aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rwxr-xr-x.travis/install.sh12
-rw-r--r--CHANGELOG.rst11
-rw-r--r--cryptography/hazmat/backends/openssl/backend.py15
-rw-r--r--cryptography/hazmat/backends/openssl/rsa.py12
-rw-r--r--cryptography/hazmat/bindings/openssl/err.py18
-rw-r--r--docs/installation.rst4
6 files changed, 56 insertions, 16 deletions
diff --git a/.travis/install.sh b/.travis/install.sh
index 0c64ba93..01affab4 100755
--- a/.travis/install.sh
+++ b/.travis/install.sh
@@ -10,16 +10,16 @@ else
fi
if [[ "${OPENSSL}" == "0.9.8" ]]; then
- if [[ "$DARWIN" = true ]]; then
- # travis has openssl installed via brew already, but let's be sure
- if [[ "$(brew list | grep openssl)" != "openssl" ]]; then
- brew install openssl
- fi
- else
+ if [[ "$DARWIN" = false ]]; then
sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu/ lucid main"
sudo apt-get -y update
sudo apt-get install -y --force-yes libssl-dev/lucid
fi
+else
+ if [[ "$DARWIN" = true ]]; then
+ brew update
+ brew upgrade openssl
+ fi
fi
if [[ "${TOX_ENV}" == "docs" ]]; then
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 8258279b..e1f8b115 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -6,6 +6,17 @@ Changelog
.. note:: This version is not yet released and is under active development.
+0.6.1 - 2014-10-15
+~~~~~~~~~~~~~~~~~~
+
+* Updated Windows wheels to be compiled against OpenSSL 1.0.1j.
+* Fixed an issue where OpenSSL 1.0.1j changed the errors returned by some
+ functions.
+* Added our license file to the ``cryptography-vectors`` package.
+* Implemented DSA hash truncation support (per FIPS 186-3) in the OpenSSL
+ backend. This works around an issue in 1.0.0, 1.0.0a, and 1.0.0b where
+ truncation was not implemented.
+
0.6 - 2014-09-29
~~~~~~~~~~~~~~~~
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index a449a55e..6fad6fc7 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -742,10 +742,17 @@ class Backend(object):
if not errors:
raise ValueError("Could not unserialize key data.")
- elif errors[0][1:] == (
- self._lib.ERR_LIB_EVP,
- self._lib.EVP_F_EVP_DECRYPTFINAL_EX,
- self._lib.EVP_R_BAD_DECRYPT
+ elif errors[0][1:] in (
+ (
+ self._lib.ERR_LIB_EVP,
+ self._lib.EVP_F_EVP_DECRYPTFINAL_EX,
+ self._lib.EVP_R_BAD_DECRYPT
+ ),
+ (
+ self._lib.ERR_LIB_PKCS12,
+ self._lib.PKCS12_F_PKCS12_PBE_CRYPT,
+ self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR,
+ )
):
raise ValueError("Bad decrypt. Incorrect password?")
diff --git a/cryptography/hazmat/backends/openssl/rsa.py b/cryptography/hazmat/backends/openssl/rsa.py
index d24bea57..7312fcb2 100644
--- a/cryptography/hazmat/backends/openssl/rsa.py
+++ b/cryptography/hazmat/backends/openssl/rsa.py
@@ -142,10 +142,14 @@ def _handle_rsa_enc_dec_error(backend, key):
"larger key size."
