diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/_cffi_src/openssl/engine.py | 4 | ||||
| -rw-r--r-- | src/_cffi_src/openssl/evp.py | 26 | ||||
| -rw-r--r-- | src/_cffi_src/openssl/hmac.py | 31 | ||||
| -rw-r--r-- | src/_cffi_src/openssl/ssl.py | 25 | ||||
| -rw-r--r-- | src/_cffi_src/openssl/x509.py | 44 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/multibackend.py | 7 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 46 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/decode_asn1.py | 6 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/encode_asn1.py | 78 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/hashes.py | 13 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/hmac.py | 13 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/x509.py | 17 | ||||
| -rw-r--r-- | src/cryptography/hazmat/bindings/openssl/_conditional.py | 10 | ||||
| -rw-r--r-- | src/cryptography/x509/extensions.py | 8 |
14 files changed, 218 insertions, 110 deletions
diff --git a/src/_cffi_src/openssl/engine.py b/src/_cffi_src/openssl/engine.py index 77c97fe5..afdd54e4 100644 --- a/src/_cffi_src/openssl/engine.py +++ b/src/_cffi_src/openssl/engine.py @@ -16,12 +16,10 @@ typedef ... RSA_METHOD; typedef ... DSA_METHOD; typedef ... DH_METHOD; typedef struct { - void (*seed)(const void *, int); int (*bytes)(unsigned char *, int); - void (*cleanup)(); - void (*add)(const void *, int, double); int (*pseudorand)(unsigned char *, int); int (*status)(); + ...; } RAND_METHOD; typedef int (*ENGINE_GEN_INT_FUNC_PTR)(ENGINE *); typedef ... *ENGINE_CTRL_FUNC_PTR; diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py index a91a9666..5abc6451 100644 --- a/src/_cffi_src/openssl/evp.py +++ b/src/_cffi_src/openssl/evp.py @@ -12,9 +12,7 @@ TYPES = """ typedef ... EVP_CIPHER; typedef ... EVP_CIPHER_CTX; typedef ... EVP_MD; -typedef struct env_md_ctx_st { - ...; -} EVP_MD_CTX; +typedef struct { ...; } EVP_MD_CTX; typedef ... EVP_PKEY; typedef ... EVP_PKEY_CTX; @@ -55,13 +53,11 @@ EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void); void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *); int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *, int); -EVP_MD_CTX *EVP_MD_CTX_create(void); int EVP_MD_CTX_copy_ex(EVP_MD_CTX *, const EVP_MD_CTX *); int EVP_DigestInit_ex(EVP_MD_CTX *, const EVP_MD *, ENGINE *); int EVP_DigestUpdate(EVP_MD_CTX *, const void *, size_t); int EVP_DigestFinal_ex(EVP_MD_CTX *, unsigned char *, unsigned int *); int EVP_MD_CTX_cleanup(EVP_MD_CTX *); -void EVP_MD_CTX_destroy(EVP_MD_CTX *); const EVP_MD *EVP_get_digestbyname(const char *); EVP_PKEY *EVP_PKEY_new(void); @@ -115,6 +111,12 @@ int EVP_PKEY_cmp(const EVP_PKEY *, const EVP_PKEY *); EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *); int Cryptography_EVP_PKEY_id(const EVP_PKEY *); + +/* in 1.1.0 _create and _destroy were renamed to _new and _free. The following + two functions wrap both the old and new functions so we can call them + without worrying about what OpenSSL we're running against. */ +EVP_MD_CTX *Cryptography_EVP_MD_CTX_new(void); +void Cryptography_EVP_MD_CTX_free(EVP_MD_CTX *); """ MACROS = """ @@ -235,4 +237,18 @@ int Cryptography_EVP_PKEY_id(const EVP_PKEY *key) { return key->type; #endif } +EVP_MD_CTX *Cryptography_EVP_MD_CTX_new(void) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + return EVP_MD_CTX_create(); +#else + return EVP_MD_CTX_new(); +#endif +} +void Cryptography_EVP_MD_CTX_free(EVP_MD_CTX *ctx) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) + EVP_MD_CTX_destroy(ctx); +#else + EVP_MD_CTX_free(ctx); +#endif +} """ diff --git a/src/_cffi_src/openssl/hmac.py b/src/_cffi_src/openssl/hmac.py index 7178e573..bcc8a861 100644 --- a/src/_cffi_src/openssl/hmac.py +++ b/src/_cffi_src/openssl/hmac.py @@ -9,18 +9,17 @@ INCLUDES = """ """ TYPES = """ -typedef struct { ...; } HMAC_CTX; +typedef ... HMAC_CTX; """ FUNCTIONS = """ -void HMAC_CTX_init(HMAC_CTX *); -void HMAC_CTX_cleanup(HMAC_CTX *); - int Cryptography_HMAC_Init_ex(HMAC_CTX *, const void *, int, const EVP_MD *, ENGINE *); int Cryptography_HMAC_Update(HMAC_CTX *, const unsigned char *, size_t); int Cryptography_HMAC_Final(HMAC_CTX *, unsigned char *, unsigned int *); int Cryptography_HMAC_CTX_copy(HMAC_CTX *, HMAC_CTX *); +HMAC_CTX *Cryptography_HMAC_CTX_new(void); +void Cryptography_HMAC_CTX_free(HMAC_CTX *ctx); """ MACROS = """ @@ -80,4 +79,28 @@ int Cryptography_HMAC_CTX_copy(HMAC_CTX *dst_ctx, HMAC_CTX *src_ctx) { return 0; #endif } + +HMAC_CTX *Cryptography_HMAC_CTX_new(void) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + return HMAC_CTX_new(); +#else + /* This uses OPENSSL_zalloc in 1.1.0, which is malloc + memset */ + HMAC_CTX *ctx = (HMAC_CTX *)OPENSSL_malloc(sizeof(HMAC_CTX)); + memset(ctx, 0, sizeof(HMAC_CTX)); + return ctx; +#endif +} + + + +void Cryptography_HMAC_CTX_free(HMAC_CTX *ctx) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) + return HMAC_CTX_free(ctx); +#else + if (ctx != NULL) { + HMAC_CTX_cleanup(ctx); + OPENSSL_free(ctx); + } +#endif +} """ diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index e735e9eb..a713a245 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -11,9 +11,8 @@ typedef STACK_OF(SSL_CIPHER) Cryptography_STACK_OF_SSL_CIPHER; """ TYPES = """ -/* - * Internally invented symbols to tell which versions of SSL/TLS are supported. -*/ +static const long Cryptography_HAS_SSL_ST; +static const long Cryptography_HAS_TLS_ST; static const long Cryptography_HAS_SSL2; static const long Cryptography_HAS_SSL3_METHOD; static const long Cryptography_HAS_TLSv1_1; @@ -126,6 +125,8 @@ static const long SSL_MODE_ENABLE_PARTIAL_WRITE; static const long SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; static const long SSL_MODE_AUTO_RETRY; static const long SSL3_RANDOM_SIZE; +static const long TLS_ST_BEFORE; +static const long TLS_ST_OK; typedef ... SSL_METHOD; typedef ... SSL_CTX; @@ -662,4 +663,22 @@ static const long Cryptography_HAS_SSL_CTX_SET_CLIENT_CERT_ENGINE = 0; static const long Cryptography_HAS_SSL_CTX_SET_CLIENT_CERT_ENGINE = 1; #endif +/* in OpenSSL 1.1.0 the SSL_ST values were renamed to TLS_ST and several were + removed */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) +static const long Cryptography_HAS_SSL_ST = 1; +#else +static const long Cryptography_HAS_SSL_ST = 0; +static const long SSL_ST_BEFORE = 0; +static const long SSL_ST_OK = 0; +static const long SSL_ST_INIT = 0; +static const long SSL_ST_RENEGOTIATE = 0; +#endif +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) +static const long Cryptography_HAS_TLS_ST = 1; +#else +static const long Cryptography_HAS_TLS_ST = 0; +static const long TLS_ST_BEFORE = 0; +static const long TLS_ST_OK = 0; +#endif """ diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py index 4cdc8274..2fe3a1bf 100644 --- a/src/_cffi_src/openssl/x509.py +++ b/src/_cffi_src/openssl/x509.py @@ -154,12 +154,6 @@ X509_EXTENSION *X509_EXTENSION_dup(X509_EXTENSION *); X509_EXTENSION *X509_get_ext(X509 *, int); int X509_get_ext_by_NID(X509 *, int, int); -/* CRYPTO_EX_DATA */ -int X509_get_ex_new_index(long, void *, CRYPTO_EX_new *, CRYPTO_EX_dup *, - CRYPTO_EX_free *); -int X509_set_ex_data(X509 *, int, void *); -void *X509_get_ex_data(X509 *, int); - int X509_EXTENSION_get_critical(X509_EXTENSION *); ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *); void X509_EXTENSION_free(X509_EXTENSION *); @@ -272,12 +266,22 @@ void PKCS8_PRIV_KEY_INFO_free(PKCS8_PRIV_KEY_INFO *); """ MACROS = """ +/* these CRYPTO_EX_DATA functions became macros in 1.1.0 */ +int X509_get_ex_new_index(long, void *, CRYPTO_EX_new *, CRYPTO_EX_dup *, + CRYPTO_EX_free *); +int X509_set_ex_data(X509 *, int, void *); +void *X509_get_ex_data(X509 *, int); + X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *); int i2d_X509_CINF(X509_CINF *, unsigned char **); int i2d_X509_CRL_INFO(X509_CRL_INFO *, unsigned char **); int i2d_X509_REQ_INFO(X509_REQ_INFO *, unsigned char **); +/* new in 1.0.2 */ +int i2d_re_X509_tbs(X509 *, unsigned char **); +void X509_get0_signature(ASN1_BIT_STRING **, X509_ALGOR **, X509 *); + long X509_get_version(X509 *); ASN1_TIME *X509_get_notBefore(X509 *); @@ -352,6 +356,34 @@ int sk_ASN1_OBJECT_push(Cryptography_STACK_OF_ASN1_OBJECT *, ASN1_OBJECT *); """ CUSTOMIZATIONS = """ +/* Added in 1.0.2 beta but we need it in all versions now due to the great + opaquing. */ +#if OPENSSL_VERSION_NUMBER < 0x10002001L || defined(LIBRESSL_VERSION_NUMBER) +/* from x509/x_x509.c version 1.0.2 */ +void X509_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, + const X509 *x) +{ + if (psig) + *psig = x->signature; + if (palg) + *palg = x->sig_alg; +} +#endif +/* Added in 1.0.2 but we need it in all versions now due to the great + opaquing. */ +#if OPENSSL_VERSION_NUMBER < 0x10002003L || defined(LIBRESSL_VERSION_NUMBER) +/* from x509/x_x509.c */ +int i2d_re_X509_tbs(X509 *x, unsigned char **pp) +{ + /* in 1.0.2+ this function also sets x->cert_info->enc.modified = 1 + but older OpenSSLs don't have the enc ASN1_ENCODING member in the + X509 struct. Setting modified to 1 marks the encoding + (x->cert_info->enc.enc) as invalid, but since the entire struct isn't + present we don't care. */ + return i2d_X509_CINF(x->cert_info, pp); +} +#endif + /* OpenSSL 0.9.8e does not have this definition. */ #if OPENSSL_VERSION_NUMBER <= 0x0090805fL typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS; diff --git a/src/cryptography/hazmat/backends/multibackend.py b/src/cryptography/hazmat/backends/multibackend.py index 65f18531..48bc7d08 100644 --- a/src/cryptography/hazmat/backends/multibackend.py +++ b/src/cryptography/hazmat/backends/multibackend.py @@ -28,6 +28,13 @@ class MultiBackend(object): name = "multibackend" def __init__(self, backends): + if len(backends) == 0: + raise ValueError( + "Multibackend cannot be initialized with no backends. If you " + "are seeing this error when trying to use default_backend() " + "please try uninstalling and reinstalling cryptography." + ) + self._backends = backends def _filtered_backends(self, interface): diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index e47f747c..c6ede932 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -975,15 +975,38 @@ class Backend(object): 'Extension not supported: {0}'.format(extension.oid) ) - pp, r = encode(self, extension.value) - obj = _txt2obj_gc(self, extension.oid.dotted_string) - x509_extension = self._lib.X509_EXTENSION_create_by_OBJ( - self._ffi.NULL, - obj, - 