diff options
64 files changed, 1528 insertions, 729 deletions
diff --git a/AUTHORS.rst b/AUTHORS.rst index 0ef9958d..953ca55b 100644 --- a/AUTHORS.rst +++ b/AUTHORS.rst @@ -10,3 +10,4 @@ PGP key fingerprints are enclosed in parentheses. * Christian Heimes <christian@python.org> * Paul Kehrer <paul.l.kehrer@gmail.com> * Jarret Raim <jarito@gmail.com> +* Alex Stapleton <alexs@prol.etari.at> (A1C7 E50B 66DE 39ED C847 9665 8E3C 20D1 9BD9 5C4C) diff --git a/cryptography/__about__.py b/cryptography/__about__.py index cd207fcc..46212bff 100644 --- a/cryptography/__about__.py +++ b/cryptography/__about__.py @@ -30,4 +30,4 @@ __author__ = ("Alex Gaynor, Hynek Schlawack, Donald Stufft, " __email__ = "cryptography-dev@python.org" __license__ = "Apache License, Version 2.0" -__copyright__ = "Copyright 2013 %s" % __author__ +__copyright__ = "Copyright 2013-2014 %s" % __author__ diff --git a/cryptography/exceptions.py b/cryptography/exceptions.py index e9d88199..44363c24 100644 --- a/cryptography/exceptions.py +++ b/cryptography/exceptions.py @@ -30,3 +30,7 @@ class NotYetFinalized(Exception): class InvalidTag(Exception): pass + + +class InvalidSignature(Exception): + pass diff --git a/cryptography/hazmat/backends/interfaces.py b/cryptography/hazmat/backends/interfaces.py index 912476bb..9a570968 100644 --- a/cryptography/hazmat/backends/interfaces.py +++ b/cryptography/hazmat/backends/interfaces.py @@ -60,6 +60,13 @@ class HashBackend(six.with_metaclass(abc.ABCMeta)): class HMACBackend(six.with_metaclass(abc.ABCMeta)): @abc.abstractmethod + def hmac_supported(self, algorithm): + """ + Return True if the hash algorithm is supported for HMAC by this + backend. + """ + + @abc.abstractmethod def create_hmac_ctx(self, key, algorithm): """ Create a HashContext for calculating a message authentication code. diff --git a/cryptography/hazmat/backends/openssl/asn1.py b/cryptography/hazmat/backends/openssl/asn1.py index 719a523c..aeaf316e 100644 --- a/cryptography/hazmat/backends/openssl/asn1.py +++ b/cryptography/hazmat/backends/openssl/asn1.py @@ -16,7 +16,24 @@ INCLUDES = """ """ TYPES = """ -typedef ... time_t; +/* + * TODO: This typedef is wrong. + * + * This is due to limitations of cffi. + * See https://bitbucket.org/cffi/cffi/issue/69 + * + * For another possible work-around (not used here because it involves more + * complicated use of the cffi API which falls outside the general pattern used + * by this package), see + * http://paste.pound-python.org/show/iJcTUMkKeBeS6yXpZWUU/ + * + * The work-around used here is to just be sure to declare a type that is at + * least as large as the real type. Maciej explains: + * + * <fijal> I think you want to declare your value too large (e.g. long) + * <fijal> that way you'll never pass garbage + */ +typedef intptr_t time_t; typedef int ASN1_BOOLEAN; typedef ... ASN1_INTEGER; @@ -41,7 +58,7 @@ typedef ... ASN1_VALUE; typedef struct { ...; } ASN1_TIME; -typedef const ASN1_ITEM ASN1_ITEM_EXP; +typedef ... ASN1_ITEM_EXP; typedef ... ASN1_UTCTIME; @@ -51,7 +68,7 @@ static const int MBSTRING_UTF8; """ FUNCTIONS = """ -ASN1_OBJECT *ASN1_OBJECT_new(); +ASN1_OBJECT *ASN1_OBJECT_new(void); void ASN1_OBJECT_free(ASN1_OBJECT *); /* ASN1 OBJECT IDENTIFIER */ @@ -59,7 +76,7 @@ ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **, const unsigned char **, long); int i2d_ASN1_OBJECT(ASN1_OBJECT *, unsigned char **); /* ASN1 STRING */ -ASN1_STRING *ASN1_STRING_new(); +ASN1_STRING *ASN1_STRING_new(void); ASN1_STRING *ASN1_STRING_type_new(int); void ASN1_STRING_free(ASN1_STRING *); unsigned char *ASN1_STRING_data(ASN1_STRING *); @@ -68,18 +85,18 @@ int ASN1_STRING_type(ASN1_STRING *); int ASN1_STRING_to_UTF8(unsigned char **, ASN1_STRING *); /* ASN1 OCTET STRING */ -ASN1_OCTET_STRING *ASN1_OCTET_STRING_new(); +ASN1_OCTET_STRING *ASN1_OCTET_STRING_new(void); void ASN1_OCTET_STRING_free(ASN1_OCTET_STRING *); int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *, const unsigned char *, int); /* ASN1 INTEGER */ -ASN1_INTEGER *ASN1_INTEGER_new(); +ASN1_INTEGER *ASN1_INTEGER_new(void); void ASN1_INTEGER_free(ASN1_INTEGER *); int ASN1_INTEGER_set(ASN1_INTEGER *, long); int i2a_ASN1_INTEGER(BIO *, ASN1_INTEGER *); /* ASN1 TIME */ -ASN1_TIME *ASN1_TIME_new(); +ASN1_TIME *ASN1_TIME_new(void); ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *, ASN1_GENERALIZEDTIME **); @@ -92,7 +109,7 @@ void ASN1_GENERALIZEDTIME_free(ASN1_GENERALIZEDTIME *); int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *); /* ASN1 ENUMERATED */ -ASN1_ENUMERATED *ASN1_ENUMERATED_new(); +ASN1_ENUMERATED *ASN1_ENUMERATED_new(void); void ASN1_ENUMERATED_free(ASN1_ENUMERATED *); int ASN1_ENUMERATED_set(ASN1_ENUMERATED *, long); @@ -102,7 +119,7 @@ ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **, const unsigned char **, long, MACROS = """ ASN1_TIME *M_ASN1_TIME_dup(void *); -ASN1_ITEM *ASN1_ITEM_ptr(ASN1_ITEM *); +const ASN1_ITEM *ASN1_ITEM_ptr(ASN1_ITEM_EXP *); /* These aren't macros these arguments are all const X on openssl > 1.0.x */ @@ -118,7 +135,10 @@ int ASN1_INTEGER_cmp(ASN1_INTEGER *, ASN1_INTEGER *); long ASN1_INTEGER_get(ASN1_INTEGER *); BIGNUM *ASN1_INTEGER_to_BN(ASN1_INTEGER *, BIGNUM *); +ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *, ASN1_INTEGER *); """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index bd092bec..6231aadb 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -56,7 +56,22 @@ _OSX_POST_INCLUDE = """ class Backend(object): """ OpenSSL API wrapper. + + Modules listed in the ``_modules`` listed should have the following + attributes: + + * ``INCLUDES``: A string containg C includes. + * ``TYPES``: A string containing C declarations for types. + * ``FUNCTIONS``: A string containing C declarations for functions. + * ``MACROS``: A string containing C declarations for any macros. + * ``CUSTOMIZATIONS``: A string containing arbitrary top-level C code, this + can be used to do things like test for a define and provide an + alternate implementation based on that. + * ``CONDITIONAL_NAMES``: A dict mapping strings of condition names from the + library to a list of names which will not be present without the + condition. """ + _module_prefix = "cryptography.hazmat.backends.openssl." _modules = [ "asn1", "bignum", @@ -70,6 +85,7 @@ class Backend(object): "evp", "hmac", "nid", + "objects", "opensslv", "pem", "pkcs7", @@ -102,7 +118,7 @@ class Backend(object): macros = [] customizations = [] for name in cls._modules: - module_name = "cryptography.hazmat.backends.openssl." + name + module_name = cls._module_prefix + name __import__(module_name) module = sys.modules[module_name] @@ -141,6 +157,14 @@ class Backend(object): libraries=["crypto", "ssl"], ) + for name in cls._modules: + module_name = cls._module_prefix + name + module = sys.modules[module_name] + for condition, names in module.CONDITIONAL_NAMES.items(): + if not getattr(lib, condition): + for name in names: + delattr(lib, name) + cls.ffi = ffi cls.lib = lib cls.lib.OpenSSL_add_all_algorithms() @@ -161,6 +185,9 @@ class Backend(object): digest = self.lib.EVP_get_digestbyname(algorithm.name.encode("ascii")) return digest != self.ffi.NULL + def hmac_supported(self, algorithm): + return self.hash_supported(algorithm) + def create_hash_ctx(self, algorithm): return _HashContext(self, algorithm) @@ -276,6 +303,11 @@ class _CipherContext(object): self._operation = operation self._tag = None + if isinstance(self._cipher, interfaces.BlockCipherAlgorithm): + self._block_size = self._cipher.block_size + else: + self._block_size = 1 + ctx = self._backend.lib.EVP_CIPHER_CTX_new() ctx = self._backend.ffi.gc(ctx, self._backend.lib.EVP_CIPHER_CTX_free) @@ -283,11 +315,19 @@ class _CipherContext(object): try: adapter = registry[type(cipher), type(mode)] except KeyError: - raise UnsupportedAlgorithm + raise UnsupportedAlgorithm( + "cipher {0} in {1} mode is not supported " + "by this backend".format( + cipher.name, mode.name if mode else mode) + ) evp_cipher = adapter(self._backend, cipher, mode) if evp_cipher == self._backend.ffi.NULL: - raise UnsupportedAlgorithm + raise UnsupportedAlgorithm( + "cipher {0} in {1} mode is not supported " + "by this backend".format( + cipher.name, mode.name if mode else mode) + ) if isinstance(mode, interfaces.ModeWithInitializationVector): iv_nonce = mode.initialization_vector @@ -309,16 +349,16 @@ class _CipherContext(object): assert res != 0 if isinstance(mode, GCM): res = self._backend.lib.EVP_CIPHER_CTX_ctrl( - ctx, self._backend.lib.Cryptography_EVP_CTRL_GCM_SET_IVLEN, + ctx, self._backend.lib.EVP_CTRL_GCM_SET_IVLEN, len(iv_nonce), self._backend.ffi.NULL ) assert res != 0 if operation == self._DECRYPT: - if not mode.tag: - raise ValueError("Authentication tag must be supplied " - "when decrypting") + if not mode.tag or len(mode.tag) < 4: + raise ValueError("Authentication tag must be provided and " + "be 4 bytes or longer when decrypting") res = self._backend.lib.EVP_CIPHER_CTX_ctrl( - ctx, self._backend.lib.Cryptography_EVP_CTRL_GCM_SET_TAG, + ctx, self._backend.lib.EVP_CTRL_GCM_SET_TAG, len(mode.tag), mode.tag ) assert res != 0 @@ -341,7 +381,7 @@ class _CipherContext(object): def update(self, data): buf = self._backend.ffi.new("unsigned char[]", - len(data) + self._cipher.block_size - 1) + len(data) + self._block_size - 1) outlen = self._backend.ffi.new("int *") res = self._backend.lib.EVP_CipherUpdate(self._ctx, buf, outlen, data, len(data)) @@ -349,7 +389,7 @@ class _CipherContext(object): return self._backend.ffi.buffer(buf)[:outlen[0]] def finalize(self): - buf = self._backend.ffi.new("unsigned char[]", self._cipher.block_size) + buf = self._backend.ffi.new("unsigned char[]", self._block_size) outlen = self._backend.ffi.new("int *") res = self._backend.lib.EVP_CipherFinal_ex(self._ctx, buf, outlen) if res == 0: @@ -357,10 +397,10 @@ class _CipherContext(object): if (isinstance(self._mode, GCM) and self._operation == self._ENCRYPT): - block_byte_size = self._cipher.block_size // 8 + block_byte_size = self._block_size // 8 tag_buf = self._backend.ffi.new("unsigned char[]", block_byte_size) res = self._backend.lib.EVP_CIPHER_CTX_ctrl( - self._ctx, self._backend.lib.Cryptography_EVP_CTRL_GCM_GET_TAG, + self._ctx, self._backend.lib.EVP_CTRL_GCM_GET_TAG, block_byte_size, tag_buf ) assert res != 0 @@ -395,7 +435,11 @@ class _HashContext(object): self._backend.lib.EVP_MD_CTX_destroy) evp_md = self._backend.lib.EVP_get_digestbyname( algorithm.name.encode("ascii")) - assert evp_md != self._backend.ffi.NULL + if evp_md == self._backend.ffi.NULL: + raise UnsupportedAlgorithm( + "{0} is not a supported hash on this backend".format( + algorithm.name) + ) res = self._backend.lib.EVP_DigestInit_ex(ctx, evp_md, self._backend.ffi.NULL) assert res != 0 @@ -437,7 +481,11 @@ class _HMACContext(object): ctx = self._backend.ffi.gc(ctx, self._backend.lib.HMAC_CTX_cleanup) evp_md = self._backend.lib.EVP_get_digestbyname( algorithm.name.encode('ascii')) - assert evp_md != self._backend.ffi.NULL + if evp_md == self._backend.ffi.NULL: + raise UnsupportedAlgorithm( + "{0} is not a supported hash on this backend".format( + algorithm.name) + ) res = self._backend.lib.Cryptography_HMAC_Init_ex( ctx, key, len(key), evp_md, self._backend.ffi.NULL ) diff --git a/cryptography/hazmat/backends/openssl/bignum.py b/cryptography/hazmat/backends/openssl/bignum.py index 1b0fe5ab..59efd171 100644 --- a/cryptography/hazmat/backends/openssl/bignum.py +++ b/cryptography/hazmat/backends/openssl/bignum.py @@ -17,11 +17,28 @@ INCLUDES = """ TYPES = """ typedef ... BIGNUM; -typedef ... BN_ULONG; +/* + * TODO: This typedef is wrong. + * + * This is due to limitations of cffi. + * See https://bitbucket.org/cffi/cffi/issue/69 + * + * For another possible work-around (not used here because it involves more + * complicated use of the cffi API which falls outside the general pattern used + * by this package), see + * http://paste.pound-python.org/show/iJcTUMkKeBeS6yXpZWUU/ + * + * The work-around used here is to just be sure to declare a type that is at + * least as large as the real type. Maciej explains: + * + * <fijal> I think you want to declare your value too large (e.g. long) + * <fijal> that way you'll never pass garbage + */ +typedef uintptr_t BN_ULONG; """ FUNCTIONS = """ -BIGNUM *BN_new(); +BIGNUM *BN_new(void); void BN_free(BIGNUM *); int BN_set_word(BIGNUM *, BN_ULONG); @@ -38,3 +55,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/bio.py b/cryptography/hazmat/backends/openssl/bio.py index c23dd0d8..279ad223 100644 --- a/cryptography/hazmat/backends/openssl/bio.py +++ b/cryptography/hazmat/backends/openssl/bio.py @@ -50,6 +50,49 @@ struct bio_st { ...; }; typedef ... BUF_MEM; + +static const int BIO_TYPE_MEM; +static const int BIO_TYPE_FILE; +static const int BIO_TYPE_FD; +static const int BIO_TYPE_SOCKET; +static const int BIO_TYPE_CONNECT; +static const int BIO_TYPE_ACCEPT; +static const int BIO_TYPE_NULL; +static const int BIO_CLOSE; +static const int BIO_NOCLOSE; +static const int BIO_TYPE_SOURCE_SINK; +static const int BIO_CTRL_RESET; +static const int BIO_CTRL_EOF; +static const int BIO_CTRL_SET; +static const int BIO_CTRL_SET_CLOSE; +static const int BIO_CTRL_FLUSH; +static const int BIO_CTRL_DUP; +static const int BIO_CTRL_GET_CLOSE; +static const int BIO_CTRL_INFO; +static const int BIO_CTRL_GET; +static const int BIO_CTRL_PENDING; +static const int BIO_CTRL_WPENDING; +static const int BIO_C_FILE_SEEK; +static const int BIO_C_FILE_TELL; +static const int BIO_TYPE_NONE; +static const int BIO_TYPE_PROXY_CLIENT; +static const int BIO_TYPE_PROXY_SERVER; +static const int BIO_TYPE_NBIO_TEST; +static const int BIO_TYPE_BER; +static const int BIO_TYPE_BIO; +static const int BIO_TYPE_DESCRIPTOR; +static const int BIO_FLAGS_READ; +static const int BIO_FLAGS_WRITE; +static const int BIO_FLAGS_IO_SPECIAL; +static const int BIO_FLAGS_RWS; +static const int BIO_FLAGS_SHOULD_RETRY; +static const int BIO_TYPE_NULL_FILTER; +static const int BIO_TYPE_SSL; +static const int BIO_TYPE_MD; +static const int BIO_TYPE_BUFFER; +static const int BIO_TYPE_CIPHER; +static const int BIO_TYPE_BASE64; +static const int BIO_TYPE_FILTER; """ FUNCTIONS = """ @@ -63,16 +106,16 @@ BIO *BIO_pop(BIO *); BIO *BIO_next(BIO *); BIO *BIO_find_type(BIO *, int); int BIO_method_type(const BIO *); -BIO_METHOD *BIO_s_mem(); +BIO_METHOD *BIO_s_mem(void); BIO *BIO_new_mem_buf(void *, int); -BIO_METHOD *BIO_s_file(); +BIO_METHOD *BIO_s_file(void); BIO *BIO_new_file(const char *, const char *); BIO *BIO_new_fp(FILE *, int); -BIO_METHOD *BIO_s_fd(); +BIO_METHOD *BIO_s_fd(void); BIO *BIO_new_fd(int, int); -BIO_METHOD *BIO_s_socket(); +BIO_METHOD *BIO_s_socket(void); BIO *BIO_new_socket(int, int); -BIO_METHOD *BIO_s_null(); +BIO_METHOD *BIO_s_null(void); long BIO_ctrl(BIO *, int, long, void *); long BIO_callback_ctrl( BIO *, @@ -87,8 +130,8 @@ int BIO_read(BIO *, void *, int); int BIO_gets(BIO *, char *, int); int BIO_write(BIO *, const void *, int); int BIO_puts(BIO *, const char *); -BIO_METHOD *BIO_f_null(); -BIO_METHOD *BIO_f_buffer(); +BIO_METHOD *BIO_f_null(void); +BIO_METHOD *BIO_f_buffer(void); """ MACROS = """ @@ -100,10 +143,10 @@ long BIO_set_mem_buf(BIO *, BUF_MEM *, int); long BIO_get_mem_ptr(BIO *, BUF_MEM **); long BIO_set_fp(BIO *, FILE *, int); long BIO_get_fp(BIO *, FILE **); -int BIO_read_filename(BIO *, char *); -int BIO_write_filename(BIO *, char *); -int BIO_append_filename(BIO *, char *); -int BIO_rw_filename(BIO *, char *); +long BIO_read_filename(BIO *, char *); +long BIO_write_filename(BIO *, char *); +long BIO_append_filename(BIO *, char *); +long BIO_rw_filename(BIO *, char *); int BIO_should_read(BIO *); int BIO_should_write(BIO *); int BIO_should_io_special(BIO *); @@ -125,49 +168,9 @@ long BIO_set_read_buffer_size(BIO *, long); long BIO_set_write_buffer_size(BIO *, long); long BIO_set_buffer_size(BIO *, long); long BIO_set_buffer_read_data(BIO *, void *, long); -#define BIO_TYPE_MEM ... -#define BIO_TYPE_FILE ... -#define BIO_TYPE_FD ... -#define BIO_TYPE_SOCKET ... -#define BIO_TYPE_CONNECT ... -#define BIO_TYPE_ACCEPT ... -#define BIO_TYPE_NULL ... -#define BIO_CLOSE ... -#define BIO_NOCLOSE ... -#define BIO_TYPE_SOURCE_SINK ... -#define BIO_CTRL_RESET ... -#define BIO_CTRL_EOF ... -#define BIO_CTRL_SET ... -#define BIO_CTRL_SET_CLOSE ... -#define BIO_CTRL_FLUSH ... -#define BIO_CTRL_DUP ... -#define BIO_CTRL_GET_CLOSE ... -#define BIO_CTRL_INFO ... -#define BIO_CTRL_GET ... -#define BIO_CTRL_PENDING ... -#define BIO_CTRL_WPENDING ... -#define BIO_C_FILE_SEEK ... -#define BIO_C_FILE_TELL ... -#define BIO_TYPE_NONE ... -#define BIO_TYPE_PROXY_CLIENT ... -#define BIO_TYPE_PROXY_SERVER ... -#define BIO_TYPE_NBIO_TEST ... -#define BIO_TYPE_BER ... -#define BIO_TYPE_BIO ... -#define BIO_TYPE_DESCRIPTOR ... -#define BIO_FLAGS_READ ... -#define BIO_FLAGS_WRITE ... -#define BIO_FLAGS_IO_SPECIAL ... -#define BIO_FLAGS_RWS ... -#define BIO_FLAGS_SHOULD_RETRY ... -#define BIO_TYPE_NULL_FILTER ... -#define BIO_TYPE_SSL ... -#define BIO_TYPE_MD ... -#define BIO_TYPE_BUFFER ... -#define BIO_TYPE_CIPHER ... -#define BIO_TYPE_BASE64 ... -#define BIO_TYPE_FILTER ... """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/conf.py b/cryptography/hazmat/backends/openssl/conf.py index 4846252c..6d818cf1 100644 --- a/cryptography/hazmat/backends/openssl/conf.py +++ b/cryptography/hazmat/backends/openssl/conf.py @@ -27,3 +27,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/crypto.py b/cryptography/hazmat/backends/openssl/crypto.py index 773d9b14..835be14b 100644 --- a/cryptography/hazmat/backends/openssl/crypto.py +++ b/cryptography/hazmat/backends/openssl/crypto.py @@ -16,25 +16,38 @@ INCLUDES = """ """ TYPES = """ +static const int SSLEAY_VERSION; +static const int SSLEAY_CFLAGS; +static const int SSLEAY_PLATFORM; +static const int SSLEAY_DIR; +static const int SSLEAY_BUILT_ON; +static const int CRYPTO_MEM_CHECK_ON; +static const int CRYPTO_MEM_CHECK_OFF; +static const int CRYPTO_MEM_CHECK_ENABLE; +static const int CRYPTO_MEM_CHECK_DISABLE; """ FUNCTIONS = """ +unsigned long SSLeay(void); +const char *SSLeay_version(int); + void CRYPTO_free(void *); int CRYPTO_mem_ctrl(int); -int CRYPTO_is_mem_check_on(); +int CRYPTO_is_mem_check_on(void); void CRYPTO_mem_leaks(struct bio_st *); -void CRYPTO_cleanup_all_ex_data(); +void CRYPTO_cleanup_all_ex_data(void); + +void OPENSSL_free(void *); """ MACROS = """ void CRYPTO_add(int *, int, int); -void CRYPTO_malloc_init(); -void CRYPTO_malloc_debug_init(); -#define CRYPTO_MEM_CHECK_ON ... -#define CRYPTO_MEM_CHECK_OFF ... -#define CRYPTO_MEM_CHECK_ENABLE ... -#define CRYPTO_MEM_CHECK_DISABLE ... +void CRYPTO_malloc_init(void); +void CRYPTO_malloc_debug_init(void); + """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/dh.py b/cryptography/hazmat/backends/openssl/dh.py index b8fbf368..3c12fbc6 100644 --- a/cryptography/hazmat/backends/openssl/dh.py +++ b/cryptography/hazmat/backends/openssl/dh.py @@ -20,7 +20,7 @@ typedef ... DH; """ FUNCTIONS = """ -DH *DH_new(); +DH *DH_new(void); void DH_free(DH *); """ @@ -29,3 +29,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/dsa.py b/cryptography/hazmat/backends/openssl/dsa.py index e6c369a6..3b77d7ae 100644 --- a/cryptography/hazmat/backends/openssl/dsa.py +++ b/cryptography/hazmat/backends/openssl/dsa.py @@ -31,3 +31,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/engine.py b/cryptography/hazmat/backends/openssl/engine.py index 1f377665..390bfde1 100644 --- a/cryptography/hazmat/backends/openssl/engine.py +++ b/cryptography/hazmat/backends/openssl/engine.py @@ -17,11 +17,36 @@ INCLUDES = """ TYPES = """ typedef ... ENGINE; +typedef ... RSA_METHOD; +typedef ... DSA_METHOD; +typedef ... ECDH_METHOD; +typedef ... ECDSA_METHOD; +typedef ... DH_METHOD; +typedef ... RAND_METHOD; +typedef ... STORE_METHOD; +typedef ... ENGINE_GEN_INT_FUNC_PTR; +typedef ... ENGINE_CTRL_FUNC_PTR; +typedef ... ENGINE_LOAD_KEY_PTR; +typedef ... ENGINE_CIPHERS_PTR; +typedef ... ENGINE_DIGESTS_PTR; +typedef ... ENGINE_CMD_DEFN; +typedef ... UI_METHOD; + +static const unsigned int ENGINE_METHOD_RSA; +static const unsigned int ENGINE_METHOD_DSA; +static const unsigned int ENGINE_METHOD_RAND; +static const unsigned int ENGINE_METHOD_ECDH; +static const unsigned int ENGINE_METHOD_ECDSA; +static const unsigned int ENGINE_METHOD_CIPHERS; +static const unsigned int ENGINE_METHOD_DIGESTS; +static const unsigned int ENGINE_METHOD_STORE; +static const unsigned int ENGINE_METHOD_ALL; +static const unsigned int ENGINE_METHOD_NONE; """ FUNCTIONS = """ -ENGINE *ENGINE_get_first(); -ENGINE *ENGINE_get_last(); +ENGINE *ENGINE_get_first(void); +ENGINE *ENGINE_get_last(void); ENGINE *ENGINE_get_next(ENGINE *); ENGINE *ENGINE_get_prev(ENGINE *); int ENGINE_add(ENGINE *); @@ -29,16 +54,20 @@ int ENGINE_remove(ENGINE *); ENGINE *ENGINE_by_id(const char *); int ENGINE_init(ENGINE *); int ENGINE_finish(ENGINE *); -int ENGINE_free(ENGINE *); -void ENGINE_cleanup(); -void ENGINE_load_dynamic(); -void ENGINE_load_builtin_engines(); -int ENGINE_ctrl_cmd_string(ENGINE *, const char *, const char *, int); -int ENGINE_set_default(ENGINE *, unsigned int); -int ENGINE_register_complete(ENGINE *); - +void ENGINE_load_openssl(void); +void ENGINE_load_dynamic(void); +void ENGINE_load_cryptodev(void); +void ENGINE_load_builtin_engines(void); +void ENGINE_cleanup(void); +ENGINE *ENGINE_get_default_RSA(void); +ENGINE *ENGINE_get_default_DSA(void); +ENGINE *ENGINE_get_default_ECDH(void); +ENGINE *ENGINE_get_default_ECDSA(void); +ENGINE *ENGINE_get_default_DH(void); +ENGINE *ENGINE_get_default_RAND(void); +ENGINE *ENGINE_get_cipher_engine(int); +ENGINE *ENGINE_get_digest_engine(int); int ENGINE_set_default_RSA(ENGINE *); -int ENGINE_set_default_string(ENGINE *, const char *); int ENGINE_set_default_DSA(ENGINE *); int ENGINE_set_default_ECDH(ENGINE *); int ENGINE_set_default_ECDSA(ENGINE *); @@ -46,20 +75,89 @@ int ENGINE_set_default_DH(ENGINE *); int ENGINE_set_default_RAND(ENGINE *); int ENGINE_set_default_ciphers(ENGINE *); int ENGINE_set_default_digests(ENGINE *); +int ENGINE_set_default_string(ENGINE *, const char *); +int ENGINE_set_default(ENGINE *, unsigned int); +unsigned int ENGINE_get_table_flags(void); +void ENGINE_set_table_flags(unsigned int); +int ENGINE_register_RSA(ENGINE *); +void ENGINE_unregister_RSA(ENGINE *); +void ENGINE_register_all_RSA(void); +int ENGINE_register_DSA(ENGINE *); +void ENGINE_unregister_DSA(ENGINE *); +void ENGINE_register_all_DSA(void); +int ENGINE_register_ECDH(ENGINE *); +void ENGINE_unregister_ECDH(ENGINE *); +void ENGINE_register_all_ECDH(void); +int ENGINE_register_ECDSA(ENGINE *); +void ENGINE_unregister_ECDSA(ENGINE *); +void ENGINE_register_all_ECDSA(void); +int ENGINE_register_DH(ENGINE *); +void ENGINE_unregister_DH(ENGINE *); +void ENGINE_register_all_DH(void); +int ENGINE_register_RAND(ENGINE *); +void ENGINE_unregister_RAND(ENGINE *); +void ENGINE_register_all_RAND(void); +int ENGINE_register_STORE(ENGINE *); +void ENGINE_unregister_STORE(ENGINE *); +void ENGINE_register_all_STORE(void); +int ENGINE_register_ciphers(ENGINE *); +void ENGINE_unregister_ciphers(ENGINE *); +void ENGINE_register_all_ciphers(void); +int ENGINE_register_digests(ENGINE *); +void ENGINE_unregister_digests(ENGINE *); +void ENGINE_register_all_digests(void); +int ENGINE_register_complete(ENGINE *); +int ENGINE_register_all_complete(void); +int ENGINE_ctrl(ENGINE *, int, long, void *, void (*)(void)); +int ENGINE_cmd_is_executable(ENGINE *, int); +int ENGINE_ctrl_cmd(ENGINE *, const char *, long, void *, void (*)(void), int); +int ENGINE_ctrl_cmd_string(ENGINE *, const char *, const char *, int); + +ENGINE *ENGINE_new(void); +int ENGINE_free(ENGINE *); +int ENGINE_up_ref(ENGINE *); +int ENGINE_set_id(ENGINE *, const char *); +int ENGINE_set_name(ENGINE *, const char *); +int ENGINE_set_RSA(ENGINE *, const RSA_METHOD *); +int ENGINE_set_DSA(ENGINE *, const DSA_METHOD *); +int ENGINE_set_ECDH(ENGINE *, const ECDH_METHOD *); +int ENGINE_set_ECDSA(ENGINE *, const ECDSA_METHOD *); +int ENGINE_set_DH(ENGINE *, const DH_METHOD *); +int ENGINE_set_RAND(ENGINE *, const RAND_METHOD *); +int ENGINE_set_STORE(ENGINE *, const STORE_METHOD *); +int ENGINE_set_destroy_function(ENGINE *, ENGINE_GEN_INT_FUNC_PTR); +int ENGINE_set_init_function(ENGINE *, ENGINE_GEN_INT_FUNC_PTR); +int ENGINE_set_finish_function(ENGINE *, ENGINE_GEN_INT_FUNC_PTR); +int ENGINE_set_ctrl_function(ENGINE *, ENGINE_CTRL_FUNC_PTR); +int ENGINE_set_load_privkey_function(ENGINE *, ENGINE_LOAD_KEY_PTR); +int ENGINE_set_load_pubkey_function(ENGINE *, ENGINE_LOAD_KEY_PTR); +int ENGINE_set_ciphers(ENGINE *, ENGINE_CIPHERS_PTR); +int ENGINE_set_digests(ENGINE *, ENGINE_DIGESTS_PTR); +int ENGINE_set_flags(ENGINE *, int); +int ENGINE_set_cmd_defns(ENGINE *, const ENGINE_CMD_DEFN *); +const char *ENGINE_get_id(const ENGINE *); +const char *ENGINE_get_name(const ENGINE *); +const RSA_METHOD *ENGINE_get_RSA(const ENGINE *); +const DSA_METHOD *ENGINE_get_DSA(const ENGINE *); +const ECDH_METHOD *ENGINE_get_ECDH(const ENGINE *); +const ECDSA_METHOD *ENGINE_get_ECDSA(const ENGINE *); +const DH_METHOD *ENGINE_get_DH(const ENGINE *); +const RAND_METHOD *ENGINE_get_RAND(const ENGINE *); +const STORE_METHOD *ENGINE_get_STORE(const ENGINE *); + +const EVP_CIPHER *ENGINE_get_cipher(ENGINE *, int); +const EVP_MD *ENGINE_get_digest(ENGINE *, int); +int ENGINE_get_flags(const ENGINE *); +const ENGINE_CMD_DEFN *ENGINE_get_cmd_defns(const ENGINE *); +EVP_PKEY *ENGINE_load_private_key(ENGINE *, const char *, UI_METHOD *, void *); +EVP_PKEY *ENGINE_load_public_key(ENGINE *, const char *, UI_METHOD *, void *); +void ENGINE_add_conf_module(void); """ MACROS = """ -#define ENGINE_METHOD_RSA ... -#define ENGINE_METHOD_DSA ... -#define ENGINE_METHOD_RAND ... -#define ENGINE_METHOD_ECDH ... -#define ENGINE_METHOD_ECDSA ... -#define ENGINE_METHOD_CIPHERS ... -#define ENGINE_METHOD_DIGESTS ... -#define ENGINE_METHOD_STORE ... -#define ENGINE_METHOD_ALL ... -#define ENGINE_METHOD_NONE ... """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/err.py b/cryptography/hazmat/backends/openssl/err.py index f31c2405..6b2a77b1 100644 --- a/cryptography/hazmat/backends/openssl/err.py +++ b/cryptography/hazmat/backends/openssl/err.py @@ -38,8 +38,8 @@ static const int ASN1_R_BAD_PASSWORD_READ; """ FUNCTIONS = """ -void ERR_load_crypto_strings(); -void ERR_free_strings(); +void ERR_load_crypto_strings(void); +void ERR_free_strings(void); char* ERR_error_string(unsigned long, char *); void ERR_error_string_n(unsigned long, char *, size_t); const char* ERR_lib_error_string(unsigned long); @@ -47,9 +47,9 @@ const char* ERR_func_error_string(unsigned long); const char* ERR_reason_error_string(unsigned long); void ERR_print_errors(BIO *); void ERR_print_errors_fp(FILE *); -unsigned long ERR_get_error(); -unsigned long ERR_peek_error(); -unsigned long ERR_peek_last_error(); +unsigned long ERR_get_error(void); +unsigned long ERR_peek_error(void); +unsigned long ERR_peek_last_error(void); unsigned long ERR_get_error_line(const char **, int *); unsigned long ERR_peek_error_line(const char **, int *); unsigned long ERR_peek_last_error_line(const char **, int *); @@ -61,7 +61,7 @@ unsigned long ERR_peek_last_error_line_data(const char **, int *, const char **, int *); void ERR_put_error(int, int, int, const char *, int); void ERR_add_error_data(int, ...); -int ERR_get_next_error_library(); +int ERR_get_next_error_library(void); """ MACROS = """ @@ -74,3 +74,5 @@ int ERR_FATAL_ERROR(unsigned long); CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/evp.py b/cryptography/hazmat/backends/openssl/evp.py index 8cb44610..c426e52e 100644 --- a/cryptography/hazmat/backends/openssl/evp.py +++ b/cryptography/hazmat/backends/openssl/evp.py @@ -24,7 +24,9 @@ typedef struct { ...; } EVP_CIPHER_CTX; typedef ... EVP_MD; -typedef struct env_md_ctx_st EVP_MD_CTX; +typedef struct env_md_ctx_st { + ...; +} EVP_MD_CTX; typedef struct evp_pkey_st { int type; @@ -32,14 +34,15 @@ typedef struct evp_pkey_st { } EVP_PKEY; static const int EVP_PKEY_RSA; static const int EVP_PKEY_DSA; -static const int Cryptography_EVP_CTRL_GCM_SET_IVLEN; -static const int Cryptography_EVP_CTRL_GCM_GET_TAG; -static const int Cryptography_EVP_CTRL_GCM_SET_TAG; +static const int EVP_MAX_MD_SIZE; +static const int EVP_CTRL_GCM_SET_IVLEN; +static const int EVP_CTRL_GCM_GET_TAG; +static const int EVP_CTRL_GCM_SET_TAG; + +static const int Cryptography_HAS_GCM; """ FUNCTIONS = """ -void OpenSSL_add_all_algorithms(); - const EVP_CIPHER *EVP_get_cipherbyname(const char *); int EVP_EncryptInit_ex(EVP_CIPHER_CTX *, const EVP_CIPHER *, ENGINE *, const unsigned char *, const unsigned char *); @@ -61,11 +64,11 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *); const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *); int EVP_CIPHER_block_size(const EVP_CIPHER *); void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *); -EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(); +EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void); void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *); int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *, int); -EVP_MD_CTX *EVP_MD_CTX_create(); +EVP_MD_CTX *EVP_MD_CTX_create(void); int EVP_MD_CTX_copy_ex(EVP_MD_CTX *, const EVP_MD_CTX *); int EVP_DigestInit_ex(EVP_MD_CTX *, const EVP_MD *, ENGINE *); int EVP_DigestUpdate(EVP_MD_CTX *, const void *, size_t); @@ -76,7 +79,7 @@ const EVP_MD *EVP_get_digestbyname(const char *); const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *); int EVP_MD_size(const EVP_MD *); -EVP_PKEY *EVP_PKEY_new(); +EVP_PKEY *EVP_PKEY_new(void); void EVP_PKEY_free(EVP_PKEY *); int EVP_PKEY_type(int); int EVP_PKEY_bits(EVP_PKEY *); @@ -90,9 +93,12 @@ int EVP_VerifyInit(EVP_MD_CTX *, const EVP_MD *); int EVP_VerifyUpdate(EVP_MD_CTX *, const void *, size_t); int EVP_VerifyFinal(EVP_MD_CTX *, const unsigned char *, unsigned int, EVP_PKEY *); + +const EVP_MD *EVP_md5(void); """ MACROS = """ +void OpenSSL_add_all_algorithms(void); int EVP_PKEY_assign_RSA(EVP_PKEY *, RSA *); int EVP_PKEY_assign_DSA(EVP_PKEY *, DSA *); int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *); @@ -101,12 +107,19 @@ int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *, int, int, void *); CUSTOMIZATIONS = """ #ifdef EVP_CTRL_GCM_SET_TAG -const int Cryptography_EVP_CTRL_GCM_GET_TAG = EVP_CTRL_GCM_GET_TAG; -const int Cryptography_EVP_CTRL_GCM_SET_TAG = EVP_CTRL_GCM_SET_TAG; -const int Cryptography_EVP_CTRL_GCM_SET_IVLEN = EVP_CTRL_GCM_SET_IVLEN; +const long Cryptography_HAS_GCM = 1; #else -const int Cryptography_EVP_CTRL_GCM_GET_TAG = -1; -const int Cryptography_EVP_CTRL_GCM_SET_TAG = -1; -const int Cryptography_EVP_CTRL_GCM_SET_IVLEN = -1; +const long Cryptography_HAS_GCM = 0; +const long EVP_CTRL_GCM_GET_TAG = -1; +const long EVP_CTRL_GCM_SET_TAG = -1; +const long EVP_CTRL_GCM_SET_IVLEN = -1; #endif """ + +CONDITIONAL_NAMES = { + "Cryptography_HAS_GCM": [ + "EVP_CTRL_GCM_GET_TAG", + "EVP_CTRL_GCM_SET_TAG", + "EVP_CTRL_GCM_SET_IVLEN", + ] +} diff --git a/cryptography/hazmat/backends/openssl/hmac.py b/cryptography/hazmat/backends/openssl/hmac.py index 10e67141..5f9e0945 100644 --- a/cryptography/hazmat/backends/openssl/hmac.py +++ b/cryptography/hazmat/backends/openssl/hmac.py @@ -88,3 +88,5 @@ int Cryptography_HMAC_CTX_copy(HMAC_CTX *dst_ctx, HMAC_CTX *src_ctx) { #endif } """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/nid.py b/cryptography/hazmat/backends/openssl/nid.py index 9816dde4..40aed19f 100644 --- a/cryptography/hazmat/backends/openssl/nid.py +++ b/cryptography/hazmat/backends/openssl/nid.py @@ -37,6 +37,7 @@ static const int NID_ecdsa_with_SHA384; static const int NID_ecdsa_with_SHA512; static const int NID_crl_reason; static const int NID_pbe_WithSHA1And3_Key_TripleDES_CBC; +static const int NID_subject_alt_name; """ FUNCTIONS = """ @@ -47,3 +48,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/objects.py