aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Exposed OpenSSL prime methods (#4292)Quinten Stokkink2018-06-221-0/+6
| | | These are required by the Tribler project.
* Perform an OPENSSL_cleanup before checking the heap in our memleak tests (#4293)Alex Gaynor2018-06-203-1/+18
| | | | | | | | | | * Perform an OPENSSL_cleanup before checking the heap in our memleak tests * Make this binding conditional * typo * need to put this call before we reset the function ptrs
* Add clearer message when key type is not bytes (#4289)Vladyslav Moisieienkov2018-06-203-0/+39
| | | | | | | | | | | | * Add clearer message in Cipher when key is not bytes * Change location of key type check to verify_key_size function * Replace formated error message with static * Add key type check tests to all ciphers constructors * Change key type error message to lowercase
* Correctly pass bytes; refs #4289 (#4290)Alex Gaynor2018-06-191-1/+1
|
* Correct pass bytes; refs #4289 (#4291)Alex Gaynor2018-06-191-1/+1
|
* Document project as stable and ready for use in production (#4284)Jon Dufresne2018-06-161-0/+1
|
* add downstream tests for awslabs/aws-dynamodb-encryption-python (#4280)Matt Bullock2018-06-122-0/+9
| | | | | | * add downstream tests for awslabs/aws-dynamodb-encryption-python * require recent OpenSSL for awslabs/dynamodb-encryption-python downstream tests
* Test certbot with OpenSSL 1.1.0 (#4278)Alex Gaynor2018-06-081-1/+1
| | | Their tests appear to require ALPN now, and the OpenSSL 1.0.1 that comes with the travis image doesn't have ALPN.
* LibreSSL 2.7.x support (#4270)Paul Kehrer2018-05-3010-17/+29
| | | | | | | | * libre 2.7.3 compatibility * add a changelog * actually build against 2.7.3
* Removes branches in bindings for various OpenSSL 1.1.0 prereleases (#4269)Alex Gaynor2018-05-316-18/+8
| | | | | | | | | | | | | | | | * Remove defines for openssl 1.1.0 pre * Update bio.py * Update dh.py * Update dsa.py * Update rsa.py * Update x509_vfy.py * Compress branches
* simplify and parametrize DSA tests (#4267)Paul Kehrer2018-05-301-431/+239
|
* parametrize a few things in test_ec (#4268)Paul Kehrer2018-05-301-30/+13
|
* deprecate pythons without hmac.compare_digest (#4261)Paul Kehrer2018-05-243-0/+13
| | | | | | * deprecate the constant time bytes comparison path old python 2.7.x uses * pep8
* Fixed build errors on HP-UX. (#4259)dumol2018-05-222-2/+2
| | | | | | | | | | * Fixed build errors on HP-UX. * PEP 8 style fix. * No return for void function. * PEP 8 style fix, take 2.
* build and test libre on travis (#4256)Paul Kehrer2018-05-214-24/+27
| | | | | | * build and test libre on travis * remove libressl jenkinsfile data
* Make AuthorityKeyIdentifier docs reflect reality (#4252)Thom Dixon2018-05-181-1/+1
| | | The `AuthorityKeyIdentifier.authority_cert_issuer` docs state that it returns a `Name` instance, but it [actually returns a list of `GeneralName` instances or `None`](https://github.com/pyca/cryptography/blob/master/src/cryptography/x509/extensions.py#L157).
* Fixes #4228 -- move downstream builders to travis (#4250)Alex Gaynor2018-05-163-132/+76
| | | | | | * Fixes #4228 -- move downstream builders to travis * Use upstream twisted now that we've confirmed the problem
* remove block size as a required part of HashAlgorithm (#4249)Paul Kehrer2018-05-162-12/+0
| | | | | | Internal block size isn't a particularly useful piece of information and constructions like SHA3 make it even harder to determine what that really means. Accordingly, we're removing it from the interface (but leaving it on all existing hashes)
* Only send coverage for tox builds, in prep for #4228 (#4248)Alex Gaynor2018-05-161-10/+12
|
* satisfy shellcheck (#4247)Alex Gaynor2018-05-161-3/+3
|
* Cleanup unused err bindings. (#4246)David Benjamin2018-05-151-106/+0
| | | | | | | | | | | | | | | | | | | | | | | This removes: - ERR_get_state which really shouldn't be public API. - A bunch of functions that are really mostly useful within the library to add new errors. NB: I say mostly because they are also useful when trying to register a new error library, as osrandom does, but osrandom is written in C. Python code is more likely to be consuming errors. - All function codes but EVP_F_EVP_ENCRYPTFINAL_EX because tests still reference it. Per PR #3609, function codes are kind of unstable. This finishes that up and cleans up the bindings. - The "line" versions of querying the error queue, just because no one seems to be using them and there's a lot. - Error-printing functions, which make less sense in Python since you'd probably wrap in an exception. Error codes probably could also do with cleaning, but I've left them alone for now.
