Commit 4005c5bd authored by Tristan Seligmann's avatar Tristan Seligmann

Import python-cryptography_1.9.orig.tar.gz

parent 55816224
......@@ -36,3 +36,4 @@ PGP key fingerprints are enclosed in parentheses.
* Fraser Tweedale <ftweedal@redhat.com>
* Ofek Lev <ofekmeister@gmail.com> (FFB6 B92B 30B1 7848 546E 9912 972F E913 DAD5 A46E)
* Erik Daguerre <fallenwolf@wolfthefallen.com>
* Aviv Palivoda <palaviv@gmail.com>
This diff is collapsed.
Metadata-Version: 1.1
Name: cryptography
Version: 1.7.1
Version: 1.9
Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Home-page: https://github.com/pyca/cryptography
Author: The cryptography developers
Author-email: cryptography-dev@python.org
License: BSD or Apache License, Version 2.0
Description: Cryptography
============
Description: pyca/cryptography
=================
.. image:: https://img.shields.io/pypi/v/cryptography.svg
:target: https://pypi.python.org/pypi/cryptography/
......@@ -26,10 +26,10 @@ Description: Cryptography
``cryptography`` is a package which provides cryptographic recipes and
primitives to Python developers. Our goal is for it to be your "cryptographic
standard library". It supports Python 2.6-2.7, Python 3.3+, and PyPy 2.6+.
standard library". It supports Python 2.6-2.7, Python 3.3+, and PyPy 5.3+.
``cryptography`` includes both high level recipes, and low level interfaces to
common cryptographic algorithms such as symmetric ciphers, message digests and
``cryptography`` includes both high level recipes and low level interfaces to
common cryptographic algorithms such as symmetric ciphers, message digests, and
key derivation functions. For example, to encrypt something with
``cryptography``'s high level symmetric encryption recipe:
......@@ -89,6 +89,7 @@ Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.3
Classifier: Programming Language :: Python :: 3.4
Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: Implementation :: CPython
Classifier: Programming Language :: Python :: Implementation :: PyPy
Classifier: Topic :: Security :: Cryptography
Cryptography
============
pyca/cryptography
=================
.. image:: https://img.shields.io/pypi/v/cryptography.svg
:target: https://pypi.python.org/pypi/cryptography/
......@@ -18,10 +18,10 @@ Cryptography
``cryptography`` is a package which provides cryptographic recipes and
primitives to Python developers. Our goal is for it to be your "cryptographic
standard library". It supports Python 2.6-2.7, Python 3.3+, and PyPy 2.6+.
standard library". It supports Python 2.6-2.7, Python 3.3+, and PyPy 5.3+.
``cryptography`` includes both high level recipes, and low level interfaces to
common cryptographic algorithms such as symmetric ciphers, message digests and
``cryptography`` includes both high level recipes and low level interfaces to
common cryptographic algorithms such as symmetric ciphers, message digests, and
key derivation functions. For example, to encrypt something with
``cryptography``'s high level symmetric encryption recipe:
......
......@@ -49,3 +49,7 @@ entirely. In that case, here's how the process will work:
In short, code that runs without warnings will always continue to work for a
period of two releases.
From time to time, we may decide to deprecate an API that is particularly
widely used. In these cases, we may decide to provide an extended deprecation
period, at our discretion.
......@@ -9,8 +9,7 @@ You can find ``cryptography`` all over the web:
* `Documentation`_
* IRC: ``#cryptography-dev`` on ``irc.freenode.net``
Wherever we interact, we strive to follow the `Python Community Code of
Conduct`_.
Wherever we interact, we adhere to the `Python Community Code of Conduct`_.
.. _`Mailing list`: https://mail.python.org/mailman/listinfo/cryptography-dev
......
