From e5c5eec8cc5b0a4a1faa47013c0b90d01483b125 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 13 Dec 2013 08:10:20 -0800 Subject: Clean up test generation to not use generators anymore and use parametrization --- tests/hazmat/primitives/utils.py | 541 +++++++++++++++------------------------ 1 file changed, 209 insertions(+), 332 deletions(-) diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 705983a0..7f67ad40 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -3,7 +3,6 @@ import os import pytest -from cryptography.hazmat.bindings import _ALL_BACKENDS from cryptography.hazmat.primitives import hashes, hmac from cryptography.hazmat.primitives.ciphers import Cipher from cryptography.exceptions import ( @@ -13,378 +12,256 @@ from cryptography.exceptions import ( from ...utils import load_vectors_from_file +def _load_all_params(path, file_names, param_loader): + all_params = [] + for file_name in file_names: + all_params.extend( + load_vectors_from_file(os.path.join(path, file_name), param_loader) + ) + return all_params + + def generate_encrypt_test(param_loader, path, file_names, cipher_factory, mode_factory, only_if=lambda backend: True, skip_message=None): - def test_encryption(self): - for backend in _ALL_BACKENDS: - for file_name in file_names: - for params in load_vectors_from_file( - os.path.join(path, file_name), - param_loader - ): - yield ( - encrypt_test, - backend, - cipher_factory, - mode_factory, - params, - only_if, - skip_message - ) - return test_encryption - + all_params = _load_all_params(path, file_names, param_loader) + + @pytest.mark.parametrize("params", all_params) + def test_encryption(self, backend, params): + if not only_if(backend): + pytest.skip(skip_message) + plaintext = params.pop("plaintext") + ciphertext = params.pop("ciphertext") + cipher = Cipher( + cipher_factory(**params), + mode_factory(**params), + backend=backend + ) + encryptor = cipher.encryptor() + actual_ciphertext = encryptor.update(binascii.unhexlify(plaintext)) + actual_ciphertext += encryptor.finalize() + assert actual_ciphertext == binascii.unhexlify(ciphertext) + decryptor = cipher.decryptor() + actual_plaintext = decryptor.update(binascii.unhexlify(ciphertext)) + actual_plaintext += decryptor.finalize() + assert actual_plaintext == binascii.unhexlify(plaintext) -def encrypt_test(backend, cipher_factory, mode_factory, params, only_if, - skip_message): - if not only_if(backend): - pytest.skip(skip_message) - plaintext = params.pop("plaintext") - ciphertext = params.pop("ciphertext") - cipher = Cipher( - cipher_factory(**params), - mode_factory(**params), - backend=backend - ) - encryptor = cipher.encryptor() - actual_ciphertext = encryptor.update(binascii.unhexlify(plaintext)) - actual_ciphertext += encryptor.finalize() - assert actual_ciphertext == binascii.unhexlify(ciphertext) - decryptor = cipher.decryptor() - actual_plaintext = decryptor.update(binascii.unhexlify(ciphertext)) - actual_plaintext += decryptor.finalize() - assert actual_plaintext == binascii.unhexlify(plaintext) + return test_encryption def generate_aead_test(param_loader, path, file_names, cipher_factory, mode_factory, only_if, skip_message): - def test_aead(self): - for backend in _ALL_BACKENDS: - for file_name in file_names: - for params in load_vectors_from_file( - os.path.join(path, file_name), - param_loader - ): - yield ( - aead_test, - backend, - cipher_factory, - mode_factory, - params, - only_if, - skip_message - ) + all_params = _load_all_params(path, file_names, param_loader) + + @pytest.mark.parametrize("params", all_params) + def test_aead(self, backend, params): + if not only_if(backend): + pytest.skip(skip_message) + if params.get("pt") is not None: + plaintext = params.pop("pt") + ciphertext = params.pop("ct") + aad = params.pop("aad") + if params.get("fail") is True: + cipher = Cipher( + cipher_factory(binascii.unhexlify(params["key"])), + mode_factory(binascii.unhexlify(params["iv"]), + binascii.unhexlify(params["tag"])), + backend + ) + decryptor = cipher.decryptor() + decryptor.authenticate_additional_data(binascii.unhexlify(aad)) + actual_plaintext = decryptor.update(binascii.unhexlify(ciphertext)) + with pytest.raises(InvalidTag): + decryptor.finalize() + else: + cipher = Cipher( + cipher_factory(binascii.unhexlify(params["key"])), + mode_factory(binascii.unhexlify(params["iv"]), None), + backend + ) + encryptor = cipher.encryptor() + encryptor.authenticate_additional_data(binascii.unhexlify(aad)) + actual_ciphertext = encryptor.update(binascii.unhexlify(plaintext)) + actual_ciphertext += encryptor.finalize() + tag_len = len(params["tag"]) + assert binascii.hexlify(encryptor.tag)[:tag_len] == params["tag"] + cipher = Cipher( + cipher_factory(binascii.unhexlify(params["key"])), + mode_factory(binascii.unhexlify(params["iv"]), + binascii.unhexlify(params["tag"])), + backend + ) + decryptor = cipher.decryptor() + decryptor.authenticate_additional_data(binascii.unhexlify(aad)) + actual_plaintext = decryptor.update(binascii.unhexlify(ciphertext)) + actual_plaintext += decryptor.finalize() + assert actual_plaintext == binascii.unhexlify(plaintext) + return test_aead -def aead_test(backend, cipher_factory, mode_factory, params, only_if, - skip_message): - if not only_if(backend): - pytest.skip(skip_message) - if params.get("pt") is not None: - plaintext = params.pop("pt") - ciphertext = params.pop("ct") - aad = params.pop("aad") - if params.get("fail") is True: - cipher = Cipher( - cipher_factory(binascii.unhexlify(params["key"])), - mode_factory(binascii.unhexlify(params["iv"]), - binascii.unhexlify(params["tag"])), - backend - ) - decryptor = cipher.decryptor() - decryptor.authenticate_additional_data(binascii.unhexlify(aad)) - actual_plaintext = decryptor.update(binascii.unhexlify(ciphertext)) - with pytest.raises(InvalidTag): - decryptor.finalize() - else: - cipher = Cipher( - cipher_factory(binascii.unhexlify(params["key"])), - mode_factory(binascii.unhexlify(params["iv"]), None), - backend - ) +def generate_stream_encryption_test(param_loader, path, file_names, + cipher_factory, only_if=None, + skip_message=None): + all_params = _load_all_params(path, file_names, param_loader) + + @pytest.mark.parametrize("params", all_params) + def test_stream_encryption(self, backend, params): + if not only_if(backend): + pytest.skip(skip_message) + plaintext = params.pop("plaintext") + ciphertext = params.pop("ciphertext") + offset = params.pop("offset") + cipher = Cipher(cipher_factory(**params), None, backend=backend) encryptor = cipher.encryptor() - encryptor.authenticate_additional_data(binascii.unhexlify(aad)) + # throw away offset bytes + encryptor.update(b"\x00" * int(offset)) actual_ciphertext = encryptor.update(binascii.unhexlify(plaintext)) actual_ciphertext += encryptor.finalize() - tag_len = len(params["tag"]) - assert binascii.hexlify(encryptor.tag)[:tag_len] == params["tag"] - cipher = Cipher( - cipher_factory(binascii.unhexlify(params["key"])), - mode_factory(binascii.unhexlify(params["iv"]), - binascii.unhexlify(params["tag"])), - backend - ) + assert actual_ciphertext == binascii.unhexlify(ciphertext) decryptor = cipher.decryptor() - decryptor.authenticate_additional_data(binascii.unhexlify(aad)) + decryptor.update(b"\x00" * int(offset)) actual_plaintext = decryptor.update(binascii.unhexlify(ciphertext)) actual_plaintext += decryptor.finalize() assert actual_plaintext == binascii.unhexlify(plaintext) - -def generate_stream_encryption_test(param_loader, path, file_names, - cipher_factory, only_if=None, - skip_message=None): - def test_stream_encryption(self): - for backend in _ALL_BACKENDS: - for file_name in file_names: - for params in load_vectors_from_file( - os.path.join(path, file_name), - param_loader - ): - yield ( - stream_encryption_test, - backend, - cipher_factory, - params, - only_if, - skip_message - ) return test_stream_encryption -def stream_encryption_test(backend, cipher_factory, params, only_if, - skip_message): - if not only_if(backend): - pytest.skip(skip_message) - plaintext = params.pop("plaintext") - ciphertext = params.pop("ciphertext") - offset = params.pop("offset") - cipher = Cipher(cipher_factory(**params), None, backend=backend) - encryptor = cipher.encryptor() - # throw away offset bytes - encryptor.update(b"\x00" * int(offset)) - actual_ciphertext = encryptor.update(binascii.unhexlify(plaintext)) - actual_ciphertext += encryptor.finalize() - assert actual_ciphertext == binascii.unhexlify(ciphertext) - decryptor = cipher.decryptor() - decryptor.update(b"\x00" * int(offset)) - actual_plaintext = decryptor.update(binascii.unhexlify(ciphertext)) - actual_plaintext += decryptor.finalize() - assert actual_plaintext == binascii.unhexlify(plaintext) - - -def generate_hash_test(param_loader, path, file_names, hash_cls, - only_if=None, skip_message=None): - def test_hash(self): - for backend in _ALL_BACKENDS: - for file_name in file_names: - for params in load_vectors_from_file( - os.path.join(path, file_name), - param_loader - ): - yield ( - hash_test, - backend, - hash_cls, - params, - only_if, - skip_message - ) - return test_hash +def generate_hash_test(param_loader, path, file_names, algorithm, only_if=None, + skip_message=None): + all_params = _load_all_params(path, file_names, param_loader) + @pytest.mark.parametrize("params", all_params) + def test_hash(self, backend, params): + if only_if is not None and not only_if(backend): + pytest.skip(skip_message) + msg, md = params + m = hashes.Hash(algorithm, backend=backend) + m.update(binascii.unhexlify(msg)) + expected_md = md.replace(" ", "").lower().encode("ascii") + assert m.finalize() == binascii.unhexlify(expected_md) -def hash_test(backend, algorithm, params, only_if, skip_message): - if only_if is not None and not only_if(backend): - pytest.skip(skip_message) - msg = params[0] - md = params[1] - m = hashes.Hash(algorithm, backend=backend) - m.update(binascii.unhexlify(msg)) - expected_md = md.replace(" ", "").lower().encode("ascii") - assert m.finalize() == binascii.unhexlify(expected_md) - - -def generate_base_hash_test(algorithm, digest_size, block_size, - only_if=None, skip_message=None): - def test_base_hash(self): - for backend in _ALL_BACKENDS: - yield ( - base_hash_test, - backend, - algorithm, - digest_size, - block_size, - only_if, - skip_message, - ) - return test_base_hash + return test_hash -def base_hash_test(backend, algorithm, digest_size, block_size, only_if, - skip_message): - if only_if is not None and not only_if(backend): - pytest.skip(skip_message) +def generate_base_hash_test(algorithm, digest_size, block_size, only_if=None, + skip_message=None): + def test_base_hash(self, backend): + if only_if is not None and not only_if(backend): + pytest.skip(skip_message) - m = hashes.Hash(algorithm, backend=backend) - assert m.algorithm.digest_size == digest_size - assert m.algorithm.block_size == block_size - m_copy = m.copy() - assert m != m_copy - assert m._ctx != m_copy._ctx + m = hashes.Hash(algorithm, backend=backend) + assert m.algorithm.digest_size == digest_size + assert m.algorithm.block_size == block_size + m_copy = m.copy() + assert m != m_copy + assert m._ctx != m_copy._ctx - m.update(b"abc") - copy = m.copy() - copy.update(b"123") - m.update(b"123") - assert copy.finalize() == m.finalize() + m.update(b"abc") + copy = m.copy() + copy.update(b"123") + m.update(b"123") + assert copy.finalize() == m.finalize() + + return test_base_hash -def generate_long_string_hash_test(hash_factory, md, only_if=None, +def generate_long_string_hash_test(algorithm, md, only_if=None, skip_message=None): - def test_long_string_hash(self): - for backend in _ALL_BACKENDS: - yield( - long_string_hash_test, - backend, - hash_factory, - md, - only_if, - skip_message - ) + def test_long_string_hash(self, backend): + if only_if is not None and not only_if(backend): + pytest.skip(skip_message) + m = hashes.Hash(algorithm, backend=backend) + m.update(b"a" * 1000000) + assert m.finalize() == binascii.unhexlify(md.lower().encode("ascii")) + return test_long_string_hash -def long_string_hash_test(backend, algorithm, md, only_if, skip_message): - if only_if is not None and not only_if(backend): - pytest.skip(skip_message) - m = hashes.Hash(algorithm, backend=backend) - m.update(b"a" * 1000000) - assert m.finalize() == binascii.unhexlify(md.lower().encode("ascii")) - - -def generate_hmac_test(param_loader, path, file_names, algorithm, - only_if=None, skip_message=None): - def test_hmac(self): - for backend in _ALL_BACKENDS: - for file_name in file_names: - for params in load_vectors_from_file( - os.path.join(path, file_name), - param_loader - ): - yield ( - hmac_test, - backend, - algorithm, - params, - only_if, - skip_message - ) +def generate_hmac_test(param_loader, path, file_names, algorithm, only_if=None, + skip_message=None): + all_params = _load_all_params(path, file_names, param_loader) + + @pytest.mark.parametrize("params", all_params) + def test_hmac(self, backend, params): + if only_if is not None and not only_if(backend): + pytest.skip(skip_message) + msg, md, key = params + h = hmac.HMAC(binascii.unhexlify(key), algorithm, backend=backend) + h.update(binascii.unhexlify(msg)) + assert h.finalize() == binascii.unhexlify(md.encode("ascii")) + return test_hmac -def hmac_test(backend, algorithm, params, only_if, skip_message): - if only_if is not None and not only_if(backend): - pytest.skip(skip_message) - msg = params[0] - md = params[1] - key = params[2] - h = hmac.HMAC(binascii.unhexlify(key), algorithm, backend=backend) - h.update(binascii.unhexlify(msg)) - assert h.finalize() == binascii.unhexlify(md.encode("ascii")) - - -def generate_base_hmac_test(hash_cls, only_if=None, skip_message=None): - def test_base_hmac(self): - for backend in _ALL_BACKENDS: - yield ( - base_hmac_test, - backend, - hash_cls, - only_if, - skip_message, - ) +def generate_base_hmac_test(algorithm, only_if=None, skip_message=None): + def test_base_hmac(self, backend): + if only_if is not None and not only_if(backend): + pytest.skip(skip_message) + key = b"ab" + h = hmac.HMAC(binascii.unhexlify(key), algorithm, backend=backend) + h_copy = h.copy() + assert h != h_copy + assert h._ctx != h_copy._ctx + return test_base_hmac -def base_hmac_test(backend, algorithm, only_if, skip_message): - if only_if is not None and not only_if(backend): - pytest.skip(skip_message) - key = b"ab" - h = hmac.HMAC(binascii.unhexlify(key), algorithm, backend=backend) - h_copy = h.copy() - assert h != h_copy - assert h._ctx != h_copy._ctx - - -def generate_aead_exception_test(cipher_factory, mode_factory, - only_if, skip_message): - def test_aead_exception(self): - for backend in _ALL_BACKENDS: - yield ( - aead_exception_test, - backend, - cipher_factory, - mode_factory, - only_if, - skip_message - ) - return test_aead_exception +def generate_aead_exception_test(cipher_factory, mode_factory, only_if, + skip_message): + def test_aead_exception(self, backend): + if not only_if(backend): + pytest.skip(skip_message) + cipher = Cipher( + cipher_factory(binascii.unhexlify(b"0" * 32)), + mode_factory(binascii.unhexlify(b"0" * 24)), + backend + ) + encryptor = cipher.encryptor() + encryptor.update(b"a" * 16) + with pytest.raises(NotYetFinalized): + encryptor.tag + with pytest.raises(AlreadyUpdated): + encryptor.authenticate_additional_data(b"b" * 16) + encryptor.finalize() + with pytest.raises(AlreadyFinalized): + encryptor.authenticate_additional_data(b"b" * 16) + with pytest.raises(AlreadyFinalized): + encryptor.update(b"b" * 16) + with pytest.raises(AlreadyFinalized): + encryptor.finalize() + cipher = Cipher( + cipher_factory(binascii.unhexlify(b"0" * 32)), + mode_factory(binascii.unhexlify(b"0" * 24), b"0" * 16), + backend + ) + decryptor = cipher.decryptor() + decryptor.update(b"a" * 16) + with pytest.raises(AttributeError): + decryptor.tag + return test_aead_exception -def aead_exception_test(backend, cipher_factory, mode_factory, - only_if, skip_message): - if not only_if(backend): - pytest.skip(skip_message) - cipher = Cipher( - cipher_factory(binascii.unhexlify(b"0" * 32)), - mode_factory(binascii.unhexlify(b"0" * 24)), - backend - ) - encryptor = cipher.encryptor() - encryptor.update(b"a" * 16) - with pytest.raises(NotYetFinalized): - encryptor.tag - with pytest.raises(AlreadyUpdated): - encryptor.authenticate_additional_data(b"b" * 16) - encryptor.finalize() - with pytest.raises(AlreadyFinalized): - encryptor.authenticate_additional_data(b"b" * 16) - with pytest.raises(AlreadyFinalized): - encryptor.update(b"b" * 16) - with pytest.raises(AlreadyFinalized): - encryptor.finalize() - cipher = Cipher( - cipher_factory(binascii.unhexlify(b"0" * 32)), - mode_factory(binascii.unhexlify(b"0" * 24), b"0" * 16), - backend - ) - decryptor = cipher.decryptor() - decryptor.update(b"a" * 16) - with pytest.raises(AttributeError): - decryptor.tag - - -def generate_aead_tag_exception_test(cipher_factory, mode_factory, - only_if, skip_message): - def test_aead_tag_exception(self): - for backend in _ALL_BACKENDS: - yield ( - aead_tag_exception_test, - backend, - cipher_factory, - mode_factory, - only_if, - skip_message - ) - return test_aead_tag_exception +def generate_aead_tag_exception_test(cipher_factory, mode_factory, only_if, + skip_message): + def test_aead_tag_exception(self, backend): + if not only_if(backend): + pytest.skip(skip_message) + cipher = Cipher( + cipher_factory(binascii.unhexlify(b"0" * 32)), + mode_factory(binascii.unhexlify(b"0" * 24)), + backend + ) + with pytest.raises(ValueError): + cipher.decryptor() + cipher = Cipher( + cipher_factory(binascii.unhexlify(b"0" * 32)), + mode_factory(binascii.unhexlify(b"0" * 24), b"0" * 16), + backend + ) + with pytest.raises(ValueError): + cipher.encryptor() -def aead_tag_exception_test(backend, cipher_factory, mode_factory, - only_if, skip_message): - if not only_if(backend): - pytest.skip(skip_message) - cipher = Cipher( - cipher_factory(binascii.unhexlify(b"0" * 32)), - mode_factory(binascii.unhexlify(b"0" * 24)), - backend - ) - with pytest.raises(ValueError): - cipher.decryptor() - cipher = Cipher( - cipher_factory(binascii.unhexlify(b"0" * 32)), - mode_factory(binascii.unhexlify(b"0" * 24), b"0" * 16), - backend - ) - with pytest.raises(ValueError): - cipher.encryptor() + return test_aead_tag_exception -- cgit v1.2.3 From 21919e218ae485e52da3f66e8373e79230e61a4c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 13 Dec 2013 08:56:32 -0800 Subject: Make this less invasive --- tests/hazmat/primitives/utils.py | 457 ++++++++++++++++++++++++--------------- 1 file changed, 280 insertions(+), 177 deletions(-) diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 7f67ad40..cfc885b0 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -3,6 +3,7 @@ import os import pytest +from cryptography.hazmat.bindings import _ALL_BACKENDS from cryptography.hazmat.primitives import hashes, hmac from cryptography.hazmat.primitives.ciphers import Cipher from cryptography.exceptions import ( @@ -20,7 +21,6 @@ def _load_all_params(path, file_names, param_loader): ) return all_params - def generate_encrypt_test(param_loader, path, file_names, cipher_factory, mode_factory, only_if=lambda backend: True, skip_message=None): @@ -28,240 +28,343 @@ def generate_encrypt_test(param_loader, path, file_names, cipher_factory, @pytest.mark.parametrize("params", all_params) def test_encryption(self, backend, params): - if not only_if(backend): - pytest.skip(skip_message) - plaintext = params.pop("plaintext") - ciphertext = params.pop("ciphertext") - cipher = Cipher( - cipher_factory(**params), - mode_factory(**params), - backend=backend + encrypt_test( + backend, + cipher_factory, + mode_factory, + params, + only_if, + skip_message ) - encryptor = cipher.encryptor() - actual_ciphertext = encryptor.update(binascii.unhexlify(plaintext)) - actual_ciphertext += encryptor.finalize() - assert actual_ciphertext == binascii.unhexlify(ciphertext) - decryptor = cipher.decryptor() - actual_plaintext = decryptor.update(binascii.unhexlify(ciphertext)) - actual_plaintext += decryptor.finalize() - assert actual_plaintext == binascii.unhexlify(plaintext) return test_encryption +def encrypt_test(backend, cipher_factory, mode_factory, params, only_if, + skip_message): + if not only_if(backend): + pytest.skip(skip_message) + plaintext = params.pop("plaintext") + ciphertext = params.pop("ciphertext") + cipher = Cipher( + cipher_factory(**params), + mode_factory(**params), + backend=backend + ) + encryptor = cipher.encryptor() + actual_ciphertext = encryptor.update(binascii.unhexlify(plaintext)) + actual_ciphertext += encryptor.finalize() + assert actual_ciphertext == binascii.unhexlify(ciphertext) + decryptor = cipher.decryptor() + actual_plaintext = decryptor.update(binascii.unhexlify(ciphertext)) + actual_plaintext += decryptor.finalize() + assert actual_plaintext == binascii.unhexlify(plaintext) + + def generate_aead_test(param_loader, path, file_names, cipher_factory, mode_factory, only_if, skip_message): all_params = _load_all_params(path, file_names, param_loader) @pytest.mark.parametrize("params", all_params) def test_aead(self, backend, params): - if not only_if(backend): - pytest.skip(skip_message) - if params.get("pt") is not None: - plaintext = params.pop("pt") - ciphertext = params.pop("ct") - aad = params.pop("aad") - if params.get("fail") is True: - cipher = Cipher( - cipher_factory(binascii.unhexlify(params["key"])), - mode_factory(binascii.unhexlify(params["iv"]), - binascii.unhexlify(params["tag"])), - backend - ) - decryptor = cipher.decryptor() - decryptor.authenticate_additional_data(binascii.unhexlify(aad)) - actual_plaintext = decryptor.update(binascii.unhexlify(ciphertext)) - with pytest.raises(InvalidTag): - decryptor.finalize() - else: - cipher = Cipher( - cipher_factory(binascii.unhexlify(params["key"])), - mode_factory(binascii.unhexlify(params["iv"]), None), - backend - ) - encryptor = cipher.encryptor() - encryptor.authenticate_additional_data(binascii.unhexlify(aad)) - actual_ciphertext = encryptor.update(binascii.unhexlify(plaintext)) - actual_ciphertext += encryptor.finalize() - tag_len = len(params["tag"]) - assert binascii.hexlify(encryptor.tag)[:tag_len] == params["tag"] - cipher = Cipher( - cipher_factory(binascii.unhexlify(params["key"])), - mode_factory(binascii.unhexlify(params["iv"]), - binascii.unhexlify(params["tag"])), - backend - ) - decryptor = cipher.decryptor() - decryptor.authenticate_additional_data(binascii.unhexlify(aad)) - actual_plaintext = decryptor.update(binascii.unhexlify(ciphertext)) - actual_plaintext += decryptor.finalize() - assert actual_plaintext == binascii.unhexlify(plaintext) + aead_test( + backend, + cipher_factory, + mode_factory, + params, + only_if, + skip_message + ) return test_aead -def generate_stream_encryption_test(param_loader, path, file_names, - cipher_factory, only_if=None, - skip_message=None): - all_params = _load_all_params(path, file_names, param_loader) - - @pytest.mark.parametrize("params", all_params) - def test_stream_encryption(self, backend, params): - if not only_if(backend): - pytest.skip(skip_message) - plaintext = params.pop("plaintext") - ciphertext = params.pop("ciphertext") - offset = params.pop("offset") - cipher = Cipher(cipher_factory(**params), None, backend=backend) +def aead_test(backend, cipher_factory, mode_factory, params, only_if, + skip_message): + if not only_if(backend): + pytest.skip(skip_message) + if params.get("pt") is not None: + plaintext = params.pop("pt") + ciphertext = params.pop("ct") + aad = params.pop("aad") + if params.get("fail") is True: + cipher = Cipher( + cipher_factory(binascii.unhexlify(params["key"])), + mode_factory(binascii.unhexlify(params["iv"]), + binascii.unhexlify(params["tag"])), + backend + ) + decryptor = cipher.decryptor() + decryptor.authenticate_additional_data(binascii.unhexlify(aad)) + actual_plaintext = decryptor.update(binascii.unhexlify(ciphertext)) + with pytest.raises(InvalidTag): + decryptor.finalize() + else: + cipher = Cipher( + cipher_factory(binascii.unhexlify(params["key"])), + mode_factory(binascii.unhexlify(params["iv"]), None), + backend + ) encryptor = cipher.encryptor() - # throw away offset bytes - encryptor.update(b"\x00" * int(offset)) + encryptor.authenticate_additional_data(binascii.unhexlify(aad)) actual_ciphertext = encryptor.update(binascii.unhexlify(plaintext)) actual_ciphertext += encryptor.finalize() - assert actual_ciphertext == binascii.unhexlify(ciphertext) + tag_len = len(params["tag"]) + assert binascii.hexlify(encryptor.tag)[:tag_len] == params["tag"] + cipher = Cipher( + cipher_factory(binascii.unhexlify(params["key"])), + mode_factory(binascii.unhexlify(params["iv"]), + binascii.unhexlify(params["tag"])), + backend + ) decryptor = cipher.decryptor() - decryptor.update(b"\x00" * int(offset)) + decryptor.authenticate_additional_data(binascii.unhexlify(aad)) actual_plaintext = decryptor.update(binascii.unhexlify(ciphertext)) actual_plaintext += decryptor.finalize() assert actual_plaintext == binascii.unhexlify(plaintext) + +def generate_stream_encryption_test(param_loader, path, file_names, + cipher_factory, only_if=None, + skip_message=None): + all_params = _load_all_params(path, file_names, param_loader) + + @pytest.mark.parametrize("params", all_params) + def test_stream_encryption(self, backend, params): + stream_encryption_test( + backend, + cipher_factory, + params, + only_if, + skip_message + ) return test_stream_encryption -def generate_hash_test(param_loader, path, file_names, algorithm, only_if=None, - skip_message=None): +def stream_encryption_test(backend, cipher_factory, params, only_if, + skip_message): + if not only_if(backend): + pytest.skip(skip_message) + plaintext = params.pop("plaintext") + ciphertext = params.pop("ciphertext") + offset = params.pop("offset") + cipher = Cipher(cipher_factory(**params), None, backend=backend) + encryptor = cipher.encryptor() + # throw away offset bytes + encryptor.update(b"\x00" * int(offset)) + actual_ciphertext = encryptor.update(binascii.unhexlify(plaintext)) + actual_ciphertext += encryptor.finalize() + assert actual_ciphertext == binascii.unhexlify(ciphertext) + decryptor = cipher.decryptor() + decryptor.update(b"\x00" * int(offset)) + actual_plaintext = decryptor.update(binascii.unhexlify(ciphertext)) + actual_plaintext += decryptor.finalize() + assert actual_plaintext == binascii.unhexlify(plaintext) + + +def generate_hash_test(param_loader, path, file_names, hash_cls, + only_if=None, skip_message=None): all_params = _load_all_params(path, file_names, param_loader) @pytest.mark.parametrize("params", all_params) def test_hash(self, backend, params): - if only_if is not None and not only_if(backend): - pytest.skip(skip_message) - msg, md = params - m = hashes.Hash(algorithm, backend=backend) - m.update(binascii.unhexlify(msg)) - expected_md = md.replace(" ", "").lower().encode("ascii") - assert m.finalize() == binascii.unhexlify(expected_md) - + hash_test( + backend, + hash_cls, + params, + only_if, + skip_message + ) return test_hash -def generate_base_hash_test(algorithm, digest_size, block_size, only_if=None, - skip_message=None): - def test_base_hash(self, backend): - if only_if is not None and not only_if(backend): - pytest.skip(skip_message) - - m = hashes.Hash(algorithm, backend=backend) - assert m.algorithm.digest_size == digest_size - assert m.algorithm.block_size == block_size - m_copy = m.copy() - assert m != m_copy - assert m._ctx != m_copy._ctx - - m.update(b"abc") - copy = m.copy() - copy.update(b"123") - m.update(b"123") - assert copy.finalize() == m.finalize() +def hash_test(backend, algorithm, params, only_if, skip_message): + if only_if is not None and not only_if(backend): + pytest.skip(skip_message) + msg = params[0] + md = params[1] + m = hashes.Hash(algorithm, backend=backend) + m.update(binascii.unhexlify(msg)) + expected_md = md.replace(" ", "").lower().encode("ascii") + assert m.finalize() == binascii.unhexlify(expected_md) + +def generate_base_hash_test(algorithm, digest_size, block_size, + only_if=None, skip_message=None): + def test_base_hash(self, backend): + base_hash_test( + backend, + algorithm, + digest_size, + block_size, + only_if, + skip_message, + ) return test_base_hash -def generate_long_string_hash_test(algorithm, md, only_if=None, +def base_hash_test(backend, algorithm, digest_size, block_size, only_if, + skip_message): + if only_if is not None and not only_if(backend): + pytest.skip(skip_message) + + m = hashes.Hash(algorithm, backend=backend) + assert m.algorithm.digest_size == digest_size + assert m.algorithm.block_size == block_size + m_copy = m.copy() + assert m != m_copy + assert m._ctx != m_copy._ctx + + m.update(b"abc") + copy = m.copy() + copy.update(b"123") + m.update(b"123") + assert copy.finalize() == m.finalize() + + +def generate_long_string_hash_test(hash_factory, md, only_if=None, skip_message=None): def test_long_string_hash(self, backend): - if only_if is not None and not only_if(backend): - pytest.skip(skip_message) - m = hashes.Hash(algorithm, backend=backend) - m.update(b"a" * 1000000) - assert m.finalize() == binascii.unhexlify(md.lower().encode("ascii")) - + long_string_hash_test( + backend, + hash_factory, + md, + only_if, + skip_message + ) return test_long_string_hash -def generate_hmac_test(param_loader, path, file_names, algorithm, only_if=None, - skip_message=None): +def long_string_hash_test(backend, algorithm, md, only_if, skip_message): + if only_if is not None and not only_if(backend): + pytest.skip(skip_message) + m = hashes.Hash(algorithm, backend=backend) + m.update(b"a" * 1000000) + assert m.finalize() == binascii.unhexlify(md.lower().encode("ascii")) + + +def generate_hmac_test(param_loader, path, file_names, algorithm, + only_if=None, skip_message=None): all_params = _load_all_params(path, file_names, param_loader) @pytest.mark.parametrize("params", all_params) def test_hmac(self, backend, params): - if only_if is not None and not only_if(backend): - pytest.skip(skip_message) - msg, md, key = params - h = hmac.HMAC(binascii.unhexlify(key), algorithm, backend=backend) - h.update(binascii.unhexlify(msg)) - assert h.finalize() == binascii.unhexlify(md.encode("ascii")) - + hmac_test( + backend, + algorithm, + params, + only_if, + skip_message + ) return test_hmac -def generate_base_hmac_test(algorithm, only_if=None, skip_message=None): - def test_base_hmac(self, backend): - if only_if is not None and not only_if(backend): - pytest.skip(skip_message) - key = b"ab" - h = hmac.HMAC(binascii.unhexlify(key), algorithm, backend=backend) - h_copy = h.copy() - assert h != h_copy - assert h._ctx != h_copy._ctx +def hmac_test(backend, algorithm, params, only_if, skip_message): + if only_if is not None and not only_if(backend): + pytest.skip(skip_message) + msg = params[0] + md = params[1] + key = params[2] + h = hmac.HMAC(binascii.unhexlify(key), algorithm, backend=backend) + h.update(binascii.unhexlify(msg)) + assert h.finalize() == binascii.unhexlify(md.encode("ascii")) + +def generate_base_hmac_test(hash_cls, only_if=None, skip_message=None): + def test_base_hmac(self, backend): + base_hmac_test( + backend, + hash_cls, + only_if, + skip_message, + ) return test_base_hmac -def generate_aead_exception_test(cipher_factory, mode_factory, only_if, - skip_message): +def base_hmac_test(backend, algorithm, only_if, skip_message): + if only_if is not None and not only_if(backend): + pytest.skip(skip_message) + key = b"ab" + h = hmac.HMAC(binascii.unhexlify(key), algorithm, backend=backend) + h_copy = h.copy() + assert h != h_copy + assert h._ctx != h_copy._ctx + + +def generate_aead_exception_test(cipher_factory, mode_factory, + only_if, skip_message): def test_aead_exception(self, backend): - if not only_if(backend): - pytest.skip(skip_message) - cipher = Cipher( - cipher_factory(binascii.unhexlify(b"0" * 32)), - mode_factory(binascii.unhexlify(b"0" * 24)), - backend - ) - encryptor = cipher.encryptor() - encryptor.update(b"a" * 16) - with pytest.raises(NotYetFinalized): - encryptor.tag - with pytest.raises(AlreadyUpdated): - encryptor.authenticate_additional_data(b"b" * 16) - encryptor.finalize() - with pytest.raises(AlreadyFinalized): - encryptor.authenticate_additional_data(b"b" * 16) - with pytest.raises(AlreadyFinalized): - encryptor.update(b"b" * 16) - with pytest.raises(AlreadyFinalized): - encryptor.finalize() - cipher = Cipher( - cipher_factory(binascii.unhexlify(b"0" * 32)), - mode_factory(binascii.unhexlify(b"0" * 24), b"0" * 16), - backend + aead_exception_test( + backend, + cipher_factory, + mode_factory, + only_if, + skip_message ) - decryptor = cipher.decryptor() - decryptor.update(b"a" * 16) - with pytest.raises(AttributeError): - decryptor.tag - return test_aead_exception -def generate_aead_tag_exception_test(cipher_factory, mode_factory, only_if, - skip_message): +def aead_exception_test(backend, cipher_factory, mode_factory, + only_if, skip_message): + if not only_if(backend): + pytest.skip(skip_message) + cipher = Cipher( + cipher_factory(binascii.unhexlify(b"0" * 32)), + mode_factory(binascii.unhexlify(b"0" * 24)), + backend + ) + encryptor = cipher.encryptor() + encryptor.update(b"a" * 16) + with pytest.raises(NotYetFinalized): + encryptor.tag + with pytest.raises(AlreadyUpdated): + encryptor.authenticate_additional_data(b"b" * 16) + encryptor.finalize() + with pytest.raises(AlreadyFinalized): + encryptor.authenticate_additional_data(b"b" * 16) + with pytest.raises(AlreadyFinalized): + encryptor.update(b"b" * 16) + with pytest.raises(AlreadyFinalized): + encryptor.finalize() + cipher = Cipher( + cipher_factory(binascii.unhexlify(b"0" * 32)), + mode_factory(binascii.unhexlify(b"0" * 24), b"0" * 16), + backend + ) + decryptor = cipher.decryptor() + decryptor.update(b"a" * 16) + with pytest.raises(AttributeError): + decryptor.tag + + +def generate_aead_tag_exception_test(cipher_factory, mode_factory, + only_if, skip_message): def test_aead_tag_exception(self, backend): - if not only_if(backend): - pytest.skip(skip_message) - cipher = Cipher( - cipher_factory(binascii.unhexlify(b"0" * 32)), - mode_factory(binascii.unhexlify(b"0" * 24)), - backend + aead_tag_exception_test( + backend, + cipher_factory, + mode_factory, + only_if, + skip_message ) - with pytest.raises(ValueError): - cipher.decryptor() - cipher = Cipher( - cipher_factory(binascii.unhexlify(b"0" * 32)), - mode_factory(binascii.unhexlify(b"0" * 24), b"0" * 16), - backend - ) - with pytest.raises(ValueError): - cipher.encryptor() - return test_aead_tag_exception + + +def aead_tag_exception_test(backend, cipher_factory, mode_factory, + only_if, skip_message): + if not only_if(backend): + pytest.skip(skip_message) + cipher = Cipher( + cipher_factory(binascii.unhexlify(b"0" * 32)), + mode_factory(binascii.unhexlify(b"0" * 24)), + backend + ) + with pytest.raises(ValueError): + cipher.decryptor() + cipher = Cipher( + cipher_factory(binascii.unhexlify(b"0" * 32)), + mode_factory(binascii.unhexlify(b"0" * 24), b"0" * 16), + backend + ) + with pytest.raises(ValueError): + cipher.encryptor() -- cgit v1.2.3 From 4eec0bb4e1d79f107f40b3856f2c9ec76c3eef88 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 13 Dec 2013 09:12:19 -0800 Subject: pep8 --- tests/hazmat/primitives/utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index cfc885b0..758e755c 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -3,7 +3,6 @@ import os import pytest -from cryptography.hazmat.bindings import _ALL_BACKENDS from cryptography.hazmat.primitives import hashes, hmac from cryptography.hazmat.primitives.ciphers import Cipher from cryptography.exceptions import ( @@ -21,6 +20,7 @@ def _load_all_params(path, file_names, param_loader): ) return all_params + def generate_encrypt_test(param_loader, path, file_names, cipher_factory, mode_factory, only_if=lambda backend: True, skip_message=None): -- cgit v1.2.3 From 7c0674641b28cd73fc0eea2ba91c1e03bf99e3fc Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 16 Dec 2013 10:11:00 -0800 Subject: Rework the index to give people a better lay of the land --- docs/index.rst | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/docs/index.rst b/docs/index.rst index 776c9d37..dd20a4a4 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -32,9 +32,24 @@ existing libraries: * Poor introspectability, and thus poor testability. * Extremely error prone APIs, and bad defaults. +Layout +------ -Contents --------- +``cryptography`` is broadly divided into two levels. One with safe +cryptographic recipes, "cryptography for humans" if you will. These are safe +and easy to use and don't require developers to make many decisions. + +The other level is low-level cryptographic primitives. These are often +dangerous and can be used incorrectly. They require making decisions and having +an in-depth knowledge of the cryptographic concepts at work. Because of the +potential danger in working at this level, this is referred to as the "hazmat" +layer. + +We recommend using the recipes layer whenever possible, and falling back to the +hazmat layer only when necessary. + +The recipes layer +~~~~~~~~~~~~~~~~~ .. toctree:: :maxdepth: 2 @@ -42,15 +57,23 @@ Contents architecture exceptions glossary - contributing - security - community Hazardous Materials -------------------- +~~~~~~~~~~~~~~~~~~~ .. toctree:: :maxdepth: 2 hazmat/primitives/index hazmat/backends/index + + +The ``cryptography`` open source project +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. toctree:: + :maxdepth: 2 + + contributing + security + community -- cgit v1.2.3 From df8bfea7df603a41c6c83a77b7fb93531b408a48 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 16 Dec 2013 10:17:48 -0800 Subject: DOn't assume people know that contraction --- docs/index.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/index.rst b/docs/index.rst index dd20a4a4..8e879b05 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -42,8 +42,8 @@ and easy to use and don't require developers to make many decisions. The other level is low-level cryptographic primitives. These are often dangerous and can be used incorrectly. They require making decisions and having an in-depth knowledge of the cryptographic concepts at work. Because of the -potential danger in working at this level, this is referred to as the "hazmat" -layer. +potential danger in working at this level, this is referred to as the +"hazardous materials" or "hazmat" layer. We recommend using the recipes layer whenever possible, and falling back to the hazmat layer only when necessary. -- cgit v1.2.3 From 2cfbc12d9111c17d48882a3db24de77375fcc9b1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 16 Dec 2013 10:19:00 -0800 Subject: Be consistent --- docs/index.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/index.rst b/docs/index.rst index 8e879b05..232ee63f 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -58,8 +58,8 @@ The recipes layer exceptions glossary -Hazardous Materials -~~~~~~~~~~~~~~~~~~~ +The hazardous materials layer +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. toctree:: :maxdepth: 2 -- cgit v1.2.3 From be980532c4714e29d9afcec439eca8550343142c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 16 Dec 2013 10:24:26 -0800 Subject: A foolish consistency is a really cool idea -- Samuel Clemens --- docs/index.