* Remove ECDSA_sign_setup and *sign_ex bindings. (#4245)David Benjamin2018-05-151-5/+0
| | | | | | | | | | | They are unused. These functions have two purposes. They can be used to pass your own value of k, or to amoritize the cost of generating k. Messing up k is catastrophic to ECDSA, so best not to expose that one. ECDSA signing is also quite fast, so there isn't much point in the latter. (The API comes from DSA, which is a bit slower.) Moreover, ECDSA_sign is not the same as ECDSA_sign_setup + ECDSA_sign_ex. OpenSSL has some nonce hardening features that have to get skipped when doing this.
* Remove macOS travis stuff, we don't intend to reenable it (#4244)Alex Gaynor2018-05-153-136/+27
|
* Future proofing use of the six python version constants (#4238)Eric Brown2018-05-143-27/+27
| | | | | | | | | | | | | | | * Future proofing use of the six python version constants After reading [1], noticed that cryptography uses a lot of if six.PY3 blocks. The issue with this is that whenever Python 4 is released, this code in the else block will be executed even though it was only intended for Python 2. [1] http://astrofrog.github.io/blog/2016/01/12/stop-writing-python-4-incompatible-code/ Signed-off-by: Eric Brown <browne@vmware.com> * Use not PY2 instead
* Remove some unused RSA bindings. (#4243)David Benjamin2018-05-141-11/+0
| | | | | | RSA_blinding_off is a silly function. RSA_SSLV23_PADDING and RSA_X931_PADDING are obsolete. The low-level padding functions appear unused and the EVP_PKEY stuff is probably a bit nicer than expecting callers to RSA_NO_PADDING and do the padding by hand.
* Validate the public/private halves of EC keys on import. (#4241)David Benjamin2018-05-142-6/+7
| | | | | | | | | | | | | | | | | | * Validate the public/private halves of EC keys on import. OpenSSL's API is a little finicky. If one sets the public key before the private key, it does not validate that they match. If set in the other order, it does validate this. In particular, KASValidityTest_ECCStaticUnified_NOKC_ZZOnly_init.fax describes error code 7 as: Result = F (7 - IUT's Static private key d changed-prikey validity) Reordering the two operations makes those tests to fail on key import, which is what CAVP appears to have intended. * Wrap to 79 rather than 80 columns
* Fix some stuttering. (#4240)David Benjamin2018-05-141-3/+0
| | | | This is a remnant of the function code checking when this logic looked at both encrypt/decrypt versions of this error code.
* Remove some unused RAND bindings. (#4239)David Benjamin2018-05-141-4/+0
| | | These are unused. (And not especially useful.)
* Clean up unused EC bindings. (#4225)David Benjamin2018-05-142-83/+0
| | | | | | | | | | | | | | | | | | | | | | | * Clean up unused EC bindings. A lot of these are really OpenSSL internals, like the EC_METHOD business, support for custom curves which are a bad idea, and weird non-standard serializations like taking the usual point serialization and treating it as a single BIGNUM. I also didn't remove things when they're arguably part of a set. E.g. EC_POINT_add is used, but EC_POINT_dbl isn't. However, they both set at the same abstraction level (basic point operations), so it's strange to have one without the other. I also kept EC_POINT_is_on_curve because, although it is not used, OpenSSL prior to 1.1.0 doesn't perform this important check in EC_POINT_set_affine_coordinates_GFp (though it does in some of the functions which ultimately call it, like EC_KEY_set_public_key_affine_coordinates, what cryptography.io actually uses), so one should not expose the latter without the former. * Fix build issue.
* Remove unused BIO bindings. (#4220)David Benjamin2018-05-141-107/+3
| | | | | | | | | | | | | * Remove unused BIO bindings. This also folds in the const bits from 1.1.0, on the assumption that, now that the function pointer check is gone, it will just cause cffi to generate more conservative pointer types that work for 1.0.2 as well. * Restore some functions used externally. Datagram BIO_CTRL_* constants are intentionally omitted per discussion on the PR.
