Home | Trees | Indices | Help |
---|
|
1 # Authors: 2 # Trevor Perrin 3 # Google - defining ClientCertificateType 4 # Google (adapted by Sam Rushing) - NPN support 5 # Dimitris Moraitis - Anon ciphersuites 6 # Dave Baggett (Arcode Corporation) - canonicalCipherName 7 # 8 # See the LICENSE file for legal information regarding use of this file. 9 10 """Constants used in various places.""" 15 2123 hello_request = 0 24 client_hello = 1 25 server_hello = 2 26 certificate = 11 27 server_key_exchange = 12 28 certificate_request = 13 29 server_hello_done = 14 30 certificate_verify = 15 31 client_key_exchange = 16 32 finished = 20 33 next_protocol = 673436 change_cipher_spec = 20 37 alert = 21 38 handshake = 22 39 application_data = 23 40 all = (20,21,22,23)41 43 server_name = 0 # RFC 6066 / 4366 44 srp = 12 # RFC 5054 45 cert_type = 9 # RFC 6091 46 tack = 0xF300 47 supports_npn = 13172 4850 host_name = 051 5557 """ 58 @cvar bad_record_mac: A TLS record failed to decrypt properly. 59 60 If this occurs during a SRP handshake it most likely 61 indicates a bad password. It may also indicate an implementation 62 error, or some tampering with the data in transit. 63 64 This alert will be signalled by the server if the SRP password is bad. It 65 may also be signalled by the server if the SRP username is unknown to the 66 server, but it doesn't wish to reveal that fact. 67 68 69 @cvar handshake_failure: A problem occurred while handshaking. 70 71 This typically indicates a lack of common ciphersuites between client and 72 server, or some other disagreement (about SRP parameters or key sizes, 73 for example). 74 75 @cvar protocol_version: The other party's SSL/TLS version was unacceptable. 76 77 This indicates that the client and server couldn't agree on which version 78 of SSL or TLS to use. 79 80 @cvar user_canceled: The handshake is being cancelled for some reason. 81 82 """ 83 84 close_notify = 0 85 unexpected_message = 10 86 bad_record_mac = 20 87 decryption_failed = 21 88 record_overflow = 22 89 decompression_failure = 30 90 handshake_failure = 40 91 no_certificate = 41 #SSLv3 92 bad_certificate = 42 93 unsupported_certificate = 43 94 certificate_revoked = 44 95 certificate_expired = 45 96 certificate_unknown = 46 97 illegal_parameter = 47 98 unknown_ca = 48 99 access_denied = 49 100 decode_error = 50 101 decrypt_error = 51 102 export_restriction = 60 103 protocol_version = 70 104 insufficient_security = 71 105 internal_error = 80 106 user_canceled = 90 107 no_renegotiation = 100 108 unknown_psk_identity = 115109112 # Weird pseudo-ciphersuite from RFC 5746 113 # Signals that "secure renegotiation" is supported 114 # We actually don't do any renegotiation, but this 115 # prevents renegotiation attacks 116 TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF 117 118 TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A 119 TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D 120 TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020 121 122 TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B 123 TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E 124 TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021 125 126 127 TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A 128 TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F 129 TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035 130 TLS_RSA_WITH_RC4_128_SHA = 0x0005 131 132 TLS_RSA_WITH_RC4_128_MD5 = 0x0004 133 134 TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034 135 TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A 136 137 TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C 138 TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D 139 140 tripleDESSuites = [] 141 tripleDESSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) 142 tripleDESSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) 143 tripleDESSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) 144 145 aes128Suites = [] 146 aes128Suites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) 147 aes128Suites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) 148 aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA) 149 aes128Suites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) 150 aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256) 151 152 aes256Suites = [] 153 aes256Suites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) 154 aes256Suites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) 155 aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA) 156 aes256Suites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) 157 aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256) 158 159 rc4Suites = [] 160 rc4Suites.append(TLS_RSA_WITH_RC4_128_SHA) 161 rc4Suites.append(TLS_RSA_WITH_RC4_128_MD5) 162 163 shaSuites = [] 164 shaSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) 165 shaSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) 166 shaSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) 167 shaSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) 