Add fancier ECDHE support

[amluto]

This is based on #9, but it adds more curve definitions and ELLIPTIC_CURVE_DESCRIPTIONS. The latter lists curves that are actually supported on the system's OpenSSL.

[amluto]

This depends on pyca/cryptography#738

[amluto]

The cryptography dependency has been merged.

[amluto]

Looks like Travis CI needs to be asked to try again once cryptography makes a release.

[hynek]

dict comprehension are Python 2.7+. Try dict((key, value) for (key, value) in sequence) instead.

[amluto]

I updated the branch.

[reaperhulk]

@amluto, we're considering not adding any more NID bindings to cryptography and instead asking users to use OBJ_sn2nid to obtain the NID mappings. This decision won't affect this PR since we already landed the expanded NIDs you require, but would come up if you decided to support the brainpool curves present in OpenSSL 1.0.2. @hynek asked me to drop a comment here to get your thoughts on this, but to avoid polluting this PR feel free to comment over on pyca/cryptography#778

[amluto]

I didn't know about OBJ_sn2nid and OBJ_nid2sn. Let me adjust the branch to use strings instead of numbers -- I like that better.

[amluto]

I updated the pull request. I renamed the function, since it no longer uses a "curve name" (which, in OpenSSL parlance, is a number, not really a name).

[lvh]

This is only still failing because cryptography hasn't made a release yet, right?

[oberstet]

This works for me (PyPy 2.2.1, cryptography 3.0-dev1, OpenSSL 1.0.1e).
Anything missing to get it merged?

Other than adjusting setup.py:

install_requires=["cryptography>=0.3", "six>=1.5.2"],

[lvh]

I think that version of cryptography has to be actually released before we can merge this :) Specifically we can't merge things with red buildbots ;)

[lvh]

I've just merged the updated Travis configuration that will test this against cryptography master, so I will now re-run the build.

[oberstet]

awesome! I'd love to retire a bunch of hacks and take this into production ..

[lvh]

Likewise, although in Twisted trunk you should actually already get ECDHE (with nistp256 only though) even without this branch.

[oberstet]

Seems like crypography 0.2.2 is still missing

AttributeError: 'FFILibrary' object has no attribute 'EC_get_builtin_curves'

[lvh]

Yes. I can't figure out how to convince Travis to build against cryptography master. I've asked in their IRC channel. It may be necessary for @amluto to merge master back into his branch.

[lvh]

Yeah. Heard back from the Travis CI people. @amluto: could you please merge pyca/pyopenssl master back into your branch? That way we can at least see if it works on the buildbots with cryptography master :)

[oberstet]

@lvh I have merged master and @amluto 's ecdeh branch into https://github.com/oberstet/pyopenssl/tree/ecdhe

Will that work for Travis testing?

[lvh]

Only if you submit it as a PR.

[oberstet]

done: #71

[lvh]

So, recap from the #71 experiment: everything works with everything as trunk; we need cryptography 0.3 to be released and to depend on it in master, and then have master merged into this branch.

[alex]

We've done a release now.

[lvh]

I've made reffed PR to require that new release, once someone (presumably @exarkun) merges it and after that @amluto merges master back into this branch, we can get Travis to run the tests (which almost certainly will pass), and then we can finally get this to land :-)

[oberstet]

Awesome. If @amluto is busy with other stuff: why can't we just merge master onto amluto's branch plus the updated require on another branch (as I did 10 days ago for prelimiary testing) ourselves? In the end, this is Git .. version history is preserved. Why would @amluto be required to perform these mechanical acts?

[lvh]

There's no reason. Since @hynek thought the branch that needed the new cryptography should add the requirement, I'll make a new PR.

[lvh]

Closing in favor of #82.

[amluto]

See #89, and feel free to close it if you merge into here.