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/index.rst b/docs/index.rst index 232ee63f..381063df 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -67,7 +67,6 @@ The hazardous materials layer hazmat/primitives/index hazmat/backends/index - The ``cryptography`` open source project ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- cgit v1.2.3 From 668d4803571876c1cf803b33495ddcf4433a4d83 Mon Sep 17 00:00:00 2001 From: David Reid Date: Tue, 17 Dec 2013 11:53:43 -0800 Subject: BlockCipherAlgorithm because we should document block_size and ARC4 shouldn't need block_size = 1. --- cryptography/hazmat/backends/openssl/backend.py | 11 ++++++++--- cryptography/hazmat/primitives/ciphers/algorithms.py | 6 +++++- cryptography/hazmat/primitives/interfaces.py | 8 ++++++++ docs/hazmat/primitives/interfaces.rst | 11 +++++++++++ 4 files changed, 32 insertions(+), 4 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index bd092bec..588a4273 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -276,6 +276,11 @@ class _CipherContext(object): self._operation = operation self._tag = None + if isinstance(self._cipher, interfaces.BlockCipherAlgorithm): + self._block_size = self._cipher.block_size + else: + self._block_size = 1 + ctx = self._backend.lib.EVP_CIPHER_CTX_new() ctx = self._backend.ffi.gc(ctx, self._backend.lib.EVP_CIPHER_CTX_free) @@ -341,7 +346,7 @@ class _CipherContext(object): def update(self, data): buf = self._backend.ffi.new("unsigned char[]", - len(data) + self._cipher.block_size - 1) + len(data) + self._block_size - 1) outlen = self._backend.ffi.new("int *") res = self._backend.lib.EVP_CipherUpdate(self._ctx, buf, outlen, data, len(data)) @@ -349,7 +354,7 @@ class _CipherContext(object): return self._backend.ffi.buffer(buf)[:outlen[0]] def finalize(self): - buf = self._backend.ffi.new("unsigned char[]", self._cipher.block_size) + buf = self._backend.ffi.new("unsigned char[]", self._block_size) outlen = self._backend.ffi.new("int *") res = self._backend.lib.EVP_CipherFinal_ex(self._ctx, buf, outlen) if res == 0: @@ -357,7 +362,7 @@ class _CipherContext(object): if (isinstance(self._mode, GCM) and self._operation == self._ENCRYPT): - block_byte_size = self._cipher.block_size // 8 + block_byte_size = self._block_size // 8 tag_buf = self._backend.ffi.new("unsigned char[]", block_byte_size) res = self._backend.lib.EVP_CIPHER_CTX_ctrl( self._ctx, self._backend.lib.Cryptography_EVP_CTRL_GCM_GET_TAG, diff --git a/cryptography/hazmat/primitives/ciphers/algorithms.py b/cryptography/hazmat/primitives/ciphers/algorithms.py index a206b273..a5cfce92 100644 --- a/cryptography/hazmat/primitives/ciphers/algorithms.py +++ b/cryptography/hazmat/primitives/ciphers/algorithms.py @@ -26,6 +26,7 @@ def _verify_key_size(algorithm, key): return key +@utils.register_interface(interfaces.BlockCipherAlgorithm) @utils.register_interface(interfaces.CipherAlgorithm) class AES(object): name = "AES" @@ -40,6 +41,7 @@ class AES(object): return len(self.key) * 8 +@utils.register_interface(interfaces.BlockCipherAlgorithm) @utils.register_interface(interfaces.CipherAlgorithm) class Camellia(object): name = "camellia" @@ -54,6 +56,7 @@ class Camellia(object): return len(self.key) * 8 +@utils.register_interface(interfaces.BlockCipherAlgorithm) @utils.register_interface(interfaces.CipherAlgorithm) class TripleDES(object): name = "3DES" @@ -72,6 +75,7 @@ class TripleDES(object): return len(self.key) * 8 +@utils.register_interface(interfaces.BlockCipherAlgorithm) @utils.register_interface(interfaces.CipherAlgorithm) class Blowfish(object): name = "Blowfish" @@ -86,6 +90,7 @@ class Blowfish(object): return len(self.key) * 8 +@utils.register_interface(interfaces.BlockCipherAlgorithm) @utils.register_interface(interfaces.CipherAlgorithm) class CAST5(object): name = "CAST5" @@ -103,7 +108,6 @@ class CAST5(object): @utils.register_interface(interfaces.CipherAlgorithm) class ARC4(object): name = "RC4" - block_size = 1 key_sizes = frozenset([40, 56, 64, 80, 128, 192, 256]) def __init__(self, key): diff --git a/cryptography/hazmat/primitives/interfaces.py b/cryptography/hazmat/primitives/interfaces.py index e3f4f586..2a1a21b8 100644 --- a/cryptography/hazmat/primitives/interfaces.py +++ b/cryptography/hazmat/primitives/interfaces.py @@ -32,6 +32,14 @@ class CipherAlgorithm(six.with_metaclass(abc.ABCMeta)): """ +class BlockCipherAlgorithm(six.with_metaclass(abc.ABCMeta)): + @abc.abstractproperty + def block_size(self): + """ + The size of a block as an integer in bits. (e.g. 64, 128) + """ + + class Mode(six.with_metaclass(abc.ABCMeta)): @abc.abstractproperty def name(self): diff --git a/docs/hazmat/primitives/interfaces.rst b/docs/hazmat/primitives/interfaces.rst index 11cff51a..361b723e 100644 --- a/docs/hazmat/primitives/interfaces.rst +++ b/docs/hazmat/primitives/interfaces.rst @@ -36,6 +36,17 @@ Symmetric Ciphers The number of bits in the key being used. +.. class:: BlockCipherAlgorithm + + A block cipher algorithm. + + .. attribute:: block_size + + :type: int + + The number of bits in a block. + + Cipher Modes ------------ -- cgit v1.2.3 From 2288e30119e2af3e2b448345cf6a9e61f8d06aa0 Mon Sep 17 00:00:00 2001 From: Julian Krause Date: Tue, 17 Dec 2013 21:26:23 -0800 Subject: Add verify function to hmac and hashes. --- cryptography/exceptions.py | 4 ++++ cryptography/hazmat/primitives/hashes.py | 11 +++++++++-- cryptography/hazmat/primitives/hmac.py | 11 +++++++++-- cryptography/hazmat/primitives/interfaces.py | 6 ++++++ docs/hazmat/primitives/cryptographic-hashes.rst | 7 +++++++ docs/hazmat/primitives/hmac.rst | 7 +++++++ tests/hazmat/primitives/test_hashes.py | 25 ++++++++++++++++++++++++- tests/hazmat/primitives/test_hmac.py | 25 ++++++++++++++++++++++++- 8 files changed, 90 insertions(+), 6 deletions(-) diff --git a/cryptography/exceptions.py b/cryptography/exceptions.py index e9d88199..44363c24 100644 --- a/cryptography/exceptions.py +++ b/cryptography/exceptions.py @@ -30,3 +30,7 @@ class NotYetFinalized(Exception): class InvalidTag(Exception): pass + + +class InvalidSignature(Exception): + pass diff --git a/cryptography/hazmat/primitives/hashes.py b/cryptography/hazmat/primitives/hashes.py index bee188b3..b3c626d4 100644 --- a/cryptography/hazmat/primitives/hashes.py +++ b/cryptography/hazmat/primitives/hashes.py @@ -16,8 +16,8 @@ from __future__ import absolute_import, division, print_function import six from cryptography import utils -from cryptography.exceptions import AlreadyFinalized -from cryptography.hazmat.primitives import interfaces +from cryptography.exceptions import AlreadyFinalized, InvalidSignature +from cryptography.hazmat.primitives import constant_time, interfaces @utils.register_interface(interfaces.HashContext) @@ -55,6 +55,13 @@ class Hash(object): self._ctx = None return digest + def verify(self, sig): + if isinstance(sig, six.text_type): + raise TypeError("Unicode-objects must be encoded before verifying") + digest = self.finalize() + if not constant_time.bytes_eq(digest, sig): + raise InvalidSignature("Signature did not match digest.") + @utils.register_interface(interfaces.HashAlgorithm) class SHA1(object): diff --git a/cryptography/hazmat/primitives/hmac.py b/cryptography/hazmat/primitives/hmac.py index 618bccc5..8ade84aa 100644 --- a/cryptography/hazmat/primitives/hmac.py +++ b/cryptography/hazmat/primitives/hmac.py @@ -16,8 +16,8 @@ from __future__ import absolute_import, division, print_function import six from cryptography import utils -from cryptography.exceptions import AlreadyFinalized -from cryptography.hazmat.primitives import interfaces +from cryptography.exceptions import AlreadyFinalized, InvalidSignature +from cryptography.hazmat.primitives import constant_time, interfaces @utils.register_interface(interfaces.HashContext) @@ -57,3 +57,10 @@ class HMAC(object): digest = self._ctx.finalize() self._ctx = None return digest + + def verify(self, sig): + if isinstance(sig, six.text_type): + raise TypeError("Unicode-objects must be encoded before verifying") + digest = self.finalize() + if not constant_time.bytes_eq(digest, sig): + raise InvalidSignature("Signature did not match digest.") diff --git a/cryptography/hazmat/primitives/interfaces.py b/cryptography/hazmat/primitives/interfaces.py index e3f4f586..76dc9339 100644 --- a/cryptography/hazmat/primitives/interfaces.py +++ b/cryptography/hazmat/primitives/interfaces.py @@ -152,3 +152,9 @@ class HashContext(six.with_metaclass(abc.ABCMeta)): """ return a HashContext that is a copy of the current context. """ + + @abc.abstractmethod + def verify(self, sig): + """ + compare digest to sig and raise exception if not equal. + """ diff --git a/docs/hazmat/primitives/cryptographic-hashes.rst b/docs/hazmat/primitives/cryptographic-hashes.rst index 90ca198a..02c7b5e1 100644 --- a/docs/hazmat/primitives/cryptographic-hashes.rst +++ b/docs/hazmat/primitives/cryptographic-hashes.rst @@ -67,6 +67,13 @@ Message Digests :return bytes: The message digest as bytes. + .. method:: verify(sig) + + Finalize the current context and securely compare digest to sig. + + :raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize` + :raises cryptography.exceptions.InvalidSignature: If sig does not match digest + .. _cryptographic-hash-algorithms: diff --git a/docs/hazmat/primitives/hmac.rst b/docs/hazmat/primitives/hmac.rst index 0c0d0220..b556bd6a 100644 --- a/docs/hazmat/primitives/hmac.rst +++ b/docs/hazmat/primitives/hmac.rst @@ -69,3 +69,10 @@ message. :return bytes: The message digest as bytes. :raises cryptography.exceptions.AlreadyFinalized: + + .. method:: verify(sig) + + Finalize the current context and securely compare digest to sig. + + :raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize` + :raises cryptography.exceptions.InvalidSignature: If sig does not match digest diff --git a/tests/hazmat/primitives/test_hashes.py b/tests/hazmat/primitives/test_hashes.py index ff42e8f4..cd58b065 100644 --- a/tests/hazmat/primitives/test_hashes.py +++ b/tests/hazmat/primitives/test_hashes.py @@ -19,7 +19,7 @@ import pytest import six -from cryptography.exceptions import AlreadyFinalized +from cryptography.exceptions import AlreadyFinalized, InvalidSignature from cryptography.hazmat.primitives import hashes from .utils import generate_base_hash_test @@ -57,6 +57,29 @@ class TestHashContext(object): with pytest.raises(AlreadyFinalized): h.finalize() + def test_verify(self, backend): + h = hashes.Hash(hashes.SHA1(), backend=backend) + digest = h.finalize() + + h = hashes.Hash(hashes.SHA1(), backend=backend) + h.verify(digest) + + with pytest.raises(AlreadyFinalized): + h.verify(b'') + + def test_invalid_verify(self, backend): + h = hashes.Hash(hashes.SHA1(), backend=backend) + with pytest.raises(InvalidSignature): + h.verify(b'') + + with pytest.raises(AlreadyFinalized): + h.verify(b'') + + def test_verify_reject_unicode(self, backend): + h = hashes.Hash(hashes.SHA1(), backend=backend) + with pytest.raises(TypeError): + h.verify(six.u('')) + class TestSHA1(object): test_SHA1 = generate_base_hash_test( diff --git a/tests/hazmat/primitives/test_hmac.py b/tests/hazmat/primitives/test_hmac.py index 992bcb1a..48360185 100644 --- a/tests/hazmat/primitives/test_hmac.py +++ b/tests/hazmat/primitives/test_hmac.py @@ -19,7 +19,7 @@ import pytest import six -from cryptography.exceptions import AlreadyFinalized +from cryptography.exceptions import AlreadyFinalized, InvalidSignature from cryptography.hazmat.primitives import hashes, hmac from .utils import generate_base_hmac_test @@ -63,3 +63,26 @@ class TestHMAC(object): with pytest.raises(AlreadyFinalized): h.finalize() + + def test_verify(self, backend): + h = hmac.HMAC(b'', hashes.SHA1(), backend=backend) + digest = h.finalize() + + h = hmac.HMAC(b'', hashes.SHA1(), backend=backend) + h.verify(digest) + + with pytest.raises(AlreadyFinalized): + h.verify(b'') + + def test_invalid_verify(self, backend): + h = hmac.HMAC(b'', hashes.SHA1(), backend=backend) + with pytest.raises(InvalidSignature): + h.verify(b'') + + with pytest.raises(AlreadyFinalized): + h.verify(b'') + + def test_verify_reject_unicode(self, backend): + h = hmac.HMAC(b'', hashes.SHA1(), backend=backend) + with pytest.raises(TypeError): + h.verify(six.u('')) -- cgit v1.2.3 From ccfa8894432831126095f4d7a3691c2add25d873 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 18 Dec 2013 14:54:05 -0800 Subject: Removed usage of stdbool for Windows which doesn't have C99 --- cryptography/hazmat/primitives/constant_time.py | 11 +++++------ cryptography/hazmat/primitives/padding.py | 6 ++---- 2 files changed, 7 insertions(+), 10 deletions(-) diff --git a/cryptography/hazmat/primitives/constant_time.py b/cryptography/hazmat/primitives/constant_time.py index a8351504..6502803e 100644 --- a/cryptography/hazmat/primitives/constant_time.py +++ b/cryptography/hazmat/primitives/constant_time.py @@ -20,17 +20,16 @@ import six _ffi = cffi.FFI() _ffi.cdef(""" -bool Cryptography_constant_time_bytes_eq(uint8_t *, size_t, uint8_t *, size_t); +uint8_t Cryptography_constant_time_bytes_eq(uint8_t *, size_t, uint8_t *, + size_t); """) _lib = _ffi.verify(""" -#include - -bool Cryptography_constant_time_bytes_eq(uint8_t *a, size_t len_a, uint8_t *b, - size_t len_b) { +uint8_t Cryptography_constant_time_bytes_eq(uint8_t *a, size_t len_a, + uint8_t *b, size_t len_b) { size_t i = 0; uint8_t mismatch = 0; if (len_a != len_b) { - return false; + return 0; } for (i = 0; i < len_a; i++) { mismatch |= a[i] ^ b[i]; diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index cfa90db9..97298277 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py @@ -21,11 +21,9 @@ from cryptography.hazmat.primitives import interfaces _ffi = cffi.FFI() _ffi.cdef(""" -bool Cryptography_check_pkcs7_padding(const uint8_t *, uint8_t); +uint8_t Cryptography_check_pkcs7_padding(const uint8_t *, uint8_t); """) _lib = _ffi.verify(""" -#include - /* Returns the value of the input with the most-significant-bit copied to all of the bits. */ static uint8_t Cryptography_DUPLICATE_MSB_TO_ALL(uint8_t a) { @@ -39,7 +37,7 @@ static uint8_t Cryptography_constant_time_lt(uint8_t a, uint8_t b) { return Cryptography_DUPLICATE_MSB_TO_ALL(a); } -bool Cryptography_check_pkcs7_padding(const uint8_t *data, uint8_t block_len) { +uint8_t Cryptography_check_pkcs7_padding(const uint8_t *data, uint8_t block_len) { uint8_t i; uint8_t pad_size = data[block_len - 1]; uint8_t mismatch = 0; -- cgit v1.2.3 From 41e604dceeb0290b43a348c10789e65af0cc60f7 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 18 Dec 2013 16:26:27 -0800 Subject: flake8 fix --- cryptography/hazmat/primitives/padding.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index 97298277..e517dee0 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py @@ -37,7 +37,8 @@ static uint8_t Cryptography_constant_time_lt(uint8_t a, uint8_t b) { return Cryptography_DUPLICATE_MSB_TO_ALL(a); } -uint8_t Cryptography_check_pkcs7_padding(const uint8_t *data, uint8_t block_len) { +uint8_t Cryptography_check_pkcs7_padding(const uint8_t *data, + uint8_t block_len) { uint8_t i; uint8_t pad_size = data[block_len - 1]; uint8_t mismatch = 0; -- cgit v1.2.3 From 99fdc809e5ee05785d31af7da37dbed2326c8e5b Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 19 Dec 2013 13:31:03 -0800 Subject: Attempt to handle the fact that based on defines ASN1_ITEM_EXP might be something else --- cryptography/hazmat/backends/openssl/asn1.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/asn1.py b/cryptography/hazmat/backends/openssl/asn1.py index 719a523c..c752e682 100644 --- a/cryptography/hazmat/backends/openssl/asn1.py +++ b/cryptography/hazmat/backends/openssl/asn1.py @@ -41,7 +41,7 @@ typedef ... ASN1_VALUE; typedef struct { ...; } ASN1_TIME; -typedef const ASN1_ITEM ASN1_ITEM_EXP; +typedef ... ASN1_ITEM_EXP; typedef ... ASN1_UTCTIME; @@ -102,7 +102,7 @@ ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **, const unsigned char **, long, MACROS = """ ASN1_TIME *M_ASN1_TIME_dup(void *); -ASN1_ITEM *ASN1_ITEM_ptr(ASN1_ITEM *); +ASN1_ITEM *ASN1_ITEM_ptr(ASN1_ITEM_EXP *); /* These aren't macros these arguments are all const X on openssl > 1.0.x */ -- cgit v1.2.3 From 67539c09123de7e76440ce5867613ade2a74b075 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 19 Dec 2013 15:25:17 -0800 Subject: Clean up some docstrings --- cryptography/hazmat/primitives/interfaces.py | 30 +++++++++++++++------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/cryptography/hazmat/primitives/interfaces.py b/cryptography/hazmat/primitives/interfaces.py index 2a1a21b8..61ecda9a 100644 --- a/cryptography/hazmat/primitives/interfaces.py +++ b/cryptography/hazmat/primitives/interfaces.py @@ -22,13 +22,13 @@ class CipherAlgorithm(six.with_metaclass(abc.ABCMeta)): @abc.abstractproperty def name(self): """ - A string naming this mode. (e.g. AES, Camellia) + A string naming this mode (e.g. "AES", "Camellia"). """ @abc.abstractproperty def key_size(self): """ - The size of the key being used as an integer in bits. (e.g. 128, 256) + The size of the key being used as an integer in bits (e.g. 128, 256). """ @@ -36,7 +36,7 @@ class BlockCipherAlgorithm(six.with_metaclass(abc.ABCMeta)): @abc.abstractproperty def block_size(self): """ - The size of a block as an integer in bits. (e.g. 64, 128) + The size of a block as an integer in bits (e.g. 64, 128). """ @@ -44,7 +44,7 @@ class Mode(six.with_metaclass(abc.ABCMeta)): @abc.abstractproperty def name(self): """ - A string naming this mode. (e.g. ECB, CBC) + A string naming this mode (e.g. ECB, CBC). """ @@ -76,13 +76,14 @@ class CipherContext(six.with_metaclass(abc.ABCMeta)): @abc.abstractmethod def update(self, data): """ - update takes bytes and return bytes + Processes the provided bytes through the cipher and returns the results + as bytes. """ @abc.abstractmethod def finalize(self): """ - finalize return bytes + Returns the results of processing the final block as bytes. """ @@ -90,7 +91,7 @@ class AEADCipherContext(six.with_metaclass(abc.ABCMeta)): @abc.abstractmethod def authenticate_additional_data(self, data): """ - authenticate_additional_data takes bytes and returns nothing. + Authenticates the provided bytes. """ @@ -98,7 +99,8 @@ class AEADEncryptionContext(six.with_metaclass(abc.ABCMeta)): @abc.abstractproperty def tag(self): """ - Returns tag bytes after finalizing encryption. + Returns tag bytes. This is only available after encryption is + finalized. """ @@ -106,13 +108,13 @@ class PaddingContext(six.with_metaclass(abc.ABCMeta)): @abc.abstractmethod def update(self, data): """ - update takes bytes and return bytes + Pads the provided bytes and returns any available data as bytes. """ @abc.abstractmethod def finalize(self): """ - finalize return bytes + Finalize the padding, returns bytes. """ @@ -120,7 +122,7 @@ class HashAlgorithm(six.with_metaclass(abc.ABCMeta)): @abc.abstractproperty def name(self): """ - A string naming this algorithm. (e.g. sha256, md5) + A string naming this algorithm (e.g. sha256, md5). """ @abc.abstractproperty @@ -146,17 +148,17 @@ class HashContext(six.with_metaclass(abc.ABCMeta)): @abc.abstractmethod def update(self, data): """ - hash data as bytes + Processes the provided bytes through the hash. """ @abc.abstractmethod def finalize(self): """ - finalize this copy of the hash and return the digest as bytes. + Finalizes the hash context and returns the hash digest as bytes. """ @abc.abstractmethod def copy(self): """ - return a HashContext that is a copy of the current context. + Return a HashContext that is a copy of the current context. """ -- cgit v1.2.3 From 764b54a5b1b3e8d6f5d7c2b72a5fdf00b0d805b3 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 19 Dec 2013 17:22:20 -0800 Subject: Make these examples consistent --- cryptography/hazmat/primitives/interfaces.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cryptography/hazmat/primitives/interfaces.py b/cryptography/hazmat/primitives/interfaces.py index 61ecda9a..e87c9ca9 100644 --- a/cryptography/hazmat/primitives/interfaces.py +++ b/cryptography/hazmat/primitives/interfaces.py @@ -44,7 +44,7 @@ class Mode(six.with_metaclass(abc.ABCMeta)): @abc.abstractproperty def name(self): """ - A string naming this mode (e.g. ECB, CBC). + A string naming this mode (e.g. "ECB", "CBC"). """ @@ -122,7 +122,7 @@ class HashAlgorithm(six.with_metaclass(abc.ABCMeta)): @abc.abstractproperty def name(self): """ - A string naming this algorithm (e.g. sha256, md5). + A string naming this algorithm (e.g. "sha256", "md5"). """ @abc.abstractproperty -- cgit v1.2.3 From b87f7b55d8322358c9dfa73d29d744c14c44237b Mon Sep 17 00:00:00 2001 From: cyli Date: Sat, 19 Oct 2013 21:25:41 -0700 Subject: Initial basic bindings for ssl --- cryptography/hazmat/backends/openssl/ssl.py | 74 +++++++++++++++++++++++++++-- 1 file changed, 71 insertions(+), 3 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 04611309..e1dccf4c 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -48,6 +48,7 @@ static const int SSL_OP_PKCS1_CHECK_1; static const int SSL_OP_PKCS1_CHECK_2; static const int SSL_OP_NETSCAPE_CA_DN_BUG; static const int SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG; +static const int SSL_OP_NO_COMPRESSION; static const int SSL_OP_NO_QUERY_MTU; static const int SSL_OP_COOKIE_EXCHANGE; static const int SSL_OP_NO_TICKET; @@ -84,6 +85,7 @@ static const int SSL_CB_CONNECT_LOOP; static const int SSL_CB_CONNECT_EXIT; static const int SSL_CB_HANDSHAKE_START; static const int SSL_CB_HANDSHAKE_DONE; +static const int SSL_MODE_RELEASE_BUFFERS; static const int SSL_MODE_ENABLE_PARTIAL_WRITE; static const int SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; static const int SSL_MODE_AUTO_RETRY; @@ -112,13 +114,38 @@ typedef struct { } SSL; static const int TLSEXT_NAMETYPE_host_name; + +typedef int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx); +typedef void info_callback(const SSL *ssl, int where, int ret); +typedef int tlsext_servername_callback(const SSL *ssl, int *alert, void *arg); """ FUNCTIONS = """ -void SSL_load_error_strings(); - +void *OPENSSL_malloc(int); +void OPENSSL_free(void *); int SSL_library_init(); +/* methods */ + +const SSL_METHOD *SSLv3_method(); +const SSL_METHOD *SSLv3_server_method(); +const SSL_METHOD *SSLv3_client_method(); +const SSL_METHOD *TLSv1_method(); +const SSL_METHOD *TLSv1_server_method(); +const SSL_METHOD *TLSv1_client_method(); +const SSL_METHOD *SSLv23_method(); +const SSL_METHOD *SSLv23_server_method(); +const SSL_METHOD *SSLv23_client_method(); + +/* SSLv2 support is compiled out of some versions of OpenSSL. These will + * get special support when we generate the bindings so that if they are + * available they will be wrapped, but if they are not they won't cause + * problems (like link errors). + */ +SSL_METHOD *SSLv2_method(); +SSL_METHOD *SSLv2_server_method(); +SSL_METHOD *SSLv2_client_method(); + /* SSL */ SSL_CTX *SSL_set_SSL_CTX(SSL *, SSL_CTX *); SSL_SESSION *SSL_get1_session(SSL *); @@ -126,6 +153,14 @@ int SSL_set_session(SSL *, SSL_SESSION *); int SSL_get_verify_mode(const SSL *); void SSL_set_verify_depth(SSL *, int); int SSL_get_verify_depth(const SSL *); +int (*SSL_get_verify_callback(const SSL *))(int, X509_STORE_CTX *); +long SSL_set_mode(SSL *, long); +long SSL_get_mode(SSL *); +long SSL_set_options(SSL *, long); +long SSL_clear_options(SSL *, long); +long SSL_get_options(SSL *); +void SSL_set_info_callback(SSL *, void (*callback)()); +void (*SSL_get_info_callback(const SSL *))(); SSL *SSL_new(SSL_CTX *); void SSL_free(SSL *); int SSL_set_fd(SSL *, int); @@ -138,20 +173,43 @@ int SSL_pending(const SSL *); int SSL_write(SSL *, const void *, int); int SSL_read(SSL *, void *, int); X509 *SSL_get_peer_certificate(const SSL *); +struct stack_st_X509 *SSL_get_peer_cert_chain(const SSL *); +int SSL_want_read(const SSL *); +int SSL_want_write(const SSL *); +int SSL_total_renegotiations(const SSL *); int SSL_get_error(const SSL *, int); int SSL_do_handshake(SSL *); int SSL_shutdown(SSL *); +void SSL_set_shutdown(SSL *, int); +int SSL_get_shutdown(const SSL *); +struct stack_st_SSL_CIPHER *SSL_get_ciphers(const SSL *); const char *SSL_get_cipher_list(const SSL *, int); +struct stack_st_X509_NAME *SSL_get_client_CA_list(const SSL *); /* context */ +SSL_CTX *SSL_CTX_new(SSL_METHOD *); void SSL_CTX_free(SSL_CTX *); long SSL_CTX_set_timeout(SSL_CTX *, long); +long SSL_CTX_get_timeout(SSL_CTX *); int SSL_CTX_set_default_verify_paths(SSL_CTX *); +void SSL_CTX_set_verify(SSL_CTX *, int, verify_callback); void SSL_CTX_set_verify_depth(SSL_CTX *, int); +int (*SSL_CTX_get_verify_callback(const SSL_CTX *))(int, X509_STORE_CTX *); +void SSL_CTX_set_info_callback(SSL_CTX *, info_callback); +void (*SSL_CTX_get_info_callback(const SSL_CTX *))(); +long SSL_CTX_set_options(SSL_CTX *, long); +long SSL_CTX_clear_options(SSL_CTX *, long); +long SSL_CTX_get_options(SSL_CTX *); +long SSL_CTX_set_mode(SSL_CTX *, long); +long SSL_CTX_get_mode(SSL_CTX *); +long SSL_CTX_set_session_cache_mode(SSL_CTX *, long); +long SSL_CTX_get_session_cache_mode(SSL_CTX *); int SSL_CTX_get_verify_mode(const SSL_CTX *); int SSL_CTX_get_verify_depth(const SSL_CTX *); int SSL_CTX_set_cipher_list(SSL_CTX *, const char *); int SSL_CTX_load_verify_locations(SSL_CTX *, const char *, const char *); +long SSL_CTX_set_tmp_dh(SSL_CTX *, DH *); +long SSL_CTX_add_extra_chain_cert(SSL_CTX *, X509 *); void SSL_CTX_set_default_passwd_cb(SSL_CTX *, pem_password_cb *); void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *, void *); int SSL_CTX_use_certificate(SSL_CTX *, X509 *); @@ -159,9 +217,11 @@ int SSL_CTX_use_certificate_file(SSL_CTX *, const char *, int); int SSL_CTX_use_certificate_chain_file(SSL_CTX *, const char *); int SSL_CTX_use_PrivateKey(SSL_CTX *, EVP_PKEY *); int SSL_CTX_use_PrivateKey_file(SSL_CTX *, const char *, int); +struct stack_st_X509_NAME *SSL_CTX_get_client_CA_list(const SSL_CTX *); void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *); X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *); int SSL_CTX_add_client_CA(SSL_CTX *, X509 *); +void SSL_CTX_set_client_CA_list(SSL_CTX *, struct stack_st_X509_NAME *); /* X509_STORE_CTX */ int X509_STORE_CTX_get_error(X509_STORE_CTX *); @@ -173,7 +233,7 @@ X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *); void SSL_SESSION_free(SSL_SESSION *); """ -MACROS = MACROS = """ +MACROS = """ long SSL_set_mode(SSL *, long); long SSL_get_mode(SSL *); @@ -210,6 +270,14 @@ const SSL_METHOD *SSLv23_client_method(); /*- These aren't macros these arguments are all const X on openssl > 1.0.x -*/ SSL_CTX *SSL_CTX_new(const SSL_METHOD *); long SSL_CTX_get_timeout(const SSL_CTX *); + +/* SNI APIs were introduced in OpenSSL 1.0.0. To continue to support + * earlier versions some special handling of these is necessary. + */ +void SSL_set_tlsext_host_name(SSL *, char *); +const char *SSL_get_servername(const SSL *, const int); +void SSL_CTX_set_tlsext_servername_callback(SSL_CTX *, + tlsext_servername_callback); """ CUSTOMIZATIONS = """ -- cgit v1.2.3 From eb373f5b2c4b81a9a90504468a6d39c9b50e7fd6 Mon Sep 17 00:00:00 2001 From: cyli Date: Sat, 19 Oct 2013 21:36:23 -0700 Subject: Delete some repeated functions, and move the OPENSSL_malloc definition to crypto bindings, since it seems to be in crypto.h --- cryptography/hazmat/backends/openssl/crypto.py | 2 ++ cryptography/hazmat/backends/openssl/ssl.py | 4 ---- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/crypto.py b/cryptography/hazmat/backends/openssl/crypto.py index 773d9b14..2f1dfe11 100644 --- a/cryptography/hazmat/backends/openssl/crypto.py +++ b/cryptography/hazmat/backends/openssl/crypto.py @@ -34,6 +34,8 @@ void CRYPTO_malloc_debug_init(); #define CRYPTO_MEM_CHECK_OFF ... #define CRYPTO_MEM_CHECK_ENABLE ... #define CRYPTO_MEM_CHECK_DISABLE ... + +#define OPENSSL_malloc ... """ CUSTOMIZATIONS = """ diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index e1dccf4c..b42407ad 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -121,12 +121,10 @@ typedef int tlsext_servername_callback(const SSL *ssl, int *alert, void *arg); """ FUNCTIONS = """ -void *OPENSSL_malloc(int); void OPENSSL_free(void *); int SSL_library_init(); /* methods */ - const SSL_METHOD *SSLv3_method(); const SSL_METHOD *SSLv3_server_method(); const SSL_METHOD *SSLv3_client_method(); @@ -180,8 +178,6 @@ int SSL_total_renegotiations(const SSL *); int SSL_get_error(const SSL *, int); int SSL_do_handshake(SSL *); int SSL_shutdown(SSL *); -void SSL_set_shutdown(SSL *, int); -int SSL_get_shutdown(const SSL *); struct stack_st_SSL_CIPHER *SSL_get_ciphers(const SSL *); const char *SSL_get_cipher_list(const SSL *, int); struct stack_st_X509_NAME *SSL_get_client_CA_list(const SSL *); -- cgit v1.2.3 From 3a61d720d0d622d1a8c019db4fe5c512ccdf7c3e Mon Sep 17 00:00:00 2001 From: cyli Date: Sat, 19 Oct 2013 23:09:30 -0700 Subject: Move a few macros to macros --- cryptography/hazmat/backends/openssl/ssl.py | 48 +++++++++++++++++------------ 1 file changed, 29 insertions(+), 19 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index b42407ad..3a100f18 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -135,15 +135,6 @@ const SSL_METHOD *SSLv23_method(); const SSL_METHOD *SSLv23_server_method(); const SSL_METHOD *SSLv23_client_method(); -/* SSLv2 support is compiled out of some versions of OpenSSL. These will - * get special support when we generate the bindings so that if they are - * available they will be wrapped, but if they are not they won't cause - * problems (like link errors). - */ -SSL_METHOD *SSLv2_method(); -SSL_METHOD *SSLv2_server_method(); -SSL_METHOD *SSLv2_client_method(); - /* SSL */ SSL_CTX *SSL_set_SSL_CTX(SSL *, SSL_CTX *); SSL_SESSION *SSL_get1_session(SSL *); @@ -152,11 +143,6 @@ int SSL_get_verify_mode(const SSL *); void SSL_set_verify_depth(SSL *, int); int SSL_get_verify_depth(const SSL *); int (*SSL_get_verify_callback(const SSL *))(int, X509_STORE_CTX *); -long SSL_set_mode(SSL *, long); -long SSL_get_mode(SSL *); -long SSL_set_options(SSL *, long); -long SSL_clear_options(SSL *, long); -long SSL_get_options(SSL *); void SSL_set_info_callback(SSL *, void (*callback)()); void (*SSL_get_info_callback(const SSL *))(); SSL *SSL_new(SSL_CTX *); @@ -172,9 +158,6 @@ int SSL_write(SSL *, const void *, int); int SSL_read(SSL *, void *, int); X509 *SSL_get_peer_certificate(const SSL *); struct stack_st_X509 *SSL_get_peer_cert_chain(const SSL *); -int SSL_want_read(const SSL *); -int SSL_want_write(const SSL *); -int SSL_total_renegotiations(const SSL *); int SSL_get_error(const SSL *, int); int SSL_do_handshake(SSL *); int SSL_shutdown(SSL *); @@ -183,10 +166,8 @@ const char *SSL_get_cipher_list(const SSL *, int); struct stack_st_X509_NAME *SSL_get_client_CA_list(const SSL *); /* context */ -SSL_CTX *SSL_CTX_new(SSL_METHOD *); void SSL_CTX_free(SSL_CTX *); long SSL_CTX_set_timeout(SSL_CTX *, long); -long SSL_CTX_get_timeout(SSL_CTX *); int SSL_CTX_set_default_verify_paths(SSL_CTX *); void SSL_CTX_set_verify(SSL_CTX *, int, verify_callback); void SSL_CTX_set_verify_depth(SSL_CTX *, int); @@ -276,5 +257,34 @@ void SSL_CTX_set_tlsext_servername_callback(SSL_CTX *, tlsext_servername_callback); """ +MACROS = """ +long SSL_set_mode(SSL *, long); +long SSL_get_mode(SSL *); + +long SSL_set_options(SSL *, long); +long SSL_clear_options(SSL *, long); +long SSL_get_options(SSL *); + +int SSL_want_read(const SSL *); +int SSL_want_write(const SSL *); + +int SSL_total_renegotiations(const SSL *); + +/*- These aren't macros these functions are all const X on openssl > 1.0.x -*/ + +/* SSLv2 support is compiled out of some versions of OpenSSL. These will + * get special support when we generate the bindings so that if they are + * available they will be wrapped, but if they are not they won't cause + * problems (like link errors). + */ +const SSL_METHOD *SSLv2_method(); +const SSL_METHOD *SSLv2_server_method(); +const SSL_METHOD *SSLv2_client_method(); + +/*- These aren't macros these arguments are all const X on openssl > 1.0.x -*/ +SSL_CTX *SSL_CTX_new(const SSL_METHOD *); +long SSL_CTX_get_timeout(const SSL_CTX *); +""" + CUSTOMIZATIONS = """ """ -- cgit v1.2.3 From 02209c6045d8a5702f30c7401dfe6755208edef1 Mon Sep 17 00:00:00 2001 From: cyli Date: Sat, 19 Oct 2013 23:19:10 -0700 Subject: Unfortunate hack to make replacing some callback signature in the function definitions work --- cryptography/hazmat/backends/openssl/ssl.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 3a100f18..dee5edc5 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -13,6 +13,14 @@ INCLUDES = """ #include + +/* This is a gross hack - if it is not here, as well as in the TYPES section, + * because it is needed to replace some function signatures in the FUNCTIONS + * section, and may be needed by PyOpenSSL + */ +typedef int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx); +typedef void info_callback(const SSL *ssl, int where, int ret); +typedef int tlsext_servername_callback(const SSL *ssl, int *alert, void *arg); """ TYPES = """ -- cgit v1.2.3 From 272987868860db0d82a3765c7af767cbf12b4397 Mon Sep 17 00:00:00 2001 From: cyli Date: Sun, 20 Oct 2013 17:15:07 -0700 Subject: Move some methods to macros that have become const between versions --- cryptography/hazmat/backends/openssl/ssl.py | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index dee5edc5..20b69b11 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -132,17 +132,6 @@ FUNCTIONS = """ void OPENSSL_free(void *); int SSL_library_init(); -/* methods */ -const SSL_METHOD *SSLv3_method(); -const SSL_METHOD *SSLv3_server_method(); -const SSL_METHOD *SSLv3_client_method(); -const SSL_METHOD *TLSv1_method(); -const SSL_METHOD *TLSv1_server_method(); -const SSL_METHOD *TLSv1_client_method(); -const SSL_METHOD *SSLv23_method(); -const SSL_METHOD *SSLv23_server_method(); -const SSL_METHOD *SSLv23_client_method(); - /* SSL */ SSL_CTX *SSL_set_SSL_CTX(SSL *, SSL_CTX *); SSL_SESSION *SSL_get1_session(SSL *); @@ -289,6 +278,17 @@ const SSL_METHOD *SSLv2_method(); const SSL_METHOD *SSLv2_server_method(); const SSL_METHOD *SSLv2_client_method(); +/* methods */ +const SSL_METHOD *SSLv3_method(); +const SSL_METHOD *SSLv3_server_method(); +const SSL_METHOD *SSLv3_client_method(); +const SSL_METHOD *TLSv1_method(); +const SSL_METHOD *TLSv1_server_method(); +const SSL_METHOD *TLSv1_client_method(); +const SSL_METHOD *SSLv23_method(); +const SSL_METHOD *SSLv23_server_method(); +const SSL_METHOD *SSLv23_client_method(); + /*- These aren't macros these arguments are all const X on openssl > 1.0.x -*/ SSL_CTX *SSL_CTX_new(const SSL_METHOD *); long SSL_CTX_get_timeout(const SSL_CTX *); -- cgit v1.2.3 From 76db2227819f19d1094aa569725356f0d0f02e8a Mon Sep 17 00:00:00 2001 From: cyli Date: Sun, 20 Oct 2013 17:17:34 -0700 Subject: Fix broken function definition --- cryptography/hazmat/backends/openssl/ssl.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 20b69b11..5a235f85 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -170,7 +170,7 @@ void SSL_CTX_set_verify(SSL_CTX *, int, verify_callback); void SSL_CTX_set_verify_depth(SSL_CTX *, int); int (*SSL_CTX_get_verify_callback(const SSL_CTX *))(int, X509_STORE_CTX *); void SSL_CTX_set_info_callback(SSL_CTX *, info_callback); -void (*SSL_CTX_get_info_callback(const SSL_CTX *))(); +void (*SSL_CTX_get_info_callback(SSL_CTX *))(const SSL *, int, int); long SSL_CTX_set_options(SSL_CTX *, long); long SSL_CTX_clear_options(SSL_CTX *, long); long SSL_CTX_get_options(SSL_CTX *); -- cgit v1.2.3 From e105635d5e4bff08688760b5b1692520cd439446 Mon Sep 17 00:00:00 2001 From: cyli Date: Sun, 20 Oct 2013 18:08:55 -0700 Subject: Move OPENSSL_free to crypto.py as per @alex --- cryptography/hazmat/backends/openssl/crypto.py | 2 ++ cryptography/hazmat/backends/openssl/ssl.py | 1 - 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/cryptography/hazmat/backends/openssl/crypto.py b/cryptography/hazmat/backends/openssl/crypto.py index 2f1dfe11..c4300ee0 100644 --- a/cryptography/hazmat/backends/openssl/crypto.py +++ b/cryptography/hazmat/backends/openssl/crypto.py @@ -24,6 +24,8 @@ int CRYPTO_mem_ctrl(int); int CRYPTO_is_mem_check_on(); void CRYPTO_mem_leaks(struct bio_st *); void CRYPTO_cleanup_all_ex_data(); + +void OPENSSL_free(void *); """ MACROS = """ diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 5a235f85..46463eaa 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -129,7 +129,6 @@ typedef int tlsext_servername_callback(const SSL *ssl, int *alert, void *arg); """ FUNCTIONS = """ -void OPENSSL_free(void *); int SSL_library_init(); /* SSL */ -- cgit v1.2.3 From 6796ddd83f157fe394f433fdbc3582759f03c1c1 Mon Sep 17 00:00:00 2001 From: cyli Date: Sun, 20 Oct 2013 18:09:58 -0700 Subject: Remove typedef'd callbacks and just include the callback definitions in the larger function definitions --- cryptography/hazmat/backends/openssl/ssl.py | 21 +++++---------------- 1 file changed, 5 insertions(+), 16 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 46463eaa..cf221c92 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -13,14 +13,6 @@ INCLUDES = """ #include - -/* This is a gross hack - if it is not here, as well as in the TYPES section, - * because it is needed to replace some function signatures in the FUNCTIONS - * section, and may be needed by PyOpenSSL - */ -typedef int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx); -typedef void info_callback(const SSL *ssl, int where, int ret); -typedef int tlsext_servername_callback(const SSL *ssl, int *alert, void *arg); """ TYPES = """ @@ -122,10 +114,6 @@ typedef struct { } SSL; static const int TLSEXT_NAMETYPE_host_name; - -typedef int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx); -typedef void info_callback(const SSL *ssl, int where, int ret); -typedef int tlsext_servername_callback(const SSL *ssl, int *alert, void *arg); """ FUNCTIONS = """ @@ -165,10 +153,10 @@ struct stack_st_X509_NAME *SSL_get_client_CA_list(const SSL *); void SSL_CTX_free(SSL_CTX *); long SSL_CTX_set_timeout(SSL_CTX *, long); int SSL_CTX_set_default_verify_paths(SSL_CTX *); -void SSL_CTX_set_verify(SSL_CTX *, int, verify_callback); +void SSL_CTX_set_verify(SSL_CTX *, int, int (*callback)(int, X509_STORE_CTX *)); void SSL_CTX_set_verify_depth(SSL_CTX *, int); int (*SSL_CTX_get_verify_callback(const SSL_CTX *))(int, X509_STORE_CTX *); -void SSL_CTX_set_info_callback(SSL_CTX *, info_callback); +void SSL_CTX_set_info_callback(SSL_CTX *, void (*cb)(const SSL *, int, int)); void (*SSL_CTX_get_info_callback(SSL_CTX *))(const SSL *, int, int); long SSL_CTX_set_options(SSL_CTX *, long); long SSL_CTX_clear_options(SSL_CTX *, long); @@ -249,8 +237,9 @@ long SSL_CTX_get_timeout(const SSL_CTX *); */ void SSL_set_tlsext_host_name(SSL *, char *); const char *SSL_get_servername(const SSL *, const int); -void SSL_CTX_set_tlsext_servername_callback(SSL_CTX *, - tlsext_servername_callback); +void SSL_CTX_set_tlsext_servername_callback( + SSL_CTX *, + int (*cb)(const SSL *, int *, void *)); """ MACROS = """ -- cgit v1.2.3 From 2df36e58f72aff9e86956f2c9a4d9dc4cd53c4ae Mon Sep 17 00:00:00 2001 From: cyli Date: Sun, 20 Oct 2013 18:13:37 -0700 Subject: Move more macros to the macro section --- cryptography/hazmat/backends/openssl/ssl.py | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index cf221c92..b2cc865e 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -158,19 +158,10 @@ void SSL_CTX_set_verify_depth(SSL_CTX *, int); int (*SSL_CTX_get_verify_callback(const SSL_CTX *))(int, X509_STORE_CTX *); void SSL_CTX_set_info_callback(SSL_CTX *, void (*cb)(const SSL *, int, int)); void (*SSL_CTX_get_info_callback(SSL_CTX *))(const SSL *, int, int); -long SSL_CTX_set_options(SSL_CTX *, long); -long SSL_CTX_clear_options(SSL_CTX *, long); -long SSL_CTX_get_options(SSL_CTX *); -long SSL_CTX_set_mode(SSL_CTX *, long); -long SSL_CTX_get_mode(SSL_CTX *); -long SSL_CTX_set_session_cache_mode(SSL_CTX *, long); -long SSL_CTX_get_session_cache_mode(SSL_CTX *); int SSL_CTX_get_verify_mode(const SSL_CTX *); int SSL_CTX_get_verify_depth(const SSL_CTX *); int SSL_CTX_set_cipher_list(SSL_CTX *, const char *); int SSL_CTX_load_verify_locations(SSL_CTX *, const char *, const char *); -long SSL_CTX_set_tmp_dh(SSL_CTX *, DH *); -long SSL_CTX_add_extra_chain_cert(SSL_CTX *, X509 *); void SSL_CTX_set_default_passwd_cb(SSL_CTX *, pem_password_cb *); void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *, void *); int SSL_CTX_use_certificate(SSL_CTX *, X509 *); @@ -255,6 +246,16 @@ int SSL_want_write(const SSL *); int SSL_total_renegotiations(const SSL *); +long SSL_CTX_set_options(SSL_CTX *, long); +long SSL_CTX_clear_options(SSL_CTX *, long); +long SSL_CTX_get_options(SSL_CTX *); +long SSL_CTX_set_mode(SSL_CTX *, long); +long SSL_CTX_get_mode(SSL_CTX *); +long SSL_CTX_set_session_cache_mode(SSL_CTX *, long); +long SSL_CTX_get_session_cache_mode(SSL_CTX *); +long SSL_CTX_set_tmp_dh(SSL_CTX *, DH *); +long SSL_CTX_add_extra_chain_cert(SSL_CTX *, X509 *); + /*- These aren't macros these functions are all const X on openssl > 1.0.x -*/ /* SSLv2 support is compiled out of some versions of OpenSSL. These will -- cgit v1.2.3 From db7a91138a4883de00917d862e69fe4414dac7b7 Mon Sep 17 00:00:00 2001 From: cyli Date: Sun, 20 Oct 2013 18:15:47 -0700 Subject: Undo accidentaly removal a function after rebase --- cryptography/hazmat/backends/openssl/ssl.py | 1 + 1 file changed, 1 insertion(+) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index b2cc865e..1d22ded8 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -117,6 +117,7 @@ static const int TLSEXT_NAMETYPE_host_name; """ FUNCTIONS = """ +void SSL_load_error_strings(); int SSL_library_init(); /* SSL */ -- cgit v1.2.3 From e0562502d3006c9bc4968e76f02274ec7ed80582 Mon Sep 17 00:00:00 2001 From: cyli Date: Sun, 10 Nov 2013 18:08:14 -0800 Subject: Put customizations back in after rebase --- cryptography/hazmat/backends/openssl/ssl.py | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 1d22ded8..d91c89a6 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -16,6 +16,12 @@ INCLUDES = """ """ TYPES = """ +/* Internally invented symbol to tell us if SSLv2 is supported */ +static const int PYOPENSSL_NO_SSL2; + +/* Internally invented symbol to tell us if SNI is supported */ +static const int PYOPENSSL_TLSEXT_HOSTNAME; + static const int SSL_FILETYPE_PEM; static const int SSL_FILETYPE_ASN1; static const int SSL_ERROR_NONE; @@ -285,4 +291,23 @@ long SSL_CTX_get_timeout(const SSL_CTX *); """ CUSTOMIZATIONS = """ +#ifdef OPENSSL_NO_SSL2 +static const int PYOPENSSL_NO_SSL2 = 1; +SSL_METHOD* (*SSLv2_method)() = NULL; +SSL_METHOD* (*SSLv2_client_method)() = NULL; +SSL_METHOD* (*SSLv2_server_method)() = NULL; +#else +static const int PYOPENSSL_NO_SSL2 = 0; +#endif + +#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME +static const int PYOPENSSL_TLSEXT_HOSTNAME = 1; +#else +static const int PYOPENSSL_TLSEXT_HOSTNAME = 0; +void (*SSL_set_tlsext_host_name)(SSL *, char *) = NULL; +const char* (*SSL_get_servername)(const SSL *, const int) = NULL; +void (*SSL_CTX_set_tlsext_servername_callback)( + SSL_CTX *, + int (*cb)(const SSL *, int *, void *)) = NULL; +#endif """ -- cgit v1.2.3 From bef5768d9e691c094f19bc4e611367d2e7b8b573 Mon Sep 17 00:00:00 2001 From: cyli Date: Sun, 10 Nov 2013 18:09:45 -0800 Subject: Move some SNI APIs to macros --- cryptography/hazmat/backends/openssl/ssl.py | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index d91c89a6..09d342b8 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -233,11 +233,7 @@ long SSL_CTX_get_timeout(const SSL_CTX *); /* SNI APIs were introduced in OpenSSL 1.0.0. To continue to support * earlier versions some special handling of these is necessary. */ -void SSL_set_tlsext_host_name(SSL *, char *); const char *SSL_get_servername(const SSL *, const int); -void SSL_CTX_set_tlsext_servername_callback( - SSL_CTX *, - int (*cb)(const SSL *, int *, void *)); """ MACROS = """ @@ -288,6 +284,14 @@ const SSL_METHOD *SSLv23_client_method(); /*- These aren't macros these arguments are all const X on openssl > 1.0.x -*/ SSL_CTX *SSL_CTX_new(const SSL_METHOD *); long SSL_CTX_get_timeout(const SSL_CTX *); + +/* SNI APIs were introduced in OpenSSL 1.0.0. To continue to support + * earlier versions some special handling of these is necessary. + */ +void SSL_set_tlsext_host_name(SSL *, char *); +void SSL_CTX_set_tlsext_servername_callback( + SSL_CTX *, + int (*cb)(const SSL *, int *, void *)); """ CUSTOMIZATIONS = """ -- cgit v1.2.3 From 1c6110923d12b877390dcaa2ca07080261fca38d Mon Sep 17 00:00:00 2001 From: cyli Date: Mon, 11 Nov 2013 09:47:28 -0800 Subject: Remove some functions that are dependent upon the stacksafe macro STACK_OF --- cryptography/hazmat/backends/openssl/ssl.py | 5 ----- 1 file changed, 5 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 09d342b8..3de2e1e0 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -148,13 +148,10 @@ int SSL_pending(const SSL *); int SSL_write(SSL *, const void *, int); int SSL_read(SSL *, void *, int); X509 *SSL_get_peer_certificate(const SSL *); -struct stack_st_X509 *SSL_get_peer_cert_chain(const SSL *); int SSL_get_error(const SSL *, int); int SSL_do_handshake(SSL *); int SSL_shutdown(SSL *); -struct stack_st_SSL_CIPHER *SSL_get_ciphers(const SSL *); const char *SSL_get_cipher_list(const SSL *, int); -struct stack_st_X509_NAME *SSL_get_client_CA_list(const SSL *); /* context */ void SSL_CTX_free(SSL_CTX *); @@ -176,11 +173,9 @@ int SSL_CTX_use_certificate_file(SSL_CTX *, const char *, int); int SSL_CTX_use_certificate_chain_file(SSL_CTX *, const char *); int SSL_CTX_use_PrivateKey(SSL_CTX *, EVP_PKEY *); int SSL_CTX_use_PrivateKey_file(SSL_CTX *, const char *, int); -struct stack_st_X509_NAME *SSL_CTX_get_client_CA_list(const SSL_CTX *); void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *); X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *); int SSL_CTX_add_client_CA(SSL_CTX *, X509 *); -void SSL_CTX_set_client_CA_list(SSL_CTX *, struct stack_st_X509_NAME *); /* X509_STORE_CTX */ int X509_STORE_CTX_get_error(X509_STORE_CTX *); -- cgit v1.2.3 From 9f2182543e782cde17c1b46908d4c8e8ff01b8fc Mon Sep 17 00:00:00 2001 From: cyli Date: Mon, 11 Nov 2013 16:11:29 -0800 Subject: Remove OPENSSL_malloc, which was causing errors, and remove the two vars that were problematic in 0.9.8 --- cryptography/hazmat/backends/openssl/crypto.py | 2 -- cryptography/hazmat/backends/openssl/ssl.py | 2 -- 2 files changed, 4 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/crypto.py b/cryptography/hazmat/backends/openssl/crypto.py index c4300ee0..11e5f2f5 100644 --- a/cryptography/hazmat/backends/openssl/crypto.py +++ b/cryptography/hazmat/backends/openssl/crypto.py @@ -36,8 +36,6 @@ void CRYPTO_malloc_debug_init(); #define CRYPTO_MEM_CHECK_OFF ... #define CRYPTO_MEM_CHECK_ENABLE ... #define CRYPTO_MEM_CHECK_DISABLE ... - -#define OPENSSL_malloc ... """ CUSTOMIZATIONS = """ diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 3de2e1e0..a3a718bf 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -54,7 +54,6 @@ static const int SSL_OP_PKCS1_CHECK_1; static const int SSL_OP_PKCS1_CHECK_2; static const int SSL_OP_NETSCAPE_CA_DN_BUG; static const int SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG; -static const int SSL_OP_NO_COMPRESSION; static const int SSL_OP_NO_QUERY_MTU; static const int SSL_OP_COOKIE_EXCHANGE; static const int SSL_OP_NO_TICKET; @@ -91,7 +90,6 @@ static const int SSL_CB_CONNECT_LOOP; static const int SSL_CB_CONNECT_EXIT; static const int SSL_CB_HANDSHAKE_START; static const int SSL_CB_HANDSHAKE_DONE; -static const int SSL_MODE_RELEASE_BUFFERS; static const int SSL_MODE_ENABLE_PARTIAL_WRITE; static const int SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; static const int SSL_MODE_AUTO_RETRY; -- cgit v1.2.3 From c24597b261249567afee2802c5eda5cd9141a141 Mon Sep 17 00:00:00 2001 From: cyli Date: Sun, 17 Nov 2013 18:05:09 -0800 Subject: Fixes after rebasing --- cryptography/hazmat/backends/openssl/ssl.py | 44 ----------------------------- 1 file changed, 44 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index a3a718bf..15269bd5 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -189,50 +189,6 @@ MACROS = """ long SSL_set_mode(SSL *, long); long SSL_get_mode(SSL *); -long SSL_set_options(SSL *, long); -long SSL_get_options(SSL *); - -int SSL_want_read(const SSL *); -int SSL_want_write(const SSL *); - -int SSL_total_renegotiations(const SSL *); - -long SSL_CTX_set_options(SSL_CTX *, long); -long SSL_CTX_get_options(SSL_CTX *); -long SSL_CTX_set_mode(SSL_CTX *, long); -long SSL_CTX_get_mode(SSL_CTX *); -long SSL_CTX_set_session_cache_mode(SSL_CTX *, long); -long SSL_CTX_get_session_cache_mode(SSL_CTX *); -long SSL_CTX_set_tmp_dh(SSL_CTX *, DH *); -long SSL_CTX_add_extra_chain_cert(SSL_CTX *, X509 *); - -/*- These aren't macros these functions are all const X on openssl > 1.0.x -*/ - -/* methods */ -const SSL_METHOD *SSLv3_method(); -const SSL_METHOD *SSLv3_server_method(); -const SSL_METHOD *SSLv3_client_method(); -const SSL_METHOD *TLSv1_method(); -const SSL_METHOD *TLSv1_server_method(); -const SSL_METHOD *TLSv1_client_method(); -const SSL_METHOD *SSLv23_method(); -const SSL_METHOD *SSLv23_server_method(); -const SSL_METHOD *SSLv23_client_method(); - -/*- These aren't macros these arguments are all const X on openssl > 1.0.x -*/ -SSL_CTX *SSL_CTX_new(const SSL_METHOD *); -long SSL_CTX_get_timeout(const SSL_CTX *); - -/* SNI APIs were introduced in OpenSSL 1.0.0. To continue to support - * earlier versions some special handling of these is necessary. - */ -const char *SSL_get_servername(const SSL *, const int); -""" - -MACROS = """ -long SSL_set_mode(SSL *, long); -long SSL_get_mode(SSL *); - long SSL_set_options(SSL *, long); long SSL_clear_options(SSL *, long); long SSL_get_options(SSL *); -- cgit v1.2.3 From 6238b0a46255440e322b4403cd37330d1616c7ff Mon Sep 17 00:00:00 2001 From: cyli Date: Sat, 14 Dec 2013 22:32:42 -0800 Subject: Rename PYOPENSSL_ to CRYPTOGRAPHY_ --- cryptography/hazmat/backends/openssl/ssl.