168 shaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) 169 shaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) 170 shaSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) 171 shaSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA) 172 shaSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA) 173 shaSuites.append(TLS_RSA_WITH_RC4_128_SHA) 174 shaSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) 175 shaSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) 176 177 sha256Suites = [] 178 sha256Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256) 179 sha256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256) 180 181 md5Suites = [] 182 md5Suites.append(TLS_RSA_WITH_RC4_128_MD5) 183 184 @staticmethod277186 macNames = settings.macNames 187 cipherNames = settings.cipherNames 188 macSuites = [] 189 if "sha" in macNames: 190 macSuites += CipherSuite.shaSuites 191 if "sha256" in macNames: 192 macSuites += CipherSuite.sha256Suites 193 if "md5" in macNames: 194 macSuites += CipherSuite.md5Suites 195 196 cipherSuites = [] 197 if "aes128" in cipherNames: 198 cipherSuites += CipherSuite.aes128Suites 199 if "aes256" in cipherNames: 200 cipherSuites += CipherSuite.aes256Suites 201 if "3des" in cipherNames: 202 cipherSuites += CipherSuite.tripleDESSuites 203 if "rc4" in cipherNames: 204 cipherSuites += CipherSuite.rc4Suites 205 206 return [s for s in suites if s in macSuites and s in cipherSuites]207 208 srpSuites = [] 209 srpSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) 210 srpSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) 211 srpSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) 212 213 @staticmethod 216 217 srpCertSuites = [] 218 srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) 219 srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) 220 srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) 221 222 @staticmethod 225 226 srpAllSuites = srpSuites + srpCertSuites 227 228 @staticmethod 231 232 certSuites = [] 233 certSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA256) 234 certSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA256) 235 certSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA) 236 certSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA) 237 certSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) 238 certSuites.append(TLS_RSA_WITH_RC4_128_SHA) 239 certSuites.append(TLS_RSA_WITH_RC4_128_MD5) 240 certAllSuites = srpCertSuites + certSuites 241 242 @staticmethod 245 246 anonSuites = [] 247 anonSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) 248 anonSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) 249 250 @staticmethod 253 254 @staticmethod256 "Return the canonical name of the cipher whose number is provided." 257 if ciphersuite in CipherSuite.aes128Suites: 258 return "aes128" 259 elif ciphersuite in CipherSuite.aes256Suites: 260 return "aes256" 261 elif ciphersuite in CipherSuite.rc4Suites: 262 return "rc4" 263 elif ciphersuite in CipherSuite.tripleDESSuites: 264 return "3des" 265 else: 266 return None267 268 @staticmethod270 "Return the canonical name of the MAC whose number is provided." 271 if ciphersuite in CipherSuite.shaSuites: 272 return "sha" 273 elif ciphersuite in CipherSuite.md5Suites: 274 return "md5" 275 else: 276 return None278 279 # The following faults are induced as part of testing. The faultAlerts 280 # dictionary describes the allowed alerts that may be triggered by these 281 # faults. 282 -class Fault:283 badUsername = 101 284 badPassword = 102 285 badA = 103 286 clientSrpFaults = list(range(101,104)) 287 288 badVerifyMessage = 601 289 clientCertFaults = list(range(601,602)) 290 291 badPremasterPadding = 501 292 shortPremasterSecret = 502 293 clientNoAuthFaults = list(range(501,503)) 294 295 badB = 201 296 serverFaults = list(range(201,202)) 297 298 badFinished = 300 299 badMAC = 301 300 badPadding = 302 301 genericFaults = list(range(300,303)) 302 303 faultAlerts = {\ 304 badUsername: (AlertDescription.unknown_psk_identity, \ 305 AlertDescription.bad_record_mac),\ 306 badPassword: (AlertDescription.bad_record_mac,),\ 307 badA: (AlertDescription.illegal_parameter,),\ 308 badPremasterPadding: (AlertDescription.bad_record_mac,),\ 309 shortPremasterSecret: (AlertDescription.bad_record_mac,),\ 310 badVerifyMessage: (AlertDescription.decrypt_error,),\ 311 badFinished: (AlertDescription.decrypt_error,),\ 312 badMAC: (AlertDescription.bad_record_mac,),\ 313 badPadding: (AlertDescription.bad_record_mac,) 314 } 315 316 faultNames = {\ 317 badUsername: "bad username",\ 318 badPassword: "bad password",\ 319 badA: "bad A",\ 320 badPremasterPadding: "bad premaster padding",\ 321 shortPremasterSecret: "short premaster secret",\ 322 badVerifyMessage: "bad verify message",\ 323 badFinished: "bad finished message",\ 324 badMAC: "bad MAC",\ 325 badPadding: "bad padding" 326 }327
Home | Trees | Indices | Help |
---|
Generated by Epydoc 3.0.1 on Wed Nov 12 16:23:50 2014 | http://epydoc.sourceforge.net |