From 6b22d6663dcba1a08a3662d9d0205005be6bcd86 Mon Sep 17 00:00:00 2001
From: Christopher Grebs
Date: Fri, 4 Sep 2015 23:14:33 +0200
Subject: Add support for RSA_R_OAEP_DECODING_ERROR error flag.
---
 src/_cffi_src/openssl/err.py | 9 +++++++++
 src/cryptography/hazmat/backends/openssl/rsa.py | 3 +++
 src/cryptography/hazmat/bindings/openssl/_conditional.py | 3 +++
 3 files changed, 15 insertions(+)
diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py
index 6ec13775..3eb783ee 100644
--- a/src/_cffi_src/openssl/err.py
+++ b/src/_cffi_src/openssl/err.py
@@ -14,6 +14,7 @@ static const int Cryptography_HAS_098H_ERROR_CODES;
 static const int Cryptography_HAS_098C_CAMELLIA_CODES;
 static const int Cryptography_HAS_EC_CODES;
 static const int Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR;
+static const int Cryptography_HAS_RSA_R_OAEP_DECODING_ERROR;
 struct ERR_string_data_st {
 unsigned long error;
@@ -230,6 +231,7 @@ static const int RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY;
 static const int RSA_R_BLOCK_TYPE_IS_NOT_01;
 static const int RSA_R_BLOCK_TYPE_IS_NOT_02;
 static const int RSA_R_PKCS_DECODING_ERROR;
+static const int RSA_R_OAEP_DECODING_ERROR;
 static const int RSA_F_RSA_SIGN;
 """
@@ -334,4 +336,11 @@ static const long Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR = 1;
 static const long Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR = 0;
 static const long RSA_R_PKCS_DECODING_ERROR = 0;
 #endif
+
+#ifdef RSA_R_OAEP_DECODING_ERROR
+static const long Cryptography_HAS_RSA_R_OAEP_DECODING_ERROR = 1;
+#else
+static const long Cryptography_HAS_RSA_R_OAEP_DECODING_ERROR = 0;
+static const long RSA_R_OAEP_DECODING_ERROR = 0;
+#endif
 """
diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
index 664f6d35..1be6f059 100644
--- a/src/cryptography/hazmat/backends/openssl/rsa.py
+++ b/src/cryptography/hazmat/backends/openssl/rsa.py
@@ -142,6 +142,9 @@ def _handle_rsa_enc_dec_error(backend, key):
 if backend._lib.Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR:
 decoding_errors.append(backend._lib.RSA_R_PKCS_DECODING_ERROR)
+ if backend._lib.Cryptography_HAS_RSA_R_OAEP_DECODING_ERROR:
+ decoding_errors.append(backend._lib.RSA_R_OAEP_DECODING_ERROR)
+
 assert errors[0].reason in decoding_errors
 raise ValueError("Decryption failed.")
diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py
index 206c2915..c4e39db9 100644
--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
@@ -219,6 +219,9 @@ CONDITIONAL_NAMES = {
 "Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR": [
 "RSA_R_PKCS_DECODING_ERROR"
 ],
+ "Cryptography_HAS_RSA_R_OAEP_DECODING_ERROR": [
+ "RSA_R_OAEP_DECODING_ERROR"
+ ],
 "Cryptography_HAS_GCM": [
 "EVP_CTRL_GCM_GET_TAG",
 "EVP_CTRL_GCM_SET_TAG",
-- 
cgit v1.2.3
From 525f713629a181e7dbaf3e8a84fc4373dbaeb4e4 Mon Sep 17 00:00:00 2001
From: Christopher Grebs
Date: Fri, 4 Sep 2015 23:46:40 +0200
Subject: Add simple test that would fail on decryption
---
 tests/hazmat/backends/test_openssl.py | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index ad2daf7d..98023e9d 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
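Review bot: The allow-list extended in `_handle_rsa_enc_dec_error` (rsa.py, `@@ -142,6 +142,9 @@`) is still enforced with `assert errors[0].reason in decoding_errors`, so an OpenSSL reason code that is not yet in the list surfaces as an `AssertionError` rather than the `ValueError("Decryption failed.")` on the next line, and under `python -O` the check is skipped altogether. Since the ciphertext reaching this path may be attacker-chosen, every decryption failure should look the same to the caller: drop the assert as a gate and let the branch always reach `raise ValueError("Decryption failed.")`, keeping the list only for a debug log or a test-side check. The later rsa.py hunk (`@@ -138,13 +138,11 @@`) that makes the OAEP entry unconditional leaves the same assert in place. The function starts and ends outside both hunks, so how `errors` is collected is not visible here.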
@@ -456,6 +456,29 @@ class TestOpenSSLRSA(object):
 )
 )
+ def test_supported_oaep_decrypt(self):
+ private_key = RSA_KEY_512.private_key(backend)
+
+ ciphertext = private_key.public_key().encrypt(
+ b'secure data',
+ padding.OAEP(
+ mgf=padding.MGF1(algorithm=hashes.SHA1()),
+ algorithm=hashes.SHA1(),
+ label=None
+ )
+ )
+
+ decrypted = private_key.decrypt(
+ ciphertext,
+ padding.OAEP(
+ mgf=padding.MGF1(algorithm=hashes.SHA1()),
+ algorithm=hashes.SHA1(),
+ label=None
+ )
+ )
+
+ assert decrypted == b'secure data'
+
 @pytest.mark.skipif(
 backend._lib.OPENSSL_VERSION_NUMBER <= 0x10001000,
-- 
cgit v1.2.3
From b6b810a5114fb0d0cdc0550eceab3734afb4dd41 Mon Sep 17 00:00:00 2001
From: Christopher Grebs
Date: Sat, 5 Sep 2015 00:06:38 +0200
Subject: Fixed test scenario to use different key.
---
 tests/hazmat/backends/test_openssl.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 98023e9d..a551b3fc 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -30,7 +30,7 @@ from cryptography.hazmat.primitives.ciphers.algorithms import AES
 from cryptography.hazmat.primitives.ciphers.modes import CBC, CTR, Mode
 from ..primitives.fixtures_dsa import DSA_KEY_2048
-from ..primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
+from ..primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512, RSA_KEY_512_ALT
 from ..primitives.test_ec import _skip_curve_unsupported
 from ...utils import load_vectors_from_file, raises_unsupported_algorithm
@@ -468,7 +468,7 @@ class TestOpenSSLRSA(object):
 )
 )
- decrypted = private_key.decrypt(
+ decrypted = RSA_KEY_512_ALT.private_key(backend).decrypt(
 ciphertext,
 padding.OAEP(
 mgf=padding.MGF1(algorithm=hashes.SHA1()),
-- 
cgit v1.2.3
From cb77736766fcd123ba2edd15502127455a4d7d6f Mon Sep 17 00:00:00 2001
From: Christopher Grebs
Date: Sat, 5 Sep 2015 00:08:55 +0200
Subject: Fix test again and add pytest.raises statement
---
 tests/hazmat/backends/test_openssl.py | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index a551b3fc..545ca6c2 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -468,16 +468,15 @@ class TestOpenSSLRSA(object):
 )
 )
- decrypted = RSA_KEY_512_ALT.private_key(backend).decrypt(
- ciphertext,
- padding.OAEP(
- mgf=padding.MGF1(algorithm=hashes.SHA1()),
- algorithm=hashes.SHA1(),
- label=None
+ with pytest.raises(ValueError):
+ RSA_KEY_512_ALT.private_key(backend).decrypt(
+ ciphertext,
+ padding.OAEP(
+ mgf=padding.MGF1(algorithm=hashes.SHA1()),
+ algorithm=hashes.SHA1(),
+ label=None
+ )
 )
- )
-
- assert decrypted == b'secure data'
 @pytest.mark.skipif(
-- 
cgit v1.2.3
From b4ff1182c4e6587369df0e96d072b06d40a8dd0c Mon Sep 17 00:00:00 2001
From: Christopher Grebs
Date: Sat, 5 Sep 2015 00:25:25 +0200
Subject: Move private key initialization out of pytest.raises block
---
 tests/hazmat/backends/test_openssl.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 545ca6c2..37633d6c 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -468,8 +468,10 @@ class TestOpenSSLRSA(object):
 )
 )
+ private_key_alt = RSA_KEY_512_ALT.private_key(backend)
+
 with pytest.raises(ValueError):
- RSA_KEY_512_ALT.private_key(backend).decrypt(
+ private_key_alt.decrypt(
 ciphertext,
 padding.OAEP(
 mgf=padding.MGF1(algorithm=hashes.SHA1()),
-- 
cgit v1.2.3
From 9413994899cdfcfef45f429b5a9d47b8f194179b Mon Sep 17 00:00:00 2001
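Review bot: `test_supported_oaep_decrypt` (the `with pytest.raises(ValueError):` hunk, `@@ -468,16 +468,15 @@`) asserts only that some `ValueError` is raised, so it does not pin that the OAEP decoding-error path is the one being exercised. The ciphertext comes from a fresh, randomized OAEP encryption under `RSA_KEY_512` and is then decrypted under `RSA_KEY_512_ALT`; depending on the two moduli, which are not visible here, OpenSSL may reject some ciphertexts for a different reason (for example `RSA_R_DATA_TOO_LARGE_FOR_MODULUS`), which would make the test intermittent. A fixed ciphertext vector known to fail OAEP decoding under the second key would make it deterministic, and a comment such as `# ciphertext is valid for RSA_KEY_512 only; decrypting with another key must raise ValueError` would state the intent. The copy later moved to tests/hazmat/primitives/test_rsa.py as `test_invalid_oaep_decryption` has the same shape.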
From: Paul Kehrer
Date: Sun, 27 Dec 2015 22:55:17 -0600
Subject: pep8 fix, rename test, add a comment to explain it
---
 tests/hazmat/backends/test_openssl.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 37633d6c..665504b4 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -30,7 +30,9 @@ from cryptography.hazmat.primitives.ciphers.algorithms import AES
 from cryptography.hazmat.primitives.ciphers.modes import CBC, CTR, Mode
 from ..primitives.fixtures_dsa import DSA_KEY_2048
-from ..primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512, RSA_KEY_512_ALT
+from ..primitives.fixtures_rsa import (
+ RSA_KEY_2048, RSA_KEY_512, RSA_KEY_512_ALT
+)
 from ..primitives.test_ec import _skip_curve_unsupported
 from ...utils import load_vectors_from_file, raises_unsupported_algorithm
@@ -456,7 +458,9 @@ class TestOpenSSLRSA(object):
 )
 )
- def test_supported_oaep_decrypt(self):
+ def test_invalid_oaep_decryption(self):
+ # More recent versions of OpenSSL may raise RSA_R_OAEP_DECODING_ERROR
+ # This test triggers it and confirms that we properly handle it.
 private_key = RSA_KEY_512.private_key(backend)
 ciphertext = private_key.public_key().encrypt(
-- 
cgit v1.2.3
From 7721785f388fbbfa3072e600931eefbf019442b7 Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Sun, 27 Dec 2015 23:14:17 -0600
Subject: move test
---
 tests/hazmat/backends/test_openssl.py | 30 +---------------------------
 tests/hazmat/primitives/test_rsa.py | 37 +++++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 29 deletions(-)
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 665504b4..ad2daf7d 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -30,9 +30,7 @@ from cryptography.hazmat.primitives.ciphers.algorithms import AES
 from cryptography.hazmat.primitives.ciphers.modes import CBC, CTR, Mode
 from ..primitives.fixtures_dsa import DSA_KEY_2048
-from ..primitives.fixtures_rsa import (
- RSA_KEY_2048, RSA_KEY_512, RSA_KEY_512_ALT
-)
+from ..primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
 from ..primitives.test_ec import _skip_curve_unsupported
 from ...utils import load_vectors_from_file, raises_unsupported_algorithm
@@ -458,32 +456,6 @@ class TestOpenSSLRSA(object):
 )
 )
- def test_invalid_oaep_decryption(self):
- # More recent versions of OpenSSL may raise RSA_R_OAEP_DECODING_ERROR
- # This test triggers it and confirms that we properly handle it.
- private_key = RSA_KEY_512.private_key(backend)
-
- ciphertext = private_key.public_key().encrypt(
- b'secure data',
- padding.OAEP(
- mgf=padding.MGF1(algorithm=hashes.SHA1()),
- algorithm=hashes.SHA1(),
- label=None
- )
- )
-
- private_key_alt = RSA_KEY_512_ALT.private_key(backend)
-
- with pytest.raises(ValueError):
- private_key_alt.decrypt(
- ciphertext,
- padding.OAEP(
- mgf=padding.MGF1(algorithm=hashes.SHA1()),
- algorithm=hashes.SHA1(),
- label=None
- )
- )
-
 @pytest.mark.skipif(
 backend._lib.OPENSSL_VERSION_NUMBER <= 0x10001000,
diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py
index 0b83fd65..b6213d6d 100644
--- a/tests/hazmat/primitives/test_rsa.py
+++ b/tests/hazmat/primitives/test_rsa.py
@@ -1194,6 +1194,43 @@ class TestRSADecryption(object):
 )
 assert message == binascii.unhexlify(example["message"])
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.rsa_padding_supported(
+ padding.OAEP(
+ mgf=padding.MGF1(algorithm=hashes.SHA1()),
+ algorithm=hashes.SHA1(),
+ label=None
+ )
+ ),
+ skip_message="Does not support OAEP."
+ )
+ def test_invalid_oaep_decryption(self, backend):
+ # More recent versions of OpenSSL may raise RSA_R_OAEP_DECODING_ERROR
+ # This test triggers it and confirms that we properly handle it. Other
+ # backends should also return the proper ValueError.
+ private_key = RSA_KEY_512.private_key(backend)
+
+ ciphertext = private_key.public_key().encrypt(
+ b'secure data',
+ padding.OAEP(
+ mgf=padding.MGF1(algorithm=hashes.SHA1()),
+ algorithm=hashes.SHA1(),
+ label=None
+ )
+ )
+
+ private_key_alt = RSA_KEY_512_ALT.private_key(backend)
+
+ with pytest.raises(ValueError):
+ private_key_alt.decrypt(
+ ciphertext,
+ padding.OAEP(
+ mgf=padding.MGF1(algorithm=hashes.SHA1()),
+ algorithm=hashes.SHA1(),
+ label=None
+ )
+ )
+
 def test_unsupported_oaep_mgf(self, backend):
 private_key = RSA_KEY_512.private_key(backend)
 with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_MGF):
-- 
cgit v1.2.3
From c809360573fc2ef659c154740c32e98f35fc5da9 Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Sun, 27 Dec 2015 23:55:39 -0600
Subject: RSA_R_OAEP_DECODING_ERROR is pretty ubiquitous
---
 src/_cffi_src/openssl/err.py | 8 --------
 src/cryptography/hazmat/backends/openssl/rsa.py | 4 +---
 src/cryptography/hazmat/bindings/openssl/_conditional.py | 3 ---
 3 files changed, 1 insertion(+), 14 deletions(-)
diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py
index 3eb783ee..9d97be16 100644
--- a/src/_cffi_src/openssl/err.py
+++ b/src/_cffi_src/openssl/err.py
@@ -14,7 +14,6 @@ static const int Cryptography_HAS_098H_ERROR_CODES;
 static const int Cryptography_HAS_098C_CAMELLIA_CODES;
 static const int Cryptography_HAS_EC_CODES;
 static const int Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR;
-static const int Cryptography_HAS_RSA_R_OAEP_DECODING_ERROR;
 struct ERR_string_data_st {
 unsigned long error;
@@ -336,11 +335,4 @@ static const long Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR = 1;
 static const long Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR = 0;
 static const long RSA_R_PKCS_DECODING_ERROR = 0;
 #endif
-
-#ifdef RSA_R_OAEP_DECODING_ERROR
-static const long Cryptography_HAS_RSA_R_OAEP_DECODING_ERROR = 1;
-#else
-static const long Cryptography_HAS_RSA_R_OAEP_DECODING_ERROR = 0;
-static const long RSA_R_OAEP_DECODING_ERROR = 0;
-#endif
 """
diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
index 1be6f059..033cd3b1 100644
--- a/src/cryptography/hazmat/backends/openssl/rsa.py
+++ b/src/cryptography/hazmat/backends/openssl/rsa.py
@@ -138,13 +138,11 @@ def _handle_rsa_enc_dec_error(backend, key):
 decoding_errors = [
 backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_01,
 backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_02,
+ backend._lib.RSA_R_OAEP_DECODING_ERROR,
 ]
 if backend._lib.Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR:
 decoding_errors.append(backend._lib.RSA_R_PKCS_DECODING_ERROR)
- if backend._lib.Cryptography_HAS_RSA_R_OAEP_DECODING_ERROR:
- decoding_errors.append(backend._lib.RSA_R_OAEP_DECODING_ERROR)
-
 assert errors[0].reason in decoding_errors
 raise ValueError("Decryption failed.")
diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py
index c4e39db9..206c2915 100644
--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
@@ -219,9 +219,6 @@ CONDITIONAL_NAMES = {
 "Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR": [
 "RSA_R_PKCS_DECODING_ERROR"
 ],
- "Cryptography_HAS_RSA_R_OAEP_DECODING_ERROR": [
- "RSA_R_OAEP_DECODING_ERROR"
- ],
 "Cryptography_HAS_GCM": [
 "EVP_CTRL_GCM_GET_TAG",
 "EVP_CTRL_GCM_SET_TAG",
-- 
cgit v1.2.3