From 9ca40b45229e26a08a42bd682ab7ed646f15d142 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sun, 1 Jun 2014 14:22:25 -0500
Subject: use Hash rather than _HashContext

This change lets us remove the AlreadyFinalized checks from the backend
signature and verification contexts
---
 cryptography/hazmat/backends/openssl/backend.py | 45 ++++---------------------
 1 file changed, 6 insertions(+), 39 deletions(-)

diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index c6bcbaaa..c8baa0e6 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -21,8 +21,7 @@ import six
 
 from cryptography import utils
 from cryptography.exceptions import (
-    AlreadyFinalized, InternalError, InvalidSignature, InvalidTag,
-    UnsupportedAlgorithm, _Reasons
+    InternalError, InvalidSignature, InvalidTag, UnsupportedAlgorithm, _Reasons
 )
 from cryptography.hazmat.backends.interfaces import (
     CMACBackend, CipherBackend, DSABackend, HMACBackend, HashBackend,
@@ -1259,18 +1258,12 @@ class _RSASignatureContext(object):
 
         self._padding = padding
         self._algorithm = algorithm
-        self._hash_ctx = _HashContext(backend, self._algorithm)
+        self._hash_ctx = hashes.Hash(self._algorithm, self._backend)
 
     def update(self, data):
-        if self._hash_ctx is None:
-            raise AlreadyFinalized("Context has already been finalized.")
-
         self._hash_ctx.update(data)
 
     def finalize(self):
-        if self._hash_ctx is None:
-            raise AlreadyFinalized("Context has already been finalized.")
-
         evp_pkey = self._backend._rsa_private_key_to_evp_pkey(
             self._private_key)
 
@@ -1319,7 +1312,6 @@ class _RSASignatureContext(object):
                 )
                 assert res > 0
         data_to_sign = self._hash_ctx.finalize()
-        self._hash_ctx = None
         buflen = self._backend._ffi.new("size_t *")
         res = self._backend._lib.EVP_PKEY_sign(
             pkey_ctx,
@@ -1358,7 +1350,6 @@ class _RSASignatureContext(object):
             evp_pkey
         )
         self._hash_ctx.finalize()
-        self._hash_ctx = None
         if res == 0:
             errors = self._backend._consume_errors()
             assert errors[0].lib == self._backend._lib.ERR_LIB_RSA
@@ -1371,7 +1362,6 @@ class _RSASignatureContext(object):
 
     def _finalize_pss(self, evp_pkey, pkey_size, evp_md):
         data_to_sign = self._hash_ctx.finalize()
-        self._hash_ctx = None
         padded = self._backend._ffi.new("unsigned char[]", pkey_size)
         rsa_cdata = self._backend._lib.EVP_PKEY_get1_RSA(evp_pkey)
         assert rsa_cdata != self._backend._ffi.NULL
@@ -1461,18 +1451,12 @@ class _RSAVerificationContext(object):
 
         self._padding = padding
         self._algorithm = algorithm
-        self._hash_ctx = _HashContext(backend, self._algorithm)
+        self._hash_ctx = hashes.Hash(self._algorithm, self._backend)
 
     def update(self, data):
-        if self._hash_ctx is None:
-            raise AlreadyFinalized("Context has already been finalized.")
-
         self._hash_ctx.update(data)
 
     def verify(self):
-        if self._hash_ctx is None:
-            raise AlreadyFinalized("Context has already been finalized.")
-
         evp_pkey = self._backend._rsa_public_key_to_evp_pkey(
             self._public_key)
 
@@ -1519,7 +1503,6 @@ class _RSAVerificationContext(object):
                 assert res > 0
 
         data_to_verify = self._hash_ctx.finalize()
-        self._hash_ctx = None
         res = self._backend._lib.EVP_PKEY_verify(
             pkey_ctx,
             self._signature,
@@ -1538,13 +1521,12 @@ class _RSAVerificationContext(object):
 
     def _verify_pkcs1(self, evp_pkey, evp_md):
         res = self._backend._lib.EVP_VerifyFinal(
-            self._hash_ctx._ctx,
+            self._hash_ctx._ctx._ctx,
             self._signature,
             len(self._signature),
             evp_pkey
         )
         self._hash_ctx.finalize()
-        self._hash_ctx = None
         # The previous call can return negative numbers in the event of an
         # error. This is not a signature failure but we need to fail if it
         # occurs.
@@ -1575,7 +1557,6 @@ class _RSAVerificationContext(object):
             raise InvalidSignature
 
         data_to_verify = self._hash_ctx.finalize()
-        self._hash_ctx = None
         res = self._backend._lib.RSA_verify_PKCS1_PSS(
             rsa_cdata,
             data_to_verify,
@@ -1601,25 +1582,18 @@ class _DSAVerificationContext(object):
         self._signature = signature
         self._algorithm = algorithm
 
