aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
...
* fix bug with n % 8 length wrapping on AESKWP (#4160)Paul Kehrer2018-03-201-2/+7
| | | | | | * fix bug with n % 8 length wrapping on AESKWP * review feedback
* Revert "don't allow GeneralNames to be an empty list (#4128)" (#4161)Alex Gaynor2018-03-201-3/+0
| | | | | This breaks the urllib3 tests, as well as several in-the-wild certs This reverts commit 388d1bd3e9cd953fcc948edbc152d5d140c87eb8.
* open master for 2.3 (#4151)Paul Kehrer2018-03-181-1/+1
|
* 2.2 release! (#4150)Paul Kehrer2018-03-181-1/+1
| | | | | | * 2.2 release! * also change versions
* implement AES KW with padding (RFC 5649) (#3880)Paul Kehrer2018-03-181-0/+57
| | | | | | | | | | | | | | | | | | * implement AES KW with padding (RFC 5649) fixes #3791 * oops, 2.2 * make sure this is the right valueerror * more match * make key padding easier to read * review feedback * review feedback
* Allow DSA q=224 (#4147)Paul Kehrer2018-03-181-2/+2
| | | | | | | | * load Q=224 vectors * DSA parameters should support 224 for q length * oxford comma
* Brainpool curves (#4129)Paul Kehrer2018-03-151-0/+22
| | | | | | | | | | | | | | | | | | * added brainpool ec-curves key_length >= 256bit * limit brainpool curves to the set that appear required + docs * oops * typos all around me * add brainpool ECDH kex tests * switch to using rfc 7027 vectors * review feedback * empty commits are the best
* add X509_CRL_dup function (#4127)Dominic Chen2018-03-051-0/+1
|
* remove cms bindings we don't use (#4131)Paul Kehrer2018-03-053-149/+0
|
* Remove unused bindings from asn1.py (#4082)David Benjamin2018-03-052-66/+1
| | | | | | | | | | | * Remove unused bindings from asn1.py This also includes a couple removals from x509v3.py which also reference ASN1_ITEM_EXP. * re-add int ASN1_STRING_set_default_mask_asc(char *); * also re-add static const int MBSTRING_UTF8
* don't allow GeneralNames to be an empty list (#4128)Paul Kehrer2018-03-051-0/+3
| | | | | | * don't allow GeneralNames to be an empty list * flake8
* Expose BN_rand and BN_rand_range (#4118)Tux2018-02-231-0/+3
|
* Add binding for SSL_get_certificate (#4100)Jeremy Lainé2018-02-061-0/+1
| | | | | | | | | | | | | | Currently we only expose SSL_get_peer_certificate, which allows you to retrieve the remote party's certificate. This adds the symetrical binding to retrieve the local party's certificate. The motivation for this additional binding is to make it possible to query the local certificate regardless of the method which was used to load the certificate into the SSL connection (from a file, from an in-memory object). An example where this is useful is when negotiating a DTLS-SRTP connection, the fingerprint of the local certificate needs to be communicated to the remote party out-of-band via SDP. This binding can be exposed in pyopenssl as Connection.get_certificate().
* Add bindings for SRTP support (#4099)Jeremy Lainé2018-02-061-0/+3
|
* fix a memory leak in ec derive_private_key (#4096)Paul Kehrer2018-02-041-2/+3
| | | | | | | | * fix a memory leak in ec derive_private_key fixes #4095 * pep8!
* Add bindings for DTLS support (#4089)gesslerpd2018-01-233-0/+30
| | | | | | | | | | | | | | | | * + more DTLS bindings * + BIO_CTRL_DGRAM* * + read ahead functions * rm BIO_CTRL_DGRAM_SET_PEEK_MODE * rm BIO_CTRL_DGRAM_SET_DONT_FRAG * + link mtu conditional logic * rm some BIO_CTRL_DGRAM* bindings
* Add bindings for PSK (#4084)gesslerpd2018-01-182-1/+53
| | | | | | | | | | * + PSK function bindings * + PSK conditional * trigger CI * trigger CI
* Add bindings for SSL_OP_NO_DTLS* (#4079)gesslerpd2018-01-162-0/+6
| | | | | | | | * + bindings for SSL_OP_NO_DTLS* * + conditional for not HAS_GENERIC_DTLS_METHOD * flag SSL_OP_NO_DTLS* for unsupported deletion
* Use the real X509_REVOKED_dup when available. (#4080)David Benjamin2018-01-121-0/+4
| | | This avoids reaching into the ASN1_ITEM mess if not necessary.
