From 966821aa1ab232e52c71d1ad7a7745bc9c6a08fb Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 19 Jan 2014 21:22:08 -0600 Subject: add cipher support to the commoncrypto backend --- tests/hazmat/backends/test_commoncrypto.py | 31 ++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 tests/hazmat/backends/test_commoncrypto.py (limited to 'tests') diff --git a/tests/hazmat/backends/test_commoncrypto.py b/tests/hazmat/backends/test_commoncrypto.py new file mode 100644 index 00000000..1d768ec4 --- /dev/null +++ b/tests/hazmat/backends/test_commoncrypto.py @@ -0,0 +1,31 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import pytest + +from cryptography.hazmat.bindings.commoncrypto.binding import Binding +from cryptography.hazmat.primitives.ciphers.algorithms import AES +from cryptography.hazmat.primitives.ciphers.modes import CBC + + +@pytest.mark.skipif(not Binding.is_available(), + reason="CommonCrypto not available") +class TestCommonCrypto(object): + def test_supports_cipher(self): + from cryptography.hazmat.backends.commoncrypto.backend import backend + assert backend.cipher_supported(None, None) is False + + def test_register_duplicate_cipher_adapter(self): + from cryptography.hazmat.backends.commoncrypto.backend import backend + with pytest.raises(ValueError): + backend.register_cipher_adapter(AES, CBC, None) -- cgit v1.2.3 From a33a5e3e17140f8877aafa9db55f69008d4f42d2 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Sun, 19 Jan 2014 22:27:00 -0600 Subject: add error handler --- tests/hazmat/backends/test_commoncrypto.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'tests') diff --git a/tests/hazmat/backends/test_commoncrypto.py b/tests/hazmat/backends/test_commoncrypto.py index 1d768ec4..8b353237 100644 --- a/tests/hazmat/backends/test_commoncrypto.py +++ b/tests/hazmat/backends/test_commoncrypto.py @@ -29,3 +29,15 @@ class TestCommonCrypto(object): from cryptography.hazmat.backends.commoncrypto.backend import backend with pytest.raises(ValueError): backend.register_cipher_adapter(AES, CBC, None) + + def test_handle_response(self): + from cryptography.hazmat.backends.commoncrypto.backend import backend + + with pytest.raises(ValueError): + backend._check_response(backend._lib.kCCAlignmentError) + + with pytest.raises(SystemError): + backend._check_response(backend._lib.kCCMemoryFailure) + + with pytest.raises(SystemError): + backend._check_response(backend._lib.kCCDecodeError) -- cgit v1.2.3 From 263a3352159cac0073df7d23c9dbbc6c0749d9aa Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 20 Jan 2014 00:07:34 -0600 Subject: change cipher registry to store enums --- tests/hazmat/backends/test_commoncrypto.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'tests') diff --git a/tests/hazmat/backends/test_commoncrypto.py b/tests/hazmat/backends/test_commoncrypto.py index 8b353237..8022863c 100644 --- a/tests/hazmat/backends/test_commoncrypto.py +++ b/tests/hazmat/backends/test_commoncrypto.py @@ -28,7 +28,10 @@ class TestCommonCrypto(object): def test_register_duplicate_cipher_adapter(self): from cryptography.hazmat.backends.commoncrypto.backend import backend with pytest.raises(ValueError): - backend.register_cipher_adapter(AES, CBC, None) + backend.register_cipher_adapter( + AES, backend._lib.kCCAlgorithmAES128, + CBC, backend._lib.kCCModeCBC + ) def test_handle_response(self): from cryptography.hazmat.backends.commoncrypto.backend import backend -- cgit v1.2.3 From 5ab6a208c46f1de6e261646a0ad34482ea755922 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 20 Jan 2014 12:03:46 -0600 Subject: make register_cipher_adapter private and fix cryptorref release --- tests/hazmat/backends/test_commoncrypto.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'tests') diff --git a/tests/hazmat/backends/test_commoncrypto.py b/tests/hazmat/backends/test_commoncrypto.py index 8022863c..68ab6bc1 100644 --- a/tests/hazmat/backends/test_commoncrypto.py +++ b/tests/hazmat/backends/test_commoncrypto.py @@ -28,7 +28,7 @@ class TestCommonCrypto(object): def test_register_duplicate_cipher_adapter(self): from cryptography.hazmat.backends.commoncrypto.backend import backend with pytest.raises(ValueError): - backend.register_cipher_adapter( + backend._register_cipher_adapter( AES, backend._lib.kCCAlgorithmAES128, CBC, backend._lib.kCCModeCBC ) -- cgit v1.2.3 From 9eca43c41000bd3e7985e39854881e3a61e99803 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 22 Jan 2014 16:14:54 -0600 Subject: GCM support for CommonCrypto backend --- tests/hazmat/backends/test_commoncrypto.py | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) (limited to 'tests') diff --git a/tests/hazmat/backends/test_commoncrypto.py b/tests/hazmat/backends/test_commoncrypto.py index 68ab6bc1..cfa332d0 100644 --- a/tests/hazmat/backends/test_commoncrypto.py +++ b/tests/hazmat/backends/test_commoncrypto.py @@ -13,9 +13,19 @@ import pytest +from cryptography import utils +from cryptography.exceptions import UnsupportedAlgorithm from cryptography.hazmat.bindings.commoncrypto.binding import Binding +from cryptography.hazmat.primitives import interfaces from cryptography.hazmat.primitives.ciphers.algorithms import AES -from cryptography.hazmat.primitives.ciphers.modes import CBC +from cryptography.hazmat.primitives.ciphers.base import Cipher +from cryptography.hazmat.primitives.ciphers.modes import CBC, GCM + + +@utils.register_interface(interfaces.CipherAlgorithm) +class DummyCipher(object): + name = "dummy-cipher" + block_size = 128 @pytest.mark.skipif(not Binding.is_available(), @@ -44,3 +54,12 @@ class TestCommonCrypto(object): with pytest.raises(SystemError): backend._check_response(backend._lib.kCCDecodeError) + + def test_nonexistent_aead_cipher(self): + from cryptography.hazmat.backends.commoncrypto.backend import Backend + b = Backend() + cipher = Cipher( + DummyCipher(), GCM(b"fake_iv_here"), backend=b, + ) + with pytest.raises(UnsupportedAlgorithm): + cipher.encryptor() -- cgit v1.2.3 From 580e883c4cf93c82460fd0e8308e68fe71f3342d Mon Sep 17 00:00:00 2001 From: David Reid