Package tlslite :: Module constants
[hide private]
[frames] | no frames]

Source Code for Module tlslite.constants

  1  # Authors:  
  2  #   Trevor Perrin 
  3  #   Google - defining ClientCertificateType 
  4  #   Google (adapted by Sam Rushing) - NPN support 
  5  #   Dimitris Moraitis - Anon ciphersuites 
  6  #   Dave Baggett (Arcode Corporation) - canonicalCipherName 
  7  #   Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2 
  8  # 
  9  # See the LICENSE file for legal information regarding use of this file. 
 10   
 11  """Constants used in various places.""" 
12 13 -class CertificateType:
14 x509 = 0 15 openpgp = 1
16
17 -class ClientCertificateType:
18 rsa_sign = 1 19 dss_sign = 2 20 rsa_fixed_dh = 3 21 dss_fixed_dh = 4
22
23 -class HandshakeType:
24 hello_request = 0 25 client_hello = 1 26 server_hello = 2 27 certificate = 11 28 server_key_exchange = 12 29 certificate_request = 13 30 server_hello_done = 14 31 certificate_verify = 15 32 client_key_exchange = 16 33 finished = 20 34 next_protocol = 67
35
36 -class ContentType:
37 change_cipher_spec = 20 38 alert = 21 39 handshake = 22 40 application_data = 23 41 all = (20,21,22,23)
42
43 -class ExtensionType: # RFC 6066 / 4366
44 server_name = 0 # RFC 6066 / 4366 45 srp = 12 # RFC 5054 46 cert_type = 9 # RFC 6091 47 tack = 0xF300 48 supports_npn = 13172 49
50 -class NameType:
51 host_name = 0
52
53 -class AlertLevel:
54 warning = 1 55 fatal = 2
56
57 -class AlertDescription:
58 """ 59 @cvar bad_record_mac: A TLS record failed to decrypt properly. 60 61 If this occurs during a SRP handshake it most likely 62 indicates a bad password. It may also indicate an implementation 63 error, or some tampering with the data in transit. 64 65 This alert will be signalled by the server if the SRP password is bad. It 66 may also be signalled by the server if the SRP username is unknown to the 67 server, but it doesn't wish to reveal that fact. 68 69 70 @cvar handshake_failure: A problem occurred while handshaking. 71 72 This typically indicates a lack of common ciphersuites between client and 73 server, or some other disagreement (about SRP parameters or key sizes, 74 for example). 75 76 @cvar protocol_version: The other party's SSL/TLS version was unacceptable. 77 78 This indicates that the client and server couldn't agree on which version 79 of SSL or TLS to use. 80 81 @cvar user_canceled: The handshake is being cancelled for some reason. 82 83 """ 84 85 close_notify = 0 86 unexpected_message = 10 87 bad_record_mac = 20 88 decryption_failed = 21 89 record_overflow = 22 90 decompression_failure = 30 91 handshake_failure = 40 92 no_certificate = 41 #SSLv3 93 bad_certificate = 42 94 unsupported_certificate = 43 95 certificate_revoked = 44 96 certificate_expired = 45 97 certificate_unknown = 46 98 illegal_parameter = 47 99 unknown_ca = 48 100 access_denied = 49 101 decode_error = 50 102 decrypt_error = 51 103 export_restriction = 60 104 protocol_version = 70 105 insufficient_security = 71 106 internal_error = 80 107 user_canceled = 90 108 no_renegotiation = 100 109 unknown_psk_identity = 115
110
111 112 -class CipherSuite:
113 # Weird pseudo-ciphersuite from RFC 5746 114 # Signals that "secure renegotiation" is supported 115 # We actually don't do any renegotiation, but this 116 # prevents renegotiation attacks 117 TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF 118 119 TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A 120 TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D 121 TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020 122 123 TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B 124 TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E 125 TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021 126 127 128 TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A 129 TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F 130 TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035 131 TLS_RSA_WITH_RC4_128_SHA = 0x0005 132 133 TLS_RSA_WITH_RC4_128_MD5 = 0x0004 134 135 TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034 136 TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A 137 138 TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C 139 TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D 140 141 tripleDESSuites = [] 142 tripleDESSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) 143 tripleDESSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) 144 tripleDESSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) 145 146 aes128Suites = [] 147 aes128Suites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) 148 aes128Suites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) 149 aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA) 150 aes128Suites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) 151 aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256) 152 153 aes256Suites = [] 154 aes256Suites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) 155 aes256Suites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) 156 aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA) 157 aes256Suites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) 158 aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256) 159 160 rc4Suites = [] 161 rc4Suites.append(TLS_RSA_WITH_RC4_128_SHA) 162 rc4Suites.append(TLS_RSA_WITH_RC4_128_MD5) 163 164 shaSuites = [] 165 shaSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) 