b/cryptography/hazmat/backends/openssl/objects.py new file mode 100644 index 00000000..0abc42d6 --- /dev/null +++ b/cryptography/hazmat/backends/openssl/objects.py @@ -0,0 +1,43 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +INCLUDES = """ +#include <openssl/objects.h> +""" + +TYPES = """ +""" + +FUNCTIONS = """ +ASN1_OBJECT *OBJ_nid2obj(int); +const char *OBJ_nid2ln(int); +const char *OBJ_nid2sn(int); +int OBJ_obj2nid(const ASN1_OBJECT *); +int OBJ_ln2nid(const char *); +int OBJ_sn2nid(const char *); +int OBJ_txt2nid(const char *); +ASN1_OBJECT *OBJ_txt2obj(const char *, int); +int OBJ_obj2txt(char *, int, const ASN1_OBJECT *, int); +int OBJ_cmp(const ASN1_OBJECT *, const ASN1_OBJECT *); +ASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *); +int OBJ_create(const char *, const char *, const char *); +void OBJ_cleanup(void); +""" + +MACROS = """ +""" + +CUSTOMIZATIONS = """ +""" + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/opensslv.py b/cryptography/hazmat/backends/openssl/opensslv.py index d463776c..397f4ca2 100644 --- a/cryptography/hazmat/backends/openssl/opensslv.py +++ b/cryptography/hazmat/backends/openssl/opensslv.py @@ -16,7 +16,8 @@ INCLUDES = """ """ TYPES = """ -static char *const OPENSSL_VERSION_TEXT; +static const int OPENSSL_VERSION_NUMBER; +static const char *const OPENSSL_VERSION_TEXT; """ FUNCTIONS = """ @@ -27,3 +28,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/pem.py b/cryptography/hazmat/backends/openssl/pem.py index cef7839f..ee5552c5 100644 --- a/cryptography/hazmat/backends/openssl/pem.py +++ b/cryptography/hazmat/backends/openssl/pem.py @@ -55,3 +55,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/pkcs12.py b/cryptography/hazmat/backends/openssl/pkcs12.py index d91d100f..bd01e756 100644 --- a/cryptography/hazmat/backends/openssl/pkcs12.py +++ b/cryptography/hazmat/backends/openssl/pkcs12.py @@ -28,10 +28,12 @@ int i2d_PKCS12_bio(BIO *, PKCS12 *); MACROS = """ int PKCS12_parse(PKCS12 *, const char *, EVP_PKEY **, X509 **, - struct stack_st_X509 **); + Cryptography_STACK_OF_X509 **); PKCS12 *PKCS12_create(char *, char *, EVP_PKEY *, X509 *, - struct stack_st_X509 *, int, int, int, int, int); + Cryptography_STACK_OF_X509 *, int, int, int, int, int); """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/pkcs7.py b/cryptography/hazmat/backends/openssl/pkcs7.py index 60ea3c52..43f9540b 100644 --- a/cryptography/hazmat/backends/openssl/pkcs7.py +++ b/cryptography/hazmat/backends/openssl/pkcs7.py @@ -35,3 +35,5 @@ int PKCS7_type_is_data(PKCS7 *); CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/rand.py b/cryptography/hazmat/backends/openssl/rand.py index 848ee05a..0e645fbc 100644 --- a/cryptography/hazmat/backends/openssl/rand.py +++ b/cryptography/hazmat/backends/openssl/rand.py @@ -19,16 +19,17 @@ TYPES = """ """ FUNCTIONS = """ +void ERR_load_RAND_strings(void); void RAND_seed(const void *, int); void RAND_add(const void *, int, double); -int RAND_status(); +int RAND_status(void); int RAND_egd(const char *); int RAND_egd_bytes(const char *, int); int RAND_query_egd_bytes(const char *, unsigned char *, int); const char *RAND_file_name(char *, size_t); int RAND_load_file(const char *, long); int RAND_write_file(const char *); -void RAND_cleanup(); +void RAND_cleanup(void); int RAND_bytes(unsigned char *, int); int RAND_pseudo_bytes(unsigned char *, int); """ @@ -38,3 +39,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/rsa.py b/cryptography/hazmat/backends/openssl/rsa.py index ad0d37b4..a44ca4a6 100644 --- a/cryptography/hazmat/backends/openssl/rsa.py +++ b/cryptography/hazmat/backends/openssl/rsa.py @@ -33,10 +33,11 @@ static const int RSA_SSLV23_PADDING; static const int RSA_NO_PADDING; static const int RSA_PKCS1_OAEP_PADDING; static const int RSA_X931_PADDING; +static const int RSA_F4; """ FUNCTIONS = """ -RSA *RSA_new(); +RSA *RSA_new(void); void RSA_free(RSA *); int RSA_size(const RSA *); int RSA_generate_key_ex(RSA *, int, BIGNUM *, BN_GENCB *); @@ -50,6 +51,7 @@ int RSA_public_decrypt(int, const unsigned char *, unsigned char *, RSA *, int); int RSA_private_decrypt(int, const unsigned char *, unsigned char *, RSA *, int); +int RSA_print(BIO *, const RSA *, int); """ MACROS = """ @@ -57,3 +59,5 @@ MACROS = """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/ssl.py b/cryptography/hazmat/backends/openssl/ssl.py index 04611309..d0d5ae2d 100644 --- a/cryptography/hazmat/backends/openssl/ssl.py +++ b/cryptography/hazmat/backends/openssl/ssl.py @@ -16,6 +16,28 @@ INCLUDES = """ """ TYPES = """ +/* + * Internally invented symbols to tell which versions of SSL/TLS are supported. +*/ +static const int Cryptography_HAS_SSL2; +static const int Cryptography_HAS_TLSv1_1; +static const int Cryptography_HAS_TLSv1_2; + +/* Internally invented symbol to tell us if SNI is supported */ +static const int Cryptography_HAS_TLSEXT_HOSTNAME; + +/* Internally invented symbol to tell us if SSL_MODE_RELEASE_BUFFERS is + * supported + */ +static const int Cryptography_HAS_RELEASE_BUFFERS; + +/* Internally invented symbol to tell us if SSL_OP_NO_COMPRESSION is + * supported + */ +static const int Cryptography_HAS_OP_NO_COMPRESSION; + +static const int Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING; + static const int SSL_FILETYPE_PEM; static const int SSL_FILETYPE_ASN1; static const int SSL_ERROR_NONE; @@ -30,6 +52,9 @@ static const int SSL_RECEIVED_SHUTDOWN; static const int SSL_OP_NO_SSLv2; static const int SSL_OP_NO_SSLv3; static const int SSL_OP_NO_TLSv1; +static const int SSL_OP_NO_TLSv1_1; +static const int SSL_OP_NO_TLSv1_2; +static const int SSL_OP_NO_COMPRESSION; static const int SSL_OP_SINGLE_DH_USE; static const int SSL_OP_EPHEMERAL_RSA; static const int SSL_OP_MICROSOFT_SESS_ID_BUG; @@ -84,6 +109,7 @@ static const int SSL_CB_CONNECT_LOOP; static const int SSL_CB_CONNECT_EXIT; static const int SSL_CB_HANDSHAKE_START; static const int SSL_CB_HANDSHAKE_DONE; +static const int SSL_MODE_RELEASE_BUFFERS; static const int SSL_MODE_ENABLE_PARTIAL_WRITE; static const int SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; static const int SSL_MODE_AUTO_RETRY; @@ -115,9 +141,8 @@ static const int TLSEXT_NAMETYPE_host_name; """ FUNCTIONS = """ -void SSL_load_error_strings(); - -int SSL_library_init(); +void SSL_load_error_strings(void); +int SSL_library_init(void); /* SSL */ SSL_CTX *SSL_set_SSL_CTX(SSL *, SSL_CTX *); @@ -126,6 +151,9 @@ int SSL_set_session(SSL *, SSL_SESSION *); int SSL_get_verify_mode(const SSL *); void SSL_set_verify_depth(SSL *, int); int SSL_get_verify_depth(const SSL *); +int (*SSL_get_verify_callback(const SSL *))(int, X509_STORE_CTX *); +void SSL_set_info_callback(SSL *ssl, void (*)(const SSL *, int, int)); +void (*SSL_get_info_callback(const SSL *))(const SSL *, int, int); SSL *SSL_new(SSL_CTX *); void SSL_free(SSL *); int SSL_set_fd(SSL *, int); @@ -138,6 +166,10 @@ int SSL_pending(const SSL *); int SSL_write(SSL *, const void *, int); int SSL_read(SSL *, void *, int); X509 *SSL_get_peer_certificate(const SSL *); + +Cryptography_STACK_OF_X509 *SSL_get_peer_cert_chain(const SSL *); +Cryptography_STACK_OF_X509_NAME *SSL_get_client_CA_list(const SSL *); + int SSL_get_error(const SSL *, int); int SSL_do_handshake(SSL *); int SSL_shutdown(SSL *); @@ -147,7 +179,11 @@ const char *SSL_get_cipher_list(const SSL *, int); void SSL_CTX_free(SSL_CTX *); long SSL_CTX_set_timeout(SSL_CTX *, long); int SSL_CTX_set_default_verify_paths(SSL_CTX *); +void SSL_CTX_set_verify(SSL_CTX *, int, int (*)(int, X509_STORE_CTX *)); void SSL_CTX_set_verify_depth(SSL_CTX *, int); +int (*SSL_CTX_get_verify_callback(const SSL_CTX *))(int, X509_STORE_CTX *); +void SSL_CTX_set_info_callback(SSL_CTX *, void (*)(const SSL *, int, int)); +void (*SSL_CTX_get_info_callback(SSL_CTX *))(const SSL *, int, int); int SSL_CTX_get_verify_mode(const SSL_CTX *); int SSL_CTX_get_verify_depth(const SSL_CTX *); int SSL_CTX_set_cipher_list(SSL_CTX *, const char *); @@ -163,6 +199,9 @@ void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *); X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *); int SSL_CTX_add_client_CA(SSL_CTX *, X509 *); +void SSL_CTX_set_client_CA_list(SSL_CTX *, Cryptography_STACK_OF_X509_NAME *); + + /* X509_STORE_CTX */ int X509_STORE_CTX_get_error(X509_STORE_CTX *); void X509_STORE_CTX_set_error(X509_STORE_CTX *, int); @@ -173,7 +212,7 @@ X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *); void SSL_SESSION_free(SSL_SESSION *); """ -MACROS = MACROS = """ +MACROS = """ long SSL_set_mode(SSL *, long); long SSL_get_mode(SSL *); @@ -183,7 +222,7 @@ long SSL_get_options(SSL *); int SSL_want_read(const SSL *); int SSL_want_write(const SSL *); -int SSL_total_renegotiations(const SSL *); +long SSL_total_renegotiations(SSL *); long SSL_CTX_set_options(SSL_CTX *, long); long SSL_CTX_get_options(SSL_CTX *); @@ -197,20 +236,153 @@ long SSL_CTX_add_extra_chain_cert(SSL_CTX *, X509 *); /*- These aren't macros these functions are all const X on openssl > 1.0.x -*/ /* methods */ -const SSL_METHOD *SSLv3_method(); -const SSL_METHOD *SSLv3_server_method(); -const SSL_METHOD *SSLv3_client_method(); -const SSL_METHOD *TLSv1_method(); -const SSL_METHOD *TLSv1_server_method(); -const SSL_METHOD *TLSv1_client_method(); -const SSL_METHOD *SSLv23_method(); -const SSL_METHOD *SSLv23_server_method(); -const SSL_METHOD *SSLv23_client_method(); + +/* SSLv2 support is compiled out of some versions of OpenSSL. These will + * get special support when we generate the bindings so that if they are + * available they will be wrapped, but if they are not they won't cause + * problems (like link errors). + */ +const SSL_METHOD *SSLv2_method(void); +const SSL_METHOD *SSLv2_server_method(void); +const SSL_METHOD *SSLv2_client_method(void); + +/* + * TLSv1_1 and TLSv1_2 are recent additions. Only sufficiently new versions of + * OpenSSL support them. + */ +const SSL_METHOD *TLSv1_1_method(void); +const SSL_METHOD *TLSv1_1_server_method(void); +const SSL_METHOD *TLSv1_1_client_method(void); + +const SSL_METHOD *TLSv1_2_method(void); +const SSL_METHOD *TLSv1_2_server_method(void); +const SSL_METHOD *TLSv1_2_client_method(void); + +const SSL_METHOD *SSLv3_method(void); +const SSL_METHOD *SSLv3_server_method(void); +const SSL_METHOD *SSLv3_client_method(void); + +const SSL_METHOD *TLSv1_method(void); +const SSL_METHOD *TLSv1_server_method(void); +const SSL_METHOD *TLSv1_client_method(void); + +const SSL_METHOD *SSLv23_method(void); +const SSL_METHOD *SSLv23_server_method(void); +const SSL_METHOD *SSLv23_client_method(void); /*- These aren't macros these arguments are all const X on openssl > 1.0.x -*/ -SSL_CTX *SSL_CTX_new(const SSL_METHOD *); +SSL_CTX *SSL_CTX_new(SSL_METHOD *); long SSL_CTX_get_timeout(const SSL_CTX *); + +/* SNI APIs were introduced in OpenSSL 1.0.0. To continue to support + * earlier versions some special handling of these is necessary. + */ +const char *SSL_get_servername(const SSL *, const int); +void SSL_set_tlsext_host_name(SSL *, char *); +void SSL_CTX_set_tlsext_servername_callback( + SSL_CTX *, + int (*)(const SSL *, int *, void *)); """ CUSTOMIZATIONS = """ +#ifdef OPENSSL_NO_SSL2 +static const long Cryptography_HAS_SSL2 = 0; +SSL_METHOD* (*SSLv2_method)(void) = NULL; +SSL_METHOD* (*SSLv2_client_method)(void) = NULL; +SSL_METHOD* (*SSLv2_server_method)(void) = NULL; +#else +static const long Cryptography_HAS_SSL2 = 1; +#endif + +#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME +static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1; +#else +static const long Cryptography_HAS_TLSEXT_HOSTNAME = 0; +void (*SSL_set_tlsext_host_name)(SSL *, char *) = NULL; +const char* (*SSL_get_servername)(const SSL *, const int) = NULL; +void (*SSL_CTX_set_tlsext_servername_callback)( + SSL_CTX *, + int (*)(const SSL *, int *, void *)) = NULL; +#endif + +#ifdef SSL_MODE_RELEASE_BUFFERS +static const long Cryptography_HAS_RELEASE_BUFFERS = 1; +#else +static const long Cryptography_HAS_RELEASE_BUFFERS = 0; +const long SSL_MODE_RELEASE_BUFFERS = 0; +#endif + +#ifdef SSL_OP_NO_COMPRESSION +static const long Cryptography_HAS_OP_NO_COMPRESSION = 1; +#else +static const long Cryptography_HAS_OP_NO_COMPRESSION = 0; +const long SSL_OP_NO_COMPRESSION = 0; +#endif + +#ifdef SSL_OP_NO_TLSv1_1 +static const long Cryptography_HAS_TLSv1_1 = 1; +#else +static const long Cryptography_HAS_TLSv1_1 = 0; +static const long SSL_OP_NO_TLSv1_1 = 0; +SSL_METHOD* (*TLSv1_1_method)(void) = NULL; +SSL_METHOD* (*TLSv1_1_client_method)(void) = NULL; +SSL_METHOD* (*TLSv1_1_server_method)(void) = NULL; +#endif + +#ifdef SSL_OP_NO_TLSv1_2 +static const long Cryptography_HAS_TLSv1_2 = 1; +#else +static const long Cryptography_HAS_TLSv1_2 = 0; +static const long SSL_OP_NO_TLSv1_2 = 0; +SSL_METHOD* (*TLSv1_2_method)(void) = NULL; +SSL_METHOD* (*TLSv1_2_client_method)(void) = NULL; +SSL_METHOD* (*TLSv1_2_server_method)(void) = NULL; +#endif + +#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING +static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1; +#else +static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 0; +const long SSL_OP_MSIE_SSLV2_RSA_PADDING = 0; +#endif """ + +CONDITIONAL_NAMES = { + "Cryptography_HAS_TLSv1_1": [ + "SSL_OP_NO_TLSv1_1", + "TLSv1_1_method", + "TLSv1_1_server_method", + "TLSv1_1_client_method", + ], + + "Cryptography_HAS_TLSv1_2": [ + "SSL_OP_NO_TLSv1_2", + "TLSv1_2_method", + "TLSv1_2_server_method", + "TLSv1_2_client_method", + ], + + "Cryptography_HAS_SSL2": [ + "SSLv2_method", + "SSLv2_client_method", + "SSLv2_server_method", + ], + + "Cryptography_HAS_TLSEXT_HOSTNAME": [ + "SSL_set_tlsext_host_name", + "SSL_get_servername", + "SSL_CTX_set_tlsext_servername_callback", + ], + + "Cryptography_HAS_RELEASE_BUFFERS": [ + "SSL_MODE_RELEASE_BUFFERS", + ], + + "Cryptography_HAS_OP_NO_COMPRESSION": [ + "SSL_OP_NO_COMPRESSION", + ], + + "Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING": [ + "SSL_OP_MSIE_SSLV2_RSA_PADDING", + ], +} diff --git a/cryptography/hazmat/backends/openssl/x509.py b/cryptography/hazmat/backends/openssl/x509.py index b2ee672e..840254a2 100644 --- a/cryptography/hazmat/backends/openssl/x509.py +++ b/cryptography/hazmat/backends/openssl/x509.py @@ -13,9 +13,22 @@ INCLUDES = """ #include <openssl/ssl.h> + +/* + * This is part of a work-around for the difficulty cffi has in dealing with + * `STACK_OF(foo)` as the name of a type. We invent a new, simpler name that + * will be an alias for this type and use the alias throughout. This works + * together with another opaque typedef for the same name in the TYPES section. + * Note that the result is an opaque type. + */ +typedef STACK_OF(X509) Cryptography_STACK_OF_X509; +typedef STACK_OF(X509_REVOKED) Cryptography_STACK_OF_X509_REVOKED; """ TYPES = """ +typedef ... Cryptography_STACK_OF_X509; +typedef ... Cryptography_STACK_OF_X509_REVOKED; + typedef struct { ASN1_OBJECT *algorithm; ...; @@ -36,8 +49,6 @@ typedef ... X509_EXTENSIONS; typedef ... X509_REQ; -typedef ... x509_revoked_st; - typedef struct { ASN1_INTEGER *serialNumber; ASN1_TIME *revocationDate; @@ -47,7 +58,7 @@ typedef struct { } X509_REVOKED; typedef struct { - struct x509_revoked_st *revoked; + Cryptography_STACK_OF_X509_REVOKED *revoked; ...; } X509_CRL_INFO; @@ -66,7 +77,7 @@ typedef ... NETSCAPE_SPKI; """ FUNCTIONS = """ -X509 *X509_new(); +X509 *X509_new(void); void X509_free(X509 *); X509 *X509_dup(X509 *); @@ -101,7 +112,7 @@ ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *); void X509_EXTENSION_free(X509_EXTENSION *); int X509_REQ_set_version(X509_REQ *, long); -X509_REQ *X509_REQ_new(); +X509_REQ *X509_REQ_new(void); void X509_REQ_free(X509_REQ *); int X509_REQ_set_pubkey(X509_REQ *, EVP_PKEY *); int X509_REQ_sign(X509_REQ *, EVP_PKEY *, const EVP_MD *); @@ -113,7 +124,7 @@ int X509_REQ_print_ex(BIO *, X509_REQ *, unsigned long, unsigned long); int X509V3_EXT_print(BIO *, X509_EXTENSION *, unsigned long, int); ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *); -X509_REVOKED *X509_REVOKED_new(); +X509_REVOKED *X509_REVOKED_new(void); void X509_REVOKED_free(X509_REVOKED *); int X509_REVOKED_set_serialNumber(X509_REVOKED *, ASN1_INTEGER *); @@ -121,7 +132,7 @@ int X509_REVOKED_set_serialNumber(X509_REVOKED *, ASN1_INTEGER *); int X509_REVOKED_add1_ext_i2d(X509_REVOKED *, int, void *, int, unsigned long); X509_CRL *d2i_X509_CRL_bio(BIO *, X509_CRL **); -X509_CRL *X509_CRL_new(); +X509_CRL *X509_CRL_new(void); void X509_CRL_free(X509_CRL *); int X509_CRL_add0_revoked(X509_CRL *, X509_REVOKED *); int i2d_X509_CRL_bio(BIO *, X509_CRL *); @@ -134,7 +145,7 @@ int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *, EVP_PKEY *, const EVP_MD *); char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *); EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *); int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *, EVP_PKEY *); -NETSCAPE_SPKI *NETSCAPE_SPKI_new(); +NETSCAPE_SPKI *NETSCAPE_SPKI_new(void); void NETSCAPE_SPKI_free(NETSCAPE_SPKI *); /* ASN1 serialization */ @@ -151,7 +162,7 @@ ASN1_INTEGER *X509_get_serialNumber(X509 *); int X509_set_serialNumber(X509 *, ASN1_INTEGER *); /* X509_STORE */ -X509_STORE *X509_STORE_new(); +X509_STORE *X509_STORE_new(void); void X509_STORE_free(X509_STORE *); int X509_STORE_add_cert(X509_STORE *, X509 *); """ @@ -165,26 +176,28 @@ ASN1_TIME *X509_get_notAfter(X509 *); long X509_REQ_get_version(X509_REQ *); X509_NAME *X509_REQ_get_subject_name(X509_REQ *); -struct stack_st_X509 *sk_X509_new_null(); -void sk_X509_free(struct stack_st_X509 *); -int sk_X509_num(struct stack_st_X509 *); -int sk_X509_push(struct stack_st_X509 *, X509 *); -X509 *sk_X509_value(struct stack_st_X509 *, int); +Cryptography_STACK_OF_X509 *sk_X509_new_null(void); +void sk_X509_free(Cryptography_STACK_OF_X509 *); +int sk_X509_num(Cryptography_STACK_OF_X509 *); +int sk_X509_push(Cryptography_STACK_OF_X509 *, X509 *); +X509 *sk_X509_value(Cryptography_STACK_OF_X509 *, int); -X509_EXTENSIONS *sk_X509_EXTENSION_new_null(); +X509_EXTENSIONS *sk_X509_EXTENSION_new_null(void); int sk_X509_EXTENSION_num(X509_EXTENSIONS *); X509_EXTENSION *sk_X509_EXTENSION_value(X509_EXTENSIONS *, int); int sk_X509_EXTENSION_push(X509_EXTENSIONS *, X509_EXTENSION *); -void sk_X509_EXTENSION_delete(X509_EXTENSIONS *, int); +X509_EXTENSION *sk_X509_EXTENSION_delete(X509_EXTENSIONS *, int); void sk_X509_EXTENSION_free(X509_EXTENSIONS *); -int sk_X509_REVOKED_num(struct x509_revoked_st *); -X509_REVOKED *sk_X509_REVOKED_value(struct x509_revoked_st *, int); +int sk_X509_REVOKED_num(Cryptography_STACK_OF_X509_REVOKED *); +X509_REVOKED *sk_X509_REVOKED_value(Cryptography_STACK_OF_X509_REVOKED *, int); /* These aren't macros these arguments are all const X on openssl > 1.0.x */ -int X509_CRL_set_lastUpdate(X509_CRL *, const ASN1_TIME *); -int X509_CRL_set_nextUpdate(X509_CRL *, const ASN1_TIME *); +int X509_CRL_set_lastUpdate(X509_CRL *, ASN1_TIME *); +int X509_CRL_set_nextUpdate(X509_CRL *, ASN1_TIME *); """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/x509name.py b/cryptography/hazmat/backends/openssl/x509name.py index 896f0ae4..bf627d61 100644 --- a/cryptography/hazmat/backends/openssl/x509name.py +++ b/cryptography/hazmat/backends/openssl/x509name.py @@ -13,11 +13,17 @@ INCLUDES = """ #include <openssl/x509.h> + +/* + * See the comment above Cryptography_STACK_OF_X509 in x509.py + */ +typedef STACK_OF(X509_NAME) Cryptography_STACK_OF_X509_NAME; """ TYPES = """ typedef ... X509_NAME; typedef ... X509_NAME_ENTRY; +typedef ... Cryptography_STACK_OF_X509_NAME; """ FUNCTIONS = """ @@ -40,12 +46,14 @@ void X509_NAME_free(X509_NAME *); """ MACROS = """ -struct stack_st_X509_NAME *sk_X509_NAME_new_null(); -int sk_X509_NAME_num(struct stack_st_X509_NAME *); -int sk_X509_NAME_push(struct stack_st_X509_NAME *, X509_NAME *); -X509_NAME *sk_X509_NAME_value(struct stack_st_X509_NAME *, int); -void sk_X509_NAME_free(struct stack_st_X509_NAME *); +Cryptography_STACK_OF_X509_NAME *sk_X509_NAME_new_null(void); +int sk_X509_NAME_num(Cryptography_STACK_OF_X509_NAME *); +int sk_X509_NAME_push(Cryptography_STACK_OF_X509_NAME *, X509_NAME *); +X509_NAME *sk_X509_NAME_value(Cryptography_STACK_OF_X509_NAME *, int); +void sk_X509_NAME_free(Cryptography_STACK_OF_X509_NAME *); """ CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/backends/openssl/x509v3.py b/cryptography/hazmat/backends/openssl/x509v3.py index bc26236c..6d2d2361 100644 --- a/cryptography/hazmat/backends/openssl/x509v3.py +++ b/cryptography/hazmat/backends/openssl/x509v3.py @@ -95,3 +95,5 @@ const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int); CUSTOMIZATIONS = """ """ + +CONDITIONAL_NAMES = {} diff --git a/cryptography/hazmat/primitives/ciphers/algorithms.py b/cryptography/hazmat/primitives/ciphers/algorithms.py index a206b273..a5cfce92 100644 --- a/cryptography/hazmat/primitives/ciphers/algorithms.py +++ b/cryptography/hazmat/primitives/ciphers/algorithms.py @@ -26,6 +26,7 @@ def _verify_key_size(algorithm, key): return key +@utils.register_interface(interfaces.BlockCipherAlgorithm) @utils.register_interface(interfaces.CipherAlgorithm) class AES(object): name = "AES" @@ -40,6 +41,7 @@ class AES(object): return len(self.key) * 8 +@utils.register_interface(interfaces.BlockCipherAlgorithm) @utils.register_interface(interfaces.CipherAlgorithm) class Camellia(object): name = "camellia" @@ -54,6 +56,7 @@ class Camellia(object): return len(self.key) * 8 +@utils.register_interface(interfaces.BlockCipherAlgorithm) @utils.register_interface(interfaces.CipherAlgorithm) class TripleDES(object): name = "3DES" @@ -72,6 +75,7 @@ class TripleDES(object): return len(self.key) * 8 +@utils.register_interface(interfaces.BlockCipherAlgorithm) @utils.register_interface(interfaces.CipherAlgorithm) class Blowfish(object): name = "Blowfish" @@ -86,6 +90,7 @@ class Blowfish(object): return len(self.key) * 8 +@utils.register_interface(interfaces.BlockCipherAlgorithm) @utils.register_interface(interfaces.CipherAlgorithm) class CAST5(object): name = "CAST5" @@ -103,7 +108,6 @@ class CAST5(object): @utils.register_interface(interfaces.CipherAlgorithm) class ARC4(object): name = "RC4" - block_size = 1 key_sizes = frozenset([40, 56, 64, 80, 128, 192, 256]) def __init__(self, key): diff --git a/cryptography/hazmat/primitives/constant_time.py b/cryptography/hazmat/primitives/constant_time.py index a8351504..6502803e 100644 --- a/cryptography/hazmat/primitives/constant_time.py +++ b/cryptography/hazmat/primitives/constant_time.py @@ -20,17 +20,16 @@ import six _ffi = cffi.FFI() _ffi.cdef(""" -bool Cryptography_constant_time_bytes_eq(uint8_t *, size_t, uint8_t *, size_t); +uint8_t Cryptography_constant_time_bytes_eq(uint8_t *, size_t, uint8_t *, + size_t); """) _lib = _ffi.verify(""" -#include <stdbool.h> - -bool Cryptography_constant_time_bytes_eq(uint8_t *a, size_t len_a, uint8_t *b, - size_t len_b) { +uint8_t Cryptography_constant_time_bytes_eq(uint8_t *a, size_t len_a, + uint8_t *b, size_t len_b) { size_t i = 0; uint8_t mismatch = 0; if (len_a != len_b) { - return false; + return 0; } for (i = 0; i < len_a; i++) { mismatch |= a[i] ^ b[i]; diff --git a/cryptography/hazmat/primitives/hmac.py b/cryptography/hazmat/primitives/hmac.py index 618bccc5..76d658aa 100644 --- a/cryptography/hazmat/primitives/hmac.py +++ b/cryptography/hazmat/primitives/hmac.py @@ -16,8 +16,8 @@ from __future__ import absolute_import, division, print_function import six from cryptography import utils -from cryptography.exceptions import AlreadyFinalized -from cryptography.hazmat.primitives import interfaces +from cryptography.exceptions import AlreadyFinalized, InvalidSignature +from cryptography.hazmat.primitives import constant_time, interfaces @utils.register_interface(interfaces.HashContext) @@ -57,3 +57,10 @@ class HMAC(object): digest = self._ctx.finalize() self._ctx = None return digest + + def verify(self, signature): + if isinstance(signature, six.text_type): + raise TypeError("Unicode-objects must be encoded before verifying") + digest = self.finalize() + if not constant_time.bytes_eq(digest, signature): + raise InvalidSignature("Signature did not match digest.") diff --git a/cryptography/hazmat/primitives/interfaces.py b/cryptography/hazmat/primitives/interfaces.py index feab316b..7a6bf3e2 100644 --- a/cryptography/hazmat/primitives/interfaces.py +++ b/cryptography/hazmat/primitives/interfaces.py @@ -22,13 +22,21 @@ class CipherAlgorithm(six.with_metaclass(abc.ABCMeta)): @abc.abstractproperty def name(self): """ - A string naming this mode. (e.g. AES, Camellia) + A string naming this mode (e.g. "AES", "Camellia"). """ @abc.abstractproperty def key_size(self): """ - The size of the key being used as an integer in bits. (e.g. 128, 256) + The size of the key being used as an integer in bits (e.g. 128, 256). + """ + + +class BlockCipherAlgorithm(six.with_metaclass(abc.ABCMeta)): + @abc.abstractproperty + def block_size(self): + """ + The size of a block as an integer in bits (e.g. 64, 128). """ @@ -36,7 +44,7 @@ class Mode(six.with_metaclass(abc.ABCMeta)): @abc.abstractproperty def name(self): """ - A string naming this mode. (e.g. ECB, CBC) + A string naming this mode (e.g. "ECB", "CBC"). """ @abc.abstractmethod @@ -75,13 +83,14 @@ class CipherContext(six.with_metaclass(abc.ABCMeta)): @abc.abstractmethod def update(self, data): """ - update takes bytes and return bytes + Processes the provided bytes through the cipher and returns the results + as bytes. """ @abc.abstractmethod def finalize(self): """ - finalize return bytes + Returns the results of processing the final block as bytes. """ @@ -89,7 +98,7 @@ class AEADCipherContext(six.with_metaclass(abc.ABCMeta)): @abc.abstractmethod def authenticate_additional_data(self, data): """ - authenticate_additional_data takes bytes and returns nothing. + Authenticates the provided bytes. """ @@ -97,7 +106,8 @@ class AEADEncryptionContext(six.with_metaclass(abc.ABCMeta)): @abc.abstractproperty def tag(self): """ - Returns tag bytes after finalizing encryption. + Returns tag bytes. This is only available after encryption is + finalized. """ @@ -105,13 +115,13 @@ class PaddingContext(six.with_metaclass(abc.ABCMeta)): @abc.abstractmethod def update(self, data): """ - update takes bytes and return bytes + Pads the provided bytes and returns any available data as bytes. """ @abc.abstractmethod def finalize(self): """ - finalize return bytes + Finalize the padding, returns bytes. """ @@ -119,7 +129,7 @@ class HashAlgorithm(six.with_metaclass(abc.ABCMeta)): @abc.abstractproperty def name(self): """ - A string naming this algorithm. (e.g. sha256, md5) + A string naming this algorithm (e.g. "sha256", "md5"). """ @abc.abstractproperty @@ -145,17 +155,17 @@ class HashContext(six.with_metaclass(abc.ABCMeta)): @abc.abstractmethod def update(self, data): """ - hash data as bytes + Processes the provided bytes through the hash. """ @abc.abstractmethod def finalize(self): """ - finalize this copy of the hash and return the digest as bytes. + Finalizes the hash context and returns the hash digest as bytes. """ @abc.abstractmethod def copy(self): """ - return a HashContext that is a copy of the current context. + Return a HashContext that is a copy of the current context. """ diff --git a/cryptography/hazmat/primitives/padding.py b/cryptography/hazmat/primitives/padding.py index cfa90db9..e517dee0 100644 --- a/cryptography/hazmat/primitives/padding.py +++ b/cryptography/hazmat/primitives/padding.py @@ -21,11 +21,9 @@ from cryptography.hazmat.primitives import interfaces _ffi = cffi.FFI() _ffi.cdef(""" -bool Cryptography_check_pkcs7_padding(const uint8_t *, uint8_t); +uint8_t Cryptography_check_pkcs7_padding(const uint8_t *, uint8_t); """) _lib = _ffi.verify(""" -#include <stdbool.h> - /* Returns the value of the input with the most-significant-bit copied to all of the bits. */ static uint8_t Cryptography_DUPLICATE_MSB_TO_ALL(uint8_t a) { @@ -39,7 +37,8 @@ static uint8_t Cryptography_constant_time_lt(uint8_t a, uint8_t b) { return Cryptography_DUPLICATE_MSB_TO_ALL(a); } -bool Cryptography_check_pkcs7_padding(const uint8_t *data, uint8_t block_len) { +uint8_t Cryptography_check_pkcs7_padding(const uint8_t *data, + uint8_t block_len) { uint8_t i; uint8_t pad_size = data[block_len - 1]; uint8_t mismatch = 0; diff --git a/docs/api-stability.rst b/docs/api-stability.rst new file mode 100644 index 00000000..e87cc140 --- /dev/null +++ b/docs/api-stability.rst @@ -0,0 +1,51 @@ +API Stability +============= + +From its first release, ``cryptography`` will have a strong API stability +policy. + +What does this policy cover? +---------------------------- + +This policy includes any API or behavior which is documented in this +documentation. + +What does "stable" mean? +------------------------ + +* Public APIs will not be removed or renamed without providing a compatibility + alias. +* The behavior of existing APIs will not change. + +What doesn't this policy cover? +------------------------------- + +* We may add new features, things like the result of ``dir(obj))`` or the + contents of ``obj.__dict__`` may change. +* Objects are not guaranteed to be pickleable, and pickled objects from one + version of ``cryptography`` may not be loadable in future versions. +* Development versions of ``cryptography``. Before a feature is in a release, + it is not covered by this policy and may change. + +Security +~~~~~~~~ + +One exception to our API stability policy is for security. We will violate this +policy as necessary in order to resolve a security issue or harden +``cryptography`` against a possible attack. + +Deprecation +----------- + +From time to time we will want to change the behavior of an API or remove it +entirely. In that case, here's how the process will work: + +* In ``cryptography X.Y`` the feature exists. +* In ``cryptography X.Y+1`` using that feature will emit a + ``PendingDeprecationWarning``. +* In ``cryptography X.Y+2`` using that feature will emit a + ``DeprecationWarning``. +* In ``cryptography X.Y+3`` the feature will be removed or changed. + +In short, code which runs without warnings will always continue to work for a +period of two releases. diff --git a/docs/conf.py b/docs/conf.py index 5092e4d3..5dbcdab8 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -54,7 +54,7 @@ master_doc = 'index' # General information about the project. project = 'Cryptography' -copyright = '2013, Individual Contributors' +copyright = '2013-2014, Individual Contributors' # The version info for the project you're documenting, acts as replacement for # |version| and |release|, also used in various other places throughout the diff --git a/docs/contributing.rst b/docs/contributing.rst index cb9c7283..657c4359 100644 --- a/docs/contributing.rst +++ b/docs/contributing.rst @@ -53,11 +53,10 @@ API Considerations Most projects' APIs are designed with a philosophy of "make easy things easy, and make hard things possible". One of the perils of writing cryptographic code -is that code that is secure looks just like code that isn't, and produces -results that are also difficult to distinguish. As a result ``cryptography`` -has, as a design philosophy: "make it hard to do insecure things". Here are a -few strategies for API design which should be both followed, and should inspire -other API choices: +is that secure code looks just like insecure code, and its results are almost +always indistinguishable. As a result ``cryptography`` has, as a design +philosophy: "make it hard to do insecure things". Here are a few strategies for +API design which should be both followed, and should inspire other API choices: If it is incorrect to ignore the result of a method, it should raise an exception, and not return a boolean ``True``/``False`` flag. For example, a @@ -77,6 +76,10 @@ whether the signature was valid. if not is_valid: raise InvalidSignature +Every recipe should include a version