* Add SHA512/224 and SHA512/256 test vectors from NIST CAVP (#4237)Paul Kehrer2018-05-149-1/+7121
|
* Use pytest instead of py.test per upstream recommendation, #dropthedot (#4236)Ville Skyttä2018-05-132-2/+2
| | | | http://blog.pytest.org/2016/whats-new-in-pytest-30/ https://twitter.com/hashtag/dropthedot
* Run no longer used debugging output from travis (#4233)Alex Gaynor2018-05-121-4/+0
|
* switch to py3 on docs job (#4230)Paul Kehrer2018-05-1213-49/+50
| | | | | | * switch to py3 on docs job * somehow unicode isn't a word
* Check for CMAC_Init errors. (#4232)David Benjamin2018-05-121-1/+2
|
* Fixed some confusing type descriptions in docs (#4231)Alex Gaynor2018-05-121-4/+1
|
* Add support for extracting timestamp from a Fernet token (#4229)Paul Kehrer2018-05-124-6/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Add API for retrieving the seconds-to-expiry for the token, given a TTL. * Process PR feedback: * Do compute the TTL, but just the age of the token. The caller can decided what to do next. * Factored out the HMAC signature verification to a separate function. * Fixed a copy&paste mistake in the test cases * Tests cleanup. * `struct` no longer needed * Document `def age()` * typo in `age()` documentation * token, not data * remove test for TTL expiry that is already covered by the parameterized `test_invalid()`. * let's call this extract_timestamp and just return timestamp * review comments * it's UNIX I know this
* Fix some callback type signatures. (#4227)David Benjamin2018-05-121-3/+3
| | | | | | | | | | | | | | | | * Fix some callback type signatures. SSL_CTX_set_psk_server_callback: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_psk_server_callback.html https://github.com/openssl/openssl/blob/OpenSSL_1_0_2/ssl/ssl.h#L1355 https://github.com/openssl/openssl/blob/OpenSSL_1_1_0/include/openssl/ssl.h#L734 SSL_CTX_set_tlsext_servername_callback: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_tlsext_servername_callback.html https://github.com/openssl/openssl/blob/OpenSSL_1_0_2/ssl/s3_lib.c#L3964 https://github.com/openssl/openssl/blob/OpenSSL_1_1_0/ssl/s3_lib.c#L3499 * Missed a spot
* fixed variable name to be correct (#4226)Alex Gaynor2018-05-111-3/+3
|
* Use a checklist for bumping openssl version (#4221)Alex Gaynor2018-05-092-19/+16
| | | | | | | | * Use a checklist for bumping openssl version * words * empty commit to retrigger jenkins
* add SHA3 and SHAKE vectors (#4213)Paul Kehrer2018-05-0921-0/+20714
| | | These can be used when OpenSSL 1.1.1 is released
* Remove unused BN bindings. (#4219)David Benjamin2018-05-091-28/+2
| | | | | | | | | | * Remove unused BN bindings. These appear to be unused in both cryptography.io and PyOpenSSL. * Restore symbols used by pyUmbral. Along the way, fix some mistranscribed consts.
* adding name so that 1.3.6.1.4.1.11129.2.4.2 is no longer and 'Unknown OID' ↵Joshua Crowgey2018-05-071-0/+3
| | | | (#4218)
* update link to draft rfc (#4214)Alex Gaynor2018-05-021-1/+1
|
* Updated pip wheel option in installation script. (#4212)Justin Holmes2018-04-301-1/+1
|
* Remove cffi branch for pypy that's not needed (#4209)Alex Gaynor2018-04-281-2/+1
| | | | | | * Remove cffi branch for pypy that's not needed * simplify further
* Expose OpenSSL constant time bignum arithmetic (#4200)Tux2018-04-242-0/+15
| | | | | | | | | | | | | | | | | | | * Expose BIGNUM constant time operations This commit exposes the following functions: BN_set_flags BN_get_flags BN_MONT_CTX_new BN_MONT_CTX_set BN_MONT_CTX_free BN_mod_exp_mont BN_mod_exp_mont_consttime This commit also exposes the BN_FLG_CONSTTIME flag. * Add myself to AUTHORS
* Add Session functions, necessary to implement new features in Python 3.6. ↵Amaury Forgeot d'Arc2018-04-241-0/+14
| | | | (#4205)
* bump openssl version in travis (#4204)Alex Gaynor2018-04-221-3/+3
|
* Remove setup.py branch (#4203)Alex Gaynor2018-04-221-3/+1
|