summaryrefslogtreecommitdiff
path: root/src/cryptography/hazmat/backends/openssl/ciphers.py
Commit message (Collapse)AuthorAgeFilesLines
* Use from __future__ import annotations everywhere (#8643)Alex Gaynor2023-03-311-3/+3
|
* drop support for openssl < 1.1.1d (#8449)Paul Kehrer2023-03-241-1/+1
| | | | | This removes the OS random engine, which contained the only CPython PSF licensed code in the repository. Accordingly, that license has now been removed.
* Don't allow update_into to mutate immutable objects (#8230)Alex Gaynor2023-02-071-1/+1
|
* Use the ruff 'pyupgrade' checks (#8104)Alex Gaynor2023-01-201-2/+2
|
* Switch from flake8 to ruff (#7920)Alex Gaynor2022-12-211-1/+0
| | | It's more than 60x faster.
* Remove explicit subclassing of object now that all classes are new-style (#6830)Alex Gaynor2022-01-301-1/+1
| | | As someone who first with Python in 2.4 or so, this habit is going to be hard to break.
* Format for new black (#6828)Alex Gaynor2022-01-291-1/+1
|
* Improve type coverage on some backend internals (#6776)Alex Gaynor2022-01-021-2/+4
|
* type encryptor/decryptor (#6744)Paul Kehrer2021-12-231-7/+2
| | | | | | | | | | | * type encryptor/decryptor This makes Cipher generic over mode and then uses that generic type to determine the return type of encryptor/decryptor. This makes the type signature look weird for the constructor with tools like pylance, but mypy itself enforces the typing properly and pylance correctly shows the resulting encryptor/decryptor return type. All hail abusing generics * type the insides of cipher a bit more
* more cipher typing (#6738)Paul Kehrer2021-12-221-1/+1
| | | | bytes is an alias that includes bytearray and memoryview so we can type update_into's buf
* more backend typing (#6731)Paul Kehrer2021-12-211-1/+5
| | | | | | | * more backend typing slow progress in a variety of places * type checking isn't the only way we run code
* Remove read_only_property and precisely type all these getters (#6668)Alex Gaynor2021-11-291-1/+4
| | | | | | | * Remove read_only_property and precisely type all these getters * flake8 * unused
* Simplify how we test boring, in a way that'll be extensible to the future ↵Alex Gaynor2021-11-101-5/+11
| | | | | | | | | (#6575) * Simplify how we test boring, in a way that'll be extensible to the future * Break out what we ignore * Get fernet tests passing on boringssl
* raise a ValueError if the AEAD tag is too long (#6246)Paul Kehrer2021-09-041-1/+8
| | | | | | | | | | | | * raise a ValueError if the GCM tag is too long this is checked in both the GCM mode constructor as well as finalize_with_tag * make it work * fix * import ordering
* Added handling for OpenSSL "xts duplicated keys" error. (#6085)Angus Gratton2021-06-091-1/+22
| | | | | | | | | | | | | | | | | | | | | * Added handling for OpenSSL "xts duplicated keys" error. Closes #5998 This error value was added pre-OpenSSL 1.1.1d here: https://github.com/openssl/openssl/commit/2a5f63c9a61be7582620c4b5da202bb3fd7e4138 and refined to only cover encryption shortly after: https://github.com/openssl/openssl/commit/58ae5a47da1e4843b0cd1846eb297b341d0e7201 * test_aes: Remove unnecessary assignment * xts: Update duplicated keys check for OpenSSL 3 providers Also, change the exception message slightly: - Now matches the tense used by openssl - Turns out decryption *is* checked for duplicate keys by OpenSSL 3 when in FIPS mode
