Compare commits
No commits in common. 'c9' and 'c8-stream-3.9_bootstrap' have entirely different histories.
c9
...
c8-stream-
@ -1,2 +1,2 @@
|
||||
SOURCES/cryptography-36.0.1-vendor.tar.bz2
|
||||
SOURCES/cryptography-36.0.1.tar.gz
|
||||
SOURCES/cryptography-3.3.1.tar.gz
|
||||
SOURCES/gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
|
||||
|
@ -1,2 +1,2 @@
|
||||
83753a12e56c7d0b56f247da937db941623ad97d SOURCES/cryptography-36.0.1-vendor.tar.bz2
|
||||
4fa9ddd61d6c962ccc36f1db98af498d5f239d06 SOURCES/cryptography-36.0.1.tar.gz
|
||||
f63b7bbf6ae3b6f4c178d1e8c1f89aac9507ba38 SOURCES/cryptography-3.3.1.tar.gz
|
||||
f98524280d6172bea44e6fe9aff332dd3cc5ed15 SOURCES/gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
|
||||
|
@ -1,71 +0,0 @@
|
||||
From d250d169e87168903a543248d0bfd6c37f2f6841 Mon Sep 17 00:00:00 2001
|
||||
From: Christian Heimes <christian@python.org>
|
||||
Date: Tue, 22 Feb 2022 00:37:32 +0200
|
||||
Subject: [PATCH 1/5] Block TripleDES in FIPS mode (#6879)
|
||||
|
||||
* Block TripleDES in FIPS mode
|
||||
|
||||
NIST SP-800-131A rev 2 lists TripleDES Encryption as disallowed in FIPS 140-3
|
||||
decryption as legacy use. Three-key TDEA is listed as deprecated
|
||||
throughout 2023 and disallowed after 2023.
|
||||
|
||||
For simplicity we block all use of TripleDES in FIPS mode.
|
||||
|
||||
Fixes: #6875
|
||||
Signed-off-by: Christian Heimes <christian@python.org>
|
||||
|
||||
* Fix flake
|
||||
---
|
||||
src/cryptography/hazmat/backends/openssl/backend.py | 13 ++++++-------
|
||||
tests/hazmat/primitives/utils.py | 4 ++++
|
||||
2 files changed, 10 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
|
||||
index 736452392..f38269e26 100644
|
||||
--- a/src/cryptography/hazmat/backends/openssl/backend.py
|
||||
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
|
||||
@@ -134,7 +134,9 @@ class Backend(BackendInterface):
|
||||
b"aes-192-gcm",
|
||||
b"aes-256-gcm",
|
||||
}
|
||||
- _fips_ciphers = (AES, TripleDES)
|
||||
+ # TripleDES encryption is disallowed/deprecated throughout 2023 in
|
||||
+ # FIPS 140-3. To keep it simple we denylist any use of TripleDES (TDEA).
|
||||
+ _fips_ciphers = (AES,)
|
||||
# Sometimes SHA1 is still permissible. That logic is contained
|
||||
# within the various *_supported methods.
|
||||
_fips_hashes = (
|
||||
@@ -323,12 +325,9 @@ class Backend(BackendInterface):
|
||||
|
||||
def cipher_supported(self, cipher, mode):
|
||||
if self._fips_enabled:
|
||||
- # FIPS mode requires AES or TripleDES, but only CBC/ECB allowed
|
||||
- # in TripleDES mode.
|
||||
- if not isinstance(cipher, self._fips_ciphers) or (
|
||||
- isinstance(cipher, TripleDES)
|
||||
- and not isinstance(mode, (CBC, ECB))
|
||||
- ):
|
||||
+ # FIPS mode requires AES. TripleDES is disallowed/deprecated in
|
||||
+ # FIPS 140-3.
|
||||
+ if not isinstance(cipher, self._fips_ciphers):
|
||||
return False
|
||||
|
||||
try:
|
||||
diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py
|
||||
index 93f117828..a367343ca 100644
|
||||
--- a/tests/hazmat/primitives/utils.py
|
||||
+++ b/tests/hazmat/primitives/utils.py
|
||||
@@ -469,6 +469,10 @@ def _kbkdf_cmac_counter_mode_test(backend, prf, ctr_loc, params):
|
||||
algorithm = supported_cipher_algorithms.get(prf)
|
||||
assert algorithm is not None
|
||||
|
||||
+ # TripleDES is disallowed in FIPS mode.
