From 10a81a93b5b9a77a3022eaf4e24d28fa6e3fca0e Mon Sep 17 00:00:00 2001 From: Maximilian Hils Date: Tue, 25 Aug 2015 20:57:35 +0200 Subject: add set_cert_cb --- src/_cffi_src/openssl/ssl.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index 7a7968a1..798fcb16 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -45,6 +45,7 @@ static const long Cryptography_HAS_SSL_OP_NO_TICKET; static const long Cryptography_HAS_NETBSD_D1_METH; static const long Cryptography_HAS_NEXTPROTONEG; static const long Cryptography_HAS_ALPN; +static const long Cryptography_HAS_SET_CERT_CB; static const long SSL_FILETYPE_PEM; static const long SSL_FILETYPE_ASN1; @@ -406,6 +407,12 @@ void SSL_CTX_set_alpn_select_cb(SSL_CTX *, void SSL_get0_alpn_selected(const SSL *, const unsigned char **, unsigned *); long SSL_get_server_tmp_key(SSL *, EVP_PKEY **); + +/* SSL_CTX_set_cert_cb is introduced in OpenSSL 1.0.2. To continue to support + * earlier versions some special handling of these is necessary. + */ +void SSL_CTX_set_cert_cb(SSL_CTX *, int (*)(SSL *, void *), void *); +void SSL_set_cert_cb(SSL *, int (*)(SSL *, void *), void *); """ CUSTOMIZATIONS = """ @@ -609,6 +616,16 @@ static const long Cryptography_HAS_ALPN = 0; static const long Cryptography_HAS_ALPN = 1; #endif +/* SSL_CTX_set_cert_cb was added in OpenSSL 1.0.2. */ +#if OPENSSL_VERSION_NUMBER < 0x10002001L || defined(LIBRESSL_VERSION_NUMBER) +void (*SSL_CTX_set_cert_cb)(SSL_CTX *, int (*)(SSL *, void *), void *) = NULL; +void (*SSL_set_cert_cb)(SSL *, int (*)(SSL *, void *), void *) = NULL; +static const long Cryptography_HAS_SET_CERT_CB = 0; +#else +static const long Cryptography_HAS_SET_CERT_CB = 1; +#endif + + #if defined(OPENSSL_NO_COMP) || defined(LIBRESSL_VERSION_NUMBER) static const long Cryptography_HAS_COMPRESSION = 0; typedef void COMP_METHOD; -- cgit v1.2.3 
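Review bot: The declaration comment in the second hunk (`To continue to support earlier versions some special handling of these is necessary`) does not say what the handling is, so a reader of the CDEF block has to locate the CUSTOMIZATIONS hunk to learn that both functions become NULL function pointers whenever `Cryptography_HAS_SET_CERT_CB` is 0. I would state that at the declaration: `/* SSL_CTX_set_cert_cb/SSL_set_cert_cb exist from OpenSSL 1.0.2; on older OpenSSL and on LibreSSL they are NULL and Cryptography_HAS_SET_CERT_CB is 0, so check the flag before calling. */`. The two version comments also phrase the same fact differently ("is introduced in" vs "was added in"); one wording would do. The third hunk additionally leaves two consecutive blank lines after its `#endif`, where the neighbouring feature blocks are separated by one.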
From 21569bf71e32ece2f5dc0dfc40373b7b95ea3167 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 25 Aug 2015 14:46:52 -0500 Subject: add conditional removal for SET_CERT_CB --- src/cryptography/hazmat/bindings/openssl/_conditional.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index adf00b02..670710b1 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -410,5 +410,9 @@ CONDITIONAL_NAMES = { ], "Cryptography_HAS_X509_V_FLAG_CHECK_SS_SIGNATURE": [ "X509_V_FLAG_CHECK_SS_SIGNATURE", - ] + ], + "Cryptography_HAS_SET_CERT_CB": [ + "SSL_CTX_set_cert_cb", + "SSL_set_cert_cb", + ], } -- cgit v1.2.3 From 238c191b849ddd67732d0ad5ea26a0bc96c01305 Mon Sep 17 00:00:00 2001 From: Fran Fitzpatrick Date: Tue, 25 Aug 2015 21:22:30 -0400 Subject: Update fernet.rst - removed a word! --- docs/fernet.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/fernet.rst b/docs/fernet.rst index eacbc2ae..8ea33eef 100644 --- a/docs/fernet.rst +++ b/docs/fernet.rst @@ -3,7 +3,7 @@ Fernet (symmetric encryption) .. currentmodule:: cryptography.fernet -Fernet provides guarantees that a message encrypted using it cannot be +Fernet guarantees that a message encrypted using it cannot be manipulated or read without the key. `Fernet`_ is an implementation of symmetric (also known as "secret key") authenticated cryptography. Fernet also has support for implementing key rotation via :class:`MultiFernet`. -- cgit v1.2.3 From e7820613494bd856a84e46333b43716e5028bdbc Mon Sep 17 00:00:00 2001 From: Tim Buchwaldt Date: Wed, 26 Aug 2015 19:15:03 +0200 Subject: Write as binary At least on Python3 it fails otherwise. --- docs/x509/tutorial.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs/x509/tutorial.rst b/docs/x509/tutorial.rst index 6e587d8b..d1c8ba14 100644 --- a/docs/x509/tutorial.rst +++ b/docs/x509/tutorial.rst @@ -37,7 +37,7 @@ are the most common types of keys on the web right now): ... backend=default_backend() ... ) >>> # Write our key to disk for safe keeping - >>> with open("path/to/store/key.pem", "w") as f: + >>> with open("path/to/store/key.pem", "wb") as f: ... f.write(key.private_bytes( ... encoding=serialization.Encoding.PEM, ... format=serialization.PrivateFormat.TraditionalOpenSSL, @@ -75,7 +75,7 @@ a few details: ... # Sign the CSR with our private key. ... ])).sign(key, hashes.SHA256(), default_backend()) >>> # Write our CSR out to disk. - >>> with open("path/to/csr.pem", "w") as f: + >>> with open("path/to/csr.pem", "wb") as f: ... f.write(csr.public_bytes(serialization.Encoding.PEM)) Now we can give our CSR to a CA, who will give a certificate to us in return. -- cgit v1.2.3 From aad39497b8fd352dff4342d41d3eb69b0225dc10 Mon Sep 17 00:00:00 2001 From: Terry Chia Date: Fri, 28 Aug 2015 23:15:47 +0800 Subject: Add SSL_renegotiate binding. --- src/_cffi_src/openssl/ssl.py | 1 + 1 file changed, 1 insertion(+) diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index 798fcb16..f14aaba7 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -205,6 +205,7 @@ Cryptography_STACK_OF_X509_NAME *SSL_get_client_CA_list(const SSL *); int SSL_get_error(const SSL *, int); int SSL_do_handshake(SSL *); int SSL_shutdown(SSL *); +int SSL_renegotiate(SSL *); const char *SSL_get_cipher_list(const SSL *, int); Cryptography_STACK_OF_SSL_CIPHER *SSL_get_ciphers(const SSL *); -- cgit v1.2.3 From c6a73cb16f00889b53d368359059141d75a26be0 Mon Sep 17 00:00:00 2001 From: kjav Date: Fri, 28 Aug 2015 16:44:16 +0100 Subject: Added bindings for SSL_renegotiate_ --- src/_cffi_src/openssl/ssl.py | 2 ++ 1 file changed, 2 insertions(+) 
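Review bot: `int SSL_renegotiate(SSL *);` is added to the CDEF block with no note on its contract, although it is a function whose return value is easy to misread. As I recall, SSL_renegotiate only schedules a renegotiation and returns before any handshake traffic is exchanged — the exchange is driven by a later SSL_do_handshake()/read/write call — so a wrapper that checks only this return value would conclude the renegotiation succeeded when it has not started; a one-line comment such as `/* Requests a renegotiation; the handshake itself runs on the next SSL_do_handshake()/IO call. */` would prevent that. The same applies to `SSL_renegotiate_pending`, added in the following commit's hunk, whose result is only meaningful relative to that deferred handshake.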
diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index f14aaba7..a5423552 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -206,6 +206,8 @@ int SSL_get_error(const SSL *, int); int SSL_do_handshake(SSL *); int SSL_shutdown(SSL *); int SSL_renegotiate(SSL *); +int SSL_renegotiate_abbreviated(SSL *); +int SSL_renegotiate_pending(SSL *); const char *SSL_get_cipher_list(const SSL *, int); Cryptography_STACK_OF_SSL_CIPHER *SSL_get_ciphers(const SSL *); -- cgit v1.2.3 From 729abcf1d552fd215aad864152d227d11580e0c7 Mon Sep 17 00:00:00 2001 From: kjav Date: Fri, 28 Aug 2015 16:54:22 +0100 Subject: Removed SSL_renegotiate_abbreviated binding As this is not supported in OpenSSL < 1.01 --- src/_cffi_src/openssl/ssl.py | 1 - 1 file changed, 1 deletion(-) diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index a5423552..ccabb872 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -206,7 +206,6 @@ int SSL_get_error(const SSL *, int); int SSL_do_handshake(SSL *); int SSL_shutdown(SSL *); int SSL_renegotiate(SSL *); -int SSL_renegotiate_abbreviated(SSL *); int SSL_renegotiate_pending(SSL *); const char *SSL_get_cipher_list(const SSL *, int); Cryptography_STACK_OF_SSL_CIPHER *SSL_get_ciphers(const SSL *); -- cgit v1.2.3 From b964a5cfb006229c1cdb1a4cf97df845ef5e754e Mon Sep 17 00:00:00 2001 From: Terry Chia Date: Sat, 29 Aug 2015 18:53:47 +0800 Subject: Add some text regarding using passwords with Fernet. --- docs/fernet.rst | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/docs/fernet.rst b/docs/fernet.rst index 8ea33eef..b6ee87f7 100644 --- a/docs/fernet.rst +++ b/docs/fernet.rst 
@@ -106,6 +106,43 @@ has support for implementing key rotation via :class:`MultiFernet`. See :meth:`Fernet.decrypt` for more information. + +Using passwords with Fernet +--------------------------- + +It is possible to use passwords with Fernet. To do this, you need to run the +password through a key derivation function like +:class:`~cryptography.hazmat.primitives.kdf.PBKDF2`: + +.. code-block:: python + + import base64 + import os + from cryptography.hazmat.primitives import hashes + from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC + from cryptography.hazmat.backends import default_backend + from cryptography.fernet import Fernet + + password = b"password" + salt = os.urandom(16) + + kdf = PBKDF2HMAC( + algorithm=hashes.SHA256(), + length=32, + salt=salt, + iterations=100000, + backend=default_backend + ) + key = base64.urlsafe_b64encode(kdf.derive(password)) + f = Fernet(key) + +In this scheme, the salt has to be stored in a retrievable location in order +to derive the same key from the password in the future. + +The iteration count used should be adjusted to be as high as your server can +tolerate. A good default is at least 100k iterations which is what Django +`recommends`_. + Implementation -------------- @@ -125,3 +162,4 @@ For complete details consult the `specification`_. .. _`Fernet`: https://github.com/fernet/spec/ .. _`specification`: https://github.com/fernet/spec/blob/master/Spec.md +.. _`recommends`_: https://github.com/django/django/blob/master/django/utils/crypto.py#L148 -- cgit v1.2.3 From 1ef3aa3ea3bfe10f234aa4292d6f65d76c89b192 Mon Sep 17 00:00:00 2001 From: Terry Chia Date: Sat, 29 Aug 2015 19:04:57 +0800 Subject: Fix link. --- docs/fernet.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/fernet.rst b/docs/fernet.rst index b6ee87f7..1cea0a7a 100644 --- a/docs/fernet.rst +++ b/docs/fernet.rst 
@@ -162,4 +162,4 @@ For complete details consult the `specification`_. .. _`Fernet`: https://github.com/fernet/spec/ .. _`specification`: https://github.com/fernet/spec/blob/master/Spec.md -.. _`recommends`_: https://github.com/django/django/blob/master/django/utils/crypto.py#L148 +.. _`recommends`: https://github.com/django/django/blob/master/django/utils/crypto.py#L148 -- cgit v1.2.3 From d9f8bfaaa8c0f416a468e47e7b494661b30f42c8 Mon Sep 17 00:00:00 2001 From: Terry Chia Date: Sat, 29 Aug 2015 19:08:39 +0800 Subject: Fixed PBKDF2 class target. --- docs/fernet.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/fernet.rst b/docs/fernet.rst index 1cea0a7a..d4a7d284 100644 --- a/docs/fernet.rst +++ b/docs/fernet.rst @@ -112,7 +112,7 @@ Using passwords with Fernet It is possible to use passwords with Fernet. To do this, you need to run the password through a key derivation function like -:class:`~cryptography.hazmat.primitives.kdf.PBKDF2`: +:class:`~cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC`: .. code-block:: python -- cgit v1.2.3 From 4678604fe39078e89e9a20931e64e1a2ac48bab5 Mon Sep 17 00:00:00 2001 From: Terry Chia Date: Sat, 29 Aug 2015 19:12:14 +0800 Subject: Add Django to wordlist. --- docs/spelling_wordlist.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index 1eed7c7a..a78b99f0 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -22,6 +22,7 @@ deserialize deserialized Diffie Docstrings +Django Encodings fernet Fernet -- cgit v1.2.3 From 7126e61fc31d9684314c3749f4b552f6d43e39fc Mon Sep 17 00:00:00 2001 From: Terry Chia Date: Sat, 29 Aug 2015 22:28:51 +0800 Subject: Fix imports and wordings. --- docs/fernet.rst | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/docs/fernet.rst b/docs/fernet.rst index d4a7d284..18aab439 100644 --- a/docs/fernet.rst +++ b/docs/fernet.rst 
@@ -111,17 +111,18 @@ Using passwords with Fernet --------------------------- It is possible to use passwords with Fernet. To do this, you need to run the -password through a key derivation function like +password through a key derivation function such as :class:`~cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC`: .. code-block:: python import base64 import os + + from cryptography.fernet import Fernet + from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC - from cryptography.hazmat.backends import default_backend - from cryptography.fernet import Fernet password = b"password" salt = os.urandom(16) @@ -140,8 +141,8 @@ In this scheme, the salt has to be stored in a retrievable location in order to derive the same key from the password in the future. The iteration count used should be adjusted to be as high as your server can -tolerate. A good default is at least 100k iterations which is what Django -`recommends`_. +tolerate. A good default is at least 100,000 iterations which is what Django +`recommends`_ in 2014. Implementation -------------- -- cgit v1.2.3 From 72ccef56791f4f5fe80980728cc953b6ce81efad Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 29 Aug 2015 12:30:33 -0400 Subject: Fixed #2270 -- update citation to something that works --- docs/hazmat/primitives/asymmetric/ec.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/hazmat/primitives/asymmetric/ec.rst b/docs/hazmat/primitives/asymmetric/ec.rst index 323f4c3f..d5131df6 100644 --- a/docs/hazmat/primitives/asymmetric/ec.rst +++ b/docs/hazmat/primitives/asymmetric/ec.rst 
@@ -125,10 +125,10 @@ Elliptic Curve Signature Algorithms Elliptic Curves --------------- -Elliptic curves provide equivalent security at much smaller key sizes than -asymmetric cryptography systems such as RSA or DSA. For some operations they -can also provide higher performance at every security level. According to NIST -they can have as much as a `64x lower computational cost than DH`_. +Elliptic curves provide equivalent security at much smaller key sizes than other +asymmetric cryptography systems such as RSA or DSA. For many operations elliptic +curves are also signfiicantly faster; `elliptic curve diffie-hellman is faster +than diffie-hellman`_. .. note:: Curves with a size of `less than 224 bits`_ should not be used. You should @@ -421,7 +421,7 @@ Key Interfaces .. _`FIPS 186-4`: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf .. _`some concern`: https://crypto.stackexchange.com/questions/10263/should-we-trust-the-nist-recommended-ecc-parameters .. _`less than 224 bits`: http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf -.. _`64x lower computational cost than DH`: https://www.nsa.gov/business/programs/elliptic_curve.shtml +.. _`elliptic curve diffie-hellman is faster than diffie-hellman`: http://digitalcommons.unl.edu/cgi/viewcontent.cgi?article=1100&context=cseconfwork .. _`minimize the number of security concerns for elliptic-curve cryptography`: http://cr.yp.to/ecdh/curve25519-20060209.pdf .. _`SafeCurves`: http://safecurves.cr.yp.to/ .. _`ECDSA`: https://en.wikipedia.org/wiki/ECDSA -- cgit v1.2.3 From fd07919bf6c462e40fdbd536a204f42a0dbbeaa5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 29 Aug 2015 12:36:51 -0400 Subject: spelling --- docs/hazmat/primitives/asymmetric/ec.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/hazmat/primitives/asymmetric/ec.rst b/docs/hazmat/primitives/asymmetric/ec.rst index d5131df6..176bf301 100644 --- a/docs/hazmat/primitives/asymmetric/ec.rst 
+++ b/docs/hazmat/primitives/asymmetric/ec.rst @@ -127,7 +127,7 @@ Elliptic Curves Elliptic curves provide equivalent security at much smaller key sizes than other asymmetric cryptography systems such as RSA or DSA. For many operations elliptic -curves are also signfiicantly faster; `elliptic curve diffie-hellman is faster +curves are also significantly faster; `elliptic curve diffie-hellman is faster than diffie-hellman`_. .. note:: -- cgit v1.2.3 From 40d56b2d98b96ef3c086db710f363953eac2d26e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 29 Aug 2015 12:39:12 -0400 Subject: line length --- docs/hazmat/primitives/asymmetric/ec.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/hazmat/primitives/asymmetric/ec.rst b/docs/hazmat/primitives/asymmetric/ec.rst index 176bf301..01671d44 100644 --- a/docs/hazmat/primitives/asymmetric/ec.rst +++ b/docs/hazmat/primitives/asymmetric/ec.rst @@ -125,10 +125,10 @@ Elliptic Curve Signature Algorithms Elliptic Curves --------------- -Elliptic curves provide equivalent security at much smaller key sizes than other -asymmetric cryptography systems such as RSA or DSA. For many operations elliptic -curves are also significantly faster; `elliptic curve diffie-hellman is faster -than diffie-hellman`_. +Elliptic curves provide equivalent security at much smaller key sizes than +other asymmetric cryptography systems such as RSA or DSA. For many operations +elliptic curves are also significantly faster; `elliptic curve diffie-hellman +is faster than diffie-hellman`_. .. note:: Curves with a size of `less than 224 bits`_ should not be used. You should -- cgit v1.2.3 From 1055431497ded70c1ef766ea7e543e6c4bc4f0da Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 29 Aug 2015 15:47:53 -0500 Subject: add support for static linking of the openssl backend on OS X --- src/_cffi_src/build_openssl.py | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) 
diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py index 6a5bf2da..bd8cf73e 100644 --- a/src/_cffi_src/build_openssl.py +++ b/src/_cffi_src/build_openssl.py @@ -4,6 +4,7 @@ from __future__ import absolute_import, division, print_function +import os import sys from _cffi_src.utils import build_ffi_for_binding, extra_link_args @@ -11,15 +12,27 @@ from _cffi_src.utils import build_ffi_for_binding, extra_link_args def _get_openssl_libraries(platform): # OpenSSL goes by a different library name on different operating systems. - if platform != "win32": + if platform == "darwin": + return _osx_libraries( + os.environ.get("CRYPTOGRAPHY_BUILD_STATIC", None) + ) + elif platform == "win32": + return ["libeay32", "ssleay32", "advapi32", + "crypt32", "gdi32", "user32", "ws2_32"] + else: # In some circumstances, the order in which these libs are # specified on the linker command-line is significant; # libssl must come before libcrypto # (http://marc.info/?l=openssl-users&m=135361825921871) return ["ssl", "crypto"] + + +def _osx_libraries(build_static): + # For building statically we don't want to pass the -lssl or -lcrypto flags + if build_static == "1": + return [] else: - return ["libeay32", "ssleay32", "advapi32", - "crypt32", "gdi32", "user32", "ws2_32"] + return ["ssl", "crypto"] _OSX_PRE_INCLUDE = """ -- cgit v1.2.3 From 5f7d9d2f68d51fe7fd89f752484920aa5680258a Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 29 Aug 2015 15:48:13 -0500 Subject: update travis to static link homebrew openssl (plus one dynamic job) --- .travis.yml | 14 +++++++++----- .travis/run.sh | 7 ++++++- 2 files changed, 15 insertions(+), 6 deletions(-) diff --git a/.travis.yml b/.travis.yml index c61682ed..90b2b1fb 100644 --- a/.travis.yml +++ b/.travis.yml 
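Review bot: `_osx_libraries` returns the same `["ssl", "crypto"]` list as the generic branch of `_get_openssl_libraries` but without the ordering remark that branch carries (libssl must precede libcrypto), so the two copies can drift apart; either let the darwin non-static path fall through to the generic list or repeat the constraint next to it. The helper also reads more directly as a single expression: `return [] if build_static == "1" else ["ssl", "crypto"]`. A short docstring stating that `build_static` is the raw value of `CRYPTOGRAPHY_BUILD_STATIC` and that only the literal string `"1"` enables the static path would help, since values such as `"true"` or `"yes"` silently fall back to dynamic linking.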
@@ -71,23 +71,23 @@ matrix: - language: generic os: osx osx_image: beta-xcode6.3 - env: TOXENV=py26 + env: TOXENV=py26 CRYPTOGRAPHY_BUILD_STATIC=1 - language: generic os: osx osx_image: beta-xcode6.3 - env: TOXENV=py27 + env: TOXENV=py27 CRYPTOGRAPHY_BUILD_STATIC=1 - language: generic os: osx osx_image: beta-xcode6.3 - env: TOXENV=py33 + env: TOXENV=py33 CRYPTOGRAPHY_BUILD_STATIC=1 - language: generic os: osx osx_image: beta-xcode6.3 - env: TOXENV=py34 + env: TOXENV=py34 CRYPTOGRAPHY_BUILD_STATIC=1 - language: generic os: osx osx_image: beta-xcode6.3 - env: TOXENV=pypy + env: TOXENV=pypy CRYPTOGRAPHY_BUILD_STATIC=1 - language: generic os: osx osx_image: beta-xcode6.3 @@ -112,6 +112,10 @@ matrix: os: osx osx_image: beta-xcode6.3 env: TOXENV=docs + - language: generic + os: osx + osx_image: beta-xcode6.3 + env: TOXENV=py27 install: - ./.travis/install.sh diff --git a/.travis/run.sh b/.travis/run.sh index 17358655..b519c9fc 100755 --- a/.travis/run.sh +++ b/.travis/run.sh @@ -8,7 +8,12 @@ if [[ "$(uname -s)" == "Darwin" ]]; then if [[ "${OPENSSL}" != "0.9.8" ]]; then # set our flags to use homebrew openssl export ARCHFLAGS="-arch x86_64" - export LDFLAGS="-L/usr/local/opt/openssl/lib" + # if the build is static we need different LDFLAGS + if [[ "${CRYPTOGRAPHY_BUILD_STATIC}" == "1" ]]; then + export LDFLAGS="/usr/local/opt/openssl/lib/libssl.a /usr/local/opt/openssl/lib/libcrypto.a" + else + export LDFLAGS="-L/usr/local/opt/openssl/lib" + fi export CFLAGS="-I/usr/local/opt/openssl/include" # The Travis OS X jobs are run for two versions # of OpenSSL, but we only need to run the -- cgit v1.2.3 From 2f1d5a47c155edf376fdef3b5b94667cea259653 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 29 Aug 2015 15:55:56 -0500 Subject: move dynamic build and add an env to make it obvious it's dynamic --- .travis.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index 90b2b1fb..bd039065 100644 --- a/.travis.yml 
+++ b/.travis.yml @@ -88,6 +88,10 @@ matrix: os: osx osx_image: beta-xcode6.3 env: TOXENV=pypy CRYPTOGRAPHY_BUILD_STATIC=1 + - language: generic + os: osx + osx_image: beta-xcode6.3 + env: TOXENV=py27 CRYPTOGRAPHY_BUILD_STATIC=0 - language: generic os: osx osx_image: beta-xcode6.3 @@ -112,10 +116,6 @@ matrix: os: osx osx_image: beta-xcode6.3 env: TOXENV=docs - - language: generic - os: osx - osx_image: beta-xcode6.3 - env: TOXENV=py27 install: - ./.travis/install.sh -- cgit v1.2.3 From 039540a3f5fbb458987c999e507010c478dd635d Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 29 Aug 2015 16:02:19 -0500 Subject: add some otool output to the OS X builds --- .travis/run.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.travis/run.sh b/.travis/run.sh index b519c9fc..a1788f8f 100755 --- a/.travis/run.sh +++ b/.travis/run.sh @@ -31,3 +31,7 @@ else fi source ~/.venv/bin/activate tox -- $TOX_FLAGS +# Output information about linking of the OpenSSL library on OS X +if [[ "$(uname -s)" == "Darwin" ]]; then + otool -L `find .tox -name _openssl.so` +fi -- cgit v1.2.3 From 162f30a226f2ac35ae8e9ed09911adecd0db280c Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 29 Aug 2015 16:30:06 -0500 Subject: pypy doesn't name that shared object quite the same --- .travis/run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis/run.sh b/.travis/run.sh index a1788f8f..c22ded22 100755 --- a/.travis/run.sh +++ b/.travis/run.sh @@ -33,5 +33,5 @@ source ~/.venv/bin/activate tox -- $TOX_FLAGS # Output information about linking of the OpenSSL library on OS X if [[ "$(uname -s)" == "Darwin" ]]; then - otool -L `find .tox -name _openssl.so` + otool -L `find .tox -name _openssl*.so` fi -- cgit v1.2.3 From 89656cd08cf0369677b298f30ba754cb62e5009b Mon Sep 17 00:00:00 2001 
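Review bot: The glob in `find .tox -name _openssl*.so` (the second run.sh hunk on this line) is unquoted, so the shell expands it against the current directory before `find` runs; if a matching file ever exists there, `find` receives a literal filename and no longer matches the PyPy module name this commit is trying to cover, and with several matches `find` gets a syntax error. Quote the pattern and prefer `$(...)` over backticks: `otool -L $(find .tox -name '_openssl*.so')`. With no match at all `otool -L` is currently invoked with no arguments; `find .tox -name '_openssl*.so' -exec otool -L {} +` avoids both problems.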
From: Paul Kehrer Date: Sat, 29 Aug 2015 18:18:53 -0500 Subject: Resolve an unusual test bug related to initializing the bindings To make calls against the "SSL" parts of OpenSSL you need to call SSL_library_init. There are multiple ways this can be called: * If you're using the same OpenSSL in cryptography as you are in your Python then Python will call it for you. * If you import the openssl backend. These tests need SSL_library_init to be called. When run in our CI SSL_library_init is called because during the parametrization step the OpenSSL backend is imported (thus triggering it). However, you can also run tests directly via py.test and without this change py.test tests/hazmat/bindings/test_openssl.py would crash if you had cryptography linked against a different OpenSSL than your Python used. --- src/cryptography/hazmat/backends/openssl/backend.py | 7 ------- src/cryptography/hazmat/bindings/openssl/binding.py | 6 ++++++ 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 8c4abcd6..197bcb8c 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -529,13 +529,6 @@ class Backend(object): self._binding.init_static_locks() - # adds all ciphers/digests for EVP - self._lib.OpenSSL_add_all_algorithms() - # registers available SSL/TLS ciphers and digests - self._lib.SSL_library_init() - # loads error strings for libcrypto and libssl functions - self._lib.SSL_load_error_strings() - self._cipher_registry = {} self._register_default_ciphers() self.activate_osrandom_engine() diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index e18d89c5..50d7f6d5 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py 
@@ -92,6 +92,12 @@ class Binding(object): if not cls._lib_loaded: cls.lib = build_conditional_library(lib, CONDITIONAL_NAMES) cls._lib_loaded = True + # initialize the SSL library + cls.lib.SSL_library_init() + # adds all ciphers/digests for EVP + cls.lib.OpenSSL_add_all_algorithms() + # loads error strings for libcrypto and libssl functions + cls.lib.SSL_load_error_strings() cls._register_osrandom_engine() @classmethod -- cgit v1.2.3 From 7539dcb6e424e27f6bb270571b9410bd6ad36aac Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 29 Aug 2015 21:00:54 -0500 Subject: no need for None --- src/_cffi_src/build_openssl.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py index bd8cf73e..49d7464c 100644 --- a/src/_cffi_src/build_openssl.py +++ b/src/_cffi_src/build_openssl.py @@ -14,7 +14,7 @@ def _get_openssl_libraries(platform): # OpenSSL goes by a different library name on different operating systems. if platform == "darwin": return _osx_libraries( - os.environ.get("CRYPTOGRAPHY_BUILD_STATIC", None) + os.environ.get("CRYPTOGRAPHY_BUILD_STATIC") ) elif platform == "win32": return ["libeay32", "ssleay32", "advapi32", -- cgit v1.2.3 From b1903b0d4caaac29f78b7421704caf01255b3c13 Mon Sep 17 00:00:00 2001 From: Terry Chia Date: Sun, 30 Aug 2015 11:09:22 +0800 Subject: Mention bcrypt and scrypt. --- docs/fernet.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/fernet.rst b/docs/fernet.rst index 18aab439..a066ae63 100644 --- a/docs/fernet.rst +++ b/docs/fernet.rst @@ -112,7 +112,8 @@ Using passwords with Fernet It is possible to use passwords with Fernet. To do this, you need to run the password through a key derivation function such as -:class:`~cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC`: +:class:`~cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC`, bcrypt or +scrypt. .. code-block:: python -- cgit v1.2.3 
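Review bot: The three initialisation calls now run inside `if not cls._lib_loaded:` in `Binding`, which is the right place to make them happen once per process, but the new `# initialize the SSL library` comment says less than the one removed from backend.py (`# registers available SSL/TLS ciphers and digests`); I would carry the old wording over so the reason the call is needed before any SSL object is created stays visible. Whether this block executes under a lock is not visible in the hunk; if `_lib_loaded` is a plain check-then-set, two threads loading the bindings concurrently could both run the initialisation, which is worth confirming against the rest of the method. The enclosing method starts outside the hunk.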
From 69382a045a1647a78ab8a6a00d95ea85c9f93147 Mon Sep 17 00:00:00 2001 From: Terry Chia Date: Sun, 30 Aug 2015 13:09:36 +0800 Subject: Add bcrypt to word list. --- docs/spelling_wordlist.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index a78b99f0..75497840 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -1,6 +1,7 @@ affine backend backends +bcrypt Backends Blowfish boolean -- cgit v1.2.3 From 7402cf1c676ffb7ba48d6e90227bb4b1397af12d Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 31 Aug 2015 12:34:30 -0500 Subject: rename env var to CRYPTOGRAPHY_OSX_NO_LINK_FLAGS --- .travis.yml | 12 ++++++------ .travis/run.sh | 2 +- src/_cffi_src/build_openssl.py | 2 +- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.travis.yml b/.travis.yml index bd039065..f1c3567d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -71,27 +71,27 @@ matrix: - language: generic os: osx osx_image: beta-xcode6.3 - env: TOXENV=py26 CRYPTOGRAPHY_BUILD_STATIC=1 + env: TOXENV=py26 CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=1 - language: generic os: osx osx_image: beta-xcode6.3 - env: TOXENV=py27 CRYPTOGRAPHY_BUILD_STATIC=1 + env: TOXENV=py27 CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=1 - language: generic os: osx osx_image: beta-xcode6.3 - env: TOXENV=py33 CRYPTOGRAPHY_BUILD_STATIC=1 + env: TOXENV=py33 CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=1 - language: generic os: osx osx_image: beta-xcode6.3 - env: TOXENV=py34 CRYPTOGRAPHY_BUILD_STATIC=1 + env: TOXENV=py34 CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=1 - language: generic os: osx osx_image: beta-xcode6.3 - env: TOXENV=pypy CRYPTOGRAPHY_BUILD_STATIC=1 + env: TOXENV=pypy CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=1 - language: generic os: osx osx_image: beta-xcode6.3 - env: TOXENV=py27 CRYPTOGRAPHY_BUILD_STATIC=0 + env: TOXENV=py27 CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=0 - language: generic os: osx osx_image: beta-xcode6.3 diff --git a/.travis/run.sh b/.travis/run.sh index c22ded22..1ce8011f 100755 
--- a/.travis/run.sh +++ b/.travis/run.sh @@ -9,7 +9,7 @@ if [[ "$(uname -s)" == "Darwin" ]]; then # set our flags to use homebrew openssl export ARCHFLAGS="-arch x86_64" # if the build is static we need different LDFLAGS - if [[ "${CRYPTOGRAPHY_BUILD_STATIC}" == "1" ]]; then + if [[ "${CRYPTOGRAPHY_OSX_NO_LINK_FLAGS}" == "1" ]]; then export LDFLAGS="/usr/local/opt/openssl/lib/libssl.a /usr/local/opt/openssl/lib/libcrypto.a" else export LDFLAGS="-L/usr/local/opt/openssl/lib" diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py index 49d7464c..defa69d3 100644 --- a/src/_cffi_src/build_openssl.py +++ b/src/_cffi_src/build_openssl.py @@ -14,7 +14,7 @@ def _get_openssl_libraries(platform): # OpenSSL goes by a different library name on different operating systems. if platform == "darwin": return _osx_libraries( - os.environ.get("CRYPTOGRAPHY_BUILD_STATIC") + os.environ.get("CRYPTOGRAPHY_OSX_NO_LINK_FLAGS") ) elif platform == "win32": return ["libeay32", "ssleay32", "advapi32", -- cgit v1.2.3 From 646c7cc3cdbedb5f8d9090043da3db34ee298dff Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 1 Sep 2015 21:56:39 -0400 Subject: upgrade to pypy 2.6.1 --- .travis/install.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.travis/install.sh b/.travis/install.sh index 17aee435..3ff723da 100755 --- a/.travis/install.sh +++ b/.travis/install.sh @@ -35,8 +35,8 @@ if [[ "$(uname -s)" == 'Darwin' ]]; then ;; pypy) brew outdated pyenv || brew upgrade pyenv - pyenv install pypy-2.6.0 - pyenv global pypy-2.6.0 + pyenv install pypy-2.6.1 + pyenv global pypy-2.6.1 ;; pypy3) brew outdated pyenv || brew upgrade pyenv @@ -57,8 +57,8 @@ else PYENV_ROOT="$HOME/.pyenv" PATH="$PYENV_ROOT/bin:$PATH" eval "$(pyenv init -)" - pyenv install pypy-2.6.0 - pyenv global pypy-2.6.0 + pyenv install pypy-2.6.1 + pyenv global pypy-2.6.1 fi pip install virtualenv fi -- cgit v1.2.3 From 18fab258a2c06e4c86765ebc74507f0a3f26fa07 Mon Sep 17 00:00:00 2001 
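Review bot: After the rename, the run.sh comment `# if the build is static we need different LDFLAGS` and, in the build_openssl.py hunk, the callee `_osx_libraries(build_static)` (whose body is outside this hunk) still describe the variable as a static-build switch, while the new name `CRYPTOGRAPHY_OSX_NO_LINK_FLAGS` describes what it actually does: suppress the -lssl/-lcrypto flags. I would update the comment to `# with no -lssl/-lcrypto from the build, hand the linker the homebrew static archives directly` and rename the helper's parameter to match, e.g. `no_link_flags`, so the next reader does not have to reconcile two vocabularies for one setting.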
From: Alex Gaynor Date: Tue, 1 Sep 2015 22:16:17 -0400 Subject: fix --- .travis/run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis/run.sh b/.travis/run.sh index 17358655..1c49911f 100755 --- a/.travis/run.sh +++ b/.travis/run.sh @@ -21,7 +21,7 @@ else PYENV_ROOT="$HOME/.pyenv" PATH="$PYENV_ROOT/bin:$PATH" eval "$(pyenv init -)" - pyenv global pypy-2.6.0 + pyenv global pypy-2.6.1 fi fi source ~/.venv/bin/activate -- cgit v1.2.3 From f648734d1a0da965983e42e96437b99acd7dd1ea Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 3 Sep 2015 10:10:49 -0400 Subject: Fixed #2318 -- added the missing critical flag to the x509 tutorial --- docs/x509/tutorial.rst | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/docs/x509/tutorial.rst b/docs/x509/tutorial.rst index d1c8ba14..0fa061a2 100644 --- a/docs/x509/tutorial.rst +++ b/docs/x509/tutorial.rst @@ -67,13 +67,16 @@ a few details: ... x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"), ... x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"), ... x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"), - ... ])).add_extension(x509.SubjectAlternativeName([ - ... # Describe what sites we want this certificate for. - ... x509.DNSName(u"mysite.com"), - ... x509.DNSName(u"www.mysite.com"), - ... x509.DNSName(u"subdomain.mysite.com"), + ... ])).add_extension( + ... x509.SubjectAlternativeName([ + ... # Describe what sites we want this certificate for. + ... x509.DNSName(u"mysite.com"), + ... x509.DNSName(u"www.mysite.com"), + ... x509.DNSName(u"subdomain.mysite.com"), + ... ]), + ... critical=False, ... # Sign the CSR with our private key. - ... ])).sign(key, hashes.SHA256(), default_backend()) + ... ).sign(key, hashes.SHA256(), default_backend()) >>> # Write our CSR out to disk. >>> with open("path/to/csr.pem", "wb") as f: ... f.write(csr.public_bytes(serialization.Encoding.PEM)) -- cgit v1.2.3 
From 726cea356bd84ecea16cd5b6ed402351790fd103 Mon Sep 17 00:00:00 2001 From: Erik Trauschke Date: Thu, 3 Sep 2015 09:27:09 -0700 Subject: remove critical flag from cert issuer entry ext to work with OpenSSL < 1.0.0 --- .../x509/custom/crl_all_reasons.pem | 67 +++++++++++----------- 1 file changed, 33 insertions(+), 34 deletions(-) diff --git a/vectors/cryptography_vectors/x509/custom/crl_all_reasons.pem b/vectors/cryptography_vectors/x509/custom/crl_all_reasons.pem index 960363d0..fdc82ae6 100644 --- a/vectors/cryptography_vectors/x509/custom/crl_all_reasons.pem +++ b/vectors/cryptography_vectors/x509/custom/crl_all_reasons.pem 
@@ -1,37 +1,36 @@ -----BEGIN X509 CRL----- -MIIGZTCCBU0CAQIwDQYJKoZIhvcNAQELBQAwJzELMAkGA1UEBhMCVVMxGDAWBgNV +MIIGRzCCBS8CAQIwDQYJKoZIhvcNAQELBQAwJzELMAkGA1UEBhMCVVMxGDAWBgNV BAMMD2NyeXB0b2dyYXBoeS5pbxgPMjAxNTAxMDEwMDAwMDBaGA8yMDE2MDEwMTAw -MDAwMFowggTsMBQCAQAYDzIwMTUwMTAxMDAwMDAwWjB1AgEBGA8yMDE1MDEwMTAw -MDAwMFowXzAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDcGA1UdHQEB/wQtMCuk -KTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1Ud -FQQDCgEAMHUCAQIYDzIwMTUwMTAxMDAwMDAwWjBfMBgGA1UdGAQRGA8yMDE1MDEw -MTAwMDAwMFowNwYDVR0dAQH/BC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgwFgYDVQQD -DA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMKAQEwdQIBAxgPMjAxNTAxMDEwMDAw -MDBaMF8wGAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA3BgNVHR0BAf8ELTArpCkw -JzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNVHRUE -AwoBAjB1AgEEGA8yMDE1MDEwMTAwMDAwMFowXzAYBgNVHRgEERgPMjAxNTAxMDEw -MDAwMDBaMDcGA1UdHQEB/wQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwP -Y3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEDMHUCAQUYDzIwMTUwMTAxMDAwMDAw -WjBfMBgGA1UdGAQRGA8yMDE1MDEwMTAwMDAwMFowNwYDVR0dAQH/BC0wK6QpMCcx -CzAJBgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMK -AQQwdQIBBhgPMjAxNTAxMDEwMDAwMDBaMF8wGAYDVR0YBBEYDzIwMTUwMTAxMDAw -MDAwWjA3BgNVHR0BAf8ELTArpCkwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2Ny -eXB0b2dyYXBoeS5pbzAKBgNVHRUEAwoBBTB1AgEHGA8yMDE1MDEwMTAwMDAwMFow -XzAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDcGA1UdHQEB/wQtMCukKTAnMQsw -CQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEG -MHUCAQgYDzIwMTUwMTAxMDAwMDAwWjBfMBgGA1UdGAQRGA8yMDE1MDEwMTAwMDAw -MFowNwYDVR0dAQH/BC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlw -dG9ncmFwaHkuaW8wCgYDVR0VBAMKAQgwdQIBCRgPMjAxNTAxMDEwMDAwMDBaMF8w -GAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA3BgNVHR0BAf8ELTArpCkwJzELMAkG -A1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNVHRUEAwoBCTB1 -AgEKGA8yMDE1MDEwMTAwMDAwMFowXzAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBa -MDcGA1UdHQEB/wQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRv -Z3JhcGh5LmlvMAoGA1UdFQQDCgEKMC4CAQsYDzIwMTUwMTAxMDAwMDAwWjAYMAoG 
-A1UdFQQDCgEBMAoGAyoDBAQDCgEAMA0GCSqGSIb3DQEBCwUAA4IBAQAYO41YpMSq -6pPwgp2gqBUHPkFe4FuoxP4kXpsdAurQMb3WM8eZBNMQkgLP94ZYW3cliy+QClb3 -3EzTbckFhnS/avpQGD92hkp7gY5aETL8PuxFpK8qD3gzS+YZ0icbHbqacGxRYwT5 -rdSKb0B5soXe6Wf149Z6mze3X8+kCKpZILHytFzlCeiUZ0lG4bZRYNyQEqGzpsXD -8LuA5McqwASR1QkGNJTT7TKLBIfhy4CSt5aclnmdf4sWNQa9i560lj38ariZExXV -mqtqFIfhvJiVwpljj08uWZocVJcCOEQ9yxk5iVRWMicT79p6wukHqq8ecJBkgH/W -EO3JcHNjZRmW +MDAwMFowggTOMBQCAQAYDzIwMTUwMTAxMDAwMDAwWjByAgEBGA8yMDE1MDEwMTAw +MDAwMFowXDAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDQGA1UdHQQtMCukKTAn +MQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQD +CgEAMHICAQIYDzIwMTUwMTAxMDAwMDAwWjBcMBgGA1UdGAQRGA8yMDE1MDEwMTAw +MDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlw +dG9ncmFwaHkuaW8wCgYDVR0VBAMKAQEwcgIBAxgPMjAxNTAxMDEwMDAwMDBaMFww +GAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA0BgNVHR0ELTArpCkwJzELMAkGA1UE +BhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNVHRUEAwoBAjByAgEE +GA8yMDE1MDEwMTAwMDAwMFowXDAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDQG +A1UdHQQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5 +LmlvMAoGA1UdFQQDCgEDMHICAQUYDzIwMTUwMTAxMDAwMDAwWjBcMBgGA1UdGAQR +GA8yMDE1MDEwMTAwMDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgw +FgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMKAQQwcgIBBhgPMjAxNTAx +MDEwMDAwMDBaMFwwGAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA0BgNVHR0ELTAr +pCkwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNV +HRUEAwoBBTByAgEHGA8yMDE1MDEwMTAwMDAwMFowXDAYBgNVHRgEERgPMjAxNTAx +MDEwMDAwMDBaMDQGA1UdHQQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwP +Y3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEGMHICAQgYDzIwMTUwMTAxMDAwMDAw +WjBcMBgGA1UdGAQRGA8yMDE1MDEwMTAwMDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJ +BgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMKAQgw +cgIBCRgPMjAxNTAxMDEwMDAwMDBaMFwwGAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAw +WjA0BgNVHR0ELTArpCkwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dy +YXBoeS5pbzAKBgNVHRUEAwoBCTByAgEKGA8yMDE1MDEwMTAwMDAwMFowXDAYBgNV +HRgEERgPMjAxNTAxMDEwMDAwMDBaMDQGA1UdHQQtMCukKTAnMQswCQYDVQQGEwJV 
+UzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEKMC4CAQsYDzIw +MTUwMTAxMDAwMDAwWjAYMAoGA1UdFQQDCgEBMAoGAyoDBAQDCgEAMA0GCSqGSIb3 +DQEBCwUAA4IBAQBTaloHlPaCZzYee8LxkWej5meiqxQVNWFoVdjesroa+f1FRrH+ +drRU60Nq97KCKf7f9GNN/J3ZIlQmYhmuDqh12f+XLpotoj1ZRfBz2hjFCkJlv+2c +oWWGNHgA70ndFoVtcmX088SYpX8E3ARATivS4q2h9WlwV6rO93mhg3HGIe3JpcK4 +7BcW6Poi/ut/zsDOkVbI00SqaujRpdmdCTht82MH3ztjyDkI9KYaD/YEweKSrWOz +SdEILd164bfBeLuplVI+xpmTEMVNpXBlSXl7+xIw9Vk7p7Q1Pa3k/SvhOldYCm6y +C1xAg/AAq6w78yzYt18j5Mj0s6eeHi1YpHKw -----END X509 CRL----- -- cgit v1.2.3 From 8d242c78255eb872f53c685230459a2670217e19 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 4 Sep 2015 14:08:10 -0500 Subject: fix a docs typo and convert it to a doctest to prevent future problems --- docs/fernet.rst | 46 ++++++++++++++++++++++++---------------------- 1 file changed, 24 insertions(+), 22 deletions(-) diff --git a/docs/fernet.rst b/docs/fernet.rst index a066ae63..a2bab32a 100644 --- a/docs/fernet.rst +++ b/docs/fernet.rst 
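Review bot: Dropping the critical flag from the CertificateIssuer CRL entry extension leaves this vector non-conforming to RFC 5280 §5.3.3, which requires conforming CRL issuers to mark that extension critical; the removed lines carry the 2.5.29.29 OID followed by a BOOLEAN TRUE (`BgNVHR0BAf8E`), while the added lines go straight from the OID to the OCTET STRING (`BgNVHR0E`), so crl_all_reasons.pem now exercises only the lenient encoding. If the non-critical form is needed only so OpenSSL < 1.0.0 can parse the file, consider keeping the previous encoding as a second vector that the test suite skips on old OpenSSL rather than replacing it, so a parser's handling of the mandated critical form stays covered. Either way the deviation should be recorded where this custom vector is described, for example `CertificateIssuer entry extension intentionally non-critical for OpenSSL < 1.0.0 compatibility; RFC 5280 §5.3.3 requires it to be critical`.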
@@ -115,28 +115,30 @@ password through a key derivation function such as
 :class:`~cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC`, bcrypt or
 scrypt.

-.. code-block:: python
-
- import base64
- import os
-
- from cryptography.fernet import Fernet
- from cryptography.hazmat.backends import default_backend
- from cryptography.hazmat.primitives import hashes
- from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
-
- password = b"password"
- salt = os.urandom(16)
-
- kdf = PBKDF2HMAC(
- algorithm=hashes.SHA256(),
- length=32,
- salt=salt,
- iterations=100000,
- backend=default_backend
- )
- key = base64.urlsafe_b64encode(kdf.derive(password))
- f = Fernet(key)
+.. doctest::
+
+ >>> import base64
+ >>> import os
+ >>> from cryptography.fernet import Fernet
+ >>> from cryptography.hazmat.backends import default_backend
+ >>> from cryptography.hazmat.primitives import hashes
+ >>> from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+ >>> password = b"password"
+ >>> salt = os.urandom(16)
+ >>> kdf = PBKDF2HMAC(
+ ... algorithm=hashes.SHA256(),
+ ... length=32,
+ ... salt=salt,
+ ... iterations=100000,
+ ... backend=default_backend()
+ ... )
+ >>> key = base64.urlsafe_b64encode(kdf.derive(password))
+ >>> f = Fernet(key)
+ >>> token = f.encrypt(b"Secret message!")
+ >>> token
+ '...'
+ >>> f.decrypt(token)
+ 'Secret message!'

 In this scheme, the salt has to be stored in a retrievable location in order
 to derive the same key from the password in the future.
-- cgit v1.2.3

From 1e071ac064c1f9edf450c18836cd16e8f336a926 Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Sat, 5 Sep 2015 16:30:25 -0500
Subject: rework OS X install docs to describe static/dynamic linking
---
 docs/installation.rst | 55 ++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 41 insertions(+), 14 deletions(-)
diff --git a/docs/installation.rst b/docs/installation.rst
index f7a88b98..277e021b 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -118,38 +118,65 @@ build.
 Building cryptography on OS X
 -----------------------------

-Building cryptography requires the presence of a C compiler and development
-headers. On OS X this is typically provided by Apple's Xcode development tools.
-To install the Xcode command line tools on open a terminal window and run:
+The wheel package on OS X is a statically linked build (as of 1.0.1) so for
+users on 10.10 (Yosemite) and above you need two steps:

 .. code-block:: console

 $ xcode-select --install

-This will install a compiler (clang) along with the required development
-headers. If you wish to compile against a more recent OpenSSL than the
-version shipped with OS X see the next section.
+followed by

-Using your own OpenSSL on OS X
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.. code-block:: console
+
+ $ pip install cryptography
+
+If you want to build cryptography yourself or are on an older OS X version
+cryptography requires the presence of a C compiler, development headers, and
+the proper libraries. On OS X much of this is provided by Apple's Xcode
+development tools. To install the Xcode command line tools open a terminal
+window and run:
+
+.. code-block:: console
+
+ $ xcode-select --install
+
+This will install a compiler (clang) along with (most of) the required
+development headers.
+
+You'll also need OpenSSL, which you can obtain from `Homebrew`_ or `MacPorts`_.
+
+To build cryptography and dynamically link it:
+
+`Homebrew`_
+
+.. code-block:: console
+
+ $ brew install openssl
+ $ env LDFLAGS="-L$(brew --prefix openssl)/lib" CFLAGS="-I$(brew --prefix openssl)/include" pip install cryptography
+
+`MacPorts`_:
+
+.. code-block:: console
+
+ $ sudo port install openssl
+ $ env LDFLAGS="-L/opt/local/lib" CFLAGS="-I/opt/local/include" pip install cryptography

-To link cryptography against a custom version of OpenSSL you'll need to set
-``ARCHFLAGS``, ``LDFLAGS``, and ``CFLAGS``. OpenSSL can be installed via
-`Homebrew`_ or `MacPorts`_:
+You can also build cryptography statically:

 `Homebrew`_

 .. code-block:: console

 $ brew install openssl
- $ env ARCHFLAGS="-arch x86_64" LDFLAGS="-L$(brew --prefix openssl)/lib" CFLAGS="-I$(brew --prefix openssl)/include" pip install cryptography
+ $ env CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=1 LDFLAGS="$(brew --prefix openssl)/lib/libssl.a $(brew --prefix openssl)/lib/libcrypto.a" CFLAGS="-I$(brew --prefix openssl)/include" pip install cryptography

-or `MacPorts`_:
+`MacPorts`_:

 .. code-block:: console

 $ sudo port install openssl
- $ env ARCHFLAGS="-arch x86_64" LDFLAGS="-L/opt/local/lib" CFLAGS="-I/opt/local/include" pip install cryptography
+ $ env CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=1 LDFLAGS="/opt/local/lib/libssl.a /opt/local/lib/libcrypto.a" CFLAGS="-I/opt/local/include" pip install cryptography

 Building cryptography with conda
 --------------------------------
-- cgit v1.2.3

From 2f6b169f89674ce66df9a20f6d6105cb3e495fca Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Sat, 5 Sep 2015 20:58:52 -0500
Subject: port 1.0.1 changelog to master
---
 CHANGELOG.rst | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 900a3365..f8c7eefa 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -6,6 +6,18 @@ Changelog
 .. note::

 This version is not yet released and is under active development.

+1.0.1 - 2015-09-05
+~~~~~~~~~~~~~~~~~~
+
+* We now ship OS X wheels that statically link OpenSSL by default. When
+ installing a wheel on OS X 10.10+ (and using a Python compiled against the
+ 10.10 SDK) users will no longer need to compile. See :doc:`/installation` for
+ alternate installation methods if required.
+* Set the default string mask to UTF-8 in the OpenSSL backend to resolve
+ character encoding issues with older versions of OpenSSL.
+* Several new OpenSSL bindings have been added to support a future pyOpenSSL
+ release.
+* Raise an error during install on PyPy < 2.6. 1.0+ requires PyPy 2.6+.
 1.0 - 2015-08-12
 ~~~~~~~~~~~~~~~~
-- cgit v1.2.3