* [WIP] 3.0.0 support (#5250)Paul Kehrer2021-04-221-0/+8
| | | | | | | * 3.0.0 support * almost...there... * make mypy happy
* fix XTS less than one block length. fixes #5885 (#5925)Paul Kehrer2021-03-211-1/+7
| | | | | * fix XTS less than one block length. fixes #5885 * make XTS test key happy
* port changelog and fix back to master for CVE-2020-36242 (#5748)Paul Kehrer2021-02-071-1/+1
|
* Added typing for more of ciphers (#5738)Alex Gaynor2021-02-011-5/+5
|
* Update APIs to use non-deprecated OpenSSL ones where possible (#5633)Alex Gaynor2020-12-101-1/+1
| | | cherry picked from #4920
* Remove __future__ import from our code (#5610)Alex Gaynor2020-12-091-1/+0
|
* chunking didn't actually work (#5499)Paul Kehrer2020-10-251-1/+1
|
* chunked update_into (#5419)Paul Kehrer2020-08-241-13/+21
| | | | | | | * chunked update_into * all pointer arithmetic all the time * review feedback
* Improve debugability of this internal error (#5399)Alex Gaynor2020-08-151-1/+2
|
* Paint it Black by the Rolling Stones (#5324)Alex Gaynor2020-07-201-28/+46
|
* See if we can remove an OpenSSL 1.0.1 workaround (#5184)Alex Gaynor2020-04-061-8/+0
|
* Drop support for OpenSSL 1.0.1 (#5178)Alex Gaynor2020-04-041-17/+0
|
* Simplify string formatting (#4757)Alex Gaynor2019-02-201-4/+4
|
* Improve error message for unsupported ciphers (#4650)Alex Gaynor2018-12-181-6/+8
| | | | | | | | | | | | * Improve error message for unsupported ciphers * fix spacing * include the openssl version number in the message * backwards * pep8
* allow bytes-like for key/iv/data for symmetric encryption (#4621)Paul Kehrer2018-12-091-8/+13
| | | | | | | | | | | | | | | | | | * allow bytearrays for key/iv for symmetric encryption * bump pypy/cffi requirements * update docs, fix some tests * old openssl is naught but pain * revert a typo * use trusty for old pypy * better error msg again * restore match
* disallow implicit tag truncation with finalize_with_tag (#4342)Paul Kehrer2018-07-171-0/+5
|
* Fix some stuttering. (#4240)David Benjamin2018-05-141-3/+0
| | | | This is a remnant of the function code checking when this logic looked at both encrypt/decrypt versions of this error code.
* Add support for AES XTS (#3900)Paul Kehrer2017-10-011-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | * Add support for AES XTS We drop the non-byte aligned test vectors because according to NIST http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSVS.pdf "An implementation may support a data unit length that is not a multiple of 8 bits." OpenSSL does not support this, so we can't use those test vectors. * fix docs and pep8 * docs fix * the spellchecker is so frustrating * add note about AES 192 for XTS (it's not supported) * docs work * enforce key length on ECB mode in AES as well (thanks XTS) * a few more words about why we exclude some test vectors for XTS
* add ChaCha20 support (#3919)Paul Kehrer2017-09-281-0/+2
| | | | | | | | | | * add ChaCha20 support * review feedback * 256 divided by 8 is what again? * ...
