tlslite/tlsconnection.py
# Authors:
# Trevor Perrin
# Google - added reqCAs parameter
# Google (adapted by Sam Rushing and Marcelo Fernandez) - NPN support
# Google - FALLBACK_SCSV
# Dimitris Moraitis - Anon ciphersuites
# Martin von Loewis - python 3 port
# Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2
# Hubert Kario - complete refactoring of key exchange methods, addition
# of ECDH support
#
# See the LICENSE file for legal information regarding use of this file.
"""
MAIN CLASS FOR TLS LITE (START HERE!).
"""
from __future__ import division
import time
import socket
from itertools import chain
from .utils.compat import formatExceptionTrace
from .tlsrecordlayer import TLSRecordLayer
from .session import Session, Ticket
from .constants import *
from .utils.cryptomath import derive_secret, getRandomBytes, HKDF_expand_label
from .utils.dns_utils import is_valid_hostname
from .utils.lists import getFirstMatching
from .errors import *
from .messages import *
from .mathtls import *
from .handshakesettings import HandshakeSettings, KNOWN_VERSIONS, CURVE_ALIASES
from .handshakehashes import HandshakeHashes
from .utils.tackwrapper import *
from .utils.deprecations import deprecated_params
from .keyexchange import KeyExchange, RSAKeyExchange, DHE_RSAKeyExchange, \
ECDHE_RSAKeyExchange, SRPKeyExchange, ADHKeyExchange, \
AECDHKeyExchange, FFDHKeyExchange, ECDHKeyExchange, KEMKeyExchange
from .handshakehelpers import HandshakeHelpers
from .utils.cipherfactory import createAESCCM, createAESCCM_8, \
createAESGCM, createCHACHA20
from .utils.compression import choose_compression_send_algo
class TLSConnection(TLSRecordLayer):
"""
This class wraps a socket and provides TLS handshaking and data transfer.
To use this class, create a new instance, passing a connected
socket into the constructor. Then call some handshake function.
If the handshake completes without raising an exception, then a TLS
connection has been negotiated. You can transfer data over this
connection as if it were a socket.
This class provides both synchronous and asynchronous versions of
its key functions. The synchronous versions should be used when
writing single-or multi-threaded code using blocking sockets. The
asynchronous versions should be used when performing asynchronous,
event-based I/O with non-blocking sockets.
Asynchronous I/O is a complicated subject; typically, you should
not use the asynchronous functions directly, but should use some
framework like asyncore or Twisted which TLS Lite integrates with
(see
:py:class:`~.integration.tlsasyncdispatchermixin.TLSAsyncDispatcherMixIn`).
:vartype client_cert_compression_algo: str
:ivar client_cert_compression_algo: Set to the compression algorithm used
for the compression of the client certificate. In the case of multiple
post-handshake authentication only the algorithm of the last
certificate compression is reflected. If certificate compression wasn't
used then it is set to None.
:vartype server_cert_compression_algo: str
:ivar server_cert_compression_algo: Set to the compression algorithm used
for the compression of the server certificate. If certificate
compression wasn't used then it is set to None.
"""
def __init__(self, sock):
"""Create a new TLSConnection instance.
:param sock: The socket data will be transmitted on. The
socket should already be connected. It may be in blocking or
non-blocking mode.
:type sock: socket.socket
"""
TLSRecordLayer.__init__(self, sock)
self.serverSigAlg = None
self.ecdhCurve = None
self.dhGroupSize = None
self.extendedMasterSecret = False
self._clientRandom = bytearray(0)
self._serverRandom = bytearray(0)
self.next_proto = None
# whether the CCS was already sent in the connection (for hello retry)
self._ccs_sent = False
# if and how big is the limit on records peer is willing to accept
# used only for TLS 1.2 and earlier
self._peer_record_size_limit = None
self._pha_supported = False
self.client_cert_compression_algo = None
self.server_cert_compression_algo = None
def keyingMaterialExporter(self, label, length=20):
"""Return keying material as described in RFC 5705
:type label: bytearray
:param label: label to be provided for the exporter
:type length: int
:param length: number of bytes of the keying material to export
"""
if label in (b'server finished', b'client finished',
b'master secret', b'key expansion'):
raise ValueError("Forbidden label value")
if self.version < (3, 1):
raise ValueError("Supported only in TLSv1.0 and later")
elif self.version < (3, 3):
return PRF(self.session.masterSecret, label,
self._clientRandom + self._serverRandom,
length)
elif self.version == (3, 3):
if self.session.cipherSuite in CipherSuite.sha384PrfSuites:
return PRF_1_2_SHA384(self.session.masterSecret, label,
self._clientRandom + self._serverRandom,
length)
else:
return PRF_1_2(self.session.masterSecret, label,
self._clientRandom + self._serverRandom,
length)
elif self.version == (3, 4):
prf = 'sha256'
if self.session.cipherSuite in CipherSuite.sha384PrfSuites:
prf = 'sha384'
secret = derive_secret(self.session.exporterMasterSecret, label,
None, prf)
ctxhash = secureHash(bytearray(b''), prf)
return HKDF_expand_label(secret, b"exporter", ctxhash, length, prf)
else:
raise AssertionError("Unknown protocol version")
#*********************************************************
# Client Handshake Functions
#*********************************************************
@deprecated_params({"async_": "async"},
"'{old_name}' is a keyword in Python 3.7, use"
"'{new_name}'")
def handshakeClientAnonymous(self, session=None, settings=None,
checker=None, serverName=None,
async_=False):
"""Perform an anonymous handshake in the role of client.
This function performs an SSL or TLS handshake using an
anonymous Diffie Hellman ciphersuite.
Like any handshake function, this can be called on a closed
TLS connection, or on a TLS connection that is already open.
If called on an open connection it performs a re-handshake.
If the function completes without raising an exception, the
TLS connection will be open and available for data transfer.
If an exception is raised, the connection will have been
automatically closed (if it was ever open).
:type session: ~tlslite.session.Session
:param session: A TLS session to attempt to resume. If the
resumption does not succeed, a full handshake will be
performed.
:type settings: ~tlslite.handshakesettings.HandshakeSettings
:param settings: Various settings which can be used to control
the ciphersuites, certificate types, and SSL/TLS versions
offered by the client.
:type checker: ~tlslite.checker.Checker
:param checker: A Checker instance. This instance will be
invoked to examine the other party's authentication
credentials, if the handshake completes succesfully.
:type serverName: string
:param serverName: The ServerNameIndication TLS Extension.
:type async_: bool
:param async_: If False, this function will block until the
handshake is completed. If True, this function will return a
generator. Successive invocations of the generator will
return 0 if it is waiting to read from the socket, 1 if it is
waiting to write to the socket, or will raise StopIteration if
the handshake operation is completed.
:rtype: None or an iterable
:returns: If 'async_' is True, a generator object will be
returned.
:raises socket.error: If a socket error occurs.
:raises tlslite.errors.TLSAbruptCloseError: If the socket is closed
without a preceding alert.
:raises tlslite.errors.TLSAlert: If a TLS alert is signalled.
:raises tlslite.errors.TLSAuthenticationError: If the checker
doesn't like the other party's authentication credentials.
"""
handshaker = self._handshakeClientAsync(anonParams=(True),
session=session,
settings=settings,
checker=checker,
serverName=serverName)
if async_:
return handshaker
for result in handshaker:
pass
@deprecated_params({"async_": "async"},
"'{old_name}' is a keyword in Python 3.7, use"
"'{new_name}'")
def handshakeClientSRP(self, username, password, session=None,
settings=None, checker=None,
reqTack=True, serverName=None,
async_=False):
"""Perform an SRP handshake in the role of client.
This function performs a TLS/SRP handshake. SRP mutually
authenticates both parties to each other using only a
username and password. This function may also perform a
combined SRP and server-certificate handshake, if the server
chooses to authenticate itself with a certificate chain in
addition to doing SRP.
If the function completes without raising an exception, the
TLS connection will be open and available for data transfer.
If an exception is raised, the connection will have been
automatically closed (if it was ever open).
:type username: bytearray
:param username: The SRP username.
:type password: bytearray
:param password: The SRP password.
:type session: ~tlslite.session.Session
:param session: A TLS session to attempt to resume. This
session must be an SRP session performed with the same username
and password as were passed in. If the resumption does not
succeed, a full SRP handshake will be performed.
:type settings: ~tlslite.handshakesettings.HandshakeSettings
:param settings: Various settings which can be used to control
the ciphersuites, certificate types, and SSL/TLS versions
offered by the client.
:type checker: ~tlslite.checker.Checker
:param checker: A Checker instance. This instance will be
invoked to examine the other party's authentication
credentials, if the handshake completes succesfully.
:type reqTack: bool
:param reqTack: Whether or not to send a "tack" TLS Extension,
requesting the server return a TackExtension if it has one.
:type serverName: string
:param serverName: The ServerNameIndication TLS Extension.
:type async_: bool
:param async_: If False, this function will block until the
handshake is completed. If True, this function will return a
generator. Successive invocations of the generator will
return 0 if it is waiting to read from the socket, 1 if it is
waiting to write to the socket, or will raise StopIteration if
the handshake operation is completed.
:rtype: None or an iterable
:returns: If 'async_' is True, a generator object will be
returned.
:raises socket.error: If a socket error occurs.
:raises tlslite.errors.TLSAbruptCloseError: If the socket is closed
without a preceding alert.
:raises tlslite.errors.TLSAlert: If a TLS alert is signalled.
:raises tlslite.errors.TLSAuthenticationError: If the checker
doesn't like the other party's authentication credentials.
"""
# TODO add deprecation warning
if isinstance(username, str):
username = bytearray(username, 'utf-8')
if isinstance(password, str):
password = bytearray(password, 'utf-8')
handshaker = self._handshakeClientAsync(srpParams=(username, password),
session=session, settings=settings, checker=checker,
reqTack=reqTack, serverName=serverName)
# The handshaker is a Python Generator which executes the handshake.
# It allows the handshake to be run in a "piecewise", asynchronous
# fashion, returning 1 when it is waiting to able to write, 0 when
# it is waiting to read.
#
# If 'async_' is True, the generator is returned to the caller,
# otherwise it is executed to completion here.
if async_:
return handshaker
for result in handshaker:
pass
@deprecated_params({"async_": "async"},
"'{old_name}' is a keyword in Python 3.7, use"
"'{new_name}'")
def handshakeClientCert(self, certChain=None, privateKey=None,
session=None, settings=None, checker=None,
nextProtos=None, reqTack=True, serverName=None,
async_=False, alpn=None):
"""Perform a certificate-based handshake in the role of client.
This function performs an SSL or TLS handshake. The server
will authenticate itself using an X.509 certificate
chain. If the handshake succeeds, the server's certificate
chain will be stored in the session's serverCertChain attribute.
Unless a checker object is passed in, this function does no
validation or checking of the server's certificate chain.
If the server requests client authentication, the
client will send the passed-in certificate chain, and use the
passed-in private key to authenticate itself. If no
certificate chain and private key were passed in, the client
will attempt to proceed without client authentication. The
server may or may not allow this.
If the function completes without raising an exception, the
TLS connection will be open and available for data transfer.
If an exception is raised, the connection will have been
automatically closed (if it was ever open).
:type certChain: ~tlslite.x509certchain.X509CertChain
:param certChain: The certificate chain to be used if the
server requests client authentication.
:type privateKey: ~tlslite.utils.rsakey.RSAKey
:param privateKey: The private key to be used if the server
requests client authentication.
:type session: ~tlslite.session.Session
:param session: A TLS session to attempt to resume. If the
resumption does not succeed, a full handshake will be
performed.
:type settings: ~tlslite.handshakesettings.HandshakeSettings
:param settings: Various settings which can be used to control
the ciphersuites, certificate types, and SSL/TLS versions
offered by the client.
:type checker: ~tlslite.checker.Checker
:param checker: A Checker instance. This instance will be
invoked to examine the other party's authentication
credentials, if the handshake completes succesfully.
:type nextProtos: list of str
:param nextProtos: A list of upper layer protocols ordered by
preference, to use in the Next-Protocol Negotiation Extension.
:type reqTack: bool
:param reqTack: Whether or not to send a "tack" TLS Extension,
requesting the server return a TackExtension if it has one.
:type serverName: string
:param serverName: The ServerNameIndication TLS Extension.
:type async_: bool
:param async_: If False, this function will block until the
handshake is completed. If True, this function will return a
generator. Successive invocations of the generator will
return 0 if it is waiting to read from the socket, 1 if it is
waiting to write to the socket, or will raise StopIteration if
the handshake operation is completed.
:type alpn: list of bytearrays
:param alpn: protocol names to advertise to server as supported by
client in the Application Layer Protocol Negotiation extension.
Example items in the array include b'http/1.1' or b'h2'.
:rtype: None or an iterable
:returns: If 'async_' is True, a generator object will be
returned.
:raises socket.error: If a socket error occurs.
:raises tlslite.errors.TLSAbruptCloseError: If the socket is closed
without a preceding alert.
:raises tlslite.errors.TLSAlert: If a TLS alert is signalled.
:raises tlslite.errors.TLSAuthenticationError: If the checker
doesn't like the other party's authentication credentials.
"""
handshaker = \
self._handshakeClientAsync(certParams=(certChain, privateKey),
session=session, settings=settings,
checker=checker,
serverName=serverName,
nextProtos=nextProtos,
reqTack=reqTack,
alpn=alpn)
# The handshaker is a Python Generator which executes the handshake.
# It allows the handshake to be run in a "piecewise", asynchronous
# fashion, returning 1 when it is waiting to able to write, 0 when
# it is waiting to read.
#
# If 'async_' is True, the generator is returned to the caller,
# otherwise it is executed to completion here.
if async_:
return handshaker
for result in handshaker:
pass
def _handshakeClientAsync(self, srpParams=(), certParams=(), anonParams=(),
session=None, settings=None, checker=None,
nextProtos=None, serverName=None, reqTack=True,
alpn=None):
handshaker = self._handshakeClientAsyncHelper(srpParams=srpParams,
certParams=certParams,
anonParams=anonParams,
session=session,
settings=settings,
serverName=serverName,
nextProtos=nextProtos,
reqTack=reqTack,
alpn=alpn)
for result in self._handshakeWrapperAsync(handshaker, checker):
yield result
def _handshakeClientAsyncHelper(self, srpParams, certParams, anonParams,
session, settings, serverName, nextProtos,
reqTack, alpn):
self._handshakeStart(client=True)
#Unpack parameters
srpUsername = None # srpParams[0]
password = None # srpParams[1]
clientCertChain = None # certParams[0]
privateKey = None # certParams[1]
# Allow only one of (srpParams, certParams, anonParams)
if srpParams:
assert(not certParams)
assert(not anonParams)
srpUsername, password = srpParams
if certParams:
assert(not srpParams)
assert(not anonParams)
clientCertChain, privateKey = certParams
if anonParams:
assert(not srpParams)
assert(not certParams)
#Validate parameters
if srpUsername and not password:
raise ValueError("Caller passed a username but no password")
if password and not srpUsername:
raise ValueError("Caller passed a password but no username")
if clientCertChain and not privateKey:
raise ValueError("Caller passed a cert_chain but no privateKey")
if privateKey and not clientCertChain:
raise ValueError("Caller passed a privateKey but no cert_chain")
if reqTack:
if not tackpyLoaded:
reqTack = False
if not settings or not settings.useExperimentalTackExtension:
reqTack = False
if nextProtos is not None:
if len(nextProtos) == 0:
raise ValueError("Caller passed no nextProtos")
if alpn is not None and not alpn:
raise ValueError("Caller passed empty alpn list")
# reject invalid hostnames but accept empty/None ones
if serverName and not is_valid_hostname(serverName):
raise ValueError("Caller provided invalid server host name: {0}"
.format(serverName))
# Validates the settings and filters out any unsupported ciphers
# or crypto libraries that were requested
if not settings:
settings = HandshakeSettings()
settings = settings.validate()
self.sock.padding_cb = settings.padding_cb
if clientCertChain:
if not isinstance(clientCertChain, X509CertChain):
raise ValueError("Unrecognized certificate type")
if "x509" not in settings.certificateTypes:
raise ValueError("Client certificate doesn't match "\
"Handshake Settings")
if session:
# session.valid() ensures session is resumable and has
# non-empty sessionID
if not session.valid():
session = None #ignore non-resumable sessions...
elif session.resumable:
if session.srpUsername != srpUsername:
raise ValueError("Session username doesn't match")
if session.serverName != serverName:
raise ValueError("Session servername doesn't match")
#Add Faults to parameters
if srpUsername and self.fault == Fault.badUsername:
srpUsername += bytearray(b"GARBAGE")
if password and self.fault == Fault.badPassword:
password += bytearray(b"GARBAGE")
# Tentatively set the client's record version.
# We'll use this for the ClientHello, and if an error occurs
# parsing the Server Hello, we'll use this version for the response
# in TLS 1.3 it always needs to be set to TLS 1.0
self.version = \
(3, 1) if settings.maxVersion > (3, 3) else settings.maxVersion
# OK Start sending messages!
# *****************************
# Send the ClientHello.
for result in self._clientSendClientHello(settings, session,
srpUsername, srpParams, certParams,
anonParams, serverName, nextProtos,
reqTack, alpn):
if result in (0,1): yield result
else: break
clientHello = result
#Get the ServerHello.
for result in self._clientGetServerHello(settings, session,
clientHello):
if result in (0,1): yield result
else: break
serverHello = result
cipherSuite = serverHello.cipher_suite
# Check the serverHello.random if it includes the downgrade protection
# values as described in RFC8446 section 4.1.3
# For TLS1.3
if (settings.maxVersion > (3, 3) and self.version <= (3, 3)) and \
(serverHello.random[-8:] == TLS_1_2_DOWNGRADE_SENTINEL or
serverHello.random[-8:] == TLS_1_1_DOWNGRADE_SENTINEL):
for result in self._sendError(AlertDescription.illegal_parameter,
"Connection terminated because "
"of downgrade protection."):
yield result
# For TLS1.2
if settings.maxVersion == (3, 3) and self.version < (3, 3) and \
serverHello.random[-8:] == TLS_1_1_DOWNGRADE_SENTINEL:
for result in self._sendError(AlertDescription.illegal_parameter,
"Connection terminated because "
"of downgrade protection."):
yield result
# if we're doing tls1.3, use the new code as the negotiation is much
# different
ext = serverHello.getExtension(ExtensionType.supported_versions)
if ext and ext.version > (3, 3):
for result in self._clientTLS13Handshake(settings, session,
clientHello,
clientCertChain,
privateKey,
serverHello):
if result in (0, 1):
yield result
else:
break
if result in ["finished", "resumed_and_finished"]:
self._handshakeDone(resumed=(result == "resumed_and_finished"))
self._serverRandom = serverHello.random
self._clientRandom = clientHello.random
return
else:
raise Exception("unexpected return")
# Choose a matching Next Protocol from server list against ours
# (string or None)
nextProto = self._clientSelectNextProto(nextProtos, serverHello)
# Check if server selected encrypt-then-MAC
if serverHello.getExtension(ExtensionType.encrypt_then_mac):
self._recordLayer.encryptThenMAC = True
if serverHello.getExtension(ExtensionType.extended_master_secret):
self.extendedMasterSecret = True
#If the server elected to resume the session, it is handled here.
for result in self._clientResume(session, serverHello,
clientHello.random,
nextProto, settings):
if result in (0,1): yield result
else: break
if result == "resumed_and_finished":
self._handshakeDone(resumed=True)
self._serverRandom = serverHello.random
self._clientRandom = clientHello.random
# alpn protocol is independent of resumption and renegotiation
# and needs to be negotiated every time
alpnExt = serverHello.getExtension(ExtensionType.alpn)
if alpnExt:
session.appProto = alpnExt.protocol_names[0]
return
#If the server selected an SRP ciphersuite, the client finishes
#reading the post-ServerHello messages, then derives a
#premasterSecret and sends a corresponding ClientKeyExchange.
if cipherSuite in CipherSuite.srpAllSuites:
keyExchange = SRPKeyExchange(cipherSuite, clientHello,
serverHello, None, None,
srpUsername=srpUsername,
password=password,
settings=settings)
#If the server selected an anonymous ciphersuite, the client
#finishes reading the post-ServerHello messages.
elif cipherSuite in CipherSuite.dhAllSuites:
keyExchange = DHE_RSAKeyExchange(cipherSuite, clientHello,
serverHello, None)
elif cipherSuite in CipherSuite.ecdhAllSuites:
acceptedCurves = self._curveNamesToList(settings)
keyExchange = ECDHE_RSAKeyExchange(cipherSuite, clientHello,
serverHello, None,
acceptedCurves)
#If the server selected a certificate-based RSA ciphersuite,
#the client finishes reading the post-ServerHello messages. If
#a CertificateRequest message was sent, the client responds with
#a Certificate message containing its certificate chain (if any),
#and also produces a CertificateVerify message that signs the
#ClientKeyExchange.
else:
keyExchange = RSAKeyExchange(cipherSuite, clientHello,
serverHello, None)
# we'll send few messages here, send them in single TCP packet
self.sock.buffer_writes = True
for result in self._clientKeyExchange(settings, cipherSuite,
clientCertChain,
privateKey,
serverHello.certificate_type,
serverHello.tackExt,
clientHello.random,
serverHello.random,
keyExchange):
if result in (0, 1):
yield result
else: break
(premasterSecret, serverCertChain, clientCertChain,
tackExt) = result
#After having previously sent a ClientKeyExchange, the client now
#initiates an exchange of Finished messages.
