Compare commits
No commits in common. 'c9' and 'i8c' have entirely different histories.
@ -1,2 +1 @@
|
|||||||
SOURCES/cryptography-36.0.1-vendor.tar.bz2
|
SOURCES/cryptography-3.2.1.tar.gz
|
||||||
SOURCES/cryptography-36.0.1.tar.gz
|
|
||||||
|
@ -1,2 +1 @@
|
|||||||
83753a12e56c7d0b56f247da937db941623ad97d SOURCES/cryptography-36.0.1-vendor.tar.bz2
|
20708a4955dcf7e2bb53d05418273d2bc0f80ab4 SOURCES/cryptography-3.2.1.tar.gz
|
||||||
4fa9ddd61d6c962ccc36f1db98af498d5f239d06 SOURCES/cryptography-36.0.1.tar.gz
|
|
||||||
|
@ -1,71 +0,0 @@
|
|||||||
From d250d169e87168903a543248d0bfd6c37f2f6841 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Christian Heimes <christian@python.org>
|
|
||||||
Date: Tue, 22 Feb 2022 00:37:32 +0200
|
|
||||||
Subject: [PATCH 1/5] Block TripleDES in FIPS mode (#6879)
|
|
||||||
|
|
||||||
* Block TripleDES in FIPS mode
|
|
||||||
|
|
||||||
NIST SP-800-131A rev 2 lists TripleDES Encryption as disallowed in FIPS 140-3
|
|
||||||
decryption as legacy use. Three-key TDEA is listed as deprecated
|
|
||||||
throughout 2023 and disallowed after 2023.
|
|
||||||
|
|
||||||
For simplicity we block all use of TripleDES in FIPS mode.
|
|
||||||
|
|
||||||
Fixes: #6875
|
|
||||||
Signed-off-by: Christian Heimes <christian@python.org>
|
|
||||||
|
|
||||||
* Fix flake
|
|
||||||
---
|
|
||||||
src/cryptography/hazmat/backends/openssl/backend.py | 13 ++++++-------
|
|
||||||
tests/hazmat/primitives/utils.py | 4 ++++
|
|
||||||
2 files changed, 10 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
|
|
||||||
index 736452392..f38269e26 100644
|
|
||||||
--- a/src/cryptography/hazmat/backends/openssl/backend.py
|
|
||||||
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
|
|
||||||
@@ -134,7 +134,9 @@ class Backend(BackendInterface):
|
|
||||||
b"aes-192-gcm",
|
|
||||||
b"aes-256-gcm",
|
|
||||||
}
|
|
||||||
- _fips_ciphers = (AES, TripleDES)
|
|
||||||
+ # TripleDES encryption is disallowed/deprecated throughout 2023 in
|
|
||||||
+ # FIPS 140-3. To keep it simple we denylist any use of TripleDES (TDEA).
|
|
||||||
+ _fips_ciphers = (AES,)
|
|
||||||
# Sometimes SHA1 is still permissible. That logic is contained
|
|
||||||
# within the various *_supported methods.
|
|
||||||
_fips_hashes = (
|
|
||||||
@@ -323,12 +325,9 @@ class Backend(BackendInterface):
|
|
||||||
|
|
||||||
def cipher_supported(self, cipher, mode):
|
|
||||||
if self._fips_enabled:
|
|
||||||
- # FIPS mode requires AES or TripleDES, but only CBC/ECB allowed
|
|
||||||
- # in TripleDES mode.
|
|
||||||
- if not isinstance(cipher, self._fips_ciphers) or (
|
|
||||||
- isinstance(cipher, TripleDES)
|
|
||||||
- and not isinstance(mode, (CBC, ECB))
|
|
||||||
- ):
|
|
||||||
+ # FIPS mode requires AES. TripleDES is disallowed/deprecated in
|
|
||||||
+ # FIPS 140-3.
|
|
||||||
+ if not isinstance(cipher, self._fips_ciphers):
|
|
||||||
return False
|
|
||||||
|
|
||||||
try:
|
|
||||||
diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py
|
|
||||||
index 93f117828..a367343ca 100644
|
|
||||||
--- a/tests/hazmat/primitives/utils.py
|
|
||||||
+++ b/tests/hazmat/primitives/utils.py
|
|
||||||
@@ -469,6 +469,10 @@ def _kbkdf_cmac_counter_mode_test(backend, prf, ctr_loc, params):
|
|
||||||
algorithm = supported_cipher_algorithms.get(prf)
|
|
||||||
assert algorithm is not None
|
|
||||||
|
|
||||||
+ # TripleDES is disallowed in FIPS mode.
|
|
||||||
+ if backend._fips_enabled and algorithm is algorithms.TripleDES:
|
|
||||||
+ pytest.skip("TripleDES is not supported in FIPS mode.")
|
|
||||||
+
|
|
||||||
ctrkdf = KBKDFCMAC(
|
|
||||||
algorithm,
|
|
||||||
Mode.CounterMode,
|
|
||||||
--
|
|
||||||
2.35.1
|
|
||||||
|
|
@ -0,0 +1,254 @@
|
|||||||
|
From e3e043ab363387033ddfdcaf3c15d8cf8dda17ed Mon Sep 17 00:00:00 2001
|
||||||
|
From: Christian Heimes <cheimes@redhat.com>
|
||||||
|
Date: Tue, 27 Oct 2020 16:42:15 +0100
|
||||||
|
Subject: [PATCH 1] Re-add deprecated and removed features
|
||||||
|
|
||||||
|
* encode_rfc6979_signature()
|
||||||
|
* decode_rfc6979_signature()
|
||||||
|
* Certificate.serial property
|
||||||
|
* MACContext
|
||||||
|
* osrandom engine is disabled
|
||||||
|
|
||||||
|
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
||||||
|
---
|
||||||
|
.../hazmat/backends/openssl/cmac.py | 3 +-
|
||||||
|
.../hazmat/backends/openssl/hmac.py | 3 +-
|
||||||
|
.../hazmat/backends/openssl/x509.py | 4 ++
|
||||||
|
.../hazmat/primitives/asymmetric/utils.py | 8 ++++
|
||||||
|
src/cryptography/hazmat/primitives/cmac.py | 3 +-
|
||||||
|
src/cryptography/hazmat/primitives/hmac.py | 3 +-
|
||||||
|
src/cryptography/hazmat/primitives/mac.py | 37 +++++++++++++++++++
|
||||||
|
src/cryptography/x509/extensions.py | 6 ++-
|
||||||
|
tests/hazmat/backends/test_openssl.py | 3 ++
|
||||||
|
tests/hazmat/primitives/test_asym_utils.py | 9 +++++
|
||||||
|
tests/x509/test_x509.py | 1 +
|
||||||
|
tests/x509/test_x509_ext.py | 5 +++
|
||||||
|
12 files changed, 80 insertions(+), 5 deletions(-)
|
||||||
|
create mode 100644 src/cryptography/hazmat/primitives/mac.py
|
||||||
|
|
||||||
|
diff --git a/src/cryptography/hazmat/backends/openssl/cmac.py b/src/cryptography/hazmat/backends/openssl/cmac.py
|
||||||
|
index 195fc230f..5281f634d 100644
|
||||||
|
--- a/src/cryptography/hazmat/backends/openssl/cmac.py
|
||||||
|
+++ b/src/cryptography/hazmat/backends/openssl/cmac.py
|
||||||
|
@@ -11,10 +11,11 @@ from cryptography.exceptions import (
|
||||||
|
UnsupportedAlgorithm,
|
||||||
|
_Reasons,
|
||||||
|
)
|
||||||
|
-from cryptography.hazmat.primitives import constant_time
|
||||||
|
+from cryptography.hazmat.primitives import constant_time, mac
|
||||||
|
from cryptography.hazmat.primitives.ciphers.modes import CBC
|
||||||
|
|
||||||
