1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
|
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from __future__ import absolute_import, division, print_function
import sys
import cffi
from cryptography.primitives import interfaces
class API(object):
"""
OpenSSL API wrapper.
"""
_modules = [
"asn1",
"bignum",
"bio",
"conf",
"crypto",
"dh",
"dsa",
"engine",
"err",
"evp",
"nid",
"opensslv",
"pem",
"pkcs7",
"pkcs12",
"rand",
"rsa",
"ssl",
"x509",
"x509name",
"x509v3",
]
def __init__(self):
self.ffi = cffi.FFI()
includes = []
functions = []
macros = []
for name in self._modules:
__import__("cryptography.bindings.openssl." + name)
module = sys.modules["cryptography.bindings.openssl." + name]
self.ffi.cdef(module.TYPES)
macros.append(module.MACROS)
functions.append(module.FUNCTIONS)
includes.append(module.INCLUDES)
# loop over the functions & macros after declaring all the types
# so we can set interdependent types in different files and still
# have them all defined before we parse the funcs & macros
for func in functions:
self.ffi.cdef(func)
for macro in macros:
self.ffi.cdef(macro)
# We include functions here so that if we got any of their definitions
# wrong, the underlying C compiler will explode. In C you are allowed
# to re-declare a function if it has the same signature. That is:
# int foo(int);
# int foo(int);
# is legal, but the following will fail to compile:
# int foo(int);
# int foo(short);
self.lib = self.ffi.verify(
source="\n".join(includes + functions),
libraries=["crypto", "ssl"],
)
self.lib.OpenSSL_add_all_algorithms()
self.lib.SSL_load_error_strings()
def openssl_version_text(self):
"""
Friendly string name of linked OpenSSL.
Example: OpenSSL 1.0.1e 11 Feb 2013
"""
return self.ffi.string(self.lib.OPENSSL_VERSION_TEXT).decode("ascii")
def supports_cipher(self, ciphername):
return (self.ffi.NULL !=
self.lib.EVP_get_cipherbyname(ciphername.encode("ascii")))
def create_block_cipher_context(self, cipher, mode):
ctx = self.lib.EVP_CIPHER_CTX_new()
ctx = self.ffi.gc(ctx, self.lib.EVP_CIPHER_CTX_free)
# TODO: compute name using a better algorithm
ciphername = "{0}-{1}-{2}".format(
cipher.name, cipher.key_size, mode.name
).lower()
evp_cipher = self.lib.EVP_get_cipherbyname(ciphername.encode("ascii"))
assert evp_cipher != self.ffi.NULL
if isinstance(mode, interfaces.ModeWithInitializationVector):
iv_nonce = mode.initialization_vector
elif isinstance(mode, interfaces.ModeWithNonce):
iv_nonce = mode.nonce
else:
iv_nonce = self.ffi.NULL
# TODO: Sometimes this needs to be a DecryptInit, when?
res = self.lib.EVP_EncryptInit_ex(
ctx, evp_cipher, self.ffi.NULL, cipher.key, iv_nonce
)
assert res != 0
# We purposely disable padding here as it's handled higher up in the
# API.
self.lib.EVP_CIPHER_CTX_set_padding(ctx, 0)
return ctx
def update_encrypt_context(self, ctx, plaintext):
block_size = self.lib.EVP_CIPHER_CTX_block_size(ctx)
buf = self.ffi.new("unsigned char[]", len(plaintext) + block_size - 1)
outlen = self.ffi.new("int *")
res = self.lib.EVP_EncryptUpdate(
ctx, buf, outlen, plaintext, len(plaintext)
)
assert res != 0
return self.ffi.buffer(buf)[:outlen[0]]
def finalize_encrypt_context(self, ctx):
block_size = self.lib.EVP_CIPHER_CTX_block_size(ctx)
buf = self.ffi.new("unsigned char[]", block_size)
outlen = self.ffi.new("int *")
res = self.lib.EVP_EncryptFinal_ex(ctx, buf, outlen)
assert res != 0
res = self.lib.EVP_CIPHER_CTX_cleanup(ctx)
assert res != 0
return self.ffi.buffer(buf)[:outlen[0]]
def supports_hash(self, hash_cls):
return (self.ffi.NULL !=
self.lib.EVP_get_digestbyname(hash_cls.name.encode("ascii")))
def create_hash_context(self, hashobject):
ctx = self.lib.EVP_MD_CTX_create()
ctx = self.ffi.gc(ctx, self.lib.EVP_MD_CTX_destroy)
evp_md = self.lib.EVP_get_digestbyname(hashobject.name.encode("ascii"))
assert evp_md != self.ffi.NULL
res = self.lib.EVP_DigestInit_ex(ctx, evp_md, self.ffi.NULL)
assert res != 0
return ctx
def update_hash_context(self, ctx, data):
res = self.lib.EVP_DigestUpdate(ctx, data, len(data))
assert res != 0
def finalize_hash_context(self, ctx, digest_size):
buf = self.ffi.new("unsigned char[]", digest_size)
res = self.lib.EVP_DigestFinal_ex(ctx, buf, self.ffi.NULL)
assert res != 0
return self.ffi.buffer(buf)[:digest_size]
def copy_hash_context(self, ctx):
copied_ctx = self.lib.EVP_MD_CTX_create()
copied_ctx = self.ffi.gc(copied_ctx, self.lib.EVP_MD_CTX_destroy)
res = self.lib.EVP_MD_CTX_copy_ex(copied_ctx, ctx)
assert res != 0
return copied_ctx
api = API()
|