)
else:
- assert (
- errors[0].reason == backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_01 or
- errors[0].reason == backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_02
- )
+ decoding_errors = [
+ backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_01,
+ backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_02,
+ ]
+ if backend._lib.Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR:
+ decoding_errors.append(backend._lib.RSA_R_PKCS_DECODING_ERROR)
+
+ assert errors[0].reason in decoding_errors
raise ValueError("Decryption failed.")
diff --git a/cryptography/hazmat/bindings/openssl/err.py b/cryptography/hazmat/bindings/openssl/err.py
index 232060a2..4e44a2eb 100644
--- a/cryptography/hazmat/bindings/openssl/err.py
+++ b/cryptography/hazmat/bindings/openssl/err.py
@@ -22,6 +22,7 @@ static const int Cryptography_HAS_REMOVE_THREAD_STATE;
static const int Cryptography_HAS_098H_ERROR_CODES;
static const int Cryptography_HAS_098C_CAMELLIA_CODES;
static const int Cryptography_HAS_EC_CODES;
+static const int Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR;
struct ERR_string_data_st {
unsigned long error;
@@ -34,6 +35,7 @@ static const int ERR_LIB_EC;
static const int ERR_LIB_PEM;
static const int ERR_LIB_ASN1;
static const int ERR_LIB_RSA;
+static const int ERR_LIB_PKCS12;
static const int ASN1_F_ASN1_ENUMERATED_TO_BN;
static const int ASN1_F_ASN1_EX_C2I;
@@ -76,6 +78,7 @@ static const int ASN1_F_OID_MODULE_INIT;
static const int ASN1_F_PARSE_TAGGING;
static const int ASN1_F_PKCS5_PBE_SET;
static const int ASN1_F_X509_CINF_NEW;
+
static const int ASN1_R_BOOLEAN_IS_WRONG_LENGTH;
static const int ASN1_R_BUFFER_TOO_SMALL;
static const int ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER;
@@ -222,10 +225,15 @@ static const int PEM_R_SHORT_HEADER;
static const int PEM_R_UNSUPPORTED_CIPHER;
static const int PEM_R_UNSUPPORTED_ENCRYPTION;
+static const int PKCS12_F_PKCS12_PBE_CRYPT;
+
+static const int PKCS12_R_PKCS12_CIPHERFINAL_ERROR;
+
static const int RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE;
static const int RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY;
static const int RSA_R_BLOCK_TYPE_IS_NOT_01;
static const int RSA_R_BLOCK_TYPE_IS_NOT_02;
+static const int RSA_R_PKCS_DECODING_ERROR;
"""
FUNCTIONS = """
@@ -321,6 +329,13 @@ static const long Cryptography_HAS_EC_CODES = 0;
static const int EC_R_UNKNOWN_GROUP = 0;
static const int EC_F_EC_GROUP_NEW_BY_CURVE_NAME = 0;
#endif
+
+#ifdef RSA_R_PKCS_DECODING_ERROR
+static const long Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR = 1;
+#else
+static const long Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR = 0;
+static const long RSA_R_PKCS_DECODING_ERROR = 0;
+#endif
"""
CONDITIONAL_NAMES = {
@@ -343,5 +358,8 @@ CONDITIONAL_NAMES = {
"Cryptography_HAS_EC_CODES": [
"EC_R_UNKNOWN_GROUP",
"EC_F_EC_GROUP_NEW_BY_CURVE_NAME"
+ ],
+ "Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR": [
+ "RSA_R_PKCS_DECODING_ERROR"
]
}
diff --git a/docs/installation.rst b/docs/installation.rst
index 76f0439a..d1b6e69d 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -25,12 +25,12 @@ OpenSSL releases:
* ``OpenSSL 0.9.8e-fips-rhel5`` (``RHEL/CentOS 5``)
* ``OpenSSL 0.9.8k``
-* ``OpenSSL 0.9.8y``
+* ``OpenSSL 0.9.8za``
* ``OpenSSL 1.0.0-fips`` (``RHEL/CentOS 6.4``)
* ``OpenSSL 1.0.1``
* ``OpenSSL 1.0.1e-fips`` (``RHEL/CentOS 7``)
* ``OpenSSL 1.0.1e-freebsd``
-* ``OpenSSL 1.0.1h``
+* ``OpenSSL 1.0.1-latest`` (The most recent 1.0.1 release)
* ``OpenSSL 1.0.2 beta``
On Windows