delta/python-packages/cryptography.git/src/cryptography, branch alex-patch-4 github.com: pyca/cryptography.git deprecate pythons without hmac.compare_digest (#4261) 2018-05-24T21:45:25+00:00 Paul Kehrer paul.l.kehrer@gmail.com 2018-05-24T21:45:25+00:00 afdbfb13780fb78e7b277b9de07e7636ba9c5119 * deprecate the constant time bytes comparison path old python 2.7.x uses * pep8 
* deprecate the constant time bytes comparison path old python 2.7.x uses

* pep8
remove block size as a required part of HashAlgorithm (#4249) 2018-05-16T14:42:10+00:00 Paul Kehrer paul.l.kehrer@gmail.com 2018-05-16T14:42:10+00:00 20b57be8d8068c2cd05cd3917e4e99b8a36debe0 Internal block size isn't a particularly useful piece of information and constructions like SHA3 make it even harder to determine what that really means. Accordingly, we're removing it from the interface (but leaving it on all existing hashes) 
Internal block size isn't a particularly useful piece of information and
constructions like SHA3 make it even harder to determine what that
really means. Accordingly, we're removing it from the interface (but
leaving it on all existing hashes)
 Future proofing use of the six python version constants (#4238) 2018-05-15T03:47:57+00:00 Eric Brown ericwb@users.noreply.github.com 2018-05-15T03:47:57+00:00 50bad375f5dd3fbb7c7ea62896e2538dc5734be6 * Future proofing use of the six python version constants After reading [1], noticed that cryptography uses a lot of if six.PY3 blocks. The issue with this is that whenever Python 4 is released, this code in the else block will be executed even though it was only intended for Python 2. [1] http://astrofrog.github.io/blog/2016/01/12/stop-writing-python-4-incompatible-code/ Signed-off-by: Eric Brown <browne@vmware.com> * Use not PY2 instead 
* Future proofing use of the six python version constants

After reading [1], noticed that cryptography uses a lot of if six.PY3
blocks. The issue with this is that whenever Python 4 is released,
this code in the else block will be executed even though it was
only intended for Python 2.

[1] http://astrofrog.github.io/blog/2016/01/12/stop-writing-python-4-incompatible-code/

Signed-off-by: Eric Brown <browne@vmware.com>

* Use not PY2 instead
Validate the public/private halves of EC keys on import. (#4241) 2018-05-15T02:49:24+00:00 David Benjamin davidben@davidben.net 2018-05-15T02:49:24+00:00 763990efa6c158d8a4dec8d71693665d026588a2 * Validate the public/private halves of EC keys on import. OpenSSL's API is a little finicky. If one sets the public key before the private key, it does not validate that they match. If set in the other order, it does validate this. In particular, KASValidityTest_ECCStaticUnified_NOKC_ZZOnly_init.fax describes error code 7 as: Result = F (7 - IUT's Static private key d changed-prikey validity) Reordering the two operations makes those tests to fail on key import, which is what CAVP appears to have intended. * Wrap to 79 rather than 80 columns 
* Validate the public/private halves of EC keys on import.

OpenSSL's API is a little finicky. If one sets the public key before the
private key, it does not validate that they match. If set in the other
order, it does validate this.

In particular, KASValidityTest_ECCStaticUnified_NOKC_ZZOnly_init.fax
describes error code 7 as:

  Result = F (7 - IUT's Static private key d changed-prikey validity)

Reordering the two operations makes those tests to fail on key import,
which is what CAVP appears to have intended.

