Merge pull request #751 from lvh/master
Add GPG key fingerprint for lvh
diff --git a/cryptography/exceptions.py b/cryptography/exceptions.py
index b496259..a26dbe1 100644
--- a/cryptography/exceptions.py
+++ b/cryptography/exceptions.py
@@ -16,6 +16,18 @@
pass
+class UnsupportedCipher(UnsupportedAlgorithm):
+ pass
+
+
+class UnsupportedHash(UnsupportedAlgorithm):
+ pass
+
+
+class UnsupportedPadding(UnsupportedAlgorithm):
+ pass
+
+
class AlreadyFinalized(Exception):
pass
@@ -46,7 +58,3 @@
class InvalidToken(Exception):
pass
-
-
-class UnsupportedPadding(Exception):
- pass
diff --git a/cryptography/hazmat/backends/commoncrypto/backend.py b/cryptography/hazmat/backends/commoncrypto/backend.py
index 4a451d3..53228b3 100644
--- a/cryptography/hazmat/backends/commoncrypto/backend.py
+++ b/cryptography/hazmat/backends/commoncrypto/backend.py
@@ -17,7 +17,7 @@
from cryptography import utils
from cryptography.exceptions import (
- UnsupportedAlgorithm, InvalidTag, InternalError
+ InvalidTag, InternalError, UnsupportedCipher, UnsupportedHash
)
from cryptography.hazmat.backends.interfaces import (
HashBackend, HMACBackend, CipherBackend, PBKDF2HMACBackend
@@ -273,7 +273,7 @@
try:
cipher_enum, mode_enum = registry[type(cipher), type(mode)]
except KeyError:
- raise UnsupportedAlgorithm(
+ raise UnsupportedCipher(
"cipher {0} in {1} mode is not supported "
"by this backend".format(
cipher.name, mode.name if mode else mode)
@@ -346,7 +346,7 @@
try:
cipher_enum, mode_enum = registry[type(cipher), type(mode)]
except KeyError:
- raise UnsupportedAlgorithm(
+ raise UnsupportedCipher(
"cipher {0} in {1} mode is not supported "
"by this backend".format(
cipher.name, mode.name if mode else mode)
@@ -420,7 +420,7 @@
try:
methods = self._backend._hash_mapping[self.algorithm.name]
except KeyError:
- raise UnsupportedAlgorithm(
+ raise UnsupportedHash(
"{0} is not a supported hash on this backend".format(
algorithm.name)
)
@@ -463,7 +463,7 @@
try:
alg = self._backend._supported_hmac_algorithms[algorithm.name]
except KeyError:
- raise UnsupportedAlgorithm(
+ raise UnsupportedHash(
"{0} is not a supported HMAC hash on this backend".format(
algorithm.name)
)
diff --git a/cryptography/hazmat/backends/multibackend.py b/cryptography/hazmat/backends/multibackend.py
index de1fff7..cca82a5 100644
--- a/cryptography/hazmat/backends/multibackend.py
+++ b/cryptography/hazmat/backends/multibackend.py
@@ -14,7 +14,9 @@
from __future__ import absolute_import, division, print_function
from cryptography import utils
-from cryptography.exceptions import UnsupportedAlgorithm
+from cryptography.exceptions import (
+ UnsupportedAlgorithm, UnsupportedCipher, UnsupportedHash
+)
from cryptography.hazmat.backends.interfaces import (
CipherBackend, HashBackend, HMACBackend, PBKDF2HMACBackend, RSABackend
)
@@ -46,17 +48,17 @@
for b in self._filtered_backends(CipherBackend):
try:
return b.create_symmetric_encryption_ctx(algorithm, mode)
- except UnsupportedAlgorithm:
+ except UnsupportedCipher:
pass
- raise UnsupportedAlgorithm