|
||||
+ if backend._fips_enabled and algorithm is algorithms.TripleDES:
|
||||
+ pytest.skip("TripleDES is not supported in FIPS mode.")
|
||||
+
|
||||
ctrkdf = KBKDFCMAC(
|
||||
algorithm,
|
||||
Mode.CounterMode,
|
||||
--
|
||||
2.35.1
|
||||
|
@ -1,319 +0,0 @@
|
||||
From ff80e3a27408657fef599f44ae1a9a875e005685 Mon Sep 17 00:00:00 2001
|
||||
From: Christian Heimes <christian@python.org>
|
||||
Date: Wed, 2 Mar 2022 21:47:04 +0200
|
||||
Subject: [PATCH 2/5] Disable DSA tests in FIPS mode (#6916)
|
||||
|
||||
* Disable DSA tests in FIPS mode
|
||||
|
||||
See: #6880
|
||||
|
||||
* ignore coverage for nested FIPS check
|
||||
|
||||
* Remove if branch
|
||||
|
||||
* Remove skip modulus branch
|
||||
|
||||
* Keep tests that don't use the backend
|
||||
---
|
||||
.../hazmat/backends/openssl/backend.py | 7 ++-
|
||||
tests/hazmat/primitives/test_dsa.py | 46 +++++++++++--------
|
||||
tests/hazmat/primitives/test_serialization.py | 24 ++++++++++
|
||||
tests/x509/test_x509.py | 43 ++++++++++++++---
|
||||
tests/x509/test_x509_ext.py | 4 ++
|
||||
5 files changed, 98 insertions(+), 26 deletions(-)
|
||||
|
||||
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
|
||||
index f38269e26..a6d0e8872 100644
|
||||
--- a/src/cryptography/hazmat/backends/openssl/backend.py
|
||||
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
|
||||
@@ -804,7 +804,12 @@ class Backend(BackendInterface):
|
||||
self.openssl_assert(res == 1)
|
||||
return evp_pkey
|
||||
|
||||
- def dsa_hash_supported(self, algorithm):
|
||||
+ def dsa_supported(self) -> bool:
|
||||
+ return not self._fips_enabled
|
||||
+
|
||||
+ def dsa_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool:
|
||||
+ if not self.dsa_supported():
|
||||
+ return False
|
||||
return self.hash_supported(algorithm)
|
||||
|
||||
def dsa_parameters_supported(self, p, q, g):
|
||||
diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py
|
||||
index 6028b600d..60681683d 100644
|
||||
--- a/tests/hazmat/primitives/test_dsa.py
|
||||
+++ b/tests/hazmat/primitives/test_dsa.py
|
||||
@@ -59,7 +59,12 @@ def test_skip_if_dsa_not_supported(backend):
|
||||
_skip_if_dsa_not_supported(backend, DummyHashAlgorithm(), 1, 1, 1)
|
||||
|
||||
|
||||
-class TestDSA(object):
|
||||
+
|
||||
+@pytest.mark.supported(
|
||||
+ only_if=lambda backend: backend.dsa_supported(),
|
||||
+ skip_message="Does not support DSA.",
|
||||
+)
|
||||
+class TestDSA:
|
||||
def test_generate_dsa_parameters(self, backend):
|
||||
parameters = dsa.generate_parameters(2048, backend)
|
||||
assert isinstance(parameters, dsa.DSAParameters)
|
||||
@@ -76,11 +81,6 @@ class TestDSA(object):
|
||||
),
|
||||
)
|
||||
def test_generate_dsa_keys(self, vector, backend):
|
||||
- if (
|
||||
- backend._fips_enabled
|
||||
- and vector["p"] < backend._fips_dsa_min_modulus
|
||||
- ):
|
||||
- pytest.skip("Small modulus blocked in FIPS mode")
|
||||
parameters = dsa.DSAParameterNumbers(
|
||||
p=vector["p"], q=vector["q"], g=vector["g"]
|
||||
).parameters(backend)
|
||||
@@ -389,7 +389,12 @@ class TestDSA(object):
|
||||
).private_key(backend)
|
||||
|
||||
|
||||
-class TestDSAVerification(object):
|
||||
+
|
||||
+@pytest.mark.supported(
|
||||
+ only_if=lambda backend: backend.dsa_supported(),
|
||||
+ skip_message="Does not support DSA.",
