Update third_party/tlslite to 0.4.8.

third_party/tlslite/tlslite/handshakesettings.py

 # Authors: 
 #   Trevor Perrin
 #   Dave Baggett (Arcode Corporation) - cleanup handling of constants
+#   Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2
 #
 # See the LICENSE file for legal information regarding use of this file.
 
 """Class for setting handshake parameters."""
 
 from .constants import CertificateType
 from .utils import cryptomath
 from .utils import cipherfactory
 
 # RC4 is preferred as faster in Python, works in SSL3, and immune to CBC
 # issues such as timing attacks
 CIPHER_NAMES = ["rc4", "aes256", "aes128", "3des"]
-MAC_NAMES = ["sha"] # Don't allow "md5" by default.
-ALL_MAC_NAMES = ["sha", "md5"]
+MAC_NAMES = ["sha", "sha256"] # Don't allow "md5" by default.
+ALL_MAC_NAMES = ["sha", "sha256", "md5"]
 KEY_EXCHANGE_NAMES = ["rsa", "dhe_rsa", "srp_sha", "srp_sha_rsa", "dh_anon"]
 CIPHER_IMPLEMENTATIONS = ["openssl", "pycrypto", "python"]
 CERTIFICATE_TYPES = ["x509"]
 TLS_INTOLERANCE_TYPES = ["alert", "close", "reset"]
 
 class HandshakeSettings(object):
     """This class encapsulates various parameters that can be used with
     a TLS handshake.
     @sort: minKeySize, maxKeySize, cipherNames, macNames, certificateTypes,
     minVersion, maxVersion
@@ skipping 44 matching lines @@
 
     The only allowed certificate type is 'x509'.  This list is only used with a
     client handshake.  The client will advertise to the server which certificate
     types are supported, and will check that the server uses one of the
     appropriate types.
 
 
     @type minVersion: tuple
     @ivar minVersion: The minimum allowed SSL/TLS version.
 
-    This variable can be set to (3,0) for SSL 3.0, (3,1) for
-    TLS 1.0, or (3,2) for TLS 1.1.  If the other party wishes to
-    use a lower version, a protocol_version alert will be signalled.
-    The default is (3,0).
+    This variable can be set to (3,0) for SSL 3.0, (3,1) for TLS 1.0, (3,2) for
+    TLS 1.1, or (3,3) for TLS 1.2.  If the other party wishes to use a lower
+    version, a protocol_version alert will be signalled.  The default is (3,1).
 
     @type maxVersion: tuple
     @ivar maxVersion: The maximum allowed SSL/TLS version.
 
-    This variable can be set to (3,0) for SSL 3.0, (3,1) for
-    TLS 1.0, or (3,2) for TLS 1.1.  If the other party wishes to
-    use a higher version, a protocol_version alert will be signalled.
-    The default is (3,2).  (WARNING: Some servers may (improperly)
-    reject clients which offer support for TLS 1.1.  In this case,
-    try lowering maxVersion to (3,1)).
+    This variable can be set to (3,0) for SSL 3.0, (3,1) for TLS 1.0, (3,2) for
+    TLS 1.1, or (3,3) for TLS 1.2.  If the other party wishes to use a higher
+    version, a protocol_version alert will be signalled.  The default is (3,3).
+    (WARNING: Some servers may (improperly) reject clients which offer support
+    for TLS 1.1.  In this case, try lowering maxVersion to (3,1)).
 
     @type tlsIntolerant: tuple
     @ivar tlsIntolerant: The TLS ClientHello version which the server
     simulates intolerance of.
 
     If tlsIntolerant is not None, the server will simulate TLS version
     intolerance by aborting the handshake in response to all TLS versions
     tlsIntolerant or higher.
 
     @type tlsIntoleranceType: str
@@ skipping 10 matching lines @@
     TLS Extension number, so should NOT be used in production software.
     """
     def __init__(self):
         self.minKeySize = 1023
         self.maxKeySize = 8193
         self.cipherNames = CIPHER_NAMES
         self.macNames = MAC_NAMES
         self.keyExchangeNames = KEY_EXCHANGE_NAMES
         self.cipherImplementations = CIPHER_IMPLEMENTATIONS
         self.certificateTypes = CERTIFICATE_TYPES
-        self.minVersion = (3,0)
-        self.maxVersion = (3,2)
+        self.minVersion = (3,1)
+        self.maxVersion = (3,3)
         self.tlsIntolerant = None
         self.tlsIntoleranceType = 'alert'
         self.useExperimentalTackExtension = False
 
     # Validates the min/max fields, and certificateTypes
     # Filters out unsupported cipherNames and cipherImplementations
     def _filter(self):
         other = HandshakeSettings()
         other.minKeySize = self.minKeySize
         other.maxKeySize = self.maxKeySize
@@ skipping 47 matching lines @@
             if s not in CERTIFICATE_TYPES:
                 raise ValueError("Unknown certificate type: '%s'" % s)
 
         if other.tlsIntoleranceType not in TLS_INTOLERANCE_TYPES:
             raise ValueError(
                 "Unknown TLS intolerance type: '%s'" % other.tlsIntoleranceType)
 
         if other.minVersion > other.maxVersion:
             raise ValueError("Versions set incorrectly")
 
-        if not other.minVersion in ((3,0), (3,1), (3,2)):
+        if not other.minVersion in ((3,0), (3,1), (3,2), (3,3)):
             raise ValueError("minVersion set incorrectly")
 
-        if not other.maxVersion in ((3,0), (3,1), (3,2)):
+        if not other.maxVersion in ((3,0), (3,1), (3,2), (3,3)):
             raise ValueError("maxVersion set incorrectly")
 
+        if other.maxVersion < (3,3):
+            # No sha256 pre TLS 1.2
+            other.macNames = [e for e in self.macNames if e != "sha256"]
+
         return other
 
     def _getCertificateTypes(self):
         l = []
         for ct in self.certificateTypes:
             if ct == "x509":
                 l.append(CertificateType.x509)
             else:
                 raise AssertionError()
         return l