|
|
||||||
|
+@utils.register_interface(mac.MACContext)
|
||||||
|
class _CMACContext(object):
|
||||||
|
def __init__(self, backend, algorithm, ctx=None):
|
||||||
|
if not backend.cmac_algorithm_supported(algorithm):
|
||||||
|
diff --git a/src/cryptography/hazmat/backends/openssl/hmac.py b/src/cryptography/hazmat/backends/openssl/hmac.py
|
||||||
|
index 5024223b2..11c850e10 100644
|
||||||
|
--- a/src/cryptography/hazmat/backends/openssl/hmac.py
|
||||||
|
+++ b/src/cryptography/hazmat/backends/openssl/hmac.py
|
||||||
|
@@ -11,9 +11,10 @@ from cryptography.exceptions import (
|
||||||
|
UnsupportedAlgorithm,
|
||||||
|
_Reasons,
|
||||||
|
)
|
||||||
|
-from cryptography.hazmat.primitives import constant_time, hashes
|
||||||
|
+from cryptography.hazmat.primitives import constant_time, hashes, mac
|
||||||
|
|
||||||
|
|
||||||
|
+@utils.register_interface(mac.MACContext)
|
||||||
|
@utils.register_interface(hashes.HashContext)
|
||||||
|
class _HMACContext(object):
|
||||||
|
def __init__(self, backend, key, algorithm, ctx=None):
|
||||||
|
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
|
||||||
|
index 4d0dac764..c9074f59e 100644
|
||||||
|
--- a/src/cryptography/hazmat/backends/openssl/x509.py
|
||||||
|
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
|
||||||
|
@@ -73,6 +73,10 @@ class _Certificate(object):
|
||||||
|
self._backend.openssl_assert(asn1_int != self._backend._ffi.NULL)
|
||||||
|
return _asn1_integer_to_int(self._backend, asn1_int)
|
||||||
|
|
||||||
|
+ @property
|
||||||
|
+ def serial(self):
|
||||||
|
+ return self.serial_number
|
||||||
|
+
|
||||||
|
def public_key(self):
|
||||||
|
pkey = self._backend._lib.X509_get_pubkey(self._x509)
|
||||||
|
if pkey == self._backend._ffi.NULL:
|
||||||
|
diff --git a/src/cryptography/hazmat/primitives/asymmetric/utils.py b/src/cryptography/hazmat/primitives/asymmetric/utils.py
|
||||||
|
index 5f9b67786..886d7565b 100644
|
||||||
|
--- a/src/cryptography/hazmat/primitives/asymmetric/utils.py
|
||||||
|
+++ b/src/cryptography/hazmat/primitives/asymmetric/utils.py
|
||||||
|
@@ -39,3 +39,11 @@ class Prehashed(object):
|
||||||
|
self._digest_size = algorithm.digest_size
|
||||||
|
|
||||||
|
digest_size = utils.read_only_property("_digest_size")
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+def decode_rfc6979_signature(signature):
|
||||||
|
+ return decode_dss_signature(signature)
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+def encode_rfc6979_signature(r, s):
|
||||||
|
+ return encode_dss_signature(r, s)
|
||||||
|
diff --git a/src/cryptography/hazmat/primitives/cmac.py b/src/cryptography/hazmat/primitives/cmac.py
|
||||||
|
index bf962c906..7f37f13cc 100644
|
||||||
|
--- a/src/cryptography/hazmat/primitives/cmac.py
|
||||||
|
+++ b/src/cryptography/hazmat/primitives/cmac.py
|
||||||
|
@@ -12,9 +12,10 @@ from cryptography.exceptions import (
|
||||||
|
)
|
||||||
|
from cryptography.hazmat.backends import _get_backend
|
||||||
|
from cryptography.hazmat.backends.interfaces import CMACBackend
|
||||||
|
-from cryptography.hazmat.primitives import ciphers
|
||||||
|
+from cryptography.hazmat.primitives import ciphers, mac
|
||||||
|
|
||||||
|
|
||||||
|
+@utils.register_interface(mac.MACContext)
|
||||||
|
class CMAC(object):
|
||||||
|
def __init__(self, algorithm, backend=None, ctx=None):
|
||||||
|
backend = _get_backend(backend)
|
||||||
|
diff --git a/src/cryptography/hazmat/primitives/hmac.py b/src/cryptography/hazmat/primitives/hmac.py
|
||||||
|
index 8c421dc68..6f03a1071 100644
|
||||||
|
--- a/src/cryptography/hazmat/primitives/hmac.py
|
||||||
|
+++ b/src/cryptography/hazmat/primitives/hmac.py
|
||||||
|
@@ -12,9 +12,10 @@ from cryptography.exceptions import (
|
||||||
|
)
|
||||||
|
from cryptography.hazmat.backends import _get_backend
|
||||||
|
from cryptography.hazmat.backends.interfaces import HMACBackend
|
||||||
|
-from cryptography.hazmat.primitives import hashes
|
||||||
|
+from cryptography.hazmat.primitives import hashes, mac
|
||||||
|
|
||||||
|
|
||||||
|
+@utils.register_interface(mac.MACContext)
|
||||||
|
@utils.register_interface(hashes.HashContext)
|
||||||
|
class HMAC(object):
|
||||||
|
def __init__(self, key, algorithm, backend=None, ctx=None):
|
||||||
|
diff --git a/src/cryptography/hazmat/primitives/mac.py b/src/cryptography/hazmat/primitives/mac.py
|
||||||
|
new file mode 100644
|
||||||
|
index 000000000..4c95190ba
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/src/cryptography/hazmat/primitives/mac.py
|
||||||
|
@@ -0,0 +1,37 @@
|
||||||
|
+# This file is dual licensed under the terms of the Apache License, Version
|
||||||
|
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
|
||||||
|
+# for complete details.
|
||||||
|
+
|
||||||
|
+from __future__ import absolute_import, division, print_function
|
||||||
|
+
|
||||||
|
+import abc
|
||||||
|
+
|
||||||
|
+import six
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+@six.add_metaclass(abc.ABCMeta)
|
||||||
|
+class MACContext(object):
|
||||||
|
+ @abc.abstractmethod
|
||||||
|
+ def update(self, data):
|
||||||
|
+ """
|
||||||
|
+ Processes the provided bytes.
|
||||||
|
+ """
|
||||||
|
+
|
||||||
|
+ @abc.abstractmethod
|
||||||
|
+ def finalize(self):
|
||||||
|
+ """
|
||||||
|
+ Returns the message authentication code as bytes.
|
||||||
|
+ """
|
||||||
|
+
|
||||||
|
+ @abc.abstractmethod
|
||||||
|
+ def copy(self):
|
||||||
|
+ """
|
||||||
|
+ Return a MACContext that is a copy of the current context.
|
||||||
|
+ """
|
||||||
|
+
|
||||||
|
+ @abc.abstractmethod
|
||||||
|
+ def verify(self, signature):
|
||||||
|
+ """
|
||||||
|
+ Checks if the generated message authentication code matches the
|
||||||
|
+ signature.
