Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 743943 Details for
Bug 814773
dev-python/cryptography-3.4.7-r2 fails to execute with dev-libs/openssl-3.0.0
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
cryptography-3.4.x-py310_openssl30.patch
cryptography-3.4.8-py310_openssl30.patch (text/plain), 40.83 KB, created by
Perfect Gentleman
on 2021-10-09 08:30:24 UTC
(
hide
)
Description:
cryptography-3.4.x-py310_openssl30.patch
Filename:
MIME Type:
Creator:
Perfect Gentleman
Created:
2021-10-09 08:30:24 UTC
Size:
40.83 KB
patch
obsolete
>From b22146535ee98e27c0316c1ae55924610a66a051 Mon Sep 17 00:00:00 2001 >From: Alex Gaynor <alex.gaynor@gmail.com> >Date: Thu, 8 Jul 2021 22:25:23 -0400 >Subject: [PATCH 01/13] Silence overly zealous flake8 warning (#6163) > >From 0ec5170b4a30e8408b793ad92f4475d9ae8a2cc7 Mon Sep 17 00:00:00 2001 >From: Alex Gaynor <alex.gaynor@gmail.com> >Date: Sat, 26 Jun 2021 05:46:35 -0400 >Subject: [PATCH 05/13] moar linkcheck ignores (#6137) > >* moar linkcheck ignores > >* new alpine new python >diff --git a/docs/conf.py b/docs/conf.py >index 0db9dd8b842..f79db277abf 100644 >--- a/docs/conf.py >+++ b/docs/conf.py >@@ -198,6 +198,10 @@ > r"https://info.isl.ntt.co.jp/crypt/eng/camellia/", > # Inconsistent small DH params they seem incapable of fixing > r"https://www.secg.org/sec1-v2.pdf", >+ # Incomplete cert chain >+ r"https://e-trust.gosuslugi.ru", >+ # Expired cert (1 week at time of writing) >+ r"https://www.cosic.esat.kuleuven.be", > ] > > autosectionlabel_prefix_document = True > >From 9ad29595c12ad9c426d6fdcf5c873135ff3b4fc9 Mon Sep 17 00:00:00 2001 >From: James Hilliard <james.hilliard1@gmail.com> >Date: Sat, 3 Jul 2021 18:26:36 -0600 >Subject: [PATCH 06/13] Disable fail-fast in tests. (#6155) > >This makes it easier to isolate regressions by running all tests >even if one fails. > >From e33fd51c85ad97d312aac722453d35d514ea473d Mon Sep 17 00:00:00 2001 >From: Paul Kehrer <paul.l.kehrer@gmail.com> >Date: Sun, 28 Feb 2021 16:06:11 -0600 >Subject: [PATCH 08/13] fix pkcs12 parse ordering. fixes #5872 (#5879) > >* fix pkcs12 parse ordering. fixes #5872 > >* remove an unneeded print > >* simplify the test a bit more > >* index > >* black > >* Update tests/hazmat/primitives/test_pkcs12.py > >Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> > >Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com> >--- > .../hazmat/backends/openssl/backend.py | 5 +- > tests/hazmat/primitives/test_pkcs12.py | 58 ++++++++++++++++++- > 2 files changed, 59 insertions(+), 4 deletions(-) > >diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py >index 271873d92ad..a96d08d8a70 100644 >--- a/src/cryptography/hazmat/backends/openssl/backend.py >+++ b/src/cryptography/hazmat/backends/openssl/backend.py >@@ -6,6 +6,7 @@ > import collections > import contextlib > import itertools >+import typing > import warnings > from contextlib import contextmanager > >@@ -2562,9 +2563,7 @@ def serialize_key_and_certificates_to_pkcs12( > sk_x509 = self._lib.sk_X509_new_null() > sk_x509 = self._ffi.gc(sk_x509, self._lib.sk_X509_free) > >- # reverse the list when building the stack so that they're encoded >- # in the order they were originally provided. it is a mystery >- for ca in reversed(cas): >+ for ca in cas: > res = self._lib.sk_X509_push(sk_x509, ca._x509) > backend.openssl_assert(res >= 1) > >diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py >index b5de09f95ca..b1759a1bc8a 100644 >--- a/tests/hazmat/primitives/test_pkcs12.py >+++ b/tests/hazmat/primitives/test_pkcs12.py >@@ -4,13 +4,15 @@ > > > import os >+from datetime import datetime > > import pytest > > from cryptography import x509 > from cryptography.hazmat.backends.interfaces import DERSerializationBackend > from cryptography.hazmat.backends.openssl.backend import _RC2 >-from cryptography.hazmat.primitives import serialization >+from cryptography.hazmat.primitives import hashes, serialization >+from cryptography.hazmat.primitives.asymmetric import ec > from cryptography.hazmat.primitives.serialization import load_pem_private_key > from cryptography.hazmat.primitives.serialization.pkcs12 import ( > load_key_and_certificates, >@@ -273,3 +275,57 @@ def test_generate_unsupported_encryption_type(self, backend): > DummyKeySerializationEncryption(), > ) > assert str(exc.value) == "Unsupported key encryption type" >+ >+ >+def test_pkcs12_ordering(): >+ """ >+ In OpenSSL < 3.0.0 PKCS12 parsing reverses the order. However, we >+ accidentally thought it was **encoding** that did it, leading to bug >+ https://github.com/pyca/cryptography/issues/5872 >+ This test ensures our ordering is correct going forward. >+ """ >+ >+ def make_cert(name): >+ key = ec.generate_private_key(ec.SECP256R1()) >+ subject = x509.Name( >+ [ >+ x509.NameAttribute(x509.NameOID.COMMON_NAME, name), >+ ] >+ ) >+ now = datetime.utcnow() >+ cert = ( >+ x509.CertificateBuilder() >+ .subject_name(subject) >+ .issuer_name(subject) >+ .public_key(key.public_key()) >+ .serial_number(x509.random_serial_number()) >+ .not_valid_before(now) >+ .not_valid_after(now) >+ .sign(key, hashes.SHA256()) >+ ) >+ return (key, cert) >+ >+ # Make some certificates with distinct names. >+ a_name = "A" * 20 >+ b_name = "B" * 20 >+ c_name = "C" * 20 >+ a_key, a_cert = make_cert(a_name) >+ _, b_cert = make_cert(b_name) >+ _, c_cert = make_cert(c_name) >+ >+ # Bundle them in a PKCS#12 file in order A, B, C. >+ p12 = serialize_key_and_certificates( >+ b"p12", a_key, a_cert, [b_cert, c_cert], serialization.NoEncryption() >+ ) >+ >+ # Parse them out. The API should report them in the same order. >+ (key, cert, certs) = load_key_and_certificates(p12, None) >+ assert cert == a_cert >+ assert certs == [b_cert, c_cert] >+ >+ # The ordering in the PKCS#12 file itself should also match. >+ a_idx = p12.index(a_name.encode("utf-8")) >+ b_idx = p12.index(b_name.encode("utf-8")) >+ c_idx = p12.index(c_name.encode("utf-8")) >+ >+ assert a_idx < b_idx < c_idx > >From 3b1caebbbeb773bffccc5f79a7d3cd172e574d2d Mon Sep 17 00:00:00 2001 >From: Paul Kehrer <paul.l.kehrer@gmail.com> >Date: Thu, 22 Apr 2021 19:16:38 -0500 >Subject: [PATCH 09/13] [WIP] 3.0.0 support (#5250) > >* 3.0.0 support > >* almost...there... > >* make mypy happy >--- > src/_cffi_src/build_openssl.py | 1 + > src/_cffi_src/openssl/cryptography.py | 3 ++ > src/_cffi_src/openssl/err.py | 6 +++ > src/_cffi_src/openssl/fips.py | 2 +- > src/_cffi_src/openssl/provider.py | 40 ++++++++++++++++++ > .../hazmat/backends/openssl/backend.py | 42 ++++++++++++++++--- > .../hazmat/backends/openssl/ciphers.py | 15 ++++++- > .../hazmat/bindings/openssl/_conditional.py | 11 +++++ > .../hazmat/bindings/openssl/binding.py | 20 +++++++++ > tests/hazmat/backends/test_openssl_memleak.py | 6 ++- > tests/hazmat/bindings/test_openssl.py | 4 +- > tests/hazmat/primitives/test_dh.py | 24 ++++++++++- > 12 files changed, 163 insertions(+), 11 deletions(-) > create mode 100644 src/_cffi_src/openssl/provider.py > >diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py >index 08499d66f62..557296ed535 100644 >--- a/src/_cffi_src/build_openssl.py >+++ b/src/_cffi_src/build_openssl.py >@@ -104,6 +104,7 @@ def _extra_compile_args(platform): > "osrandom_engine", > "pem", > "pkcs12", >+ "provider", > "rand", > "rsa", > "ssl", >diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py >index e2b5a13235a..06d1e7787ec 100644 >--- a/src/_cffi_src/openssl/cryptography.py >+++ b/src/_cffi_src/openssl/cryptography.py >@@ -34,6 +34,8 @@ > > #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \ > (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL) >+#define CRYPTOGRAPHY_OPENSSL_300_OR_GREATER \ >+ (OPENSSL_VERSION_NUMBER >= 0x30000000 && !CRYPTOGRAPHY_IS_LIBRESSL) > > #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \ > (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL) >@@ -53,6 +55,7 @@ > > TYPES = """ > static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER; >+static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER; > > static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111; > static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B; >diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py >index 0634b656c0f..8cfeaf5ba38 100644 >--- a/src/_cffi_src/openssl/err.py >+++ b/src/_cffi_src/openssl/err.py >@@ -18,6 +18,7 @@ > > static const int ERR_LIB_EVP; > static const int ERR_LIB_PEM; >+static const int ERR_LIB_PROV; > static const int ERR_LIB_ASN1; > static const int ERR_LIB_PKCS12; > >@@ -45,4 +46,9 @@ > """ > > CUSTOMIZATIONS = """ >+/* This define is tied to provider support and is conditionally >+ removed if Cryptography_HAS_PROVIDERS is false */ >+#ifndef ERR_LIB_PROV >+#define ERR_LIB_PROV 0 >+#endif > """ >diff --git a/src/_cffi_src/openssl/fips.py b/src/_cffi_src/openssl/fips.py >index b9d0d64d84f..23c10af9220 100644 >--- a/src/_cffi_src/openssl/fips.py >+++ b/src/_cffi_src/openssl/fips.py >@@ -17,7 +17,7 @@ > """ > > CUSTOMIZATIONS = """ >-#if CRYPTOGRAPHY_IS_LIBRESSL >+#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_OPENSSL_300_OR_GREATER > static const long Cryptography_HAS_FIPS = 0; > int (*FIPS_mode_set)(int) = NULL; > int (*FIPS_mode)(void) = NULL; >diff --git a/src/_cffi_src/openssl/provider.py b/src/_cffi_src/openssl/provider.py >new file mode 100644 >index 00000000000..d7d659ea5ef >--- /dev/null >+++ b/src/_cffi_src/openssl/provider.py >@@ -0,0 +1,40 @@ >+# This file is dual licensed under the terms of the Apache License, Version >+# 2.0, and the BSD License. See the LICENSE file in the root of this repository >+# for complete details. >+ >+ >+INCLUDES = """ >+#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER >+#include <openssl/provider.h> >+#include <openssl/proverr.h> >+#endif >+""" >+ >+TYPES = """ >+static const long Cryptography_HAS_PROVIDERS; >+ >+typedef ... OSSL_PROVIDER; >+typedef ... OSSL_LIB_CTX; >+ >+static const long PROV_R_BAD_DECRYPT; >+static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH; >+""" >+ >+FUNCTIONS = """ >+OSSL_PROVIDER *OSSL_PROVIDER_load(OSSL_LIB_CTX *, const char *); >+int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov); >+""" >+ >+CUSTOMIZATIONS = """ >+#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER >+static const long Cryptography_HAS_PROVIDERS = 1; >+#else >+static const long Cryptography_HAS_PROVIDERS = 0; >+typedef void OSSL_PROVIDER; >+typedef void OSSL_LIB_CTX; >+static const long PROV_R_BAD_DECRYPT = 0; >+static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH = 0; >+OSSL_PROVIDER *(*OSSL_PROVIDER_load)(OSSL_LIB_CTX *, const char *) = NULL; >+int (*OSSL_PROVIDER_unload)(OSSL_PROVIDER *) = NULL; >+#endif >+""" >diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py >index a96d08d8a70..86e8f0a8813 100644 >--- a/src/cryptography/hazmat/backends/openssl/backend.py >+++ b/src/cryptography/hazmat/backends/openssl/backend.py >@@ -1281,6 +1281,11 @@ def load_der_private_key(self, data, password): > def _evp_pkey_from_der_traditional_key(self, bio_data, password): > key = self._lib.d2i_PrivateKey_bio(bio_data.bio, self._ffi.NULL) > if key != self._ffi.NULL: >+ # In OpenSSL 3.0.0-alpha15 there exist scenarios where the key will >+ # successfully load but errors are still put on the stack. Tracked >+ # as https://github.com/openssl/openssl/issues/14996 >+ self._consume_errors() >+ > key = self._ffi.gc(key, self._lib.EVP_PKEY_free) > if password is not None: > raise TypeError( >@@ -1448,6 +1453,11 @@ def _load_key(self, openssl_read_func, convert_func, data, password): > else: > self._handle_key_loading_error() > >+ # In OpenSSL 3.0.0-alpha15 there exist scenarios where the key will >+ # successfully load but errors are still put on the stack. Tracked >+ # as https://github.com/openssl/openssl/issues/14996 >+ self._consume_errors() >+ > evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) > > if password is not None and userdata.called == 0: >@@ -1470,11 +1480,22 @@ def _handle_key_loading_error(self): > "incorrect format or it may be encrypted with an unsupported " > "algorithm." > ) >- elif errors[0]._lib_reason_match( >- self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT >- ) or errors[0]._lib_reason_match( >- self._lib.ERR_LIB_PKCS12, >- self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR, >+ >+ elif ( >+ errors[0]._lib_reason_match( >+ self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT >+ ) >+ or errors[0]._lib_reason_match( >+ self._lib.ERR_LIB_PKCS12, >+ self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR, >+ ) >+ or ( >+ self._lib.Cryptography_HAS_PROVIDERS >+ and errors[0]._lib_reason_match( >+ self._lib.ERR_LIB_PROV, >+ self._lib.PROV_R_BAD_DECRYPT, >+ ) >+ ) > ): > raise ValueError("Bad decrypt. Incorrect password?") > >@@ -2520,7 +2541,16 @@ def load_key_and_certificates_from_pkcs12(self, data, password): > if sk_x509_ptr[0] != self._ffi.NULL: > sk_x509 = self._ffi.gc(sk_x509_ptr[0], self._lib.sk_X509_free) > num = self._lib.sk_X509_num(sk_x509_ptr[0]) >- for i in range(num): >+ >+ # In OpenSSL < 3.0.0 PKCS12 parsing reverses the order of the >+ # certificates. >+ indices: typing.Iterable[int] >+ if self._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: >+ indices = range(num) >+ else: >+ indices = reversed(range(num)) >+ >+ for i in indices: > x509 = self._lib.sk_X509_value(sk_x509, i) > self.openssl_assert(x509 != self._ffi.NULL) > x509 = self._ffi.gc(x509, self._lib.X509_free) >diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py >index 0f96795fdc7..a2dd68944fd 100644 >--- a/src/cryptography/hazmat/backends/openssl/ciphers.py >+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py >@@ -145,7 +145,13 @@ def update_into(self, data: bytes, buf) -> int: > res = self._backend._lib.EVP_CipherUpdate( > self._ctx, outbuf, outlen, inbuf, inlen > ) >- self._backend.openssl_assert(res != 0) >+ if res == 0 and isinstance(self._mode, modes.XTS): >+ raise ValueError( >+ "In XTS mode you must supply at least a full block in the " >+ "first update call. For AES this is 16 bytes." >+ ) >+ else: >+ self._backend.openssl_assert(res != 0) > data_processed += inlen > total_out += outlen[0] > >@@ -174,6 +180,13 @@ def finalize(self) -> bytes: > errors[0]._lib_reason_match( > self._backend._lib.ERR_LIB_EVP, > self._backend._lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH, >+ ) >+ or ( >+ self._backend._lib.Cryptography_HAS_PROVIDERS >+ and errors[0]._lib_reason_match( >+ self._backend._lib.ERR_LIB_PROV, >+ self._backend._lib.PROV_R_WRONG_FINAL_BLOCK_LENGTH, >+ ) > ), > errors=errors, > ) >diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py >index 8654835796b..1f42c7bee71 100644 >--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py >+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py >@@ -270,6 +270,16 @@ def cryptography_has_get_proto_version(): > ] > > >+def cryptography_has_providers(): >+ return [ >+ "OSSL_PROVIDER_load", >+ "OSSL_PROVIDER_unload", >+ "ERR_LIB_PROV", >+ "PROV_R_WRONG_FINAL_BLOCK_LENGTH", >+ "PROV_R_BAD_DECRYPT", >+ ] >+ >+ > # This is a mapping of > # {condition: function-returning-names-dependent-on-that-condition} so we can > # loop over them and delete unsupported names at runtime. It will be removed >@@ -318,4 +328,5 @@ def cryptography_has_get_proto_version(): > "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain, > "Cryptography_HAS_SRTP": cryptography_has_srtp, > "Cryptography_HAS_GET_PROTO_VERSION": cryptography_has_get_proto_version, >+ "Cryptography_HAS_PROVIDERS": cryptography_has_providers, > } >diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py >index a2bc36a83a7..6dcec26ab8a 100644 >--- a/src/cryptography/hazmat/bindings/openssl/binding.py >+++ b/src/cryptography/hazmat/bindings/openssl/binding.py >@@ -113,6 +113,8 @@ class Binding(object): > ffi = ffi > _lib_loaded = False > _init_lock = threading.Lock() >+ _legacy_provider: typing.Any = None >+ _default_provider: typing.Any = None > > def __init__(self): > self._ensure_ffi_initialized() >@@ -140,6 +142,24 @@ def _ensure_ffi_initialized(cls): > # adds all ciphers/digests for EVP > cls.lib.OpenSSL_add_all_algorithms() > cls._register_osrandom_engine() >+ # As of OpenSSL 3.0.0 we must register a legacy cipher provider >+ # to get RC2 (needed for junk asymmetric private key >+ # serialization), RC4, Blowfish, IDEA, SEED, etc. These things >+ # are ugly legacy, but we aren't going to get rid of them >+ # any time soon. >+ if cls.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: >+ cls._legacy_provider = cls.lib.OSSL_PROVIDER_load( >+ cls.ffi.NULL, b"legacy" >+ ) >+ _openssl_assert( >+ cls.lib, cls._legacy_provider != cls.ffi.NULL >+ ) >+ cls._default_provider = cls.lib.OSSL_PROVIDER_load( >+ cls.ffi.NULL, b"default" >+ ) >+ _openssl_assert( >+ cls.lib, cls._default_provider != cls.ffi.NULL >+ ) > > @classmethod > def init_static_locks(cls): >diff --git a/tests/hazmat/backends/test_openssl_memleak.py b/tests/hazmat/backends/test_openssl_memleak.py >index 0c96516fa19..0316b5d9602 100644 >--- a/tests/hazmat/backends/test_openssl_memleak.py >+++ b/tests/hazmat/backends/test_openssl_memleak.py >@@ -82,7 +82,7 @@ def free(ptr, path, line): > assert result == 1 > > # Trigger a bunch of initialization stuff. >- import cryptography.hazmat.backends.openssl >+ from cryptography.hazmat.backends.openssl.backend import backend > > start_heap = set(heap) > >@@ -91,6 +91,10 @@ def free(ptr, path, line): > gc.collect() > gc.collect() > >+ if lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: >+ lib.OSSL_PROVIDER_unload(backend._binding._legacy_provider) >+ lib.OSSL_PROVIDER_unload(backend._binding._default_provider) >+ > if lib.Cryptography_HAS_OPENSSL_CLEANUP: > lib.OPENSSL_cleanup() > >diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py >index fb9a1e36374..4d1e3b5566d 100644 >--- a/tests/hazmat/bindings/test_openssl.py >+++ b/tests/hazmat/bindings/test_openssl.py >@@ -91,7 +91,9 @@ def test_openssl_assert_error_on_stack(self): > _openssl_assert(b.lib, False) > > error = exc_info.value.err_code[0] >- assert error.code == 101183626 >+ # As of 3.0.0 OpenSSL sets func codes to 0, so the combined >+ # code is a different value >+ assert error.code in (101183626, 50331786) > assert error.lib == b.lib.ERR_LIB_EVP > assert error.func == b.lib.EVP_F_EVP_ENCRYPTFINAL_EX > assert error.reason == b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH >diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py >index 131807fc086..bb29919f0d5 100644 >--- a/tests/hazmat/primitives/test_dh.py >+++ b/tests/hazmat/primitives/test_dh.py >@@ -180,7 +180,23 @@ def test_dh_parameters_allows_rfc3526_groups(self, backend, vector): > params = dh.DHParameterNumbers(p, int(vector["g"])) > param = params.parameters(backend) > key = param.generate_private_key() >- assert key.private_numbers().public_numbers.parameter_numbers == params >+ # In OpenSSL 3.0.0 OpenSSL maps to known groups. This results in >+ # a scenario where loading a known group with p and g returns a >+ # re-serialized form that has q as well (the Sophie Germain prime of >+ # that group). This makes a naive comparison of the parameter numbers >+ # objects fail, so we have to be a bit smarter >+ serialized_params = ( >+ key.private_numbers().public_numbers.parameter_numbers >+ ) >+ if serialized_params.q is None: >+ # This is the path OpenSSL < 3.0 takes >+ assert serialized_params == params >+ else: >+ assert