or algorithmic marker of some sort in its +output in order to allow transparent upgrading of the algorithms in use, as +the algorithms or parameters needed to achieve a given security margin evolve. + APIs at the :doc:`/hazmat/primitives/index` layer should always take an explicit backend, APIs at the recipes layer should automatically use the :func:`~cryptography.hazmat.backends.default_backend`, but optionally allow @@ -107,14 +110,14 @@ Don't name parameters: ...; }; -Don't include stray ``void`` parameters: +Include ``void`` if the function takes no arguments: .. code-block:: c // Good - long f(); - // Bad long f(void); + // Bad + long f(); Wrap lines at 80 characters like so: @@ -133,6 +136,22 @@ Include a space after commas between parameters: // Bad long f(int,char *) +Values set by ``#define`` should be assigned the appropriate type. If you see +this: + +.. code-block:: c + + #define SOME_INTEGER_LITERAL 0x0; + #define SOME_UNSIGNED_INTEGER_LITERAL 0x0001U; + #define SOME_STRING_LITERAL "hello"; + +...it should be added to the bindings like so: + +.. code-block:: c + + static const int SOME_INTEGER_LITERAL; + static const unsigned int SOME_UNSIGNED_INTEGER_LITERAL; + static const char *const SOME_STRING_LITERAL; Documentation ------------- @@ -163,7 +182,7 @@ as much as possible. To that end: * When documenting a generic interface, use a strong algorithm in examples. (e.g. when showing a hashing example, don't use - :class:`cryptography.hazmat.primitives.hashes.MD5`) + :class:`~cryptography.hazmat.primitives.hashes.MD5`) * When giving prescriptive advice, always provide references and supporting material. * When there is real disagreement between cryptographic experts, represent both @@ -206,7 +225,7 @@ automatically, so all you have to do is: $ py.test ... - 4294 passed in 15.24 seconds + 62746 passed in 220.43 seconds This runs the tests with the default Python interpreter. @@ -244,7 +263,8 @@ Use `tox`_ to build the documentation. For example: docs: commands succeeded congratulations :) -The HTML documentation index can now be found at ``docs/_build/html/index.html`` +The HTML documentation index can now be found at +``docs/_build/html/index.html``. .. _`GitHub`: https://github.com/pyca/cryptography diff --git a/docs/exceptions.rst b/docs/exceptions.rst index 087066b8..1fbd3267 100644 --- a/docs/exceptions.rst +++ b/docs/exceptions.rst @@ -8,6 +8,12 @@ Exceptions This is raised when a context is used after being finalized. +.. class:: InvalidSignature + + This is raised when the verify method of a hash context does not + compare equal. + + .. class:: NotYetFinalized This is raised when the AEAD tag property is accessed on a context diff --git a/docs/hazmat/backends/index.rst b/docs/hazmat/backends/index.rst index a89cf0d5..06951281 100644 --- a/docs/hazmat/backends/index.rst +++ b/docs/hazmat/backends/index.rst @@ -1,17 +1,10 @@ .. hazmat:: -Bindings +Backends ======== -.. toctree:: - :maxdepth: 1 - - openssl - interfaces - - -Getting a Backend Provider -~~~~~~~~~~~~~~~~~~~~~~~~~~ +Getting a Backend +----------------- .. currentmodule:: cryptography.hazmat.backends @@ -19,8 +12,7 @@ Getting a Backend Provider the widest number of supported cryptographic algorithms as well as supporting platform specific implementations. -You can get the default backend by calling -:func:`~default_backend`. +You can get the default backend by calling :func:`~default_backend`. The default backend will change over time as we implement new backends and the libraries we use in those backends changes. @@ -32,3 +24,11 @@ the libraries we use in those backends changes. :class:`~interfaces.CipherBackend`, :class:`~interfaces.HashBackend`, and :class:`~interfaces.HMACBackend`. +Individual Backends +------------------- + +.. toctree:: + :maxdepth: 1 + + openssl + interfaces diff --git a/docs/hazmat/backends/interfaces.rst b/docs/hazmat/backends/interfaces.rst index b524943d..5b6cd64d 100644 --- a/docs/hazmat/backends/interfaces.rst +++ b/docs/hazmat/backends/interfaces.rst @@ -126,6 +126,17 @@ A specific ``backend`` may provide one or more of these interfaces. A backend with methods for using cryptographic hash functions as message authentication codes. + .. method:: hmac_supported(algorithm) + + Check if the specified ``algorithm`` is supported by this backend. + + :param algorithm: An instance of a + :class:`~cryptography.hazmat.primitives.interfaces.HashAlgorithm` + provider. + + :returns: ``True`` if the specified ``algorithm`` is supported for HMAC + by this backend, otherwise ``False``. + .. method:: create_hmac_ctx(algorithm) Create a diff --git a/docs/hazmat/backends/openssl.rst b/docs/hazmat/backends/openssl.rst index 12fbff04..99b327d9 100644 --- a/docs/hazmat/backends/openssl.rst +++ b/docs/hazmat/backends/openssl.rst @@ -1,7 +1,7 @@ .. hazmat:: -OpenSSL -======= +OpenSSL Backend +=============== These are `CFFI`_ bindings to the `OpenSSL`_ C library. @@ -21,5 +21,32 @@ These are `CFFI`_ bindings to the `OpenSSL`_ C library. and access constants. +Using your own OpenSSL on Linux +------------------------------- + +Python links to OpenSSL for its own purposes and this can sometimes cause +problems when you wish to use a different version of OpenSSL with cryptography. +If you want to use cryptography with your own build of OpenSSL you will need to +make sure that the build is configured correctly so that your version of +OpenSSL doesn't conflict with Python's. + +The options you need to add allow the linker to identify every symbol correctly +even when multiple versions of the library are linked into the same program. If +you are using your distribution's source packages these will probably be +patched in for you already, otherwise you'll need to use options something like +this when configuring OpenSSL:: + + ./config -Wl,--version-script=openssl.ld -Wl,-Bsymbolic-functions -fPIC shared + +You'll also need to generate your own ``openssl.ld`` file. For example:: + + OPENSSL_1.0.1F_CUSTOM { + global: + *; + }; + +You should replace the version string on the first line as appropriate for your +build. + .. _`CFFI`: https://cffi.readthedocs.org/ .. _`OpenSSL`: https://www.openssl.org/ diff --git a/docs/hazmat/primitives/cryptographic-hashes.rst b/docs/hazmat/primitives/cryptographic-hashes.rst index 90ca198a..38347378 100644 --- a/docs/hazmat/primitives/cryptographic-hashes.rst +++ b/docs/hazmat/primitives/cryptographic-hashes.rst @@ -28,6 +28,9 @@ Message Digests >>> digest.finalize() 'l\xa1=R\xcap\xc8\x83\xe0\xf0\xbb\x10\x1eBZ\x89\xe8bM\xe5\x1d\xb2\xd29%\x93\xafj\x84\x11\x80\x90' + If the backend doesn't support the requested ``algorithm`` an + :class:`~cryptography.exceptions.UnsupportedAlgorithm` will be raised. + Keep in mind that attacks against cryptographic hashes only get stronger with time, and that often algorithms that were once thought to be strong, become broken. Because of this it's important to include a plan for diff --git a/docs/hazmat/primitives/hmac.rst b/docs/hazmat/primitives/hmac.rst index 0c0d0220..b8f94fd2 100644 --- a/docs/hazmat/primitives/hmac.rst +++ b/docs/hazmat/primitives/hmac.rst @@ -34,6 +34,8 @@ message. >>> h.finalize() '#F\xdaI\x8b"e\xc4\xf1\xbb\x9a\x8fc\xff\xf5\xdex.\xbc\xcd/+\x8a\x86\x1d\x84\'\xc3\xa6\x1d\xd8J' + If the backend doesn't support the requested ``algorithm`` an + :class:`~cryptography.exceptions.UnsupportedAlgorithm` will be raised. :param key: Secret key as ``bytes``. :param algorithm: A @@ -69,3 +71,11 @@ message. :return bytes: The message digest as bytes. :raises cryptography.exceptions.AlreadyFinalized: + + .. method:: verify(signature) + + Finalize the current context and securely compare digest to ``signature``. + + :param bytes signature: The bytes of the HMAC signature recieved. + :raises cryptography.exceptions.AlreadyFinalized: See :meth:`finalize` + :raises cryptography.exceptions.InvalidSignature: If signature does not match digest diff --git a/docs/hazmat/primitives/interfaces.rst b/docs/hazmat/primitives/interfaces.rst index e798c0e6..edb24cd9 100644 --- a/docs/hazmat/primitives/interfaces.rst +++ b/docs/hazmat/primitives/interfaces.rst @@ -36,6 +36,17 @@ Symmetric Ciphers The number of bits in the key being used. +.. class:: BlockCipherAlgorithm + + A block cipher algorithm. + + .. attribute:: block_size + + :type: int + + The number of bits in a block. + + Cipher Modes ------------ diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index f4d0457a..30896a05 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -61,7 +61,7 @@ an "encrypt-then-MAC" formulation as `described by Colin Percival`_. provider. If the backend doesn't support the requested combination of ``cipher`` - and ``mode`` an :class:`cryptography.exceptions.UnsupportedAlgorithm` + and ``mode`` an :class:`~cryptography.exceptions.UnsupportedAlgorithm` will be raised. .. method:: decryptor() @@ -352,6 +352,16 @@ Modes Do not reuse an ``initialization_vector`` with a given ``key``. + .. note:: + + Cryptography will emit a 128-bit tag when finalizing encryption. + You can shorten a tag by truncating it to the desired length, but this + is **not recommended** as it lowers the security margins of the + authentication (`NIST SP-800-38D`_ recommends 96-bits or greater). + If you must shorten the tag the minimum allowed length is 4 bytes + (32-bits). Applications **must** verify the tag is the expected length + to guarantee the expected security margin. + :param bytes tag: The tag bytes to verify during decryption. When encrypting this must be None. @@ -390,3 +400,4 @@ Insecure Modes .. _`described by Colin Percival`: http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html .. _`recommends 96-bit IV length`: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf +.. _`NIST SP-800-38D`: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf diff --git a/docs/index.rst b/docs/index.rst index 776c9d37..70558bda 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -32,9 +32,24 @@ existing libraries: * Poor introspectability, and thus poor testability. * Extremely error prone APIs, and bad defaults. +Layout +------ -Contents --------- +``cryptography`` is broadly divided into two levels. One with safe +cryptographic recipes, "cryptography for humans" if you will. These are safe +and easy to use and don't require developers to make many decisions. + +The other level is low-level cryptographic primitives. These are often +dangerous and can be used incorrectly. They require making decisions and having +an in-depth knowledge of the cryptographic concepts at work. Because of the +potential danger in working at this level, this is referred to as the +"hazardous materials" or "hazmat" layer. + +We recommend using the recipes layer whenever possible, and falling back to the +hazmat layer only when necessary. + +The recipes layer +~~~~~~~~~~~~~~~~~ .. toctree:: :maxdepth: 2 @@ -42,15 +57,23 @@ Contents architecture exceptions glossary - contributing - security - community -Hazardous Materials -------------------- +The hazardous materials layer +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. toctree:: :maxdepth: 2 hazmat/primitives/index hazmat/backends/index + +The ``cryptography`` open source project +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. toctree:: + :maxdepth: 2 + + contributing + security + api-stability + community @@ -1,2 +1,7 @@ [pytest] addopts = -r s +markers = + hmac: this test requires a backend providing HMACBackend + cipher: this test requires a backend providing CipherBackend + hash: this test requires a backend providing HashBackend + supported: parametrized test requiring only_if and skip_message diff --git a/tests/conftest.py b/tests/conftest.py index 71662802..0ddc3338 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -1,5 +1,22 @@ +import pytest + +from cryptography.hazmat.backends.interfaces import ( + HMACBackend, CipherBackend, HashBackend +) + +from .utils import check_for_iface, check_backend_support + + def pytest_generate_tests(metafunc): from cryptography.hazmat.backends import _ALL_BACKENDS if "backend" in metafunc.fixturenames: metafunc.parametrize("backend", _ALL_BACKENDS) + + +@pytest.mark.trylast +def pytest_runtest_setup(item): + check_for_iface("hmac", HMACBackend, item) + check_for_iface("cipher", CipherBackend, item) + check_for_iface("hash", HashBackend, item) + check_backend_support(item) diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 9c8fea2a..23f9bff1 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -23,14 +23,17 @@ from cryptography.hazmat.primitives.ciphers.algorithms import AES from cryptography.hazmat.primitives.ciphers.modes import CBC +@utils.register_interface(interfaces.Mode) class DummyMode(object): + name = "dummy-mode" + def validate_for_algorithm(self, algorithm): pass @utils.register_interface(interfaces.CipherAlgorithm) class DummyCipher(object): - pass + name = "dummy-cipher" class TestOpenSSL(object): @@ -63,15 +66,16 @@ class TestOpenSSL(object): assert b.ffi is backend.ffi assert b.lib is backend.lib - def test_nonexistent_cipher(self): + @pytest.mark.parametrize("mode", [DummyMode(), None]) + def test_nonexistent_cipher(self, mode): b = Backend() b.register_cipher_adapter( DummyCipher, - DummyMode, + type(mode), lambda backend, cipher, mode: backend.ffi.NULL ) cipher = Cipher( - DummyCipher(), DummyMode(), backend=b, + DummyCipher(), mode, backend=b, ) with pytest.raises(UnsupportedAlgorithm): cipher.encryptor() diff --git a/tests/hazmat/primitives/test_3des.py b/tests/hazmat/primitives/test_3des.py index 69ec9c9a..581c47eb 100644 --- a/tests/hazmat/primitives/test_3des.py +++ b/tests/hazmat/primitives/test_3des.py @@ -20,12 +20,21 @@ from __future__ import absolute_import, division, print_function import binascii import os +import pytest + from cryptography.hazmat.primitives.ciphers import algorithms, modes from .utils import generate_encrypt_test from ...utils import load_nist_vectors +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.TripleDES("\x00" * 8), modes.CBC("\x00" * 8) + ), + skip_message="Does not support TripleDES CBC", +) +@pytest.mark.cipher class TestTripleDES_CBC(object): test_KAT = generate_encrypt_test( load_nist_vectors, @@ -37,8 +46,8 @@ class TestTripleDES_CBC(object): "TCBCvarkey.rsp", "TCBCvartext.rsp", ], - lambda keys, iv: algorithms.TripleDES(binascii.unhexlify(keys)), - lambda keys, iv: modes.CBC(binascii.unhexlify(iv)), + lambda keys, **kwargs: algorithms.TripleDES(binascii.unhexlify(keys)), + lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), ) test_MMT = generate_encrypt_test( @@ -49,13 +58,20 @@ class TestTripleDES_CBC(object): "TCBCMMT2.rsp", "TCBCMMT3.rsp", ], - lambda key1, key2, key3, iv: ( - algorithms.TripleDES(binascii.unhexlify(key1 + key2 + key3)) + lambda key1, key2, key3, **kwargs: algorithms.TripleDES( + binascii.unhexlify(key1 + key2 + key3) ), - lambda key1, key2, key3, iv: modes.CBC(binascii.unhexlify(iv)), + lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), ) +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.TripleDES("\x00" * 8), modes.OFB("\x00" * 8) + ), + skip_message="Does not support TripleDES OFB", +) +@pytest.mark.cipher class TestTripleDES_OFB(object): test_KAT = generate_encrypt_test( load_nist_vectors, @@ -67,8 +83,8 @@ class TestTripleDES_OFB(object): "TOFBvartext.rsp", "TOFBinvperm.rsp", ], - lambda keys, iv: algorithms.TripleDES(binascii.unhexlify(keys)), - lambda keys, iv: modes.OFB(binascii.unhexlify(iv)), + lambda keys, **kwargs: algorithms.TripleDES(binascii.unhexlify(keys)), + lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), ) test_MMT = generate_encrypt_test( @@ -79,13 +95,20 @@ class TestTripleDES_OFB(object): "TOFBMMT2.rsp", "TOFBMMT3.rsp", ], - lambda key1, key2, key3, iv: ( - algorithms.TripleDES(binascii.unhexlify(key1 + key2 + key3)) + lambda key1, key2, key3, **kwargs: algorithms.TripleDES( + binascii.unhexlify(key1 + key2 + key3) ), - lambda