|
||||||
|
+ """
|
||||||
|
diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
|
||||||
|
index 130ba69b8..ddbccdf3b 100644
|
||||||
|
--- a/src/cryptography/x509/extensions.py
|
||||||
|
+++ b/src/cryptography/x509/extensions.py
|
||||||
|
@@ -218,8 +218,12 @@ class AuthorityKeyIdentifier(object):
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def from_issuer_subject_key_identifier(cls, ski):
|
||||||
|
+ if isinstance(ski, SubjectKeyIdentifier):
|
||||||
|
+ digest = ski.digest
|
||||||
|
+ else:
|
||||||
|
+ digest = ski.value.digest
|
||||||
|
return cls(
|
||||||
|
- key_identifier=ski.digest,
|
||||||
|
+ key_identifier=digest,
|
||||||
|
authority_cert_issuer=None,
|
||||||
|
authority_cert_serial_number=None,
|
||||||
|
)
|
||||||
|
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
|
||||||
|
index 2f7e7bebf..73c17d84f 100644
|
||||||
|
--- a/tests/hazmat/backends/test_openssl.py
|
||||||
|
+++ b/tests/hazmat/backends/test_openssl.py
|
||||||
|
@@ -301,6 +301,9 @@ class TestOpenSSLRandomEngine(object):
|
||||||
|
res = backend._lib.ENGINE_free(e)
|
||||||
|
assert res == 1
|
||||||
|
|
||||||
|
+ def test_rhel8_no_osrandom(self):
|
||||||
|
+ pytest.fail("osrandom engine is not FIPS compliant, see RHBZ#1762667")
|
||||||
|
+
|
||||||
|
|
||||||
|
@pytest.mark.skipif(
|
||||||
|
backend._lib.CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE,
|
||||||
|
diff --git a/tests/hazmat/primitives/test_asym_utils.py b/tests/hazmat/primitives/test_asym_utils.py
|
||||||
|
index 70bff012f..334b459b5 100644
|
||||||
|
--- a/tests/hazmat/primitives/test_asym_utils.py
|
||||||
|
+++ b/tests/hazmat/primitives/test_asym_utils.py
|
||||||
|
@@ -10,6 +10,8 @@ from cryptography.hazmat.primitives.asymmetric.utils import (
|
||||||
|
Prehashed,
|
||||||
|
decode_dss_signature,
|
||||||
|
encode_dss_signature,
|
||||||
|
+ encode_rfc6979_signature,
|
||||||
|
+ decode_rfc6979_signature
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
@@ -75,3 +77,10 @@ def test_decode_dss_invalid_asn1():
|
||||||
|
def test_pass_invalid_prehashed_arg():
|
||||||
|
with pytest.raises(TypeError):
|
||||||
|
Prehashed(object())
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+def test_deprecated_rfc6979_signature():
|
||||||
|
+ sig = encode_rfc6979_signature(1, 1)
|
||||||
|
+ assert sig == b"0\x06\x02\x01\x01\x02\x01\x01"
|
||||||
|
+ decoded = decode_rfc6979_signature(sig)
|
||||||
|
+ assert decoded == (1, 1)
|
||||||
|
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
|
||||||
|
index 11c80816c..e5bdf17d4 100644
|
||||||
|
--- a/tests/x509/test_x509.py
|
||||||
|
+++ b/tests/x509/test_x509.py
|
||||||
|
@@ -685,6 +685,7 @@ class TestRSACertificate(object):
|
||||||
|
)
|
||||||
|
assert isinstance(cert, x509.Certificate)
|
||||||
|
assert cert.serial_number == 11559813051657483483
|
||||||
|
+ assert cert.serial == cert.serial_number
|
||||||
|
fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
|
||||||
|
assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
|
||||||
|
assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
|
||||||
|
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
|
||||||
|
index 2cd216fb6..ac2b2c03d 100644
|
||||||
|
--- a/tests/x509/test_x509_ext.py
|
||||||
|
+++ b/tests/x509/test_x509_ext.py
|
||||||
|
@@ -3442,6 +3442,11 @@ class TestAuthorityKeyIdentifierExtension(object):
|
||||||
|
)
|
||||||
|
assert ext.value == aki
|
||||||
|
|
||||||
|
+ aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
|
||||||
|
+ ski_ext
|
||||||
|
+ )
|
||||||
|
+ assert ext.value == aki
|
||||||
|
+
|
||||||
|
|
||||||
|
class TestNameConstraints(object):
|
||||||
|
def test_ipaddress_wrong_type(self):
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
@ -1,319 +0,0 @@
|
|||||||
From ff80e3a27408657fef599f44ae1a9a875e005685 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Christian Heimes <christian@python.org>
|
|
||||||
Date: Wed, 2 Mar 2022 21:47:04 +0200
|
|
||||||
Subject: [PATCH 2/5] Disable DSA tests in FIPS mode (#6916)
|
|
||||||
|
|
||||||
* Disable DSA tests in FIPS mode
|
|
||||||
|
|
||||||
See: #6880
|
|
||||||
|
|
||||||
* ignore coverage for nested FIPS check
|
|
||||||
|
|
||||||
* Remove if branch
|
|
||||||
|
|
||||||
* Remove skip modulus branch
|
|
||||||
|
|
||||||
* Keep tests that don't use the backend
|
|
||||||
---
|
|
||||||
.../hazmat/backends/openssl/backend.py | 7 ++-
|
|
||||||
tests/hazmat/primitives/test_dsa.py | 46 +++++++++++--------
|
|
||||||
tests/hazmat/primitives/test_serialization.py | 24 ++++++++++
|
|
||||||
tests/x509/test_x509.py | 43 ++++++++++++++---
|
|
||||||
tests/x509/test_x509_ext.py | 4 ++
|
|
||||||
5 files changed, 98 insertions(+), 26 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
|
|
||||||
index f38269e26..a6d0e8872 100644
|
|
||||||
--- a/src/cryptography/hazmat/backends/openssl/backend.py
|
|
||||||
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
|
|
||||||
@@ -804,7 +804,12 @@ class Backend(BackendInterface):
|
|
||||||
self.openssl_assert(res == 1)
|
|
||||||
return evp_pkey
|
|
||||||
|
|
||||||
- def dsa_hash_supported(self, algorithm):
|
|
||||||
+ def dsa_supported(self) -> bool:
|
|
||||||
+ return not self._fips_enabled
|
|
||||||
+
|
|
||||||
+ def dsa_hash_supported(self, algorithm: hashes.HashAlgorithm) -> bool:
|
|
||||||
+ if not self.dsa_supported():
|
|
||||||
+ return False
|
|
||||||
return self.hash_supported(algorithm)
|
|
||||||
|
|
||||||
def dsa_parameters_supported(self, p, q, g):
|
|
||||||
diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py
|
|
||||||
index 6028b600d..60681683d 100644
|
|
||||||
--- a/tests/hazmat/primitives/test_dsa.py
|
|
||||||
+++ b/tests/hazmat/primitives/test_dsa.py
|
|
||||||
@@ -59,7 +59,12 @@ def test_skip_if_dsa_not_supported(backend):
|
|
||||||
_skip_if_dsa_not_supported(backend, DummyHashAlgorithm(), 1, 1, 1)
|
|
||||||
|
|
||||||
|
|
||||||
-class TestDSA(object):
|
|
||||||
+
|
|
||||||
+@pytest.mark.supported(
|
|
||||||
+ only_if=lambda backend: backend.dsa_supported(),
|
|
||||||
+ skip_message="Does not support DSA.",
|
|
||||||
+)
|
|
||||||
+class TestDSA:
|
|
||||||
def test_generate_dsa_parameters(self, backend):
|
|
||||||
parameters = dsa.generate_parameters(2048, backend)
|
|
||||||
assert isinstance(parameters, dsa.DSAParameters)
|
|
||||||
@@ -76,11 +81,6 @@ class TestDSA(object):
|
|
||||||
),
|
|
||||||
)
|
|
||||||
def test_generate_dsa_keys(self, vector, backend):
|
|
||||||
