aboutsummaryrefslogtreecommitdiffstats
path: root/docs
Commit message (Collapse)AuthorAgeFilesLines
...
* Make the code compatible with the latest sphinx release (#3543)Alex Gaynor2017-05-171-15/+6
|
* Fixes #3538 -- Make our OpenSSL EC verifier's implementation match the API ↵Alex Gaynor2017-05-101-14/+19
| | | | | | | | | | | | | | (#3539) * Document our real API for EC verification, not an accident * formatting consistency * fix the code itself * fixed class name * fixed a test too
* add a changelog entry for finalize_with_tag and move the note (#3531)Paul Kehrer2017-05-021-4/+4
|
* postpone GCM authentication tag requirement until finalization (#3421)Philipp Gesang2017-05-021-8/+48
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * postpone GCM authentication tag requirement until finalization Add a .finalize_with_tag() variant of the .finalize() function of the GCM context. At the same time, do not enforce the requirement of supplying the tag with the mode ctor. This facilitates streamed decryption when the MAC is appended to the ciphertext and cannot be efficiently retrieved ahead of decryption. According to the GCM spec (section 7.2: “Algorithm for the Authenticated Decryption Function”), the tag itself is not needed until the ciphertext has been decrypted. Addresses #3380 Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com> * disallow delayed GCM tag passing for legacy OpenSSL Old versions of Ubuntu supported by Cryptography ship a v1.0.1 of OpenSSL which is no longer supported by upstream. This library seems to cause erratic test failures with the delayed GCM tag functionality which are not reproducible outside the CI. Unfortunately OpenSSL v1.0.1 does not even document the required API (``EVP_EncryptInit(3)``) so there is no by-the-book fix. For backends of version 1.0.1 and earlier, verify the GCM tag at the same stage as before. Also, indicate to the user that late passing of GCM tags is unsupported by throwing ``NotImplementedError`` for these backend versions if - the method ``finalize_with_tag()`` is invoked, or - the mode ctor is called without passing a tag. Unit tests have been adapted to account for different backend versions.
* Update docs to reflect a change that occured long ago with bindings (#3517)Alex Gaynor2017-04-261-3/+4
|
* format some function names in docs (#3511)Alex Gaynor2017-04-211-1/+1
|
* Fixed #3489 -- document that we don't have wheels for pypy (#3496)Alex Gaynor2017-04-092-0/+5
| | | | | | * Fixed #3489 -- document that we don't have wheels for pypy * homebrew is a word
* I don't know what a bug issue is (#3481)Alex Gaynor2017-03-241-1/+1
|
* Update symmetric-encryption.rst (#3479)gdmnbt2017-03-231-0/+1
| | | | | | | | | | * Update symmetric-encryption.rst Import default_backend so the example works out-of-the-box. * Update symmetric-encryption.rst * newline nit
* Another site goes HTTPS! (#3477)Alex Gaynor2017-03-231-1/+1
|
* Use some more recent version numbers in examples (#3474)Alex Gaynor2017-03-221-3/+3
|
* From time to time, we ignore our own policy (#3475)Alex Gaynor2017-03-221-0/+4
|
* Use stronger language (#3476)Alex Gaynor2017-03-221-2/+1
|
* Interfaces for SCTs, feedback wanted (#3467)Alex Gaynor2017-03-222-0/+80
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Stub API for SCTs, feedback wanted * grr, flake8 * port this to being an ABC * finish up the __init__ * Two necessary enums * Roll this back * Wrote some docs * spell words correctly * linky * more details * use the words UTC * coverage * Define MMD for the kids at some * linky linky
* add captions to the split toctrees (#3466)anarcat2017-03-201-9/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | * add captions to the split toctrees this will render the table of contents with separators in the RTD theme. right now, the table of contents is quite confusing on the [RTD site][] - that is because there are 3 distinct `toctree` directives, but no `:caption:` field. instead, there are headers in the `index.rst` but those are not parsed by RTD. [RTD site]: https://cryptography.io/en/latest/ by moving those headers in the `:caption:` field, we keep the heading, but it will also be shown in the left table of contents on the RTD site. for an example of that pattern, see the [scrapy documentation][]. they go even further by hiding the `toctree` elements completely and adding explanations on every section, but this is out of scope here for now. [scrapy documentation]: https://doc.scrapy.org/en/latest/index.html * remove spurious backtics in caption they do not work in that field, apparently.