Date: Thu, 23 Jan 2014 10:02:23 -0800 Subject: Add HKDF vectors from RFC5869. --- .../primitives/vectors/KDF/rfc-5869-HKDF-SHA1.txt | 48 ++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 tests/hazmat/primitives/vectors/KDF/rfc-5869-HKDF-SHA1.txt (limited to 'tests') diff --git a/tests/hazmat/primitives/vectors/KDF/rfc-5869-HKDF-SHA1.txt b/tests/hazmat/primitives/vectors/KDF/rfc-5869-HKDF-SHA1.txt new file mode 100644 index 00000000..598ecaae --- /dev/null +++ b/tests/hazmat/primitives/vectors/KDF/rfc-5869-HKDF-SHA1.txt @@ -0,0 +1,48 @@ +# A.4. Test Case 4 +# Basic test case with SHA-1 + +Hash = SHA-1 +IKM = 0b0b0b0b0b0b0b0b0b0b0b +salt = 000102030405060708090a0b0c +info = f0f1f2f3f4f5f6f7f8f9 +L = 42 + +PRK = 9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243 +OKM = 085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896 + +# A.5. Test Case 5 +# Test with SHA-1 and longer inputs/outputs + +Hash = SHA-1 +IKM = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f +salt = 606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf +info = b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff +L = 82 + +PRK = 8adae09a2a307059478d309b26c4115a224cfaf6 +OKM = 0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4 + +# A.6. Test Case 6 +# Test with SHA-1 and zero-length salt/info + +Hash = SHA-1 +IKM = 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b +salt = +info = +L = 42 + +PRK = da8c8a73c7fa77288ec6f5e7c297786aa0d32d01 +OKM = 0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918 + +# A.7. Test Case 7 +# Test with SHA-1, salt not provided (defaults to HashLen zero octets), +# zero-length info + +Hash = SHA-1 +IKM = 0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c +salt = +info = +L = 42 + +PRK = 2adccada18779e7c2077ad2eb19d3f3e731385dd +OKM = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 -- cgit v1.2.3 From ec73839168a143935c202bebb54249123b20668b Mon Sep 17 00:00:00 2001 From: David Reid Date: Thu, 23 Jan 2014 10:04:35 -0800 Subject: SHA256 vectors. --- .../vectors/KDF/rfc-5869-HKDF-SHA256.txt | 34 ++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 tests/hazmat/primitives/vectors/KDF/rfc-5869-HKDF-SHA256.txt (limited to 'tests') diff --git a/tests/hazmat/primitives/vectors/KDF/rfc-5869-HKDF-SHA256.txt b/tests/hazmat/primitives/vectors/KDF/rfc-5869-HKDF-SHA256.txt new file mode 100644 index 00000000..170dd13e --- /dev/null +++ b/tests/hazmat/primitives/vectors/KDF/rfc-5869-HKDF-SHA256.txt @@ -0,0 +1,34 @@ +# A.1. Test Case 1 +# Basic test case with SHA-256 + +Hash = SHA-256 +IKM = 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b +salt = 000102030405060708090a0b0c +info = f0f1f2f3f4f5f6f7f8f9 +L = 42 +PRK = 077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5 +OKM = 3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865 + +# A.2. Test Case 2 +# Test with SHA-256 and longer inputs/outputs + +Hash = SHA-256 +IKM = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f +salt = 606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf +info = b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff +L = 82 + +PRK = 06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244 +OKM = b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87 + +# A.3. Test Case 3 +# Test with SHA-256 and zero-length salt/info + +Hash = SHA-256 +IKM = 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b +salt = +info = +L = 42 + +PRK = 19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04 +OKM = 8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8 -- cgit v1.2.3 From 17ed58daa9573458157b02f822f5dc471d954298 Mon Sep 17 00:00:00 2001 From: Alex Stapleton Date: Tue, 21 Jan 2014 20:19:17 +0000 Subject: Python implementation of OpenSSL locking callback --- tests/hazmat/bindings/test_openssl.py | 106 ++++++++++++++++++++++++++++++++++ 1 file changed, 106 insertions(+) (limited to 'tests') diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py index d1e85058..b2264fb5 100644 --- a/tests/hazmat/bindings/test_openssl.py +++ b/tests/hazmat/bindings/test_openssl.py @@ -11,6 +11,11 @@ # See the License for the specific language governing permissions and # limitations under the License. +import threading +import time + +import pytest + from cryptography.hazmat.bindings.openssl.binding import Binding @@ -23,3 +28,104 @@ class TestOpenSSL(object): def test_is_available(self): assert Binding.is_available() is True + + def test_crypto_lock_init(self): + b = Binding() + b.init_static_locks() + lock_cb = b.lib.CRYPTO_get_locking_callback() + assert lock_cb != b.ffi.NULL + + def test_our_crypto_lock(self, capfd): + b = Binding() + b.init_static_locks() + + # only run this test if we are using our locking cb + original_cb = b.lib.CRYPTO_get_locking_callback() + if original_cb != b._lock_cb_handle: + pytest.skip("Not using Python locking callback implementation") + + # check that the lock state changes appropriately + lock = b._locks[b.lib.CRYPTO_LOCK_SSL] + + assert lock.acquire(False) + + lock.release() + + b.lib.CRYPTO_lock( + b.lib.CRYPTO_LOCK | b.lib.CRYPTO_READ, + b.lib.CRYPTO_LOCK_SSL, + b.ffi.NULL, + 0 + ) + + assert not lock.acquire(False) + + b.lib.CRYPTO_lock( + b.lib.CRYPTO_UNLOCK | b.lib.CRYPTO_READ, + b.lib.CRYPTO_LOCK_SSL, + b.ffi.NULL, + 0 + ) + + assert lock.acquire(False) + lock.release() + + # force the error path to run. + + b.lib.CRYPTO_lock( + 0, + b.lib.CRYPTO_LOCK_SSL, + b.ffi.NULL, + 0 + ) + + lock.acquire(False) + lock.release() + + out, err = capfd.readouterr() + assert "RuntimeError: Unknown lock mode" in err + + def test_crypto_lock_mutex(self): + b = Binding() + b.init_static_locks() + + # make sure whatever locking system we end up with actually acts + # like a mutex. + + self._shared_value = 0 + + def critical_loop(): + for i in range(10): + b.lib.CRYPTO_lock( + b.lib.CRYPTO_LOCK | b.lib.CRYPTO_READ, + b.lib.CRYPTO_LOCK_SSL, + b.ffi.NULL, + 0 + ) + + assert self._shared_value == 0 + self._shared_value += 1 + time.sleep(0.01) + assert self._shared_value == 1 + self._shared_value = 0 + + b.lib.CRYPTO_lock( + b.lib.CRYPTO_UNLOCK | b.lib.CRYPTO_READ, + b.lib.CRYPTO_LOCK_SSL, + b.ffi.NULL, + 0 + ) + + threads = [] + for x in range(10): + t = threading.Thread(target=critical_loop) + t.daemon = True + t.start() + + threads.append(t) + + while threads: + for t in threads: + t.join(0.1) + if not t.is_alive(): + threads.remove(t) -- cgit v1.2.3 From 06649cf8bcd764c51c9ee819f43a5a0a29290a38 Mon Sep 17 00:00:00 2001 From: Alex Stapleton Date: Wed, 22 Jan 2014 15:07:38 +0000 Subject: Also test the locking cb directly --- tests/hazmat/bindings/test_openssl.py | 39 ++++++++++++++++++----------------- 1 file changed, 20 insertions(+), 19 deletions(-) (limited to 'tests') diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py index b2264fb5..e5094133 100644 --- a/tests/hazmat/bindings/test_openssl.py +++ b/tests/hazmat/bindings/test_openssl.py @@ -47,43 +47,46 @@ class TestOpenSSL(object): # check that the lock state changes appropriately lock = b._locks[b.lib.CRYPTO_LOCK_SSL] + # starts out unlocked assert lock.acquire(False) - lock.release() b.lib.CRYPTO_lock( b.lib.CRYPTO_LOCK | b.lib.CRYPTO_READ, - b.lib.CRYPTO_LOCK_SSL, - b.ffi.NULL, - 0 + b.lib.CRYPTO_LOCK_SSL, b.ffi.NULL, 0 ) + # becomes locked assert not lock.acquire(False) b.lib.CRYPTO_lock( b.lib.CRYPTO_UNLOCK | b.lib.CRYPTO_READ, - b.lib.CRYPTO_LOCK_SSL, - b.ffi.NULL, - 0 + b.lib.CRYPTO_LOCK_SSL, b.ffi.NULL, 0 ) + # then unlocked assert lock.acquire(False) lock.release() - # force the error path to run. + # then test directly - b.lib.CRYPTO_lock( - 0, - b.lib.CRYPTO_LOCK_SSL, - b.ffi.NULL, - 0 - ) + with pytest.raises(RuntimeError): + b._lock_cb(0, b.lib.CRYPTO_LOCK_SSL, "", 1) - lock.acquire(False) + # errors shouldnt cause locking + assert lock.acquire(False) lock.release() - out, err = capfd.readouterr() - assert "RuntimeError: Unknown lock mode" in err + b._lock_cb(b.lib.CRYPTO_LOCK | b.lib.CRYPTO_READ, + b.lib.CRYPTO_LOCK_SSL, "", 1) + # locked + assert not lock.acquire(False) + + b._lock_cb(b.lib.CRYPTO_UNLOCK | b.lib.CRYPTO_READ, + b.lib.CRYPTO_LOCK_SSL, "", 1) + # unlocked + assert lock.acquire(False) + lock.release() def test_crypto_lock_mutex(self): b = Binding() @@ -119,9 +122,7 @@ class TestOpenSSL(object): threads = [] for x in range(10): t = threading.Thread(target=critical_loop) - t.daemon = True t.start() - threads.append(t) while threads: -- cgit v1.2.3 From 7ce51f26bb10dc56483a5f0e9639092ccb2f9d5c Mon Sep 17 00:00:00 2001 From: Alex Stapleton Date: Thu, 23 Jan 2014 20:43:49 +0000 Subject: Split a test in half --- tests/hazmat/bindings/test_openssl.py | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) (limited to 'tests') diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py index e5094133..43a07760 100644 --- a/tests/hazmat/bindings/test_openssl.py +++ b/tests/hazmat/bindings/test_openssl.py @@ -35,14 +35,20 @@ class TestOpenSSL(object): lock_cb = b.lib.CRYPTO_get_locking_callback() assert lock_cb != b.ffi.NULL - def test_our_crypto_lock(self, capfd): - b = Binding() - b.init_static_locks() - + def _skip_if_not_fallback_lock(self, b): # only run this test if we are using our locking cb original_cb = b.lib.CRYPTO_get_locking_callback() if original_cb != b._lock_cb_handle: - pytest.skip("Not using Python locking callback implementation") + pytest.skip( + "Not using the fallback Python locking callback " + "implementation. Probably because import _ssl set one" + ) + + def test_fallback_crypto_lock_via_openssl_api(self): + b = Binding() + b.init_static_locks() + + self._skip_if_not_fallback_lock(b) # check that the lock state changes appropriately lock = b._locks[b.lib.CRYPTO_LOCK_SSL] @@ -68,7 +74,13 @@ class TestOpenSSL(object): assert lock.acquire(False) lock.release() - # then test directly + def test_fallback_crypto_lock_via_binding_api(self): + b = Binding() + b.init_static_locks() + + self._skip_if_not_fallback_lock(b) + + lock = b._locks[b.lib.CRYPTO_LOCK_SSL] with pytest.raises(RuntimeError): b._lock_cb(0, b.lib.CRYPTO_LOCK_SSL, "", 1) -- cgit v1.2.3 From 0d62fb05a9203398510b2f0a6c940daab640f1d4 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Fri, 24 Jan 2014 12:19:05 -0600 Subject: Switch to using our own InternalError, instead of SystemError --- tests/hazmat/backends/test_commoncrypto.py | 6 +++--- tests/hazmat/backends/test_openssl.py | 10 +++++----- 2 files changed, 8 insertions(+), 8 deletions(-) (limited to 'tests') diff --git a/tests/hazmat/backends/test_commoncrypto.py b/tests/hazmat/backends/test_commoncrypto.py index cfa332d0..7cc0f72f 100644 --- a/tests/hazmat/backends/test_commoncrypto.py +++ b/tests/hazmat/backends/test_commoncrypto.py @@ -14,7 +14,7 @@ import pytest from cryptography import utils -from cryptography.exceptions import UnsupportedAlgorithm +from cryptography.exceptions import UnsupportedAlgorithm, InternalError from cryptography.hazmat.bindings.commoncrypto.binding import Binding from cryptography.hazmat.primitives import interfaces from cryptography.hazmat.primitives.ciphers.algorithms import AES @@ -49,10 +49,10 @@ class TestCommonCrypto(object): with pytest.raises(ValueError): backend._check_response(backend._lib.kCCAlignmentError) - with pytest.raises(SystemError): + with pytest.raises(InternalError): backend._check_response(backend._lib.kCCMemoryFailure) - with pytest.raises(SystemError): + with pytest.raises(InternalError): backend._check_response(backend._lib.kCCDecodeError) def test_nonexistent_aead_cipher(self): diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 2a329920..f01c3f64 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -14,7 +14,7 @@ import pytest from cryptography import utils -from cryptography.exceptions import UnsupportedAlgorithm +from cryptography.exceptions import UnsupportedAlgorithm, InternalError from cryptography.hazmat.backends import default_backend from cryptography.hazmat.backends.openssl.backend import backend, Backend from cryptography.hazmat.primitives import interfaces @@ -76,20 +76,20 @@ class TestOpenSSL(object): cipher.encryptor() def test_handle_unknown_error(self): - with pytest.raises(SystemError): + with