serialized_params.p == params.p >+ assert serialized_params.g == params.g >+ # p = 2q + 1 since it is a Sophie Germain prime, so we can compute >+ # what we expect OpenSSL to have done here. >+ assert serialized_params.q == (params.p - 1) // 2 > > @pytest.mark.skip_fips(reason="non-FIPS parameters") > @pytest.mark.parametrize( >@@ -382,6 +398,12 @@ def test_bad_exchange(self, backend, vector): > assert symkey1 != symkey2 > > @pytest.mark.skip_fips(reason="key_size too small for FIPS") >+ @pytest.mark.supported( >+ only_if=lambda backend: ( >+ not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER >+ ), >+ skip_message="256-bit DH keys are not supported in OpenSSL 3.0.0+", >+ ) > def test_load_256bit_key_from_pkcs8(self, backend): > data = load_vectors_from_file( > os.path.join("asymmetric", "DH", "dh_key_256.pem"), > >From c0bf3d0051cc7babcd97c293b34266186491e5c4 Mon Sep 17 00:00:00 2001 >From: Paul Kehrer <paul.l.kehrer@gmail.com> >Date: Wed, 14 Apr 2021 13:15:57 -0500 >Subject: [PATCH 10/13] switch to using EVP_PKEY_derive instead of > DH_compute_key in DH (#5972) > >* switch to using EVP_PKEY_derive instead of DH_compute_key in DH > >Where checks are occurring is changing in OpenSSL 3.0 and this makes it >easier to be consistent (and is the API we should be using anyway). The >tests change because EVP_PKEY_derive now verifies that we have shared >parameters, which the test previously only verified by asserting that >the derived keys didn't match > >* review feedback > >* type ignores required for typeerror tests. some day i will remember this >--- > src/_cffi_src/openssl/dh.py | 1 - > .../hazmat/backends/openssl/dh.py | 57 ++++++++++++------- > tests/hazmat/primitives/test_dh.py | 19 ++++--- > 3 files changed, 45 insertions(+), 32 deletions(-) > >diff --git a/src/_cffi_src/openssl/dh.py b/src/_cffi_src/openssl/dh.py >index 979dafa9425..50989e45343 100644 >--- a/src/_cffi_src/openssl/dh.py >+++ b/src/_cffi_src/openssl/dh.py >@@ -18,7 +18,6 @@ > void DH_free(DH *); > int DH_size(const DH *); > int DH_generate_key(DH *); >-int DH_compute_key(unsigned char *, const BIGNUM *, DH *); > DH *DHparams_dup(DH *); > > /* added in 1.1.0 when the DH struct was opaqued */ >diff --git a/src/cryptography/hazmat/backends/openssl/dh.py b/src/cryptography/hazmat/backends/openssl/dh.py >index 65ddaeec5fe..b928f024f56 100644 >--- a/src/cryptography/hazmat/backends/openssl/dh.py >+++ b/src/cryptography/hazmat/backends/openssl/dh.py >@@ -127,35 +127,48 @@ def private_numbers(self) -> dh.DHPrivateNumbers: > ) > > def exchange(self, peer_public_key: dh.DHPublicKey) -> bytes: >- buf = self._backend._ffi.new("unsigned char[]", self._key_size_bytes) >- pub_key = self._backend._ffi.new("BIGNUM **") >- self._backend._lib.DH_get0_key( >- peer_public_key._dh_cdata, # type: ignore[attr-defined] >- pub_key, >- self._backend._ffi.NULL, >+ if not isinstance(peer_public_key, _DHPublicKey): >+ raise TypeError("peer_public_key must be a DHPublicKey") >+ >+ ctx = self._backend._lib.EVP_PKEY_CTX_new( >+ self._evp_pkey, self._backend._ffi.NULL > ) >- self._backend.openssl_assert(pub_key[0] != self._backend._ffi.NULL) >- res = self._backend._lib.DH_compute_key( >- buf, pub_key[0], self._dh_cdata >+ self._backend.openssl_assert(ctx != self._backend._ffi.NULL) >+ ctx = self._backend._ffi.gc(ctx, self._backend._lib.EVP_PKEY_CTX_free) >+ res = self._backend._lib.EVP_PKEY_derive_init(ctx) >+ self._backend.openssl_assert(res == 1) >+ res = self._backend._lib.EVP_PKEY_derive_set_peer( >+ ctx, peer_public_key._evp_pkey >+ ) >+ # Invalid kex errors here in OpenSSL 3.0 because checks were moved >+ # to EVP_PKEY_derive_set_peer >+ self._exchange_assert(res == 1) >+ keylen = self._backend._ffi.new("size_t *") >+ res = self._backend._lib.EVP_PKEY_derive( >+ ctx, self._backend._ffi.NULL, keylen > ) >+ # Invalid kex errors here in OpenSSL < 3 >+ self._exchange_assert(res == 1) >+ self._backend.openssl_assert(keylen[0] > 0) >+ buf = self._backend._ffi.new("unsigned char[]", keylen[0]) >+ res = self._backend._lib.EVP_PKEY_derive(ctx, buf, keylen) >+ self._backend.openssl_assert(res == 1) > >- if res == -1: >+ key = self._backend._ffi.buffer(buf, keylen[0])[:] >+ pad = self._key_size_bytes - len(key) >+ >+ if pad > 0: >+ key = (b"\x00" * pad) + key >+ >+ return key >+ >+ def _exchange_assert(self, ok): >+ if not ok: > errors_with_text = self._backend._consume_errors_with_text() > raise ValueError( >- "Error computing shared key. Public key is likely invalid " >- "for this exchange.", >+ "Error computing shared key.", > errors_with_text, > ) >- else: >- self._backend.openssl_assert(res >= 1) >- >- key = self._backend._ffi.buffer(buf)[:res] >- pad = self._key_size_bytes - len(key) >- >- if pad > 0: >- key = (b"\x00" * pad) + key >- >- return key > > def public_key(self) -> dh.DHPublicKey: > dh_cdata = _dh_params_dup(self._dh_cdata, self._backend) >diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py >index bb29919f0d5..2914f7e776f 100644 >--- a/tests/hazmat/primitives/test_dh.py >+++ b/tests/hazmat/primitives/test_dh.py >@@ -296,6 +296,12 @@ def test_generate_dh(self, backend, with_q): > assert isinstance(key.private_numbers(), dh.DHPrivateNumbers) > assert isinstance(key.parameters(), dh.DHParameters) > >+ def test_exchange_wrong_type(self, backend): >+ parameters = FFDH3072_P.parameters(backend) >+ key1 = parameters.generate_private_key() >+ with pytest.raises(TypeError): >+ key1.exchange(b"invalidtype") # type: ignore[arg-type] >+ > def test_exchange(self, backend): > parameters = FFDH3072_P.parameters(backend) > assert isinstance(parameters, dh.DHParameters) >@@ -386,16 +392,11 @@ def test_bad_exchange(self, backend, vector): > key2 = private2.private_key(backend) > pub_key2 = key2.public_key() > >- if pub_key2.public_numbers().y >= parameters1.p: >- with pytest.raises(ValueError): >- key1.exchange(pub_key2) >- else: >- symkey1 = key1.exchange(pub_key2) >- assert symkey1 >- >- symkey2 = key2.exchange(pub_key1) >+ with pytest.raises(ValueError): >+ key1.exchange(pub_key2) > >- assert symkey1 != symkey2 >+ with pytest.raises(ValueError): >+ key2.exchange(pub_key1) > > @pytest.mark.skip_fips(reason="key_size too small for FIPS") > @pytest.mark.supported( > >From c49c6a18b8f1b1c7a958983a65ba723e14dd4f35 Mon Sep 17 00:00:00 2001 >From: Christian Heimes <cheimes@redhat.com> >Date: Mon, 10 May 2021 13:27:54 +0200 >Subject: [PATCH 11/13] Use well-defined enum representation > >Python 3.10 changed enum's object and string representation. PyCA >cryptography now uses a custom subclass of enum.Enum() will well-defined >__repr__ and __str__ from Python 3.9. > >Related: https://bugs.python.org/issue40066 >Fixes: https://github.com/pyca/cryptography/issues/5995 >Signed-off-by: Christian Heimes <cheimes@redhat.com> >--- > .github/workflows/ci.yml | 5 +++-- > src/cryptography/exceptions.py | 4 ++-- > src/cryptography/hazmat/primitives/_serialization.py | 11 ++++++----- > src/cryptography/hazmat/primitives/kdf/kbkdf.py | 5 ++--- > .../hazmat/primitives/serialization/pkcs7.py | 4 ++-- > src/cryptography/utils.py | 11 +++++++++++ > src/cryptography/x509/base.py | 4 ++-- > src/cryptography/x509/certificate_transparency.py | 7 ++++--- > src/cryptography/x509/extensions.py | 5 ++--- > src/cryptography/x509/name.py | 3 +-- > src/cryptography/x509/ocsp.py | 8 ++++---- > tests/test_cryptography_utils.py | 11 +++++++++++ > 12 files changed, 50 insertions(+), 28 deletions(-) > >diff --git a/src/cryptography/exceptions.py b/src/cryptography/exceptions.py >index f5860590571..3bd98d8252a 100644 >--- a/src/cryptography/exceptions.py >+++ b/src/cryptography/exceptions.py >@@ -3,10 +3,10 @@ > # for complete details. > > >-from enum import Enum >+from cryptography import utils > > >-class _Reasons(Enum): >+class _Reasons(utils.Enum): > BACKEND_MISSING_INTERFACE = 0 > UNSUPPORTED_HASH = 1 > UNSUPPORTED_CIPHER = 2 >diff --git a/src/cryptography/hazmat/primitives/_serialization.py b/src/cryptography/hazmat/primitives/_serialization.py >index 96a5ed9b75d..160a6b89c08 100644 >--- a/src/cryptography/hazmat/primitives/_serialization.py >+++ b/src/cryptography/hazmat/primitives/_serialization.py >@@ -3,13 +3,14 @@ > # for complete details. > > import abc >-from enum import Enum >+ >+from cryptography import utils > > # This exists to break an import cycle. These classes are normally accessible > # from the serialization module. > > >-class Encoding(Enum): >+class Encoding(utils.Enum): > PEM = "PEM" > DER = "DER" > OpenSSH = "OpenSSH" >@@ -18,14 +19,14 @@ class Encoding(Enum): > SMIME = "S/MIME" > > >-class PrivateFormat(Enum): >+class PrivateFormat(utils.Enum): > PKCS8 = "PKCS8" > TraditionalOpenSSL = "TraditionalOpenSSL" > Raw = "Raw" > OpenSSH = "OpenSSH" > > >-class PublicFormat(Enum): >+class PublicFormat(utils.Enum): > SubjectPublicKeyInfo = "X.509 subjectPublicKeyInfo with PKCS#1" > PKCS1 = "Raw PKCS#1" > OpenSSH = "OpenSSH" >@@ -34,7 +35,7 @@ class PublicFormat(Enum): > UncompressedPoint = "X9.62 Uncompressed Point" > > >-class ParameterFormat(Enum): >+class ParameterFormat(utils.Enum): > PKCS3 = "PKCS3" > > >diff --git a/src/cryptography/hazmat/primitives/kdf/kbkdf.py b/src/cryptography/hazmat/primitives/kdf/kbkdf.py >index ac36474fd7a..75fe7d51891 100644 >--- a/src/cryptography/hazmat/primitives/kdf/kbkdf.py >+++ b/src/cryptography/hazmat/primitives/kdf/kbkdf.py >@@ -4,7 +4,6 @@ > > > import typing >-from enum import Enum > > from cryptography import utils > from cryptography.exceptions import ( >@@ -19,11 +18,11 @@ > from cryptography.hazmat.primitives.kdf import KeyDerivationFunction > > >-class Mode(Enum): >+class Mode(utils.Enum): > CounterMode = "ctr" > > >-class CounterLocation(Enum): >+class