Package tlslite :: Module handshakesettings
[hide private]
[frames] | no frames]

Source Code for Module tlslite.handshakesettings

  1  # Author: Trevor Perrin 
  2  # See the LICENSE file for legal information regarding use of this file. 
  3   
  4  """Class for setting handshake parameters.""" 
  5   
  6  from .constants import CertificateType 
  7  from .utils import cryptomath 
  8  from .utils import cipherfactory 
  9   
10 -class HandshakeSettings:
11 """This class encapsulates various parameters that can be used with 12 a TLS handshake. 13 @sort: minKeySize, maxKeySize, cipherNames, certificateTypes, 14 minVersion, maxVersion 15 16 @type minKeySize: int 17 @ivar minKeySize: The minimum bit length for asymmetric keys. 18 19 If the other party tries to use SRP, RSA, or Diffie-Hellman 20 parameters smaller than this length, an alert will be 21 signalled. The default is 1023. 22 23 @type maxKeySize: int 24 @ivar maxKeySize: The maximum bit length for asymmetric keys. 25 26 If the other party tries to use SRP, RSA, or Diffie-Hellman 27 parameters larger than this length, an alert will be signalled. 28 The default is 8193. 29 30 @type cipherNames: list 31 @ivar cipherNames: The allowed ciphers, in order of preference. 32 33 The allowed values in this list are 'aes256', 'aes128', '3des', and 34 'rc4'. If these settings are used with a client handshake, they 35 determine the order of the ciphersuites offered in the ClientHello 36 message. 37 38 If these settings are used with a server handshake, the server will 39 choose whichever ciphersuite matches the earliest entry in this 40 list. 41 42 NOTE: If '3des' is used in this list, but TLS Lite can't find an 43 add-on library that supports 3DES, then '3des' will be silently 44 removed. 45 46 The default value is ['aes256', 'aes128', '3des', 'rc4']. 47 48 @type certificateTypes: list 49 @ivar certificateTypes: The allowed certificate types, in order of 50 preference. 51 52 The allowed values in this list are 'x509'. This 53 list is only used with a client handshake. The client will 54 advertise to the server which certificate types are supported, and 55 will check that the server uses one of the appropriate types. 56 57 @type minVersion: tuple 58 @ivar minVersion: The minimum allowed SSL/TLS version. 59 60 This variable can be set to (3,0) for SSL 3.0, (3,1) for 61 TLS 1.0, or (3,2) for TLS 1.1. If the other party wishes to 62 use a lower version, a protocol_version alert will be signalled. 63 The default is (3,0). 64 65 @type maxVersion: tuple 66 @ivar maxVersion: The maximum allowed SSL/TLS version. 67 68 This variable can be set to (3,0) for SSL 3.0, (3,1) for 69 TLS 1.0, or (3,2) for TLS 1.1. If the other party wishes to 70 use a higher version, a protocol_version alert will be signalled. 71 The default is (3,2). (WARNING: Some servers may (improperly) 72 reject clients which offer support for TLS 1.1. In this case, 73 try lowering maxVersion to (3,1)). 74 """
75 - def __init__(self):
76 self.minKeySize = 1023 77 self.maxKeySize = 8193 78 self.cipherNames = ["aes256", "aes128", "3des", "rc4"] 79 self.cipherImplementations = ["openssl", "pycrypto","python"] 80 self.certificateTypes = ["x509"] 81 self.minVersion = (3,0) 82 self.maxVersion = (3,2)
83 84 # Validates the min/max fields, and certificateTypes 85 # Filters out unsupported cipherNames and cipherImplementations
86 - def _filter(self):
87 other = HandshakeSettings() 88 other.minKeySize = self.minKeySize 89 other.maxKeySize = self.maxKeySize 90 other.cipherNames = self.cipherNames 91 other.cipherImplementations = self.cipherImplementations 92 other.certificateTypes = self.certificateTypes 93 other.minVersion = self.minVersion 94 other.maxVersion = self.maxVersion 95 96 if not cipherfactory.tripleDESPresent: 97 other.cipherNames = [e for e in self.cipherNames if e != "3des"] 98 if len(other.cipherNames)==0: 99 raise ValueError("No supported ciphers") 100 if len(other.certificateTypes)==0: 101 raise ValueError("No supported certificate types") 102 103 if not cryptomath.m2cryptoLoaded: 104 other.cipherImplementations = [e for e in \ 105 other.cipherImplementations if e != "openssl"] 106 if not cryptomath.pycryptoLoaded: 107 other.cipherImplementations = [e for e in \ 108 other.cipherImplementations if e != "pycrypto"] 109 if len(other.cipherImplementations)==0: 110 raise ValueError("No supported cipher implementations") 111 112 if other.minKeySize<512: 113 raise ValueError("minKeySize too small") 114 if other.minKeySize>16384: 115 raise ValueError("minKeySize too large") 116 if other.maxKeySize<512: 117 raise ValueError("maxKeySize too small") 118 if other.maxKeySize>16384: 119 raise ValueError("maxKeySize too large") 120 for s in other.cipherNames: 121 if s not in ("aes256", "aes128", "rc4", "3des"): 122 raise ValueError("Unknown cipher name: '%s'" % s) 123 for s in other.cipherImplementations: 124 if s not in ("openssl", "python", "pycrypto"): 125 raise ValueError("Unknown cipher implementation: '%s'" % s) 126 for s in other.certificateTypes: 127 if s not in ("x509"): 128 raise ValueError("Unknown certificate type: '%s'" % s) 129 130 if other.minVersion > other.maxVersion: 131 raise ValueError("Versions set incorrectly") 132 133 if not other.minVersion in ((3,0), (3,1), (3,2)): 134 raise ValueError("minVersion set incorrectly") 135 136 if not other.maxVersion in ((3,0), (3,1), (3,2)): 137 raise ValueError("maxVersion set incorrectly") 138 139 return other
140
141 - def _getCertificateTypes(self):
142 l = [] 143 for ct in self.certificateTypes: 144 if ct == "x509": 145 l.append(CertificateType.x509) 146 else: 147 raise AssertionError() 148 return l
149