Merge branch 'master' into urandom-engine

* master: (66 commits)
  Chanloge + versionadded
  Added an example usage
  Typo fix
  Added to toctree
  Rename and document
  Linkify the things we have that others don't
  add HKDF to changelog
  Strings have quote marks at both ends.
  HKDF example.
  Properly mark all test cases as dependant on HMAC.
  Remove language about the separate stages of HKDF until we expose multiple stages of HKDF.
  Don't forget InvalidKey.
  Fix typo
  Import exception classes instead of the exceptions module.
  Lose the bit about passwords.
  https a bunch of links.
  Pseudorandom is a word.
  Backtick the entire equation.
  Clarify salt language and link to the paper in addition to the RFC.
  Don't expose extract and expand on this class yet because we don't know how best to expose verify functionality, continue testing the stages using the private methods.
  ...

Conflicts:
	docs/hazmat/backends/openssl.rst

2 files changed, 194 insertions, 17 deletions

diff --git a/tests/hazmat/backends/test_multibackend.py b/tests/hazmat/backends/test_multibackend.py
new file mode 100644
index 00000000..ca21c9fc
--- /dev/null
+++ b/tests/hazmat/backends/test_multibackend.py
@@ -0,0 +1,144 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import pytest
+
+from cryptography import utils
+from cryptography.exceptions import UnsupportedAlgorithm
+from cryptography.hazmat.backends.interfaces import (
+    CipherBackend, HashBackend, HMACBackend, PBKDF2HMACBackend
+)
+from cryptography.hazmat.backends.multibackend import MultiBackend
+from cryptography.hazmat.primitives import hashes, hmac
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+
+
+@utils.register_interface(CipherBackend)
+class DummyCipherBackend(object):
+    def __init__(self, supported_ciphers):
+        self._ciphers = supported_ciphers
+
+    def cipher_supported(self, algorithm, mode):
+        return (type(algorithm), type(mode)) in self._ciphers
+
+    def create_symmetric_encryption_ctx(self, algorithm, mode):
+        if not self.cipher_supported(algorithm, mode):
+            raise UnsupportedAlgorithm
+
+    def create_symmetric_decryption_ctx(self, algorithm, mode):
+        if not self.cipher_supported(algorithm, mode):
+            raise UnsupportedAlgorithm
+
+
+@utils.register_interface(HashBackend)
+class DummyHashBackend(object):
+    def __init__(self, supported_algorithms):
+        self._algorithms = supported_algorithms
+
+    def hash_supported(self, algorithm):
+        return type(algorithm) in self._algorithms
+
+    def create_hash_ctx(self, algorithm):
+        if not self.hash_supported(algorithm):
+            raise UnsupportedAlgorithm
+
+
+@utils.register_interface(HMACBackend)
+class DummyHMACBackend(object):
+    def __init__(self, supported_algorithms):
+        self._algorithms = supported_algorithms
+
+    def hmac_supported(self, algorithm):
+        return type(algorithm) in self._algorithms
+
+    def create_hmac_ctx(self, key, algorithm):
+        if not self.hmac_supported(algorithm):
+            raise UnsupportedAlgorithm
+
+
+@utils.register_interface(PBKDF2HMACBackend)
+class DummyPBKDF2HMAC(object):
+    def __init__(self, supported_algorithms):
+        self._algorithms = supported_algorithms
+
+    def pbkdf2_hmac_supported(self, algorithm):
+        return type(algorithm) in self._algorithms
+
+    def derive_pbkdf2_hmac(self, algorithm, length, salt, iterations,
+                           key_material):
+        if not self.pbkdf2_hmac_supported(algorithm):
+            raise UnsupportedAlgorithm
+
+
+class TestMultiBackend(object):
+    def test_ciphers(self):
+        backend = MultiBackend([
+            DummyHashBackend([]),
+            DummyCipherBackend([
+                (algorithms.AES, modes.CBC),
+            ])
+        ])
+        assert backend.cipher_supported(
+            algorithms.AES(b"\x00" * 16), modes.CBC(b"\x00" * 16)
+        )
+
+        cipher = Cipher(
+            algorithms.AES(b"\x00" * 16),
+            modes.CBC(b"\x00" * 16),
+            backend=backend
+        )
+        cipher.encryptor()
+        cipher.decryptor()
+
+        cipher = Cipher(
+            algorithms.Camellia(b"\x00" * 16),
+            modes.CBC(b"\x00" * 16),
+            backend=backend
+        )
+        with pytest.raises(UnsupportedAlgorithm):
+            cipher.encryptor()
+        with pytest.raises(UnsupportedAlgorithm):
+            cipher.decryptor()
+
+    def test_hashes(self):
+        backend = MultiBackend([
+            DummyHashBackend([hashes.MD5])
+        ])
+        assert backend.hash_supported(hashes.MD5())
+
+        hashes.Hash(hashes.MD5(), backend=backend)
+
+        with pytest.raises(UnsupportedAlgorithm):
+            hashes.Hash(hashes.SHA1(), backend=backend)
+
+    def test_hmac(self):
+        backend = MultiBackend([
+            DummyHMACBackend([hashes.MD5])
+        ])
+        assert backend.hmac_supported(hashes.MD5())
+
+        hmac.HMAC(b"", hashes.MD5(), backend=backend)
+
+        with pytest.raises(UnsupportedAlgorithm):
+            hmac.HMAC(b"", hashes.SHA1(), backend=backend)
+
+    def test_pbkdf2(self):
+        backend = MultiBackend([
+            DummyPBKDF2HMAC([hashes.MD5])
+        ])
+        assert backend.pbkdf2_hmac_supported(hashes.MD5())
+
+        backend.derive_pbkdf2_hmac(hashes.MD5(), 10, b"", 10, b"")
+
+        with pytest.raises(UnsupportedAlgorithm):
+            backend.derive_pbkdf2_hmac(hashes.SHA1(), 10, b"", 10, b"")
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index cef28af0..046ff3e1 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -19,7 +19,6 @@ import pytest
 
