authorAlex Gaynor <alex.gaynor@gmail.com>2016-12-13 21:05:35 -0500
committerPaul Kehrer <paul.l.kehrer@gmail.com>2016-12-13 20:05:35 -0600
commit0e8cdf1023f6e2045de444b1c7e09f40cccf019e (patch)
treeeb6241baa5c66447c988a5c45fed7f0cb77b8022 /src/cryptography
parent874445aea9e2d07a94444855ccfeaa3082de26a9 (diff)
Drop 1.0.0 (#3312)
* delete the 1.0.0 support * drop the version check * drop the AES-CTR stuff * Update the example * openssl truncates for us now * delete unused test * unused imports * Remove a bunch of conditional bindings for NPN * no more 1.0.0 builders * libressl fix * update the docs * remove dead branches * oops * this is a word, damnit * spelling * try removing this * this test is not needed * unused import
Diffstat (limited to 'src/cryptography')
-rw-r--r--src/cryptography/hazmat/backends/openssl/backend.py68
-rw-r--r--src/cryptography/hazmat/backends/openssl/ciphers.py35
-rw-r--r--src/cryptography/hazmat/backends/openssl/dsa.py28
-rw-r--r--src/cryptography/hazmat/backends/openssl/ec.py39
-rw-r--r--src/cryptography/hazmat/backends/openssl/rsa.py47
-rw-r--r--src/cryptography/hazmat/backends/openssl/utils.py21
-rw-r--r--src/cryptography/hazmat/bindings/openssl/_conditional.py19
-rw-r--r--src/cryptography/hazmat/bindings/openssl/binding.py21
8 files changed, 25 insertions, 253 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 71063c19..d2a9e6c9 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -21,9 +21,7 @@ from cryptography.hazmat.backends.interfaces import (
EllipticCurveBackend, HMACBackend, HashBackend, PBKDF2HMACBackend,
PEMSerializationBackend, RSABackend, ScryptBackend, X509Backend
)
-from cryptography.hazmat.backends.openssl.ciphers import (
- _AESCTRCipherContext, _CipherContext
-)
+from cryptography.hazmat.backends.openssl.ciphers import _CipherContext
from cryptography.hazmat.backends.openssl.cmac import _CMACContext
from cryptography.hazmat.backends.openssl.dh import (
_DHParameters, _DHPrivateKey, _DHPublicKey
@@ -233,12 +231,7 @@ class Backend(object):
return _HashContext(self, algorithm)
def cipher_supported(self, cipher, mode):
- if self._evp_cipher_supported(cipher, mode):
- return True
- elif isinstance(mode, CTR) and isinstance(cipher, AES):
- return True
- else:
- return False
+ return self._evp_cipher_supported(cipher, mode)
def _evp_cipher_supported(self, cipher, mode):
try:
@@ -307,22 +300,10 @@ class Backend(object):
)
def create_symmetric_encryption_ctx(self, cipher, mode):
- if (isinstance(mode, CTR) and isinstance(cipher, AES) and
- not self._evp_cipher_supported(cipher, mode)):
- # This is needed to provide support for AES CTR mode in OpenSSL
- # 1.0.0. It can be removed when we drop 1.0.0 support (RHEL 6.4).
- return _AESCTRCipherContext(self, cipher, mode)
- else:
- return _CipherContext(self, cipher, mode, _CipherContext._ENCRYPT)
+ return _CipherContext(self, cipher, mode, _CipherContext._ENCRYPT)
def create_symmetric_decryption_ctx(self, cipher, mode):
- if (isinstance(mode, CTR) and isinstance(cipher, AES) and
- not self._evp_cipher_supported(cipher, mode)):
- # This is needed to provide support for AES CTR mode in OpenSSL
- # 1.0.0. It can be removed when we drop 1.0.0 support (RHEL 6.4).
- return _AESCTRCipherContext(self, cipher, mode)
- else:
- return _CipherContext(self, cipher, mode, _CipherContext._DECRYPT)
+ return _CipherContext(self, cipher, mode, _CipherContext._DECRYPT)
def pbkdf2_hmac_supported(self, algorithm):
return self.hmac_supported(algorithm)
@@ -606,10 +587,7 @@ class Backend(object):
return isinstance(algorithm, hashes.SHA1)
def _pss_mgf1_hash_supported(self, algorithm):
- if self._lib.Cryptography_HAS_MGF1_MD:
- return self.hash_supported(algorithm)
- else:
- return isinstance(algorithm, hashes.SHA1)
+ return self.hash_supported(algorithm)
def rsa_padding_supported(self, padding):
if isinstance(padding, PKCS1v15):
@@ -737,18 +715,6 @@ class Backend(object):
if not isinstance(algorithm, hashes.HashAlgorithm):
raise TypeError('Algorithm must be a registered hash algorithm.')
- if self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
- if isinstance(private_key, _DSAPrivateKey):
- raise NotImplementedError(
- "Certificate signing requests aren't implemented for DSA"
- " keys on OpenSSL versions less than 1.0.1."
- )
- if isinstance(private_key, _EllipticCurvePrivateKey):
- raise NotImplementedError(
- "Certificate signing requests aren't implemented for EC"
- " keys on OpenSSL versions less than 1.0.1."
- )
-
# Resolve the signature algorithm.
evp_md = self._lib.EVP_get_digestbyname(
algorithm.name.encode('ascii')
@@ -815,18 +781,6 @@ class Backend(object):
if not isinstance(algorithm, hashes.HashAlgorithm):
raise TypeError('Algorithm must be a registered hash algorithm.')
- if self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
- if isinstance(private_key, _DSAPrivateKey):
- raise NotImplementedError(
- "Certificate signatures aren't implemented for DSA"
- " keys on OpenSSL versions less than 1.0.1."
- )
- if isinstance(private_key, _EllipticCurvePrivateKey):
- raise NotImplementedError(
- "Certificate signatures aren't implemented for EC"
- " keys on OpenSSL versions less than 1.0.1."
- )
-
# Resolve the signature algorithm.
evp_md = self._lib.EVP_get_digestbyname(
algorithm.name.encode('ascii')
@@ -920,18 +874,6 @@ class Backend(object):
if not isinstance(algorithm, hashes.HashAlgorithm):
raise TypeError('Algorithm must be a registered hash algorithm.')
- if self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
- if isinstance(private_key, _DSAPrivateKey):
- raise NotImplementedError(
- "CRL signatures aren't implemented for DSA"
- " keys on OpenSSL versions less than 1.0.1."
- )
- if isinstance(private_key, _EllipticCurvePrivateKey):
- raise NotImplementedError(
- "CRL signatures aren't implemented for EC"
- " keys on OpenSSL versions less than 1.0.1."
- )
-
evp_md = self._lib.EVP_get_digestbyname(
algorithm.name.encode('ascii')
)
diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
index bd5dfb31..898b3497 100644
--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -167,38 +167,3 @@ class _CipherContext(object):
self._backend.openssl_assert(res != 0)
tag = utils.read_only_property("_tag")
-
-
-@utils.register_interface(ciphers.CipherContext)
-class _AESCTRCipherContext(object):
- """
- This is needed to provide support for AES CTR mode in OpenSSL 1.0.0. It can
- be removed when we drop 1.0.0 support (RHEL 6.4 is the only thing that
- ships it).
- """
- def __init__(self, backend, cipher, mode):
- self._backend = backend
-
- self._key = self._backend._ffi.new("AES_KEY *")
- res = self._backend._lib.AES_set_encrypt_key(
- cipher.key, len(cipher.key) * 8, self._key
- )
- self._backend.openssl_assert(res == 0)
- self._ecount = self._backend._ffi.new("unsigned char[]", 16)
- self._nonce = self._backend._ffi.new("unsigned char[16]", mode.nonce)
- self._num = self._backend._ffi.new("unsigned int *", 0)
-
- def update(self, data):
- buf = self._backend._ffi.new("unsigned char[]", len(data))
- self._backend._lib.AES_ctr128_encrypt(
- data, buf, len(data), self._key, self._nonce,
- self._ecount, self._num
- )
- return self._backend._ffi.buffer(buf)[:]
-
- def finalize(self):
- self._key = None
- self._ecount = None
- self._nonce = None
- self._num = None
- return b""
diff --git a/src/cryptography/hazmat/backends/openssl/dsa.py b/src/cryptography/hazmat/backends/openssl/dsa.py
index e82c043d..e2ed3dfd 100644
--- a/src/cryptography/hazmat/backends/openssl/dsa.py
+++ b/src/cryptography/hazmat/backends/openssl/dsa.py
@@ -7,7 +7,7 @@ from __future__ import absolute_import, division, print_function
from cryptography import utils
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends.openssl.utils import (
- _calculate_digest_and_algorithm, _truncate_digest
+ _calculate_digest_and_algorithm
)
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import (
@@ -15,24 +15,6 @@ from cryptography.hazmat.primitives.asymmetric import (
)
-def _truncate_digest_for_dsa(dsa_cdata, digest, backend):
- """
- This function truncates digests that are longer than a given DS
- key's length so they can be signed. OpenSSL does this for us in
- 1.0.0c+, leaving us with three releases (1.0.0, 1.0.0a, and 1.0.0b) where
- this is a problem.
- """
-
- q = backend._ffi.new("BIGNUM **")
- backend._lib.DSA_get0_pqg(
- dsa_cdata, backend._ffi.NULL, q, backend._ffi.NULL
- )
- backend.openssl_assert(q[0] != backend._ffi.NULL)
-
- order_bits = backend._lib.BN_num_bits(q[0])
- return _truncate_digest(digest, order_bits)
-
-
def _dsa_sig_sign(backend, private_key, data):
sig_buf_len = backend._lib.DSA_size(private_key._dsa_cdata)
sig_buf = backend._ffi.new("unsigned char[]", sig_buf_len)
@@ -77,9 +59,6 @@ class _DSAVerificationContext(object):
def verify(self):
data_to_verify = self._hash_ctx.finalize()
- data_to_verify = _truncate_digest_for_dsa(
- self._public_key._dsa_cdata, data_to_verify, self._backend
- )
_dsa_sig_verify(
self._backend, self._public_key, self._signature, data_to_verify
)
@@ -98,9 +77,6 @@ class _DSASignatureContext(object):
def finalize(self):
data_to_sign = self._hash_ctx.finalize()
- data_to_sign = _truncate_digest_for_dsa(
- self._private_key._dsa_cdata, data_to_sign, self._backend
- )
return _dsa_sig_sign(self._backend, self._private_key, data_to_sign)
@@ -212,7 +188,6 @@ class _DSAPrivateKey(object):
data, algorithm = _calculate_digest_and_algorithm(
self._backend, data, algorithm
)
- data = _truncate_digest_for_dsa(self._dsa_cdata, data, self._backend)
return _dsa_sig_sign(self._backend, self, data)
@@ -286,5 +261,4 @@ class _DSAPublicKey(object):
data, algorithm = _calculate_digest_and_algorithm(
self._backend, data, algorithm
)
- data = _truncate_digest_for_dsa(self._dsa_cdata, data, self._backend)
return _dsa_sig_verify(self._backend, self, signature, data)
diff --git a/src/cryptography/hazmat/backends/openssl/ec.py b/src/cryptography/hazmat/backends/openssl/ec.py
index 5969f2a3..f2b52492 100644
--- a/src/cryptography/hazmat/backends/openssl/ec.py
+++ b/src/cryptography/hazmat/backends/openssl/ec.py
@@ -9,7 +9,7 @@ from cryptography.exceptions import (
InvalidSignature, UnsupportedAlgorithm, _Reasons
)
from cryptography.hazmat.backends.openssl.utils import (
- _calculate_digest_and_algorithm, _truncate_digest
+ _calculate_digest_and_algorithm
)
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import (
@@ -17,31 +17,6 @@ from cryptography.hazmat.primitives.asymmetric import (
)
-def _truncate_digest_for_ecdsa(ec_key_cdata, digest, backend):
- """
- This function truncates digests that are longer than a given elliptic
- curve key's length so they can be signed. Since elliptic curve keys are
- much shorter than RSA keys many digests (e.g. SHA-512) may require
- truncation.
- """
-
- _lib = backend._lib
- _ffi = backend._ffi
-
- group = _lib.EC_KEY_get0_group(ec_key_cdata)
-
- with backend._tmp_bn_ctx() as bn_ctx:
- order = _lib.BN_CTX_get(bn_ctx)
- backend.openssl_assert(order != _ffi.NULL)
-
- res = _lib.EC_GROUP_get_order(group, order, bn_ctx)
- backend.openssl_assert(res == 1)
-
- order_bits = _lib.BN_num_bits(order)
-
- return _truncate_digest(digest, order_bits)
-
-
def _check_signature_algorithm(signature_algorithm):
if not isinstance(signature_algorithm, ec.ECDSA):
raise UnsupportedAlgorithm(
@@ -127,9 +102,6 @@ class _ECDSASignatureContext(object):
def finalize(self):
digest = self._digest.finalize()
- digest = _truncate_digest_for_ecdsa(
- self._private_key._ec_key, digest, self._backend
- )
return _ecdsa_sig_sign(self._backend, self._private_key, digest)
@@ -146,9 +118,6 @@ class _ECDSAVerificationContext(object):
def verify(self):
digest = self._digest.finalize()
- digest = _truncate_digest_for_ecdsa(
- self._public_key._ec_key, digest, self._backend
- )
return _ecdsa_sig_verify(
self._backend, self._public_key, self._signature, digest
)
@@ -247,9 +216,6 @@ class _EllipticCurvePrivateKey(object):
data, algorithm = _calculate_digest_and_algorithm(
self._backend, data, signature_algorithm._algorithm
)
- data = _truncate_digest_for_ecdsa(
- self._ec_key, data, self._backend
- )
return _ecdsa_sig_sign(self._backend, self, data)
@@ -317,7 +283,4 @@ class _EllipticCurvePublicKey(object):
data, algorithm = _calculate_digest_and_algorithm(
self._backend, data, signature_algorithm._algorithm
)
- data = _truncate_digest_for_ecdsa(
- self._ec_key, data, self._backend
- )
return _ecdsa_sig_verify(self._backend, self, signature, data)
diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
index 8996d884..0a375721 100644
--- a/src/cryptography/hazmat/backends/openssl/rsa.py
+++ b/src/cryptography/hazmat/backends/openssl/rsa.py
@@ -164,13 +164,6 @@ def _rsa_sig_determine_padding(backend, key, padding, algorithm):
raise ValueError("Digest too large for key size. Use a larger "
"key or different digest.")
- if not backend._pss_mgf1_hash_supported(padding._mgf._algorithm):
- raise UnsupportedAlgorithm(
- "When OpenSSL is older than 1.0.1 then only SHA1 is "
- "supported with MGF1.",
- _Reasons.UNSUPPORTED_HASH
- )
-
padding_enum = backend._lib.RSA_PKCS1_PSS_PADDING
else:
raise UnsupportedAlgorithm(
@@ -212,17 +205,15 @@ def _rsa_sig_sign(backend, padding, padding_enum, algorithm, private_key,
)
backend.openssl_assert(res > 0)
- if backend._lib.Cryptography_HAS_MGF1_MD:
- # MGF1 MD is configurable in OpenSSL 1.0.1+
- mgf1_md = backend._lib.EVP_get_digestbyname(
- padding._mgf._algorithm.name.encode("ascii"))
- backend.openssl_assert(
- mgf1_md != backend._ffi.NULL
- )
- res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md(
- pkey_ctx, mgf1_md
- )
- backend.openssl_assert(res > 0)
+ mgf1_md = backend._lib.EVP_get_digestbyname(
+ padding._mgf._algorithm.name.encode("ascii"))
+ backend.openssl_assert(
+ mgf1_md != backend._ffi.NULL
+ )
+ res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md(
+ pkey_ctx, mgf1_md
+ )
+ backend.openssl_assert(res > 0)
buflen = backend._ffi.new("size_t *")
res = backend._lib.EVP_PKEY_sign(
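Review bot: An MGF1 hash that OpenSSL cannot resolve is now caught only by `backend.openssl_assert(mgf1_md != backend._ffi.NULL)` in the added lines, because this commit also deletes the `_pss_mgf1_hash_supported` guard from `_rsa_sig_determine_padding`. The caller would presumably see an internal assertion failure rather than `UnsupportedAlgorithm`. Since `_pss_mgf1_hash_supported` now delegates to `hash_supported`, the guard is still meaningful and could stay with a version-neutral message, e.g. `if not backend._pss_mgf1_hash_supported(padding._mgf._algorithm): raise UnsupportedAlgorithm("MGF1 hash algorithm is not supported by this backend.", _Reasons.UNSUPPORTED_HASH)`. The same applies to the identical block added in `_rsa_sig_verify`. Both function bodies start and end outside their hunks, so an earlier check not visible here may already cover this.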
@@ -284,17 +275,15 @@ def _rsa_sig_verify(backend, padding, padding_enum, algorithm, public_key,
)
)
backend.openssl_assert(res > 0)
- if backend._lib.Cryptography_HAS_MGF1_MD:
- # MGF1 MD is configurable in OpenSSL 1.0.1+
- mgf1_md = backend._lib.EVP_get_digestbyname(
- padding._mgf._algorithm.name.encode("ascii"))
- backend.openssl_assert(
- mgf1_md != backend._ffi.NULL
- )
- res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md(
- pkey_ctx, mgf1_md
- )
- backend.openssl_assert(res > 0)
+ mgf1_md = backend._lib.EVP_get_digestbyname(
+ padding._mgf._algorithm.name.encode("ascii"))
+ backend.openssl_assert(
+ mgf1_md != backend._ffi.NULL
+ )
+ res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md(
+ pkey_ctx, mgf1_md
+ )
+ backend.openssl_assert(res > 0)
res = backend._lib.EVP_PKEY_verify(
pkey_ctx,
diff --git a/src/cryptography/hazmat/backends/openssl/utils.py b/src/cryptography/hazmat/backends/openssl/utils.py
index c88e3189..e8b4a307 100644
--- a/src/cryptography/hazmat/backends/openssl/utils.py
+++ b/src/cryptography/hazmat/backends/openssl/utils.py
@@ -4,31 +4,10 @@
from __future__ import absolute_import, division, print_function
-import six
-
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.utils import Prehashed
-def _truncate_digest(digest, order_bits):
- digest_len = len(digest)
-
- if 8 * digest_len > order_bits:
- digest_len = (order_bits + 7) // 8
- digest = digest[:digest_len]
-
- if 8 * digest_len > order_bits:
- rshift = 8 - (order_bits & 0x7)
- assert 0 < rshift < 8
-
- mask = 0xFF >> rshift << rshift
-
- # Set the bottom rshift bits to 0
- digest = digest[:-1] + six.int2byte(six.indexbytes(digest, -1) & mask)
-
- return digest
-
-
def _calculate_digest_and_algorithm(backend, data, algorithm):
if not isinstance(algorithm, Prehashed):
hash_ctx = hashes.Hash(algorithm, backend)
diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py
index d1cebd8e..46c32d14 100644
--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
@@ -133,9 +133,6 @@ CONDITIONAL_NAMES = {
"POINT_CONVERSION_COMPRESSED",
"POINT_CONVERSION_UNCOMPRESSED",
"POINT_CONVERSION_HYBRID",
- ],
-
- "Cryptography_HAS_EC_1_0_1": [
"EC_KEY_get_flags",
"EC_KEY_set_flags",
"EC_KEY_clear_flags",
@@ -195,9 +192,6 @@ CONDITIONAL_NAMES = {
"RAND_egd_bytes",
"RAND_query_egd_bytes",
],
- "Cryptography_HAS_MGF1_MD": [
- "EVP_PKEY_CTX_set_rsa_mgf1_md",
- ],
"Cryptography_HAS_RSA_OAEP_MD": [
"EVP_PKEY_CTX_set_rsa_oaep_md",
],
@@ -241,13 +235,6 @@ CONDITIONAL_NAMES = {
"DTLSv1_method",
],
- "Cryptography_HAS_NEXTPROTONEG": [
- "SSL_CTX_set_next_protos_advertised_cb",
- "SSL_CTX_set_next_proto_select_cb",
- "SSL_select_next_proto",
- "SSL_get0_next_proto_negotiated",
- ],
-
"Cryptography_HAS_ALPN": [
"SSL_CTX_set_alpn_protos",
"SSL_set_alpn_protos",
@@ -296,9 +283,6 @@ CONDITIONAL_NAMES = {
"SSL_CTX_set_cert_cb",
"SSL_set_cert_cb",
],
- "Cryptography_HAS_AES_CTR128_ENCRYPT": [
- "AES_ctr128_encrypt",
- ],
"Cryptography_HAS_SSL_ST": [
"SSL_ST_BEFORE",
"SSL_ST_OK",
@@ -319,7 +303,4 @@ CONDITIONAL_NAMES = {
"Cryptography_HAS_SCRYPT": [
"EVP_PBE_scrypt",
],
- "Cryptography_HAS_NPN_NEGOTIATED": [
- "OPENSSL_NPN_NEGOTIATED",
- ],
}
diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
index 39750abc..b6617543 100644
--- a/src/cryptography/hazmat/bindings/openssl/binding.py
+++ b/src/cryptography/hazmat/bindings/openssl/binding.py
@@ -5,10 +5,8 @@
from __future__ import absolute_import, division, print_function
import collections
-import os
import threading
import types
-import warnings
from cryptography.exceptions import InternalError
from cryptography.hazmat.bindings._openssl import ffi, lib
@@ -148,28 +146,9 @@ class Binding(object):
_openssl_assert(cls.lib, res == 1)
-def _verify_openssl_version(version):
- if version < 0x10001000:
- if os.environ.get("CRYPTOGRAPHY_ALLOW_OPENSSL_100"):
- warnings.warn(
- "OpenSSL version 1.0.0 is no longer supported by the OpenSSL "
- "project, please upgrade. The next version of cryptography "
- "will completely remove support for it.",
- DeprecationWarning
- )
- else:
- raise RuntimeError(
- "You are linking against OpenSSL 1.0.0, which is no longer "
- "support by the OpenSSL project. You need to upgrade to a "
- "newer version of OpenSSL."
- )
-
-
# OpenSSL is not thread safe until the locks are initialized. We call this
# method in module scope so that it executes with the import lock. On
# Pythons < 3.4 this import lock is a global lock, which can prevent a race
# condition registering the OpenSSL locks. On Python 3.4+ the import lock
# is per module so this approach will not work.
Binding.init_static_locks()
-
-_verify_openssl_version(Binding.lib.SSLeay())