# socket buffering is turned off in _clientFinished
for result in self._clientFinished(premasterSecret,
clientHello.random,
serverHello.random,
cipherSuite, settings.cipherImplementations,
nextProto, settings):
if result in (0,1): yield result
else: break
masterSecret = result
# check if an application layer protocol was negotiated
alpnProto = None
alpnExt = serverHello.getExtension(ExtensionType.alpn)
if alpnExt:
alpnProto = alpnExt.protocol_names[0]
ext_ec_point = ECPointFormat.uncompressed
if self.version < (3, 4):
ext_c = clientHello.getExtension(ExtensionType.ec_point_formats)
ext_s = serverHello.getExtension(ExtensionType.ec_point_formats)
if ext_c and ext_s:
try:
ext_ec_point = next((i for i in ext_c.formats \
if i in ext_s.formats))
except StopIteration as alert:
for result in self._sendError(
AlertDescription.illegal_parameter,
str(alert)):
yield result
# Create the session object which is used for resumptions
self.session = Session()
self.session.create(masterSecret, serverHello.session_id, cipherSuite,
srpUsername, clientCertChain, serverCertChain,
tackExt, (serverHello.tackExt is not None),
serverName,
encryptThenMAC=self._recordLayer.encryptThenMAC,
extendedMasterSecret=self.extendedMasterSecret,
appProto=alpnProto,
# NOTE it must be a reference not a copy
tickets=self.tickets,
tls_1_0_tickets=self.tls_1_0_tickets,
ec_point_format=ext_ec_point)
self._handshakeDone(resumed=False)
self._serverRandom = serverHello.random
self._clientRandom = clientHello.random
def _clientSendClientHello(self, settings, session, srpUsername,
srpParams, certParams, anonParams,
serverName, nextProtos, reqTack, alpn):
#Initialize acceptable ciphersuites
cipherSuites = [CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
if srpParams:
cipherSuites += CipherSuite.getSrpAllSuites(settings)
elif certParams:
cipherSuites += CipherSuite.getTLS13Suites(settings)
cipherSuites += CipherSuite.getEcdsaSuites(settings)
cipherSuites += CipherSuite.getEcdheCertSuites(settings)
cipherSuites += CipherSuite.getDheCertSuites(settings)
cipherSuites += CipherSuite.getCertSuites(settings)
cipherSuites += CipherSuite.getDheDsaSuites(settings)
elif anonParams:
cipherSuites += CipherSuite.getEcdhAnonSuites(settings)
cipherSuites += CipherSuite.getAnonSuites(settings)
else:
assert False
#Add any SCSVs. These are not real cipher suites, but signaling
#values which reuse the cipher suite field in the ClientHello.
wireCipherSuites = list(cipherSuites)
if settings.sendFallbackSCSV:
wireCipherSuites.append(CipherSuite.TLS_FALLBACK_SCSV)
#Initialize acceptable certificate types
certificateTypes = settings.getCertificateTypes()
extensions = []
#Initialize TLS extensions
if settings.useEncryptThenMAC:
extensions.append(TLSExtension().\
create(ExtensionType.encrypt_then_mac,
bytearray(0)))
if settings.useExtendedMasterSecret:
extensions.append(TLSExtension().create(ExtensionType.
extended_master_secret,
bytearray(0)))
# In TLS1.2 advertise support for additional signature types
if settings.maxVersion >= (3, 3):
sig_list = []
if settings.maxVersion >= (3, 4) and \
settings.minVersion <= (3, 4):
tls13_sig_list = self._sigHashesToList(
settings,
version=(3, 4))
sig_list.extend(tls13_sig_list)
if settings.maxVersion >= (3, 3) and \
settings.minVersion <= (3, 3):
tls12_sig_list = self._sigHashesToList(
settings,
version=(3, 3))
# add elements from tls12 signature algorithms set
# not yet in the list of algorithms while preserving order
sig_list_set = set(sig_list)
tls12_sig_list_set = set(tls12_sig_list)
not_in_sig_list = tls12_sig_list_set.difference(sig_list_set)
sig_list.extend(i for i in tls12_sig_list if i in not_in_sig_list)
assert sig_list
extensions.append(SignatureAlgorithmsExtension().\
create(sig_list))
# if we know any protocols for ALPN, advertise them
if alpn:
extensions.append(ALPNExtension().create(alpn))
session_id = bytearray()
# when TLS 1.3 advertised, add key shares, set fake session_id
shares = None
if next((i for i in settings.versions if i > (3, 3)), None):
# if we have a client cert configured, do indicate we're willing
# to perform Post Handshake Authentication
if certParams and certParams[1]:
extensions.append(TLSExtension(
extType=ExtensionType.post_handshake_auth).
create(bytearray(b'')))
self._client_keypair = certParams
# fake session_id for middlebox compatibility mode
session_id = getRandomBytes(32)
extensions.append(SupportedVersionsExtension().
create(settings.versions))
shares = []
for group_name in settings.keyShares:
group_id = getattr(GroupName, group_name)
key_share = self._genKeyShareEntry(group_id, (3, 4))
shares.append(key_share)
# if TLS 1.3 is enabled, key_share must always be sent
# (unless only static PSK is used)
extensions.append(ClientKeyShareExtension().create(shares))
# add info on types of PSKs supported (also used for
# NewSessionTicket so send basically always)
ext = PskKeyExchangeModesExtension().create(
[getattr(PskKeyExchangeMode, i) for i in settings.psk_modes])
extensions.append(ext)
groups = []
#Send the ECC extensions only if we advertise ECC ciphers
if next((cipher for cipher in cipherSuites \
if cipher in CipherSuite.ecdhAllSuites), None) is not None:
groups.extend(self._curveNamesToList(settings))
if settings.ec_point_formats:
extensions.append(ECPointFormatsExtension().\
create(settings.ec_point_formats))
# Advertise FFDHE groups if we have DHE ciphers
if next((cipher for cipher in cipherSuites
if cipher in CipherSuite.dhAllSuites), None) is not None:
groups.extend(self._groupNamesToList(settings))
# Send the extension only if it will be non empty
if groups:
if shares:
# put the groups used for key shares first, and in order
# (req. from RFC 8446, section 4.2.8)
share_ids = [i.group for i in shares]
diff = set(groups) - set(share_ids)
groups = share_ids + [i for i in groups if i in diff]
extensions.append(SupportedGroupsExtension().create(groups))
if settings.use_heartbeat_extension:
extensions.append(HeartbeatExtension().create(
HeartbeatMode.PEER_ALLOWED_TO_SEND))
self.heartbeat_can_receive = True
if settings.record_size_limit:
extensions.append(RecordSizeLimitExtension().create(
settings.record_size_limit))
# If SessionTicket support is enabled and we have a valid ticket, we
# send it in an attempt to resume the session, if SessionTicket support
# is enabled but we don't have a valid ticket, we send an empty ext
# to indicate support for the feaure
if session and session.tls_1_0_tickets:
# first get rid of expired tickets
session.tls_1_0_tickets[:] = [
i for i in session.tls_1_0_tickets if i.valid()]
# then send first ticket
for cached_ticket in session.tls_1_0_tickets:
extensions.append(SessionTicketExtension().create(
cached_ticket.ticket))
break
else:
# or just advertise that we support session resumption
extensions.append(SessionTicketExtension().create(
bytearray(0)))
else:
extensions.append(SessionTicketExtension().create(
bytearray(0)))
# when TLS 1.3 advertised, send also compress_certificate extension
if (
next((i for i in settings.versions if i >= (3, 4)), None)
and settings.certificate_compression_receive
):
algos_numbers = [getattr(CertificateCompressionAlgorithm, algo)
for algo
in settings.certificate_compression_receive]
extensions.append(CompressedCertificateExtension().create(
algos_numbers))
# don't send empty list of extensions or extensions in SSLv3
if not extensions or settings.maxVersion == (3, 0):
extensions = None
sent_version = min(settings.maxVersion, (3, 3))
#Either send ClientHello (with a resumable session)...
if session and session.sessionID:
#If it's resumable, then its
#ciphersuite must be one of the acceptable ciphersuites
if session.cipherSuite not in cipherSuites:
raise ValueError("Session's cipher suite not consistent "\
"with parameters")
else:
clientHello = ClientHello()
clientHello.create(sent_version, getRandomBytes(32),
session.sessionID, wireCipherSuites,
certificateTypes,
session.srpUsername,
reqTack, nextProtos is not None,
session.serverName,
extensions=extensions)
#Or send ClientHello (without)
else:
clientHello = ClientHello()
clientHello.create(sent_version, getRandomBytes(32),
session_id, wireCipherSuites,
certificateTypes,
srpUsername,
reqTack, nextProtos is not None,
serverName,
extensions=extensions)
# Check if padding extension should be added
# we want to add extensions even when using just SSLv3
if settings.usePaddingExtension:
HandshakeHelpers.alignClientHelloPadding(clientHello)
# because TLS 1.3 PSK is sent in ClientHello and signs the ClientHello
# we need to send it as the last extension
if (settings.pskConfigs or (session and session.tickets)) \
and settings.maxVersion >= (3, 4):
ext = PreSharedKeyExtension()
idens = []
binders = []
# if we have a previous session, include it in PSKs too
if session and session.tickets:
now = time.time()
# clean the list from obsolete ones
# RFC says that the tickets MUST NOT be cached longer than
# 7 days
session.tickets[:] = (i for i in session.tickets if
i.time + i.ticket_lifetime > now and
i.time + 7 * 24 * 60 * 60 > now)
if session.tickets:
ticket = session.tickets[0]
# ticket.time is in seconds while the obfuscated time
# is in ms
ticket_time = int(
time.time() * 1000 -
ticket.time * 1000 +
ticket.ticket_age_add) % 2**32
idens.append(PskIdentity().create(ticket.ticket,
ticket_time))
binder_len = 48 if session.cipherSuite in \
CipherSuite.sha384PrfSuites else 32
binders.append(bytearray(binder_len))
for psk in settings.pskConfigs:
# skip PSKs with no identities as they're TLS1.3 incompatible
if not psk[0]:
continue
idens.append(PskIdentity().create(psk[0], 0))
psk_hash = psk[2] if len(psk) > 2 else 'sha256'
assert psk_hash in set(['sha256', 'sha384'])
# create fake binder values to create correct length fields
binders.append(bytearray(32 if psk_hash == 'sha256' else 48))
if idens:
ext.create(idens, binders)
clientHello.extensions.append(ext)
# for HRR case we'll need 1st CH and HRR in handshake hashes,
# so pass them in, truncated CH will be added by the helpers to
# the copy of the hashes
HandshakeHelpers.update_binders(clientHello,
self._handshake_hash,
settings.pskConfigs,
session.tickets if session
else None,
session.resumptionMasterSecret
if session else None)
for result in self._sendMsg(clientHello):
yield result
yield clientHello
def _clientGetServerHello(self, settings, session, clientHello):
client_hello_hash = self._handshake_hash.copy()
for result in self._getMsg(ContentType.handshake,
HandshakeType.server_hello):
if result in (0,1): yield result
else: break
hello_retry = None
ext = result.getExtension(ExtensionType.supported_versions)
if result.random == TLS_1_3_HRR and ext and ext.version > (3, 3):
self.version = ext.version
hello_retry = result
# create synthetic handshake hash
prf_name, prf_size = self._getPRFParams(hello_retry.cipher_suite)
self._handshake_hash = HandshakeHashes()
writer = Writer()
writer.add(HandshakeType.message_hash, 1)
writer.addVarSeq(client_hello_hash.digest(prf_name), 1, 3)
self._handshake_hash.update(writer.bytes)
self._handshake_hash.update(hello_retry.write())
# check if all extensions in the HRR were present in client hello
ch_ext_types = set(i.extType for i in clientHello.extensions)
ch_ext_types.add(ExtensionType.cookie)
bad_ext = next((i for i in hello_retry.extensions
if i.extType not in ch_ext_types), None)
if bad_ext:
bad_ext = ExtensionType.toStr(bad_ext)
for result in self._sendError(AlertDescription
.unsupported_extension,
("Unexpected extension in HRR: "
"{0}").format(bad_ext)):
yield result
# handle cookie extension
cookie = hello_retry.getExtension(ExtensionType.cookie)
if cookie:
clientHello.addExtension(cookie)
# handle key share extension
sr_key_share_ext = hello_retry.getExtension(ExtensionType
.key_share)
if sr_key_share_ext:
group_id = sr_key_share_ext.selected_group
# check if group selected by server is valid
groups_ext = clientHello.getExtension(ExtensionType
.supported_groups)
if group_id not in groups_ext.groups:
for result in self._sendError(AlertDescription
.illegal_parameter,
"Server selected group we "
"did not advertise"):
yield result
cl_key_share_ext = clientHello.getExtension(ExtensionType
.key_share)
# check if the server didn't ask for a group we already sent
if next((entry for entry in cl_key_share_ext.client_shares
if entry.group == group_id), None):
for result in self._sendError(AlertDescription
.illegal_parameter,
"Server selected group we "
"did sent the key share "
"for"):
yield result
key_share = self._genKeyShareEntry(group_id, (3, 4))
# old key shares need to be removed
cl_key_share_ext.client_shares = [key_share]
if not cookie and not sr_key_share_ext:
# HRR did not result in change to Client Hello
for result in self._sendError(AlertDescription.
illegal_parameter,
"Received HRR did not cause "
"update to Client Hello"):
yield result
if clientHello.session_id != hello_retry.session_id:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Received HRR session_id does not match the one in "
"ClientHello"):
yield result
ext = clientHello.getExtension(ExtensionType.pre_shared_key)
if ext:
# move the extension to end (in case extension like cookie was
# added
clientHello.extensions.remove(ext)
clientHello.extensions.append(ext)
HandshakeHelpers.update_binders(clientHello,
self._handshake_hash,
settings.pskConfigs,
session.tickets if session
else None,
session.resumptionMasterSecret
if session else None)
# resend the client hello with performed changes
msgs = []
if clientHello.session_id:
ccs = ChangeCipherSpec().create()
msgs.append(ccs)
msgs.append(clientHello)
for result in self._sendMsgs(msgs):
yield result
self._ccs_sent = True
# retry getting server hello
for result in self._getMsg(ContentType.handshake,
HandshakeType.server_hello):
if result in (0, 1):
yield result
else:
break
serverHello = result
#Get the server version. Do this before anything else, so any
#error alerts will use the server's version
real_version = serverHello.server_version
if serverHello.server_version >= (3, 3):
ext = serverHello.getExtension(ExtensionType.supported_versions)
if ext:
real_version = ext.version
self.version = real_version
#Check ServerHello
if hello_retry and \
hello_retry.cipher_suite != serverHello.cipher_suite:
for result in self._sendError(AlertDescription.illegal_parameter,
"server selected different cipher "
"in HRR and Server Hello"):
yield result
if real_version < settings.minVersion:
for result in self._sendError(
AlertDescription.protocol_version,
"Too old version: {0} (min: {1})"
.format(real_version, settings.minVersion)):
yield result
if real_version > settings.maxVersion and \
real_version not in settings.versions:
for result in self._sendError(
AlertDescription.protocol_version,
"Too new version: {0} (max: {1})"
.format(real_version, settings.maxVersion)):
yield result
if real_version > (3, 3) and \
serverHello.session_id != clientHello.session_id:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Received ServerHello session_id does not match the one "
"in ClientHello"):
yield result
cipherSuites = CipherSuite.filterForVersion(clientHello.cipher_suites,
minVersion=real_version,
maxVersion=real_version)
if serverHello.cipher_suite not in cipherSuites:
for result in self._sendError(\
AlertDescription.illegal_parameter,
"Server responded with incorrect ciphersuite"):
yield result
if serverHello.certificate_type not in clientHello.certificate_types:
for result in self._sendError(\
AlertDescription.illegal_parameter,
"Server responded with incorrect certificate type"):
yield result
if serverHello.compression_method != 0:
for result in self._sendError(\
AlertDescription.illegal_parameter,
"Server responded with incorrect compression method"):
yield result
if serverHello.tackExt:
if not clientHello.tack:
for result in self._sendError(\
AlertDescription.illegal_parameter,
"Server responded with unrequested Tack Extension"):
yield result
if not serverHello.tackExt.verifySignatures():
for result in self._sendError(\
AlertDescription.decrypt_error,
"TackExtension contains an invalid signature"):
yield result
if serverHello.next_protos and not clientHello.supports_npn:
for result in self._sendError(\
AlertDescription.illegal_parameter,
"Server responded with unrequested NPN Extension"):
yield result
if not serverHello.getExtension(ExtensionType.extended_master_secret)\
and settings.requireExtendedMasterSecret:
for result in self._sendError(
AlertDescription.insufficient_security,
"Negotiation of Extended master Secret failed"):
yield result
alpnExt = serverHello.getExtension(ExtensionType.alpn)
if alpnExt:
if not alpnExt.protocol_names or \
len(alpnExt.protocol_names) != 1:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Server responded with invalid ALPN extension"):
yield result
clntAlpnExt = clientHello.getExtension(ExtensionType.alpn)
if not clntAlpnExt:
for result in self._sendError(
AlertDescription.unsupported_extension,
"Server sent ALPN extension without one in "
"client hello"):
yield result
if alpnExt.protocol_names[0] not in clntAlpnExt.protocol_names:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Server selected ALPN protocol we did not advertise"):
yield result
heartbeat_ext = serverHello.getExtension(ExtensionType.heartbeat)
if heartbeat_ext:
if not settings.use_heartbeat_extension:
for result in self._sendError(
AlertDescription.unsupported_extension,
"Server sent Heartbeat extension without one in "
"client hello"):
yield result
if heartbeat_ext.mode == HeartbeatMode.PEER_ALLOWED_TO_SEND and \
settings.heartbeat_response_callback:
self.heartbeat_can_send = True
self.heartbeat_response_callback = settings.\
heartbeat_response_callback
elif heartbeat_ext.mode == HeartbeatMode.\
PEER_NOT_ALLOWED_TO_SEND or not settings.\
heartbeat_response_callback:
self.heartbeat_can_send = False
else:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Server responded with invalid Heartbeat extension"):
yield result
self.heartbeat_supported = True
size_limit_ext = serverHello.getExtension(
ExtensionType.record_size_limit)
if size_limit_ext:
if size_limit_ext.record_size_limit is None:
for result in self._sendError(
AlertDescription.decode_error,
"Malformed record_size_limit extension"):
yield result
# if we got the extension in ServerHello it means we're doing
# TLS 1.2 so the max value for extension is 2^14
if not 64 <= size_limit_ext.record_size_limit <= 2**14:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Server responed with invalid value in "
"record_size_limit extension"):
yield result
self._peer_record_size_limit = size_limit_ext.record_size_limit
yield serverHello
@staticmethod
def _getKEX(group, version):
"""Get object for performing key exchange."""
if group in GroupName.allKEM:
return KEMKeyExchange(group, version)
if group in GroupName.allFF:
return FFDHKeyExchange(group, version)
return ECDHKeyExchange(group, version)
@classmethod
def _genKeyShareEntry(cls, group, version):
"""Generate KeyShareEntry object from randomly selected private value.