- if (
|
|
||||||
- backend._fips_enabled
|
|
||||||
- and vector["p"] < backend._fips_dsa_min_modulus
|
|
||||||
- ):
|
|
||||||
- pytest.skip("Small modulus blocked in FIPS mode")
|
|
||||||
parameters = dsa.DSAParameterNumbers(
|
|
||||||
p=vector["p"], q=vector["q"], g=vector["g"]
|
|
||||||
).parameters(backend)
|
|
||||||
@@ -389,7 +389,12 @@ class TestDSA(object):
|
|
||||||
).private_key(backend)
|
|
||||||
|
|
||||||
|
|
||||||
-class TestDSAVerification(object):
|
|
||||||
+
|
|
||||||
+@pytest.mark.supported(
|
|
||||||
+ only_if=lambda backend: backend.dsa_supported(),
|
|
||||||
+ skip_message="Does not support DSA.",
|
|
||||||
+)
|
|
||||||
+class TestDSAVerification:
|
|
||||||
def test_dsa_verification(self, backend, subtests):
|
|
||||||
vectors = load_vectors_from_file(
|
|
||||||
os.path.join("asymmetric", "DSA", "FIPS_186-3", "SigVer.rsp"),
|
|
||||||
@@ -481,17 +486,12 @@ class TestDSAVerification(object):
|
|
||||||
Prehashed(hashes.SHA1()) # type: ignore[arg-type]
|
|
||||||
)
|
|
||||||
|
|
||||||
- def test_prehashed_unsupported_in_verifier_ctx(self, backend):
|
|
||||||
- public_key = DSA_KEY_1024.private_key(backend).public_key()
|
|
||||||
- with pytest.raises(TypeError), pytest.warns(
|
|
||||||
- CryptographyDeprecationWarning
|
|
||||||
- ):
|
|
||||||
- public_key.verifier(
|
|
||||||
- b"0" * 64, Prehashed(hashes.SHA1()) # type: ignore[arg-type]
|
|
||||||
- )
|
|
||||||
-
|
|
||||||
|
|
||||||
-class TestDSASignature(object):
|
|
||||||
+@pytest.mark.supported(
|
|
||||||
+ only_if=lambda backend: backend.dsa_supported(),
|
|
||||||
+ skip_message="Does not support DSA.",
|
|
||||||
+)
|
|
||||||
+class TestDSASignature:
|
|
||||||
def test_dsa_signing(self, backend, subtests):
|
|
||||||
vectors = load_vectors_from_file(
|
|
||||||
os.path.join("asymmetric", "DSA", "FIPS_186-3", "SigGen.txt"),
|
|
||||||
@@ -695,7 +695,11 @@ class TestDSANumberEquality(object):
|
|
||||||
assert priv != object()
|
|
||||||
|
|
||||||
|
|
||||||
-class TestDSASerialization(object):
|
|
||||||
+@pytest.mark.supported(
|
|
||||||
+ only_if=lambda backend: backend.dsa_supported(),
|
|
||||||
+ skip_message="Does not support DSA.",
|
|
||||||
+)
|
|
||||||
+class TestDSASerialization:
|
|
||||||
@pytest.mark.parametrize(
|
|
||||||
("fmt", "password"),
|
|
||||||
itertools.product(
|
|
||||||
@@ -916,7 +920,11 @@ class TestDSASerialization(object):
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
-class TestDSAPEMPublicKeySerialization(object):
|
|
||||||
+@pytest.mark.supported(
|
|
||||||
+ only_if=lambda backend: backend.dsa_supported(),
|
|
||||||
+ skip_message="Does not support DSA.",
|
|
||||||
+)
|
|
||||||
+class TestDSAPEMPublicKeySerialization:
|
|
||||||
@pytest.mark.parametrize(
|
|
||||||
("key_path", "loader_func", "encoding"),
|
|
||||||
[
|
|
||||||
diff --git a/tests/hazmat/primitives/test_serialization.py b/tests/hazmat/primitives/test_serialization.py
|
|
||||||
index fb6b753de..5a2b9fba5 100644
|
|
||||||
--- a/tests/hazmat/primitives/test_serialization.py
|
|
||||||
+++ b/tests/hazmat/primitives/test_serialization.py
|
|
||||||
@@ -141,6 +141,10 @@ class TestDERSerialization(object):
|
|
||||||
assert isinstance(key, rsa.RSAPrivateKey)
|
|
||||||
_check_rsa_private_numbers(key.private_numbers())
|
|
||||||
|
|
||||||
+ @pytest.mark.supported(
|
|
||||||
+ only_if=lambda backend: backend.dsa_supported(),
|
|
||||||
+ skip_message="Does not support DSA.",
|
|
||||||
+ )
|
|
||||||
@pytest.mark.parametrize(
|
|
||||||
("key_path", "password"),
|
|
||||||
[
|
|
||||||
@@ -341,6 +345,10 @@ class TestDERSerialization(object):
|
|
||||||
with pytest.raises(ValueError):
|
|
||||||
load_der_public_key(b"invalid data", backend)
|
|
||||||
|
|
||||||
+ @pytest.mark.supported(
|
|
||||||
+ only_if=lambda backend: backend.dsa_supported(),
|
|
||||||
+ skip_message="Does not support DSA.",
|
|
||||||
+ )
|
|
||||||
@pytest.mark.parametrize(
|
|
||||||
"key_file",
|
|
||||||
[
|
|
||||||
@@ -422,6 +430,10 @@ class TestPEMSerialization(object):
|
|
||||||
assert isinstance(key, rsa.RSAPrivateKey)
|
|
||||||
_check_rsa_private_numbers(key.private_numbers())
|
|
||||||
|
|
||||||
+ @pytest.mark.supported(
|
|
||||||
+ only_if=lambda backend: backend.dsa_supported(),
|
|
||||||
+ skip_message="Does not support DSA.",
|
|
||||||
+ )
|
|
||||||
@pytest.mark.parametrize(
|
|
||||||
("key_path", "password"),
|
|
||||||
[
|
|
||||||
@@ -490,6 +502,10 @@ class TestPEMSerialization(object):
|
|
||||||
numbers = key.public_numbers()
|
|
||||||
assert numbers.e == 65537
|
|
||||||
|
|
||||||
+ @pytest.mark.supported(
|
|
||||||
+ only_if=lambda backend: backend.dsa_supported(),
|
|
||||||
+ skip_message="Does not support DSA.",
|
|
||||||
+ )
|
|
||||||
@pytest.mark.parametrize(
|
|
||||||
("key_file"),
|
|
||||||
[
|
|
||||||
@@ -894,6 +910,10 @@ class TestPEMSerialization(object):
|
|
||||||
16,
|
|
||||||
)
|
|
||||||
|
|
||||||
+ @pytest.mark.supported(
|
|
||||||
+ only_if=lambda backend: backend.dsa_supported(),
|
|
||||||
+ skip_message="Does not support DSA.",
|
|
||||||
+ )
|
|
||||||
def test_load_pem_dsa_private_key(self, backend):
|
|
||||||
key = load_vectors_from_file(
|
|
||||||
os.path.join("asymmetric", "PKCS8", "unenc-dsa-pkcs8.pem"),
|
|
||||||
@@ -2313,6 +2333,10 @@ class TestOpenSSHSerialization(object):
|
|
||||||
DummyKeySerializationEncryption(),
|
|
||||||
)
|
|
||||||
|
|
||||||
+ @pytest.mark.supported(
|
|
||||||
+ only_if=lambda backend: backend.dsa_supported(),
|
|
||||||
+ skip_message="Does not support DSA.",
|
|
||||||
+ )
|
|
||||||
@pytest.mark.parametrize(
|
|
||||||
("key_path", "supported"),
|
|
||||||
[
|
|
||||||
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
|
|
||||||
index 23e97a768..7a7a52977 100644
|
|
||||||
--- a/tests/x509/test_x509.py
|
|
||||||
+++ b/tests/x509/test_x509.py
|
|
||||||
@@ -2561,7 +2561,21 @@ class TestCertificateBuilder(object):
|
|
||||||
only_if=lambda backend: backend.hash_supported(hashes.MD5()),
|
|
||||||
skip_message="Requires OpenSSL with MD5 support",
|
|
||||||
)
|
|
||||||
- def test_sign_dsa_with_md5(self, backend):
|
|
||||||
+ @pytest.mark.supported(
|
|
||||||
+ only_if=lambda backend: backend.dsa_supported(),
|
|
||||||
+ skip_message="Does not support DSA.",
|
|
||||||
+ )
|
|
||||||
+ @pytest.mark.parametrize(
|
|
||||||
+ "hash_algorithm",
|
|
||||||
+ [
|
|
||||||
+ hashes.MD5(),
|
|
||||||
+ hashes.SHA3_224(),
|
|
||||||
+ hashes.SHA3_256(),
|
|
||||||