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 15269bd5..89b2c5ae 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -17,10 +17,10 @@ INCLUDES = """ TYPES = """ /* Internally invented symbol to tell us if SSLv2 is supported */ -static const int PYOPENSSL_NO_SSL2; +static const int CRYPTOGRAPHY_NO_SSL2; /* Internally invented symbol to tell us if SNI is supported */ -static const int PYOPENSSL_TLSEXT_HOSTNAME; +static const int CRYPTOGRAPHY_TLSEXT_HOSTNAME; static const int SSL_FILETYPE_PEM; static const int SSL_FILETYPE_ASN1; @@ -245,18 +245,18 @@ void SSL_CTX_set_tlsext_servername_callback( CUSTOMIZATIONS = """ #ifdef OPENSSL_NO_SSL2 -static const int PYOPENSSL_NO_SSL2 = 1; +static const int CRYPTOGRAPHY_NO_SSL2 = 1; SSL_METHOD* (*SSLv2_method)() = NULL; SSL_METHOD* (*SSLv2_client_method)() = NULL; SSL_METHOD* (*SSLv2_server_method)() = NULL; #else -static const int PYOPENSSL_NO_SSL2 = 0; +static const int CRYPTOGRAPHY_NO_SSL2 = 0; #endif #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME -static const int PYOPENSSL_TLSEXT_HOSTNAME = 1; +static const int CRYPTOGRAPHY_TLSEXT_HOSTNAME = 1; #else -static const int PYOPENSSL_TLSEXT_HOSTNAME = 0; +static const int CRYPTOGRAPHY_TLSEXT_HOSTNAME = 0; void (*SSL_set_tlsext_host_name)(SSL *, char *) = NULL; const char* (*SSL_get_servername)(const SSL *, const int) = NULL; void (*SSL_CTX_set_tlsext_servername_callback)( -- cgit v1.2.3 From 4ba8ea6c962d0c4277b7c46c401a93db708e0378 Mon Sep 17 00:00:00 2001 From: cyli Date: Sun, 15 Dec 2013 21:02:52 -0800 Subject: Oops, change to Cryptography_, not CRYPTOPGRAPHY_ (screaming). Also remove SSL_clear_options which is not in 0.9.8. --- cryptography/hazmat/backends/openssl/ssl.py | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 89b2c5ae..7e7de5ce 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -17,10 +17,10 @@ INCLUDES = """ TYPES = """ /* Internally invented symbol to tell us if SSLv2 is supported */ -static const int CRYPTOGRAPHY_NO_SSL2; +static const int Cryptography_NO_SSL2; /* Internally invented symbol to tell us if SNI is supported */ -static const int CRYPTOGRAPHY_TLSEXT_HOSTNAME; +static const int Cryptography_TLSEXT_HOSTNAME; static const int SSL_FILETYPE_PEM; static const int SSL_FILETYPE_ASN1; @@ -190,7 +190,6 @@ long SSL_set_mode(SSL *, long); long SSL_get_mode(SSL *); long SSL_set_options(SSL *, long); -long SSL_clear_options(SSL *, long); long SSL_get_options(SSL *); int SSL_want_read(const SSL *); @@ -245,18 +244,18 @@ void SSL_CTX_set_tlsext_servername_callback( CUSTOMIZATIONS = """ #ifdef OPENSSL_NO_SSL2 -static const int CRYPTOGRAPHY_NO_SSL2 = 1; +static const int Cryptography_NO_SSL2 = 1; SSL_METHOD* (*SSLv2_method)() = NULL; SSL_METHOD* (*SSLv2_client_method)() = NULL; SSL_METHOD* (*SSLv2_server_method)() = NULL; #else -static const int CRYPTOGRAPHY_NO_SSL2 = 0; +static const int Cryptography_NO_SSL2 = 0; #endif #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME -static const int CRYPTOGRAPHY_TLSEXT_HOSTNAME = 1; +static const int Cryptography_TLSEXT_HOSTNAME = 1; #else -static const int CRYPTOGRAPHY_TLSEXT_HOSTNAME = 0; +static const int Cryptography_TLSEXT_HOSTNAME = 0; void (*SSL_set_tlsext_host_name)(SSL *, char *) = NULL; const char* (*SSL_get_servername)(const SSL *, const int) = NULL; void (*SSL_CTX_set_tlsext_servername_callback)( -- cgit v1.2.3 From a620b7dfc15cf945a589e9d472b01db6f48a50a5 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 20 Dec 2013 22:59:02 -0600 Subject: don't modify params on parametrized tests multiple backends receive the same params dicts, but we were modifying them using pop. --- tests/hazmat/primitives/test_3des.py | 42 ++++++++++++++++++-------------- tests/hazmat/primitives/test_aes.py | 20 +++++++-------- tests/hazmat/primitives/test_arc4.py | 2 +- tests/hazmat/primitives/test_blowfish.py | 24 ++++++++++++------ tests/hazmat/primitives/test_camellia.py | 24 ++++++++++++------ tests/hazmat/primitives/test_cast5.py | 4 +-- tests/hazmat/primitives/utils.py | 16 ++++++------ 7 files changed, 77 insertions(+), 55 deletions(-) diff --git a/tests/hazmat/primitives/test_3des.py b/tests/hazmat/primitives/test_3des.py index 69ec9c9a..35745310 100644 --- a/tests/hazmat/primitives/test_3des.py +++ b/tests/hazmat/primitives/test_3des.py @@ -37,8 +37,10 @@ class TestTripleDES_CBC(object): "TCBCvarkey.rsp", "TCBCvartext.rsp", ], - lambda keys, iv: algorithms.TripleDES(binascii.unhexlify(keys)), - lambda keys, iv: modes.CBC(binascii.unhexlify(iv)), + lambda **kwargs: algorithms.TripleDES( + binascii.unhexlify(kwargs["keys"]) + ), + lambda **kwargs: modes.CBC(binascii.unhexlify(kwargs["iv"])), ) test_MMT = generate_encrypt_test( @@ -49,10 +51,10 @@ class TestTripleDES_CBC(object): "TCBCMMT2.rsp", "TCBCMMT3.rsp", ], - lambda key1, key2, key3, iv: ( - algorithms.TripleDES(binascii.unhexlify(key1 + key2 + key3)) - ), - lambda key1, key2, key3, iv: modes.CBC(binascii.unhexlify(iv)), + lambda **kwargs: algorithms.TripleDES(binascii.unhexlify( + kwargs["key1"] + kwargs["key2"] + kwargs["key3"] + )), + lambda **kwargs: modes.CBC(binascii.unhexlify(kwargs["iv"])), ) @@ -67,8 +69,10 @@ class TestTripleDES_OFB(object): "TOFBvartext.rsp", "TOFBinvperm.rsp", ], - lambda keys, iv: algorithms.TripleDES(binascii.unhexlify(keys)), - lambda keys, iv: modes.OFB(binascii.unhexlify(iv)), + lambda **kwargs: algorithms.TripleDES( + binascii.unhexlify(kwargs["keys"]) + ), + lambda **kwargs: modes.OFB(binascii.unhexlify(kwargs["iv"])), ) test_MMT = generate_encrypt_test( @@ -79,10 +83,10 @@ class TestTripleDES_OFB(object): "TOFBMMT2.rsp", "TOFBMMT3.rsp", ], - lambda key1, key2, key3, iv: ( - algorithms.TripleDES(binascii.unhexlify(key1 + key2 + key3)) - ), - lambda key1, key2, key3, iv: modes.OFB(binascii.unhexlify(iv)), + lambda **kwargs: algorithms.TripleDES(binascii.unhexlify( + kwargs["key1"] + kwargs["key2"] + kwargs["key3"] + )), + lambda **kwargs: modes.OFB(binascii.unhexlify(kwargs["iv"])), ) @@ -97,8 +101,10 @@ class TestTripleDES_CFB(object): "TCFB64varkey.rsp", "TCFB64vartext.rsp", ], - lambda keys, iv: algorithms.TripleDES(binascii.unhexlify(keys)), - lambda keys, iv: modes.CFB(binascii.unhexlify(iv)), + lambda **kwargs: algorithms.TripleDES( + binascii.unhexlify(kwargs["keys"]) + ), + lambda **kwargs: modes.CFB(binascii.unhexlify(kwargs["iv"])), ) test_MMT = generate_encrypt_test( @@ -109,8 +115,8 @@ class TestTripleDES_CFB(object): "TCFB64MMT2.rsp", "TCFB64MMT3.rsp", ], - lambda key1, key2, key3, iv: ( - algorithms.TripleDES(binascii.unhexlify(key1 + key2 + key3)) - ), - lambda key1, key2, key3, iv: modes.CFB(binascii.unhexlify(iv)), + lambda **kwargs: algorithms.TripleDES(binascii.unhexlify( + kwargs["key1"] + kwargs["key2"] + kwargs["key3"] + )), + lambda **kwargs: modes.CFB(binascii.unhexlify(kwargs["iv"])), ) diff --git a/tests/hazmat/primitives/test_aes.py b/tests/hazmat/primitives/test_aes.py index f7b0b9a0..d706cbd8 100644 --- a/tests/hazmat/primitives/test_aes.py +++ b/tests/hazmat/primitives/test_aes.py @@ -45,8 +45,8 @@ class TestAES(object): "CBCMMT192.rsp", "CBCMMT256.rsp", ], - lambda key, iv: algorithms.AES(binascii.unhexlify(key)), - lambda key, iv: modes.CBC(binascii.unhexlify(iv)), + lambda **kwargs: algorithms.AES(binascii.unhexlify(kwargs["key"])), + lambda **kwargs: modes.CBC(binascii.unhexlify(kwargs["iv"])), ) test_ECB = generate_encrypt_test( @@ -69,8 +69,8 @@ class TestAES(object): "ECBMMT192.rsp", "ECBMMT256.rsp", ], - lambda key: algorithms.AES(binascii.unhexlify(key)), - lambda key: modes.ECB(), + lambda **kwargs: algorithms.AES(binascii.unhexlify(kwargs["key"])), + lambda **kwargs: modes.ECB(), ) test_OFB = generate_encrypt_test( @@ -93,8 +93,8 @@ class TestAES(object): "OFBMMT192.rsp", "OFBMMT256.rsp", ], - lambda key, iv: algorithms.AES(binascii.unhexlify(key)), - lambda key, iv: modes.OFB(binascii.unhexlify(iv)), + lambda **kwargs: algorithms.AES(binascii.unhexlify(kwargs["key"])), + lambda **kwargs: modes.OFB(binascii.unhexlify(kwargs["iv"])), ) test_CFB = generate_encrypt_test( @@ -117,16 +117,16 @@ class TestAES(object): "CFB128MMT192.rsp", "CFB128MMT256.rsp", ], - lambda key, iv: algorithms.AES(binascii.unhexlify(key)), - lambda key, iv: modes.CFB(binascii.unhexlify(iv)), + lambda **kwargs: algorithms.AES(binascii.unhexlify(kwargs["key"])), + lambda **kwargs: modes.CFB(binascii.unhexlify(kwargs["iv"])), ) test_CTR = generate_encrypt_test( load_openssl_vectors, os.path.join("ciphers", "AES", "CTR"), ["aes-128-ctr.txt", "aes-192-ctr.txt", "aes-256-ctr.txt"], - lambda key, iv: algorithms.AES(binascii.unhexlify(key)), - lambda key, iv: modes.CTR(binascii.unhexlify(iv)), + lambda **kwargs: algorithms.AES(binascii.unhexlify(kwargs["key"])), + lambda **kwargs: modes.CTR(binascii.unhexlify(kwargs["iv"])), only_if=lambda backend: backend.cipher_supported( algorithms.AES("\x00" * 16), modes.CTR("\x00" * 16) ), diff --git a/tests/hazmat/primitives/test_arc4.py b/tests/hazmat/primitives/test_arc4.py index d233bec2..7ce93061 100644 --- a/tests/hazmat/primitives/test_arc4.py +++ b/tests/hazmat/primitives/test_arc4.py @@ -35,7 +35,7 @@ class TestARC4(object): "rfc-6229-192.txt", "rfc-6229-256.txt", ], - lambda key: algorithms.ARC4(binascii.unhexlify((key))), + lambda **kwargs: algorithms.ARC4(binascii.unhexlify((kwargs["key"]))), only_if=lambda backend: backend.cipher_supported( algorithms.ARC4("\x00" * 16), None ), diff --git a/tests/hazmat/primitives/test_blowfish.py b/tests/hazmat/primitives/test_blowfish.py index d5fbed6f..3e0e9025 100644 --- a/tests/hazmat/primitives/test_blowfish.py +++ b/tests/hazmat/primitives/test_blowfish.py @@ -27,8 +27,10 @@ class TestBlowfish(object): load_nist_vectors, os.path.join("ciphers", "Blowfish"), ["bf-ecb.txt"], - lambda key: algorithms.Blowfish(binascii.unhexlify(key)), - lambda key: modes.ECB(), + lambda **kwargs: algorithms.Blowfish( + binascii.unhexlify(kwargs["key"]) + ), + lambda **kwargs: modes.ECB(), only_if=lambda backend: backend.cipher_supported( algorithms.Blowfish("\x00" * 56), modes.ECB() ), @@ -39,8 +41,10 @@ class TestBlowfish(object): load_nist_vectors, os.path.join("ciphers", "Blowfish"), ["bf-cbc.txt"], - lambda key, iv: algorithms.Blowfish(binascii.unhexlify(key)), - lambda key, iv: modes.CBC(binascii.unhexlify(iv)), + lambda **kwargs: algorithms.Blowfish( + binascii.unhexlify(kwargs["key"]) + ), + lambda **kwargs: modes.CBC(binascii.unhexlify(kwargs["iv"])), only_if=lambda backend: backend.cipher_supported( algorithms.Blowfish("\x00" * 56), modes.CBC("\x00" * 8) ), @@ -51,8 +55,10 @@ class TestBlowfish(object): load_nist_vectors, os.path.join("ciphers", "Blowfish"), ["bf-ofb.txt"], - lambda key, iv: algorithms.Blowfish(binascii.unhexlify(key)), - lambda key, iv: modes.OFB(binascii.unhexlify(iv)), + lambda **kwargs: algorithms.Blowfish( + binascii.unhexlify(kwargs["key"]) + ), + lambda **kwargs: modes.OFB(binascii.unhexlify(kwargs["iv"])), only_if=lambda backend: backend.cipher_supported( algorithms.Blowfish("\x00" * 56), modes.OFB("\x00" * 8) ), @@ -63,8 +69,10 @@ class TestBlowfish(object): load_nist_vectors, os.path.join("ciphers", "Blowfish"), ["bf-cfb.txt"], - lambda key, iv: algorithms.Blowfish(binascii.unhexlify(key)), - lambda key, iv: modes.CFB(binascii.unhexlify(iv)), + lambda **kwargs: algorithms.Blowfish( + binascii.unhexlify(kwargs["key"]) + ), + lambda **kwargs: modes.CFB(binascii.unhexlify(kwargs["iv"])), only_if=lambda backend: backend.cipher_supported( algorithms.Blowfish("\x00" * 56), modes.CFB("\x00" * 8) ), diff --git a/tests/hazmat/primitives/test_camellia.py b/tests/hazmat/primitives/test_camellia.py index a2c935d9..e11d590a 100644 --- a/tests/hazmat/primitives/test_camellia.py +++ b/tests/hazmat/primitives/test_camellia.py @@ -33,8 +33,10 @@ class TestCamellia(object): "camellia-192-ecb.txt", "camellia-256-ecb.txt" ], - lambda key: algorithms.Camellia(binascii.unhexlify((key))), - lambda key: modes.ECB(), + lambda **kwargs: algorithms.Camellia( + binascii.unhexlify((kwargs["key"])) + ), + lambda **kwargs: modes.ECB(), only_if=lambda backend: backend.cipher_supported( algorithms.Camellia("\x00" * 16), modes.ECB() ), @@ -45,8 +47,10 @@ class TestCamellia(object): load_openssl_vectors, os.path.join("ciphers", "Camellia"), ["camellia-cbc.txt"], - lambda key, iv: algorithms.Camellia(binascii.unhexlify(key)), - lambda key, iv: modes.CBC(binascii.unhexlify(iv)), + lambda **kwargs: algorithms.Camellia( + binascii.unhexlify((kwargs["key"])) + ), + lambda **kwargs: modes.CBC(binascii.unhexlify(kwargs["iv"])), only_if=lambda backend: backend.cipher_supported( algorithms.Camellia("\x00" * 16), modes.CBC("\x00" * 16) ), @@ -57,8 +61,10 @@ class TestCamellia(object): load_openssl_vectors, os.path.join("ciphers", "Camellia"), ["camellia-ofb.txt"], - lambda key, iv: algorithms.Camellia(binascii.unhexlify(key)), - lambda key, iv: modes.OFB(binascii.unhexlify(iv)), + lambda **kwargs: algorithms.Camellia( + binascii.unhexlify((kwargs["key"])) + ), + lambda **kwargs: modes.OFB(binascii.unhexlify(kwargs["iv"])), only_if=lambda backend: backend.cipher_supported( algorithms.Camellia("\x00" * 16), modes.OFB("\x00" * 16) ), @@ -69,8 +75,10 @@ class TestCamellia(object): load_openssl_vectors, os.path.join("ciphers", "Camellia"), ["camellia-cfb.txt"], - lambda key, iv: algorithms.Camellia(binascii.unhexlify(key)), - lambda key, iv: modes.CFB(binascii.unhexlify(iv)), + lambda **kwargs: algorithms.Camellia( + binascii.unhexlify((kwargs["key"])) + ), + lambda **kwargs: modes.CFB(binascii.unhexlify(kwargs["iv"])), only_if=lambda backend: backend.cipher_supported( algorithms.Camellia("\x00" * 16), modes.CFB("\x00" * 16) ), diff --git a/tests/hazmat/primitives/test_cast5.py b/tests/hazmat/primitives/test_cast5.py index a283dafc..10c6ef39 100644 --- a/tests/hazmat/primitives/test_cast5.py +++ b/tests/hazmat/primitives/test_cast5.py @@ -27,8 +27,8 @@ class TestCAST5(object): load_nist_vectors, os.path.join("ciphers", "CAST5"), ["cast5-ecb.txt"], - lambda key: algorithms.CAST5(binascii.unhexlify((key))), - lambda key: modes.ECB(), + lambda **kwargs: algorithms.CAST5(binascii.unhexlify((kwargs["key"]))), + lambda **kwargs: modes.ECB(), only_if=lambda backend: backend.cipher_supported( algorithms.CAST5("\x00" * 16), modes.ECB() ), diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 758e755c..227a4055 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -44,8 +44,8 @@ def encrypt_test(backend, cipher_factory, mode_factory, params, only_if, skip_message): if not only_if(backend): pytest.skip(skip_message) - plaintext = params.pop("plaintext") - ciphertext = params.pop("ciphertext") + plaintext = params["plaintext"] + ciphertext = params["ciphertext"] cipher = Cipher( cipher_factory(**params), mode_factory(**params), @@ -84,9 +84,9 @@ def aead_test(backend, cipher_factory, mode_factory, params, only_if, if not only_if(backend): pytest.skip(skip_message) if params.get("pt") is not None: - plaintext = params.pop("pt") - ciphertext = params.pop("ct") - aad = params.pop("aad") + plaintext = params["pt"] + ciphertext = params["ct"] + aad = params["aad"] if params.get("fail") is True: cipher = Cipher( cipher_factory(binascii.unhexlify(params["key"])), @@ -145,9 +145,9 @@ def stream_encryption_test(backend, cipher_factory, params, only_if, skip_message): if not only_if(backend): pytest.skip(skip_message) - plaintext = params.pop("plaintext") - ciphertext = params.pop("ciphertext") - offset = params.pop("offset") + plaintext = params["plaintext"] + ciphertext = params["ciphertext"] + offset = params["offset"] cipher = Cipher(cipher_factory(**params), None, backend=backend) encryptor = cipher.encryptor() # throw away offset bytes -- cgit v1.2.3 From 687d0f849fd88eeaa6fe8968091a9d79b7f96901 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 21 Dec 2013 10:53:50 -0600 Subject: use both kwargs and named args in lambdas for clarity --- tests/hazmat/primitives/test_3des.py | 42 ++++++++++++++------------------ tests/hazmat/primitives/test_aes.py | 18 +++++++------- tests/hazmat/primitives/test_arc4.py | 2 +- tests/hazmat/primitives/test_blowfish.py | 22 ++++++----------- tests/hazmat/primitives/test_camellia.py | 22 ++++++----------- tests/hazmat/primitives/test_cast5.py | 2 +- 6 files changed, 43 insertions(+), 65 deletions(-) diff --git a/tests/hazmat/primitives/test_3des.py b/tests/hazmat/primitives/test_3des.py index 35745310..0db56f47 100644 --- a/tests/hazmat/primitives/test_3des.py +++ b/tests/hazmat/primitives/test_3des.py @@ -37,10 +37,8 @@ class TestTripleDES_CBC(object): "TCBCvarkey.rsp", "TCBCvartext.rsp", ], - lambda **kwargs: algorithms.TripleDES( - binascii.unhexlify(kwargs["keys"]) - ), - lambda **kwargs: modes.CBC(binascii.unhexlify(kwargs["iv"])), + lambda keys, **kwargs: algorithms.TripleDES(binascii.unhexlify(keys)), + lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), ) test_MMT = generate_encrypt_test( @@ -51,10 +49,10 @@ class TestTripleDES_CBC(object): "TCBCMMT2.rsp", "TCBCMMT3.rsp", ], - lambda **kwargs: algorithms.TripleDES(binascii.unhexlify( - kwargs["key1"] + kwargs["key2"] + kwargs["key3"] - )), - lambda **kwargs: modes.CBC(binascii.unhexlify(kwargs["iv"])), + lambda key1, key2, key3, **kwargs: algorithms.TripleDES( + binascii.unhexlify(key1 + key2 + key3) + ), + lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), ) @@ -69,10 +67,8 @@ class TestTripleDES_OFB(object): "TOFBvartext.rsp", "TOFBinvperm.rsp", ], - lambda **kwargs: algorithms.TripleDES( - binascii.unhexlify(kwargs["keys"]) - ), - lambda **kwargs: modes.OFB(binascii.unhexlify(kwargs["iv"])), + lambda keys, **kwargs: algorithms.TripleDES(binascii.unhexlify(keys)), + lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), ) test_MMT = generate_encrypt_test( @@ -83,10 +79,10 @@ class TestTripleDES_OFB(object): "TOFBMMT2.rsp", "TOFBMMT3.rsp", ], - lambda **kwargs: algorithms.TripleDES(binascii.unhexlify( - kwargs["key1"] + kwargs["key2"] + kwargs["key3"] - )), - lambda **kwargs: modes.OFB(binascii.unhexlify(kwargs["iv"])), + lambda key1, key2, key3, **kwargs: algorithms.TripleDES( + binascii.unhexlify(key1 + key2 + key3) + ), + lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), ) @@ -101,10 +97,8 @@ class TestTripleDES_CFB(object): "TCFB64varkey.rsp", "TCFB64vartext.rsp", ], - lambda **kwargs: algorithms.TripleDES( - binascii.unhexlify(kwargs["keys"]) - ), - lambda **kwargs: modes.CFB(binascii.unhexlify(kwargs["iv"])), + lambda keys, **kwargs: algorithms.TripleDES(binascii.unhexlify(keys)), + lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), ) test_MMT = generate_encrypt_test( @@ -115,8 +109,8 @@ class TestTripleDES_CFB(object): "TCFB64MMT2.rsp", "TCFB64MMT3.rsp", ], - lambda **kwargs: algorithms.TripleDES(binascii.unhexlify( - kwargs["key1"] + kwargs["key2"] + kwargs["key3"] - )), - lambda **kwargs: modes.CFB(binascii.unhexlify(kwargs["iv"])), + lambda key1, key2, key3, **kwargs: algorithms.TripleDES( + binascii.unhexlify(key1 + key2 + key3) + ), + lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), ) diff --git a/tests/hazmat/primitives/test_aes.py b/tests/hazmat/primitives/test_aes.py index d706cbd8..9e5a3cb5 100644 --- a/tests/hazmat/primitives/test_aes.py +++ b/tests/hazmat/primitives/test_aes.py @@ -45,8 +45,8 @@ class TestAES(object): "CBCMMT192.rsp", "CBCMMT256.rsp", ], - lambda **kwargs: algorithms.AES(binascii.unhexlify(kwargs["key"])), - lambda **kwargs: modes.CBC(binascii.unhexlify(kwargs["iv"])), + lambda key, **kwargs: algorithms.AES(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), ) test_ECB = generate_encrypt_test( @@ -69,7 +69,7 @@ class TestAES(object): "ECBMMT192.rsp", "ECBMMT256.rsp", ], - lambda **kwargs: algorithms.AES(binascii.unhexlify(kwargs["key"])), + lambda key, **kwargs: algorithms.AES(binascii.unhexlify(key)), lambda **kwargs: modes.ECB(), ) @@ -93,8 +93,8 @@ class TestAES(object): "OFBMMT192.rsp", "OFBMMT256.rsp", ], - lambda **kwargs: algorithms.AES(binascii.unhexlify(kwargs["key"])), - lambda **kwargs: modes.OFB(binascii.unhexlify(kwargs["iv"])), + lambda key, **kwargs: algorithms.AES(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), ) test_CFB = generate_encrypt_test( @@ -117,16 +117,16 @@ class TestAES(object): "CFB128MMT192.rsp", "CFB128MMT256.rsp", ], - lambda **kwargs: algorithms.AES(binascii.unhexlify(kwargs["key"])), - lambda **kwargs: modes.CFB(binascii.unhexlify(kwargs["iv"])), + lambda key, **kwargs: algorithms.AES(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), ) test_CTR = generate_encrypt_test( load_openssl_vectors, os.path.join("ciphers", "AES", "CTR"), ["aes-128-ctr.txt", "aes-192-ctr.txt", "aes-256-ctr.txt"], - lambda **kwargs: algorithms.AES(binascii.unhexlify(kwargs["key"])), - lambda **kwargs: modes.CTR(binascii.unhexlify(kwargs["iv"])), + lambda key, **kwargs: algorithms.AES(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CTR(binascii.unhexlify(iv)), only_if=lambda backend: backend.cipher_supported( algorithms.AES("\x00" * 16), modes.CTR("\x00" * 16) ), diff --git a/tests/hazmat/primitives/test_arc4.py b/tests/hazmat/primitives/test_arc4.py index 7ce93061..a9ef2bbe 100644 --- a/tests/hazmat/primitives/test_arc4.py +++ b/tests/hazmat/primitives/test_arc4.py @@ -35,7 +35,7 @@ class TestARC4(object): "rfc-6229-192.txt", "rfc-6229-256.txt", ], - lambda **kwargs: algorithms.ARC4(binascii.unhexlify((kwargs["key"]))), + lambda key, **kwargs: algorithms.ARC4(binascii.unhexlify(key)), only_if=lambda backend: backend.cipher_supported( algorithms.ARC4("\x00" * 16), None ), diff --git a/tests/hazmat/primitives/test_blowfish.py b/tests/hazmat/primitives/test_blowfish.py index 3e0e9025..065855d7 100644 --- a/tests/hazmat/primitives/test_blowfish.py +++ b/tests/hazmat/primitives/test_blowfish.py @@ -27,9 +27,7 @@ class TestBlowfish(object): load_nist_vectors, os.path.join("ciphers", "Blowfish"), ["bf-ecb.txt"], - lambda **kwargs: algorithms.Blowfish( - binascii.unhexlify(kwargs["key"]) - ), + lambda key, **kwargs: algorithms.Blowfish(binascii.unhexlify(key)), lambda **kwargs: modes.ECB(), only_if=lambda backend: backend.cipher_supported( algorithms.Blowfish("\x00" * 56), modes.ECB() @@ -41,10 +39,8 @@ class TestBlowfish(object): load_nist_vectors, os.path.join("ciphers", "Blowfish"), ["bf-cbc.txt"], - lambda **kwargs: algorithms.Blowfish( - binascii.unhexlify(kwargs["key"]) - ), - lambda **kwargs: modes.CBC(binascii.unhexlify(kwargs["iv"])), + lambda key, **kwargs: algorithms.Blowfish(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), only_if=lambda backend: backend.cipher_supported( algorithms.Blowfish("\x00" * 56), modes.CBC("\x00" * 8) ), @@ -55,10 +51,8 @@ class TestBlowfish(object): load_nist_vectors, os.path.join("ciphers", "Blowfish"), ["bf-ofb.txt"], - lambda **kwargs: algorithms.Blowfish( - binascii.unhexlify(kwargs["key"]) - ), - lambda **kwargs: modes.OFB(binascii.unhexlify(kwargs["iv"])), + lambda key, **kwargs: algorithms.Blowfish(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), only_if=lambda backend: backend.cipher_supported( algorithms.Blowfish("\x00" * 56), modes.OFB("\x00" * 8) ), @@ -69,10 +63,8 @@ class TestBlowfish(object): load_nist_vectors, os.path.join("ciphers", "Blowfish"), ["bf-cfb.txt"], - lambda **kwargs: algorithms.Blowfish( - binascii.unhexlify(kwargs["key"]) - ), - lambda **kwargs: modes.CFB(binascii.unhexlify(kwargs["iv"])), + lambda key, **kwargs: algorithms.Blowfish(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), only_if=lambda backend: backend.cipher_supported( algorithms.Blowfish("\x00" * 56), modes.CFB("\x00" * 8) ), diff --git a/tests/hazmat/primitives/test_camellia.py b/tests/hazmat/primitives/test_camellia.py index e11d590a..6e5fe682 100644 --- a/tests/hazmat/primitives/test_camellia.py +++ b/tests/hazmat/primitives/test_camellia.py @@ -33,9 +33,7 @@ class TestCamellia(object): "camellia-192-ecb.txt", "camellia-256-ecb.txt" ], - lambda **kwargs: algorithms.Camellia( - binascii.unhexlify((kwargs["key"])) - ), + lambda key, **kwargs: algorithms.Camellia(binascii.unhexlify(key)), lambda **kwargs: modes.ECB(), only_if=lambda backend: backend.cipher_supported( algorithms.Camellia("\x00" * 16), modes.ECB() @@ -47,10 +45,8 @@ class TestCamellia(object): load_openssl_vectors, os.path.join("ciphers", "Camellia"), ["camellia-cbc.txt"], - lambda **kwargs: algorithms.Camellia( - binascii.unhexlify((kwargs["key"])) - ), - lambda **kwargs: modes.CBC(binascii.unhexlify(kwargs["iv"])), + lambda key, **kwargs: algorithms.Camellia(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), only_if=lambda backend: backend.cipher_supported( algorithms.Camellia("\x00" * 16), modes.CBC("\x00" * 16) ), @@ -61,10 +57,8 @@ class TestCamellia(object): load_openssl_vectors, os.path.join("ciphers", "Camellia"), ["camellia-ofb.txt"], - lambda **kwargs: algorithms.Camellia( - binascii.unhexlify((kwargs["key"])) - ), - lambda **kwargs: modes.OFB(binascii.unhexlify(kwargs["iv"])), + lambda key, **kwargs: algorithms.Camellia(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), only_if=lambda backend: backend.cipher_supported( algorithms.Camellia("\x00" * 16), modes.OFB("\x00" * 16) ), @@ -75,10 +69,8 @@ class TestCamellia(object): load_openssl_vectors, os.path.join("ciphers", "Camellia"), ["camellia-cfb.txt"], - lambda **kwargs: algorithms.Camellia( - binascii.unhexlify((kwargs["key"])) - ), - lambda **kwargs: modes.CFB(binascii.unhexlify(kwargs["iv"])), + lambda key, **kwargs: algorithms.Camellia(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), only_if=lambda backend: backend.cipher_supported( algorithms.Camellia("\x00" * 16), modes.CFB("\x00" * 16) ), diff --git a/tests/hazmat/primitives/test_cast5.py b/tests/hazmat/primitives/test_cast5.py index 10c6ef39..406f9b55 100644 --- a/tests/hazmat/primitives/test_cast5.py +++ b/tests/hazmat/primitives/test_cast5.py @@ -27,7 +27,7 @@ class TestCAST5(object): load_nist_vectors, os.path.join("ciphers", "CAST5"), ["cast5-ecb.txt"], - lambda **kwargs: algorithms.CAST5(binascii.unhexlify((kwargs["key"]))), + lambda key, **kwargs: algorithms.CAST5(binascii.unhexlify((key))), lambda **kwargs: modes.ECB(), only_if=lambda backend: backend.cipher_supported( algorithms.CAST5("\x00" * 16), modes.ECB() -- cgit v1.2.3 From 1b1327cfe537b9e7bdc271239d1025c2479239c3 Mon Sep 17 00:00:00 2001 From: Alex Stapleton Date: Sat, 21 Dec 2013 15:16:57 +0000 Subject: Raise UnsupportedAlgorithm when initing Hash() Instead of just an AssertionError. --- cryptography/hazmat/backends/openssl/backend.py | 6 +++++- docs/hazmat/primitives/cryptographic-hashes.rst | 3 +++ tests/hazmat/primitives/test_hashes.py | 14 ++++++++++++-- 3 files changed, 20 insertions(+), 3 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index 588a4273..5b7cb3de 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -400,7 +400,11 @@ class _HashContext(object): self._backend.lib.EVP_MD_CTX_destroy) evp_md = self._backend.lib.EVP_get_digestbyname( algorithm.name.encode("ascii")) - assert evp_md != self._backend.ffi.NULL + if evp_md == self._backend.ffi.NULL: + raise UnsupportedAlgorithm( + "{0} is not a supported hash on this backend".format( + algorithm.name) + ) res = self._backend.lib.EVP_DigestInit_ex(ctx, evp_md, self._backend.ffi.NULL) assert res != 0 diff --git a/docs/hazmat/primitives/cryptographic-hashes.rst b/docs/hazmat/primitives/cryptographic-hashes.rst index 90ca198a..38347378 100644 --- a/docs/hazmat/primitives/cryptographic-hashes.rst +++ b/docs/hazmat/primitives/cryptographic-hashes.rst @@ -28,6 +28,9 @@ Message Digests >>> digest.finalize() 'l\xa1=R\xcap\xc8\x83\xe0\xf0\xbb\x10\x1eBZ\x89\xe8bM\xe5\x1d\xb2\xd29%\x93\xafj\x84\x11\x80\x90' + If the backend doesn't support the requested ``algorithm`` an + :class:`~cryptography.exceptions.UnsupportedAlgorithm` will be raised. + Keep in mind that attacks against cryptographic hashes only get stronger with time, and that often algorithms that were once thought to be strong, become broken. Because of this it's important to include a plan for diff --git a/tests/hazmat/primitives/test_hashes.py b/tests/hazmat/primitives/test_hashes.py index ff42e8f4..72bc3e27 100644 --- a/tests/hazmat/primitives/test_hashes.py +++ b/tests/hazmat/primitives/test_hashes.py @@ -19,12 +19,18 @@ import pytest import six -from cryptography.exceptions import AlreadyFinalized -from cryptography.hazmat.primitives import hashes +from cryptography import utils +from cryptography.exceptions import AlreadyFinalized, UnsupportedAlgorithm +from cryptography.hazmat.primitives import hashes, interfaces from .utils import generate_base_hash_test +@utils.register_interface(interfaces.HashAlgorithm) +class UnsupportedDummyHash(object): + name = "unsupported-dummy-hash" + + class TestHashContext(object): def test_hash_reject_unicode(self, backend): m = hashes.Hash(hashes.SHA1(), backend=backend) @@ -57,6 +63,10 @@ class TestHashContext(object): with pytest.raises(AlreadyFinalized): h.finalize() + def test_unsupported_hash(self, backend): + with pytest.raises(UnsupportedAlgorithm): + hashes.Hash(UnsupportedDummyHash(), backend) + class TestSHA1(object): test_SHA1 = generate_base_hash_test( -- cgit v1.2.3 From 447d64fb69e19c0059e3ba18ef3b1317a716a7c4 Mon Sep 17 00:00:00 2001 From: Alex Stapleton Date: Sat, 21 Dec 2013 21:26:55 +0000 Subject: Raise UnsupportedAlgorithm when initing HMACs --- cryptography/hazmat/backends/openssl/backend.py | 6 +++++- docs/hazmat/primitives/hmac.rst | 2 ++ tests/hazmat/primitives/test_hmac.py | 14 ++++++++++++-- 3 files changed, 19 insertions(+), 3 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index 588a4273..94826874 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -442,7 +442,11 @@ class _HMACContext(object): ctx = self._backend.ffi.gc(ctx, self._backend.lib.HMAC_CTX_cleanup) evp_md = self._backend.lib.EVP_get_digestbyname( algorithm.name.encode('ascii')) - assert evp_md != self._backend.ffi.NULL + if evp_md == self._backend.ffi.NULL: + raise UnsupportedAlgorithm( + "{0} is not a supported hash on this backend".format( + algorithm.name) + ) res = self._backend.lib.Cryptography_HMAC_Init_ex( ctx, key, len(key), evp_md, self._backend.ffi.NULL ) diff --git a/docs/hazmat/primitives/hmac.rst b/docs/hazmat/primitives/hmac.rst index 0c0d0220..0547b7d2 100644 --- a/docs/hazmat/primitives/hmac.rst +++ b/docs/hazmat/primitives/hmac.rst @@ -34,6 +34,8 @@ message. >>> h.finalize() '#F\xdaI\x8b"e\xc4\xf1\xbb\x9a\x8fc\xff\xf5\xdex.\xbc\xcd/+\x8a\x86\x1d\x84\'\xc3\xa6\x1d\xd8J' + If the backend doesn't support the requested ``algorithm`` an + :class:`~cryptography.exceptions.UnsupportedAlgorithm` will be raised. :param key: Secret key as ``bytes``. :param algorithm: A diff --git a/tests/hazmat/primitives/test_hmac.py b/tests/hazmat/primitives/test_hmac.py index 992bcb1a..124c4377 100644 --- a/tests/hazmat/primitives/test_hmac.py +++ b/tests/hazmat/primitives/test_hmac.py @@ -19,12 +19,18 @@ import pytest import six -from cryptography.exceptions import AlreadyFinalized -from cryptography.hazmat.primitives import hashes, hmac +from cryptography import utils +from cryptography.exceptions import AlreadyFinalized, UnsupportedAlgorithm +from cryptography.hazmat.primitives import hashes, hmac, interfaces from .utils import generate_base_hmac_test +@utils.register_interface(interfaces.HashAlgorithm) +class UnsupportedDummyHash(object): + name = "unsupported-dummy-hash" + + class TestHMAC(object): test_copy = generate_base_hmac_test( hashes.MD5(), @@ -63,3 +69,7 @@ class TestHMAC(object): with pytest.raises(AlreadyFinalized): h.finalize() + + def test_unsupported_hash(self, backend): + with pytest.raises(UnsupportedAlgorithm): + hmac.HMAC(b"key", UnsupportedDummyHash(), backend) -- cgit v1.2.3 From f7b4ede584f5612546a07eb085eb5672629dcb96 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 21 Dec 2013 17:25:19 -0600 Subject: restrict gcm tags to a minimum of 4 bytes in length --- cryptography/hazmat/backends/openssl/backend.py | 6 +++--- tests/hazmat/primitives/utils.py | 7 +++++++ 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index 5b7cb3de..559ace7e 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -319,9 +319,9 @@ class _CipherContext(object): ) assert res != 0 if operation == self._DECRYPT: - if not mode.tag: - raise ValueError("Authentication tag must be supplied " - "when decrypting") + if not mode.tag or len(mode.tag) < 4: + raise ValueError("Authentication tag must be provided " + "and >= 4 bytes when decrypting") res = self._backend.lib.EVP_CIPHER_CTX_ctrl( ctx, self._backend.lib.Cryptography_EVP_CTRL_GCM_SET_TAG, len(mode.tag), mode.tag diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 227a4055..b00d3184 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -359,6 +359,13 @@ def aead_tag_exception_test(backend, cipher_factory, mode_factory, mode_factory(binascii.unhexlify(b"0" * 24)), backend ) + with pytest.raises(ValueError): + cipher.decryptor() + cipher = Cipher( + cipher_factory(binascii.unhexlify(b"0" * 32)), + mode_factory(binascii.unhexlify(b"0" * 24), b"000"), + backend + ) with pytest.raises(ValueError): cipher.decryptor() cipher = Cipher( -- cgit v1.2.3 From ca73504e62e2c55a7235f94c78cb8ee4d3718590 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 21 Dec 2013 17:31:48 -0600 Subject: add note regarding not truncating tags --- docs/hazmat/primitives/symmetric-encryption.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index f4d0457a..8ed64c7c 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -352,6 +352,11 @@ Modes Do not reuse an ``initialization_vector`` with a given ``key``. + .. note:: + + Do not truncate the GCM authentication tag unless absolutely necessary. + If you must truncate the minimum allowable length is 4 bytes. + :param bytes tag: The tag bytes to verify during decryption. When encrypting this must be None. -- cgit v1.2.3 From a7fbf07a3e96133b40df05ac5be159bbf6f1fc91 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 21 Dec 2013 18:12:25 -0600 Subject: doc updates --- cryptography/hazmat/backends/openssl/backend.py | 2 +- docs/hazmat/primitives/symmetric-encryption.rst | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index 559ace7e..9697a4a6 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -321,7 +321,7 @@ class _CipherContext(object): if operation == self._DECRYPT: if not mode.tag or len(mode.tag) < 4: raise ValueError("Authentication tag must be provided " - "and >= 4 bytes when decrypting") + "and 4 bytes or longer when decrypting") res = self._backend.lib.EVP_CIPHER_CTX_ctrl( ctx, self._backend.lib.Cryptography_EVP_CTRL_GCM_SET_TAG, len(mode.tag), mode.tag diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index 8ed64c7c..85d7d5b1 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -354,8 +354,10 @@ Modes .. note:: - Do not truncate the GCM authentication tag unless absolutely necessary. - If you must truncate the minimum allowable length is 4 bytes. + `NIST SP-800-38D`_ recommends that GCM tags be 128, 120, 122, 104, or + 96-bits in length. Tags are shortened by truncating bytes. Longer tags + provide better security margins. If you must shorten the tag the minimum + allowed length is 4 bytes (32 bits). :param bytes tag: The tag bytes to verify during decryption. When encrypting this must be None. @@ -395,3 +397,4 @@ Insecure Modes .. _`described by Colin Percival`: http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html .. _`recommends 96-bit IV length`: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf +.. _`NIST SP-800-38D`: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf -- cgit v1.2.3 From fc73e2d04315e21011869fbd925df9e7a99d21ae Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 21 Dec 2013 18:41:38 -0600 Subject: prose updates for GCM tag --- cryptography/hazmat/backends/openssl/backend.py | 4 ++-- docs/hazmat/primitives/symmetric-encryption.rst | 10 ++++++---- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index 9697a4a6..b0ea96ea 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -320,8 +320,8 @@ class _CipherContext(object): assert res != 0 if operation == self._DECRYPT: if not mode.tag or len(mode.tag) < 4: - raise ValueError("Authentication tag must be provided " - "and 4 bytes or longer when decrypting") + raise ValueError("Authentication tag must be provided and " + "be 4 bytes or longer when decrypting") res = self._backend.lib.EVP_CIPHER_CTX_ctrl( ctx, self._backend.lib.Cryptography_EVP_CTRL_GCM_SET_TAG, len(mode.tag), mode.tag diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index 85d7d5b1..f009bb78 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -354,10 +354,12 @@ Modes .. note:: - `NIST SP-800-38D`_ recommends that GCM tags be 128, 120, 122, 104, or - 96-bits in length. Tags are shortened by truncating bytes. Longer tags - provide better security margins. If you must shorten the tag the minimum - allowed length is 4 bytes (32 bits). + Cryptography will emit a 128-bit tag when finalizing encryption. + You can shorten a tag by truncating it to the desired length, but this + is **not recommended** as it lowers the security margins of the + authentication (`NIST SP-800-38D`_ recommends 96-bit or greater). + If you must shorten the tag the minimum allowed length is 4 bytes + (32 bit). :param bytes tag: The tag bytes to verify during decryption. When encrypting this must be None. -- cgit v1.2.3 From 048d6cb43a0757f3b4cca385e788d30173ebcb17 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 21 Dec 2013 18:53:19 -0600 Subject: a few more doc changes to gcm tag info --- docs/hazmat/primitives/symmetric-encryption.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index f009bb78..6e3c1024 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -357,9 +357,10 @@ Modes Cryptography will emit a 128-bit tag when finalizing encryption. You can shorten a tag by truncating it to the desired length, but this is **not recommended** as it lowers the security margins of the - authentication (`NIST SP-800-38D`_ recommends 96-bit or greater). + authentication (`NIST SP-800-38D`_ recommends 96-bits or greater). If you must shorten the tag the minimum allowed length is 4 bytes - (32 bit). + (32-bits). Applications **must** verify the tag is the expected length + to guarantee the expected security margin. :param bytes tag: The tag bytes to verify during decryption. When encrypting this must be None. -- cgit v1.2.3 From 15cf6b995624e938209e611f3953dd8dbb7a57b8 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 21 Dec 2013 19:22:39 -0800 Subject: A handful of cleanups and rewordings to the docs --- docs/contributing.rst | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/contributing.rst b/docs/contributing.rst index cb9c7283..f176393f 100644 --- a/docs/contributing.rst +++ b/docs/contributing.rst @@ -53,11 +53,10 @@ API Considerations Most projects' APIs are designed with a philosophy of "make easy things easy, and make hard things possible". One of the perils of writing cryptographic code -is that code that is secure looks just like code that isn't, and produces -results that are also difficult to distinguish. As a result ``cryptography`` -has, as a design philosophy: "make it hard to do insecure things". Here are a -few strategies for API design which should be both followed, and should inspire -other API choices: +is that secure code looks just like insecure code, and it's results are almost +always indistinguishable. As a result ``cryptography`` has, as a design +philosophy: "make it hard to do insecure things". Here are a few strategies for +API design which should be both followed, and should inspire other API choices: If it is incorrect to ignore the result of a method, it should raise an exception, and not return a boolean ``True``/``False`` flag. For example, a @@ -163,7 +162,7 @@ as much as possible. To that end: * When documenting a generic interface, use a strong algorithm in examples. (e.g. when showing a hashing example, don't use - :class:`cryptography.hazmat.primitives.hashes.MD5`) + :class:`~cryptography.hazmat.primitives.hashes.MD5`) * When giving prescriptive advice, always provide references and supporting material. * When there is real disagreement between cryptographic experts, represent both @@ -206,7 +205,7 @@ automatically, so all you have to do is: $ py.test ... - 4294 passed in 15.24 seconds + 62746 passed in 220.43 seconds This runs the tests with the default Python interpreter. @@ -244,7 +243,8 @@ Use `tox`_ to build the documentation. For example: docs: commands succeeded congratulations :) -The HTML documentation index can now be found at ``docs/_build/html/index.html`` +The HTML documentation index can now be found at +``docs/_build/html/index.html``. .. _`GitHub`: https://github.com/pyca/cryptography -- cgit v1.2.3 From 6955ea32cdfbc8719c5f4ae9c55c989787553a97 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 21 Dec 2013 19:26:19 -0800 Subject: Recommend that recipes include a version --- docs/contributing.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/contributing.rst b/docs/contributing.rst index cb9c7283..cec067ca 100644 --- a/docs/contributing.rst +++ b/docs/contributing.rst @@ -77,6 +77,10 @@ whether the signature was valid. if not is_valid: raise InvalidSignature +Every recipe should include a version or algorithmic marker of some sort in its +output in order to allow transparent upgrading of the algorithms in use, as +the algorithms or parameters needed to achieve a given security margin evolve. + APIs at the :doc:`/hazmat/primitives/index` layer should always take an explicit backend, APIs at the recipes layer should automatically use the :func:`~cryptography.hazmat.backends.default_backend`, but optionally allow -- cgit v1.2.3 From 95243f5b34f6cdfc16fb95669efbe2a61ac81179 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 21 Dec 2013 19:37:24 -0800 Subject: English, how does it work? --- docs/contributing.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/contributing.rst b/docs/contributing.rst index f176393f..b1702df8 100644 --- a/docs/contributing.rst +++ b/docs/contributing.rst @@ -53,7 +53,7 @@ API Considerations Most projects' APIs are designed with a philosophy of "make easy things easy, and make hard things possible". One of the perils of writing cryptographic code -is that secure code looks just like insecure code, and it's results are almost +is that secure code looks just like insecure code, and its results are almost always indistinguishable. As a result ``cryptography`` has, as a design philosophy: "make it hard to do insecure things". Here are a few strategies for API design which should be both followed, and should inspire other API choices: -- cgit v1.2.3 From 35cb3659bcf97eea22ce1ad14b7fc3d0913d2be2 Mon Sep 17 00:00:00 2001 From: Alex Stapleton Date: Sat, 21 Dec 2013 16:29:45 +0000 Subject: UnsupportedAlgorithm error messages for Ciphers --- cryptography/hazmat/backends/openssl/backend.py | 12 ++++++++++-- docs/hazmat/primitives/symmetric-encryption.rst | 2 +- tests/hazmat/backends/test_openssl.py | 12 +++++++----- tests/hazmat/primitives/test_block.py | 12 +++++++++--- 4 files changed, 27 insertions(+), 11 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index 588a4273..714823e9 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -288,11 +288,19 @@ class _CipherContext(object): try: adapter = registry[type(cipher), type(mode)] except KeyError: - raise UnsupportedAlgorithm + raise UnsupportedAlgorithm( + "cipher {0} in {1} mode is not supported " + "by this backend".format( + cipher.name, mode.name if mode else mode) + ) evp_cipher = adapter(self._backend, cipher, mode) if evp_cipher == self._backend.ffi.NULL: - raise UnsupportedAlgorithm + raise UnsupportedAlgorithm( + "cipher {0} in {1} mode is not supported " + "by this backend".format( + cipher.name, mode.name if mode else mode) + ) if isinstance(mode, interfaces.ModeWithInitializationVector): iv_nonce = mode.initialization_vector diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index f4d0457a..dfadd895 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -61,7 +61,7 @@ an "encrypt-then-MAC" formulation as `described by Colin Percival`_. provider. If the backend doesn't support the requested combination of ``cipher`` - and ``mode`` an :class:`cryptography.exceptions.UnsupportedAlgorithm` + and ``mode`` an :class:`~cryptography.exceptions.UnsupportedAlgorithm` will be raised. .. method:: decryptor() diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 962959b9..543a05fe 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -23,13 +23,14 @@ from cryptography.hazmat.primitives.ciphers.algorithms import AES from cryptography.hazmat.primitives.ciphers.modes import CBC +@utils.register_interface(interfaces.Mode) class DummyMode(object): - pass + name = "dummy-mode" @utils.register_interface(interfaces.CipherAlgorithm) class DummyCipher(object): - pass + name = "dummy-cipher" class TestOpenSSL(object): @@ -62,15 +63,16 @@ class TestOpenSSL(object): assert b.ffi is backend.ffi assert b.lib is backend.lib - def test_nonexistent_cipher(self): + @pytest.mark.parametrize("mode", [DummyMode(), None]) + def test_nonexistent_cipher(self, mode): b = Backend() b.register_cipher_adapter( DummyCipher, - DummyMode, + type(mode), lambda backend, cipher, mode: backend.ffi.NULL ) cipher = Cipher( - DummyCipher(), DummyMode(), backend=b, + DummyCipher(), mode, backend=b, ) with pytest.raises(UnsupportedAlgorithm): cipher.encryptor() diff --git a/tests/hazmat/primitives/test_block.py b/tests/hazmat/primitives/test_block.py index 02de3861..573f5633 100644 --- a/tests/hazmat/primitives/test_block.py +++ b/tests/hazmat/primitives/test_block.py @@ -31,9 +31,14 @@ from .utils import ( ) +@utils.register_interface(interfaces.Mode) +class DummyMode(object): + name = "dummy-mode" + + @utils.register_interface(interfaces.CipherAlgorithm) class DummyCipher(object): - pass + name = "dummy-cipher" class TestCipher(object): @@ -101,9 +106,10 @@ class TestCipherContext(object): assert pt == b"a" * 80 decryptor.finalize() - def test_nonexistent_cipher(self, backend): + @pytest.mark.parametrize("mode", [DummyMode(), None]) + def test_nonexistent_cipher(self, backend, mode): cipher = Cipher( - DummyCipher(), object(), backend + DummyCipher(), mode, backend ) with pytest.raises(UnsupportedAlgorithm): cipher.encryptor() -- cgit v1.2.3 From b32c90c00975c95ae6c00d232b39e8eff6339243 Mon Sep 17 00:00:00 2001 From: cyli Date: Sun, 22 Dec 2013 15:51:50 -0800 Subject: Change the Cryptography-specific variable names --- cryptography/hazmat/backends/openssl/ssl.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 7e7de5ce..76bb8363 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -17,10 +17,10 @@ INCLUDES = """ TYPES = """ /* Internally invented symbol to tell us if SSLv2 is supported */ -static const int Cryptography_NO_SSL2; +static const int Cryptography_HAS_SSL2; /* Internally invented symbol to tell us if SNI is supported */ -static const int Cryptography_TLSEXT_HOSTNAME; +static const int Cryptography_HAS_TLSEXT_HOSTNAME; static const int SSL_FILETYPE_PEM; static const int SSL_FILETYPE_ASN1; @@ -244,18 +244,18 @@ void SSL_CTX_set_tlsext_servername_callback( CUSTOMIZATIONS = """ #ifdef OPENSSL_NO_SSL2 -static const int Cryptography_NO_SSL2 = 1; +static const int Cryptography_HAS_SSL2 = 0; SSL_METHOD* (*SSLv2_method)() = NULL; SSL_METHOD* (*SSLv2_client_method)() = NULL; SSL_METHOD* (*SSLv2_server_method)() = NULL; #else -static const int Cryptography_NO_SSL2 = 0; +static const int Cryptography_HAS_SSL2 = 1; #endif #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME -static const int Cryptography_TLSEXT_HOSTNAME = 1; +static const int Cryptography_HAS_TLSEXT_HOSTNAME = 1; #else -static const int Cryptography_TLSEXT_HOSTNAME = 0; +static const int Cryptography_HAS_TLSEXT_HOSTNAME = 0; void (*SSL_set_tlsext_host_name)(SSL *, char *) = NULL; const char* (*SSL_get_servername)(const SSL *, const int) = NULL; void (*SSL_CTX_set_tlsext_servername_callback)( -- cgit v1.2.3 From 6fd76ba7a5f7810757f4c2c5f0b07cf947dd2315 Mon Sep 17 00:00:00 2001 From: cyli Date: Sun, 22 Dec 2013 16:26:44 -0800 Subject: Remove some extra parameters in function declarations --- cryptography/hazmat/backends/openssl/ssl.