OLD | NEW |
1 # Authors: | 1 # Authors: |
2 # Trevor Perrin | 2 # Trevor Perrin |
3 # Google - defining ClientCertificateType | 3 # Google - defining ClientCertificateType |
4 # Google (adapted by Sam Rushing) - NPN support | 4 # Google (adapted by Sam Rushing) - NPN support |
5 # Dimitris Moraitis - Anon ciphersuites | 5 # Dimitris Moraitis - Anon ciphersuites |
6 # Dave Baggett (Arcode Corporation) - canonicalCipherName | 6 # Dave Baggett (Arcode Corporation) - canonicalCipherName |
7 # Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2 | 7 # Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2 |
8 # | 8 # |
9 # See the LICENSE file for legal information regarding use of this file. | 9 # See the LICENSE file for legal information regarding use of this file. |
10 | 10 |
(...skipping 157 matching lines...)
168 | 168 |
169 TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034 | 169 TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034 |
170 TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A | 170 TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A |
171 | 171 |
172 TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C | 172 TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C |
173 TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D | 173 TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D |
174 | 174 |
175 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067 | 175 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067 |
176 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B | 176 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B |
177 | 177 |
| 178 TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C |
| 179 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E |
| 180 |
178 tripleDESSuites = [] | 181 tripleDESSuites = [] |
179 tripleDESSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) | 182 tripleDESSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) |
180 tripleDESSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) | 183 tripleDESSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) |
181 tripleDESSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) | 184 tripleDESSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) |
182 tripleDESSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) | 185 tripleDESSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) |
183 | 186 |
184 aes128Suites = [] | 187 aes128Suites = [] |
185 aes128Suites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) | 188 aes128Suites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) |
186 aes128Suites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) | 189 aes128Suites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) |
187 aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA) | 190 aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA) |
188 aes128Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA) | 191 aes128Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA) |
189 aes128Suites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) | 192 aes128Suites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) |
190 aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256) | 193 aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256) |
191 aes128Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256) | 194 aes128Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256) |
192 | 195 |
193 aes256Suites = [] | 196 aes256Suites = [] |
194 aes256Suites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) | 197 aes256Suites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) |
195 aes256Suites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) | 198 aes256Suites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) |
196 aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA) | 199 aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA) |
197 aes256Suites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) | 200 aes256Suites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) |
198 aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) | 201 aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) |
199 aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256) | 202 aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256) |
200 aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256) | 203 aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256) |
201 | 204 |
| 205 aes128GcmSuites = [] |
| 206 aes128GcmSuites.append(TLS_RSA_WITH_AES_128_GCM_SHA256) |
| 207 aes128GcmSuites.append(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) |
| 208 |
202 rc4Suites = [] | 209 rc4Suites = [] |
203 rc4Suites.append(TLS_RSA_WITH_RC4_128_SHA) | 210 rc4Suites.append(TLS_RSA_WITH_RC4_128_SHA) |
204 rc4Suites.append(TLS_RSA_WITH_RC4_128_MD5) | 211 rc4Suites.append(TLS_RSA_WITH_RC4_128_MD5) |
205 | 212 |
206 shaSuites = [] | 213 shaSuites = [] |
207 shaSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) | 214 shaSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) |
208 shaSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) | 215 shaSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) |
209 shaSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) | 216 shaSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) |
210 shaSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) | 217 shaSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) |
211 shaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) | 218 shaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) |
212 shaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) | 219 shaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) |
213 shaSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) | 220 shaSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) |
214 shaSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA) | 221 shaSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA) |
215 shaSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA) | 222 shaSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA) |
216 shaSuites.append(TLS_RSA_WITH_RC4_128_SHA) | 223 shaSuites.append(TLS_RSA_WITH_RC4_128_SHA) |
217 shaSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) | 224 shaSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) |
218 shaSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA) | 225 shaSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA) |
219 shaSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) | 226 shaSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) |
220 shaSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) | 227 shaSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) |
221 shaSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) | 228 shaSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) |
222 | 229 |
223 sha256Suites = [] | 230 sha256Suites = [] |
224 sha256Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256) | 231 sha256Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256) |
225 sha256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256) | 232 sha256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256) |
226 sha256Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256) | 233 sha256Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256) |
227 sha256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256) | 234 sha256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256) |
| 235 sha256Suites.append(TLS_RSA_WITH_AES_128_GCM_SHA256) |
| 236 sha256Suites.append(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) |
| 237 |
| 238 aeadSuites = aes128GcmSuites |
228 | 239 |
229 | 240 |
230 md5Suites = [] | 241 md5Suites = [] |
231 md5Suites.append(TLS_RSA_WITH_RC4_128_MD5) | 242 md5Suites.append(TLS_RSA_WITH_RC4_128_MD5) |
232 | 243 |
233 @staticmethod | 244 @staticmethod |
234 def _filterSuites(suites, settings): | 245 def _filterSuites(suites, settings, version=None): |
| 246 if version is None: |
| 247 version = settings.maxVersion |
235 macNames = settings.macNames | 248 macNames = settings.macNames |
236 cipherNames = settings.cipherNames | 249 cipherNames = settings.cipherNames |
237 keyExchangeNames = settings.keyExchangeNames | 250 keyExchangeNames = settings.keyExchangeNames |
238 macSuites = [] | 251 macSuites = [] |
239 if "sha" in macNames: | 252 if "sha" in macNames: |
240 macSuites += CipherSuite.shaSuites | 253 macSuites += CipherSuite.shaSuites |
241 if "sha256" in macNames: | 254 if "sha256" in macNames and version >= (3,3): |
242 macSuites += CipherSuite.sha256Suites | 255 macSuites += CipherSuite.sha256Suites |
243 if "md5" in macNames: | 256 if "md5" in macNames: |
244 macSuites += CipherSuite.md5Suites | 257 macSuites += CipherSuite.md5Suites |
| 258 if "aead" in macNames and version >= (3,3): |
| 259 macSuites += CipherSuite.aeadSuites |
245 | 260 |
246 cipherSuites = [] | 261 cipherSuites = [] |
| 262 if "aes128gcm" in cipherNames and version >= (3,3): |
| 263 cipherSuites += CipherSuite.aes128GcmSuites |
247 if "aes128" in cipherNames: | 264 if "aes128" in cipherNames: |
248 cipherSuites += CipherSuite.aes128Suites | 265 cipherSuites += CipherSuite.aes128Suites |
249 if "aes256" in cipherNames: | 266 if "aes256" in cipherNames: |
250 cipherSuites += CipherSuite.aes256Suites | 267 cipherSuites += CipherSuite.aes256Suites |
251 if "3des" in cipherNames: | 268 if "3des" in cipherNames: |
252 cipherSuites += CipherSuite.tripleDESSuites | 269 cipherSuites += CipherSuite.tripleDESSuites |
253 if "rc4" in cipherNames: | 270 if "rc4" in cipherNames: |
254 cipherSuites += CipherSuite.rc4Suites | 271 cipherSuites += CipherSuite.rc4Suites |
255 | 272 |
256 keyExchangeSuites = [] | 273 keyExchangeSuites = [] |
(...skipping 10 matching lines...)
267 | 284 |
268 return [s for s in suites if s in macSuites and | 285 return [s for s in suites if s in macSuites and |
269 s in cipherSuites and s in keyExchangeSuites] | 286 s in cipherSuites and s in keyExchangeSuites] |
270 | 287 |
271 srpSuites = [] | 288 srpSuites = [] |
272 srpSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) | 289 srpSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) |
273 srpSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) | 290 srpSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) |
274 srpSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) | 291 srpSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) |
275 | 292 |
276 @staticmethod | 293 @staticmethod |
277 def getSrpSuites(settings): | 294 def getSrpSuites(settings, version=None): |
278 return CipherSuite._filterSuites(CipherSuite.srpSuites, settings) | 295 return CipherSuite._filterSuites(CipherSuite.srpSuites, settings, versio
n) |
279 | 296 |
280 srpCertSuites = [] | 297 srpCertSuites = [] |
281 srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) | 298 srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) |
282 srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) | 299 srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) |
283 srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) | 300 srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) |
284 | 301 |
285 @staticmethod | 302 @staticmethod |
286 def getSrpCertSuites(settings): | 303 def getSrpCertSuites(settings, version=None): |
287 return CipherSuite._filterSuites(CipherSuite.srpCertSuites, settings) | 304 return CipherSuite._filterSuites(CipherSuite.srpCertSuites, settings, ve
rsion) |
288 | 305 |
289 srpAllSuites = srpSuites + srpCertSuites | 306 srpAllSuites = srpSuites + srpCertSuites |
290 | 307 |
291 @staticmethod | 308 @staticmethod |
292 def getSrpAllSuites(settings): | 309 def getSrpAllSuites(settings, version=None): |
293 return CipherSuite._filterSuites(CipherSuite.srpAllSuites, settings) | 310 return CipherSuite._filterSuites(CipherSuite.srpAllSuites, settings, ver
sion) |
294 | 311 |
295 certSuites = [] | 312 certSuites = [] |
| 313 certSuites.append(TLS_RSA_WITH_AES_128_GCM_SHA256) |
296 certSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA256) | 314 certSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA256) |
297 certSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA256) | 315 certSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA256) |
298 certSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA) | 316 certSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA) |
299 certSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA) | 317 certSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA) |
300 certSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) | 318 certSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) |
301 certSuites.append(TLS_RSA_WITH_RC4_128_SHA) | 319 certSuites.append(TLS_RSA_WITH_RC4_128_SHA) |
302 certSuites.append(TLS_RSA_WITH_RC4_128_MD5) | 320 certSuites.append(TLS_RSA_WITH_RC4_128_MD5) |
303 | 321 |
304 @staticmethod | 322 @staticmethod |
305 def getCertSuites(settings): | 323 def getCertSuites(settings, version=None): |
306 return CipherSuite._filterSuites(CipherSuite.certSuites, settings) | 324 return CipherSuite._filterSuites(CipherSuite.certSuites, settings, versi
on) |
307 | 325 |
308 dheCertSuites = [] | 326 dheCertSuites = [] |
| 327 dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) |
309 dheCertSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256) | 328 dheCertSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256) |
310 dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256) | 329 dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256) |
311 dheCertSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) | 330 dheCertSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) |
312 dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA) | 331 dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA) |
313 dheCertSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) | 332 dheCertSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) |
314 | 333 |
315 @staticmethod | 334 @staticmethod |
316 def getDheCertSuites(settings): | 335 def getDheCertSuites(settings, version=None): |
317 return CipherSuite._filterSuites(CipherSuite.dheCertSuites, settings) | 336 return CipherSuite._filterSuites(CipherSuite.dheCertSuites, settings, ve
rsion) |
318 | 337 |
319 certAllSuites = srpCertSuites + certSuites + dheCertSuites | 338 certAllSuites = srpCertSuites + certSuites + dheCertSuites |
320 | 339 |
321 anonSuites = [] | 340 anonSuites = [] |
322 anonSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) | 341 anonSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) |
323 anonSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) | 342 anonSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) |
324 | 343 |
325 @staticmethod | 344 @staticmethod |
326 def getAnonSuites(settings): | 345 def getAnonSuites(settings, version=None): |
327 return CipherSuite._filterSuites(CipherSuite.anonSuites, settings) | 346 return CipherSuite._filterSuites(CipherSuite.anonSuites, settings, versi
on) |
328 | 347 |
329 dhAllSuites = dheCertSuites + anonSuites | 348 dhAllSuites = dheCertSuites + anonSuites |
330 | 349 |
331 @staticmethod | 350 @staticmethod |
332 def canonicalCipherName(ciphersuite): | 351 def canonicalCipherName(ciphersuite): |
333 "Return the canonical name of the cipher whose number is provided." | 352 "Return the canonical name of the cipher whose number is provided." |
334 if ciphersuite in CipherSuite.aes128Suites: | 353 if ciphersuite in CipherSuite.aes128Suites: |
335 return "aes128" | 354 return "aes128" |
336 elif ciphersuite in CipherSuite.aes256Suites: | 355 elif ciphersuite in CipherSuite.aes256Suites: |
337 return "aes256" | 356 return "aes256" |
(...skipping 56 matching lines...)
394 badUsername: "bad username",\ | 413 badUsername: "bad username",\ |
395 badPassword: "bad password",\ | 414 badPassword: "bad password",\ |
396 badA: "bad A",\ | 415 badA: "bad A",\ |
397 badPremasterPadding: "bad premaster padding",\ | 416 badPremasterPadding: "bad premaster padding",\ |
398 shortPremasterSecret: "short premaster secret",\ | 417 shortPremasterSecret: "short premaster secret",\ |
399 badVerifyMessage: "bad verify message",\ | 418 badVerifyMessage: "bad verify message",\ |
400 badFinished: "bad finished message",\ | 419 badFinished: "bad finished message",\ |
401 badMAC: "bad MAC",\ | 420 badMAC: "bad MAC",\ |
402 badPadding: "bad padding" | 421 badPadding: "bad padding" |
403 } | 422 } |
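Review bot: The new `"aead"` MAC name does not filter independently, because the two GCM suites are appended to `sha256Suites` as well as to `aeadSuites`. In `_filterSuites`, as far as the visible MAC and cipher filters go, a TLS 1.2 settings object with `"sha256"` in `macNames` and `"aes128gcm"` in `cipherNames` still admits both GCM suites after `"aead"` has been removed. If `sha256Suites` must keep them for PRF or hash selection elsewhere (not visible here), add a comment above the two appends saying so and use `macSuites += [s for s in CipherSuite.sha256Suites if s not in CipherSuite.aeadSuites]` in the `"sha256"` branch. `aeadSuites = aes128GcmSuites` also binds the same list object, so a later `aeadSuites.append(...)` would change `aes128GcmSuites` too; `aeadSuites = list(aes128GcmSuites)` avoids that. Separately, `canonicalCipherName` continues into the collapsed unchanged region and its visible branches test only the older lists, so confirm what it reports for the GCM suites.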
OLD | NEW |