4 """Class for setting handshake parameters."""
5
6 from .constants import CertificateType
7 from .utils import cryptomath
8 from .utils import cipherfactory
9
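class HandshakeSettings:
    """This class encapsulates various parameters that can be used with
    a TLS handshake.
    @sort: minKeySize, maxKeySize, cipherNames, certificateTypes,
    minVersion, maxVersion

    @type minKeySize: int
    @ivar minKeySize: The minimum bit length for asymmetric keys.

    If the other party tries to use SRP, RSA, or Diffie-Hellman
    parameters smaller than this length, an alert will be
    signalled.  The default is 1023.

    @type maxKeySize: int
    @ivar maxKeySize: The maximum bit length for asymmetric keys.

    If the other party tries to use SRP, RSA, or Diffie-Hellman
    parameters larger than this length, an alert will be signalled.
    The default is 8193.

    @type cipherNames: list
    @ivar cipherNames: The allowed ciphers, in order of preference.

    The allowed values in this list are 'aes256', 'aes128', '3des', and
    'rc4'.  If these settings are used with a client handshake, they
    determine the order of the ciphersuites offered in the ClientHello
    message.

    If these settings are used with a server handshake, the server will
    choose whichever ciphersuite matches the earliest entry in this
    list.

    NOTE:  If '3des' is used in this list, but TLS Lite can't find an
    add-on library that supports 3DES, then '3des' will be silently
    removed.

    The default value is ['aes256', 'aes128', '3des', 'rc4'].

    @type certificateTypes: list
    @ivar certificateTypes: The allowed certificate types, in order of
    preference.

    The allowed values in this list are 'x509'.  This
    list is only used with a client handshake.  The client will
    advertise to the server which certificate types are supported, and
    will check that the server uses one of the appropriate types.

    @type minVersion: tuple
    @ivar minVersion: The minimum allowed SSL/TLS version.

    This variable can be set to (3,0) for SSL 3.0, (3,1) for
    TLS 1.0, or (3,2) for TLS 1.1.  If the other party wishes to
    use a lower version, a protocol_version alert will be signalled.
    The default is (3,0).

    @type maxVersion: tuple
    @ivar maxVersion: The maximum allowed SSL/TLS version.

    This variable can be set to (3,0) for SSL 3.0, (3,1) for
    TLS 1.0, or (3,2) for TLS 1.1.  If the other party wishes to
    use a higher version, a protocol_version alert will be signalled.
    The default is (3,2).  (WARNING: Some servers may (improperly)
    reject clients which offer support for TLS 1.1.  In this case,
    try lowering maxVersion to (3,1)).
    """

    def __init__(self):
        """Set every handshake parameter to its documented default."""
        # NOTE(review): these defaults still admit SSL 3.0 (minVersion
        # (3,0)), the 'rc4' and '3des' ciphers, and asymmetric keys of
        # 1023 bits.  RFC 7465 prohibits RC4 in TLS and RFC 7568
        # deprecates SSL 3.0, so callers that need a stricter policy
        # should raise minVersion / minKeySize and trim cipherNames on
        # the instance before starting a handshake.
        self.minKeySize = 1023
        self.maxKeySize = 8193
        self.cipherNames = ["aes256", "aes128", "3des", "rc4"]
        # Cipher back ends; _filter() drops the ones whose library did
        # not load.
        self.cipherImplementations = ["openssl", "pycrypto", "python"]
        self.certificateTypes = ["x509"]
        self.minVersion = (3,0)
        self.maxVersion = (3,2)

    def _filter(self):
        """Return a validated copy of these settings.

        Entries that cannot be honoured in this process ('3des' when no
        3DES library is present, 'openssl' / 'pycrypto' when those
        back ends did not load) are removed from the copy; self is left
        untouched.

        @rtype: HandshakeSettings
        @return: A new, validated settings object.

        @raise ValueError: If a list ends up empty, a key size lies
        outside 512..16384, a name is not one of the allowed values, or
        the version range is invalid.
        """
        other = HandshakeSettings()
        other.minKeySize = self.minKeySize
        other.maxKeySize = self.maxKeySize
        # Copy the lists so that later changes to the returned object
        # cannot leak back into the caller's settings (and vice versa).
        other.cipherNames = list(self.cipherNames)
        other.cipherImplementations = list(self.cipherImplementations)
        other.certificateTypes = list(self.certificateTypes)
        other.minVersion = self.minVersion
        other.maxVersion = self.maxVersion

        if not cipherfactory.tripleDESPresent:
            other.cipherNames = [e for e in self.cipherNames if e != "3des"]
        if len(other.cipherNames)==0:
            raise ValueError("No supported ciphers")
        if len(other.certificateTypes)==0:
            raise ValueError("No supported certificate types")

        if not cryptomath.m2cryptoLoaded:
            other.cipherImplementations = [
                e for e in other.cipherImplementations if e != "openssl"]
        if not cryptomath.pycryptoLoaded:
            other.cipherImplementations = [
                e for e in other.cipherImplementations if e != "pycrypto"]
        if len(other.cipherImplementations)==0:
            raise ValueError("No supported cipher implementations")

        if other.minKeySize<512:
            raise ValueError("minKeySize too small")
        if other.minKeySize>16384:
            raise ValueError("minKeySize too large")
        if other.maxKeySize<512:
            raise ValueError("maxKeySize too small")
        if other.maxKeySize>16384:
            raise ValueError("maxKeySize too large")
        for s in other.cipherNames:
            if s not in ("aes256", "aes128", "rc4", "3des"):
                raise ValueError("Unknown cipher name: '%s'" % s)
        for s in other.cipherImplementations:
            if s not in ("openssl", "python", "pycrypto"):
                raise ValueError("Unknown cipher implementation: '%s'" % s)
        for s in other.certificateTypes:
            # One-element tuple on purpose: the former ("x509") was a
            # plain string, so the test was a substring match and
            # values such as "x5" or "" passed validation.
            if s not in ("x509",):
                raise ValueError("Unknown certificate type: '%s'" % s)

        if other.minVersion > other.maxVersion:
            raise ValueError("Versions set incorrectly")

        if not other.minVersion in ((3,0), (3,1), (3,2)):
            raise ValueError("minVersion set incorrectly")

        if not other.maxVersion in ((3,0), (3,1), (3,2)):
            raise ValueError("maxVersion set incorrectly")

        return other

    def _getCertificateTypes(self):
        """Map the configured certificate type names to CertificateType
        constants, keeping the configured order.

        @rtype: list
        @return: One CertificateType value per entry in certificateTypes.

        @raise AssertionError: If an entry is not 'x509'.
        """
        l = []
        for ct in self.certificateTypes:
            if ct == "x509":
                l.append(CertificateType.x509)
            else:
                raise AssertionError()
        return l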
149