|
||||
+)
|
||||
+class TestDSAVerification:
|
||||
def test_dsa_verification(self, backend, subtests):
|
||||
vectors = load_vectors_from_file(
|
||||
os.path.join("asymmetric", "DSA", "FIPS_186-3", "SigVer.rsp"),
|
||||
@@ -481,17 +486,12 @@ class TestDSAVerification(object):
|
||||
Prehashed(hashes.SHA1()) # type: ignore[arg-type]
|
||||
)
|
||||
|
||||
- def test_prehashed_unsupported_in_verifier_ctx(self, backend):
|
||||
- public_key = DSA_KEY_1024.private_key(backend).public_key()
|
||||
- with pytest.raises(TypeError), pytest.warns(
|
||||
- CryptographyDeprecationWarning
|
||||
- ):
|
||||
- public_key.verifier(
|
||||
- b"0" * 64, Prehashed(hashes.SHA1()) # type: ignore[arg-type]
|
||||
- )
|
||||
-
|
||||
|
||||
-class TestDSASignature(object):
|
||||
+@pytest.mark.supported(
|
||||
+ only_if=lambda backend: backend.dsa_supported(),
|
||||
+ skip_message="Does not support DSA.",
|
||||
+)
|
||||
+class TestDSASignature:
|
||||
def test_dsa_signing(self, backend, subtests):
|
||||
vectors = load_vectors_from_file(
|
||||
os.path.join("asymmetric", "DSA", "FIPS_186-3", "SigGen.txt"),
|
||||
@@ -695,7 +695,11 @@ class TestDSANumberEquality(object):
|
||||
assert priv != object()
|
||||
|
||||
|
||||
-class TestDSASerialization(object):
|
||||
+@pytest.mark.supported(
|
||||
+ only_if=lambda backend: backend.dsa_supported(),
|
||||
+ skip_message="Does not support DSA.",
|
||||
+)
|
||||
+class TestDSASerialization:
|
||||
@pytest.mark.parametrize(
|
||||
("fmt", "password"),
|
||||
itertools.product(
|
||||
@@ -916,7 +920,11 @@ class TestDSASerialization(object):
|
||||
)
|
||||
|
||||
|
||||
-class TestDSAPEMPublicKeySerialization(object):
|
||||
+@pytest.mark.supported(
|
||||
+ only_if=lambda backend: backend.dsa_supported(),
|
||||
+ skip_message="Does not support DSA.",
|
||||
+)
|
||||
+class TestDSAPEMPublicKeySerialization:
|
||||
@pytest.mark.parametrize(
|
||||
("key_path", "loader_func", "encoding"),
|
||||
[
|
||||
diff --git a/tests/hazmat/primitives/test_serialization.py b/tests/hazmat/primitives/test_serialization.py
|
||||
index fb6b753de..5a2b9fba5 100644
|
||||
--- a/tests/hazmat/primitives/test_serialization.py
|
||||
+++ b/tests/hazmat/primitives/test_serialization.py
|
||||
@@ -141,6 +141,10 @@ class TestDERSerialization(object):
|
||||
assert isinstance(key, rsa.RSAPrivateKey)
|
||||
_check_rsa_private_numbers(key.private_numbers())
|
||||
|
||||
+ @pytest.mark.supported(
|
||||
+ only_if=lambda backend: backend.dsa_supported(),
|
||||
+ skip_message="Does not support DSA.",
|
||||
+ )
|
||||
@pytest.mark.parametrize(
|
||||
("key_path", "password"),
|
||||
[
|
||||
@@ -341,6 +345,10 @@ class TestDERSerialization(object):
|
||||
with pytest.raises(ValueError):
|
||||
load_der_public_key(b"invalid data", backend)
|
||||
|
||||
+ @pytest.mark.supported(
|
||||
+ only_if=lambda backend: backend.dsa_supported(),
|
||||
+ skip_message="Does not support DSA.",
|
||||
+ )
|
||||
@pytest.mark.parametrize(
|
||||
"key_file",
|
||||
[
|
||||
@@ -422,6 +430,10 @@ class TestPEMSerialization(object):
|
||||
assert isinstance(key, rsa.RSAPrivateKey)
|
||||
_check_rsa_private_numbers(key.private_numbers())
|
||||
|
||||
+ @pytest.mark.supported(
|
||||
+ only_if=lambda backend: backend.dsa_supported(),