+ raise UnsupportedCipher
def create_symmetric_decryption_ctx(self, algorithm, mode):
for b in self._filtered_backends(CipherBackend):
try:
return b.create_symmetric_decryption_ctx(algorithm, mode)
- except UnsupportedAlgorithm:
+ except UnsupportedCipher:
pass
- raise UnsupportedAlgorithm
+ raise UnsupportedCipher
def hash_supported(self, algorithm):
return any(
@@ -68,9 +70,9 @@
for b in self._filtered_backends(HashBackend):
try:
return b.create_hash_ctx(algorithm)
- except UnsupportedAlgorithm:
+ except UnsupportedHash:
pass
- raise UnsupportedAlgorithm
+ raise UnsupportedHash
def hmac_supported(self, algorithm):
return any(
@@ -82,9 +84,9 @@
for b in self._filtered_backends(HMACBackend):
try:
return b.create_hmac_ctx(key, algorithm)
- except UnsupportedAlgorithm:
+ except UnsupportedHash:
pass
- raise UnsupportedAlgorithm
+ raise UnsupportedHash
def pbkdf2_hmac_supported(self, algorithm):
return any(
@@ -99,9 +101,9 @@
return b.derive_pbkdf2_hmac(
algorithm, length, salt, iterations, key_material
)
- except UnsupportedAlgorithm:
+ except UnsupportedHash:
pass
- raise UnsupportedAlgorithm
+ raise UnsupportedHash
def generate_rsa_private_key(self, public_exponent, key_size):
for b in self._filtered_backends(RSABackend):
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index f05ee3d..b4625aa 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -18,8 +18,8 @@
from cryptography import utils
from cryptography.exceptions import (
- UnsupportedAlgorithm, InvalidTag, InternalError, AlreadyFinalized,
- UnsupportedPadding, InvalidSignature
+ InvalidTag, InternalError, AlreadyFinalized, UnsupportedCipher,
+ UnsupportedHash, UnsupportedPadding, InvalidSignature
)
from cryptography.hazmat.backends.interfaces import (
CipherBackend, HashBackend, HMACBackend, PBKDF2HMACBackend, RSABackend
@@ -211,7 +211,7 @@
assert res == 1
else:
if not isinstance(algorithm, hashes.SHA1):
- raise UnsupportedAlgorithm(
+ raise UnsupportedHash(
"This version of OpenSSL only supports PBKDF2HMAC with "
"SHA1"
)
@@ -377,7 +377,7 @@
try:
adapter = registry[type(cipher), type(mode)]
except KeyError:
- raise UnsupportedAlgorithm(
+ raise UnsupportedCipher(
"cipher {0} in {1} mode is not supported "
"by this backend".format(
cipher.name, mode.name if mode else mode)
@@ -385,7 +385,7 @@
evp_cipher = adapter(self._backend, cipher, mode)
if evp_cipher == self._backend._ffi.NULL:
- raise UnsupportedAlgorithm(
+ raise UnsupportedCipher(
"cipher {0} in {1} mode is not supported "
"by this backend".format(
cipher.name, mode.name if mode else mode)
@@ -438,6 +438,15 @@
self._ctx = ctx
def update(self, data):
+ # OpenSSL 0.9.8e has an assertion in its EVP code that causes it
+ # to SIGABRT if you call update with an empty byte string. This can be
+ # removed when we drop support for 0.9.8e (CentOS/RHEL 5). This branch
+ # should be taken only when length is zero and mode is not GCM because
+ # AES GCM can return improper tag values if you don't call update
+ # with empty plaintext when authenticating AAD for ...reasons.
