aboutsummaryrefslogtreecommitdiffstats
path: root/cryptography/hazmat/bindings/openssl
diff options
context:
space:
mode:
Diffstat (limited to 'cryptography/hazmat/bindings/openssl')
-rw-r--r--cryptography/hazmat/bindings/openssl/backend.py89
-rw-r--r--cryptography/hazmat/bindings/openssl/bignum.py3
-rw-r--r--cryptography/hazmat/bindings/openssl/engine.py10
-rw-r--r--cryptography/hazmat/bindings/openssl/err.py7
-rw-r--r--cryptography/hazmat/bindings/openssl/pem.py9
-rw-r--r--cryptography/hazmat/bindings/openssl/rsa.py27
6 files changed, 139 insertions, 6 deletions
diff --git a/cryptography/hazmat/bindings/openssl/backend.py b/cryptography/hazmat/bindings/openssl/backend.py
index 9f8ea939..f19c8cca 100644
--- a/cryptography/hazmat/bindings/openssl/backend.py
+++ b/cryptography/hazmat/bindings/openssl/backend.py
@@ -19,7 +19,7 @@ import sys
import cffi
from cryptography import utils
-from cryptography.exceptions import UnsupportedAlgorithm
+from cryptography.exceptions import UnsupportedAlgorithm, InvalidTag
from cryptography.hazmat.bindings.interfaces import (
CipherBackend, HashBackend, HMACBackend
)
@@ -28,9 +28,27 @@ from cryptography.hazmat.primitives.ciphers.algorithms import (
AES, Blowfish, Camellia, CAST5, TripleDES, ARC4,
)
from cryptography.hazmat.primitives.ciphers.modes import (
- CBC, CTR, ECB, OFB, CFB
+ CBC, CTR, ECB, OFB, CFB, GCM,
)
+_OSX_PRE_INCLUDE = """
+#ifdef __APPLE__
+#include <AvailabilityMacros.h>
+#define __ORIG_DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER \
+ DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
+#undef DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
+#define DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
+#endif
+"""
+
+_OSX_POST_INCLUDE = """
+#ifdef __APPLE__
+#undef DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
+#define DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER \
+ __ORIG_DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER
+#endif
+"""
+
@utils.register_interface(CipherBackend)
@utils.register_interface(HashBackend)
@@ -111,8 +129,15 @@ class Backend(object):
# is legal, but the following will fail to compile:
# int foo(int);
# int foo(short);
+
lib = ffi.verify(
- source="\n".join(includes + functions + customizations),
+ source="\n".join(
+ [_OSX_PRE_INCLUDE] +
+ includes +
+ [_OSX_POST_INCLUDE] +
+ functions +
+ customizations
+ ),
libraries=["crypto", "ssl"],
)
@@ -186,6 +211,11 @@ class Backend(object):
type(None),
GetCipherByName("rc4")
)
+ self.register_cipher_adapter(
+ AES,
+ GCM,
+ GetCipherByName("{cipher.name}-{cipher.key_size}-{mode.name}")
+ )
def create_symmetric_encryption_ctx(self, cipher, mode):
return _CipherContext(self, cipher, mode, _CipherContext._ENCRYPT)
@@ -193,8 +223,10 @@ class Backend(object):
def create_symmetric_decryption_ctx(self, cipher, mode):
return _CipherContext(self, cipher, mode, _CipherContext._DECRYPT)
- def _handle_error(self):
+ def _handle_error(self, mode):
code = self.lib.ERR_get_error()
+ if not code and isinstance(mode, GCM):
+ raise InvalidTag
assert code != 0
lib = self.lib.ERR_GET_LIB(code)
func = self.lib.ERR_GET_FUNC(code)
@@ -231,6 +263,8 @@ class GetCipherByName(object):
@utils.register_interface(interfaces.CipherContext)
+@utils.register_interface(interfaces.AEADCipherContext)