* bind EVP_CTRL_AEAD even when on < 1.1.0 (#3679)Paul Kehrer2017-06-041-4/+4
|
* fix libressl error/refactor some error handling (#3609)Paul Kehrer2017-05-261-4/+2
| | | | | | | | | | | | | | | | | | | | | | | * add libre so I can see the error * add the libre error needed and refactor error handling a bit We were historically matching on lib + func + reason, but func is somewhat unstable so now we match on lib + reason only. Of course, in this case libressl changed both lib and reason so it wouldn't have mattered. All error handling from the error queue in openssl is an illusion * fix a typo, probably an unneeded branch * review feedback * refactor tests to support libressl insert additional rant about libre here, although admittedly these tests were assuming stability where openssl itself guarantees none * better assert, fix flake8
* Simplify the update (#3586)Alex Gaynor2017-05-231-7/+3
| | | | | | * Simplify the update * wtf, cant reproduce issue
* Fixed #3533 -- made GCM mode object immutable (#3553)Alex Gaynor2017-05-201-23/+32
| | | | | | | | | | | | | | | | | | | | | | | | * Fixed #3533 -- made GCM mode object immutable * flake8 * Fix for older openssl * fix * fix * sigh, fix * fixed * dropped negation * computers are bad * A test * This implements an interface
* use openssl constants (#3534)Paul Kehrer2017-05-031-5/+13
|
* postpone GCM authentication tag requirement until finalization (#3421)Philipp Gesang2017-05-021-1/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * postpone GCM authentication tag requirement until finalization Add a .finalize_with_tag() variant of the .finalize() function of the GCM context. At the same time, do not enforce the requirement of supplying the tag with the mode ctor. This facilitates streamed decryption when the MAC is appended to the ciphertext and cannot be efficiently retrieved ahead of decryption. According to the GCM spec (section 7.2: “Algorithm for the Authenticated Decryption Function”), the tag itself is not needed until the ciphertext has been decrypted. Addresses #3380 Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com> * disallow delayed GCM tag passing for legacy OpenSSL Old versions of Ubuntu supported by Cryptography ship a v1.0.1 of OpenSSL which is no longer supported by upstream. This library seems to cause erratic test failures with the delayed GCM tag functionality which are not reproducible outside the CI. Unfortunately OpenSSL v1.0.1 does not even document the required API (``EVP_EncryptInit(3)``) so there is no by-the-book fix. For backends of version 1.0.1 and earlier, verify the GCM tag at the same stage as before. Also, indicate to the user that late passing of GCM tags is unsupported by throwing ``NotImplementedError`` for these backend versions if - the method ``finalize_with_tag()`` is invoked, or - the mode ctor is called without passing a tag. Unit tests have been adapted to account for different backend versions.
* add support for update_into on CipherContext (#3190)Paul Kehrer2017-02-161-0/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * add support for update_into on CipherContext This allows you to provide your own buffer (like recv_into) to improve performance when repeatedly calling encrypt/decrypt on large payloads. * another skip_if * more skip_if complexity * maybe do this right * correct number of args * coverage for the coverage gods * add a cffi minimum test tox target and travis builder This tests against macOS so we capture some commoncrypto branches * extra arg * need to actually install py35 * fix * coverage for GCM decrypt in CC * no longer relevant * 1.8 now * pep8 * dramatically simplify * update docs * remove unneeded test * changelog entry * test improvements * coverage fix * add some comments to example * move the comments to their own line * fix and move comment
* Drop 1.0.0 (#3312)Alex Gaynor2016-12-131-35/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * delete the 1.0.0 support * drop the version check * drop the AES-CTR stuff * Update the example * openssl truncates for us now * delete unused test * unused imports * Remove a bunch of conditional bindings for NPN * no more 1.0.0 builders * libressl fix * update the docs * remove dead branches * oops * this is a word, damnit * spelling * try removing this * this test is not needed * unused import
* Resolved some more CFFI warnings; these are also unsigned (#3163)Alex Gaynor2016-09-221-2/+2
|
* fix inconsistency in utilization of block_size in openssl cipher impl (#3131)Paul Kehrer2016-09-021-7/+6
| | | | | | | | | * fix inconsistency in utilization of block_size in openssl cipher impl Previously we over-allocated our buffers because we treated a bit size as bytes. * rename property
* Removed some code that existed for OpenSSL 0.9.8 (#2983)Alex Gaynor2016-06-181-11/+3
| | | Refs #2982
* Use InternalError for stuffAlex Gaynor2015-09-261-16/+14
|
* convert the rest of the openssl backend to using openssl_assertPaul Kehrer2015-09-251-11/+10
|
* export interfaces from base in ciphers, update docsPaul Kehrer2015-02-141-6/+7
|
* move cipher and mode interfacesPaul Kehrer2015-02-131-14/+13
|
* Update the license header for every source file, as well as the documentation.Alex Gaynor2014-11-161-12/+3
| | | | Fixes #1209
View Lorry Controller Status