+ if len(data) == 0 and not isinstance(self._mode, GCM):
+ return b""
+
buf = self._backend._ffi.new("unsigned char[]",
len(data) + self._block_size - 1)
outlen = self._backend._ffi.new("int *")
@@ -517,7 +526,7 @@
evp_md = self._backend._lib.EVP_get_digestbyname(
algorithm.name.encode("ascii"))
if evp_md == self._backend._ffi.NULL:
- raise UnsupportedAlgorithm(
+ raise UnsupportedHash(
"{0} is not a supported hash on this backend".format(
algorithm.name)
)
@@ -567,7 +576,7 @@
evp_md = self._backend._lib.EVP_get_digestbyname(
algorithm.name.encode('ascii'))
if evp_md == self._backend._ffi.NULL:
- raise UnsupportedAlgorithm(
+ raise UnsupportedHash(
"{0} is not a supported hash on this backend".format(
algorithm.name)
)
diff --git a/cryptography/hazmat/bindings/openssl/dsa.py b/cryptography/hazmat/bindings/openssl/dsa.py
index e04507c..664296d 100644
--- a/cryptography/hazmat/bindings/openssl/dsa.py
+++ b/cryptography/hazmat/bindings/openssl/dsa.py
@@ -35,6 +35,7 @@
DSA *DSA_generate_parameters(int, unsigned char *, int, int *, unsigned long *,
void (*)(int, int, void *), void *);
int DSA_generate_key(DSA *);
+DSA *DSA_new(void);
void DSA_free(DSA *);
"""
diff --git a/cryptography/hazmat/bindings/openssl/err.py b/cryptography/hazmat/bindings/openssl/err.py
index 56e9a6b..f2058ad 100644
--- a/cryptography/hazmat/bindings/openssl/err.py
+++ b/cryptography/hazmat/bindings/openssl/err.py
@@ -265,7 +265,7 @@
#else
static const long Cryptography_HAS_REMOVE_THREAD_STATE = 0;
typedef uint32_t CRYPTO_THREADID;
-void (*ERR_remove_thread_state)(const CRYPTO_THREADID *);
+void (*ERR_remove_thread_state)(const CRYPTO_THREADID *) = NULL;
#endif
"""
diff --git a/cryptography/hazmat/primitives/kdf/pbkdf2.py b/cryptography/hazmat/primitives/kdf/pbkdf2.py
index 71b8821..3942778 100644
--- a/cryptography/hazmat/primitives/kdf/pbkdf2.py
+++ b/cryptography/hazmat/primitives/kdf/pbkdf2.py
@@ -17,7 +17,7 @@
from cryptography import utils
from cryptography.exceptions import (
- InvalidKey, UnsupportedAlgorithm, AlreadyFinalized
+ InvalidKey, UnsupportedHash, AlreadyFinalized
)
from cryptography.hazmat.primitives import constant_time, interfaces
@@ -26,7 +26,7 @@
class PBKDF2HMAC(object):
def __init__(self, algorithm, length, salt, iterations, backend):
if not backend.pbkdf2_hmac_supported(algorithm):
- raise UnsupportedAlgorithm(
+ raise UnsupportedHash(
"{0} is not supported for PBKDF2 by this backend".format(
algorithm.name)
)
diff --git a/docs/exceptions.rst b/docs/exceptions.rst
index 7f9ae34..48c4bca 100644
--- a/docs/exceptions.rst
+++ b/docs/exceptions.rst
@@ -25,11 +25,24 @@
This is raised when additional data is added to a context after update
has already been called.
+.. class:: UnsupportedCipher
-.. class:: UnsupportedAlgorithm
+ .. versionadded:: 0.3
- This is raised when a backend doesn't support the requested algorithm (or
- combination of algorithms).
+ This is raised when a backend doesn't support the requested cipher
+ algorithm and mode combination.
+
+.. class:: UnsupportedHash
+
+ .. versionadded:: 0.3
+
+ This is raised when a backend doesn't support the requested hash algorithm.
+
+.. class:: UnsupportedPadding
+
+ .. versionadded:: 0.3
+
+ This is raised when the requested padding is not supported by the backend.
.. class:: InvalidKey
@@ -43,7 +56,3 @@
This is raised when the verify method of a one time password function's
computed token does not match the expected token.
-
-.. class:: UnsupportedPadding
-
- This is raised when the chosen padding is not supported by the backend.
diff --git a/docs/hazmat/backends/interfaces.rst b/docs/hazmat/backends/interfaces.rst
index af19fbc..a7a9661 100644
--- a/docs/hazmat/backends/interfaces.rst
+++ b/docs/hazmat/backends/interfaces.rst
@@ -258,7 +258,7 @@
style key serialization.
.. method:: load_openssl_pem_private_key(data, password)
-
+
:param bytes data: PEM data to deserialize.