|
||||
+ skip_message="Does not support DSA.",
|
||||
+ )
|
||||
@pytest.mark.parametrize(
|
||||
("key_path", "password"),
|
||||
[
|
||||
@@ -490,6 +502,10 @@ class TestPEMSerialization(object):
|
||||
numbers = key.public_numbers()
|
||||
assert numbers.e == 65537
|
||||
|
||||
+ @pytest.mark.supported(
|
||||
+ only_if=lambda backend: backend.dsa_supported(),
|
||||
+ skip_message="Does not support DSA.",
|
||||
+ )
|
||||
@pytest.mark.parametrize(
|
||||
("key_file"),
|
||||
[
|
||||
@@ -894,6 +910,10 @@ class TestPEMSerialization(object):
|
||||
16,
|
||||
)
|
||||
|
||||
+ @pytest.mark.supported(
|
||||
+ only_if=lambda backend: backend.dsa_supported(),
|
||||
+ skip_message="Does not support DSA.",
|
||||
+ )
|
||||
def test_load_pem_dsa_private_key(self, backend):
|
||||
key = load_vectors_from_file(
|
||||
os.path.join("asymmetric", "PKCS8", "unenc-dsa-pkcs8.pem"),
|
||||
@@ -2313,6 +2333,10 @@ class TestOpenSSHSerialization(object):
|
||||
DummyKeySerializationEncryption(),
|
||||
)
|
||||
|
||||
+ @pytest.mark.supported(
|
||||
+ only_if=lambda backend: backend.dsa_supported(),
|
||||
+ skip_message="Does not support DSA.",
|
||||
+ )
|
||||
@pytest.mark.parametrize(
|
||||
("key_path", "supported"),
|
||||
[
|
||||
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
|
||||
index 23e97a768..7a7a52977 100644
|
||||
--- a/tests/x509/test_x509.py
|
||||
+++ b/tests/x509/test_x509.py
|
||||
@@ -2561,7 +2561,21 @@ class TestCertificateBuilder(object):
|
||||
only_if=lambda backend: backend.hash_supported(hashes.MD5()),
|
||||
skip_message="Requires OpenSSL with MD5 support",
|
||||
)
|
||||
- def test_sign_dsa_with_md5(self, backend):
|
||||
+ @pytest.mark.supported(
|
||||
+ only_if=lambda backend: backend.dsa_supported(),
|
||||
+ skip_message="Does not support DSA.",
|
||||
+ )
|
||||
+ @pytest.mark.parametrize(
|
||||
+ "hash_algorithm",
|
||||
+ [
|
||||
+ hashes.MD5(),
|
||||
+ hashes.SHA3_224(),
|
||||
+ hashes.SHA3_256(),
|
||||
+ hashes.SHA3_384(),
|
||||
+ hashes.SHA3_512(),
|
||||
+ ],
|
||||
+ )
|
||||
+ def test_sign_dsa_with_unsupported_hash(self, hash_algorithm, backend):
|
||||
private_key = DSA_KEY_2048.private_key(backend)
|
||||
builder = x509.CertificateBuilder()
|
||||
builder = (
|
||||
@@ -2602,6 +2616,10 @@ class TestCertificateBuilder(object):
|
||||
with pytest.raises(ValueError):
|
||||
builder.sign(private_key, hashes.MD5(), backend)
|
||||
|
||||
+ @pytest.mark.supported(
|
||||
+ only_if=lambda backend: backend.dsa_supported(),
|
||||
+ skip_message="Does not support DSA.",
|
||||
+ )
|
||||
@pytest.mark.parametrize(
|
||||
("hashalg", "hashalg_oid"),
|
||||
[
|
||||
@@ -2615,9 +2633,6 @@ class TestCertificateBuilder(object):
|
||||
def test_build_cert_with_dsa_private_key(
|
||||
self, hashalg, hashalg_oid, backend
|
||||
):
|
||||
- if backend._fips_enabled and hashalg is hashes.SHA1:
|
||||
- pytest.skip("SHA1 not supported in FIPS mode")
|
||||
-
|
||||
issuer_private_key = DSA_KEY_2048.private_key(backend)
|
||||
subject_private_key = DSA_KEY_2048.private_key(backend)
|
||||
|
||||
@@ -3646,6 +3661,10 @@ class TestCertificateSigningRequestBuilder(object):
|
||||
only_if=lambda backend: backend.hash_supported(hashes.MD5()),
|
||||
skip_message="Requires OpenSSL with MD5 support",
|
||||
)
|
