Package tlslite :: Module constants
[hide private]
[frames] | no frames]

Source Code for Module tlslite.constants

  1  # Authors:  
  2  #   Trevor Perrin 
  3  #   Google - defining ClientCertificateType 
  4  #   Google (adapted by Sam Rushing) - NPN support 
  5  #   Dimitris Moraitis - Anon ciphersuites 
  6  # 
  7  # See the LICENSE file for legal information regarding use of this file. 
  8   
  9  """Constants used in various places.""" 
10 11 -class CertificateType:
12 x509 = 0 13 openpgp = 1
14
15 -class ClientCertificateType:
16 rsa_sign = 1 17 dss_sign = 2 18 rsa_fixed_dh = 3 19 dss_fixed_dh = 4
20
21 -class HandshakeType:
22 hello_request = 0 23 client_hello = 1 24 server_hello = 2 25 certificate = 11 26 server_key_exchange = 12 27 certificate_request = 13 28 server_hello_done = 14 29 certificate_verify = 15 30 client_key_exchange = 16 31 finished = 20 32 next_protocol = 67
33
34 -class ContentType:
35 change_cipher_spec = 20 36 alert = 21 37 handshake = 22 38 application_data = 23 39 all = (20,21,22,23)
40
41 -class ExtensionType: # RFC 6066 / 4366
42 server_name = 0 # RFC 6066 / 4366 43 srp = 12 # RFC 5054 44 cert_type = 9 # RFC 6091 45 tack = 0xF300 46 break_sigs = 0xF301 47 supports_npn = 13172 48
49 -class NameType:
50 host_name = 0
51
52 -class AlertLevel:
53 warning = 1 54 fatal = 2
55
56 -class AlertDescription:
57 """ 58 @cvar bad_record_mac: A TLS record failed to decrypt properly. 59 60 If this occurs during a SRP handshake it most likely 61 indicates a bad password. It may also indicate an implementation 62 error, or some tampering with the data in transit. 63 64 This alert will be signalled by the server if the SRP password is bad. It 65 may also be signalled by the server if the SRP username is unknown to the 66 server, but it doesn't wish to reveal that fact. 67 68 69 @cvar handshake_failure: A problem occurred while handshaking. 70 71 This typically indicates a lack of common ciphersuites between client and 72 server, or some other disagreement (about SRP parameters or key sizes, 73 for example). 74 75 @cvar protocol_version: The other party's SSL/TLS version was unacceptable. 76 77 This indicates that the client and server couldn't agree on which version 78 of SSL or TLS to use. 79 80 @cvar user_canceled: The handshake is being cancelled for some reason. 81 82 """ 83 84 close_notify = 0 85 unexpected_message = 10 86 bad_record_mac = 20 87 decryption_failed = 21 88 record_overflow = 22 89 decompression_failure = 30 90 handshake_failure = 40 91 no_certificate = 41 #SSLv3 92 bad_certificate = 42 93 unsupported_certificate = 43 94 certificate_revoked = 44 95 certificate_expired = 45 96 certificate_unknown = 46 97 illegal_parameter = 47 98 unknown_ca = 48 99 access_denied = 49 100 decode_error = 50 101 decrypt_error = 51 102 export_restriction = 60 103 protocol_version = 70 104 insufficient_security = 71 105 internal_error = 80 106 user_canceled = 90 107 no_renegotiation = 100 108 unknown_psk_identity = 115
109
110 111 -class CipherSuite:
112 # Weird pseudo-ciphersuite from RFC 5746 113 # Signals that "secure renegotiation" is supported 114 # We actually don't do any renegotiation, but this 115 # prevents renegotiation attacks 116 TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF 117 118 TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A 119 TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D 120 TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020 121 122 TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B 123 TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E 124 TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021 125 126 127 TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A 128 TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F 129 TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035 130 TLS_RSA_WITH_RC4_128_SHA = 0x0005 131 132 TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034 133 TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A 134 135 srpSuites = [] 136 srpSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) 137 srpSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) 138 srpSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) 139 140 @staticmethod
141 - def getSrpSuites(ciphers):
142 suites = [] 143 for cipher in ciphers: 144 if cipher == "aes128": 145 suites.append(CipherSuite.TLS_SRP_SHA_WITH_AES_128_CBC_SHA) 146 elif cipher == "aes256": 147 suites.append(CipherSuite.TLS_SRP_SHA_WITH_AES_256_CBC_SHA) 148 elif cipher == "3des": 149 suites.append(CipherSuite.TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) 150 return suites
