summaryrefslogtreecommitdiffstats
path: root/src/lib/tlslite/HandshakeSettings.py
diff options
context:
space:
mode:
authorNarayan Desai <desai@mcs.anl.gov>2007-03-12 16:22:51 +0000
committerNarayan Desai <desai@mcs.anl.gov>2007-03-12 16:22:51 +0000
commit6e5e9c8e969207e68665f12665a54768090897e4 (patch)
treede198777d5041073db4634a24ca37efad2a1017f /src/lib/tlslite/HandshakeSettings.py
parentac3eb44f16bc14e41ed62169ca36e9992509d7d6 (diff)
downloadbcfg2-6e5e9c8e969207e68665f12665a54768090897e4.tar.gz
bcfg2-6e5e9c8e969207e68665f12665a54768090897e4.tar.bz2
bcfg2-6e5e9c8e969207e68665f12665a54768090897e4.zip
Merged in certs branch in preparation for 0.9.3pre2
git-svn-id: https://svn.mcs.anl.gov/repos/bcfg/trunk/bcfg2@2928 ce84e21b-d406-0410-9b95-82705330c041
Diffstat (limited to 'src/lib/tlslite/HandshakeSettings.py')
-rwxr-xr-xsrc/lib/tlslite/HandshakeSettings.py159
1 files changed, 159 insertions, 0 deletions
diff --git a/src/lib/tlslite/HandshakeSettings.py b/src/lib/tlslite/HandshakeSettings.py
new file mode 100755
index 000000000..c7c3223e5
--- /dev/null
+++ b/src/lib/tlslite/HandshakeSettings.py
@@ -0,0 +1,159 @@
+"""Class for setting handshake parameters."""
+
+from constants import CertificateType
+from utils import cryptomath
+from utils import cipherfactory
+
+class HandshakeSettings:
+ """This class encapsulates various parameters that can be used with
+ a TLS handshake.
+ @sort: minKeySize, maxKeySize, cipherNames, certificateTypes,
+ minVersion, maxVersion
+
+ @type minKeySize: int
+ @ivar minKeySize: The minimum bit length for asymmetric keys.
+
+ If the other party tries to use SRP, RSA, or Diffie-Hellman
+ parameters smaller than this length, an alert will be
+ signalled. The default is 1023.
+
+ @type maxKeySize: int
+ @ivar maxKeySize: The maximum bit length for asymmetric keys.
+
+ If the other party tries to use SRP, RSA, or Diffie-Hellman
+ parameters larger than this length, an alert will be signalled.
+ The default is 8193.
+
+ @type cipherNames: list
+ @ivar cipherNames: The allowed ciphers, in order of preference.
+
+ The allowed values in this list are 'aes256', 'aes128', '3des', and
+ 'rc4'. If these settings are used with a client handshake, they
+ determine the order of the ciphersuites offered in the ClientHello
+ message.
+
+ If these settings are used with a server handshake, the server will
+ choose whichever ciphersuite matches the earliest entry in this
+ list.
+
+ NOTE: If '3des' is used in this list, but TLS Lite can't find an
+ add-on library that supports 3DES, then '3des' will be silently
+ removed.
+
+ The default value is ['aes256', 'aes128', '3des', 'rc4'].
+
+ @type certificateTypes: list
+ @ivar certificateTypes: The allowed certificate types, in order of
+ preference.
+
+ The allowed values in this list are 'x509' and 'cryptoID'. This
+ list is only used with a client handshake. The client will
+ advertise to the server which certificate types are supported, and
+ will check that the server uses one of the appropriate types.
+
+ NOTE: If 'cryptoID' is used in this list, but cryptoIDlib is not
+ installed, then 'cryptoID' will be silently removed.
+
+ @type minVersion: tuple
+ @ivar minVersion: The minimum allowed SSL/TLS version.
+
+ This variable can be set to (3,0) for SSL 3.0, (3,1) for
+ TLS 1.0, or (3,2) for TLS 1.1. If the other party wishes to
+ use a lower version, a protocol_version alert will be signalled.