......@@ -71,7 +71,7 @@ master_doc = 'index'
# General information about the project.
project = 'Cryptography'
copyright = '2013-2016, Individual Contributors'
copyright = '2013-2017, Individual Contributors'
# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
......@@ -177,3 +177,8 @@ epub_theme = 'epub'
# Retry requests in the linkcheck builder so that we're resillient against
# transient network errors.
linkcheck_retries = 2
linkcheck_ignore = [
# Certificate is issued by a Japanese CA that isn't publicly trusted
"https://www.cryptrec.go.jp",
]
......@@ -6,7 +6,7 @@ from __future__ import absolute_import, division, print_function
from docutils import nodes
from sphinx.util.compat import Directive, make_admonition
from sphinx.util.compat import Directive
DANGER_MESSAGE = """
......@@ -29,20 +29,11 @@ class HazmatDirective(Directive):
if self.content:
message += DANGER_ALTERNATE.format(alternate=self.content[0])
ad = make_admonition(
Hazmat,
self.name,
[],
self.options,
nodes.paragraph("", message),
self.lineno,
self.content_offset,
self.block_text,
self.state,
self.state_machine
)
ad[0].line = self.lineno
return ad
content = nodes.paragraph("", message)
admonition_node = Hazmat("\n".join(content))
self.state.nested_parse(content, self.content_offset, admonition_node)
admonition_node.line = self.lineno
return [admonition_node]
class Hazmat(nodes.Admonition, nodes.Element):
......
......@@ -88,9 +88,10 @@ Adding constant, types, functions...
You can create bindings for any name that exists in some version of
the library you're binding against. However, the project also has to
keep supporting older versions of the library. In order to achieve
this, binding modules have ``CUSTOMIZATIONS`` and
``CONDITIONAL_NAMES`` constants.
keep supporting older versions of the library. In order to achieve this,
binding modules have a ``CUSTOMIZATIONS`` constant, and there is a
``CONDITIONAL_NAMES`` constants in
``src/cryptography/hazmat/bindings/openssl/_conditional.py``.
Let's say you want to enable quantum transmogrification. The upstream
library implements this as the following API::
......@@ -183,9 +184,9 @@ Caveats
Sometimes, a set of loosely related features are added in the same
version, and it's impractical to create ``#ifdef`` statements for each
one. In that case, it may make sense to either check for a particular
version. For example, to check for OpenSSL 1.0.0 or newer::
version. For example, to check for OpenSSL 1.1.0 or newer::
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
Sometimes, the version of a library on a particular platform will have
features that you thought it wouldn't, based on its version.
......
......@@ -30,8 +30,8 @@ to check spelling in the documentation.
You are now ready to run the tests and build the documentation.
OpenSSL on OS X
~~~~~~~~~~~~~~~
OpenSSL on macOS
~~~~~~~~~~~~~~~~
You must have installed `OpenSSL`_ via `Homebrew`_ or `MacPorts`_ and must set
``CFLAGS`` and ``LDFLAGS`` environment variables before installing the
......@@ -41,12 +41,12 @@ For example, with `Homebrew`_:
.. code-block:: console
$ env LDFLAGS="-L$(brew --prefix openssl)/lib" \
CFLAGS="-I$(brew --prefix openssl)/include" \
$ env LDFLAGS="-L$(brew --prefix openssl@1.1)/lib" \
CFLAGS="-I$(brew --prefix openssl@1.1)/include" \
pip install --requirement ./dev-requirements.txt
Alternatively for a static build you can specify
``CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=1`` and ensure ``LDFLAGS`` points to the
``CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1`` and ensure ``LDFLAGS`` points to the
absolute path for the `OpenSSL`_ libraries before calling pip.
.. tip::
......@@ -86,20 +86,6 @@ You may not have all the required Python versions installed, in which case you
will see one or more ``InterpreterNotFound`` errors.
Explicit backend selection
--------------------------
While testing you may want to run tests against a subset of the backends that
cryptography supports. Explicit backend selection can be done via the
``--backend`` flag. This flag should be passed to ``py.test`` with a comma
delimited list of backend names.
.. code-block:: console
$ tox -- --backend=openssl
$ py.test --backend=openssl,commoncrypto
Building documentation
----------------------
......@@ -118,7 +104,7 @@ Use `tox`_ to build the documentation. For example:
The HTML documentation index can now be found at
``docs/_build/html/index.html``.
.. _`Homebrew`: http://brew.sh
.. _`Homebrew`: https://brew.sh
.. _`MacPorts`: https://www.macports.org
.. _`OpenSSL`: https://www.openssl.org
.. _`pytest`: https://pypi.python.org/pypi/pytest
......
