Diffstat (limited to 'chromium/third_party/tlslite/tlslite/constants.py')
-rw-r--r-- | chromium/third_party/tlslite/tlslite/constants.py | 289 |
1 files changed, 206 insertions, 83 deletions
diff --git a/chromium/third_party/tlslite/tlslite/constants.py b/chromium/third_party/tlslite/tlslite/constants.py index d027ef5f093..457b33934de 100644 --- a/chromium/third_party/tlslite/tlslite/constants.py +++ b/chromium/third_party/tlslite/tlslite/constants.py @@ -1,16 +1,28 @@ +# Authors: +# Trevor Perrin +# Google - defining ClientCertificateType +# Google (adapted by Sam Rushing) - NPN support +# Dimitris Moraitis - Anon ciphersuites +# Dave Baggett (Arcode Corporation) - canonicalCipherName +# +# See the LICENSE file for legal information regarding use of this file. + """Constants used in various places.""" class CertificateType: x509 = 0 openpgp = 1 - cryptoID = 2 class ClientCertificateType: + # http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-2 rsa_sign = 1 dss_sign = 2 rsa_fixed_dh = 3 dss_fixed_dh = 4 - + ecdsa_sign = 64 + rsa_fixed_ecdh = 65 + ecdsa_fixed_ecdh = 66 + class HandshakeType: hello_request = 0 client_hello = 1 @@ -23,6 +35,7 @@ class HandshakeType: client_key_exchange = 16 finished = 20 certificate_status = 22 + next_protocol = 67 encrypted_extensions = 203 class ContentType: @@ -35,10 +48,18 @@ class ContentType: class CertificateStatusType: ocsp = 1 -class ExtensionType: - status_request = 5 # OCSP stapling - signed_cert_timestamps = 18 # signed_certificate_timestamp in RFC 6962 - channel_id = 30031 +class ExtensionType: # RFC 6066 / 4366 + server_name = 0 # RFC 6066 / 4366 + status_request = 5 # RFC 6066 / 4366 + srp = 12 # RFC 5054 + cert_type = 9 # RFC 6091 + signed_cert_timestamps = 18 # RFC 6962 + tack = 0xF300 + supports_npn = 13172 + channel_id = 30032 + +class NameType: + host_name = 0 class AlertLevel: warning = 1 
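Review bot: In `ExtensionType`, `channel_id` changes from 30031 to 30032 with no comment explaining why, and `tack = 0xF300`, `supports_npn = 13172` and `channel_id` carry no reference while every other entry cites an RFC. These three are presumably draft or private-use code points rather than IANA assignments; that should be confirmed and stated, because a changed extension number is a wire-format change that a peer still using the old value will not recognise. I would add a trailing comment on each, for example `# draft / private-use code point, not IANA-assigned (confirm)`, and record the reason for the 30031 to 30032 change next to `channel_id`. As a style point, `srp = 12` is listed before `cert_type = 9`, and the `# RFC 6066 / 4366` comment on the class line does not hold for the whole table; numeric order and per-entry references make the list easier to audit against the registry.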
@@ -48,7 +69,7 @@ class AlertDescription: """ @cvar bad_record_mac: A TLS record failed to decrypt properly. - If this occurs during a shared-key or SRP handshake it most likely + If this occurs during a SRP handshake it most likely indicates a bad password. It may also indicate an implementation error, or some tampering with the data in transit. @@ -56,8 +77,6 @@ class AlertDescription: may also be signalled by the server if the SRP username is unknown to the server, but it doesn't wish to reveal that fact. - This alert will be signalled by the client if the shared-key username is - bad. @cvar handshake_failure: A problem occurred while handshaking. 
@@ -99,126 +118,232 @@ class AlertDescription: inappropriate_fallback = 86 user_canceled = 90 no_renegotiation = 100 - unknown_srp_username = 120 - missing_srp_username = 121 - untrusted_srp_parameters = 122 + unknown_psk_identity = 115 + class CipherSuite: - TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0x0050 - TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0x0053 - TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0x0056 + # Weird pseudo-ciphersuite from RFC 5746 + # Signals that "secure renegotiation" is supported + # We actually don't do any renegotiation, but this + # prevents renegotiation attacks + TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF + + # draft-bmoeller-tls-downgrade-scsv-01 + TLS_FALLBACK_SCSV = 0x5600 + + TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA = 0xC01A + TLS_SRP_SHA_WITH_AES_128_CBC_SHA = 0xC01D + TLS_SRP_SHA_WITH_AES_256_CBC_SHA = 0xC020 + + TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0xC01B + TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0xC01E + TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0xC021 - TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA = 0x0051 - TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA = 0x0054 - TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA = 0x0057 TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035 TLS_RSA_WITH_RC4_128_SHA = 0x0005 + + TLS_RSA_WITH_RC4_128_MD5 = 0x0004 - srpSuites = [] - srpSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) - srpSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) - srpSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) - def getSrpSuites(ciphers): - suites = [] - for cipher in ciphers: - if cipher == "aes128": - suites.append(CipherSuite.TLS_SRP_SHA_WITH_AES_128_CBC_SHA) - elif cipher == "aes256": - suites.append(CipherSuite.TLS_SRP_SHA_WITH_AES_256_CBC_SHA) - elif cipher == "3des": - suites.append(CipherSuite.TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) - return suites - getSrpSuites = staticmethod(getSrpSuites) - - srpRsaSuites = [] - srpRsaSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) - 
srpRsaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) - srpRsaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) - def getSrpRsaSuites(ciphers): - suites = [] - for cipher in ciphers: - if cipher == "aes128": - suites.append(CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) - elif cipher == "aes256": - suites.append(CipherSuite.TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) - elif cipher == "3des": - suites.append(CipherSuite.TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) - return suites - getSrpRsaSuites = staticmethod(getSrpRsaSuites) - - rsaSuites = [] - rsaSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) - rsaSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA) - rsaSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA) - rsaSuites.append(TLS_RSA_WITH_RC4_128_SHA) - def getRsaSuites(ciphers): - suites = [] - for cipher in ciphers: - if cipher == "aes128": - suites.append(CipherSuite.TLS_RSA_WITH_AES_128_CBC_SHA) - elif cipher == "aes256": - suites.append(CipherSuite.TLS_RSA_WITH_AES_256_CBC_SHA) - elif cipher == "rc4": - suites.append(CipherSuite.TLS_RSA_WITH_RC4_128_SHA) - elif cipher == "3des": - suites.append(CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA) - return suites - getRsaSuites = staticmethod(getRsaSuites) + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016 + TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033 + TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039 + + TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034 + TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A tripleDESSuites = [] tripleDESSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) tripleDESSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) tripleDESSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) + tripleDESSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) aes128Suites = [] aes128Suites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) aes128Suites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) aes128Suites.append(TLS_RSA_WITH_AES_128_CBC_SHA) + aes128Suites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA) + aes128Suites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) aes256Suites = [] 
aes256Suites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) aes256Suites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) aes256Suites.append(TLS_RSA_WITH_AES_256_CBC_SHA) + aes256Suites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) + aes256Suites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) rc4Suites = [] rc4Suites.append(TLS_RSA_WITH_RC4_128_SHA) + rc4Suites.append(TLS_RSA_WITH_RC4_128_MD5) + + shaSuites = [] + shaSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) + shaSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) + shaSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) + shaSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) + shaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) + shaSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) + shaSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) + shaSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA) + shaSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA) + shaSuites.append(TLS_RSA_WITH_RC4_128_SHA) + shaSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) + shaSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA) + shaSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) + shaSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) + shaSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) + + md5Suites = [] + md5Suites.append(TLS_RSA_WITH_RC4_128_MD5) + + @staticmethod + def _filterSuites(suites, settings): + macNames = settings.macNames + cipherNames = settings.cipherNames + keyExchangeNames = settings.keyExchangeNames + macSuites = [] + if "sha" in macNames: + macSuites += CipherSuite.shaSuites + if "md5" in macNames: + macSuites += CipherSuite.md5Suites + + cipherSuites = [] + if "aes128" in cipherNames: + cipherSuites += CipherSuite.aes128Suites + if "aes256" in cipherNames: + cipherSuites += CipherSuite.aes256Suites + if "3des" in cipherNames: + cipherSuites += CipherSuite.tripleDESSuites + if "rc4" in cipherNames: + cipherSuites += CipherSuite.rc4Suites + + keyExchangeSuites = [] + if "rsa" in keyExchangeNames: + keyExchangeSuites += CipherSuite.certSuites + if "dhe_rsa" in 
keyExchangeNames: + keyExchangeSuites += CipherSuite.dheCertSuites + if "srp_sha" in keyExchangeNames: + keyExchangeSuites += CipherSuite.srpSuites + if "srp_sha_rsa" in keyExchangeNames: + keyExchangeSuites += CipherSuite.srpCertSuites + if "dh_anon" in keyExchangeNames: + keyExchangeSuites += CipherSuite.anonSuites + + return [s for s in suites if s in macSuites and + s in cipherSuites and s in keyExchangeSuites] - + srpSuites = [] + srpSuites.append(TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA) + srpSuites.append(TLS_SRP_SHA_WITH_AES_128_CBC_SHA) + srpSuites.append(TLS_SRP_SHA_WITH_AES_256_CBC_SHA) + + @staticmethod + def getSrpSuites(settings): + return CipherSuite._filterSuites(CipherSuite.srpSuites, settings) + + srpCertSuites = [] + srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA) + srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA) + srpCertSuites.append(TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA) + + @staticmethod + def getSrpCertSuites(settings): + return CipherSuite._filterSuites(CipherSuite.srpCertSuites, settings) + + srpAllSuites = srpCertSuites + srpSuites + + @staticmethod + def getSrpAllSuites(settings): + return CipherSuite._filterSuites(CipherSuite.srpAllSuites, settings) + + certSuites = [] + certSuites.append(TLS_RSA_WITH_3DES_EDE_CBC_SHA) + certSuites.append(TLS_RSA_WITH_AES_128_CBC_SHA) + certSuites.append(TLS_RSA_WITH_AES_256_CBC_SHA) + certSuites.append(TLS_RSA_WITH_RC4_128_SHA) + certSuites.append(TLS_RSA_WITH_RC4_128_MD5) + + @staticmethod + def getCertSuites(settings): + return CipherSuite._filterSuites(CipherSuite.certSuites, settings) + + dheCertSuites = [] + dheCertSuites.append(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA) + dheCertSuites.append(TLS_DHE_RSA_WITH_AES_128_CBC_SHA) + dheCertSuites.append(TLS_DHE_RSA_WITH_AES_256_CBC_SHA) + + @staticmethod + def getDheCertSuites(settings): + return CipherSuite._filterSuites(CipherSuite.dheCertSuites, settings) + + certAllSuites = srpCertSuites + certSuites + dheCertSuites + + anonSuites = [] + 
anonSuites.append(TLS_DH_ANON_WITH_AES_128_CBC_SHA) + anonSuites.append(TLS_DH_ANON_WITH_AES_256_CBC_SHA) + + @staticmethod + def getAnonSuites(settings): + return CipherSuite._filterSuites(CipherSuite.anonSuites, settings) + + dhAllSuites = dheCertSuites + anonSuites + + @staticmethod + def canonicalCipherName(ciphersuite): + "Return the canonical name of the cipher whose number is provided." + if ciphersuite in CipherSuite.aes128Suites: + return "aes128" + elif ciphersuite in CipherSuite.aes256Suites: + return "aes256" + elif ciphersuite in CipherSuite.rc4Suites: + return "rc4" + elif ciphersuite in CipherSuite.tripleDESSuites: + return "3des" + else: + return None + + @staticmethod + def canonicalMacName(ciphersuite): + "Return the canonical name of the MAC whose number is provided." + if ciphersuite in CipherSuite.shaSuites: + return "sha" + elif ciphersuite in CipherSuite.md5Suites: + return "md5" + else: + return None + + +# The following faults are induced as part of testing. The faultAlerts +# dictionary describes the allowed alerts that may be triggered by these +# faults. 
class Fault: badUsername = 101 badPassword = 102 badA = 103 - clientSrpFaults = range(101,104) + clientSrpFaults = list(range(101,104)) badVerifyMessage = 601 - clientCertFaults = range(601,602) + clientCertFaults = list(range(601,602)) badPremasterPadding = 501 shortPremasterSecret = 502 - clientNoAuthFaults = range(501,503) - - badIdentifier = 401 - badSharedKey = 402 - clientSharedKeyFaults = range(401,403) + clientNoAuthFaults = list(range(501,503)) badB = 201 - serverFaults = range(201,202) + serverFaults = list(range(201,202)) badFinished = 300 badMAC = 301 badPadding = 302 - genericFaults = range(300,303) + genericFaults = list(range(300,303)) faultAlerts = {\ - badUsername: (AlertDescription.unknown_srp_username, \ + badUsername: (AlertDescription.unknown_psk_identity, \ AlertDescription.bad_record_mac),\ badPassword: (AlertDescription.bad_record_mac,),\ badA: (AlertDescription.illegal_parameter,),\ - badIdentifier: (AlertDescription.handshake_failure,),\ - badSharedKey: (AlertDescription.bad_record_mac,),\ badPremasterPadding: (AlertDescription.bad_record_mac,),\ shortPremasterSecret: (AlertDescription.bad_record_mac,),\ badVerifyMessage: (AlertDescription.decrypt_error,),\ @@ -231,8 +356,6 @@ class Fault: badUsername: "bad username",\ badPassword: "bad password",\ badA: "bad A",\ - badIdentifier: "bad identifier",\ - badSharedKey: "bad sharedkey",\ badPremasterPadding: "bad premaster padding",\ shortPremasterSecret: "short premaster secret",\ badVerifyMessage: "bad verify message",\ |
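Review bot: The new `TLS_DH_ANON_WITH_AES_128_CBC_SHA` and `TLS_DH_ANON_WITH_AES_256_CBC_SHA` constants and the `anonSuites` list are added with no comment that anonymous DH provides no peer authentication, and `dhAllSuites = dheCertSuites + anonSuites` groups them with authenticated suites. `_filterSuites` only returns them when `"dh_anon"` is in `settings.keyExchangeNames`, so whether they are off by default depends on the settings defaults, which are outside this hunk and worth confirming. I would add `# No peer authentication: an active man-in-the-middle is not detected; enable only explicitly` above `anonSuites`, and a similar legacy marker above `TLS_RSA_WITH_RC4_128_MD5` and `md5Suites`. `_filterSuites` also needs a docstring saying it returns the members of `suites` that appear in all three of the MAC, cipher and key-exchange groups selected by `settings`, which means a suite constant that is not appended to one list in each group is silently never offered.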