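"""Class for setting handshake parameters."""

from constants import CertificateType
from utils import cryptomath
from utils import cipherfactory

class HandshakeSettings:
    """This class encapsulates various parameters that can be used with
    a TLS handshake.
    @sort: minKeySize, maxKeySize, cipherNames, cipherImplementations,
    certificateTypes, minVersion, maxVersion

    @type minKeySize: int
    @ivar minKeySize: The minimum bit length for asymmetric keys.

    If the other party tries to use SRP, RSA, or Diffie-Hellman
    parameters smaller than this length, an alert will be
    signalled.  The default is 1023.

    @type maxKeySize: int
    @ivar maxKeySize: The maximum bit length for asymmetric keys.

    If the other party tries to use SRP, RSA, or Diffie-Hellman
    parameters larger than this length, an alert will be signalled.
    The default is 8193.

    @type cipherNames: list
    @ivar cipherNames: The allowed ciphers, in order of preference.

    The allowed values in this list are 'aes256', 'aes128', '3des', and
    'rc4'.  If these settings are used with a client handshake, they
    determine the order of the ciphersuites offered in the ClientHello
    message.

    If these settings are used with a server handshake, the server will
    choose whichever ciphersuite matches the earliest entry in this
    list.

    NOTE: If '3des' is used in this list, but TLS Lite can't find an
    add-on library that supports 3DES, then '3des' will be silently
    removed.  L{_filter} only checks that the names are known; it does
    not otherwise restrict this list, so 'rc4' stays enabled for as
    long as it is listed.

    The default value is ['aes256', 'aes128', '3des', 'rc4'].

    @type cipherImplementations: list
    @ivar cipherImplementations: The cipher implementations to use, in
    order of preference.

    The allowed values in this list are 'cryptlib', 'openssl',
    'pycrypto', and 'python'.  An add-on implementation whose library
    did not load is silently removed by L{_filter}; 'python' (the
    pure-Python fallback) is never removed, so it is what remains when
    no add-on library is available.

    The default value is ['cryptlib', 'openssl', 'pycrypto', 'python'].

    @type certificateTypes: list
    @ivar certificateTypes: The allowed certificate types, in order of
    preference.

    The allowed values in this list are 'x509' and 'cryptoID'.  This
    list is only used with a client handshake.  The client will
    advertise to the server which certificate types are supported, and
    will check that the server uses one of the appropriate types.

    NOTE: If 'cryptoID' is used in this list, but cryptoIDlib is not
    installed, then 'cryptoID' will be silently removed.

    @type minVersion: tuple
    @ivar minVersion: The minimum allowed SSL/TLS version.

    This variable can be set to (3,0) for SSL 3.0, (3,1) for
    TLS 1.0, or (3,2) for TLS 1.1.  If the other party wishes to
    use a lower version, a protocol_version alert will be signalled.
    The default is (3,0).

    @type maxVersion: tuple
    @ivar maxVersion: The maximum allowed SSL/TLS version.

    This variable can be set to (3,0) for SSL 3.0, (3,1) for
    TLS 1.0, or (3,2) for TLS 1.1.  If the other party wishes to
    use a higher version, a protocol_version alert will be signalled.
    The default is (3,2).  (WARNING: Some servers may (improperly)
    reject clients which offer support for TLS 1.1.  In this case,
    try lowering maxVersion to (3,1)).
    """

    # Value sets enforced by _filter().  Key sizes are in bits.
    _KEY_SIZE_LOWER_BOUND = 512
    _KEY_SIZE_UPPER_BOUND = 16384
    _KNOWN_CIPHER_NAMES = ("aes256", "aes128", "rc4", "3des")
    _KNOWN_IMPLEMENTATIONS = ("cryptlib", "openssl", "python", "pycrypto")
    _KNOWN_CERTIFICATE_TYPES = ("x509", "cryptoID")
    _KNOWN_VERSIONS = ((3,0), (3,1), (3,2))

    def __init__(self):
        """Initialise every setting to its documented default."""
        self.minKeySize = 1023
        self.maxKeySize = 8193
        self.cipherNames = ["aes256", "aes128", "3des", "rc4"]
        self.cipherImplementations = ["cryptlib", "openssl", "pycrypto",
                                      "python"]
        self.certificateTypes = ["x509", "cryptoID"]
        self.minVersion = (3,0)
        self.maxVersion = (3,2)

    def _filter(self):
        """Return a validated copy of these settings with unsupported
        options removed.

        The copy drops '3des', 'cryptoID' and any add-on cipher
        implementation whose library is not available, then checks that
        every remaining value is known and that the key-size and version
        ranges are sane.  This instance is never modified.

        @rtype: HandshakeSettings
        @return: A new, filtered and validated settings object.
        @raise ValueError: If filtering leaves an empty list, a value is
        not one of the documented names, a key size is outside
        512..16384 bits or minKeySize exceeds maxKeySize, or a version
        is not (3,0)/(3,1)/(3,2) with minVersion <= maxVersion.
        """
        other = HandshakeSettings()
        other.minKeySize = self.minKeySize
        other.maxKeySize = self.maxKeySize
        # Copy the lists so that filtering (or later edits to the copy)
        # never reaches back into this instance's lists.
        other.cipherNames = list(self.cipherNames)
        other.cipherImplementations = list(self.cipherImplementations)
        other.certificateTypes = list(self.certificateTypes)
        other.minVersion = self.minVersion
        other.maxVersion = self.maxVersion

        if not cipherfactory.tripleDESPresent:
            other.cipherNames = [e for e in other.cipherNames if e != "3des"]
        # An empty list would offer/accept no ciphersuite at all, so
        # reject it whether or not filtering caused it.
        if not other.cipherNames:
            raise ValueError("No supported ciphers")

        try:
            import cryptoIDlib
        except ImportError:
            other.certificateTypes = [e for e in other.certificateTypes
                                      if e != "cryptoID"]
        if not other.certificateTypes:
            raise ValueError("No supported certificate types")

        # Drop each add-on implementation whose library failed to load;
        # 'python' has no load flag and is always kept.
        unavailable = []
        if not cryptomath.cryptlibpyLoaded:
            unavailable.append("cryptlib")
        if not cryptomath.m2cryptoLoaded:
            unavailable.append("openssl")
        if not cryptomath.pycryptoLoaded:
            unavailable.append("pycrypto")
        other.cipherImplementations = [e for e in other.cipherImplementations
                                       if e not in unavailable]
        if not other.cipherImplementations:
            raise ValueError("No supported cipher implementations")

        lower = HandshakeSettings._KEY_SIZE_LOWER_BOUND
        upper = HandshakeSettings._KEY_SIZE_UPPER_BOUND
        if other.minKeySize < lower:
            raise ValueError("minKeySize too small")
        if other.minKeySize > upper:
            raise ValueError("minKeySize too large")
        if other.maxKeySize < lower:
            raise ValueError("maxKeySize too small")
        if other.maxKeySize > upper:
            raise ValueError("maxKeySize too large")
        # A minimum above the maximum would reject every peer key; catch
        # the misconfiguration here rather than at handshake time.
        if other.minKeySize > other.maxKeySize:
            raise ValueError("Key sizes set incorrectly")

        for s in other.cipherNames:
            if s not in HandshakeSettings._KNOWN_CIPHER_NAMES:
                raise ValueError("Unknown cipher name: '%s'" % s)
        for s in other.cipherImplementations:
            if s not in HandshakeSettings._KNOWN_IMPLEMENTATIONS:
                raise ValueError("Unknown cipher implementation: '%s'" % s)
        for s in other.certificateTypes:
            if s not in HandshakeSettings._KNOWN_CERTIFICATE_TYPES:
                raise ValueError("Unknown certificate type: '%s'" % s)

        if other.minVersion > other.maxVersion:
            raise ValueError("Versions set incorrectly")
        if other.minVersion not in HandshakeSettings._KNOWN_VERSIONS:
            raise ValueError("minVersion set incorrectly")
        if other.maxVersion not in HandshakeSettings._KNOWN_VERSIONS:
            raise ValueError("maxVersion set incorrectly")

        return other

    def _getCertificateTypes(self):
        """Translate certificateTypes names into CertificateType values.

        @rtype: list
        @return: The CertificateType constant for each name, in the same
        order as certificateTypes.
        @raise AssertionError: If a name is neither 'x509' nor 'cryptoID'.
        L{_filter} rejects such names with ValueError first, so this only
        fires on settings that were never filtered.
        """
        mapping = {
            "x509": CertificateType.x509,
            "cryptoID": CertificateType.cryptoID,
        }
        result = []
        for ct in self.certificateTypes:
            if ct not in mapping:
                raise AssertionError("Unknown certificate type: '%s'" % ct)
            result.append(mapping[ct])
        return result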