:param bytes password: The password to use if this data is encrypted.
diff --git a/docs/hazmat/primitives/cryptographic-hashes.rst b/docs/hazmat/primitives/cryptographic-hashes.rst
index 6c56aca..86b8585 100644
--- a/docs/hazmat/primitives/cryptographic-hashes.rst
+++ b/docs/hazmat/primitives/cryptographic-hashes.rst
@@ -29,7 +29,7 @@
'l\xa1=R\xcap\xc8\x83\xe0\xf0\xbb\x10\x1eBZ\x89\xe8bM\xe5\x1d\xb2\xd29%\x93\xafj\x84\x11\x80\x90'
If the backend doesn't support the requested ``algorithm`` an
- :class:`~cryptography.exceptions.UnsupportedAlgorithm` will be raised.
+ :class:`~cryptography.exceptions.UnsupportedHash` will be raised.
Keep in mind that attacks against cryptographic hashes only get stronger
with time, and that often algorithms that were once thought to be strong,
diff --git a/docs/hazmat/primitives/hmac.rst b/docs/hazmat/primitives/hmac.rst
index 0118be7..1a2838f 100644
--- a/docs/hazmat/primitives/hmac.rst
+++ b/docs/hazmat/primitives/hmac.rst
@@ -35,7 +35,7 @@
'#F\xdaI\x8b"e\xc4\xf1\xbb\x9a\x8fc\xff\xf5\xdex.\xbc\xcd/+\x8a\x86\x1d\x84\'\xc3\xa6\x1d\xd8J'
If the backend doesn't support the requested ``algorithm`` an
- :class:`~cryptography.exceptions.UnsupportedAlgorithm` will be raised.
+ :class:`~cryptography.exceptions.UnsupportedHash` will be raised.
To check that a given signature is correct use the :meth:`verify` method.
You will receive an exception if the signature is wrong:
diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst
index 2306c5b..2bc25c5 100644
--- a/docs/hazmat/primitives/symmetric-encryption.rst
+++ b/docs/hazmat/primitives/symmetric-encryption.rst
@@ -61,7 +61,7 @@
provider.
If the backend doesn't support the requested combination of ``cipher``
- and ``mode`` an :class:`~cryptography.exceptions.UnsupportedAlgorithm`
+ and ``mode`` an :class:`~cryptography.exceptions.UnsupportedCipher`
will be raised.
.. method:: decryptor()
@@ -71,7 +71,7 @@
provider.
If the backend doesn't support the requested combination of ``cipher``
- and ``mode`` an :class:`cryptography.exceptions.UnsupportedAlgorithm`
+ and ``mode`` an :class:`cryptography.exceptions.UnsupportedCipher`
will be raised.
.. _symmetric-encryption-algorithms:
diff --git a/tests/hazmat/backends/test_commoncrypto.py b/tests/hazmat/backends/test_commoncrypto.py
index 7cc0f72..7feb0c7 100644
--- a/tests/hazmat/backends/test_commoncrypto.py
+++ b/tests/hazmat/backends/test_commoncrypto.py
@@ -14,7 +14,7 @@
import pytest
from cryptography import utils
-from cryptography.exceptions import UnsupportedAlgorithm, InternalError
+from cryptography.exceptions import UnsupportedCipher, InternalError
from cryptography.hazmat.bindings.commoncrypto.binding import Binding
from cryptography.hazmat.primitives import interfaces
from cryptography.hazmat.primitives.ciphers.algorithms import AES
@@ -61,5 +61,5 @@
cipher = Cipher(
DummyCipher(), GCM(b"fake_iv_here"), backend=b,
)
- with pytest.raises(UnsupportedAlgorithm):
+ with pytest.raises(UnsupportedCipher):
cipher.encryptor()
diff --git a/tests/hazmat/backends/test_multibackend.py b/tests/hazmat/backends/test_multibackend.py
index 6316818..87ef044 100644
--- a/tests/hazmat/backends/test_multibackend.py
+++ b/tests/hazmat/backends/test_multibackend.py
@@ -14,7 +14,9 @@
import pytest