pytest.raises(InternalError): backend._handle_error_code(0, 0, 0) - with pytest.raises(SystemError): + with pytest.raises(InternalError): backend._handle_error_code(backend._lib.ERR_LIB_EVP, 0, 0) - with pytest.raises(SystemError): + with pytest.raises(InternalError): backend._handle_error_code( backend._lib.ERR_LIB_EVP, backend._lib.EVP_F_EVP_ENCRYPTFINAL_EX, 0 ) - with pytest.raises(SystemError): + with pytest.raises(InternalError): backend._handle_error_code( backend._lib.ERR_LIB_EVP, backend._lib.EVP_F_EVP_DECRYPTFINAL_EX, -- cgit v1.2.3 From 29446cd8315985680fd2af0d0137c3d1c4c2a4a1 Mon Sep 17 00:00:00 2001 From: Alex Stapleton Date: Fri, 24 Jan 2014 19:04:01 +0000 Subject: Remove the contenious test of contention --- tests/hazmat/bindings/test_openssl.py | 46 ----------------------------------- 1 file changed, 46 deletions(-) (limited to 'tests') diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py index 43a07760..35eb7e8d 100644 --- a/tests/hazmat/bindings/test_openssl.py +++ b/tests/hazmat/bindings/test_openssl.py @@ -11,9 +11,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -import threading -import time - import pytest from cryptography.hazmat.bindings.openssl.binding import Binding @@ -99,46 +96,3 @@ class TestOpenSSL(object): # unlocked assert lock.acquire(False) lock.release() - - def test_crypto_lock_mutex(self): - b = Binding() - b.init_static_locks() - - # make sure whatever locking system we end up with actually acts - # like a mutex. - - self._shared_value = 0 - - def critical_loop(): - for i in range(10): - b.lib.CRYPTO_lock( - b.lib.CRYPTO_LOCK | b.lib.CRYPTO_READ, - b.lib.CRYPTO_LOCK_SSL, - b.ffi.NULL, - 0 - ) - - assert self._shared_value == 0 - self._shared_value += 1 - time.sleep(0.01) - assert self._shared_value == 1 - self._shared_value = 0 - - b.lib.CRYPTO_lock( - b.lib.CRYPTO_UNLOCK | b.lib.CRYPTO_READ, - b.lib.CRYPTO_LOCK_SSL, - b.ffi.NULL, - 0 - ) - - threads = [] - for x in range(10): - t = threading.Thread(target=critical_loop) - t.start() - threads.append(t) - - while threads: - for t in threads: - t.join(0.1) - if not t.is_alive(): - threads.remove(t) -- cgit v1.2.3 From 36e651c00aaa8f9016aed73bf30061fbd1bdf6e7 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Mon, 27 Jan 2014 10:08:35 -0800 Subject: Represent the hash vectors more cleanly --- tests/hazmat/primitives/utils.py | 7 ++----- tests/utils.py | 23 +++++++++++++---------- 2 files changed, 15 insertions(+), 15 deletions(-) (limited to 'tests') diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 6ecc70ff..f27afe41 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -141,8 +141,7 @@ def generate_hash_test(param_loader, path, file_names, hash_cls): def hash_test(backend, algorithm, params): - msg = params[0] - md = params[1] + msg, md = params m = hashes.Hash(algorithm, backend=backend) m.update(binascii.unhexlify(msg)) expected_md = md.replace(" ", "").lower().encode("ascii") @@ -206,9 +205,7 @@ def generate_hmac_test(param_loader, path, file_names, algorithm): def hmac_test(backend, algorithm, params): - msg = params[0] - md = params[1] - key = params[2] + msg, md, key = params h = hmac.HMAC(binascii.unhexlify(key), algorithm, backend=backend) h.update(binascii.unhexlify(msg)) assert h.finalize() == binascii.unhexlify(md.encode("ascii")) diff --git a/tests/utils.py b/tests/utils.py index a2432256..507bc421 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -11,11 +11,18 @@ # See the License for the specific language governing permissions and # limitations under the License. +import collections import os import pytest +HashVector = collections.namedtuple("HashVector", ["message", "digest"]) +KeyedHashVector = collections.namedtuple( + "KeyedHashVector", ["message", "digest", "key"] +) + + def select_backends(names, backend_list): if names is None: return backend_list @@ -158,27 +165,23 @@ def load_hash_vectors(vector_data): if line.startswith("Len"): length = int(line.split(" = ")[1]) elif line.startswith("Key"): - """ - HMAC vectors contain a key attribute. Hash vectors do not. - """ + # HMAC vectors contain a key attribute. Hash vectors do not. key = line.split(" = ")[1].encode("ascii") elif line.startswith("Msg"): - """ - In the NIST vectors they have chosen to represent an empty - string as hex 00, which is of course not actually an empty - string. So we parse the provided length and catch this edge case. - """ + # In the NIST vectors they have chosen to represent an empty + # string as hex 00, which is of course not actually an empty + # string. So we parse the provided length and catch this edge case. msg = line.split(" = ")[1].encode("ascii") if length > 0 else b"" elif line.startswith("MD"): md = line.split(" = ")[1] # after MD is found the Msg+MD (+ potential key) tuple is complete if key is not None: - vectors.append((msg, md, key)) + vectors.append(KeyedHashVector(msg, md, key)) key = None msg = None md = None else: - vectors.append((msg, md)) + vectors.append(HashVector(msg, md)) msg = None md = None else: -- cgit v1.2.3 From 8412e7414d7f6246a2dccf478f3884480bba6c47 Mon Sep 17 00:00:00 2001 From: David Reid Date: Mon, 27 Jan 2014 11:28:09 -0800 Subject: Convert the HKDF vectors to the NIST format. --- tests/hazmat/primitives/vectors/KDF/rfc-5869-HKDF-SHA1.txt | 8 ++++++++ tests/hazmat/primitives/vectors/KDF/rfc-5869-HKDF-SHA256.txt | 6 ++++++ 2 files changed, 14 insertions(+) (limited to 'tests') diff --git a/tests/hazmat/primitives/vectors/KDF/rfc-5869-HKDF-SHA1.txt b/tests/hazmat/primitives/vectors/KDF/rfc-5869-HKDF-SHA1.txt index 598ecaae..b3fd03aa 100644 --- a/tests/hazmat/primitives/vectors/KDF/rfc-5869-HKDF-SHA1.txt +++ b/tests/hazmat/primitives/vectors/KDF/rfc-5869-HKDF-SHA1.txt @@ -1,6 +1,8 @@ # A.4. Test Case 4 # Basic test case with SHA-1 +COUNT = 4 + Hash = SHA-1 IKM = 0b0b0b0b0b0b0b0b0b0b0b salt = 000102030405060708090a0b0c @@ -13,6 +15,8 @@ OKM = 085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e42247 # A.5. Test Case 5 # Test with SHA-1 and longer inputs/outputs +COUNT = 5 + Hash = SHA-1 IKM = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f salt = 606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf @@ -25,6 +29,8 @@ OKM = 0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e # A.6. Test Case 6 # Test with SHA-1 and zero-length salt/info +COUNT = 6 + Hash = SHA-1 IKM = 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b salt = @@ -38,6 +44,8 @@ OKM = 0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de # Test with SHA-1, salt not provided (defaults to HashLen zero octets), # zero-length info +COUNT = 7 + Hash = SHA-1 IKM = 0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c salt = diff --git a/tests/hazmat/primitives/vectors/KDF/rfc-5869-HKDF-SHA256.txt b/tests/hazmat/primitives/vectors/KDF/rfc-5869-HKDF-SHA256.txt index 170dd13e..9068a739 100644 --- a/tests/hazmat/primitives/vectors/KDF/rfc-5869-HKDF-SHA256.txt +++ b/tests/hazmat/primitives/vectors/KDF/rfc-5869-HKDF-SHA256.txt @@ -1,6 +1,8 @@ # A.1. Test Case 1 # Basic test case with SHA-256 +COUNT = 1 + Hash = SHA-256 IKM = 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b salt = 000102030405060708090a0b0c @@ -12,6 +14,8 @@ OKM = 3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d # A.2. Test Case 2 # Test with SHA-256 and longer inputs/outputs +COUNT = 2 + Hash = SHA-256 IKM = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f salt = 606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf @@ -24,6 +28,8 @@ OKM = b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99c # A.3. Test Case 3 # Test with SHA-256 and zero-length salt/info +COUNT = 3 + Hash = SHA-256 IKM = 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b salt = -- cgit v1.2.3 From 44fd0747de556c60853d2c522705501f19102c4f Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 27 Jan 2014 21:04:44 -0600 Subject: add PBKDF2 SHA1 vectors from RFC 6070 --- .../vectors/KDF/rfc-6070-PBKDF2-SHA1.txt | 48 ++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 tests/hazmat/primitives/vectors/KDF/rfc-6070-PBKDF2-SHA1.txt (limited to 'tests') diff --git a/tests/hazmat/primitives/vectors/KDF/rfc-6070-PBKDF2-SHA1.txt b/tests/hazmat/primitives/vectors/KDF/rfc-6070-PBKDF2-SHA1.txt new file mode 100644 index 00000000..739f3f36 --- /dev/null +++ b/tests/hazmat/primitives/vectors/KDF/rfc-6070-PBKDF2-SHA1.txt @@ -0,0 +1,48 @@ +# PBKDF2 SHA1 vectors from http://www.ietf.org/rfc/rfc6070.txt + +COUNT = 0 +PASSWORD = password +SALT = salt +ITERATIONS = 1 +LENGTH = 20 +DERIVED_KEY = 0c60c80f961f0e71f3a9b524af6012062fe037a6 + + +COUNT = 1 +PASSWORD = password +SALT = salt +ITERATIONS = 2 +LENGTH = 20 +DERIVED_KEY = ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957 + + +COUNT = 2 +PASSWORD = password +SALT = salt +ITERATIONS = 4096 +LENGTH = 20 +DERIVED_KEY = 4b007901b765489abead49d926f721d065a429c1 + + +COUNT = 3 +PASSWORD = password +SALT = salt +ITERATIONS = 16777216 +LENGTH = 20 +DERIVED_KEY = eefe3d61cd4da4e4e9945b3d6ba2158c2634e984 + + +COUNT = 4 +PASSWORD = passwordPASSWORDpassword +SALT = saltSALTsaltSALTsaltSALTsaltSALTsalt +ITERATIONS = 4096 +LENGTH = 25 +DERIVED_KEY = 3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038 + + +COUNT = 5 +PASSWORD = pass\0word +SALT = sa\0lt +ITERATIONS = 4096 +LENGTH = 16 +DERIVED_KEY = 56fa6aa75548099dcc37d7f03425e0c3 -- cgit v1.2.3 From 1050ddf44f0713a587cd0ba239e23c95064a39bc Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Mon, 27 Jan 2014 21:04:03 -0600 Subject: PBKDF2 support for OpenSSL backend --- tests/conftest.py | 3 ++- tests/hazmat/primitives/test_pbkdf2_vectors.py | 37 ++++++++++++++++++++++++++ tests/hazmat/primitives/utils.py | 25 +++++++++++++++++ tests/utils.py | 4 +++ 4 files changed, 68 insertions(+), 1 deletion(-) create mode 100644 tests/hazmat/primitives/test_pbkdf2_vectors.py (limited to 'tests') diff --git a/tests/conftest.py b/tests/conftest.py index a9acb54a..7370294f 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -2,7 +2,7 @@ import pytest from cryptography.hazmat.backends import _ALL_BACKENDS from cryptography.hazmat.backends.interfaces import ( - HMACBackend, CipherBackend, HashBackend + HMACBackend, CipherBackend, HashBackend, PBKDF2Backend ) from .utils import check_for_iface, check_backend_support, select_backends @@ -21,6 +21,7 @@ def pytest_runtest_setup(item): check_for_iface("hmac", HMACBackend, item) check_for_iface("cipher", CipherBackend, item) check_for_iface("hash", HashBackend, item) + check_for_iface("pbkdf2", PBKDF2Backend, item) check_backend_support(item) diff --git a/tests/hazmat/primitives/test_pbkdf2_vectors.py b/tests/hazmat/primitives/test_pbkdf2_vectors.py new file mode 100644 index 00000000..e6e3935f --- /dev/null +++ b/tests/hazmat/primitives/test_pbkdf2_vectors.py @@ -0,0 +1,37 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import absolute_import, division, print_function + +import pytest + +from cryptography.hazmat.primitives import hashes + +from .utils import generate_pbkdf2_test +from ...utils import load_nist_vectors + + +@pytest.mark.supported( + only_if=lambda backend: backend.pbkdf2_hash_supported(hashes.SHA1()), + skip_message="Does not support SHA1 for PBKDF2", +) +@pytest.mark.pbkdf2 +class TestPBKDF2_SHA1(object): + test_pbkdf2_sha1 = generate_pbkdf2_test( + load_nist_vectors, + "KDF", + [ + "rfc-6070-PBKDF2-SHA1.txt", + ], + hashes.SHA1(), + ) diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index f27afe41..3a1d6d88 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -4,6 +4,7 @@ import os import pytest from cryptography.hazmat.primitives import hashes, hmac +from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2 from cryptography.hazmat.primitives.ciphers import Cipher from cryptography.exceptions import ( AlreadyFinalized, NotYetFinalized, AlreadyUpdated, InvalidTag, @@ -211,6 +212,30 @@ def hmac_test(backend, algorithm, params): assert h.finalize() == binascii.unhexlify(md.encode("ascii")) +def generate_pbkdf2_test(param_loader, path, file_names, algorithm): + all_params = _load_all_params(path, file_names, param_loader) + + @pytest.mark.parametrize("params", all_params) + def