author | Alex Gaynor <alex.gaynor@gmail.com> | 2016-12-13 21:05:35 -0500 |
---|---|---|
committer | Paul Kehrer <paul.l.kehrer@gmail.com> | 2016-12-13 20:05:35 -0600 |
commit | 0e8cdf1023f6e2045de444b1c7e09f40cccf019e (patch) | |
tree | eb6241baa5c66447c988a5c45fed7f0cb77b8022 /src | |
parent | 874445aea9e2d07a94444855ccfeaa3082de26a9 (diff) | |
Drop 1.0.0 (#3312)
* delete the 1.0.0 support
* drop the version check
* drop the AES-CTR stuff
* Update the example
* openssl truncates for us now
* delete unused test
* unused imports
* Remove a bunch of conditional bindings for NPN
* no more 1.0.0 builders
* libressl fix
* update the docs
* remove dead branches
* oops
* this is a word, damnit
* spelling
* try removing this
* this test is not needed
* unused import
Diffstat (limited to 'src')
-rw-r--r-- | src/_cffi_src/openssl/aes.py | 15 | ||||
-rw-r--r-- | src/_cffi_src/openssl/cmac.py | 4 | ||||
-rw-r--r-- | src/_cffi_src/openssl/cryptography.py | 8 | ||||
-rw-r--r-- | src/_cffi_src/openssl/ec.py | 11 | ||||
-rw-r--r-- | src/_cffi_src/openssl/rsa.py | 7 | ||||
-rw-r--r-- | src/_cffi_src/openssl/ssl.py | 69 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 68 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/ciphers.py | 35 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/dsa.py | 28 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/ec.py | 39 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/rsa.py | 47 | ||||
-rw-r--r-- | src/cryptography/hazmat/backends/openssl/utils.py | 21 | ||||
-rw-r--r-- | src/cryptography/hazmat/bindings/openssl/_conditional.py | 19 | ||||
-rw-r--r-- | src/cryptography/hazmat/bindings/openssl/binding.py | 21 |
14 files changed, 29 insertions, 363 deletions
diff --git a/src/_cffi_src/openssl/aes.py b/src/_cffi_src/openssl/aes.py index c54b636a..d035fa8e 100644 --- a/src/_cffi_src/openssl/aes.py +++ b/src/_cffi_src/openssl/aes.py @@ -10,7 +10,6 @@ INCLUDES = """ TYPES = """ static const int Cryptography_HAS_AES_WRAP; -static const int Cryptography_HAS_AES_CTR128_ENCRYPT; struct aes_key_st { ...; @@ -29,22 +28,8 @@ int AES_unwrap_key(AES_KEY *, const unsigned char *, unsigned char *, """ MACROS = """ -/* The ctr128_encrypt function is only useful in 1.0.0. We can use EVP for - this in 1.0.1+. */ -void AES_ctr128_encrypt(const unsigned char *, unsigned char *, - size_t, const AES_KEY *, unsigned char[], - unsigned char[], unsigned int *); """ CUSTOMIZATIONS = """ static const long Cryptography_HAS_AES_WRAP = 1; -#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER && !defined(LIBRESSL_VERSION_NUMBER) -static const int Cryptography_HAS_AES_CTR128_ENCRYPT = 0; -void (*AES_ctr128_encrypt)(const unsigned char *, unsigned char *, - size_t, const AES_KEY *, - unsigned char[], unsigned char[], - unsigned int *) = NULL; -#else -static const int Cryptography_HAS_AES_CTR128_ENCRYPT = 1; -#endif """ diff --git a/src/_cffi_src/openssl/cmac.py b/src/_cffi_src/openssl/cmac.py index 67abc858..09987455 100644 --- a/src/_cffi_src/openssl/cmac.py +++ b/src/_cffi_src/openssl/cmac.py @@ -5,7 +5,7 @@ from __future__ import absolute_import, division, print_function INCLUDES = """ -#if !defined(OPENSSL_NO_CMAC) && CRYPTOGRAPHY_OPENSSL_101_OR_GREATER +#if !defined(OPENSSL_NO_CMAC) #include <openssl/cmac.h> #endif """ @@ -28,7 +28,7 @@ void CMAC_CTX_free(CMAC_CTX *); """ CUSTOMIZATIONS = """ -#if !defined(OPENSSL_NO_CMAC) && CRYPTOGRAPHY_OPENSSL_101_OR_GREATER +#if !defined(OPENSSL_NO_CMAC) static const long Cryptography_HAS_CMAC = 1; #else static const long Cryptography_HAS_CMAC = 0; diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py index 373f830e..1ce9d0f4 100644 --- a/src/_cffi_src/openssl/cryptography.py 
+++ b/src/_cffi_src/openssl/cryptography.py @@ -17,8 +17,6 @@ INCLUDES = """ #include <windows.h> #endif -#define CRYPTOGRAPHY_OPENSSL_101_OR_GREATER \ - (OPENSSL_VERSION_NUMBER >= 0x10001000) #define CRYPTOGRAPHY_OPENSSL_102_OR_GREATER \ (OPENSSL_VERSION_NUMBER >= 0x10002000) #define CRYPTOGRAPHY_OPENSSL_102BETA2_OR_GREATER \ @@ -26,8 +24,6 @@ INCLUDES = """ #define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \ (OPENSSL_VERSION_NUMBER >= 0x10100000) -#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_101 \ - (OPENSSL_VERSION_NUMBER < 0x10001000) #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 \ (OPENSSL_VERSION_NUMBER < 0x10002000) #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102BETA3 \ @@ -51,12 +47,8 @@ INCLUDES = """ """ TYPES = """ -static const int CRYPTOGRAPHY_OPENSSL_101_OR_GREATER; - static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER; -static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_101; - static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I; static const int CRYPTOGRAPHY_IS_LIBRESSL; diff --git a/src/_cffi_src/openssl/ec.py b/src/_cffi_src/openssl/ec.py index 0853a723..d1745054 100644 --- a/src/_cffi_src/openssl/ec.py +++ b/src/_cffi_src/openssl/ec.py @@ -14,7 +14,6 @@ INCLUDES = """ TYPES = """ static const int Cryptography_HAS_EC; -static const int Cryptography_HAS_EC_1_0_1; static const int Cryptography_HAS_EC2M; static const int Cryptography_HAS_EC_1_0_2; @@ -327,13 +326,6 @@ const EC_METHOD *(*EC_GFp_nist_method)() = NULL; int (*EC_METHOD_get_field_type)(const EC_METHOD *) = NULL; -#else -static const long Cryptography_HAS_EC = 1; -#endif - -#if defined(OPENSSL_NO_EC) || CRYPTOGRAPHY_OPENSSL_LESS_THAN_101 -static const long Cryptography_HAS_EC_1_0_1 = 0; - int (*EC_KEY_get_flags)(const EC_KEY *) = NULL; void (*EC_KEY_set_flags)(EC_KEY *, int) = NULL; void (*EC_KEY_clear_flags)(EC_KEY *, int) = NULL; 
@@ -341,10 +333,9 @@ void (*EC_KEY_clear_flags)(EC_KEY *, int) = NULL; int (*EC_KEY_set_public_key_affine_coordinates)( EC_KEY *, BIGNUM *, BIGNUM *) = NULL; #else -static const long Cryptography_HAS_EC_1_0_1 = 1; +static const long Cryptography_HAS_EC = 1; #endif - #if defined(OPENSSL_NO_EC) || defined(OPENSSL_NO_EC2M) static const long Cryptography_HAS_EC2M = 0; diff --git a/src/_cffi_src/openssl/rsa.py b/src/_cffi_src/openssl/rsa.py index e920cf2d..e9074905 100644 --- a/src/_cffi_src/openssl/rsa.py +++ b/src/_cffi_src/openssl/rsa.py @@ -20,7 +20,6 @@ static const int RSA_PKCS1_PSS_PADDING; static const int RSA_F4; static const int Cryptography_HAS_PSS_PADDING; -static const int Cryptography_HAS_MGF1_MD; static const int Cryptography_HAS_RSA_OAEP_MD; """ @@ -73,12 +72,6 @@ int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *, EVP_MD *); CUSTOMIZATIONS = """ static const long Cryptography_HAS_PSS_PADDING = 1; -#if CRYPTOGRAPHY_OPENSSL_101_OR_GREATER -static const long Cryptography_HAS_MGF1_MD = 1; -#else -static const long Cryptography_HAS_MGF1_MD = 0; -int (*EVP_PKEY_CTX_set_rsa_mgf1_md)(EVP_PKEY_CTX *, EVP_MD *) = NULL; -#endif #if defined(EVP_PKEY_CTX_set_rsa_oaep_md) static const long Cryptography_HAS_RSA_OAEP_MD = 1; #else diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index 28c14ca9..12af346c 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -25,7 +25,6 @@ static const long Cryptography_HAS_TLSEXT_STATUS_REQ_TYPE; static const long Cryptography_HAS_GET_SERVER_TMP_KEY; static const long Cryptography_HAS_SSL_CTX_SET_CLIENT_CERT_ENGINE; static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS; -static const long Cryptography_HAS_NPN_NEGOTIATED; /* Internally invented symbol to tell us if SNI is supported */ static const long Cryptography_HAS_TLSEXT_HOSTNAME; 
@@ -44,7 +43,6 @@ static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING; static const long Cryptography_HAS_SSL_SET_SSL_CTX; static const long Cryptography_HAS_SSL_OP_NO_TICKET; static const long Cryptography_HAS_NETBSD_D1_METH; -static const long Cryptography_HAS_NEXTPROTONEG; static const long Cryptography_HAS_ALPN; static const long Cryptography_HAS_SET_CERT_CB; @@ -363,9 +361,6 @@ long SSL_CTX_set_tlsext_status_arg(SSL_CTX *, void *); long SSL_session_reused(SSL *); -/* NPN APIs were introduced in OpenSSL 1.0.1. To continue to support earlier - * versions some special handling of these is necessary. - */ void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *, int (*)(SSL *, const unsigned char **, @@ -414,7 +409,7 @@ void SSL_set_cert_cb(SSL *, int (*)(SSL *, void *), void *); /* Added in 1.0.2 */ const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *); -/* Added in 1.0.1 */ + int SSL_SESSION_set1_id_context(SSL_SESSION *, const unsigned char *, unsigned int); /* Added in 1.1.0 for the great opaquing of structs */ @@ -438,28 +433,6 @@ long SSL_CTX_sess_cache_full(SSL_CTX *); """ CUSTOMIZATIONS = """ -/* Added in 1.0.1 but we need it in all versions now due to the great - opaquing. */ -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_101 -/* from ssl.h */ -#define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312 -#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273 -/* from ssl/ssl_sess.c */ -int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx, - unsigned int sid_ctx_len) -{ - if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) { - SSLerr(SSL_F_SSL_SESSION_SET1_ID_CONTEXT, - SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); - return 0; - } - s->sid_ctx_length = sid_ctx_len; - memcpy(s->sid_ctx, sid_ctx, sid_ctx_len); - - return 1; -} -#endif - /* Added in 1.0.2 but we need it in all versions now due to the great opaquing. */ #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 || defined(LIBRESSL_VERSION_NUMBER) 
@@ -605,37 +578,6 @@ static const long Cryptography_HAS_NETBSD_D1_METH = 1; static const long Cryptography_HAS_NETBSD_D1_METH = 1; #endif -/* Because OPENSSL defines macros that claim lack of support for things, rather - * than macros that claim support for things, we need to do a version check in - * addition to a definition check. NPN was added in 1.0.1: for any version - * before that, there is no compatibility. - */ -#if defined(OPENSSL_NO_NEXTPROTONEG) || CRYPTOGRAPHY_OPENSSL_LESS_THAN_101 -static const long Cryptography_HAS_NEXTPROTONEG = 0; -void (*SSL_CTX_set_next_protos_advertised_cb)(SSL_CTX *, - int (*)(SSL *, - const unsigned char **, - unsigned int *, - void *), - void *) = NULL; -void (*SSL_CTX_set_next_proto_select_cb)(SSL_CTX *, - int (*)(SSL *, - unsigned char **, - unsigned char *, - const unsigned char *, - unsigned int, - void *), - void *) = NULL; -int (*SSL_select_next_proto)(unsigned char **, unsigned char *, - const unsigned char *, unsigned int, - const unsigned char *, unsigned int) = NULL; -void (*SSL_get0_next_proto_negotiated)(const SSL *, - const unsigned char **, - unsigned *) = NULL; -#else -static const long Cryptography_HAS_NEXTPROTONEG = 1; -#endif - /* ALPN was added in OpenSSL 1.0.2. */ #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && !defined(LIBRESSL_VERSION_NUMBER) int (*SSL_CTX_set_alpn_protos)(SSL_CTX *, @@ -707,13 +649,4 @@ static const long Cryptography_HAS_TLS_ST = 0; static const long TLS_ST_BEFORE = 0; static const long TLS_ST_OK = 0; #endif - -/* This define is available in 1.0.1+ so we can remove this when we drop - support for 1.0.0 */ -#ifdef OPENSSL_NPN_NEGOTIATED -static const long Cryptography_HAS_NPN_NEGOTIATED = 1; -#else -static const long OPENSSL_NPN_NEGOTIATED = -1; -static const long Cryptography_HAS_NPN_NEGOTIATED = 0; -#endif """ diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 71063c19..d2a9e6c9 100644 
--- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -21,9 +21,7 @@ from cryptography.hazmat.backends.interfaces import ( EllipticCurveBackend, HMACBackend, HashBackend, PBKDF2HMACBackend, PEMSerializationBackend, RSABackend, ScryptBackend, X509Backend ) -from cryptography.hazmat.backends.openssl.ciphers import ( - _AESCTRCipherContext, _CipherContext -) +from cryptography.hazmat.backends.openssl.ciphers import _CipherContext from cryptography.hazmat.backends.openssl.cmac import _CMACContext from cryptography.hazmat.backends.openssl.dh import ( _DHParameters, _DHPrivateKey, _DHPublicKey @@ -233,12 +231,7 @@ class Backend(object): return _HashContext(self, algorithm) def cipher_supported(self, cipher, mode): - if self._evp_cipher_supported(cipher, mode): - return True - elif isinstance(mode, CTR) and isinstance(cipher, AES): - return True - else: - return False + return self._evp_cipher_supported(cipher, mode) def _evp_cipher_supported(self, cipher, mode): try: 
@@ -307,22 +300,10 @@ class Backend(object): ) def create_symmetric_encryption_ctx(self, cipher, mode): - if (isinstance(mode, CTR) and isinstance(cipher, AES) and - not self._evp_cipher_supported(cipher, mode)): - # This is needed to provide support for AES CTR mode in OpenSSL - # 1.0.0. It can be removed when we drop 1.0.0 support (RHEL 6.4). - return _AESCTRCipherContext(self, cipher, mode) - else: - return _CipherContext(self, cipher, mode, _CipherContext._ENCRYPT) + return _CipherContext(self, cipher, mode, _CipherContext._ENCRYPT) def create_symmetric_decryption_ctx(self, cipher, mode): - if (isinstance(mode, CTR) and isinstance(cipher, AES) and - not self._evp_cipher_supported(cipher, mode)): - # This is needed to provide support for AES CTR mode in OpenSSL - # 1.0.0. It can be removed when we drop 1.0.0 support (RHEL 6.4). - return _AESCTRCipherContext(self, cipher, mode) - else: - return _CipherContext(self, cipher, mode, _CipherContext._DECRYPT) + return _CipherContext(self, cipher, mode, _CipherContext._DECRYPT) def pbkdf2_hmac_supported(self, algorithm): return self.hmac_supported(algorithm) @@ -606,10 +587,7 @@ class Backend(object): return isinstance(algorithm, hashes.SHA1) def _pss_mgf1_hash_supported(self, algorithm): - if self._lib.Cryptography_HAS_MGF1_MD: - return self.hash_supported(algorithm) - else: - return isinstance(algorithm, hashes.SHA1) + return self.hash_supported(algorithm) def rsa_padding_supported(self, padding): if isinstance(padding, PKCS1v15): 
@@ -737,18 +715,6 @@ class Backend(object): if not isinstance(algorithm, hashes.HashAlgorithm): raise TypeError('Algorithm must be a registered hash algorithm.') - if self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101: - if isinstance(private_key, _DSAPrivateKey): - raise NotImplementedError( - "Certificate signing requests aren't implemented for DSA" - " keys on OpenSSL versions less than 1.0.1." - ) - if isinstance(private_key, _EllipticCurvePrivateKey): - raise NotImplementedError( - "Certificate signing requests aren't implemented for EC" - " keys on OpenSSL versions less than 1.0.1." - ) - # Resolve the signature algorithm. evp_md = self._lib.EVP_get_digestbyname( algorithm.name.encode('ascii') @@ -815,18 +781,6 @@ class Backend(object): if not isinstance(algorithm, hashes.HashAlgorithm): raise TypeError('Algorithm must be a registered hash algorithm.') - if self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101: - if isinstance(private_key, _DSAPrivateKey): - raise NotImplementedError( - "Certificate signatures aren't implemented for DSA" - " keys on OpenSSL versions less than 1.0.1." - ) - if isinstance(private_key, _EllipticCurvePrivateKey): - raise NotImplementedError( - "Certificate signatures aren't implemented for EC" - " keys on OpenSSL versions less than 1.0.1." - ) - # Resolve the signature algorithm. evp_md = self._lib.EVP_get_digestbyname( algorithm.name.encode('ascii') 
@@ -920,18 +874,6 @@ class Backend(object): if not isinstance(algorithm, hashes.HashAlgorithm): raise TypeError('Algorithm must be a registered hash algorithm.') - if self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101: - if isinstance(private_key, _DSAPrivateKey): - raise NotImplementedError( - "CRL signatures aren't implemented for DSA" - " keys on OpenSSL versions less than 1.0.1." - ) - if isinstance(private_key, _EllipticCurvePrivateKey): - raise NotImplementedError( - "CRL signatures aren't implemented for EC" - " keys on OpenSSL versions less than 1.0.1." - ) - evp_md = self._lib.EVP_get_digestbyname( algorithm.name.encode('ascii') ) diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py index bd5dfb31..898b3497 100644 --- a/src/cryptography/hazmat/backends/openssl/ciphers.py +++ b/src/cryptography/hazmat/backends/openssl/ciphers.py 
@@ -167,38 +167,3 @@ class _CipherContext(object): self._backend.openssl_assert(res != 0) tag = utils.read_only_property("_tag") - - -@utils.register_interface(ciphers.CipherContext) -class _AESCTRCipherContext(object): - """ - This is needed to provide support for AES CTR mode in OpenSSL 1.0.0. It can - be removed when we drop 1.0.0 support (RHEL 6.4 is the only thing that - ships it). - """ - def __init__(self, backend, cipher, mode): - self._backend = backend - - self._key = self._backend._ffi.new("AES_KEY *") - res = self._backend._lib.AES_set_encrypt_key( - cipher.key, len(cipher.key) * 8, self._key - ) - self._backend.openssl_assert(res == 0) - self._ecount = self._backend._ffi.new("unsigned char[]", 16) - self._nonce = self._backend._ffi.new("unsigned char[16]", mode.nonce) - self._num = self._backend._ffi.new("unsigned int *", 0) - - def update(self, data): - buf = self._backend._ffi.new("unsigned char[]", len(data)) - self._backend._lib.AES_ctr128_encrypt( - data, buf, len(data), self._key, self._nonce, - self._ecount, self._num - ) - return self._backend._ffi.buffer(buf)[:] - - def finalize(self): - self._key = None - self._ecount = None - self._nonce = None - self._num = None - return b"" diff --git a/src/cryptography/hazmat/backends/openssl/dsa.py b/src/cryptography/hazmat/backends/openssl/dsa.py index e82c043d..e2ed3dfd 100644 --- a/src/cryptography/hazmat/backends/openssl/dsa.py +++ b/src/cryptography/hazmat/backends/openssl/dsa.py @@ -7,7 +7,7 @@ from __future__ import absolute_import, division, print_function from cryptography import utils from cryptography.exceptions import InvalidSignature from cryptography.hazmat.backends.openssl.utils import ( - _calculate_digest_and_algorithm, _truncate_digest + _calculate_digest_and_algorithm ) from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ( 
@@ -15,24 +15,6 @@ from cryptography.hazmat.primitives.asymmetric import ( ) -def _truncate_digest_for_dsa(dsa_cdata, digest, backend): - """ - This function truncates digests that are longer than a given DS - key's length so they can be signed. OpenSSL does this for us in - 1.0.0c+, leaving us with three releases (1.0.0, 1.0.0a, and 1.0.0b) where - this is a problem. - """ - - q = backend._ffi.new("BIGNUM **") - backend._lib.DSA_get0_pqg( - dsa_cdata, backend._ffi.NULL, q, backend._ffi.NULL - ) - backend.openssl_assert(q[0] != backend._ffi.NULL) - - order_bits = backend._lib.BN_num_bits(q[0]) - return _truncate_digest(digest, order_bits) - - def _dsa_sig_sign(backend, private_key, data): sig_buf_len = backend._lib.DSA_size(private_key._dsa_cdata) sig_buf = backend._ffi.new("unsigned char[]", sig_buf_len) @@ -77,9 +59,6 @@ class _DSAVerificationContext(object): def verify(self): data_to_verify = self._hash_ctx.finalize() - data_to_verify = _truncate_digest_for_dsa( - self._public_key._dsa_cdata, data_to_verify, self._backend - ) _dsa_sig_verify( self._backend, self._public_key, self._signature, data_to_verify ) @@ -98,9 +77,6 @@ class _DSASignatureContext(object): def finalize(self): data_to_sign = self._hash_ctx.finalize() - data_to_sign = _truncate_digest_for_dsa( - self._private_key._dsa_cdata, data_to_sign, self._backend - ) return _dsa_sig_sign(self._backend, self._private_key, data_to_sign) @@ -212,7 +188,6 @@ class _DSAPrivateKey(object): data, algorithm = _calculate_digest_and_algorithm( self._backend, data, algorithm ) - data = _truncate_digest_for_dsa(self._dsa_cdata, data, self._backend) return _dsa_sig_sign(self._backend, self, data) @@ -286,5 +261,4 @@ class _DSAPublicKey(object): data, algorithm = _calculate_digest_and_algorithm( self._backend, data, algorithm ) - data = _truncate_digest_for_dsa(self._dsa_cdata, data, self._backend) return _dsa_sig_verify(self._backend, self, signature, data) 
diff --git a/src/cryptography/hazmat/backends/openssl/ec.py b/src/cryptography/hazmat/backends/openssl/ec.py index 5969f2a3..f2b52492 100644 --- a/src/cryptography/hazmat/backends/openssl/ec.py +++ b/src/cryptography/hazmat/backends/openssl/ec.py @@ -9,7 +9,7 @@ from cryptography.exceptions import ( InvalidSignature, UnsupportedAlgorithm, _Reasons ) from cryptography.hazmat.backends.openssl.utils import ( - _calculate_digest_and_algorithm, _truncate_digest + _calculate_digest_and_algorithm ) from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ( @@ -17,31 +17,6 @@ from cryptography.hazmat.primitives.asymmetric import ( ) -def _truncate_digest_for_ecdsa(ec_key_cdata, digest, backend): - """ - This function truncates digests that are longer than a given elliptic - curve key's length so they can be signed. Since elliptic curve keys are - much shorter than RSA keys many digests (e.g. SHA-512) may require - truncation. - """ - - _lib = backend._lib - _ffi = backend._ffi - - group = _lib.EC_KEY_get0_group(ec_key_cdata) - - with backend._tmp_bn_ctx() as bn_ctx: - order = _lib.BN_CTX_get(bn_ctx) - backend.openssl_assert(order != _ffi.NULL) - - res = _lib.EC_GROUP_get_order(group, order, bn_ctx) - backend.openssl_assert(res == 1) - - order_bits = _lib.BN_num_bits(order) - - return _truncate_digest(digest, order_bits) - - def _check_signature_algorithm(signature_algorithm): if not isinstance(signature_algorithm, ec.ECDSA): raise UnsupportedAlgorithm( @@ -127,9 +102,6 @@ class _ECDSASignatureContext(object): def finalize(self): digest = self._digest.finalize() - digest = _truncate_digest_for_ecdsa( - self._private_key._ec_key, digest, self._backend - ) return _ecdsa_sig_sign(self._backend, self._private_key, digest) 
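Review bot: Nothing left in this file records that digest truncation is now the library's job: with `_truncate_digest` no longer imported, the ECDSA sign and verify paths pass the full digest straight to `_ecdsa_sig_sign` / `_ecdsa_sig_verify`. The removed `_truncate_digest_for_ecdsa` docstring named no OpenSSL version for that behaviour (the DSA helper cited 1.0.0c+), so the assumption rests on the commit message alone. I would add a comment above `_ecdsa_sig_sign` such as `# Digests longer than the curve order are truncated by the library, so no truncation is done here.` If tests outside this diff do not already cover it, a sign/verify case with a digest longer than the order (for example SHA-512 on a 256-bit curve) would pin the behaviour for each supported library build.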
@@ -146,9 +118,6 @@ class _ECDSAVerificationContext(object): def verify(self): digest = self._digest.finalize() - digest = _truncate_digest_for_ecdsa( - self._public_key._ec_key, digest, self._backend - ) return _ecdsa_sig_verify( self._backend, self._public_key, self._signature, digest ) @@ -247,9 +216,6 @@ class _EllipticCurvePrivateKey(object): data, algorithm = _calculate_digest_and_algorithm( self._backend, data, signature_algorithm._algorithm ) - data = _truncate_digest_for_ecdsa( - self._ec_key, data, self._backend - ) return _ecdsa_sig_sign(self._backend, self, data) @@ -317,7 +283,4 @@ class _EllipticCurvePublicKey(object): data, algorithm = _calculate_digest_and_algorithm( self._backend, data, signature_algorithm._algorithm ) - data = _truncate_digest_for_ecdsa( - self._ec_key, data, self._backend - ) return _ecdsa_sig_verify(self._backend, self, signature, data) diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py index 8996d884..0a375721 100644 --- a/src/cryptography/hazmat/backends/openssl/rsa.py +++ b/src/cryptography/hazmat/backends/openssl/rsa.py @@ -164,13 +164,6 @@ def _rsa_sig_determine_padding(backend, key, padding, algorithm): raise ValueError("Digest too large for key size. Use a larger " "key or different digest.") - if not backend._pss_mgf1_hash_supported(padding._mgf._algorithm): - raise UnsupportedAlgorithm( - "When OpenSSL is older than 1.0.1 then only SHA1 is " - "supported with MGF1.", - _Reasons.UNSUPPORTED_HASH - ) - padding_enum = backend._lib.RSA_PKCS1_PSS_PADDING else: raise UnsupportedAlgorithm( 
@@ -212,17 +205,15 @@ def _rsa_sig_sign(backend, padding, padding_enum, algorithm, private_key, ) backend.openssl_assert(res > 0) - if backend._lib.Cryptography_HAS_MGF1_MD: - # MGF1 MD is configurable in OpenSSL 1.0.1+ - mgf1_md = backend._lib.EVP_get_digestbyname( - padding._mgf._algorithm.name.encode("ascii")) - backend.openssl_assert( - mgf1_md != backend._ffi.NULL - ) - res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md( - pkey_ctx, mgf1_md - ) - backend.openssl_assert(res > 0) + mgf1_md = backend._lib.EVP_get_digestbyname( + padding._mgf._algorithm.name.encode("ascii")) + backend.openssl_assert( + mgf1_md != backend._ffi.NULL + ) + res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md( + pkey_ctx, mgf1_md + ) + backend.openssl_assert(res > 0) buflen = backend._ffi.new("size_t *") res = backend._lib.EVP_PKEY_sign( @@ -284,17 +275,15 @@ def _rsa_sig_verify(backend, padding, padding_enum, algorithm, public_key, ) ) backend.openssl_assert(res > 0) - if backend._lib.Cryptography_HAS_MGF1_MD: - # MGF1 MD is configurable in OpenSSL 1.0.1+ - mgf1_md = backend._lib.EVP_get_digestbyname( - padding._mgf._algorithm.name.encode("ascii")) - backend.openssl_assert( - mgf1_md != backend._ffi.NULL - ) - res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md( - pkey_ctx, mgf1_md - ) - backend.openssl_assert(res > 0) + mgf1_md = backend._lib.EVP_get_digestbyname( + padding._mgf._algorithm.name.encode("ascii")) + backend.openssl_assert( + mgf1_md != backend._ffi.NULL + ) + res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md( + pkey_ctx, mgf1_md + ) + backend.openssl_assert(res > 0) res = backend._lib.EVP_PKEY_verify( pkey_ctx, diff --git a/src/cryptography/hazmat/backends/openssl/utils.py b/src/cryptography/hazmat/backends/openssl/utils.py index c88e3189..e8b4a307 100644 --- a/src/cryptography/hazmat/backends/openssl/utils.py +++ b/src/cryptography/hazmat/backends/openssl/utils.py 
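Review bot: An MGF1 hash the library does not recognise now runs into `backend.openssl_assert(mgf1_md != backend._ffi.NULL)` in `_rsa_sig_sign`, because the commit also deletes the `_pss_mgf1_hash_supported` guard from `_rsa_sig_determine_padding` (hunk `@@ -164,13 +164,6 @@`) and no other check is visible on this path. A caller-supplied algorithm would then presumably surface as an internal assertion failure rather than as `UnsupportedAlgorithm` with `_Reasons.UNSUPPORTED_HASH`, unless an earlier check outside these hunks rejects it. Keeping the guard with a version-neutral message would preserve the error contract: `if not backend._pss_mgf1_hash_supported(padding._mgf._algorithm): raise UnsupportedAlgorithm("MGF1 hash is not supported by this backend.", _Reasons.UNSUPPORTED_HASH)`. The same applies to the identical block in `_rsa_sig_verify` (hunk `@@ -284,17 +275,15 @@`); both functions start and end outside their hunks.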
@@ -4,31 +4,10 @@ from __future__ import absolute_import, division, print_function -import six - from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric.utils import Prehashed -def _truncate_digest(digest, order_bits): - digest_len = len(digest) - - if 8 * digest_len > order_bits: - digest_len = (order_bits + 7) // 8 - digest = digest[:digest_len] - - if 8 * digest_len > order_bits: - rshift = 8 - (order_bits & 0x7) - assert 0 < rshift < 8 - - mask = 0xFF >> rshift << rshift - - # Set the bottom rshift bits to 0 - digest = digest[:-1] + six.int2byte(six.indexbytes(digest, -1) & mask) - - return digest - - def _calculate_digest_and_algorithm(backend, data, algorithm): if not isinstance(algorithm, Prehashed): hash_ctx = hashes.Hash(algorithm, backend) diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index d1cebd8e..46c32d14 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -133,9 +133,6 @@ CONDITIONAL_NAMES = { "POINT_CONVERSION_COMPRESSED", "POINT_CONVERSION_UNCOMPRESSED", "POINT_CONVERSION_HYBRID", - ], - - "Cryptography_HAS_EC_1_0_1": [ "EC_KEY_get_flags", "EC_KEY_set_flags", "EC_KEY_clear_flags", @@ -195,9 +192,6 @@ CONDITIONAL_NAMES = { "RAND_egd_bytes", "RAND_query_egd_bytes", ], - "Cryptography_HAS_MGF1_MD": [ - "EVP_PKEY_CTX_set_rsa_mgf1_md", - ], "Cryptography_HAS_RSA_OAEP_MD": [ "EVP_PKEY_CTX_set_rsa_oaep_md", ], @@ -241,13 +235,6 @@ CONDITIONAL_NAMES = { "DTLSv1_method", ], - "Cryptography_HAS_NEXTPROTONEG": [ - "SSL_CTX_set_next_protos_advertised_cb", - "SSL_CTX_set_next_proto_select_cb", - "SSL_select_next_proto", - "SSL_get0_next_proto_negotiated", - ], - "Cryptography_HAS_ALPN": [ "SSL_CTX_set_alpn_protos", "SSL_set_alpn_protos", 
@@ -296,9 +283,6 @@ CONDITIONAL_NAMES = { "SSL_CTX_set_cert_cb", "SSL_set_cert_cb", ], - "Cryptography_HAS_AES_CTR128_ENCRYPT": [ - "AES_ctr128_encrypt", - ], "Cryptography_HAS_SSL_ST": [ "SSL_ST_BEFORE", "SSL_ST_OK", @@ -319,7 +303,4 @@ CONDITIONAL_NAMES = { "Cryptography_HAS_SCRYPT": [ "EVP_PBE_scrypt", ], - "Cryptography_HAS_NPN_NEGOTIATED": [ - "OPENSSL_NPN_NEGOTIATED", - ], } diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index 39750abc..b6617543 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -5,10 +5,8 @@ from __future__ import absolute_import, division, print_function import collections -import os import threading import types -import warnings from cryptography.exceptions import InternalError from cryptography.hazmat.bindings._openssl import ffi, lib @@ -148,28 +146,9 @@ class Binding(object): _openssl_assert(cls.lib, res == 1) -def _verify_openssl_version(version): - if version < 0x10001000: - if os.environ.get("CRYPTOGRAPHY_ALLOW_OPENSSL_100"): - warnings.warn( - "OpenSSL version 1.0.0 is no longer supported by the OpenSSL " - "project, please upgrade. The next version of cryptography " - "will completely remove support for it.", - DeprecationWarning - ) - else: - raise RuntimeError( - "You are linking against OpenSSL 1.0.0, which is no longer " - "support by the OpenSSL project. You need to upgrade to a " - "newer version of OpenSSL." - ) - - # OpenSSL is not thread safe until the locks are initialized. We call this # method in module scope so that it executes with the import lock. On # Pythons < 3.4 this import lock is a global lock, which can prevent a race # condition registering the OpenSSL locks. On Python 3.4+ the import lock # is per module so this approach will not work. Binding.init_static_locks() - -_verify_openssl_version(Binding.lib.SSLeay()) |