+ hashes.SHA3_384(),
|
|
||||||
+ hashes.SHA3_512(),
|
|
||||||
+ ],
|
|
||||||
+ )
|
|
||||||
+ def test_sign_dsa_with_unsupported_hash(self, hash_algorithm, backend):
|
|
||||||
private_key = DSA_KEY_2048.private_key(backend)
|
|
||||||
builder = x509.CertificateBuilder()
|
|
||||||
builder = (
|
|
||||||
@@ -2602,6 +2616,10 @@ class TestCertificateBuilder(object):
|
|
||||||
with pytest.raises(ValueError):
|
|
||||||
builder.sign(private_key, hashes.MD5(), backend)
|
|
||||||
|
|
||||||
+ @pytest.mark.supported(
|
|
||||||
+ only_if=lambda backend: backend.dsa_supported(),
|
|
||||||
+ skip_message="Does not support DSA.",
|
|
||||||
+ )
|
|
||||||
@pytest.mark.parametrize(
|
|
||||||
("hashalg", "hashalg_oid"),
|
|
||||||
[
|
|
||||||
@@ -2615,9 +2633,6 @@ class TestCertificateBuilder(object):
|
|
||||||
def test_build_cert_with_dsa_private_key(
|
|
||||||
self, hashalg, hashalg_oid, backend
|
|
||||||
):
|
|
||||||
- if backend._fips_enabled and hashalg is hashes.SHA1:
|
|
||||||
- pytest.skip("SHA1 not supported in FIPS mode")
|
|
||||||
-
|
|
||||||
issuer_private_key = DSA_KEY_2048.private_key(backend)
|
|
||||||
subject_private_key = DSA_KEY_2048.private_key(backend)
|
|
||||||
|
|
||||||
@@ -3646,6 +3661,10 @@ class TestCertificateSigningRequestBuilder(object):
|
|
||||||
only_if=lambda backend: backend.hash_supported(hashes.MD5()),
|
|
||||||
skip_message="Requires OpenSSL with MD5 support",
|
|
||||||
)
|
|
||||||
+ @pytest.mark.supported(
|
|
||||||
+ only_if=lambda backend: backend.dsa_supported(),
|
|
||||||
+ skip_message="Does not support DSA.",
|
|
||||||
+ )
|
|
||||||
def test_sign_dsa_with_md5(self, backend):
|
|
||||||
private_key = DSA_KEY_2048.private_key(backend)
|
|
||||||
builder = x509.CertificateSigningRequestBuilder().subject_name(
|
|
||||||
@@ -3969,6 +3988,10 @@ class TestCertificateSigningRequestBuilder(object):
|
|
||||||
assert basic_constraints.value.ca is True
|
|
||||||
assert basic_constraints.value.path_length == 2
|
|
||||||
|
|
||||||
+ @pytest.mark.supported(
|
|
||||||
+ only_if=lambda backend: backend.dsa_supported(),
|
|
||||||
+ skip_message="Does not support DSA.",
|
|
||||||
+ )
|
|
||||||
def test_build_ca_request_with_dsa(self, backend):
|
|
||||||
private_key = DSA_KEY_2048.private_key(backend)
|
|
||||||
|
|
||||||
@@ -4319,7 +4342,11 @@ class TestCertificateSigningRequestBuilder(object):
|
|
||||||
builder.sign(private_key, hashes.SHA512(), backend)
|
|
||||||
|
|
||||||
|
|
||||||
-class TestDSACertificate(object):
|
|
||||||
+@pytest.mark.supported(
|
|
||||||
+ only_if=lambda backend: backend.dsa_supported(),
|
|
||||||
+ skip_message="Does not support DSA.",
|
|
||||||
+)
|
|
||||||
+class TestDSACertificate:
|
|
||||||
def test_load_dsa_cert(self, backend):
|
|
||||||
cert = _load_cert(
|
|
||||||
os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
|
|
||||||
@@ -4444,7 +4471,11 @@ class TestDSACertificate(object):
|
|
||||||
)
|
|
||||||
|
|
||||||
|
|
||||||
-class TestDSACertificateRequest(object):
|
|
||||||
+@pytest.mark.supported(
|
|
||||||
+ only_if=lambda backend: backend.dsa_supported(),
|
|
||||||
+ skip_message="Does not support DSA.",
|
|
||||||
+)
|
|
||||||
+class TestDSACertificateRequest:
|
|
||||||
@pytest.mark.parametrize(
|
|
||||||
("path", "loader_func"),
|
|
||||||
[
|
|
||||||
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
|
|
||||||
index 4173dece6..66ac43d95 100644
|
|
||||||
--- a/tests/x509/test_x509_ext.py
|
|
||||||
+++ b/tests/x509/test_x509_ext.py
|
|
||||||
@@ -1712,6 +1712,10 @@ class TestSubjectKeyIdentifierExtension(object):
|
|
||||||
ski = x509.SubjectKeyIdentifier.from_public_key(cert.public_key())
|
|
||||||
assert ext.value == ski
|
|
||||||
|
|
||||||
+ @pytest.mark.supported(
|
|
||||||
+ only_if=lambda backend: backend.dsa_supported(),
|
|
||||||
+ skip_message="Does not support DSA.",
|
|
||||||
+ )
|
|
||||||
def test_from_dsa_public_key(self, backend):
|
|
||||||
cert = _load_cert(
|
|
||||||
os.path.join("x509", "custom", "dsa_selfsigned_ca.pem"),
|
|
||||||
--
|
|
||||||
2.35.1
|
|
||||||
|
|
@ -0,0 +1,86 @@
|
|||||||
|
From c1c1b14d359b1360e7d14a7c0687bef9ed6fc17c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Christian Heimes <cheimes@redhat.com>
|
||||||
|
Date: Wed, 28 Oct 2020 14:27:55 +0100
|
||||||
|
Subject: [PATCH 2] Support pytest 3.4.2
|
||||||
|
|
||||||
|
---
|
||||||
|
setup.py | 3 ++-
|
||||||
|
tests/conftest.py | 4 ++--
|
||||||
|
tests/test_utils.py | 4 ++--
|
||||||
|
tests/utils.py | 2 +-
|
||||||
|
4 files changed, 7 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/setup.py b/setup.py
|
||||||
|
index 82800a96e..5678db004 100644
|
||||||
|
--- a/setup.py
|
||||||
|
+++ b/setup.py
|
||||||
|
@@ -93,7 +93,8 @@ setup(
|
||||||
|
extras_require={
|
||||||
|
":python_version < '3'": ["enum34", "ipaddress"],
|
||||||
|
"test": [
|
||||||
|
- "pytest>=3.6.0,!=3.9.0,!=3.9.1,!=3.9.2",
|
||||||
|
+ "pytest>=3.4.2,<3.6",
|
||||||
|
+ "attrs>=17.4.0,<18.0",
|
||||||
|
"pretend",
|
||||||
|
"iso8601",
|
||||||
|
"pytz",
|
||||||
|
diff --git a/tests/conftest.py b/tests/conftest.py
|
||||||
|
index 4e3124fa7..53c194830 100644
|
||||||
|
--- a/tests/conftest.py
|
||||||
|
+++ b/tests/conftest.py
|
||||||
|
@@ -42,7 +42,7 @@ def pytest_generate_tests(metafunc):
|
||||||
|
|
||||||
|
def pytest_runtest_setup(item):
|
||||||
|
if openssl_backend._fips_enabled:
|
||||||
|
- for marker in item.iter_markers(name="skip_fips"):
|
||||||
|
+ for marker in item.get_marker(name="skip_fips") or []:
|
||||||
|
pytest.skip(marker.kwargs["reason"])
|
||||||
|
|
||||||
|
|
||||||
|
@@ -50,7 +50,7 @@ def pytest_runtest_setup(item):
|
||||||
|
def backend(request):
|
||||||
|
required_interfaces = [
|
||||||
|
mark.kwargs["interface"]
|
||||||
|
- for mark in request.node.iter_markers("requires_backend_interface")
|
||||||
|
+ for mark in request.node.get_marker("requires_backend_interface") or []
|
||||||
|
]
|
||||||
|
if not all(
|
||||||
|
isinstance(openssl_backend, iface) for iface in required_interfaces
|
||||||
|
diff --git a/tests/test_utils.py b/tests/test_utils.py
|
||||||
|
index d6afa3b34..e0a1be4f5 100644
|
||||||
|
--- a/tests/test_utils.py
|
||||||
|
+++ b/tests/test_utils.py
|
||||||
|
@@ -43,7 +43,7 @@ def test_check_backend_support_skip():
|
||||||
|
supported = pretend.stub(
|
||||||
|
kwargs={"only_if": lambda backend: False, "skip_message": "Nope"}
|
||||||
|
)
|
||||||
|
- node = pretend.stub(iter_markers=lambda x: [supported])