key1, key2, key3, iv: modes.OFB(binascii.unhexlify(iv)), + lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), ) +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.TripleDES("\x00" * 8), modes.CFB("\x00" * 8) + ), + skip_message="Does not support TripleDES CFB", +) +@pytest.mark.cipher class TestTripleDES_CFB(object): test_KAT = generate_encrypt_test( load_nist_vectors, @@ -97,8 +120,8 @@ class TestTripleDES_CFB(object): "TCFB64varkey.rsp", "TCFB64vartext.rsp", ], - lambda keys, iv: algorithms.TripleDES(binascii.unhexlify(keys)), - lambda keys, iv: modes.CFB(binascii.unhexlify(iv)), + lambda keys, **kwargs: algorithms.TripleDES(binascii.unhexlify(keys)), + lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), ) test_MMT = generate_encrypt_test( @@ -109,8 +132,8 @@ class TestTripleDES_CFB(object): "TCFB64MMT2.rsp", "TCFB64MMT3.rsp", ], - lambda key1, key2, key3, iv: ( - algorithms.TripleDES(binascii.unhexlify(key1 + key2 + key3)) + lambda key1, key2, key3, **kwargs: algorithms.TripleDES( + binascii.unhexlify(key1 + key2 + key3) ), - lambda key1, key2, key3, iv: modes.CFB(binascii.unhexlify(iv)), + lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), ) diff --git a/tests/hazmat/primitives/test_aes.py b/tests/hazmat/primitives/test_aes.py index f7b0b9a0..8cba8c66 100644 --- a/tests/hazmat/primitives/test_aes.py +++ b/tests/hazmat/primitives/test_aes.py @@ -16,6 +16,8 @@ from __future__ import absolute_import, division, print_function import binascii import os +import pytest + from cryptography.hazmat.primitives.ciphers import algorithms, modes from .utils import generate_encrypt_test, generate_aead_test @@ -24,7 +26,14 @@ from ...utils import ( ) -class TestAES(object): +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.AES("\x00" * 16), modes.CBC("\x00" * 16) + ), + skip_message="Does not support AES CBC", +) +@pytest.mark.cipher +class TestAES_CBC(object): test_CBC = generate_encrypt_test( load_nist_vectors, os.path.join("ciphers", "AES", "CBC"), @@ -45,10 +54,19 @@ class TestAES(object): "CBCMMT192.rsp", "CBCMMT256.rsp", ], - lambda key, iv: algorithms.AES(binascii.unhexlify(key)), - lambda key, iv: modes.CBC(binascii.unhexlify(iv)), + lambda key, **kwargs: algorithms.AES(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), ) + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.AES("\x00" * 16), modes.ECB() + ), + skip_message="Does not support AES ECB", +) +@pytest.mark.cipher +class TestAES_ECB(object): test_ECB = generate_encrypt_test( load_nist_vectors, os.path.join("ciphers", "AES", "ECB"), @@ -69,10 +87,19 @@ class TestAES(object): "ECBMMT192.rsp", "ECBMMT256.rsp", ], - lambda key: algorithms.AES(binascii.unhexlify(key)), - lambda key: modes.ECB(), + lambda key, **kwargs: algorithms.AES(binascii.unhexlify(key)), + lambda **kwargs: modes.ECB(), ) + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.AES("\x00" * 16), modes.OFB("\x00" * 16) + ), + skip_message="Does not support AES OFB", +) +@pytest.mark.cipher +class TestAES_OFB(object): test_OFB = generate_encrypt_test( load_nist_vectors, os.path.join("ciphers", "AES", "OFB"), @@ -93,10 +120,19 @@ class TestAES(object): "OFBMMT192.rsp", "OFBMMT256.rsp", ], - lambda key, iv: algorithms.AES(binascii.unhexlify(key)), - lambda key, iv: modes.OFB(binascii.unhexlify(iv)), + lambda key, **kwargs: algorithms.AES(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), ) + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.AES("\x00" * 16), modes.CFB("\x00" * 16) + ), + skip_message="Does not support AES CFB", +) +@pytest.mark.cipher +class TestAES_CFB(object): test_CFB = generate_encrypt_test( load_nist_vectors, os.path.join("ciphers", "AES", "CFB"), @@ -117,22 +153,36 @@ class TestAES(object): "CFB128MMT192.rsp", "CFB128MMT256.rsp", ], - lambda key, iv: algorithms.AES(binascii.unhexlify(key)), - lambda key, iv: modes.CFB(binascii.unhexlify(iv)), + lambda key, **kwargs: algorithms.AES(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), ) + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.AES("\x00" * 16), modes.CTR("\x00" * 16) + ), + skip_message="Does not support AES CTR", +) +@pytest.mark.cipher +class TestAES_CTR(object): test_CTR = generate_encrypt_test( load_openssl_vectors, os.path.join("ciphers", "AES", "CTR"), ["aes-128-ctr.txt", "aes-192-ctr.txt", "aes-256-ctr.txt"], - lambda key, iv: algorithms.AES(binascii.unhexlify(key)), - lambda key, iv: modes.CTR(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.CTR("\x00" * 16) - ), - skip_message="Does not support AES CTR", + lambda key, **kwargs: algorithms.AES(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CTR(binascii.unhexlify(iv)), ) + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.AES("\x00" * 16), modes.GCM("\x00" * 12) + ), + skip_message="Does not support AES GCM", +) +@pytest.mark.cipher +class TestAES_GCM(object): test_GCM = generate_aead_test( load_nist_vectors, os.path.join("ciphers", "AES", "GCM"), @@ -146,8 +196,4 @@ class TestAES(object): ], lambda key: algorithms.AES(key), lambda iv, tag: modes.GCM(iv, tag), - only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.GCM("\x00" * 12) - ), - skip_message="Does not support AES GCM", ) diff --git a/tests/hazmat/primitives/test_arc4.py b/tests/hazmat/primitives/test_arc4.py index d233bec2..33f7ff09 100644 --- a/tests/hazmat/primitives/test_arc4.py +++ b/tests/hazmat/primitives/test_arc4.py @@ -16,12 +16,21 @@ from __future__ import absolute_import, division, print_function import binascii import os +import pytest + from cryptography.hazmat.primitives.ciphers import algorithms from .utils import generate_stream_encryption_test from ...utils import load_nist_vectors +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.ARC4("\x00" * 16), None + ), + skip_message="Does not support ARC4", +) +@pytest.mark.cipher class TestARC4(object): test_rfc = generate_stream_encryption_test( load_nist_vectors, @@ -35,9 +44,5 @@ class TestARC4(object): "rfc-6229-192.txt", "rfc-6229-256.txt", ], - lambda key: algorithms.ARC4(binascii.unhexlify((key))), - only_if=lambda backend: backend.cipher_supported( - algorithms.ARC4("\x00" * 16), None - ), - skip_message="Does not support ARC4", + lambda key, **kwargs: algorithms.ARC4(binascii.unhexlify(key)), ) diff --git a/tests/hazmat/primitives/test_block.py b/tests/hazmat/primitives/test_block.py index 7c4331e0..f758ffaa 100644 --- a/tests/hazmat/primitives/test_block.py +++ b/tests/hazmat/primitives/test_block.py @@ -31,16 +31,20 @@ from .utils import ( ) -@utils.register_interface(interfaces.CipherAlgorithm) -class DummyCipher(object): - pass - - +@utils.register_interface(interfaces.Mode) class DummyMode(object): + name = "dummy-mode" + def validate_for_algorithm(self, algorithm): pass +@utils.register_interface(interfaces.CipherAlgorithm) +class DummyCipher(object): + name = "dummy-cipher" + + +@pytest.mark.cipher class TestCipher(object): def test_creates_encryptor(self, backend): cipher = Cipher( @@ -64,6 +68,7 @@ class TestCipher(object): Cipher(algorithm, mode=None, backend=backend) +@pytest.mark.cipher class TestCipherContext(object): def test_use_after_finalize(self, backend): cipher = Cipher( @@ -106,9 +111,10 @@ class TestCipherContext(object): assert pt == b"a" * 80 decryptor.finalize() - def test_nonexistent_cipher(self, backend): + @pytest.mark.parametrize("mode", [DummyMode(), None]) + def test_nonexistent_cipher(self, backend, mode): cipher = Cipher( - DummyCipher(), DummyMode(), backend + DummyCipher(), mode, backend ) with pytest.raises(UnsupportedAlgorithm): cipher.encryptor() @@ -133,22 +139,21 @@ class TestCipherContext(object): decryptor.finalize() +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.AES("\x00" * 16), modes.GCM("\x00" * 12) + ), + skip_message="Does not support AES GCM", +) +@pytest.mark.cipher class TestAEADCipherContext(object): test_aead_exceptions = generate_aead_exception_test( algorithms.AES, modes.GCM, - only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.GCM("\x00" * 12) - ), - skip_message="Does not support AES GCM", ) test_aead_tag_exceptions = generate_aead_tag_exception_test( algorithms.AES, modes.GCM, - only_if=lambda backend: backend.cipher_supported( - algorithms.AES("\x00" * 16), modes.GCM("\x00" * 12) - ), - skip_message="Does not support AES GCM", ) diff --git a/tests/hazmat/primitives/test_blowfish.py b/tests/hazmat/primitives/test_blowfish.py index d5fbed6f..18512a6e 100644 --- a/tests/hazmat/primitives/test_blowfish.py +++ b/tests/hazmat/primitives/test_blowfish.py @@ -16,57 +16,77 @@ from __future__ import absolute_import, division, print_function import binascii import os +import pytest + from cryptography.hazmat.primitives.ciphers import algorithms, modes from .utils import generate_encrypt_test from ...utils import load_nist_vectors -class TestBlowfish(object): +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.Blowfish("\x00" * 56), modes.ECB() + ), + skip_message="Does not support Blowfish ECB", +) +@pytest.mark.cipher +class TestBlowfish_ECB(object): test_ECB = generate_encrypt_test( load_nist_vectors, os.path.join("ciphers", "Blowfish"), ["bf-ecb.txt"], - lambda key: algorithms.Blowfish(binascii.unhexlify(key)), - lambda key: modes.ECB(), - only_if=lambda backend: backend.cipher_supported( - algorithms.Blowfish("\x00" * 56), modes.ECB() - ), - skip_message="Does not support Blowfish ECB", + lambda key, **kwargs: algorithms.Blowfish(binascii.unhexlify(key)), + lambda **kwargs: modes.ECB(), ) + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.Blowfish("\x00" * 56), modes.CBC("\x00" * 8) + ), + skip_message="Does not support Blowfish CBC", +) +@pytest.mark.cipher +class TestBlowfish_CBC(object): test_CBC = generate_encrypt_test( load_nist_vectors, os.path.join("ciphers", "Blowfish"), ["bf-cbc.txt"], - lambda key, iv: algorithms.Blowfish(binascii.unhexlify(key)), - lambda key, iv: modes.CBC(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.Blowfish("\x00" * 56), modes.CBC("\x00" * 8) - ), - skip_message="Does not support Blowfish CBC", + lambda key, **kwargs: algorithms.Blowfish(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), ) + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.Blowfish("\x00" * 56), modes.OFB("\x00" * 8) + ), + skip_message="Does not support Blowfish OFB", +) +@pytest.mark.cipher +class TestBlowfish_OFB(object): test_OFB = generate_encrypt_test( load_nist_vectors, os.path.join("ciphers", "Blowfish"), ["bf-ofb.txt"], - lambda key, iv: algorithms.Blowfish(binascii.unhexlify(key)), - lambda key, iv: modes.OFB(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.Blowfish("\x00" * 56), modes.OFB("\x00" * 8) - ), - skip_message="Does not support Blowfish OFB", + lambda key, **kwargs: algorithms.Blowfish(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), ) + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.Blowfish("\x00" * 56), modes.CFB("\x00" * 8) + ), + skip_message="Does not support Blowfish CFB", +) +@pytest.mark.cipher +class TestBlowfish_CFB(object): test_CFB = generate_encrypt_test( load_nist_vectors, os.path.join("ciphers", "Blowfish"), ["bf-cfb.txt"], - lambda key, iv: algorithms.Blowfish(binascii.unhexlify(key)), - lambda key, iv: modes.CFB(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.Blowfish("\x00" * 56), modes.CFB("\x00" * 8) - ), - skip_message="Does not support Blowfish CFB", + lambda key, **kwargs: algorithms.Blowfish(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), ) diff --git a/tests/hazmat/primitives/test_camellia.py b/tests/hazmat/primitives/test_camellia.py index a2c935d9..7c56f6f9 100644 --- a/tests/hazmat/primitives/test_camellia.py +++ b/tests/hazmat/primitives/test_camellia.py @@ -16,6 +16,8 @@ from __future__ import absolute_import, division, print_function import binascii import os +import pytest + from cryptography.hazmat.primitives.ciphers import algorithms, modes from .utils import generate_encrypt_test @@ -24,7 +26,14 @@ from ...utils import ( ) -class TestCamellia(object): +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.Camellia("\x00" * 16), modes.ECB() + ), + skip_message="Does not support Camellia ECB", +) +@pytest.mark.cipher +class TestCamellia_ECB(object): test_ECB = generate_encrypt_test( load_cryptrec_vectors, os.path.join("ciphers", "Camellia"), @@ -33,46 +42,57 @@ class TestCamellia(object): "camellia-192-ecb.txt", "camellia-256-ecb.txt" ], - lambda key: algorithms.Camellia(binascii.unhexlify((key))), - lambda key: modes.ECB(), - only_if=lambda backend: backend.cipher_supported( - algorithms.Camellia("\x00" * 16), modes.ECB() - ), - skip_message="Does not support Camellia ECB", + lambda key, **kwargs: algorithms.Camellia(binascii.unhexlify(key)), + lambda **kwargs: modes.ECB(), ) + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.Camellia("\x00" * 16), modes.CBC("\x00" * 16) + ), + skip_message="Does not support Camellia CBC", +) +@pytest.mark.cipher +class TestCamellia_CBC(object): test_CBC = generate_encrypt_test( load_openssl_vectors, os.path.join("ciphers", "Camellia"), ["camellia-cbc.txt"], - lambda key, iv: algorithms.Camellia(binascii.unhexlify(key)), - lambda key, iv: modes.CBC(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.Camellia("\x00" * 16), modes.CBC("\x00" * 16) - ), - skip_message="Does not support Camellia CBC", + lambda key, **kwargs: algorithms.Camellia(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)), ) + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.Camellia("\x00" * 16), modes.OFB("\x00" * 16) + ), + skip_message="Does not support Camellia OFB", +) +@pytest.mark.cipher +class TestCamellia_OFB(object): test_OFB = generate_encrypt_test( load_openssl_vectors, os.path.join("ciphers", "Camellia"), ["camellia-ofb.txt"], - lambda key, iv: algorithms.Camellia(binascii.unhexlify(key)), - lambda key, iv: modes.OFB(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.Camellia("\x00" * 16), modes.OFB("\x00" * 16) - ), - skip_message="Does not support Camellia OFB", + lambda key, **kwargs: algorithms.Camellia(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)), ) + +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.Camellia("\x00" * 16), modes.CFB("\x00" * 16) + ), + skip_message="Does not support Camellia CFB", +) +@pytest.mark.cipher +class TestCamellia_CFB(object): test_CFB = generate_encrypt_test( load_openssl_vectors, os.path.join("ciphers", "Camellia"), ["camellia-cfb.txt"], - lambda key, iv: algorithms.Camellia(binascii.unhexlify(key)), - lambda key, iv: modes.CFB(binascii.unhexlify(iv)), - only_if=lambda backend: backend.cipher_supported( - algorithms.Camellia("\x00" * 16), modes.CFB("\x00" * 16) - ), - skip_message="Does not support Camellia CFB", + lambda key, **kwargs: algorithms.Camellia(binascii.unhexlify(key)), + lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)), ) diff --git a/tests/hazmat/primitives/test_cast5.py b/tests/hazmat/primitives/test_cast5.py index a283dafc..d65a86b2 100644 --- a/tests/hazmat/primitives/test_cast5.py +++ b/tests/hazmat/primitives/test_cast5.py @@ -16,21 +16,26 @@ from __future__ import absolute_import, division, print_function import binascii import os +import pytest + from cryptography.hazmat.primitives.ciphers import algorithms, modes from .utils import generate_encrypt_test from ...utils import load_nist_vectors +@pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + algorithms.CAST5("\x00" * 16), modes.ECB() + ), + skip_message="Does not support CAST5 ECB", +) +@pytest.mark.cipher class TestCAST5(object): test_ECB = generate_encrypt_test( load_nist_vectors, os.path.join("ciphers", "CAST5"), ["cast5-ecb.txt"], - lambda key: algorithms.CAST5(binascii.unhexlify((key))), - lambda key: modes.ECB(), - only_if=lambda backend: backend.cipher_supported( - algorithms.CAST5("\x00" * 16), modes.ECB() - ), - skip_message="Does not support CAST5 ECB", + lambda key, **kwargs: algorithms.CAST5(binascii.unhexlify((key))), + lambda **kwargs: modes.ECB(), ) diff --git