delta/python-packages/cryptography.git/src, branch alex-patch-4 github.com: pyca/cryptography.git deprecate pythons without hmac.compare_digest (#4261) 2018-05-24T21:45:25+00:00 Paul Kehrer paul.l.kehrer@gmail.com 2018-05-24T21:45:25+00:00 afdbfb13780fb78e7b277b9de07e7636ba9c5119 * deprecate the constant time bytes comparison path old python 2.7.x uses * pep8 
* deprecate the constant time bytes comparison path old python 2.7.x uses

* pep8
Fixed build errors on HP-UX. (#4259) 2018-05-22T12:19:02+00:00 dumol dumol@chevah.com 2018-05-22T12:19:02+00:00 0a22d486ec9175926aed29a5f4ea963843ebccfa * Fixed build errors on HP-UX. * PEP 8 style fix. * No return for void function. * PEP 8 style fix, take 2. 
* Fixed build errors on HP-UX.

* PEP 8 style fix.

* No return for void function.

* PEP 8 style fix, take 2.
remove block size as a required part of HashAlgorithm (#4249) 2018-05-16T14:42:10+00:00 Paul Kehrer paul.l.kehrer@gmail.com 2018-05-16T14:42:10+00:00 20b57be8d8068c2cd05cd3917e4e99b8a36debe0 Internal block size isn't a particularly useful piece of information and constructions like SHA3 make it even harder to determine what that really means. Accordingly, we're removing it from the interface (but leaving it on all existing hashes) 
Internal block size isn't a particularly useful piece of information and
constructions like SHA3 make it even harder to determine what that
really means. Accordingly, we're removing it from the interface (but
leaving it on all existing hashes)
 Cleanup unused err bindings. (#4246) 2018-05-16T01:32:05+00:00 David Benjamin davidben@davidben.net 2018-05-16T01:32:05+00:00 18370510b5ea1cfeec514b7662b61ac7ebfb33d5 This removes: - ERR_get_state which really shouldn't be public API. - A bunch of functions that are really mostly useful within the library to add new errors. NB: I say mostly because they are also useful when trying to register a new error library, as osrandom does, but osrandom is written in C. Python code is more likely to be consuming errors. - All function codes but EVP_F_EVP_ENCRYPTFINAL_EX because tests still reference it. Per PR #3609, function codes are kind of unstable. This finishes that up and cleans up the bindings. - The "line" versions of querying the error queue, just because no one seems to be using them and there's a lot. - Error-printing functions, which make less sense in Python since you'd probably wrap in an exception. Error codes probably could also do with cleaning, but I've left them alone for now. 
This removes:

- ERR_get_state which really shouldn't be public API.

- A bunch of functions that are really mostly useful within the library
  to add new errors. NB: I say mostly because they are also useful when
  trying to register a new error library, as osrandom does, but osrandom
  is written in C. Python code is more likely to be consuming errors.

- All function codes but EVP_F_EVP_ENCRYPTFINAL_EX because tests still
  reference it. Per PR #3609, function codes are kind of unstable. This
  finishes that up and cleans up the bindings.

- The "line" versions of querying the error queue, just because no one
  seems to be using them and there's a lot.

- Error-printing functions, which make less sense in Python since you'd
  probably wrap in an exception.

Error codes probably could also do with cleaning, but I've left them
alone for now.
 Remove ECDSA_sign_setup and *sign_ex bindings. (#4245) 2018-05-15T22:12:51+00:00 David Benjamin davidben@davidben.net 2018-05-15T22:12:51+00:00 e564aebd759090c35c374085931f3ada693dab1e They are unused. These functions have two purposes. They can be used to pass your own value of k, or to amoritize the cost of generating k. Messing up k is catastrophic to ECDSA, so best not to expose that one. ECDSA signing is also quite fast, so there isn't much point in the latter. (The API comes from DSA, which is a bit slower.) Moreover, ECDSA_sign is not the same as ECDSA_sign_setup + ECDSA_sign_ex. OpenSSL has some nonce hardening features that have to get skipped when doing this. 
They are unused.