+ The default is (3,0).
+
+ @type maxVersion: tuple
+ @ivar maxVersion: The maximum allowed SSL/TLS version.
+
+ This variable can be set to (3,0) for SSL 3.0, (3,1) for
+ TLS 1.0, or (3,2) for TLS 1.1. If the other party wishes to
+ use a higher version, a protocol_version alert will be signalled.
+ The default is (3,2). (WARNING: Some servers may (improperly)
+ reject clients which offer support for TLS 1.1. In this case,
+ try lowering maxVersion to (3,1)).
+ """
+ def __init__(self):
+ self.minKeySize = 1023
+ self.maxKeySize = 8193
+ self.cipherNames = ["aes256", "aes128", "3des", "rc4"]
+ self.cipherImplementations = ["cryptlib", "openssl", "pycrypto",
+ "python"]
+ self.certificateTypes = ["x509", "cryptoID"]
+ self.minVersion = (3,0)
+ self.maxVersion = (3,2)
+
+ #Filters out options that are not supported
+ def _filter(self):
+ other = HandshakeSettings()
+ other.minKeySize = self.minKeySize
+ other.maxKeySize = self.maxKeySize
+ other.cipherNames = self.cipherNames
+ other.cipherImplementations = self.cipherImplementations
+ other.certificateTypes = self.certificateTypes
+ other.minVersion = self.minVersion
+ other.maxVersion = self.maxVersion
+
+ if not cipherfactory.tripleDESPresent:
+ other.cipherNames = [e for e in self.cipherNames if e != "3des"]
+ if len(other.cipherNames)==0:
+ raise ValueError("No supported ciphers")
+
+ try:
+ import cryptoIDlib
+ except ImportError:
+ other.certificateTypes = [e for e in self.certificateTypes \
+ if e != "cryptoID"]
+ if len(other.certificateTypes)==0:
+ raise ValueError("No supported certificate types")
+
+ if not cryptomath.cryptlibpyLoaded:
+ other.cipherImplementations = [e for e in \
+ self.cipherImplementations if e != "cryptlib"]
+ if not cryptomath.m2cryptoLoaded:
+ other.cipherImplementations = [e for e in \
+ other.cipherImplementations if e != "openssl"]
+ if not cryptomath.pycryptoLoaded:
+ other.cipherImplementations = [e for e in \
+ other.cipherImplementations if e != "pycrypto"]
+ if len(other.cipherImplementations)==0:
+ raise ValueError("No supported cipher implementations")
+
+ if other.minKeySize<512:
+ raise ValueError("minKeySize too small")
+ if other.minKeySize>16384:
+ raise ValueError("minKeySize too large")
+ if other.maxKeySize<512:
+ raise ValueError("maxKeySize too small")
+ if other.maxKeySize>16384:
+ raise ValueError("maxKeySize too large")
+ for s in other.cipherNames:
+ if s not in ("aes256", "aes128", "rc4", "3des"):
+ raise ValueError("Unknown cipher name: '%s'" % s)
+ for s in other.cipherImplementations:
+ if s not in ("cryptlib", "openssl", "python", "pycrypto"):
+ raise ValueError("Unknown cipher implementation: '%s'" % s)
+ for s in other.certificateTypes:
+ if s not in ("x509", "cryptoID"):
+ raise ValueError("Unknown certificate type: '%s'" % s)
+
+ if other.minVersion > other.maxVersion:
+ raise ValueError("Versions set incorrectly")
+
+ if not other.minVersion in ((3,0), (3,1), (3,2)):
+ raise ValueError("minVersion set incorrectly")
+
+ if not other.maxVersion in ((3,0), (3,1), (3,2)):
+ raise ValueError("maxVersion set incorrectly")
+
+ return other
+
+ def _getCertificateTypes(self):
+ l = []
+ for ct in self.certificateTypes:
+ if ct == "x509":
+ l.append(CertificateType.x509)
+ elif ct == "cryptoID":
+ l.append(CertificateType.cryptoID)
+ else:
+ raise AssertionError()
+ return l