......@@ -154,7 +154,7 @@ So, specifically:
* Use Sphinx parameter/attribute documentation `syntax`_.
.. _`Write comments as complete sentences.`: http://nedbatchelder.com/blog/201401/comments_should_be_sentences.html
.. _`Write comments as complete sentences.`: https://nedbatchelder.com/blog/201401/comments_should_be_sentences.html
.. _`syntax`: http://sphinx-doc.org/domains.html#info-field-lists
.. _`Studies have shown`: https://smartbear.com/SmartBear/media/pdfs/11_Best_Practices_for_Peer_Code_Review.pdf
.. _`our mailing list`: https://mail.python.org/mailman/listinfo/cryptography-dev
......
......@@ -96,7 +96,34 @@ Key exchange
* ``vectors/cryptography_vectors/asymmetric/DH/bad_exchange.txt`` contains
Diffie-Hellman vector pairs that were generated using OpenSSL
DH_generate_parameters_ex and DH_generate_key.
``DH_generate_parameters_ex`` and ``DH_generate_key``.
* ``vectors/cryptography_vectors/asymmetric/DH/dhp.pem``,
``vectors/cryptography_vectors/asymmetric/DH/dhkey.pem`` and
``vectors/cryptography_vectors/asymmetric/DH/dhpub.pem`` contains
Diffie-Hellman parameters and key respectively. The keys were
generated using OpenSSL following `DHKE`_ guide.
``vectors/cryptography_vectors/asymmetric/DH/dhkey.txt`` contains
all parameter in text.
``vectors/cryptography_vectors/asymmetric/DH/dhp.der``,
``vectors/cryptography_vectors/asymmetric/DH/dhkey.der`` and
``vectors/cryptography_vectors/asymmetric/DH/dhpub.der`` contains
are the above parameters and keys in DER format.
* ``vectors/cryptography_vectors/asymmetric/DH/dhp_rfc5114_2.pem``,
``vectors/cryptography_vectors/asymmetric/DH/dhkey_rfc5114_2.pem`` and
``vectors/cryptography_vectors/asymmetric/DH/dhpub_rfc5114_2.pem`` contains
Diffie-Hellman parameters and key respectively. The keys were
generated using OpenSSL following `DHKE`_ guide. When creating the
parameters we added the `-pkeyopt dh_rfc5114:2` option to use
RFC5114 2048 bit DH parameters with 224 bit subgroup.
``vectors/cryptography_vectors/asymmetric/DH/dhkey_rfc5114_2.txt`` contains
all parameter in text.
``vectors/cryptography_vectors/asymmetric/DH/dhp_rfc5114_2.der``,
``vectors/cryptography_vectors/asymmetric/DH/dhkey_rfc5114_2.der`` and
``vectors/cryptography_vectors/asymmetric/DH/dhpub_rfc5114_2.der`` contains
are the above parameters and keys in DER format.
X.509
~~~~~
......@@ -127,6 +154,11 @@ X.509
* ``alternate-rsa-sha1-oid.pem`` - A certificate from an
`unknown signature OID`_ Mozilla bug that uses an alternate signature OID for
RSA with SHA1.
* ``badssl-sct.pem`` - A certificate with the certificate transparency signed
certificate timestamp extension.
* ``bigoid.pem`` - A certificate with a rather long OID in the
Certificate Policies extension. We need to make sure we can parse
long OIDs.