* Refs #3461 -- added the OID for the SCT x.509 extension (#3464)Alex Gaynor2017-03-201-0/+6
| | | | | | * Refs #3461 -- added the OID for the SCT x.509 extension * Version added
* Refs #3461 -- added a test vector with SCTs (#3462)Alex Gaynor2017-03-192-0/+3
| | | | | | * Refs #3461 -- added a test vector with SCTs * timestamp is a word
* Be on brand: it's macOS (#3456)Alex Gaynor2017-03-156-12/+12
| | | | | | * Be on brand: it's macOS * line wrap
* update dev docs to also say macOS and use openssl 1.1 (#3452)Paul Kehrer2017-03-141-4/+4
|
* fix typo (#3442)Ofek Lev2017-03-121-1/+1
|
* it's called macOS and let's document openssl 1.1.0 installation on mac (#3437)Paul Kehrer2017-03-091-15/+15
| | | | | | * it's called macOS and let's document openssl 1.1.0 installation on mac * wrap that line
* document that we're not building universal wheels now (#3436)Paul Kehrer2017-03-091-7/+4
| | | Also updates the doing a release documentation
* DH subgroup order (q) (#3369)Aviv Palivoda2017-03-053-5/+36
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Support DH q (subgroup order) * Change RFC5114.txt to NIST format * Add tests for DH q * Update docs for DH q * Fix pep8 * Improve test covergae for DH q * Create _dh_params_dup that copy q if DHparams_dup don't On OpenSSL < 1.0.2 DHparams_dup don't copy q. _dh_params_dup call DHparams_dup and if the version is smaller than 1.0.2 copy q manually * Copy q manually on libressl * Add to test vectors serialized RFC5114 2048 bit DH parameters with 224 bit subgroup * Support serialization of DH with q * Add tests for serialization of DH with q * Support DH serialization with q only if Cryptography_HAS_EVP_PKEY_DHX is true * Raise exception when trying to serialize DH X9.42 when not supported * raise unsupported key type when deserilizing DH X9.42 if not supported * pep8 fixes * Fix test_serialization * Add dhx_serialization_supported method to DHBacked * document q in dh_parameters_supported * Rename dhx_serialization_supported to dh_x942_serialization_supported
* Update NIST urls in docs (#3418)Alex Gaynor2017-02-273-4/+4
|
* SHA-1 is broken, run for the hills (#3417)Alex Gaynor2017-02-231-15/+16
|
* Use HTTPS urls for a few more websites (#3416)Alex Gaynor2017-02-232-3/+3
|
* This is HTTPS now (#3407)Alex Gaynor2017-02-182-2/+2
|
* Two random grammar fixes (#3402)Alex Gaynor2017-02-182-2/+2
|
* add support for update_into on CipherContext (#3190)Paul Kehrer2017-02-161-0/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * add support for update_into on CipherContext This allows you to provide your own buffer (like recv_into) to improve performance when repeatedly calling encrypt/decrypt on large payloads. * another skip_if * more skip_if complexity * maybe do this right * correct number of args * coverage for the coverage gods * add a cffi minimum test tox target and travis builder This tests against macOS so we capture some commoncrypto branches * extra arg * need to actually install py35 * fix * coverage for GCM decrypt in CC * no longer relevant * 1.8 now * pep8 * dramatically simplify * update docs * remove unneeded test * changelog entry * test improvements * coverage fix * add some comments to example * move the comments to their own line * fix and move comment
* faq entry for setuptools_ext issues (#3393)Paul Kehrer2017-02-131-0/+5
|
* Update tutorial.rst (#3394)AlexanderWeyman2017-02-131-2/+2
| | | eliminated inconsitency of variable name in sample code
* support defining which windows libraries to link with an env var (#3356)Paul Kehrer2017-02-091-1/+7
| | | | | | | | | | | | * support defining which windows libraries to link with an env var CRYPTOGRAPHY_WINDOWS_LIBRARIES is your new friend * add some docs * change to CRYPTOGRAPHY_WINDOWS_LINK_OPENSSL110 * lib prefixing is not a thing msvc does, right