|
||||||
|
+ node = pretend.stub(get_marker=lambda x: [supported])
|
||||||
|
item = pretend.stub(node=node)
|
||||||
|
with pytest.raises(pytest.skip.Exception) as exc_info:
|
||||||
|
check_backend_support(True, item)
|
||||||
|
@@ -54,7 +54,7 @@ def test_check_backend_support_no_skip():
|
||||||
|
supported = pretend.stub(
|
||||||
|
kwargs={"only_if": lambda backend: True, "skip_message": "Nope"}
|
||||||
|
)
|
||||||
|
- node = pretend.stub(iter_markers=lambda x: [supported])
|
||||||
|
+ node = pretend.stub(get_marker=lambda x: [supported])
|
||||||
|
item = pretend.stub(node=node)
|
||||||
|
assert check_backend_support(None, item) is None
|
||||||
|
|
||||||
|
diff --git a/tests/utils.py b/tests/utils.py
|
||||||
|
index 5d98af00e..a08f79c34 100644
|
||||||
|
--- a/tests/utils.py
|
||||||
|
+++ b/tests/utils.py
|
||||||
|
@@ -27,7 +27,7 @@ KeyedHashVector = collections.namedtuple(
|
||||||
|
|
||||||
|
|
||||||
|
def check_backend_support(backend, item):
|
||||||
|
- for mark in item.node.iter_markers("supported"):
|
||||||
|
+ for mark in item.node.get_marker("supported") or []:
|
||||||
|
if not mark.kwargs["only_if"](backend):
|
||||||
|
pytest.skip("{} ({})".format(mark.kwargs["skip_message"], backend))
|
||||||
|
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
@ -0,0 +1,73 @@
|
|||||||
|
From bea141d25bd2bc4eea7527e2d6ec1d85b2b3806d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Christian Heimes <cheimes@redhat.com>
|
||||||
|
Date: Thu, 29 Oct 2020 09:21:06 +0100
|
||||||
|
Subject: [PATCH 3] Skip iso8601 test cases
|
||||||
|
|
||||||
|
---
|
||||||
|
tests/test_fernet.py | 15 ++++++++++++++-
|
||||||
|
1 file changed, 14 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/tests/test_fernet.py b/tests/test_fernet.py
|
||||||
|
index 38409b03e..343f3e4ec 100644
|
||||||
|
--- a/tests/test_fernet.py
|
||||||
|
+++ b/tests/test_fernet.py
|
||||||
|
@@ -10,7 +10,10 @@ import json
|
||||||
|
import os
|
||||||
|
import time
|
||||||
|
|
||||||
|
-import iso8601
|
||||||
|
+try:
|
||||||
|
+ import iso8601
|
||||||
|
+except ImportError:
|
||||||
|
+ iso8601 = None
|
||||||
|
|
||||||
|
import pytest
|
||||||
|
|
||||||
|
@@ -24,6 +27,12 @@ from cryptography.hazmat.primitives.ciphers import algorithms, modes
|
||||||
|
import cryptography_vectors
|
||||||
|
|
||||||
|
|
||||||
|
+skip_iso8601 = pytest.mark.skipif(
|
||||||
|
+ iso8601 is None,
|
||||||
|
+ reason="is8601 is not available"
|
||||||
|
+)
|
||||||
|
+
|
||||||
|
+
|
||||||
|
def json_parametrize(keys, filename):
|
||||||
|
vector_file = cryptography_vectors.open_vector_file(
|
||||||
|
os.path.join("fernet", filename), "r"
|
||||||
|
@@ -49,6 +58,7 @@ def test_default_backend():
|
||||||
|
skip_message="Does not support AES CBC",
|
||||||
|
)
|
||||||
|
class TestFernet(object):
|
||||||
|
+ @skip_iso8601
|
||||||
|
@json_parametrize(
|
||||||
|
("secret", "now", "iv", "src", "token"),
|
||||||
|
"generate.json",
|
||||||
|
@@ -62,6 +72,7 @@ class TestFernet(object):
|
||||||
|
)
|
||||||
|
assert actual_token == token.encode("ascii")
|
||||||
|
|
||||||
|
+ @skip_iso8601
|
||||||
|
@json_parametrize(
|
||||||
|
("secret", "now", "src", "ttl_sec", "token"),
|
||||||
|
"verify.json",
|
||||||
|
@@ -81,6 +92,7 @@ class TestFernet(object):
|
||||||
|
payload = f.decrypt(token.encode("ascii"), ttl=ttl_sec)
|
||||||
|
assert payload == src.encode("ascii")
|
||||||
|
|
||||||
|
+ @skip_iso8601
|
||||||
|
@json_parametrize(("secret", "token", "now", "ttl_sec"), "invalid.json")
|
||||||
|
def test_invalid(self, secret, token, now, ttl_sec, backend, monkeypatch):
|
||||||
|
f = Fernet(secret.encode("ascii"), backend=backend)
|
||||||
|
@@ -117,6 +129,7 @@ class TestFernet(object):
|
||||||
|
with pytest.raises(TypeError):
|
||||||
|
f.decrypt(u"")
|
||||||
|
|
||||||
|
+ @skip_iso8601
|
||||||
|
def test_timestamp_ignored_no_ttl(self, monkeypatch, backend):
|
||||||
|
f = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
|
||||||
|
pt = b"encrypt me"
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
@ -1,26 +0,0 @@
|
|||||||
From 20bafea414bcc08bfcb5b669ecbf9a3438ff7b78 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alex Gaynor <alex.gaynor@gmail.com>
|
|
||||||
Date: Thu, 3 Mar 2022 15:44:02 -0500
|
|
||||||
Subject: [PATCH 3/5] fixes #6927 -- handle negative return values from openssl
|
|
||||||
(#6928)
|
|
||||||
|
|
||||||
---
|
|
||||||
src/cryptography/hazmat/backends/openssl/rsa.py | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
|
|
||||||
index 9bef49d24..dd5d4990b 100644
|
|
||||||
--- a/src/cryptography/hazmat/backends/openssl/rsa.py
|
|
||||||
+++ b/src/cryptography/hazmat/backends/openssl/rsa.py
|
|
||||||
@@ -208,7 +208,7 @@ def _rsa_sig_setup(backend, padding, algorithm, key, init_func):
|
|
||||||
if algorithm is not None:
|
|
||||||
evp_md = backend._evp_md_non_null_from_algorithm(algorithm)
|
|
||||||
res = backend._lib.EVP_PKEY_CTX_set_signature_md(pkey_ctx, evp_md)
|
|
||||||
- if res == 0:
|
|
||||||
+ if res <= 0:
|
|
||||||
backend._consume_errors()
|
|
||||||
raise UnsupportedAlgorithm(
|
|
||||||
"{} is not supported by this backend for RSA signing.".format(
|
|
||||||
--
|
|
||||||
2.35.1
|
|
||||||
|
|
@ -1,24 +0,0 @@
|
|||||||
From 820d9527070ad2c7724dcecf1a35dbac7d68621d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Christian Heimes <christian@python.org>
|
|
||||||
Date: Tue, 1 Mar 2022 16:22:51 +0100
|
|
||||||
Subject: [PATCH 4/5] Disable test_openssl_assert_error_on_stack in FIPS mode
|
|
||||||
|
|
||||||
---
|
|
||||||
tests/hazmat/bindings/test_openssl.py | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
|
|
||||||
index 129928ac0..9839aec4d 100644
|
|
||||||
--- a/tests/hazmat/bindings/test_openssl.py
|
|
||||||
+++ b/tests/hazmat/bindings/test_openssl.py
|
|
||||||
@@ -84,6 +84,7 @@ class TestOpenSSL(object):
|
|
||||||
with pytest.raises(AttributeError):
|
|
||||||
b.lib.TLS_ST_OK
|
|
||||||
|
|
||||||
+ @pytest.mark.skip_fips(reason="FIPS maps to different error codes")
|
|
||||||
def test_openssl_assert_error_on_stack(self):
|
|
||||||
b = Binding()
|
|
||||||
b.lib.ERR_put_error(
|
|
||||||
--
|
|
||||||
2.35.1
|
|
||||||
|
|
@ -0,0 +1,75 @@
|
|||||||
|
From e8ed37e0d24a1cc7482ab816ed5f25243395b2ef Mon Sep 17 00:00:00 2001
|
||||||
|
From: Christian Heimes <cheimes@redhat.com>
|
||||||
|
Date: Mon, 14 Dec 2020 14:13:53 +0100
|
||||||
|
Subject: [PATCH] Revert "remove NPN bindings -- you should be using ALPN!
