Diffstat (limited to 'chromium/third_party/tlslite/tlslite/constants.py')
-rw-r--r--chromium/third_party/tlslite/tlslite/constants.py289
1 files changed, 206 insertions, 83 deletions
diff --git a/chromium/third_party/tlslite/tlslite/constants.py b/chromium/third_party/tlslite/tlslite/constants.py
index d027ef5f093..457b33934de 100644
--- a/chromium/third_party/tlslite/tlslite/constants.py
+++ b/chromium/third_party/tlslite/tlslite/constants.py
@@ -1,16 +1,28 @@
+# Authors:
+# Trevor Perrin
+# Google - defining ClientCertificateType
+# Google (adapted by Sam Rushing) - NPN support
+# Dimitris Moraitis - Anon ciphersuites
+# Dave Baggett (Arcode Corporation) - canonicalCipherName
+#
+# See the LICENSE file for legal information regarding use of this file.
+
"""Constants used in various places."""
class CertificateType:
x509 = 0
openpgp = 1
- cryptoID = 2
class ClientCertificateType:
+ # http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-2
rsa_sign = 1
dss_sign = 2
rsa_fixed_dh = 3
dss_fixed_dh = 4
-
+ ecdsa_sign = 64
+ rsa_fixed_ecdh = 65
+ ecdsa_fixed_ecdh = 66
+
class HandshakeType:
hello_request = 0
client_hello = 1
@@ -23,6 +35,7 @@ class HandshakeType:
client_key_exchange = 16
finished = 20
certificate_status = 22
+ next_protocol = 67
encrypted_extensions = 203
class ContentType:
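Review bot: `next_protocol = 67` is added with no comment saying where the code point comes from, while the ClientCertificateType addition in the previous hunk cites the IANA registry. As far as I know 67 is the value used by the NPN draft rather than a registered handshake type, so a trailing comment such as `# NPN draft, not IANA-assigned` would stop a later reader from searching the registry for it. The same gap applies to `tack`, `supports_npn` and `channel_id` in the ExtensionType hunk that follows. HandshakeType's body starts outside this hunk.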
@@ -35,10 +48,18 @@ class ContentType:
class CertificateStatusType:
ocsp = 1
-class ExtensionType:
- status_request = 5 # OCSP stapling
- signed_cert_timestamps = 18 # signed_certificate_timestamp in RFC 6962
- channel_id = 30031
+class ExtensionType: # RFC 6066 / 4366
+ server_name = 0 # RFC 6066 / 4366
+ status_request = 5 # RFC 6066 / 4366
+ srp = 12 # RFC 5054
+ cert_type = 9 # RFC 6091
+ signed_cert_timestamps = 18 # RFC 6962
+ tack = 0xF300
+ supports_npn = 13172
+ channel_id = 30032
+
+class NameType:
+ host_name = 0
class AlertLevel:
warning = 1
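Review bot: `channel_id` changes from 30031 to 30032 with no comment, and this value goes on the wire, so a peer still using the old number would presumably no longer recognise the extension. A comment naming the specification revision the new value tracks would make the change auditable, e.g. `channel_id = 30032 # <spec or draft reference>; was 30031`. Separately, the `# RFC 6066 / 4366` on the `class ExtensionType:` line reads as covering every member, which the per-line RFC 5054 / 6091 / 6962 comments contradict. `srp = 12` is also listed before `cert_type = 9`, so the members are no longer in numeric order.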
@@ -48,7 +69,7 @@ class AlertDescription:
"""
@cvar bad_record_mac: A TLS record failed to decrypt properly.
- If this occurs during a shared-key or SRP handshake it most likely
+ If this occurs during a SRP handshake it most likely
indicates a bad password. It may also indicate an implementation
error, or some tampering with the data in transit.
@@ -56,8 +77,6 @@ class AlertDescription:
may also be signalled by the server if the SRP username is unknown to the
server, but it doesn't wish to reveal that fact.
- This alert will be signalled by the client if the shared-key username is
- bad.
@cvar handshake_failure: A problem occurred while handshaking.
@@ -99,126 +118,232 @@ class AlertDescription:
inappropriate_fallback = 86
user_canceled = 90
no_renegotiation = 100
- unknown_srp_username = 120
- missing_srp_username = 121
- untrusted_srp_parameters = 122
+ unknown_psk_identity = 115
+
class CipherSuite:
- TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0x0050
- TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0x0053
- TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0x0056
+ # Weird pseudo-ciphersuite from RFC 5746
+ # Signals that "secure renegotiation" is supported
+ # We actually don't do any renegotiation, but this
+ # prevents renegotiation attacks
+ TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF
+
+ # draft-bmoeller-tls-downgrade-scsv-01
+ TLS_FALLBACK_SCSV = 0x5600
+
+ TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A
+ TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D
+ TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020
+
+ TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B
+ TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E
+ TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021
- TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0x0051
- TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0x0054
- TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0x0057
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035
TLS_RSA_WITH_RC4_128_SHA = 0x0005
+
+ TLS_RSA_WITH_RC4_128_MD5 = 0x0004
- srpSuites = []
- srpSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA)
- srpSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA)
- srpSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA)
- def getSrpSuites(ciphers):
- suites = []
- for cipher in ciphers:
- if cipher == "aes128":
- suites.append(CipherSuite.TLS_SRP_SHA_WITH_AES_128_CBC_SHA)
- elif cipher == "aes256":
- suites.append(CipherSuite.TLS_SRP_SHA_WITH_AES_256_CBC_SHA)
- elif cipher == "3des":
- suites.append(CipherSuite.TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA)
- return suites
- getSrpSuites = staticmethod(getSrpSuites)
-
- srpRsaSuites = []
- srpRsaSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA)
- srpRsaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA)
- srpRsaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA)
- def getSrpRsaSuites(ciphers):
- suites = []
- for cipher in ciphers:
- if cipher == "aes128":
- suites.append(CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA)
- elif cipher == "aes256":
- suites.append(CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA)
- elif cipher == "3des":
- suites.append(CipherSuite.TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA)
- return suites
- getSrpRsaSuites = staticmethod(getSrpRsaSuites)
-
- rsaSuites = []
- rsaSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
- rsaSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA)
- rsaSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA)
- rsaSuites.append(TLS_RSA_WITH_RC4_128_SHA)
- def getRsaSuites(ciphers):
- suites = []
- for cipher in ciphers:
- if cipher == "aes128":
- suites.append(CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA)
- elif cipher == "aes256":
- suites.append(CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA)
- elif cipher == "rc4":
- suites.append(CipherSuite.TLS_RSA_WITH_RC4_128_SHA)
- elif cipher == "3des":
- suites.append(CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA)
- return suites
- getRsaSuites = staticmethod(getRsaSuites)
+ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033
+ TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039
+
+ TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034
+ TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A
tripleDESSuites = []
tripleDESSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA)
tripleDESSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA)
tripleDESSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
+ tripleDESSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
aes128Suites = []
aes128Suites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA)
aes128Suites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA)
aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA)
+ aes128Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
+ aes128Suites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA)
aes256Suites = []
aes256Suites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA)
aes256Suites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA)
aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA)
+ aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
+ aes256Suites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA)
rc4Suites = []
rc4Suites.append(TLS_RSA_WITH_RC4_128_SHA)
+ rc4Suites.append(TLS_RSA_WITH_RC4_128_MD5)
+
+ shaSuites = []
+ shaSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA)
+ shaSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA)
+ shaSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA)
+ shaSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA)
+ shaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA)
+ shaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA)
+ shaSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
+ shaSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA)
+ shaSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA)
+ shaSuites.append(TLS_RSA_WITH_RC4_128_SHA)
+ shaSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
+ shaSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
+ shaSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
+ shaSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA)
+ shaSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA)
+
+ md5Suites = []
+ md5Suites.append(TLS_RSA_WITH_RC4_128_MD5)
+
+ @staticmethod
+ def _filterSuites(suites, settings):
+ macNames = settings.macNames
+ cipherNames = settings.cipherNames
+ keyExchangeNames = settings.keyExchangeNames
+ macSuites = []
+ if "sha" in macNames:
+ macSuites += CipherSuite.shaSuites
+ if "md5" in macNames:
+ macSuites += CipherSuite.md5Suites
+
+ cipherSuites = []
+ if "aes128" in cipherNames:
+ cipherSuites += CipherSuite.aes128Suites
+ if "aes256" in cipherNames:
+ cipherSuites += CipherSuite.aes256Suites
+ if "3des" in cipherNames:
+ cipherSuites += CipherSuite.tripleDESSuites
+ if "rc4" in cipherNames:
+ cipherSuites += CipherSuite.rc4Suites
+
+ keyExchangeSuites = []
+ if "rsa" in keyExchangeNames:
+ keyExchangeSuites += CipherSuite.certSuites
+ if "dhe_rsa" in keyExchangeNames:
+ keyExchangeSuites += CipherSuite.dheCertSuites
+ if "srp_sha" in keyExchangeNames:
+ keyExchangeSuites += CipherSuite.srpSuites
+ if "srp_sha_rsa" in keyExchangeNames:
+ keyExchangeSuites += CipherSuite.srpCertSuites
+ if "dh_anon" in keyExchangeNames:
+ keyExchangeSuites += CipherSuite.anonSuites
+
+ return [s for s in suites if s in macSuites and
+ s in cipherSuites and s in keyExchangeSuites]
-
+ srpSuites = []
+ srpSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA)
+ srpSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA)
+ srpSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA)
+
+ @staticmethod
+ def getSrpSuites(settings):
+ return CipherSuite._filterSuites(CipherSuite.srpSuites, settings)
+
+ srpCertSuites = []
+ srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA)
+ srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA)
+ srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA)
+
+ @staticmethod
+ def getSrpCertSuites(settings):
+ return CipherSuite._filterSuites(CipherSuite.srpCertSuites, settings)
+
+ srpAllSuites = srpCertSuites + srpSuites
+
+ @staticmethod
+ def getSrpAllSuites(settings):
+ return CipherSuite._filterSuites(CipherSuite.srpAllSuites, settings)
+
+ certSuites = []
+ certSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA)
+ certSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA)
+ certSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA)
+ certSuites.append(TLS_RSA_WITH_RC4_128_SHA)
+ certSuites.append(TLS_RSA_WITH_RC4_128_MD5)
+
+ @staticmethod
+ def getCertSuites(settings):
+ return CipherSuite._filterSuites(CipherSuite.certSuites, settings)
+
+ dheCertSuites = []
+ dheCertSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
+ dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
+ dheCertSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA)
+
+ @staticmethod
+ def getDheCertSuites(settings):
+ return CipherSuite._filterSuites(CipherSuite.dheCertSuites, settings)
+
+ certAllSuites = srpCertSuites + certSuites + dheCertSuites
+
+ anonSuites = []
+ anonSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA)
+ anonSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA)
+
+ @staticmethod
+ def getAnonSuites(settings):
+ return CipherSuite._filterSuites(CipherSuite.anonSuites, settings)
+
+ dhAllSuites = dheCertSuites + anonSuites
+
+ @staticmethod
+ def canonicalCipherName(ciphersuite):
+ "Return the canonical name of the cipher whose number is provided."
+ if ciphersuite in CipherSuite.aes128Suites:
+ return "aes128"
+ elif ciphersuite in CipherSuite.aes256Suites:
+ return "aes256"
+ elif ciphersuite in CipherSuite.rc4Suites:
+ return "rc4"
+ elif ciphersuite in CipherSuite.tripleDESSuites:
+ return "3des"
+ else:
+ return None
+
+ @staticmethod
+ def canonicalMacName(ciphersuite):
+ "Return the canonical name of the MAC whose number is provided."
+ if ciphersuite in CipherSuite.shaSuites:
+ return "sha"
+ elif ciphersuite in CipherSuite.md5Suites:
+ return "md5"
+ else:
+ return None
+
+
+# The following faults are induced as part of testing. The faultAlerts
+# dictionary describes the allowed alerts that may be triggered by these
+# faults.
class Fault:
badUsername = 101
badPassword = 102
badA = 103
- clientSrpFaults = range(101,104)
+ clientSrpFaults = list(range(101,104))
badVerifyMessage = 601
- clientCertFaults = range(601,602)
+ clientCertFaults = list(range(601,602))
badPremasterPadding = 501
shortPremasterSecret = 502
- clientNoAuthFaults = range(501,503)
-
- badIdentifier = 401
- badSharedKey = 402
- clientSharedKeyFaults = range(401,403)
+ clientNoAuthFaults = list(range(501,503))
badB = 201
- serverFaults = range(201,202)
+ serverFaults = list(range(201,202))
badFinished = 300
badMAC = 301
badPadding = 302
- genericFaults = range(300,303)
+ genericFaults = list(range(300,303))
faultAlerts = {\
- badUsername: (AlertDescription.unknown_srp_username, \
+ badUsername: (AlertDescription.unknown_psk_identity, \
AlertDescription.bad_record_mac),\
badPassword: (AlertDescription.bad_record_mac,),\
badA: (AlertDescription.illegal_parameter,),\
- badIdentifier: (AlertDescription.handshake_failure,),\
- badSharedKey: (AlertDescription.bad_record_mac,),\
badPremasterPadding: (AlertDescription.bad_record_mac,),\
shortPremasterSecret: (AlertDescription.bad_record_mac,),\
badVerifyMessage: (AlertDescription.decrypt_error,),\
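Review bot: The new `anonSuites` (TLS_DH_ANON_*) and `TLS_RSA_WITH_RC4_128_MD5` entries carry no comment marking them as weak, although anonymous DH gives no peer authentication and so no protection against an active man-in-the-middle. `_filterSuites` returns them only when `"dh_anon"`, `"rc4"` or `"md5"` appear in `settings`, but that object's defaults are not visible in this file, so it is worth confirming these names are off by default. I would add `# Unauthenticated key exchange; offered only when "dh_anon" is explicitly in settings.keyExchangeNames` above `anonSuites = []`. `dhAllSuites` also mixes `dheCertSuites` with `anonSuites`, so a caller that uses it to choose the key-exchange path presumably has to tell authenticated and anonymous suites apart itself. Finally, `_filterSuites` relies on every suite being listed by hand in a MAC list, a cipher list and a key-exchange list, and a suite missing from any one of them is dropped silently.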
@@ -231,8 +356,6 @@ class Fault:
badUsername: "bad username",\
badPassword: "bad password",\
badA: "bad A",\
- badIdentifier: "bad identifier",\
- badSharedKey: "bad sharedkey",\
badPremasterPadding: "bad premaster padding",\
shortPremasterSecret: "short premaster secret",\
badVerifyMessage: "bad verify message",\