Package tlslite :: Module handshakesettings
[hide private]
[frames] | no frames]

Source Code for Module tlslite.handshakesettings

  1  # Authors:  
  2  #   Trevor Perrin 
  3  #   Dave Baggett (Arcode Corporation) - cleanup handling of constants 
  4  # 
  5  # See the LICENSE file for legal information regarding use of this file. 
  6   
  7  """Class for setting handshake parameters.""" 
  8   
  9  from .constants import CertificateType 
 10  from .utils import cryptomath 
 11  from .utils import cipherfactory 
 12   
 13  # RC4 is preferred as faster in Python, works in SSL3, and immune to CBC 
 14  # issues such as timing attacks 
 15  CIPHER_NAMES = ["rc4", "aes256", "aes128", "3des"] 
 16  MAC_NAMES = ["sha", "sha256"] # "md5" is allowed 
 17  CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"] 
 18  CERTIFICATE_TYPES = ["x509"] 
 19   
20 -class HandshakeSettings(object):
21 """This class encapsulates various parameters that can be used with 22 a TLS handshake. 23 @sort: minKeySize, maxKeySize, cipherNames, macNames, certificateTypes, 24 minVersion, maxVersion 25 26 @type minKeySize: int 27 @ivar minKeySize: The minimum bit length for asymmetric keys. 28 29 If the other party tries to use SRP, RSA, or Diffie-Hellman 30 parameters smaller than this length, an alert will be 31 signalled. The default is 1023. 32 33 @type maxKeySize: int 34 @ivar maxKeySize: The maximum bit length for asymmetric keys. 35 36 If the other party tries to use SRP, RSA, or Diffie-Hellman 37 parameters larger than this length, an alert will be signalled. 38 The default is 8193. 39 40 @type cipherNames: list 41 @ivar cipherNames: The allowed ciphers, in order of preference. 42 43 The allowed values in this list are 'aes256', 'aes128', '3des', and 44 'rc4'. If these settings are used with a client handshake, they 45 determine the order of the ciphersuites offered in the ClientHello 46 message. 47 48 If these settings are used with a server handshake, the server will 49 choose whichever ciphersuite matches the earliest entry in this 50 list. 51 52 NOTE: If '3des' is used in this list, but TLS Lite can't find an 53 add-on library that supports 3DES, then '3des' will be silently 54 removed. 55 56 The default value is ['rc4', 'aes256', 'aes128', '3des']. 57 58 @type macNames: list 59 @ivar macNames: The allowed MAC algorithms. 60 61 The allowed values in this list are 'sha' and 'md5'. 62 63 The default value is ['sha']. 64 65 66 @type certificateTypes: list 67 @ivar certificateTypes: The allowed certificate types, in order of 68 preference. 69 70 The only allowed certificate type is 'x509'. This list is only used with a 71 client handshake. The client will advertise to the server which certificate 72 types are supported, and will check that the server uses one of the 73 appropriate types. 74 75 76 @type minVersion: tuple 77 @ivar minVersion: The minimum allowed SSL/TLS version. 78 79 This variable can be set to (3,0) for SSL 3.0, (3,1) for TLS 1.0, (3,2) for 80 TLS 1.1, or (3,3) for TLS 1.2. If the other party wishes to use a lower 81 version, a protocol_version alert will be signalled. The default is (3,1). 82 83 @type maxVersion: tuple 84 @ivar maxVersion: The maximum allowed SSL/TLS version. 85 86 This variable can be set to (3,0) for SSL 3.0, (3,1) for TLS 1.0, (3,2) for 87 TLS 1.1, or (3,3) for TLS 1.2. If the other party wishes to use a higher 88 version, a protocol_version alert will be signalled. The default is (3,3). 89 (WARNING: Some servers may (improperly) reject clients which offer support 90 for TLS 1.1. In this case, try lowering maxVersion to (3,1)). 91 92 @type useExperimentalTackExtension: bool 93 @ivar useExperimentalTackExtension: Whether to enabled TACK support. 94 95 Note that TACK support is not standardized by IETF and uses a temporary 96 TLS Extension number, so should NOT be used in production software. 97 """
98 - def __init__(self):
99 self.minKeySize = 1023 100 self.maxKeySize = 8193 101 self.cipherNames = CIPHER_NAMES 102 self.macNames = MAC_NAMES 103 self.cipherImplementations = CIPHER_IMPLEMENTATIONS 104 self.certificateTypes = CERTIFICATE_TYPES 105 self.minVersion = (3,1) 106 self.maxVersion = (3,3) 107 self.useExperimentalTackExtension = False
108 109 # Validates the min/max fields, and certificateTypes 110 # Filters out unsupported cipherNames and cipherImplementations
111 - def _filter(self):
112 other = HandshakeSettings() 113 other.minKeySize = self.minKeySize 114 other.maxKeySize = self.maxKeySize 115 other.cipherNames = self.cipherNames 116 other.macNames = self.macNames 117 other.cipherImplementations = self.cipherImplementations 118 other.certificateTypes = self.certificateTypes 119 other.minVersion = self.minVersion 120 other.maxVersion = self.maxVersion 121 122 if not cipherfactory.tripleDESPresent: 123 other.cipherNames = [e for e in self.cipherNames if e != "3des"] 124 if len(other.cipherNames)==0: 125 raise ValueError("No supported ciphers") 126 if len(other.certificateTypes)==0: 127 raise ValueError("No supported certificate types") 128 129 if not cryptomath.m2cryptoLoaded: 130 other.cipherImplementations = \ 131 [e for e in other.cipherImplementations if e != "openssl"] 132 if not cryptomath.pycryptoLoaded: 133 other.cipherImplementations = \ 134 [e for e in other.cipherImplementations if e != "pycrypto"] 135 if len(other.cipherImplementations)==0: 136 raise ValueError("No supported cipher implementations") 137 138 if other.minKeySize<512: 139 raise ValueError("minKeySize too small") 140 if other.minKeySize>16384: 141 raise ValueError("minKeySize too large") 142 if other.maxKeySize<512: 143 raise ValueError("maxKeySize too small") 144 if other.maxKeySize>16384: 145 raise ValueError("maxKeySize too large") 146 for s in other.cipherNames: 147 if s not in CIPHER_NAMES: 148 raise ValueError("Unknown cipher name: '%s'" % s) 149 for s in other.cipherImplementations: 150 if s not in CIPHER_IMPLEMENTATIONS: 151 raise ValueError("Unknown cipher implementation: '%s'" % s) 152 for s in other.certificateTypes: 153 if s not in CERTIFICATE_TYPES: 154 raise ValueError("Unknown certificate type: '%s'" % s) 155 156 if other.minVersion > other.maxVersion: 157 raise ValueError("Versions set incorrectly") 158 159 if not other.minVersion in ((3,0), (3,1), (3,2), (3,3)): 160 raise ValueError("minVersion set incorrectly") 161 162 if not other.maxVersion in ((3,0), (3,1), (3,2), (3,3)): 163 raise ValueError("maxVersion set incorrectly") 164 165 if other.maxVersion < (3,3): 166 # No sha256 pre TLS 1.2 167 other.macNames = [e for e in self.macNames if e != "sha256"] 168 169 return other
170
171 - def _getCertificateTypes(self):
172 l = [] 173 for ct in self.certificateTypes: 174 if ct == "x509": 175 l.append(CertificateType.x509) 176 else: 177 raise AssertionError() 178 return l
179