Custom X.509 Vectors
~~~~~~~~~~~~~~~~~~~~
......@@ -444,7 +476,7 @@ header format (substituting the correct information):
.. _`Camellia page`: https://info.isl.ntt.co.jp/crypt/eng/camellia/
.. _`CRYPTREC`: https://www.cryptrec.go.jp
.. _`OpenSSL's test vectors`: https://github.com/openssl/openssl/blob/97cf1f6c2854a3a955fd7dd3a1f113deba00c9ef/crypto/evp/evptests.txt#L232
.. _`RIPEMD website`: http://homes.esat.kuleuven.be/~bosselae/ripemd160.html
.. _`RIPEMD website`: https://homes.esat.kuleuven.be/~bosselae/ripemd160.html
.. _`Whirlpool website`: http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
.. _`draft RFC`: https://tools.ietf.org/html/draft-josefsson-scrypt-kdf-01
.. _`Specification repository`: https://github.com/fernet/spec
......@@ -459,8 +491,8 @@ header format (substituting the correct information):
.. _`GnuTLS example keys`: https://gitlab.com/gnutls/gnutls/commit/ad2061deafdd7db78fd405f9d143b0a7c579da7b
.. _`NESSIE IDEA vectors`: https://www.cosic.esat.kuleuven.be/nessie/testvectors/bc/idea/Idea-128-64.verified.test-vectors
.. _`NESSIE`: https://en.wikipedia.org/wiki/NESSIE
.. _`Ed25519 website`: http://ed25519.cr.yp.to/software.html
.. _`NIST SP-800-38B`: http://csrc.nist.gov/publications/nistpubs/800-38B/Updated_CMAC_Examples.pdf
.. _`Ed25519 website`: https://ed25519.cr.yp.to/software.html
.. _`NIST SP-800-38B`: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf
.. _`NIST PKI Testing`: http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html
.. _`testx509.pem`: https://github.com/openssl/openssl/blob/master/test/testx509.pem
.. _`DigiCert Global Root G3`: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt
......@@ -471,3 +503,4 @@ header format (substituting the correct information):
.. _`test/evptests.txt`: https://github.com/openssl/openssl/blob/2d0b44126763f989a4cbffbffe9d0c7518158bb7/test/evptests.txt
.. _`unknown signature OID`: https://bugzilla.mozilla.org/show_bug.cgi?id=405966
.. _`botan`: https://github.com/randombit/botan/blob/57789bdfc55061002b2727d0b32587612829a37c/src/tests/data/pubkey/dh.vec
.. _`DHKE`: https://sandilands.info/sgordon/diffie-hellman-secret-key-exchange-with-openssl
......@@ -6,24 +6,20 @@ Doing a release of ``cryptography`` requires a few steps.
Verifying and upgrading OpenSSL version
---------------------------------------
The release process uses a static build for Windows and OS X wheels. Check that
the Windows and OS X Jenkins builders have the latest version of OpenSSL
The release process uses a static build for Windows and macOS wheels. Check
that the Windows and macOS Jenkins builders have the latest version of OpenSSL
installed before performing the release. If they do not:
Upgrading Windows
~~~~~~~~~~~~~~~~~
Run the ``openssl-release`` Jenkins job, then copy the resulting artifacts to
the Windows builders and unzip them in the root of the file system.
Run the ``openssl-release-1.1`` Jenkins job, then copy the resulting artifacts
to the Windows builders and unzip them in the root of the file system.
Upgrading OS X
~~~~~~~~~~~~~~
Upgrading macOS
~~~~~~~~~~~~~~~
``brew update`` and then ``brew upgrade openssl --universal --build-bottle`` to
build a universal library (32-bit and 64-bit) compatible with all Intel Macs.
This can be confirmed by using
``lipo -info /usr/local/opt/openssl/lib/libssl.dylib`` to see the available
architectures.
Run the ``update-brew-openssl`` Jenkins job.
Bumping the version number
--------------------------
......@@ -45,7 +41,7 @@ The commit that merged the version number bump is now the official release
commit for this release. You will need to have ``gpg`` installed and a ``gpg``
key in order to do a release. Once this has happened:
* Run ``invoke release {version}``.
* Run ``python release.py {version}``.
The release should now be available on PyPI and a tag should be available in
the repository.
......
......@@ -14,21 +14,42 @@ to NaCl.
If you prefer NaCl's design, we highly recommend `PyNaCl`_.
Compiling ``cryptography`` on OS X produces a ``fatal error: 'openssl/aes.h' file not found`` error
---------------------------------------------------------------------------------------------------
This happens because OS X 10.11 no longer includes a copy of OpenSSL.
Why use ``cryptography``?
-------------------------
If you've done cryptographic work in Python before you have likely encountered
other libraries in Python such as *M2Crypto*, *PyCrypto*, or *PyOpenSSL*. In
building ``cryptography`` we wanted to address a few issues we observed in the
legacy libraries:
* Extremely error prone APIs and insecure defaults.
