-rw-r--r-- | cryptography/hazmat/backends/openssl/backend.py | 47 | ||||
-rw-r--r-- | cryptography/hazmat/bindings/openssl/err.py | 19 | ||||
-rw-r--r-- | tests/hazmat/backends/test_openssl.py | 5 |
3 files changed, 39 insertions, 32 deletions
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index bf97e42d..7f2d81db 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -921,8 +921,25 @@ class Backend(object):
 if self._lib.Cryptography_HAS_EC != 1:
 return False
- curves = self._supported_curves()
- return curve.name.encode("ascii") in curves
+ try:
+ curve_nid = self._elliptic_curve_to_nid(curve)
+ except UnsupportedAlgorithm:
+ curve_nid = self._lib.NID_undef
+
+ ctx = self._lib.EC_GROUP_new_by_curve_name(curve_nid)
+
+ if ctx == self._ffi.NULL:
+ errors = self._consume_errors()
+ if curve_nid != self._lib.NID_undef:
+ assert errors[0] == (
+ self._lib.ERR_LIB_EC,
+ self._lib.EC_F_EC_GROUP_NEW_BY_CURVE_NAME,
+ self._lib.EC_R_UNKNOWN_GROUP
+ )
+ return False
+ else:
+ self._lib.EC_GROUP_free(ctx)
+ return True
 def elliptic_curve_signature_algorithm_supported(
 self, signature_algorithm, curve
@@ -943,30 +960,6 @@ class Backend(object):
 return self.elliptic_curve_supported(curve)
- def _supported_curves(self):
- if self._lib.Cryptography_HAS_EC != 1:
- return []
-
- num_curves = self._lib.EC_get_builtin_curves(self._ffi.NULL, 0)
- curve_array = self._ffi.new("EC_builtin_curve[]", num_curves)
- num_curves_assigned = self._lib.EC_get_builtin_curves(
- curve_array, num_curves)
- assert num_curves == num_curves_assigned
-
- curves = [
- self._ffi.string(self._lib.OBJ_nid2sn(curve.nid)).decode()
- for curve in curve_array
- ]
-
- curve_aliases = {
- "prime192v1": "secp192r1",
- "prime256v1": "secp256r1"
- }
- return [
- curve_aliases.get(curve, curve)
- for curve in curves
- ]
-
 def _create_ecdsa_signature_ctx(self, private_key, ecdsa):
 return _ECDSASignatureContext(self, private_key, ecdsa.algorithm)
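Review bot: The `assert errors[0] == (...)` in the `ctx == self._ffi.NULL` branch lets a capability probe raise instead of answering: any other failure of `EC_GROUP_new_by_curve_name` (for example an allocation error, or a build reporting a different function code) becomes an `AssertionError`, an empty error list becomes an `IndexError`, and under `python -O` the check disappears. The queue is already drained by `self._consume_errors()`, so returning `False` for every NULL result is the safer contract for a `*_supported` query; if an unexpected error must stay visible, raise an explicit exception rather than relying on `assert`. The `except UnsupportedAlgorithm:` branch could also `return False` directly rather than passing `NID_undef` to OpenSSL only to provoke and discard an error. The method's signature sits above the hunk, so this is based on the visible body only.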
@@ -2005,7 +1998,7 @@ def _truncate_digest_for_ecdsa(ec_key_cdata, digest, backend):
 mask = 0xFF >> rshift << rshift
 # Set the bottom rshift bits to 0
- digest = digest[:-1] + six.int2byte(six.byte2int(digest[-1]) & mask)
+ digest = digest[:-1] + six.int2byte(six.indexbytes(digest, -1) & mask)
 return digest
diff --git a/cryptography/hazmat/bindings/openssl/err.py b/cryptography/hazmat/bindings/openssl/err.py
index 8ed97d0b..49f524df 100644
--- a/cryptography/hazmat/bindings/openssl/err.py
+++ b/cryptography/hazmat/bindings/openssl/err.py
@@ -21,6 +21,7 @@ TYPES = """
 static const int Cryptography_HAS_REMOVE_THREAD_STATE;
 static const int Cryptography_HAS_098H_ERROR_CODES;
 static const int Cryptography_HAS_098C_CAMELLIA_CODES;
+static const int Cryptography_HAS_EC_CODES;
 struct ERR_string_data_st {
 unsigned long error;
@@ -29,6 +30,7 @@ struct ERR_string_data_st {
 typedef struct ERR_string_data_st ERR_STRING_DATA;
 static const int ERR_LIB_EVP;
+static const int ERR_LIB_EC;
 static const int ERR_LIB_PEM;
 static const int ERR_LIB_ASN1;
 static const int ERR_LIB_RSA;
@@ -172,6 +174,10 @@ static const int EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM;
 static const int EVP_R_WRONG_FINAL_BLOCK_LENGTH;
 static const int EVP_R_WRONG_PUBLIC_KEY_TYPE;
+static const int EC_F_EC_GROUP_NEW_BY_CURVE_NAME;
+
+static const int EC_R_UNKNOWN_GROUP;
+
 static const int PEM_F_D2I_PKCS8PRIVATEKEY_BIO;
 static const int PEM_F_D2I_PKCS8PRIVATEKEY_FP;
 static const int PEM_F_DO_PK8PKEY;
@@ -306,6 +312,15 @@ static const long Cryptography_HAS_098C_CAMELLIA_CODES = 0;
 static const int EVP_F_CAMELLIA_INIT_KEY = 0;
 static const int EVP_R_CAMELLIA_KEY_SETUP_FAILED = 0;
 #endif
+
+// OpenSSL without EC. e.g. RHEL
+#ifndef OPENSSL_NO_EC
+static const long Cryptography_HAS_EC_CODES = 1;
+#else
+static const long Cryptography_HAS_EC_CODES = 0;
+static const int EC_R_UNKNOWN_GROUP = 0;
+static const int EC_F_EC_GROUP_NEW_BY_CURVE_NAME = 0;
+#endif
 """
 CONDITIONAL_NAMES = {
@@ -324,5 +339,9 @@ CONDITIONAL_NAMES = {
 "Cryptography_HAS_098C_CAMELLIA_CODES": [
 "EVP_F_CAMELLIA_INIT_KEY",
 "EVP_R_CAMELLIA_KEY_SETUP_FAILED"
+ ],
+ "Cryptography_HAS_EC_CODES": [
+ "EC_R_UNKNOWN_GROUP",
+ "EC_F_EC_GROUP_NEW_BY_CURVE_NAME"
 ]
 }
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index f9e692b4..7aa8f0f0 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -484,11 +484,6 @@ class TestOpenSSLNoEllipticCurve(object):
 None, None
 ) is False
- def test_supported_curves(self, monkeypatch):
- monkeypatch.setattr(backend._lib, "Cryptography_HAS_EC", 0)
-
- assert backend._supported_curves() == []
-
 class TestDeprecatedRSABackendMethods(object):
 def test_create_rsa_signature_ctx(self): |