151 152 srpCertSuites = [] 153 srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) 154 srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) 155 srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) 156 srpAllSuites = srpSuites + srpCertSuites 157 158 @staticmethod
159 - def getSrpCertSuites(ciphers):
160 suites = [] 161 for cipher in ciphers: 162 if cipher == "aes128": 163 suites.append(CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) 164 elif cipher == "aes256": 165 suites.append(CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) 166 elif cipher == "3des": 167 suites.append(CipherSuite.TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) 168 return suites
169 170 @staticmethod
171 - def getSrpAllSuites(ciphers):
172 return CipherSuite.getSrpSuites(ciphers) + \ 173 CipherSuite.getSrpCertSuites(ciphers)
174 175 certSuites = [] 176 certSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) 177 certSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA) 178 certSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA) 179 certSuites.append(TLS_RSA_WITH_RC4_128_SHA) 180 certAllSuites = srpCertSuites + certSuites 181 182 @staticmethod
183 - def getCertSuites(ciphers):
184 suites = [] 185 for cipher in ciphers: 186 if cipher == "aes128": 187 suites.append(CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA) 188 elif cipher == "aes256": 189 suites.append(CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA) 190 elif cipher == "rc4": 191 suites.append(CipherSuite.TLS_RSA_WITH_RC4_128_SHA) 192 elif cipher == "3des": 193 suites.append(CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA) 194 return suites
195 196 anonSuites = [] 197 anonSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) 198 anonSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) 199 200 @staticmethod
201 - def getAnonSuites(ciphers):
202 suites = [] 203 for cipher in ciphers: 204 if cipher == "aes128": 205 suites.append(CipherSuite.TLS_DH_ANON_WITH_AES_128_CBC_SHA) 206 elif cipher == "aes256": 207 suites.append(CipherSuite.TLS_DH_ANON_WITH_AES_256_CBC_SHA) 208 return suites
209 210 tripleDESSuites = [] 211 tripleDESSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) 212 tripleDESSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) 213 tripleDESSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) 214 215 aes128Suites = [] 216 aes128Suites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) 217 aes128Suites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) 218 aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA) 219 aes128Suites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) 220 221 aes256Suites = [] 222 aes256Suites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) 223 aes256Suites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) 224 aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA) 225 aes256Suites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) 226 227 rc4Suites = [] 228 rc4Suites.append(TLS_RSA_WITH_RC4_128_SHA)
229
230 231 # The following faults are induced as part of testing. The faultAlerts 232 # dictionary describes the allowed alerts that may be triggered by these 233 # faults. 234 -class Fault:
235 badUsername = 101 236 badPassword = 102 237 badA = 103 238 clientSrpFaults = range(101,104) 239 240 badVerifyMessage = 601 241 clientCertFaults = range(601,602) 242 243 badPremasterPadding = 501 244 shortPremasterSecret = 502 245 clientNoAuthFaults = range(501,503) 246 247 badB = 201 248 serverFaults = range(201,202) 249 250 badFinished = 300 251 badMAC = 301 252 badPadding = 302 253 genericFaults = range(300,303) 254 255 faultAlerts = {\ 256 badUsername: (AlertDescription.unknown_psk_identity, \ 257 AlertDescription.bad_record_mac),\ 258 badPassword: (AlertDescription.bad_record_mac,),\ 259 badA: (AlertDescription.illegal_parameter,),\ 260 badPremasterPadding: (AlertDescription.bad_record_mac,),\ 261 shortPremasterSecret: (AlertDescription.bad_record_mac,),\ 262 badVerifyMessage: (AlertDescription.decrypt_error,),\ 263 badFinished: (AlertDescription.decrypt_error,),\ 264 badMAC: (AlertDescription.bad_record_mac,),\ 265 badPadding: (AlertDescription.bad_record_mac,) 266 } 267 268 faultNames = {\ 269 badUsername: "bad username",\ 270 badPassword: "bad password",\ 271 badA: "bad A",\ 272 badPremasterPadding: "bad premaster padding",\ 273 shortPremasterSecret: "short premaster secret",\ 274 badVerifyMessage: "bad verify message",\ 275 badFinished: "bad finished message",\ 276 badMAC: "bad MAC",\ 277 badPadding: "bad padding" 278 }
279