* DH serialization (#3297)Aviv Palivoda2017-02-072-0/+60
| | | | | | | | | | | | | | | | | | * DH keys support serialization * Add DH serialization documentation * Add tests for DH keys serialization in DER encoding * update version to 1.8 * Allow only SubjectPublicKeyInfo serialization * Remove support in TraditionalOpenSSL format * Fix pep8 * Refactor dh serialization tests
* Point people to python3-dev if needed (#3359)Alex Gaynor2017-01-211-2/+4
| | | | | | | | * Point people to python3-dev if needed * oops, syntax fix * Fedora/RHEL as well
* Removed dead link from docs (#3360)Alex Gaynor2017-01-211-3/+2
|
* add a SAN to the certificatebuilder example (#3353)Paul Kehrer2017-01-181-0/+6
| | | | Evidently users copy/paste these examples so adding a SAN here will help people screw up less. Fixes #3314
* fix #3308 (#3352)Paul Kehrer2017-01-181-3/+1
|
* It is 2017, in UTC (#3342)Alex Gaynor2016-12-311-1/+1
|
* Fixed #3334 -- added Python 3.6 support (#3335)Alex Gaynor2016-12-231-2/+2
| | | | | | | | | | * Fixed #3334 -- added Python 3.6 support * install py36 * empty commit to retrigger travis * this is an impressively dumb typo
* add openssl_version_number & doc openssl_version_text (#3329)Paul Kehrer2016-12-211-0/+14
| | | | | | | | | | * add openssl_version_number & doc openssl_version_text fixes #3315 * more docs + actually assert on the test... * text
* We test the latest version of 1.1.0 (#3327)Alex Gaynor2016-12-181-1/+1
|
* Drop 1.0.0 (#3312)Alex Gaynor2016-12-135-30/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * delete the 1.0.0 support * drop the version check * drop the AES-CTR stuff * Update the example * openssl truncates for us now * delete unused test * unused imports * Remove a bunch of conditional bindings for NPN * no more 1.0.0 builders * libressl fix * update the docs * remove dead branches * oops * this is a word, damnit * spelling * try removing this * this test is not needed * unused import
* document DHBackend is implemented for OpenSSL (#3304)Paul Kehrer2016-12-111-0/+1
|
* Scrypt docs code example contradict RFC 7914 (#3302) (#3303)Nick Badger2016-12-102-12/+15
| | | | | | | | | | | | * Scrypt docs code example contradict RFC 7914 (#3302) * More secure example difficulty of parameter n in scrypt docs (#3302) * Change link text to scrypt paper (#3302) * Change link text to scrypt paper, part deux (#3302) * Add "logins" to spelling wordlist
* New osrandom_engine in C (#3229)Christian Heimes2016-12-092-0/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * New osrandom_engine in C Inspired by Python/random.c and the old implementation. Signed-off-by: Christian Heimes <christian@python.org> * osrandom_engine * Fix naming bug caused by search 'n replace mistake * Make it easier to override osrandom auto-detection * Add engine ctrl and backend API to get implementation from ENGINE Signed-off-by: Christian Heimes <christian@python.org> * Better test coverage, documentation, LICENSE Signed-off-by: Christian Heimes <christian@python.org> * Coverage is hard. Signed-off-by: Christian Heimes <christian@python.org> * * enable win32 check * read() returns size_t Signed-off-by: Christian Heimes <christian@python.org> * Add macOS to spelling list. Remove dead code from header file. Signed-off-by: Christian Heimes <christian@python.org> * remove CCRandomGenerateBytes path and update getentropy to work on macOS This change allows us to test all the engines in our CI: * getentropy (tested by macOS sierra) * getrandom (tested on several linux builders) * /dev/urandom (tested on FreeBSD, OS X 10.11 and below, & older linux) * CryptGenRandom (tested on windows builders) I also fixed bugs preventing compilation in the getentropy code * getentropy() returns