1 if extension.critical else 0, - _encode_asn1_str_gc(self, pp[0], r) + ext_struct = encode(self, extension.value) + nid = self._lib.OBJ_txt2nid( + extension.oid.dotted_string.encode("ascii") ) + backend.openssl_assert(nid != self._lib.NID_undef) + x509_extension = self._lib.X509V3_EXT_i2d( + nid, 1 if extension.critical else 0, ext_struct + ) + if ( + x509_extension == self._ffi.NULL and + extension.oid == x509.OID_CERTIFICATE_ISSUER + ): + # This path exists to support OpenSSL 0.9.8, which does + # not know how to encode a CERTIFICATE_ISSUER for CRLs. Once we + # drop 0.9.8 support we can remove this. + self._consume_errors() + pp = backend._ffi.new("unsigned char **") + r = self._lib.i2d_GENERAL_NAMES(ext_struct, pp) + backend.openssl_assert(r > 0) + pp = backend._ffi.gc( + pp, lambda pointer: backend._lib.OPENSSL_free(pointer[0]) + ) + obj = _txt2obj_gc(self, extension.oid.dotted_string) + x509_extension = self._lib.X509_EXTENSION_create_by_OBJ( + self._ffi.NULL, + obj, + 1 if extension.critical else 0, + _encode_asn1_str_gc(self, pp[0], r) + ) + self.openssl_assert(x509_extension != self._ffi.NULL) + if gc: x509_extension = self._ffi.gc( x509_extension, self._lib.X509_EXTENSION_free @@ -1003,11 +1026,14 @@ class Backend(object): x509_revoked, serial_number ) self.openssl_assert(res == 1) - res = self._lib.ASN1_TIME_set( - x509_revoked.revocationDate, + rev_date = self._lib.ASN1_TIME_set( + self._ffi.NULL, calendar.timegm(builder._revocation_date.timetuple()) ) - self.openssl_assert(res != self._ffi.NULL) + self.openssl_assert(rev_date != self._ffi.NULL) + rev_date = self._ffi.gc(rev_date, self._lib.ASN1_TIME_free) + res = self._lib.X509_REVOKED_set_revocationDate(x509_revoked, rev_date) + self.openssl_assert(res == 1) # add CRL entry extensions self._create_x509_extensions( extensions=builder._extensions, diff --git a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py index 140d3de4..26f56d12 100644 --- a/src/cryptography/hazmat/backends/openssl/decode_asn1.py +++ b/src/cryptography/hazmat/backends/openssl/decode_asn1.py @@ -709,7 +709,11 @@ def _asn1_string_to_ascii(backend, asn1_string): def _asn1_string_to_utf8(backend, asn1_string): buf = backend._ffi.new("unsigned char **") res = backend._lib.ASN1_STRING_to_UTF8(buf, asn1_string) - backend.openssl_assert(res >= 0) + if res == -1: + raise ValueError( + "Unsupported ASN1 string type. Type: {0}".format(asn1_string.type) + ) + backend.openssl_assert(buf[0] != backend._ffi.NULL) buf = backend._ffi.gc( buf, lambda buffer: backend._lib.OPENSSL_free(buffer[0]) diff --git a/src/cryptography/hazmat/backends/openssl/encode_asn1.py b/src/cryptography/hazmat/backends/openssl/encode_asn1.py index b56dfa70..0ede533a 100644 --- a/src/cryptography/hazmat/backends/openssl/encode_asn1.py +++ b/src/cryptography/hazmat/backends/openssl/encode_asn1.py @@ -74,21 +74,8 @@ def _encode_asn1_str_gc(backend, data, length): return s -def _encode_extension_to_der(backend, i2d_func, value): - pp = backend._ffi.new("unsigned char **") - r = i2d_func(value, pp) - backend.openssl_assert(r > 0) - pp = backend._ffi.gc( - pp, lambda pointer: backend._lib.OPENSSL_free(pointer[0]) - ) - return pp, r - - def _encode_inhibit_any_policy(backend, inhibit_any_policy): - asn1int = _encode_asn1_int_gc(backend, inhibit_any_policy.skip_certs) - return _encode_extension_to_der( - backend, backend._lib.i2d_ASN1_INTEGER, asn1int - ) + return _encode_asn1_int_gc(backend, inhibit_any_policy.skip_certs) def _encode_name(backend, attributes): @@ -137,10 +124,7 @@ def _encode_name_entry(backend, attribute): def _encode_crl_number(backend, crl_number): - asn1int = _encode_asn1_int_gc(backend, crl_number.crl_number) - return _encode_extension_to_der( - backend, backend._lib.i2d_ASN1_INTEGER, asn1int - ) + return _encode_asn1_int_gc(backend, crl_number.crl_number) def _encode_crl_reason(backend, crl_reason): @@ -152,9 +136,7 @@ def _encode_crl_reason(backend, crl_reason): ) backend.openssl_assert(res == 1) - return _encode_extension_to_der( - backend, backend._lib.i2d_ASN1_ENUMERATED, asn1enum - ) + return asn1enum def _encode_invalidity_date(backend, invalidity_date): @@ -166,9 +148,7 @@ def _encode_invalidity_date(backend, invalidity_date): backend.openssl_assert(time != backend._ffi.NULL) time = backend._ffi.gc(time, backend._lib.ASN1_GENERALIZEDTIME_free) - return _encode_extension_to_der( - backend, backend._lib.i2d_ASN1_GENERALIZEDTIME, time - ) + return time def _encode_certificate_policies(backend, certificate_policies): @@ -218,9 +198,7 @@ def _encode_certificate_policies(backend, certificate_policies): pi.qualifiers = pqis - return _encode_extension_to_der( - backend, backend._lib.i2d_CERTIFICATEPOLICIES, cp - ) + return cp def _encode_notice_reference(backend, notice): @@ -261,10 +239,10 @@ def _txt2obj_gc(backend, name): def _encode_ocsp_nocheck(backend, ext): """ - The OCSP No Check extension is defined as a null ASN.1 value. Rather than - calling OpenSSL we can return a Python bytestring value in a list. + The OCSP No Check extension is defined as a null ASN.1 value embedded in + an ASN.1 string. """ - return [b"\x05\x00"], 2 + return _encode_asn1_str_gc(backend, b"\x05\x00", 2) def _encode_key_usage(backend, key_usage): @@ -296,9 +274,7 @@ def _encode_key_usage(backend, key_usage): res = set_bit(ku, 8, 0) backend.openssl_assert(res == 1) - return _encode_extension_to_der( - backend, backend._lib.i2d_ASN1_BIT_STRING, ku - ) + return ku def _encode_authority_key_identifier(backend, authority_keyid): @@ -322,9 +298,7 @@ def _encode_authority_key_identifier(backend, authority_keyid): backend, authority_keyid.authority_cert_serial_number ) - return _encode_extension_to_der( - backend, backend._lib.i2d_AUTHORITY_KEYID, akid - ) + return akid def _encode_basic_constraints(backend, basic_constraints): @@ -338,9 +312,7 @@ def _encode_basic_constraints(backend, basic_constraints): backend, basic_constraints.path_length ) - return _encode_extension_to_der( - backend, backend._lib.i2d_BASIC_CONSTRAINTS, constraints - ) + return constraints def _encode_authority_information_access(backend, authority_info_access): @@ -360,9 +332,7 @@ def _encode_authority_information_access(backend, authority_info_access): res = backend._lib.sk_ACCESS_DESCRIPTION_push(aia, ad) backend.openssl_assert(res >= 1) - return _encode_extension_to_der( - backend, backend._lib.i2d_AUTHORITY_INFO_ACCESS, aia - ) + return aia def _encode_general_names(backend, names): @@ -381,16 +351,11 @@ def _encode_alt_name(backend, san): general_names = backend._ffi.gc( general_names, backend._lib.GENERAL_NAMES_free ) - return _encode_extension_to_der( - backend, backend._lib.i2d_GENERAL_NAMES, general_names - ) + return general_names def _encode_subject_key_identifier(backend, ski): - asn1_str = _encode_asn1_str_gc(backend, ski.digest, len(ski.digest)) - return _encode_extension_to_der( - backend, backend._lib.i2d_ASN1_OCTET_STRING, asn1_str - ) + return _encode_asn1_str_gc(backend, ski.digest, len(ski.digest)) def _encode_general_name(backend, name): @@ -488,10 +453,7 @@ def _encode_extended_key_usage(backend, extended_key_usage): res = backend._lib.sk_ASN1_OBJECT_push(eku, obj) backend.openssl_assert(res >= 1) - eku_ptr = backend._ffi.cast("EXTENDED_KEY_USAGE *", eku) - return _encode_extension_to_der( - backend, backend._lib.i2d_EXTENDED_KEY_USAGE, eku_ptr - ) + return eku _CRLREASONFLAGS = { @@ -545,14 +507,12 @@ def _encode_crl_distribution_points(backend, crl_distribution_points): res = backend._lib.sk_DIST_POINT_push(cdp, dp) backend.openssl_assert(res >= 1) - return _encode_extension_to_der( - backend, backend._lib.i2d_CRL_DIST_POINTS, cdp - ) + return cdp def _encode_name_constraints(backend, name_constraints): nc = backend._lib.NAME_CONSTRAINTS_new() - assert nc != backend._ffi.NULL + backend.openssl_assert(nc != backend._ffi.NULL) nc = backend._ffi.gc(nc, backend._lib.NAME_CONSTRAINTS_free) permitted = _encode_general_subtree( backend, name_constraints.permitted_subtrees @@ -563,9 +523,7 @@ def _encode_name_constraints(backend, name_constraints): ) nc.excludedSubtrees = excluded - return _encode_extension_to_der( - backend, backend._lib.Cryptography_i2d_NAME_CONSTRAINTS, nc - ) + return nc def _encode_general_subtree(backend, subtrees): diff --git a/src/cryptography/hazmat/backends/openssl/hashes.py b/src/cryptography/hazmat/backends/openssl/hashes.py index 02ce5f0d..2c8fce1a 100644 --- a/src/cryptography/hazmat/backends/openssl/hashes.py +++ b/src/cryptography/hazmat/backends/openssl/hashes.py @@ -18,9 +18,10 @@ class _HashContext(object): self._backend = backend if ctx is None: - ctx = self._backend._lib.EVP_MD_CTX_create() - ctx = self._backend._ffi.gc(ctx, - self._backend._lib.EVP_MD_CTX_destroy) + ctx = self._backend._lib.Cryptography_EVP_MD_CTX_new() + ctx = self._backend._ffi.gc( + ctx, self._backend._lib.Cryptography_EVP_MD_CTX_free + ) evp_md = self._backend._lib.EVP_get_digestbyname( algorithm.name.encode("ascii")) if evp_md == self._backend._ffi.NULL: @@ -38,9 +39,9 @@ class _HashContext(object): algorithm = utils.read_only_property("_algorithm") def copy(self): - copied_ctx = self._backend._lib.EVP_MD_CTX_create() + copied_ctx = self._backend._lib.Cryptography_EVP_MD_CTX_new() copied_ctx = self._backend._ffi.gc( - copied_ctx, self._backend._lib.EVP_MD_CTX_destroy + copied_ctx, self._backend._lib.Cryptography_EVP_MD_CTX_free ) res = self._backend._lib.EVP_MD_CTX_copy_ex(copied_ctx, self._ctx) self._backend.openssl_assert(res != 0) @@ -57,6 +58,4 @@ class _HashContext(object): res = self._backend._lib.EVP_DigestFinal_ex(self._ctx, buf, outlen) self._backend.openssl_assert(res != 0) self._backend.openssl_assert(outlen[0] == self.algorithm.digest_size) - res = self._backend._lib.EVP_MD_CTX_cleanup(self._ctx) - self._backend.openssl_assert(res == 1) return self._backend._ffi.buffer(buf)[:outlen[0]] diff --git a/src/cryptography/hazmat/backends/openssl/hmac.py b/src/cryptography/hazmat/backends/openssl/hmac.py index dcf2fbaf..ab1ad46f 100644 --- a/src/cryptography/hazmat/backends/openssl/hmac.py +++ b/src/cryptography/hazmat/backends/openssl/hmac.py @@ -20,10 +20,10 @@ class _HMACContext(object): self._backend = backend if ctx is None: - ctx = self._backend._ffi.new("HMAC_CTX *") - self._backend._lib.HMAC_CTX_init(ctx) + ctx = self._backend._lib.Cryptography_HMAC_CTX_new() + self._backend.openssl_assert(ctx != self._backend._ffi.NULL) ctx = self._backend._ffi.gc( - ctx, self._backend._lib.HMAC_CTX_cleanup + ctx, self._backend._lib.Cryptography_HMAC_CTX_free ) evp_md = self._backend._lib.EVP_get_digestbyname( algorithm.name.encode('ascii')) @@ -44,10 +44,10 @@ class _HMACContext(object): algorithm = utils.read_only_property("_algorithm") def copy(self): - copied_ctx = self._backend._ffi.new("HMAC_CTX *") - self._backend._lib.HMAC_CTX_init(copied_ctx) + copied_ctx = self._backend._lib.Cryptography_HMAC_CTX_new() + self._backend.openssl_assert(copied_ctx != self._backend._ffi.NULL) copied_ctx = self._backend._ffi.gc( - copied_ctx, self._backend._lib.HMAC_CTX_cleanup + copied_ctx, self._backend._lib.Cryptography_HMAC_CTX_free ) res = self._backend._lib.Cryptography_HMAC_CTX_copy( copied_ctx, self._ctx @@ -72,7 +72,6 @@ class _HMACContext(object): ) self._backend.openssl_assert(res != 0) self._backend.openssl_assert(outlen[0] == self.algorithm.digest_size) - self._backend._lib.HMAC_CTX_cleanup(self._ctx) return self._backend._ffi.buffer(buf)[:outlen[0]] def verify(self, signature): diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py index c71f8d92..ced3e6f1 100644 --- a/src/cryptography/hazmat/backends/openssl/x509.py +++ b/src/cryptography/hazmat/backends/openssl/x509.py @@ -97,7 +97,12 @@ class _Certificate(object): @property def signature_hash_algorithm(self): - oid = _obj2txt(self._backend, self._x509.sig_alg.algorithm) + alg = self._backend._ffi.new("X509_ALGOR **") + self._backend._lib.X509_get0_signature( + self._backend._ffi.NULL, alg, self._x509 + ) + self._backend.openssl_assert(alg[0] != self._backend._ffi.NULL) + oid = _obj2txt(self._backend, alg[0].algorithm) try: return x509._SIG_OIDS_TO_HASH[oid] except KeyError: @@ -111,13 +116,17 @@ class _Certificate(object): @property def signature(self): - return _asn1_string_to_bytes(self._backend, self._x509.signature) + sig = self._backend._ffi.new("ASN1_BIT_STRING **") + self._backend._lib.X509_get0_signature( + sig, self._backend._ffi.NULL, self._x509 + ) + self._backend.openssl_assert(sig[0] != self._backend._ffi.NULL) + return _asn1_string_to_bytes(self._backend, sig[0]) @property def tbs_certificate_bytes(self): pp = self._backend._ffi.new("unsigned char **") - # the X509_CINF struct holds the tbsCertificate data - res = self._backend._lib.i2d_X509_CINF(self._x509.cert_info, pp) + res = self._backend._lib.i2d_re_X509_tbs(self._x509, pp) self._backend.openssl_assert(res > 0) pp = self._backend._ffi.gc( pp, lambda pointer: self._backend._lib.OPENSSL_free(pointer[0]) diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index f5999312..8b918995 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -404,4 +404,14 @@ CONDITIONAL_NAMES = { "Cryptography_HAS_AES_CTR128_ENCRYPT": [ "AES_ctr128_encrypt", ], + "Cryptography_HAS_SSL_ST": [ + "SSL_ST_BEFORE", + "SSL_ST_OK", + "SSL_ST_INIT", + "SSL_ST_RENEGOTIATE", + ], + "Cryptography_HAS_TLS_ST": [ + "TLS_ST_BEFORE", + "TLS_ST_OK", + ], } diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py index 0aa67212..87d2de1c 100644 --- a/src/cryptography/x509/extensions.py +++ b/src/cryptography/x509/extensions.py @@ -191,6 +191,14 @@ class AuthorityKeyIdentifier(object): authority_cert_serial_number=None ) + @classmethod + def from_issuer_subject_key_identifier(cls, ski): + return cls( + key_identifier=ski.value.digest, + authority_cert_issuer=None, + authority_cert_serial_number=None + ) + def __repr__(self): return ( "<AuthorityKeyIdentifier(key_identifier={0.key_identifier!r}, " |