summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* De-Sphinx CHANGELOG & add rel info to descriptionHynek Schlawack2016-03-135-25/+40
|
* Merge pull request #440 from hynek/examplesPaul Kehrer2016-03-1312-102/+182
|\ | | | | Polish up examples (somewhat)
| * Polish up examples (somewhat)Hynek Schlawack2016-03-1312-102/+182
| | | | | | | | | | | | | | | | | | - Mention them in the docs (arguably a bit hamfistedly). - Make the README an RST. - Make them pass flake8 and add flake8 to tox.ini They should all be rewritten and made Python 3-friendly but that's out of scope here.
* | Merge pull request #442 from hynek/more-422Paul Kehrer2016-03-135-11/+18
|\ \ | | | | | | Pluck more unrelated bits from #422
| * | Pluck more unrelated bits from #422Hynek Schlawack2016-03-135-11/+18
|/ /
* | Merge pull request #441 from hynek/deprecate-2.6Cory Benfield2016-03-131-3/+4
|\ \ | |/ |/| Deprecate Python 2.6
| * Deprecate Python 2.6Hynek Schlawack2016-03-131-3/+4
|/ | | | Bind actual drop to cryptography.
* Merge pull request #433 from reaperhulk/opaque-x509-extAlex Gaynor2016-03-112-7/+76
|\ | | | | treat x509 extension objects as opaque pointers
| * move to separate pytest class + add one more test casePaul Kehrer2016-03-111-12/+26
| |
| * what's a bytesPaul Kehrer2016-03-111-1/+1
| |
| * first revoked cert in the CRL has NID_crl_reason first in listPaul Kehrer2016-03-111-2/+2
| | | | | | | | | | so we'll use the second revoked because to cover this branch we need to see a NID that's not NID_crl_reason
| * add a test to confirm crl.get_reason ignores unsupported extensionsPaul Kehrer2016-03-111-0/+50
| |
| * treat x509 extension objects as opaque pointersPaul Kehrer2016-03-111-6/+11
| |
* | Merge pull request #437 from hynek/fix-set_cipher_list-modern-opensslPaul Kehrer2016-03-117-75/+79
|\ \ | |/ |/| Fix set_cipher_list on modern OpenSSL
| * Assert against True explicitlyHynek Schlawack2016-03-111-1/+1
| |
| * More explicit assertHynek Schlawack2016-03-111-1/+1
| |
| * GrammarHynek Schlawack2016-03-112-4/+4
| |
| * Fix set_cipher_list on modern OpenSSLHynek Schlawack2016-03-117-75/+79
|/ | | | Also port forward a few changes from #422.
* Merge pull request #435 from reaperhulk/m-asn1-time-dupHynek Schlawack2016-03-113-29/+5
|\ | | | | X509_REVOKED_dup is a thing cryptography can do for you
| * bytesPaul Kehrer2016-03-101-1/+1
| |
| * fix test and a missing X509_REVOKED_dup callPaul Kehrer2016-03-092-1/+3
| |
| * bump cryptography version requirementPaul Kehrer2016-03-091-1/+1
| |
| * remove X509_REVOKED_dup entirely since cryptography can do thisPaul Kehrer2016-03-091-27/+1
| | | | | | | | This also removes the use of M_ASN1_TIME_dup
* | Merge pull request #434 from reaperhulk/dsa-paramsAlex Gaynor2016-03-101-3/+10
|\ \ | |/ |/| switch to DSA_generate_parameters_ex
| * gc the DSA key a different wayPaul Kehrer2016-03-101-1/+3
| |
| * switch to DSA_generate_parameters_exPaul Kehrer2016-03-091-2/+7
|/
* Merge pull request #430 from reaperhulk/changelog-entryHynek Schlawack2016-03-031-0/+2
|\ | | | | add changelog entry for the fix in #428
| * add changelog entry for the fix in #428Paul Kehrer2016-03-021-0/+2
|/
* Merge pull request #428 from cmurphy/fix_signature_buffer_sizeCory Benfield2016-03-022-2/+70
|\ | | | | Fix signature buffer size for RSA keys
| * Fix signature buffer size for RSA keysColleen Murphy2016-03-012-2/+70
