield result | 1648 yield result |
1640 if len(publicKey) > settings.maxKeySize: | 1649 if len(publicKey) > settings.maxKeySize: |
1641 for result in self._sendError(AlertDescription.handshake_failure, | 1650 for result in self._sendError(AlertDescription.handshake_failure, |
1642 "Other party's public key too large: %d" % len(publicKey)): | 1651 "Other party's public key too large: %d" % len(publicKey)): |
1643 yield result | 1652 yield result |
1644 | 1653 |
1645 yield publicKey, certChain | 1654 yield publicKey, certChain |
OLD | NEW |