"""
kex = cls._getKEX(group, version)
private = kex.get_random_private_key()
share = kex.calc_public_value(private)
return KeyShareEntry().create(group, share, private)
@classmethod
def _KEMEncaps(cls, group, public):
"""Generate the server's KeyShareEntry object with encapsulated secret.
"""
kex = cls._getKEX(group, (3, 4))
shared_sec, key_share_value = kex.encapsulate_key(public)
key_share = KeyShareEntry().create(group, key_share_value, None)
return shared_sec, key_share
@staticmethod
def _getPRFParams(cipher_suite):
"""Return name of hash used for PRF and the hash output size."""
if cipher_suite in CipherSuite.sha384PrfSuites:
return 'sha384', 48
return 'sha256', 32
def _clientTLS13Handshake(self, settings, session, clientHello,
clientCertChain, privateKey, serverHello):
"""Perform TLS 1.3 handshake as a client."""
prfName, prf_size = self._getPRFParams(serverHello.cipher_suite)
# we have client and server hello in TLS 1.3 so we have the necessary
# key shares to derive the handshake receive key
sr_kex = serverHello.getExtension(ExtensionType.key_share)
sr_psk = serverHello.getExtension(ExtensionType.pre_shared_key)
if not sr_kex and not sr_psk:
raise TLSIllegalParameterException("Server did not select PSK nor "
"an (EC)DH group")
if sr_kex:
sr_kex = sr_kex.server_share
self.ecdhCurve = sr_kex.group
cl_key_share_ex = clientHello.getExtension(ExtensionType.key_share)
cl_kex = next((i for i in cl_key_share_ex.client_shares
if i.group == sr_kex.group), None)
if cl_kex is None:
raise TLSIllegalParameterException("Server selected not "
"advertised group.")
kex = self._getKEX(sr_kex.group, self.version)
shared_sec = kex.calc_shared_key(cl_kex.private,
sr_kex.key_exchange)
else:
shared_sec = bytearray(prf_size)
# if server agreed to perform resumption, find the matching secret key
resuming = False
if sr_psk:
clPSK = clientHello.getExtension(ExtensionType.pre_shared_key)
ident = clPSK.identities[sr_psk.selected]
psk = [i[1] for i in settings.pskConfigs if i[0] == ident.identity]
if psk:
psk = psk[0]
else:
resuming = True
psk = HandshakeHelpers.calc_res_binder_psk(
ident, session.resumptionMasterSecret,
session.tickets)
else:
psk = bytearray(prf_size)
secret = bytearray(prf_size)
# Early Secret
secret = secureHMAC(secret, psk, prfName)
# Handshake Secret
secret = derive_secret(secret, bytearray(b'derived'),
None, prfName)
secret = secureHMAC(secret, shared_sec, prfName)
sr_handshake_traffic_secret = derive_secret(secret,
bytearray(b's hs traffic'),
self._handshake_hash,
prfName)
cl_handshake_traffic_secret = derive_secret(secret,
bytearray(b'c hs traffic'),
self._handshake_hash,
prfName)
# prepare for reading encrypted messages
self._recordLayer.calcTLS1_3PendingState(
serverHello.cipher_suite,
cl_handshake_traffic_secret,
sr_handshake_traffic_secret,
settings.cipherImplementations)
self._changeReadState()
for result in self._getMsg(ContentType.handshake,
HandshakeType.encrypted_extensions):
if result in (0, 1):
yield result
else:
break
encrypted_extensions = result
assert isinstance(encrypted_extensions, EncryptedExtensions)
size_limit_ext = encrypted_extensions.getExtension(
ExtensionType.record_size_limit)
if size_limit_ext and not settings.record_size_limit:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Server sent record_size_limit extension despite us not "
"advertising it"):
yield result
if size_limit_ext:
if size_limit_ext.record_size_limit is None:
for result in self._sendError(
AlertDescription.decode_error,
"Malformed record_size_limit extension"):
yield result
if not 64 <= size_limit_ext.record_size_limit <= 2**14+1:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Invalid valid in record_size_limit extension"):
yield result
# the record layer code expects a limit that excludes content type
# from the value while extension is defined including it
self._send_record_limit = size_limit_ext.record_size_limit - 1
self._recv_record_limit = min(2**14, settings.record_size_limit - 1)
# if we negotiated PSK then Certificate is not sent
certificate_request = None
certificate = None
comp_cert_ext = clientHello.getExtension(
ExtensionType.compress_certificate)
if comp_cert_ext and not comp_cert_ext.algorithms:
for result in self._sendError(
AlertDescription.decode_error,
"Empty algorithm list in compress_certificate "
"extension"):
yield result
if comp_cert_ext:
expected_msg = (HandshakeType.certificate_request,
HandshakeType.certificate,
HandshakeType.compressed_certificate)
else:
expected_msg = (HandshakeType.certificate_request,
HandshakeType.certificate)
if not sr_psk:
for result in self._getMsg(ContentType.handshake, expected_msg,
CertificateType.x509):
if result in (0, 1):
yield result
else:
break
if isinstance(result, CertificateRequest):
certificate_request = result
if comp_cert_ext:
expected_msg = (HandshakeType.certificate,
HandshakeType.compressed_certificate)
else:
expected_msg = (HandshakeType.certificate)
# we got CertificateRequest so now we'll get Certificate or
# Compressed Certificate
for result in self._getMsg(ContentType.handshake, expected_msg,
CertificateType.x509):
if result in (0, 1):
yield result
else:
break
if isinstance(result, CompressedCertificate):
self.server_cert_compression_algo = \
CertificateCompressionAlgorithm.toStr(
result.compression_algo)
certificate = result
assert isinstance(certificate, Certificate)
srv_cert_verify_hh = self._handshake_hash.copy()
for result in self._getMsg(ContentType.handshake,
HandshakeType.certificate_verify):
if result in (0, 1):
yield result
else:
break
certificate_verify = result
assert isinstance(certificate_verify, CertificateVerify)
signature_scheme = certificate_verify.signatureAlgorithm
self.serverSigAlg = signature_scheme
signature_context = KeyExchange.calcVerifyBytes((3, 4),
srv_cert_verify_hh,
signature_scheme,
None, None, None,
prfName, b'server')
for result in self._clientGetKeyFromChain(certificate, settings):
if result in (0, 1):
yield result
else:
break
publicKey, serverCertChain, tackExt = result
if signature_scheme in (SignatureScheme.ed25519,
SignatureScheme.ed448):
pad_type = None
hash_name = "intrinsic"
salt_len = None
method = publicKey.hashAndVerify
elif signature_scheme[1] == SignatureAlgorithm.ecdsa:
pad_type = None
hash_name = HashAlgorithm.toRepr(signature_scheme[0])
matching_hash = self._curve_name_to_hash_name(
publicKey.curve_name)
if hash_name != matching_hash:
raise TLSIllegalParameterException(
"server selected signature method invalid for the "
"certificate it presented (curve mismatch)")
salt_len = None
method = publicKey.verify
elif signature_scheme in TLS_1_3_BRAINPOOL_SIG_SCHEMES:
scheme = SignatureScheme.toRepr(signature_scheme)
pad_type = None
hash_name = SignatureScheme.getHash(scheme)
salt_len = None
method = publicKey.verify
else:
scheme = SignatureScheme.toRepr(signature_scheme)
pad_type = SignatureScheme.getPadding(scheme)
hash_name = SignatureScheme.getHash(scheme)
salt_len = getattr(hashlib, hash_name)().digest_size
method = publicKey.verify
if not method(certificate_verify.signature,
signature_context,
pad_type,
hash_name,
salt_len):
raise TLSDecryptionFailed("server Certificate Verify "
"signature "
"verification failed")
transcript_hash = self._handshake_hash.digest(prfName)
for result in self._getMsg(ContentType.handshake,
HandshakeType.finished,
prf_size):
if result in (0, 1):
yield result
else:
break
finished = result
server_finish_hs = self._handshake_hash.copy()
assert isinstance(finished, Finished)
finished_key = HKDF_expand_label(sr_handshake_traffic_secret,
b"finished", b'', prf_size, prfName)
verify_data = secureHMAC(finished_key, transcript_hash, prfName)
if finished.verify_data != verify_data:
raise TLSDecryptionFailed("Finished value is not valid")
# now send client set of messages
self._changeWriteState()
# Master secret
secret = derive_secret(secret, bytearray(b'derived'), None, prfName)
secret = secureHMAC(secret, bytearray(prf_size), prfName)
cl_app_traffic = derive_secret(secret, bytearray(b'c ap traffic'),
server_finish_hs, prfName)
sr_app_traffic = derive_secret(secret, bytearray(b's ap traffic'),
server_finish_hs, prfName)
if certificate_request:
if clientCertChain:
# Check to make sure we have the same type of certificates the
# server requested
if serverHello.certificate_type == CertificateType.x509 \
and not isinstance(clientCertChain, X509CertChain):
for result in self._sendError(
AlertDescription.handshake_failure,
"Client certificate is of wrong type"):
yield result
client_certificate = self._create_cert_msg(
"client", clientHello,
settings.certificate_compression_send, clientCertChain,
serverHello.certificate_type, version=self.version)
# we need to send the message even if we don't have a certificate
for result in self._sendMsg(client_certificate):
yield result
if clientCertChain and privateKey:
valid_sig_algs = certificate_request.supported_signature_algs
if not valid_sig_algs:
for result in self._sendError(
AlertDescription.missing_extension,
"No Signature Algorithms found"):
yield result
availSigAlgs = self._sigHashesToList(settings, privateKey,
clientCertChain,
version=(3, 4))
signature_scheme = getFirstMatching(availSigAlgs,
valid_sig_algs)
scheme = SignatureScheme.toRepr(signature_scheme)
signature_scheme = getattr(SignatureScheme, scheme)
signature_context = \
KeyExchange.calcVerifyBytes((3, 4), self._handshake_hash,
signature_scheme, None, None,
None, prfName, b'client')
if signature_scheme in (SignatureScheme.ed25519,
SignatureScheme.ed448):
pad_type = None
hash_name = "intrinsic"
salt_len = None
sig_func = privateKey.hashAndSign
ver_func = privateKey.hashAndVerify
elif signature_scheme[1] == SignatureAlgorithm.ecdsa:
pad_type = None
hash_name = HashAlgorithm.toRepr(signature_scheme[0])
salt_len = None
sig_func = privateKey.sign
ver_func = privateKey.verify
elif signature_scheme in TLS_1_3_BRAINPOOL_SIG_SCHEMES:
pad_type = None
hash_name = SignatureScheme.getHash(scheme)
salt_len = None
sig_func = privateKey.sign
ver_func = privateKey.verify
else:
pad_type = SignatureScheme.getPadding(scheme)
hash_name = SignatureScheme.getHash(scheme)
salt_len = getattr(hashlib, hash_name)().digest_size
sig_func = privateKey.sign
ver_func = privateKey.verify
signature = sig_func(signature_context,
pad_type,
hash_name,
salt_len)
if not ver_func(signature, signature_context,
pad_type,
hash_name,
salt_len):
for result in self._sendError(
AlertDescription.internal_error,
"Certificate Verify signature failed"):
yield result
certificate_verify = CertificateVerify(self.version)
certificate_verify.create(signature, signature_scheme)
for result in self._sendMsg(certificate_verify):
yield result
# Do after client cert and verify messages has been sent.
exporter_master_secret = derive_secret(secret,
bytearray(b'exp master'),
self._handshake_hash, prfName)
self._recordLayer.calcTLS1_3PendingState(
serverHello.cipher_suite,
cl_app_traffic,
sr_app_traffic,
settings.cipherImplementations)
# be ready to process alert messages from the server, which
# MUST be encrypted with ap traffic secret when they are sent after
# Finished
self._changeReadState()
cl_finished_key = HKDF_expand_label(cl_handshake_traffic_secret,
b"finished", b'',
prf_size, prfName)
cl_verify_data = secureHMAC(
cl_finished_key,
self._handshake_hash.digest(prfName),
prfName)
cl_finished = Finished(self.version, prf_size)
cl_finished.create(cl_verify_data)
if not self._ccs_sent and clientHello.session_id:
ccs = ChangeCipherSpec().create()
msgs = [ccs, cl_finished]
else:
msgs = [cl_finished]
for result in self._sendMsgs(msgs):
yield result
# CCS messages are not allowed in post handshake authentication
self._middlebox_compat_mode = False
# fully switch to application data
self._changeWriteState()
self._first_handshake_hashes = self._handshake_hash.copy()
resumption_master_secret = derive_secret(secret,
bytearray(b'res master'),
self._handshake_hash, prfName)
self.session = Session()
self.extendedMasterSecret = True
serverName = None
if clientHello.server_name:
serverName = clientHello.server_name.decode("utf-8")
appProto = None
alpnExt = encrypted_extensions.getExtension(ExtensionType.alpn)
if alpnExt:
appProto = alpnExt.protocol_names[0]
heartbeat_ext = encrypted_extensions.getExtension(ExtensionType.heartbeat)
if heartbeat_ext:
if not settings.use_heartbeat_extension:
for result in self._sendError(
AlertDescription.unsupported_extension,
"Server sent Heartbeat extension without one in "
"client hello"):
yield result
if heartbeat_ext.mode == HeartbeatMode.PEER_ALLOWED_TO_SEND and \
settings.heartbeat_response_callback:
self.heartbeat_can_send = True
self.heartbeat_response_callback = settings.\
heartbeat_response_callback
elif heartbeat_ext.mode == HeartbeatMode.\
PEER_NOT_ALLOWED_TO_SEND or not settings.\
heartbeat_response_callback:
self.heartbeat_can_send = False
else:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Server responded with invalid Heartbeat extension"):
yield result
self.heartbeat_supported = True
self.session.create(secret,
bytearray(b''), # no session_id in TLS 1.3
serverHello.cipher_suite,
None, # no SRP
clientCertChain,
certificate.cert_chain if certificate else None,
None, # no TACK
False, # no TACK in hello
serverName,
encryptThenMAC=False, # all ciphers are AEAD
extendedMasterSecret=True, # all TLS1.3 are EMS
appProto=appProto,
cl_app_secret=cl_app_traffic,
sr_app_secret=sr_app_traffic,
exporterMasterSecret=exporter_master_secret,
resumptionMasterSecret=resumption_master_secret,
# NOTE it must be a reference, not a copy!
tickets=self.tickets)
yield "finished" if not resuming else "resumed_and_finished"
def _clientSelectNextProto(self, nextProtos, serverHello):
# nextProtos is None or non-empty list of strings
# serverHello.next_protos is None or possibly-empty list of strings
#
# !!! We assume the client may have specified nextProtos as a list of
# strings so we convert them to bytearrays (it's awkward to require
# the user to specify a list of bytearrays or "bytes", and in
# Python 2.6 bytes() is just an alias for str() anyways...
if nextProtos is not None and serverHello.next_protos is not None:
for p in nextProtos:
if bytearray(p) in serverHello.next_protos:
return bytearray(p)
else:
# If the client doesn't support any of server's protocols,
# or the server doesn't advertise any (next_protos == [])
# the client SHOULD select the first protocol it supports.
return bytearray(nextProtos[0])
return None
def _clientResume(self, session, serverHello, clientRandom,
nextProto, settings):
if session and ((session.sessionID and \
serverHello.session_id == session.sessionID) or
session.tls_1_0_tickets):
if serverHello.cipher_suite != session.cipherSuite:
for result in self._sendError(\
AlertDescription.illegal_parameter,\
"Server's ciphersuite doesn't match session"):
yield result
#Calculate pending connection states
self._calcPendingStates(session.cipherSuite,
session.masterSecret,
clientRandom, serverHello.random,
settings.cipherImplementations)
#Exchange ChangeCipherSpec and Finished messages
for result in self._getFinished(session.masterSecret,
session.cipherSuite):
yield result
# buffer writes so that CCS and Finished go out in one TCP packet
self.sock.buffer_writes = True
for result in self._sendFinished(session.masterSecret,
session.cipherSuite,
nextProto,
settings=settings):
yield result
self.sock.flush()
self.sock.buffer_writes = False
#Set the session for this connection
self.session = session
yield "resumed_and_finished"
def _clientKeyExchange(self, settings, cipherSuite,
clientCertChain, privateKey,
certificateType,
tackExt, clientRandom, serverRandom,
keyExchange):
"""Perform the client side of key exchange"""
# if server chose cipher suite with authentication, get the certificate
if cipherSuite in CipherSuite.certAllSuites or \
cipherSuite in CipherSuite.ecdheEcdsaSuites or \
cipherSuite in CipherSuite.dheDsaSuites:
for result in self._getMsg(ContentType.handshake,
HandshakeType.certificate,
certificateType):
if result in (0, 1):
yield result
else: break
serverCertificate = result
else:
serverCertificate = None
# if server chose RSA key exchange, we need to skip SKE message
if cipherSuite not in CipherSuite.certSuites:
for result in self._getMsg(ContentType.handshake,
HandshakeType.server_key_exchange,
cipherSuite):
if result in (0, 1):
yield result
else: break
serverKeyExchange = result
else:
serverKeyExchange = None
for result in self._getMsg(ContentType.handshake,
(HandshakeType.certificate_request,
HandshakeType.server_hello_done)):
if result in (0, 1):
yield result
else: break
certificateRequest = None
if isinstance(result, CertificateRequest):
certificateRequest = result
#abort if Certificate Request with inappropriate ciphersuite
if cipherSuite not in CipherSuite.certAllSuites \
and cipherSuite not in CipherSuite.ecdheEcdsaSuites \
and cipherSuite not in CipherSuite.dheDsaSuites\
or cipherSuite in CipherSuite.srpAllSuites:
for result in self._sendError(\
AlertDescription.unexpected_message,
"Certificate Request with incompatible cipher suite"):
yield result
# abort if Certificate Request has an empty certificate compression
# algorithm list
comp_cert_ext = certificateRequest.getExtension(
ExtensionType.compress_certificate)
if comp_cert_ext and not comp_cert_ext.algorithms:
for result in self._sendError(
AlertDescription.decode_error,
"Empty algorithm list in compress_certificate "
"extension"):
yield result
# we got CertificateRequest so now we'll get ServerHelloDone
for result in self._getMsg(ContentType.handshake,
HandshakeType.server_hello_done):
if result in (0, 1):
yield result
else: break
serverHelloDone = result
serverCertChain = None
publicKey = None
if cipherSuite in CipherSuite.certAllSuites or \
cipherSuite in CipherSuite.ecdheEcdsaSuites or \
cipherSuite in CipherSuite.dheDsaSuites:
# get the certificate
for result in self._clientGetKeyFromChain(serverCertificate,
settings,
tackExt):
if result in (0, 1):
yield result
else: break
publicKey, serverCertChain, tackExt = result
#Check the server's signature, if the server chose an authenticated
# PFS-enabled ciphersuite
if serverKeyExchange:
valid_sig_algs = \
self._sigHashesToList(settings,
certList=serverCertChain)
try:
KeyExchange.verifyServerKeyExchange(serverKeyExchange,
publicKey,
clientRandom,
serverRandom,
valid_sig_algs)
except TLSIllegalParameterException:
for result in self._sendError(AlertDescription.\
illegal_parameter):
yield result
except TLSDecryptionFailed:
for result in self._sendError(\
AlertDescription.decrypt_error):
yield result
if serverKeyExchange:
# store key exchange metadata for user applications
if self.version >= (3, 3) \
and (cipherSuite in CipherSuite.certAllSuites or
cipherSuite in CipherSuite.ecdheEcdsaSuites) \
and cipherSuite not in CipherSuite.certSuites:
self.serverSigAlg = (serverKeyExchange.hashAlg,
serverKeyExchange.signAlg)
if cipherSuite in CipherSuite.dhAllSuites:
self.dhGroupSize = numBits(serverKeyExchange.dh_p)
if cipherSuite in CipherSuite.ecdhAllSuites:
self.ecdhCurve = serverKeyExchange.named_curve
#Send Certificate if we were asked for it
if certificateRequest:
# if a peer doesn't advertise support for any algorithm in TLSv1.2,
# support for SHA1+RSA can be assumed
if self.version == (3, 3)\
and not [sig for sig in \
certificateRequest.supported_signature_algs\
if sig[1] == SignatureAlgorithm.rsa]:
for result in self._sendError(\
AlertDescription.handshake_failure,
"Server doesn't accept any sigalgs we support: " +
str(certificateRequest.supported_signature_algs)):
yield result
if clientCertChain:
#Check to make sure we have the same type of
#certificates the server requested
if certificateType == CertificateType.x509 \
and not isinstance(clientCertChain, X509CertChain):
for result in self._sendError(\
AlertDescription.handshake_failure,
"Client certificate is of wrong type"):
yield result
clientCertificate = self._create_cert_msg(
"client", certificateRequest,
settings.certificate_compression_send, clientCertChain,
certificateType)
# we need to send the message even if we don't have a certificate
for result in self._sendMsg(clientCertificate):
yield result
else:
#Server didn't ask for cer, zeroise so session doesn't store them
privateKey = None
clientCertChain = None
try:
ske = serverKeyExchange
premasterSecret = keyExchange.processServerKeyExchange(publicKey,
ske)
except TLSInsufficientSecurity as e:
for result in self._sendError(\
AlertDescription.insufficient_security, e):
yield result
except TLSIllegalParameterException as e:
for result in self._sendError(\
AlertDescription.illegal_parameter, e):
yield result
clientKeyExchange = keyExchange.makeClientKeyExchange()
#Send ClientKeyExchange
for result in self._sendMsg(clientKeyExchange):
yield result
# the Extended Master Secret calculation uses the same handshake
# hashes as the Certificate Verify calculation so we need to
# make a copy of it
self._certificate_verify_handshake_hash = self._handshake_hash.copy()
#if client auth was requested and we have a private key, send a
#CertificateVerify
if certificateRequest and privateKey:
valid_sig_algs = self._sigHashesToList(settings, privateKey,
clientCertChain)
try:
certificateVerify = KeyExchange.makeCertificateVerify(
self.version,
self._certificate_verify_handshake_hash,
valid_sig_algs,
privateKey,
certificateRequest,
premasterSecret,
clientRandom,
serverRandom)
except TLSInternalError as exception:
for result in self._sendError(
AlertDescription.internal_error, exception):
yield result
for result in self._sendMsg(certificateVerify):
yield result
yield (premasterSecret, serverCertChain, clientCertChain, tackExt)
def _clientFinished(self, premasterSecret, clientRandom, serverRandom,
cipherSuite, cipherImplementations, nextProto,
settings):
masterSecret = self._calculate_master_secret(premasterSecret,
cipherSuite,
clientRandom,
serverRandom)
self._calcPendingStates(cipherSuite, masterSecret,
clientRandom, serverRandom,
cipherImplementations)
#Exchange ChangeCipherSpec and Finished messages
for result in self._sendFinished(masterSecret, cipherSuite, nextProto,
settings=settings):
yield result
self.sock.flush()
self.sock.buffer_writes = False
for result in self._getFinished(masterSecret,
cipherSuite,
nextProto=nextProto):
yield result
yield masterSecret
def _check_certchain_with_settings(self, cert_chain, settings):
"""
Verify that the key parameters match enabled ones.