test_pbkdf2(self, backend, params): + pbkdf2_test(backend, algorithm, params) + return test_pbkdf2 + + +def pbkdf2_test(backend, algorithm, params): + # Password and salt can contain \0, which should be loaded as a null char. + # The NIST loader loads them as literal strings so we replace with the + # proper value. + kdf = PBKDF2( + algorithm, + int(params["length"]), + params["salt"], + int(params["iterations"]), + backend + ) + derived_key = kdf.derive(params["password"]) + assert binascii.hexlify(derived_key) == params["derived_key"] + + def generate_aead_exception_test(cipher_factory, mode_factory): def test_aead_exception(self, backend): aead_exception_test(backend, cipher_factory, mode_factory) diff --git a/tests/utils.py b/tests/utils.py index 507bc421..5c0e524f 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -89,6 +89,10 @@ def load_nist_vectors(vector_data): # Build our data using a simple Key = Value format name, value = [c.strip() for c in line.split("=")] + # Some tests (PBKDF2) contain \0, which should be interpreted as a + # null character rather than literal. + value = value.replace("\\0", "\0") + # COUNT is a special token that indicates a new block of data if name.upper() == "COUNT": test_data = {} -- cgit v1.2.3 From 6f2a04b4cf3cb938cdd58205a4fc7e8ddb6af299 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 28 Jan 2014 12:05:51 -0600 Subject: test coverage, other changes --- tests/hazmat/primitives/test_pbkdf2.py | 63 ++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 tests/hazmat/primitives/test_pbkdf2.py (limited to 'tests') diff --git a/tests/hazmat/primitives/test_pbkdf2.py b/tests/hazmat/primitives/test_pbkdf2.py new file mode 100644 index 00000000..6dd10129 --- /dev/null +++ b/tests/hazmat/primitives/test_pbkdf2.py @@ -0,0 +1,63 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import absolute_import, division, print_function + +import pytest + +from cryptography import utils +from cryptography.exceptions import ( + InvalidKey, UnsupportedAlgorithm, AlreadyFinalized +) +from cryptography.hazmat.primitives import hashes, interfaces +from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2 +from cryptography.hazmat.backends import default_backend + + +@utils.register_interface(interfaces.HashAlgorithm) +class UnsupportedDummyHash(object): + name = "unsupported-dummy-hash" + + +class TestPBKDF2(object): + def test_already_finalized(self): + kdf = PBKDF2(hashes.SHA1(), 20, b"salt", 10, default_backend()) + kdf.derive(b"password") + with pytest.raises(AlreadyFinalized): + kdf.derive(b"password2") + + kdf = PBKDF2(hashes.SHA1(), 20, b"salt", 10, default_backend()) + key = kdf.derive(b"password") + with pytest.raises(AlreadyFinalized): + kdf.verify(b"password", key) + + kdf = PBKDF2(hashes.SHA1(), 20, b"salt", 10, default_backend()) + kdf.verify(b"password", key) + with pytest.raises(AlreadyFinalized): + kdf.verify(b"password", key) + + def test_unsupported_algorithm(self): + with pytest.raises(UnsupportedAlgorithm): + PBKDF2(UnsupportedDummyHash(), 20, b"salt", 10, default_backend()) + + def test_invalid_key(self): + kdf = PBKDF2(hashes.SHA1(), 20, b"salt", 10, default_backend()) + key = kdf.derive(b"password") + + kdf = PBKDF2(hashes.SHA1(), 20, b"salt", 10, default_backend()) + with pytest.raises(InvalidKey): + kdf.verify(b"password2", key) + + def test_salt_too_long(self): + with pytest.raises(ValueError): + PBKDF2(hashes.SHA1(), 2**31, b"salt", 10, default_backend()) -- cgit v1.2.3 From 695313ff7cb1a7026a2624b8c61d495978d6f41c Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 28 Jan 2014 13:13:48 -0600 Subject: remove length check (which cffi handles) --- tests/hazmat/primitives/test_pbkdf2.py | 4 ---- 1 file changed, 4 deletions(-) (limited to 'tests') diff --git a/tests/hazmat/primitives/test_pbkdf2.py b/tests/hazmat/primitives/test_pbkdf2.py index 6dd10129..4d15d7a7 100644 --- a/tests/hazmat/primitives/test_pbkdf2.py +++ b/tests/hazmat/primitives/test_pbkdf2.py @@ -57,7 +57,3 @@ class TestPBKDF2(object): kdf = PBKDF2(hashes.SHA1(), 20, b"salt", 10, default_backend()) with pytest.raises(InvalidKey): kdf.verify(b"password2", key) - - def test_salt_too_long(self): - with pytest.raises(ValueError): - PBKDF2(hashes.SHA1(), 2**31, b"salt", 10, default_backend()) -- cgit v1.2.3 From 1277bc7e993dec8bbe64f1b5aeaaae6cff6429dd Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 28 Jan 2014 17:09:59 -0600 Subject: okay this time really finish the rename. Up example iterations to 100k --- tests/conftest.py | 4 ++-- tests/hazmat/primitives/test_pbkdf2.py | 20 ++++++++++---------- tests/hazmat/primitives/test_pbkdf2_vectors.py | 8 ++++---- tests/hazmat/primitives/utils.py | 4 ++-- 4 files changed, 18 insertions(+), 18 deletions(-) (limited to 'tests') diff --git a/tests/conftest.py b/tests/conftest.py index 7370294f..ecad1b23 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -2,7 +2,7 @@ import pytest from cryptography.hazmat.backends import _ALL_BACKENDS from cryptography.hazmat.backends.interfaces import ( - HMACBackend, CipherBackend, HashBackend, PBKDF2Backend + HMACBackend, CipherBackend, HashBackend, PBKDF2HMACBackend ) from .utils import check_for_iface, check_backend_support, select_backends @@ -21,7 +21,7 @@ def pytest_runtest_setup(item): check_for_iface("hmac", HMACBackend, item) check_for_iface("cipher", CipherBackend, item) check_for_iface("hash", HashBackend, item) - check_for_iface("pbkdf2", PBKDF2Backend, item) + check_for_iface("pbkdf2hmac", PBKDF2HMACBackend, item) check_backend_support(item) diff --git a/tests/hazmat/primitives/test_pbkdf2.py b/tests/hazmat/primitives/test_pbkdf2.py index 4d15d7a7..41123557 100644 --- a/tests/hazmat/primitives/test_pbkdf2.py +++ b/tests/hazmat/primitives/test_pbkdf2.py @@ -20,40 +20,40 @@ from cryptography.exceptions import ( InvalidKey, UnsupportedAlgorithm, AlreadyFinalized ) from cryptography.hazmat.primitives import hashes, interfaces -from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2 +from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC from cryptography.hazmat.backends import default_backend @utils.register_interface(interfaces.HashAlgorithm) -class UnsupportedDummyHash(object): - name = "unsupported-dummy-hash" +class DummyHash(object): + name = "dummy-hash" -class TestPBKDF2(object): +class TestPBKDF2HMAC(object): def test_already_finalized(self): - kdf = PBKDF2(hashes.SHA1(), 20, b"salt", 10, default_backend()) + kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend()) kdf.derive(b"password") with pytest.raises(AlreadyFinalized): kdf.derive(b"password2") - kdf = PBKDF2(hashes.SHA1(), 20, b"salt", 10, default_backend()) + kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend()) key = kdf.derive(b"password") with pytest.raises(AlreadyFinalized): kdf.verify(b"password", key) - kdf = PBKDF2(hashes.SHA1(), 20, b"salt", 10, default_backend()) + kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend()) kdf.verify(b"password", key) with pytest.raises(AlreadyFinalized): kdf.verify(b"password", key) def test_unsupported_algorithm(self): with pytest.raises(UnsupportedAlgorithm): - PBKDF2(UnsupportedDummyHash(), 20, b"salt", 10, default_backend()) + PBKDF2HMAC(DummyHash(), 20, b"salt", 10, default_backend()) def test_invalid_key(self): - kdf = PBKDF2(hashes.SHA1(), 20, b"salt", 10, default_backend()) + kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend()) key = kdf.derive(b"password") - kdf = PBKDF2(hashes.SHA1(), 20, b"salt", 10, default_backend()) + kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend()) with pytest.raises(InvalidKey): kdf.verify(b"password2", key) diff --git a/tests/hazmat/primitives/test_pbkdf2_vectors.py b/tests/hazmat/primitives/test_pbkdf2_vectors.py index e6e3935f..cbd4cc9d 100644 --- a/tests/hazmat/primitives/test_pbkdf2_vectors.py +++ b/tests/hazmat/primitives/test_pbkdf2_vectors.py @@ -22,11 +22,11 @@ from ...utils import load_nist_vectors @pytest.mark.supported( - only_if=lambda backend: backend.pbkdf2_hash_supported(hashes.SHA1()), - skip_message="Does not support SHA1 for PBKDF2", + only_if=lambda backend: backend.pbkdf2_hmac_supported(hashes.SHA1()), + skip_message="Does not support SHA1 for PBKDF2HMAC", ) -@pytest.mark.pbkdf2 -class TestPBKDF2_SHA1(object): +@pytest.mark.pbkdf2hmac +class TestPBKDF2HMAC_SHA1(object): test_pbkdf2_sha1 = generate_pbkdf2_test( load_nist_vectors, "KDF", diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index 3a1d6d88..6b1d055d 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -4,7 +4,7 @@ import os import pytest from cryptography.hazmat.primitives import hashes, hmac -from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2 +from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC from cryptography.hazmat.primitives.ciphers import Cipher from cryptography.exceptions import ( AlreadyFinalized, NotYetFinalized, AlreadyUpdated, InvalidTag, @@ -225,7 +225,7 @@ def pbkdf2_test(backend, algorithm, params): # Password and salt can contain \0, which should be loaded as a null char. # The NIST loader loads them as literal strings so we replace with the # proper value. - kdf = PBKDF2( + kdf = PBKDF2HMAC( algorithm, int(params["length"]), params["salt"], -- cgit v1.2.3 From 5c8ea70ca7a36a0e090640b329bd9931232b7b23 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 28 Jan 2014 19:23:01 -0600 Subject: add some unicode checks for salt on init and key_material on derive --- tests/hazmat/primitives/test_pbkdf2.py | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'tests') diff --git a/tests/hazmat/primitives/test_pbkdf2.py b/tests/hazmat/primitives/test_pbkdf2.py index 41123557..6ad225a8 100644 --- a/tests/hazmat/primitives/test_pbkdf2.py +++ b/tests/hazmat/primitives/test_pbkdf2.py @@ -14,6 +14,7 @@ from __future__ import absolute_import, division, print_function import pytest +import six from cryptography import utils from cryptography.exceptions import ( @@ -57,3 +58,12 @@ class TestPBKDF2HMAC(object): kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend()) with pytest.raises(InvalidKey): kdf.verify(b"password2", key) + + def test_unicode_error_with_salt(self): + with pytest.raises(TypeError): + PBKDF2HMAC(hashes.SHA1(), 20, six.u("salt"), 10, default_backend()) + + def test_unicode_error_with_key_material(self): + kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend()) + with pytest.raises(TypeError): + kdf.derive(six.u("unicode here")) -- cgit v1.2.3 From 2e8617bea70e1b29b4138f591c2264041f5b1099 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Tue, 28 Jan 2014 19:27:06 -0600 Subject: rename test files --- tests/hazmat/primitives/test_pbkdf2.py | 69 ---------------------- tests/hazmat/primitives/test_pbkdf2_vectors.py | 37 ------------ tests/hazmat/primitives/test_pbkdf2hmac.py | 69 ++++++++++++++++++++++ tests/hazmat/primitives/test_pbkdf2hmac_vectors.py | 37 ++++++++++++ 4 files changed, 106 insertions(+), 106 deletions(-) delete mode 100644 tests/hazmat/primitives/test_pbkdf2.py delete mode 100644 tests/hazmat/primitives/test_pbkdf2_vectors.py create mode 100644 tests/hazmat/primitives/test_pbkdf2hmac.py create mode 100644 tests/hazmat/primitives/test_pbkdf2hmac_vectors.py (limited to 'tests') diff --git a/tests/hazmat/primitives/test_pbkdf2.py b/tests/hazmat/primitives/test_pbkdf2.py deleted file mode 100644 index 6ad225a8..00000000 --- a/tests/hazmat/primitives/test_pbkdf2.py +++ /dev/null @@ -1,69 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or -# implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -from __future__ import absolute_import, division, print_function - -import pytest -import six - -from cryptography import utils -from cryptography.exceptions import ( - InvalidKey, UnsupportedAlgorithm, AlreadyFinalized -) -from cryptography.hazmat.primitives import hashes, interfaces -from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC -from cryptography.hazmat.backends import default_backend - - -@utils.register_interface(interfaces.HashAlgorithm) -class DummyHash(object): - name = "dummy-hash" - - -class TestPBKDF2HMAC(object): - def