||||
+ @pytest.mark.supported(
|
||||
+ only_if=lambda backend: backend.dsa_supported(),
|
||||
+ skip_message="Does not support DSA.",
|
||||
+ )
|
||||
def test_sign_dsa_with_md5(self, backend):
|
||||
private_key = DSA_KEY_2048.private_key(backend)
|
||||
builder = x509.CertificateSigningRequestBuilder().subject_name(
|
||||
@@ -3969,6 +3988,10 @@ class TestCertificateSigningRequestBuilder(object):
|
||||
assert basic_constraints.value.ca is True
|
||||
assert basic_constraints.value.path_length == 2
|
||||
|
||||
+ @pytest.mark.supported(
|
||||
+ only_if=lambda backend: backend.dsa_supported(),
|
||||
+ skip_message="Does not support DSA.",
|
||||
+ )
|
||||
def test_build_ca_request_with_dsa(self, backend):
|
||||
private_key = DSA_KEY_2048.private_key(backend)
|
||||
|
||||
@@ -4319,7 +4342,11 @@ class TestCertificateSigningRequestBuilder(object):
|
||||
builder.sign(private_key, hashes.SHA512(), backend)
|
||||
|
||||
|
||||
-class TestDSACertificate(object):
|
||||
+@pytest.mark.supported(
|
||||
+ only_if=lambda backend: backend.dsa_supported(),
|
||||
+ skip_message="Does not support DSA.",
|
||||
+)
|
||||
+class TestDSACertificate:
|
||||
def test_load_dsa_cert(self, backend):
|
||||
cert = _load_cert(
|
||||
os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
|
||||
@@ -4444,7 +4471,11 @@ class TestDSACertificate(object):
|
||||
)
|
||||
|
||||
|
||||
-class TestDSACertificateRequest(object):
|
||||
+@pytest.mark.supported(
|
||||
+ only_if=lambda backend: backend.dsa_supported(),
|
||||
+ skip_message="Does not support DSA.",
|
||||
+)
|
||||
+class TestDSACertificateRequest:
|
||||
@pytest.mark.parametrize(
|
||||
("path", "loader_func"),
|
||||
[
|
||||
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
|
||||
index 4173dece6..66ac43d95 100644
|
||||
--- a/tests/x509/test_x509_ext.py
|
||||
+++ b/tests/x509/test_x509_ext.py
|
||||
@@ -1712,6 +1712,10 @@ class TestSubjectKeyIdentifierExtension(object):
|
||||
ski = x509.SubjectKeyIdentifier.from_public_key(cert.public_key())
|
||||
assert ext.value == ski
|
||||
|
||||
+ @pytest.mark.supported(
|
||||
+ only_if=lambda backend: backend.dsa_supported(),
|
||||
+ skip_message="Does not support DSA.",
|
||||
+ )
|
||||
def test_from_dsa_public_key(self, backend):
|
||||
cert = _load_cert(
|
||||
os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
|
||||
--
|
||||
2.35.1
|
||||
|
@ -1,26 +0,0 @@
|
||||
From 20bafea414bcc08bfcb5b669ecbf9a3438ff7b78 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Gaynor <alex.gaynor@gmail.com>
|
||||
Date: Thu, 3 Mar 2022 15:44:02 -0500
|
||||
Subject: [PATCH 3/5] fixes #6927 -- handle negative return values from openssl
|
||||
(#6928)
|
||||
|
||||
---
|
||||
src/cryptography/hazmat/backends/openssl/rsa.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
|
||||
index 9bef49d24..dd5d4990b 100644
|
||||
--- a/src/cryptography/hazmat/backends/openssl/rsa.py
|
||||
+++ b/src/cryptography/hazmat/backends/openssl/rsa.py
|
||||
@@ -208,7 +208,7 @@ def _rsa_sig_setup(backend, padding, algorithm, key, init_func):
|
||||
if algorithm is not None:
|
||||
evp_md = backend._evp_md_non_null_from_algorithm(algorithm)
|
||||
res = backend._lib.EVP_PKEY_CTX_set_signature_md(pkey_ctx, evp_md)
|
||||
- if res == 0:
|
||||
+ if res <= 0:
|
||||