int and is restricted to 256 bytes on macOS, too. Signed-off-by: Christian Heimes <christian@python.org> * add versionadded * Re-add import of os module * Fixes related to Alex's recent review. Signed-off-by: Christian Heimes <christian@python.org> * Add error reporting and fail for EAGAIN Add error reporting strings for various error cases. This gives us much nicer and understandable error messages. SYS_getrandom() EAGAIN is now an error. Cryptography refuses to initialize its osrandom engine when the Kernel's CPRNG hasn't been seeded yet. Signed-off-by: Christian Heimes <christian@python.org>
* Sierra is a thing (#3294)Alex Gaynor2016-12-021-2/+2
|
* OpenSSL DH backend implementation [Second attempt] (#2914)Aviv Palivoda2016-11-264-45/+135
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Start of OpenSSL DH backend implementation * Supporting DH in MultiBackend * DHBackend has dh_parameters_supported method * Removed DHParametersWithNumbers and DHPrivateKeyWithNumbers from documentation * Removed ExchangeContext. exchange is a method of DHPrivateKeyWithSerialization * PEP8 fixes * Fixed TestDH.test_bad_tls_exchange * Fixed generate_private_key reference in dh documentation * test DH multibackend support * testing DH coversion to serialized * Validating that we receive serialized class in test_generate_dh * Testing DH exchange symmetric key padding * struct DH is now opaqued * PEP8 fixes * Testing load_dh_private_numbers throws ValueError when DH_check fails * Using openssl_assert * Passing keywords arguments in DH key exchange example * test_dh::test_bad_tls_exchange now uses pre calculated parameters * TestDH - Add test that the computed secret is equivalent to the definition by comparing with secret computed in pure python * Add missing generator parameter to DHBackend interface docs. * Include parameter type in DHBackend abc docs. * Add docs for dh.generate_parameters function * Remove the dh Numbers section, and move the DHNumbers class docs to where they are first used. * Add note of big endian byte packing to DH exchange method. * DH documentation updates. Add single sentence overview with wikipedia link. Add paragraph on assembling using Numbers objects. Add link to backend interface docs. First section was all indented, I think by mistake. * Add exchange method to DHPrivateKey abstract base class. * Small tweaks to DH documentation - remove Provider. * Add endian to dictionary * Use utils.int_from_bytes in test_tls_exchange_algorithm * Removed duplicate line * Change dh.rst exchange algorithm from doctest to code-block The example in the Diffie-Hellman exhange algorithm is using 2048 bits key. Generating the parameters of 2048 takes long time. This caused the automated tests to fail. In order to pass the tests we change the example to code-block so it will not run in the doc tests. * Fix dh docs * Document the generator in DHBackend relevant methods * Fix dh tests * use DHparams_dup * Fix key type to unsigned char as expected by DH_compute_key * Validate that DH generator is 2 or 5 * test dh exchange using botan vectors * group all numbers classes * Simplify _DHPrivateKey * Rename test with serialized to numbers * Move bad exchange params to external vector file * update exchange versionadded to 1.7 * Make key_size bit accurate * Change botan link * Added CHANGELOG entry
* Error out on OpenSSL 1.0.0 by default (#3276)Alex Gaynor2016-11-222-6/+15
| | | | | | * Error out on OpenSSL 1.0.0 by default * what the heck
* update docs and changelog for prehashed support (#3268)Paul Kehrer2016-11-201-3/+15
|
* add support for prehashing in ECDSA sign/verify (#3267)Paul Kehrer2016-11-201-1/+5
| | | | | | * add support for prehashing in ECDSA sign/verify * move signature_algorithm check to its own function