/gdata/tlslite/HandshakeSettings.py

http://radioappz.googlecode.com/ · Python · 159 lines · 122 code · 10 blank · 27 comment · 10 complexity · f4ce31b64e2995ac2345203a925b2e01 MD5 · raw file

  1. """Class for setting handshake parameters."""
  2. from constants import CertificateType
  3. from utils import cryptomath
  4. from utils import cipherfactory
  5. class HandshakeSettings:
  6. """This class encapsulates various parameters that can be used with
  7. a TLS handshake.
  8. @sort: minKeySize, maxKeySize, cipherNames, certificateTypes,
  9. minVersion, maxVersion
  10. @type minKeySize: int
  11. @ivar minKeySize: The minimum bit length for asymmetric keys.
  12. If the other party tries to use SRP, RSA, or Diffie-Hellman
  13. parameters smaller than this length, an alert will be
  14. signalled. The default is 1023.
  15. @type maxKeySize: int
  16. @ivar maxKeySize: The maximum bit length for asymmetric keys.
  17. If the other party tries to use SRP, RSA, or Diffie-Hellman
  18. parameters larger than this length, an alert will be signalled.
  19. The default is 8193.
  20. @type cipherNames: list
  21. @ivar cipherNames: The allowed ciphers, in order of preference.
  22. The allowed values in this list are 'aes256', 'aes128', '3des', and
  23. 'rc4'. If these settings are used with a client handshake, they
  24. determine the order of the ciphersuites offered in the ClientHello
  25. message.
  26. If these settings are used with a server handshake, the server will
  27. choose whichever ciphersuite matches the earliest entry in this
  28. list.
  29. NOTE: If '3des' is used in this list, but TLS Lite can't find an
  30. add-on library that supports 3DES, then '3des' will be silently
  31. removed.
  32. The default value is ['aes256', 'aes128', '3des', 'rc4'].
  33. @type certificateTypes: list
  34. @ivar certificateTypes: The allowed certificate types, in order of
  35. preference.
  36. The allowed values in this list are 'x509' and 'cryptoID'. This
  37. list is only used with a client handshake. The client will
  38. advertise to the server which certificate types are supported, and
  39. will check that the server uses one of the appropriate types.
  40. NOTE: If 'cryptoID' is used in this list, but cryptoIDlib is not
  41. installed, then 'cryptoID' will be silently removed.
  42. @type minVersion: tuple
  43. @ivar minVersion: The minimum allowed SSL/TLS version.
  44. This variable can be set to (3,0) for SSL 3.0, (3,1) for
  45. TLS 1.0, or (3,2) for TLS 1.1. If the other party wishes to
  46. use a lower version, a protocol_version alert will be signalled.
  47. The default is (3,0).
  48. @type maxVersion: tuple
  49. @ivar maxVersion: The maximum allowed SSL/TLS version.
  50. This variable can be set to (3,0) for SSL 3.0, (3,1) for
  51. TLS 1.0, or (3,2) for TLS 1.1. If the other party wishes to
  52. use a higher version, a protocol_version alert will be signalled.
  53. The default is (3,2). (WARNING: Some servers may (improperly)
  54. reject clients which offer support for TLS 1.1. In this case,
  55. try lowering maxVersion to (3,1)).
  56. """
  57. def __init__(self):
  58. self.minKeySize = 1023
  59. self.maxKeySize = 8193
  60. self.cipherNames = ["aes256", "aes128", "3des", "rc4"]
  61. self.cipherImplementations = ["cryptlib", "openssl", "pycrypto",
  62. "python"]
  63. self.certificateTypes = ["x509", "cryptoID"]
  64. self.minVersion = (3,0)
  65. self.maxVersion = (3,2)
  66. #Filters out options that are not supported
  67. def _filter(self):
  68. other = HandshakeSettings()
  69. other.minKeySize = self.minKeySize
  70. other.maxKeySize = self.maxKeySize
  71. other.cipherNames = self.cipherNames
  72. other.cipherImplementations = self.cipherImplementations
  73. other.certificateTypes = self.certificateTypes
  74. other.minVersion = self.minVersion
  75. other.maxVersion = self.maxVersion
  76. if not cipherfactory.tripleDESPresent:
  77. other.cipherNames = [e for e in self.cipherNames if e != "3des"]
  78. if len(other.cipherNames)==0:
  79. raise ValueError("No supported ciphers")
  80. try:
  81. import cryptoIDlib
  82. except ImportError:
  83. other.certificateTypes = [e for e in self.certificateTypes \
  84. if e != "cryptoID"]
  85. if len(other.certificateTypes)==0:
  86. raise ValueError("No supported certificate types")
  87. if not cryptomath.cryptlibpyLoaded:
  88. other.cipherImplementations = [e for e in \
  89. self.cipherImplementations if e != "cryptlib"]
  90. if not cryptomath.m2cryptoLoaded:
  91. other.cipherImplementations = [e for e in \
  92. other.cipherImplementations if e != "openssl"]
  93. if not cryptomath.pycryptoLoaded:
  94. other.cipherImplementations = [e for e in \
  95. other.cipherImplementations if e != "pycrypto"]
  96. if len(other.cipherImplementations)==0:
  97. raise ValueError("No supported cipher implementations")
  98. if other.minKeySize<512:
  99. raise ValueError("minKeySize too small")
  100. if other.minKeySize>16384:
  101. raise ValueError("minKeySize too large")
  102. if other.maxKeySize<512:
  103. raise ValueError("maxKeySize too small")
  104. if other.maxKeySize>16384:
  105. raise ValueError("maxKeySize too large")
  106. for s in other.cipherNames:
  107. if s not in ("aes256", "aes128", "rc4", "3des"):
  108. raise ValueError("Unknown cipher name: '%s'" % s)
  109. for s in other.cipherImplementations:
  110. if s not in ("cryptlib", "openssl", "python", "pycrypto"):
  111. raise ValueError("Unknown cipher implementation: '%s'" % s)
  112. for s in other.certificateTypes:
  113. if s not in ("x509", "cryptoID"):
  114. raise ValueError("Unknown certificate type: '%s'" % s)
  115. if other.minVersion > other.maxVersion:
  116. raise ValueError("Versions set incorrectly")
  117. if not other.minVersion in ((3,0), (3,1), (3,2)):
  118. raise ValueError("minVersion set incorrectly")
  119. if not other.maxVersion in ((3,0), (3,1), (3,2)):
  120. raise ValueError("maxVersion set incorrectly")
  121. return other
  122. def _getCertificateTypes(self):
  123. l = []
  124. for ct in self.certificateTypes:
  125. if ct == "x509":
  126. l.append(CertificateType.x509)
  127. elif ct == "cryptoID":
  128. l.append(CertificateType.cryptoID)
  129. else:
  130. raise AssertionError()
  131. return l