1
2
3
4 """Class for setting handshake parameters."""
5
6 from .constants import CertificateType
7 from .utils import cryptomath
8 from .utils import cipherfactory
9
11 """This class encapsulates various parameters that can be used with
12 a TLS handshake.
13 @sort: minKeySize, maxKeySize, cipherNames, certificateTypes,
14 minVersion, maxVersion
15
16 @type minKeySize: int
17 @ivar minKeySize: The minimum bit length for asymmetric keys.
18
19 If the other party tries to use SRP, RSA, or Diffie-Hellman
20 parameters smaller than this length, an alert will be
21 signalled. The default is 1023.
22
23 @type maxKeySize: int
24 @ivar maxKeySize: The maximum bit length for asymmetric keys.
25
26 If the other party tries to use SRP, RSA, or Diffie-Hellman
27 parameters larger than this length, an alert will be signalled.
28 The default is 8193.
29
30 @type cipherNames: list
31 @ivar cipherNames: The allowed ciphers, in order of preference.
32
33 The allowed values in this list are 'aes256', 'aes128', '3des', and
34 'rc4'. If these settings are used with a client handshake, they
35 determine the order of the ciphersuites offered in the ClientHello
36 message.
37
38 If these settings are used with a server handshake, the server will
39 choose whichever ciphersuite matches the earliest entry in this
40 list.
41
42 NOTE: If '3des' is used in this list, but TLS Lite can't find an
43 add-on library that supports 3DES, then '3des' will be silently
44 removed.
45
46 The default value is ['aes256', 'aes128', '3des', 'rc4'].
47
48 @type certificateTypes: list
49 @ivar certificateTypes: The allowed certificate types, in order of
50 preference.
51
52 The allowed values in this list are 'x509'. This
53 list is only used with a client handshake. The client will
54 advertise to the server which certificate types are supported, and
55 will check that the server uses one of the appropriate types.
56
57 @type minVersion: tuple
58 @ivar minVersion: The minimum allowed SSL/TLS version.
59
60 This variable can be set to (3,0) for SSL 3.0, (3,1) for
61 TLS 1.0, or (3,2) for TLS 1.1. If the other party wishes to
62 use a lower version, a protocol_version alert will be signalled.
63 The default is (3,0).
64
65 @type maxVersion: tuple
66 @ivar maxVersion: The maximum allowed SSL/TLS version.
67
68 This variable can be set to (3,0) for SSL 3.0, (3,1) for
69 TLS 1.0, or (3,2) for TLS 1.1. If the other party wishes to
70 use a higher version, a protocol_version alert will be signalled.
71 The default is (3,2). (WARNING: Some servers may (improperly)
72 reject clients which offer support for TLS 1.1. In this case,
73 try lowering maxVersion to (3,1)).
74
75 @type useExperimentalTackExtension: bool
76 @ivar useExperimentalTackExtension: Whether to enabled TACK support.
77
78 Note that TACK support is not standardized by IETF and uses a temporary
79 TLS Extension number, so should NOT be used in production software.
80 """
82 self.minKeySize = 1023
83 self.maxKeySize = 8193
84 self.cipherNames = ["aes256", "aes128", "3des", "rc4"]
85 self.cipherImplementations = ["openssl", "pycrypto","python"]
86 self.certificateTypes = ["x509"]
87 self.minVersion = (3,0)
88 self.maxVersion = (3,2)
89 self.useExperimentalTackExtension = False
90
91
92
94 other = HandshakeSettings()
95 other.minKeySize = self.minKeySize
96 other.maxKeySize = self.maxKeySize
97 other.cipherNames = self.cipherNames
98 other.cipherImplementations = self.cipherImplementations
99 other.certificateTypes = self.certificateTypes
100 other.minVersion = self.minVersion
101 other.maxVersion = self.maxVersion
102
103 if not cipherfactory.tripleDESPresent:
104 other.cipherNames = [e for e in self.cipherNames if e != "3des"]
105 if len(other.cipherNames)==0:
106 raise ValueError("No supported ciphers")
107 if len(other.certificateTypes)==0:
108 raise ValueError("No supported certificate types")
109
110 if not cryptomath.m2cryptoLoaded:
111 other.cipherImplementations = [e for e in \
112 other.cipherImplementations if e != "openssl"]
113 if not cryptomath.pycryptoLoaded:
114 other.cipherImplementations = [e for e in \
115 other.cipherImplementations if e != "pycrypto"]
116 if len(other.cipherImplementations)==0:
117 raise ValueError("No supported cipher implementations")
118
119 if other.minKeySize<512:
120 raise ValueError("minKeySize too small")
121 if other.minKeySize>16384:
122 raise ValueError("minKeySize too large")
123 if other.maxKeySize<512:
124 raise ValueError("maxKeySize too small")
125 if other.maxKeySize>16384:
126 raise ValueError("maxKeySize too large")
127 for s in other.cipherNames:
128 if s not in ("aes256", "aes128", "rc4", "3des"):
129 raise ValueError("Unknown cipher name: '%s'" % s)
130 for s in other.cipherImplementations:
131 if s not in ("openssl", "python", "pycrypto"):
132 raise ValueError("Unknown cipher implementation: '%s'" % s)
133 for s in other.certificateTypes:
134 if s not in ("x509"):
135 raise ValueError("Unknown certificate type: '%s'" % s)
136
137 if other.minVersion > other.maxVersion:
138 raise ValueError("Versions set incorrectly")
139
140 if not other.minVersion in ((3,0), (3,1), (3,2)):
141 raise ValueError("minVersion set incorrectly")
142
143 if not other.maxVersion in ((3,0), (3,1), (3,2)):
144 raise ValueError("maxVersion set incorrectly")
145
146 return other
147
149 l = []
150 for ct in self.certificateTypes:
151 if ct == "x509":
152 l.append(CertificateType.x509)
153 else:
154 raise AssertionError()
155 return l
156