These functions have two purposes. They can be used to pass your own
value of k, or to amoritize the cost of generating k. Messing up k is
catastrophic to ECDSA, so best not to expose that one. ECDSA signing is
also quite fast, so there isn't much point in the latter. (The API comes
from DSA, which is a bit slower.) Moreover, ECDSA_sign is not the same
as ECDSA_sign_setup + ECDSA_sign_ex. OpenSSL has some nonce hardening
features that have to get skipped when doing this.
 Future proofing use of the six python version constants (#4238) 2018-05-15T03:47:57+00:00 Eric Brown ericwb@users.noreply.github.com 2018-05-15T03:47:57+00:00 50bad375f5dd3fbb7c7ea62896e2538dc5734be6 * Future proofing use of the six python version constants After reading [1], noticed that cryptography uses a lot of if six.PY3 blocks. The issue with this is that whenever Python 4 is released, this code in the else block will be executed even though it was only intended for Python 2. [1] http://astrofrog.github.io/blog/2016/01/12/stop-writing-python-4-incompatible-code/ Signed-off-by: Eric Brown <browne@vmware.com> * Use not PY2 instead 
* Future proofing use of the six python version constants

After reading [1], noticed that cryptography uses a lot of if six.PY3
blocks. The issue with this is that whenever Python 4 is released,
this code in the else block will be executed even though it was
only intended for Python 2.

[1] http://astrofrog.github.io/blog/2016/01/12/stop-writing-python-4-incompatible-code/

Signed-off-by: Eric Brown <browne@vmware.com>

* Use not PY2 instead
Remove some unused RSA bindings. (#4243) 2018-05-15T03:41:27+00:00 David Benjamin davidben@davidben.net 2018-05-15T03:41:27+00:00 b2165c2ef0fdf8d63c3b4780648266e37d39df2d RSA_blinding_off is a silly function. RSA_SSLV23_PADDING and RSA_X931_PADDING are obsolete. The low-level padding functions appear unused and the EVP_PKEY stuff is probably a bit nicer than expecting callers to RSA_NO_PADDING and do the padding by hand. 
RSA_blinding_off is a silly function. RSA_SSLV23_PADDING and
RSA_X931_PADDING are obsolete. The low-level padding functions appear
unused and the EVP_PKEY stuff is probably a bit nicer than expecting
callers to RSA_NO_PADDING and do the padding by hand.
 Validate the public/private halves of EC keys on import. (#4241) 2018-05-15T02:49:24+00:00 David Benjamin davidben@davidben.net 2018-05-15T02:49:24+00:00 763990efa6c158d8a4dec8d71693665d026588a2 * Validate the public/private halves of EC keys on import. OpenSSL's API is a little finicky. If one sets the public key before the private key, it does not validate that they match. If set in the other order, it does validate this. In particular, KASValidityTest_ECCStaticUnified_NOKC_ZZOnly_init.fax describes error code 7 as: Result = F (7 - IUT's Static private key d changed-prikey validity) Reordering the two operations makes those tests to fail on key import, which is what CAVP appears to have intended. * Wrap to 79 rather than 80 columns 
* Validate the public/private halves of EC keys on import.

OpenSSL's API is a little finicky. If one sets the public key before the
private key, it does not validate that they match. If set in the other
order, it does validate this.

In particular, KASValidityTest_ECCStaticUnified_NOKC_ZZOnly_init.fax
describes error code 7 as:

  Result = F (7 - IUT's Static private key d changed-prikey validity)

Reordering the two operations makes those tests to fail on key import,
which is what CAVP appears to have intended.

* Wrap to 79 rather than 80 columns
Fix some stuttering. (#4240) 2018-05-14T22:32:22+00:00 David Benjamin davidben@davidben.net 2018-05-14T22:32:22+00:00 10cabad73b4e0cc15463e43f9a94855c4db7f032 This is a remnant of the function code checking when this logic looked at both encrypt/decrypt versions of this error code. 
This is a remnant of the function code checking when this logic looked
at both encrypt/decrypt versions of this error code.
 Remove some unused RAND bindings. (#4239) 2018-05-14T20:09:36+00:00 David Benjamin davidben@davidben.net 2018-05-14T20:09:36+00:00 db131983f4e6ae6c2ec34072fbff0e30d967c8c7 These are unused. (And not especially useful.) 
These are unused. (And not especially useful.)