Checks if the certificate key size matches the minimum and maximum
sizes set or that it uses curves enabled in settings
"""
#Get and check public key from the cert chain
publicKey = cert_chain.getEndEntityPublicKey()
cert_type = cert_chain.x509List[0].certAlg
if cert_type == "ecdsa":
curve_name = publicKey.curve_name
for name, aliases in CURVE_ALIASES.items():
if curve_name in aliases:
curve_name = name
break
if self.version <= (3, 3) and curve_name not in settings.eccCurves:
for result in self._sendError(
AlertDescription.handshake_failure,
"Peer sent certificate with curve we did not "
"advertise support for: {0}".format(curve_name)):
yield result
if self.version >= (3, 4):
if curve_name not in ('secp256r1', 'secp384r1', 'secp521r1',
'brainpoolP256r1', 'brainpoolP384r1',
'brainpoolP512r1'):
for result in self._sendError(
AlertDescription.illegal_parameter,
"Peer sent certificate with curve not supported "
"in TLS 1.3: {0}".format(curve_name)):
yield result
if curve_name == 'secp256r1':
sig_alg_for_curve = 'sha256'
elif curve_name == 'secp384r1':
sig_alg_for_curve = 'sha384'
elif curve_name == 'secp521r1':
sig_alg_for_curve = 'sha512'
elif curve_name == 'brainpoolP256r1':
sig_alg_for_curve = 'sha256'
elif curve_name == 'brainpoolP384r1':
sig_alg_for_curve = 'sha384'
else:
assert curve_name == 'brainpoolP512r1'
sig_alg_for_curve = 'sha512'
if sig_alg_for_curve not in settings.ecdsaSigHashes:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Peer selected certificate with ECDSA curve we "
"did not advertise support for: {0}"
.format(curve_name)):
yield result
elif cert_type in ("Ed25519", "Ed448"):
if self.version < (3, 3):
for result in self._sendError(
AlertDescription.illegal_parameter,
"Peer sent certificate incompatible with negotiated "
"TLS version"):
yield result
if cert_type not in settings.more_sig_schemes:
for result in self._sendError(
AlertDescription.handshake_failure,
"Peer sent certificate we did not advertise support "
"for: {0}".format(cert_type)):
yield result
else:
# for RSA and DSA keys
if len(publicKey) < settings.minKeySize:
for result in self._sendError(
AlertDescription.handshake_failure,
"Other party's public key too small: %d" %
len(publicKey)):
yield result
if len(publicKey) > settings.maxKeySize:
for result in self._sendError(
AlertDescription.handshake_failure,
"Other party's public key too large: %d" %
len(publicKey)):
yield result
yield publicKey
def _clientGetKeyFromChain(self, certificate, settings, tack_ext=None):
#Get and check cert chain from the Certificate message
cert_chain = certificate.cert_chain
if not cert_chain or cert_chain.getNumCerts() == 0:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Other party sent a Certificate message without "\
"certificates"):
yield result
for result in self._check_certchain_with_settings(
cert_chain,
settings):
if result in (0, 1):
yield result
else: break
public_key = result
# If there's no TLS Extension, look for a TACK cert
if tackpyLoaded:
if not tack_ext:
tack_ext = cert_chain.getTackExt()
# If there's a TACK (whether via TLS or TACK Cert), check that it
# matches the cert chain
if tack_ext and tack_ext.tacks:
for tack in tack_ext.tacks:
if not cert_chain.checkTack(tack):
for result in self._sendError(
AlertDescription.illegal_parameter,
"Other party's TACK doesn't match their public key"):
yield result
yield public_key, cert_chain, tack_ext
#*********************************************************
# Server Handshake Functions
#*********************************************************
def handshakeServer(self, verifierDB=None,
certChain=None, privateKey=None, reqCert=False,
sessionCache=None, settings=None, checker=None,
reqCAs = None,
tacks=None, activationFlags=0,
nextProtos=None, anon=False, alpn=None, sni=None):
"""Perform a handshake in the role of server.
This function performs an SSL or TLS handshake. Depending on
the arguments and the behavior of the client, this function can
perform an SRP, or certificate-based handshake. It
can also perform a combined SRP and server-certificate
handshake.
Like any handshake function, this can be called on a closed
TLS connection, or on a TLS connection that is already open.
If called on an open connection it performs a re-handshake.
This function does not send a Hello Request message before
performing the handshake, so if re-handshaking is required,
the server must signal the client to begin the re-handshake
through some other means.
If the function completes without raising an exception, the
TLS connection will be open and available for data transfer.
If an exception is raised, the connection will have been
automatically closed (if it was ever open).
:type verifierDB: ~tlslite.verifierdb.VerifierDB
:param verifierDB: A database of SRP password verifiers
associated with usernames. If the client performs an SRP
handshake, the session's srpUsername attribute will be set.
:type certChain: ~tlslite.x509certchain.X509CertChain
:param certChain: The certificate chain to be used if the
client requests server certificate authentication and no virtual
host defined in HandshakeSettings matches ClientHello.
:type privateKey: ~tlslite.utils.rsakey.RSAKey
:param privateKey: The private key to be used if the client
requests server certificate authentication and no virtual host
defined in HandshakeSettings matches ClientHello.
:type reqCert: bool
:param reqCert: Whether to request client certificate
authentication. This only applies if the client chooses server
certificate authentication; if the client chooses SRP
authentication, this will be ignored. If the client
performs a client certificate authentication, the sessions's
clientCertChain attribute will be set.
:type sessionCache: ~tlslite.sessioncache.SessionCache
:param sessionCache: An in-memory cache of resumable sessions.
The client can resume sessions from this cache. Alternatively,
if the client performs a full handshake, a new session will be
added to the cache.
:type settings: ~tlslite.handshakesettings.HandshakeSettings
:param settings: Various settings which can be used to control
the ciphersuites and SSL/TLS version chosen by the server.
:type checker: ~tlslite.checker.Checker
:param checker: A Checker instance. This instance will be
invoked to examine the other party's authentication
credentials, if the handshake completes succesfully.
:type reqCAs: list of bytearray
:param reqCAs: A collection of DER-encoded DistinguishedNames that
will be sent along with a certificate request to help client pick
a certificates. This does not affect verification.
:type nextProtos: list of str
:param nextProtos: A list of upper layer protocols to expose to the
clients through the Next-Protocol Negotiation Extension,
if they support it. Deprecated, use the `virtual_hosts` in
HandshakeSettings.
:type alpn: list of bytearray
:param alpn: names of application layer protocols supported.
Note that it will be used instead of NPN if both were advertised by
client. Deprecated, use the `virtual_hosts` in HandshakeSettings.
:type sni: bytearray
:param sni: expected virtual name hostname. Deprecated, use the
`virtual_hosts` in HandshakeSettings.
:raises socket.error: If a socket error occurs.
:raises tlslite.errors.TLSAbruptCloseError: If the socket is closed
without a preceding alert.
:raises tlslite.errors.TLSAlert: If a TLS alert is signalled.
:raises tlslite.errors.TLSAuthenticationError: If the checker
doesn't like the other party's authentication credentials.
"""
for result in self.handshakeServerAsync(verifierDB,
certChain, privateKey, reqCert, sessionCache, settings,
checker, reqCAs,
tacks=tacks, activationFlags=activationFlags,
nextProtos=nextProtos, anon=anon, alpn=alpn, sni=sni):
pass
def handshakeServerAsync(self, verifierDB=None,
certChain=None, privateKey=None, reqCert=False,
sessionCache=None, settings=None, checker=None,
reqCAs=None,
tacks=None, activationFlags=0,
nextProtos=None, anon=False, alpn=None, sni=None
):
"""Start a server handshake operation on the TLS connection.
This function returns a generator which behaves similarly to
handshakeServer(). Successive invocations of the generator
will return 0 if it is waiting to read from the socket, 1 if it is
waiting to write to the socket, or it will raise StopIteration
if the handshake operation is complete.
:rtype: iterable
:returns: A generator; see above for details.
"""
handshaker = self._handshakeServerAsyncHelper(\
verifierDB=verifierDB, cert_chain=certChain,
privateKey=privateKey, reqCert=reqCert,
sessionCache=sessionCache, settings=settings,
reqCAs=reqCAs,
tacks=tacks, activationFlags=activationFlags,
nextProtos=nextProtos, anon=anon, alpn=alpn, sni=sni)
for result in self._handshakeWrapperAsync(handshaker, checker):
yield result
def _handshakeServerAsyncHelper(self, verifierDB,
cert_chain, privateKey, reqCert,
sessionCache, settings, reqCAs, tacks,
activationFlags, nextProtos, anon, alpn,
sni):
self._handshakeStart(client=False)
if not settings:
settings = HandshakeSettings()
settings = settings.validate()
if (not verifierDB) and (not cert_chain) and not anon and \
not settings.pskConfigs and not settings.virtual_hosts:
raise ValueError("Caller passed no authentication credentials")
if cert_chain and not privateKey:
raise ValueError("Caller passed a cert_chain but no privateKey")
if privateKey and not cert_chain:
raise ValueError("Caller passed a privateKey but no cert_chain")
if reqCAs and not reqCert:
raise ValueError("Caller passed reqCAs but not reqCert")
if cert_chain and not isinstance(cert_chain, X509CertChain):
raise ValueError("Unrecognized certificate type")
if activationFlags and not tacks:
raise ValueError("Nonzero activationFlags requires tacks")
if tacks:
if not tackpyLoaded:
raise ValueError("tackpy is not loaded")
if not settings.useExperimentalTackExtension:
raise ValueError("useExperimentalTackExtension not enabled")
if alpn is not None and not alpn:
raise ValueError("Empty list of ALPN protocols")
self.sock.padding_cb = settings.padding_cb
# OK Start exchanging messages
# ******************************
# Handle ClientHello and resumption
for result in self._serverGetClientHello(settings, privateKey,
cert_chain,
verifierDB, sessionCache,
anon, alpn, sni):
if result in (0,1): yield result
elif result == None:
self._handshakeDone(resumed=True)
return # Handshake was resumed, we're done
else: break
(clientHello, version, cipherSuite, sig_scheme, privateKey,
cert_chain) = result
# in TLS 1.3 the handshake is completely different
# (extensions go into different messages, format of messages is
# different, etc.)
if version > (3, 3):
for result in self._serverTLS13Handshake(settings, clientHello,
cipherSuite,
privateKey, cert_chain,
version, sig_scheme,
alpn, reqCert):
if result in (0, 1):
yield result
else:
break
if result == "finished":
self._handshakeDone(resumed=False)
return
#If not a resumption...
# Create the ServerHello message
if sessionCache:
sessionID = getRandomBytes(32)
else:
sessionID = bytearray(0)
if not clientHello.supports_npn:
nextProtos = None
alpnExt = clientHello.getExtension(ExtensionType.alpn)
if alpnExt and alpn:
# if there's ALPN, don't do NPN
nextProtos = None
# If not doing a certificate-based suite, discard the TACK
if not cipherSuite in CipherSuite.certAllSuites and \
not cipherSuite in CipherSuite.ecdheEcdsaSuites:
tacks = None
# Prepare a TACK Extension if requested
if clientHello.tack:
tackExt = TackExtension.create(tacks, activationFlags)
else:
tackExt = None
extensions = []
# Prepare other extensions if requested
if settings.useEncryptThenMAC and \
clientHello.getExtension(ExtensionType.encrypt_then_mac) and \
cipherSuite not in CipherSuite.streamSuites and \
cipherSuite not in CipherSuite.aeadSuites:
extensions.append(TLSExtension().create(ExtensionType.
encrypt_then_mac,
bytearray(0)))
self._recordLayer.encryptThenMAC = True
if settings.useExtendedMasterSecret:
if clientHello.getExtension(ExtensionType.extended_master_secret):
extensions.append(TLSExtension().create(ExtensionType.
extended_master_secret,
bytearray(0)))
self.extendedMasterSecret = True
elif settings.requireExtendedMasterSecret:
for result in self._sendError(
AlertDescription.insufficient_security,
"Failed to negotiate Extended Master Secret"):
yield result
selectedALPN = None
if alpnExt and alpn:
for protoName in alpnExt.protocol_names:
if protoName in alpn:
selectedALPN = protoName
ext = ALPNExtension().create([protoName])
extensions.append(ext)
break
else:
for result in self._sendError(
AlertDescription.no_application_protocol,
"No mutually supported application layer protocols"):
yield result
# notify client that we understood its renegotiation info extension
# or SCSV
secureRenego = False
renegoExt = clientHello.getExtension(ExtensionType.renegotiation_info)
if renegoExt:
if renegoExt.renegotiated_connection:
for result in self._sendError(
AlertDescription.handshake_failure,
"Non empty renegotiation info extension in "
"initial Client Hello"):
yield result
secureRenego = True
elif CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV in \
clientHello.cipher_suites:
secureRenego = True
if secureRenego:
extensions.append(RenegotiationInfoExtension()
.create(bytearray(0)))
# tell the client what point formats we support
if clientHello.getExtension(ExtensionType.ec_point_formats):
# even though the selected cipher may not use ECC, client may want
# to send a CA certificate with ECDSA...
if settings.ec_point_formats:
extensions.append(ECPointFormatsExtension().
