Diffstat (limited to 'src/cryptography')
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 68 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/ciphers.py | 35 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/dsa.py | 28 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/ec.py | 39 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/rsa.py | 47 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/utils.py | 21 | ||||
-rw-r--r-- | src/cryptography/hazmat/bindings/openssl/_conditional.py | 19 | ||||
-rw-r--r-- | src/cryptography/hazmat/bindings/openssl/binding.py | 21 |
8 files changed, 25 insertions, 253 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 71063c19..d2a9e6c9 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -21,9 +21,7 @@ from cryptography.hazmat.backends.interfaces import ( EllipticCurveBackend, HMACBackend, HashBackend, PBKDF2HMACBackend, PEMSerializationBackend, RSABackend, ScryptBackend, X509Backend ) -from cryptography.hazmat.backends.openssl.ciphers import ( - _AESCTRCipherContext, _CipherContext -) +from cryptography.hazmat.backends.openssl.ciphers import _CipherContext from cryptography.hazmat.backends.openssl.cmac import _CMACContext from cryptography.hazmat.backends.openssl.dh import ( _DHParameters, _DHPrivateKey, _DHPublicKey @@ -233,12 +231,7 @@ class Backend(object): return _HashContext(self, algorithm) def cipher_supported(self, cipher, mode): - if self._evp_cipher_supported(cipher, mode): - return True - elif isinstance(mode, CTR) and isinstance(cipher, AES): - return True - else: - return False + return self._evp_cipher_supported(cipher, mode) def _evp_cipher_supported(self, cipher, mode): try: 
@@ -307,22 +300,10 @@ class Backend(object): ) def create_symmetric_encryption_ctx(self, cipher, mode): - if (isinstance(mode, CTR) and isinstance(cipher, AES) and - not self._evp_cipher_supported(cipher, mode)): - # This is needed to provide support for AES CTR mode in OpenSSL - # 1.0.0. It can be removed when we drop 1.0.0 support (RHEL 6.4). - return _AESCTRCipherContext(self, cipher, mode) - else: - return _CipherContext(self, cipher, mode, _CipherContext._ENCRYPT) + return _CipherContext(self, cipher, mode, _CipherContext._ENCRYPT) def create_symmetric_decryption_ctx(self, cipher, mode): - if (isinstance(mode, CTR) and isinstance(cipher, AES) and - not self._evp_cipher_supported(cipher, mode)): - # This is needed to provide support for AES CTR mode in OpenSSL - # 1.0.0. It can be removed when we drop 1.0.0 support (RHEL 6.4). - return _AESCTRCipherContext(self, cipher, mode) - else: - return _CipherContext(self, cipher, mode, _CipherContext._DECRYPT) + return _CipherContext(self, cipher, mode, _CipherContext._DECRYPT) def pbkdf2_hmac_supported(self, algorithm): return self.hmac_supported(algorithm) @@ -606,10 +587,7 @@ class Backend(object): return isinstance(algorithm, hashes.SHA1) def _pss_mgf1_hash_supported(self, algorithm): - if self._lib.Cryptography_HAS_MGF1_MD: - return self.hash_supported(algorithm) - else: - return isinstance(algorithm, hashes.SHA1) + return self.hash_supported(algorithm) def rsa_padding_supported(self, padding): if isinstance(padding, PKCS1v15): 
@@ -737,18 +715,6 @@ class Backend(object): if not isinstance(algorithm, hashes.HashAlgorithm): raise TypeError('Algorithm must be a registered hash algorithm.') - if self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101: - if isinstance(private_key, _DSAPrivateKey): - raise NotImplementedError( - "Certificate signing requests aren't implemented for DSA" - " keys on OpenSSL versions less than 1.0.1." - ) - if isinstance(private_key, _EllipticCurvePrivateKey): - raise NotImplementedError( - "Certificate signing requests aren't implemented for EC" - " keys on OpenSSL versions less than 1.0.1." - ) - # Resolve the signature algorithm. evp_md = self._lib.EVP_get_digestbyname( algorithm.name.encode('ascii') @@ -815,18 +781,6 @@ class Backend(object): if not isinstance(algorithm, hashes.HashAlgorithm): raise TypeError('Algorithm must be a registered hash algorithm.') - if self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101: - if isinstance(private_key, _DSAPrivateKey): - raise NotImplementedError( - "Certificate signatures aren't implemented for DSA" - " keys on OpenSSL versions less than 1.0.1." - ) - if isinstance(private_key, _EllipticCurvePrivateKey): - raise NotImplementedError( - "Certificate signatures aren't implemented for EC" - " keys on OpenSSL versions less than 1.0.1." - ) - # Resolve the signature algorithm. evp_md = self._lib.EVP_get_digestbyname( algorithm.name.encode('ascii') 
@@ -920,18 +874,6 @@ class Backend(object): if not isinstance(algorithm, hashes.HashAlgorithm): raise TypeError('Algorithm must be a registered hash algorithm.') - if self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101: - if isinstance(private_key, _DSAPrivateKey): - raise NotImplementedError( - "CRL signatures aren't implemented for DSA" - " keys on OpenSSL versions less than 1.0.1." - ) - if isinstance(private_key, _EllipticCurvePrivateKey): - raise NotImplementedError( - "CRL signatures aren't implemented for EC" - " keys on OpenSSL versions less than 1.0.1." - ) - evp_md = self._lib.EVP_get_digestbyname( algorithm.name.encode('ascii') ) diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py index bd5dfb31..898b3497 100644 --- a/src/cryptography/hazmat/backends/openssl/ciphers.py +++ b/src/cryptography/hazmat/backends/openssl/ciphers.py 
@@ -167,38 +167,3 @@ class _CipherContext(object): self._backend.openssl_assert(res != 0) tag = utils.read_only_property("_tag") - - -@utils.register_interface(ciphers.CipherContext) -class _AESCTRCipherContext(object): - """ - This is needed to provide support for AES CTR mode in OpenSSL 1.0.0. It can - be removed when we drop 1.0.0 support (RHEL 6.4 is the only thing that - ships it). - """ - def __init__(self, backend, cipher, mode): - self._backend = backend - - self._key = self._backend._ffi.new("AES_KEY *") - res = self._backend._lib.AES_set_encrypt_key( - cipher.key, len(cipher.key) * 8, self._key - ) - self._backend.openssl_assert(res == 0) - self._ecount = self._backend._ffi.new("unsigned char[]", 16) - self._nonce = self._backend._ffi.new("unsigned char[16]", mode.nonce) - self._num = self._backend._ffi.new("unsigned int *", 0) - - def update(self, data): - buf = self._backend._ffi.new("unsigned char[]", len(data)) - self._backend._lib.AES_ctr128_encrypt( - data, buf, len(data), self._key, self._nonce, - self._ecount, self._num - ) - return self._backend._ffi.buffer(buf)[:] - - def finalize(self): - self._key = None - self._ecount = None - self._nonce = None - self._num = None - return b"" diff --git a/src/cryptography/hazmat/backends/openssl/dsa.py b/src/cryptography/hazmat/backends/openssl/dsa.py index e82c043d..e2ed3dfd 100644 --- a/src/cryptography/hazmat/backends/openssl/dsa.py +++ b/src/cryptography/hazmat/backends/openssl/dsa.py @@ -7,7 +7,7 @@ from __future__ import absolute_import, division, print_function from cryptography import utils from cryptography.exceptions import InvalidSignature from cryptography.hazmat.backends.openssl.utils import ( - _calculate_digest_and_algorithm, _truncate_digest + _calculate_digest_and_algorithm ) from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ( 
@@ -15,24 +15,6 @@ from cryptography.hazmat.primitives.asymmetric import ( ) -def _truncate_digest_for_dsa(dsa_cdata, digest, backend): - """ - This function truncates digests that are longer than a given DS - key's length so they can be signed. OpenSSL does this for us in - 1.0.0c+, leaving us with three releases (1.0.0, 1.0.0a, and 1.0.0b) where - this is a problem. - """ - - q = backend._ffi.new("BIGNUM **") - backend._lib.DSA_get0_pqg( - dsa_cdata, backend._ffi.NULL, q, backend._ffi.NULL - ) - backend.openssl_assert(q[0] != backend._ffi.NULL) - - order_bits = backend._lib.BN_num_bits(q[0]) - return _truncate_digest(digest, order_bits) - - def _dsa_sig_sign(backend, private_key, data): sig_buf_len = backend._lib.DSA_size(private_key._dsa_cdata) sig_buf = backend._ffi.new("unsigned char[]", sig_buf_len) @@ -77,9 +59,6 @@ class _DSAVerificationContext(object): def verify(self): data_to_verify = self._hash_ctx.finalize() - data_to_verify = _truncate_digest_for_dsa( - self._public_key._dsa_cdata, data_to_verify, self._backend - ) _dsa_sig_verify( self._backend, self._public_key, self._signature, data_to_verify ) @@ -98,9 +77,6 @@ class _DSASignatureContext(object): def finalize(self): data_to_sign = self._hash_ctx.finalize() - data_to_sign = _truncate_digest_for_dsa( - self._private_key._dsa_cdata, data_to_sign, self._backend - ) return _dsa_sig_sign(self._backend, self._private_key, data_to_sign) @@ -212,7 +188,6 @@ class _DSAPrivateKey(object): data, algorithm = _calculate_digest_and_algorithm( self._backend, data, algorithm ) - data = _truncate_digest_for_dsa(self._dsa_cdata, data, self._backend) return _dsa_sig_sign(self._backend, self, data) @@ -286,5 +261,4 @@ class _DSAPublicKey(object): data, algorithm = _calculate_digest_and_algorithm( self._backend, data, algorithm ) - data = _truncate_digest_for_dsa(self._dsa_cdata, data, self._backend) return _dsa_sig_verify(self._backend, self, signature, data) 
diff --git a/src/cryptography/hazmat/backends/openssl/ec.py b/src/cryptography/hazmat/backends/openssl/ec.py index 5969f2a3..f2b52492 100644 --- a/src/cryptography/hazmat/backends/openssl/ec.py +++ b/src/cryptography/hazmat/backends/openssl/ec.py @@ -9,7 +9,7 @@ from cryptography.exceptions import ( InvalidSignature, UnsupportedAlgorithm, _Reasons ) from cryptography.hazmat.backends.openssl.utils import ( - _calculate_digest_and_algorithm, _truncate_digest + _calculate_digest_and_algorithm ) from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ( @@ -17,31 +17,6 @@ from cryptography.hazmat.primitives.asymmetric import ( ) -def _truncate_digest_for_ecdsa(ec_key_cdata, digest, backend): - """ - This function truncates digests that are longer than a given elliptic - curve key's length so they can be signed. Since elliptic curve keys are - much shorter than RSA keys many digests (e.g. SHA-512) may require - truncation. - """ - - _lib = backend._lib - _ffi = backend._ffi - - group = _lib.EC_KEY_get0_group(ec_key_cdata) - - with backend._tmp_bn_ctx() as bn_ctx: - order = _lib.BN_CTX_get(bn_ctx) - backend.openssl_assert(order != _ffi.NULL) - - res = _lib.EC_GROUP_get_order(group, order, bn_ctx) - backend.openssl_assert(res == 1) - - order_bits = _lib.BN_num_bits(order) - - return _truncate_digest(digest, order_bits) - - def _check_signature_algorithm(signature_algorithm): if not isinstance(signature_algorithm, ec.ECDSA): raise UnsupportedAlgorithm( @@ -127,9 +102,6 @@ class _ECDSASignatureContext(object): def finalize(self): digest = self._digest.finalize() - digest = _truncate_digest_for_ecdsa( - self._private_key._ec_key, digest, self._backend - ) return _ecdsa_sig_sign(self._backend, self._private_key, digest) 
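Review bot: With `_truncate_digest` dropped from this import and `_truncate_digest_for_ecdsa` deleted in the next hunk, ec.py no longer bounds the digest to the curve order before `_ecdsa_sig_sign` / `_ecdsa_sig_verify`, and nothing on the page records why that is safe. The removed DSA helper's docstring says OpenSSL truncates for itself from 1.0.0c on, but the ECDSA helper's docstring names no version, so the ec.py removal presumably relies on the same library behaviour without stating it. I would add a comment at the four call sites (the two contexts and the sign/verify methods on the key classes, which sit in later hunks), e.g. `# Digest truncation to the group order is left to OpenSSL.`, and pin it with a sign/verify round trip that uses a digest longer than the order, such as SHA-512 on a 256-bit curve. The diffstat is limited to src/cryptography, so any test change is not visible here; the dsa.py hunks earlier in the diff make the same removal.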
@@ -146,9 +118,6 @@ class _ECDSAVerificationContext(object): def verify(self): digest = self._digest.finalize() - digest = _truncate_digest_for_ecdsa( - self._public_key._ec_key, digest, self._backend - ) return _ecdsa_sig_verify( self._backend, self._public_key, self._signature, digest ) @@ -247,9 +216,6 @@ class _EllipticCurvePrivateKey(object): data, algorithm = _calculate_digest_and_algorithm( self._backend, data, signature_algorithm._algorithm ) - data = _truncate_digest_for_ecdsa( - self._ec_key, data, self._backend - ) return _ecdsa_sig_sign(self._backend, self, data) @@ -317,7 +283,4 @@ class _EllipticCurvePublicKey(object): data, algorithm = _calculate_digest_and_algorithm( self._backend, data, signature_algorithm._algorithm ) - data = _truncate_digest_for_ecdsa( - self._ec_key, data, self._backend - ) return _ecdsa_sig_verify(self._backend, self, signature, data) diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py index 8996d884..0a375721 100644 --- a/src/cryptography/hazmat/backends/openssl/rsa.py +++ b/src/cryptography/hazmat/backends/openssl/rsa.py @@ -164,13 +164,6 @@ def _rsa_sig_determine_padding(backend, key, padding, algorithm): raise ValueError("Digest too large for key size. Use a larger " "key or different digest.") - if not backend._pss_mgf1_hash_supported(padding._mgf._algorithm): - raise UnsupportedAlgorithm( - "When OpenSSL is older than 1.0.1 then only SHA1 is " - "supported with MGF1.", - _Reasons.UNSUPPORTED_HASH - ) - padding_enum = backend._lib.RSA_PKCS1_PSS_PADDING else: raise UnsupportedAlgorithm( 
@@ -212,17 +205,15 @@ def _rsa_sig_sign(backend, padding, padding_enum, algorithm, private_key, ) backend.openssl_assert(res > 0) - if backend._lib.Cryptography_HAS_MGF1_MD: - # MGF1 MD is configurable in OpenSSL 1.0.1+ - mgf1_md = backend._lib.EVP_get_digestbyname( - padding._mgf._algorithm.name.encode("ascii")) - backend.openssl_assert( - mgf1_md != backend._ffi.NULL - ) - res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md( - pkey_ctx, mgf1_md - ) - backend.openssl_assert(res > 0) + mgf1_md = backend._lib.EVP_get_digestbyname( + padding._mgf._algorithm.name.encode("ascii")) + backend.openssl_assert( + mgf1_md != backend._ffi.NULL + ) + res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md( + pkey_ctx, mgf1_md + ) + backend.openssl_assert(res > 0) buflen = backend._ffi.new("size_t *") res = backend._lib.EVP_PKEY_sign( @@ -284,17 +275,15 @@ def _rsa_sig_verify(backend, padding, padding_enum, algorithm, public_key, ) ) backend.openssl_assert(res > 0) - if backend._lib.Cryptography_HAS_MGF1_MD: - # MGF1 MD is configurable in OpenSSL 1.0.1+ - mgf1_md = backend._lib.EVP_get_digestbyname( - padding._mgf._algorithm.name.encode("ascii")) - backend.openssl_assert( - mgf1_md != backend._ffi.NULL - ) - res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md( - pkey_ctx, mgf1_md - ) - backend.openssl_assert(res > 0) + mgf1_md = backend._lib.EVP_get_digestbyname( + padding._mgf._algorithm.name.encode("ascii")) + backend.openssl_assert( + mgf1_md != backend._ffi.NULL + ) + res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md( + pkey_ctx, mgf1_md + ) + backend.openssl_assert(res > 0) res = backend._lib.EVP_PKEY_verify( pkey_ctx, diff --git a/src/cryptography/hazmat/backends/openssl/utils.py b/src/cryptography/hazmat/backends/openssl/utils.py index c88e3189..e8b4a307 100644 --- a/src/cryptography/hazmat/backends/openssl/utils.py +++ b/src/cryptography/hazmat/backends/openssl/utils.py 
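Review bot: An MGF1 hash that the linked OpenSSL does not provide now reaches `backend.openssl_assert(mgf1_md != backend._ffi.NULL)` in `_rsa_sig_sign` (and the identical lines in the `_rsa_sig_verify` hunk), because this commit also deletes the `_pss_mgf1_hash_supported` guard from `_rsa_sig_determine_padding`. Unless a check outside these hunks rejects the hash earlier, the caller presumably gets an internal assertion failure instead of `UnsupportedAlgorithm` with `_Reasons.UNSUPPORTED_HASH`. `Backend._pss_mgf1_hash_supported` is kept in backend.py and now delegates to `hash_supported`, so the guard can stay with a version-neutral message: `if not backend._pss_mgf1_hash_supported(padding._mgf._algorithm): raise UnsupportedAlgorithm("MGF1 hash is not supported by this backend.", _Reasons.UNSUPPORTED_HASH)`. Both function bodies begin and end outside their hunks.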
@@ -4,31 +4,10 @@ from __future__ import absolute_import, division, print_function -import six - from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric.utils import Prehashed -def _truncate_digest(digest, order_bits): - digest_len = len(digest) - - if 8 * digest_len > order_bits: - digest_len = (order_bits + 7) // 8 - digest = digest[:digest_len] - - if 8 * digest_len > order_bits: - rshift = 8 - (order_bits & 0x7) - assert 0 < rshift < 8 - - mask = 0xFF >> rshift << rshift - - # Set the bottom rshift bits to 0 - digest = digest[:-1] + six.int2byte(six.indexbytes(digest, -1) & mask) - - return digest - - def _calculate_digest_and_algorithm(backend, data, algorithm): if not isinstance(algorithm, Prehashed): hash_ctx = hashes.Hash(algorithm, backend) diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index d1cebd8e..46c32d14 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -133,9 +133,6 @@ CONDITIONAL_NAMES = { "POINT_CONVERSION_COMPRESSED", "POINT_CONVERSION_UNCOMPRESSED", "POINT_CONVERSION_HYBRID", - ], - - "Cryptography_HAS_EC_1_0_1": [ "EC_KEY_get_flags", "EC_KEY_set_flags", "EC_KEY_clear_flags", @@ -195,9 +192,6 @@ CONDITIONAL_NAMES = { "RAND_egd_bytes", "RAND_query_egd_bytes", ], - "Cryptography_HAS_MGF1_MD": [ - "EVP_PKEY_CTX_set_rsa_mgf1_md", - ], "Cryptography_HAS_RSA_OAEP_MD": [ "EVP_PKEY_CTX_set_rsa_oaep_md", ], @@ -241,13 +235,6 @@ CONDITIONAL_NAMES = { "DTLSv1_method", ], - "Cryptography_HAS_NEXTPROTONEG": [ - "SSL_CTX_set_next_protos_advertised_cb", - "SSL_CTX_set_next_proto_select_cb", - "SSL_select_next_proto", - "SSL_get0_next_proto_negotiated", - ], - "Cryptography_HAS_ALPN": [ "SSL_CTX_set_alpn_protos", "SSL_set_alpn_protos", 
@@ -296,9 +283,6 @@ CONDITIONAL_NAMES = { "SSL_CTX_set_cert_cb", "SSL_set_cert_cb", ], - "Cryptography_HAS_AES_CTR128_ENCRYPT": [ - "AES_ctr128_encrypt", - ], "Cryptography_HAS_SSL_ST": [ "SSL_ST_BEFORE", "SSL_ST_OK", @@ -319,7 +303,4 @@ CONDITIONAL_NAMES = { "Cryptography_HAS_SCRYPT": [ "EVP_PBE_scrypt", ], - "Cryptography_HAS_NPN_NEGOTIATED": [ - "OPENSSL_NPN_NEGOTIATED", - ], } diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index 39750abc..b6617543 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -5,10 +5,8 @@ from __future__ import absolute_import, division, print_function import collections -import os import threading import types -import warnings from cryptography.exceptions import InternalError from cryptography.hazmat.bindings._openssl import ffi, lib @@ -148,28 +146,9 @@ class Binding(object): _openssl_assert(cls.lib, res == 1) -def _verify_openssl_version(version): - if version < 0x10001000: - if os.environ.get("CRYPTOGRAPHY_ALLOW_OPENSSL_100"): - warnings.warn( - "OpenSSL version 1.0.0 is no longer supported by the OpenSSL " - "project, please upgrade. The next version of cryptography " - "will completely remove support for it.", - DeprecationWarning - ) - else: - raise RuntimeError( - "You are linking against OpenSSL 1.0.0, which is no longer " - "support by the OpenSSL project. You need to upgrade to a " - "newer version of OpenSSL." - ) - - # OpenSSL is not thread safe until the locks are initialized. We call this # method in module scope so that it executes with the import lock. On # Pythons < 3.4 this import lock is a global lock, which can prevent a race # condition registering the OpenSSL locks. On Python 3.4+ the import lock # is per module so this approach will not work. Binding.init_static_locks() - -_verify_openssl_version(Binding.lib.SSLeay()) |