a/tests/hazmat/primitives/test_hash_vectors.py b/tests/hazmat/primitives/test_hash_vectors.py index a8655812..13ffc3fd 100644 --- a/tests/hazmat/primitives/test_hash_vectors.py +++ b/tests/hazmat/primitives/test_hash_vectors.py @@ -15,12 +15,19 @@ from __future__ import absolute_import, division, print_function import os +import pytest + from cryptography.hazmat.primitives import hashes from .utils import generate_hash_test, generate_long_string_hash_test from ...utils import load_hash_vectors +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.SHA1), + skip_message="Does not support SHA1", +) +@pytest.mark.hash class TestSHA1(object): test_SHA1 = generate_hash_test( load_hash_vectors, @@ -30,11 +37,14 @@ class TestSHA1(object): "SHA1ShortMsg.rsp", ], hashes.SHA1(), - only_if=lambda backend: backend.hash_supported(hashes.SHA1), - skip_message="Does not support SHA1", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.SHA224), + skip_message="Does not support SHA224", +) +@pytest.mark.hash class TestSHA224(object): test_SHA224 = generate_hash_test( load_hash_vectors, @@ -44,11 +54,14 @@ class TestSHA224(object): "SHA224ShortMsg.rsp", ], hashes.SHA224(), - only_if=lambda backend: backend.hash_supported(hashes.SHA224), - skip_message="Does not support SHA224", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.SHA256), + skip_message="Does not support SHA256", +) +@pytest.mark.hash class TestSHA256(object): test_SHA256 = generate_hash_test( load_hash_vectors, @@ -58,11 +71,14 @@ class TestSHA256(object): "SHA256ShortMsg.rsp", ], hashes.SHA256(), - only_if=lambda backend: backend.hash_supported(hashes.SHA256), - skip_message="Does not support SHA256", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.SHA384), + skip_message="Does not support SHA384", +) +@pytest.mark.hash class TestSHA384(object): test_SHA384 = generate_hash_test( load_hash_vectors, @@ -72,11 +88,14 @@ class TestSHA384(object): "SHA384ShortMsg.rsp", ], hashes.SHA384(), - only_if=lambda backend: backend.hash_supported(hashes.SHA384), - skip_message="Does not support SHA384", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.SHA512), + skip_message="Does not support SHA512", +) +@pytest.mark.hash class TestSHA512(object): test_SHA512 = generate_hash_test( load_hash_vectors, @@ -86,11 +105,14 @@ class TestSHA512(object): "SHA512ShortMsg.rsp", ], hashes.SHA512(), - only_if=lambda backend: backend.hash_supported(hashes.SHA512), - skip_message="Does not support SHA512", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.RIPEMD160), + skip_message="Does not support RIPEMD160", +) +@pytest.mark.hash class TestRIPEMD160(object): test_RIPEMD160 = generate_hash_test( load_hash_vectors, @@ -99,18 +121,19 @@ class TestRIPEMD160(object): "ripevectors.txt", ], hashes.RIPEMD160(), - only_if=lambda backend: backend.hash_supported(hashes.RIPEMD160), - skip_message="Does not support RIPEMD160", ) test_RIPEMD160_long_string = generate_long_string_hash_test( hashes.RIPEMD160(), "52783243c1697bdbe16d37f97f68f08325dc1528", - only_if=lambda backend: backend.hash_supported(hashes.RIPEMD160), - skip_message="Does not support RIPEMD160", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.Whirlpool), + skip_message="Does not support Whirlpool", +) +@pytest.mark.hash class TestWhirlpool(object): test_whirlpool = generate_hash_test( load_hash_vectors, @@ -119,8 +142,6 @@ class TestWhirlpool(object): "iso-test-vectors.txt", ], hashes.Whirlpool(), - only_if=lambda backend: backend.hash_supported(hashes.Whirlpool), - skip_message="Does not support Whirlpool", ) test_whirlpool_long_string = generate_long_string_hash_test( @@ -128,11 +149,14 @@ class TestWhirlpool(object): ("0c99005beb57eff50a7cf005560ddf5d29057fd86b2" "0bfd62deca0f1ccea4af51fc15490eddc47af32bb2b" "66c34ff9ad8c6008ad677f77126953b226e4ed8b01"), - only_if=lambda backend: backend.hash_supported(hashes.Whirlpool), - skip_message="Does not support Whirlpool", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.MD5), + skip_message="Does not support MD5", +) +@pytest.mark.hash class TestMD5(object): test_md5 = generate_hash_test( load_hash_vectors, @@ -141,6 +165,4 @@ class TestMD5(object): "rfc-1321.txt", ], hashes.MD5(), - only_if=lambda backend: backend.hash_supported(hashes.MD5), - skip_message="Does not support MD5", ) diff --git a/tests/hazmat/primitives/test_hashes.py b/tests/hazmat/primitives/test_hashes.py index ff42e8f4..c907ef61 100644 --- a/tests/hazmat/primitives/test_hashes.py +++ b/tests/hazmat/primitives/test_hashes.py @@ -19,12 +19,19 @@ import pytest import six -from cryptography.exceptions import AlreadyFinalized -from cryptography.hazmat.primitives import hashes +from cryptography import utils +from cryptography.exceptions import AlreadyFinalized, UnsupportedAlgorithm +from cryptography.hazmat.primitives import hashes, interfaces from .utils import generate_base_hash_test +@utils.register_interface(interfaces.HashAlgorithm) +class UnsupportedDummyHash(object): + name = "unsupported-dummy-hash" + + +@pytest.mark.hash class TestHashContext(object): def test_hash_reject_unicode(self, backend): m = hashes.Hash(hashes.SHA1(), backend=backend) @@ -57,82 +64,110 @@ class TestHashContext(object): with pytest.raises(AlreadyFinalized): h.finalize() + def test_unsupported_hash(self, backend): + with pytest.raises(UnsupportedAlgorithm): + hashes.Hash(UnsupportedDummyHash(), backend) + +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.SHA1), + skip_message="Does not support SHA1", +) +@pytest.mark.hash class TestSHA1(object): test_SHA1 = generate_base_hash_test( hashes.SHA1(), digest_size=20, block_size=64, - only_if=lambda backend: backend.hash_supported(hashes.SHA1), - skip_message="Does not support SHA1", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.SHA224), + skip_message="Does not support SHA224", +) +@pytest.mark.hash class TestSHA224(object): test_SHA224 = generate_base_hash_test( hashes.SHA224(), digest_size=28, block_size=64, - only_if=lambda backend: backend.hash_supported(hashes.SHA224), - skip_message="Does not support SHA224", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.SHA256), + skip_message="Does not support SHA256", +) +@pytest.mark.hash class TestSHA256(object): test_SHA256 = generate_base_hash_test( hashes.SHA256(), digest_size=32, block_size=64, - only_if=lambda backend: backend.hash_supported(hashes.SHA256), - skip_message="Does not support SHA256", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.SHA384), + skip_message="Does not support SHA384", +) +@pytest.mark.hash class TestSHA384(object): test_SHA384 = generate_base_hash_test( hashes.SHA384(), digest_size=48, block_size=128, - only_if=lambda backend: backend.hash_supported(hashes.SHA384), - skip_message="Does not support SHA384", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.SHA512), + skip_message="Does not support SHA512", +) +@pytest.mark.hash class TestSHA512(object): test_SHA512 = generate_base_hash_test( hashes.SHA512(), digest_size=64, block_size=128, - only_if=lambda backend: backend.hash_supported(hashes.SHA512), - skip_message="Does not support SHA512", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.RIPEMD160), + skip_message="Does not support RIPEMD160", +) +@pytest.mark.hash class TestRIPEMD160(object): test_RIPEMD160 = generate_base_hash_test( hashes.RIPEMD160(), digest_size=20, block_size=64, - only_if=lambda backend: backend.hash_supported(hashes.RIPEMD160), - skip_message="Does not support RIPEMD160", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.Whirlpool), + skip_message="Does not support Whirlpool", +) +@pytest.mark.hash class TestWhirlpool(object): test_Whirlpool = generate_base_hash_test( hashes.Whirlpool(), digest_size=64, block_size=64, - only_if=lambda backend: backend.hash_supported(hashes.Whirlpool), - skip_message="Does not support Whirlpool", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hash_supported(hashes.MD5), + skip_message="Does not support MD5", +) +@pytest.mark.hash class TestMD5(object): test_MD5 = generate_base_hash_test( hashes.MD5(), digest_size=16, block_size=64, - only_if=lambda backend: backend.hash_supported(hashes.MD5), - skip_message="Does not support MD5", ) diff --git a/tests/hazmat/primitives/test_hmac.py b/tests/hazmat/primitives/test_hmac.py index 992bcb1a..04913af6 100644 --- a/tests/hazmat/primitives/test_hmac.py +++ b/tests/hazmat/primitives/test_hmac.py @@ -19,19 +19,33 @@ import pytest import six -from cryptography.exceptions import AlreadyFinalized -from cryptography.hazmat.primitives import hashes, hmac +from cryptography import utils +from cryptography.exceptions import ( + AlreadyFinalized, UnsupportedAlgorithm, InvalidSignature +) +from cryptography.hazmat.primitives import hashes, hmac, interfaces from .utils import generate_base_hmac_test -class TestHMAC(object): +@utils.register_interface(interfaces.HashAlgorithm) +class UnsupportedDummyHash(object): + name = "unsupported-dummy-hash" + + +@pytest.mark.supported( + only_if=lambda backend: backend.hmac_supported(hashes.MD5), + skip_message="Does not support MD5", +) +@pytest.mark.hmac +class TestHMACCopy(object): test_copy = generate_base_hmac_test( hashes.MD5(), - only_if=lambda backend: backend.hash_supported(hashes.MD5), - skip_message="Does not support MD5", ) + +@pytest.mark.hmac +class TestHMAC(object): def test_hmac_reject_unicode(self, backend): h = hmac.HMAC(b"mykey", hashes.SHA1(), backend=backend) with pytest.raises(TypeError): @@ -63,3 +77,30 @@ class TestHMAC(object): with pytest.raises(AlreadyFinalized): h.finalize() + + def test_verify(self, backend): + h = hmac.HMAC(b'', hashes.SHA1(), backend=backend) + digest = h.finalize() + + h = hmac.HMAC(b'', hashes.SHA1(), backend=backend) + h.verify(digest) + + with pytest.raises(AlreadyFinalized): + h.verify(b'') + + def test_invalid_verify(self, backend): + h = hmac.HMAC(b'', hashes.SHA1(), backend=backend) + with pytest.raises(InvalidSignature): + h.verify(b'') + + with pytest.raises(AlreadyFinalized): + h.verify(b'') + + def test_verify_reject_unicode(self, backend): + h = hmac.HMAC(b'', hashes.SHA1(), backend=backend) + with pytest.raises(TypeError): + h.verify(six.u('')) + + def test_unsupported_hash(self, backend): + with pytest.raises(UnsupportedAlgorithm): + hmac.HMAC(b"key", UnsupportedDummyHash(), backend) diff --git a/tests/hazmat/primitives/test_hmac_vectors.py b/tests/hazmat/primitives/test_hmac_vectors.py index 7d0f156a..c5644459 100644 --- a/tests/hazmat/primitives/test_hmac_vectors.py +++ b/tests/hazmat/primitives/test_hmac_vectors.py @@ -13,12 +13,19 @@ from __future__ import absolute_import, division, print_function +import pytest + from cryptography.hazmat.primitives import hashes from .utils import generate_hmac_test from ...utils import load_hash_vectors +@pytest.mark.supported( + only_if=lambda backend: backend.hmac_supported(hashes.MD5), + skip_message="Does not support MD5", +) +@pytest.mark.hmac class TestHMAC_MD5(object): test_hmac_md5 = generate_hmac_test( load_hash_vectors, @@ -27,11 +34,14 @@ class TestHMAC_MD5(object): "rfc-2202-md5.txt", ], hashes.MD5(), - only_if=lambda backend: backend.hash_supported(hashes.MD5), - skip_message="Does not support MD5", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hmac_supported(hashes.SHA1), + skip_message="Does not support SHA1", +) +@pytest.mark.hmac class TestHMAC_SHA1(object): test_hmac_sha1 = generate_hmac_test( load_hash_vectors, @@ -40,11 +50,14 @@ class TestHMAC_SHA1(object): "rfc-2202-sha1.txt", ], hashes.SHA1(), - only_if=lambda backend: backend.hash_supported(hashes.SHA1), - skip_message="Does not support SHA1", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hmac_supported(hashes.SHA224), + skip_message="Does not support SHA224", +) +@pytest.mark.hmac class TestHMAC_SHA224(object): test_hmac_sha224 = generate_hmac_test( load_hash_vectors, @@ -53,11 +66,14 @@ class TestHMAC_SHA224(object): "rfc-4231-sha224.txt", ], hashes.SHA224(), - only_if=lambda backend: backend.hash_supported(hashes.SHA224), - skip_message="Does not support SHA224", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hmac_supported(hashes.SHA256), + skip_message="Does not support SHA256", +) +@pytest.mark.hmac class TestHMAC_SHA256(object): test_hmac_sha256 = generate_hmac_test( load_hash_vectors, @@ -66,11 +82,14 @@ class TestHMAC_SHA256(object): "rfc-4231-sha256.txt", ], hashes.SHA256(), - only_if=lambda backend: backend.hash_supported(hashes.SHA256), - skip_message="Does not support SHA256", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hmac_supported(hashes.SHA384), + skip_message="Does not support SHA384", +) +@pytest.mark.hmac class TestHMAC_SHA384(object): test_hmac_sha384 = generate_hmac_test( load_hash_vectors, @@ -79,11 +98,14 @@ class TestHMAC_SHA384(object): "rfc-4231-sha384.txt", ], hashes.SHA384(), - only_if=lambda backend: backend.hash_supported(hashes.SHA384), - skip_message="Does not support SHA384", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hmac_supported(hashes.SHA512), + skip_message="Does not support SHA512", +) +@pytest.mark.hmac class TestHMAC_SHA512(object): test_hmac_sha512 = generate_hmac_test( load_hash_vectors, @@ -92,11 +114,14 @@ class TestHMAC_SHA512(object): "rfc-4231-sha512.txt", ], hashes.SHA512(), - only_if=lambda backend: backend.hash_supported(hashes.SHA512), - skip_message="Does not support SHA512", ) +@pytest.mark.supported( + only_if=lambda backend: backend.hmac_supported(hashes.RIPEMD160), + skip_message="Does not support RIPEMD160", +) +@pytest.mark.hmac class TestHMAC_RIPEMD160(object): test_hmac_ripemd160 = generate_hmac_test( load_hash_vectors, @@ -105,6 +130,4 @@ class TestHMAC_RIPEMD160(object): "rfc-2286-ripemd160.txt", ], hashes.RIPEMD160(), - only_if=lambda backend: backend.hash_supported(hashes.RIPEMD160), - skip_message="Does not support RIPEMD160", ) diff --git a/tests/hazmat/primitives/test_utils.py b/tests/hazmat/primitives/test_utils.py deleted file mode 100644 index c39364c7..00000000 --- a/tests/hazmat/primitives/test_utils.py +++ /dev/null @@ -1,117 +0,0 @@ -import pytest - -from .utils import ( - base_hash_test, encrypt_test, hash_test, long_string_hash_test, - base_hmac_test, hmac_test, stream_encryption_test, aead_test, - aead_exception_test, aead_tag_exception_test, -) - - -class TestEncryptTest(object): - def test_skips_if_only_if_returns_false(self): - with pytest.raises(pytest.skip.Exception) as exc_info: - encrypt_test( - None, None, None, None, - only_if=lambda backend: False, - skip_message="message!" - ) - assert exc_info.value.args[0] == "message!" - - -class TestAEADTest(object): - def test_skips_if_only_if_returns_false(self): - with pytest.raises(pytest.skip.Exception) as exc_info: - aead_test( - None, None, None, None, - only_if=lambda backend: False, - skip_message="message!" - ) - assert exc_info.value.args[0] == "message!" - - -class TestAEADExceptionTest(object): - def test_skips_if_only_if_returns_false(self): - with pytest.raises(pytest.skip.Exception) as exc_info: - aead_exception_test( - None, None, None, - only_if=lambda backend: False, - skip_message="message!" - ) - assert exc_info.value.args[0] == "message!" - - -class TestAEADTagExceptionTest(object): - def test_skips_if_only_if_returns_false(self): - with pytest.raises(pytest.skip.Exception) as exc_info: - aead_tag_exception_test( - None, None, None, - only_if=lambda backend: False, - skip_message="message!" - ) - assert exc_info.value.args[0] == "message!" - - -class TestHashTest(object): - def test_skips_if_only_if_returns_false(self): - with pytest.raises(pytest.skip.Exception) as exc_info: - hash_test( - None, None, None, - only_if=lambda backend: False, - skip_message="message!" - ) - assert exc_info.value.args[0] == "message!" - - -class TestBaseHashTest(object): - def test_skips_if_only_if_returns_false(self): - with pytest.raises(pytest.skip.Exception) as exc_info: - base_hash_test( - None, None, None, None, - only_if=lambda