backend._consume_errors()
|
||||
raise UnsupportedAlgorithm(
|
||||
"{} is not supported by this backend for RSA signing.".format(
|
||||
--
|
||||
2.35.1
|
||||
|
@ -1,24 +0,0 @@
|
||||
From 820d9527070ad2c7724dcecf1a35dbac7d68621d Mon Sep 17 00:00:00 2001
|
||||
From: Christian Heimes <christian@python.org>
|
||||
Date: Tue, 1 Mar 2022 16:22:51 +0100
|
||||
Subject: [PATCH 4/5] Disable test_openssl_assert_error_on_stack in FIPS mode
|
||||
|
||||
---
|
||||
tests/hazmat/bindings/test_openssl.py | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
|
||||
index 129928ac0..9839aec4d 100644
|
||||
--- a/tests/hazmat/bindings/test_openssl.py
|
||||
+++ b/tests/hazmat/bindings/test_openssl.py
|
||||
@@ -84,6 +84,7 @@ class TestOpenSSL(object):
|
||||
with pytest.raises(AttributeError):
|
||||
b.lib.TLS_ST_OK
|
||||
|
||||
+ @pytest.mark.skip_fips(reason="FIPS maps to different error codes")
|
||||
def test_openssl_assert_error_on_stack(self):
|
||||
b = Binding()
|
||||
b.lib.ERR_put_error(
|
||||
--
|
||||
2.35.1
|
||||
|
@ -1,67 +0,0 @@
|
||||
From 89af85f9d4fc2ef3e89ad1b2a58c751f00f54a4f Mon Sep 17 00:00:00 2001
|
||||
From: Alex Gaynor <alex.gaynor@gmail.com>
|
||||
Date: Thu, 3 Mar 2022 16:24:21 -0500
|
||||
Subject: [PATCH 5/5] Fixed serialization of keyusage ext with no bits (#6930)
|
||||
|
||||
fixes #6926
|
||||
---
|
||||
src/rust/src/x509/extensions.rs | 17 +++++++++++------
|
||||
tests/x509/test_x509_ext.py | 14 ++++++++++++++
|
||||
2 files changed, 25 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs
|
||||
index 606566dd9..68b9839a0 100644
|
||||
--- a/src/rust/src/x509/extensions.rs
|
||||
+++ b/src/rust/src/x509/extensions.rs
|
||||
@@ -135,12 +135,17 @@ pub(crate) fn encode_extension(
|
||||
certificate::set_bit(&mut bs, 7, ext.getattr("encipher_only")?.is_true()?);
|
||||
certificate::set_bit(&mut bs, 8, ext.getattr("decipher_only")?.is_true()?);
|
||||
}
|
||||
- let bits = if bs[1] == 0 { &bs[..1] } else { &bs[..] };
|
||||
- let unused_bits = bits.last().unwrap().trailing_zeros() as u8;
|
||||
- Ok(Some(asn1::write_single(&asn1::BitString::new(
|
||||
- bits,
|
||||
- unused_bits,
|
||||
- ))))
|
||||
+ let (bits, unused_bits) = if bs[1] == 0 {
|
||||
+ if bs[0] == 0 {
|
||||
+ (&[][..], 0)
|
||||
+ } else {
|
||||
+ (&bs[..1], bs[0].trailing_zeros() as u8)
|
||||
+ }
|
||||
+ } else {
|
||||
+ (&bs[..], bs[1].trailing_zeros() as u8)
|
||||
+ };
|
||||
+ let v = asn1::BitString::new(bits, unused_bits).unwrap();
|
||||
+ Ok(Some(asn1::write_single(&v)))
|
||||
} else if oid == &*oid::AUTHORITY_INFORMATION_ACCESS_OID
|
||||
|| oid == &*oid::SUBJECT_INFORMATION_ACCESS_OID
|
||||
{
|
||||
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
|
||||
index 66ac43d95..2bbba8ec6 100644
|
||||
--- a/tests/x509/test_x509_ext.py
|
||||
+++ b/tests/x509/test_x509_ext.py
|
||||
@@ -1137,6 +1137,20 @@ class TestKeyUsage(object):
|
||||
),
|
||||
b"\x03\x02\x02\x94",
|
||||
),
|
||||
+ (
|
||||
+ x509.KeyUsage(
|
||||
+ digital_signature=False,
|
||||
+ content_commitment=False,
|
||||
+ key_encipherment=False,
|
||||
+ data_encipherment=False,
|
||||
+ key_agreement=False,
|
||||
+ key_cert_sign=False,
|
||||
+ crl_sign=False,
|
||||
+ encipher_only=False,
|
||||
+ decipher_only=False,
|
||||
+ ),
|
||||
+ b"\x03\x01\x00",