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 76bb8363..e478f65e 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -132,7 +132,7 @@ int SSL_get_verify_mode(const SSL *); void SSL_set_verify_depth(SSL *, int); int SSL_get_verify_depth(const SSL *); int (*SSL_get_verify_callback(const SSL *))(int, X509_STORE_CTX *); -void SSL_set_info_callback(SSL *, void (*callback)()); +void SSL_set_info_callback(SSL *, void (*)()); void (*SSL_get_info_callback(const SSL *))(); SSL *SSL_new(SSL_CTX *); void SSL_free(SSL *); @@ -155,10 +155,10 @@ const char *SSL_get_cipher_list(const SSL *, int); void SSL_CTX_free(SSL_CTX *); long SSL_CTX_set_timeout(SSL_CTX *, long); int SSL_CTX_set_default_verify_paths(SSL_CTX *); -void SSL_CTX_set_verify(SSL_CTX *, int, int (*callback)(int, X509_STORE_CTX *)); +void SSL_CTX_set_verify(SSL_CTX *, int, int (*)(int, X509_STORE_CTX *)); void SSL_CTX_set_verify_depth(SSL_CTX *, int); int (*SSL_CTX_get_verify_callback(const SSL_CTX *))(int, X509_STORE_CTX *); -void SSL_CTX_set_info_callback(SSL_CTX *, void (*cb)(const SSL *, int, int)); +void SSL_CTX_set_info_callback(SSL_CTX *, void (*)(const SSL *, int, int)); void (*SSL_CTX_get_info_callback(SSL_CTX *))(const SSL *, int, int); int SSL_CTX_get_verify_mode(const SSL_CTX *); int SSL_CTX_get_verify_depth(const SSL_CTX *); @@ -239,7 +239,7 @@ long SSL_CTX_get_timeout(const SSL_CTX *); void SSL_set_tlsext_host_name(SSL *, char *); void SSL_CTX_set_tlsext_servername_callback( SSL_CTX *, - int (*cb)(const SSL *, int *, void *)); + int (*)(const SSL *, int *, void *)); """ CUSTOMIZATIONS = """ @@ -260,6 +260,6 @@ void (*SSL_set_tlsext_host_name)(SSL *, char *) = NULL; const char* (*SSL_get_servername)(const SSL *, const int) = NULL; void (*SSL_CTX_set_tlsext_servername_callback)( SSL_CTX *, - int (*cb)(const SSL *, int *, void *)) = NULL; + int (*)(const SSL *, int *, void *)) = NULL; #endif """ -- cgit v1.2.3 From f8540eb4b2366a64711d058896a8be91e2410fd4 Mon Sep 17 00:00:00 2001 From: cyli Date: Sun, 22 Dec 2013 17:15:05 -0800 Subject: Remove SSL_CTX_clear_options, since it doesn't seem to be in openssl 0.9.8 --- cryptography/hazmat/backends/openssl/ssl.py | 1 - 1 file changed, 1 deletion(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index e478f65e..4fc20ebc 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -198,7 +198,6 @@ int SSL_want_write(const SSL *); int SSL_total_renegotiations(const SSL *); long SSL_CTX_set_options(SSL_CTX *, long); -long SSL_CTX_clear_options(SSL_CTX *, long); long SSL_CTX_get_options(SSL_CTX *); long SSL_CTX_set_mode(SSL_CTX *, long); long SSL_CTX_get_mode(SSL_CTX *); -- cgit v1.2.3 From 7dc4a127e2fe5ec07ba94e96de00a6b2f65f4371 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 23 Dec 2013 07:53:34 -0800 Subject: Remove names from the backend that don't actually exist --- cryptography/hazmat/backends/openssl/asn1.py | 2 ++ cryptography/hazmat/backends/openssl/backend.py | 8 ++++++++ cryptography/hazmat/backends/openssl/bignum.py | 2 ++ cryptography/hazmat/backends/openssl/bio.py | 2 ++ cryptography/hazmat/backends/openssl/conf.py | 2 ++ cryptography/hazmat/backends/openssl/crypto.py | 2 ++ cryptography/hazmat/backends/openssl/dh.py | 2 ++ cryptography/hazmat/backends/openssl/dsa.py | 2 ++ cryptography/hazmat/backends/openssl/engine.py | 2 ++ cryptography/hazmat/backends/openssl/err.py | 2 ++ cryptography/hazmat/backends/openssl/evp.py | 10 ++++++++++ cryptography/hazmat/backends/openssl/hmac.py | 2 ++ cryptography/hazmat/backends/openssl/nid.py | 2 ++ cryptography/hazmat/backends/openssl/opensslv.py | 2 ++ cryptography/hazmat/backends/openssl/pem.py | 2 ++ cryptography/hazmat/backends/openssl/pkcs12.py | 2 ++ cryptography/hazmat/backends/openssl/pkcs7.py | 2 ++ cryptography/hazmat/backends/openssl/rand.py | 2 ++ cryptography/hazmat/backends/openssl/rsa.py | 2 ++ cryptography/hazmat/backends/openssl/ssl.py | 12 ++++++++++++ cryptography/hazmat/backends/openssl/x509.py | 2 ++ cryptography/hazmat/backends/openssl/x509name.py | 2 ++ cryptography/hazmat/backends/openssl/x509v3.py | 2 ++ 23 files changed, 70 insertions(+) diff --git a/cryptography/hazmat/backends/openssl/asn1.py b/cryptography/hazmat/backends/openssl/asn1.py index c752e682..b56932fa 100644 --- a/cryptography/hazmat/backends/openssl/asn1.py +++ b/cryptography/hazmat/backends/openssl/asn1.py @@ -122,3 +122,5 @@ BIGNUM *ASN1_INTEGER_to_BN(ASN1_INTEGER *, BIGNUM *); CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index 080cb5f1..5d6b5bcc 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -141,6 +141,14 @@ class Backend(object): libraries=["crypto", "ssl"], ) + for name in cls._modules: + module_name = "cryptography.hazmat.backends.openssl." + name + __import__(module_name) + module = sys.modules[module_name] + for name, condition in module.CONDITIONAL_NAMES.items(): + if not getattr(lib, condition): + delattr(lib, name) + cls.ffi = ffi cls.lib = lib cls.lib.OpenSSL_add_all_algorithms() diff --git a/cryptography/hazmat/backends/openssl/bignum.py b/cryptography/hazmat/backends/openssl/bignum.py index 1b0fe5ab..68d0c3a2 100644 --- a/cryptography/hazmat/backends/openssl/bignum.py +++ b/cryptography/hazmat/backends/openssl/bignum.py @@ -38,3 +38,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/bio.py b/cryptography/hazmat/backends/openssl/bio.py index c23dd0d8..d164804f 100644 --- a/cryptography/hazmat/backends/openssl/bio.py +++ b/cryptography/hazmat/backends/openssl/bio.py @@ -171,3 +171,5 @@ long BIO_set_buffer_read_data(BIO *, void *, long); CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/conf.py b/cryptography/hazmat/backends/openssl/conf.py index 4846252c..6d818cf1 100644 --- a/cryptography/hazmat/backends/openssl/conf.py +++ b/cryptography/hazmat/backends/openssl/conf.py @@ -27,3 +27,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/crypto.py b/cryptography/hazmat/backends/openssl/crypto.py index 11e5f2f5..8d88c16e 100644 --- a/cryptography/hazmat/backends/openssl/crypto.py +++ b/cryptography/hazmat/backends/openssl/crypto.py @@ -40,3 +40,5 @@ void CRYPTO_malloc_debug_init(); CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/dh.py b/cryptography/hazmat/backends/openssl/dh.py index b8fbf368..56fa8b46 100644 --- a/cryptography/hazmat/backends/openssl/dh.py +++ b/cryptography/hazmat/backends/openssl/dh.py @@ -29,3 +29,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/dsa.py b/cryptography/hazmat/backends/openssl/dsa.py index e6c369a6..3b77d7ae 100644 --- a/cryptography/hazmat/backends/openssl/dsa.py +++ b/cryptography/hazmat/backends/openssl/dsa.py @@ -31,3 +31,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/engine.py b/cryptography/hazmat/backends/openssl/engine.py index 1f377665..cc214f84 100644 --- a/cryptography/hazmat/backends/openssl/engine.py +++ b/cryptography/hazmat/backends/openssl/engine.py @@ -63,3 +63,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/err.py b/cryptography/hazmat/backends/openssl/err.py index f31c2405..2fb8bbe1 100644 --- a/cryptography/hazmat/backends/openssl/err.py +++ b/cryptography/hazmat/backends/openssl/err.py @@ -74,3 +74,5 @@ int ERR_FATAL_ERROR(unsigned long); CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/evp.py b/cryptography/hazmat/backends/openssl/evp.py index 8cb44610..fa35c6ac 100644 --- a/cryptography/hazmat/backends/openssl/evp.py +++ b/cryptography/hazmat/backends/openssl/evp.py @@ -35,6 +35,8 @@ static const int EVP_PKEY_DSA; static const int Cryptography_EVP_CTRL_GCM_SET_IVLEN; static const int Cryptography_EVP_CTRL_GCM_GET_TAG; static const int Cryptography_EVP_CTRL_GCM_SET_TAG; + +static const int Cryptography_HAS_GCM; """ FUNCTIONS = """ @@ -101,12 +103,20 @@ int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *, int, int, void *); CUSTOMIZATIONS = """ #ifdef EVP_CTRL_GCM_SET_TAG +const int Cryptography_HAS_GCM = 1; const int Cryptography_EVP_CTRL_GCM_GET_TAG = EVP_CTRL_GCM_GET_TAG; const int Cryptography_EVP_CTRL_GCM_SET_TAG = EVP_CTRL_GCM_SET_TAG; const int Cryptography_EVP_CTRL_GCM_SET_IVLEN = EVP_CTRL_GCM_SET_IVLEN; #else +const int Cryptography_HAS_GCM = 0; const int Cryptography_EVP_CTRL_GCM_GET_TAG = -1; const int Cryptography_EVP_CTRL_GCM_SET_TAG = -1; const int Cryptography_EVP_CTRL_GCM_SET_IVLEN = -1; #endif """ + +CONDITIONAL_NAMES = { + "Cryptography_EVP_CTRL_GCM_GET_TAG": "Cryptography_HAS_GCM", + "Cryptography_EVP_CTRL_GCM_SET_TAG": "Cryptography_HAS_GCM", + "Cryptography_EVP_CTRL_GCM_SET_IVLEN": "Cryptography_HAS_GCM", +} diff --git a/cryptography/hazmat/backends/openssl/hmac.py b/cryptography/hazmat/backends/openssl/hmac.py index 10e67141..5f9e0945 100644 --- a/cryptography/hazmat/backends/openssl/hmac.py +++ b/cryptography/hazmat/backends/openssl/hmac.py @@ -88,3 +88,5 @@ int Cryptography_HMAC_CTX_copy(HMAC_CTX *dst_ctx, HMAC_CTX *src_ctx) { #endif } """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/nid.py b/cryptography/hazmat/backends/openssl/nid.py index 9816dde4..111f82f9 100644 --- a/cryptography/hazmat/backends/openssl/nid.py +++ b/cryptography/hazmat/backends/openssl/nid.py @@ -47,3 +47,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/opensslv.py b/cryptography/hazmat/backends/openssl/opensslv.py index d463776c..37bbd2a7 100644 --- a/cryptography/hazmat/backends/openssl/opensslv.py +++ b/cryptography/hazmat/backends/openssl/opensslv.py @@ -27,3 +27,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/pem.py b/cryptography/hazmat/backends/openssl/pem.py index cef7839f..ee5552c5 100644 --- a/cryptography/hazmat/backends/openssl/pem.py +++ b/cryptography/hazmat/backends/openssl/pem.py @@ -55,3 +55,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/pkcs12.py b/cryptography/hazmat/backends/openssl/pkcs12.py index d91d100f..b3ecd0aa 100644 --- a/cryptography/hazmat/backends/openssl/pkcs12.py +++ b/cryptography/hazmat/backends/openssl/pkcs12.py @@ -35,3 +35,5 @@ PKCS12 *PKCS12_create(char *, char *, EVP_PKEY *, X509 *, CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/pkcs7.py b/cryptography/hazmat/backends/openssl/pkcs7.py index 60ea3c52..43f9540b 100644 --- a/cryptography/hazmat/backends/openssl/pkcs7.py +++ b/cryptography/hazmat/backends/openssl/pkcs7.py @@ -35,3 +35,5 @@ int PKCS7_type_is_data(PKCS7 *); CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/rand.py b/cryptography/hazmat/backends/openssl/rand.py index 848ee05a..ddd0a3d8 100644 --- a/cryptography/hazmat/backends/openssl/rand.py +++ b/cryptography/hazmat/backends/openssl/rand.py @@ -38,3 +38,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/rsa.py b/cryptography/hazmat/backends/openssl/rsa.py index ad0d37b4..e3a24d0f 100644 --- a/cryptography/hazmat/backends/openssl/rsa.py +++ b/cryptography/hazmat/backends/openssl/rsa.py @@ -57,3 +57,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 4fc20ebc..45dc97bd 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -262,3 +262,15 @@ void (*SSL_CTX_set_tlsext_servername_callback)( int (*)(const SSL *, int *, void *)) = NULL; #endif """ + +CONDITIONAL_NAMES = { + "SSLv2_method": "Cryptography_HAS_SSL2", + "SSLv2_client_method": "Cryptography_HAS_SSL2", + "SSLv2_server_method": "Cryptography_HAS_SSL2", + + "SSL_set_tlsext_host_name": "Cryptography_HAS_TLSEXT_HOSTNAME", + "SSL_get_servername": "Cryptography_HAS_TLSEXT_HOSTNAME", + "SSL_CTX_set_tlsext_servername_callback": ( + "Cryptography_HAS_TLSEXT_HOSTNAME" + ), +} diff --git a/cryptography/hazmat/backends/openssl/x509.py b/cryptography/hazmat/backends/openssl/x509.py index b2ee672e..dd7815fa 100644 --- a/cryptography/hazmat/backends/openssl/x509.py +++ b/cryptography/hazmat/backends/openssl/x509.py @@ -188,3 +188,5 @@ int X509_CRL_set_nextUpdate(X509_CRL *, const ASN1_TIME *); CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/x509name.py b/cryptography/hazmat/backends/openssl/x509name.py index 896f0ae4..4be39b53 100644 --- a/cryptography/hazmat/backends/openssl/x509name.py +++ b/cryptography/hazmat/backends/openssl/x509name.py @@ -49,3 +49,5 @@ void sk_X509_NAME_free(struct stack_st_X509_NAME *); CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/x509v3.py b/cryptography/hazmat/backends/openssl/x509v3.py index bc26236c..6d2d2361 100644 --- a/cryptography/hazmat/backends/openssl/x509v3.py +++ b/cryptography/hazmat/backends/openssl/x509v3.py @@ -95,3 +95,5 @@ const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int); CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} -- cgit v1.2.3 From 7938206b7a7416f5a1a7abd7b652302ee2125a91 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 23 Dec 2013 08:02:38 -0800 Subject: Reduce duplication --- cryptography/hazmat/backends/openssl/backend.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index 5d6b5bcc..67a3e698 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -57,6 +57,7 @@ class Backend(object): """ OpenSSL API wrapper. """ + _module_prefix = "cryptography.hazmat.backends.openssl." _modules = [ "asn1", "bignum", @@ -102,7 +103,7 @@ class Backend(object): macros = [] customizations = [] for name in cls._modules: - module_name = "cryptography.hazmat.backends.openssl." + name + module_name = cls._module_prefix + name __import__(module_name) module = sys.modules[module_name] @@ -142,7 +143,7 @@ class Backend(object): ) for name in cls._modules: - module_name = "cryptography.hazmat.backends.openssl." + name + module_name = cls._module_prefix + name __import__(module_name) module = sys.modules[module_name] for name, condition in module.CONDITIONAL_NAMES.items(): -- cgit v1.2.3 From 3e52645f14dc3f015f354fb1c545259a4d882bc7 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 23 Dec 2013 08:02:49 -0800 Subject: Invert these dics for more readability --- cryptography/hazmat/backends/openssl/backend.py | 5 +++-- cryptography/hazmat/backends/openssl/evp.py | 8 +++++--- cryptography/hazmat/backends/openssl/ssl.py | 18 ++++++++++-------- 3 files changed, 18 insertions(+), 13 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index 67a3e698..6cc8275d 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -146,9 +146,10 @@ class Backend(object): module_name = cls._module_prefix + name __import__(module_name) module = sys.modules[module_name] - for name, condition in module.CONDITIONAL_NAMES.items(): + for condition, names in module.CONDITIONAL_NAMES.items(): if not getattr(lib, condition): - delattr(lib, name) + for name in names: + delattr(lib, name) cls.ffi = ffi cls.lib = lib diff --git a/cryptography/hazmat/backends/openssl/evp.py b/cryptography/hazmat/backends/openssl/evp.py index fa35c6ac..7e50a6b3 100644 --- a/cryptography/hazmat/backends/openssl/evp.py +++ b/cryptography/hazmat/backends/openssl/evp.py @@ -116,7 +116,9 @@ const int Cryptography_EVP_CTRL_GCM_SET_IVLEN = -1; """ CONDITIONAL_NAMES = { - "Cryptography_EVP_CTRL_GCM_GET_TAG": "Cryptography_HAS_GCM", - "Cryptography_EVP_CTRL_GCM_SET_TAG": "Cryptography_HAS_GCM", - "Cryptography_EVP_CTRL_GCM_SET_IVLEN": "Cryptography_HAS_GCM", + "Cryptography_HAS_GCM": [ + "Cryptography_EVP_CTRL_GCM_GET_TAG", + "Cryptography_EVP_CTRL_GCM_SET_TAG", + "Cryptography_EVP_CTRL_GCM_SET_IVLEN", + ] } diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 45dc97bd..bf1ffcc6 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -264,13 +264,15 @@ void (*SSL_CTX_set_tlsext_servername_callback)( """ CONDITIONAL_NAMES = { - "SSLv2_method": "Cryptography_HAS_SSL2", - "SSLv2_client_method": "Cryptography_HAS_SSL2", - "SSLv2_server_method": "Cryptography_HAS_SSL2", + "Cryptography_HAS_SSL2": [ + "SSLv2_method", + "SSLv2_client_method", + "SSLv2_server_method", + ], - "SSL_set_tlsext_host_name": "Cryptography_HAS_TLSEXT_HOSTNAME", - "SSL_get_servername": "Cryptography_HAS_TLSEXT_HOSTNAME", - "SSL_CTX_set_tlsext_servername_callback": ( - "Cryptography_HAS_TLSEXT_HOSTNAME" - ), + "Cryptography_HAS_TLSEXT_HOSTNAME": [ + "SSL_set_tlsext_host_name", + "SSL_get_servername", + "SSL_CTX_set_tlsext_servername_callback", + ] } -- cgit v1.2.3 From af09025900863a2a196eb67b1ec844a8626caa0c Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Mon, 23 Dec 2013 08:22:03 -0500 Subject: bind a few more assorted random simple things --- cryptography/hazmat/backends/openssl/crypto.py | 6 ++++++ cryptography/hazmat/backends/openssl/opensslv.py | 1 + cryptography/hazmat/backends/openssl/rand.py | 1 + cryptography/hazmat/backends/openssl/ssl.py | 2 ++ 4 files changed, 10 insertions(+) diff --git a/cryptography/hazmat/backends/openssl/crypto.py b/cryptography/hazmat/backends/openssl/crypto.py index 8d88c16e..71d32c52 100644 --- a/cryptography/hazmat/backends/openssl/crypto.py +++ b/cryptography/hazmat/backends/openssl/crypto.py @@ -16,6 +16,11 @@ INCLUDES = """ """ TYPES = """ +static const int SSLEAY_VERSION; +static const int SSLEAY_CFLAGS; +static const int SSLEAY_PLATFORM; +static const int SSLEAY_DIR; +static const int SSLEAY_BUILT_ON; """ FUNCTIONS = """ @@ -32,6 +37,7 @@ MACROS = """ void CRYPTO_add(int *, int, int); void CRYPTO_malloc_init(); void CRYPTO_malloc_debug_init(); + #define CRYPTO_MEM_CHECK_ON ... #define CRYPTO_MEM_CHECK_OFF ... #define CRYPTO_MEM_CHECK_ENABLE ... diff --git a/cryptography/hazmat/backends/openssl/opensslv.py b/cryptography/hazmat/backends/openssl/opensslv.py index 37bbd2a7..4e110327 100644 --- a/cryptography/hazmat/backends/openssl/opensslv.py +++ b/cryptography/hazmat/backends/openssl/opensslv.py @@ -16,6 +16,7 @@ INCLUDES = """ """ TYPES = """ +static const int OPENSSL_VERSION_NUMBER; static char *const OPENSSL_VERSION_TEXT; """ diff --git a/cryptography/hazmat/backends/openssl/rand.py b/cryptography/hazmat/backends/openssl/rand.py index ddd0a3d8..5ac36cac 100644 --- a/cryptography/hazmat/backends/openssl/rand.py +++ b/cryptography/hazmat/backends/openssl/rand.py @@ -19,6 +19,7 @@ TYPES = """ """ FUNCTIONS = """ +void ERR_load_RAND_strings(); void RAND_seed(const void *, int); void RAND_add(const void *, int, double); int RAND_status(); diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index bf1ffcc6..168d5429 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -36,6 +36,7 @@ static const int SSL_RECEIVED_SHUTDOWN; static const int SSL_OP_NO_SSLv2; static const int SSL_OP_NO_SSLv3; static const int SSL_OP_NO_TLSv1; +static const int SSL_OP_NO_COMPRESSION; static const int SSL_OP_SINGLE_DH_USE; static const int SSL_OP_EPHEMERAL_RSA; static const int SSL_OP_MICROSOFT_SESS_ID_BUG; @@ -93,6 +94,7 @@ static const int SSL_CB_HANDSHAKE_DONE; static const int SSL_MODE_ENABLE_PARTIAL_WRITE; static const int SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; static const int SSL_MODE_AUTO_RETRY; +static const int SSL_MODE_RELEASE_BUFFERS; static const int SSL3_RANDOM_SIZE; typedef ... X509_STORE_CTX; static const int X509_V_OK; -- cgit v1.2.3 From 21a37548b5c1cd2df9f2e3e7131e4ae3d72c333a Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Mon, 23 Dec 2013 11:13:34 -0500 Subject: Try making SSL_MODE_RELEASE_BUFFERS conditional on whether the underlying OpenSSL library has this flag --- cryptography/hazmat/backends/openssl/ssl.py | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 168d5429..3af0074e 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -94,7 +94,6 @@ static const int SSL_CB_HANDSHAKE_DONE; static const int SSL_MODE_ENABLE_PARTIAL_WRITE; static const int SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; static const int SSL_MODE_AUTO_RETRY; -static const int SSL_MODE_RELEASE_BUFFERS; static const int SSL3_RANDOM_SIZE; typedef ... X509_STORE_CTX; static const int X509_V_OK; @@ -263,6 +262,13 @@ void (*SSL_CTX_set_tlsext_servername_callback)( SSL_CTX *, int (*)(const SSL *, int *, void *)) = NULL; #endif + +#ifdef SSL_MODE_RELEASE_BUFFERS +static const int Cryptography_HAS_RELEASE_BUFFERS = 1; +#else +static const int Cryptography_HAS_RELEASE_BUFFERS = 0; +const int SSL_MODE_RELEASE_BUFFERS = 0; +#endif """ CONDITIONAL_NAMES = { @@ -276,5 +282,10 @@ CONDITIONAL_NAMES = { "SSL_set_tlsext_host_name", "SSL_get_servername", "SSL_CTX_set_tlsext_servername_callback", - ] + ], + + "Cryptography_HAS_RELEASE_BUFFERS": [ + "SSL_MODE_RELEASE_BUFFERS", + ], + } -- cgit v1.2.3 From ab51df1d664fafe1426748e38ddb125cf31d4052 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Mon, 23 Dec 2013 11:16:12 -0500 Subject: Finish that conditional support --- cryptography/hazmat/backends/openssl/ssl.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 3af0074e..a1acde38 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -22,6 +22,11 @@ static const int Cryptography_HAS_SSL2; /* Internally invented symbol to tell us if SNI is supported */ static const int Cryptography_HAS_TLSEXT_HOSTNAME; +/* Internally invented symbol to tell us if SSL_MODE_RELEASE_BUFFERS is + * supported + */ +static const int Cryptography_HAS_RELEASE_BUFFERS; + static const int SSL_FILETYPE_PEM; static const int SSL_FILETYPE_ASN1; static const int SSL_ERROR_NONE; @@ -91,6 +96,7 @@ static const int SSL_CB_CONNECT_LOOP; static const int SSL_CB_CONNECT_EXIT; static const int SSL_CB_HANDSHAKE_START; static const int SSL_CB_HANDSHAKE_DONE; +static const int SSL_MODE_RELEASE_BUFFERS; static const int SSL_MODE_ENABLE_PARTIAL_WRITE; static const int SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; static const int SSL_MODE_AUTO_RETRY; -- cgit v1.2.3 From 2ca30db7b8608af3e9994f6b324d9311ca437b78 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 23 Dec 2013 08:21:34 -0800 Subject: This name is alreayd known to be imported --- cryptography/hazmat/backends/openssl/backend.py | 1 - 1 file changed, 1 deletion(-) diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index 6cc8275d..9cd07ea5 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -144,7 +144,6 @@ class Backend(object): for name in cls._modules: module_name = cls._module_prefix + name - __import__(module_name) module = sys.modules[module_name] for condition, names in module.CONDITIONAL_NAMES.items(): if not getattr(lib, condition): -- cgit v1.2.3 From e7d5fdbb7bb2969329070e6f1b35ec49e634f0b3 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Mon, 23 Dec 2013 10:06:12 -0500 Subject: bind a few more things necessary for OpenSSL.crypto. Also tweak some existing definitions to be more functional. --- cryptography/hazmat/backends/openssl/asn1.py | 10 +++++- cryptography/hazmat/backends/openssl/backend.py | 1 + cryptography/hazmat/backends/openssl/bignum.py | 9 +++++- cryptography/hazmat/backends/openssl/evp.py | 7 ++++- cryptography/hazmat/backends/openssl/nid.py | 1 + cryptography/hazmat/backends/openssl/objects.py | 41 +++++++++++++++++++++++++ cryptography/hazmat/backends/openssl/rsa.py | 2 ++ 7 files changed, 68 insertions(+), 3 deletions(-) create mode 100644 cryptography/hazmat/backends/openssl/objects.py diff --git a/cryptography/hazmat/backends/openssl/asn1.py b/cryptography/hazmat/backends/openssl/asn1.py index b56932fa..28ec0631 100644 --- a/cryptography/hazmat/backends/openssl/asn1.py +++ b/cryptography/hazmat/backends/openssl/asn1.py @@ -16,7 +16,14 @@ INCLUDES = """ """ TYPES = """ -typedef ... time_t; +/* + * XXX This typedef is wrong. + * https://bitbucket.org/cffi/cffi/issue/69/support-for-using-typedef-with-primitive + * http://paste.pound-python.org/show/iJcTUMkKeBeS6yXpZWUU/ + * < fijal> exarkun: I think you want to declare your value too large (e.g. long) + * < fijal> exarkun: that way you'll never pass garbage + */ +typedef long time_t; typedef int ASN1_BOOLEAN; typedef ... ASN1_INTEGER; @@ -118,6 +125,7 @@ int ASN1_INTEGER_cmp(ASN1_INTEGER *, ASN1_INTEGER *); long ASN1_INTEGER_get(ASN1_INTEGER *); BIGNUM *ASN1_INTEGER_to_BN(ASN1_INTEGER *, BIGNUM *); +ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai); """ CUSTOMIZATIONS = """ diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index 6cc8275d..3d2fa01f 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -71,6 +71,7 @@ class Backend(object): "evp", "hmac", "nid", + "objects", "opensslv", "pem", "pkcs7", diff --git a/cryptography/hazmat/backends/openssl/bignum.py b/cryptography/hazmat/backends/openssl/bignum.py index 68d0c3a2..4885d5b4 100644 --- a/cryptography/hazmat/backends/openssl/bignum.py +++ b/cryptography/hazmat/backends/openssl/bignum.py @@ -17,7 +17,14 @@ INCLUDES = """ TYPES = """ typedef ... BIGNUM; -typedef ... BN_ULONG; +/* + * XXX This typedef is wrong. + * https://bitbucket.org/cffi/cffi/issue/69/support-for-using-typedef-with-primitive + * http://paste.pound-python.org/show/iJcTUMkKeBeS6yXpZWUU/ + * < fijal> exarkun: I think you want to declare your value too large (e.g. long) + * < fijal> exarkun: that way you'll never pass garbage + */ +typedef unsigned long long BN_ULONG; """ FUNCTIONS = """ diff --git a/cryptography/hazmat/backends/openssl/evp.py b/cryptography/hazmat/backends/openssl/evp.py index 7e50a6b3..68bff2b7 100644 --- a/cryptography/hazmat/backends/openssl/evp.py +++ b/cryptography/hazmat/backends/openssl/evp.py @@ -24,7 +24,9 @@ typedef struct { ...; } EVP_CIPHER_CTX; typedef ... EVP_MD; -typedef struct env_md_ctx_st EVP_MD_CTX; +typedef struct env_md_ctx_st { + ...; +} EVP_MD_CTX; typedef struct evp_pkey_st { int type; @@ -32,6 +34,7 @@ typedef struct evp_pkey_st { } EVP_PKEY; static const int EVP_PKEY_RSA; static const int EVP_PKEY_DSA; +static const int EVP_MAX_MD_SIZE; static const int Cryptography_EVP_CTRL_GCM_SET_IVLEN; static const int Cryptography_EVP_CTRL_GCM_GET_TAG; static const int Cryptography_EVP_CTRL_GCM_SET_TAG; @@ -92,6 +95,8 @@ int EVP_VerifyInit(EVP_MD_CTX *, const EVP_MD *); int EVP_VerifyUpdate(EVP_MD_CTX *, const void *, size_t); int EVP_VerifyFinal(EVP_MD_CTX *, const unsigned char *, unsigned int, EVP_PKEY *); + +const EVP_MD *EVP_md5(void); """ MACROS = """ diff --git a/cryptography/hazmat/backends/openssl/nid.py b/cryptography/hazmat/backends/openssl/nid.py index 111f82f9..40aed19f 100644 --- a/cryptography/hazmat/backends/openssl/nid.py +++ b/cryptography/hazmat/backends/openssl/nid.py @@ -37,6 +37,7 @@ static const int NID_ecdsa_with_SHA384; static const int NID_ecdsa_with_SHA512; static const int NID_crl_reason; static const int NID_pbe_WithSHA1And3_Key_TripleDES_CBC; +static const int NID_subject_alt_name; """ FUNCTIONS = """ diff --git a/cryptography/hazmat/backends/openssl/objects.py b/cryptography/hazmat/backends/openssl/objects.py new file mode 100644 index 00000000..b981252b --- /dev/null +++ b/cryptography/hazmat/backends/openssl/objects.py @@ -0,0 +1,41 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +INCLUDES = """ +#include +""" + +TYPES = """ +""" + +FUNCTIONS = """ +ASN1_OBJECT * OBJ_nid2obj(int n); +const char * OBJ_nid2ln(int n); +const char * OBJ_nid2sn(int n); +int OBJ_obj2nid(const ASN1_OBJECT *o); +int OBJ_ln2nid(const char *ln); +int OBJ_sn2nid(const char *sn); +int OBJ_txt2nid(const char *s); +ASN1_OBJECT * OBJ_txt2obj(const char *s, int no_name); +int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name); +int OBJ_cmp(const ASN1_OBJECT *a,const ASN1_OBJECT *b); +ASN1_OBJECT * OBJ_dup(const ASN1_OBJECT *o); +int OBJ_create(const char *oid,const char *sn,const char *ln); +void OBJ_cleanup(void); +""" + +MACROS = """ +""" + +CUSTOMIZATIONS = """ +""" diff --git a/cryptography/hazmat/backends/openssl/rsa.py b/cryptography/hazmat/backends/openssl/rsa.py index e3a24d0f..f9d9cb59 100644 --- a/cryptography/hazmat/backends/openssl/rsa.py +++ b/cryptography/hazmat/backends/openssl/rsa.py @@ -33,6 +33,7 @@ static const int RSA_SSLV23_PADDING; static const int RSA_NO_PADDING; static const int RSA_PKCS1_OAEP_PADDING; static const int RSA_X931_PADDING; +static const int RSA_F4; """ FUNCTIONS = """ @@ -50,6 +51,7 @@ int RSA_public_decrypt(int, const unsigned char *, unsigned char *, RSA *, int); int RSA_private_decrypt(int, const unsigned char *, unsigned char *, RSA *, int); +int RSA_print(BIO *bp, const RSA *r,int offset); """ MACROS = """ -- cgit v1.2.3 From 834342bea3990d166b9c63620a133d18ae5c9339 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 23 Dec 2013 08:25:24 -0800 Subject: A docstring --- cryptography/hazmat/backends/openssl/backend.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index 9cd07ea5..3e47afa1 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -56,6 +56,20 @@ _OSX_POST_INCLUDE = """ class Backend(object): """ OpenSSL API wrapper. + + Modules listed in the ``_modules`` listed should have the following + attributes: + + * ``INCLUDES``: A string containg C includes. + * ``TYPES``: A string containing C declarations for types. + * ``FUNCTIONS``: A string containing C declarations for functions. + * ``MACROS``: A string containing C declarations for any macros. + * ``CUSTOMIZATIONS``: A string containing arbitrary top-level C code, this + can be used to do things like test for a define and provide an + alternate implementation based on that. + * ``CONDITIONAL_NAMES``: A dict mapping strings of condition names from the + library to a list of names which will not be present without the + condition. """ _module_prefix = "cryptography.hazmat.backends.openssl." _modules = [ -- cgit v1.2.3 From e9ed22aec48fd3d27db6d8c027493b16a61e2ce3 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Mon, 23 Dec 2013 11:27:49 -0500 Subject: Define the newly-required CONDITIONAL_NAMES None of these are conditional at the moment. --- cryptography/hazmat/backends/openssl/objects.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cryptography/hazmat/backends/openssl/objects.py b/cryptography/hazmat/backends/openssl/objects.py index b981252b..b3a2c2c9 100644 --- a/cryptography/hazmat/backends/openssl/objects.py +++ b/cryptography/hazmat/backends/openssl/objects.py @@ -39,3 +39,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} -- cgit v1.2.3 From f1ca56c42a9cb6fc1e83f6c28ae941d0f0044fb9 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 23 Dec 2013 09:54:03 -0800 Subject: Make the naming of things in the OpenSSL backend more consistent --- cryptography/hazmat/backends/openssl/backend.py | 6 +++--- cryptography/hazmat/backends/openssl/evp.py | 15 ++++++--------- 2 files changed, 9 insertions(+), 12 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index 3e47afa1..f11ddf22 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -345,7 +345,7 @@ class _CipherContext(object): assert res != 0 if isinstance(mode, GCM): res = self._backend.lib.EVP_CIPHER_CTX_ctrl( - ctx, self._backend.lib.Cryptography_EVP_CTRL_GCM_SET_IVLEN, + ctx, self._backend.lib.EVP_CTRL_GCM_SET_IVLEN, len(iv_nonce), self._backend.ffi.NULL ) assert res != 0 @@ -354,7 +354,7 @@ class _CipherContext(object): raise ValueError("Authentication tag must be provided and " "be 4 bytes or longer when decrypting") res = self._backend.lib.EVP_CIPHER_CTX_ctrl( - ctx, self._backend.lib.Cryptography_EVP_CTRL_GCM_SET_TAG, + ctx, self._backend.lib.EVP_CTRL_GCM_SET_TAG, len(mode.tag), mode.tag ) assert res != 0 @@ -396,7 +396,7 @@ class _CipherContext(object): block_byte_size = self._block_size // 8 tag_buf = self._backend.ffi.new("unsigned char[]", block_byte_size) res = self._backend.lib.EVP_CIPHER_CTX_ctrl( - self._ctx, self._backend.lib.Cryptography_EVP_CTRL_GCM_GET_TAG, + self._ctx, self._backend.lib.EVP_CTRL_GCM_GET_TAG, block_byte_size, tag_buf ) assert res != 0 diff --git a/cryptography/hazmat/backends/openssl/evp.py b/cryptography/hazmat/backends/openssl/evp.py index 7e50a6b3..e7b61b72 100644 --- a/cryptography/hazmat/backends/openssl/evp.py +++ b/cryptography/hazmat/backends/openssl/evp.py @@ -32,9 +32,9 @@ typedef struct evp_pkey_st { } EVP_PKEY; static const int EVP_PKEY_RSA; static const int EVP_PKEY_DSA; -static const int Cryptography_EVP_CTRL_GCM_SET_IVLEN; -static const int Cryptography_EVP_CTRL_GCM_GET_TAG; -static const int Cryptography_EVP_CTRL_GCM_SET_TAG; +static const int EVP_CTRL_GCM_SET_IVLEN; +static const int EVP_CTRL_GCM_GET_TAG; +static const int EVP_CTRL_GCM_SET_TAG; static const int Cryptography_HAS_GCM; """ @@ -104,9 +104,6 @@ int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *, int, int, void *); CUSTOMIZATIONS = """ #ifdef EVP_CTRL_GCM_SET_TAG const int Cryptography_HAS_GCM = 1; -const int Cryptography_EVP_CTRL_GCM_GET_TAG = EVP_CTRL_GCM_GET_TAG; -const int Cryptography_EVP_CTRL_GCM_SET_TAG = EVP_CTRL_GCM_SET_TAG; -const int Cryptography_EVP_CTRL_GCM_SET_IVLEN = EVP_CTRL_GCM_SET_IVLEN; #else const int Cryptography_HAS_GCM = 0; const int Cryptography_EVP_CTRL_GCM_GET_TAG = -1; @@ -117,8 +114,8 @@ const int Cryptography_EVP_CTRL_GCM_SET_IVLEN = -1; CONDITIONAL_NAMES = { "Cryptography_HAS_GCM": [ - "Cryptography_EVP_CTRL_GCM_GET_TAG", - "Cryptography_EVP_CTRL_GCM_SET_TAG", - "Cryptography_EVP_CTRL_GCM_SET_IVLEN", + "EVP_CTRL_GCM_GET_TAG", + "EVP_CTRL_GCM_SET_TAG", + "EVP_CTRL_GCM_SET_IVLEN", ] } -- cgit v1.2.3 From 0245a9a1070b4d0834cd84aad6292238cf74cb81 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 23 Dec 2013 09:57:07 -0800 Subject: Fix --- cryptography/hazmat/backends/openssl/evp.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/evp.py b/cryptography/hazmat/backends/openssl/evp.py index e7b61b72..8cf96b2d 100644 --- a/cryptography/hazmat/backends/openssl/evp.py +++ b/cryptography/hazmat/backends/openssl/evp.py @@ -106,9 +106,9 @@ CUSTOMIZATIONS = """ const int Cryptography_HAS_GCM = 1; #else const int Cryptography_HAS_GCM = 0; -const int Cryptography_EVP_CTRL_GCM_GET_TAG = -1; -const int Cryptography_EVP_CTRL_GCM_SET_TAG = -1; -const int Cryptography_EVP_CTRL_GCM_SET_IVLEN = -1; +const int EVP_CTRL_GCM_GET_TAG = -1; +const int EVP_CTRL_GCM_SET_TAG = -1; +const int EVP_CTRL_GCM_SET_IVLEN = -1; #endif """ -- cgit v1.2.3 From 22af23ebbbee831f8d9874ebf9080b4b5ed545b7 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Mon, 23 Dec 2013 15:00:02 -0500 Subject: Also make SSL_OP_NO_COMPRESSION optional --- cryptography/hazmat/backends/openssl/ssl.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index a1acde38..3fd0bf23 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -27,6 +27,11 @@ static const int Cryptography_HAS_TLSEXT_HOSTNAME; */ static const int Cryptography_HAS_RELEASE_BUFFERS; +/* Internally invented symbol to tell us if SSL_OP_NO_COMPRESSION is + * supported + */ +static const int Cryptography_HAS_OP_NO_COMPRESSION; + static const int SSL_FILETYPE_PEM; static const int SSL_FILETYPE_ASN1; static const int SSL_ERROR_NONE; @@ -275,6 +280,13 @@ static const int Cryptography_HAS_RELEASE_BUFFERS = 1; static const int Cryptography_HAS_RELEASE_BUFFERS = 0; const int SSL_MODE_RELEASE_BUFFERS = 0; #endif + +#ifdef SSL_OP_NO_COMPRESSION +static const int Cryptography_HAS_OP_NO_COMPRESSION = 1; +#else +static const int Cryptography_HAS_OP_NO_COMPRESSION = 0; +const int SSL_OP_NO_COMPRESSION = 0; +#endif """ CONDITIONAL_NAMES = { @@ -294,4 +306,8 @@ CONDITIONAL_NAMES = { "SSL_MODE_RELEASE_BUFFERS", ], + "Cryptography_HAS_OP_NO_COMPRESSION": [ + "SSL_OP_NO_COMPRESSION", + ], + } -- cgit v1.2.3 From 7b136459af582427d7f738a905aa3cfaa5b4c195 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Mon, 23 Dec 2013 15:11:16 -0500 Subject: revert the time_t and BN_ULONG fixes --- cryptography/hazmat/backends/openssl/asn1.py | 9 +-------- cryptography/hazmat/backends/openssl/bignum.py | 9 +-------- 2 files changed, 2 insertions(+), 16 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/asn1.py b/cryptography/hazmat/backends/openssl/asn1.py index 28ec0631..12e8cb35 100644 --- a/cryptography/hazmat/backends/openssl/asn1.py +++ b/cryptography/hazmat/backends/openssl/asn1.py @@ -16,14 +16,7 @@ INCLUDES = """ """ TYPES = """ -/* - * XXX This typedef is wrong. - * https://bitbucket.org/cffi/cffi/issue/69/support-for-using-typedef-with-primitive - * http://paste.pound-python.org/show/iJcTUMkKeBeS6yXpZWUU/ - * < fijal> exarkun: I think you want to declare your value too large (e.g. long) - * < fijal> exarkun: that way you'll never pass garbage - */ -typedef long time_t; +typedef ... time_t; typedef int ASN1_BOOLEAN; typedef ... ASN1_INTEGER; diff --git a/cryptography/hazmat/backends/openssl/bignum.py b/cryptography/hazmat/backends/openssl/bignum.py index 4885d5b4..68d0c3a2 100644 --- a/cryptography/hazmat/backends/openssl/bignum.py +++ b/cryptography/hazmat/backends/openssl/bignum.py @@ -17,14 +17,7 @@ INCLUDES = """ TYPES = """ typedef ... BIGNUM; -/* - * XXX This typedef is wrong. - * https://bitbucket.org/cffi/cffi/issue/69/support-for-using-typedef-with-primitive - * http://paste.pound-python.org/show/iJcTUMkKeBeS6yXpZWUU/ - * < fijal> exarkun: I think you want to declare your value too large (e.g. long) - * < fijal> exarkun: that way you'll never pass garbage - */ -typedef unsigned long long BN_ULONG; +typedef ... BN_ULONG; """ FUNCTIONS = """ -- cgit v1.2.3 From cf99cc77f863a7254d449ecb5f80a35ad7db11ab Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Mon, 23 Dec 2013 15:18:47 -0500 Subject: Switch two types which were declared as opaque but are actually integers to an integer type so they can be passed to functions --- cryptography/hazmat/backends/openssl/asn1.py | 9 ++++++++- cryptography/hazmat/backends/openssl/bignum.py | 9 ++++++++- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/asn1.py b/cryptography/hazmat/backends/openssl/asn1.py index b56932fa..385c5e8c 100644 --- a/cryptography/hazmat/backends/openssl/asn1.py +++ b/cryptography/hazmat/backends/openssl/asn1.py @@ -16,7 +16,14 @@ INCLUDES = """ """ TYPES = """ -typedef ... time_t; +/* + * XXX This typedef is wrong. + * https://bitbucket.org/cffi/cffi/issue/69/support-for-using-typedef-with-primitive + * http://paste.pound-python.org/show/iJcTUMkKeBeS6yXpZWUU/ + * < fijal> exarkun: I think you want to declare your value too large (e.g. long) + * < fijal> exarkun: that way you'll never pass garbage + */ +typedef long time_t; typedef int ASN1_BOOLEAN; typedef ... ASN1_INTEGER; diff --git a/cryptography/hazmat/backends/openssl/bignum.py b/cryptography/hazmat/backends/openssl/bignum.py index 68d0c3a2..4885d5b4 100644 --- a/cryptography/hazmat/backends/openssl/bignum.py +++ b/cryptography/hazmat/backends/openssl/bignum.py @@ -17,7 +17,14 @@ INCLUDES = """ TYPES = """ typedef ... BIGNUM; -typedef ... BN_ULONG; +/* + * XXX This typedef is wrong. + * https://bitbucket.org/cffi/cffi/issue/69/support-for-using-typedef-with-primitive + * http://paste.pound-python.org/show/iJcTUMkKeBeS6yXpZWUU/ + * < fijal> exarkun: I think you want to declare your value too large (e.g. long) + * < fijal> exarkun: that way you'll never pass garbage + */ +typedef unsigned long long BN_ULONG; """ FUNCTIONS = """ -- cgit v1.2.3 From 90ae866e0a83ef92ce2b2e7c58ccb86e79f3bee8 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 23 Dec 2013 17:21:00 -0600 Subject: add hmac_supported method to backend. Previously we were implicitly assuming that if a hash was supported then its hmac equivalent was as well. --- cryptography/hazmat/backends/openssl/backend.py | 3 +++ docs/hazmat/backends/interfaces.rst | 15 +++++++++++++-- tests/hazmat/primitives/test_hmac.py | 2 +- tests/hazmat/primitives/test_hmac_vectors.py | 14 +++++++------- 4 files changed, 24 insertions(+), 10 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index f11ddf22..7b67fb0b 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -184,6 +184,9 @@ class Backend(object): digest = self.lib.EVP_get_digestbyname(algorithm.name.encode("ascii")) return digest != self.ffi.NULL + def hmac_supported(self, algorithm): + return self.hash_supported(algorithm) + def create_hash_ctx(self, algorithm): return _HashContext(self, algorithm) diff --git a/docs/hazmat/backends/interfaces.rst b/docs/hazmat/backends/interfaces.rst index b524943d..45fbaf09 100644 --- a/docs/hazmat/backends/interfaces.rst +++ b/docs/hazmat/backends/interfaces.rst @@ -126,12 +126,23 @@ A specific ``backend`` may provide one or more of these interfaces. A backend with methods for using cryptographic hash functions as message authentication codes. + .. method:: hmac_supported(algorithm) + + Check if the specified ``algorithm`` is supported by this backend. + + :param algorithm: An instance of a + :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm` + provider. + + :returns: ``True`` if the specified ``algorithm`` is supported for HMAC + by this backend, otherwise ``False``. + .. method:: create_hmac_ctx(algorithm) Create a :class:`~cryptogrpahy.hazmat.primitives.interfaces.HashContext` that - uses the specified ``algorithm`` to calculate a hash-based message - authentication code. + uses the specified ``algorithm`` to calculate a hash-based message + authentication code. :param algorithm: An instance of a :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm` diff --git a/tests/hazmat/primitives/test_hmac.py b/tests/hazmat/primitives/test_hmac.py index 124c4377..1e776c98 100644 --- a/tests/hazmat/primitives/test_hmac.py +++ b/tests/hazmat/primitives/test_hmac.py @@ -34,7 +34,7 @@ class UnsupportedDummyHash(object): class TestHMAC(object): test_copy = generate_base_hmac_test( hashes.MD5(), - only_if=lambda backend: backend.hash_supported(hashes.MD5), + only_if=lambda backend: backend.hmac_supported(hashes.MD5), skip_message="Does not support MD5", ) diff --git a/tests/hazmat/primitives/test_hmac_vectors.py b/tests/hazmat/primitives/test_hmac_vectors.py index 7d0f156a..f884d850 100644 --- a/tests/hazmat/primitives/test_hmac_vectors.py +++ b/tests/hazmat/primitives/test_hmac_vectors.py @@ -27,7 +27,7 @@ class TestHMAC_MD5(object): "rfc-2202-md5.txt", ], hashes.MD5(), - only_if=lambda backend: backend.hash_supported(hashes.MD5), + only_if=lambda backend: backend.hmac_supported(hashes.MD5), skip_message="Does not support MD5", ) @@ -40,7 +40,7 @@ class TestHMAC_SHA1(object): "rfc-2202-sha1.txt", ], hashes.SHA1(), - only_if=lambda backend: backend.hash_supported(hashes.SHA1), + only_if=lambda backend: backend.hmac_supported(hashes.SHA1), skip_message="Does not support SHA1", ) @@ -53,7 +53,7 @@ class TestHMAC_SHA224(object): "rfc-4231-sha224.txt", ], hashes.SHA224(), - only_if=lambda backend: backend.hash_supported(hashes.SHA224), + only_if=lambda backend: backend.hmac_supported(hashes.SHA224), skip_message="Does not support SHA224", ) @@ -66,7 +66,7 @@ class TestHMAC_SHA256(object): "rfc-4231-sha256.txt", ], hashes.SHA256(), - only_if=lambda backend: backend.hash_supported(hashes.SHA256), + only_if=lambda backend: backend.hmac_supported(hashes.SHA256), skip_message="Does not support SHA256", ) @@ -79,7 +79,7 @@ class TestHMAC_SHA384(object): "rfc-4231-sha384.txt", ], hashes.SHA384(), - only_if=lambda backend: backend.hash_supported(hashes.SHA384), + only_if=lambda backend: backend.hmac_supported(hashes.SHA384), skip_message="Does not support SHA384", ) @@ -92,7 +92,7 @@ class TestHMAC_SHA512(object): "rfc-4231-sha512.txt", ], hashes.SHA512(), - only_if=lambda backend: backend.hash_supported(hashes.SHA512), + only_if=lambda backend: backend.hmac_supported(hashes.SHA512), skip_message="Does not support SHA512", ) @@ -105,6 +105,6 @@ class TestHMAC_RIPEMD160(object): "rfc-2286-ripemd160.txt", ], hashes.RIPEMD160(), - only_if=lambda backend: backend.hash_supported(hashes.RIPEMD160), + only_if=lambda backend: backend.hmac_supported(hashes.RIPEMD160), skip_message="Does not support RIPEMD160", ) -- cgit v1.2.3 From 4f776c495cfef4dd29023cb7bb035612d1e53916 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 23 Dec 2013 17:25:54 -0600 Subject: fix erroneous indent and add abstractmethod to HMACBackend --- cryptography/hazmat/backends/interfaces.py | 7 +++++++ docs/hazmat/backends/interfaces.rst | 4 ++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/cryptography/hazmat/backends/interfaces.py b/cryptography/hazmat/backends/interfaces.py index 912476bb..9a570968 100644 --- a/cryptography/hazmat/backends/interfaces.py +++ b/cryptography/hazmat/backends/interfaces.py @@ -59,6 +59,13 @@ class HashBackend(six.with_metaclass(abc.ABCMeta)): class HMACBackend(six.with_metaclass(abc.ABCMeta)): + @abc.abstractmethod + def hmac_supported(self, algorithm): + """ + Return True if the hash algorithm is supported for HMAC by this + backend. + """ + @abc.abstractmethod def create_hmac_ctx(self, key, algorithm): """ diff --git a/docs/hazmat/backends/interfaces.rst b/docs/hazmat/backends/interfaces.rst index 45fbaf09..5b6cd64d 100644 --- a/docs/hazmat/backends/interfaces.rst +++ b/docs/hazmat/backends/interfaces.rst @@ -141,8 +141,8 @@ A specific ``backend`` may provide one or more of these interfaces. Create a :class:`~cryptogrpahy.hazmat.primitives.interfaces.HashContext` that - uses the specified ``algorithm`` to calculate a hash-based message - authentication code. + uses the specified ``algorithm`` to calculate a hash-based message + authentication code. :param algorithm: An instance of a :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm` -- cgit v1.2.3 From 93a0b2f1f7ec9fcc2c0f5327f4f88378ae19561e Mon Sep 17 00:00:00 2001 From: David Reid Date: Mon, 23 Dec 2013 15:56:21 -0800 Subject: Run py.test with catpure=no for more faster. --- tox.ini | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tox.ini b/tox.ini index 39fe024f..61143112 100644 --- a/tox.ini +++ b/tox.ini @@ -7,7 +7,7 @@ deps = coverage pretend commands = - coverage run --source=cryptography/,tests/ -m pytest --strict + coverage run --source=cryptography/,tests/ -m pytest --capture=no --strict coverage report -m [testenv:docs] @@ -24,7 +24,7 @@ commands = # Temporarily disable coverage on pypy because of performance problems with # coverage.py on pypy. [testenv:pypy] -commands = py.test +commands = py.test --capture=no [testenv:pep8] deps = flake8 -- cgit v1.2.3 From c80c68da793a255c552e0131ebc07ba2cf911570 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 23 Dec 2013 19:38:08 -0600 Subject: add more skip check lambdas --- tests/hazmat/primitives/test_3des.py | 24 ++++++++++++++++++++++++ tests/hazmat/primitives/test_aes.py | 16 ++++++++++++++++ 2 files changed, 40 insertions(+) diff --git a/tests/hazmat/primitives/test_3des.py b/tests/hazmat/primitives/test_3des.py index 0db56f47..4e380dee 100644 --- a/tests/hazmat/primitives/test_3des.py +++ b/tests/hazmat/primitives/test_3des.py @@ -39,6 +39,10 @@ class TestTripleDES_CBC(object): ], lambda keys, **kwargs: algorithms.TripleDES(binascii.unhexlify(keys)), lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), + only_if=lambda backend: backend.cipher_supported( + algorithms.TripleDES("\x00" * 8), modes.CBC("\x00" * 8) + ), + skip_message="Does not support TripleDES CBC", ) test_MMT = generate_encrypt_test( @@ -53,6 +57,10 @@ class TestTripleDES_CBC(object): binascii.unhexlify(key1 + key2 + key3) ), lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), + only_if=lambda backend: backend.cipher_supported( + algorithms.TripleDES("\x00" * 8), modes.CBC("\x00" * 8) + ), + skip_message="Does not support TripleDES CBC", ) @@ -69,6 +77,10 @@ class TestTripleDES_OFB(object): ], lambda keys, **kwargs: algorithms.TripleDES(binascii.unhexlify(keys)), lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), + only_if=lambda backend: backend.cipher_supported( + algorithms.TripleDES("\x00" * 8), modes.OFB("\x00" * 8) + ), + skip_message="Does not support TripleDES OFB", ) test_MMT = generate_encrypt_test( @@ -83,6 +95,10 @@ class TestTripleDES_OFB(object): binascii.unhexlify(key1 + key2 + key3) ), lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), + only_if=lambda backend: backend.cipher_supported( + algorithms.TripleDES("\x00" * 8), modes.OFB("\x00" * 8) + ), + skip_message="Does not support TripleDES OFB", ) @@ -99,6 +115,10 @@ class TestTripleDES_CFB(object): ], lambda keys, **kwargs: algorithms.TripleDES(binascii.unhexlify(keys)), lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), + only_if=lambda backend: backend.cipher_supported( + algorithms.TripleDES("\x00" * 8), modes.CFB("\x00" * 8) + ), + skip_message="Does not support TripleDES CFB", ) test_MMT = generate_encrypt_test( @@ -113,4 +133,8 @@ class TestTripleDES_CFB(object): binascii.unhexlify(key1 + key2 + key3) ), lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), + only_if=lambda backend: backend.cipher_supported( + algorithms.TripleDES("\x00" * 8), modes.CFB("\x00" * 8) + ), + skip_message="Does not support TripleDES CFB", ) diff --git a/tests/hazmat/primitives/test_aes.py b/tests/hazmat/primitives/test_aes.py index 9e5a3cb5..241772e6 100644 --- a/tests/hazmat/primitives/test_aes.py +++ b/tests/hazmat/primitives/test_aes.py @@ -47,6 +47,10 @@ class TestAES(object): ], lambda key, **kwargs: algorithms.AES(binascii.unhexlify(key)), lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), + only_if=lambda backend: backend.cipher_supported( + algorithms.AES("\x00" * 16), modes.CBC("\x00" * 16) + ), + skip_message="Does not support AES CBC", ) test_ECB = generate_encrypt_test( @@ -71,6 +75,10 @@ class TestAES(object): ], lambda key, **kwargs: algorithms.AES(binascii.unhexlify(key)), lambda **kwargs: modes.ECB(), + only_if=lambda backend: backend.cipher_supported( + algorithms.AES("\x00" * 16), modes.ECB() + ), + skip_message="Does not support AES ECB", ) test_OFB = generate_encrypt_test( @@ -95,6 +103,10 @@ class TestAES(object): ], lambda key, **kwargs: algorithms.AES(binascii.unhexlify(key)), lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), + only_if=lambda backend: backend.cipher_supported( + algorithms.AES("\x00" * 16), modes.OFB("\x00" * 16) + ), + skip_message="Does not support AES OFB", ) test_CFB = generate_encrypt_test( @@ -119,6 +131,10 @@ class TestAES(object): ], lambda key, **kwargs: algorithms.AES(binascii.unhexlify(key)), lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), + only_if=lambda backend: backend.cipher_supported( + algorithms.AES("\x00" * 16), modes.CFB("\x00" * 16) + ), + skip_message="Does not support AES CFB", ) test_CTR = generate_encrypt_test( -- cgit v1.2.3 From 1a9bbf24301a9b0dc76ede1128d74ca629075888 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 24 Dec 2013 10:59:50 -0800 Subject: Document our API stability policy. Fixes #312 --- docs/contributing.rst | 1 - docs/index.rst | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/contributing.rst b/docs/contributing.rst index 744f2098..620e1b6a 100644 --- a/docs/contributing.rst +++ b/docs/contributing.rst @@ -136,7 +136,6 @@ Include a space after commas between parameters: // Bad long f(int,char *) - Documentation ------------- diff --git a/docs/index.rst b/docs/index.rst index 381063df..70558bda 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -75,4 +75,5 @@ The ``cryptography`` open source project contributing security + api-stability community -- cgit v1.2.3 From f5415c859d4e413e9ac8b1862157babdcbda88ec Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 24 Dec 2013 11:00:15 -0800 Subject: Forgotten file --- docs/api-stability.rst | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 docs/api-stability.rst diff --git a/docs/api-stability.rst b/docs/api-stability.rst new file mode 100644 index 00000000..6497a687 --- /dev/null +++ b/docs/api-stability.rst @@ -0,0 +1,48 @@ +API Stability +============= + +From its first release, ``cryptography`` will have a strong API stability +policy. + +What does this policy cover? +---------------------------- + +This policy includes any API or behavior which is documented in this +documentation. + +What does "stable" mean? +------------------------ + +* Public APIs will not be removed or renamed without providing a compatibility + alias. +* The behavior of existing APIs will not change. + +What doesn't this policy cover? +------------------------------- + +* We may add new features, things like the result of ``dir(obj))`` or the + contents of ``obj.