* Fixes #4076 - simplify the implementation of int_from_bytes on python2 (#4077)Alex Gaynor2018-01-101-2/+1
| | | | | | | | * Fixes #4076 - simplify the implementation of int_from_bytes on python2 * whitespace * Added a test
* The HKDF limit is actually 255 * digest_length_in_bytes (#4037)Paul Kehrer2018-01-061-1/+1
| | | | | | | | | | | * The HKDF limit is actually 255 * digest_length_in_bytes Previously we had a bug where we divided digest_size by 8...but HashAlgorithm.digest_size is already in bytes. * test longer output * changelog
* Use `BN_clear_free` in places where `BN_free` is being used (#4072)Tux2018-01-051-2/+2
| | | | | | | | | | * Expose BN_clear_free * Use BN_clear_free in test_int_to_bn * Use BN_clear_free in lieu of BN_free * Use BN_free on public values
* Expose `BN_clear_free` in the OpenSSL backend (#4071)Tux2018-01-051-0/+1
| | | | | | * Expose BN_clear_free * Use BN_clear_free in test_int_to_bn
* just a quick confirmation that it really is an x25519 evp key (#4070)Paul Kehrer2018-01-053-0/+13
| | | | | | * just a quick confirmation that it really is an x25519 evp key * openssl assert. take that python -O
* Fixed #4006 -- bind functions for dealing with sigalgs (#4063)Alex Gaynor2017-12-262-0/+23
| | | | | | * Fixed #4006 -- bind functions for dealing with sigalgs * oops
* Fixed #4058 -- use the thread-safe API from OpenSSL, not the danger one (#4059)Alex Gaynor2017-12-182-4/+4
|
* Pass the right length of null bytes when no salt is provided to HKDF (#4036)Paul Kehrer2017-12-011-1/+1
| | | | | | This bug looks bad but ends up being benign because HMAC is specified to pad null bytes if a key is too short. So we passed too few bytes and then OpenSSL obligingly padded it out to the correct length. However, we should still do the right thing obviously.
* Fix ASN1 string type encoding for several Name OIDs (#4035)Paul Kehrer2017-11-301-7/+15
| | | | | | | | | | | | | | | | | | | * Fix ASN1 string type encoding for several Name OIDs When we changed over to the new type encoding system we didn't verify that the new code exactly matched the ASN1 string types that OpenSSL was previously choosing. This caused serialNumber, dnQualifier, emailAddress, and domainComponent to change from their proper encodings to UTF8String as of version 2.1. Now we check to see if there's a sentinel value (indicating no custom type has been passed) and then check if the OID has a different default than UTF8. If it does, we set it. This PR also adds tests for the ASN1 string type of ever supported NameOID. * review feedback
* add X509_up_ref (#4028)Paul Kehrer2017-11-281-0/+5
|
* fix typo in comment (#4019)Benjamin Peterson2017-11-131-1/+1
|
* nit: remove double space in deprecation warning (#4018)Alex Gaynor2017-11-111-2/+2
|
* Use a different warning class so users get warnings (#4014)Alex Gaynor2017-11-111-2/+8
| | | | | | | | | | | | * Use a different warning class so users get warnings * fixed tests * do our own warning class * typo * flake8
* Fix a few new flake8 issues (#4008)Alex Gaynor2017-11-021-1/+0
|
* nit: line wrapping change (#4004)Alex Gaynor2017-10-281-2/+1
|
* Latest flake8 has some rules about variable names (#3996)Alex Gaynor2017-10-232-4/+4
|
* Add Multifernet.rotate method (#3979)Chris Wolfe2017-10-191-2/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * add rotate method * add some more tests for the failure modes * start adding some documentation for the rotate method * operate on a single token at a time, leave lists to the caller * add versionadded add versionadded, drop rotate from class doctest * give rotate a doctest * single level, not aligned * add changelog for mf.rotate * show that, once rotated, the old fernet instance can no longer decrypt the token * add the instead of just the how * update docs to reflect removal of ttl from rotate * update tests * refactor internal methods so that we can extract the timestamp * implement rotate * update wordlist (case sensitive?) * lints * consistent naming * get_token_data/get_unverified_token_data -> better name * doc changes * use the static method, do not treat as imethod * move up to MultiFernet docs * add to authors * alter wording * monkeypatch time to make it less possible for the test to pass simply due to calls occuring in less than one second * set the time after encryption to make sure that the time is preserved as part of re-encryption
* use the correct modern API (#3984)Alex Gaynor2017-10-171-1/+1
|
* Inline calls to bit_length now that it's trivial (#3966)Alex Gaynor2017-10-123-4/+6
| | | | | | | | * Inline calls to bit_length now that it's trivial * unused imports * An comment
* expunge python 2.6 (#3962)Paul Kehrer2017-10-112-17/+2
| | | | | | | | | | * expunge python 2.6 * how did THAT happen * remove another unsupported python from the tox envlist * hypothesis can now be unconditionally imported
* increment deprecation for the 2.2 release cycle (#3961)Paul Kehrer2017-10-111-2/+1
|