|
||||
+ ),
|
||||
],
|
||||
)
|
||||
def test_public_bytes(self, ext, serialized):
|
||||
--
|
||||
2.35.1
|
||||
|
@ -1,42 +0,0 @@
|
||||
From 94a50a9731f35405f0357fa5f3b177d46a726ab3 Mon Sep 17 00:00:00 2001
|
||||
From: Alex Gaynor <alex.gaynor@gmail.com>
|
||||
Date: Tue, 31 Jan 2023 08:33:54 -0500
|
||||
Subject: [PATCH] Don't allow update_into to mutate immutable objects
|
||||
|
||||
---
|
||||
src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
|
||||
tests/hazmat/primitives/test_ciphers.py | 8 ++++++++
|
||||
2 files changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
|
||||
index 286583f9325..075d68fb905 100644
|
||||
--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
|
||||
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
|
||||
@@ -156,7 +156,7 @@ def update_into(self, data: bytes, buf: bytes) -> int:
|
||||
data_processed = 0
|
||||
total_out = 0
|
||||
outlen = self._backend._ffi.new("int *")
|
||||
- baseoutbuf = self._backend._ffi.from_buffer(buf)
|
||||
+ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
|
||||
baseinbuf = self._backend._ffi.from_buffer(data)
|
||||
|
||||
while data_processed != total_data_len:
|
||||
diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
|
||||
index 02127dd9cab..bf3b047dec2 100644
|
||||
--- a/tests/hazmat/primitives/test_ciphers.py
|
||||
+++ b/tests/hazmat/primitives/test_ciphers.py
|
||||
@@ -318,6 +318,14 @@ def test_update_into_buffer_too_small(self, backend):
|
||||
with pytest.raises(ValueError):
|
||||
encryptor.update_into(b"testing", buf)
|
||||
|
||||
+ def test_update_into_immutable(self, backend):
|
||||
+ key = b"\x00" * 16
|
||||
+ c = ciphers.Cipher(AES(key), modes.ECB(), backend)
|
||||
+ encryptor = c.encryptor()
|
||||
+ buf = b"\x00" * 32
|
||||
+ with pytest.raises((TypeError, BufferError)):
|
||||
+ encryptor.update_into(b"testing", buf)
|
||||
+
|
||||
@pytest.mark.supported(
|
||||
only_if=lambda backend: backend.cipher_supported(
|
||||
AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)
|
@ -1,83 +0,0 @@
|
||||
From ca92d13436944090faa79ffc25378c45ec564a4d Mon Sep 17 00:00:00 2001
|
||||
From: Alex Gaynor <alex.gaynor@gmail.com>
|
||||
Date: Wed, 14 Dec 2022 01:50:06 -0500
|
||||
Subject: [PATCH] Adapt for OpenSSL RSA bleichenbacher mitigation (#7895)
|
||||
|
||||
Attempt to work-around wycheproof tests
|
||||
---
|
||||
src/_cffi_src/openssl/rsa.py | 8 ++++++++
|
||||
tests/hazmat/primitives/test_rsa.py | 5 +++--
|
||||
tests/wycheproof/test_rsa.py | 20 +++++++++++++++-----
|
||||
3 files changed, 26 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/src/_cffi_src/openssl/rsa.py b/src/_cffi_src/openssl/rsa.py
|
||||
index 5d1e163b1..2682ea1e4 100644
|
||||
--- a/src/_cffi_src/openssl/rsa.py
|
||||
+++ b/src/_cffi_src/openssl/rsa.py
|
||||
@@ -18,6 +18,8 @@ static const int RSA_F4;
|
||||
|
||||
static const int Cryptography_HAS_RSA_OAEP_MD;
|
||||
static const int Cryptography_HAS_RSA_OAEP_LABEL;
|
||||
+
|
||||
+static const int Cryptography_HAS_IMPLICIT_RSA_REJECTION;
|
||||
"""
|
||||
|
||||
FUNCTIONS = """
|
||||
@@ -57,4 +59,10 @@ int (*EVP_PKEY_CTX_set_rsa_oaep_md)(EVP_PKEY_CTX *, EVP_MD *) = NULL;
|
||||
int (*EVP_PKEY_CTX_set0_rsa_oaep_label)(EVP_PKEY_CTX *, unsigned char *,
|
||||
int) = NULL;
|
||||
#endif
|
||||