* Use of poor implementations of algorithms (i.e. ones with known side-channel
attacks).
* Lack of maintenance.
* Lack of high level APIs.
* Lack of PyPy and Python 3 support.
* Poor introspectability and thus poor testability.
* Absence of algorithms such as
:class:`AES-GCM <cryptography.hazmat.primitives.ciphers.modes.GCM>` and
:class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDF`.
Compiling ``cryptography`` on macOS produces a ``fatal error: 'openssl/aes.h' file not found`` error
----------------------------------------------------------------------------------------------------
This happens because macOS 10.11 no longer includes a copy of OpenSSL.
``cryptography`` now provides wheels which include a statically linked copy of
OpenSSL. You're seeing this error because your copy of pip is too old to find
our wheel files. Upgrade your copy of pip with ``pip install -U pip`` and then
try install ``cryptography`` again.
If you are using PyPy, we do not currently ship ``cryptography`` wheels for
PyPy. You will need to install your own copy of OpenSSL -- we recommend using
Homebrew.
Starting ``cryptography`` using ``mod_wsgi`` produces an ``InternalError`` during a call in ``_register_osrandom_engine``
-------------------------------------------------------------------------------------------------------------------------
This happens because ``mod_wsgi`` uses sub-interpreters, which can cause a
problem during initialization of the OpenSSL backend. To resolve this set the
`WSGIApplicationGroup`_ to ``%{GLOBAL}`` in the ``mod_wsgi`` configuration.
Upgrade to the latest ``cryptography`` and this issue should be resolved.
``cryptography`` raised an ``InternalError`` and I'm not sure what to do?
-------------------------------------------------------------------------
......@@ -40,27 +61,19 @@ If you have no other libraries using OpenSSL in your process, or they do not
appear to be at fault, it's possible that this is a bug in ``cryptography``.
Please file an `issue`_ with instructions on how to reproduce it.
Importing cryptography causes a ``RuntimeError`` about OpenSSL 1.0.0
--------------------------------------------------------------------
The OpenSSL project has dropped support for the 1.0.0 release series. Since it
is no longer receiving security patches from upstream, ``cryptography`` is also
dropping support for it. To fix this issue you should upgrade to a newer
version of OpenSSL (1.0.1 or later). This may require you to upgrade to a newer
operating system.
Installing ``cryptography`` fails with ``ImportError: No module named setuptools_ext``
--------------------------------------------------------------------------------------
For the 1.7 release, you can set the ``CRYPTOGRAPHY_ALLOW_OPENSSL_100``
environment variable. Please note that this is *temporary* and will be removed
in ``cryptography`` 1.8.
Your ``cffi`` package is out of date. ``pip install -U cffi`` to update it.
Installing cryptography with OpenSSL 0.9.8 fails
------------------------------------------------
Installing cryptography with OpenSSL 0.9.8 or 1.0.0 fails
---------------------------------------------------------
The OpenSSL project has dropped support for the 0.9.8 release series. Since it
is no longer receiving security patches from upstream, ``cryptography`` is also
dropping support for it. To fix this issue you should upgrade to a newer
version of OpenSSL (1.0.1 or later). This may require you to upgrade to a newer
operating system.
The OpenSSL project has dropped support for the 0.9.8 and 1.0.0 release series.
Since they are no longer receiving security patches from upstream,
``cryptography`` is also dropping support for them. To fix this issue you
should upgrade to a newer version of OpenSSL (1.0.1 or later). This may require
you to upgrade to a newer operating system.
.. _`NaCl`: https://nacl.cr.yp.to/
.. _`PyNaCl`: https://pynacl.readthedocs.io
......
......@@ -113,7 +113,7 @@ Using passwords with Fernet
It is possible to use passwords with Fernet. To do this, you need to run the
password through a key derivation function such as
:class:`~cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC`, bcrypt or
scrypt.
:class:`~cryptography.hazmat.primitives.kdf.scrypt.Scrypt`.
.. doctest::
......@@ -145,7 +145,7 @@ to derive the same key from the password in the future.
The iteration count used should be adjusted to be as high as your server can
tolerate. A good default is at least 100,000 iterations which is what Django
`recommends`_ in 2014.
recommended in 2014.