CounterLocation(utils.Enum): > BeforeFixed = "before_fixed" > AfterFixed = "after_fixed" > >diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs7.py b/src/cryptography/hazmat/primitives/serialization/pkcs7.py >index bcd9e330d58..57aac7e3464 100644 >--- a/src/cryptography/hazmat/primitives/serialization/pkcs7.py >+++ b/src/cryptography/hazmat/primitives/serialization/pkcs7.py >@@ -3,8 +3,8 @@ > # for complete details. > > import typing >-from enum import Enum > >+from cryptography import utils > from cryptography import x509 > from cryptography.hazmat.backends import _get_backend > from cryptography.hazmat.primitives import hashes, serialization >@@ -35,7 +35,7 @@ def load_der_pkcs7_certificates(data: bytes) -> typing.List[x509.Certificate]: > ] > > >-class PKCS7Options(Enum): >+class PKCS7Options(utils.Enum): > Text = "Add text/plain MIME type" > Binary = "Don't translate input data into canonical MIME format" > DetachedSignature = "Don't embed data in the PKCS7 structure" >diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py >index ef0fc44332d..9e571cfdd15 100644 >--- a/src/cryptography/utils.py >+++ b/src/cryptography/utils.py >@@ -4,6 +4,7 @@ > > > import abc >+import enum > import inspect > import sys > import typing >@@ -162,3 +163,13 @@ def inner(instance): > "int_from_bytes is deprecated, use int.from_bytes instead", > DeprecatedIn34, > ) >+ >+ >+# Python 3.10 changed representation of enums. We use well-defined object >+# representation and string representation from Python 3.9. >+class Enum(enum.Enum): >+ def __repr__(self): >+ return f"<{self.__class__.__name__}.{self._name_}: {self._value_!r}>" >+ >+ def __str__(self): >+ return f"{self.__class__.__name__}.{self._name_}" >diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py >index 5505fa3b6d5..26ec43d5649 100644 >--- a/src/cryptography/x509/base.py >+++ b/src/cryptography/x509/base.py >@@ -7,8 +7,8 @@ > import datetime > import os > import typing >-from enum import Enum > >+from cryptography import utils > from cryptography.hazmat._types import _PRIVATE_KEY_TYPES, _PUBLIC_KEY_TYPES > from cryptography.hazmat.backends import _get_backend > from cryptography.hazmat.primitives import hashes, serialization >@@ -66,7 +66,7 @@ def _convert_to_naive_utc_time(time: datetime.datetime) -> datetime.datetime: > return time > > >-class Version(Enum): >+class Version(utils.Enum): > v1 = 0 > v3 = 2 > >diff --git a/src/cryptography/x509/certificate_transparency.py b/src/cryptography/x509/certificate_transparency.py >index d51bee92eff..d80f051a68a 100644 >--- a/src/cryptography/x509/certificate_transparency.py >+++ b/src/cryptography/x509/certificate_transparency.py >@@ -5,15 +5,16 @@ > > import abc > import datetime >-from enum import Enum > >+from cryptography import utils > >-class LogEntryType(Enum): >+ >+class LogEntryType(utils.Enum): > X509_CERTIFICATE = 0 > PRE_CERTIFICATE = 1 > > >-class Version(Enum): >+class Version(utils.Enum): > v1 = 0 > > >diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py >index 6cae016a1c6..742f1fa2931 100644 >--- a/src/cryptography/x509/extensions.py >+++ b/src/cryptography/x509/extensions.py >@@ -8,7 +8,6 @@ > import hashlib > import ipaddress > import typing >-from enum import Enum > > from cryptography import utils > from cryptography.hazmat._der import ( >@@ -634,7 +633,7 @@ def __hash__(self): > crl_issuer = utils.read_only_property("_crl_issuer") > > >-class ReasonFlags(Enum): >+class ReasonFlags(utils.Enum): > unspecified = "unspecified" > key_compromise = "keyCompromise" > ca_compromise = "cACompromise" >@@ -978,7 +977,7 @@ def __hash__(self): > return hash(tuple(self._features)) > > >-class TLSFeatureType(Enum): >+class TLSFeatureType(utils.Enum): > # status_request is defined in RFC 6066 and is used for what is commonly > # called OCSP Must-Staple when present in the TLS Feature extension in an > # X.509 certificate. >diff --git a/src/cryptography/x509/name.py b/src/cryptography/x509/name.py >index a579aa21963..9069a9f4b71 100644 >--- a/src/cryptography/x509/name.py >+++ b/src/cryptography/x509/name.py >@@ -3,14 +3,13 @@ > # for complete details. > > import typing >-from enum import Enum > > from cryptography import utils > from cryptography.hazmat.backends import _get_backend > from cryptography.x509.oid import NameOID, ObjectIdentifier > > >-class _ASN1Type(Enum): >+class _ASN1Type(utils.Enum): > UTF8String = 12 > NumericString = 18 > PrintableString = 19 >diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py >index 1c5de73e45b..bcf210c1eb3 100644 >--- a/src/cryptography/x509/ocsp.py >+++ b/src/cryptography/x509/ocsp.py >@@ -6,8 +6,8 @@ > import abc > import datetime > import typing >-from enum import Enum > >+from cryptography import utils > from cryptography import x509 > from cryptography.hazmat.primitives import hashes, serialization > from