__dict__`` may change. +* Objects are not guarnteed to be pickleable, and pickled objects from one + version of ``cryptography`` may not be loadable in future versions. + +Security +~~~~~~~~ + +In the event a security vulnerability, or hardening necessitates it, we will +break backwards compatibility in order to address an issue. + +Deprecation +----------- + +From time to time we will want to change the behavior of an API or remove it +entirely. In that case, here's how the process will work: + +* In ``cryptography X.Y`` the feature exists. +* In ``cryptography X.Y+1`` using that feature will emit a + ``PendingDeprecationWarning``. +* In ``cryptography X.Y+2`` using that feature will emit a + ``DeprecationWarning``. +* In ``cryptography X.Y+3`` the feature will be removed or changed. + +In short, code which runs without warnings will always continue to work for a +period of two releases. -- cgit v1.2.3 From 6cf1e697a8024c779b9b86d29f300a3bfed30cfe Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 24 Dec 2013 11:02:54 -0800 Subject: Note abotu development versions --- docs/api-stability.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/api-stability.rst b/docs/api-stability.rst index 6497a687..40608ac5 100644 --- a/docs/api-stability.rst +++ b/docs/api-stability.rst @@ -24,6 +24,8 @@ What doesn't this policy cover? contents of ``obj.__dict__`` may change. * Objects are not guarnteed to be pickleable, and pickled objects from one version of ``cryptography`` may not be loadable in future versions. +* Development versions of ``cryptography``. Before a feature is in a release, + it is not covered by this policy and may change. Security ~~~~~~~~ -- cgit v1.2.3 From d43134ae57a1bb91bfa47a53176a88789728d686 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 24 Dec 2013 11:03:16 -0800 Subject: Typo --- docs/api-stability.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/api-stability.rst b/docs/api-stability.rst index 40608ac5..a457306f 100644 --- a/docs/api-stability.rst +++ b/docs/api-stability.rst @@ -22,7 +22,7 @@ What doesn't this policy cover? * We may add new features, things like the result of ``dir(obj))`` or the contents of ``obj.__dict__`` may change. -* Objects are not guarnteed to be pickleable, and pickled objects from one +* Objects are not guaranteed to be pickleable, and pickled objects from one version of ``cryptography`` may not be loadable in future versions. * Development versions of ``cryptography``. Before a feature is in a release, it is not covered by this policy and may change. -- cgit v1.2.3 From 1c9e57bbc64d5023ec9d35f162b0a071a39b0a48 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 24 Dec 2013 12:47:45 -0800 Subject: Rephrase --- docs/api-stability.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/api-stability.rst b/docs/api-stability.rst index a457306f..e87cc140 100644 --- a/docs/api-stability.rst +++ b/docs/api-stability.rst @@ -30,8 +30,9 @@ What doesn't this policy cover? Security ~~~~~~~~ -In the event a security vulnerability, or hardening necessitates it, we will -break backwards compatibility in order to address an issue. +One exception to our API stability policy is for security. We will violate this +policy as necessary in order to resolve a security issue or harden +``cryptography`` against a possible attack. Deprecation ----------- -- cgit v1.2.3 From 8f42fe4e86267c4dee696707ac08371a1aa2531a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 24 Dec 2013 13:15:52 -0800 Subject: Slightly reorganize and cleanuip the backend docs --- docs/hazmat/backends/index.rst | 24 ++++++++++++------------ docs/hazmat/backends/openssl.rst | 4 ++-- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/docs/hazmat/backends/index.rst b/docs/hazmat/backends/index.rst index a89cf0d5..06951281 100644 --- a/docs/hazmat/backends/index.rst +++ b/docs/hazmat/backends/index.rst @@ -1,17 +1,10 @@ .. hazmat:: -Bindings +Backends ======== -.. toctree:: - :maxdepth: 1 - - openssl - interfaces - - -Getting a Backend Provider -~~~~~~~~~~~~~~~~~~~~~~~~~~ +Getting a Backend +----------------- .. currentmodule:: cryptography.hazmat.backends @@ -19,8 +12,7 @@ Getting a Backend Provider the widest number of supported cryptographic algorithms as well as supporting platform specific implementations. -You can get the default backend by calling -:func:`~default_backend`. +You can get the default backend by calling :func:`~default_backend`. The default backend will change over time as we implement new backends and the libraries we use in those backends changes. @@ -32,3 +24,11 @@ the libraries we use in those backends changes. :class:`~interfaces.CipherBackend`, :class:`~interfaces.HashBackend`, and :class:`~interfaces.HMACBackend`. +Individual Backends +------------------- + +.. toctree:: + :maxdepth: 1 + + openssl + interfaces diff --git a/docs/hazmat/backends/openssl.rst b/docs/hazmat/backends/openssl.rst index 12fbff04..5e51c75e 100644 --- a/docs/hazmat/backends/openssl.rst +++ b/docs/hazmat/backends/openssl.rst @@ -1,7 +1,7 @@ .. hazmat:: -OpenSSL -======= +OpenSSL Backend +=============== These are `CFFI`_ bindings to the `OpenSSL`_ C library. -- cgit v1.2.3 From 2a36dd1b9f68f34f2545e519f8eac00b8b40c59d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 24 Dec 2013 13:44:45 -0800 Subject: Cover a missed branch --- tests/hazmat/primitives/utils.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index b00d3184..e0184777 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -22,8 +22,7 @@ def _load_all_params(path, file_names, param_loader): def generate_encrypt_test(param_loader, path, file_names, cipher_factory, - mode_factory, only_if=lambda backend: True, - skip_message=None): + mode_factory, only_if, skip_message=None): all_params = _load_all_params(path, file_names, param_loader) @pytest.mark.parametrize("params", all_params) -- cgit v1.2.3 From 7e4bc6d87741e8469ffcd00dc8004875ec9a95fe Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 24 Dec 2013 22:23:53 -0600 Subject: add test marks for various backend functionality --- pytest.ini | 4 ++++ tests/conftest.py | 16 ++++++++++++++++ tests/skip_check.py | 22 ++++++++++++++++++++++ tests/test_skip_check.py | 31 +++++++++++++++++++++++++++++++ 4 files changed, 73 insertions(+) create mode 100644 tests/skip_check.py create mode 100644 tests/test_skip_check.py diff --git a/pytest.ini b/pytest.ini index 723735ac..1aeb23fc 100644 --- a/pytest.ini +++ b/pytest.ini @@ -1,2 +1,6 @@ [pytest] addopts = -r s +markers = + hmac: this test requires a backend providing HMACBackend + cipher: this test requires a backend providing CipherBackend + hash: this test requires a backend providing HashBackend diff --git a/tests/conftest.py b/tests/conftest.py index 71662802..91ba988f 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -1,5 +1,21 @@ +import pytest + +from cryptography.hazmat.backends.interfaces import ( + HMACBackend, CipherBackend, HashBackend +) + +from .skip_check import skip_check + + def pytest_generate_tests(metafunc): from cryptography.hazmat.backends import _ALL_BACKENDS if "backend" in metafunc.fixturenames: metafunc.parametrize("backend", _ALL_BACKENDS) + + +@pytest.mark.trylast +def pytest_runtest_setup(item): + skip_check('hmac', HMACBackend, item) + skip_check('cipher', CipherBackend, item) + skip_check('hash', HashBackend, item) diff --git a/tests/skip_check.py b/tests/skip_check.py new file mode 100644 index 00000000..4d454d73 --- /dev/null +++ b/tests/skip_check.py @@ -0,0 +1,22 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import absolute_import, division, print_function + +import pytest + + +def skip_check(name, iface, item): + if name in item.keywords and item.funcargs.get('backend') is not None: + if not isinstance(item.funcargs['backend'], iface): + pytest.skip("Backend does not support {}".format(name)) diff --git a/tests/test_skip_check.py b/tests/test_skip_check.py new file mode 100644 index 00000000..3b303aca --- /dev/null +++ b/tests/test_skip_check.py @@ -0,0 +1,31 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import absolute_import, division, print_function + +import pretend + +import pytest + +from .skip_check import skip_check + + +class FakeInterface(object): + pass + + +def test_skip_check(): + item = pretend.stub(keywords=["fake_name"], funcargs={"backend": True}) + with pytest.raises(pytest.skip.Exception) as exc_info: + skip_check("fake_name", FakeInterface, item) + assert exc_info.value.args[0] == "Backend does not support fake_name" -- cgit v1.2.3 From 0cbcfa67fc7c1e13764f4b662fc238a372507af8 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 24 Dec 2013 22:29:12 -0600 Subject: whoops, python 2.6 compatible format string --- tests/skip_check.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/skip_check.py b/tests/skip_check.py index 4d454d73..454a3c5f 100644 --- a/tests/skip_check.py +++ b/tests/skip_check.py @@ -19,4 +19,4 @@ import pytest def skip_check(name, iface, item): if name in item.keywords and item.funcargs.get('backend') is not None: if not isinstance(item.funcargs['backend'], iface): - pytest.skip("Backend does not support {}".format(name)) + pytest.skip("Backend does not support {0}".format(name)) -- cgit v1.2.3 From 4f2b1031c3c155b9af3817126b9ac508cbf849a3 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 24 Dec 2013 22:24:31 -0600 Subject: add all the markers to the tests --- tests/hazmat/primitives/test_3des.py | 4 ++++ tests/hazmat/primitives/test_aes.py | 2 ++ tests/hazmat/primitives/test_arc4.py | 2 ++ tests/hazmat/primitives/test_block.py | 3 +++ tests/hazmat/primitives/test_blowfish.py | 2 ++ tests/hazmat/primitives/test_camellia.py | 2 ++ tests/hazmat/primitives/test_cast5.py | 2 ++ tests/hazmat/primitives/test_hash_vectors.py | 9 +++++++++ tests/hazmat/primitives/test_hashes.py | 9 +++++++++ tests/hazmat/primitives/test_hmac.py | 1 + tests/hazmat/primitives/test_hmac_vectors.py | 9 +++++++++ 11 files changed, 45 insertions(+) diff --git a/tests/hazmat/primitives/test_3des.py b/tests/hazmat/primitives/test_3des.py index 4e380dee..4c43898c 100644 --- a/tests/hazmat/primitives/test_3des.py +++ b/tests/hazmat/primitives/test_3des.py @@ -19,6 +19,7 @@ from __future__ import absolute_import, division, print_function import binascii import os +import pytest from cryptography.hazmat.primitives.ciphers import algorithms, modes @@ -26,6 +27,7 @@ from .utils import generate_encrypt_test from ...utils import load_nist_vectors +@pytest.mark.cipher class TestTripleDES_CBC(object): test_KAT = generate_encrypt_test( load_nist_vectors, @@ -64,6 +66,7 @@ class TestTripleDES_CBC(object): ) +@pytest.mark.cipher class TestTripleDES_OFB(object): test_KAT = generate_encrypt_test( load_nist_vectors, @@ -102,6 +105,7 @@ class TestTripleDES_OFB(object): ) +@pytest.mark.cipher class TestTripleDES_CFB(object): test_KAT = generate_encrypt_test( load_nist_vectors, diff --git a/tests/hazmat/primitives/test_aes.py b/tests/hazmat/primitives/test_aes.py index 241772e6..5b706842 100644 --- a/tests/hazmat/primitives/test_aes.py +++ b/tests/hazmat/primitives/test_aes.py @@ -15,6 +15,7 @@ from __future__ import absolute_import, division, print_function import binascii import os +import pytest from cryptography.hazmat.primitives.ciphers import algorithms, modes @@ -24,6 +25,7 @@ from ...utils import ( ) +@pytest.mark.cipher class TestAES(object): test_CBC = generate_encrypt_test( load_nist_vectors, diff --git a/tests/hazmat/primitives/test_arc4.py b/tests/hazmat/primitives/test_arc4.py index a9ef2bbe..d506a8a1 100644 --- a/tests/hazmat/primitives/test_arc4.py +++ b/tests/hazmat/primitives/test_arc4.py @@ -15,6 +15,7 @@ from __future__ import absolute_import, division, print_function import binascii import os +import pytest from cryptography.hazmat.primitives.ciphers import algorithms @@ -22,6 +23,7 @@ from .utils import generate_stream_encryption_test from ...utils import load_nist_vectors +@pytest.mark.cipher class TestARC4(object): test_rfc = generate_stream_encryption_test( load_nist_vectors, diff --git a/tests/hazmat/primitives/test_block.py b/tests/hazmat/primitives/test_block.py index 573f5633..22a7c02f 100644 --- a/tests/hazmat/primitives/test_block.py +++ b/tests/hazmat/primitives/test_block.py @@ -41,6 +41,7 @@ class DummyCipher(object): name = "dummy-cipher" +@pytest.mark.cipher class TestCipher(object): def test_creates_encryptor(self, backend): cipher = Cipher( @@ -64,6 +65,7 @@ class TestCipher(object): Cipher(algorithm, mode=None, backend=backend) +@pytest.mark.cipher class TestCipherContext(object): def test_use_after_finalize(self, backend): cipher = Cipher( @@ -134,6 +136,7 @@ class TestCipherContext(object): decryptor.finalize() +@pytest.mark.cipher class TestAEADCipherContext(object): test_aead_exceptions = generate_aead_exception_test( algorithms.AES, diff --git a/tests/hazmat/primitives/test_blowfish.py b/tests/hazmat/primitives/test_blowfish.py index 065855d7..2d5dc521 100644 --- a/tests/hazmat/primitives/test_blowfish.py +++ b/tests/hazmat/primitives/test_blowfish.py @@ -15,6 +15,7 @@ from __future__ import absolute_import, division, print_function import binascii import os +import pytest from cryptography.hazmat.primitives.ciphers import algorithms, modes @@ -22,6 +23,7 @@ from .utils import generate_encrypt_test from ...utils import load_nist_vectors +@pytest.mark.cipher class TestBlowfish(object): test_ECB = generate_encrypt_test( load_nist_vectors, diff --git a/tests/hazmat/primitives/test_camellia.py b/tests/hazmat/primitives/test_camellia.py index 6e5fe682..0b6c37fb 100644 --- a/tests/hazmat/primitives/test_camellia.py +++ b/tests/hazmat/primitives/test_camellia.py @@ -15,6 +15,7 @@ from __future__ import absolute_import, division, print_function import binascii import os +import pytest from cryptography.hazmat.primitives.ciphers import algorithms, modes @@ -24,6 +25,7 @@ from ...utils import ( ) +@pytest.mark.cipher class TestCamellia(object): test_ECB = generate_encrypt_test( load_cryptrec_vectors, diff --git a/tests/hazmat/primitives/test_cast5.py b/tests/hazmat/primitives/test_cast5.py index 406f9b55..2ebc040b 100644 --- a/tests/hazmat/primitives/test_cast5.py +++ b/tests/hazmat/primitives/test_cast5.py @@ -15,6 +15,7 @@ from __future__ import absolute_import, division, print_function import binascii import os +import pytest from cryptography.hazmat.primitives.ciphers import algorithms, modes @@ -22,6 +23,7 @@ from .utils import generate_encrypt_test from ...utils import load_nist_vectors +@pytest.mark.cipher class TestCAST5(object): test_ECB = generate_encrypt_test( load_nist_vectors, diff --git a/tests/hazmat/primitives/test_hash_vectors.py b/tests/hazmat/primitives/test_hash_vectors.py index a8655812..5c9e9bed 100644 --- a/tests/hazmat/primitives/test_hash_vectors.py +++ b/tests/hazmat/primitives/test_hash_vectors.py @@ -14,6 +14,7 @@ from __future__ import absolute_import, division, print_function import os +import pytest from cryptography.hazmat.primitives import hashes @@ -21,6 +22,7 @@ from .utils import generate_hash_test, generate_long_string_hash_test from ...utils import load_hash_vectors +@pytest.mark.hash class TestSHA1(object): test_SHA1 = generate_hash_test( load_hash_vectors, @@ -35,6 +37,7 @@ class TestSHA1(object): ) +@pytest.mark.hash class TestSHA224(object): test_SHA224 = generate_hash_test( load_hash_vectors, @@ -49,6 +52,7 @@ class TestSHA224(object): ) +@pytest.mark.hash class TestSHA256(object): test_SHA256 = generate_hash_test( load_hash_vectors, @@ -63,6 +67,7 @@ class TestSHA256(object): ) +@pytest.mark.hash class TestSHA384(object): test_SHA384 = generate_hash_test( load_hash_vectors, @@ -77,6 +82,7 @@ class TestSHA384(object): ) +@pytest.mark.hash class TestSHA512(object): test_SHA512 = generate_hash_test( load_hash_vectors, @@ -91,6 +97,7 @@ class TestSHA512(object): ) +@pytest.mark.hash class TestRIPEMD160(object): test_RIPEMD160 = generate_hash_test( load_hash_vectors, @@ -111,6 +118,7 @@ class TestRIPEMD160(object): ) +@pytest.mark.hash class TestWhirlpool(object): test_whirlpool = generate_hash_test( load_hash_vectors, @@ -133,6 +141,7 @@ class TestWhirlpool(object): ) +@pytest.mark.hash class TestMD5(object): test_md5 = generate_hash_test( load_hash_vectors, diff --git a/tests/hazmat/primitives/test_hashes.py b/tests/hazmat/primitives/test_hashes.py index 72bc3e27..45faaab2 100644 --- a/tests/hazmat/primitives/test_hashes.py +++ b/tests/hazmat/primitives/test_hashes.py @@ -31,6 +31,7 @@ class UnsupportedDummyHash(object): name = "unsupported-dummy-hash" +@pytest.mark.hash class TestHashContext(object): def test_hash_reject_unicode(self, backend): m = hashes.Hash(hashes.SHA1(), backend=backend) @@ -68,6 +69,7 @@ class TestHashContext(object): hashes.Hash(UnsupportedDummyHash(), backend) +@pytest.mark.hash class TestSHA1(object): test_SHA1 = generate_base_hash_test( hashes.SHA1(), @@ -78,6 +80,7 @@ class TestSHA1(object): ) +@pytest.mark.hash class TestSHA224(object): test_SHA224 = generate_base_hash_test( hashes.SHA224(), @@ -88,6 +91,7 @@ class TestSHA224(object): ) +@pytest.mark.hash class TestSHA256(object): test_SHA256 = generate_base_hash_test( hashes.SHA256(), @@ -98,6 +102,7 @@ class TestSHA256(object): ) +@pytest.mark.hash class TestSHA384(object): test_SHA384 = generate_base_hash_test( hashes.SHA384(), @@ -108,6 +113,7 @@ class TestSHA384(object): ) +@pytest.mark.hash class TestSHA512(object): test_SHA512 = generate_base_hash_test( hashes.SHA512(), @@ -118,6 +124,7 @@ class TestSHA512(object): ) +@pytest.mark.hash class TestRIPEMD160(object): test_RIPEMD160 = generate_base_hash_test( hashes.RIPEMD160(), @@ -128,6 +135,7 @@ class TestRIPEMD160(object): ) +@pytest.mark.hash class TestWhirlpool(object): test_Whirlpool = generate_base_hash_test( hashes.Whirlpool(), @@ -138,6 +146,7 @@ class TestWhirlpool(object): ) +@pytest.mark.hash class TestMD5(object): test_MD5 = generate_base_hash_test( hashes.MD5(), diff --git a/tests/hazmat/primitives/test_hmac.py b/tests/hazmat/primitives/test_hmac.py index 1e776c98..6d8cc27b 100644 --- a/tests/hazmat/primitives/test_hmac.py +++ b/tests/hazmat/primitives/test_hmac.py @@ -31,6 +31,7 @@ class UnsupportedDummyHash(object): name = "unsupported-dummy-hash" +@pytest.mark.hmac class TestHMAC(object): test_copy = generate_base_hmac_test( hashes.MD5(), diff --git a/tests/hazmat/primitives/test_hmac_vectors.py b/tests/hazmat/primitives/test_hmac_vectors.py index f884d850..9bc06a2e 100644 --- a/tests/hazmat/primitives/test_hmac_vectors.py +++ b/tests/hazmat/primitives/test_hmac_vectors.py @@ -13,12 +13,15 @@ from __future__ import absolute_import, division, print_function +import pytest + from cryptography.hazmat.primitives import hashes from .utils import generate_hmac_test from ...utils import load_hash_vectors +@pytest.mark.hmac class TestHMAC_MD5(object): test_hmac_md5 = generate_hmac_test( load_hash_vectors, @@ -32,6 +35,7 @@ class TestHMAC_MD5(object): ) +@pytest.mark.hmac class TestHMAC_SHA1(object): test_hmac_sha1 = generate_hmac_test( load_hash_vectors, @@ -45,6 +49,7 @@ class TestHMAC_SHA1(object): ) +@pytest.mark.hmac class TestHMAC_SHA224(object): test_hmac_sha224 = generate_hmac_test( load_hash_vectors, @@ -58,6 +63,7 @@ class TestHMAC_SHA224(object): ) +@pytest.mark.hmac class TestHMAC_SHA256(object): test_hmac_sha256 = generate_hmac_test( load_hash_vectors, @@ -71,6 +77,7 @@ class TestHMAC_SHA256(object): ) +@pytest.mark.hmac class TestHMAC_SHA384(object): test_hmac_sha384 = generate_hmac_test( load_hash_vectors, @@ -84,6 +91,7 @@ class TestHMAC_SHA384(object): ) +@pytest.mark.hmac class TestHMAC_SHA512(object): test_hmac_sha512 = generate_hmac_test( load_hash_vectors, @@ -97,6 +105,7 @@ class TestHMAC_SHA512(object): ) +@pytest.mark.hmac class TestHMAC_RIPEMD160(object): test_hmac_ripemd160 = generate_hmac_test( load_hash_vectors, -- cgit v1.2.3 From 5a09c6e9545373cece95f87ed28579f05959fced Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 24 Dec 2013 21:03:23 -0800 Subject: Include teh name of the backend in the error message --- tests/skip_check.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/tests/skip_check.py b/tests/skip_check.py index 454a3c5f..42a152ea 100644 --- a/tests/skip_check.py +++ b/tests/skip_check.py @@ -17,6 +17,8 @@ import pytest def skip_check(name, iface, item): - if name in item.keywords and item.funcargs.get('backend') is not None: - if not isinstance(item.funcargs['backend'], iface): - pytest.skip("Backend does not support {0}".format(name)) + if name in item.keywords and "backend" in item.funcargs: + if not isinstance(item.funcargs["backend"], iface): + pytest.skip("{0} backend does not support {1}".format( + item.funcargs["backend"], name + )) -- cgit v1.2.3 From 6198da1fcce93d7efb89995d0a10d9170ee8f230 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 24 Dec 2013 21:03:43 -0800 Subject: Update test --- tests/test_skip_check.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_skip_check.py b/tests/test_skip_check.py index 3b303aca..73a6e563 100644 --- a/tests/test_skip_check.py +++ b/tests/test_skip_check.py @@ -28,4 +28,4 @@ def test_skip_check(): item = pretend.stub(keywords=["fake_name"], funcargs={"backend": True}) with pytest.raises(pytest.skip.Exception) as exc_info: skip_check("fake_name", FakeInterface, item) - assert exc_info.value.args[0] == "Backend does not support fake_name" + assert exc_info.value.args[0] == "True backend does not support fake_name" -- cgit v1.2.3 From 8d85b058d28d37f1f505292f7cc6311092dd4f39 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 24 Dec 2013 23:50:59 -0600 Subject: correct import style --- tests/hazmat/primitives/test_3des.py | 1 + tests/hazmat/primitives/test_aes.py | 1 + tests/hazmat/primitives/test_arc4.py | 1 + tests/hazmat/primitives/test_blowfish.py | 1 + tests/hazmat/primitives/test_camellia.py | 1 + tests/hazmat/primitives/test_cast5.py | 1 + tests/hazmat/primitives/test_hash_vectors.py | 1 + 7 files changed, 7 insertions(+) diff --git a/tests/hazmat/primitives/test_3des.py b/tests/hazmat/primitives/test_3des.py index 4c43898c..439ca258 100644 --- a/tests/hazmat/primitives/test_3des.py +++ b/tests/hazmat/primitives/test_3des.py @@ -19,6 +19,7 @@ from __future__ import absolute_import, division, print_function import binascii import os + import pytest from cryptography.hazmat.primitives.ciphers import algorithms, modes diff --git a/tests/hazmat/primitives/test_aes.py b/tests/hazmat/primitives/test_aes.py index 5b706842..e9ef3853 100644 --- a/tests/hazmat/primitives/test_aes.py +++ b/tests/hazmat/primitives/test_aes.py @@ -15,6 +15,7 @@ from __future__ import absolute_import, division, print_function import binascii import os + import pytest from cryptography.hazmat.primitives.ciphers import algorithms, modes diff --git a/tests/hazmat/primitives/test_arc4.py b/tests/hazmat/primitives/test_arc4.py index d506a8a1..f2e2452c 100644 --- a/tests/hazmat/primitives/test_arc4.py +++ b/tests/hazmat/primitives/test_arc4.py @@ -15,6 +15,7 @@ from __future__ import absolute_import, division, print_function import binascii import os + import pytest from cryptography.hazmat.primitives.ciphers import algorithms diff --git a/tests/hazmat/primitives/test_blowfish.py b/tests/hazmat/primitives/test_blowfish.py index 2d5dc521..79ceabe7 100644 --- a/tests/hazmat/primitives/test_blowfish.py +++ b/tests/hazmat/primitives/test_blowfish.py @@ -15,6 +15,7 @@ from __future__ import absolute_import, division, print_function import binascii import os + import pytest from cryptography.hazmat.primitives.ciphers import algorithms, modes diff --git a/tests/hazmat/primitives/test_camellia.py b/tests/hazmat/primitives/test_camellia.py index 0b6c37fb..c376220e 100644 --- a/tests/hazmat/primitives/test_camellia.py +++ b/tests/hazmat/primitives/test_camellia.py @@ -15,6 +15,7 @@ from __future__ import absolute_import, division, print_function import binascii import os + import pytest from cryptography.hazmat.primitives.ciphers import algorithms, modes diff --git a/tests/hazmat/primitives/test_cast5.py b/tests/hazmat/primitives/test_cast5.py index 2ebc040b..a4789c65 100644 --- a/tests/hazmat/primitives/test_cast5.py +++ b/tests/hazmat/primitives/test_cast5.py @@ -15,6 +15,7 @@ from __future__ import absolute_import, division, print_function import binascii import os + import pytest from cryptography.hazmat.primitives.ciphers import algorithms, modes diff --git a/tests/hazmat/primitives/test_hash_vectors.py b/tests/hazmat/primitives/test_hash_vectors.py index 5c9e9bed..d9febea9 100644 --- a/tests/hazmat/primitives/test_hash_vectors.py +++ b/tests/hazmat/primitives/test_hash_vectors.py @@ -14,6 +14,7 @@ from __future__ import absolute_import, division, print_function import os + import pytest from cryptography.hazmat.primitives import hashes -- cgit v1.2.3 From 2b3f94271209883aab4181ac5401c699c5c60b75 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 24 Dec 2013 21:55:24 -0800 Subject: Move stuff around and coverage --- tests/conftest.py | 8 ++++---- tests/skip_check.py | 24 ------------------------ tests/test_skip_check.py | 31 ------------------------------- tests/test_utils.py | 21 ++++++++++++++++++++- tests/utils.py | 12 +++++++++++- 5 files changed, 35 insertions(+), 61 deletions(-) delete mode 100644 tests/skip_check.py delete mode 100644 tests/test_skip_check.py diff --git a/tests/conftest.py b/tests/conftest.py index 91ba988f..e059b630 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -4,7 +4,7 @@ from cryptography.hazmat.backends.interfaces import ( HMACBackend, CipherBackend, HashBackend ) -from .skip_check import skip_check +from .utils import check_for_iface def pytest_generate_tests(metafunc): @@ -16,6 +16,6 @@ def pytest_generate_tests(metafunc): @pytest.mark.trylast def pytest_runtest_setup(item): - skip_check('hmac', HMACBackend, item) - skip_check('cipher', CipherBackend, item) - skip_check('hash', HashBackend, item) + check_for_iface("hmac", HMACBackend, item) + check_for_iface("cipher", CipherBackend, item) + check_for_iface("hash", HashBackend, item) diff --git a/tests/skip_check.py b/tests/skip_check.py deleted file mode 100644 index 42a152ea..00000000 --- a/tests/skip_check.py +++ /dev/null @@ -1,24 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or -# implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -from __future__ import absolute_import, division, print_function - -import pytest - - -def skip_check(name, iface, item): - if name in item.keywords and "backend" in item.funcargs: - if not isinstance(item.funcargs["backend"], iface): - pytest.skip("{0} backend does not support {1}".format( - item.funcargs["backend"], name - )) diff --git a/tests/test_skip_check.py b/tests/test_skip_check.py deleted file mode 100644 index 73a6e563..00000000 --- a/tests/test_skip_check.py +++ /dev/null @@ -1,31 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or -# implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -from __future__ import absolute_import, division, print_function - -import pretend - -import pytest - -from .skip_check import skip_check - - -class FakeInterface(object): - pass - - -def test_skip_check(): - item = pretend.stub(keywords=["fake_name"], funcargs={"backend": True}) - with pytest.raises(pytest.skip.Exception) as exc_info: - skip_check("fake_name", FakeInterface, item) - assert exc_info.value.args[0] == "True backend does not support fake_name" diff --git a/tests/test_utils.py b/tests/test_utils.py index 5c58fd76..a65091ff 100644 --- a/tests/test_utils.py +++ b/tests/test_utils.py @@ -14,14 +14,33 @@ import os import textwrap +import pretend + import pytest from .utils import ( load_nist_vectors, load_vectors_from_file, load_cryptrec_vectors, - load_openssl_vectors, load_hash_vectors, + load_openssl_vectors, load_hash_vectors, check_for_iface ) +class FakeInterface(object): + pass + + +def test_check_for_iface(): + item = pretend.stub(keywords=["fake_name"], funcargs={"backend": True}) + with pytest.raises(pytest.skip.Exception) as exc_info: + check_for_iface("fake_name", FakeInterface, item) + assert exc_info.value.args[0] == "True backend does not support fake_name" + + item = pretend.stub( + keywords=["fake_name"], + funcargs={"backend": FakeInterface()} + ) + check_for_iface("fake_name", FakeInterface, item) + + def test_load_nist_vectors(): vector_data = textwrap.dedent(""" # CAVS 11.1 diff --git a/tests/utils.py b/tests/utils.py index 94f97d59..82021a5f 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -11,7 +11,17 @@ # See the License for the specific language governing permissions and # limitations under the License. -import os.path +import os + +import pytest + + +def check_for_iface(name, iface, item): + if name in item.keywords and "backend" in item.funcargs: + if not isinstance(item.funcargs["backend"], iface): + pytest.skip("{0} backend does not support {1}".format( + item.funcargs["backend"], name + )) def load_vectors_from_file(filename, loader): -- cgit v1.2.3 From c91fe6a21fbae3107de7b2e53b7343cd67ac8c6d Mon Sep 17 00:00:00 2001 From: Julian Krause Date: Wed, 25 Dec 2013 11:00:49 -0800 Subject: Clean up documentation and naming. --- cryptography/hazmat/primitives/hashes.py | 10 +++++----- cryptography/hazmat/primitives/hmac.py | 6 +++--- docs/exceptions.rst | 6 ++++++ docs/hazmat/primitives/cryptographic-hashes.rst | 7 ++++--- docs/hazmat/primitives/hmac.rst | 7 ++++--- 5 files changed, 22 insertions(+), 14 deletions(-) diff --git a/cryptography/hazmat/primitives/hashes.py b/cryptography/hazmat/primitives/hashes.py index b3c626d4..c71377d7 100644 --- a/cryptography/hazmat/primitives/hashes.py +++ b/cryptography/hazmat/primitives/hashes.py @@ -55,12 +55,12 @@ class Hash(object): self._ctx = None return digest - def verify(self, sig): - if isinstance(sig, six.text_type): + def verify(self, digest): + if isinstance(digest, six.text_type): raise TypeError("Unicode-objects must be encoded before verifying") - digest = self.finalize() - if not constant_time.bytes_eq(digest, sig): - raise InvalidSignature("Signature did not match digest.") + hash_digest = self.finalize() + if not constant_time.bytes_eq(digest, hash_digest): + raise InvalidSignature("Digest did not match hash digest.") @utils.register_interface(interfaces.HashAlgorithm) diff --git a/cryptography/hazmat/primitives/hmac.py b/cryptography/hazmat/primitives/hmac.py index 8ade84aa..76d658aa 100644 --- a/cryptography/hazmat/primitives/hmac.py +++ b/cryptography/hazmat/primitives/hmac.py @@ -58,9 +58,9 @@ class HMAC(object): self._ctx = None return digest - def verify(self, sig): - if isinstance(sig, six.text_type): + def verify(self, signature): + if isinstance(signature, six.text_type): raise TypeError("Unicode-objects must be encoded before verifying") digest = self.finalize() - if not constant_time.bytes_eq(digest, sig): + if not constant_time.bytes_eq(digest, signature): raise InvalidSignature("Signature did not match digest.") diff --git a/docs/exceptions.rst b/docs/exceptions.rst index 087066b8..8be2c48c 100644 --- a/docs/exceptions.rst +++ b/docs/exceptions.rst @@ -8,6 +8,12 @@ Exceptions This is raised when a context is used after being finalized. +.. class:: InvalidSignature + + This is raised when the verify function of a hash function does not + compare equal. + + .. class:: NotYetFinalized This is raised when the AEAD tag property is accessed on a context diff --git a/docs/hazmat/primitives/cryptographic-hashes.rst b/docs/hazmat/primitives/cryptographic-hashes.rst index 02c7b5e1..f6a3f7a1 100644 --- a/docs/hazmat/primitives/cryptographic-hashes.rst +++ b/docs/hazmat/primitives/cryptographic-hashes.rst @@ -67,12 +67,13 @@ Message Digests :return bytes: The message digest as bytes. - .. method:: verify(sig) + .. method:: verify(digest) - Finalize the current context and securely compare digest to sig. + Finalize the current context and securely compare that digest to ``digest``. + :param bytes digest: Received hash digest :raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize` - :raises cryptography.exceptions.InvalidSignature: If sig does not match digest + :raises cryptography.exceptions.InvalidSignature: If hash digest does not match digest .. _cryptographic-hash-algorithms: diff --git a/docs/hazmat/primitives/hmac.rst b/docs/hazmat/primitives/hmac.rst index b556bd6a..0c19f20c 100644 --- a/docs/hazmat/primitives/hmac.rst +++ b/docs/hazmat/primitives/hmac.rst @@ -70,9 +70,10 @@ message. :return bytes: The message digest as bytes. :raises cryptography.exceptions.AlreadyFinalized: - .. method:: verify(sig) + .. method:: verify(signature) - Finalize the current context and securely compare digest to sig. + Finalize the current context and securely compare digest to ``signature``. + :param bytes signature: The bytes of the HMAC signature recieved. :raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize` - :raises cryptography.exceptions.InvalidSignature: If sig does not match digest + :raises cryptography.exceptions.InvalidSignature: If signature does not match digest -- cgit v1.2.3 From a4a8a0378c158ac8ba1d83619a909021bef17dd1 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 25 Dec 2013 14:51:27 -0600 Subject: clean up warnings. 3 left on 1.0.1e, 21 left 0.9.8y (OS X) --- cryptography/hazmat/backends/openssl/evp.py | 10 +++++----- cryptography/hazmat/backends/openssl/ssl.py | 22 +++++++++++----------- cryptography/hazmat/backends/openssl/x509.py | 6 +++--- 3 files changed, 19 insertions(+), 19 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/evp.py b/cryptography/hazmat/backends/openssl/evp.py index 8cf96b2d..0662b1ef 100644 --- a/cryptography/hazmat/backends/openssl/evp.py +++ b/cryptography/hazmat/backends/openssl/evp.py @@ -103,12 +103,12 @@ int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *, int, int, void *); CUSTOMIZATIONS = """ #ifdef EVP_CTRL_GCM_SET_TAG -const int Cryptography_HAS_GCM = 1; +const long Cryptography_HAS_GCM = 1; #else -const int Cryptography_HAS_GCM = 0; -const int EVP_CTRL_GCM_GET_TAG = -1; -const int EVP_CTRL_GCM_SET_TAG = -1; -const int EVP_CTRL_GCM_SET_IVLEN = -1; +const long Cryptography_HAS_GCM = 0; +const long EVP_CTRL_GCM_GET_TAG = -1; +const long EVP_CTRL_GCM_SET_TAG = -1; +const long EVP_CTRL_GCM_SET_IVLEN = -1; #endif """ diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 3fd0bf23..a2aba4d9 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -207,7 +207,7 @@ long SSL_get_options(SSL *); int SSL_want_read(const SSL *); int SSL_want_write(const SSL *); -int SSL_total_renegotiations(const SSL *); +int SSL_total_renegotiations(SSL *); long SSL_CTX_set_options(SSL_CTX *, long); long SSL_CTX_get_options(SSL_CTX *); @@ -255,18 +255,18 @@ void SSL_CTX_set_tlsext_servername_callback( CUSTOMIZATIONS = """ #ifdef OPENSSL_NO_SSL2 -static const int Cryptography_HAS_SSL2 = 0; +static const long Cryptography_HAS_SSL2 = 0; SSL_METHOD* (*SSLv2_method)() = NULL; SSL_METHOD* (*SSLv2_client_method)() = NULL; SSL_METHOD* (*SSLv2_server_method)() = NULL; #else -static const int Cryptography_HAS_SSL2 = 1; +static const long Cryptography_HAS_SSL2 = 1; #endif #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME -static const int Cryptography_HAS_TLSEXT_HOSTNAME = 1; +static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1; #else -static const int Cryptography_HAS_TLSEXT_HOSTNAME = 0; +static const long Cryptography_HAS_TLSEXT_HOSTNAME = 0; void (*SSL_set_tlsext_host_name)(SSL *, char *) = NULL; const char* (*SSL_get_servername)(const SSL *, const int) = NULL; void (*SSL_CTX_set_tlsext_servername_callback)( @@ -275,17 +275,17 @@ void (*SSL_CTX_set_tlsext_servername_callback)( #endif #ifdef SSL_MODE_RELEASE_BUFFERS -static const int Cryptography_HAS_RELEASE_BUFFERS = 1; +static const long Cryptography_HAS_RELEASE_BUFFERS = 1; #else -static const int Cryptography_HAS_RELEASE_BUFFERS = 0; -const int SSL_MODE_RELEASE_BUFFERS = 0; +static const long Cryptography_HAS_RELEASE_BUFFERS = 0; +const long SSL_MODE_RELEASE_BUFFERS = 0; #endif #ifdef SSL_OP_NO_COMPRESSION -static const int Cryptography_HAS_OP_NO_COMPRESSION = 1; +static const long Cryptography_HAS_OP_NO_COMPRESSION = 1; #else -static const int Cryptography_HAS_OP_NO_COMPRESSION = 0; -const int SSL_OP_NO_COMPRESSION = 0; +static const long Cryptography_HAS_OP_NO_COMPRESSION = 0; +const long SSL_OP_NO_COMPRESSION = 0; #endif """ diff --git a/cryptography/hazmat/backends/openssl/x509.py b/cryptography/hazmat/backends/openssl/x509.py index dd7815fa..5cba476e 100644 --- a/cryptography/hazmat/backends/openssl/x509.py +++ b/cryptography/hazmat/backends/openssl/x509.py @@ -47,7 +47,7 @@ typedef struct { } X509_REVOKED; typedef struct { - struct x509_revoked_st *revoked; + struct stack_st_X509_REVOKED *revoked; ...; } X509_CRL_INFO; @@ -178,8 +178,8 @@ int sk_X509_EXTENSION_push(X509_EXTENSIONS *, X509_EXTENSION *); void sk_X509_EXTENSION_delete(X509_EXTENSIONS *, int); void sk_X509_EXTENSION_free(X509_EXTENSIONS *); -int sk_X509_REVOKED_num(struct x509_revoked_st *); -X509_REVOKED *sk_X509_REVOKED_value(struct x509_revoked_st *, int); +int sk_X509_REVOKED_num(struct stack_st_X509_REVOKED *); +X509_REVOKED *sk_X509_REVOKED_value(struct stack_st_X509_REVOKED *, int); /* These aren't macros these arguments are all const X on openssl > 1.0.x */ int X509_CRL_set_lastUpdate(X509_CRL *, const ASN1_TIME *); -- cgit v1.2.3 From 4bf5f32cdfbbed0895918d4e8ed51a1adc410f40 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 25 Dec 2013 15:33:33 -0600 Subject: 2 more warnings fixed (on both 1.0.1e and 0.9.8y) --- cryptography/hazmat/backends/openssl/ssl.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index a2aba4d9..ba4451c2 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -144,8 +144,8 @@ int SSL_get_verify_mode(const SSL *); void SSL_set_verify_depth(SSL *, int); int SSL_get_verify_depth(const SSL *); int (*SSL_get_verify_callback(const SSL *))(int, X509_STORE_CTX *); -void SSL_set_info_callback(SSL *, void (*)()); -void (*SSL_get_info_callback(const SSL *))(); +void SSL_set_info_callback(SSL *ssl, void (*)(const SSL *, int, int)); +void (*SSL_get_info_callback(const SSL *))(const SSL *,int, int); SSL *SSL_new(SSL_CTX *); void SSL_free(SSL *); int SSL_set_fd(SSL *, int); -- cgit v1.2.3 From 04fd62fc1502f59d25cf03611aadacbc2007b9c8 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 25 Dec 2013 15:43:22 -0600 Subject: fix last warning (macro returns ASN1_ITEM_EXP *) * 0 warnings in OpenSSL 1.0.1e * 18 warnings in 0.9.8y --- cryptography/hazmat/backends/openssl/asn1.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cryptography/hazmat/backends/openssl/asn1.py b/cryptography/hazmat/backends/openssl/asn1.py index b56932fa..a186d592 100644 --- a/cryptography/hazmat/backends/openssl/asn1.py +++ b/cryptography/hazmat/backends/openssl/asn1.py @@ -102,7 +102,7 @@ ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **, const unsigned char **, long, MACROS = """ ASN1_TIME *M_ASN1_TIME_dup(void *); -ASN1_ITEM *ASN1_ITEM_ptr(ASN1_ITEM_EXP *); +ASN1_ITEM_EXP *ASN1_ITEM_ptr(ASN1_ITEM_EXP *); /* These aren't macros these arguments are all const X on openssl > 1.0.x */ -- cgit v1.2.3 From b236b77f686cc24b441cbf0e9521e0679d8a9c61 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 25 Dec 2013 16:49:33 -0600 Subject: fix a style error --- cryptography/hazmat/backends/openssl/ssl.