Merge branch 'master' into idea-bespoke-vectors

* master: (246 commits)
  Fixed python3 incompatibility
  Removed dependency on setuptools for version check
  don't need to move these definitions
  conditional NIDs for 0.9.8e
  x509 changes for 0.9.8e support
  more changes for 0.9.8e support, this time in the ssl.h headers
  macro switches in evp for 0.9.8e
  bind some error constants conditionally for 0.9.8e support
  BIO macro switch for 0.9.8e support
  move some nids
  conditionally bind AES_wrap/unwrap for 0.9.8e support
  Add GPG key fingerprint for lvh
  change comparison to be easier to read
  ridiculous workaround time
  whoops
  Missing imports
  Convert stuff
  Add binding for DSA_new
  Fix drop in coverage levels by removing branches
  Added check to turn of CC backend for OS X version < 10.8
  ...

Conflicts:
	docs/development/test-vectors.rst

3 files changed, 224 insertions, 0 deletions

diff --git a/tests/hazmat/primitives/twofactor/__init__.py b/tests/hazmat/primitives/twofactor/__init__.py
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/tests/hazmat/primitives/twofactor/__init__.py
diff --git a/tests/hazmat/primitives/twofactor/test_hotp.py b/tests/hazmat/primitives/twofactor/test_hotp.py
new file mode 100644
index 00000000..0f8c4a53
--- /dev/null
+++ b/tests/hazmat/primitives/twofactor/test_hotp.py
@@ -0,0 +1,95 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+
+import pytest
+
+from cryptography.exceptions import InvalidToken
+from cryptography.hazmat.primitives.twofactor.hotp import HOTP
+from cryptography.hazmat.primitives import hashes
+from tests.utils import load_vectors_from_file, load_nist_vectors
+from cryptography.hazmat.primitives.hashes import MD5, SHA1
+
+vectors = load_vectors_from_file(
+    "twofactor/rfc-4226.txt", load_nist_vectors)
+
+
+@pytest.mark.supported(
+    only_if=lambda backend: backend.hmac_supported(hashes.SHA1()),
+    skip_message="Does not support HMAC-SHA1."
+)
+@pytest.mark.hmac
+class TestHOTP(object):
+    def test_invalid_key_length(self, backend):
+        secret = os.urandom(10)
+
+        with pytest.raises(ValueError):
+            HOTP(secret, 6, SHA1(), backend)
+
+    def test_invalid_hotp_length(self, backend):
+        secret = os.urandom(16)
+
+        with pytest.raises(ValueError):
+            HOTP(secret, 4, SHA1(), backend)
+
+    def test_invalid_algorithm(self, backend):
+        secret = os.urandom(16)
+
+        with pytest.raises(TypeError):
+            HOTP(secret, 6, MD5(), backend)
+
+    @pytest.mark.parametrize("params", vectors)
+    def test_truncate(self, backend, params):
+        secret = params["secret"]
+        counter = int(params["counter"])
+        truncated = params["truncated"]
+
+        hotp = HOTP(secret, 6, SHA1(), backend)
+
+        assert hotp._dynamic_truncate(counter) == int(truncated.decode(), 16)
+
+    @pytest.mark.parametrize("params", vectors)
+    def test_generate(self, backend, params):
+        secret = params["secret"]
+        counter = int(params["counter"])
+        hotp_value = params["hotp"]
+
+        hotp = HOTP(secret, 6, SHA1(), backend)
+
+        assert hotp.generate(counter) == hotp_value
+
+    @pytest.mark.parametrize("params", vectors)
+    def test_verify(self, backend, params):
+        secret = params["secret"]
+        counter = int(params["counter"])
+        hotp_value = params["hotp"]
+
+        hotp = HOTP(secret, 6, SHA1(), backend)
+
+        assert hotp.verify(hotp_value, counter) is None
+
+    def test_invalid_verify(self, backend):
+        secret = b"12345678901234567890"
+        counter = 0
+
+        hotp = HOTP(secret, 6, SHA1(), backend)
+
+        with pytest.raises(InvalidToken):
+            hotp.verify(b"123456", counter)
+
+    def test_length_not_int(self, backend):
+        secret = b"12345678901234567890"
+
+        with pytest.raises(TypeError):
+            HOTP(secret, b"foo", SHA1(), backend)
diff --git a/tests/hazmat/primitives/twofactor/test_totp.py b/tests/hazmat/primitives/twofactor/test_totp.py
new file mode 100644
index 00000000..a4a108bc
--- /dev/null
+++ b/tests/hazmat/primitives/twofactor/test_totp.py
