From 719907c863ba9a5b61a1a056366e23e1100516e8 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 12 Feb 2014 14:01:05 -0800 Subject: Be clear about HKDF's applicability for password storage --- docs/hazmat/primitives/key-derivation-functions.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/hazmat/primitives/key-derivation-functions.rst b/docs/hazmat/primitives/key-derivation-functions.rst index 1937c2ec..da47ccd3 100644 --- a/docs/hazmat/primitives/key-derivation-functions.rst +++ b/docs/hazmat/primitives/key-derivation-functions.rst @@ -128,6 +128,7 @@ Different KDFs are suitable for different tasks such as: `HKDF`_ (HMAC-based Extract-and-Expand Key Derivation Function) is suitable for deriving keys of a fixed size used for other cryptographic operations. + **HKDF should not be used for password storage.** .. doctest:: -- cgit v1.2.3 From c43bb7579b4cdb7b0c9306e5444ad94563f081e5 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 12 Feb 2014 16:42:11 -0800 Subject: Switch this to a warning block --- docs/hazmat/primitives/key-derivation-functions.rst | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/hazmat/primitives/key-derivation-functions.rst b/docs/hazmat/primitives/key-derivation-functions.rst index da47ccd3..d8a0e241 100644 --- a/docs/hazmat/primitives/key-derivation-functions.rst +++ b/docs/hazmat/primitives/key-derivation-functions.rst @@ -128,7 +128,10 @@ Different KDFs are suitable for different tasks such as: `HKDF`_ (HMAC-based Extract-and-Expand Key Derivation Function) is suitable for deriving keys of a fixed size used for other cryptographic operations. - **HKDF should not be used for password storage.** + + .. warning:: + + HKDF should not be used for password storage. .. doctest:: -- cgit v1.2.3 From ed828e17a6eefca79afcde2f0b9cd63865c7b902 Mon Sep 17 00:00:00 2001 
From: Paul Kehrer Date: Sat, 8 Feb 2014 21:06:45 -0600 Subject: re-add CAST5 ECB support (OpenSSL & CC backends). fixes #417 --- .../hazmat/backends/commoncrypto/backend.py | 8 ++++- cryptography/hazmat/backends/openssl/backend.py | 7 +++- .../hazmat/primitives/ciphers/algorithms.py | 15 ++++++++ tests/hazmat/primitives/test_cast5.py | 41 ++++++++++++++++++++++ tests/hazmat/primitives/test_ciphers.py | 15 +++++++- 5 files changed, 83 insertions(+), 3 deletions(-) create mode 100644 tests/hazmat/primitives/test_cast5.py diff --git a/cryptography/hazmat/backends/commoncrypto/backend.py b/cryptography/hazmat/backends/commoncrypto/backend.py index e5d4ee00..523aac82 100644 --- a/cryptography/hazmat/backends/commoncrypto/backend.py +++ b/cryptography/hazmat/backends/commoncrypto/backend.py @@ -25,7 +25,7 @@ from cryptography.hazmat.backends.interfaces import ( from cryptography.hazmat.bindings.commoncrypto.binding import Binding from cryptography.hazmat.primitives import interfaces, constant_time from cryptography.hazmat.primitives.ciphers.algorithms import ( - AES, Blowfish, TripleDES, ARC4 + AES, Blowfish, TripleDES, ARC4, CAST5 ) from cryptography.hazmat.primitives.ciphers.modes import ( CBC, CTR, ECB, OFB, CFB, GCM @@ -198,6 +198,12 @@ class Backend(object): mode_cls, mode_const ) + self._register_cipher_adapter( + CAST5, + self._lib.kCCAlgorithmCAST, + ECB, + self._lib.kCCModeECB + ) self._register_cipher_adapter( ARC4, self._lib.kCCAlgorithmRC4, diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index fc3c3bda..0e5e92a5 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py 
@@ -26,7 +26,7 @@ from cryptography.hazmat.bindings.openssl.binding import Binding from cryptography.hazmat.primitives import interfaces, hashes from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.primitives.ciphers.algorithms import ( - AES, Blowfish, Camellia, TripleDES, ARC4, + AES, Blowfish, Camellia, TripleDES, ARC4, CAST5 ) from cryptography.hazmat.primitives.ciphers.modes import ( CBC, CTR, ECB, OFB, CFB, GCM, @@ -153,6 +153,11 @@ class Backend(object): mode_cls, GetCipherByName("bf-{mode.name}") ) + self.register_cipher_adapter( + CAST5, + ECB, + GetCipherByName("cast5-{mode.name}") + ) self.register_cipher_adapter( ARC4, type(None), diff --git a/cryptography/hazmat/primitives/ciphers/algorithms.py b/cryptography/hazmat/primitives/ciphers/algorithms.py index 19cf1920..a5cfce92 100644 --- a/cryptography/hazmat/primitives/ciphers/algorithms.py +++ b/cryptography/hazmat/primitives/ciphers/algorithms.py @@ -90,6 +90,21 @@ class Blowfish(object): return len(self.key) * 8 +@utils.register_interface(interfaces.BlockCipherAlgorithm) +@utils.register_interface(interfaces.CipherAlgorithm) +class CAST5(object): + name = "CAST5" + block_size = 64 + key_sizes = frozenset(range(40, 129, 8)) + + def __init__(self, key): + self.key = _verify_key_size(self, key) + + @property + def key_size(self): + return len(self.key) * 8 + + @utils.register_interface(interfaces.CipherAlgorithm) class ARC4(object): name = "RC4" diff --git a/tests/hazmat/primitives/test_cast5.py b/tests/hazmat/primitives/test_cast5.py new file mode 100644 index 00000000..d65a86b2 --- /dev/null +++ b/tests/hazmat/primitives/test_cast5.py 
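Review bot: `CAST5` is added with `key_sizes = frozenset(range(40, 129, 8))` and `block_size = 64` but has no docstring or comment, so nothing at the class tells a caller that the low end of that range offers very little security. A 40-bit key is small enough to be found by exhaustive search, and a 64-bit block limits how much data can safely be encrypted under one key before block collisions become likely. If the short sizes are kept for interoperability, I would say so above `key_sizes`, e.g. `# Sizes are in bits; keys below 128 bits are accepted for compatibility only.`, and add a one-line class docstring naming the cipher as CAST-128. The class is complete within the hunk.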
@@ -0,0 +1,41 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import absolute_import, division, print_function + +import binascii +import os + +import pytest + +from cryptography.hazmat.primitives.ciphers import algorithms, modes + +from .utils import generate_encrypt_test +from ...utils import load_nist_vectors + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.CAST5("\x00" * 16), modes.ECB() + ), + skip_message="Does not support CAST5 ECB", +) +@pytest.mark.cipher +class TestCAST5(object): + test_ECB = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "CAST5"), + ["cast5-ecb.txt"], + lambda key, **kwargs: algorithms.CAST5(binascii.unhexlify((key))), + lambda **kwargs: modes.ECB(), + ) diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py index 6a7b2f93..50cadf64 100644 --- a/tests/hazmat/primitives/test_ciphers.py +++ b/tests/hazmat/primitives/test_ciphers.py @@ -18,7 +18,7 @@ import binascii import pytest from cryptography.hazmat.primitives.ciphers.algorithms import ( - AES, Camellia, TripleDES, Blowfish, ARC4 + AES, Camellia, TripleDES, Blowfish, ARC4, CAST5 ) 
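Review bot: The `only_if` probe builds its key from a text literal, `algorithms.CAST5("\x00" * 16)`, while the documentation added later in this series declares `:param bytes key:`; with only `absolute_import, division, print_function` imported from `__future__`, that literal is `str` rather than `bytes` on Python 3. I would write `algorithms.CAST5(b"\x00" * 16), modes.ECB()` so the support probe passes the same type real callers do. The same applies to the CBC, OFB and CFB probes added in the later `@@ -39,3 +39,54 @@` hunk of this file, where the IV literals `"\x00" * 8` should become `b"\x00" * 8` as well. Separately, `binascii.unhexlify((key))` carries a redundant pair of parentheses.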
@@ -80,6 +80,19 @@ class TestBlowfish(object): Blowfish(binascii.unhexlify(b"0" * 6)) +class TestCAST5(object): + @pytest.mark.parametrize(("key", "keysize"), [ + (b"0" * (keysize // 4), keysize) for keysize in range(40, 129, 8) + ]) + def test_key_size(self, key, keysize): + cipher = CAST5(binascii.unhexlify(key)) + assert cipher.key_size == keysize + + def test_invalid_key_size(self): + with pytest.raises(ValueError): + CAST5(binascii.unhexlify(b"0" * 34)) + + class TestARC4(object): @pytest.mark.parametrize(("key", "keysize"), [ (b"0" * 10, 40), -- cgit v1.2.3 From c423f635d16443b0ca7c9fea280575b9035328d0 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sat, 8 Feb 2014 21:40:06 -0600 Subject: add cbc, cfb, ofb support to CAST5 (aka CAST128) for openssl & cc fixes #393 --- .../hazmat/backends/commoncrypto/backend.py | 18 +++++--- cryptography/hazmat/backends/openssl/backend.py | 11 +++-- tests/hazmat/primitives/test_cast5.py | 53 +++++++++++++++++++++- 3 files changed, 70 insertions(+), 12 deletions(-) diff --git a/cryptography/hazmat/backends/commoncrypto/backend.py b/cryptography/hazmat/backends/commoncrypto/backend.py index 523aac82..5c08a356 100644 --- a/cryptography/hazmat/backends/commoncrypto/backend.py +++ b/cryptography/hazmat/backends/commoncrypto/backend.py @@ -198,12 +198,18 @@ class Backend(object): mode_cls, mode_const ) - self._register_cipher_adapter( - CAST5, - self._lib.kCCAlgorithmCAST, - ECB, - self._lib.kCCModeECB - ) + for mode_cls, mode_const in [ + (CBC, self._lib.kCCModeCBC), + (ECB, self._lib.kCCModeECB), + (CFB, self._lib.kCCModeCFB), + (OFB, self._lib.kCCModeOFB) + ]: + self._register_cipher_adapter( + CAST5, + self._lib.kCCAlgorithmCAST, + mode_cls, + mode_const + ) self._register_cipher_adapter( ARC4, self._lib.kCCAlgorithmRC4, diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index 0e5e92a5..ef34cb43 100644 --- a/cryptography/hazmat/backends/openssl/backend.py 
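Review bot: `test_invalid_key_size` only rejects a key that is too long (`b"0" * 34` decodes to 17 bytes, 136 bits), so nothing pins the 40-bit lower bound of `key_sizes`. I would parametrize it over both sides, `@pytest.mark.parametrize("key", [b"0" * 8, b"0" * 34])`, and call `CAST5(binascii.unhexlify(key))` inside the `pytest.raises(ValueError)` block. That way a later change that loosens the minimum key length fails a test instead of passing silently.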
+++ b/cryptography/hazmat/backends/openssl/backend.py @@ -153,11 +153,12 @@ class Backend(object): mode_cls, GetCipherByName("bf-{mode.name}") ) - self.register_cipher_adapter( - CAST5, - ECB, - GetCipherByName("cast5-{mode.name}") - ) + for mode_cls in [CBC, CFB, OFB, ECB]: + self.register_cipher_adapter( + CAST5, + mode_cls, + GetCipherByName("cast5-{mode.name}") + ) self.register_cipher_adapter( ARC4, type(None), diff --git a/tests/hazmat/primitives/test_cast5.py b/tests/hazmat/primitives/test_cast5.py index d65a86b2..682b4496 100644 --- a/tests/hazmat/primitives/test_cast5.py +++ b/tests/hazmat/primitives/test_cast5.py @@ -31,7 +31,7 @@ from ...utils import load_nist_vectors skip_message="Does not support CAST5 ECB", ) @pytest.mark.cipher -class TestCAST5(object): +class TestCAST5_ECB(object): test_ECB = generate_encrypt_test( load_nist_vectors, os.path.join("ciphers", "CAST5"), 
@@ -39,3 +39,54 @@ class TestCAST5(object): lambda key, **kwargs: algorithms.CAST5(binascii.unhexlify((key))), lambda **kwargs: modes.ECB(), ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.CAST5("\x00" * 16), modes.CBC("\x00" * 8) + ), + skip_message="Does not support CAST5 CBC", +) +@pytest.mark.cipher +class TestCAST5_CBC(object): + test_CBC = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "CAST5"), + ["cast5-cbc.txt"], + lambda key, **kwargs: algorithms.CAST5(binascii.unhexlify((key))), + lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)) + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.CAST5("\x00" * 16), modes.OFB("\x00" * 8) + ), + skip_message="Does not support CAST5 OFB", +) +@pytest.mark.cipher +class TestCAST5_OFB(object): + test_OFB = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "CAST5"), + ["cast5-ofb.txt"], + lambda key, **kwargs: algorithms.CAST5(binascii.unhexlify((key))), + lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)) + ) + + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.CAST5("\x00" * 16), modes.CFB("\x00" * 8) + ), + skip_message="Does not support CAST5 CFB", +) +@pytest.mark.cipher +class TestCAST5_CFB(object): + test_CFB = generate_encrypt_test( + load_nist_vectors, + os.path.join("ciphers", "CAST5"), + ["cast5-cfb.txt"], + lambda key, **kwargs: algorithms.CAST5(binascii.unhexlify((key))), + lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)) + ) -- cgit v1.2.3 From 61ea493b97e2c2ba2d60a2925d46ba7f33327536 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Wed, 12 Feb 2014 16:51:20 -0800 Subject: Syntax highlight the go code. Be mad Rob Pike. --- docs/development/custom-vectors/cast5.rst | 1 + 1 file changed, 1 insertion(+) 
diff --git a/docs/development/custom-vectors/cast5.rst b/docs/development/custom-vectors/cast5.rst index 7f1d72c1..09b3bdb1 100644 --- a/docs/development/custom-vectors/cast5.rst +++ b/docs/development/custom-vectors/cast5.rst @@ -23,5 +23,6 @@ Verification The following go code was used to verify the vectors. .. literalinclude:: /development/custom-vectors/cast5/verify_cast5.go + :language: go Download link: :download:`verify_cast5.go ` -- cgit v1.2.3 From bab0e1a4c6301b2a9d23840ae55af92730519edb Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 9 Feb 2014 10:51:59 -0600 Subject: add cast5 docs --- docs/hazmat/primitives/symmetric-encryption.rst | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index 85d8e8e3..d9c0cefa 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -116,6 +116,16 @@ Algorithms ``56`` bits long), they can simply be concatenated to produce the full key. This must be kept secret. +.. class:: CAST5(key) + + CAST5 (also known as CAST-128) is a block cipher approved for use in the + Canadian government by the `Communications Security Establishment`_. It is + a variable key length cipher and supports keys from 40-128 bits in length. + + :param bytes key: The secret key, 40-128 bits in length (in increments of + 8). This must be kept secret. + + Weak Ciphers ------------ @@ -469,3 +479,4 @@ Interfaces .. _`described by Colin Percival`: http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html .. _`recommends 96-bit IV length`: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf .. _`NIST SP-800-38D`: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf +.. _`Communications Security Establishment`: http://www.cse-cst.gc.ca -- cgit v1.2.3 From 70c90e965750da365e18d737faa6e08a1baf0f60 Mon Sep 17 00:00:00 2001 
From: Paul Kehrer Date: Wed, 12 Feb 2014 18:58:31 -0600 Subject: remove some extra linebreaks --- docs/hazmat/primitives/symmetric-encryption.rst | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index d9c0cefa..210e6567 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -99,7 +99,6 @@ Algorithms :param bytes key: The secret key, either ``128``, ``192``, or ``256`` bits. This must be kept secret. - .. class:: TripleDES(key) Triple DES (Data Encryption Standard), sometimes referred to as 3DES, is a @@ -125,7 +124,6 @@ Algorithms :param bytes key: The secret key, 40-128 bits in length (in increments of 8). This must be kept secret. - Weak Ciphers ------------ -- cgit v1.2.3 From 87c4edbda9c838b721546dd9f6b9964b915127b5 Mon Sep 17 00:00:00 2001 From: Chris Glass Date: Thu, 13 Feb 2014 09:34:21 +0100 Subject: Added a docs section on Linux installation This simply adds a short paragraph on what dependencies are needed on Linux, as well as the command line to install them on Ubuntu (since users of other distributions are more likely to know how to do it). --- docs/installation.rst | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/docs/installation.rst b/docs/installation.rst index 7e7348e2..a2fc5b7c 100644 --- a/docs/installation.rst +++ b/docs/installation.rst 
@@ -22,8 +22,26 @@ to include the corresponding locations. For example: C:\> set INCLUDE=C:\OpenSSL-1.0.1f-64bit\include;%INCLUDE% C:\> pip install cryptography +Building cryptography on Linux +------------------------------ + +``cryptography`` should build very easily on linux provided you have headers +for the OpenSSL and libffi available on your system. + +For Ubuntu, the following command line will ensure this is the case: + +.. code-block:: console + + sudo apt-get install libssl-dev libffi-dev + +You should now be able to build and install cryptography with the usual + +.. code-block:: console + + python setup.py install + Using your own OpenSSL on Linux -------------------------------- +............................... Python links to OpenSSL for its own purposes and this can sometimes cause problems when you wish to use a different version of OpenSSL with cryptography. -- cgit v1.2.3 From f82d94f3d1c15e3b71528ba98c7e5ba4b54cc8ad Mon Sep 17 00:00:00 2001 From: Chris Glass Date: Thu, 13 Feb 2014 11:46:49 +0100 Subject: Added Debian mention, extra missing packages One tends to forget than not everyone has python-dev installed :) --- docs/installation.rst | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/docs/installation.rst b/docs/installation.rst index a2fc5b7c..28b311cb 100644 --- a/docs/installation.rst +++ b/docs/installation.rst 
@@ -22,17 +22,22 @@ to include the corresponding locations. For example: C:\> set INCLUDE=C:\OpenSSL-1.0.1f-64bit\include;%INCLUDE% C:\> pip install cryptography -Building cryptography on Linux ------------------------------- +Building cryptography on GNU/Linux +---------------------------------- + +``cryptography`` should build very easily on GNU/Linux provided you have a C +compiler and headers for Python and the OpenSSL and libffi libraries available +on your system. -``cryptography`` should build very easily on linux provided you have headers -for the OpenSSL and libffi available on your system. +Debian and Ubuntu systems +......................... -For Ubuntu, the following command line will ensure this is the case: +For Debian and Ubuntu, the following command line will ensure the required +dependencies are installed: .. code-block:: console - sudo apt-get install libssl-dev libffi-dev + sudo apt-get install build-essential libssl-dev libffi-dev python-dev You should now be able to build and install cryptography with the usual @@ -40,8 +45,8 @@ You should now be able to build and install cryptography with the usual python setup.py install -Using your own OpenSSL on Linux -............................... +Using your own OpenSSL on GNU/Linux +................................... Python links to OpenSSL for its own purposes and this can sometimes cause problems when you wish to use a different version of OpenSSL with cryptography. -- cgit v1.2.3 From 03829e595123879d26c4681eb180f056d549bc7f Mon Sep 17 00:00:00 2001 From: Chris Glass Date: Thu, 13 Feb 2014 13:07:55 +0100 Subject: Added Pypy note and fixed libffi's "spelling" --- docs/installation.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/installation.rst b/docs/installation.rst index 28b311cb..f2b40892 100644 --- a/docs/installation.rst +++ b/docs/installation.rst 
@@ -26,8 +26,8 @@ Building cryptography on GNU/Linux ---------------------------------- ``cryptography`` should build very easily on GNU/Linux provided you have a C -compiler and headers for Python and the OpenSSL and libffi libraries available -on your system. +compiler, headers for Python (if you're not using Pypy), and headers for the +OpenSSL and `libffi` libraries available on your system. Debian and Ubuntu systems ......................... -- cgit v1.2.3 From ae20caaed83d86fa40be4b979f7f7553eb6277fa Mon Sep 17 00:00:00 2001 From: Chris Glass Date: Thu, 13 Feb 2014 13:47:28 +0100 Subject: Pypy is not a real word either apparently. --- docs/installation.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/installation.rst b/docs/installation.rst index f2b40892..9d8916e3 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -26,7 +26,7 @@ Building cryptography on GNU/Linux ---------------------------------- ``cryptography`` should build very easily on GNU/Linux provided you have a C -compiler, headers for Python (if you're not using Pypy), and headers for the +compiler, headers for Python (if you're not using `pypy`), and headers for the OpenSSL and `libffi` libraries available on your system. Debian and Ubuntu systems -- cgit v1.2.3 From 2e15c7fce6ce478039d150b4d5442b51582e77b4 Mon Sep 17 00:00:00 2001 From: Chris Glass Date: Thu, 13 Feb 2014 19:10:10 +0100 Subject: Changed .... lines to ~~~~ and s/Gnu\/Linux/Linux/ --- docs/installation.rst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/installation.rst b/docs/installation.rst index 9d8916e3..595ccc83 100644 --- a/docs/installation.rst +++ b/docs/installation.rst 
@@ -22,15 +22,15 @@ to include the corresponding locations. For example: C:\> set INCLUDE=C:\OpenSSL-1.0.1f-64bit\include;%INCLUDE% C:\> pip install cryptography -Building cryptography on GNU/Linux ----------------------------------- +Building cryptography on Linux +------------------------------ -``cryptography`` should build very easily on GNU/Linux provided you have a C +``cryptography`` should build very easily on Linux provided you have a C compiler, headers for Python (if you're not using `pypy`), and headers for the OpenSSL and `libffi` libraries available on your system. Debian and Ubuntu systems -......................... +~~~~~~~~~~~~~~~~~~~~~~~~~ For Debian and Ubuntu, the following command line will ensure the required dependencies are installed: @@ -45,8 +45,8 @@ You should now be able to build and install cryptography with the usual python setup.py install -Using your own OpenSSL on GNU/Linux -................................... +Using your own OpenSSL on Linux +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Python links to OpenSSL for its own purposes and this can sometimes cause problems when you wish to use a different version of OpenSSL with cryptography. -- cgit v1.2.3 From 849da1988a3e410432f62c2e5bfa8009e827891a Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 13 Feb 2014 12:32:06 -0600 Subject: add CAST5 support to changelog --- docs/changelog.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/changelog.rst b/docs/changelog.rst index 4d459bd9..cd289b6e 100644 --- a/docs/changelog.rst +++ b/docs/changelog.rst @@ -18,6 +18,7 @@ Changelog * Added :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF`. * Added :doc:`/hazmat/backends/multibackend`. * Set default random for the :doc:`/hazmat/backends/openssl` to the OS random engine. +* Added :class:`~cryptography.hazmat.primitives.ciphers.algorithms.CAST5` (CAST-128) support. 0.1 - 2014-01-08 ~~~~~~~~~~~~~~~~ -- cgit v1.2.3 From 4992384b9ebab1c06dd41423dadbb1f24625b019 Mon Sep 17 00:00:00 2001 
From: Alex Gaynor Date: Thu, 13 Feb 2014 10:32:56 -0800 Subject: A few style nits in the docs --- docs/installation.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/installation.rst b/docs/installation.rst index 595ccc83..f9c3574d 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -26,8 +26,8 @@ Building cryptography on Linux ------------------------------ ``cryptography`` should build very easily on Linux provided you have a C -compiler, headers for Python (if you're not using `pypy`), and headers for the -OpenSSL and `libffi` libraries available on your system. +compiler, headers for Python (if you're not using ``pypy``), and headers for +the OpenSSL and ``libffi`` libraries available on your system. Debian and Ubuntu systems ~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -37,13 +37,13 @@ dependencies are installed: .. code-block:: console - sudo apt-get install build-essential libssl-dev libffi-dev python-dev + $ sudo apt-get install build-essential libssl-dev libffi-dev python-dev You should now be able to build and install cryptography with the usual .. code-block:: console - python setup.py install + $ pip install cryptography Using your own OpenSSL on Linux ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- cgit v1.2.3 From a5011ec2863d1a698780153a5f2498bd69add56f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Thu, 13 Feb 2014 12:33:34 -0600 Subject: add versionadded to cast5 --- docs/hazmat/primitives/symmetric-encryption.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index 210e6567..d91dde9d 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst 
@@ -117,6 +117,8 @@ Algorithms .. class:: CAST5(key) + .. versionadded:: 0.2 + CAST5 (also known as CAST-128) is a block cipher approved for use in the Canadian government by the `Communications Security Establishment`_. It is a variable key length cipher and supports keys from 40-128 bits in length. -- cgit v1.2.3 From 86dc3ab8e849498471f8f5b65470c7a53d4023e7 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 13 Feb 2014 12:48:46 -0800 Subject: Fix comments in padding.py to be accurate This is not in fact O(n ** 2) because ``len(self._buffer)`` is bounded by ``self.block_size``. This means that each ``self._buffer += x`` only copies O(len(x)) bytes, meaning the whole thing is linear. --- cryptography/hazmat/primitives/padding.py | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index ddb2c63c..1717262c 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py @@ -86,8 +86,7 @@ class PKCS7(object): class _PKCS7PaddingContext(object): def __init__(self, block_size): self.block_size = block_size - # TODO: O(n ** 2) complexity for repeated concatentation, we should use - # zero-buffer (#193) + # TODO: more copies than necessary, we should use zero-buffer (#193) self._buffer = b"" def update(self, data): @@ -120,8 +119,7 @@ class _PKCS7PaddingContext(object): class _PKCS7UnpaddingContext(object): def __init__(self, block_size): self.block_size = block_size - # TODO: O(n ** 2) complexity for repeated concatentation, we should use - # zero-buffer (#193) + # TODO: more copies than necessary, we should use zero-buffer (#193) self._buffer = b"" def update(self, data): -- cgit v1.2.3 From 14971b7c3a1a5d43363b76506e6a3d1881d7d51f Mon Sep 17 00:00:00 2001 
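Review bot: The reworded TODO in `_PKCS7PaddingContext.__init__` (and the identical one in `_PKCS7UnpaddingContext.__init__`) drops the complexity claim but does not record why it was wrong. The commit message says `len(self._buffer)` is bounded by `self.block_size`; `update()` lies outside these hunks, so that cannot be confirmed from here. If it holds, the comment should state the invariant, e.g. `# _buffer never holds more than one block between calls, so += is linear overall; zero-buffer (#193) would only save copies`. Both class bodies continue outside the hunks.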
From: Alex Gaynor Date: Thu, 13 Feb 2014 12:56:14 -0800 Subject: Fixed a missing word in the RSA docs --- docs/hazmat/primitives/rsa.rst | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/hazmat/primitives/rsa.rst b/docs/hazmat/primitives/rsa.rst index a19ada33..0c7be2c2 100644 --- a/docs/hazmat/primitives/rsa.rst +++ b/docs/hazmat/primitives/rsa.rst @@ -8,7 +8,7 @@ RSA `RSA`_ is a `public-key`_ algorithm for encrypting and signing messages. .. class:: RSAPrivateKey(p, q, private_exponent, public_exponent, modulus) - + .. versionadded:: 0.2 An RSA private key is required for decryption and signing of messages. @@ -16,23 +16,23 @@ RSA You should use :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey.generate` to generate new keys. - + .. warning:: This method only checks a limited set of properties of its arguments. - Using an RSA that you do not trust or with incorrect parameters may - lead to insecure operation, crashes, and other undefined behavior. We - recommend that you only ever load private keys that were generated with - software you trust. + Using an RSA private key that you do not trust or with incorrect + parameters may lead to insecure operation, crashes, and other undefined + behavior. We recommend that you only ever load private keys that were + generated with software you trust. This class conforms to the :class:`~cryptography.hazmat.primitives.interfaces.RSAPrivateKey` interface. - :raises TypeError: This is raised when the arguments are not all integers. + :raises TypeError: This is raised when the arguments are not all integers. :raises ValueError: This is raised when the values of `p`, `q`, - `private_exponent`, `public_exponent` or `modulus` do + `private_exponent`, `public_exponent` or `modulus` do not match the bounds specified in `RFC 3447`_. .. classmethod:: generate(public_exponent, key_size, backend) 
@@ -52,7 +52,7 @@ RSA :return: A new instance of ``RSAPrivateKey``. .. class:: RSAPublicKey(public_exponent, modulus) - + .. versionadded:: 0.2 An RSA public key is required for encryption and verification of messages. @@ -65,7 +65,7 @@ RSA :class:`~cryptography.hazmat.primitives.interfaces.RSAPublicKey` interface. - :raises TypeError: This is raised when the arguments are not all integers. + :raises TypeError: This is raised when the arguments are not all integers. :raises ValueError: This is raised when the values of `public_exponent` or `modulus` do not match the bounds specified in -- cgit v1.2.3 From a9d802a8364bff9f511db28b4c57bce3498b937d Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Thu, 13 Feb 2014 12:57:57 -0800 Subject: Also clean up this syntax --- docs/hazmat/primitives/rsa.rst | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/hazmat/primitives/rsa.rst b/docs/hazmat/primitives/rsa.rst index 0c7be2c2..2875b209 100644 --- a/docs/hazmat/primitives/rsa.rst +++ b/docs/hazmat/primitives/rsa.rst @@ -31,9 +31,10 @@ RSA :raises TypeError: This is raised when the arguments are not all integers. - :raises ValueError: This is raised when the values of `p`, `q`, - `private_exponent`, `public_exponent` or `modulus` do - not match the bounds specified in `RFC 3447`_. + :raises ValueError: This is raised when the values of ``p``, ``q``, + ``private_exponent``, ``public_exponent``, or + ``modulus`` do not match the bounds specified in + :rfc:`3447`. .. classmethod:: generate(public_exponent, key_size, backend) 
@@ -67,12 +68,11 @@ RSA :raises TypeError: This is raised when the arguments are not all integers. - :raises ValueError: This is raised when the values of `public_exponent` or - `modulus` do not match the bounds specified in - `RFC 3447`_. + :raises ValueError: This is raised when the values of ``public_exponent`` + or ``modulus`` do not match the bounds specified in + :rfc:`3447`. .. _`RSA`: https://en.wikipedia.org/wiki/RSA_(cryptosystem) .. _`public-key`: https://en.wikipedia.org/wiki/Public-key_cryptography -.. _`RFC 3447`: https://tools.ietf.org/html/rfc3447 .. _`use 65537`: http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html .. _`at least 2048`: http://www.ecrypt.eu.org/documents/D.SPA.20.pdf -- cgit v1.2.3