create(settings.ec_point_formats))
# if client sent Heartbeat extension
if clientHello.getExtension(ExtensionType.heartbeat):
# and we want to accept it
if settings.use_heartbeat_extension:
extensions.append(HeartbeatExtension().create(
HeartbeatMode.PEER_ALLOWED_TO_SEND))
if clientHello.getExtension(ExtensionType.record_size_limit) and \
settings.record_size_limit:
# in TLS 1.2 and earlier we can select at most 2^14B records
extensions.append(RecordSizeLimitExtension().create(
min(2**14, settings.record_size_limit)))
# If the client indicates that it supports resumption using
# session_ticket extension, we send a zero len extension to indicate
# that we are going to
# send a new ticket in a NewSessionTicket message
send_session_ticket = False
session_ticket = clientHello.getExtension(ExtensionType.session_ticket)
enable_ticket = settings.ticket_count > 0 and settings.ticketKeys
if session_ticket and len(session_ticket.ticket) == 0 \
and enable_ticket:
send_session_ticket = True
extensions.append(SessionTicketExtension().create(
bytearray(0)))
# don't send empty list of extensions
if not extensions:
extensions = None
serverHello = ServerHello()
# RFC 8446, section 4.1.3
random = getRandomBytes(32)
if version == (3, 3) and settings.maxVersion > (3, 3):
random[-8:] = TLS_1_2_DOWNGRADE_SENTINEL
if version < (3, 3) and settings.maxVersion >= (3, 3):
random[-8:] = TLS_1_1_DOWNGRADE_SENTINEL
serverHello.create(self.version, random, sessionID,
cipherSuite, CertificateType.x509, tackExt,
nextProtos, extensions=extensions)
# Perform the SRP key exchange
clientCertChain = None
if cipherSuite in CipherSuite.srpAllSuites:
for result in self._serverSRPKeyExchange(clientHello, serverHello,
verifierDB, cipherSuite,
privateKey, cert_chain,
settings):
if result in (0, 1):
yield result
else: break
premasterSecret, privateKey, cert_chain = result
# Perform a certificate-based key exchange
elif (cipherSuite in CipherSuite.certSuites or
cipherSuite in CipherSuite.dheCertSuites or
cipherSuite in CipherSuite.dheDsaSuites or
cipherSuite in CipherSuite.ecdheCertSuites or
cipherSuite in CipherSuite.ecdheEcdsaSuites):
try:
sig_hash_alg, cert_chain, privateKey = \
self._pickServerKeyExchangeSig(settings,
clientHello,
cert_chain,
privateKey)
except TLSHandshakeFailure as alert:
for result in self._sendError(
AlertDescription.handshake_failure,
str(alert)):
yield result
if cipherSuite in CipherSuite.certSuites:
keyExchange = RSAKeyExchange(cipherSuite,
clientHello,
serverHello,
privateKey)
elif cipherSuite in CipherSuite.dheCertSuites or \
cipherSuite in CipherSuite.dheDsaSuites:
dhGroups = self._groupNamesToList(settings)
keyExchange = DHE_RSAKeyExchange(cipherSuite,
clientHello,
serverHello,
privateKey,
settings.dhParams,
dhGroups)
elif cipherSuite in CipherSuite.ecdheCertSuites or \
cipherSuite in CipherSuite.ecdheEcdsaSuites:
acceptedCurves = self._curveNamesToList(settings, version)
defaultCurve = getattr(GroupName, settings.defaultCurve)
keyExchange = ECDHE_RSAKeyExchange(cipherSuite,
clientHello,
serverHello,
privateKey,
acceptedCurves,
defaultCurve)
else:
assert(False)
for result in self._serverCertKeyExchange(clientHello, serverHello,
sig_hash_alg, cert_chain, keyExchange,
reqCert, reqCAs, cipherSuite,
settings):
if result in (0,1): yield result
else: break
(premasterSecret, clientCertChain) = result
# Perform anonymous Diffie Hellman key exchange
elif (cipherSuite in CipherSuite.anonSuites or
cipherSuite in CipherSuite.ecdhAnonSuites):
if cipherSuite in CipherSuite.anonSuites:
dhGroups = self._groupNamesToList(settings)
keyExchange = ADHKeyExchange(cipherSuite, clientHello,
serverHello, settings.dhParams,
dhGroups)
else:
acceptedCurves = self._curveNamesToList(settings, version)
defaultCurve = getattr(GroupName, settings.defaultCurve)
keyExchange = AECDHKeyExchange(cipherSuite, clientHello,
serverHello, acceptedCurves,
defaultCurve)
for result in self._serverAnonKeyExchange(serverHello, keyExchange,
cipherSuite):
if result in (0,1): yield result
else: break
premasterSecret = result
else:
assert(False)
# Create the session object
self.session = Session()
if cipherSuite in CipherSuite.certAllSuites or \
cipherSuite in CipherSuite.ecdheEcdsaSuites:
serverCertChain = cert_chain
else:
serverCertChain = None
srpUsername = None
serverName = None
if clientHello.srp_username:
srpUsername = clientHello.srp_username.decode("utf-8")
if clientHello.server_name:
serverName = clientHello.server_name.decode("utf-8")
ext_ec_point = ECPointFormat.uncompressed
if version < (3, 4):
ext_c = clientHello.getExtension(ExtensionType.ec_point_formats)
ext_s = serverHello.getExtension(ExtensionType.ec_point_formats)
if ext_c and ext_s:
try:
ext_ec_point = next((i for i in ext_c.formats \
if i in ext_s.formats))
except StopIteration as alert:
for result in self._sendError(
AlertDescription.illegal_parameter,
str(alert)):
yield result
# We'll update the session master secret once it is calculated
# in _serverFinished
self.session.create(b"", serverHello.session_id, cipherSuite,
srpUsername, clientCertChain, serverCertChain,
tackExt, (serverHello.tackExt is not None),
serverName,
encryptThenMAC=
self._recordLayer._get_pending_state_etm(),
extendedMasterSecret=self.extendedMasterSecret,
appProto=selectedALPN,
# NOTE it must be a reference, not a copy!
tickets=self.tickets,
ec_point_format=ext_ec_point)
# Exchange Finished messages
for result in self._serverFinished(premasterSecret,
clientHello.random, serverHello.random,
cipherSuite, settings.cipherImplementations,
nextProtos, settings, send_session_ticket,
clientCertChain):
if result in (0,1): yield result
else: break
#Add the session object to the session cache
if sessionCache and sessionID:
sessionCache[sessionID] = self.session
self._handshakeDone(resumed=False)
self._serverRandom = serverHello.random
self._clientRandom = clientHello.random
def request_post_handshake_auth(self, settings=None):
"""
Request Post-handshake Authentication from client.
The PHA process is asynchronous, and client may send some data before
its certificates are added to Session object. Calling this generator
will only request for the new identity of client, it will not wait for
it.
"""
if self.version != (3, 4):
raise ValueError("PHA is supported only in TLS 1.3")
if self._client:
raise ValueError("PHA can only be requested by server")
if not self._pha_supported:
raise ValueError("PHA not supported by client")
settings = settings or HandshakeSettings()
settings = settings.validate()
valid_sig_algs = self._sigHashesToList(settings)
if not valid_sig_algs:
raise ValueError("No signature algorithms enabled in "
"HandshakeSettings")
context = bytes(getRandomBytes(32))
certificate_request = CertificateRequest(self.version)
extensions = []
if self.version >= (3, 4):
if settings:
algos_numbers = [
getattr(CertificateCompressionAlgorithm, algo) for algo
in settings.certificate_compression_receive
]
extensions.append(CompressedCertificateExtension().create(
algos_numbers))
certificate_request.create(context=context, sig_algs=valid_sig_algs,
extensions=extensions)
self._cert_requests[context] = certificate_request
for result in self._sendMsg(certificate_request):
yield result
@staticmethod
def _derive_key_iv(nonce, user_key, settings):
"""Derive the IV and key for session ticket encryption."""
if settings.ticketCipher == "aes128gcm":
prf_name = "sha256"
prf_size = 32
else:
prf_name = "sha384"
prf_size = 48
# mix the nonce with the key set by user
secret = bytearray(prf_size)
secret = secureHMAC(secret, nonce, prf_name)
secret = derive_secret(secret, bytearray(b'derived'), None, prf_name)
secret = secureHMAC(secret, user_key, prf_name)
ticket_secret = derive_secret(secret,
bytearray(b'SessionTicket secret'),
None, prf_name)
key = HKDF_expand_label(ticket_secret, b"key", b"", len(user_key),
prf_name)
# all AEADs use 12 byte long IV
iv = HKDF_expand_label(ticket_secret, b"iv", b"", 12, prf_name)
return key, iv
def _serverSendTickets(self, settings):
"""Send session tickets to client."""
if not settings.ticketKeys:
return
if self.version < (3, 4):
secret = self.session.masterSecret
else:
secret = self.session.resumptionMasterSecret
# make sure we send at most one ticket in TLS 1.2 and earlier
for _ in range(settings.ticket_count if self.version > (3, 3) else
int(bool(settings.ticket_count))):
# prepare the ticket
ticket = SessionTicketPayload()
ticket.create(secret,
self.version,
self.session.cipherSuite,
int(time.time()),
getRandomBytes(len(settings.ticketKeys[0])),
client_cert_chain=self.session.clientCertChain,
encrypt_then_mac=
self._recordLayer._get_pending_state_etm(),
extended_master_secret=self.extendedMasterSecret,
server_name=self.session.serverName.encode("utf-8")
if self.session.serverName else bytearray())
# encrypt the ticket
# generate keys for the encryption
nonce = getRandomBytes(32)
key, iv = self._derive_key_iv(nonce, settings.ticketKeys[0],
settings)
if settings.ticketCipher in ("aes128gcm", "aes256gcm"):
cipher = createAESGCM(key,
settings.cipherImplementations)
elif settings.ticketCipher in ("aes128ccm", "aes256ccm"):
cipher = createAESCCM(key, settings.cipherImplementations)
elif settings.ticketCipher in ("aes128ccm_8", "aes256ccm_8"):
cipher = createAESCCM_8(key, settings.cipherImplementations)
else:
assert settings.ticketCipher == "chacha20-poly1305"
cipher = createCHACHA20(key,
settings.cipherImplementations)
encrypted_ticket = cipher.seal(iv, ticket.write(), b'')
# encapsulate the ticket and send to client
if self.version < (3, 4):
new_ticket = NewSessionTicket1_0()
new_ticket.create(settings.ticketLifetime,
nonce + encrypted_ticket)
self.tls_1_0_tickets.append(encrypted_ticket)
else:
new_ticket = NewSessionTicket()
new_ticket.create(settings.ticketLifetime,
getRandomNumber(1, 8**4),
ticket.nonce,
nonce + encrypted_ticket,
[])
self._queue_message(new_ticket)
# send tickets to client
if settings.ticket_count:
for result in self._queue_flush():
yield result
def _tryDecrypt(self, settings, identity=None, ticket=None):
if not settings.ticketKeys:
return None, None
if self.version < (3, 4):
assert ticket
nonce, encrypted_ticket = ticket[:32], ticket[32:]
else:
assert identity
if len(identity.identity) < 33:
# too small for an encrypted ticket
return None, None
nonce, encrypted_ticket = identity.identity[:32], identity.identity[32:]
for user_key in settings.ticketKeys:
key, iv = self._derive_key_iv(nonce, user_key, settings)
if settings.ticketCipher in ("aes128gcm", "aes256gcm"):
cipher = createAESGCM(key, settings.cipherImplementations)
elif settings.ticketCipher in ("aes128ccm", "aes256ccm"):
cipher = createAESCCM(key, settings.cipherImplementations)
elif settings.ticketCipher in ("aes128ccm_8", "aes256ccm_8"):
cipher = createAESCCM_8(key, settings.cipherImplementations)
else:
assert settings.ticketCipher == "chacha20-poly1305"
cipher = createCHACHA20(key, settings.cipherImplementations)
ticket = cipher.open(iv, encrypted_ticket, b'')
if not ticket:
continue
parser = Parser(ticket)
try:
ticket = SessionTicketPayload().parse(parser)
except ValueError:
continue
if self.version < (3, 4):
return None, ticket
prf = 'sha384' if ticket.cipher_suite \
in CipherSuite.sha384PrfSuites else 'sha256'
new_sess_ticket = NewSessionTicket()
new_sess_ticket.ticket_nonce = ticket.nonce
new_sess_ticket.ticket = identity.identity
psk = HandshakeHelpers.calc_res_binder_psk(identity,
ticket.master_secret,
[new_sess_ticket])
return ((identity.identity, psk, prf), ticket)
# no working keys
return None, None
def _serverTLS13Handshake(self, settings, clientHello, cipherSuite,
privateKey, serverCertChain, version, scheme,
srv_alpns, reqCert):
"""Perform a TLS 1.3 handshake"""
prf_name, prf_size = self._getPRFParams(cipherSuite)
cert_req_comp_cert_ext = None
secret = bytearray(prf_size)
share = clientHello.getExtension(ExtensionType.key_share)
if share:
share_ids = [i.group for i in share.client_shares]
for group_name in chain(settings.keyShares, settings.eccCurves,
settings.dhGroups):
selected_group = getattr(GroupName, group_name)
if selected_group in share_ids:
cl_key_share = next(i for i in share.client_shares
if i.group == selected_group)
break
else:
for result in self._sendError(AlertDescription.internal_error,
"HRR did not work?!"):
yield result
comp_cert_ext = clientHello.getExtension(
ExtensionType.compress_certificate)
if comp_cert_ext and not comp_cert_ext.algorithms:
for result in self._sendError(
AlertDescription.decode_error,
"Empty algorithm list in compress_certificate extension"):
yield result
psk = None
selected_psk = None
resumed_client_cert_chain = None
psks = clientHello.getExtension(ExtensionType.pre_shared_key)
psk_types = clientHello.getExtension(
ExtensionType.psk_key_exchange_modes)
if psks and (PskKeyExchangeMode.psk_dhe_ke in psk_types.modes or
PskKeyExchangeMode.psk_ke in psk_types.modes) and \
(settings.pskConfigs or settings.ticketKeys):
for i, ident in enumerate(psks.identities):
ticket = None
external = True
match = [j for j in settings.pskConfigs
if j[0] == ident.identity]
if not match:
(match, ticket) = self._tryDecrypt(settings, ident)
external = False
if not match:
continue
match = [match]
# check if the ticket version matches
# but with PSK we don't have a ticket, but we still can have a
# binder value, so `match` will be non-null
if ticket and self.version != ticket.protocol_version:
continue
# check if PSK can be used with selected cipher suite
psk_hash = match[0][2] if len(match[0]) > 2 else 'sha256'
if psk_hash != prf_name:
continue
psk = match[0][1]
selected_psk = i
if ticket:
resumed_client_cert_chain = ticket.client_cert_chain
try:
HandshakeHelpers.verify_binder(
clientHello,
self._pre_client_hello_handshake_hash,
selected_psk,
psk,
psk_hash,
external)
except TLSIllegalParameterException as e:
for result in self._sendError(
AlertDescription.illegal_parameter,
str(e)):
yield result
break
sh_extensions = []
# we need to gen key share either when we selected psk_dhe_ke or
# regular certificate authenticated key exchange (the default)
if (psk and
PskKeyExchangeMode.psk_dhe_ke in psk_types.modes and
"psk_dhe_ke" in settings.psk_modes) or\
(psk is None and privateKey):
self.ecdhCurve = selected_group
kex = self._getKEX(selected_group, version)
if selected_group in GroupName.allKEM:
try:
shared_sec, key_share = self._KEMEncaps(
selected_group,
cl_key_share.key_exchange)
except TLSIllegalParameterException as alert:
for result in self._sendError(
AlertDescription.illegal_parameter,
str(alert)):
yield result
else:
key_share = self._genKeyShareEntry(selected_group, version)
try:
shared_sec = kex.calc_shared_key(key_share.private,
cl_key_share.key_exchange)
except TLSIllegalParameterException as alert:
for result in self._sendError(
AlertDescription.illegal_parameter,
str(alert)):
yield result
sh_extensions.append(ServerKeyShareExtension().create(key_share))
elif (psk is not None and
PskKeyExchangeMode.psk_ke in psk_types.modes and
"psk_ke" in settings.psk_modes):
shared_sec = bytearray(prf_size)
else:
for result in self._sendError(
AlertDescription.handshake_failure,
"Could not find acceptable PSK identity nor certificate"):
yield result
if psk is None:
psk = bytearray(prf_size)
sh_extensions.append(SrvSupportedVersionsExtension().create(version))
if selected_psk is not None:
sh_extensions.append(SrvPreSharedKeyExtension()
.create(selected_psk))
serverHello = ServerHello()
# in TLS1.3 the version selected is sent in extension, (3, 3) is
# just dummy value to workaround broken middleboxes
serverHello.create((3, 3), getRandomBytes(32),
clientHello.session_id,
cipherSuite, extensions=sh_extensions)
msgs = []
msgs.append(serverHello)
if not self._ccs_sent and clientHello.session_id:
ccs = ChangeCipherSpec().create()
msgs.append(ccs)
for result in self._sendMsgs(msgs):
yield result
# Early secret
secret = secureHMAC(secret, psk, prf_name)
# Handshake Secret
secret = derive_secret(secret, bytearray(b'derived'), None, prf_name)
secret = secureHMAC(secret, shared_sec, prf_name)
sr_handshake_traffic_secret = derive_secret(secret,
bytearray(b's hs traffic'),
self._handshake_hash,
prf_name)
cl_handshake_traffic_secret = derive_secret(secret,
bytearray(b'c hs traffic'),
self._handshake_hash,
prf_name)
self.version = version
self._recordLayer.calcTLS1_3PendingState(
cipherSuite,
cl_handshake_traffic_secret,
sr_handshake_traffic_secret,
settings.cipherImplementations)
self._changeWriteState()
ee_extensions = []
if clientHello.getExtension(ExtensionType.record_size_limit) and \
settings.record_size_limit:
ee_extensions.append(RecordSizeLimitExtension().create(
min(2**14+1, settings.record_size_limit)))
# a bit of a hack to detect if the HRR was sent
# as that means that original key share didn't match what we wanted
# send the client updated list of shares we support,
# preferred ones first
if clientHello.getExtension(ExtensionType.cookie):
ext = SupportedGroupsExtension()
groups = [getattr(GroupName, i) for i in settings.keyShares]
groups += [getattr(GroupName, i) for i in settings.eccCurves
if getattr(GroupName, i) not in groups]
groups += [getattr(GroupName, i) for i in settings.dhGroups
if getattr(GroupName, i) not in groups]
if groups:
ext.create(groups)
ee_extensions.append(ext)
alpn_ext = clientHello.getExtension(ExtensionType.alpn)
if alpn_ext:
# error handling was done when receiving ClientHello
matched = [i for i in alpn_ext.protocol_names if i in srv_alpns]
if matched:
ext = ALPNExtension().create([matched[0]])
ee_extensions.append(ext)
if clientHello.getExtension(ExtensionType.heartbeat):
if settings.use_heartbeat_extension:
ee_extensions.append(HeartbeatExtension().create(
HeartbeatMode.PEER_ALLOWED_TO_SEND))
encryptedExtensions = EncryptedExtensions().create(ee_extensions)
self._queue_message(encryptedExtensions)
if selected_psk is None:
# optionally send the client a certificate request
if reqCert:
# the context SHALL be zero length except in post-handshake
ctx = b''
# Get list of valid Signing Algorithms
# DSA is not supported for TLS 1.3
cr_settings = settings.validate()
cr_settings.dsaSigHashes = []
valid_sig_algs = self._sigHashesToList(
cr_settings,
version=self.version)
assert valid_sig_algs
extensions = []
if self.version >= (3, 4):
algos_numbers = [
getattr(CertificateCompressionAlgorithm, algo) for algo
in settings.certificate_compression_receive
]
cert_req_comp_cert_ext = CompressedCertificateExtension()\
.create(algos_numbers)
extensions.append(cert_req_comp_cert_ext)
certificate_request = CertificateRequest(self.version)
certificate_request.create(
context=ctx, sig_algs=valid_sig_algs,
extensions=extensions)
self._queue_message(certificate_request)
certificate = self._create_cert_msg(
"server", clientHello, settings.certificate_compression_send,
serverCertChain, CertificateType.x509, bytearray(),
self.version)
self._queue_message(certificate)
certificate_verify = CertificateVerify(self.version)
signature_scheme = getattr(SignatureScheme, scheme)
self.serverSigAlg = signature_scheme
signature_context = \
KeyExchange.calcVerifyBytes((3, 4), self._handshake_hash,
signature_scheme, None, None, None,
prf_name, b'server')
if signature_scheme in (SignatureScheme.ed25519,
SignatureScheme.ed448):
hashName = "intrinsic"
padType = None
saltLen = None
sig_func = privateKey.hashAndSign
ver_func = privateKey.hashAndVerify
elif signature_scheme[1] == SignatureAlgorithm.ecdsa:
hashName = HashAlgorithm.toRepr(signature_scheme[0])
padType = None
saltLen = None
sig_func = privateKey.sign
ver_func = privateKey.verify
elif signature_scheme in TLS_1_3_BRAINPOOL_SIG_SCHEMES:
hashName = SignatureScheme.getHash(scheme)
padType = None
saltLen = None
sig_func = privateKey.sign
ver_func = privateKey.verify
else:
padType = SignatureScheme.getPadding(scheme)
hashName = SignatureScheme.getHash(scheme)
saltLen = getattr(hashlib, hashName)().digest_size
sig_func = privateKey.sign
ver_func = privateKey.verify
signature = sig_func(signature_context,
padType,
hashName,
saltLen)