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When using the pyOpenSSL crypto module to sign data using a large key, e.g. 8192 bit, a memory allocation error occurs. A test case to show this, which comes from OpenStack Glance, is: ``` $ openssl genrsa -out server.key 8192 $ ... $ cat test.py from OpenSSL import crypto import uuid key_file = 'server.key' with open(key_file, 'r') as keyfile: key_str = keyfile.read() key = crypto.load_privatekey(crypto.FILETYPE_PEM, key_str) data = str(uuid.uuid4()) digest = 'sha256' crypto.sign(key, data, digest) $ python test.py *** Error in `python': free(): invalid next size (normal): 0x0000000002879050 *** Aborted ``` Other errors that may appear to the user are: ``` Segmentation Fault ``` ``` *** Error in `python': double free or corruption (!prev): 0x0000000001245300 *** Aborted ``` ``` *** Error in `python': munmap_chunk(): invalid pointer: 0x0000000001fde540 *** Aborted ``` The reason this happens is that the sign function of the crypto module hard-codes the size of the signature buffer to 512 bytes (4096 bits). An RSA key generates a signature that can be up to the size of the private key modulus, so for an 8192 bit key, a buffer for a 4096 bit signature is too short and causes a memory allocation error. Technically the maximum size key this code should be able to handle is 4096 bits, but due to memory allocation alignment the problem only becomes apparent for keys of at least 4161 bits. This patch does two things. First, it determines the correct size of the signature buffer, in bytes, based on the real size of the private key, and passes that the buffer allocation instead of the static number 512. Second, it no longer passes in a signature length. This is because the OpenSSL EVP_SignFinal function uses this argument as an output and completely ignores it as an input[1], so there is no need for us to set it. This is only a problem for RSA keys, and this patch only affects RSA keys. For DSA keys, the key size is restricted to 1024 bits (128 bytes), and the signature a DSA key will generate will be about 46 bytes, so this buffer will still be big enough for DSA signatures. [1] https://github.com/openssl/openssl/blob/349807608f31b20af01a342d0072bb92e0b036e2/crypto/evp/p_sign.c#L74
* Merge pull request #416 from Lukasa/docs/asn1Alex Gaynor2016-02-071-3/+7
|\ | | | | Explain that FILETYPE_ASN1 is DER.
| * Code review feedback (belatedly!)Cory Benfield2016-02-071-6/+3
| |
| * Reformat.Cory Benfield2016-01-221-5/+7
| |
| * Explain that FILETYPE_ASN1 is DER.Cory Benfield2016-01-221-1/+6
| |
* | Merge pull request #420 from reaperhulk/pypy4Hynek Schlawack2016-02-071-3/+15
|\ \ | | | | | | use pypy4 in travis CI
| * | these are no longer allowed to failPaul Kehrer2016-02-031-3/+0
| | |
| * | use pypy4 in travis CIPaul Kehrer2016-02-021-0/+15
|/ /
* | Merge pull request #418 from hynek/masterAlex Gaynor2016-01-314-5/+27
|\ \ | | | | | | Make pyOpenSSL future-proof
| * | Rename legacy to 1.1Hynek Schlawack2016-01-312-9/+9
| | |
| * | PyPy is still very broken on TravisHynek Schlawack2016-01-311-0/+1
| | |
| * | Make pyOpenSSL future-proofHynek Schlawack2016-01-314-5/+26
|/ / | | | | | | Notably stop breaking cryptography 1.3.
* | Merge pull request #417 from hynek/masterCory Benfield2016-01-311-36/+2
|\ \ | |/ |/| Greatly simplify test_state_string
| * Greatly simplify test_state_stringHynek Schlawack2016-01-311-36/+2
|/ | | | It used to more or less a functional test. No wonder it was rather flaky.
* Merge pull request #415 from reaperhulk/fix-414Hynek Schlawack2016-01-221-5/+2
|\ | | | | compare datetimes directly for the expiry check
| * compare datetimes directly for the expiry checkPaul Kehrer2016-01-211-5/+2
|/
* Merge pull request #412 from hynek/masterCory Benfield2016-01-194-9/+9
|\ | | | | 2016 snook up on us
| * 2016 snook up on usHynek Schlawack2016-01-194-9/+9
|/
* Merge pull request #411 from hynek/masterAlex Gaynor2016-01-191-0/+2
|\ | | | | Add changelog entry for #304
| * Add changelog entry for #304Hynek Schlawack2016-01-191-0/+2
|/
* Merge pull request #304 from chakatodd/get_app_dataHynek Schlawack2016-01-182-1/+3
|\ | | | | Fixed AttributeError when calling get_app_data()
View Lorry Controller Status