@@ -0,0 +1,129 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import pytest
+
+from cryptography.exceptions import InvalidToken
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.twofactor.totp import TOTP
+from tests.utils import load_vectors_from_file, load_nist_vectors
+
+vectors = load_vectors_from_file(
+    "twofactor/rfc-6238.txt", load_nist_vectors)
+
+
+@pytest.mark.hmac
+class TestTOTP(object):
+    @pytest.mark.supported(
+        only_if=lambda backend: backend.hmac_supported(hashes.SHA1()),
+        skip_message="Does not support HMAC-SHA1."
+    )
+    @pytest.mark.parametrize(
+        "params", [i for i in vectors if i["mode"] == b"SHA1"])
+    def test_generate_sha1(self, backend, params):
+        secret = params["secret"]
+        time = int(params["time"])
+        totp_value = params["totp"]
+
+        totp = TOTP(secret, 8, hashes.SHA1(), 30, backend)
+        assert totp.generate(time) == totp_value
+
+    @pytest.mark.supported(
+        only_if=lambda backend: backend.hmac_supported(hashes.SHA256()),
+        skip_message="Does not support HMAC-SHA256."
+    )
+    @pytest.mark.parametrize(
+        "params", [i for i in vectors if i["mode"] == b"SHA256"])
+    def test_generate_sha256(self, backend, params):
+        secret = params["secret"]
+        time = int(params["time"])
+        totp_value = params["totp"]
+
+        totp = TOTP(secret, 8, hashes.SHA256(), 30, backend)
+        assert totp.generate(time) == totp_value
+
+    @pytest.mark.supported(
+        only_if=lambda backend: backend.hmac_supported(hashes.SHA512()),
+        skip_message="Does not support HMAC-SHA512."
+    )
+    @pytest.mark.parametrize(
+        "params", [i for i in vectors if i["mode"] == b"SHA512"])
+    def test_generate_sha512(self, backend, params):
+        secret = params["secret"]
+        time = int(params["time"])
+        totp_value = params["totp"]
+
+        totp = TOTP(secret, 8, hashes.SHA512(), 30, backend)
+        assert totp.generate(time) == totp_value
+
+    @pytest.mark.supported(
+        only_if=lambda backend: backend.hmac_supported(hashes.SHA1()),
+        skip_message="Does not support HMAC-SHA1."
+    )
+    @pytest.mark.parametrize(
+        "params", [i for i in vectors if i["mode"] == b"SHA1"])
+    def test_verify_sha1(self, backend, params):
+        secret = params["secret"]
+        time = int(params["time"])
+        totp_value = params["totp"]
+
+        totp = TOTP(secret, 8, hashes.SHA1(), 30, backend)
+
+        assert totp.verify(totp_value, time) is None
+
+    @pytest.mark.supported(
+        only_if=lambda backend: backend.hmac_supported(hashes.SHA256()),
+        skip_message="Does not support HMAC-SHA256."
+    )
+    @pytest.mark.parametrize(
+        "params", [i for i in vectors if i["mode"] == b"SHA256"])
+    def test_verify_sha256(self, backend, params):
+        secret = params["secret"]
+        time = int(params["time"])
+        totp_value = params["totp"]
+
+        totp = TOTP(secret, 8, hashes.SHA256(), 30, backend)
+
+        assert totp.verify(totp_value, time) is None
+
+    @pytest.mark.supported(
+        only_if=lambda backend: backend.hmac_supported(hashes.SHA512()),
+        skip_message="Does not support HMAC-SHA512."
+    )
+    @pytest.mark.parametrize(
+        "params", [i for i in vectors if i["mode"] == b"SHA512"])
+    def test_verify_sha512(self, backend, params):
+        secret = params["secret"]
+        time = int(params["time"])
+        totp_value = params["totp"]
+
+        totp = TOTP(secret, 8, hashes.SHA512(), 30, backend)
+
+        assert totp.verify(totp_value, time) is None
+
+    def test_invalid_verify(self, backend):
+        secret = b"12345678901234567890"
+        time = 59
+
+        totp = TOTP(secret, 8, hashes.SHA1(), 30, backend)
+
+        with pytest.raises(InvalidToken):
+            totp.verify(b"12345678", time)
+
+    def test_floating_point_time_generate(self, backend):
+        secret = b"12345678901234567890"
+        time = 59.1
+
+        totp = TOTP(secret, 8, hashes.SHA1(), 30, backend)
+
+        assert totp.generate(time) == b"94287082"