* start the twenty second release cycle (#3960)Paul Kehrer2017-10-111-1/+1
|
* update changelog release date and bump version for 2.1 release (#3958)Paul Kehrer2017-10-111-1/+1
|
* backwards incompatible change to UniformResourceIdentifier (#3954)Paul Kehrer2017-10-103-61/+33
| | | | | | | | | | | | | | | * backwards incompatible change to UniformResourceIdentifier During this release cycle we decided to officially deprecate passing U-labels to our GeneralName constructors. At first we tried changing this in a purely backwards compatible way but get_values_for_type made that untenable. This PR modifies URI to accept two types: U-label strings (which raises a deprecation warning) and A-label strings (the new preferred type). There is also a constructor for URI that bypasses validation so we can parse garbage out of certificates (and round trip it if necessary) * nonsense empty commit 2.6 and codecov are the worst
* backwards incompatible change to RFC822Name (#3953)Paul Kehrer2017-10-103-47/+32
| | | | | | | | | | | | | | | * backwards incompatible change to RFC822Name During this release cycle we decided to officially deprecate passing U-labels to our GeneralName constructors. At first we tried changing this in a purely backwards compatible way but get_values_for_type made that untenable. This PR modifies RFC822Name to accept two types: U-label strings (which raises a deprecation warning) and A-label strings (the new preferred type). There is also a constructor for RFC822Name that bypasses validation so we can parse garbage out of certificates (and round trip it if necessary) * whoops
* Backwards incompatible change to DNSName (#3951)Paul Kehrer2017-10-103-51/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Backwards incompatible change to DNSName During this release cycle we decided to officially deprecate passing U-labels to our GeneralName constructors. At first we tried changing this in a purely backwards compatible way but get_values_for_type made that untenable. This PR modifies DNSName to take three different types. U-label strings (which raises a deprecation warning), A-label strings (the new preferred type), and bytes (which are assumed to be decodable to unicode strings). The latter, while supported, is primarily intended for use by our parser and allows us to return the actual encoded data in a certificate even if it has not been properly encoded to A-label before the certificate is created. (Of course, if the certificate contains invalid utf8 sequences this will still fail, but let's handle one catastrophic failure at a time). * coverage * don't delete that asterisk from a test. it does things. * no bytes in DNSName. Private constructor for bypassing validation * test unicode in dnsname (yuck) * fix docs * empty commit, you disappoint me codecov * CI is the worst
* Add support for AES XTS (#3900)Paul Kehrer2017-10-014-9/+63
| | | | | | | | | | | | | | | | | | | | | | | | * Add support for AES XTS We drop the non-byte aligned test vectors because according to NIST http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSVS.pdf "An implementation may support a data unit length that is not a multiple of 8 bits." OpenSSL does not support this, so we can't use those test vectors. * fix docs and pep8 * docs fix * the spellchecker is so frustrating * add note about AES 192 for XTS (it's not supported) * docs work * enforce key length on ECB mode in AES as well (thanks XTS) * a few more words about why we exclude some test vectors for XTS
* Declare that 2.1 is the last version to support Python 2.6 (#3944)Alex Gaynor2017-10-011-1/+1
| | | | | | * Declare that 2.1 is the last version to support Python 2.6 * It's the Final Countdown!
* add ChaCha20 support (#3919)Paul Kehrer2017-09-283-1/+32
| | | | | | | | | | * add ChaCha20 support * review feedback * 256 divided by 8 is what again? * ...
* Expose FIPS funcs for OpenSSL. (#3939)Scott Sturdivant2017-09-273-0/+37
| | | | | | | | | | | | | * Expose FIPS funcs for OpenSSL. * Remove FIPS customization / conditionals. It seems that the FIPS functions are always defined, regardless of if the FIPS module is present. * Do not include FIPS_selftest_check func. * Libressl does not have FIPS.
* both parse and encode the ASN1 string type for Name attributes (#3896)Paul Kehrer2017-09-254-23/+47
| | | | | | | | | | | | | | | * both parse and encode the ASN1 string type for Name attributes Previously cryptography encoded everything (except country names) as UTF8String. This caused problems with chain building in libraries like NSS where the subject and issuer are expected to match byte-for-byte. With this change we now parse and store the ASN1 string type as a private _type in NameAttribute. We then use this to encode when issuing a new certificate. This allows the CertificateBuilder to properly construct an identical issuer and fixes the issue with NSS. * make the sentinel private too
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-16 19:38:23 +0000