166 shaSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) 167 shaSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) 168 shaSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) 169 shaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) 170 shaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) 171 shaSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) 172 shaSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA) 173 shaSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA) 174 shaSuites.append(TLS_RSA_WITH_RC4_128_SHA) 175 shaSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) 176 shaSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) 177 178 sha256Suites = [] 179 sha256Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA256) 180 sha256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA256) 181 182 md5Suites = [] 183 md5Suites.append(TLS_RSA_WITH_RC4_128_MD5) 184 185 @staticmethod
186 - def _filterSuites(suites, settings):
187 macNames = settings.macNames 188 cipherNames = settings.cipherNames 189 macSuites = [] 190 if "sha" in macNames: 191 macSuites += CipherSuite.shaSuites 192 if "sha256" in macNames: 193 macSuites += CipherSuite.sha256Suites 194 if "md5" in macNames: 195 macSuites += CipherSuite.md5Suites 196 197 cipherSuites = [] 198 if "aes128" in cipherNames: 199 cipherSuites += CipherSuite.aes128Suites 200 if "aes256" in cipherNames: 201 cipherSuites += CipherSuite.aes256Suites 202 if "3des" in cipherNames: 203 cipherSuites += CipherSuite.tripleDESSuites 204 if "rc4" in cipherNames: 205 cipherSuites += CipherSuite.rc4Suites 206 207 return [s for s in suites if s in macSuites and s in cipherSuites]
208 209 srpSuites = [] 210 srpSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) 211 srpSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) 212 srpSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) 213 214 @staticmethod
215 - def getSrpSuites(settings):
217 218 srpCertSuites = [] 219 srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) 220 srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) 221 srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) 222 223 @staticmethod
224 - def getSrpCertSuites(settings):
226 227 srpAllSuites = srpSuites + srpCertSuites 228 229 @staticmethod
230 - def getSrpAllSuites(settings):
232 233 certSuites = [] 234 certSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA256) 235 certSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA256) 236 certSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA) 237 certSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA) 238 certSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) 239 certSuites.append(TLS_RSA_WITH_RC4_128_SHA) 240 certSuites.append(TLS_RSA_WITH_RC4_128_MD5) 241 certAllSuites = srpCertSuites + certSuites 242 243 @staticmethod
244 - def getCertSuites(settings):
246 247 anonSuites = [] 248 anonSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) 249 anonSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) 250 251 @staticmethod
252 - def getAnonSuites(settings):
254 255 @staticmethod
256 - def canonicalCipherName(ciphersuite):
257 "Return the canonical name of the cipher whose number is provided." 258 if ciphersuite in CipherSuite.aes128Suites: 259 return "aes128" 260 elif ciphersuite in CipherSuite.aes256Suites: 261 return "aes256" 262 elif ciphersuite in CipherSuite.rc4Suites: 263 return "rc4" 264 elif ciphersuite in CipherSuite.tripleDESSuites: 265 return "3des" 266 else: 267 return None
268 269 @staticmethod
270 - def canonicalMacName(ciphersuite):
271 "Return the canonical name of the MAC whose number is provided." 272 if ciphersuite in CipherSuite.shaSuites: 273 return "sha" 274 elif ciphersuite in CipherSuite.md5Suites: 275 return "md5" 276 else: 277 return None
278
279 280 # The following faults are induced as part of testing. The faultAlerts 281 # dictionary describes the allowed alerts that may be triggered by these 282 # faults. 283 -class Fault:
284 badUsername = 101 285 badPassword = 102 286 badA = 103 287 clientSrpFaults = list(range(101,104)) 288 289 badVerifyMessage = 601 290 clientCertFaults = list(range(601,602)) 291 292 badPremasterPadding = 501 293 shortPremasterSecret = 502 294 clientNoAuthFaults = list(range(501,503)) 295 296 badB = 201 297 serverFaults = list(range(201,202)) 298 299 badFinished = 300 300 badMAC = 301 301 badPadding = 302 302 genericFaults = list(range(300,303)) 303 304 faultAlerts = {\ 305 badUsername: (AlertDescription.unknown_psk_identity, \ 306 AlertDescription.bad_record_mac),\ 307 badPassword: (AlertDescription.bad_record_mac,),\ 308 badA: (AlertDescription.illegal_parameter,),\ 309 badPremasterPadding: (AlertDescription.bad_record_mac,),\ 310 shortPremasterSecret: (AlertDescription.bad_record_mac,),\ 311 badVerifyMessage: (AlertDescription.decrypt_error,),\ 312 badFinished: (AlertDescription.decrypt_error,),\ 313 badMAC: (AlertDescription.bad_record_mac,),\ 314 badPadding: (AlertDescription.bad_record_mac,) 315 } 316 317 faultNames = {\ 318 badUsername: "bad username",\ 319 badPassword: "bad password",\ 320 badA: "bad A",\ 321 badPremasterPadding: "bad premaster padding",\ 322 shortPremasterSecret: "short premaster secret",\ 323 badVerifyMessage: "bad verify message",\ 324 badFinished: "bad finished message",\ 325 badMAC: "bad MAC",\ 326 badPadding: "bad padding" 327 }
328