Move a few more constants fully to Rust (#10428)
alex authored Feb 19, 2024
1 parent 48290a5 commit 732eea3
Showing 10 changed files with 25 additions and 24 deletions.
5 changes: 0 additions & 5 deletions src/_cffi_src/openssl/cryptography.py
@@ -53,11 +53,6 @@
"""

TYPES = """
static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER;
static const int CRYPTOGRAPHY_OPENSSL_320_OR_GREATER;
static const int CRYPTOGRAPHY_IS_LIBRESSL;
static const int CRYPTOGRAPHY_IS_BORINGSSL;
"""

FUNCTIONS = """
2 changes: 1 addition & 1 deletion src/cryptography/hazmat/bindings/openssl/binding.py
@@ -67,7 +67,7 @@ def __init__(self) -> None:
def _enable_fips(self) -> None:
# This function enables FIPS mode for OpenSSL 3.0.0 on installs that
# have the FIPS provider installed properly.
_openssl_assert(self.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)
_openssl_assert(openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)
self.lib._fips_provider = self.lib.OSSL_PROVIDER_load(
self.ffi.NULL, b"fips"
)
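Review bot: The guard in `_enable_fips` now reads its version flag from `openssl` while the FIPS provider is loaded through `self.lib` on the next line, and nothing in the hunk records that both bindings are built against the same libcrypto. A short comment above the assert would state that assumption, for example `# Build-time flag from the Rust bindings; assumes they link the same libcrypto as self.lib`. Because `_openssl_assert` is given a constant rather than the result of an OpenSSL call, a failure on an older library presumably surfaces as an internal error that never mentions FIPS, so an explicit check with its own message would be clearer to an operator. The same split between a Rust-side flag and cffi `lib` attributes appears in `test_conditional_removal` in tests/hazmat/bindings/test_openssl.py. The import of `openssl` and the remainder of `_enable_fips` are outside the hunk.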
8 changes: 4 additions & 4 deletions tests/hazmat/backends/test_openssl.py
@@ -59,13 +59,13 @@ def test_openssl_version_text(self):
# Verify the correspondence between these two. And do it in a way that
# ensures coverage.
if version.startswith("LibreSSL"):
assert backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
if backend._lib.CRYPTOGRAPHY_IS_LIBRESSL:
assert rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL
if rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL:
assert version.startswith("LibreSSL")

if version.startswith("BoringSSL"):
assert backend._lib.CRYPTOGRAPHY_IS_BORINGSSL
if backend._lib.CRYPTOGRAPHY_IS_BORINGSSL:
assert rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL
if rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL:
assert version.startswith("BoringSSL")

def test_openssl_version_number(self):
10 changes: 5 additions & 5 deletions tests/hazmat/bindings/test_openssl.py
@@ -24,7 +24,7 @@ def test_ssl_ctx_options(self):
# Test that we're properly handling 32-bit unsigned on all platforms.
b = Binding()
# SSL_OP_ALL is 0 on BoringSSL
if not b.lib.CRYPTOGRAPHY_IS_BORINGSSL:
if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL:
assert b.lib.SSL_OP_ALL > 0
ctx = b.lib.SSL_CTX_new(b.lib.TLS_method())
assert ctx != b.ffi.NULL
@@ -39,7 +39,7 @@ def test_ssl_options(self):
# Test that we're properly handling 32-bit unsigned on all platforms.
b = Binding()
# SSL_OP_ALL is 0 on BoringSSL
if not b.lib.CRYPTOGRAPHY_IS_BORINGSSL:
if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL:
assert b.lib.SSL_OP_ALL > 0
ctx = b.lib.SSL_CTX_new(b.lib.TLS_method())
assert ctx != b.ffi.NULL
@@ -55,7 +55,7 @@ def test_ssl_options(self):
def test_conditional_removal(self):
b = Binding()

if not b.lib.CRYPTOGRAPHY_IS_LIBRESSL:
if not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL:
assert b.lib.TLS_ST_OK
else:
with pytest.raises(AttributeError):
@@ -76,7 +76,7 @@ def test_openssl_assert_error_on_stack(self):
error = exc_info.value.err_code[0]
assert error.lib == b.lib.ERR_LIB_EVP
assert error.reason == b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH
if not b.lib.CRYPTOGRAPHY_IS_BORINGSSL:
if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL:
assert b"data not multiple of block length" in error.reason_text

def test_version_mismatch(self):
@@ -103,5 +103,5 @@ def test_rust_internal_error(self):
error = exc_info.value.err_code[0]
assert error.lib == b.lib.ERR_LIB_EVP
assert error.reason == b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH
if not b.lib.CRYPTOGRAPHY_IS_BORINGSSL:
if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL:
assert b"data not multiple of block length" in error.reason_text
3 changes: 2 additions & 1 deletion tests/hazmat/primitives/test_aes.py
@@ -8,6 +8,7 @@

import pytest

from cryptography.hazmat.bindings._rust import openssl as rust_openssl
from cryptography.hazmat.primitives.ciphers import algorithms, base, modes

from ...doubles import DummyMode
@@ -61,7 +62,7 @@ def test_xts_too_short(self, backend):
enc.update(b"0" * 15)

@pytest.mark.supported(
only_if=lambda backend: (not backend._lib.CRYPTOGRAPHY_IS_LIBRESSL),
only_if=lambda backend: not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL,
skip_message="duplicate key encryption error added in OpenSSL 1.1.1d",
)
def test_xts_no_duplicate_keys_encryption(self, backend):
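Review bot: The `only_if` lambda on `test_xts_no_duplicate_keys_encryption` no longer reads its `backend` argument, so the skip condition is now a module-level constant wrapped in a callable. If the `supported` marker invokes the callable positionally (its implementation is not visible here), naming the parameter `_backend` would mark it as deliberately unused: `only_if=lambda _backend: not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL,`. The same pattern occurs in the `only_if` lambdas changed in tests/hazmat/primitives/test_dh.py, test_pkcs12.py and test_rsa.py.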
3 changes: 2 additions & 1 deletion tests/hazmat/primitives/test_dh.py
@@ -11,6 +11,7 @@

import pytest

from cryptography.hazmat.bindings._rust import openssl as rust_openssl
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import dh

@@ -379,7 +380,7 @@ def test_bad_exchange(self, backend, vector):
@pytest.mark.skip_fips(reason="key_size too small for FIPS")
@pytest.mark.supported(
only_if=lambda backend: (
not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
),
skip_message="256-bit DH keys are not supported in OpenSSL 3.0.0+",
)
5 changes: 3 additions & 2 deletions tests/hazmat/primitives/test_ec.py
@@ -13,6 +13,7 @@
import pytest

from cryptography import exceptions, utils, x509
from cryptography.hazmat.bindings._rust import openssl as rust_openssl
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import (
@@ -133,7 +134,7 @@ def test_derive_point_at_infinity(backend):
# BoringSSL rejects infinity points before it ever gets to us, so it
# uses a more generic error message.
match = (
"infinity" if not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL else "Invalid"
"infinity" if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL else "Invalid"
)
with pytest.raises(ValueError, match=match):
ec.derive_private_key(q, ec.SECP256R1())
@@ -423,7 +424,7 @@ def test_load_invalid_ec_key_from_pem(self, backend):
# uses a more generic error message.
match = (
r"infinity|invalid form"
if not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL
if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL
else None
)
with pytest.raises(ValueError, match=match):
5 changes: 3 additions & 2 deletions tests/hazmat/primitives/test_pkcs12.py
@@ -10,6 +10,7 @@

from cryptography import x509
from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.bindings._rust import openssl as rust_openssl
from cryptography.hazmat.decrepit.ciphers.algorithms import RC2
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import (
@@ -558,7 +559,7 @@ def test_key_serialization_encryption(
):
if (
enc_alg is PBES.PBESv2SHA256AndAES256CBC
) and not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER:
) and not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER:
pytest.skip("PBESv2 is not supported on OpenSSL < 3.0")

if (
@@ -615,7 +616,7 @@ def test_key_serialization_encryption(

@pytest.mark.supported(
only_if=lambda backend: (
not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
),
skip_message="Requires OpenSSL < 3.0.0 (or Libre/Boring)",
)
3 changes: 2 additions & 1 deletion tests/hazmat/primitives/test_pkcs7.py
@@ -11,6 +11,7 @@

from cryptography import x509
from cryptography.exceptions import _Reasons
from cryptography.hazmat.bindings._rust import openssl as rust_openssl
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ed25519, padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs7
@@ -148,7 +149,7 @@ def _pkcs7_verify(encoding, sig, msg, certs, options, backend):
backend.openssl_assert(res == 1)
# OpenSSL 3.0 leaves a random bio error on the stack:
# https://github.com/openssl/openssl/issues/16681
if backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER:
if rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER:
backend._consume_errors()


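Review bot: In `_pkcs7_verify`, the OpenSSL 3.0+ branch calls `backend._consume_errors()` right after the success assert, which presumably clears every queued error rather than only the stray BIO error described in the linked issue. A test helper that drains the queue unconditionally can hide an unrelated error left behind by the verify call. A comment would make the trade-off explicit, for example `# NOTE: clears the whole error queue, not just the BIO error from the linked issue`. The start of `_pkcs7_verify` is outside the hunk.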
5 changes: 3 additions & 2 deletions tests/hazmat/primitives/test_rsa.py
@@ -15,6 +15,7 @@
UnsupportedAlgorithm,
_Reasons,
)
from cryptography.hazmat.bindings._rust import openssl as rust_openssl
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.asymmetric import utils as asym_utils
@@ -251,7 +252,7 @@ def test_load_pss_vect_example_keys(self, pkcs1_example):
assert public_num.e == public_num2.e

@pytest.mark.supported(
only_if=lambda backend: not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL,
only_if=lambda backend: not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL,
skip_message="Does not support RSA PSS loading",
)
@pytest.mark.parametrize(
@@ -302,7 +303,7 @@ def test_load_pss_pub_keys_strips_constraints(self, backend):
)

@pytest.mark.supported(
only_if=lambda backend: backend._lib.CRYPTOGRAPHY_IS_BORINGSSL,
only_if=lambda backend: rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL,
skip_message="Test requires a backend without RSA-PSS key support",
)
def test_load_pss_unsupported(self, backend):