-rw-r--r--docs/development/test-vectors.rst6
-rw-r--r--docs/hazmat/backends/interfaces.rst85
-rw-r--r--src/cryptography/hazmat/backends/interfaces.py52
-rw-r--r--src/cryptography/hazmat/bindings/openssl/ssl.py31
-rw-r--r--vectors/cryptography_vectors/asymmetric/DH/RFC5114.txt44
5 files changed, 218 insertions, 0 deletions
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index f239db98..69f54d3a 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -78,6 +78,12 @@ Custom Asymmetric Vectors
``asymmetric/public/PKCS1/rsa.pub.der`` are PKCS1 conversions of the public
key from ``asymmetric/PKCS8/unenc-rsa-pkcs8.pem`` using PEM and DER encoding.
+Key exchange
+~~~~~~~~~~~~
+
+* ``vectors/cryptography_vectors/asymmetric/DH/RFC5114.txt`` contains
+ Diffie-Hellman examples from appendix A.1, A.2 and A.3 of :rfc:`5114`.
+
X.509
~~~~~
diff --git a/docs/hazmat/backends/interfaces.rst b/docs/hazmat/backends/interfaces.rst
index 8866cf71..4da0d753 100644
--- a/docs/hazmat/backends/interfaces.rst
+++ b/docs/hazmat/backends/interfaces.rst
@@ -518,3 +518,88 @@ A specific ``backend`` may provide one or more of these interfaces.
:returns: An instance of
:class:`~cryptography.x509.CertificateSigningRequest`.
+
+
+.. class:: DHBackend
+
+ .. versionadded:: 0.9
+
+ A backend with methods for doing Diffie-Hellman key exchange.
+
+ .. method:: generate_dh_parameters(key_size)
+
+ :param int key_size: The bit length of the prime modulus to generate.
+
+ :return: A new instance of a
+ :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters`
+ provider.
+
+ :raises ValueError: If ``key_size`` is not at least 512.
+
+ .. method:: generate_dh_private_key(parameters)
+
+ :param parameters: A
+ :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters`
+ provider.
+
+ :return: A new instance of a
+ :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`
+ provider.
+
+ .. method:: generate_dh_private_key_and_parameters(self, key_size)
+
+ :param int key_size: The bit length of the prime modulus to generate.
+
+ :return: A new instance of a
+ :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`
+ provider.
+
+ :raises ValueError: If ``key_size`` is not at least 512.
+
+ .. method:: load_dh_private_numbers(numbers)
+
+ :param numbers: A
+ :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateNumbers`
+ instance.
+
+ :return: A new instance of a
+ :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey`
+ provider.
+
+ :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
+ when any backend specific criteria are not met.
+
+ .. method:: load_dh_public_numbers(numbers)
+
+ :param numbers: A
+ :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicNumbers`
+ instance.
+
+ :return: A new instance of a
+ :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHPublicKey`
+ provider.
+
+ :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
+ when any backend specific criteria are not met.
+
+ .. method:: load_dh_parameter_numbers(numbers)
+
+ :param numbers: A
+ :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameterNumbers`
+ instance.
+
+ :return: A new instance of a
+ :class:`~cryptography.hazmat.primitives.asymmetric.dh.DHParameters`
+ provider.
+
+ :raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
+ when any backend specific criteria are not met.
+
+ .. method:: dh_parameters_supported(p, g)
+
+ :param int p: The p value of the DH key.
+
+ :param int g: The g value of the DH key.
+
+ :returns: ``True`` if the given values of ``p`` and ``g`` are supported
+ by this backend, otherwise ``False``.
diff --git a/src/cryptography/hazmat/backends/interfaces.py b/src/cryptography/hazmat/backends/interfaces.py
index 5224f5c7..eca7ddf4 100644
--- a/src/cryptography/hazmat/backends/interfaces.py
+++ b/src/cryptography/hazmat/backends/interfaces.py
@@ -273,3 +273,55 @@ class X509Backend(object):
"""
Load an X.509 CSR from PEM encoded data.
"""
+
+
+@six.add_metaclass(abc.ABCMeta)
+class DHBackend(object):
+ @abc.abstractmethod
+ def generate_dh_parameters(self, key_size):
+ """
+ Generate a DHParameters instance with a modulus of key_size bits.
+ """
+
+ @abc.abstractmethod
+ def generate_dh_private_key(self, parameters):
+ """
+ Generate a DHPrivateKey instance with parameters as a DHParameters
+ object.
+ """
+
+ @abc.abstractmethod
+ def generate_dh_private_key_and_parameters(self, key_size):
+ """
+ Generate a DHPrivateKey instance using key size only.
+ """
+
+ @abc.abstractmethod
+ def load_dh_private_numbers(self, numbers):
+ """
+ Returns a DHPrivateKey provider.
+ """
+
+ @abc.abstractmethod
+ def load_dh_public_numbers(self, numbers):
+ """
+ Returns a DHPublicKey provider.
+ """
+
+ @abc.abstractmethod
+ def load_dh_parameter_numbers(self, numbers):
+ """
+ Returns a DHParameters provider.
+ """
+
+ @abc.abstractmethod
+ def dh_exchange_algorithm_supported(self, exchange_algorithm):
+ """
+ Returns whether the exchange algorithm is supported by this backend.
+ """
+
+ @abc.abstractmethod
+ def dh_parameters_supported(self, p, g):
+ """
+ Returns whether the backend supports DH with these parameter values.
+ """
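Review bot: `dh_exchange_algorithm_supported(self, exchange_algorithm)` is declared abstract here but has no entry in the `DHBackend` section this commit adds to docs/hazmat/backends/interfaces.rst, and its docstring does not say what kind of object `exchange_algorithm` is, so a backend author cannot tell what to implement. The docstrings on `generate_dh_parameters` and the three `load_dh_*_numbers` methods also drop the `ValueError` and `UnsupportedAlgorithm` contracts that the rst states; each should carry a line such as `Raises UnsupportedAlgorithm when backend specific criteria are not met.` For `load_dh_public_numbers` I would also state whether the backend is expected to range-check the supplied public value against `p`, since that value presumably arrives from the peer in an exchange. Separately, the rst entry `generate_dh_private_key_and_parameters(self, key_size)` has a stray `self` that the other entries do not.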
diff --git a/src/cryptography/hazmat/bindings/openssl/ssl.py b/src/cryptography/hazmat/bindings/openssl/ssl.py
index 6161a9d1..b182180f 100644
--- a/src/cryptography/hazmat/bindings/openssl/ssl.py
+++ b/src/cryptography/hazmat/bindings/openssl/ssl.py
@@ -20,6 +20,8 @@ static const long Cryptography_HAS_TLSv1_1;
static const long Cryptography_HAS_TLSv1_2;
static const long Cryptography_HAS_SECURE_RENEGOTIATION;
static const long Cryptography_HAS_COMPRESSION;
+static const long Cryptography_HAS_TLSEXT_STATUS_REQ_CB;
+static const long Cryptography_HAS_STATUS_REQ_OCSP_RESP;
/* Internally invented symbol to tell us if SNI is supported */
static const long Cryptography_HAS_TLSEXT_HOSTNAME;
@@ -304,6 +306,7 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *);
long SSL_CTX_get_timeout(const SSL_CTX *);
const SSL_CIPHER *SSL_get_current_cipher(const SSL *);
+const char *SSL_get_version(const SSL *);
int SSL_version(const SSL *);
/* SNI APIs were introduced in OpenSSL 1.0.0. To continue to support
@@ -315,6 +318,12 @@ void SSL_CTX_set_tlsext_servername_callback(
SSL_CTX *,
int (*)(const SSL *, int *, void *));
+/* These were added in OpenSSL 0.9.8h, but since version testing in OpenSSL
+ is fraught with peril thanks to OS distributions we check some constants
+ to determine if they are supported or not */
+long SSL_set_tlsext_status_ocsp_resp(SSL *, unsigned char *, int);
+long SSL_CTX_set_tlsext_status_cb(SSL_CTX *, int(*)(SSL *, void *));
+
long SSL_session_reused(SSL *);
/* The following were macros in 0.9.8e. Once we drop support for RHEL/CentOS 5
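Review bot: The declaration `long SSL_set_tlsext_status_ocsp_resp(SSL *, unsigned char *, int);` carries no comment on buffer ownership, and this is the binding where it matters. OpenSSL keeps the pointer it is given and frees it itself when the SSL object is released, so a caller that passes a cffi-managed buffer risks memory being freed by the wrong allocator or freed twice. I would add a comment above it such as `/* The response buffer must come from OPENSSL_malloc; OpenSSL takes ownership and frees it. */`. The hunk also binds `SSL_CTX_set_tlsext_status_cb` without `SSL_CTX_set_tlsext_status_arg`, so as far as this diff shows the callback's `void *` argument cannot be set from Python.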
@@ -410,6 +419,20 @@ void (*SSL_CTX_set_tlsext_servername_callback)(
int (*)(const SSL *, int *, void *)) = NULL;
#endif
+#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
+static const long Cryptography_HAS_TLSEXT_STATUS_REQ_CB = 1;
+#else
+static const long Cryptography_HAS_TLSEXT_STATUS_REQ_CB = 0;
+long (*SSL_CTX_set_tlsext_status_cb)(SSL_CTX *, int(*)(SSL *, void *)) = NULL;
+#endif
+
+#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP
+static const long Cryptography_HAS_STATUS_REQ_OCSP_RESP = 1;
+#else
+static const long Cryptography_HAS_STATUS_REQ_OCSP_RESP = 0;
+long (*SSL_set_tlsext_status_ocsp_resp)(SSL *, unsigned char *, int) = NULL;
+#endif
+
#ifdef SSL_MODE_RELEASE_BUFFERS
static const long Cryptography_HAS_RELEASE_BUFFERS = 1;
#else
@@ -588,6 +611,14 @@ CONDITIONAL_NAMES = {
"SSL_CTX_set_tlsext_servername_callback",
],
+ "Cryptography_HAS_TLSEXT_STATUS_REQ_CB": [
+ "SSL_CTX_set_tlsext_status_cb",
+ ],
+
+ "Cryptography_HAS_STATUS_REQ_OCSP_RESP": [
+ "SSL_set_tlsext_status_ocsp_resp",
+ ],
+
"Cryptography_HAS_RELEASE_BUFFERS": [
"SSL_MODE_RELEASE_BUFFERS",
],
diff --git a/vectors/cryptography_vectors/asymmetric/DH/RFC5114.txt b/vectors/cryptography_vectors/asymmetric/DH/RFC5114.txt
new file mode 100644
index 00000000..bb8e238f
--- /dev/null
+++ b/vectors/cryptography_vectors/asymmetric/DH/RFC5114.txt
@@ -0,0 +1,44 @@
+[A.1. 1024-bit MODP Group with 160-bit Prime Order Subgroup]
+P = B10B8F96A080E01DDE92DE5EAE5D54EC52C99FBCFB06A3C69A6A9DCA52D23B616073E28675A23D189838EF1E2EE652C013ECB4AEA906112324975C3CD49B83BFACCBDD7D90C4BD7098488E9C219A73724EFFD6FAE5644738FAA31A4FF55BCCC0A151AF5F0DC8B4BD45BF37DF365C1A65E68CFDA76D4DA708DF1FB2BC2E4A4371
+Q = F518AA8781A8DF278ABA4E7D64B7CB9D49462353
+G = A4D1CBD5C3FD34126765A442EFB99905F8104DD258AC507FD6406CFF14266D31266FEA1E5C41564B777E690F5504F213160217B4B01B886A5E91547F9E2749F4D7FBD7D3B9A92EE1909D0D2263F80A76A6A24C087A091F531DBF0A0169B6A28AD662A4D18E73AFA32D779D5918D08BC8858F4DCEF97C2A24855E6EEB22B3B2E5
+
+XstatCAVS = B9A3B3AE8FEFC1A2930496507086F8455D48943E
+YstatCAVS = 2A853B3D92197501B9015B2DEB3ED84F5E021DCC3E52F109D3273D2B7521281CBABE0E76FF5727FA8ACCE26956BA9A1FCA26F20228D8693FEB10841D84A7360054ECE5A7F5B7A61AD3DFB3C60D2E43106D8727DA37DF9CCE95B478755D06BCEA8F9D45965F75A5F3D1DF3701165FC9E50C4279CEB07F989540AE96D5D88ED776
+
+XstatIUT = 9392C9F9EB6A7A6A9022F7D83E7223C6835BBDDA
+YstatIUT = 717A6CB053371FF4A3B932941C1E5663F861A1D6AD34AE66576DFB98F6C6CBF9DDD5A56C7833F6BCFDFF095582AD868E440E8D09FD769E3CECCDC3D3B1E4CFA057776CAAF9739B6A9FEE8E7411F8D6DAC09D6A4EDB46CC2B5D5203090EAE6126311E53FD2C14B574E6A3109A3DA1BE41BDCEAA186F5CE06716A2B6A07B3C33FE
+
+Z = 5C804F454D30D9C4DF85271F93528C91DF6B48AB5F80B3B59CAAC1B28F8ACBA9CD3E39F3CB614525D9521D2E644C53B807B810F340062F257D7D6FBFE8D5E8F072E9B6E9AFDA9413EAFB2E8B0699B1FB5A0CACEDDEAEAD7E9CFBB36AE2B420835BD83A19FB0B5E96BF8FA4D09E345525167ECD9155416F46F408ED31B63C6E6D
+
+Result = P (0 - Correct)
+
+[A.2.2048-bitMODPGroupwith224-bitPrimeOrderSubgroup]
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
+Q = 801C0D34C58D93FE997177101F80535A4738CEBCBF389A99B36371EB
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
+
+XstatCAVS = 22E62601DBFFD06708A680F747F361F76D8F4F721A0548E483294B0C
+Ystat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
+
+XstatIUT = 4FF3BC96C7FC6A6D71D3B363800A7CDFEF6FC41B4417EA15353B7590
+Ystat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
+
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
+
+Result = P (0 - Correct)
+
+[A.3. 2048-bit MODP Group with 256-bit Prime Order Subgroup]
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
+Q = 8CF83642A709A097B447997640129DA299B1A47D1EB3750BA308B0FE64F5FBD3
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
+
+XstatCAVS = 0881382CDB87660C6DC13E614938D5B9C8B2F248581CC5E31B35454397FCE50E
+Ystat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
+
+XstatIUT = 7D62A7E3EF36DE617B13D1AFB82C780D83A23BD4EE6705645121F371F546A53D
+Ystat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
+
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
+
+Result = P (0 - Correct)
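Review bot: The A.2 section header reads `[A.2.2048-bitMODPGroupwith224-bitPrimeOrderSubgroup]` with its spaces lost, while A.1 and A.3 are written as `[A.1. 1024-bit MODP Group with ...]`; it should be `[A.2. 2048-bit MODP Group with 224-bit Prime Order Subgroup]` so that a loader or a reader matching on section names treats all three the same. All three visible cases end in `Result = P (0 - Correct)`, so the file exercises only successful agreement. If the DH tests are meant to cover rejection of bad public values, those vectors will have to come from elsewhere.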