if not ver_func(signature, signature_context,
padType,
hashName,
saltLen):
for result in self._sendError(
AlertDescription.internal_error,
"Certificate Verify signature failed"):
yield result
certificate_verify.create(signature, signature_scheme)
self._queue_message(certificate_verify)
finished_key = HKDF_expand_label(sr_handshake_traffic_secret,
b"finished", b'', prf_size, prf_name)
verify_data = secureHMAC(finished_key,
self._handshake_hash.digest(prf_name),
prf_name)
finished = Finished(self.version, prf_size).create(verify_data)
self._queue_message(finished)
for result in self._queue_flush():
yield result
self._changeReadState()
# Master secret
secret = derive_secret(secret, bytearray(b'derived'), None, prf_name)
secret = secureHMAC(secret, bytearray(prf_size), prf_name)
cl_app_traffic = derive_secret(secret, bytearray(b'c ap traffic'),
self._handshake_hash, prf_name)
sr_app_traffic = derive_secret(secret, bytearray(b's ap traffic'),
self._handshake_hash, prf_name)
self._recordLayer.calcTLS1_3PendingState(serverHello.cipher_suite,
cl_app_traffic,
sr_app_traffic,
settings
.cipherImplementations)
# all the messages sent by the server after the Finished message
# MUST be encrypted with ap traffic secret, even if they regard
# problems in processing client Certificate, CertificateVerify or
# Finished messages
self._changeWriteState()
client_cert_chain = None
#Get [Certificate,] (if was requested)
if reqCert and selected_psk is None:
if cert_req_comp_cert_ext:
expected_msg = (HandshakeType.certificate,
HandshakeType.compressed_certificate)
else:
expected_msg = (HandshakeType.certificate)
for result in self._getMsg(ContentType.handshake, expected_msg,
CertificateType.x509):
if result in (0, 1):
yield result
else:
break
client_certificate = result
if isinstance(client_certificate, CompressedCertificate):
self.client_cert_compression_algo = \
CertificateCompressionAlgorithm.toStr(
client_certificate.compression_algo)
else:
assert isinstance(client_certificate, Certificate)
client_cert_chain = client_certificate.cert_chain
#Get and check CertificateVerify, if relevant
cli_cert_verify_hh = self._handshake_hash.copy()
if client_cert_chain and client_cert_chain.getNumCerts():
for result in self._getMsg(ContentType.handshake,
HandshakeType.certificate_verify):
if result in (0, 1):
yield result
else: break
certificate_verify = result
assert isinstance(certificate_verify, CertificateVerify)
signature_scheme = certificate_verify.signatureAlgorithm
valid_sig_algs = self._sigHashesToList(settings,
certList=client_cert_chain,
version=(3, 4))
if signature_scheme not in valid_sig_algs:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Invalid signature on Certificate Verify"):
yield result
signature_context = \
KeyExchange.calcVerifyBytes((3, 4), cli_cert_verify_hh,
signature_scheme, None, None, None,
prf_name, b'client')
public_key = client_cert_chain.getEndEntityPublicKey()
if signature_scheme in (SignatureScheme.ed25519,
SignatureScheme.ed448):
hash_name = "intrinsic"
pad_type = None
salt_len = None
ver_func = public_key.hashAndVerify
elif signature_scheme[1] == SignatureAlgorithm.ecdsa:
hash_name = HashAlgorithm.toRepr(signature_scheme[0])
pad_type = None
salt_len = None
ver_func = public_key.verify
elif signature_scheme in TLS_1_3_BRAINPOOL_SIG_SCHEMES:
pad_type = None
salt_len = None
hash_name = SignatureScheme.getHash(scheme)
ver_func = public_key.verify
else:
scheme = SignatureScheme.toRepr(signature_scheme)
pad_type = SignatureScheme.getPadding(scheme)
hash_name = SignatureScheme.getHash(scheme)
salt_len = getattr(hashlib, hash_name)().digest_size
ver_func = public_key.verify
if not ver_func(certificate_verify.signature,
signature_context,
pad_type,
hash_name,
salt_len):
for result in self._sendError(
AlertDescription.decrypt_error,
"signature verification failed"):
yield result
# as both exporter and resumption master secrets include handshake
# transcript, we need to derive them early
exporter_master_secret = derive_secret(secret,
bytearray(b'exp master'),
self._handshake_hash,
prf_name)
# verify Finished of client
cl_finished_key = HKDF_expand_label(cl_handshake_traffic_secret,
b"finished", b'',
prf_size, prf_name)
cl_verify_data = secureHMAC(cl_finished_key,
self._handshake_hash.digest(prf_name),
prf_name)
for result in self._getMsg(ContentType.handshake,
HandshakeType.finished,
prf_size):
if result in (0, 1):
yield result
else:
break
cl_finished = result
assert isinstance(cl_finished, Finished)
if cl_finished.verify_data != cl_verify_data:
for result in self._sendError(
AlertDescription.decrypt_error,
"Finished value is not valid"):
yield result
# disallow CCS messages after handshake
self._middlebox_compat_mode = False
resumption_master_secret = derive_secret(secret,
bytearray(b'res master'),
self._handshake_hash,
prf_name)
self._first_handshake_hashes = self._handshake_hash.copy()
self.session = Session()
self.extendedMasterSecret = True
server_name = None
if clientHello.server_name:
server_name = clientHello.server_name.decode('utf-8')
app_proto = None
alpnExt = encryptedExtensions.getExtension(ExtensionType.alpn)
if alpnExt:
app_proto = alpnExt.protocol_names[0]
if not client_cert_chain and resumed_client_cert_chain:
client_cert_chain = resumed_client_cert_chain
self.session.create(secret,
bytearray(b''), # no session_id
serverHello.cipher_suite,
bytearray(b''), # no SRP
client_cert_chain,
serverCertChain,
None,
False,
server_name,
encryptThenMAC=False,
extendedMasterSecret=True,
appProto=app_proto,
cl_app_secret=cl_app_traffic,
sr_app_secret=sr_app_traffic,
exporterMasterSecret=exporter_master_secret,
resumptionMasterSecret=resumption_master_secret,
# NOTE it must be a reference, not a copy
tickets=self.tickets)
# switch to application_traffic_secret for client packets
self._changeReadState()
for result in self._serverSendTickets(settings):
yield result
yield "finished"
def _ticket_to_session(self, settings, ticket_ext):
if not ticket_ext.ticket:
return None
_, ticket = self._tryDecrypt(settings, ticket=ticket_ext.ticket)
if not ticket:
return None
if ticket.creation_time + settings.ticketLifetime < time.time():
return None
session = Session()
session.create(ticket.master_secret,
b'', # no session_id
ticket.cipher_suite,
'', # not SRP
ticket.client_cert_chain,
None, # no server cert chain
None, # no TACK
False, # no TACK
serverName=ticket.server_name.decode("utf-8") if
ticket.server_name else "",
encryptThenMAC=ticket.encrypt_then_mac,
extendedMasterSecret=ticket.extended_master_secret,
ec_point_format=0)
return session
def _serverGetClientHello(self, settings, private_key, cert_chain,
verifierDB,
sessionCache, anon, alpn, sni):
# Tentatively set version to most-desirable version, so if an error
# occurs parsing the ClientHello, this will be the version we'll use
# for the error alert
# If TLS 1.3 is enabled, use the "compatible" TLS 1.2 version
self.version = min(settings.maxVersion, (3, 3))
self._pre_client_hello_handshake_hash = self._handshake_hash.copy()
#Get ClientHello
for result in self._getMsg(ContentType.handshake,
HandshakeType.client_hello):
if result in (0,1): yield result
else: break
clientHello = result
# check if the ClientHello and its extensions are well-formed
#If client's version is too low, reject it
real_version = clientHello.client_version
if real_version >= (3, 3):
ext = clientHello.getExtension(ExtensionType.supported_versions)
if ext:
for v in ext.versions:
if v in KNOWN_VERSIONS and v > real_version:
real_version = v
if real_version < settings.minVersion:
self.version = settings.minVersion
for result in self._sendError(\
AlertDescription.protocol_version,
"Too old version: %s" % str(clientHello.client_version)):
yield result
# there MUST be at least one value in both of those
if not clientHello.cipher_suites or \
not clientHello.compression_methods:
for result in self._sendError(
AlertDescription.decode_error,
"Malformed Client Hello message"):
yield result
# client hello MUST advertise uncompressed method
if 0 not in clientHello.compression_methods:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Client Hello missing uncompressed method"):
yield result
# the list of signatures methods is defined as <2..2^16-2>, which
# means it can't be empty, but it's only applicable to TLSv1.2 protocol
ext = clientHello.getExtension(ExtensionType.signature_algorithms)
if clientHello.client_version >= (3, 3) and ext and not ext.sigalgs:
for result in self._sendError(
AlertDescription.decode_error,
"Malformed signature_algorithms extension"):
yield result
# Sanity check the ALPN extension
alpnExt = clientHello.getExtension(ExtensionType.alpn)
if alpnExt:
if not alpnExt.protocol_names:
for result in self._sendError(
AlertDescription.decode_error,
"Client sent empty list of ALPN names"):
yield result
for protocolName in alpnExt.protocol_names:
if not protocolName:
for result in self._sendError(
AlertDescription.decode_error,
"Client sent empty name in ALPN extension"):
yield result
# Sanity check the SNI extension
sniExt = clientHello.getExtension(ExtensionType.server_name)
# check if extension is well formed
if sniExt and (not sniExt.extData or not sniExt.serverNames):
for result in self._sendError(
AlertDescription.decode_error,
"Recevived SNI extension is malformed"):
yield result
if sniExt and sniExt.hostNames:
# RFC 6066 limitation
if len(sniExt.hostNames) > 1:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Client sent multiple host names in SNI extension"):
yield result
if not sniExt.hostNames[0]:
for result in self._sendError(
AlertDescription.decode_error,
"Received SNI extension is malformed"):
yield result
try:
name = sniExt.hostNames[0].decode('ascii', 'strict')
except UnicodeDecodeError:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Host name in SNI is not valid ASCII"):
yield result
if not is_valid_hostname(name):
for result in self._sendError(
AlertDescription.illegal_parameter,
"Host name in SNI is not valid DNS name"):
yield result
# sanity check the EMS extension
emsExt = clientHello.getExtension(ExtensionType.extended_master_secret)
if emsExt and emsExt.extData:
for result in self._sendError(
AlertDescription.decode_error,
"Non empty payload of the Extended "
"Master Secret extension"):
yield result
# sanity check the ec point formats extension
ecExt = clientHello.getExtension(ExtensionType.ec_point_formats)
if ecExt:
if not ecExt.formats:
for result in self._sendError(
AlertDescription.decode_error,
"Empty ec_point_formats extension"):
yield result
if ECPointFormat.uncompressed not in ecExt.formats:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Client sent ec_point_formats extension "
"without uncompressed format"):
yield result
# sanity check the TLS 1.3 extensions
ver_ext = clientHello.getExtension(ExtensionType.supported_versions)
if ver_ext and (3, 4) in ver_ext.versions:
psk = clientHello.getExtension(ExtensionType.pre_shared_key)
psk_modes = clientHello.getExtension(
ExtensionType.psk_key_exchange_modes)
key_share = clientHello.getExtension(ExtensionType.key_share)
sup_groups = clientHello.getExtension(
ExtensionType.supported_groups)
pha = clientHello.getExtension(ExtensionType.post_handshake_auth)
if pha:
if pha.extData:
for result in self._sendError(
AlertDescription.decode_error,
"Invalid encoding of post_handshake_auth extension"
):
yield result
self._pha_supported = True
key_exchange = None
if psk_modes:
if not psk_modes.modes:
for result in self._sendError(
AlertDescription.decode_error,
"Empty psk_key_exchange_modes extension"):
yield result
# psk_ke
if psk:
if not psk.identities:
for result in self._sendError(
AlertDescription.decode_error,
"No identities in PSK extension"):
yield result
if not psk.binders:
for result in self._sendError(
AlertDescription.decode_error,
"No binders in PSK extension"):
yield result
if len(psk.identities) != len(psk.binders):
for result in self._sendError(
AlertDescription.illegal_parameter,
"Number of identities does not match number of "
"binders in PSK extension"):
yield result
if any(not i.identity for i in psk.identities):
for result in self._sendError(
AlertDescription.decoder_error,
"Empty identity in PSK extension"):
yield result
if any(not i for i in psk.binders):
for result in self._sendError(
AlertDescription.decoder_error,
"Empty binder in PSK extension"):
yield result
if psk is not clientHello.extensions[-1]:
for result in self._sendError(
AlertDescription.illegal_parameter,
"PSK extension not last in client hello"):
yield result
if not psk_modes:
for result in self._sendError(
AlertDescription.missing_extension,
"PSK extension without psk_key_exchange_modes "
"extension"):
yield result
if PskKeyExchangeMode.psk_dhe_ke not in psk_modes.modes:
key_exchange = "psk_ke"
# cert
if not key_exchange:
if not sup_groups:
for result in self._sendError(
AlertDescription.missing_extension,
"Missing supported_groups extension"):
yield result
if not key_share:
for result in self._sendError(
AlertDescription.missing_extension,
"Missing key_share extension"):
yield result
if not sup_groups.groups:
for result in self._sendError(
AlertDescription.decode_error,
"Empty supported_groups extension"):
yield result
if key_share.client_shares is None:
for result in self._sendError(
AlertDescription.decode_error,
"Empty key_share extension"):
yield result
# check supported_groups
if TLS_1_3_FORBIDDEN_GROUPS.intersection(sup_groups.groups) \
and (3, 3) not in ver_ext.versions:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Client advertised in TLS 1.3 Client Hello a key "
"exchange group forbidden in TLS 1.3 without "
"advertising support for TLS 1.2"):
yield result
# Check key_share
mismatch = next((i for i in key_share.client_shares
if i.group not in sup_groups.groups), None)
if mismatch:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Client sent key share for "
"group it did not advertise "
"support for: {0}"
.format(GroupName.toStr(mismatch))):
yield result
key_share_ids = [i.group for i in key_share.client_shares]
if len(set(key_share_ids)) != len(key_share_ids):
for result in self._sendError(
AlertDescription.illegal_parameter,
"Client sent multiple key shares for the same "
"group"):
yield result
group_ids = sup_groups.groups
diff = set(group_ids) - set(key_share_ids)
if key_share_ids != [i for i in group_ids if i not in diff]:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Client sent key shares in different order than "
"the advertised groups."):
yield result
sig_algs = clientHello.getExtension(
ExtensionType.signature_algorithms)
if (not psk_modes or not psk) and sig_algs:
key_exchange = "cert"
# psk_dhe_ke
if not key_exchange and psk:
key_exchange = "psk_dhe_ke"
if not key_exchange:
for result in self._sendError(
AlertDescription.missing_extension,
"Missing extension"):
yield result
early_data = clientHello.getExtension(ExtensionType.early_data)
if early_data:
if early_data.extData:
for result in self._sendError(
AlertDescription.decode_error,
"malformed early_data extension"):
yield result
if not psk:
for result in self._sendError(
AlertDescription.illegal_parameter,
"early_data without PSK extension"):
yield result
# if early data comes from version we don't support, client
# MUST (section D.3 draft 28) abort the connection so we
# enable early data tolerance only when versions match
self._recordLayer.max_early_data = settings.max_early_data
self._recordLayer.early_data_ok = True
# negotiate the protocol version for the connection
high_ver = None
if ver_ext:
high_ver = getFirstMatching(settings.versions,
ver_ext.versions)
if not high_ver:
for result in self._sendError(
AlertDescription.protocol_version,
"supported_versions did not include version we "
"support"):
yield result
if high_ver:
# when we selected TLS 1.3, we cannot set the record layer to
# it as well as that also switches it to a mode where the
# content type is encrypted
# use the backwards compatible TLS 1.2 version instead
self.version = min((3, 3), high_ver)
version = high_ver
elif clientHello.client_version > settings.maxVersion:
# in TLS 1.3 the version is negotiatied with extension,
# but the settings use the (3, 4) as the max version
self.version = min(settings.maxVersion, (3, 3))
version = self.version
else:
#Set the version to the client's version
self.version = min(clientHello.client_version, (3, 3))
version = self.version
#Detect if the client performed an inappropriate fallback.
if version < settings.maxVersion and \
CipherSuite.TLS_FALLBACK_SCSV in clientHello.cipher_suites:
for result in self._sendError(
AlertDescription.inappropriate_fallback):
yield result
# TODO when TLS 1.3 is final, check the client hello random for
# downgrade too
# start negotiating the parameters of the connection
sni_ext = clientHello.getExtension(ExtensionType.server_name)
if sni_ext:
name = sni_ext.hostNames[0].decode('ascii', 'strict')
# warn the client if the name didn't match the expected value
if sni and sni != name:
alert = Alert().create(AlertDescription.unrecognized_name,
AlertLevel.warning)
for result in self._sendMsg(alert):
yield result
#Check if there's intersection between supported curves by client and
#server
clientGroups = clientHello.getExtension(ExtensionType.supported_groups)
# in case the client didn't advertise any curves, we can pick any so
# enable ECDHE
ecGroupIntersect = True
# if there is no extension, then enable DHE
ffGroupIntersect = True
if clientGroups is not None:
clientGroups = clientGroups.groups
if not clientGroups:
for result in self._sendError(
AlertDescription.decode_error,
"Received malformed supported_groups extension"):
yield result
serverGroups = self._curveNamesToList(settings, version)
ecGroupIntersect = getFirstMatching(clientGroups, serverGroups)
# RFC 7919 groups
serverGroups = self._groupNamesToList(settings)
ffGroupIntersect = getFirstMatching(clientGroups, serverGroups)
# if there is no overlap, but there are no FFDHE groups listed,
# allow DHE, prohibit otherwise
if not ffGroupIntersect:
if clientGroups and \
any(i for i in clientGroups if i in range(256, 512)):
ffGroupIntersect = False
else:
ffGroupIntersect = True
# Check and save clients heartbeat extension mode
heartbeat_ext = clientHello.getExtension(ExtensionType.heartbeat)
if heartbeat_ext:
if heartbeat_ext.mode == HeartbeatMode.PEER_ALLOWED_TO_SEND:
if settings.heartbeat_response_callback:
self.heartbeat_can_send = True
self.heartbeat_response_callback = settings.\
heartbeat_response_callback
elif heartbeat_ext.mode == HeartbeatMode.PEER_NOT_ALLOWED_TO_SEND:
self.heartbeat_can_send = False
else:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Received invalid value in Heartbeat extension"):
yield result
self.heartbeat_supported = True
self.heartbeat_can_receive = True
size_limit_ext = clientHello.getExtension(
ExtensionType.record_size_limit)
if size_limit_ext:
if size_limit_ext.record_size_limit is None:
for result in self._sendError(
AlertDescription.decode_error,
"Malformed record_size_limit extension"):
yield result
if not 64 <= size_limit_ext.record_size_limit:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Invalid value in record_size_limit extension"):
yield result
if settings.record_size_limit:
# in TLS 1.3 handshake is encrypted so we need to switch
# to sending smaller messages right away
if version >= (3, 4):
# the client can send bigger values because it may
# know protocol versions or extensions we don't know about
# (but we need to still clamp it to protocol limit)
self._send_record_limit = min(
2**14, size_limit_ext.record_size_limit - 1)
# the record layer excludes content type, extension doesn't
# thus the "-1)
self._recv_record_limit = min(2**14,
settings.record_size_limit - 1)
else:
# but in TLS 1.2 and earlier we need to postpone it till
# handling of Finished
self._peer_record_size_limit = min(
2**14, size_limit_ext.record_size_limit)
#Now that the version is known, limit to only the ciphers available to
#that version and client capabilities.
