/gdata/tlslite/HandshakeSettings.py
http://radioappz.googlecode.com/ · Python · 159 lines · 122 code · 10 blank · 27 comment · 10 complexity · f4ce31b64e2995ac2345203a925b2e01 MD5 · raw file
- """Class for setting handshake parameters."""
- from constants import CertificateType
- from utils import cryptomath
- from utils import cipherfactory
- class HandshakeSettings:
- """This class encapsulates various parameters that can be used with
- a TLS handshake.
- @sort: minKeySize, maxKeySize, cipherNames, certificateTypes,
- minVersion, maxVersion
- @type minKeySize: int
- @ivar minKeySize: The minimum bit length for asymmetric keys.
- If the other party tries to use SRP, RSA, or Diffie-Hellman
- parameters smaller than this length, an alert will be
- signalled. The default is 1023.
- @type maxKeySize: int
- @ivar maxKeySize: The maximum bit length for asymmetric keys.
- If the other party tries to use SRP, RSA, or Diffie-Hellman
- parameters larger than this length, an alert will be signalled.
- The default is 8193.
- @type cipherNames: list
- @ivar cipherNames: The allowed ciphers, in order of preference.
- The allowed values in this list are 'aes256', 'aes128', '3des', and
- 'rc4'. If these settings are used with a client handshake, they
- determine the order of the ciphersuites offered in the ClientHello
- message.
- If these settings are used with a server handshake, the server will
- choose whichever ciphersuite matches the earliest entry in this
- list.
- NOTE: If '3des' is used in this list, but TLS Lite can't find an
- add-on library that supports 3DES, then '3des' will be silently
- removed.
- The default value is ['aes256', 'aes128', '3des', 'rc4'].
- @type certificateTypes: list
- @ivar certificateTypes: The allowed certificate types, in order of
- preference.
- The allowed values in this list are 'x509' and 'cryptoID'. This
- list is only used with a client handshake. The client will
- advertise to the server which certificate types are supported, and
- will check that the server uses one of the appropriate types.
- NOTE: If 'cryptoID' is used in this list, but cryptoIDlib is not
- installed, then 'cryptoID' will be silently removed.
- @type minVersion: tuple
- @ivar minVersion: The minimum allowed SSL/TLS version.
- This variable can be set to (3,0) for SSL 3.0, (3,1) for
- TLS 1.0, or (3,2) for TLS 1.1. If the other party wishes to
- use a lower version, a protocol_version alert will be signalled.
- The default is (3,0).
- @type maxVersion: tuple
- @ivar maxVersion: The maximum allowed SSL/TLS version.
- This variable can be set to (3,0) for SSL 3.0, (3,1) for
- TLS 1.0, or (3,2) for TLS 1.1. If the other party wishes to
- use a higher version, a protocol_version alert will be signalled.
- The default is (3,2). (WARNING: Some servers may (improperly)
- reject clients which offer support for TLS 1.1. In this case,
- try lowering maxVersion to (3,1)).
- """
- def __init__(self):
- self.minKeySize = 1023
- self.maxKeySize = 8193
- self.cipherNames = ["aes256", "aes128", "3des", "rc4"]
- self.cipherImplementations = ["cryptlib", "openssl", "pycrypto",
- "python"]
- self.certificateTypes = ["x509", "cryptoID"]
- self.minVersion = (3,0)
- self.maxVersion = (3,2)
- #Filters out options that are not supported
- def _filter(self):
- other = HandshakeSettings()
- other.minKeySize = self.minKeySize
- other.maxKeySize = self.maxKeySize
- other.cipherNames = self.cipherNames
- other.cipherImplementations = self.cipherImplementations
- other.certificateTypes = self.certificateTypes
- other.minVersion = self.minVersion
- other.maxVersion = self.maxVersion
- if not cipherfactory.tripleDESPresent:
- other.cipherNames = [e for e in self.cipherNames if e != "3des"]
- if len(other.cipherNames)==0:
- raise ValueError("No supported ciphers")
- try:
- import cryptoIDlib
- except ImportError:
- other.certificateTypes = [e for e in self.certificateTypes \
- if e != "cryptoID"]
- if len(other.certificateTypes)==0:
- raise ValueError("No supported certificate types")
- if not cryptomath.cryptlibpyLoaded:
- other.cipherImplementations = [e for e in \
- self.cipherImplementations if e != "cryptlib"]
- if not cryptomath.m2cryptoLoaded:
- other.cipherImplementations = [e for e in \
- other.cipherImplementations if e != "openssl"]
- if not cryptomath.pycryptoLoaded:
- other.cipherImplementations = [e for e in \
- other.cipherImplementations if e != "pycrypto"]
- if len(other.cipherImplementations)==0:
- raise ValueError("No supported cipher implementations")
- if other.minKeySize<512:
- raise ValueError("minKeySize too small")
- if other.minKeySize>16384:
- raise ValueError("minKeySize too large")
- if other.maxKeySize<512:
- raise ValueError("maxKeySize too small")
- if other.maxKeySize>16384:
- raise ValueError("maxKeySize too large")
- for s in other.cipherNames:
- if s not in ("aes256", "aes128", "rc4", "3des"):
- raise ValueError("Unknown cipher name: '%s'" % s)
- for s in other.cipherImplementations:
- if s not in ("cryptlib", "openssl", "python", "pycrypto"):
- raise ValueError("Unknown cipher implementation: '%s'" % s)
- for s in other.certificateTypes:
- if s not in ("x509", "cryptoID"):
- raise ValueError("Unknown certificate type: '%s'" % s)
- if other.minVersion > other.maxVersion:
- raise ValueError("Versions set incorrectly")
- if not other.minVersion in ((3,0), (3,1), (3,2)):
- raise ValueError("minVersion set incorrectly")
- if not other.maxVersion in ((3,0), (3,1), (3,2)):
- raise ValueError("maxVersion set incorrectly")
- return other
- def _getCertificateTypes(self):
- l = []
- for ct in self.certificateTypes:
- if ct == "x509":
- l.append(CertificateType.x509)
- elif ct == "cryptoID":
- l.append(CertificateType.cryptoID)
- else:
- raise AssertionError()
- return l