from cryptography import utils
-from cryptography.exceptions import UnsupportedAlgorithm
+from cryptography.exceptions import (
+ UnsupportedAlgorithm, UnsupportedCipher, UnsupportedHash
+)
from cryptography.hazmat.backends.interfaces import (
CipherBackend, HashBackend, HMACBackend, PBKDF2HMACBackend, RSABackend
)
@@ -34,11 +36,11 @@
def create_symmetric_encryption_ctx(self, algorithm, mode):
if not self.cipher_supported(algorithm, mode):
- raise UnsupportedAlgorithm
+ raise UnsupportedCipher
def create_symmetric_decryption_ctx(self, algorithm, mode):
if not self.cipher_supported(algorithm, mode):
- raise UnsupportedAlgorithm
+ raise UnsupportedCipher
@utils.register_interface(HashBackend)
@@ -51,7 +53,7 @@
def create_hash_ctx(self, algorithm):
if not self.hash_supported(algorithm):
- raise UnsupportedAlgorithm
+ raise UnsupportedHash
@utils.register_interface(HMACBackend)
@@ -64,7 +66,7 @@
def create_hmac_ctx(self, key, algorithm):
if not self.hmac_supported(algorithm):
- raise UnsupportedAlgorithm
+ raise UnsupportedHash
@utils.register_interface(PBKDF2HMACBackend)
@@ -78,7 +80,7 @@
def derive_pbkdf2_hmac(self, algorithm, length, salt, iterations,
key_material):
if not self.pbkdf2_hmac_supported(algorithm):
- raise UnsupportedAlgorithm
+ raise UnsupportedHash
@utils.register_interface(RSABackend)
@@ -119,9 +121,9 @@
modes.CBC(b"\x00" * 16),
backend=backend
)
- with pytest.raises(UnsupportedAlgorithm):
+ with pytest.raises(UnsupportedCipher):
cipher.encryptor()
- with pytest.raises(UnsupportedAlgorithm):
+ with pytest.raises(UnsupportedCipher):
cipher.decryptor()
def test_hashes(self):
@@ -132,7 +134,7 @@
hashes.Hash(hashes.MD5(), backend=backend)
- with pytest.raises(UnsupportedAlgorithm):
+ with pytest.raises(UnsupportedHash):
hashes.Hash(hashes.SHA1(), backend=backend)
def test_hmac(self):
@@ -143,7 +145,7 @@
hmac.HMAC(b"", hashes.MD5(), backend=backend)
- with pytest.raises(UnsupportedAlgorithm):
+ with pytest.raises(UnsupportedHash):
hmac.HMAC(b"", hashes.SHA1(), backend=backend)
def test_pbkdf2(self):
@@ -154,7 +156,7 @@
backend.derive_pbkdf2_hmac(hashes.MD5(), 10, b"", 10, b"")
- with pytest.raises(UnsupportedAlgorithm):
+ with pytest.raises(UnsupportedHash):
backend.derive_pbkdf2_hmac(hashes.SHA1(), 10, b"", 10, b"")
def test_rsa(self):
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 42c1b39..c679218 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -14,7 +14,9 @@
import pytest
from cryptography import utils
-from cryptography.exceptions import UnsupportedAlgorithm, InternalError
+from cryptography.exceptions import (
+ UnsupportedCipher, UnsupportedHash, InternalError
+)
from cryptography.hazmat.backends.openssl.backend import backend, Backend
from cryptography.hazmat.primitives import interfaces, hashes
from cryptography.hazmat.primitives.ciphers import Cipher
@@ -68,7 +70,7 @@
cipher = Cipher(
DummyCipher(), mode, backend=b,
)
- with pytest.raises(UnsupportedAlgorithm):
+ with pytest.raises(UnsupportedCipher):
cipher.encryptor()
def test_consume_errors(self):
@@ -130,7 +132,7 @@
def test_derive_pbkdf2_raises_unsupported_on_old_openssl(self):
if backend.pbkdf2_hmac_supported(hashes.SHA256()):
pytest.skip("Requires an older OpenSSL")
- with pytest.raises(UnsupportedAlgorithm):