cryptography.x509.base import ( >@@ -27,12 +27,12 @@ > } > > >-class OCSPResponderEncoding(Enum): >+class OCSPResponderEncoding(utils.Enum): > HASH = "By Hash" > NAME = "By Name" > > >-class OCSPResponseStatus(Enum): >+class OCSPResponseStatus(utils.Enum): > SUCCESSFUL = 0 > MALFORMED_REQUEST = 1 > INTERNAL_ERROR = 2 >@@ -58,7 +58,7 @@ def _verify_algorithm(algorithm): > ) > > >-class OCSPCertStatus(Enum): >+class OCSPCertStatus(utils.Enum): > GOOD = 0 > REVOKED = 1 > UNKNOWN = 2 >diff --git a/tests/test_cryptography_utils.py b/tests/test_cryptography_utils.py >index 6b795e0c683..803997ac06e 100644 >--- a/tests/test_cryptography_utils.py >+++ b/tests/test_cryptography_utils.py >@@ -2,6 +2,7 @@ > # 2.0, and the BSD License. See the LICENSE file in the root of this repository > # for complete details. > >+import enum > import typing > > import pytest >@@ -51,3 +52,13 @@ def t(self): > assert len(accesses) == 1 > assert t.t == 14 > assert len(accesses) == 1 >+ >+ >+def test_enum(): >+ class TestEnum(utils.Enum): >+ value = "something" >+ >+ assert issubclass(TestEnum, enum.Enum) >+ assert isinstance(TestEnum.value, enum.Enum) >+ assert repr(TestEnum.value) == "<TestEnum.value: 'something'>" >+ assert str(TestEnum.value) == "TestEnum.value" > >From 82b3dd14c87c81323fc8b09b1a5dddff0628afff Mon Sep 17 00:00:00 2001 >From: Paul Kehrer <paul.l.kehrer@gmail.com> >Date: Wed, 30 Jun 2021 06:14:42 -0500 >Subject: [PATCH 12/13] 3.0.0 deprecated func and it isn't useful to us in > general (#6148) > >remove it everywhere and assert on the code/lib/reason >--- > src/cryptography/hazmat/bindings/openssl/binding.py | 11 ++++------- > tests/hazmat/bindings/test_openssl.py | 5 ++--- > 2 files changed, 6 insertions(+), 10 deletions(-) > >diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py >index 6dcec26ab8a..f651ab67238 100644 >--- a/src/cryptography/hazmat/bindings/openssl/binding.py >+++ b/src/cryptography/hazmat/bindings/openssl/binding.py >@@ -15,15 +15,14 @@ > from cryptography.hazmat.bindings.openssl._conditional import CONDITIONAL_NAMES > > _OpenSSLErrorWithText = collections.namedtuple( >- "_OpenSSLErrorWithText", ["code", "lib", "func", "reason", "reason_text"] >+ "_OpenSSLErrorWithText", ["code", "lib", "reason", "reason_text"] > ) > > > class _OpenSSLError(object): >- def __init__(self, code, lib, func, reason): >+ def __init__(self, code, lib, reason): > self._code = code > self._lib = lib >- self._func = func > self._reason = reason > > def _lib_reason_match(self, lib, reason): >@@ -31,7 +30,6 @@ def _lib_reason_match(self, lib, reason): > > code = utils.read_only_property("_code") > lib = utils.read_only_property("_lib") >- func = utils.read_only_property("_func") > reason = utils.read_only_property("_reason") > > >@@ -43,10 +41,9 @@ def _consume_errors(lib): > break > > err_lib = lib.ERR_GET_LIB(code) >- err_func = lib.ERR_GET_FUNC(code) > err_reason = lib.ERR_GET_REASON(code) > >- errors.append(_OpenSSLError(code, err_lib, err_func, err_reason)) >+ errors.append(_OpenSSLError(code, err_lib, err_reason)) > > return errors > >@@ -60,7 +57,7 @@ def _errors_with_text(errors): > > errors_with_text.append( > _OpenSSLErrorWithText( >- err.code, err.lib, err.func, err.reason, err_text_reason >+ err.code, err.lib, err.reason, err_text_reason > ) > ) > >diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py >index 4d1e3b5566d..1d9b87bad52 100644 >--- a/tests/hazmat/bindings/test_openssl.py >+++ b/tests/hazmat/bindings/test_openssl.py >@@ -91,11 +91,10 @@ def test_openssl_assert_error_on_stack(self): > _openssl_assert(b.lib, False) > > error = exc_info.value.err_code[0] >- # As of 3.0.0 OpenSSL sets func codes to 0, so the combined >- # code is a different value >+ # As of 3.0.0 OpenSSL no longer sets func codes (which we now also >+ # ignore), so the combined code is a different value > assert error.code in (101183626, 50331786) > assert error.lib == b.lib.ERR_LIB_EVP >- assert error.func == b.lib.EVP_F_EVP_ENCRYPTFINAL_EX > assert error.reason == b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH > assert b"data not multiple of block length" in error.reason_text > > >From 18091c8a8c5bc3a8d2e34d2530ce7d072d896b90 Mon Sep 17 00:00:00 2001 >From: Paul Kehrer <paul.l.kehrer@gmail.com> >Date: Wed, 30 Jun 2021 21:12:46 -0500 >Subject: [PATCH 13/13] remove unneeded binding (#6150) > >--- > src/_cffi_src/openssl/err.py | 1 - > 1 file changed, 1 deletion(-) > >diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py >index 8cfeaf5ba38..8d838d4fcac 100644 >--- a/src/_cffi_src/openssl/err.py >+++ b/src/_cffi_src/openssl/err.py >@@ -40,7 +40,6 @@ > void ERR_put_error(int, int, int, const char *, int); > > int ERR_GET_LIB(unsigned long); >-int ERR_GET_FUNC(unsigned long); > int ERR_GET_REASON(unsigned long); > > """
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 814773
: 743943