```python
# Authors:
#   Trevor Perrin
#   Google - defining ClientCertificateType
#   Google (adapted by Sam Rushing) - NPN support
#   Dimitris Moraitis - Anon ciphersuites
#   Dave Baggett (Arcode Corporation) - canonicalCipherName
#   Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2
#
# See the LICENSE file for legal information regarding use of this file.

"""Constants used in various places."""

# [definitions collapsed in the original listing]


class HandshakeType:
    hello_request = 0
    client_hello = 1
    server_hello = 2
    certificate = 11
    server_key_exchange = 12
    certificate_request = 13
    server_hello_done = 14
    certificate_verify = 15
    client_key_exchange = 16
    finished = 20
    next_protocol = 67


class ContentType:
    change_cipher_spec = 20
    alert = 21
    handshake = 22
    application_data = 23
    all = (20, 21, 22, 23)


class ExtensionType:
    server_name = 0  # RFC 6066 / 4366
    cert_type = 9  # RFC 6091
    supported_groups = 10  # RFC 4492, RFC-ietf-tls-negotiated-ff-dhe-10
    ec_point_formats = 11  # RFC 4492
    srp = 12  # RFC 5054
    signature_algorithms = 13  # RFC 5246
    encrypt_then_mac = 22  # RFC 7366
    tack = 0xF300
    supports_npn = 13172
    renegotiation_info = 0xff01


class HashAlgorithm:

    """Hash algorithm IDs used in TLSv1.2"""

    none = 0
    md5 = 1
    sha1 = 2
    sha224 = 3
    sha256 = 4
    sha384 = 5
    sha512 = 6


class SignatureAlgorithm:

    """Signing algorithms used in TLSv1.2"""

    anonymous = 0
    rsa = 1
    dsa = 2
    ecdsa = 3


class GroupName:

    """Name of groups supported for (EC)DH key exchange"""

    # RFC4492
    sect163k1 = 1
    sect163r1 = 2
    sect163r2 = 3
    sect193r1 = 4
    sect193r2 = 5
    sect233k1 = 6
    sect233r1 = 7
    sect239k1 = 8
    sect283k1 = 9
    sect283r1 = 10
    sect409k1 = 11
    sect409r1 = 12
    sect571k1 = 13
    sect571r1 = 14
    secp160k1 = 15
    secp160r1 = 16
    secp160r2 = 17
    secp192k1 = 18
    secp192r1 = 19
    secp224k1 = 20
    secp224r1 = 21
    secp256k1 = 22
    secp256r1 = 23
    secp384r1 = 24
    secp521r1 = 25
    allEC = list(range(1, 26))

    # RFC7027
    brainpoolP256r1 = 26
    brainpoolP384r1 = 27
    brainpoolP512r1 = 28
    # extend, not append: allEC must stay a flat list of group IDs
    allEC.extend(list(range(26, 29)))

    # RFC-ietf-tls-negotiated-ff-dhe-10
    ffdhe2048 = 256
    ffdhe3072 = 257
    ffdhe4096 = 258
    ffdhe6144 = 259
    ffdhe8192 = 260
    allFF = list(range(256, 261))

    all = allEC + allFF


class ECPointFormat:

    """Names and ID's of supported EC point formats"""

    uncompressed = 0
    ansiX962_compressed_prime = 1
    ansiX962_compressed_char2 = 2

    all = [uncompressed,
           ansiX962_compressed_prime,
           ansiX962_compressed_char2]


class NameType:
    host_name = 0


# [definitions collapsed in the original listing]


class AlertDescription:

    """
    @cvar bad_record_mac: A TLS record failed to decrypt properly.

    If this occurs during a SRP handshake it most likely
    indicates a bad password.  It may also indicate an implementation
    error, or some tampering with the data in transit.

    This alert will be signalled by the server if the SRP password is bad.  It
    may also be signalled by the server if the SRP username is unknown to the
    server, but it doesn't wish to reveal that fact.


    @cvar handshake_failure: A problem occurred while handshaking.

    This typically indicates a lack of common ciphersuites between client and
    server, or some other disagreement (about SRP parameters or key sizes,
    for example).

    @cvar protocol_version: The other party's SSL/TLS version was unacceptable.

    This indicates that the client and server couldn't agree on which version
    of SSL or TLS to use.

    @cvar user_canceled: The handshake is being cancelled for some reason.

    """

    close_notify = 0
    unexpected_message = 10
    bad_record_mac = 20
    decryption_failed = 21
    record_overflow = 22
    decompression_failure = 30
    handshake_failure = 40
    no_certificate = 41  # SSLv3
    bad_certificate = 42
    unsupported_certificate = 43
    certificate_revoked = 44
    certificate_expired = 45
    certificate_unknown = 46
    illegal_parameter = 47
    unknown_ca = 48
    access_denied = 49
    decode_error = 50
    decrypt_error = 51
    export_restriction = 60
    protocol_version = 70
    insufficient_security = 71
    internal_error = 80
    inappropriate_fallback = 86
    user_canceled = 90
    no_renegotiation = 100
    unknown_psk_identity = 115


class CipherSuite:

    """
    Numeric values of ciphersuites and ciphersuite types

    @cvar tripleDESSuites: ciphersuites which use 3DES symmetric cipher in CBC
    mode
    @cvar aes128Suites: ciphersuites which use AES symmetric cipher in CBC mode
    with 128 bit key
    @cvar aes256Suites: ciphersuites which use AES symmetric cipher in CBC mode
    with 256 bit key
    @cvar rc4Suites: ciphersuites which use RC4 symmetric cipher with 128 bit
    key
    @cvar shaSuites: ciphersuites which use SHA-1 HMAC integrity mechanism
    and protocol default Pseudo Random Function
    @cvar sha256Suites: ciphersuites which use SHA-256 HMAC integrity mechanism
    and SHA-256 Pseudo Random Function
    @cvar md5Suites: ciphersuites which use MD-5 HMAC integrity mechanism and
    protocol default Pseudo Random Function
    @cvar srpSuites: ciphersuites which use Secure Remote Password (SRP) key
    exchange protocol
    @cvar srpCertSuites: ciphersuites which use Secure Remote Password (SRP)
    key exchange protocol with RSA server authentication
    @cvar srpAllSuites: all SRP ciphersuites, pure SRP and with RSA based
    server authentication
    @cvar certSuites: ciphersuites which use RSA key exchange with RSA server
    authentication
    @cvar certAllSuites: ciphersuites which use RSA server authentication
    @cvar anonSuites: ciphersuites which use anonymous Finite Field
    Diffie-Hellman key exchange
    @cvar ietfNames: dictionary with string names of the ciphersuites
    """

    ietfNames = {}

    # Weird pseudo-ciphersuite from RFC 5746
    # Signals that "secure renegotiation" is supported
    # We actually don't do any renegotiation, but this
    # prevents renegotiation attacks
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF
    ietfNames[0x00FF] = 'TLS_EMPTY_RENEGOTIATION_INFO_SCSV'

    # RFC 7507 - Fallback Signaling Cipher Suite Value for Preventing Protocol
    # Downgrade Attacks
    TLS_FALLBACK_SCSV = 0x5600
    ietfNames[0x5600] = 'TLS_FALLBACK_SCSV'

    # RFC 5054 - Secure Remote Password (SRP) Protocol for TLS Authentication
    TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A
    ietfNames[0xC01A] = 'TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA'
    TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D
    ietfNames[0xC01D] = 'TLS_SRP_SHA_WITH_AES_128_CBC_SHA'
    TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020
    ietfNames[0xC020] = 'TLS_SRP_SHA_WITH_AES_256_CBC_SHA'

    # RFC 5054 - Secure Remote Password (SRP) Protocol for TLS Authentication
    TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B
    ietfNames[0xC01B] = 'TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA'
    TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E
    ietfNames[0xC01E] = 'TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA'
    TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021
    ietfNames[0xC021] = 'TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA'

    # RFC 5246 - TLS v1.2 Protocol
    TLS_RSA_WITH_NULL_MD5 = 0x0001
    ietfNames[0x0001] = 'TLS_RSA_WITH_NULL_MD5'
    TLS_RSA_WITH_NULL_SHA = 0x0002
    ietfNames[0x0002] = 'TLS_RSA_WITH_NULL_SHA'
    TLS_RSA_WITH_NULL_SHA256 = 0x003B
    ietfNames[0x003B] = 'TLS_RSA_WITH_NULL_SHA256'

    # RFC 5246 - TLS v1.2 Protocol
    TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
    ietfNames[0x000A] = 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
    TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
    ietfNames[0x002F] = 'TLS_RSA_WITH_AES_128_CBC_SHA'
    TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035
    ietfNames[0x0035] = 'TLS_RSA_WITH_AES_256_CBC_SHA'
    TLS_RSA_WITH_RC4_128_SHA = 0x0005
    ietfNames[0x0005] = 'TLS_RSA_WITH_RC4_128_SHA'

    # RFC 5246 - TLS v1.2 Protocol
    TLS_RSA_WITH_RC4_128_MD5 = 0x0004
    ietfNames[0x0004] = 'TLS_RSA_WITH_RC4_128_MD5'

    # RFC 5246 - TLS v1.2 Protocol
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016
    ietfNames[0x0016] = 'TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA'
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033
    # keyed by 0x0033; keying by 0x0016 would overwrite the 3DES name above
    ietfNames[0x0033] = 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA'
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039
    ietfNames[0x0039] = 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA'

    # RFC 5246 - TLS v1.2 Protocol
    TLS_DH_ANON_WITH_RC4_128_MD5 = 0x0018
    ietfNames[0x0018] = 'TLS_DH_ANON_WITH_RC4_128_MD5'
    TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001B
    ietfNames[0x001B] = 'TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA'
    TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034
    ietfNames[0x0034] = 'TLS_DH_ANON_WITH_AES_128_CBC_SHA'
    TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A
    ietfNames[0x003A] = 'TLS_DH_ANON_WITH_AES_256_CBC_SHA'
    TLS_DH_ANON_WITH_AES_128_CBC_SHA256 = 0x006C
    ietfNames[0x006C] = 'TLS_DH_ANON_WITH_AES_128_CBC_SHA256'
    TLS_DH_ANON_WITH_AES_256_CBC_SHA256 = 0x006D
    ietfNames[0x006D] = 'TLS_DH_ANON_WITH_AES_256_CBC_SHA256'
    TLS_DH_ANON_WITH_AES_128_GCM_SHA256 = 0x00A6
    ietfNames[0x00A6] = 'TLS_DH_ANON_WITH_AES_128_GCM_SHA256'
    TLS_DH_ANON_WITH_AES_256_GCM_SHA384 = 0x00A7
    ietfNames[0x00A7] = 'TLS_DH_ANON_WITH_AES_256_GCM_SHA384'

    # RFC 5246 - TLS v1.2 Protocol
    TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C
    ietfNames[0x003C] = 'TLS_RSA_WITH_AES_128_CBC_SHA256'
    TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D
    ietfNames[0x003D] = 'TLS_RSA_WITH_AES_256_CBC_SHA256'

    # RFC 5246 - TLS v1.2
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067
    ietfNames[0x0067] = 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256'
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B
    ietfNames[0x006B] = 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256'

    # RFC 5288 - AES-GCM ciphers for TLSv1.2
    TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C
    ietfNames[0x009C] = 'TLS_RSA_WITH_AES_128_GCM_SHA256'
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E
    ietfNames[0x009E] = 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
    TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D
    ietfNames[0x009D] = 'TLS_RSA_WITH_AES_256_GCM_SHA384'
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F
    ietfNames[0x009F] = 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'

    #
    # Define cipher suite families below
    #

    # 3DES CBC ciphers
    tripleDESSuites = []
    tripleDESSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA)
    tripleDESSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA)
    tripleDESSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
    tripleDESSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
    tripleDESSuites.append(TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA)

    # AES-128 CBC ciphers
    aes128Suites = []
    aes128Suites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA)
    aes128Suites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA)
    aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA)
    aes128Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
    aes128Suites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA)
    aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256)
    aes128Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
    aes128Suites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA256)

    # AES-256 CBC ciphers
    aes256Suites = []
    aes256Suites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA)
    aes256Suites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA)
    aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA)
    aes256Suites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA)
    aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
    aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256)
    aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)
    aes256Suites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA256)

    # AES-128 GCM ciphers
    aes128GcmSuites = []
    aes128GcmSuites.append(TLS_RSA_WITH_AES_128_GCM_SHA256)
    aes128GcmSuites.append(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
    aes128GcmSuites.append(TLS_DH_ANON_WITH_AES_128_GCM_SHA256)

    # AES-256-GCM ciphers (implicit SHA384, see sha384PrfSuites)
    aes256GcmSuites = []
    aes256GcmSuites.append(TLS_RSA_WITH_AES_256_GCM_SHA384)
    aes256GcmSuites.append(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)
    aes256GcmSuites.append(TLS_DH_ANON_WITH_AES_256_GCM_SHA384)

    # RC4 128 stream cipher
    rc4Suites = []
    rc4Suites.append(TLS_DH_ANON_WITH_RC4_128_MD5)
    rc4Suites.append(TLS_RSA_WITH_RC4_128_SHA)
    rc4Suites.append(TLS_RSA_WITH_RC4_128_MD5)

    # no encryption
    nullSuites = []
    nullSuites.append(TLS_RSA_WITH_NULL_MD5)
    nullSuites.append(TLS_RSA_WITH_NULL_SHA)
    nullSuites.append(TLS_RSA_WITH_NULL_SHA256)

    # SHA-1 HMAC, protocol default PRF
    shaSuites = []
    shaSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA)
    shaSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA)
    shaSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA)
    shaSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA)
    shaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA)
    shaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA)
    shaSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
    shaSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA)
    shaSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA)
    shaSuites.append(TLS_RSA_WITH_RC4_128_SHA)
    shaSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
    shaSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
    shaSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
    shaSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA)
    shaSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA)
    shaSuites.append(TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA)
    shaSuites.append(TLS_RSA_WITH_NULL_SHA)

    # SHA-256 HMAC, SHA-256 PRF
    sha256Suites = []
    sha256Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256)
    sha256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256)
    sha256Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
    sha256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)
    sha256Suites.append(TLS_RSA_WITH_NULL_SHA256)
    sha256Suites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA256)
    sha256Suites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA256)

    # SHA-384 HMAC, SHA-384 PRF
    sha384Suites = []

    # stream cipher construction
    streamSuites = []
    streamSuites.extend(rc4Suites)
    streamSuites.extend(nullSuites)

    # AEAD integrity, any PRF
    aeadSuites = []
    aeadSuites.extend(aes128GcmSuites)
    aeadSuites.extend(aes256GcmSuites)

    # TLS1.2 with SHA384 PRF
    sha384PrfSuites = []
    sha384PrfSuites.extend(sha384Suites)
    sha384PrfSuites.extend(aes256GcmSuites)

    # MD-5 HMAC, protocol default PRF
    md5Suites = []
    md5Suites.append(TLS_DH_ANON_WITH_RC4_128_MD5)
    md5Suites.append(TLS_RSA_WITH_RC4_128_MD5)
    md5Suites.append(TLS_RSA_WITH_NULL_MD5)

    # SSL3, TLS1.0, TLS1.1 and TLS1.2 compatible ciphers
    ssl3Suites = []
    ssl3Suites.extend(shaSuites)
    ssl3Suites.extend(md5Suites)

    # TLS1.2 specific ciphersuites
    tls12Suites = []
    tls12Suites.extend(sha256Suites)
    tls12Suites.extend(sha384Suites)
    tls12Suites.extend(aeadSuites)

    @staticmethod
    def filterForVersion(suites, minVersion, maxVersion):
        """Return a copy of suites without ciphers incompatible with version"""
        includeSuites = set([])
        if (3, 0) <= minVersion <= (3, 3):
            includeSuites.update(CipherSuite.ssl3Suites)
        if maxVersion == (3, 3):
            includeSuites.update(CipherSuite.tls12Suites)
        return [s for s in suites if s in includeSuites]

    @staticmethod
    def _filterSuites(suites, settings, version=None):
        if version is None:
            version = settings.maxVersion
        macNames = settings.macNames
        cipherNames = settings.cipherNames
        keyExchangeNames = settings.keyExchangeNames
        macSuites = []
        if "sha" in macNames:
            macSuites += CipherSuite.shaSuites
        if "sha256" in macNames and version >= (3, 3):
            macSuites += CipherSuite.sha256Suites
        if "sha384" in macNames and version >= (3, 3):
            macSuites += CipherSuite.sha384Suites
        if "md5" in macNames:
            macSuites += CipherSuite.md5Suites
        if "aead" in macNames and version >= (3, 3):
            macSuites += CipherSuite.aeadSuites

        cipherSuites = []
        if "aes128gcm" in cipherNames and version >= (3, 3):
            cipherSuites += CipherSuite.aes128GcmSuites
        if "aes256gcm" in cipherNames and version >= (3, 3):
            cipherSuites += CipherSuite.aes256GcmSuites
        if "aes128" in cipherNames:
            cipherSuites += CipherSuite.aes128Suites
        if "aes256" in cipherNames:
            cipherSuites += CipherSuite.aes256Suites
        if "3des" in cipherNames:
            cipherSuites += CipherSuite.tripleDESSuites
        if "rc4" in cipherNames:
            cipherSuites += CipherSuite.rc4Suites
        if "null" in cipherNames:
            cipherSuites += CipherSuite.nullSuites

        keyExchangeSuites = []
        if "rsa" in keyExchangeNames:
            keyExchangeSuites += CipherSuite.certSuites
        if "dhe_rsa" in keyExchangeNames:
            keyExchangeSuites += CipherSuite.dheCertSuites
        if "srp_sha" in keyExchangeNames:
            keyExchangeSuites += CipherSuite.srpSuites
        if "srp_sha_rsa" in keyExchangeNames:
            keyExchangeSuites += CipherSuite.srpCertSuites
        if "dh_anon" in keyExchangeNames:
            keyExchangeSuites += CipherSuite.anonSuites

        return [s for s in suites if s in macSuites and
                s in cipherSuites and s in keyExchangeSuites]

    # SRP key exchange
    srpSuites = []
    srpSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA)
    srpSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA)
    srpSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA)

    # @staticmethod: method definition collapsed in the original listing

    # SRP key exchange, RSA authentication
    srpCertSuites = []
    srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA)
    srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA)
    srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA)

    # @staticmethod: method definition collapsed in the original listing

    srpAllSuites = srpSuites + srpCertSuites

    # @staticmethod: method definition collapsed in the original listing

    # RSA key exchange, RSA authentication
    certSuites = []
    certSuites.append(TLS_RSA_WITH_AES_256_GCM_SHA384)
    certSuites.append(TLS_RSA_WITH_AES_128_GCM_SHA256)
    certSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA256)
    certSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA256)
    certSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA)
    certSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA)
    certSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
    certSuites.append(TLS_RSA_WITH_RC4_128_SHA)
    certSuites.append(TLS_RSA_WITH_RC4_128_MD5)
    certSuites.append(TLS_RSA_WITH_NULL_MD5)
    certSuites.append(TLS_RSA_WITH_NULL_SHA)
    certSuites.append(TLS_RSA_WITH_NULL_SHA256)

    # @staticmethod: method definition collapsed in the original listing

    # FFDHE key exchange, RSA authentication
    dheCertSuites = []
    dheCertSuites.append(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)
    dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256)
    dheCertSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256)
    dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
    dheCertSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
    dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
    dheCertSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)

    # @staticmethod: method definition collapsed in the original listing

    # RSA authentication
    certAllSuites = srpCertSuites + certSuites + dheCertSuites

    # anon FFDHE key exchange
    anonSuites = []
    anonSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA)
    anonSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA)
    anonSuites.append(TLS_DH_ANON_WITH_RC4_128_MD5)
    anonSuites.append(TLS_DH_ANON_WITH_3DES_EDE_CBC_SHA)
    anonSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA256)
    anonSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA256)
    anonSuites.append(TLS_DH_ANON_WITH_AES_128_GCM_SHA256)
    anonSuites.append(TLS_DH_ANON_WITH_AES_256_GCM_SHA384)

    # @staticmethod: method definition collapsed in the original listing

    dhAllSuites = dheCertSuites + anonSuites

    @staticmethod
    def canonicalCipherName(ciphersuite):
        """Return the canonical name of the cipher whose number is provided."""
        if ciphersuite in CipherSuite.aes128GcmSuites:
            return "aes128gcm"
        elif ciphersuite in CipherSuite.aes256GcmSuites:
            return "aes256gcm"
        elif ciphersuite in CipherSuite.aes128Suites:
            return "aes128"
        elif ciphersuite in CipherSuite.aes256Suites:
            return "aes256"
        elif ciphersuite in CipherSuite.rc4Suites:
            return "rc4"
        elif ciphersuite in CipherSuite.tripleDESSuites:
            return "3des"
        elif ciphersuite in CipherSuite.nullSuites:
            return "null"
        else:
            return None

    @staticmethod
    def canonicalMacName(ciphersuite):
        """Return the canonical name of the MAC whose number is provided."""
        if ciphersuite in CipherSuite.sha384Suites:
            return "sha384"
        elif ciphersuite in CipherSuite.sha256Suites:
            return "sha256"
        elif ciphersuite in CipherSuite.shaSuites:
            return "sha"
        elif ciphersuite in CipherSuite.md5Suites:
            return "md5"
        else:
            return None


# The following faults are induced as part of testing.  The faultAlerts
# dictionary describes the allowed alerts that may be triggered by these
# faults.
class Fault:
    badUsername = 101
    badPassword = 102
    badA = 103
    clientSrpFaults = list(range(101, 104))

    badVerifyMessage = 601
    clientCertFaults = list(range(601, 602))

    badPremasterPadding = 501
    shortPremasterSecret = 502
    clientNoAuthFaults = list(range(501, 503))

    badB = 201
    serverFaults = list(range(201, 202))

    badFinished = 300
    badMAC = 301
    badPadding = 302
    genericFaults = list(range(300, 303))

    faultAlerts = {
        badUsername: (AlertDescription.unknown_psk_identity,
                      AlertDescription.bad_record_mac),
        badPassword: (AlertDescription.bad_record_mac,),
        badA: (AlertDescription.illegal_parameter,),
        badPremasterPadding: (AlertDescription.bad_record_mac,),
        shortPremasterSecret: (AlertDescription.bad_record_mac,),
        badVerifyMessage: (AlertDescription.decrypt_error,),
        badFinished: (AlertDescription.decrypt_error,),
        badMAC: (AlertDescription.bad_record_mac,),
        badPadding: (AlertDescription.bad_record_mac,)
    }

    faultNames = {
        badUsername: "bad username",
        badPassword: "bad password",
        badA: "bad A",
        badPremasterPadding: "bad premaster padding",
        shortPremasterSecret: "short premaster secret",
        badVerifyMessage: "bad verify message",
        badFinished: "bad finished message",
        badMAC: "bad MAC",
        badPadding: "bad padding"
    }
```
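An added example, not part of this module or of tlslite-ng: auditing the `cipher_suites` vector of a ClientHello against the weak families defined in the listing above (null encryption, anonymous DH, RC4, 3DES, MD5 MAC), while treating the two SCSVs as signalling values rather than ciphers. The numeric IDs are copied from the listing; the function names, family labels and sample bytes are constructed for illustration.

```python
import struct

# Values copied from the listing above; names below are illustrative.
SCSV = {0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
        0x5600: "TLS_FALLBACK_SCSV"}
NULL_SUITES = {0x0001, 0x0002, 0x003B}
ANON_SUITES = {0x0018, 0x001B, 0x0034, 0x003A,
               0x006C, 0x006D, 0x00A6, 0x00A7}
RC4_SUITES = {0x0018, 0x0005, 0x0004}
TRIPLE_DES_SUITES = {0xC01A, 0xC01B, 0x000A, 0x0016, 0x001B}
MD5_SUITES = {0x0018, 0x0004, 0x0001}

# Checked in this order, so tags come out in a stable order.
FAMILIES = [
    ("null-encryption", NULL_SUITES),
    ("anonymous-dh", ANON_SUITES),
    ("rc4", RC4_SUITES),
    ("3des", TRIPLE_DES_SUITES),
    ("md5-mac", MD5_SUITES),
]


def parse_cipher_suites(vector):
    """Decode a TLS cipher_suites vector: 2-byte length, then 2-byte IDs."""
    if len(vector) < 2:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack(">H", vector[:2])
    body = vector[2:]
    if length != len(body) or length % 2:
        raise ValueError("bad cipher_suites length")
    return list(struct.unpack(">%dH" % (length // 2), body))


def audit_offer(vector):
    """Return (signalling values seen, {suite id: [weak-family tags]})."""
    suites = parse_cipher_suites(vector)
    signals = [SCSV[s] for s in suites if s in SCSV]
    findings = {}
    for s in suites:
        tags = [name for name, members in FAMILIES if s in members]
        if tags:
            findings[s] = tags
    return signals, findings


# Constructed sample offer: DHE-RSA-AES128-GCM, RSA-AES128-CBC-SHA,
# DH_anon-RC4-MD5, RSA-NULL-MD5 and the renegotiation SCSV.
SAMPLE = struct.pack(">H5H", 10, 0x009E, 0x002F, 0x0018, 0x0001, 0x00FF)

if __name__ == "__main__":
    signals, findings = audit_offer(SAMPLE)
    print("signalling values:", signals)
    for suite, tags in findings.items():
        print("0x%04X: %s" % (suite, ", ".join(tags)))
```

A suite can land in several families at once, which is why the result maps each ID to a list of tags.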
Generated by Epydoc 3.0.1 on Thu Nov 5 14:25:11 2015 | http://epydoc.sourceforge.net |