+ with pytest.raises(UnsupportedHash):
backend.derive_pbkdf2_hmac(hashes.SHA256(), 10, b"", 1000, b"")
# This test is not in the next class because to check if it's really
diff --git a/tests/hazmat/primitives/test_block.py b/tests/hazmat/primitives/test_block.py
index f758ffa..8ff00fd 100644
--- a/tests/hazmat/primitives/test_block.py
+++ b/tests/hazmat/primitives/test_block.py
@@ -18,9 +18,7 @@
import pytest
from cryptography import utils
-from cryptography.exceptions import (
- UnsupportedAlgorithm, AlreadyFinalized,
-)
+from cryptography.exceptions import UnsupportedCipher, AlreadyFinalized
from cryptography.hazmat.primitives import interfaces
from cryptography.hazmat.primitives.ciphers import (
Cipher, algorithms, modes
@@ -116,10 +114,10 @@
cipher = Cipher(
DummyCipher(), mode, backend
)
- with pytest.raises(UnsupportedAlgorithm):
+ with pytest.raises(UnsupportedCipher):
cipher.encryptor()
- with pytest.raises(UnsupportedAlgorithm):
+ with pytest.raises(UnsupportedCipher):
cipher.decryptor()
def test_incorrectly_padded(self, backend):
diff --git a/tests/hazmat/primitives/test_hashes.py b/tests/hazmat/primitives/test_hashes.py
index 9ca2fee..fc53d63 100644
--- a/tests/hazmat/primitives/test_hashes.py
+++ b/tests/hazmat/primitives/test_hashes.py
@@ -20,7 +20,7 @@
import six
from cryptography import utils
-from cryptography.exceptions import AlreadyFinalized, UnsupportedAlgorithm
+from cryptography.exceptions import AlreadyFinalized, UnsupportedHash
from cryptography.hazmat.primitives import hashes, interfaces
from .utils import generate_base_hash_test
@@ -65,7 +65,7 @@
h.finalize()
def test_unsupported_hash(self, backend):
- with pytest.raises(UnsupportedAlgorithm):
+ with pytest.raises(UnsupportedHash):
hashes.Hash(UnsupportedDummyHash(), backend)
diff --git a/tests/hazmat/primitives/test_hmac.py b/tests/hazmat/primitives/test_hmac.py
index dd9cdaa..88bed52 100644
--- a/tests/hazmat/primitives/test_hmac.py
+++ b/tests/hazmat/primitives/test_hmac.py
@@ -21,7 +21,7 @@
from cryptography import utils
from cryptography.exceptions import (
- AlreadyFinalized, UnsupportedAlgorithm, InvalidSignature
+ AlreadyFinalized, UnsupportedHash, InvalidSignature
)
from cryptography.hazmat.primitives import hashes, hmac, interfaces
@@ -102,5 +102,5 @@
h.verify(six.u(''))
def test_unsupported_hash(self, backend):
- with pytest.raises(UnsupportedAlgorithm):
+ with pytest.raises(UnsupportedHash):
hmac.HMAC(b"key", UnsupportedDummyHash(), backend)
diff --git a/tests/hazmat/primitives/test_pbkdf2hmac.py b/tests/hazmat/primitives/test_pbkdf2hmac.py
index 6ad225a..f895935 100644
--- a/tests/hazmat/primitives/test_pbkdf2hmac.py
+++ b/tests/hazmat/primitives/test_pbkdf2hmac.py
@@ -18,7 +18,7 @@
from cryptography import utils
from cryptography.exceptions import (
- InvalidKey, UnsupportedAlgorithm, AlreadyFinalized
+ InvalidKey, UnsupportedHash, AlreadyFinalized
)
from cryptography.hazmat.primitives import hashes, interfaces
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
@@ -48,7 +48,7 @@
kdf.verify(b"password", key)
def test_unsupported_algorithm(self):
- with pytest.raises(UnsupportedAlgorithm):
+ with pytest.raises(UnsupportedHash):
PBKDF2HMAC(DummyHash(), 20, b"salt", 10, default_backend())
def test_invalid_key(self):