Implementation
--------------
......@@ -163,7 +163,13 @@ Specifically it uses:
For complete details consult the `specification`_.
Limitations
-----------
Fernet is ideal for encrypting data that easily fits in memory. As a design
feature it does not expose unauthenticated bytes. Unfortunately, this makes it
generally unsuitable for very large files at this time.
.. _`Fernet`: https://github.com/fernet/spec/
.. _`specification`: https://github.com/fernet/spec/blob/master/Spec.md
.. _`recommends`: https://github.com/django/django/blob/master/django/utils/crypto.py#L148
.. hazmat::
CommonCrypto backend
====================
The `CommonCrypto`_ C library provided by Apple on OS X and iOS. The
CommonCrypto backend is only supported on OS X versions 10.8 and above.
.. currentmodule:: cryptography.hazmat.backends.commoncrypto.backend
.. versionadded:: 0.2
.. data:: cryptography.hazmat.backends.commoncrypto.backend
This is the exposed API for the CommonCrypto backend.
It implements the following interfaces:
* :class:`~cryptography.hazmat.backends.interfaces.CipherBackend`
* :class:`~cryptography.hazmat.backends.interfaces.HashBackend`
* :class:`~cryptography.hazmat.backends.interfaces.HMACBackend`
* :class:`~cryptography.hazmat.backends.interfaces.PBKDF2HMACBackend`
It has one additional public attribute.
.. attribute:: name
The string name of this backend: ``"commoncrypto"``
.. _`CommonCrypto`: https://developer.apple.com/library/content/documentation/Security/Conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html#//apple_ref/doc/uid/TP40011172-CH9-SW10
......@@ -8,15 +8,11 @@ Getting a backend
.. currentmodule:: cryptography.hazmat.backends
``cryptography`` aims to support multiple backends to ensure it can provide
the widest number of supported cryptographic algorithms as well as supporting
platform specific implementations.
``cryptography`` was originally designed to support multiple backends, but
this design has been deprecated.
You can get the default backend by calling :func:`~default_backend`.
The default backend will change over time as we implement new backends and
the libraries we use in those backends changes.
.. function:: default_backend()
......@@ -31,6 +27,4 @@ Individual backends
:maxdepth: 1
openssl
commoncrypto
multibackend
interfaces
......@@ -22,7 +22,6 @@ A specific ``backend`` may provide one or more of these interfaces.
The following backends implement this interface:
* :doc:`/hazmat/backends/openssl`
* :doc:`/hazmat/backends/commoncrypto`
.. method:: cipher_supported(cipher, mode)
......@@ -84,7 +83,6 @@ A specific ``backend`` may provide one or more of these interfaces.
The following backends implement this interface:
* :doc:`/hazmat/backends/openssl`
* :doc:`/hazmat/backends/commoncrypto`
.. method:: hash_supported(algorithm)
......@@ -118,7 +116,6 @@ A specific ``backend`` may provide one or more of these interfaces.
The following backends implement this interface:
* :doc:`/hazmat/backends/openssl`
* :doc:`/hazmat/backends/commoncrypto`
.. method:: hmac_supported(algorithm)
......@@ -162,14 +159,14 @@ A specific ``backend`` may provide one or more of these interfaces.
.. method:: create_cmac_ctx(algorithm)
Create a
:class:`~cryptography.hazmat.primitives.interfaces.MACContext` that
:class:`~cryptography.hazmat.primitives.mac.MACContext` that
uses the specified ``algorithm`` to calculate a message authentication code.
:param algorithm: An instance of
:class:`~cryptography.hazmat.primitives.ciphers.BlockCipherAlgorithm`.
:returns:
:class:`~cryptography.hazmat.primitives.interfaces.MACContext`
:class:`~cryptography.hazmat.primitives.mac.MACContext`
.. class:: PBKDF2HMACBackend
......@@ -181,7 +178,6 @@ A specific ``backend`` may provide one or more of these interfaces.
The following backends implement this interface:
* :doc:`/hazmat/backends/openssl`
* :doc:`/hazmat/backends/commoncrypto`
.. method:: pbkdf2_hmac_supported(algorithm)
......@@ -666,14 +662,23 @@ A specific ``backend`` may provide one or more of these interfaces.
