
Source Code for Module tlslite.handshakesettings

  1  # Authors:  
  2  #   Trevor Perrin 
  3  #   Dave Baggett (Arcode Corporation) - cleanup handling of constants 
  4  #   Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2 
  5  # 
  6  # See the LICENSE file for legal information regarding use of this file. 
  7   
  8  """Class for setting handshake parameters.""" 
  9   
 10  from .constants import CertificateType 
 11  from .utils import cryptomath 
 12  from .utils import cipherfactory 
 13   
# Default cipher preference, most preferred first.  RC4 was placed first
# because it is the fastest cipher in pure Python, works with SSL 3.0, and is
# not affected by CBC-mode issues such as timing attacks.
# NOTE(review): RC4 has known keystream biases and RFC 7465 prohibits RC4
# cipher suites in TLS.  Callers that care about confidentiality should set
# an explicit cipherNames list without "rc4" instead of relying on this
# default order.
CIPHER_NAMES = [
    "rc4",
    "aes256",
    "aes128",
    "3des",
]

# Default MAC algorithms.  "md5" is also an accepted value, but it is not
# part of the defaults.
MAC_NAMES = [
    "sha",
    "sha256",
]

# Cipher back ends, in the order they are listed by default.
CIPHER_IMPLEMENTATIONS = [
    "openssl",
    "pycrypto",
    "python",
]

# Certificate types this module knows how to handle.
CERTIFICATE_TYPES = [
    "x509",
]
 20   
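class HandshakeSettings(object):
    """This class encapsulates various parameters that can be used with
    a TLS handshake.

    SECURITY NOTE: the defaults below favour interoperability with old
    peers.  RC4 is the first-choice cipher although RFC 7465 prohibits RC4
    cipher suites in TLS, minVersion may be lowered to SSL 3.0 (deprecated
    by RFC 7568), and minKeySize admits 1023-bit asymmetric keys.  Callers
    should set cipherNames, minVersion and minKeySize explicitly rather than
    rely on the defaults.

    @sort: minKeySize, maxKeySize, cipherNames, macNames,
    cipherImplementations, certificateTypes, minVersion, maxVersion,
    useExperimentalTackExtension

    @type minKeySize: int
    @ivar minKeySize: The minimum bit length for asymmetric keys.

    If the other party tries to use SRP, RSA, or Diffie-Hellman
    parameters smaller than this length, an alert will be
    signalled.  The default is 1023.

    @type maxKeySize: int
    @ivar maxKeySize: The maximum bit length for asymmetric keys.

    If the other party tries to use SRP, RSA, or Diffie-Hellman
    parameters larger than this length, an alert will be signalled.
    The default is 8193.

    @type cipherNames: list
    @ivar cipherNames: The allowed ciphers, in order of preference.

    The allowed values in this list are 'aes256', 'aes128', '3des', and
    'rc4'.  If these settings are used with a client handshake, they
    determine the order of the ciphersuites offered in the ClientHello
    message.

    If these settings are used with a server handshake, the server will
    choose whichever ciphersuite matches the earliest entry in this
    list.

    NOTE:  If '3des' is used in this list, but TLS Lite can't find an
    add-on library that supports 3DES, then '3des' will be silently
    removed.

    The default value is a copy of the module-level CIPHER_NAMES list.

    @type macNames: list
    @ivar macNames: The allowed MAC algorithms.

    The allowed values in this list are 'sha', 'sha256' and 'md5'.
    'sha256' is removed when maxVersion is below (3,3), because it is
    only available from TLS 1.2 on.

    The default value is a copy of the module-level MAC_NAMES list.

    @type cipherImplementations: list
    @ivar cipherImplementations: The allowed cipher implementations.

    The allowed values in this list are 'openssl', 'pycrypto' and
    'python'.  'openssl' and 'pycrypto' are silently removed when the
    corresponding add-on library is not loaded.

    @type certificateTypes: list
    @ivar certificateTypes: The allowed certificate types, in order of
    preference.

    The only allowed certificate type is 'x509'.  This list is only used
    with a client handshake.  The client will advertise to the server which
    certificate types are supported, and will check that the server uses
    one of the appropriate types.

    @type minVersion: tuple
    @ivar minVersion: The minimum allowed SSL/TLS version.

    This variable can be set to (3,0) for SSL 3.0, (3,1) for TLS 1.0, (3,2)
    for TLS 1.1, or (3,3) for TLS 1.2.  If the other party wishes to use a
    lower version, a protocol_version alert will be signalled.  The default
    is (3,1).

    @type maxVersion: tuple
    @ivar maxVersion: The maximum allowed SSL/TLS version.

    This variable can be set to (3,0) for SSL 3.0, (3,1) for TLS 1.0, (3,2)
    for TLS 1.1, or (3,3) for TLS 1.2.  If the other party wishes to use a
    higher version, a protocol_version alert will be signalled.  The
    default is (3,3).
    (WARNING: Some servers may (improperly) reject clients which offer
    support for TLS 1.1.  In this case, try lowering maxVersion to (3,1)).

    @type useExperimentalTackExtension: bool
    @ivar useExperimentalTackExtension: Whether to enable TACK support.

    Note that TACK support is not standardized by IETF and uses a temporary
    TLS Extension number, so should NOT be used in production software.
    """

    def __init__(self):
        """Initialise every setting to its library default."""
        self.minKeySize = 1023
        self.maxKeySize = 8193
        # Copy the module-level defaults.  Handing out the shared lists
        # themselves would let an in-place edit on one instance (for example
        # settings.cipherNames.remove("rc4")) change the defaults of every
        # later instance and the allow-lists that _filter() validates
        # against.
        self.cipherNames = list(CIPHER_NAMES)
        self.macNames = list(MAC_NAMES)
        self.cipherImplementations = list(CIPHER_IMPLEMENTATIONS)
        self.certificateTypes = list(CERTIFICATE_TYPES)
        self.minVersion = (3, 1)
        self.maxVersion = (3, 3)
        self.useExperimentalTackExtension = False

    def _filter(self):
        """Return a validated, filtered copy of these settings.

        Validates the min/max fields, the version range and the names in
        every list, and filters out cipherNames, cipherImplementations and
        macNames entries that cannot be used in this environment.

        @rtype: HandshakeSettings
        @return: A new object; this instance is left unmodified.

        @raise ValueError: If a value is out of range or unknown, or if a
        list that must not be empty ends up empty.
        """
        other = HandshakeSettings()
        other.minKeySize = self.minKeySize
        other.maxKeySize = self.maxKeySize
        # Lists are copied so the result never aliases the caller's lists.
        other.cipherNames = list(self.cipherNames)
        other.macNames = list(self.macNames)
        other.cipherImplementations = list(self.cipherImplementations)
        other.certificateTypes = list(self.certificateTypes)
        other.minVersion = self.minVersion
        other.maxVersion = self.maxVersion
        # Previously not carried over, so the filtered copy always reported
        # the default (False) whatever the caller had set.
        other.useExperimentalTackExtension = self.useExperimentalTackExtension

        if not cipherfactory.tripleDESPresent:
            other.cipherNames = [e for e in other.cipherNames if e != "3des"]
        if not other.cipherNames:
            raise ValueError("No supported ciphers")
        if not other.certificateTypes:
            raise ValueError("No supported certificate types")

        if not cryptomath.m2cryptoLoaded:
            other.cipherImplementations = \
                [e for e in other.cipherImplementations if e != "openssl"]
        if not cryptomath.pycryptoLoaded:
            other.cipherImplementations = \
                [e for e in other.cipherImplementations if e != "pycrypto"]
        if not other.cipherImplementations:
            raise ValueError("No supported cipher implementations")

        if other.minKeySize < 512:
            raise ValueError("minKeySize too small")
        if other.minKeySize > 16384:
            raise ValueError("minKeySize too large")
        if other.maxKeySize < 512:
            raise ValueError("maxKeySize too small")
        if other.maxKeySize > 16384:
            raise ValueError("maxKeySize too large")
        # An inverted range can never be satisfied by any peer key, so
        # report it here instead of failing every handshake later.
        if other.minKeySize > other.maxKeySize:
            raise ValueError("minKeySize larger than maxKeySize")

        for s in other.cipherNames:
            if s not in CIPHER_NAMES:
                raise ValueError("Unknown cipher name: '%s'" % s)
        # "md5" is accepted although it is not one of the default MAC names.
        # Rejecting anything else keeps a misspelt name from silently
        # changing which ciphersuites are negotiated.
        for s in other.macNames:
            if s not in MAC_NAMES and s != "md5":
                raise ValueError("Unknown MAC name: '%s'" % s)
        for s in other.cipherImplementations:
            if s not in CIPHER_IMPLEMENTATIONS:
                raise ValueError("Unknown cipher implementation: '%s'" % s)
        for s in other.certificateTypes:
            if s not in CERTIFICATE_TYPES:
                raise ValueError("Unknown certificate type: '%s'" % s)

        if other.minVersion > other.maxVersion:
            raise ValueError("Versions set incorrectly")

        if other.minVersion not in ((3, 0), (3, 1), (3, 2), (3, 3)):
            raise ValueError("minVersion set incorrectly")

        if other.maxVersion not in ((3, 0), (3, 1), (3, 2), (3, 3)):
            raise ValueError("maxVersion set incorrectly")

        if other.maxVersion < (3, 3):
            # No sha256 pre TLS 1.2
            other.macNames = [e for e in other.macNames if e != "sha256"]

        return other

    def _getCertificateTypes(self):
        """Map the certificateTypes names to CertificateType constants.

        @rtype: list
        @return: One CertificateType value per entry, in the same order.

        @raise AssertionError: If an entry is not 'x509'.
        """
        result = []
        for ct in self.certificateTypes:
            if ct == "x509":
                result.append(CertificateType.x509)
            else:
                raise AssertionError()
        return result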