-        self._hash_ctx = _HashContext(backend, self._algorithm)
+        self._hash_ctx = hashes.Hash(self._algorithm, self._backend)
 
     def update(self, data):
-        if self._hash_ctx is None:
-            raise AlreadyFinalized("Context has already been finalized.")
-
         self._hash_ctx.update(data)
 
     def verify(self):
-        if self._hash_ctx is None:
-            raise AlreadyFinalized("Context has already been finalized.")
-
         self._dsa_cdata = self._backend._dsa_cdata_from_public_key(
             self._public_key)
         self._dsa_cdata = self._backend._ffi.gc(self._dsa_cdata,
                                                 self._backend._lib.DSA_free)
 
         data_to_verify = self._hash_ctx.finalize()
-        self._hash_ctx = None
 
         # The first parameter passed to DSA_verify is unused by OpenSSL but
         # must be an integer.
@@ -1642,24 +1616,17 @@ class _DSASignatureContext(object):
         self._backend = backend
         self._private_key = private_key
         self._algorithm = algorithm
-        self._hash_ctx = _HashContext(backend, self._algorithm)
+        self._hash_ctx = hashes.Hash(self._algorithm, self._backend)
         self._dsa_cdata = self._backend._dsa_cdata_from_private_key(
             self._private_key)
         self._dsa_cdata = self._backend._ffi.gc(self._dsa_cdata,
                                                 self._backend._lib.DSA_free)
 
     def update(self, data):
-        if self._hash_ctx is None:
-            raise AlreadyFinalized("Context has already been finalized.")
-
         self._hash_ctx.update(data)
 
     def finalize(self):
-        if self._hash_ctx is None:
-            raise AlreadyFinalized("Context has already been finalized.")
-
         data_to_sign = self._hash_ctx.finalize()
-        self._hash_ctx = None
         sig_buf_len = self._backend._lib.DSA_size(self._dsa_cdata)
         sig_buf = self._backend._ffi.new("unsigned char[]", sig_buf_len)
         buflen = self._backend._ffi.new("unsigned int *")
-- 
cgit v1.2.3


From 4e52e7e50650b88d0e2c50bd5366bb0da1c5634d Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sun, 1 Jun 2014 14:41:39 -0500
Subject: more _ctx required

---
 cryptography/hazmat/backends/openssl/backend.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index c8baa0e6..b5000d2e 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -1344,7 +1344,7 @@ class _RSASignatureContext(object):
         sig_buf = self._backend._ffi.new("char[]", pkey_size)
         sig_len = self._backend._ffi.new("unsigned int *")
         res = self._backend._lib.EVP_SignFinal(
-            self._hash_ctx._ctx,
+            self._hash_ctx._ctx._ctx,
             sig_buf,
             sig_len,
             evp_pkey
-- 
cgit v1.2.3


From 87d9c706dae2ce46f0191ae5aa3097fe7bbbc204 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sun, 1 Jun 2014 14:47:08 -0500
Subject: add some complexity back to handle 0.9.8 annoyances

---
 cryptography/hazmat/backends/openssl/backend.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index b5000d2e..4112f0e5 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -21,7 +21,8 @@ import six
 
 from cryptography import utils
 from cryptography.exceptions import (
-    InternalError, InvalidSignature, InvalidTag, UnsupportedAlgorithm, _Reasons
+    AlreadyFinalized, InternalError, InvalidSignature, InvalidTag,
+    UnsupportedAlgorithm, _Reasons
 )
 from cryptography.hazmat.backends.interfaces import (
     CMACBackend, CipherBackend, DSABackend, HMACBackend, HashBackend,
@@ -1341,6 +1342,9 @@ class _RSASignatureContext(object):
         return self._backend._ffi.buffer(buf)[:]
 
     def _finalize_pkcs1(self, evp_pkey, pkey_size, evp_md):
+        if self._hash_ctx._ctx is None:
+            raise AlreadyFinalized("Context has already been finalized.")
+
         sig_buf = self._backend._ffi.new("char[]", pkey_size)
         sig_len = self._backend._ffi.new("unsigned int *")
         res = self._backend._lib.EVP_SignFinal(
@@ -1520,6 +1524,9 @@ class _RSAVerificationContext(object):
             raise InvalidSignature
 
     def _verify_pkcs1(self, evp_pkey, evp_md):
+        if self._hash_ctx._ctx is None:
+            raise AlreadyFinalized("Context has already been finalized.")
+
         res = self._backend._lib.EVP_VerifyFinal(
             self._hash_ctx._ctx._ctx,
             self._signature,
-- 
cgit v1.2.3