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index ba4451c2..2777ad4a 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -145,7 +145,7 @@ void SSL_set_verify_depth(SSL *, int); int SSL_get_verify_depth(const SSL *); int (*SSL_get_verify_callback(const SSL *))(int, X509_STORE_CTX *); void SSL_set_info_callback(SSL *ssl, void (*)(const SSL *, int, int)); -void (*SSL_get_info_callback(const SSL *))(const SSL *,int, int); +void (*SSL_get_info_callback(const SSL *))(const SSL *, int, int); SSL *SSL_new(SSL_CTX *); void SSL_free(SSL *); int SSL_set_fd(SSL *, int); -- cgit v1.2.3 From 5f61765a723b162c7067ef72df7ab9ee88a6fd0f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 25 Dec 2013 18:06:42 -0600 Subject: remove SSL_OP_MSIE_SSLV2_RSA_PADDING According to the header it ahs had "no effect singe 0.9.7h and 0.9.8b" but more importantly they decided to re-use the constant (wtf?) in an upcoming OpenSSL release so anybody running bleeding edge will get an undefined symbol To see the commit where they reused the define: https://github.com/openssl/openssl/commit/dece3209f299ebcd82414868ee39b2c6feb3be0a --- cryptography/hazmat/backends/openssl/ssl.py | 1 - 1 file changed, 1 deletion(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 3fd0bf23..77185dfd 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -54,7 +54,6 @@ static const int SSL_OP_NETSCAPE_CHALLENGE_BUG; static const int SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG; static const int SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG; static const int SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER; -static const int SSL_OP_MSIE_SSLV2_RSA_PADDING; static const int SSL_OP_SSLEAY_080_CLIENT_DH_BUG; static const int SSL_OP_TLS_D5_BUG; static const int SSL_OP_TLS_BLOCK_PADDING_BUG; -- cgit v1.2.3 From 5a8fdf82f396609ccb971d707edddea58f2d3917 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 26 Dec 2013 20:13:45 -0600 Subject: add mark that allows us to do skip tests on backends via decorators --- pytest.ini | 1 + tests/conftest.py | 3 ++- tests/test_utils.py | 33 ++++++++++++++++++++++++++++++++- tests/utils.py | 10 ++++++++++ 4 files changed, 45 insertions(+), 2 deletions(-) diff --git a/pytest.ini b/pytest.ini index 1aeb23fc..36d4edc4 100644 --- a/pytest.ini +++ b/pytest.ini @@ -4,3 +4,4 @@ markers = hmac: this test requires a backend providing HMACBackend cipher: this test requires a backend providing CipherBackend hash: this test requires a backend providing HashBackend + supported: parametrized test requiring only_if and skip_message diff --git a/tests/conftest.py b/tests/conftest.py index e059b630..d8ab5819 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -4,7 +4,7 @@ from cryptography.hazmat.backends.interfaces import ( HMACBackend, CipherBackend, HashBackend ) -from .utils import check_for_iface +from .utils import check_for_iface, supported_by_backend_skip def pytest_generate_tests(metafunc): @@ -19,3 +19,4 @@ def pytest_runtest_setup(item): check_for_iface("hmac", HMACBackend, item) check_for_iface("cipher", CipherBackend, item) check_for_iface("hash", HashBackend, item) + supported_by_backend_skip(item) diff --git a/tests/test_utils.py b/tests/test_utils.py index a65091ff..b347efd5 100644 --- a/tests/test_utils.py +++ b/tests/test_utils.py @@ -20,7 +20,8 @@ import pytest from .utils import ( load_nist_vectors, load_vectors_from_file, load_cryptrec_vectors, - load_openssl_vectors, load_hash_vectors, check_for_iface + load_openssl_vectors, load_hash_vectors, check_for_iface, + supported_by_backend_skip ) @@ -41,6 +42,36 @@ def test_check_for_iface(): check_for_iface("fake_name", FakeInterface, item) +def test_supported_by_backend_skip(): + supported = pretend.stub( + kwargs={"only_if": lambda backend: False, "skip_message": "Nope"} + ) + item = pretend.stub(keywords={"supported": supported}, + funcargs={"backend": True}) + with pytest.raises(pytest.skip.Exception) as exc_info: + supported_by_backend_skip(item) + assert exc_info.value.args[0] == "Nope" + + +def test_supported_by_backend_no_skip(): + supported = pretend.stub( + kwargs={"only_if": lambda backend: True, "skip_message": "Nope"} + ) + item = pretend.stub(keywords={"supported": supported}, + funcargs={"backend": True}) + assert supported_by_backend_skip(item) is None + + +def test_supported_by_backend_skip_no_backend(): + supported = pretend.stub( + kwargs={"only_if": "notalambda", "skip_message": "Nope"} + ) + item = pretend.stub(keywords={"supported": supported}, + funcargs={}) + with pytest.raises(TypeError): + supported_by_backend_skip(item) + + def test_load_nist_vectors(): vector_data = textwrap.dedent(""" # CAVS 11.1 diff --git a/tests/utils.py b/tests/utils.py index 82021a5f..113488d3 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -24,6 +24,16 @@ def check_for_iface(name, iface, item): )) +def supported_by_backend_skip(item): + supported = item.keywords.get("supported") + if supported and "backend" in item.funcargs: + if not supported.kwargs["only_if"](item.funcargs["backend"]): + pytest.skip(supported.kwargs["skip_message"]) + elif supported: + raise TypeError("This mark is only available on methods that take a " + "backend") + + def load_vectors_from_file(filename, loader): base = os.path.join( os.path.dirname(__file__), "hazmat", "primitives", "vectors", -- cgit v1.2.3 From 60fc8da5aad59fd61b891c3538ce61d96e91cbcb Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 26 Dec 2013 20:19:34 -0600 Subject: rename the method to be less horribly named --- tests/conftest.py | 4 ++-- tests/test_utils.py | 14 +++++++------- tests/utils.py | 2 +- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/tests/conftest.py b/tests/conftest.py index d8ab5819..0ddc3338 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -4,7 +4,7 @@ from cryptography.hazmat.backends.interfaces import ( HMACBackend, CipherBackend, HashBackend ) -from .utils import check_for_iface, supported_by_backend_skip +from .utils import check_for_iface, check_backend_support def pytest_generate_tests(metafunc): @@ -19,4 +19,4 @@ def pytest_runtest_setup(item): check_for_iface("hmac", HMACBackend, item) check_for_iface("cipher", CipherBackend, item) check_for_iface("hash", HashBackend, item) - supported_by_backend_skip(item) + check_backend_support(item) diff --git a/tests/test_utils.py b/tests/test_utils.py index b347efd5..32daff70 100644 --- a/tests/test_utils.py +++ b/tests/test_utils.py @@ -21,7 +21,7 @@ import pytest from .utils import ( load_nist_vectors, load_vectors_from_file, load_cryptrec_vectors, load_openssl_vectors, load_hash_vectors, check_for_iface, - supported_by_backend_skip + check_backend_support ) @@ -42,34 +42,34 @@ def test_check_for_iface(): check_for_iface("fake_name", FakeInterface, item) -def test_supported_by_backend_skip(): +def test_check_backend_support_skip(): supported = pretend.stub( kwargs={"only_if": lambda backend: False, "skip_message": "Nope"} ) item = pretend.stub(keywords={"supported": supported}, funcargs={"backend": True}) with pytest.raises(pytest.skip.Exception) as exc_info: - supported_by_backend_skip(item) + check_backend_support(item) assert exc_info.value.args[0] == "Nope" -def test_supported_by_backend_no_skip(): +def test_check_backend_support_no_skip(): supported = pretend.stub( kwargs={"only_if": lambda backend: True, "skip_message": "Nope"} ) item = pretend.stub(keywords={"supported": supported}, funcargs={"backend": True}) - assert supported_by_backend_skip(item) is None + assert check_backend_support(item) is None -def test_supported_by_backend_skip_no_backend(): +def test_check_backend_support_no_backend(): supported = pretend.stub( kwargs={"only_if": "notalambda", "skip_message": "Nope"} ) item = pretend.stub(keywords={"supported": supported}, funcargs={}) with pytest.raises(TypeError): - supported_by_backend_skip(item) + check_backend_support(item) def test_load_nist_vectors(): diff --git a/tests/utils.py b/tests/utils.py index 113488d3..7ae2eb8b 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -24,7 +24,7 @@ def check_for_iface(name, iface, item): )) -def supported_by_backend_skip(item): +def check_backend_support(item): supported = item.keywords.get("supported") if supported and "backend" in item.funcargs: if not supported.kwargs["only_if"](item.funcargs["backend"]): -- cgit v1.2.3 From 783479c6189d788ac2f721b5b017073736c578cb Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 26 Dec 2013 21:08:45 -0600 Subject: refactor all tests to use mark instead of generator skips --- tests/hazmat/primitives/test_3des.py | 42 +++---- tests/hazmat/primitives/test_aes.py | 77 +++++++++---- tests/hazmat/primitives/test_arc4.py | 10 +- tests/hazmat/primitives/test_block.py | 14 +-- tests/hazmat/primitives/test_blowfish.py | 51 +++++--- tests/hazmat/primitives/test_camellia.py | 51 +++++--- tests/hazmat/primitives/test_cast5.py | 10 +- tests/hazmat/primitives/test_hash_vectors.py | 52 +++++---- tests/hazmat/primitives/test_hashes.py | 95 +++++++-------- tests/hazmat/primitives/test_hmac.py | 13 ++- tests/hazmat/primitives/test_hmac_vectors.py | 42 ++++--- tests/hazmat/primitives/test_utils.py | 117 ------------------- tests/hazmat/primitives/utils.py | 166 ++++----------------------- 13 files changed, 290 insertions(+), 450 deletions(-) delete mode 100644 tests/hazmat/primitives/test_utils.py diff --git a/tests/hazmat/primitives/test_3des.py b/tests/hazmat/primitives/test_3des.py index 439ca258..581c47eb 100644 --- a/tests/hazmat/primitives/test_3des.py +++ b/tests/hazmat/primitives/test_3des.py @@ -28,6 +28,12 @@ from .utils import generate_encrypt_test from ...utils import load_nist_vectors +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.TripleDES("\x00" * 8), modes.CBC("\x00" * 8) + ), + skip_message="Does not support TripleDES CBC", +) @pytest.mark.cipher class TestTripleDES_CBC(object): test_KAT = generate_encrypt_test( @@ -42,10 +48,6 @@ class TestTripleDES_CBC(object): ], lambda keys, **kwargs: algorithms.TripleDES(binascii.unhexlify(keys)), lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.TripleDES("\x00" * 8), modes.CBC("\x00" * 8) - ), - skip_message="Does not support TripleDES CBC", ) test_MMT = generate_encrypt_test( @@ -60,13 +62,15 @@ class TestTripleDES_CBC(object): binascii.unhexlify(key1 + key2 + key3) ), lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.TripleDES("\x00" * 8), modes.CBC("\x00" * 8) - ), - skip_message="Does not support TripleDES CBC", ) +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.TripleDES("\x00" * 8), modes.OFB("\x00" * 8) + ), + skip_message="Does not support TripleDES OFB", +) @pytest.mark.cipher class TestTripleDES_OFB(object): test_KAT = generate_encrypt_test( @@ -81,10 +85,6 @@ class TestTripleDES_OFB(object): ], lambda keys, **kwargs: algorithms.TripleDES(binascii.unhexlify(keys)), lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.TripleDES("\x00" * 8), modes.OFB("\x00" * 8) - ), - skip_message="Does not support TripleDES OFB", ) test_MMT = generate_encrypt_test( @@ -99,13 +99,15 @@ class TestTripleDES_OFB(object): binascii.unhexlify(key1 + key2 + key3) ), lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.TripleDES("\x00" * 8), modes.OFB("\x00" * 8) - ), - skip_message="Does not support TripleDES OFB", ) +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.TripleDES("\x00" * 8), modes.CFB("\x00" * 8) + ), + skip_message="Does not support TripleDES CFB", +) @pytest.mark.cipher class TestTripleDES_CFB(object): test_KAT = generate_encrypt_test( @@ -120,10 +122,6 @@ class TestTripleDES_CFB(object): ], lambda keys, **kwargs: algorithms.TripleDES(binascii.unhexlify(keys)), lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.TripleDES("\x00" * 8), modes.CFB("\x00" * 8) - ), - skip_message="Does not support TripleDES CFB", ) test_MMT = generate_encrypt_test( @@ -138,8 +136,4 @@ class TestTripleDES_CFB(object): binascii.unhexlify(key1 + key2 + key3) ), lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.TripleDES("\x00" * 8), modes.CFB("\x00" * 8) - ), - skip_message="Does not support TripleDES CFB", ) diff --git a/tests/hazmat/primitives/test_aes.py b/tests/hazmat/primitives/test_aes.py index e9ef3853..8cba8c66 100644 --- a/tests/hazmat/primitives/test_aes.py +++ b/tests/hazmat/primitives/test_aes.py @@ -26,8 +26,14 @@ from ...utils import ( ) +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.AES("\x00" * 16), modes.CBC("\x00" * 16) + ), + skip_message="Does not support AES CBC", +) @pytest.mark.cipher -class TestAES(object): +class TestAES_CBC(object): test_CBC = generate_encrypt_test( load_nist_vectors, os.path.join("ciphers", "AES", "CBC"), @@ -50,12 +56,17 @@ class TestAES(object): ], lambda key, **kwargs: algorithms.AES(binascii.unhexlify(key)), lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.CBC("\x00" * 16) - ), - skip_message="Does not support AES CBC", ) + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.AES("\x00" * 16), modes.ECB() + ), + skip_message="Does not support AES ECB", +) +@pytest.mark.cipher +class TestAES_ECB(object): test_ECB = generate_encrypt_test( load_nist_vectors, os.path.join("ciphers", "AES", "ECB"), @@ -78,12 +89,17 @@ class TestAES(object): ], lambda key, **kwargs: algorithms.AES(binascii.unhexlify(key)), lambda **kwargs: modes.ECB(), - only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.ECB() - ), - skip_message="Does not support AES ECB", ) + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.AES("\x00" * 16), modes.OFB("\x00" * 16) + ), + skip_message="Does not support AES OFB", +) +@pytest.mark.cipher +class TestAES_OFB(object): test_OFB = generate_encrypt_test( load_nist_vectors, os.path.join("ciphers", "AES", "OFB"), @@ -106,12 +122,17 @@ class TestAES(object): ], lambda key, **kwargs: algorithms.AES(binascii.unhexlify(key)), lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.OFB("\x00" * 16) - ), - skip_message="Does not support AES OFB", ) + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.AES("\x00" * 16), modes.CFB("\x00" * 16) + ), + skip_message="Does not support AES CFB", +) +@pytest.mark.cipher +class TestAES_CFB(object): test_CFB = generate_encrypt_test( load_nist_vectors, os.path.join("ciphers", "AES", "CFB"), @@ -134,24 +155,34 @@ class TestAES(object): ], lambda key, **kwargs: algorithms.AES(binascii.unhexlify(key)), lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.CFB("\x00" * 16) - ), - skip_message="Does not support AES CFB", ) + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.AES("\x00" * 16), modes.CTR("\x00" * 16) + ), + skip_message="Does not support AES CTR", +) +@pytest.mark.cipher +class TestAES_CTR(object): test_CTR = generate_encrypt_test( load_openssl_vectors, os.path.join("ciphers", "AES", "CTR"), ["aes-128-ctr.txt", "aes-192-ctr.txt", "aes-256-ctr.txt"], lambda key, **kwargs: algorithms.AES(binascii.unhexlify(key)), lambda iv, **kwargs: modes.CTR(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.CTR("\x00" * 16) - ), - skip_message="Does not support AES CTR", ) + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.AES("\x00" * 16), modes.GCM("\x00" * 12) + ), + skip_message="Does not support AES GCM", +) +@pytest.mark.cipher +class TestAES_GCM(object): test_GCM = generate_aead_test( load_nist_vectors, os.path.join("ciphers", "AES", "GCM"), @@ -165,8 +196,4 @@ class TestAES(object): ], lambda key: algorithms.AES(key), lambda iv, tag: modes.GCM(iv, tag), - only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.GCM("\x00" * 12) - ), - skip_message="Does not support AES GCM", ) diff --git a/tests/hazmat/primitives/test_arc4.py b/tests/hazmat/primitives/test_arc4.py index f2e2452c..33f7ff09 100644 --- a/tests/hazmat/primitives/test_arc4.py +++ b/tests/hazmat/primitives/test_arc4.py @@ -24,6 +24,12 @@ from .utils import generate_stream_encryption_test from ...utils import load_nist_vectors +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.ARC4("\x00" * 16), None + ), + skip_message="Does not support ARC4", +) @pytest.mark.cipher class TestARC4(object): test_rfc = generate_stream_encryption_test( @@ -39,8 +45,4 @@ class TestARC4(object): "rfc-6229-256.txt", ], lambda key, **kwargs: algorithms.ARC4(binascii.unhexlify(key)), - only_if=lambda backend: backend.cipher_supported( - algorithms.ARC4("\x00" * 16), None - ), - skip_message="Does not support ARC4", ) diff --git a/tests/hazmat/primitives/test_block.py b/tests/hazmat/primitives/test_block.py index 22a7c02f..30cf1d60 100644 --- a/tests/hazmat/primitives/test_block.py +++ b/tests/hazmat/primitives/test_block.py @@ -136,21 +136,19 @@ class TestCipherContext(object): decryptor.finalize() +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.AES("\x00" * 16), modes.GCM("\x00" * 12) + ), + skip_message="Does not support AES GCM", +) @pytest.mark.cipher class TestAEADCipherContext(object): test_aead_exceptions = generate_aead_exception_test( algorithms.AES, modes.GCM, - only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.GCM("\x00" * 12) - ), - skip_message="Does not support AES GCM", ) test_aead_tag_exceptions = generate_aead_tag_exception_test( algorithms.AES, modes.GCM, - only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.GCM("\x00" * 12) - ), - skip_message="Does not support AES GCM", ) diff --git a/tests/hazmat/primitives/test_blowfish.py b/tests/hazmat/primitives/test_blowfish.py index 79ceabe7..18512a6e 100644 --- a/tests/hazmat/primitives/test_blowfish.py +++ b/tests/hazmat/primitives/test_blowfish.py @@ -24,52 +24,69 @@ from .utils import generate_encrypt_test from ...utils import load_nist_vectors +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.Blowfish("\x00" * 56), modes.ECB() + ), + skip_message="Does not support Blowfish ECB", +) @pytest.mark.cipher -class TestBlowfish(object): +class TestBlowfish_ECB(object): test_ECB = generate_encrypt_test( load_nist_vectors, os.path.join("ciphers", "Blowfish"), ["bf-ecb.txt"], lambda key, **kwargs: algorithms.Blowfish(binascii.unhexlify(key)), lambda **kwargs: modes.ECB(), - only_if=lambda backend: backend.cipher_supported( - algorithms.Blowfish("\x00" * 56), modes.ECB() - ), - skip_message="Does not support Blowfish ECB", ) + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.Blowfish("\x00" * 56), modes.CBC("\x00" * 8) + ), + skip_message="Does not support Blowfish CBC", +) +@pytest.mark.cipher +class TestBlowfish_CBC(object): test_CBC = generate_encrypt_test( load_nist_vectors, os.path.join("ciphers", "Blowfish"), ["bf-cbc.txt"], lambda key, **kwargs: algorithms.Blowfish(binascii.unhexlify(key)), lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.Blowfish("\x00" * 56), modes.CBC("\x00" * 8) - ), - skip_message="Does not support Blowfish CBC", ) + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.Blowfish("\x00" * 56), modes.OFB("\x00" * 8) + ), + skip_message="Does not support Blowfish OFB", +) +@pytest.mark.cipher +class TestBlowfish_OFB(object): test_OFB = generate_encrypt_test( load_nist_vectors, os.path.join("ciphers", "Blowfish"), ["bf-ofb.txt"], lambda key, **kwargs: algorithms.Blowfish(binascii.unhexlify(key)), lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.Blowfish("\x00" * 56), modes.OFB("\x00" * 8) - ), - skip_message="Does not support Blowfish OFB", ) + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.Blowfish("\x00" * 56), modes.CFB("\x00" * 8) + ), + skip_message="Does not support Blowfish CFB", +) +@pytest.mark.cipher +class TestBlowfish_CFB(object): test_CFB = generate_encrypt_test( load_nist_vectors, os.path.join("ciphers", "Blowfish"), ["bf-cfb.txt"], lambda key, **kwargs: algorithms.Blowfish(binascii.unhexlify(key)), lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.Blowfish("\x00" * 56), modes.CFB("\x00" * 8) - ), - skip_message="Does not support Blowfish CFB", ) diff --git a/tests/hazmat/primitives/test_camellia.py b/tests/hazmat/primitives/test_camellia.py index c376220e..7c56f6f9 100644 --- a/tests/hazmat/primitives/test_camellia.py +++ b/tests/hazmat/primitives/test_camellia.py @@ -26,8 +26,14 @@ from ...utils import ( ) +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.Camellia("\x00" * 16), modes.ECB() + ), + skip_message="Does not support Camellia ECB", +) @pytest.mark.cipher -class TestCamellia(object): +class TestCamellia_ECB(object): test_ECB = generate_encrypt_test( load_cryptrec_vectors, os.path.join("ciphers", "Camellia"), @@ -38,44 +44,55 @@ class TestCamellia(object): ], lambda key, **kwargs: algorithms.Camellia(binascii.unhexlify(key)), lambda **kwargs: modes.ECB(), - only_if=lambda backend: backend.cipher_supported( - algorithms.Camellia("\x00" * 16), modes.ECB() - ), - skip_message="Does not support Camellia ECB", ) + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.Camellia("\x00" * 16), modes.CBC("\x00" * 16) + ), + skip_message="Does not support Camellia CBC", +) +@pytest.mark.cipher +class TestCamellia_CBC(object): test_CBC = generate_encrypt_test( load_openssl_vectors, os.path.join("ciphers", "Camellia"), ["camellia-cbc.txt"], lambda key, **kwargs: algorithms.Camellia(binascii.unhexlify(key)), lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.Camellia("\x00" * 16), modes.CBC("\x00" * 16) - ), - skip_message="Does not support Camellia CBC", ) + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.Camellia("\x00" * 16), modes.OFB("\x00" * 16) + ), + skip_message="Does not support Camellia OFB", +) +@pytest.mark.cipher +class TestCamellia_OFB(object): test_OFB = generate_encrypt_test( load_openssl_vectors, os.path.join("ciphers", "Camellia"), ["camellia-ofb.txt"], lambda key, **kwargs: algorithms.Camellia(binascii.unhexlify(key)), lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.Camellia("\x00" * 16), modes.OFB("\x00" * 16) - ), - skip_message="Does not support Camellia OFB", ) + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.Camellia("\x00" * 16), modes.CFB("\x00" * 16) + ), + skip_message="Does not support Camellia CFB", +) +@pytest.mark.cipher +class TestCamellia_CFB(object): test_CFB = generate_encrypt_test( load_openssl_vectors, os.path.join("ciphers", "Camellia"), ["camellia-cfb.txt"], lambda key, **kwargs: algorithms.Camellia(binascii.unhexlify(key)), lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.Camellia("\x00" * 16), modes.CFB("\x00" * 16) - ), - skip_message="Does not support Camellia CFB", ) diff --git a/tests/hazmat/primitives/test_cast5.py b/tests/hazmat/primitives/test_cast5.py index a4789c65..d65a86b2 100644 --- a/tests/hazmat/primitives/test_cast5.py +++ b/tests/hazmat/primitives/test_cast5.py @@ -24,6 +24,12 @@ from .utils import generate_encrypt_test from ...utils import load_nist_vectors +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.CAST5("\x00" * 16), modes.ECB() + ), + skip_message="Does not support CAST5 ECB", +) @pytest.mark.cipher class TestCAST5(object): test_ECB = generate_encrypt_test( @@ -32,8 +38,4 @@ class TestCAST5(object): ["cast5-ecb.txt"], lambda key, **kwargs: algorithms.CAST5(binascii.unhexlify((key))), lambda **kwargs: modes.ECB(), - only_if=lambda backend: backend.cipher_supported( - algorithms.CAST5("\x00" * 16), modes.ECB() - ), - skip_message="Does not support CAST5 ECB", ) diff --git a/tests/hazmat/primitives/test_hash_vectors.py b/tests/hazmat/primitives/test_hash_vectors.py index d9febea9..13ffc3fd 100644 --- a/tests/hazmat/primitives/test_hash_vectors.py +++ b/tests/hazmat/primitives/test_hash_vectors.py @@ -23,6 +23,10 @@ from .utils import generate_hash_test, generate_long_string_hash_test from ...utils import load_hash_vectors +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.SHA1), + skip_message="Does not support SHA1", +) @pytest.mark.hash class TestSHA1(object): test_SHA1 = generate_hash_test( @@ -33,11 +37,13 @@ class TestSHA1(object): "SHA1ShortMsg.rsp", ], hashes.SHA1(), - only_if=lambda backend: backend.hash_supported(hashes.SHA1), - skip_message="Does not support SHA1", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.SHA224), + skip_message="Does not support SHA224", +) @pytest.mark.hash class TestSHA224(object): test_SHA224 = generate_hash_test( @@ -48,11 +54,13 @@ class TestSHA224(object): "SHA224ShortMsg.rsp", ], hashes.SHA224(), - only_if=lambda backend: backend.hash_supported(hashes.SHA224), - skip_message="Does not support SHA224", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.SHA256), + skip_message="Does not support SHA256", +) @pytest.mark.hash class TestSHA256(object): test_SHA256 = generate_hash_test( @@ -63,11 +71,13 @@ class TestSHA256(object): "SHA256ShortMsg.rsp", ], hashes.SHA256(), - only_if=lambda backend: backend.hash_supported(hashes.SHA256), - skip_message="Does not support SHA256", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.SHA384), + skip_message="Does not support SHA384", +) @pytest.mark.hash class TestSHA384(object): test_SHA384 = generate_hash_test( @@ -78,11 +88,13 @@ class TestSHA384(object): "SHA384ShortMsg.rsp", ], hashes.SHA384(), - only_if=lambda backend: backend.hash_supported(hashes.SHA384), - skip_message="Does not support SHA384", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.SHA512), + skip_message="Does not support SHA512", +) @pytest.mark.hash class TestSHA512(object): test_SHA512 = generate_hash_test( @@ -93,11 +105,13 @@ class TestSHA512(object): "SHA512ShortMsg.rsp", ], hashes.SHA512(), - only_if=lambda backend: backend.hash_supported(hashes.SHA512), - skip_message="Does not support SHA512", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.RIPEMD160), + skip_message="Does not support RIPEMD160", +) @pytest.mark.hash class TestRIPEMD160(object): test_RIPEMD160 = generate_hash_test( @@ -107,18 +121,18 @@ class TestRIPEMD160(object): "ripevectors.txt", ], hashes.RIPEMD160(), - only_if=lambda backend: backend.hash_supported(hashes.RIPEMD160), - skip_message="Does not support RIPEMD160", ) test_RIPEMD160_long_string = generate_long_string_hash_test( hashes.RIPEMD160(), "52783243c1697bdbe16d37f97f68f08325dc1528", - only_if=lambda backend: backend.hash_supported(hashes.RIPEMD160), - skip_message="Does not support RIPEMD160", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.Whirlpool), + skip_message="Does not support Whirlpool", +) @pytest.mark.hash class TestWhirlpool(object): test_whirlpool = generate_hash_test( @@ -128,8 +142,6 @@ class TestWhirlpool(object): "iso-test-vectors.txt", ], hashes.Whirlpool(), - only_if=lambda backend: backend.hash_supported(hashes.Whirlpool), - skip_message="Does not support Whirlpool", ) test_whirlpool_long_string = generate_long_string_hash_test( @@ -137,11 +149,13 @@ class TestWhirlpool(object): ("0c99005beb57eff50a7cf005560ddf5d29057fd86b2" "0bfd62deca0f1ccea4af51fc15490eddc47af32bb2b" "66c34ff9ad8c6008ad677f77126953b226e4ed8b01"), - only_if=lambda backend: backend.hash_supported(hashes.Whirlpool), - skip_message="Does not support Whirlpool", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.MD5), + skip_message="Does not support MD5", +) @pytest.mark.hash class TestMD5(object): test_md5 = generate_hash_test( @@ -151,6 +165,4 @@ class TestMD5(object): "rfc-1321.txt", ], hashes.MD5(), - only_if=lambda backend: backend.hash_supported(hashes.MD5), - skip_message="Does not support MD5", ) diff --git a/tests/hazmat/primitives/test_hashes.py b/tests/hazmat/primitives/test_hashes.py index 45faaab2..d52021eb 100644 --- a/tests/hazmat/primitives/test_hashes.py +++ b/tests/hazmat/primitives/test_hashes.py @@ -23,7 +23,7 @@ from cryptography import utils from cryptography.exceptions import AlreadyFinalized, UnsupportedAlgorithm from cryptography.hazmat.primitives import hashes, interfaces -from .utils import generate_base_hash_test +from .utils import base_hash_test @utils.register_interface(interfaces.HashAlgorithm) @@ -70,88 +70,73 @@ class TestHashContext(object): @pytest.mark.hash -class TestSHA1(object): - test_SHA1 = generate_base_hash_test( - hashes.SHA1(), - digest_size=20, - block_size=64, +class TestHashes(object): + @pytest.mark.supported( only_if=lambda backend: backend.hash_supported(hashes.SHA1), skip_message="Does not support SHA1", ) + def test_SHA1(self, backend): + base_hash_test(backend, hashes.SHA1(), digest_size=20, block_size=64) - -@pytest.mark.hash -class TestSHA224(object): - test_SHA224 = generate_base_hash_test( - hashes.SHA224(), - digest_size=28, - block_size=64, + @pytest.mark.supported( only_if=lambda backend: backend.hash_supported(hashes.SHA224), skip_message="Does not support SHA224", ) + def test_SHA224(self, backend): + base_hash_test(backend, hashes.SHA224(), digest_size=28, block_size=64) - -@pytest.mark.hash -class TestSHA256(object): - test_SHA256 = generate_base_hash_test( - hashes.SHA256(), - digest_size=32, - block_size=64, + @pytest.mark.supported( only_if=lambda backend: backend.hash_supported(hashes.SHA256), skip_message="Does not support SHA256", ) + def test_SHA256(self, backend): + base_hash_test(backend, hashes.SHA256(), digest_size=32, block_size=64) - -@pytest.mark.hash -class TestSHA384(object): - test_SHA384 = generate_base_hash_test( - hashes.SHA384(), - digest_size=48, - block_size=128, + @pytest.mark.supported( only_if=lambda backend: backend.hash_supported(hashes.SHA384), skip_message="Does not support SHA384", ) + def test_SHA384(self, backend): + base_hash_test(backend, hashes.SHA384(), + digest_size=48, block_size=128) - -@pytest.mark.hash -class TestSHA512(object): - test_SHA512 = generate_base_hash_test( - hashes.SHA512(), - digest_size=64, - block_size=128, + @pytest.mark.supported( only_if=lambda backend: backend.hash_supported(hashes.SHA512), skip_message="Does not support SHA512", ) + def test_SHA512(self, backend): + base_hash_test(backend, hashes.SHA512(), + digest_size=64, block_size=128) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.RIPEMD160), + skip_message="Does not support RIPEMD160", +) @pytest.mark.hash class TestRIPEMD160(object): - test_RIPEMD160 = generate_base_hash_test( - hashes.RIPEMD160(), - digest_size=20, - block_size=64, - only_if=lambda backend: backend.hash_supported(hashes.RIPEMD160), - skip_message="Does not support RIPEMD160", - ) + def test_RIPEMD160(self, backend): + base_hash_test(backend, hashes.RIPEMD160(), + digest_size=20, block_size=64) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.Whirlpool), + skip_message="Does not support Whirlpool", +) @pytest.mark.hash class TestWhirlpool(object): - test_Whirlpool = generate_base_hash_test( - hashes.Whirlpool(), - digest_size=64, - block_size=64, - only_if=lambda backend: backend.hash_supported(hashes.Whirlpool), - skip_message="Does not support Whirlpool", - ) + def test_Whirlpool(self, backend): + base_hash_test(backend, hashes.Whirlpool(), + digest_size=64, block_size=64) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.MD5), + skip_message="Does not support MD5", +) @pytest.mark.hash class TestMD5(object): - test_MD5 = generate_base_hash_test( - hashes.MD5(), - digest_size=16, - block_size=64, - only_if=lambda backend: backend.hash_supported(hashes.MD5), - skip_message="Does not support MD5", - ) + def test_MD5(self, backend): + base_hash_test(backend, hashes.MD5(), + digest_size=16, block_size=64) diff --git a/tests/hazmat/primitives/test_hmac.py b/tests/hazmat/primitives/test_hmac.py index 6d8cc27b..c216dd4d 100644 --- a/tests/hazmat/primitives/test_hmac.py +++ b/tests/hazmat/primitives/test_hmac.py @@ -13,6 +13,8 @@ from __future__ import absolute_import, division, print_function +import binascii + import pretend import pytest @@ -23,8 +25,6 @@ from cryptography import utils from cryptography.exceptions import AlreadyFinalized, UnsupportedAlgorithm from cryptography.hazmat.primitives import hashes, hmac, interfaces -from .utils import generate_base_hmac_test - @utils.register_interface(interfaces.HashAlgorithm) class UnsupportedDummyHash(object): @@ -33,11 +33,16 @@ class UnsupportedDummyHash(object): @pytest.mark.hmac class TestHMAC(object): - test_copy = generate_base_hmac_test( - hashes.MD5(), + @pytest.mark.supported( only_if=lambda backend: backend.hmac_supported(hashes.MD5), skip_message="Does not support MD5", ) + def test_hmac_copy(self, backend): + key = b"ab" + h = hmac.HMAC(binascii.unhexlify(key), hashes.MD5(), backend=backend) + h_copy = h.copy() + assert h != h_copy + assert h._ctx != h_copy._ctx def test_hmac_reject_unicode(self, backend): h = hmac.HMAC(b"mykey", hashes.SHA1(), backend=backend) diff --git a/tests/hazmat/primitives/test_hmac_vectors.py b/tests/hazmat/primitives/test_hmac_vectors.py index 9bc06a2e..c5644459 100644 --- a/tests/hazmat/primitives/test_hmac_vectors.py +++ b/tests/hazmat/primitives/test_hmac_vectors.py @@ -21,6 +21,10 @@ from .utils import generate_hmac_test from ...utils import load_hash_vectors +@pytest.mark.supported( + only_if=lambda backend: backend.hmac_supported(hashes.MD5), + skip_message="Does not support MD5", +) @pytest.mark.hmac class TestHMAC_MD5(object): test_hmac_md5 = generate_hmac_test( @@ -30,11 +34,13 @@ class TestHMAC_MD5(object): "rfc-2202-md5.txt", ], hashes.MD5(), - only_if=lambda backend: backend.hmac_supported(hashes.MD5), - skip_message="Does not support MD5", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hmac_supported(hashes.SHA1), + skip_message="Does not support SHA1", +) @pytest.mark.hmac class TestHMAC_SHA1(object): test_hmac_sha1 = generate_hmac_test( @@ -44,11 +50,13 @@ class TestHMAC_SHA1(object): "rfc-2202-sha1.txt", ], hashes.SHA1(), - only_if=lambda backend: backend.hmac_supported(hashes.SHA1), - skip_message="Does not support SHA1", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hmac_supported(hashes.SHA224), + skip_message="Does not support SHA224", +) @pytest.mark.hmac class TestHMAC_SHA224(object): test_hmac_sha224 = generate_hmac_test( @@ -58,11 +66,13 @@ class TestHMAC_SHA224(object): "rfc-4231-sha224.txt", ], hashes.SHA224(), - only_if=lambda backend: backend.hmac_supported(hashes.SHA224), - skip_message="Does not support SHA224", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hmac_supported(hashes.SHA256), + skip_message="Does not support SHA256", +) @pytest.mark.hmac class TestHMAC_SHA256(object): test_hmac_sha256 = generate_hmac_test( @@ -72,11 +82,13 @@ class TestHMAC_SHA256(object): "rfc-4231-sha256.txt", ], hashes.SHA256(), - only_if=lambda backend: backend.hmac_supported(hashes.SHA256), - skip_message="Does not support SHA256", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hmac_supported(hashes.SHA384), + skip_message="Does not support SHA384", +) @pytest.mark.hmac class TestHMAC_SHA384(object): test_hmac_sha384 = generate_hmac_test( @@ -86,11 +98,13 @@ class TestHMAC_SHA384(object): "rfc-4231-sha384.txt", ], hashes.SHA384(), - only_if=lambda backend: backend.hmac_supported(hashes.SHA384), - skip_message="Does not support SHA384", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hmac_supported(hashes.SHA512), + skip_message="Does not support SHA512", +) @pytest.mark.hmac class TestHMAC_SHA512(object): test_hmac_sha512 = generate_hmac_test( @@ -100,11 +114,13 @@ class TestHMAC_SHA512(object): "rfc-4231-sha512.txt", ], hashes.SHA512(), - only_if=lambda backend: backend.hmac_supported(hashes.SHA512), - skip_message="Does not support SHA512", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hmac_supported(hashes.RIPEMD160), + skip_message="Does not support RIPEMD160", +) @pytest.mark.hmac class TestHMAC_RIPEMD160(object): test_hmac_ripemd160 = generate_hmac_test( @@ -114,6 +130,4 @@ class TestHMAC_RIPEMD160(object): "rfc-2286-ripemd160.txt", ], hashes.RIPEMD160(), - only_if=lambda backend: backend.hmac_supported(hashes.RIPEMD160), - skip_message="Does not support RIPEMD160", ) diff --git a/tests/hazmat/primitives/test_utils.py b/tests/hazmat/primitives/test_utils.py deleted file mode 100644 index c39364c7..00000000 --- a/tests/hazmat/primitives/test_utils.py +++ /dev/null @@ -1,117 +0,0 @@ -import pytest - -from .utils import ( - base_hash_test, encrypt_test, hash_test, long_string_hash_test, - base_hmac_test, hmac_test, stream_encryption_test, aead_test, - aead_exception_test, aead_tag_exception_test, -) - - -class TestEncryptTest(object): - def test_skips_if_only_if_returns_false(self): - with pytest.raises(pytest.skip.Exception) as exc_info: - encrypt_test( - None, None, None, None, - only_if=lambda backend: False, - skip_message="message!" - ) - assert exc_info.value.args[0] == "message!" - - -class TestAEADTest(object): - def test_skips_if_only_if_returns_false(self): - with pytest.raises(pytest.skip.Exception) as exc_info: - aead_test( - None, None, None, None, - only_if=lambda backend: False, - skip_message="message!" - ) - assert exc_info.value.args[0] == "message!" - - -class TestAEADExceptionTest(object): - def test_skips_if_only_if_returns_false(self): - with pytest.raises(pytest.skip.Exception) as exc_info: - aead_exception_test( - None, None, None, - only_if=lambda backend: False, - skip_message="message!" - ) - assert exc_info.value.args[0] == "message!" - - -class TestAEADTagExceptionTest(object): - def test_skips_if_only_if_returns_false(self): - with pytest.raises(pytest.skip.Exception) as exc_info: - aead_tag_exception_test( - None, None, None, - only_if=lambda backend: False, - skip_message="message!" - ) - assert exc_info.value.args[0] == "message!" - - -class TestHashTest(object): - def test_skips_if_only_if_returns_false(self): - with pytest.raises(pytest.skip.Exception) as exc_info: - hash_test( - None, None, None, - only_if=lambda backend: False, - skip_message="message!" - ) - assert exc_info.value.args[0] == "message!" - - -class TestBaseHashTest(object): - def test_skips_if_only_if_returns_false(self): - with pytest.raises(pytest.skip.Exception) as exc_info: - base_hash_test( - None, None, None, None, - only_if=lambda backend: False, - skip_message="message!" - ) - assert exc_info.value.args[0] == "message!" - - -class TestLongHashTest(object): - def test_skips_if_only_if_returns_false(self): - with pytest.raises(pytest.skip.Exception) as exc_info: - long_string_hash_test( - None, None, None, - only_if=lambda backend: False, - skip_message="message!" - ) - assert exc_info.value.args[0] == "message!" - - -class TestHMACTest(object): - def test_skips_if_only_if_returns_false(self): - with pytest.raises(pytest.skip.Exception) as exc_info: - hmac_test( - None, None, None, - only_if=lambda backend: False, - skip_message="message!" - ) - assert exc_info.value.args[0] == "message!" - - -class TestBaseHMACTest(object): - def test_skips_if_only_if_returns_false(self): - with pytest.raises(pytest.skip.Exception) as exc_info: - base_hmac_test( - None, None, - only_if=lambda backend: False, - skip_message="message!" - ) - assert exc_info.value.args[0] == "message!" - - -class TestStreamEncryptionTest(object): - def test_skips_if_only_if_returns_false(self): - with pytest.raises(pytest.skip.Exception) as exc_info: - stream_encryption_test( - None, None, None, - only_if=lambda backend: False, - skip_message="message!" - ) - assert exc_info.value.args[0] == "message!" diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index e0184777..3c962752 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -22,27 +22,17 @@ def _load_all_params(path, file_names, param_loader): def generate_encrypt_test(param_loader, path, file_names, cipher_factory, - mode_factory, only_if, skip_message=None): + mode_factory): all_params = _load_all_params(path, file_names, param_loader) @pytest.mark.parametrize("params", all_params) def test_encryption(self, backend, params): - encrypt_test( - backend, - cipher_factory, - mode_factory, - params, - only_if, - skip_message - ) + encrypt_test(backend, cipher_factory, mode_factory, params) return test_encryption -def encrypt_test(backend, cipher_factory, mode_factory, params, only_if, - skip_message): - if not only_if(backend): - pytest.skip(skip_message) +def encrypt_test(backend, cipher_factory, mode_factory, params): plaintext = params["plaintext"] ciphertext = params["ciphertext"] cipher = Cipher( @@ -61,27 +51,17 @@ def encrypt_test(backend, cipher_factory, mode_factory, params, only_if, def generate_aead_test(param_loader, path, file_names, cipher_factory, - mode_factory, only_if, skip_message): + mode_factory): all_params = _load_all_params(path, file_names, param_loader) @pytest.mark.parametrize("params", all_params) def test_aead(self, backend, params): - aead_test( - backend, - cipher_factory, - mode_factory, - params, - only_if, - skip_message - ) + aead_test(backend, cipher_factory, mode_factory, params) return test_aead -def aead_test(backend, cipher_factory, mode_factory, params, only_if, - skip_message): - if not only_if(backend): - pytest.skip(skip_message) +def aead_test(backend, cipher_factory, mode_factory, params): if params.get("pt") is not None: plaintext = params["pt"] ciphertext = params["ct"] @@ -124,26 +104,16 @@ def aead_test(backend, cipher_factory, mode_factory, params, only_if, def generate_stream_encryption_test(param_loader, path, file_names, - cipher_factory, only_if=None, - skip_message=None): + cipher_factory): all_params = _load_all_params(path, file_names, param_loader) @pytest.mark.parametrize("params", all_params) def test_stream_encryption(self, backend, params): - stream_encryption_test( - backend, - cipher_factory, - params, - only_if, - skip_message - ) + stream_encryption_test(backend, cipher_factory, params) return test_stream_encryption -def stream_encryption_test(backend, cipher_factory, params, only_if, - skip_message): - if not only_if(backend): - pytest.skip(skip_message) +def stream_encryption_test(backend, cipher_factory, params): plaintext = params["plaintext"] ciphertext = params["ciphertext"] offset = params["offset"] @@ -161,25 +131,16 @@ def stream_encryption_test(backend, cipher_factory, params, only_if, assert actual_plaintext == binascii.unhexlify(plaintext) -def generate_hash_test(param_loader, path, file_names, hash_cls, - only_if=None, skip_message=None): +def generate_hash_test(param_loader, path, file_names, hash_cls): all_params = _load_all_params(path, file_names, param_loader) @pytest.mark.parametrize("params", all_params) def test_hash(self, backend, params): - hash_test( - backend, - hash_cls, - params, - only_if, - skip_message - ) + hash_test(backend, hash_cls, params) return test_hash -def hash_test(backend, algorithm, params, only_if, skip_message): - if only_if is not None and not only_if(backend): - pytest.skip(skip_message) +def hash_test(backend, algorithm, params): msg = params[0] md = params[1] m = hashes.Hash(algorithm, backend=backend) @@ -188,25 +149,7 @@ def hash_test(backend, algorithm, params, only_if, skip_message): assert m.finalize() == binascii.unhexlify(expected_md) -def generate_base_hash_test(algorithm, digest_size, block_size, - only_if=None, skip_message=None): - def test_base_hash(self, backend): - base_hash_test( - backend, - algorithm, - digest_size, - block_size, - only_if, - skip_message, - ) - return test_base_hash - - -def base_hash_test(backend, algorithm, digest_size, block_size, only_if, - skip_message): - if only_if is not None and not only_if(backend): - pytest.skip(skip_message) - +def base_hash_test(backend, algorithm, digest_size, block_size): m = hashes.Hash(algorithm, backend=backend) assert m.algorithm.digest_size == digest_size assert m.algorithm.block_size == block_size @@ -221,46 +164,28 @@ def base_hash_test(backend, algorithm, digest_size, block_size, only_if, assert copy.finalize() == m.finalize() -def generate_long_string_hash_test(hash_factory, md, only_if=None, - skip_message=None): +def generate_long_string_hash_test(hash_factory, md): def test_long_string_hash(self, backend): - long_string_hash_test( - backend, - hash_factory, - md, - only_if, - skip_message - ) + long_string_hash_test(backend, hash_factory, md) return test_long_string_hash -def long_string_hash_test(backend, algorithm, md, only_if, skip_message): - if only_if is not None and not only_if(backend): - pytest.skip(skip_message) +def long_string_hash_test(backend, algorithm, md): m = hashes.Hash(algorithm, backend=backend) m.update(b"a" * 1000000) assert m.finalize() == binascii.unhexlify(md.lower().encode("ascii")) -def generate_hmac_test(param_loader, path, file_names, algorithm, - only_if=None, skip_message=None): +def generate_hmac_test(param_loader, path, file_names, algorithm): all_params = _load_all_params(path, file_names, param_loader) @pytest.mark.parametrize("params", all_params) def test_hmac(self, backend, params): - hmac_test( - backend, - algorithm, - params, - only_if, - skip_message - ) + hmac_test(backend, algorithm, params) return test_hmac -def hmac_test(backend, algorithm, params, only_if, skip_message): - if only_if is not None and not only_if(backend): - pytest.skip(skip_message) +def hmac_test(backend, algorithm, params): msg = params[0] md = params[1] key = params[2] @@ -269,44 +194,13 @@ def hmac_test(backend, algorithm, params, only_if, skip_message): assert h.finalize() == binascii.unhexlify(md.encode("ascii")) -def generate_base_hmac_test(hash_cls, only_if=None, skip_message=None): - def test_base_hmac(self, backend): - base_hmac_test( - backend, - hash_cls, - only_if, - skip_message, - ) - return test_base_hmac - - -def base_hmac_test(backend, algorithm, only_if, skip_message): - if only_if is not None and not only_if(backend): - pytest.skip(skip_message) - key = b"ab" - h = hmac.HMAC(binascii.unhexlify(key), algorithm, backend=backend) - h_copy = h.copy() - assert h != h_copy - assert h._ctx != h_copy._ctx - - -def generate_aead_exception_test(cipher_factory, mode_factory, - only_if, skip_message): +def generate_aead_exception_test(cipher_factory, mode_factory): def test_aead_exception(self, backend): - aead_exception_test( - backend, - cipher_factory, - mode_factory, - only_if, - skip_message - ) + aead_exception_test(backend, cipher_factory, mode_factory) return test_aead_exception -def aead_exception_test(backend, cipher_factory, mode_factory, - only_if, skip_message): - if not only_if(backend): - pytest.skip(skip_message) +def aead_exception_test(backend, cipher_factory, mode_factory): cipher = Cipher( cipher_factory(binascii.unhexlify(b"0" * 32)), mode_factory(binascii.unhexlify(b"0" * 24)), @@ -336,23 +230,13 @@ def aead_exception_test(backend, cipher_factory, mode_factory, decryptor.tag -def generate_aead_tag_exception_test(cipher_factory, mode_factory, - only_if, skip_message): +def generate_aead_tag_exception_test(cipher_factory, mode_factory): def test_aead_tag_exception(self, backend): - aead_tag_exception_test( - backend, - cipher_factory, - mode_factory, - only_if, - skip_message - ) + aead_tag_exception_test(backend, cipher_factory, mode_factory) return test_aead_tag_exception -def aead_tag_exception_test(backend, cipher_factory, mode_factory, - only_if, skip_message): - if not only_if(backend): - pytest.skip(skip_message) +def aead_tag_exception_test(backend, cipher_factory, mode_factory): cipher = Cipher( cipher_factory(binascii.unhexlify(b"0" * 32)), mode_factory(binascii.unhexlify(b"0" * 24)), -- cgit v1.2.3 From 5093d97130ff3ae5328d1e6e83e86f1988f1e277 Mon Sep 17 00:00:00 2001 From: Julian Krause Date: Thu, 26 Dec 2013 21:06:07 -0800 Subject: Update documentation on interface as well. --- cryptography/hazmat/primitives/interfaces.