backend: False, - skip_message="message!" - ) - assert exc_info.value.args[0] == "message!" - - -class TestLongHashTest(object): - def test_skips_if_only_if_returns_false(self): - with pytest.raises(pytest.skip.Exception) as exc_info: - long_string_hash_test( - None, None, None, - only_if=lambda backend: False, - skip_message="message!" - ) - assert exc_info.value.args[0] == "message!" - - -class TestHMACTest(object): - def test_skips_if_only_if_returns_false(self): - with pytest.raises(pytest.skip.Exception) as exc_info: - hmac_test( - None, None, None, - only_if=lambda backend: False, - skip_message="message!" - ) - assert exc_info.value.args[0] == "message!" - - -class TestBaseHMACTest(object): - def test_skips_if_only_if_returns_false(self): - with pytest.raises(pytest.skip.Exception) as exc_info: - base_hmac_test( - None, None, - only_if=lambda backend: False, - skip_message="message!" - ) - assert exc_info.value.args[0] == "message!" - - -class TestStreamEncryptionTest(object): - def test_skips_if_only_if_returns_false(self): - with pytest.raises(pytest.skip.Exception) as exc_info: - stream_encryption_test( - None, None, None, - only_if=lambda backend: False, - skip_message="message!" - ) - assert exc_info.value.args[0] == "message!" diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py index b06f9b29..cdcf84cb 100644 --- a/tests/hazmat/primitives/utils.py +++ b/tests/hazmat/primitives/utils.py @@ -3,7 +3,6 @@ import os import pytest -from cryptography.hazmat.backends import _ALL_BACKENDS from cryptography.hazmat.primitives import hashes, hmac from cryptography.hazmat.primitives.ciphers import Cipher from cryptography.exceptions import ( @@ -13,34 +12,29 @@ from cryptography.exceptions import ( from ...utils import load_vectors_from_file +def _load_all_params(path, file_names, param_loader): + all_params = [] + for file_name in file_names: + all_params.extend( + load_vectors_from_file(os.path.join(path, file_name), param_loader) + ) + return all_params + + def generate_encrypt_test(param_loader, path, file_names, cipher_factory, - mode_factory, only_if=lambda backend: True, - skip_message=None): - def test_encryption(self): - for backend in _ALL_BACKENDS: - for file_name in file_names: - for params in load_vectors_from_file( - os.path.join(path, file_name), - param_loader - ): - yield ( - encrypt_test, - backend, - cipher_factory, - mode_factory, - params, - only_if, - skip_message - ) + mode_factory): + all_params = _load_all_params(path, file_names, param_loader) + + @pytest.mark.parametrize("params", all_params) + def test_encryption(self, backend, params): + encrypt_test(backend, cipher_factory, mode_factory, params) + return test_encryption -def encrypt_test(backend, cipher_factory, mode_factory, params, only_if, - skip_message): - if not only_if(backend): - pytest.skip(skip_message) - plaintext = params.pop("plaintext") - ciphertext = params.pop("ciphertext") +def encrypt_test(backend, cipher_factory, mode_factory, params): + plaintext = params["plaintext"] + ciphertext = params["ciphertext"] cipher = Cipher( cipher_factory(**params), mode_factory(**params), @@ -57,34 +51,21 @@ def encrypt_test(backend, cipher_factory, mode_factory, params, only_if, def generate_aead_test(param_loader, path, file_names, cipher_factory, - mode_factory, only_if, skip_message): - def test_aead(self): - for backend in _ALL_BACKENDS: - for file_name in file_names: - for params in load_vectors_from_file( - os.path.join(path, file_name), - param_loader - ): - yield ( - aead_test, - backend, - cipher_factory, - mode_factory, - params, - only_if, - skip_message - ) + mode_factory): + all_params = _load_all_params(path, file_names, param_loader) + + @pytest.mark.parametrize("params", all_params) + def test_aead(self, backend, params): + aead_test(backend, cipher_factory, mode_factory, params) + return test_aead -def aead_test(backend, cipher_factory, mode_factory, params, only_if, - skip_message): - if not only_if(backend): - pytest.skip(skip_message) +def aead_test(backend, cipher_factory, mode_factory, params): if params.get("pt") is not None: - plaintext = params.pop("pt") - ciphertext = params.pop("ct") - aad = params.pop("aad") + plaintext = params["pt"] + ciphertext = params["ct"] + aad = params["aad"] if params.get("fail") is True: cipher = Cipher( cipher_factory(binascii.unhexlify(params["key"])), @@ -123,33 +104,19 @@ def aead_test(backend, cipher_factory, mode_factory, params, only_if, def generate_stream_encryption_test(param_loader, path, file_names, - cipher_factory, only_if=None, - skip_message=None): - def test_stream_encryption(self): - for backend in _ALL_BACKENDS: - for file_name in file_names: - for params in load_vectors_from_file( - os.path.join(path, file_name), - param_loader - ): - yield ( - stream_encryption_test, - backend, - cipher_factory, - params, - only_if, - skip_message - ) + cipher_factory): + all_params = _load_all_params(path, file_names, param_loader) + + @pytest.mark.parametrize("params", all_params) + def test_stream_encryption(self, backend, params): + stream_encryption_test(backend, cipher_factory, params) return test_stream_encryption -def stream_encryption_test(backend, cipher_factory, params, only_if, - skip_message): - if not only_if(backend): - pytest.skip(skip_message) - plaintext = params.pop("plaintext") - ciphertext = params.pop("ciphertext") - offset = params.pop("offset") +def stream_encryption_test(backend, cipher_factory, params): + plaintext = params["plaintext"] + ciphertext = params["ciphertext"] + offset = params["offset"] cipher = Cipher(cipher_factory(**params), None, backend=backend) encryptor = cipher.encryptor() # throw away offset bytes @@ -164,29 +131,16 @@ def stream_encryption_test(backend, cipher_factory, params, only_if, assert actual_plaintext == binascii.unhexlify(plaintext) -def generate_hash_test(param_loader, path, file_names, hash_cls, - only_if=None, skip_message=None): - def test_hash(self): - for backend in _ALL_BACKENDS: - for file_name in file_names: - for params in load_vectors_from_file( - os.path.join(path, file_name), - param_loader - ): - yield ( - hash_test, - backend, - hash_cls, - params, - only_if, - skip_message - ) +def generate_hash_test(param_loader, path, file_names, hash_cls): + all_params = _load_all_params(path, file_names, param_loader) + + @pytest.mark.parametrize("params", all_params) + def test_hash(self, backend, params): + hash_test(backend, hash_cls, params) return test_hash -def hash_test(backend, algorithm, params, only_if, skip_message): - if only_if is not None and not only_if(backend): - pytest.skip(skip_message) +def hash_test(backend, algorithm, params): msg = params[0] md = params[1] m = hashes.Hash(algorithm, backend=backend) @@ -195,27 +149,13 @@ def hash_test(backend, algorithm, params, only_if, skip_message): assert m.finalize() == binascii.unhexlify(expected_md) -def generate_base_hash_test(algorithm, digest_size, block_size, - only_if=None, skip_message=None): - def test_base_hash(self): - for backend in _ALL_BACKENDS: - yield ( - base_hash_test, - backend, - algorithm, - digest_size, - block_size, - only_if, - skip_message, - ) +def generate_base_hash_test(algorithm, digest_size, block_size): + def test_base_hash(self, backend): + base_hash_test(backend, algorithm, digest_size, block_size) return test_base_hash -def base_hash_test(backend, algorithm, digest_size, block_size, only_if, - skip_message): - if only_if is not None and not only_if(backend): - pytest.skip(skip_message) - +def base_hash_test(backend, algorithm, digest_size, block_size): m = hashes.Hash(algorithm, backend=backend) assert m.algorithm.digest_size == digest_size assert m.algorithm.block_size == block_size @@ -230,52 +170,42 @@ def base_hash_test(backend, algorithm, digest_size, block_size, only_if, assert copy.finalize() == m.finalize() -def generate_long_string_hash_test(hash_factory, md, only_if=None, - skip_message=None): - def test_long_string_hash(self): - for backend in _ALL_BACKENDS: - yield( - long_string_hash_test, - backend, - hash_factory, - md, - only_if, - skip_message - ) +def generate_long_string_hash_test(hash_factory, md): + def test_long_string_hash(self, backend): + long_string_hash_test(backend, hash_factory, md) return test_long_string_hash -def long_string_hash_test(backend, algorithm, md, only_if, skip_message): - if only_if is not None and not only_if(backend): - pytest.skip(skip_message) +def long_string_hash_test(backend, algorithm, md): m = hashes.Hash(algorithm, backend=backend) m.update(b"a" * 1000000) assert m.finalize() == binascii.unhexlify(md.lower().encode("ascii")) -def generate_hmac_test(param_loader, path, file_names, algorithm, - only_if=None, skip_message=None): - def test_hmac(self): - for backend in _ALL_BACKENDS: - for file_name in file_names: - for params in load_vectors_from_file( - os.path.join(path, file_name), - param_loader - ): - yield ( - hmac_test, - backend, - algorithm, - params, - only_if, - skip_message - ) +def generate_base_hmac_test(hash_cls): + def test_base_hmac(self, backend): + base_hmac_test(backend, hash_cls) + return test_base_hmac + + +def base_hmac_test(backend, algorithm): + key = b"ab" + h = hmac.HMAC(binascii.unhexlify(key), algorithm, backend=backend) + h_copy = h.copy() + assert h != h_copy + assert h._ctx != h_copy._ctx + + +def generate_hmac_test(param_loader, path, file_names, algorithm): + all_params = _load_all_params(path, file_names, param_loader) + + @pytest.mark.parametrize("params", all_params) + def test_hmac(self, backend, params): + hmac_test(backend, algorithm, params) return test_hmac -def hmac_test(backend, algorithm, params, only_if, skip_message): - if only_if is not None and not only_if(backend): - pytest.skip(skip_message) +def hmac_test(backend, algorithm, params): msg = params[0] md = params[1] key = params[2] @@ -284,48 +214,13 @@ def hmac_test(backend, algorithm, params, only_if, skip_message): assert h.finalize() == binascii.unhexlify(md.encode("ascii")) -def generate_base_hmac_test(hash_cls, only_if=None, skip_message=None): - def test_base_hmac(self): - for backend in _ALL_BACKENDS: - yield ( - base_hmac_test, - backend, - hash_cls, - only_if, - skip_message, - ) - return test_base_hmac - - -def base_hmac_test(backend, algorithm, only_if, skip_message): - if only_if is not None and not only_if(backend): - pytest.skip(skip_message) - key = b"ab" - h = hmac.HMAC(binascii.unhexlify(key), algorithm, backend=backend) - h_copy = h.copy() - assert h != h_copy - assert h._ctx != h_copy._ctx - - -def generate_aead_exception_test(cipher_factory, mode_factory, - only_if, skip_message): - def test_aead_exception(self): - for backend in _ALL_BACKENDS: - yield ( - aead_exception_test, - backend, - cipher_factory, - mode_factory, - only_if, - skip_message - ) +def generate_aead_exception_test(cipher_factory, mode_factory): + def test_aead_exception(self, backend): + aead_exception_test(backend, cipher_factory, mode_factory) return test_aead_exception -def aead_exception_test(backend, cipher_factory, mode_factory, - only_if, skip_message): - if not only_if(backend): - pytest.skip(skip_message) +def aead_exception_test(backend, cipher_factory, mode_factory): cipher = Cipher( cipher_factory(binascii.unhexlify(b"0" * 32)), mode_factory(binascii.unhexlify(b"0" * 24)), @@ -355,25 +250,13 @@ def aead_exception_test(backend, cipher_factory, mode_factory, decryptor.tag -def generate_aead_tag_exception_test(cipher_factory, mode_factory, - only_if, skip_message): - def test_aead_tag_exception(self): - for backend in _ALL_BACKENDS: - yield ( - aead_tag_exception_test, - backend, - cipher_factory, - mode_factory, - only_if, - skip_message - ) +def generate_aead_tag_exception_test(cipher_factory, mode_factory): + def test_aead_tag_exception(self, backend): + aead_tag_exception_test(backend, cipher_factory, mode_factory) return test_aead_tag_exception -def aead_tag_exception_test(backend, cipher_factory, mode_factory, - only_if, skip_message): - if not only_if(backend): - pytest.skip(skip_message) +def aead_tag_exception_test(backend, cipher_factory, mode_factory): cipher = Cipher( cipher_factory(binascii.unhexlify(b"0" * 32)), mode_factory(binascii.unhexlify(b"0" * 24)), @@ -383,6 +266,13 @@ def aead_tag_exception_test(backend, cipher_factory, mode_factory, cipher.decryptor() cipher = Cipher( cipher_factory(binascii.unhexlify(b"0" * 32)), + mode_factory(binascii.unhexlify(b"0" * 24), b"000"), + backend + ) + with pytest.raises(ValueError): + cipher.decryptor() + cipher = Cipher( + cipher_factory(binascii.unhexlify(b"0" * 32)), mode_factory(binascii.unhexlify(b"0" * 24), b"0" * 16), backend ) diff --git a/tests/test_utils.py b/tests/test_utils.py index 5c58fd76..c640367e 100644 --- a/tests/test_utils.py +++ b/tests/test_utils.py @@ -14,14 +14,64 @@ import os import textwrap +import pretend + import pytest from .utils import ( load_nist_vectors, load_vectors_from_file, load_cryptrec_vectors, - load_openssl_vectors, load_hash_vectors, + load_openssl_vectors, load_hash_vectors, check_for_iface, + check_backend_support ) +class FakeInterface(object): + pass + + +def test_check_for_iface(): + item = pretend.stub(keywords=["fake_name"], funcargs={"backend": True}) + with pytest.raises(pytest.skip.Exception) as exc_info: + check_for_iface("fake_name", FakeInterface, item) + assert exc_info.value.args[0] == "True backend does not support fake_name" + + item = pretend.stub( + keywords=["fake_name"], + funcargs={"backend": FakeInterface()} + ) + check_for_iface("fake_name", FakeInterface, item) + + +def test_check_backend_support_skip(): + supported = pretend.stub( + kwargs={"only_if": lambda backend: False, "skip_message": "Nope"} + ) + item = pretend.stub(keywords={"supported": supported}, + funcargs={"backend": True}) + with pytest.raises(pytest.skip.Exception) as exc_info: + check_backend_support(item) + assert exc_info.value.args[0] == "Nope" + + +def test_check_backend_support_no_skip(): + supported = pretend.stub( + kwargs={"only_if": lambda backend: True, "skip_message": "Nope"} + ) + item = pretend.stub(keywords={"supported": supported}, + funcargs={"backend": True}) + assert check_backend_support(item) is None + + +def test_check_backend_support_no_backend(): + supported = pretend.stub( + kwargs={"only_if": "notalambda", "skip_message": "Nope"} + ) + item = pretend.stub(keywords={"supported": supported}, + funcargs={}) + with pytest.raises(ValueError): + check_backend_support(item) + + def test_load_nist_vectors(): vector_data = textwrap.dedent(""" # CAVS 11.1 diff --git a/tests/utils.py b/tests/utils.py index 94f97d59..beb2ca5d 100644 --- a/tests/utils.py +++ b/tests/utils.py @@ -11,7 +11,27 @@ # See the License for the specific language governing permissions and # limitations under the License. -import os.path +import os + +import pytest + + +def check_for_iface(name, iface, item): + if name in item.keywords and "backend" in item.funcargs: + if not isinstance(item.funcargs["backend"], iface): + pytest.skip("{0} backend does not support {1}".format( + item.funcargs["backend"], name + )) + + +def check_backend_support(item): + supported = item.keywords.get("supported") + if supported and "backend" in item.funcargs: + if not supported.kwargs["only_if"](item.funcargs["backend"]): + pytest.skip(supported.kwargs["skip_message"]) + elif supported: + raise ValueError("This mark is only available on methods that take a " + "backend") def load_vectors_from_file(filename, loader): @@ -7,7 +7,7 @@ deps = coverage pretend commands = - coverage run --source=cryptography/,tests/ -m pytest --strict + coverage run --source=cryptography/,tests/ -m pytest --capture=no --strict coverage report -m [testenv:docs] @@ -24,7 +24,7 @@ commands = # Temporarily disable coverage on pypy because of performance problems with # coverage.py on pypy. [testenv:pypy] -commands = py.test +commands = py.test --capture=no [testenv:pep8] deps = flake8 |