:raises cryptography.exceptions.UnsupportedAlgorithm: This is raised
when any backend specific criteria are not met.
.. method:: dh_parameters_supported(p, g)
.. method:: dh_parameters_supported(p, g, q=None)
:param int p: The p value of the DH key.
:param int g: The g value of the DH key.
:returns: ``True`` if the given values of ``p`` and ``g`` are supported
by this backend, otherwise ``False``.
:param int q: The q value of the DH key.
:returns: ``True`` if the given values of ``p``, ``g`` and ``q``
are supported by this backend, otherwise ``False``.
.. versionadded:: 1.8
.. method:: dh_x942_serialization_supported()
:returns: True if serialization of DH objects with
subgroup order (q) is supported by this backend.
.. class:: ScryptBackend
......
.. hazmat::
MultiBackend
============
.. currentmodule:: cryptography.hazmat.backends.multibackend
.. class:: MultiBackend(backends)
.. versionadded:: 0.2
This class allows you to combine multiple backends into a single backend
that offers the combined features of all of its constituents.
.. testsetup::
from cryptography import utils
from cryptography.exceptions import UnsupportedAlgorithm, _Reasons
from cryptography.hazmat.backends.interfaces import HashBackend
from cryptography.hazmat.backends.openssl.backend import backend as backend2
@utils.register_interface(HashBackend)
class DummyHashBackend(object):
def hash_supported(self, algorithm):
return False
def create_hash_ctx(self, algorithm):
raise UnsupportedAlgorithm("", _Reasons.UNSUPPORTED_HASH)
backend1 = DummyHashBackend()
.. doctest::
>>> from cryptography.hazmat.backends.multibackend import MultiBackend
>>> from cryptography.hazmat.primitives import hashes
>>> backend1.hash_supported(hashes.SHA256())
False
>>> backend2.hash_supported(hashes.SHA256())
True
>>> multi_backend = MultiBackend([backend1, backend2])
>>> multi_backend.hash_supported(hashes.SHA256())
True
:param backends: A ``list`` of backend objects. Backends are checked for
feature support in the order they appear in this list.
......@@ -3,7 +3,7 @@
OpenSSL backend
===============
The `OpenSSL`_ C library. Cryptography supports OpenSSL version ``1.0.0`` and
The `OpenSSL`_ C library. Cryptography supports OpenSSL version 1.0.1 and
greater.
.. data:: cryptography.hazmat.backends.openssl.backend
......@@ -36,6 +36,20 @@ greater.
The string name of this backend: ``"openssl"``
.. method:: openssl_version_text()
:return text: The friendly string name of the loaded OpenSSL library.
This is not necessarily the same version as it was compiled against.
.. method:: openssl_version_number()
.. versionadded:: 1.8
:return int: The integer version of the loaded OpenSSL library. This is
defined in ``opensslv.h`` as ``OPENSSL_VERSION_NUMBER`` and is
typically shown in hexadecimal (e.g. ``0x1010003f``). This is
not necessarily the same version as it was compiled against.
.. method:: activate_osrandom_engine()
Activates the OS random engine. This will effectively disable OpenSSL's
......@@ -78,7 +92,7 @@ When importing only the binding it is added to the engine list but
OS random sources
-----------------
On OS X and FreeBSD ``/dev/urandom`` is an alias for ``/dev/random`` and
On macOS and FreeBSD ``/dev/urandom`` is an alias for ``/dev/random`` and
utilizes the `Yarrow`_ algorithm.
On Windows the implementation of ``CryptGenRandom`` depends on which version of
......
.. hazmat::
CommonCrypto binding
====================
.. currentmodule:: cryptography.hazmat.bindings.commoncrypto.binding
.. versionadded:: 0.2
These are `CFFI`_ bindings to the `CommonCrypto`_ C library. It is only
available on Mac OS X versions 10.8 and above.
.. class:: cryptography.hazmat.bindings.commoncrypto.binding.Binding()
This is the exposed API for the CommonCrypto bindings. It has two public
attributes:
.. attribute:: ffi
This is a ``cffi.FFI`` instance. It can be used to allocate and
otherwise manipulate CommonCrypto structures.