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/cryptography/hazmat/primitives/interfaces.py b/cryptography/hazmat/primitives/interfaces.py index c6377df5..4143d644 100644 --- a/cryptography/hazmat/primitives/interfaces.py +++ b/cryptography/hazmat/primitives/interfaces.py @@ -164,7 +164,8 @@ class HashContext(six.with_metaclass(abc.ABCMeta)): """ @abc.abstractmethod - def verify(self, sig): + def verify(self, signature): """ - compare digest to sig and raise exception if not equal. + Compare hash digest to signature and raises InvalidSignature + they are not equal. """ -- cgit v1.2.3 From 831467cce6c2a2b916e30914635924042b15ed2d Mon Sep 17 00:00:00 2001 From: Julian Krause Date: Thu, 26 Dec 2013 21:12:58 -0800 Subject: Documentation clarity and grammer fixes. --- cryptography/hazmat/primitives/interfaces.py | 2 +- docs/exceptions.rst | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cryptography/hazmat/primitives/interfaces.py b/cryptography/hazmat/primitives/interfaces.py index 4143d644..371701a4 100644 --- a/cryptography/hazmat/primitives/interfaces.py +++ b/cryptography/hazmat/primitives/interfaces.py @@ -167,5 +167,5 @@ class HashContext(six.with_metaclass(abc.ABCMeta)): def verify(self, signature): """ Compare hash digest to signature and raises InvalidSignature - they are not equal. + if they are not equal. """ diff --git a/docs/exceptions.rst b/docs/exceptions.rst index 8be2c48c..1fbd3267 100644 --- a/docs/exceptions.rst +++ b/docs/exceptions.rst @@ -10,7 +10,7 @@ Exceptions .. class:: InvalidSignature - This is raised when the verify function of a hash function does not + This is raised when the verify method of a hash context does not compare equal. -- cgit v1.2.3 From b808f8cc91e302d4120eefa80c946a7cdcf9a155 Mon Sep 17 00:00:00 2001 From: Julian Krause Date: Thu, 26 Dec 2013 21:47:39 -0800 Subject: Remove verify from Hash. --- cryptography/hazmat/primitives/hashes.py | 11 ++-------- cryptography/hazmat/primitives/interfaces.py | 7 ------- docs/hazmat/primitives/cryptographic-hashes.rst | 8 -------- tests/hazmat/primitives/test_hashes.py | 27 +------------------------ 4 files changed, 3 insertions(+), 50 deletions(-) diff --git a/cryptography/hazmat/primitives/hashes.py b/cryptography/hazmat/primitives/hashes.py index c71377d7..bee188b3 100644 --- a/cryptography/hazmat/primitives/hashes.py +++ b/cryptography/hazmat/primitives/hashes.py @@ -16,8 +16,8 @@ from __future__ import absolute_import, division, print_function import six from cryptography import utils -from cryptography.exceptions import AlreadyFinalized, InvalidSignature -from cryptography.hazmat.primitives import constant_time, interfaces +from cryptography.exceptions import AlreadyFinalized +from cryptography.hazmat.primitives import interfaces @utils.register_interface(interfaces.HashContext) @@ -55,13 +55,6 @@ class Hash(object): self._ctx = None return digest - def verify(self, digest): - if isinstance(digest, six.text_type): - raise TypeError("Unicode-objects must be encoded before verifying") - hash_digest = self.finalize() - if not constant_time.bytes_eq(digest, hash_digest): - raise InvalidSignature("Digest did not match hash digest.") - @utils.register_interface(interfaces.HashAlgorithm) class SHA1(object): diff --git a/cryptography/hazmat/primitives/interfaces.py b/cryptography/hazmat/primitives/interfaces.py index 371701a4..e87c9ca9 100644 --- a/cryptography/hazmat/primitives/interfaces.py +++ b/cryptography/hazmat/primitives/interfaces.py @@ -162,10 +162,3 @@ class HashContext(six.with_metaclass(abc.ABCMeta)): """ Return a HashContext that is a copy of the current context. """ - - @abc.abstractmethod - def verify(self, signature): - """ - Compare hash digest to signature and raises InvalidSignature - if they are not equal. - """ diff --git a/docs/hazmat/primitives/cryptographic-hashes.rst b/docs/hazmat/primitives/cryptographic-hashes.rst index f00dd3f5..38347378 100644 --- a/docs/hazmat/primitives/cryptographic-hashes.rst +++ b/docs/hazmat/primitives/cryptographic-hashes.rst @@ -70,14 +70,6 @@ Message Digests :return bytes: The message digest as bytes. - .. method:: verify(digest) - - Finalize the current context and securely compare that digest to ``digest``. - - :param bytes digest: Received hash digest - :raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize` - :raises cryptography.exceptions.InvalidSignature: If hash digest does not match digest - .. _cryptographic-hash-algorithms: diff --git a/tests/hazmat/primitives/test_hashes.py b/tests/hazmat/primitives/test_hashes.py index 69d0773a..45faaab2 100644 --- a/tests/hazmat/primitives/test_hashes.py +++ b/tests/hazmat/primitives/test_hashes.py @@ -20,9 +20,7 @@ import pytest import six from cryptography import utils -from cryptography.exceptions import ( - AlreadyFinalized, UnsupportedAlgorithm, InvalidSignature -) +from cryptography.exceptions import AlreadyFinalized, UnsupportedAlgorithm from cryptography.hazmat.primitives import hashes, interfaces from .utils import generate_base_hash_test @@ -66,29 +64,6 @@ class TestHashContext(object): with pytest.raises(AlreadyFinalized): h.finalize() - def test_verify(self, backend): - h = hashes.Hash(hashes.SHA1(), backend=backend) - digest = h.finalize() - - h = hashes.Hash(hashes.SHA1(), backend=backend) - h.verify(digest) - - with pytest.raises(AlreadyFinalized): - h.verify(b'') - - def test_invalid_verify(self, backend): - h = hashes.Hash(hashes.SHA1(), backend=backend) - with pytest.raises(InvalidSignature): - h.verify(b'') - - with pytest.raises(AlreadyFinalized): - h.verify(b'') - - def test_verify_reject_unicode(self, backend): - h = hashes.Hash(hashes.SHA1(), backend=backend) - with pytest.raises(TypeError): - h.verify(six.u('')) - def test_unsupported_hash(self, backend): with pytest.raises(UnsupportedAlgorithm): hashes.Hash(UnsupportedDummyHash(), backend) -- cgit v1.2.3 From c7dfd526f8fa9cbca2b9937f110ac9d3160442dd Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Fri, 27 Dec 2013 13:38:16 -0500 Subject: remove parameter names, fix some spacing --- cryptography/hazmat/backends/openssl/asn1.py | 2 +- cryptography/hazmat/backends/openssl/objects.py | 26 ++++++++++++------------- cryptography/hazmat/backends/openssl/rsa.py | 2 +- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/asn1.py b/cryptography/hazmat/backends/openssl/asn1.py index ec25c225..07bb32f9 100644 --- a/cryptography/hazmat/backends/openssl/asn1.py +++ b/cryptography/hazmat/backends/openssl/asn1.py @@ -118,7 +118,7 @@ int ASN1_INTEGER_cmp(ASN1_INTEGER *, ASN1_INTEGER *); long ASN1_INTEGER_get(ASN1_INTEGER *); BIGNUM *ASN1_INTEGER_to_BN(ASN1_INTEGER *, BIGNUM *); -ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai); +ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *, ASN1_INTEGER *); """ CUSTOMIZATIONS = """ diff --git a/cryptography/hazmat/backends/openssl/objects.py b/cryptography/hazmat/backends/openssl/objects.py index b3a2c2c9..aff1c496 100644 --- a/cryptography/hazmat/backends/openssl/objects.py +++ b/cryptography/hazmat/backends/openssl/objects.py @@ -19,19 +19,19 @@ TYPES = """ """ FUNCTIONS = """ -ASN1_OBJECT * OBJ_nid2obj(int n); -const char * OBJ_nid2ln(int n); -const char * OBJ_nid2sn(int n); -int OBJ_obj2nid(const ASN1_OBJECT *o); -int OBJ_ln2nid(const char *ln); -int OBJ_sn2nid(const char *sn); -int OBJ_txt2nid(const char *s); -ASN1_OBJECT * OBJ_txt2obj(const char *s, int no_name); -int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name); -int OBJ_cmp(const ASN1_OBJECT *a,const ASN1_OBJECT *b); -ASN1_OBJECT * OBJ_dup(const ASN1_OBJECT *o); -int OBJ_create(const char *oid,const char *sn,const char *ln); -void OBJ_cleanup(void); +ASN1_OBJECT * OBJ_nid2obj(int); +const char * OBJ_nid2ln(int); +const char * OBJ_nid2sn(int); +int OBJ_obj2nid(const ASN1_OBJECT *); +int OBJ_ln2nid(const char *); +int OBJ_sn2nid(const char *); +int OBJ_txt2nid(const char *); +ASN1_OBJECT * OBJ_txt2obj(const char *, int); +int OBJ_obj2txt(char *, int, const ASN1_OBJECT *, int); +int OBJ_cmp(const ASN1_OBJECT *, const ASN1_OBJECT *); +ASN1_OBJECT * OBJ_dup(const ASN1_OBJECT *); +int OBJ_create(const char *, const char *, const char *); +void OBJ_cleanup(); """ MACROS = """ diff --git a/cryptography/hazmat/backends/openssl/rsa.py b/cryptography/hazmat/backends/openssl/rsa.py index f9d9cb59..6cee569a 100644 --- a/cryptography/hazmat/backends/openssl/rsa.py +++ b/cryptography/hazmat/backends/openssl/rsa.py @@ -51,7 +51,7 @@ int RSA_public_decrypt(int, const unsigned char *, unsigned char *, RSA *, int); int RSA_private_decrypt(int, const unsigned char *, unsigned char *, RSA *, int); -int RSA_print(BIO *bp, const RSA *r,int offset); +int RSA_print(BIO *, const RSA *, int); """ MACROS = """ -- cgit v1.2.3 From 3aa5b942364aec3cd6c281802dab18c04e22b0f1 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Fri, 27 Dec 2013 13:58:42 -0500 Subject: Shorten long lines --- cryptography/hazmat/backends/openssl/asn1.py | 6 +++--- cryptography/hazmat/backends/openssl/bignum.py | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/asn1.py b/cryptography/hazmat/backends/openssl/asn1.py index e285954a..3d3a8dea 100644 --- a/cryptography/hazmat/backends/openssl/asn1.py +++ b/cryptography/hazmat/backends/openssl/asn1.py @@ -18,10 +18,10 @@ INCLUDES = """ TYPES = """ /* * XXX This typedef is wrong. - * https://bitbucket.org/cffi/cffi/issue/69/support-for-using-typedef-with-primitive + * https://bitbucket.org/cffi/cffi/issue/69 * http://paste.pound-python.org/show/iJcTUMkKeBeS6yXpZWUU/ - * < fijal> exarkun: I think you want to declare your value too large (e.g. long) - * < fijal> exarkun: that way you'll never pass garbage + * I think you want to declare your value too large (e.g. long) + * that way you'll never pass garbage */ typedef long time_t; diff --git a/cryptography/hazmat/backends/openssl/bignum.py b/cryptography/hazmat/backends/openssl/bignum.py index 4885d5b4..41c9d1e5 100644 --- a/cryptography/hazmat/backends/openssl/bignum.py +++ b/cryptography/hazmat/backends/openssl/bignum.py @@ -19,10 +19,10 @@ TYPES = """ typedef ... BIGNUM; /* * XXX This typedef is wrong. - * https://bitbucket.org/cffi/cffi/issue/69/support-for-using-typedef-with-primitive + * https://bitbucket.org/cffi/cffi/issue/69 * http://paste.pound-python.org/show/iJcTUMkKeBeS6yXpZWUU/ - * < fijal> exarkun: I think you want to declare your value too large (e.g. long) - * < fijal> exarkun: that way you'll never pass garbage + * I think you want to declare your value too large (e.g. long) + * that way you'll never pass garbage */ typedef unsigned long long BN_ULONG; """ -- cgit v1.2.3 From 470a116786e692753ef96da2095d72e5383d417d Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Fri, 27 Dec 2013 14:02:45 -0500 Subject: Use uintptr_t to get sufficiently wide storage for these types even on 32 bit Windows. --- cryptography/hazmat/backends/openssl/asn1.py | 2 +- cryptography/hazmat/backends/openssl/bignum.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/asn1.py b/cryptography/hazmat/backends/openssl/asn1.py index 3d3a8dea..e7c18a52 100644 --- a/cryptography/hazmat/backends/openssl/asn1.py +++ b/cryptography/hazmat/backends/openssl/asn1.py @@ -23,7 +23,7 @@ TYPES = """ * I think you want to declare your value too large (e.g. long) * that way you'll never pass garbage */ -typedef long time_t; +typedef uintptr_t time_t; typedef int ASN1_BOOLEAN; typedef ... ASN1_INTEGER; diff --git a/cryptography/hazmat/backends/openssl/bignum.py b/cryptography/hazmat/backends/openssl/bignum.py index 41c9d1e5..a5ba07b1 100644 --- a/cryptography/hazmat/backends/openssl/bignum.py +++ b/cryptography/hazmat/backends/openssl/bignum.py @@ -24,7 +24,7 @@ typedef ... BIGNUM; * I think you want to declare your value too large (e.g. long) * that way you'll never pass garbage */ -typedef unsigned long long BN_ULONG; +typedef uintptr_t BN_ULONG; """ FUNCTIONS = """ -- cgit v1.2.3 From c9aeb34db5f0a675f60742ea82d67d92ea75865c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 27 Dec 2013 11:07:42 -0800 Subject: A handful of style fixes in the cffi bindings --- cryptography/hazmat/backends/openssl/evp.py | 2 +- cryptography/hazmat/backends/openssl/objects.py | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/evp.py b/cryptography/hazmat/backends/openssl/evp.py index d2297a0e..1f8901bf 100644 --- a/cryptography/hazmat/backends/openssl/evp.py +++ b/cryptography/hazmat/backends/openssl/evp.py @@ -96,7 +96,7 @@ int EVP_VerifyUpdate(EVP_MD_CTX *, const void *, size_t); int EVP_VerifyFinal(EVP_MD_CTX *, const unsigned char *, unsigned int, EVP_PKEY *); -const EVP_MD *EVP_md5(void); +const EVP_MD *EVP_md5(); """ MACROS = """ diff --git a/cryptography/hazmat/backends/openssl/objects.py b/cryptography/hazmat/backends/openssl/objects.py index aff1c496..ad1b8588 100644 --- a/cryptography/hazmat/backends/openssl/objects.py +++ b/cryptography/hazmat/backends/openssl/objects.py @@ -19,17 +19,17 @@ TYPES = """ """ FUNCTIONS = """ -ASN1_OBJECT * OBJ_nid2obj(int); -const char * OBJ_nid2ln(int); -const char * OBJ_nid2sn(int); +ASN1_OBJECT *OBJ_nid2obj(int); +const char *OBJ_nid2ln(int); +const char *OBJ_nid2sn(int); int OBJ_obj2nid(const ASN1_OBJECT *); int OBJ_ln2nid(const char *); int OBJ_sn2nid(const char *); int OBJ_txt2nid(const char *); -ASN1_OBJECT * OBJ_txt2obj(const char *, int); +ASN1_OBJECT *OBJ_txt2obj(const char *, int); int OBJ_obj2txt(char *, int, const ASN1_OBJECT *, int); int OBJ_cmp(const ASN1_OBJECT *, const ASN1_OBJECT *); -ASN1_OBJECT * OBJ_dup(const ASN1_OBJECT *); +ASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *); int OBJ_create(const char *, const char *, const char *); void OBJ_cleanup(); """ -- cgit v1.2.3 From 2dd6cc89f6822ede162ef402f270493b2263d829 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Fri, 27 Dec 2013 16:50:56 -0500 Subject: expand the explanation for this workaround and switch XXX to TODO --- cryptography/hazmat/backends/openssl/asn1.py | 14 ++++++++++++-- cryptography/hazmat/backends/openssl/bignum.py | 14 ++++++++++++-- 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/asn1.py b/cryptography/hazmat/backends/openssl/asn1.py index e7c18a52..fa336cf3 100644 --- a/cryptography/hazmat/backends/openssl/asn1.py +++ b/cryptography/hazmat/backends/openssl/asn1.py @@ -17,9 +17,19 @@ INCLUDES = """ TYPES = """ /* - * XXX This typedef is wrong. - * https://bitbucket.org/cffi/cffi/issue/69 + * TODO: This typedef is wrong. + * + * This is due to limitations of cffi. + * See https://bitbucket.org/cffi/cffi/issue/69 + * + * For another possible work-around (not used here because it involves more + * complicated use of the cffi API which falls outside the general pattern used + * by this package), see * http://paste.pound-python.org/show/iJcTUMkKeBeS6yXpZWUU/ + * + * The work-around used here is to just be sure to declare a type that is at + * least as large as the real type. Maciej explains: + * * I think you want to declare your value too large (e.g. long) * that way you'll never pass garbage */ diff --git a/cryptography/hazmat/backends/openssl/bignum.py b/cryptography/hazmat/backends/openssl/bignum.py index a5ba07b1..599eadc8 100644 --- a/cryptography/hazmat/backends/openssl/bignum.py +++ b/cryptography/hazmat/backends/openssl/bignum.py @@ -18,9 +18,19 @@ INCLUDES = """ TYPES = """ typedef ... BIGNUM; /* - * XXX This typedef is wrong. - * https://bitbucket.org/cffi/cffi/issue/69 + * TODO: This typedef is wrong. + * + * This is due to limitations of cffi. + * See https://bitbucket.org/cffi/cffi/issue/69 + * + * For another possible work-around (not used here because it involves more + * complicated use of the cffi API which falls outside the general pattern used + * by this package), see * http://paste.pound-python.org/show/iJcTUMkKeBeS6yXpZWUU/ + * + * The work-around used here is to just be sure to declare a type that is at + * least as large as the real type. Maciej explains: + * * I think you want to declare your value too large (e.g. long) * that way you'll never pass garbage */ -- cgit v1.2.3 From ec49550b1f29c52164a3f4bca7779e7dc23d397f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 27 Dec 2013 15:51:40 -0600 Subject: change typeerror to valueerror --- tests/test_utils.py | 2 +- tests/utils.py | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/test_utils.py b/tests/test_utils.py index 32daff70..c640367e 100644 --- a/tests/test_utils.py +++ b/tests/test_utils.py @@ -68,7 +68,7 @@ def test_check_backend_support_no_backend(): ) item = pretend.stub(keywords={"supported": supported}, funcargs={}) - with pytest.raises(TypeError): + with pytest.raises(ValueError): check_backend_support(item) diff --git a/tests/utils.py b/tests/utils.py index 7ae2eb8b..beb2ca5d 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -30,8 +30,8 @@ def check_backend_support(item): if not supported.kwargs["only_if"](item.funcargs["backend"]): pytest.skip(supported.kwargs["skip_message"]) elif supported: - raise TypeError("This mark is only available on methods that take a " - "backend") + raise ValueError("This mark is only available on methods that take a " + "backend") def load_vectors_from_file(filename, loader): -- cgit v1.2.3 From 3f54e65894d2cc1d31fd760e78be6b641d180bb3 Mon Sep 17 00:00:00 2001 From: Alex Stapleton Date: Fri, 27 Dec 2013 21:58:05 +0000 Subject: Add myself to AUTHORS --- AUTHORS.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/AUTHORS.rst b/AUTHORS.rst index 0ef9958d..953ca55b 100644 --- a/AUTHORS.rst +++ b/AUTHORS.rst @@ -10,3 +10,4 @@ PGP key fingerprints are enclosed in parentheses. * Christian Heimes * Paul Kehrer * Jarret Raim +* Alex Stapleton (A1C7 E50B 66DE 39ED C847 9665 8E3C 20D1 9BD9 5C4C) -- cgit v1.2.3 From ccf0d901501245dacc01bec6648f6e1b872d2bf4 Mon Sep 17 00:00:00 2001 From: Alex Stapleton Date: Fri, 27 Dec 2013 22:27:58 +0000 Subject: ASN1_ITEM_ptr always has a const return type --- cryptography/hazmat/backends/openssl/asn1.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cryptography/hazmat/backends/openssl/asn1.py b/cryptography/hazmat/backends/openssl/asn1.py index a186d592..15991767 100644 --- a/cryptography/hazmat/backends/openssl/asn1.py +++ b/cryptography/hazmat/backends/openssl/asn1.py @@ -102,7 +102,7 @@ ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **, const unsigned char **, long, MACROS = """ ASN1_TIME *M_ASN1_TIME_dup(void *); -ASN1_ITEM_EXP *ASN1_ITEM_ptr(ASN1_ITEM_EXP *); +const ASN1_ITEM *ASN1_ITEM_ptr(ASN1_ITEM_EXP *); /* These aren't macros these arguments are all const X on openssl > 1.0.x */ -- cgit v1.2.3 From b078d8e1f446a1d2d13453e65e37fbaf4f6b17f2 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 27 Dec 2013 16:33:14 -0600 Subject: re-add some removed generators to simplify patch --- tests/hazmat/primitives/test_hashes.py | 107 +++++++++++++++++++++------------ tests/hazmat/primitives/test_hmac.py | 24 ++++---- tests/hazmat/primitives/utils.py | 20 ++++++ 3 files changed, 101 insertions(+), 50 deletions(-) diff --git a/tests/hazmat/primitives/test_hashes.py b/tests/hazmat/primitives/test_hashes.py index d52021eb..c907ef61 100644 --- a/tests/hazmat/primitives/test_hashes.py +++ b/tests/hazmat/primitives/test_hashes.py @@ -23,7 +23,7 @@ from cryptography import utils from cryptography.exceptions import AlreadyFinalized, UnsupportedAlgorithm from cryptography.hazmat.primitives import hashes, interfaces -from .utils import base_hash_test +from .utils import generate_base_hash_test @utils.register_interface(interfaces.HashAlgorithm) @@ -69,44 +69,69 @@ class TestHashContext(object): hashes.Hash(UnsupportedDummyHash(), backend) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.SHA1), + skip_message="Does not support SHA1", +) @pytest.mark.hash -class TestHashes(object): - @pytest.mark.supported( - only_if=lambda backend: backend.hash_supported(hashes.SHA1), - skip_message="Does not support SHA1", +class TestSHA1(object): + test_SHA1 = generate_base_hash_test( + hashes.SHA1(), + digest_size=20, + block_size=64, ) - def test_SHA1(self, backend): - base_hash_test(backend, hashes.SHA1(), digest_size=20, block_size=64) - @pytest.mark.supported( - only_if=lambda backend: backend.hash_supported(hashes.SHA224), - skip_message="Does not support SHA224", + +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.SHA224), + skip_message="Does not support SHA224", +) +@pytest.mark.hash +class TestSHA224(object): + test_SHA224 = generate_base_hash_test( + hashes.SHA224(), + digest_size=28, + block_size=64, ) - def test_SHA224(self, backend): - base_hash_test(backend, hashes.SHA224(), digest_size=28, block_size=64) - @pytest.mark.supported( - only_if=lambda backend: backend.hash_supported(hashes.SHA256), - skip_message="Does not support SHA256", + +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.SHA256), + skip_message="Does not support SHA256", +) +@pytest.mark.hash +class TestSHA256(object): + test_SHA256 = generate_base_hash_test( + hashes.SHA256(), + digest_size=32, + block_size=64, ) - def test_SHA256(self, backend): - base_hash_test(backend, hashes.SHA256(), digest_size=32, block_size=64) - @pytest.mark.supported( - only_if=lambda backend: backend.hash_supported(hashes.SHA384), - skip_message="Does not support SHA384", + +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.SHA384), + skip_message="Does not support SHA384", +) +@pytest.mark.hash +class TestSHA384(object): + test_SHA384 = generate_base_hash_test( + hashes.SHA384(), + digest_size=48, + block_size=128, ) - def test_SHA384(self, backend): - base_hash_test(backend, hashes.SHA384(), - digest_size=48, block_size=128) - @pytest.mark.supported( - only_if=lambda backend: backend.hash_supported(hashes.SHA512), - skip_message="Does not support SHA512", + +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.SHA512), + skip_message="Does not support SHA512", +) +@pytest.mark.hash +class TestSHA512(object): + test_SHA512 = generate_base_hash_test( + hashes.SHA512(), + digest_size=64, + block_size=128, ) - def test_SHA512(self, backend): - base_hash_test(backend, hashes.SHA512(), - digest_size=64, block_size=128) @pytest.mark.supported( @@ -115,9 +140,11 @@ class TestHashes(object): ) @pytest.mark.hash class TestRIPEMD160(object): - def test_RIPEMD160(self, backend): - base_hash_test(backend, hashes.RIPEMD160(), - digest_size=20, block_size=64) + test_RIPEMD160 = generate_base_hash_test( + hashes.RIPEMD160(), + digest_size=20, + block_size=64, + ) @pytest.mark.supported( @@ -126,9 +153,11 @@ class TestRIPEMD160(object): ) @pytest.mark.hash class TestWhirlpool(object): - def test_Whirlpool(self, backend): - base_hash_test(backend, hashes.Whirlpool(), - digest_size=64, block_size=64) + test_Whirlpool = generate_base_hash_test( + hashes.Whirlpool(), + digest_size=64, + block_size=64, + ) @pytest.mark.supported( @@ -137,6 +166,8 @@ class TestWhirlpool(object): ) @pytest.mark.hash class TestMD5(object): - def test_MD5(self, backend): - base_hash_test(backend, hashes.MD5(), - digest_size=16, block_size=64) + test_MD5 = generate_base_hash_test( + hashes.MD5(), + digest_size=16, + block_size=64, + ) diff --git a/tests/hazmat/primitives/test_hmac.py b/tests/hazmat/primitives/test_hmac.py index c216dd4d..924e2167 100644 --- a/tests/hazmat/primitives/test_hmac.py +++ b/tests/hazmat/primitives/test_hmac.py @@ -13,8 +13,6 @@ from __future__ import absolute_import, division, print_function -import binascii - import pretend import pytest @@ -25,25 +23,27 @@ from cryptography import utils from cryptography.exceptions import AlreadyFinalized, UnsupportedAlgorithm from cryptography.hazmat.primitives import hashes, hmac, interfaces +from .utils import generate_base_hmac_test + @utils.register_interface(interfaces.HashAlgorithm) class UnsupportedDummyHash(object): name = "unsupported-dummy-hash" +@pytest.mark.supported( + only_if=lambda backend: backend.hmac_supported(hashes.MD5), + skip_message="Does not support MD5", +) @pytest.mark.hmac -class TestHMAC(object): - @pytest.mark.supported( - only_if=lambda backend: backend.hmac_supported(hashes.MD5), - skip_message="Does not support MD5", +class TestHMACCopy(object): + test_copy = generate_base_hmac_test( + hashes.MD5(), ) - def test_hmac_copy(self, backend): - key = b"ab" - h = hmac.HMAC(binascii.unhexlify(key), hashes.MD5(), backend=backend) - h_copy = h.copy() - assert h != h_copy - assert h._ctx != h_copy._ctx + +@pytest.mark.hmac +class TestHMAC(object): def test_hmac_reject_unicode(self, backend): h = hmac.HMAC(b"mykey", hashes.SHA1(), backend=backend) with pytest.raises(TypeError): diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 3c962752..cdcf84cb 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -149,6 +149,12 @@ def hash_test(backend, algorithm, params): assert m.finalize() == binascii.unhexlify(expected_md) +def generate_base_hash_test(algorithm, digest_size, block_size): + def test_base_hash(self, backend): + base_hash_test(backend, algorithm, digest_size, block_size) + return test_base_hash + + def base_hash_test(backend, algorithm, digest_size, block_size): m = hashes.Hash(algorithm, backend=backend) assert m.algorithm.digest_size == digest_size @@ -176,6 +182,20 @@ def long_string_hash_test(backend, algorithm, md): assert m.finalize() == binascii.unhexlify(md.lower().encode("ascii")) +def generate_base_hmac_test(hash_cls): + def test_base_hmac(self, backend): + base_hmac_test(backend, hash_cls) + return test_base_hmac + + +def base_hmac_test(backend, algorithm): + key = b"ab" + h = hmac.HMAC(binascii.unhexlify(key), algorithm, backend=backend) + h_copy = h.copy() + assert h != h_copy + assert h._ctx != h_copy._ctx + + def generate_hmac_test(param_loader, path, file_names, algorithm): all_params = _load_all_params(path, file_names, param_loader) -- cgit v1.2.3 From 047dab8e76639ef2682c78b899ee9ba1f7ba28f8 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 27 Dec 2013 16:45:52 -0600 Subject: update style guide docs to reflect change to (void) --- docs/contributing.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/contributing.rst b/docs/contributing.rst index 620e1b6a..139f7f3b 100644 --- a/docs/contributing.rst +++ b/docs/contributing.rst @@ -110,14 +110,14 @@ Don't name parameters: ...; }; -Don't include stray ``void`` parameters: +Include ``void`` if the function takes no arguments: .. code-block:: c // Good - long f(); - // Bad long f(void); + // Bad + long f(); Wrap lines at 80 characters like so: -- cgit v1.2.3 From 01e9886f9bade642512829c21dbfeddcda978e71 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 27 Dec 2013 16:48:07 -0600 Subject: convert all functions without args from () to (void) --- cryptography/hazmat/backends/openssl/asn1.py | 12 +++++----- cryptography/hazmat/backends/openssl/bignum.py | 2 +- cryptography/hazmat/backends/openssl/bio.py | 14 ++++++------ cryptography/hazmat/backends/openssl/crypto.py | 8 +++---- cryptography/hazmat/backends/openssl/dh.py | 2 +- cryptography/hazmat/backends/openssl/engine.py | 10 ++++----- cryptography/hazmat/backends/openssl/err.py | 12 +++++----- cryptography/hazmat/backends/openssl/evp.py | 10 ++++----- cryptography/hazmat/backends/openssl/rand.py | 6 ++--- cryptography/hazmat/backends/openssl/rsa.py | 2 +- cryptography/hazmat/backends/openssl/ssl.py | 28 ++++++++++++------------ cryptography/hazmat/backends/openssl/x509.py | 16 +++++++------- cryptography/hazmat/backends/openssl/x509name.py | 2 +- 13 files changed, 62 insertions(+), 62 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/asn1.py b/cryptography/hazmat/backends/openssl/asn1.py index 6a309ee1..f7e4f07e 100644 --- a/cryptography/hazmat/backends/openssl/asn1.py +++ b/cryptography/hazmat/backends/openssl/asn1.py @@ -68,7 +68,7 @@ static const int MBSTRING_UTF8; """ FUNCTIONS = """ -ASN1_OBJECT *ASN1_OBJECT_new(); +ASN1_OBJECT *ASN1_OBJECT_new(void); void ASN1_OBJECT_free(ASN1_OBJECT *); /* ASN1 OBJECT IDENTIFIER */ @@ -76,7 +76,7 @@ ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **, const unsigned char **, long); int i2d_ASN1_OBJECT(ASN1_OBJECT *, unsigned char **); /* ASN1 STRING */ -ASN1_STRING *ASN1_STRING_new(); +ASN1_STRING *ASN1_STRING_new(void); ASN1_STRING *ASN1_STRING_type_new(int); void ASN1_STRING_free(ASN1_STRING *); unsigned char *ASN1_STRING_data(ASN1_STRING *); @@ -85,18 +85,18 @@ int ASN1_STRING_type(ASN1_STRING *); int ASN1_STRING_to_UTF8(unsigned char **, ASN1_STRING *); /* ASN1 OCTET STRING */ -ASN1_OCTET_STRING *ASN1_OCTET_STRING_new(); +ASN1_OCTET_STRING *ASN1_OCTET_STRING_new(void); void ASN1_OCTET_STRING_free(ASN1_OCTET_STRING *); int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *, const unsigned char *, int); /* ASN1 INTEGER */ -ASN1_INTEGER *ASN1_INTEGER_new(); +ASN1_INTEGER *ASN1_INTEGER_new(void); void ASN1_INTEGER_free(ASN1_INTEGER *); int ASN1_INTEGER_set(ASN1_INTEGER *, long); int i2a_ASN1_INTEGER(BIO *, ASN1_INTEGER *); /* ASN1 TIME */ -ASN1_TIME *ASN1_TIME_new(); +ASN1_TIME *ASN1_TIME_new(void); ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *, ASN1_GENERALIZEDTIME **); @@ -109,7 +109,7 @@ void ASN1_GENERALIZEDTIME_free(ASN1_GENERALIZEDTIME *); int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *); /* ASN1 ENUMERATED */ -ASN1_ENUMERATED *ASN1_ENUMERATED_new(); +ASN1_ENUMERATED *ASN1_ENUMERATED_new(void); void ASN1_ENUMERATED_free(ASN1_ENUMERATED *); int ASN1_ENUMERATED_set(ASN1_ENUMERATED *, long); diff --git a/cryptography/hazmat/backends/openssl/bignum.py b/cryptography/hazmat/backends/openssl/bignum.py index 599eadc8..59efd171 100644 --- a/cryptography/hazmat/backends/openssl/bignum.py +++ b/cryptography/hazmat/backends/openssl/bignum.py @@ -38,7 +38,7 @@ typedef uintptr_t BN_ULONG; """ FUNCTIONS = """ -BIGNUM *BN_new(); +BIGNUM *BN_new(void); void BN_free(BIGNUM *); int BN_set_word(BIGNUM *, BN_ULONG); diff --git a/cryptography/hazmat/backends/openssl/bio.py b/cryptography/hazmat/backends/openssl/bio.py index d164804f..9af32b71 100644 --- a/cryptography/hazmat/backends/openssl/bio.py +++ b/cryptography/hazmat/backends/openssl/bio.py @@ -63,16 +63,16 @@ BIO *BIO_pop(BIO *); BIO *BIO_next(BIO *); BIO *BIO_find_type(BIO *, int); int BIO_method_type(const BIO *); -BIO_METHOD *BIO_s_mem(); +BIO_METHOD *BIO_s_mem(void); BIO *BIO_new_mem_buf(void *, int); -BIO_METHOD *BIO_s_file(); +BIO_METHOD *BIO_s_file(void); BIO *BIO_new_file(const char *, const char *); BIO *BIO_new_fp(FILE *, int); -BIO_METHOD *BIO_s_fd(); +BIO_METHOD *BIO_s_fd(void); BIO *BIO_new_fd(int, int); -BIO_METHOD *BIO_s_socket(); +BIO_METHOD *BIO_s_socket(void); BIO *BIO_new_socket(int, int); -BIO_METHOD *BIO_s_null(); +BIO_METHOD *BIO_s_null(void); long BIO_ctrl(BIO *, int, long, void *); long BIO_callback_ctrl( BIO *, @@ -87,8 +87,8 @@ int BIO_read(BIO *, void *, int); int BIO_gets(BIO *, char *, int); int BIO_write(BIO *, const void *, int); int BIO_puts(BIO *, const char *); -BIO_METHOD *BIO_f_null(); -BIO_METHOD *BIO_f_buffer(); +BIO_METHOD *BIO_f_null(void); +BIO_METHOD *BIO_f_buffer(void); """ MACROS = """ diff --git a/cryptography/hazmat/backends/openssl/crypto.py b/cryptography/hazmat/backends/openssl/crypto.py index 71d32c52..5e995023 100644 --- a/cryptography/hazmat/backends/openssl/crypto.py +++ b/cryptography/hazmat/backends/openssl/crypto.py @@ -26,17 +26,17 @@ static const int SSLEAY_BUILT_ON; FUNCTIONS = """ void CRYPTO_free(void *); int CRYPTO_mem_ctrl(int); -int CRYPTO_is_mem_check_on(); +int CRYPTO_is_mem_check_on(void); void CRYPTO_mem_leaks(struct bio_st *); -void CRYPTO_cleanup_all_ex_data(); +void CRYPTO_cleanup_all_ex_data(void); void OPENSSL_free(void *); """ MACROS = """ void CRYPTO_add(int *, int, int); -void CRYPTO_malloc_init(); -void CRYPTO_malloc_debug_init(); +void CRYPTO_malloc_init(void); +void CRYPTO_malloc_debug_init(void); #define CRYPTO_MEM_CHECK_ON ... #define CRYPTO_MEM_CHECK_OFF ... diff --git a/cryptography/hazmat/backends/openssl/dh.py b/cryptography/hazmat/backends/openssl/dh.py index 56fa8b46..3c12fbc6 100644 --- a/cryptography/hazmat/backends/openssl/dh.py +++ b/cryptography/hazmat/backends/openssl/dh.py @@ -20,7 +20,7 @@ typedef ... DH; """ FUNCTIONS = """ -DH *DH_new(); +DH *DH_new(void); void DH_free(DH *); """ diff --git a/cryptography/hazmat/backends/openssl/engine.py b/cryptography/hazmat/backends/openssl/engine.py index cc214f84..640ef18c 100644 --- a/cryptography/hazmat/backends/openssl/engine.py +++ b/cryptography/hazmat/backends/openssl/engine.py @@ -20,8 +20,8 @@ typedef ... ENGINE; """ FUNCTIONS = """ -ENGINE *ENGINE_get_first(); -ENGINE *ENGINE_get_last(); +ENGINE *ENGINE_get_first(void); +ENGINE *ENGINE_get_last(void); ENGINE *ENGINE_get_next(ENGINE *); ENGINE *ENGINE_get_prev(ENGINE *); int ENGINE_add(ENGINE *); @@ -30,9 +30,9 @@ ENGINE *ENGINE_by_id(const char *); int ENGINE_init(ENGINE *); int ENGINE_finish(ENGINE *); int ENGINE_free(ENGINE *); -void ENGINE_cleanup(); -void ENGINE_load_dynamic(); -void ENGINE_load_builtin_engines(); +void ENGINE_cleanup(void); +void ENGINE_load_dynamic(void); +void ENGINE_load_builtin_engines(void); int ENGINE_ctrl_cmd_string(ENGINE *, const char *, const char *, int); int ENGINE_set_default(ENGINE *, unsigned int); int ENGINE_register_complete(ENGINE *); diff --git a/cryptography/hazmat/backends/openssl/err.py b/cryptography/hazmat/backends/openssl/err.py index 2fb8bbe1..6b2a77b1 100644 --- a/cryptography/hazmat/backends/openssl/err.py +++ b/cryptography/hazmat/backends/openssl/err.py @@ -38,8 +38,8 @@ static const int ASN1_R_BAD_PASSWORD_READ; """ FUNCTIONS = """ -void ERR_load_crypto_strings(); -void ERR_free_strings(); +void ERR_load_crypto_strings(void); +void ERR_free_strings(void); char* ERR_error_string(unsigned long, char *); void ERR_error_string_n(unsigned long, char *, size_t); const char* ERR_lib_error_string(unsigned long); @@ -47,9 +47,9 @@ const char* ERR_func_error_string(unsigned long); const char* ERR_reason_error_string(unsigned long); void ERR_print_errors(BIO *); void ERR_print_errors_fp(FILE *); -unsigned long ERR_get_error(); -unsigned long ERR_peek_error(); -unsigned long ERR_peek_last_error(); +unsigned long ERR_get_error(void); +unsigned long ERR_peek_error(void); +unsigned long ERR_peek_last_error(void); unsigned long ERR_get_error_line(const char **, int *); unsigned long ERR_peek_error_line(const char **, int *); unsigned long ERR_peek_last_error_line(const char **, int *); @@ -61,7 +61,7 @@ unsigned long ERR_peek_last_error_line_data(const char **, int *, const char **, int *); void ERR_put_error(int, int, int, const char *, int); void ERR_add_error_data(int, ...); -int ERR_get_next_error_library(); +int ERR_get_next_error_library(void); """ MACROS = """ diff --git a/cryptography/hazmat/backends/openssl/evp.py b/cryptography/hazmat/backends/openssl/evp.py index 1f8901bf..f1c061dc 100644 --- a/cryptography/hazmat/backends/openssl/evp.py +++ b/cryptography/hazmat/backends/openssl/evp.py @@ -43,7 +43,7 @@ static const int Cryptography_HAS_GCM; """ FUNCTIONS = """ -void OpenSSL_add_all_algorithms(); +void OpenSSL_add_all_algorithms(void); const EVP_CIPHER *EVP_get_cipherbyname(const char *); int EVP_EncryptInit_ex(EVP_CIPHER_CTX *, const EVP_CIPHER *, ENGINE *, @@ -66,11 +66,11 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *); const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *); int EVP_CIPHER_block_size(const EVP_CIPHER *); void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *); -EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(); +EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void); void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *); int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *, int); -EVP_MD_CTX *EVP_MD_CTX_create(); +EVP_MD_CTX *EVP_MD_CTX_create(void); int EVP_MD_CTX_copy_ex(EVP_MD_CTX *, const EVP_MD_CTX *); int EVP_DigestInit_ex(EVP_MD_CTX *, const EVP_MD *, ENGINE *); int EVP_DigestUpdate(EVP_MD_CTX *, const void *, size_t); @@ -81,7 +81,7 @@ const EVP_MD *EVP_get_digestbyname(const char *); const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *); int EVP_MD_size(const EVP_MD *); -EVP_PKEY *EVP_PKEY_new(); +EVP_PKEY *EVP_PKEY_new(void); void EVP_PKEY_free(EVP_PKEY *); int EVP_PKEY_type(int); int EVP_PKEY_bits(EVP_PKEY *); @@ -96,7 +96,7 @@ int EVP_VerifyUpdate(EVP_MD_CTX *, const void *, size_t); int EVP_VerifyFinal(EVP_MD_CTX *, const unsigned char *, unsigned int, EVP_PKEY *); -const EVP_MD *EVP_md5(); +const EVP_MD *EVP_md5(void); """ MACROS = """ diff --git a/cryptography/hazmat/backends/openssl/rand.py b/cryptography/hazmat/backends/openssl/rand.py index 5ac36cac..0e645fbc 100644 --- a/cryptography/hazmat/backends/openssl/rand.py +++ b/cryptography/hazmat/backends/openssl/rand.py @@ -19,17 +19,17 @@ TYPES = """ """ FUNCTIONS = """ -void ERR_load_RAND_strings(); +void ERR_load_RAND_strings(void); void RAND_seed(const void *, int); void RAND_add(const void *, int, double); -int RAND_status(); +int RAND_status(void); int RAND_egd(const char *); int RAND_egd_bytes(const char *, int); int RAND_query_egd_bytes(const char *, unsigned char *, int); const char *RAND_file_name(char *, size_t); int RAND_load_file(const char *, long); int RAND_write_file(const char *); -void RAND_cleanup(); +void RAND_cleanup(void); int RAND_bytes(unsigned char *, int); int RAND_pseudo_bytes(unsigned char *, int); """ diff --git a/cryptography/hazmat/backends/openssl/rsa.py b/cryptography/hazmat/backends/openssl/rsa.py index 6cee569a..a44ca4a6 100644 --- a/cryptography/hazmat/backends/openssl/rsa.py +++ b/cryptography/hazmat/backends/openssl/rsa.py @@ -37,7 +37,7 @@ static const int RSA_F4; """ FUNCTIONS = """ -RSA *RSA_new(); +RSA *RSA_new(void); void RSA_free(RSA *); int RSA_size(const RSA *); int RSA_generate_key_ex(RSA *, int, BIGNUM *, BN_GENCB *); diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index f99c2636..49b142ca 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -132,8 +132,8 @@ static const int TLSEXT_NAMETYPE_host_name; """ FUNCTIONS = """ -void SSL_load_error_strings(); -int SSL_library_init(); +void SSL_load_error_strings(void); +int SSL_library_init(void); /* SSL */ SSL_CTX *SSL_set_SSL_CTX(SSL *, SSL_CTX *); @@ -224,20 +224,20 @@ long SSL_CTX_add_extra_chain_cert(SSL_CTX *, X509 *); * available they will be wrapped, but if they are not they won't cause * problems (like link errors). */ -const SSL_METHOD *SSLv2_method(); -const SSL_METHOD *SSLv2_server_method(); -const SSL_METHOD *SSLv2_client_method(); +const SSL_METHOD *SSLv2_method(void); +const SSL_METHOD *SSLv2_server_method(void); +const SSL_METHOD *SSLv2_client_method(void); /* methods */ -const SSL_METHOD *SSLv3_method(); -const SSL_METHOD *SSLv3_server_method(); -const SSL_METHOD *SSLv3_client_method(); -const SSL_METHOD *TLSv1_method(); -const SSL_METHOD *TLSv1_server_method(); -const SSL_METHOD *TLSv1_client_method(); -const SSL_METHOD *SSLv23_method(); -const SSL_METHOD *SSLv23_server_method(); -const SSL_METHOD *SSLv23_client_method(); +const SSL_METHOD *SSLv3_method(void); +const SSL_METHOD *SSLv3_server_method(void); +const SSL_METHOD *SSLv3_client_method(void); +const SSL_METHOD *TLSv1_method(void); +const SSL_METHOD *TLSv1_server_method(void); +const SSL_METHOD *TLSv1_client_method(void); +const SSL_METHOD *SSLv23_method(void); +const SSL_METHOD *SSLv23_server_method(void); +const SSL_METHOD *SSLv23_client_method(void); /*- These aren't macros these arguments are all const X on openssl > 1.0.x -*/ SSL_CTX *SSL_CTX_new(const SSL_METHOD *); diff --git a/cryptography/hazmat/backends/openssl/x509.py b/cryptography/hazmat/backends/openssl/x509.py index 5cba476e..632efb31 100644 --- a/cryptography/hazmat/backends/openssl/x509.py +++ b/cryptography/hazmat/backends/openssl/x509.py @@ -66,7 +66,7 @@ typedef ... NETSCAPE_SPKI; """ FUNCTIONS = """ -X509 *X509_new(); +X509 *X509_new(void); void X509_free(X509 *); X509 *X509_dup(X509 *); @@ -101,7 +101,7 @@ ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *); void X509_EXTENSION_free(X509_EXTENSION *); int X509_REQ_set_version(X509_REQ *, long); -X509_REQ *X509_REQ_new(); +X509_REQ *X509_REQ_new(void); void X509_REQ_free(X509_REQ *); int X509_REQ_set_pubkey(X509_REQ *, EVP_PKEY *); int X509_REQ_sign(X509_REQ *, EVP_PKEY *, const EVP_MD *); @@ -113,7 +113,7 @@ int X509_REQ_print_ex(BIO *, X509_REQ *, unsigned long, unsigned long); int X509V3_EXT_print(BIO *, X509_EXTENSION *, unsigned long, int); ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *); -X509_REVOKED *X509_REVOKED_new(); +X509_REVOKED *X509_REVOKED_new(void); void X509_REVOKED_free(X509_REVOKED *); int X509_REVOKED_set_serialNumber(X509_REVOKED *, ASN1_INTEGER *); @@ -121,7 +121,7 @@ int X509_REVOKED_set_serialNumber(X509_REVOKED *, ASN1_INTEGER *); int X509_REVOKED_add1_ext_i2d(X509_REVOKED *, int, void *, int, unsigned long); X509_CRL *d2i_X509_CRL_bio(BIO *, X509_CRL **); -X509_CRL *X509_CRL_new(); +X509_CRL *X509_CRL_new(void); void X509_CRL_free(X509_CRL *); int X509_CRL_add0_revoked(X509_CRL *, X509_REVOKED *); int i2d_X509_CRL_bio(BIO *, X509_CRL *); @@ -134,7 +134,7 @@ int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *, EVP_PKEY *, const EVP_MD *); char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *); EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *); int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *, EVP_PKEY *); -NETSCAPE_SPKI *NETSCAPE_SPKI_new(); +NETSCAPE_SPKI *NETSCAPE_SPKI_new(void); void NETSCAPE_SPKI_free(NETSCAPE_SPKI *); /* ASN1 serialization */ @@ -151,7 +151,7 @@ ASN1_INTEGER *X509_get_serialNumber(X509 *); int X509_set_serialNumber(X509 *, ASN1_INTEGER *); /* X509_STORE */ -X509_STORE *X509_STORE_new(); +X509_STORE *X509_STORE_new(void); void X509_STORE_free(X509_STORE *); int X509_STORE_add_cert(X509_STORE *, X509 *); """ @@ -165,13 +165,13 @@ ASN1_TIME *X509_get_notAfter(X509 *); long X509_REQ_get_version(X509_REQ *); X509_NAME *X509_REQ_get_subject_name(X509_REQ *); -struct stack_st_X509 *sk_X509_new_null(); +struct stack_st_X509 *sk_X509_new_null(void); void sk_X509_free(struct stack_st_X509 *); int sk_X509_num(struct stack_st_X509 *); int sk_X509_push(struct stack_st_X509 *, X509 *); X509 *sk_X509_value(struct stack_st_X509 *, int); -X509_EXTENSIONS *sk_X509_EXTENSION_new_null(); +X509_EXTENSIONS *sk_X509_EXTENSION_new_null(void); int sk_X509_EXTENSION_num(X509_EXTENSIONS *); X509_EXTENSION *sk_X509_EXTENSION_value(X509_EXTENSIONS *, int); int sk_X509_EXTENSION_push(X509_EXTENSIONS *, X509_EXTENSION *); diff --git a/cryptography/hazmat/backends/openssl/x509name.py b/cryptography/hazmat/backends/openssl/x509name.py index 4be39b53..0543e387 100644 --- a/cryptography/hazmat/backends/openssl/x509name.py +++ b/cryptography/hazmat/backends/openssl/x509name.py @@ -40,7 +40,7 @@ void X509_NAME_free(X509_NAME *); """ MACROS = """ -struct stack_st_X509_NAME *sk_X509_NAME_new_null(); +struct stack_st_X509_NAME *sk_X509_NAME_new_null(void); int sk_X509_NAME_num(struct stack_st_X509_NAME *); int sk_X509_NAME_push(struct stack_st_X509_NAME *, X509_NAME *); X509_NAME *sk_X509_NAME_value(struct stack_st_X509_NAME *, int); -- cgit v1.2.3 From 08d72a56f9dd110ac246f2dc4b63a82874a95483 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 27 Dec 2013 16:53:55 -0600 Subject: move macro from functions into macros where it belongs --- cryptography/hazmat/backends/openssl/evp.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/evp.py b/cryptography/hazmat/backends/openssl/evp.py index f1c061dc..c426e52e 100644 --- a/cryptography/hazmat/backends/openssl/evp.py +++ b/cryptography/hazmat/backends/openssl/evp.py @@ -43,8 +43,6 @@ static const int Cryptography_HAS_GCM; """ FUNCTIONS = """ -void OpenSSL_add_all_algorithms(void); - const EVP_CIPHER *EVP_get_cipherbyname(const char *); int EVP_EncryptInit_ex(EVP_CIPHER_CTX *, const EVP_CIPHER *, ENGINE *, const unsigned char *, const unsigned char *); @@ -100,6 +98,7 @@ const EVP_MD *EVP_md5(void); """ MACROS = """ +void OpenSSL_add_all_algorithms(void); int EVP_PKEY_assign_RSA(EVP_PKEY *, RSA *); int EVP_PKEY_assign_DSA(EVP_PKEY *, DSA *); int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *); -- cgit v1.2.3 From 1839b19f7ab7795250c662bd2b38fc0bbf1e65a1 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 27 Dec 2013 18:50:52 -0600 Subject: a few missed functions in the () -> (void) migration --- cryptography/hazmat/backends/openssl/objects.py | 2 +- cryptography/hazmat/backends/openssl/ssl.py | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/objects.py b/cryptography/hazmat/backends/openssl/objects.py index ad1b8588..0abc42d6 100644 --- a/cryptography/hazmat/backends/openssl/objects.py +++ b/cryptography/hazmat/backends/openssl/objects.py @@ -31,7 +31,7 @@ int OBJ_obj2txt(char *, int, const ASN1_OBJECT *, int); int OBJ_cmp(const ASN1_OBJECT *, const ASN1_OBJECT *); ASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *); int OBJ_create(const char *, const char *, const char *); -void OBJ_cleanup(); +void OBJ_cleanup(void); """ MACROS = """ diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 49b142ca..fb3b17e6 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -255,9 +255,9 @@ void SSL_CTX_set_tlsext_servername_callback( CUSTOMIZATIONS = """ #ifdef OPENSSL_NO_SSL2 static const long Cryptography_HAS_SSL2 = 0; -SSL_METHOD* (*SSLv2_method)() = NULL; -SSL_METHOD* (*SSLv2_client_method)() = NULL; -SSL_METHOD* (*SSLv2_server_method)() = NULL; +SSL_METHOD* (*SSLv2_method)(void) = NULL; +SSL_METHOD* (*SSLv2_client_method)(void) = NULL; +SSL_METHOD* (*SSLv2_server_method)(void) = NULL; #else static const long Cryptography_HAS_SSL2 = 1; #endif -- cgit v1.2.3 From ccd9c0069f6955e8325ec63853e4609241cbea06 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 27 Dec 2013 20:25:06 -0600 Subject: Convert #defines to explicit type declaration for consistency --- cryptography/hazmat/backends/openssl/bio.py | 85 +++++++++++++------------- cryptography/hazmat/backends/openssl/crypto.py | 8 +-- cryptography/hazmat/backends/openssl/engine.py | 22 ++++--- docs/contributing.rst | 17 ++++++ 4 files changed, 76 insertions(+), 56 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/bio.py b/cryptography/hazmat/backends/openssl/bio.py index 9af32b71..264a2410 100644 --- a/cryptography/hazmat/backends/openssl/bio.py +++ b/cryptography/hazmat/backends/openssl/bio.py @@ -50,6 +50,49 @@ struct bio_st { ...; }; typedef ... BUF_MEM; + +static const int BIO_TYPE_MEM; +static const int BIO_TYPE_FILE; +static const int BIO_TYPE_FD; +static const int BIO_TYPE_SOCKET; +static const int BIO_TYPE_CONNECT; +static const int BIO_TYPE_ACCEPT; +static const int BIO_TYPE_NULL; +static const int BIO_CLOSE; +static const int BIO_NOCLOSE; +static const int BIO_TYPE_SOURCE_SINK; +static const int BIO_CTRL_RESET; +static const int BIO_CTRL_EOF; +static const int BIO_CTRL_SET; +static const int BIO_CTRL_SET_CLOSE; +static const int BIO_CTRL_FLUSH; +static const int BIO_CTRL_DUP; +static const int BIO_CTRL_GET_CLOSE; +static const int BIO_CTRL_INFO; +static const int BIO_CTRL_GET; +static const int BIO_CTRL_PENDING; +static const int BIO_CTRL_WPENDING; +static const int BIO_C_FILE_SEEK; +static const int BIO_C_FILE_TELL; +static const int BIO_TYPE_NONE; +static const int BIO_TYPE_PROXY_CLIENT; +static const int BIO_TYPE_PROXY_SERVER; +static const int BIO_TYPE_NBIO_TEST; +static const int BIO_TYPE_BER; +static const int BIO_TYPE_BIO; +static const int BIO_TYPE_DESCRIPTOR; +static const int BIO_FLAGS_READ; +static const int BIO_FLAGS_WRITE; +static const int BIO_FLAGS_IO_SPECIAL; +static const int BIO_FLAGS_RWS; +static const int BIO_FLAGS_SHOULD_RETRY; +static const int BIO_TYPE_NULL_FILTER; +static const int BIO_TYPE_SSL; +static const int BIO_TYPE_MD; +static const int BIO_TYPE_BUFFER; +static const int BIO_TYPE_CIPHER; +static const int BIO_TYPE_BASE64; +static const int BIO_TYPE_FILTER; """ FUNCTIONS = """ @@ -125,48 +168,6 @@ long BIO_set_read_buffer_size(BIO *, long); long BIO_set_write_buffer_size(BIO *, long); long BIO_set_buffer_size(BIO *, long); long BIO_set_buffer_read_data(BIO *, void *, long); -#define BIO_TYPE_MEM ... -#define BIO_TYPE_FILE ... -#define BIO_TYPE_FD ... -#define BIO_TYPE_SOCKET ... -#define BIO_TYPE_CONNECT ... -#define BIO_TYPE_ACCEPT ... -#define BIO_TYPE_NULL ... -#define BIO_CLOSE ... -#define BIO_NOCLOSE ... -#define BIO_TYPE_SOURCE_SINK ... -#define BIO_CTRL_RESET ... -#define BIO_CTRL_EOF ... -#define BIO_CTRL_SET ... -#define BIO_CTRL_SET_CLOSE ... -#define BIO_CTRL_FLUSH ... -#define BIO_CTRL_DUP ... -#define BIO_CTRL_GET_CLOSE ... -#define BIO_CTRL_INFO ... -#define BIO_CTRL_GET ... -#define BIO_CTRL_PENDING ... -#define BIO_CTRL_WPENDING ... -#define BIO_C_FILE_SEEK ... -#define BIO_C_FILE_TELL ... -#define BIO_TYPE_NONE ... -#define BIO_TYPE_PROXY_CLIENT ... -#define BIO_TYPE_PROXY_SERVER ... -#define BIO_TYPE_NBIO_TEST ... -#define BIO_TYPE_BER ... -#define BIO_TYPE_BIO ... -#define BIO_TYPE_DESCRIPTOR ... -#define BIO_FLAGS_READ ... -#define BIO_FLAGS_WRITE ... -#define BIO_FLAGS_IO_SPECIAL ... -#define BIO_FLAGS_RWS ... -#define BIO_FLAGS_SHOULD_RETRY ... -#define BIO_TYPE_NULL_FILTER ... -#define BIO_TYPE_SSL ... -#define BIO_TYPE_MD ... -#define BIO_TYPE_BUFFER ... -#define BIO_TYPE_CIPHER ... -#define BIO_TYPE_BASE64 ... -#define BIO_TYPE_FILTER ... """ CUSTOMIZATIONS = """ diff --git a/cryptography/hazmat/backends/openssl/crypto.py b/cryptography/hazmat/backends/openssl/crypto.py index 5e995023..8749e2e1 100644 --- a/cryptography/hazmat/backends/openssl/crypto.py +++ b/cryptography/hazmat/backends/openssl/crypto.py @@ -21,6 +21,10 @@ static const int SSLEAY_CFLAGS; static const int SSLEAY_PLATFORM; static const int SSLEAY_DIR; static const int SSLEAY_BUILT_ON; +static const int CRYPTO_MEM_CHECK_ON; +static const int CRYPTO_MEM_CHECK_OFF; +static const int CRYPTO_MEM_CHECK_ENABLE; +static const int CRYPTO_MEM_CHECK_DISABLE; """ FUNCTIONS = """ @@ -38,10 +42,6 @@ void CRYPTO_add(int *, int, int); void CRYPTO_malloc_init(void); void CRYPTO_malloc_debug_init(void); -#define CRYPTO_MEM_CHECK_ON ... -#define CRYPTO_MEM_CHECK_OFF ... -#define CRYPTO_MEM_CHECK_ENABLE ... -#define CRYPTO_MEM_CHECK_DISABLE ... """ CUSTOMIZATIONS = """ diff --git a/cryptography/hazmat/backends/openssl/engine.py b/cryptography/hazmat/backends/openssl/engine.py index 640ef18c..acd92eee 100644 --- a/cryptography/hazmat/backends/openssl/engine.py +++ b/cryptography/hazmat/backends/openssl/engine.py @@ -17,6 +17,17 @@ INCLUDES = """ TYPES = """ typedef ... ENGINE; + +static const unsigned int ENGINE_METHOD_RSA; +static const unsigned int ENGINE_METHOD_DSA; +static const unsigned int ENGINE_METHOD_RAND; +static const unsigned int ENGINE_METHOD_ECDH; +static const unsigned int ENGINE_METHOD_ECDSA; +static const unsigned int ENGINE_METHOD_CIPHERS; +static const unsigned int ENGINE_METHOD_DIGESTS; +static const unsigned int ENGINE_METHOD_STORE; +static const unsigned int ENGINE_METHOD_ALL; +static const unsigned int ENGINE_METHOD_NONE; """ FUNCTIONS = """ @@ -46,19 +57,10 @@ int ENGINE_set_default_DH(ENGINE *); int ENGINE_set_default_RAND(ENGINE *); int ENGINE_set_default_ciphers(ENGINE *); int ENGINE_set_default_digests(ENGINE *); + """ MACROS = """ -#define ENGINE_METHOD_RSA ... -#define ENGINE_METHOD_DSA ... -#define ENGINE_METHOD_RAND ... -#define ENGINE_METHOD_ECDH ... -#define ENGINE_METHOD_ECDSA ... -#define ENGINE_METHOD_CIPHERS ... -#define ENGINE_METHOD_DIGESTS ... -#define ENGINE_METHOD_STORE ... -#define ENGINE_METHOD_ALL ... -#define ENGINE_METHOD_NONE ... """ CUSTOMIZATIONS = """ diff --git a/docs/contributing.rst b/docs/contributing.rst index 139f7f3b..336d2acb 100644 --- a/docs/contributing.rst +++ b/docs/contributing.rst @@ -136,6 +136,23 @@ Include a space after commas between parameters: // Bad long f(int,char *) +Values set by #define should be assigned the appropriate type. If you see +this: + +.. code-block:: c + + #define SOME_INTEGER 0x0; + #define SOME_UINTEGER (unsigned int)0x0001; + #define SOME_STRING "hello"; + +...it should be added to the bindings like so: + +.. code-block:: c + + static const int SOME_INTEGER; + static const unsigned int SOME_UINTEGER; + static char *const SOME_STRING; + Documentation ------------- -- cgit v1.2.3 From 745ee07dcf72bee4dab1d807779be6449a81b96f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 27 Dec 2013 20:42:54 -0600 Subject: Fix docs --- docs/contributing.