|
||||||
|
(#4765)"
|
||||||
|
|
||||||
|
This reverts commit 99bf4e4605cbe54bad597da1ebe4cc323909083c.
|
||||||
|
---
|
||||||
|
src/_cffi_src/openssl/ssl.py | 20 +++++++++++++++++++-
|
||||||
|
tests/hazmat/bindings/test_openssl.py | 4 ++++
|
||||||
|
2 files changed, 23 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
|
||||||
|
index c38e309a1..fa854f5dd 100644
|
||||||
|
--- a/src/_cffi_src/openssl/ssl.py
|
||||||
|
+++ b/src/_cffi_src/openssl/ssl.py
|
||||||
|
@@ -138,6 +138,8 @@ static const long SSL3_RANDOM_SIZE;
|
||||||
|
static const long TLS_ST_BEFORE;
|
||||||
|
static const long TLS_ST_OK;
|
||||||
|
|
||||||
|
+static const long OPENSSL_NPN_NEGOTIATED;
|
||||||
|
+
|
||||||
|
typedef ... SSL_METHOD;
|
||||||
|
typedef ... SSL_CTX;
|
||||||
|
|
||||||
|
@@ -401,9 +403,25 @@ SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *);
|
||||||
|
|
||||||
|
long SSL_session_reused(SSL *);
|
||||||
|
|
||||||
|
+void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *,
|
||||||
|
+ int (*)(SSL *,
|
||||||
|
+ const unsigned char **,
|
||||||
|
+ unsigned int *,
|
||||||
|
+ void *),
|
||||||
|
+ void *);
|
||||||
|
+void SSL_CTX_set_next_proto_select_cb(SSL_CTX *,
|
||||||
|
+ int (*)(SSL *,
|
||||||
|
+ unsigned char **,
|
||||||
|
+ unsigned char *,
|
||||||
|
+ const unsigned char *,
|
||||||
|
+ unsigned int,
|
||||||
|
+ void *),
|
||||||
|
+ void *);
|
||||||
|
int SSL_select_next_proto(unsigned char **, unsigned char *,
|
||||||
|
const unsigned char *, unsigned int,
|
||||||
|
const unsigned char *, unsigned int);
|
||||||
|
+void SSL_get0_next_proto_negotiated(const SSL *,
|
||||||
|
+ const unsigned char **, unsigned *);
|
||||||
|
|
||||||
|
int sk_SSL_CIPHER_num(Cryptography_STACK_OF_SSL_CIPHER *);
|
||||||
|
const SSL_CIPHER *sk_SSL_CIPHER_value(Cryptography_STACK_OF_SSL_CIPHER *, int);
|
||||||
|
@@ -601,7 +619,7 @@ static const long Cryptography_HAS_TLSv1_2 = 1;
|
||||||
|
static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1;
|
||||||
|
static const long Cryptography_HAS_SSL_OP_NO_TICKET = 1;
|
||||||
|
static const long Cryptography_HAS_SSL_SET_SSL_CTX = 1;
|
||||||
|
-static const long Cryptography_HAS_NEXTPROTONEG = 0;
|
||||||
|
+static const long Cryptography_HAS_NEXTPROTONEG = 1;
|
||||||
|
static const long Cryptography_HAS_ALPN = 1;
|
||||||
|
|
||||||
|
#if CRYPTOGRAPHY_IS_LIBRESSL
|
||||||
|
diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
|
||||||
|
index ecee34091..aeb12a0dc 100644
|
||||||
|
--- a/tests/hazmat/bindings/test_openssl.py
|
||||||
|
+++ b/tests/hazmat/bindings/test_openssl.py
|
||||||
|
@@ -137,3 +137,7 @@ class TestOpenSSL(object):
|
||||||
|
)
|
||||||
|
with pytest.raises(RuntimeError):
|
||||||
|
_verify_openssl_version(lib)
|
||||||
|
+
|
||||||
|
+ def test_npn_binding(self):
|
||||||
|
+ b = Binding()
|
||||||
|
+ assert b.lib.Cryptography_HAS_NEXTPROTONEG
|
||||||
|
--
|
||||||
|
2.29.2
|
||||||
|
|
@ -0,0 +1,18 @@
|
|||||||
|
From 962eac3925c7184fb5dc174357823223beba0d85 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Paul Kehrer <paul.l.kehrer@gmail.com>
|
||||||
|
Date: Sun, 7 Feb 2021 11:04:43 -0600
|
||||||
|
Subject: [PATCH] port changelog and fix back to master for CVE-2020-36242
|
||||||
|
|
||||||
|
diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
|
||||||
|
index 2b10681b31..0f96795fdc 100644
|
||||||
|
--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
|
||||||
|
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
|
||||||
|
@@ -16,7 +16,7 @@
|
||||||
|
class _CipherContext(object):
|
||||||
|
_ENCRYPT = 1
|
||||||
|
_DECRYPT = 0
|
||||||
|
- _MAX_CHUNK_SIZE = 2 ** 31 - 1
|
||||||
|
+ _MAX_CHUNK_SIZE = 2 ** 30 - 1
|
||||||
|
|
||||||
|
def __init__(self, backend, cipher, mode, operation):
|
||||||
|
self._backend = backend
|
@ -1,67 +0,0 @@
|
|||||||
From 89af85f9d4fc2ef3e89ad1b2a58c751f00f54a4f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alex Gaynor <alex.gaynor@gmail.com>
|
|
||||||
Date: Thu, 3 Mar 2022 16:24:21 -0500
|
|
||||||
Subject: [PATCH 5/5] Fixed serialization of keyusage ext with no bits (#6930)
|
|
||||||
|
|
||||||
fixes #6926
|
|
||||||
---
|
|
||||||
src/rust/src/x509/extensions.rs | 17 +++++++++++------
|
|
||||||
tests/x509/test_x509_ext.py | 14 ++++++++++++++
|
|
||||||
2 files changed, 25 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs
|
|
||||||
index 606566dd9..68b9839a0 100644
|
|
||||||
--- a/src/rust/src/x509/extensions.rs
|
|
||||||
+++ b/src/rust/src/x509/extensions.rs
|
|
||||||
@@ -135,12 +135,17 @@ pub(crate) fn encode_extension(
|
|
||||||
certificate::set_bit(&mut bs, 7, ext.getattr("encipher_only")?.is_true()?);
|
|
||||||
certificate::set_bit(&mut bs, 8, ext.getattr("decipher_only")?.is_true()?);
|
|
||||||
}
|
|
||||||
- let bits = if bs[1] == 0 { &bs[..1] } else { &bs[..] };
|
|
||||||
- let unused_bits = bits.last().unwrap().trailing_zeros() as u8;
|
|
||||||
- Ok(Some(asn1::write_single(&asn1::BitString::new(
|
|
||||||
- bits,
|
|
||||||
- unused_bits,
|
|
||||||
- ))))
|
|
||||||
+ let (bits, unused_bits) = if bs[1] == 0 {
|
|
||||||
+ if bs[0] == 0 {
|
|
||||||
+ (&[][..], 0)
|
|
||||||
+ } else {
|
|
||||||
+ (&bs[..1], bs[0].trailing_zeros() as u8)
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ (&bs[..], bs[1].trailing_zeros() as u8)
|
|
||||||
+ };
|
|
||||||
+ let v = asn1::BitString::new(bits, unused_bits).unwrap();
|
|
||||||
+ Ok(Some(asn1::write_single(&v)))
