Add DHE_RSA support to tlslite.

third_party/tlslite/tlslite/handshakesettings.py

Index: third_party/tlslite/tlslite/handshakesettings.py
diff --git a/third_party/tlslite/tlslite/handshakesettings.py b/third_party/tlslite/tlslite/handshakesettings.py
index 7a38ee212d40dadaf215581a96472df676a2f9bb..cf9cbc3f3d1cf600873597e7f1ba7c8dbfcd5578 100644
--- a/third_party/tlslite/tlslite/handshakesettings.py
+++ b/third_party/tlslite/tlslite/handshakesettings.py
@@ -14,6 +14,7 @@ from .utils import cipherfactory
 # issues such as timing attacks

[wtc, 2014/04/02 19:11:29]

Nit: You can make this change in a separate CL to the tlslite upstream.

This comment may need to be updated given the "On the Security of RC4 in TLS and
WPA" attack (http://www.isg.rhul.ac.uk/tls/). I said "may" rather than "should"
because I'm not sure if the CBC implementation in tlslite is constant-time.

[davidben, 2014/04/03 18:45:48]

Heh. Yeah, let's do that separately or so. Though I doubt most of this code is
particularly "production-grade" anyway. If none of the C-based modules are
available, it falls back to pure-Python crypto implementations. For our
purposes, we probably don't actually care.

 CIPHER_NAMES = ["rc4", "aes256", "aes128", "3des"]
 MAC_NAMES = ["sha"] # "md5" is allowed
+KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"]
 CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"]
 CERTIFICATE_TYPES = ["x509"]
 
@@ -102,6 +103,7 @@ class HandshakeSettings(object):
         self.maxKeySize = 8193
         self.cipherNames = CIPHER_NAMES
         self.macNames = MAC_NAMES
+        self.keyExchangeNames = KEY_EXCHANGE_NAMES
         self.cipherImplementations = CIPHER_IMPLEMENTATIONS
         self.certificateTypes = CERTIFICATE_TYPES
         self.minVersion = (3,0)
@@ -116,6 +118,7 @@ class HandshakeSettings(object):
         other.maxKeySize = self.maxKeySize
         other.cipherNames = self.cipherNames
         other.macNames = self.macNames
+        other.keyExchangeNames = self.keyExchangeNames
         other.cipherImplementations = self.cipherImplementations
         other.certificateTypes = self.certificateTypes
         other.minVersion = self.minVersion
@@ -148,6 +151,9 @@ class HandshakeSettings(object):
         for s in other.cipherNames:
             if s not in CIPHER_NAMES:
                 raise ValueError("Unknown cipher name: '%s'" % s)

[wtc, 2014/04/02 19:11:29]

Do you know why the original code doesn't check other.macNames? Seems like an
oversight.

[davidben, 2014/04/03 18:45:48]

Apparently it's because FOOBAR_NAMES doubles as both the default set of names
and all valid ones. And MAC_NAMES has them different. I've tweaked it so the
check actually works.

+        for s in other.keyExchangeNames:
+            if s not in KEY_EXCHANGE_NAMES:
+                raise ValueError("Unknown key exchange name: '%s'" % s)
         for s in other.cipherImplementations:
             if s not in CIPHER_IMPLEMENTATIONS:
                 raise ValueError("Unknown cipher implementation: '%s'" % s)