
/gdata/tlslite/HandshakeSettings.py

  1"""Class for setting handshake parameters."""
  2
  3from constants import CertificateType
  4from utils import cryptomath
  5from utils import cipherfactory
  6
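class HandshakeSettings:
    """This class encapsulates various parameters that can be used with
    a TLS handshake.
    @sort: minKeySize, maxKeySize, cipherNames, certificateTypes,
    minVersion, maxVersion

    @type minKeySize: int
    @ivar minKeySize: The minimum bit length for asymmetric keys.

    If the other party tries to use SRP, RSA, or Diffie-Hellman
    parameters smaller than this length, an alert will be
    signalled.  The default is 1023.

    @type maxKeySize: int
    @ivar maxKeySize: The maximum bit length for asymmetric keys.

    If the other party tries to use SRP, RSA, or Diffie-Hellman
    parameters larger than this length, an alert will be signalled.
    The default is 8193.

    @type cipherNames: list
    @ivar cipherNames: The allowed ciphers, in order of preference.

    The allowed values in this list are 'aes256', 'aes128', '3des', and
    'rc4'.  If these settings are used with a client handshake, they
    determine the order of the ciphersuites offered in the ClientHello
    message.

    If these settings are used with a server handshake, the server will
    choose whichever ciphersuite matches the earliest entry in this
    list.

    NOTE:  If '3des' is used in this list, but TLS Lite can't find an
    add-on library that supports 3DES, then '3des' will be silently
    removed.

    The default value is ['aes256', 'aes128', '3des', 'rc4'].

    @type certificateTypes: list
    @ivar certificateTypes: The allowed certificate types, in order of
    preference.

    The allowed values in this list are 'x509' and 'cryptoID'.  This
    list is only used with a client handshake.  The client will
    advertise to the server which certificate types are supported, and
    will check that the server uses one of the appropriate types.

    NOTE:  If 'cryptoID' is used in this list, but cryptoIDlib is not
    installed, then 'cryptoID' will be silently removed.

    @type minVersion: tuple
    @ivar minVersion: The minimum allowed SSL/TLS version.

    This variable can be set to (3,0) for SSL 3.0, (3,1) for
    TLS 1.0, or (3,2) for TLS 1.1.  If the other party wishes to
    use a lower version, a protocol_version alert will be signalled.
    The default is (3,0).

    @type maxVersion: tuple
    @ivar maxVersion: The maximum allowed SSL/TLS version.

    This variable can be set to (3,0) for SSL 3.0, (3,1) for
    TLS 1.0, or (3,2) for TLS 1.1.  If the other party wishes to
    use a higher version, a protocol_version alert will be signalled.
    The default is (3,2).  (WARNING: Some servers may (improperly)
    reject clients which offer support for TLS 1.1.  In this case,
    try lowering maxVersion to (3,1)).

    NOTE:  The defaults above (SSL 3.0 as minVersion, 'rc4' in
    cipherNames, and the 512-bit floor accepted for minKeySize) reflect
    the compatibility needs this module was written for and are weak by
    current standards.  Deployments that do not need them should raise
    minVersion and minKeySize and drop 'rc4' from cipherNames; the
    defaults themselves are left unchanged here so existing callers
    keep working.
    """

    # Value sets accepted by _filter(); anything else raises ValueError.
    _KNOWN_CIPHER_NAMES = ("aes256", "aes128", "rc4", "3des")
    _KNOWN_CIPHER_IMPLEMENTATIONS = ("cryptlib", "openssl", "python",
                                     "pycrypto")
    _KNOWN_CERTIFICATE_TYPES = ("x509", "cryptoID")
    _KNOWN_VERSIONS = ((3,0), (3,1), (3,2))
    # Hard bounds, in bits, on both minKeySize and maxKeySize.
    _KEY_SIZE_FLOOR = 512
    _KEY_SIZE_CEILING = 16384

    def __init__(self):
        """Initialise every setting to its documented default."""
        self.minKeySize = 1023
        self.maxKeySize = 8193
        self.cipherNames = ["aes256", "aes128", "3des", "rc4"]
        # Crypto back-ends, in order of preference; back-ends whose
        # library is not loaded are dropped by _filter().
        self.cipherImplementations = ["cryptlib", "openssl", "pycrypto",
                                      "python"]
        self.certificateTypes = ["x509", "cryptoID"]
        self.minVersion = (3,0)
        self.maxVersion = (3,2)

    def _validate(self):
        """Check that every setting holds a value this class understands.

        This only looks at the values themselves, never at which crypto
        libraries are installed, so a misconfiguration is reported the
        same way on every machine.

        @raise ValueError: if a key size is out of bounds or inverted, a
        cipher name, implementation or certificate type is unknown, or a
        version is unknown or inverted.
        """
        if self.minKeySize < self._KEY_SIZE_FLOOR:
            raise ValueError("minKeySize too small")
        if self.minKeySize > self._KEY_SIZE_CEILING:
            raise ValueError("minKeySize too large")
        if self.maxKeySize < self._KEY_SIZE_FLOOR:
            raise ValueError("maxKeySize too small")
        if self.maxKeySize > self._KEY_SIZE_CEILING:
            raise ValueError("maxKeySize too large")
        # Mirrors the minVersion/maxVersion ordering check below; an
        # inverted pair would otherwise reject every key at handshake time.
        if self.minKeySize > self.maxKeySize:
            raise ValueError("minKeySize larger than maxKeySize")

        for s in self.cipherNames:
            if s not in self._KNOWN_CIPHER_NAMES:
                raise ValueError("Unknown cipher name: '%s'" % s)
        for s in self.cipherImplementations:
            if s not in self._KNOWN_CIPHER_IMPLEMENTATIONS:
                raise ValueError("Unknown cipher implementation: '%s'" % s)
        for s in self.certificateTypes:
            if s not in self._KNOWN_CERTIFICATE_TYPES:
                raise ValueError("Unknown certificate type: '%s'" % s)

        if self.minVersion > self.maxVersion:
            raise ValueError("Versions set incorrectly")
        if self.minVersion not in self._KNOWN_VERSIONS:
            raise ValueError("minVersion set incorrectly")
        if self.maxVersion not in self._KNOWN_VERSIONS:
            raise ValueError("maxVersion set incorrectly")

    #Filters out options that are not supported
    def _filter(self):
        """Return a validated copy of these settings with unsupported
        options removed.

        The caller-supplied values are validated first (see _validate),
        then entries whose add-on library is missing ('3des', 'cryptoID',
        and the 'cryptlib'/'openssl'/'pycrypto' back-ends) are dropped.

        @rtype: HandshakeSettings
        @return: A new instance; self is never modified.
        @raise ValueError: if a setting is invalid, or if filtering leaves
        no cipher, certificate type or cipher implementation.
        """
        other = HandshakeSettings()
        other.minKeySize = self.minKeySize
        other.maxKeySize = self.maxKeySize
        # Copy the lists so later mutation of self's settings cannot leak
        # into a handshake that is already using 'other'.
        other.cipherNames = list(self.cipherNames)
        other.cipherImplementations = list(self.cipherImplementations)
        other.certificateTypes = list(self.certificateTypes)
        other.minVersion = self.minVersion
        other.maxVersion = self.maxVersion

        other._validate()

        if not cipherfactory.tripleDESPresent:
            other.cipherNames = [e for e in other.cipherNames if e != "3des"]
        if not other.cipherNames:
            raise ValueError("No supported ciphers")

        try:
            import cryptoIDlib
        except ImportError:
            other.certificateTypes = [e for e in other.certificateTypes
                                      if e != "cryptoID"]
        if not other.certificateTypes:
            raise ValueError("No supported certificate types")

        # Back-ends whose library failed to load; 'python' is always kept.
        unavailable = []
        if not cryptomath.cryptlibpyLoaded:
            unavailable.append("cryptlib")
        if not cryptomath.m2cryptoLoaded:
            unavailable.append("openssl")
        if not cryptomath.pycryptoLoaded:
            unavailable.append("pycrypto")
        other.cipherImplementations = [e for e in other.cipherImplementations
                                       if e not in unavailable]
        if not other.cipherImplementations:
            raise ValueError("No supported cipher implementations")

        return other

    def _getCertificateTypes(self):
        """Translate certificateTypes into CertificateType constants.

        @rtype: list
        @return: The CertificateType value for each entry, in order.
        @raise AssertionError: if an entry is neither 'x509' nor
        'cryptoID'; _filter() rejects such entries beforehand, so this
        indicates the settings were not filtered.
        """
        types = []
        for ct in self.certificateTypes:
            if ct == "x509":
                types.append(CertificateType.x509)
            elif ct == "cryptoID":
                types.append(CertificateType.cryptoID)
            else:
                raise AssertionError()
        return types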