|
|
||||||
} else if oid == &*oid::AUTHORITY_INFORMATION_ACCESS_OID
|
|
||||||
|| oid == &*oid::SUBJECT_INFORMATION_ACCESS_OID
|
|
||||||
{
|
|
||||||
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
|
|
||||||
index 66ac43d95..2bbba8ec6 100644
|
|
||||||
--- a/tests/x509/test_x509_ext.py
|
|
||||||
+++ b/tests/x509/test_x509_ext.py
|
|
||||||
@@ -1137,6 +1137,20 @@ class TestKeyUsage(object):
|
|
||||||
),
|
|
||||||
b"\x03\x02\x02\x94",
|
|
||||||
),
|
|
||||||
+ (
|
|
||||||
+ x509.KeyUsage(
|
|
||||||
+ digital_signature=False,
|
|
||||||
+ content_commitment=False,
|
|
||||||
+ key_encipherment=False,
|
|
||||||
+ data_encipherment=False,
|
|
||||||
+ key_agreement=False,
|
|
||||||
+ key_cert_sign=False,
|
|
||||||
+ crl_sign=False,
|
|
||||||
+ encipher_only=False,
|
|
||||||
+ decipher_only=False,
|
|
||||||
+ ),
|
|
||||||
+ b"\x03\x01\x00",
|
|
||||||
+ ),
|
|
||||||
],
|
|
||||||
)
|
|
||||||
def test_public_bytes(self, ext, serialized):
|
|
||||||
--
|
|
||||||
2.35.1
|
|
||||||
|
|
@ -1,83 +0,0 @@
|
|||||||
From ca92d13436944090faa79ffc25378c45ec564a4d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alex Gaynor <alex.gaynor@gmail.com>
|
|
||||||
Date: Wed, 14 Dec 2022 01:50:06 -0500
|
|
||||||
Subject: [PATCH] Adapt for OpenSSL RSA bleichenbacher mitigation (#7895)
|
|
||||||
|
|
||||||
Attempt to work-around wycheproof tests
|
|
||||||
---
|
|
||||||
src/_cffi_src/openssl/rsa.py | 8 ++++++++
|
|
||||||
tests/hazmat/primitives/test_rsa.py | 5 +++--
|
|
||||||
tests/wycheproof/test_rsa.py | 20 +++++++++++++++-----
|
|
||||||
3 files changed, 26 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/_cffi_src/openssl/rsa.py b/src/_cffi_src/openssl/rsa.py
|
|
||||||
index 5d1e163b1..2682ea1e4 100644
|
|
||||||
--- a/src/_cffi_src/openssl/rsa.py
|
|
||||||
+++ b/src/_cffi_src/openssl/rsa.py
|
|
||||||
@@ -18,6 +18,8 @@ static const int RSA_F4;
|
|
||||||
|
|
||||||
static const int Cryptography_HAS_RSA_OAEP_MD;
|
|
||||||
static const int Cryptography_HAS_RSA_OAEP_LABEL;
|
|
||||||
+
|
|
||||||
+static const int Cryptography_HAS_IMPLICIT_RSA_REJECTION;
|
|
||||||
"""
|
|
||||||
|
|
||||||
FUNCTIONS = """
|
|
||||||
@@ -57,4 +59,10 @@ int (*EVP_PKEY_CTX_set_rsa_oaep_md)(EVP_PKEY_CTX *, EVP_MD *) = NULL;
|
|
||||||
int (*EVP_PKEY_CTX_set0_rsa_oaep_label)(EVP_PKEY_CTX *, unsigned char *,
|
|
||||||
int) = NULL;
|
|
||||||
#endif
|
|
||||||
+
|
|
||||||
+#if defined(EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION)
|
|
||||||
+static const int Cryptography_HAS_IMPLICIT_RSA_REJECTION = 1;
|
|
||||||
+#else
|
|
||||||
+static const int Cryptography_HAS_IMPLICIT_RSA_REJECTION = 0;
|
|
||||||
+#endif
|
|
||||||
"""
|
|
||||||
diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py
|
|
||||||
index 4fb205db4..0315489dc 100644
|
|
||||||
--- a/tests/hazmat/primitives/test_rsa.py
|
|
||||||
+++ b/tests/hazmat/primitives/test_rsa.py
|
|
||||||
@@ -1551,8 +1551,9 @@ class TestRSADecryption(object):
|
|
||||||
private_key.decrypt(b"0" * 256, DummyAsymmetricPadding())
|
|
||||||
|
|
||||||
@pytest.mark.supported(
|
|
||||||
- only_if=lambda backend: backend.rsa_padding_supported(
|
|
||||||
- padding.PKCS1v15()
|
|
||||||
+ only_if=lambda backend: (
|
|
||||||
+ backend.rsa_padding_supported(padding.PKCS1v15())
|
|
||||||
+ and not backend._lib.Cryptography_HAS_IMPLICIT_RSA_REJECTION
|
|
||||||
),
|
|
||||||
skip_message="Does not support PKCS1v1.5.",
|
|
||||||
)
|
|
||||||
diff --git a/tests/wycheproof/test_rsa.py b/tests/wycheproof/test_rsa.py
|
|
||||||
index 79fd682b7..e6bd8af8a 100644
|
|
||||||
--- a/tests/wycheproof/test_rsa.py
|
|
||||||
+++ b/tests/wycheproof/test_rsa.py
|
|
||||||
@@ -245,8 +245,18 @@ def test_rsa_pkcs1_encryption(backend, wycheproof):
|
|
||||||
)
|
|
||||||
assert pt == binascii.unhexlify(wycheproof.testcase["msg"])
|
|
||||||
else:
|
|
||||||
- with pytest.raises(ValueError):
|
|
||||||
- key.decrypt(
|
|
||||||
- binascii.unhexlify(wycheproof.testcase["ct"]),
|
|
||||||
- padding.PKCS1v15(),
|
|
||||||
- )
|
|
||||||
+ if backend._lib.Cryptography_HAS_IMPLICIT_RSA_REJECTION:
|
|
||||||
+ try:
|
|
||||||
+ assert key.decrypt(
|
|
||||||
+ binascii.unhexlify(wycheproof.testcase["ct"]),
|
|
||||||
+ padding.PKCS1v15(),
|
|
||||||
+ ) != binascii.unhexlify(wycheproof.testcase["ct"])
|
|
||||||
+ except ValueError:
|
|
||||||
+ # Some raise ValueError due to length mismatch.
|
|
||||||
+ pass
|
|
||||||
+ else:
|
|
||||||
+ with pytest.raises(ValueError):
|
|
||||||
+ key.decrypt(
|
|
||||||
+ binascii.unhexlify(wycheproof.testcase["ct"]),
|
|
||||||
+ padding.PKCS1v15(),
|
|
||||||
+ )
|
|
||||||
--
|
|
||||||
2.40.1
|
|
||||||
|
|
@ -1,22 +0,0 @@
|
|||||||
|
|
||||||
class Skipper:
|
|
||||||
"""Skip iso8601 and pretend tests
|
|
||||||
|
|
||||||
RHEL buildroot doesn't have python-iso8601 and python-pretend. Skip
|
|
||||||
all tests that use the excluded modules.
|
|
||||||
"""
|
|
||||||
|
|
||||||
def parse_date(self, datestring):
|
|
||||||
pytest.skip(f"iso8601 module is not available.")
|
|
||||||
|
|
||||||
def stub(self, **kwargs):
|
|
||||||
pytest.skip(f"pretend module is not available.")
|
|
||||||
|
|
||||||
def raiser(self, exc):
|
|
||||||
pytest.skip(f"pretend module is not available.")
|
|
||||||
|
|
||||||
|
|
||||||
import sys
|
|
||||||
|
|
||||||
sys.modules["iso8601"] = sys.modules["pretend"] = Skipper()
|
|
||||||
|
|
Loading…
Reference in new issue