Client side support for ECDSA ciphersuites

tlsfuzzer · Oct 24, 2017 · 6f2a74f · 6f2a74f
1 parent 2019573
commit 6f2a74f
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 2 deletions.
diff --git a/tlslite/constants.py b/tlslite/constants.py
@@ -994,6 +994,8 @@ def _filterSuites(suites, settings, version=None):
             keyExchangeSuites += CipherSuite.dheCertSuites
         if "ecdhe_rsa" in keyExchangeNames:
             keyExchangeSuites += CipherSuite.ecdheCertSuites
+        if "ecdhe_ecdsa" in keyExchangeNames:
+            keyExchangeSuites += CipherSuite.ecdheEcdsaSuites
         if "srp_sha" in keyExchangeNames:
             keyExchangeSuites += CipherSuite.srpSuites
         if "srp_sha_rsa" in keyExchangeNames:
@@ -1112,6 +1114,12 @@ def getEcdheCertSuites(cls, settings, version=None):
     ecdheEcdsaSuites.append(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA)
     ecdheEcdsaSuites.append(TLS_ECDHE_ECDSA_WITH_NULL_SHA)
 
+    @classmethod
+    def getEcdsaSuites(cls, settings, version=None):
+        """Provide ECDSA authenticated ciphersuites matching settings"""
+        return cls._filterSuites(CipherSuite.ecdheEcdsaSuites,
+                                 settings, version)
+
     #: anon FFDHE key exchange
     anonSuites = []
     anonSuites.append(TLS_DH_ANON_WITH_AES_256_GCM_SHA384)

diff --git a/tlslite/handshakesettings.py b/tlslite/handshakesettings.py
@@ -20,7 +20,7 @@
                                    "rc4", "null"]
 MAC_NAMES = ["sha", "sha256", "sha384", "aead"] # Don't allow "md5" by default.
 ALL_MAC_NAMES = MAC_NAMES + ["md5"]
-KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "ecdhe_rsa", "srp_sha", "srp_sha_rsa",
+KEY_EXCHANGE_NAMES = ["ecdhe_ecdsa", "rsa", "dhe_rsa", "ecdhe_rsa", "srp_sha", "srp_sha_rsa",
                       "ecdh_anon", "dh_anon"]
 CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"]
 CERTIFICATE_TYPES = ["x509"]

diff --git a/tlslite/tlsconnection.py b/tlslite/tlsconnection.py
@@ -602,6 +602,7 @@ def _clientSendClientHello(self, settings, session, srpUsername,
         if srpParams:
             cipherSuites += CipherSuite.getSrpAllSuites(settings)
         elif certParams:
+            cipherSuites += CipherSuite.getEcdsaSuites(settings)
             cipherSuites += CipherSuite.getEcdheCertSuites(settings)
             cipherSuites += CipherSuite.getDheCertSuites(settings)
             cipherSuites += CipherSuite.getCertSuites(settings)
@@ -842,7 +843,8 @@ def _clientKeyExchange(self, settings, cipherSuite,
                            keyExchange):
         """Perform the client side of key exchange"""
         # if server chose cipher suite with authentication, get the certificate
-        if cipherSuite in CipherSuite.certAllSuites:
+        if cipherSuite in CipherSuite.certAllSuites or \
+                cipherSuite in CipherSuite.ecdheEcdsaSuites:
             for result in self._getMsg(ContentType.handshake,
                                        HandshakeType.certificate,
                                        certificateType):
@@ -2271,6 +2273,11 @@ def _sigHashesToList(settings, privateKey=None, certList=None):
             certType = certList.x509List[0].certAlg
 
         sigAlgs = []
+
+        for hashName in settings.ecdsaSigHashes:
+            sigAlgs.append((getattr(HashAlgorithm, hashName),
+                            SignatureAlgorithm.ecdsa))
+
         for schemeName in settings.rsaSchemes:
             for hashName in settings.rsaSigHashes:
                 # rsa-pss certificates can't be used to make PKCS#1 v1.5