+@utils.register_interface(interfaces.AEADEncryptionContext)
class _CipherContext(object):
_ENCRYPT = 1
_DECRYPT = 0
@@ -238,6 +272,9 @@ class _CipherContext(object):
def __init__(self, backend, cipher, mode, operation):
self._backend = backend
self._cipher = cipher
+ self._mode = mode
+ self._operation = operation
+ self._tag = None
ctx = self._backend.lib.EVP_CIPHER_CTX_new()
ctx = self._backend.ffi.gc(ctx, self._backend.lib.EVP_CIPHER_CTX_free)
@@ -270,6 +307,26 @@ class _CipherContext(object):
ctx, len(cipher.key)
)
assert res != 0
+ if isinstance(mode, GCM):
+ res = self._backend.lib.EVP_CIPHER_CTX_ctrl(
+ ctx, self._backend.lib.Cryptography_EVP_CTRL_GCM_SET_IVLEN,
+ len(iv_nonce), self._backend.ffi.NULL
+ )
+ assert res != 0
+ if operation == self._DECRYPT:
+ if not mode.tag:
+ raise ValueError("Authentication tag must be supplied "
+ "when decrypting")
+ res = self._backend.lib.EVP_CIPHER_CTX_ctrl(
+ ctx, self._backend.lib.Cryptography_EVP_CTRL_GCM_SET_TAG,
+ len(mode.tag), mode.tag
+ )
+ assert res != 0
+ else:
+ if mode.tag:
+ raise ValueError("Authentication tag must be None when "
+ "encrypting")
+
# pass key/iv
res = self._backend.lib.EVP_CipherInit_ex(ctx, self._backend.ffi.NULL,
self._backend.ffi.NULL,
@@ -296,12 +353,34 @@ class _CipherContext(object):
outlen = self._backend.ffi.new("int *")
res = self._backend.lib.EVP_CipherFinal_ex(self._ctx, buf, outlen)
if res == 0:
- self._backend._handle_error()
+ self._backend._handle_error(self._mode)
+
+ if (isinstance(self._mode, GCM) and
+ self._operation == self._ENCRYPT):
+ block_byte_size = self._cipher.block_size // 8
+ tag_buf = self._backend.ffi.new("unsigned char[]", block_byte_size)
+ res = self._backend.lib.EVP_CIPHER_CTX_ctrl(
+ self._ctx, self._backend.lib.Cryptography_EVP_CTRL_GCM_GET_TAG,
+ block_byte_size, tag_buf
+ )
+ assert res != 0
+ self._tag = self._backend.ffi.buffer(tag_buf)[:]
res = self._backend.lib.EVP_CIPHER_CTX_cleanup(self._ctx)
assert res == 1
return self._backend.ffi.buffer(buf)[:outlen[0]]
+ def authenticate_additional_data(self, data):
+ outlen = self._backend.ffi.new("int *")
+ res = self._backend.lib.EVP_CipherUpdate(
+ self._ctx, self._backend.ffi.NULL, outlen, data, len(data)
+ )
+ assert res != 0
+
+ @property
+ def tag(self):
+ return self._tag
+
@utils.register_interface(interfaces.HashContext)
class _HashContext(object):
diff --git a/cryptography/hazmat/bindings/openssl/bignum.py b/cryptography/hazmat/bindings/openssl/bignum.py
index fcfadff1..1b0fe5ab 100644
--- a/cryptography/hazmat/bindings/openssl/bignum.py
+++ b/cryptography/hazmat/bindings/openssl/bignum.py
@@ -28,6 +28,9 @@ int BN_set_word(BIGNUM *, BN_ULONG);
char *BN_bn2hex(const BIGNUM *);
int BN_hex2bn(BIGNUM **, const char *);
+int BN_dec2bn(BIGNUM **, const char *);
+
+int BN_num_bits(const BIGNUM *);
"""
MACROS = """
diff --git a/cryptography/hazmat/bindings/openssl/engine.py b/cryptography/hazmat/bindings/openssl/engine.py
index b76befce..1f377665 100644
--- a/cryptography/hazmat/bindings/openssl/engine.py
+++ b/cryptography/hazmat/bindings/openssl/engine.py
@@ -36,6 +36,16 @@ void ENGINE_load_builtin_engines();
int ENGINE_ctrl_cmd_string(ENGINE *, const char *, const char *, int);
int ENGINE_set_default(ENGINE *, unsigned int);
int ENGINE_register_complete(ENGINE *);
+
+int ENGINE_set_default_RSA(ENGINE *);
