Add DHE_RSA support to tlslite.

third_party/tlslite/tlslite/handshakesettings.py

 # Authors: 
 #   Trevor Perrin
 #   Dave Baggett (Arcode Corporation) - cleanup handling of constants
 #
 # See the LICENSE file for legal information regarding use of this file.
 
 """Class for setting handshake parameters."""
 
 from .constants import CertificateType
 from .utils import cryptomath
 from .utils import cipherfactory
 
 # RC4 is preferred as faster in Python, works in SSL3, and immune to CBC
 # issues such as timing attacks
 CIPHER_NAMES = ["rc4", "aes256", "aes128", "3des"]
 MAC_NAMES = ["sha"] # "md5" is allowed
+KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"]
 CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"]
 CERTIFICATE_TYPES = ["x509"]
 
 class HandshakeSettings(object):
     """This class encapsulates various parameters that can be used with
     a TLS handshake.
     @sort: minKeySize, maxKeySize, cipherNames, macNames, certificateTypes,
     minVersion, maxVersion
 
     @type minKeySize: int
@@ skipping 66 matching lines @@
     
     @type useExperimentalTackExtension: bool
     @ivar useExperimentalTackExtension: Whether to enabled TACK support.
     
     Note that TACK support is not standardized by IETF and uses a temporary
     TLS Extension number, so should NOT be used in production software.
     """
     def __init__(self):
         self.minKeySize = 1023
         self.maxKeySize = 8193
+        self.keyExchangeNames = KEY_EXCHANGE_NAMES

[wtc, 2014/04/01 22:00:01]

Nit: list the self.keyExchangeNames assignment after the self.macNames
assignment, to match the order of lines 15-17, unless there is a better reason
to assign self.keyExchangeNames first.

This comment also applies to the two changes below in this file.

[davidben, 2014/04/01 23:25:18]

Done.

         self.cipherNames = CIPHER_NAMES
         self.macNames = MAC_NAMES
         self.cipherImplementations = CIPHER_IMPLEMENTATIONS
         self.certificateTypes = CERTIFICATE_TYPES
         self.minVersion = (3,0)
         self.maxVersion = (3,2)
         self.useExperimentalTackExtension = False
 
     # Validates the min/max fields, and certificateTypes
     # Filters out unsupported cipherNames and cipherImplementations
     def _filter(self):
         other = HandshakeSettings()
         other.minKeySize = self.minKeySize
         other.maxKeySize = self.maxKeySize
+        other.keyExchangeNames = self.keyExchangeNames
         other.cipherNames = self.cipherNames
         other.macNames = self.macNames
         other.cipherImplementations = self.cipherImplementations
         other.certificateTypes = self.certificateTypes
         other.minVersion = self.minVersion
         other.maxVersion = self.maxVersion
 
         if not cipherfactory.tripleDESPresent:
             other.cipherNames = [e for e in self.cipherNames if e != "3des"]
         if len(other.cipherNames)==0:
@@ skipping 11 matching lines @@
             raise ValueError("No supported cipher implementations")
 
         if other.minKeySize<512:
             raise ValueError("minKeySize too small")
         if other.minKeySize>16384:
             raise ValueError("minKeySize too large")
         if other.maxKeySize<512:
             raise ValueError("maxKeySize too small")
         if other.maxKeySize>16384:
             raise ValueError("maxKeySize too large")
+        for s in other.keyExchangeNames:
+            if s not in KEY_EXCHANGE_NAMES:
+                raise ValueError("Unknown key exchange name: '%s'" % s)
         for s in other.cipherNames:
             if s not in CIPHER_NAMES:
                 raise ValueError("Unknown cipher name: '%s'" % s)
         for s in other.cipherImplementations:
             if s not in CIPHER_IMPLEMENTATIONS:
                 raise ValueError("Unknown cipher implementation: '%s'" % s)
         for s in other.certificateTypes:
             if s not in CERTIFICATE_TYPES:
                 raise ValueError("Unknown certificate type: '%s'" % s)
 
         if other.minVersion > other.maxVersion:
             raise ValueError("Versions set incorrectly")
 
         if not other.minVersion in ((3,0), (3,1), (3,2)):
             raise ValueError("minVersion set incorrectly")
 
         if not other.maxVersion in ((3,0), (3,1), (3,2)):
             raise ValueError("maxVersion set incorrectly")
 
         return other
 
     def _getCertificateTypes(self):
         l = []
         for ct in self.certificateTypes:
             if ct == "x509":
                 l.append(CertificateType.x509)
             else:
                 raise AssertionError()
         return l