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/contributing.rst b/docs/contributing.rst index 336d2acb..63c99530 100644 --- a/docs/contributing.rst +++ b/docs/contributing.rst @@ -136,7 +136,7 @@ Include a space after commas between parameters: // Bad long f(int,char *) -Values set by #define should be assigned the appropriate type. If you see +Values set by ``#define`` should be assigned the appropriate type. If you see this: .. code-block:: c -- cgit v1.2.3 From b232b627d50f73ae54bcadf46b273a0794d0d8b3 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Sat, 28 Dec 2013 08:54:51 -0500 Subject: expose SSLeay and SSLeay_version --- cryptography/hazmat/backends/openssl/crypto.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cryptography/hazmat/backends/openssl/crypto.py b/cryptography/hazmat/backends/openssl/crypto.py index 5e995023..45e265d1 100644 --- a/cryptography/hazmat/backends/openssl/crypto.py +++ b/cryptography/hazmat/backends/openssl/crypto.py @@ -24,6 +24,9 @@ static const int SSLEAY_BUILT_ON; """ FUNCTIONS = """ +unsigned long SSLeay(void); +const char *SSLeay_version(int); + void CRYPTO_free(void *); int CRYPTO_mem_ctrl(int); int CRYPTO_is_mem_check_on(void); -- cgit v1.2.3 From b4b58c37a9b86fc609c5f7b695bd1bd082fd8a77 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Sat, 28 Dec 2013 08:55:50 -0500 Subject: add the missing SSL_get_servername prototype (already handled in the existing SNI conditional section) --- cryptography/hazmat/backends/openssl/ssl.py | 1 + 1 file changed, 1 insertion(+) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index fb3b17e6..596db05b 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -246,6 +246,7 @@ long SSL_CTX_get_timeout(const SSL_CTX *); /* SNI APIs were introduced in OpenSSL 1.0.0. To continue to support * earlier versions some special handling of these is necessary. */ +const char *SSL_get_servername(const SSL *, const int); void SSL_set_tlsext_host_name(SSL *, char *); void SSL_CTX_set_tlsext_servername_callback( SSL_CTX *, -- cgit v1.2.3 From 7c243875f34a47d3c552634a00440c846855c3a2 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Sat, 28 Dec 2013 08:56:34 -0500 Subject: expose SSL_get_peer_cert_chain, SSL_get_client_CA_list, and SSL_CTX_set_client_CA_list --- cryptography/hazmat/backends/openssl/ssl.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index fb3b17e6..7a1219b0 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -157,6 +157,13 @@ int SSL_pending(const SSL *); int SSL_write(SSL *, const void *, int); int SSL_read(SSL *, void *, int); X509 *SSL_get_peer_certificate(const SSL *); + +/* OpenSSL defines these with STACK_OF(...) instead stack_st_... of but the + * STACK_OF macro does not play well with cffi. + */ +struct stack_st_X509 *SSL_get_peer_cert_chain(const SSL *); +struct stack_st_X509_NAME *SSL_get_client_CA_list(const SSL *s); + int SSL_get_error(const SSL *, int); int SSL_do_handshake(SSL *); int SSL_shutdown(SSL *); @@ -186,6 +193,11 @@ void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *); X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *); int SSL_CTX_add_client_CA(SSL_CTX *, X509 *); +/* See comment above about STACK_OF(...) vs stack_st_... + */ +void SSL_CTX_set_client_CA_list(SSL_CTX *, struct stack_st_X509_NAME *); + + /* X509_STORE_CTX */ int X509_STORE_CTX_get_error(X509_STORE_CTX *); void X509_STORE_CTX_set_error(X509_STORE_CTX *, int); -- cgit v1.2.3 From db78cfdb6c7f28e57346c44097a9c17c24ecdb2b Mon Sep 17 00:00:00 2001 From: Alex Stapleton Date: Sat, 28 Dec 2013 16:51:14 +0000 Subject: sk_X509_EXTENSION_delete returns X509_EXTENSION* --- cryptography/hazmat/backends/openssl/x509.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cryptography/hazmat/backends/openssl/x509.py b/cryptography/hazmat/backends/openssl/x509.py index 632efb31..ea46256b 100644 --- a/cryptography/hazmat/backends/openssl/x509.py +++ b/cryptography/hazmat/backends/openssl/x509.py @@ -175,7 +175,7 @@ X509_EXTENSIONS *sk_X509_EXTENSION_new_null(void); int sk_X509_EXTENSION_num(X509_EXTENSIONS *); X509_EXTENSION *sk_X509_EXTENSION_value(X509_EXTENSIONS *, int); int sk_X509_EXTENSION_push(X509_EXTENSIONS *, X509_EXTENSION *); -void sk_X509_EXTENSION_delete(X509_EXTENSIONS *, int); +X509_EXTENSION *sk_X509_EXTENSION_delete(X509_EXTENSIONS *, int); void sk_X509_EXTENSION_free(X509_EXTENSIONS *); int sk_X509_REVOKED_num(struct stack_st_X509_REVOKED *); -- cgit v1.2.3 From 9020b4845a8667a2f400a0fb1b5138cb8d51eaca Mon Sep 17 00:00:00 2001 From: Alex Stapleton Date: Sat, 28 Dec 2013 16:28:59 +0000 Subject: String literals are const char*. GCC won't whine with -Wall because so much code isn't const correct but writing to a string literal is undefined. -Wwrite-strings is the warning flag to enable to spot these. --- cryptography/hazmat/backends/openssl/opensslv.py | 2 +- docs/contributing.rst | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/opensslv.py b/cryptography/hazmat/backends/openssl/opensslv.py index 4e110327..397f4ca2 100644 --- a/cryptography/hazmat/backends/openssl/opensslv.py +++ b/cryptography/hazmat/backends/openssl/opensslv.py @@ -17,7 +17,7 @@ INCLUDES = """ TYPES = """ static const int OPENSSL_VERSION_NUMBER; -static char *const OPENSSL_VERSION_TEXT; +static const char *const OPENSSL_VERSION_TEXT; """ FUNCTIONS = """ diff --git a/docs/contributing.rst b/docs/contributing.rst index 63c99530..657c4359 100644 --- a/docs/contributing.rst +++ b/docs/contributing.rst @@ -141,17 +141,17 @@ this: .. code-block:: c - #define SOME_INTEGER 0x0; - #define SOME_UINTEGER (unsigned int)0x0001; - #define SOME_STRING "hello"; + #define SOME_INTEGER_LITERAL 0x0; + #define SOME_UNSIGNED_INTEGER_LITERAL 0x0001U; + #define SOME_STRING_LITERAL "hello"; ...it should be added to the bindings like so: .. code-block:: c - static const int SOME_INTEGER; - static const unsigned int SOME_UINTEGER; - static char *const SOME_STRING; + static const int SOME_INTEGER_LITERAL; + static const unsigned int SOME_UNSIGNED_INTEGER_LITERAL; + static const char *const SOME_STRING_LITERAL; Documentation ------------- -- cgit v1.2.3 From 6c56e254932021e73aca04d1b1c71fb8ce9a95ea Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Sat, 28 Dec 2013 12:47:43 -0500 Subject: simplify a bit - just try tackling one problem at a time. and add some more typedefs that maybe should help (still broken though) --- cryptography/hazmat/backends/openssl/ssl.py | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 7a1219b0..071ec503 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -110,6 +110,8 @@ static const int X509_V_OK; typedef ... SSL_METHOD; typedef ... SSL_CTX; +typedef ... Cryptography_STACK_OF_X509; + typedef struct { int master_key_length; unsigned char master_key[...]; @@ -158,11 +160,13 @@ int SSL_write(SSL *, const void *, int); int SSL_read(SSL *, void *, int); X509 *SSL_get_peer_certificate(const SSL *); -/* OpenSSL defines these with STACK_OF(...) instead stack_st_... of but the - * STACK_OF macro does not play well with cffi. +/* + * OpenSSL defines these with STACK_OF(...) but the STACK_OF macro does not + * play well with cffi. */ -struct stack_st_X509 *SSL_get_peer_cert_chain(const SSL *); -struct stack_st_X509_NAME *SSL_get_client_CA_list(const SSL *s); + +Cryptography_STACK_OF_X509 *SSL_get_peer_cert_chain(const SSL *); +// Cryptography_STACK_OF_X509_NAME *SSL_get_client_CA_list(const SSL *); int SSL_get_error(const SSL *, int); int SSL_do_handshake(SSL *); @@ -193,9 +197,10 @@ void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *); X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *); int SSL_CTX_add_client_CA(SSL_CTX *, X509 *); -/* See comment above about STACK_OF(...) vs stack_st_... +/* + * See comment above about STACK_OF(...) vs stack_st_... */ -void SSL_CTX_set_client_CA_list(SSL_CTX *, struct stack_st_X509_NAME *); +// void SSL_CTX_set_client_CA_list(SSL_CTX *, Cryptography_STACK_OF_X509_NAME *); /* X509_STORE_CTX */ @@ -298,6 +303,11 @@ static const long Cryptography_HAS_OP_NO_COMPRESSION = 1; static const long Cryptography_HAS_OP_NO_COMPRESSION = 0; const long SSL_OP_NO_COMPRESSION = 0; #endif + +/* + * Get some simpler definitions for some types used by later prototypes. + */ +typedef STACK_OF(X509) Cryptography_STACK_OF_X509; """ CONDITIONAL_NAMES = { -- cgit v1.2.3 From 30f22f1ee19d8ff9df35d2a04b454a8da9af1a89 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Sat, 28 Dec 2013 12:56:08 -0500 Subject: typedef has to come before function prototype that relies on it; only place that can happen is if the typedef is in INCLUDES woops --- cryptography/hazmat/backends/openssl/ssl.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 071ec503..83353e4f 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -13,6 +13,11 @@ INCLUDES = """ #include + +/* + * Get some simpler definitions for some types used by later prototypes. + */ +typedef STACK_OF(X509) Cryptography_STACK_OF_X509; """ TYPES = """ @@ -303,11 +308,6 @@ static const long Cryptography_HAS_OP_NO_COMPRESSION = 1; static const long Cryptography_HAS_OP_NO_COMPRESSION = 0; const long SSL_OP_NO_COMPRESSION = 0; #endif - -/* - * Get some simpler definitions for some types used by later prototypes. - */ -typedef STACK_OF(X509) Cryptography_STACK_OF_X509; """ CONDITIONAL_NAMES = { -- cgit v1.2.3 From f5360499bac470d2d3231f2529bce5bc0a770c76 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Sat, 28 Dec 2013 12:57:42 -0500 Subject: Put back these other functions now that they ought to work. --- cryptography/hazmat/backends/openssl/ssl.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index c3d485b2..e62a45a5 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -18,6 +18,7 @@ INCLUDES = """ * Get some simpler definitions for some types used by later prototypes. */ typedef STACK_OF(X509) Cryptography_STACK_OF_X509; +typedef STACK_OF(X509_NAME) Cryptography_STACK_OF_X509_NAME; """ TYPES = """ @@ -171,7 +172,7 @@ X509 *SSL_get_peer_certificate(const SSL *); */ Cryptography_STACK_OF_X509 *SSL_get_peer_cert_chain(const SSL *); -// Cryptography_STACK_OF_X509_NAME *SSL_get_client_CA_list(const SSL *); +Cryptography_STACK_OF_X509_NAME *SSL_get_client_CA_list(const SSL *); int SSL_get_error(const SSL *, int); int SSL_do_handshake(SSL *); @@ -203,9 +204,9 @@ X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *); int SSL_CTX_add_client_CA(SSL_CTX *, X509 *); /* - * See comment above about STACK_OF(...) vs stack_st_... + * See comment above about STACK_OF(...) */ -// void SSL_CTX_set_client_CA_list(SSL_CTX *, Cryptography_STACK_OF_X509_NAME *); +void SSL_CTX_set_client_CA_list(SSL_CTX *, Cryptography_STACK_OF_X509_NAME *); /* X509_STORE_CTX */ -- cgit v1.2.3 From f8475f44238c8a7ee0e730e118683d4732d06c76 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Sat, 28 Dec 2013 12:58:10 -0500 Subject: This bit is important as well. --- cryptography/hazmat/backends/openssl/ssl.py | 1 + 1 file changed, 1 insertion(+) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index e62a45a5..e4192349 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -117,6 +117,7 @@ typedef ... SSL_METHOD; typedef ... SSL_CTX; typedef ... Cryptography_STACK_OF_X509; +typedef ... Cryptography_STACK_OF_X509_NAME; typedef struct { int master_key_length; -- cgit v1.2.3 From 7db423959e5648bd1ba3bbf3581d56b199de10f2 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Sat, 28 Dec 2013 13:04:53 -0500 Subject: move these type definitions to perhaps-more-appropriate modules --- cryptography/hazmat/backends/openssl/ssl.py | 9 --------- cryptography/hazmat/backends/openssl/x509.py | 3 +++ cryptography/hazmat/backends/openssl/x509name.py | 3 +++ 3 files changed, 6 insertions(+), 9 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index e4192349..32ea2190 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -13,12 +13,6 @@ INCLUDES = """ #include - -/* - * Get some simpler definitions for some types used by later prototypes. - */ -typedef STACK_OF(X509) Cryptography_STACK_OF_X509; -typedef STACK_OF(X509_NAME) Cryptography_STACK_OF_X509_NAME; """ TYPES = """ @@ -116,9 +110,6 @@ static const int X509_V_OK; typedef ... SSL_METHOD; typedef ... SSL_CTX; -typedef ... Cryptography_STACK_OF_X509; -typedef ... Cryptography_STACK_OF_X509_NAME; - typedef struct { int master_key_length; unsigned char master_key[...]; diff --git a/cryptography/hazmat/backends/openssl/x509.py b/cryptography/hazmat/backends/openssl/x509.py index 632efb31..8f4f3a0b 100644 --- a/cryptography/hazmat/backends/openssl/x509.py +++ b/cryptography/hazmat/backends/openssl/x509.py @@ -13,6 +13,8 @@ INCLUDES = """ #include + +typedef STACK_OF(X509) Cryptography_STACK_OF_X509; """ TYPES = """ @@ -63,6 +65,7 @@ typedef struct { typedef ... X509_STORE; typedef ... NETSCAPE_SPKI; +typedef ... Cryptography_STACK_OF_X509; """ FUNCTIONS = """ diff --git a/cryptography/hazmat/backends/openssl/x509name.py b/cryptography/hazmat/backends/openssl/x509name.py index 0543e387..25638ab0 100644 --- a/cryptography/hazmat/backends/openssl/x509name.py +++ b/cryptography/hazmat/backends/openssl/x509name.py @@ -13,11 +13,14 @@ INCLUDES = """ #include + +typedef STACK_OF(X509_NAME) Cryptography_STACK_OF_X509_NAME; """ TYPES = """ typedef ... X509_NAME; typedef ... X509_NAME_ENTRY; +typedef ... Cryptography_STACK_OF_X509_NAME; """ FUNCTIONS = """ -- cgit v1.2.3 From b14472fdb3deae6525df4823376fb4add191eeb9 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Sat, 28 Dec 2013 13:10:18 -0500 Subject: Switch other spellings of this type from `struct stack_st_X509` to `Cryptography_STACK_OF_X590` (and similar for X509_NAME) --- cryptography/hazmat/backends/openssl/pkcs12.py | 4 ++-- cryptography/hazmat/backends/openssl/x509.py | 10 +++++----- cryptography/hazmat/backends/openssl/x509name.py | 10 +++++----- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/pkcs12.py b/cryptography/hazmat/backends/openssl/pkcs12.py index b3ecd0aa..bd01e756 100644 --- a/cryptography/hazmat/backends/openssl/pkcs12.py +++ b/cryptography/hazmat/backends/openssl/pkcs12.py @@ -28,9 +28,9 @@ int i2d_PKCS12_bio(BIO *, PKCS12 *); MACROS = """ int PKCS12_parse(PKCS12 *, const char *, EVP_PKEY **, X509 **, - struct stack_st_X509 **); + Cryptography_STACK_OF_X509 **); PKCS12 *PKCS12_create(char *, char *, EVP_PKEY *, X509 *, - struct stack_st_X509 *, int, int, int, int, int); + Cryptography_STACK_OF_X509 *, int, int, int, int, int); """ CUSTOMIZATIONS = """ diff --git a/cryptography/hazmat/backends/openssl/x509.py b/cryptography/hazmat/backends/openssl/x509.py index 8f4f3a0b..f0c84fd6 100644 --- a/cryptography/hazmat/backends/openssl/x509.py +++ b/cryptography/hazmat/backends/openssl/x509.py @@ -168,11 +168,11 @@ ASN1_TIME *X509_get_notAfter(X509 *); long X509_REQ_get_version(X509_REQ *); X509_NAME *X509_REQ_get_subject_name(X509_REQ *); -struct stack_st_X509 *sk_X509_new_null(void); -void sk_X509_free(struct stack_st_X509 *); -int sk_X509_num(struct stack_st_X509 *); -int sk_X509_push(struct stack_st_X509 *, X509 *); -X509 *sk_X509_value(struct stack_st_X509 *, int); +Cryptography_STACK_OF_X509 *sk_X509_new_null(void); +void sk_X509_free(Cryptography_STACK_OF_X509 *); +int sk_X509_num(Cryptography_STACK_OF_X509 *); +int sk_X509_push(Cryptography_STACK_OF_X509 *, X509 *); +X509 *sk_X509_value(Cryptography_STACK_OF_X509 *, int); X509_EXTENSIONS *sk_X509_EXTENSION_new_null(void); int sk_X509_EXTENSION_num(X509_EXTENSIONS *); diff --git a/cryptography/hazmat/backends/openssl/x509name.py b/cryptography/hazmat/backends/openssl/x509name.py index 25638ab0..a6f0a3c2 100644 --- a/cryptography/hazmat/backends/openssl/x509name.py +++ b/cryptography/hazmat/backends/openssl/x509name.py @@ -43,11 +43,11 @@ void X509_NAME_free(X509_NAME *); """ MACROS = """ -struct stack_st_X509_NAME *sk_X509_NAME_new_null(void); -int sk_X509_NAME_num(struct stack_st_X509_NAME *); -int sk_X509_NAME_push(struct stack_st_X509_NAME *, X509_NAME *); -X509_NAME *sk_X509_NAME_value(struct stack_st_X509_NAME *, int); -void sk_X509_NAME_free(struct stack_st_X509_NAME *); +Cryptography_STACK_OF_X509_NAME *sk_X509_NAME_new_null(void); +int sk_X509_NAME_num(Cryptography_STACK_OF_X509_NAME *); +int sk_X509_NAME_push(Cryptography_STACK_OF_X509_NAME *, X509_NAME *); +X509_NAME *sk_X509_NAME_value(Cryptography_STACK_OF_X509_NAME *, int); +void sk_X509_NAME_free(Cryptography_STACK_OF_X509_NAME *); """ CUSTOMIZATIONS = """ -- cgit v1.2.3 From ec79c43e9b6d35c9e715f3d0bf25a0cfd71fdc56 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Sat, 28 Dec 2013 13:12:46 -0500 Subject: clean up the comments a bit --- cryptography/hazmat/backends/openssl/ssl.py | 8 -------- cryptography/hazmat/backends/openssl/x509.py | 7 +++++++ cryptography/hazmat/backends/openssl/x509name.py | 3 +++ 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 32ea2190..499e9c3a 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -158,11 +158,6 @@ int SSL_write(SSL *, const void *, int); int SSL_read(SSL *, void *, int); X509 *SSL_get_peer_certificate(const SSL *); -/* - * OpenSSL defines these with STACK_OF(...) but the STACK_OF macro does not - * play well with cffi. - */ - Cryptography_STACK_OF_X509 *SSL_get_peer_cert_chain(const SSL *); Cryptography_STACK_OF_X509_NAME *SSL_get_client_CA_list(const SSL *); @@ -195,9 +190,6 @@ void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *); X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *); int SSL_CTX_add_client_CA(SSL_CTX *, X509 *); -/* - * See comment above about STACK_OF(...) - */ void SSL_CTX_set_client_CA_list(SSL_CTX *, Cryptography_STACK_OF_X509_NAME *); diff --git a/cryptography/hazmat/backends/openssl/x509.py b/cryptography/hazmat/backends/openssl/x509.py index f0c84fd6..c83f5685 100644 --- a/cryptography/hazmat/backends/openssl/x509.py +++ b/cryptography/hazmat/backends/openssl/x509.py @@ -14,6 +14,13 @@ INCLUDES = """ #include +/* + * This is part of a work-around for the difficulty cffi has in dealing with + * `STACK_OF(foo)` as the name of a type. We invent a new, simpler name that + * will be an alias for this type and use the alias throughout. This works + * together with another opaque typedef for the same name in the TYPES section. + * Note that the result is an opaque type. + */ typedef STACK_OF(X509) Cryptography_STACK_OF_X509; """ diff --git a/cryptography/hazmat/backends/openssl/x509name.py b/cryptography/hazmat/backends/openssl/x509name.py index a6f0a3c2..bf627d61 100644 --- a/cryptography/hazmat/backends/openssl/x509name.py +++ b/cryptography/hazmat/backends/openssl/x509name.py @@ -14,6 +14,9 @@ INCLUDES = """ #include +/* + * See the comment above Cryptography_STACK_OF_X509 in x509.py + */ typedef STACK_OF(X509_NAME) Cryptography_STACK_OF_X509_NAME; """ -- cgit v1.2.3 From dec26e5aae31e645533ef9920c9f7d638745ee9a Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 28 Dec 2013 14:35:16 -0800 Subject: Port the STACK_OF(X509_REVOKED) stuff to use the same pattern @exarkun figured out for X509 --- cryptography/hazmat/backends/openssl/x509.py | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/x509.py b/cryptography/hazmat/backends/openssl/x509.py index f0061a70..2e7505a0 100644 --- a/cryptography/hazmat/backends/openssl/x509.py +++ b/cryptography/hazmat/backends/openssl/x509.py @@ -22,9 +22,13 @@ INCLUDES = """ * Note that the result is an opaque type. */ typedef STACK_OF(X509) Cryptography_STACK_OF_X509; +typedef STACK_OF(X509_REVOKED) Cryptography_STACK_OF_X509_REVOKED; """ TYPES = """ +typedef ... Cryptography_STACK_OF_X509; +typedef ... Cryptography_STACK_OF_X509_REVOKED; + typedef struct { ASN1_OBJECT *algorithm; ...; @@ -45,8 +49,6 @@ typedef ... X509_EXTENSIONS; typedef ... X509_REQ; -typedef ... x509_revoked_st; - typedef struct { ASN1_INTEGER *serialNumber; ASN1_TIME *revocationDate; @@ -56,7 +58,7 @@ typedef struct { } X509_REVOKED; typedef struct { - struct stack_st_X509_REVOKED *revoked; + Cryptography_STACK_OF_X509_REVOKED *revoked; ...; } X509_CRL_INFO; @@ -72,7 +74,6 @@ typedef struct { typedef ... X509_STORE; typedef ... NETSCAPE_SPKI; -typedef ... Cryptography_STACK_OF_X509; """ FUNCTIONS = """ @@ -188,8 +189,8 @@ int sk_X509_EXTENSION_push(X509_EXTENSIONS *, X509_EXTENSION *); X509_EXTENSION *sk_X509_EXTENSION_delete(X509_EXTENSIONS *, int); void sk_X509_EXTENSION_free(X509_EXTENSIONS *); -int sk_X509_REVOKED_num(struct stack_st_X509_REVOKED *); -X509_REVOKED *sk_X509_REVOKED_value(struct stack_st_X509_REVOKED *, int); +int sk_X509_REVOKED_num(Cryptography_STACK_OF_X509_REVOKED *); +X509_REVOKED *sk_X509_REVOKED_value(Cryptography_STACK_OF_X509_REVOKED *, int); /* These aren't macros these arguments are all const X on openssl > 1.0.x */ int X509_CRL_set_lastUpdate(X509_CRL *, const ASN1_TIME *); -- cgit v1.2.3 From fe7cc9455c2973bf1b4a044cb38c20fa4c25df28 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 28 Dec 2013 17:44:48 -0600 Subject: remove some consts in the function arg declarations These functions take const in OpenSSL 1.0.0+ but not in 0.9.8. Removing the const declaration will silence warnings for 0.9.8 but not cause them in 1.0.0+. Not ideal, but *fingers crossed* shouldn't cause problems --- cryptography/hazmat/backends/openssl/asn1.py | 2 +- cryptography/hazmat/backends/openssl/ssl.py | 2 +- cryptography/hazmat/backends/openssl/x509.py | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/asn1.py b/cryptography/hazmat/backends/openssl/asn1.py index bf3cf48f..6701ea63 100644 --- a/cryptography/hazmat/backends/openssl/asn1.py +++ b/cryptography/hazmat/backends/openssl/asn1.py @@ -135,7 +135,7 @@ int ASN1_INTEGER_cmp(ASN1_INTEGER *, ASN1_INTEGER *); long ASN1_INTEGER_get(ASN1_INTEGER *); BIGNUM *ASN1_INTEGER_to_BN(ASN1_INTEGER *, BIGNUM *); -ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *, ASN1_INTEGER *); +ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *, ASN1_INTEGER *); """ CUSTOMIZATIONS = """ diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 499e9c3a..fc7ccf37 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -247,7 +247,7 @@ const SSL_METHOD *SSLv23_server_method(void); const SSL_METHOD *SSLv23_client_method(void); /*- These aren't macros these arguments are all const X on openssl > 1.0.x -*/ -SSL_CTX *SSL_CTX_new(const SSL_METHOD *); +SSL_CTX *SSL_CTX_new(SSL_METHOD *); long SSL_CTX_get_timeout(const SSL_CTX *); /* SNI APIs were introduced in OpenSSL 1.0.0. To continue to support diff --git a/cryptography/hazmat/backends/openssl/x509.py b/cryptography/hazmat/backends/openssl/x509.py index 2e7505a0..840254a2 100644 --- a/cryptography/hazmat/backends/openssl/x509.py +++ b/cryptography/hazmat/backends/openssl/x509.py @@ -193,8 +193,8 @@ int sk_X509_REVOKED_num(Cryptography_STACK_OF_X509_REVOKED *); X509_REVOKED *sk_X509_REVOKED_value(Cryptography_STACK_OF_X509_REVOKED *, int); /* These aren't macros these arguments are all const X on openssl > 1.0.x */ -int X509_CRL_set_lastUpdate(X509_CRL *, const ASN1_TIME *); -int X509_CRL_set_nextUpdate(X509_CRL *, const ASN1_TIME *); +int X509_CRL_set_lastUpdate(X509_CRL *, ASN1_TIME *); +int X509_CRL_set_nextUpdate(X509_CRL *, ASN1_TIME *); """ CUSTOMIZATIONS = """ -- cgit v1.2.3 From ddc4e3a7c9f2cfcf618d140730eb799bb5d5055a Mon Sep 17 00:00:00 2001 From: Alex Stapleton Date: Sun, 29 Dec 2013 00:06:02 +0000 Subject: time_t is signed Unless you are on QNX, lulz. --- cryptography/hazmat/backends/openssl/asn1.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cryptography/hazmat/backends/openssl/asn1.py b/cryptography/hazmat/backends/openssl/asn1.py index bf3cf48f..c6382234 100644 --- a/cryptography/hazmat/backends/openssl/asn1.py +++ b/cryptography/hazmat/backends/openssl/asn1.py @@ -33,7 +33,7 @@ TYPES = """ * I think you want to declare your value too large (e.g. long) * that way you'll never pass garbage */ -typedef uintptr_t time_t; +typedef intptr_t time_t; typedef int ASN1_BOOLEAN; typedef ... ASN1_INTEGER; -- cgit v1.2.3 From 6d43f5bde0efa27e784223aae18ca12f6ed1e11c Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 28 Dec 2013 16:42:42 -0800 Subject: Make some types wider to be warning free on OS X --- cryptography/hazmat/backends/openssl/bio.py | 8 ++++---- cryptography/hazmat/backends/openssl/ssl.py | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/bio.py b/cryptography/hazmat/backends/openssl/bio.py index 264a2410..279ad223 100644 --- a/cryptography/hazmat/backends/openssl/bio.py +++ b/cryptography/hazmat/backends/openssl/bio.py @@ -143,10 +143,10 @@ long BIO_set_mem_buf(BIO *, BUF_MEM *, int); long BIO_get_mem_ptr(BIO *, BUF_MEM **); long BIO_set_fp(BIO *, FILE *, int); long BIO_get_fp(BIO *, FILE **); -int BIO_read_filename(BIO *, char *); -int BIO_write_filename(BIO *, char *); -int BIO_append_filename(BIO *, char *); -int BIO_rw_filename(BIO *, char *); +long BIO_read_filename(BIO *, char *); +long BIO_write_filename(BIO *, char *); +long BIO_append_filename(BIO *, char *); +long BIO_rw_filename(BIO *, char *); int BIO_should_read(BIO *); int BIO_should_write(BIO *); int BIO_should_io_special(BIO *); diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index fc7ccf37..2b1fb4a3 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -213,7 +213,7 @@ long SSL_get_options(SSL *); int SSL_want_read(const SSL *); int SSL_want_write(const SSL *); -int SSL_total_renegotiations(SSL *); +long SSL_total_renegotiations(SSL *); long SSL_CTX_set_options(SSL_CTX *, long); long SSL_CTX_get_options(SSL_CTX *); -- cgit v1.2.3 From e951cbc50cf2d159d520e9c7a46749e25c9b219b Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Sun, 29 Dec 2013 07:34:25 -0500 Subject: Optionally bind some TLSv1_1 and TLSv1_2 features --- cryptography/hazmat/backends/openssl/ssl.py | 59 ++++++++++++++++++++++++++++- 1 file changed, 57 insertions(+), 2 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 2b1fb4a3..6afe3a9d 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -16,8 +16,12 @@ INCLUDES = """ """ TYPES = """ -/* Internally invented symbol to tell us if SSLv2 is supported */ +/* + * Internally invented symbols to tell which versions of SSL/TLS are supported. +*/ static const int Cryptography_HAS_SSL2; +static const int Cryptography_HAS_TLSv1_1; +static const int Cryptography_HAS_TLSv1_2; /* Internally invented symbol to tell us if SNI is supported */ static const int Cryptography_HAS_TLSEXT_HOSTNAME; @@ -46,6 +50,8 @@ static const int SSL_RECEIVED_SHUTDOWN; static const int SSL_OP_NO_SSLv2; static const int SSL_OP_NO_SSLv3; static const int SSL_OP_NO_TLSv1; +static const int SSL_OP_NO_TLSv1_1; +static const int SSL_OP_NO_TLSv1_2; static const int SSL_OP_NO_COMPRESSION; static const int SSL_OP_SINGLE_DH_USE; static const int SSL_OP_EPHEMERAL_RSA; @@ -226,6 +232,8 @@ long SSL_CTX_add_extra_chain_cert(SSL_CTX *, X509 *); /*- These aren't macros these functions are all const X on openssl > 1.0.x -*/ +/* methods */ + /* SSLv2 support is compiled out of some versions of OpenSSL. These will * get special support when we generate the bindings so that if they are * available they will be wrapped, but if they are not they won't cause @@ -235,13 +243,26 @@ const SSL_METHOD *SSLv2_method(void); const SSL_METHOD *SSLv2_server_method(void); const SSL_METHOD *SSLv2_client_method(void); -/* methods */ +/* + * TLSv1_1 and TLSv1_2 are recent additions. Only sufficiently new versions of + * OpenSSL support them. + */ +const SSL_METHOD *TLSv1_1_method(void); +const SSL_METHOD *TLSv1_1_server_method(void); +const SSL_METHOD *TLSv1_1_client_method(void); + +const SSL_METHOD *TLSv1_2_method(void); +const SSL_METHOD *TLSv1_2_server_method(void); +const SSL_METHOD *TLSv1_2_client_method(void); + const SSL_METHOD *SSLv3_method(void); const SSL_METHOD *SSLv3_server_method(void); const SSL_METHOD *SSLv3_client_method(void); + const SSL_METHOD *TLSv1_method(void); const SSL_METHOD *TLSv1_server_method(void); const SSL_METHOD *TLSv1_client_method(void); + const SSL_METHOD *SSLv23_method(void); const SSL_METHOD *SSLv23_server_method(void); const SSL_METHOD *SSLv23_client_method(void); @@ -294,9 +315,43 @@ static const long Cryptography_HAS_OP_NO_COMPRESSION = 1; static const long Cryptography_HAS_OP_NO_COMPRESSION = 0; const long SSL_OP_NO_COMPRESSION = 0; #endif + +#ifdef SSL_OP_NO_TLSv1_1 +static const long Cryptography_HAS_TLSv1_1 = 1; +#else +static const long Cryptography_HAS_TLSv1_1 = 0; +static const int SSL_OP_NO_TLSv1_1 = 0; +SSL_METHOD* (*TLSv1_1_method)(void) = NULL; +SSL_METHOD* (*TLSv1_1_client_method)(void) = NULL; +SSL_METHOD* (*TLSv1_1_server_method)(void) = NULL; +#endif + +#ifdef SSL_OP_NO_TLSv1_2 +static const long Cryptography_HAS_TLSv1_2 = 1; +#else +static const long Cryptography_HAS_TLSv1_2 = 0; +static const int SSL_OP_NO_TLSv1_2 = 0; +SSL_METHOD* (*TLSv1_2_method)(void) = NULL; +SSL_METHOD* (*TLSv1_2_client_method)(void) = NULL; +SSL_METHOD* (*TLSv1_2_server_method)(void) = NULL; +#endif """ CONDITIONAL_NAMES = { + "Cryptography_HAS_TLSv1_1": [ + "SSL_OP_NO_TLSv1_1", + "TLSv1_1_method", + "TLSv1_1_server_method", + "TLSv1_1_client_method", + ], + + "Cryptography_HAS_TLSv1_2": [ + "SSL_OP_NO_TLSv1_2", + "TLSv1_2_method", + "TLSv1_2_server_method", + "TLSv1_2_client_method", + ], + "Cryptography_HAS_SSL2": [ "SSLv2_method", "SSLv2_client_method", -- cgit v1.2.3 From 0cbe7a16e6c8be28ab8b3eb520ca9c271b8ab5ae Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sun, 29 Dec 2013 08:20:52 -0800 Subject: Restore exposing a symbol when it's available. Refs #351 --- cryptography/hazmat/backends/openssl/ssl.py | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 2b1fb4a3..4322cc76 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -32,6 +32,8 @@ static const int Cryptography_HAS_RELEASE_BUFFERS; */ static const int Cryptography_HAS_OP_NO_COMPRESSION; +static const int Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING; + static const int SSL_FILETYPE_PEM; static const int SSL_FILETYPE_ASN1; static const int SSL_ERROR_NONE; @@ -54,6 +56,7 @@ static const int SSL_OP_NETSCAPE_CHALLENGE_BUG; static const int SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG; static const int SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG; static const int SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER; +static const int SSL_OP_MSIE_SSLV2_RSA_PADDING; static const int SSL_OP_SSLEAY_080_CLIENT_DH_BUG; static const int SSL_OP_TLS_D5_BUG; static const int SSL_OP_TLS_BLOCK_PADDING_BUG; @@ -294,6 +297,13 @@ static const long Cryptography_HAS_OP_NO_COMPRESSION = 1; static const long Cryptography_HAS_OP_NO_COMPRESSION = 0; const long SSL_OP_NO_COMPRESSION = 0; #endif + +#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING +static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1; +#else +static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 0; +const long SSL_OP_MSIE_SSLV2_RSA_PADDING = 0; +#endif """ CONDITIONAL_NAMES = { @@ -317,4 +327,7 @@ CONDITIONAL_NAMES = { "SSL_OP_NO_COMPRESSION", ], + "Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING": [ + "SSL_OP_MSIE_SSLV2_RSA_PADDING", + ], } -- cgit v1.2.3 From 6eb15b0925ccf504941b35685afea9eef09d937a Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Sun, 29 Dec 2013 14:14:37 -0500 Subject: Switch to long for these stand-in constants as suggested by reaperhulk to avoid compiler warnings --- cryptography/hazmat/backends/openssl/ssl.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index cc3b3fe6..48910573 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -323,7 +323,7 @@ const long SSL_OP_NO_COMPRESSION = 0; static const long Cryptography_HAS_TLSv1_1 = 1; #else static const long Cryptography_HAS_TLSv1_1 = 0; -static const int SSL_OP_NO_TLSv1_1 = 0; +static const long SSL_OP_NO_TLSv1_1 = 0; SSL_METHOD* (*TLSv1_1_method)(void) = NULL; SSL_METHOD* (*TLSv1_1_client_method)(void) = NULL; SSL_METHOD* (*TLSv1_1_server_method)(void) = NULL; @@ -333,7 +333,7 @@ SSL_METHOD* (*TLSv1_1_server_method)(void) = NULL; static const long Cryptography_HAS_TLSv1_2 = 1; #else static const long Cryptography_HAS_TLSv1_2 = 0; -static const int SSL_OP_NO_TLSv1_2 = 0; +static const long SSL_OP_NO_TLSv1_2 = 0; SSL_METHOD* (*TLSv1_2_method)(void) = NULL; SSL_METHOD* (*TLSv1_2_client_method)(void) = NULL; SSL_METHOD* (*TLSv1_2_server_method)(void) = NULL; -- cgit v1.2.3 From d69cb49b273c47382ff135269903716729a06158 Mon Sep 17 00:00:00 2001 From: Jean-Paul Calderone Date: Sun, 29 Dec 2013 14:15:13 -0500 Subject: fix bogus merge --- cryptography/hazmat/backends/openssl/ssl.py | 1 + 1 file changed, 1 insertion(+) diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 48910573..d0d5ae2d 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -337,6 +337,7 @@ static const long SSL_OP_NO_TLSv1_2 = 0; SSL_METHOD* (*TLSv1_2_method)(void) = NULL; SSL_METHOD* (*TLSv1_2_client_method)(void) = NULL; SSL_METHOD* (*TLSv1_2_server_method)(void) = NULL; +#endif #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1; -- cgit v1.2.3 From 3c661e02397072746dd85397b300076a61fba58c Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 29 Dec 2013 20:52:44 -0600 Subject: add the rest of the engine methods --- cryptography/hazmat/backends/openssl/engine.py | 108 +++++++++++++++++++++++-- 1 file changed, 101 insertions(+), 7 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/engine.py b/cryptography/hazmat/backends/openssl/engine.py index acd92eee..dc9c2748 100644 --- a/cryptography/hazmat/backends/openssl/engine.py +++ b/cryptography/hazmat/backends/openssl/engine.py @@ -17,6 +17,20 @@ INCLUDES = """ TYPES = """ typedef ... ENGINE; +typedef ... RSA_METHOD; +typedef ... DSA_METHOD; +typedef ... ECDH_METHOD; +typedef ... ECDSA_METHOD; +typedef ... DH_METHOD; +typedef ... RAND_METHOD; +typedef ... STORE_METHOD; +typedef ... ENGINE_GEN_INT_FUNC_PTR; +typedef ... ENGINE_CTRL_FUNC_PTR; +typedef ... ENGINE_LOAD_KEY_PTR; +typedef ... ENGINE_CIPHERS_PTR; +typedef ... ENGINE_DIGESTS_PTR; +typedef ... ENGINE_CMD_DEFN; +typedef ... UI_METHOD; static const unsigned int ENGINE_METHOD_RSA; static const unsigned int ENGINE_METHOD_DSA; @@ -40,16 +54,20 @@ int ENGINE_remove(ENGINE *); ENGINE *ENGINE_by_id(const char *); int ENGINE_init(ENGINE *); int ENGINE_finish(ENGINE *); -int ENGINE_free(ENGINE *); -void ENGINE_cleanup(void); +void ENGINE_load_openssl(void); void ENGINE_load_dynamic(void); +void ENGINE_load_cryptodev(void); void ENGINE_load_builtin_engines(void); -int ENGINE_ctrl_cmd_string(ENGINE *, const char *, const char *, int); -int ENGINE_set_default(ENGINE *, unsigned int); -int ENGINE_register_complete(ENGINE *); - +void ENGINE_cleanup(void); +ENGINE *ENGINE_get_default_RSA(void); +ENGINE *ENGINE_get_default_DSA(void); +ENGINE *ENGINE_get_default_ECDH(void); +ENGINE *ENGINE_get_default_ECDSA(void); +ENGINE *ENGINE_get_default_DH(void); +ENGINE *ENGINE_get_default_RAND(void); +ENGINE *ENGINE_get_cipher_engine(int nid); +ENGINE *ENGINE_get_digest_engine(int nid); int ENGINE_set_default_RSA(ENGINE *); -int ENGINE_set_default_string(ENGINE *, const char *); int ENGINE_set_default_DSA(ENGINE *); int ENGINE_set_default_ECDH(ENGINE *); int ENGINE_set_default_ECDSA(ENGINE *); @@ -57,7 +75,83 @@ int ENGINE_set_default_DH(ENGINE *); int ENGINE_set_default_RAND(ENGINE *); int ENGINE_set_default_ciphers(ENGINE *); int ENGINE_set_default_digests(ENGINE *); +int ENGINE_set_default_string(ENGINE *, const char *); +int ENGINE_set_default(ENGINE *, unsigned int); +unsigned int ENGINE_get_table_flags(void); +void ENGINE_set_table_flags(unsigned int); +int ENGINE_register_RSA(ENGINE *); +void ENGINE_unregister_RSA(ENGINE *); +void ENGINE_register_all_RSA(void); +int ENGINE_register_DSA(ENGINE *); +void ENGINE_unregister_DSA(ENGINE *); +void ENGINE_register_all_DSA(void); +int ENGINE_register_ECDH(ENGINE *); +void ENGINE_unregister_ECDH(ENGINE *); +void ENGINE_register_all_ECDH(void); +int ENGINE_register_ECDSA(ENGINE *); +void ENGINE_unregister_ECDSA(ENGINE *); +void ENGINE_register_all_ECDSA(void); +int ENGINE_register_DH(ENGINE *); +void ENGINE_unregister_DH(ENGINE *); +void ENGINE_register_all_DH(void); +int ENGINE_register_RAND(ENGINE *); +void ENGINE_unregister_RAND(ENGINE *); +void ENGINE_register_all_RAND(void); +int ENGINE_register_STORE(ENGINE *); +void ENGINE_unregister_STORE(ENGINE *); +void ENGINE_register_all_STORE(void); +int ENGINE_register_ciphers(ENGINE *); +void ENGINE_unregister_ciphers(ENGINE *); +void ENGINE_register_all_ciphers(void); +int ENGINE_register_digests(ENGINE *); +void ENGINE_unregister_digests(ENGINE *); +void ENGINE_register_all_digests(void); +int ENGINE_register_complete(ENGINE *); +int ENGINE_register_all_complete(void); +int ENGINE_ctrl(ENGINE *, int, long, void *, void (*)(void)); +int ENGINE_cmd_is_executable(ENGINE *, int); +int ENGINE_ctrl_cmd(ENGINE *, const char *, long, void *, void (*)(void), int); +int ENGINE_ctrl_cmd_string(ENGINE *, const char *, const char *, int); + +ENGINE *ENGINE_new(void); +int ENGINE_free(ENGINE *); +int ENGINE_up_ref(ENGINE *); +int ENGINE_set_id(ENGINE *, const char *); +int ENGINE_set_name(ENGINE *, const char *); +int ENGINE_set_RSA(ENGINE *, const RSA_METHOD *); +int ENGINE_set_DSA(ENGINE *, const DSA_METHOD *); +int ENGINE_set_ECDH(ENGINE *, const ECDH_METHOD *); +int ENGINE_set_ECDSA(ENGINE *, const ECDSA_METHOD *); +int ENGINE_set_DH(ENGINE *, const DH_METHOD *); +int ENGINE_set_RAND(ENGINE *, const RAND_METHOD *); +int ENGINE_set_STORE(ENGINE *, const STORE_METHOD *); +int ENGINE_set_destroy_function(ENGINE *, ENGINE_GEN_INT_FUNC_PTR); +int ENGINE_set_init_function(ENGINE *, ENGINE_GEN_INT_FUNC_PTR); +int ENGINE_set_finish_function(ENGINE *, ENGINE_GEN_INT_FUNC_PTR); +int ENGINE_set_ctrl_function(ENGINE *, ENGINE_CTRL_FUNC_PTR); +int ENGINE_set_load_privkey_function(ENGINE *, ENGINE_LOAD_KEY_PTR); +int ENGINE_set_load_pubkey_function(ENGINE *, ENGINE_LOAD_KEY_PTR); +int ENGINE_set_ciphers(ENGINE *, ENGINE_CIPHERS_PTR); +int ENGINE_set_digests(ENGINE *, ENGINE_DIGESTS_PTR); +int ENGINE_set_flags(ENGINE *, int); +int ENGINE_set_cmd_defns(ENGINE *, const ENGINE_CMD_DEFN *); +const char *ENGINE_get_id(const ENGINE *); +const char *ENGINE_get_name(const ENGINE *); +const RSA_METHOD *ENGINE_get_RSA(const ENGINE *); +const DSA_METHOD *ENGINE_get_DSA(const ENGINE *); +const ECDH_METHOD *ENGINE_get_ECDH(const ENGINE *); +const ECDSA_METHOD *ENGINE_get_ECDSA(const ENGINE *); +const DH_METHOD *ENGINE_get_DH(const ENGINE *); +const RAND_METHOD *ENGINE_get_RAND(const ENGINE *); +const STORE_METHOD *ENGINE_get_STORE(const ENGINE *); +const EVP_CIPHER *ENGINE_get_cipher(ENGINE *, int); +const EVP_MD *ENGINE_get_digest(ENGINE *, int); +int ENGINE_get_flags(const ENGINE *); +const ENGINE_CMD_DEFN *ENGINE_get_cmd_defns(const ENGINE *); +EVP_PKEY *ENGINE_load_private_key(ENGINE *, const char *, UI_METHOD *, void *); +EVP_PKEY *ENGINE_load_public_key(ENGINE *, const char *, UI_METHOD *, void *); +void ENGINE_add_conf_module(void); """ MACROS = """ -- cgit v1.2.3 From 718bb42f9e9692fd7be4084bfb16d0deb08d3cc3 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 29 Dec 2013 20:56:23 -0600 Subject: missed some param names (C style fix) --- cryptography/hazmat/backends/openssl/engine.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cryptography/hazmat/backends/openssl/engine.py b/cryptography/hazmat/backends/openssl/engine.py index dc9c2748..390bfde1 100644 --- a/cryptography/hazmat/backends/openssl/engine.py +++ b/cryptography/hazmat/backends/openssl/engine.py @@ -65,8 +65,8 @@ ENGINE *ENGINE_get_default_ECDH(void); ENGINE *ENGINE_get_default_ECDSA(void); ENGINE *ENGINE_get_default_DH(void); ENGINE *ENGINE_get_default_RAND(void); -ENGINE *ENGINE_get_cipher_engine(int nid); -ENGINE *ENGINE_get_digest_engine(int nid); +ENGINE *ENGINE_get_cipher_engine(int); +ENGINE *ENGINE_get_digest_engine(int); int ENGINE_set_default_RSA(ENGINE *); int ENGINE_set_default_DSA(ENGINE *); int ENGINE_set_default_ECDH(ENGINE *); -- cgit v1.2.3 From e68d73e37be57774246165a5d5263c89825e0864 Mon Sep 17 00:00:00 2001 From: Alex Stapleton Date: Tue, 31 Dec 2013 14:00:38 +0000 Subject: Document compiling OpenSSL to avoid conflicts --- docs/hazmat/backends/openssl.rst | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/docs/hazmat/backends/openssl.rst b/docs/hazmat/backends/openssl.rst index 5e51c75e..99b327d9 100644 --- a/docs/hazmat/backends/openssl.rst +++ b/docs/hazmat/backends/openssl.rst @@ -21,5 +21,32 @@ These are `CFFI`_ bindings to the `OpenSSL`_ C library. and access constants. +Using your own OpenSSL on Linux +------------------------------- + +Python links to OpenSSL for its own purposes and this can sometimes cause +problems when you wish to use a different version of OpenSSL with cryptography. +If you want to use cryptography with your own build of OpenSSL you will need to +make sure that the build is configured correctly so that your version of +OpenSSL doesn't conflict with Python's. + +The options you need to add allow the linker to identify every symbol correctly +even when multiple versions of the library are linked into the same program. If +you are using your distribution's source packages these will probably be +patched in for you already, otherwise you'll need to use options something like +this when configuring OpenSSL:: + + ./config -Wl,--version-script=openssl.ld -Wl,-Bsymbolic-functions -fPIC shared + +You'll also need to generate your own ``openssl.ld`` file. For example:: + + OPENSSL_1.0.1F_CUSTOM { + global: + *; + }; + +You should replace the version string on the first line as appropriate for your +build. + .. _`CFFI`: https://cffi.readthedocs.org/ .. _`OpenSSL`: https://www.openssl.org/ -- cgit v1.2.3 From dd1f5c5398a4c38179af70ed258641d720aa7d28 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 1 Jan 2014 06:23:31 -0800 Subject: Bump the copyright year --- cryptography/__about__.py | 2 +- docs/conf.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cryptography/__about__.py b/cryptography/__about__.py index cd207fcc..46212bff 100644 --- a/cryptography/__about__.py +++ b/cryptography/__about__.py @@ -30,4 +30,4 @@ __author__ = ("Alex Gaynor, Hynek Schlawack, Donald Stufft, " __email__ = "cryptography-dev@python.org" __license__ = "Apache License, Version 2.0" -__copyright__ = "Copyright 2013 %s" % __author__ +__copyright__ = "Copyright 2013-2014 %s" % __author__ diff --git a/docs/conf.py b/docs/conf.py index 5092e4d3..5dbcdab8 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -54,7 +54,7 @@ master_doc = 'index' # General information about the project. project = 'Cryptography' -copyright = '2013, Individual Contributors' +copyright = '2013-2014, Individual Contributors' # The version info for the project you're documenting, acts as replacement for # |version| and |release|, also used in various other places throughout the -- cgit v1.2.3