Package tlslite :: Module constants
[hide private]
[frames] | no frames]

Source Code for Module tlslite.constants

  1  # Authors:  
  2  #   Trevor Perrin 
  3  #   Google - defining ClientCertificateType 
  4  #   Google (adapted by Sam Rushing) - NPN support 
  5  #   Dimitris Moraitis - Anon ciphersuites 
  6  #   Dave Baggett (Arcode Corporation) - canonicalCipherName 
  7  # 
  8  # See the LICENSE file for legal information regarding use of this file. 
  9   
 10  """Constants used in various places.""" 
11 12 -class CertificateType:
13 x509 = 0 14 openpgp = 1
15
16 -class ClientCertificateType:
17 rsa_sign = 1 18 dss_sign = 2 19 rsa_fixed_dh = 3 20 dss_fixed_dh = 4
21
22 -class HandshakeType:
23 hello_request = 0 24 client_hello = 1 25 server_hello = 2 26 certificate = 11 27 server_key_exchange = 12 28 certificate_request = 13 29 server_hello_done = 14 30 certificate_verify = 15 31 client_key_exchange = 16 32 finished = 20 33 next_protocol = 67
34
35 -class ContentType:
36 change_cipher_spec = 20 37 alert = 21 38 handshake = 22 39 application_data = 23 40 all = (20,21,22,23)
41
42 -class ExtensionType: # RFC 6066 / 4366
43 server_name = 0 # RFC 6066 / 4366 44 srp = 12 # RFC 5054 45 cert_type = 9 # RFC 6091 46 tack = 0xF300 47 supports_npn = 13172 48
49 -class NameType:
50 host_name = 0
51
52 -class AlertLevel:
53 warning = 1 54 fatal = 2
55
56 -class AlertDescription:
57 """ 58 @cvar bad_record_mac: A TLS record failed to decrypt properly. 59 60 If this occurs during a SRP handshake it most likely 61 indicates a bad password. It may also indicate an implementation 62 error, or some tampering with the data in transit. 63 64 This alert will be signalled by the server if the SRP password is bad. It 65 may also be signalled by the server if the SRP username is unknown to the 66 server, but it doesn't wish to reveal that fact. 67 68 69 @cvar handshake_failure: A problem occurred while handshaking. 70 71 This typically indicates a lack of common ciphersuites between client and 72 server, or some other disagreement (about SRP parameters or key sizes, 73 for example). 74 75 @cvar protocol_version: The other party's SSL/TLS version was unacceptable. 76 77 This indicates that the client and server couldn't agree on which version 78 of SSL or TLS to use. 79 80 @cvar user_canceled: The handshake is being cancelled for some reason. 81 82 """ 83 84 close_notify = 0 85 unexpected_message = 10 86 bad_record_mac = 20 87 decryption_failed = 21 88 record_overflow = 22 89 decompression_failure = 30 90 handshake_failure = 40 91 no_certificate = 41 #SSLv3 92 bad_certificate = 42 93 unsupported_certificate = 43 94 certificate_revoked = 44 95 certificate_expired = 45 96 certificate_unknown = 46 97 illegal_parameter = 47 98 unknown_ca = 48 99 access_denied = 49 100 decode_error = 50 101 decrypt_error = 51 102 export_restriction = 60 103 protocol_version = 70 104 insufficient_security = 71 105 internal_error = 80 106 user_canceled = 90 107 no_renegotiation = 100 108 unknown_psk_identity = 115
109
110 111 -class CipherSuite:
112 # Weird pseudo-ciphersuite from RFC 5746 113 # Signals that "secure renegotiation" is supported 114 # We actually don't do any renegotiation, but this 115 # prevents renegotiation attacks 116 TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF 117 118 TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A 119 TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D 120 TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020 121 122 TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B 123 TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E 124 TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021 125 126 127 TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A 128 TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F 129 TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035 130 TLS_RSA_WITH_RC4_128_SHA = 0x0005 131 132 TLS_RSA_WITH_RC4_128_MD5 = 0x0004 133 134 TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034 135 TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A 136 137 tripleDESSuites = [] 138 tripleDESSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) 139 tripleDESSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) 140 tripleDESSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) 141 142 aes128Suites = [] 143 aes128Suites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) 144 aes128Suites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) 145 aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA) 146 aes128Suites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) 147 148 aes256Suites = [] 149 aes256Suites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) 150 aes256Suites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) 151 aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA) 152 aes256Suites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) 153 154 rc4Suites = [] 155 rc4Suites.append(TLS_RSA_WITH_RC4_128_SHA) 156 rc4Suites.append(TLS_RSA_WITH_RC4_128_MD5) 157 158 shaSuites = [] 159 shaSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) 160 shaSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) 161 shaSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) 162 shaSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) 163 shaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) 164 shaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) 165 shaSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) 166 shaSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA) 167 shaSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA) 168 shaSuites.append(TLS_RSA_WITH_RC4_128_SHA) 169 shaSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) 170 shaSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) 171 172 md5Suites = [] 173 md5Suites.append(TLS_RSA_WITH_RC4_128_MD5) 174 175 @staticmethod
176 - def _filterSuites(suites, settings):
177 macNames = settings.macNames 178 cipherNames = settings.cipherNames 179 macSuites = [] 180 if "sha" in macNames: 181 macSuites += CipherSuite.shaSuites 182 if "md5" in macNames: 183 macSuites += CipherSuite.md5Suites 184 185 cipherSuites = [] 186 if "aes128" in cipherNames: 187 cipherSuites += CipherSuite.aes128Suites 188 if "aes256" in cipherNames: 189 cipherSuites += CipherSuite.aes256Suites 190 if "3des" in cipherNames: 191 cipherSuites += CipherSuite.tripleDESSuites 192 if "rc4" in cipherNames: 193 cipherSuites += CipherSuite.rc4Suites 194 195 return [s for s in suites if s in macSuites and s in cipherSuites]
196 197 srpSuites = [] 198 srpSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) 199 srpSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) 200 srpSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) 201 202 @staticmethod
203 - def getSrpSuites(settings):
205 206 srpCertSuites = [] 207 srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) 208 srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) 209 srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) 210 211 @staticmethod
212 - def getSrpCertSuites(settings):
214 215 srpAllSuites = srpSuites + srpCertSuites 216 217 @staticmethod
218 - def getSrpAllSuites(settings):
220 221 certSuites = [] 222 certSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) 223 certSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA) 224 certSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA) 225 certSuites.append(TLS_RSA_WITH_RC4_128_SHA) 226 certSuites.append(TLS_RSA_WITH_RC4_128_MD5) 227 certAllSuites = srpCertSuites + certSuites 228 229 @staticmethod
230 - def getCertSuites(settings):
232 233 anonSuites = [] 234 anonSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) 235 anonSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) 236 237 @staticmethod
238 - def getAnonSuites(settings):
240 241 @staticmethod
242 - def canonicalCipherName(ciphersuite):
243 "Return the canonical name of the cipher whose number is provided." 244 if ciphersuite in CipherSuite.aes128Suites: 245 return "aes128" 246 elif ciphersuite in CipherSuite.aes256Suites: 247 return "aes256" 248 elif ciphersuite in CipherSuite.rc4Suites: 249 return "rc4" 250 elif ciphersuite in CipherSuite.tripleDESSuites: 251 return "3des" 252 else: 253 return None
254 255 @staticmethod
256 - def canonicalMacName(ciphersuite):
257 "Return the canonical name of the MAC whose number is provided." 258 if ciphersuite in CipherSuite.shaSuites: 259 return "sha" 260 elif ciphersuite in CipherSuite.md5Suites: 261 return "md5" 262 else: 263 return None
264
265 266 # The following faults are induced as part of testing. The faultAlerts 267 # dictionary describes the allowed alerts that may be triggered by these 268 # faults. 269 -class Fault:
270 badUsername = 101 271 badPassword = 102 272 badA = 103 273 clientSrpFaults = list(range(101,104)) 274 275 badVerifyMessage = 601 276 clientCertFaults = list(range(601,602)) 277 278 badPremasterPadding = 501 279 shortPremasterSecret = 502 280 clientNoAuthFaults = list(range(501,503)) 281 282 badB = 201 283 serverFaults = list(range(201,202)) 284 285 badFinished = 300 286 badMAC = 301 287 badPadding = 302 288 genericFaults = list(range(300,303)) 289 290 faultAlerts = {\ 291 badUsername: (AlertDescription.unknown_psk_identity, \ 292 AlertDescription.bad_record_mac),\ 293 badPassword: (AlertDescription.bad_record_mac,),\ 294 badA: (AlertDescription.illegal_parameter,),\ 295 badPremasterPadding: (AlertDescription.bad_record_mac,),\ 296 shortPremasterSecret: (AlertDescription.bad_record_mac,),\ 297 badVerifyMessage: (AlertDescription.decrypt_error,),\ 298 badFinished: (AlertDescription.decrypt_error,),\ 299 badMAC: (AlertDescription.bad_record_mac,),\ 300 badPadding: (AlertDescription.bad_record_mac,) 301 } 302 303 faultNames = {\ 304 badUsername: "bad username",\ 305 badPassword: "bad password",\ 306 badA: "bad A",\ 307 badPremasterPadding: "bad premaster padding",\ 308 shortPremasterSecret: "short premaster secret",\ 309 badVerifyMessage: "bad verify message",\ 310 badFinished: "bad finished message",\ 311 badMAC: "bad MAC",\ 312 badPadding: "bad padding" 313 }
314