* Wrap to 79 rather than 80 columns
Fix some stuttering. (#4240) 2018-05-14T22:32:22+00:00 David Benjamin davidben@davidben.net 2018-05-14T22:32:22+00:00 10cabad73b4e0cc15463e43f9a94855c4db7f032 This is a remnant of the function code checking when this logic looked at both encrypt/decrypt versions of this error code. 
This is a remnant of the function code checking when this logic looked
at both encrypt/decrypt versions of this error code.
 Clean up unused EC bindings. (#4225) 2018-05-14T17:00:02+00:00 David Benjamin davidben@davidben.net 2018-05-14T17:00:02+00:00 6639dd15a7847fae731b29ce01f98cba79757838 * Clean up unused EC bindings. A lot of these are really OpenSSL internals, like the EC_METHOD business, support for custom curves which are a bad idea, and weird non-standard serializations like taking the usual point serialization and treating it as a single BIGNUM. I also didn't remove things when they're arguably part of a set. E.g. EC_POINT_add is used, but EC_POINT_dbl isn't. However, they both set at the same abstraction level (basic point operations), so it's strange to have one without the other. I also kept EC_POINT_is_on_curve because, although it is not used, OpenSSL prior to 1.1.0 doesn't perform this important check in EC_POINT_set_affine_coordinates_GFp (though it does in some of the functions which ultimately call it, like EC_KEY_set_public_key_affine_coordinates, what cryptography.io actually uses), so one should not expose the latter without the former. * Fix build issue. 
* Clean up unused EC bindings.

A lot of these are really OpenSSL internals, like the EC_METHOD
business, support for custom curves which are a bad idea, and weird
non-standard serializations like taking the usual point serialization
and treating it as a single BIGNUM.

I also didn't remove things when they're arguably part of a set. E.g.
EC_POINT_add is used, but EC_POINT_dbl isn't. However, they both set at
the same abstraction level (basic point operations), so it's strange to
have one without the other.

I also kept EC_POINT_is_on_curve because, although it is not used,
OpenSSL prior to 1.1.0 doesn't perform this important check in
EC_POINT_set_affine_coordinates_GFp (though it does in some of the
functions which ultimately call it, like
EC_KEY_set_public_key_affine_coordinates, what cryptography.io actually
uses), so one should not expose the latter without the former.

* Fix build issue.
Check for CMAC_Init errors. (#4232) 2018-05-12T19:07:21+00:00 David Benjamin davidben@davidben.net 2018-05-12T19:07:21+00:00 590692fe6a071b3c694ae8966b84b45ece9b1a07 






Add support for extracting timestamp from a Fernet token (#4229)
2018-05-12T15:57:32+00:00

Paul Kehrer
paul.l.kehrer@gmail.com

2018-05-12T15:57:32+00:00

36ad98fd5e4b7358dc2aa903b6d51569bf19c5f8

* Add API for retrieving the seconds-to-expiry for the token, given a TTL.

* Process PR feedback:

* Do compute the TTL, but just the age of the token. The caller
can decided what to do next.

* Factored out the HMAC signature verification to a separate function.

* Fixed a copy&paste mistake in the test cases

* Tests cleanup.

* `struct` no longer needed

* Document `def age()`

* typo in `age()` documentation

* token, not data

* remove test for TTL expiry that is already covered by the parameterized `test_invalid()`.

* let's call this extract_timestamp and just return timestamp

* review comments

* it's UNIX I know this





* Add API for retrieving the seconds-to-expiry for the token, given a TTL.

* Process PR feedback:

* Do compute the TTL, but just the age of the token. The caller
can decided what to do next.

* Factored out the HMAC signature verification to a separate function.

* Fixed a copy&paste mistake in the test cases

* Tests cleanup.

* `struct` no longer needed

* Document `def age()`

* typo in `age()` documentation

* token, not data

* remove test for TTL expiry that is already covered by the parameterized `test_invalid()`.

* let's call this extract_timestamp and just return timestamp

* review comments

* it's UNIX I know this







fixed variable name to be correct (#4226)
2018-05-12T03:04:22+00:00

Alex Gaynor
alex.gaynor@gmail.com

2018-05-12T03:04:22+00:00

6c9a13f438c3d01c905cbbae269efce0748ac692












adding name so that 1.3.6.1.4.1.11129.2.4.2 is no longer and 'Unknown OID' (#4218)
2018-05-07T19:01:07+00:00

Joshua Crowgey
jcrowgey@u.washington.edu

2018-05-07T19:01:07+00:00

0f24bfee532f108118b5b9704f4d838096aa97d6