cipherSuites = []
if verifierDB:
if cert_chain:
cipherSuites += \
CipherSuite.getSrpCertSuites(settings, version)
cipherSuites += CipherSuite.getSrpSuites(settings, version)
elif cert_chain:
if ecGroupIntersect or ffGroupIntersect:
cipherSuites += CipherSuite.getTLS13Suites(settings,
version)
if ecGroupIntersect:
cipherSuites += CipherSuite.getEcdsaSuites(settings, version)
cipherSuites += CipherSuite.getEcdheCertSuites(settings,
version)
if ffGroupIntersect:
cipherSuites += CipherSuite.getDheCertSuites(settings,
version)
cipherSuites += CipherSuite.getDheDsaSuites(settings,
version)
cipherSuites += CipherSuite.getCertSuites(settings, version)
elif anon:
cipherSuites += CipherSuite.getAnonSuites(settings, version)
cipherSuites += CipherSuite.getEcdhAnonSuites(settings,
version)
elif settings.pskConfigs:
cipherSuites += CipherSuite.getTLS13Suites(settings,
version)
else:
assert False
cipherSuites = CipherSuite.filterForVersion(cipherSuites,
minVersion=version,
maxVersion=version)
ticket_ext = clientHello.getExtension(ExtensionType.session_ticket)
# If resumption was requested and we have a session cache...
if (clientHello.session_id and sessionCache) or (
ticket_ext and ticket_ext.ticket):
session = None
# Check if the session there is good enough and consistent with
# new Client Hello
try:
if ticket_ext:
session = self._ticket_to_session(settings, ticket_ext)
# client MAY send a random session_id to easily tell
# if the session is resumed, for that server has to
# echo the session_ID back
if session and clientHello.session_id:
session.sessionID = clientHello.session_id
if not session and \
(not ticket_ext or ticket_ext and not ticket_ext.ticket)\
and sessionCache and clientHello.session_id:
# Session ID resumption is allowed only if the client
# didn't send a ticket
session = sessionCache[clientHello.session_id]
if not session:
raise KeyError()
if not session.resumable:
raise AssertionError()
# Check if we are willing to use that old cipher still
if session.cipherSuite not in cipherSuites:
session = None
raise KeyError()
# Check for consistency with ClientHello
# see RFC 5246 section 7.4.1.2, description of
# cipher_suites
if session.cipherSuite not in clientHello.cipher_suites:
for result in self._sendError(
AlertDescription.illegal_parameter):
yield result
if clientHello.srp_username:
if not session.srpUsername or \
clientHello.srp_username != \
bytearray(session.srpUsername, "utf-8"):
for result in self._sendError(
AlertDescription.handshake_failure):
yield result
if clientHello.server_name:
if not session.serverName or \
clientHello.server_name != \
bytearray(session.serverName, "utf-8"):
for result in self._sendError(
AlertDescription.handshake_failure):
yield result
if session.encryptThenMAC and \
not clientHello.getExtension(
ExtensionType.encrypt_then_mac):
for result in self._sendError(
AlertDescription.illegal_parameter):
yield result
# if old session used EMS, new connection MUST use EMS
if session.extendedMasterSecret and \
not clientHello.getExtension(
ExtensionType.extended_master_secret):
# RFC 7627, section 5.2 explicitly requires
# handshake_failure
for result in self._sendError(
AlertDescription.handshake_failure):
yield result
# if old session didn't use EMS but new connection
# advertises EMS, create a new session
elif not session.extendedMasterSecret and \
clientHello.getExtension(
ExtensionType.extended_master_secret):
session = None
except KeyError:
pass
#If a session is found..
if session:
#Send ServerHello
extensions = []
if session.encryptThenMAC:
self._recordLayer.encryptThenMAC = True
etm = TLSExtension().create(ExtensionType.encrypt_then_mac,
bytearray(0))
extensions.append(etm)
if session.extendedMasterSecret:
ems = TLSExtension().create(ExtensionType.
extended_master_secret,
bytearray(0))
extensions.append(ems)
secureRenego = False
renegoExt = clientHello.\
getExtension(ExtensionType.renegotiation_info)
if renegoExt:
if renegoExt.renegotiated_connection:
for result in self._sendError(
AlertDescription.handshake_failure):
yield result
secureRenego = True
elif CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV in \
clientHello.cipher_suites:
secureRenego = True
if secureRenego:
extensions.append(RenegotiationInfoExtension()
.create(bytearray(0)))
selectedALPN = None
if alpn:
alpnExt = clientHello.getExtension(ExtensionType.alpn)
if alpnExt:
for protocolName in alpnExt.protocol_names:
if protocolName in alpn:
ext = ALPNExtension().create([protocolName])
extensions.append(ext)
selectedALPN = protocolName
break
else:
for result in self._sendError(
AlertDescription.no_application_protocol,
"No commonly supported application layer"
"protocol supported"):
yield result
heartbeat_ext = clientHello.getExtension(
ExtensionType.heartbeat)
if heartbeat_ext:
if heartbeat_ext.mode == HeartbeatMode.PEER_ALLOWED_TO_SEND:
self.heartbeat_can_send = True
elif heartbeat_ext.mode == \
HeartbeatMode.PEER_NOT_ALLOWED_TO_SEND:
self.heartbeat_can_send = False
else:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Client sent invalid Heartbeat extension"):
yield result
heartbeat = HeartbeatExtension().create(
HeartbeatMode.PEER_ALLOWED_TO_SEND)
self.heartbeat_can_receive = True
self.heartbeat_supported = True
extensions.append(heartbeat)
record_limit = clientHello.getExtension(
ExtensionType.record_size_limit)
if record_limit and settings.record_size_limit:
extensions.append(RecordSizeLimitExtension().create(
min(2**14, settings.record_size_limit)))
# don't send empty extensions
if not extensions:
extensions = None
serverHello = ServerHello()
serverHello.create(version, getRandomBytes(32),
session.sessionID, session.cipherSuite,
CertificateType.x509, None, None,
extensions=extensions)
for result in self._sendMsg(serverHello):
yield result
#Calculate pending connection states
self._calcPendingStates(session.cipherSuite,
session.masterSecret,
clientHello.random,
serverHello.random,
settings.cipherImplementations)
#Exchange ChangeCipherSpec and Finished messages
for result in self._sendFinished(session.masterSecret,
session.cipherSuite,
settings=settings):
yield result
for result in self._getFinished(session.masterSecret,
session.cipherSuite):
yield result
#Set the session
self.session = session
self._clientRandom = clientHello.random
self._serverRandom = serverHello.random
self.session.appProto = selectedALPN
yield None # Handshake done!
#Calculate the first cipher suite intersection.
#This is the 'privileged' ciphersuite. We'll use it if we're
#doing a new negotiation. In fact,
#the only time we won't use it is if we're resuming a
#session, in which case we use the ciphersuite from the session.
#
#Given the current ciphersuite ordering, this means we prefer SRP
#over non-SRP.
try:
cipherSuite, sig_scheme, cert_chain, private_key = \
self._server_select_certificate(settings, clientHello,
cipherSuites, cert_chain,
private_key, version)
except TLSHandshakeFailure as err:
for result in self._sendError(
AlertDescription.handshake_failure,
str(err)):
yield result
except TLSInsufficientSecurity as err:
for result in self._sendError(
AlertDescription.insufficient_security,
str(err)):
yield result
except TLSIllegalParameterException as err:
for result in self._sendError(
AlertDescription.illegal_parameter,
str(err)):
yield result
#If an RSA suite is chosen, check for certificate type intersection
if (cipherSuite in CipherSuite.certAllSuites or
cipherSuite in CipherSuite.ecdheEcdsaSuites) \
and CertificateType.x509 \
not in clientHello.certificate_types:
for result in self._sendError(\
AlertDescription.handshake_failure,
"the client doesn't support my certificate type"):
yield result
# when we have selected TLS 1.3, check if we don't have to ask for
# a new client hello
if version > (3, 3):
self.version = version
hrr_ext = []
# check if we have good key share
share = clientHello.getExtension(ExtensionType.key_share)
if share:
share_ids = [i.group for i in share.client_shares]
acceptable_ids = [getattr(GroupName, i) for i in
chain(settings.keyShares, settings.eccCurves,
settings.dhGroups)]
for selected_group in acceptable_ids:
if selected_group in share_ids:
cl_key_share = next(i for i in share.client_shares
if i.group == selected_group)
break
else:
# if no key share is acceptable, pick one of the supported
# groups that we support
supported = clientHello.getExtension(ExtensionType
.supported_groups)
supported_ids = supported.groups
selected_group = next((i for i in acceptable_ids
if i in supported_ids), None)
if not selected_group:
for result in self._sendError(AlertDescription
.handshake_failure,
"No acceptable group "
"advertised by client"):
yield result
hrr_ks = HRRKeyShareExtension().create(selected_group)
hrr_ext.append(hrr_ks)
if hrr_ext:
cookie = TLSExtension(extType=ExtensionType.cookie)
cookie = cookie.create(bytearray(b'\x00\x20') +
getRandomBytes(32))
hrr_ext.append(cookie)
if hrr_ext:
clientHello1 = clientHello
# create synthetic handshake hash of the first Client Hello
prf_name, prf_size = self._getPRFParams(cipherSuite)
client_hello_hash = self._handshake_hash.digest(prf_name)
self._handshake_hash = HandshakeHashes()
writer = Writer()
writer.add(HandshakeType.message_hash, 1)
writer.addVarSeq(client_hello_hash, 1, 3)
self._handshake_hash.update(writer.bytes)
# send the version that was really selected
vers = SrvSupportedVersionsExtension().create(version)
hrr_ext.append(vers)
# send the HRR
hrr = ServerHello()
# version is hardcoded in TLS 1.3, and real version
# is sent as extension
hrr.create((3, 3), TLS_1_3_HRR, clientHello.session_id,
cipherSuite, extensions=hrr_ext)
msgs = [hrr]
if clientHello.session_id:
ccs = ChangeCipherSpec().create()
msgs.append(ccs)
for result in self._sendMsgs(msgs):
yield result
self._ccs_sent = True
# copy for calculating PSK binders
self._pre_client_hello_handshake_hash = \
self._handshake_hash.copy()
for result in self._getMsg(ContentType.handshake,
HandshakeType.client_hello):
if result in (0, 1):
yield result
else:
break
clientHello = result
# verify that the new key share is present
ext = clientHello.getExtension(ExtensionType.key_share)
if not ext:
for result in self._sendError(AlertDescription
.missing_extension,
"Key share missing in "
"Client Hello"):
yield result
# here we're assuming that the HRR was sent because of
# missing key share, that may not always be the case
if len(ext.client_shares) != 1:
for result in self._sendError(AlertDescription
.illegal_parameter,
"Multiple key shares in "
"second Client Hello"):
yield result
if ext.client_shares[0].group != selected_group:
for result in self._sendError(AlertDescription
.illegal_parameter,
"Client key share does not "
"match Hello Retry Request"):
yield result
# here we're assuming no 0-RTT and possibly no session
# resumption
# verify that new client hello is like the old client hello
# with the exception of changes requested in HRR
old_ext = clientHello1.getExtension(ExtensionType.key_share)
new_ext = clientHello.getExtension(ExtensionType.key_share)
old_ext.client_shares = new_ext.client_shares
# TODO when 0-RTT supported, remove early_data from old hello
if cookie:
# insert the extension at the same place in the old hello
# as it is in the new hello so that later binary compare
# works
for i, ext in enumerate(clientHello.extensions):
if ext.extType == ExtensionType.cookie:
if ext.extData != cookie.extData:
eType = AlertDescription.illegal_parameter
eText = "Malformed cookie extension"
for result in self._sendError(eType, eText):
yield result
clientHello1.extensions.insert(i, ext)
break
else:
for result in self._sendError(AlertDescription
.missing_extension,
"Second client hello "
"does not contain "
"cookie extension"):
yield result
# also padding extension may change
old_ext = clientHello1.getExtension(
ExtensionType.client_hello_padding)
new_ext = clientHello.getExtension(
ExtensionType.client_hello_padding)
if old_ext != new_ext:
if old_ext is None and new_ext:
for i, ext in enumerate(clientHello.extensions):
if ext.extType == \
ExtensionType.client_hello_padding:
clientHello1.extensions.insert(i, ext)
break
elif old_ext and new_ext is None:
# extension was removed, so remove it here too
clientHello1.extensions[:] = \
(i for i in clientHello1.extensions
if i.extType !=
ExtensionType.client_hello_padding)
else:
old_ext.paddingData = new_ext.paddingData
# PSKs not compatible with cipher suite MAY
# be removed, but must have updated obfuscated ticket age
# and binders
old_ext = clientHello1.getExtension(
ExtensionType.pre_shared_key)
new_ext = clientHello.getExtension(
ExtensionType.pre_shared_key)
if new_ext and old_ext:
clientHello1.extensions[-1] = new_ext
if clientHello.extensions[-1] is not new_ext:
for result in self._sendError(
AlertDescription.illegal_parameter,
"PSK extension not last in client hello"):
yield result
# early_data extension MUST be dropped
old_ext = clientHello1.getExtension(ExtensionType.early_data)
if old_ext:
clientHello1.extensions.remove(old_ext)
if clientHello1 != clientHello:
for result in self._sendError(AlertDescription
.illegal_parameter,
"Old Client Hello does not "
"match the updated Client "
"Hello"):
yield result
# If resumption was not requested, or
# we have no session cache, or
# the client's session_id was not found in cache:
#pylint: disable = undefined-loop-variable
yield (clientHello, version, cipherSuite, sig_scheme, private_key,
cert_chain)
#pylint: enable = undefined-loop-variable
def _serverSRPKeyExchange(self, clientHello, serverHello, verifierDB,
cipherSuite, privateKey, serverCertChain,
settings):
"""Perform the server side of SRP key exchange"""
try:
sigHash, serverCertChain, privateKey = \
self._pickServerKeyExchangeSig(settings, clientHello,
serverCertChain,
privateKey)
except TLSHandshakeFailure as alert:
for result in self._sendError(
AlertDescription.handshake_failure,
str(alert)):
yield result
comp_cert_ext = clientHello.getExtension(
ExtensionType.compress_certificate)
if comp_cert_ext and not comp_cert_ext.algorithms:
for result in self._sendError(
AlertDescription.decode_error,
"Empty algorithm list in compress_certificate extension"):
yield result
keyExchange = SRPKeyExchange(cipherSuite,
clientHello,
serverHello,
privateKey,
verifierDB)
#Create ServerKeyExchange, signing it if necessary
try:
serverKeyExchange = keyExchange.makeServerKeyExchange(sigHash)
except TLSUnknownPSKIdentity:
for result in self._sendError(
AlertDescription.unknown_psk_identity):
yield result
except TLSInsufficientSecurity:
for result in self._sendError(
AlertDescription.insufficient_security):
yield result
#Send ServerHello[, Certificate or Compressed Certificate],
#ServerKeyExchange, ServerHelloDone
msgs = []
msgs.append(serverHello)
if cipherSuite in CipherSuite.srpCertSuites:
certificateMsg = self._create_cert_msg(
"server", clientHello, settings.certificate_compression_send,
serverCertChain, CertificateType.x509)
msgs.append(certificateMsg)
msgs.append(serverKeyExchange)
msgs.append(ServerHelloDone())
for result in self._sendMsgs(msgs):
yield result
#Get and check ClientKeyExchange
for result in self._getMsg(ContentType.handshake,
HandshakeType.client_key_exchange,
cipherSuite):
if result in (0,1): yield result
else: break
try:
premasterSecret = keyExchange.processClientKeyExchange(result)
except TLSIllegalParameterException:
for result in self._sendError(AlertDescription.illegal_parameter,
"Suspicious A value"):
yield result
except TLSDecodeError as alert:
for result in self._sendError(AlertDescription.decode_error,
str(alert)):
yield result
yield premasterSecret, privateKey, serverCertChain
def _server_select_certificate(self, settings, client_hello,
cipher_suites, cert_chain,
private_key, version):
"""
This method makes the decision on which certificate/key pair,
signature algorithm and cipher to use based on the certificate.
"""
last_cert = False
possible_certs = []
# Get client groups
client_groups = client_hello. \
getExtension(ExtensionType.supported_groups)
if client_groups is not None:
client_groups = client_groups.groups
# If client did send signature_algorithms_cert use it,
# otherwise fallback to signature_algorithms.
# Client can also decide not to send sigalg extension
client_sigalgs = \
client_hello. \
getExtension(ExtensionType.signature_algorithms_cert)
if client_sigalgs is not None:
client_sigalgs = \
client_hello. \
getExtension(ExtensionType.signature_algorithms_cert). \
sigalgs
else:
client_sigalgs = \
client_hello. \
getExtension(ExtensionType.signature_algorithms)
if client_sigalgs is not None:
client_sigalgs = \
client_hello. \
getExtension(ExtensionType.signature_algorithms). \
sigalgs
else:
client_sigalgs = []
client_psks = client_hello.getExtension(ExtensionType.pre_shared_key)
# Get all the certificates we can offer
alt_certs = ((X509CertChain(i.certificates), i.key) for vh in
settings.virtual_hosts for i in vh.keys)
certs = [(cert, key)
for cert, key in chain([(cert_chain, private_key)], alt_certs)]
for cert, key in certs:
# Check if this is the last (cert, key) pair we have to check
if (cert, key) == certs[-1]:
last_cert = True
# Mandatory checks. If any one of these checks fail, the certificate
# is not usable.
try:
# Find a suitable ciphersuite based on the certificate
ciphers = CipherSuite.filter_for_certificate(cipher_suites, cert)
# but if we have matching PSKs, prefer those
if settings.pskConfigs and client_psks:
client_identities = [
i.identity for i in client_psks.identities]
psks_prfs = [i[2] if len(i) == 3 else None for i in
settings.pskConfigs if
i[0] in client_identities]
if psks_prfs:
ciphers = CipherSuite.filter_for_prfs(ciphers,
psks_prfs)
for cipher in ciphers:
# select first mutually supported
if cipher in client_hello.cipher_suites:
break
else:
# abort with context-specific alert if client indicated
# support for FFDHE groups
if client_groups and \
any(i in range(256, 512) for i in client_groups) and \
any(i in CipherSuite.dhAllSuites
for i in client_hello.cipher_suites):
raise TLSInsufficientSecurity(
"FFDHE groups not acceptable and no other common "
"ciphers")
raise TLSHandshakeFailure("No mutual ciphersuite")
# Find a signature algorithm based on the certificate
try:
sig_scheme, _, _ = \
self._pickServerKeyExchangeSig(settings,
client_hello,
cert,
key,
version,
False)
except TLSHandshakeFailure:
raise TLSHandshakeFailure(
"No common signature algorithms")
# If the certificate is ECDSA, we must check curve compatibility
if cert and cert.x509List[0].certAlg == 'ecdsa' and \
client_groups and client_sigalgs:
public_key = cert.getEndEntityPublicKey()
curve = public_key.curve_name
for name, aliases in CURVE_ALIASES.items():
if curve in aliases:
curve = getattr(GroupName, name)
break
if version <= (3, 3) and curve not in client_groups:
raise TLSHandshakeFailure(
"The curve in the public key is not "
"supported by the client: {0}" \
.format(GroupName.toRepr(curve)))
if version >= (3, 4):
if GroupName.toRepr(curve) not in \
('secp256r1', 'secp384r1', 'secp521r1',
'brainpoolP256r1', 'brainpoolP384r1',
'brainpoolP512r1'):
raise TLSIllegalParameterException(
"Curve in public key ({0}) is not "
"supported "
"in TLS1.3".format(
GroupName.toRepr(curve)))
# If all mandatory checks passed add
# this as possible certificate we can use.
possible_certs.append((cipher, sig_scheme, cert, key))
except Exception:
if last_cert and not possible_certs:
raise
continue
# Non-mandatory checks, if these fail the certificate is still usable
# but we should try to find one that passes all the checks
# Check if every certificate(except the self-signed root CA)
# in the certificate chain is signed with a signature algorithm
# supported by the client.
if cert:
cert_chain_ok = True
for i in range(len(cert.x509List)):
if cert.x509List[i].issuer != cert.x509List[i].subject:
if cert.x509List[i].sigalg not in client_sigalgs:
cert_chain_ok = False
break
if not cert_chain_ok:
if not last_cert:
continue
break
# If all mandatory and non-mandatory checks passed
# return the (cert, key) pair, cipher and sig_scheme
return cipher, sig_scheme, cert, key
# If we can't find cert that passed all the checks, return the first usable one.
return possible_certs[0]
def _serverCertKeyExchange(self, clientHello, serverHello, sigHashAlg,
serverCertChain, keyExchange,
reqCert, reqCAs, cipherSuite,
settings):
#Send ServerHello, Certificate or Compressed Certificate
#[, ServerKeyExchange] [, CertificateRequest], ServerHelloDone
msgs = []
# If we verify a client cert chain, return it
clientCertChain = None
comp_cert_ext = clientHello.getExtension(
ExtensionType.compress_certificate)
if comp_cert_ext and not comp_cert_ext.algorithms:
for result in self._sendError(
AlertDescription.decode_error,
"Empty algorithm list in compress_certificate "
"extension"):
yield result
msgs.append(serverHello)
chosen_compression_algo = choose_compression_send_algo(
self.version, comp_cert_ext,
settings.certificate_compression_send)
if chosen_compression_algo:
self.server_cert_compression_algo = \
CertificateCompressionAlgorithm.toStr(
chosen_compression_algo)
certificate = CompressedCertificate(CertificateType.x509,
self.version)
certificate.create(chosen_compression_algo, serverCertChain,
bytearray())
else:
certificate = Certificate(CertificateType.x509, self.version)
certificate.create(serverCertChain, bytearray())
msgs.append(certificate)
try:
serverKeyExchange = keyExchange.makeServerKeyExchange(sigHashAlg)
except TLSInternalError as alert:
for result in self._sendError(
AlertDescription.internal_error,
str(alert)):
yield result
except TLSInsufficientSecurity as alert:
for result in self._sendError(
AlertDescription.insufficient_security,
str(alert)):
yield result
except TLSIllegalParameterException as alert:
alert = Alert().create(AlertDescription.illegal_parameter,
AlertLevel.fatal)
for result in self._sendError(alert):
yield result
raise
except TLSDecodeError as alert:
alert = Alert().create(AlertDescription.decode_error,
AlertLevel.fatal)
for result in self._sendError(alert):
yield result
raise
if serverKeyExchange is not None:
msgs.append(serverKeyExchange)
if reqCert:
certificateRequest = CertificateRequest(self.version)
if not reqCAs:
reqCAs = []
cr_settings = settings.validate()
valid_sig_algs = self._sigHashesToList(cr_settings,
version=self.version)
cert_types = []
if cr_settings.rsaSigHashes:
cert_types.append(ClientCertificateType.rsa_sign)
if cr_settings.ecdsaSigHashes or cr_settings.more_sig_schemes:
cert_types.append(ClientCertificateType.ecdsa_sign)
if cr_settings.dsaSigHashes:
cert_types.append(ClientCertificateType.dss_sign)
extensions = []
if self.version >= (3, 4):
algos_numbers = [
getattr(CertificateCompressionAlgorithm, algo) for algo
in cr_settings.certificate_compression_receive
]
extensions.append(CompressedCertificateExtension().create(
algos_numbers))
certificateRequest.create(cert_types,
reqCAs,
valid_sig_algs,
extensions=extensions)
msgs.append(certificateRequest)
msgs.append(ServerHelloDone())
for result in self._sendMsgs(msgs):
yield result
#Get [Certificate,] (if was requested)
if reqCert:
if self.version == (3,0):
for result in self._getMsg((ContentType.handshake,
ContentType.alert),
HandshakeType.certificate,
CertificateType.x509):
if result in (0,1): yield result
else: break
msg = result
if isinstance(msg, Alert):
#If it's not a no_certificate alert, re-raise
alert = msg
if alert.description != \
AlertDescription.no_certificate:
self._shutdown(False)
raise TLSRemoteAlert(alert)
elif isinstance(msg, Certificate):
clientCertificate = msg
if clientCertificate.cert_chain and \
clientCertificate.cert_chain.getNumCerts() != 0:
clientCertChain = clientCertificate.cert_chain
else:
raise AssertionError()
elif self.version in ((3,1), (3,2), (3,3)):
for result in self._getMsg(ContentType.handshake,
HandshakeType.certificate,
CertificateType.x509):
if result in (0,1): yield result
else: break
clientCertificate = result
if clientCertificate.cert_chain and \
clientCertificate.cert_chain.getNumCerts() != 0:
clientCertChain = clientCertificate.cert_chain
else:
raise AssertionError()
#Get ClientKeyExchange
for result in self._getMsg(ContentType.handshake,
HandshakeType.client_key_exchange,
cipherSuite):
if result in (0,1): yield result
else: break
clientKeyExchange = result
#Process ClientKeyExchange
try:
premasterSecret = \
keyExchange.processClientKeyExchange(clientKeyExchange)
except TLSIllegalParameterException as alert:
for result in self._sendError(AlertDescription.illegal_parameter,
str(alert)):
yield result
except TLSDecodeError as alert:
for result in self._sendError(AlertDescription.decode_error,
str(alert)):
yield result
#Get and check CertificateVerify, if relevant
self._certificate_verify_handshake_hash = self._handshake_hash.copy()
if clientCertChain:
for result in self._getMsg(ContentType.handshake,
HandshakeType.certificate_verify):
if result in (0, 1):
yield result
else: break
certificateVerify = result
signatureAlgorithm = None
if self.version == (3, 3):
valid_sig_algs = \
self._sigHashesToList(settings,
certList=clientCertChain,
version=self.version)
if certificateVerify.signatureAlgorithm not in valid_sig_algs:
for result in self._sendError(
AlertDescription.illegal_parameter,
"Invalid signature algorithm in Certificate "
"Verify"):
yield result
signatureAlgorithm = certificateVerify.signatureAlgorithm
if not signatureAlgorithm and \
clientCertChain.x509List[0].certAlg == "ecdsa":
signatureAlgorithm = (HashAlgorithm.sha1,
SignatureAlgorithm.ecdsa)
cvhh = self._certificate_verify_handshake_hash
verify_bytes = KeyExchange.calcVerifyBytes(
self.version,
cvhh,
signatureAlgorithm,
premasterSecret,
clientHello.random,
serverHello.random,
key_type=clientCertChain.x509List[0].certAlg)
for result in self._check_certchain_with_settings(
clientCertChain,
settings):
if result in (0, 1):
yield result
else: break
public_key = result
if signatureAlgorithm and signatureAlgorithm in (
SignatureScheme.ed25519, SignatureScheme.ed448):
hash_name = "intrinsic"
salt_len = None
padding = None
ver_func = public_key.hashAndVerify
elif signatureAlgorithm and \
signatureAlgorithm[1] == SignatureAlgorithm.dsa:
padding = None
hash_name = HashAlgorithm.toRepr(signatureAlgorithm[0])
salt_len = None
ver_func = public_key.verify
elif not signatureAlgorithm or \
signatureAlgorithm[1] != SignatureAlgorithm.ecdsa:
scheme = SignatureScheme.toRepr(signatureAlgorithm)
# for pkcs1 signatures hash is used to add PKCS#1 prefix, but
# that was already done by calcVerifyBytes
hash_name = None
salt_len = 0
if scheme is None:
padding = 'pkcs1'
else:
padding = SignatureScheme.getPadding(scheme)
if padding == 'pss':
hash_name = SignatureScheme.getHash(scheme)
salt_len = getattr(hashlib, hash_name)().digest_size
ver_func = public_key.verify
else:
hash_name = HashAlgorithm.toStr(signatureAlgorithm[0])
verify_bytes = verify_bytes[
:public_key.public_key.curve.baselen]
padding = None
salt_len = None
ver_func = public_key.verify
if not ver_func(certificateVerify.signature,
verify_bytes,
padding,
hash_name,
salt_len):
for result in self._sendError(
AlertDescription.decrypt_error,
"Signature failed to verify"):
yield result
yield (premasterSecret, clientCertChain)
def _serverAnonKeyExchange(self, serverHello, keyExchange, cipherSuite):
# Create ServerKeyExchange
serverKeyExchange = keyExchange.makeServerKeyExchange()
# Send ServerHello[, Certificate], ServerKeyExchange,
# ServerHelloDone
msgs = []
msgs.append(serverHello)
msgs.append(serverKeyExchange)
msgs.append(ServerHelloDone())
for result in self._sendMsgs(msgs):
yield result
# Get and check ClientKeyExchange
for result in self._getMsg(ContentType.handshake,
HandshakeType.client_key_exchange,
cipherSuite):
if result in (0,1):
yield result
else:
break
cke = result
try:
premasterSecret = keyExchange.processClientKeyExchange(cke)
except TLSIllegalParameterException as alert:
for result in self._sendError(AlertDescription.illegal_parameter,
str(alert)):
yield result
except TLSDecodeError as alert:
for result in self._sendError(AlertDescription.decode_error,
str(alert)):
yield result
yield premasterSecret
def _serverFinished(self, premasterSecret, clientRandom, serverRandom,
cipherSuite, cipherImplementations, nextProtos,
settings, send_session_ticket=False,
client_cert_chain=None):
masterSecret = self._calculate_master_secret(premasterSecret,
cipherSuite,
clientRandom,
serverRandom)
self.session.masterSecret = masterSecret
#Calculate pending connection states
self._calcPendingStates(cipherSuite, masterSecret,
clientRandom, serverRandom,
cipherImplementations)
#Exchange ChangeCipherSpec and Finished messages
for result in self._getFinished(masterSecret,
cipherSuite,
expect_next_protocol=nextProtos is not None):
yield result
for result in self._sendFinished(masterSecret, cipherSuite,
settings=settings,
send_session_ticket=send_session_ticket,
client_cert_chain=client_cert_chain):
yield result
#*********************************************************
# Shared Handshake Functions
#*********************************************************
def _sendFinished(self, masterSecret, cipherSuite=None, nextProto=None,
settings=None, send_session_ticket=False, client_cert_chain=None):
if send_session_ticket:
for result in self._serverSendTickets(settings):
yield result
# send the CCS and Finished in single TCP packet
self.sock.buffer_writes = True
#Send ChangeCipherSpec
for result in self._sendMsg(ChangeCipherSpec()):
yield result
#Switch to pending write state
self._changeWriteState()
if self._peer_record_size_limit:
self._send_record_limit = self._peer_record_size_limit
# this is TLS 1.2 and earlier method, so the real limit may be
# lower that what's in the settings
self._recv_record_limit = min(2**14, settings.record_size_limit)
if nextProto is not None:
nextProtoMsg = NextProtocol().create(nextProto)
for result in self._sendMsg(nextProtoMsg):
yield result
#Figure out the correct label to use
if self._client:
label = b"client finished"
else:
label = b"server finished"
#Calculate verification data
verifyData = calc_key(self.version, masterSecret,
cipherSuite, label,
handshake_hashes=self._handshake_hash,
output_length=12)
if self.fault == Fault.badFinished:
verifyData[0] = (verifyData[0]+1)%256
#Send Finished message under new state
finished = Finished(self.version).create(verifyData)
for result in self._sendMsg(finished):
yield result
self.sock.flush()
self.sock.buffer_writes = False
def _getFinished(self, masterSecret, cipherSuite=None,
expect_next_protocol=False, nextProto=None):
expect_ccs_message = True
# If we use SessionTicket resumption on client side, there are multiple
# situations where the server has the option to send new ticket
for result in self._getMsg(
(ContentType.handshake, ContentType.change_cipher_spec),
HandshakeType.new_session_ticket):
if result in (0,1):
yield result
else: break
if isinstance(result, NewSessionTicket1_0):
session_ticket = result
# If we receive new ticket we clear the old ones
del self.tls_1_0_tickets[:]
self.tls_1_0_tickets.append(Ticket(session_ticket.ticket,
session_ticket.ticket_lifetime,
masterSecret, cipherSuite))
else:
assert isinstance(result, ChangeCipherSpec)
expect_ccs_message = False
changeCipherSpec = result
if changeCipherSpec.type != 1:
for result in self._sendError(
AlertDescription.illegal_parameter,
"ChangeCipherSpec type incorrect"):
yield result
if expect_ccs_message:
for result in self._getMsg(ContentType.change_cipher_spec):
if result in (0,1):
yield result
changeCipherSpec = result
if changeCipherSpec.type != 1:
for result in self._sendError(AlertDescription.illegal_parameter,
"ChangeCipherSpec type incorrect"):
yield result
#Switch to pending read state
self._changeReadState()
#Server Finish - Are we waiting for a next protocol echo?
if expect_next_protocol:
for result in self._getMsg(ContentType.handshake, HandshakeType.next_protocol):
if result in (0,1):
yield result
if result is None:
for result in self._sendError(AlertDescription.unexpected_message,
"Didn't get NextProtocol message"):
yield result
self.next_proto = result.next_proto
else:
self.next_proto = None
#Client Finish - Only set the next_protocol selected in the connection
if nextProto:
self.next_proto = nextProto
#Figure out which label to use.
if self._client:
label = b"server finished"
else:
label = b"client finished"
#Calculate verification data
verifyData = calc_key(self.version, masterSecret,
cipherSuite, label,
handshake_hashes=self._handshake_hash,
output_length=12)
#Get and check Finished message under new state
for result in self._getMsg(ContentType.handshake,
HandshakeType.finished):
if result in (0,1):
yield result
finished = result
if finished.verify_data != verifyData:
for result in self._sendError(AlertDescription.decrypt_error,
"Finished message is incorrect"):
yield result
def _handshakeWrapperAsync(self, handshaker, checker):
try:
for result in handshaker:
yield result
if checker:
try:
checker(self)
except TLSAuthenticationError:
alert = Alert().create(AlertDescription.close_notify,
AlertLevel.fatal)
for result in self._sendMsg(alert):
yield result
raise
except GeneratorExit:
raise
except TLSAlert as alert:
if not self.fault:
raise
if alert.description not in Fault.faultAlerts[self.fault]:
raise TLSFaultError(str(alert))
else:
pass
except:
self._shutdown(False)
raise
def _calculate_master_secret(self, premaster_secret, cipher_suite,
client_random, server_random):
if self.extendedMasterSecret:
cvhh = self._certificate_verify_handshake_hash
# in case of resumption or lack of certificate authentication,
# the CVHH won't be initialised, but then it would also be equal
# to regular handshake hash
if not cvhh:
cvhh = self._handshake_hash
secret = calc_key(self.version, premaster_secret,
cipher_suite, b"extended master secret",
handshake_hashes=cvhh,
output_length=48)
else:
secret = calc_key(self.version, premaster_secret,
cipher_suite, b"master secret",
client_random=client_random,
server_random=server_random,
output_length=48)
return secret
@staticmethod
def _pickServerKeyExchangeSig(settings, clientHello, certList=None,
private_key=None,
version=(3, 3), check_alt=True):
"""Pick a hash that matches most closely the supported ones"""
hashAndAlgsExt = clientHello.getExtension(
ExtensionType.signature_algorithms)
if version > (3, 3):
if not hashAndAlgsExt:
# the error checking was done before hand, likely we're
# doing PSK key exchange
return None, certList, private_key
if hashAndAlgsExt is None or hashAndAlgsExt.sigalgs is None:
# RFC 5246 states that if there are no hashes advertised,
# sha1 should be picked
return "sha1", certList, private_key
if check_alt:
alt_certs = ((X509CertChain(i.certificates), i.key) for vh in
settings.virtual_hosts for i in vh.keys)
else:
alt_certs = ()
for certs, key in chain([(certList, private_key)], alt_certs):
supported = TLSConnection._sigHashesToList(settings,
certList=certs,
version=version)
for schemeID in supported:
if schemeID in hashAndAlgsExt.sigalgs:
name = SignatureScheme.toRepr(schemeID)
if not name and schemeID[1] in (SignatureAlgorithm.rsa,
SignatureAlgorithm.ecdsa,
SignatureAlgorithm.dsa):
name = HashAlgorithm.toRepr(schemeID[0])
if name:
return name, certs, key
# if no match, we must abort per RFC 5246
raise TLSHandshakeFailure("No common signature algorithms")
@staticmethod
def _sigHashesToList(settings, privateKey=None, certList=None,
version=(3, 3)):
"""Convert list of valid signature hashes to array of tuples"""
certType = None
publicKey = None
if certList and certList.x509List:
certType = certList.x509List[0].certAlg
publicKey = certList.x509List[0].publicKey
sigAlgs = []
if not certType or certType == "Ed25519" or certType == "Ed448":
for sig_scheme in settings.more_sig_schemes:
if version < (3, 3):
# EdDSA is supported only in TLS 1.2 and 1.3
continue
if certType and sig_scheme != certType:
continue
# the special brainpool sig schemes are TLS 1.3 only
# in TLS 1.2 we use general "ECDSA" sig schemes
if version < (3, 4) and 'brainpool' in sig_scheme:
continue
try:
sigAlgs.append(getattr(SignatureScheme, sig_scheme))
except AttributeError:
sigAlgs.append(
getattr(SignatureScheme, sig_scheme.lower()))
if not certType or certType == "ecdsa":
if version > (3, 3) and publicKey and \
"BRAINPOOL" in publicKey.curve_name:
# brainpool in TLS 1.3 uses special signature schemes
curve = publicKey.curve_name
if curve == "BRAINPOOLP256r1":
sigAlgs.append(
SignatureScheme.ecdsa_brainpoolP256r1tls13_sha256)
elif curve == "BRAINPOOLP384r1":
sigAlgs.append(
SignatureScheme.ecdsa_brainpoolP384r1tls13_sha384)
else:
assert curve == "BRAINPOOLP512r1"
sigAlgs.append(
SignatureScheme.ecdsa_brainpoolP512r1tls13_sha512)
else:
for hashName in settings.ecdsaSigHashes:
# only SHA256, SHA384 and SHA512 are allowed in TLS 1.3
if version > (3, 3) and hashName in ("sha1", "sha224"):
continue
# in TLS 1.3 ECDSA key curve is bound to hash
if publicKey and version > (3, 3):
curve = publicKey.curve_name
matching_hash = TLSConnection._curve_name_to_hash_name(
curve)
if hashName != matching_hash:
continue
sigAlgs.append((getattr(HashAlgorithm, hashName),
SignatureAlgorithm.ecdsa))
if not certType or certType == "dsa":
for hashName in settings.dsaSigHashes:
if version > (3, 3):
continue
sigAlgs.append((getattr(HashAlgorithm, hashName),
SignatureAlgorithm.dsa))
if not certType or certType in ("rsa", "rsa-pss"):
for schemeName in settings.rsaSchemes:
# pkcs#1 v1.5 signatures are not allowed in TLS 1.3
if version > (3, 3) and schemeName == "pkcs1":
continue
for hashName in settings.rsaSigHashes:
# rsa-pss certificates can't be used to make PKCS#1 v1.5
# signatures
if certType == "rsa-pss" and schemeName == "pkcs1":
continue
try:
# 1024 bit keys are too small to create valid
# rsa-pss-SHA512 signatures
if schemeName == 'pss' and hashName == 'sha512'\
and privateKey and privateKey.n < 2**2047:
continue
# advertise support for both rsaEncryption and RSA-PSS OID
# key type
if certType != 'rsa-pss':
sigAlgs.append(getattr(SignatureScheme,
"rsa_{0}_rsae_{1}"
.format(schemeName, hashName)))
if certType != 'rsa':
sigAlgs.append(getattr(SignatureScheme,
"rsa_{0}_pss_{1}"
.format(schemeName, hashName)))
except AttributeError:
if schemeName == 'pkcs1':
sigAlgs.append((getattr(HashAlgorithm, hashName),
SignatureAlgorithm.rsa))
continue
return sigAlgs
@staticmethod
def _curveNamesToList(settings, version=(3, 4)):
"""Convert list of acceptable curves to array identifiers"""
ret = [getattr(GroupName, val) for val in settings.eccCurves]
if (settings.maxVersion < (3, 4) and (3, 4) not in settings.versions)\
or version < (3, 4):
# if we don't support TLS 1.3, filter out KEMs
ret = [i for i in ret if i not in GroupName.allKEM]
return ret
@staticmethod
def _groupNamesToList(settings):
"""Convert list of acceptable ff groups to TLS identifiers."""
return [getattr(GroupName, val) for val in settings.dhGroups]
@staticmethod
def _curve_name_to_hash_name(curve_name):
"""Returns the matching hash for a given curve name, for TLS 1.3
expects the python-ecdsa curve names as parameter
"""
if curve_name == "NIST256p":
return "sha256"
if curve_name == "NIST384p":
return "sha384"
if curve_name == "NIST521p":
return "sha512"
if curve_name == "BRAINPOOLP256r1":
return "sha256"
if curve_name == "BRAINPOOLP384r1":
return "sha384"
if curve_name == "BRAINPOOLP512r1":
return "sha512"
raise TLSIllegalParameterException(
"Curve {0} is not supported in TLS 1.3".format(curve_name))