test_already_finalized(self): - kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend()) - kdf.derive(b"password") - with pytest.raises(AlreadyFinalized): - kdf.derive(b"password2") - - kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend()) - key = kdf.derive(b"password") - with pytest.raises(AlreadyFinalized): - kdf.verify(b"password", key) - - kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend()) - kdf.verify(b"password", key) - with pytest.raises(AlreadyFinalized): - kdf.verify(b"password", key) - - def test_unsupported_algorithm(self): - with pytest.raises(UnsupportedAlgorithm): - PBKDF2HMAC(DummyHash(), 20, b"salt", 10, default_backend()) - - def test_invalid_key(self): - kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend()) - key = kdf.derive(b"password") - - kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend()) - with pytest.raises(InvalidKey): - kdf.verify(b"password2", key) - - def test_unicode_error_with_salt(self): - with pytest.raises(TypeError): - PBKDF2HMAC(hashes.SHA1(), 20, six.u("salt"), 10, default_backend()) - - def test_unicode_error_with_key_material(self): - kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend()) - with pytest.raises(TypeError): - kdf.derive(six.u("unicode here")) diff --git a/tests/hazmat/primitives/test_pbkdf2_vectors.py b/tests/hazmat/primitives/test_pbkdf2_vectors.py deleted file mode 100644 index cbd4cc9d..00000000 --- a/tests/hazmat/primitives/test_pbkdf2_vectors.py +++ /dev/null @@ -1,37 +0,0 @@ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or -# implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -from __future__ import absolute_import, division, print_function - -import pytest - -from cryptography.hazmat.primitives import hashes - -from .utils import generate_pbkdf2_test -from ...utils import load_nist_vectors - - -@pytest.mark.supported( - only_if=lambda backend: backend.pbkdf2_hmac_supported(hashes.SHA1()), - skip_message="Does not support SHA1 for PBKDF2HMAC", -) -@pytest.mark.pbkdf2hmac -class TestPBKDF2HMAC_SHA1(object): - test_pbkdf2_sha1 = generate_pbkdf2_test( - load_nist_vectors, - "KDF", - [ - "rfc-6070-PBKDF2-SHA1.txt", - ], - hashes.SHA1(), - ) diff --git a/tests/hazmat/primitives/test_pbkdf2hmac.py b/tests/hazmat/primitives/test_pbkdf2hmac.py new file mode 100644 index 00000000..6ad225a8 --- /dev/null +++ b/tests/hazmat/primitives/test_pbkdf2hmac.py @@ -0,0 +1,69 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import absolute_import, division, print_function + +import pytest +import six + +from cryptography import utils +from cryptography.exceptions import ( + InvalidKey, UnsupportedAlgorithm, AlreadyFinalized +) +from cryptography.hazmat.primitives import hashes, interfaces +from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC +from cryptography.hazmat.backends import default_backend + + +@utils.register_interface(interfaces.HashAlgorithm) +class DummyHash(object): + name = "dummy-hash" + + +class TestPBKDF2HMAC(object): + def test_already_finalized(self): + kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend()) + kdf.derive(b"password") + with pytest.raises(AlreadyFinalized): + kdf.derive(b"password2") + + kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend()) + key = kdf.derive(b"password") + with pytest.raises(AlreadyFinalized): + kdf.verify(b"password", key) + + kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend()) + kdf.verify(b"password", key) + with pytest.raises(AlreadyFinalized): + kdf.verify(b"password", key) + + def test_unsupported_algorithm(self): + with pytest.raises(UnsupportedAlgorithm): + PBKDF2HMAC(DummyHash(), 20, b"salt", 10, default_backend()) + + def test_invalid_key(self): + kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend()) + key = kdf.derive(b"password") + + kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend()) + with pytest.raises(InvalidKey): + kdf.verify(b"password2", key) + + def test_unicode_error_with_salt(self): + with pytest.raises(TypeError): + PBKDF2HMAC(hashes.SHA1(), 20, six.u("salt"), 10, default_backend()) + + def test_unicode_error_with_key_material(self): + kdf = PBKDF2HMAC(hashes.SHA1(), 20, b"salt", 10, default_backend()) + with pytest.raises(TypeError): + kdf.derive(six.u("unicode here")) diff --git a/tests/hazmat/primitives/test_pbkdf2hmac_vectors.py b/tests/hazmat/primitives/test_pbkdf2hmac_vectors.py new file mode 100644 index 00000000..cbd4cc9d --- /dev/null +++ b/tests/hazmat/primitives/test_pbkdf2hmac_vectors.py @@ -0,0 +1,37 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from __future__ import absolute_import, division, print_function + +import pytest + +from cryptography.hazmat.primitives import hashes + +from .utils import generate_pbkdf2_test +from ...utils import load_nist_vectors + + +@pytest.mark.supported( + only_if=lambda backend: backend.pbkdf2_hmac_supported(hashes.SHA1()), + skip_message="Does not support SHA1 for PBKDF2HMAC", +) +@pytest.mark.pbkdf2hmac +class TestPBKDF2HMAC_SHA1(object): + test_pbkdf2_sha1 = generate_pbkdf2_test( + load_nist_vectors, + "KDF", + [ + "rfc-6070-PBKDF2-SHA1.txt", + ], + hashes.SHA1(), + ) -- cgit v1.2.3 From 6fb1a5a99d3742763961d907c9f297f89f2f0b91 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Wed, 29 Jan 2014 13:44:07 -0600 Subject: add test for null char replacement --- tests/test_utils.py | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'tests') diff --git a/tests/test_utils.py b/tests/test_utils.py index f852f3ab..8ecb33f9 100644 --- a/tests/test_utils.py +++ b/tests/test_utils.py @@ -180,6 +180,25 @@ def test_load_nist_vectors(): ] +def test_load_nist_vectors_with_null_chars(): + vector_data = textwrap.dedent(""" + COUNT = 0 + KEY = thing\\0withnulls + + COUNT = 1 + KEY = 00000000000000000000000000000000 + """).splitlines() + + assert load_nist_vectors(vector_data) == [ + { + "key": b"thing\x00withnulls", + }, + { + "key": b"00000000000000000000000000000000", + }, + ] + + def test_load_cryptrec_vectors(): vector_data = textwrap.dedent(""" # Vectors taken from http://info.isl.ntt.co.jp/crypt/eng/camellia/ -- cgit v1.2.3