+int ENGINE_set_default_string(ENGINE *, const char *);
+int ENGINE_set_default_DSA(ENGINE *);
+int ENGINE_set_default_ECDH(ENGINE *);
+int ENGINE_set_default_ECDSA(ENGINE *);
+int ENGINE_set_default_DH(ENGINE *);
+int ENGINE_set_default_RAND(ENGINE *);
+int ENGINE_set_default_ciphers(ENGINE *);
+int ENGINE_set_default_digests(ENGINE *);
"""
MACROS = """
diff --git a/cryptography/hazmat/bindings/openssl/err.py b/cryptography/hazmat/bindings/openssl/err.py
index 3dac6948..f31c2405 100644
--- a/cryptography/hazmat/bindings/openssl/err.py
+++ b/cryptography/hazmat/bindings/openssl/err.py
@@ -23,11 +23,18 @@ struct ERR_string_data_st {
typedef struct ERR_string_data_st ERR_STRING_DATA;
static const int ERR_LIB_EVP;
+static const int ERR_LIB_PEM;
static const int EVP_F_EVP_ENCRYPTFINAL_EX;
static const int EVP_F_EVP_DECRYPTFINAL_EX;
static const int EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH;
+
+static const int PEM_F_PEM_READ_BIO_PRIVATEKEY;
+static const int PEM_F_D2I_PKCS8PRIVATEKEY_BIO;
+
+static const int PEM_R_BAD_PASSWORD_READ;
+static const int ASN1_R_BAD_PASSWORD_READ;
"""
FUNCTIONS = """
diff --git a/cryptography/hazmat/bindings/openssl/pem.py b/cryptography/hazmat/bindings/openssl/pem.py
index 00f0dc36..cef7839f 100644
--- a/cryptography/hazmat/bindings/openssl/pem.py
+++ b/cryptography/hazmat/bindings/openssl/pem.py
@@ -29,6 +29,15 @@ int PEM_write_bio_PrivateKey(BIO *, EVP_PKEY *, const EVP_CIPHER *,
EVP_PKEY *PEM_read_bio_PrivateKey(BIO *, EVP_PKEY **, pem_password_cb *,
void *);
+int PEM_write_bio_PKCS8PrivateKey(BIO *, EVP_PKEY *, const EVP_CIPHER *,
+ char *, int, pem_password_cb *, void *);
+
+int i2d_PKCS8PrivateKey_bio(BIO *, EVP_PKEY *, const EVP_CIPHER *,
+ char *, int, pem_password_cb *, void *);
+
+EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *, EVP_PKEY **, pem_password_cb *,
+ void *);
+
int PEM_write_bio_X509_REQ(BIO *, X509_REQ *);
X509_REQ *PEM_read_bio_X509_REQ(BIO *, X509_REQ **, pem_password_cb *, void *);
diff --git a/cryptography/hazmat/bindings/openssl/rsa.py b/cryptography/hazmat/bindings/openssl/rsa.py
index 21ed5d67..ad0d37b4 100644
--- a/cryptography/hazmat/bindings/openssl/rsa.py
+++ b/cryptography/hazmat/bindings/openssl/rsa.py
@@ -16,15 +16,40 @@ INCLUDES = """
"""
TYPES = """
-typedef ... RSA;
+typedef struct rsa_st {
+ BIGNUM *n;
+ BIGNUM *e;
+ BIGNUM *d;
+ BIGNUM *p;
+ BIGNUM *q;
+ BIGNUM *dmp1;
+ BIGNUM *dmq1;
+ BIGNUM *iqmp;
+ ...;
+} RSA;
typedef ... BN_GENCB;
+static const int RSA_PKCS1_PADDING;
+static const int RSA_SSLV23_PADDING;
+static const int RSA_NO_PADDING;
+static const int RSA_PKCS1_OAEP_PADDING;
+static const int RSA_X931_PADDING;
"""
FUNCTIONS = """
RSA *RSA_new();
void RSA_free(RSA *);
+int RSA_size(const RSA *);
int RSA_generate_key_ex(RSA *, int, BIGNUM *, BN_GENCB *);
int RSA_check_key(const RSA *);
+RSA *RSAPublicKey_dup(RSA *);
+int RSA_public_encrypt(int, const unsigned char *, unsigned char *,
+ RSA *, int);
+int RSA_private_encrypt(int, const unsigned char *, unsigned char *,
+ RSA *, int);
+int RSA_public_decrypt(int, const unsigned char *, unsigned char *,
+ RSA *, int);
+int RSA_private_decrypt(int, const unsigned char *, unsigned char *,
+ RSA *, int);
"""
MACROS = """
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-02 23:44:11 +0000