 from cryptography import utils
 from cryptography.exceptions import UnsupportedAlgorithm, InternalError
-from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.backends.openssl.backend import backend, Backend
 from cryptography.hazmat.primitives import interfaces
 from cryptography.hazmat.primitives.ciphers import Cipher
@@ -139,9 +138,6 @@ class TestOpenSSL(object):
     def test_backend_exists(self):
         assert backend
 
-    def test_is_default(self):
-        assert backend == default_backend()
-
     def test_openssl_version_text(self):
         """
         This test checks the value of OPENSSL_VERSION_TEXT.
@@ -176,24 +172,61 @@ class TestOpenSSL(object):
 
     def test_handle_unknown_error(self):
         with pytest.raises(InternalError):
-            backend._handle_error_code(0, 0, 0)
+            backend._handle_error_code(0)
 
+        backend._lib.ERR_put_error(backend._lib.ERR_LIB_EVP, 0, 0,
+                                   b"test_openssl.py", -1)
         with pytest.raises(InternalError):
-            backend._handle_error_code(backend._lib.ERR_LIB_EVP, 0, 0)
-
+            backend._handle_error(None)
+
+        backend._lib.ERR_put_error(
+            backend._lib.ERR_LIB_EVP,
+            backend._lib.EVP_F_EVP_ENCRYPTFINAL_EX,
+            0,
+            b"test_openssl.py",
+            -1
+        )
         with pytest.raises(InternalError):
-            backend._handle_error_code(
-                backend._lib.ERR_LIB_EVP,
-                backend._lib.EVP_F_EVP_ENCRYPTFINAL_EX,
-                0
-            )
+            backend._handle_error(None)
+
+        backend._lib.ERR_put_error(
+            backend._lib.ERR_LIB_EVP,
+            backend._lib.EVP_F_EVP_DECRYPTFINAL_EX,
+            0,
+            b"test_openssl.py",
+            -1
+        )
+        with pytest.raises(InternalError):
+            backend._handle_error(None)
+
+    def test_handle_multiple_errors(self):
+        for i in range(10):
+            backend._lib.ERR_put_error(backend._lib.ERR_LIB_EVP, 0, 0,
+                                       b"test_openssl.py", -1)
+
+        assert backend._lib.ERR_peek_error() != 0
 
         with pytest.raises(InternalError):
-            backend._handle_error_code(
-                backend._lib.ERR_LIB_EVP,
-                backend._lib.EVP_F_EVP_DECRYPTFINAL_EX,
-                0
-            )
+            backend._handle_error(None)
+
+        assert backend._lib.ERR_peek_error() == 0
+
+    def test_openssl_error_string(self):
+        backend._lib.ERR_put_error(
+            backend._lib.ERR_LIB_EVP,
+            backend._lib.EVP_F_EVP_DECRYPTFINAL_EX,
+            0,
+            b"test_openssl.py",
+            -1
+        )
+
+        with pytest.raises(InternalError) as exc:
+            backend._handle_error(None)
+
+        assert (
+            "digital envelope routines:"
+            "EVP_DecryptFinal_ex:digital envelope routines" in str(exc)
+        )
 
     def test_ssl_ciphers_registered(self):
         meth = backend._lib.TLSv1_method()