OLD | NEW |
---|---|
1 """ | 1 """ |
2 MAIN CLASS FOR TLS LITE (START HERE!). | 2 MAIN CLASS FOR TLS LITE (START HERE!). |
3 """ | 3 """ |
4 from __future__ import generators | 4 from __future__ import generators |
5 | 5 |
6 import socket | 6 import socket |
7 from utils.compat import formatExceptionTrace | 7 from utils.compat import formatExceptionTrace |
8 from TLSRecordLayer import TLSRecordLayer | 8 from TLSRecordLayer import TLSRecordLayer |
9 from Session import Session | 9 from Session import Session |
10 from constants import * | 10 from constants import * |
(...skipping 919 matching lines...)
930 #Mark the connection as open | 930 #Mark the connection as open |
931 self.session._setResumable(True) | 931 self.session._setResumable(True) |
932 self._handshakeDone(resumed=False) | 932 self._handshakeDone(resumed=False) |
933 | 933 |
934 | 934 |
935 | 935 |
936 def handshakeServer(self, sharedKeyDB=None, verifierDB=None, | 936 def handshakeServer(self, sharedKeyDB=None, verifierDB=None, |
937 certChain=None, privateKey=None, reqCert=False, | 937 certChain=None, privateKey=None, reqCert=False, |
938 sessionCache=None, settings=None, checker=None, | 938 sessionCache=None, settings=None, checker=None, |
939 reqCAs=None, tlsIntolerant=0, | 939 reqCAs=None, tlsIntolerant=0, |
940 signedCertTimestamps=None): | 940 signedCertTimestamps=None, |
941 OCSPResponse=None): | |
wtc
2013/12/03 21:04:25
Nit: I suggest "ocspResponse" to match the capital
ekasper
2013/12/04 19:25:15
Done.
| |
941 """Perform a handshake in the role of server. | 942 """Perform a handshake in the role of server. |
942 | 943 |
943 This function performs an SSL or TLS handshake. Depending on | 944 This function performs an SSL or TLS handshake. Depending on |
944 the arguments and the behavior of the client, this function can | 945 the arguments and the behavior of the client, this function can |
945 perform a shared-key, SRP, or certificate-based handshake. It | 946 perform a shared-key, SRP, or certificate-based handshake. It |
946 can also perform a combined SRP and server-certificate | 947 can also perform a combined SRP and server-certificate |
947 handshake. | 948 handshake. |
948 | 949 |
949 Like any handshake function, this can be called on a closed | 950 Like any handshake function, this can be called on a closed |
950 TLS connection, or on a TLS connection that is already open. | 951 TLS connection, or on a TLS connection that is already open. |
(...skipping 55 matching lines...)
1006 @type reqCAs: list of L{array.array} of unsigned bytes | 1007 @type reqCAs: list of L{array.array} of unsigned bytes |
1007 @param reqCAs: A collection of DER-encoded DistinguishedNames that | 1008 @param reqCAs: A collection of DER-encoded DistinguishedNames that |
1008 will be sent along with a certificate request. This does not affect | 1009 will be sent along with a certificate request. This does not affect |
1009 verification. | 1010 verification. |
1010 | 1011 |
1011 @type signedCertTimestamps: str | 1012 @type signedCertTimestamps: str |
1012 @param signedCertTimestamps: A SignedCertificateTimestampList (as a | 1013 @param signedCertTimestamps: A SignedCertificateTimestampList (as a |
1013 binary 8-bit string) that will be sent as a TLS extension whenever | 1014 binary 8-bit string) that will be sent as a TLS extension whenever |
1014 the client announces support for the extension. | 1015 the client announces support for the extension. |
1015 | 1016 |
1017 @type OCSPResponse: str | |
1018 @param OCSPResponse: An OCSP response (as a binary 8-bit string) that | |
1019 will be sent stapled in the handshake whenever the client announces | |
1020 support for the status_request extension. | |
1021 Note that the response is sent independent of the ClientHello extension | |
wtc
2013/12/03 21:04:25
Nit: add "status_request" between "ClientHello" an
ekasper
2013/12/04 19:25:15
Done.
| |
1022 contents, and is thus only meant for testing environments. Real OCSP | |
1023 stapling is more complicated as it requires choosing a suitable response | |
1024 based on the ClientHello extension contents. | |
1025 | |
1016 @raise socket.error: If a socket error occurs. | 1026 @raise socket.error: If a socket error occurs. |
1017 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed | 1027 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed |
1018 without a preceding alert. | 1028 without a preceding alert. |
1019 @raise tlslite.errors.TLSAlert: If a TLS alert is signalled. | 1029 @raise tlslite.errors.TLSAlert: If a TLS alert is signalled. |
1020 @raise tlslite.errors.TLSAuthenticationError: If the checker | 1030 @raise tlslite.errors.TLSAuthenticationError: If the checker |
1021 doesn't like the other party's authentication credentials. | 1031 doesn't like the other party's authentication credentials. |
1022 """ | 1032 """ |
1023 for result in self.handshakeServerAsync(sharedKeyDB, verifierDB, | 1033 for result in self.handshakeServerAsync(sharedKeyDB, verifierDB, |
1024 certChain, privateKey, reqCert, sessionCache, settings, | 1034 certChain, privateKey, reqCert, sessionCache, settings, |
1025 checker, reqCAs, tlsIntolerant, signedCertTimestamps): | 1035 checker, reqCAs, tlsIntolerant, signedCertTimestamps, |
1036 OCSPResponse): | |
1026 pass | 1037 pass |
1027 | 1038 |
1028 | 1039 |
1029 def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None, | 1040 def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None, |
1030 certChain=None, privateKey=None, reqCert=False, | 1041 certChain=None, privateKey=None, reqCert=False, |
1031 sessionCache=None, settings=None, checker=None, | 1042 sessionCache=None, settings=None, checker=None, |
1032 reqCAs=None, tlsIntolerant=0, | 1043 reqCAs=None, tlsIntolerant=0, |
1033 signedCertTimestamps=None): | 1044 signedCertTimestamps=None, |
1045 OCSPResponse=None): | |
wtc
2013/12/03 21:04:25
Nit: ocspResponse.
ekasper
2013/12/04 19:25:15
Done.
| |
1034 """Start a server handshake operation on the TLS connection. | 1046 """Start a server handshake operation on the TLS connection. |
1035 | 1047 |
1036 This function returns a generator which behaves similarly to | 1048 This function returns a generator which behaves similarly to |
1037 handshakeServer(). Successive invocations of the generator | 1049 handshakeServer(). Successive invocations of the generator |
1038 will return 0 if it is waiting to read from the socket, 1 if it is | 1050 will return 0 if it is waiting to read from the socket, 1 if it is |
1039 waiting to write to the socket, or it will raise StopIteration | 1051 waiting to write to the socket, or it will raise StopIteration |
1040 if the handshake operation is complete. | 1052 if the handshake operation is complete. |
1041 | 1053 |
1042 @rtype: iterable | 1054 @rtype: iterable |
1043 @return: A generator; see above for details. | 1055 @return: A generator; see above for details. |
1044 """ | 1056 """ |
1045 handshaker = self._handshakeServerAsyncHelper(\ | 1057 handshaker = self._handshakeServerAsyncHelper(\ |
1046 sharedKeyDB=sharedKeyDB, | 1058 sharedKeyDB=sharedKeyDB, |
1047 verifierDB=verifierDB, certChain=certChain, | 1059 verifierDB=verifierDB, certChain=certChain, |
1048 privateKey=privateKey, reqCert=reqCert, | 1060 privateKey=privateKey, reqCert=reqCert, |
1049 sessionCache=sessionCache, settings=settings, | 1061 sessionCache=sessionCache, settings=settings, |
1050 reqCAs=reqCAs, | 1062 reqCAs=reqCAs, |
1051 tlsIntolerant=tlsIntolerant, | 1063 tlsIntolerant=tlsIntolerant, |
1052 signedCertTimestamps=signedCertTimestamps) | 1064 signedCertTimestamps=signedCertTimestamps, |
1065 OCSPResponse=OCSPResponse) | |
1053 for result in self._handshakeWrapperAsync(handshaker, checker): | 1066 for result in self._handshakeWrapperAsync(handshaker, checker): |
1054 yield result | 1067 yield result |
1055 | 1068 |
1056 | 1069 |
1057 def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB, | 1070 def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB, |
1058 certChain, privateKey, reqCert, | 1071 certChain, privateKey, reqCert, |
1059 sessionCache, settings, reqCAs, | 1072 sessionCache, settings, reqCAs, |
1060 tlsIntolerant, signedCertTimestamps): | 1073 tlsIntolerant, signedCertTimestamps, |
1074 OCSPResponse): | |
wtc
2013/12/03 21:04:25
Nit: ocspResponse.
ekasper
2013/12/04 19:25:15
Done.
| |
1061 | 1075 |
1062 self._handshakeStart(client=False) | 1076 self._handshakeStart(client=False) |
1063 | 1077 |
1064 if (not sharedKeyDB) and (not verifierDB) and (not certChain): | 1078 if (not sharedKeyDB) and (not verifierDB) and (not certChain): |
1065 raise ValueError("Caller passed no authentication credentials") | 1079 raise ValueError("Caller passed no authentication credentials") |
1066 if certChain and not privateKey: | 1080 if certChain and not privateKey: |
1067 raise ValueError("Caller passed a certChain but no privateKey") | 1081 raise ValueError("Caller passed a certChain but no privateKey") |
1068 if privateKey and not certChain: | 1082 if privateKey and not certChain: |
1069 raise ValueError("Caller passed a privateKey but no certChain") | 1083 raise ValueError("Caller passed a privateKey but no certChain") |
1070 if reqCAs and not reqCert: | 1084 if reqCAs and not reqCert: |
(...skipping 350 matching lines...)
1421 elif cipherSuite in CipherSuite.rsaSuites: | 1435 elif cipherSuite in CipherSuite.rsaSuites: |
1422 | 1436 |
1423 #Send ServerHello, Certificate[, CertificateRequest], | 1437 #Send ServerHello, Certificate[, CertificateRequest], |
1424 #ServerHelloDone | 1438 #ServerHelloDone |
1425 msgs = [] | 1439 msgs = [] |
1426 serverHello = ServerHello().create( | 1440 serverHello = ServerHello().create( |
1427 self.version, serverRandom, | 1441 self.version, serverRandom, |
1428 sessionID, cipherSuite, certificateType) | 1442 sessionID, cipherSuite, certificateType) |
1429 serverHello.channel_id = clientHello.channel_id | 1443 serverHello.channel_id = clientHello.channel_id |
1430 if clientHello.support_signed_cert_timestamps: | 1444 if clientHello.support_signed_cert_timestamps: |
1431 serverHello.signed_cert_timestamps = signedCertTimestamps | 1445 serverHello.signed_cert_timestamps = signedCertTimestamps |
1446 serverHello.status_request = (clientHello.status_request and | |
1447 OCSPResponse) | |
1432 doingChannelID = clientHello.channel_id | 1448 doingChannelID = clientHello.channel_id |
1433 msgs.append(serverHello) | 1449 msgs.append(serverHello) |
1434 msgs.append(Certificate(certificateType).create(serverCertChain)) | 1450 msgs.append(Certificate(certificateType).create(serverCertChain)) |
1451 if clientHello.status_request and OCSPResponse: | |
wtc
2013/12/03 21:04:25
Nit: we may be able to just test serverHello.statu
ekasper
2013/12/04 19:25:15
Done.
| |
1452 msgs.append(CertificateStatus().create(OCSPResponse)) | |
1435 if reqCert and reqCAs: | 1453 if reqCert and reqCAs: |
1436 msgs.append(CertificateRequest().create([], reqCAs)) | 1454 msgs.append(CertificateRequest().create([], reqCAs)) |
1437 elif reqCert: | 1455 elif reqCert: |
1438 msgs.append(CertificateRequest()) | 1456 msgs.append(CertificateRequest()) |
1439 msgs.append(ServerHelloDone()) | 1457 msgs.append(ServerHelloDone()) |
1440 for result in self._sendMsgs(msgs): | 1458 for result in self._sendMsgs(msgs): |
1441 yield result | 1459 yield result |
1442 | 1460 |
1443 #From here on, the client's messages must have the right version | 1461 #From here on, the client's messages must have the right version |
1444 self._versionCheck = True | 1462 self._versionCheck = True |
(...skipping 205 matching lines...)
1650 if len(publicKey) < settings.minKeySize: | 1668 if len(publicKey) < settings.minKeySize: |
1651 for result in self._sendError(AlertDescription.handshake_failure, | 1669 for result in self._sendError(AlertDescription.handshake_failure, |
1652 "Other party's public key too small: %d" % len(publicKey)): | 1670 "Other party's public key too small: %d" % len(publicKey)): |
1653 yield result | 1671 yield result |
1654 if len(publicKey) > settings.maxKeySize: | 1672 if len(publicKey) > settings.maxKeySize: |
1655 for result in self._sendError(AlertDescription.handshake_failure, | 1673 for result in self._sendError(AlertDescription.handshake_failure, |
1656 "Other party's public key too large: %d" % len(publicKey)): | 1674 "Other party's public key too large: %d" % len(publicKey)): |
1657 yield result | 1675 yield result |
1658 | 1676 |
1659 yield publicKey, certChain | 1677 yield publicKey, certChain |
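Review bot: At new lines 1446-1447, `serverHello.status_request` is assigned the value of `clientHello.status_request and OCSPResponse`, which is the response string itself (or a falsy operand) rather than a flag. If ServerHello only needs to know whether to emit the extension, `serverHello.status_request = bool(clientHello.status_request and OCSPResponse)` states that intent and keeps the stapled bytes out of the hello object. As far as the visible lines show, the staple is attached only in the `cipherSuite in CipherSuite.rsaSuites` branch, so any other certificate-bearing path in the skipped lines presumably ignores `OCSPResponse` silently; that deserves either the same handling or a comment. Nothing visible checks the response against `certChain` or the contents of the client's request, so I would add a comment above line 1451 such as `# Test-only stapling: OCSPResponse is sent as supplied, not matched to certChain or the client's request`. The body of `_handshakeServerAsyncHelper` begins and continues outside the visible hunks.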