OLD | NEW |
1 """ | 1 """ |
2 MAIN CLASS FOR TLS LITE (START HERE!). | 2 MAIN CLASS FOR TLS LITE (START HERE!). |
3 """ | 3 """ |
4 from __future__ import generators | 4 from __future__ import generators |
5 | 5 |
6 import socket | 6 import socket |
7 from utils.compat import formatExceptionTrace | 7 from utils.compat import formatExceptionTrace |
8 from TLSRecordLayer import TLSRecordLayer | 8 from TLSRecordLayer import TLSRecordLayer |
9 from Session import Session | 9 from Session import Session |
10 from constants import * | 10 from constants import * |
(...skipping 918 matching lines...)
929 | 929 |
930 #Mark the connection as open | 930 #Mark the connection as open |
931 self.session._setResumable(True) | 931 self.session._setResumable(True) |
932 self._handshakeDone(resumed=False) | 932 self._handshakeDone(resumed=False) |
933 | 933 |
934 | 934 |
935 | 935 |
936 def handshakeServer(self, sharedKeyDB=None, verifierDB=None, | 936 def handshakeServer(self, sharedKeyDB=None, verifierDB=None, |
937 certChain=None, privateKey=None, reqCert=False, | 937 certChain=None, privateKey=None, reqCert=False, |
938 sessionCache=None, settings=None, checker=None, | 938 sessionCache=None, settings=None, checker=None, |
939 reqCAs=None, tlsIntolerant=0): | 939 reqCAs=None, tlsIntolerant=0, |
| 940 signedCertTimestamps=None): |
940 """Perform a handshake in the role of server. | 941 """Perform a handshake in the role of server. |
941 | 942 |
942 This function performs an SSL or TLS handshake. Depending on | 943 This function performs an SSL or TLS handshake. Depending on |
943 the arguments and the behavior of the client, this function can | 944 the arguments and the behavior of the client, this function can |
944 perform a shared-key, SRP, or certificate-based handshake. It | 945 perform a shared-key, SRP, or certificate-based handshake. It |
945 can also perform a combined SRP and server-certificate | 946 can also perform a combined SRP and server-certificate |
946 handshake. | 947 handshake. |
947 | 948 |
948 Like any handshake function, this can be called on a closed | 949 Like any handshake function, this can be called on a closed |
949 TLS connection, or on a TLS connection that is already open. | 950 TLS connection, or on a TLS connection that is already open. |
(...skipping 50 matching lines...)
1000 @type checker: L{tlslite.Checker.Checker} | 1001 @type checker: L{tlslite.Checker.Checker} |
1001 @param checker: A Checker instance. This instance will be | 1002 @param checker: A Checker instance. This instance will be |
1002 invoked to examine the other party's authentication | 1003 invoked to examine the other party's authentication |
1003 credentials, if the handshake completes succesfully. | 1004 credentials, if the handshake completes succesfully. |
1004 | 1005 |
1005 @type reqCAs: list of L{array.array} of unsigned bytes | 1006 @type reqCAs: list of L{array.array} of unsigned bytes |
1006 @param reqCAs: A collection of DER-encoded DistinguishedNames that | 1007 @param reqCAs: A collection of DER-encoded DistinguishedNames that |
1007 will be sent along with a certificate request. This does not affect | 1008 will be sent along with a certificate request. This does not affect |
1008 verification. | 1009 verification. |
1009 | 1010 |
| 1011 @type signedCertTimestamps: str |
| 1012 @param signedCertTimestamps: A SignedCertificateTimestampList (as a |
| 1013 binary 8-bit string) that will be sent as a TLS extension whenever |
| 1014 the client announces support for the extension. |
| 1015 |
1010 @raise socket.error: If a socket error occurs. | 1016 @raise socket.error: If a socket error occurs. |
1011 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed | 1017 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed |
1012 without a preceding alert. | 1018 without a preceding alert. |
1013 @raise tlslite.errors.TLSAlert: If a TLS alert is signalled. | 1019 @raise tlslite.errors.TLSAlert: If a TLS alert is signalled. |
1014 @raise tlslite.errors.TLSAuthenticationError: If the checker | 1020 @raise tlslite.errors.TLSAuthenticationError: If the checker |
1015 doesn't like the other party's authentication credentials. | 1021 doesn't like the other party's authentication credentials. |
1016 """ | 1022 """ |
1017 for result in self.handshakeServerAsync(sharedKeyDB, verifierDB, | 1023 for result in self.handshakeServerAsync(sharedKeyDB, verifierDB, |
1018 certChain, privateKey, reqCert, sessionCache, settings, | 1024 certChain, privateKey, reqCert, sessionCache, settings, |
1019 checker, reqCAs, tlsIntolerant): | 1025 checker, reqCAs, tlsIntolerant, signedCertTimestamps): |
1020 pass | 1026 pass |
1021 | 1027 |
1022 | 1028 |
1023 def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None, | 1029 def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None, |
1024 certChain=None, privateKey=None, reqCert=False, | 1030 certChain=None, privateKey=None, reqCert=False, |
1025 sessionCache=None, settings=None, checker=None, | 1031 sessionCache=None, settings=None, checker=None, |
1026 reqCAs=None, tlsIntolerant=0): | 1032 reqCAs=None, tlsIntolerant=0, |
| 1033 signedCertTimestamps=None): |
1027 """Start a server handshake operation on the TLS connection. | 1034 """Start a server handshake operation on the TLS connection. |
1028 | 1035 |
1029 This function returns a generator which behaves similarly to | 1036 This function returns a generator which behaves similarly to |
1030 handshakeServer(). Successive invocations of the generator | 1037 handshakeServer(). Successive invocations of the generator |
1031 will return 0 if it is waiting to read from the socket, 1 if it is | 1038 will return 0 if it is waiting to read from the socket, 1 if it is |
1032 waiting to write to the socket, or it will raise StopIteration | 1039 waiting to write to the socket, or it will raise StopIteration |
1033 if the handshake operation is complete. | 1040 if the handshake operation is complete. |
1034 | 1041 |
1035 @rtype: iterable | 1042 @rtype: iterable |
1036 @return: A generator; see above for details. | 1043 @return: A generator; see above for details. |
1037 """ | 1044 """ |
1038 handshaker = self._handshakeServerAsyncHelper(\ | 1045 handshaker = self._handshakeServerAsyncHelper(\ |
1039 sharedKeyDB=sharedKeyDB, | 1046 sharedKeyDB=sharedKeyDB, |
1040 verifierDB=verifierDB, certChain=certChain, | 1047 verifierDB=verifierDB, certChain=certChain, |
1041 privateKey=privateKey, reqCert=reqCert, | 1048 privateKey=privateKey, reqCert=reqCert, |
1042 sessionCache=sessionCache, settings=settings, | 1049 sessionCache=sessionCache, settings=settings, |
1043 reqCAs=reqCAs, | 1050 reqCAs=reqCAs, |
1044 tlsIntolerant=tlsIntolerant) | 1051 tlsIntolerant=tlsIntolerant, |
| 1052 signedCertTimestamps=signedCertTimestamps) |
1045 for result in self._handshakeWrapperAsync(handshaker, checker): | 1053 for result in self._handshakeWrapperAsync(handshaker, checker): |
1046 yield result | 1054 yield result |
1047 | 1055 |
1048 | 1056 |
1049 def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB, | 1057 def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB, |
1050 certChain, privateKey, reqCert, sessionCache, | 1058 certChain, privateKey, reqCert, |
1051 settings, reqCAs, tlsIntolerant): | 1059 sessionCache, settings, reqCAs, |
| 1060 tlsIntolerant, signedCertTimestamps): |
1052 | 1061 |
1053 self._handshakeStart(client=False) | 1062 self._handshakeStart(client=False) |
1054 | 1063 |
1055 if (not sharedKeyDB) and (not verifierDB) and (not certChain): | 1064 if (not sharedKeyDB) and (not verifierDB) and (not certChain): |
1056 raise ValueError("Caller passed no authentication credentials") | 1065 raise ValueError("Caller passed no authentication credentials") |
1057 if certChain and not privateKey: | 1066 if certChain and not privateKey: |
1058 raise ValueError("Caller passed a certChain but no privateKey") | 1067 raise ValueError("Caller passed a certChain but no privateKey") |
1059 if privateKey and not certChain: | 1068 if privateKey and not certChain: |
1060 raise ValueError("Caller passed a privateKey but no certChain") | 1069 raise ValueError("Caller passed a privateKey but no certChain") |
1061 if reqCAs and not reqCert: | 1070 if reqCAs and not reqCert: |
1062 raise ValueError("Caller passed reqCAs but not reqCert") | 1071 raise ValueError("Caller passed reqCAs but not reqCert") |
| 1072 if signedCertTimestamps and not certChain: |
| 1073 raise ValueError("Caller passed signedCertTimestamps but no " |
| 1074 "certChain") |
1063 | 1075 |
1064 if not settings: | 1076 if not settings: |
1065 settings = HandshakeSettings() | 1077 settings = HandshakeSettings() |
1066 settings = settings._filter() | 1078 settings = settings._filter() |
1067 | 1079 |
1068 #Initialize acceptable cipher suites | 1080 #Initialize acceptable cipher suites |
1069 cipherSuites = [] | 1081 cipherSuites = [] |
1070 if verifierDB: | 1082 if verifierDB: |
1071 if certChain: | 1083 if certChain: |
1072 cipherSuites += \ | 1084 cipherSuites += \ |
(...skipping 335 matching lines...)
1408 #premaster secret: | 1420 #premaster secret: |
1409 elif cipherSuite in CipherSuite.rsaSuites: | 1421 elif cipherSuite in CipherSuite.rsaSuites: |
1410 | 1422 |
1411 #Send ServerHello, Certificate[, CertificateRequest], | 1423 #Send ServerHello, Certificate[, CertificateRequest], |
1412 #ServerHelloDone | 1424 #ServerHelloDone |
1413 msgs = [] | 1425 msgs = [] |
1414 serverHello = ServerHello().create( | 1426 serverHello = ServerHello().create( |
1415 self.version, serverRandom, | 1427 self.version, serverRandom, |
1416 sessionID, cipherSuite, certificateType) | 1428 sessionID, cipherSuite, certificateType) |
1417 serverHello.channel_id = clientHello.channel_id | 1429 serverHello.channel_id = clientHello.channel_id |
| 1430 if clientHello.support_signed_cert_timestamps: |
| 1431 serverHello.signed_cert_timestamps = signedCertTimestamps |
1418 doingChannelID = clientHello.channel_id | 1432 doingChannelID = clientHello.channel_id |
1419 msgs.append(serverHello) | 1433 msgs.append(serverHello) |
1420 msgs.append(Certificate(certificateType).create(serverCertChain)) | 1434 msgs.append(Certificate(certificateType).create(serverCertChain)) |
1421 if reqCert and reqCAs: | 1435 if reqCert and reqCAs: |
1422 msgs.append(CertificateRequest().create([], reqCAs)) | 1436 msgs.append(CertificateRequest().create([], reqCAs)) |
1423 elif reqCert: | 1437 elif reqCert: |
1424 msgs.append(CertificateRequest()) | 1438 msgs.append(CertificateRequest()) |
1425 msgs.append(ServerHelloDone()) | 1439 msgs.append(ServerHelloDone()) |
1426 for result in self._sendMsgs(msgs): | 1440 for result in self._sendMsgs(msgs): |
1427 yield result | 1441 yield result |
(...skipping 208 matching lines...)
1636 if len(publicKey) < settings.minKeySize: | 1650 if len(publicKey) < settings.minKeySize: |
1637 for result in self._sendError(AlertDescription.handshake_failure, | 1651 for result in self._sendError(AlertDescription.handshake_failure, |
1638 "Other party's public key too small: %d" % len(publicKey)): | 1652 "Other party's public key too small: %d" % len(publicKey)): |
1639 yield result | 1653 yield result |
1640 if len(publicKey) > settings.maxKeySize: | 1654 if len(publicKey) > settings.maxKeySize: |
1641 for result in self._sendError(AlertDescription.handshake_failure, | 1655 for result in self._sendError(AlertDescription.handshake_failure, |
1642 "Other party's public key too large: %d" % len(publicKey)): | 1656 "Other party's public key too large: %d" % len(publicKey)): |
1643 yield result | 1657 yield result |
1644 | 1658 |
1645 yield publicKey, certChain | 1659 yield publicKey, certChain |
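Review bot: The SCT list is taken on trust. The new guard at new lines 1072-1074 only checks that a certChain accompanies it, and new lines 1430-1431 copy the value straight into the ServerHello, so an oversized or wrongly typed value is not rejected up front and would surface, if at all, as a serialization failure or a malformed ServerHello mid-handshake. TLS extension data is limited to 65535 bytes, so I would reject it next to the other ValueError checks, e.g. `if signedCertTimestamps and len(signedCertTimestamps) > 0xFFFF: raise ValueError("signedCertTimestamps too long for a TLS extension")`. The docstring at new lines 1011-1014 should also say that, as far as the visible lines show, the list is sent as supplied and is neither parsed nor matched against certChain, so stale or mismatched SCTs are the caller's responsibility. The only assignment visible on this page is in the rsaSuites branch; if the combined SRP and server-certificate path (in the skipped lines) also sends a Certificate message, it presumably needs the same two lines, which is worth confirming. _handshakeServerAsyncHelper continues outside the visible lines.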
OLD | NEW |