+
|
||||
+#if defined(EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION)
|
||||
+static const int Cryptography_HAS_IMPLICIT_RSA_REJECTION = 1;
|
||||
+#else
|
||||
+static const int Cryptography_HAS_IMPLICIT_RSA_REJECTION = 0;
|
||||
+#endif
|
||||
"""
|
||||
diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py
|
||||
index 4fb205db4..0315489dc 100644
|
||||
--- a/tests/hazmat/primitives/test_rsa.py
|
||||
+++ b/tests/hazmat/primitives/test_rsa.py
|
||||
@@ -1551,8 +1551,9 @@ class TestRSADecryption(object):
|
||||
private_key.decrypt(b"0" * 256, DummyAsymmetricPadding())
|
||||
|
||||
@pytest.mark.supported(
|
||||
- only_if=lambda backend: backend.rsa_padding_supported(
|
||||
- padding.PKCS1v15()
|
||||
+ only_if=lambda backend: (
|
||||
+ backend.rsa_padding_supported(padding.PKCS1v15())
|
||||
+ and not backend._lib.Cryptography_HAS_IMPLICIT_RSA_REJECTION
|
||||
),
|
||||
skip_message="Does not support PKCS1v1.5.",
|
||||
)
|
||||
diff --git a/tests/wycheproof/test_rsa.py b/tests/wycheproof/test_rsa.py
|
||||
index 79fd682b7..e6bd8af8a 100644
|
||||
--- a/tests/wycheproof/test_rsa.py
|
||||
+++ b/tests/wycheproof/test_rsa.py
|
||||
@@ -245,8 +245,18 @@ def test_rsa_pkcs1_encryption(backend, wycheproof):
|
||||
)
|
||||
assert pt == binascii.unhexlify(wycheproof.testcase["msg"])
|
||||
else:
|
||||
- with pytest.raises(ValueError):
|
||||
- key.decrypt(
|
||||
- binascii.unhexlify(wycheproof.testcase["ct"]),
|
||||
- padding.PKCS1v15(),
|
||||
- )
|
||||
+ if backend._lib.Cryptography_HAS_IMPLICIT_RSA_REJECTION:
|
||||
+ try:
|
||||
+ assert key.decrypt(
|
||||
+ binascii.unhexlify(wycheproof.testcase["ct"]),
|
||||
+ padding.PKCS1v15(),
|
||||
+ ) != binascii.unhexlify(wycheproof.testcase["ct"])
|
||||
+ except ValueError:
|
||||
+ # Some raise ValueError due to length mismatch.
|
||||
+ pass
|
||||
+ else:
|
||||
+ with pytest.raises(ValueError):
|
||||
+ key.decrypt(
|
||||
+ binascii.unhexlify(wycheproof.testcase["ct"]),
|
||||
+ padding.PKCS1v15(),
|
||||
+ )
|
||||
--
|
||||
2.40.1
|
||||
|
@ -1,22 +0,0 @@
|
||||
|
||||
class Skipper:
|
||||
"""Skip iso8601 and pretend tests
|
||||
|
||||
RHEL buildroot doesn't have python-iso8601 and python-pretend. Skip
|
||||
all tests that use the excluded modules.
|
||||
"""
|
||||
|
||||
def parse_date(self, datestring):
|
||||
pytest.skip(f"iso8601 module is not available.")
|
||||
|
||||
def stub(self, **kwargs):
|
||||
pytest.skip(f"pretend module is not available.")
|
||||
|
||||
def raiser(self, exc):
|
||||
pytest.skip(f"pretend module is not available.")
|
||||
|
||||
|
||||
import sys
|
||||
|
||||
sys.modules["iso8601"] = sys.modules["pretend"] = Skipper()
|
||||
|
@ -0,0 +1,11 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQEzBAABCAAdFiEEBf2foWz3VzUNkaVgI1rl8Sn57ZgFAl/RhUIACgkQI1rl8Sn5
|
||||
7ZibhQgAuSzb/GFPzSnTZN+lRPMTeDH33Eave/Z/ykvIfw81pGJi3h/Nb33A3u9N
|
||||
NRgoOvjnSBAB9T3ck/S//vj+0mH1fZIpiiop8oUUxEJQ+/I7o5Mo++H8kjPB8PA2
|
||||
IsELZCb7peQ1B6TWKIOV0mnprYRwvHUUM6oe8oblU3Zy/ptHm/ZQsEVx4J5pbach
|
||||
S6AB3BnAlM36jBZLE3IIVplX27xAt/o83KUGtpfTQ//O9CQ6YjvTppXMwwo91AUK
|
||||
4TsSN+CBvX7WiCDZjcVuv5QL1gcEZHv2UauliD5n8CEkyWA15ahHvLHhFSb1ECV3
|
||||
wRRIWsY2HUMvNddCt9QHEFQajficCA==
|
||||
=2lBg
|
||||
-----END PGP SIGNATURE-----
|
Loading…
Reference in new issue