author | Danek Duvall <danek.duvall@oracle.com> |
Thu, 19 Mar 2015 14:41:20 -0700 | |
changeset 3998 | 5bd484384122 |
parent 2025 | 8dbf23e740f2 |
permissions | -rw-r--r-- |
2025
8dbf23e740f2
PSARC/2014/236 OpenStack Heat (OpenStack Orchestration Service)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
1 |
In-house removal of PyCrypto dependency in Heat. This patch is |
8dbf23e740f2
PSARC/2014/236 OpenStack Heat (OpenStack Orchestration Service)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
2 |
Solaris-specific and not suitable for upstream. |
8dbf23e740f2
PSARC/2014/236 OpenStack Heat (OpenStack Orchestration Service)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
3 |
|
3998
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
4 |
--- heat-2014.2.2/heat/common/crypt.py.~1~ 2014-12-04 21:02:27.000000000 -0800 |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
5 |
+++ heat-2014.2.2/heat/common/crypt.py 2015-01-31 16:56:20.917251751 -0800 |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
6 |
@@ -13,7 +13,7 @@ |
2025
8dbf23e740f2
PSARC/2014/236 OpenStack Heat (OpenStack Orchestration Service)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
7 |
|
8dbf23e740f2
PSARC/2014/236 OpenStack Heat (OpenStack Orchestration Service)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
8 |
import base64 |
3998
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
9 |
|
2025
8dbf23e740f2
PSARC/2014/236 OpenStack Heat (OpenStack Orchestration Service)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
10 |
-from Crypto.Cipher import AES |
8dbf23e740f2
PSARC/2014/236 OpenStack Heat (OpenStack Orchestration Service)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
11 |
+from M2Crypto.EVP import Cipher |
8dbf23e740f2
PSARC/2014/236 OpenStack Heat (OpenStack Orchestration Service)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
12 |
from oslo.config import cfg |
8dbf23e740f2
PSARC/2014/236 OpenStack Heat (OpenStack Orchestration Service)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
13 |
|
3998
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
14 |
from heat.openstack.common.crypto import utils |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
15 |
@@ -57,7 +57,9 @@ def heat_decrypt(auth_info): |
2025
8dbf23e740f2
PSARC/2014/236 OpenStack Heat (OpenStack Orchestration Service)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
16 |
if auth_info is None: |
8dbf23e740f2
PSARC/2014/236 OpenStack Heat (OpenStack Orchestration Service)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
17 |
return None |
8dbf23e740f2
PSARC/2014/236 OpenStack Heat (OpenStack Orchestration Service)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
18 |
auth = base64.b64decode(auth_info) |
8dbf23e740f2
PSARC/2014/236 OpenStack Heat (OpenStack Orchestration Service)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
19 |
- iv = auth[:AES.block_size] |
8dbf23e740f2
PSARC/2014/236 OpenStack Heat (OpenStack Orchestration Service)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
20 |
- cipher = AES.new(cfg.CONF.auth_encryption_key[:32], AES.MODE_CFB, iv) |
8dbf23e740f2
PSARC/2014/236 OpenStack Heat (OpenStack Orchestration Service)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
21 |
- res = cipher.decrypt(auth[AES.block_size:]) |
8dbf23e740f2
PSARC/2014/236 OpenStack Heat (OpenStack Orchestration Service)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
22 |
+ iv = auth[:16] |
8dbf23e740f2
PSARC/2014/236 OpenStack Heat (OpenStack Orchestration Service)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
23 |
+ cipher = Cipher(alg='aes_256_cfb', key=cfg.CONF.auth_encryption_key[:32], |
8dbf23e740f2
PSARC/2014/236 OpenStack Heat (OpenStack Orchestration Service)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
24 |
+ iv=iv, op=0) |
8dbf23e740f2
PSARC/2014/236 OpenStack Heat (OpenStack Orchestration Service)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
25 |
+ padded = cipher.update(auth[16:]) |
8dbf23e740f2
PSARC/2014/236 OpenStack Heat (OpenStack Orchestration Service)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
26 |
+ res = padded + cipher.final() |
8dbf23e740f2
PSARC/2014/236 OpenStack Heat (OpenStack Orchestration Service)
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
27 |
return res |
3998
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
28 |
--- heat-2014.2.2/heat/openstack/common/crypto/utils.py.~1~ 2014-12-04 21:02:30.000000000 -0800 |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
29 |
+++ heat-2014.2.2/heat/openstack/common/crypto/utils.py 2015-01-31 16:56:20.917680985 -0800 |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
30 |
@@ -14,8 +14,8 @@ |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
31 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
32 |
import base64 |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
33 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
34 |
-from Crypto.Hash import HMAC |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
35 |
-from Crypto import Random |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
36 |
+from M2Crypto import EVP |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
37 |
+from M2Crypto import Rand |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
38 |
import six |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
39 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
40 |
from heat.openstack.common.gettextutils import _ |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
41 |
@@ -23,6 +23,24 @@ from heat.openstack.common import import |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
42 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
43 |
bchr = six.int2byte |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
44 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
45 |
+# Provide a mapping between the names of hash types used by PyCrypto to |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
46 |
+# their digest sizes and the corresponding algorithm name used by |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
47 |
+# M2Crypto/OpenSSL. |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
48 |
+hashmap = { |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
49 |
+ 'SHA224': (28, 'sha224'), |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
50 |
+ 'SHA256': (32, 'sha256'), |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
51 |
+ 'SHA384': (48, 'sha384'), |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
52 |
+ 'SHA512': (64, 'sha512') |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
53 |
+} |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
54 |
+ |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
55 |
+# Provide a mapping between the length of a key and the algorithm name |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
56 |
+# used by M2Crypto/OpenSSL. |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
57 |
+algomap = { |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
58 |
+ 16: 'aes_128_cbc', |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
59 |
+ 24: 'aes_192_cbc', |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
60 |
+ 32: 'aes_256_cbc' |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
61 |
+} |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
62 |
+ |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
63 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
64 |
class CryptoutilsException(Exception): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
65 |
"""Generic Exception for Crypto utilities.""" |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
66 |
@@ -39,6 +57,33 @@ class CipherBlockLengthTooBig(Cryptoutil |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
67 |
super(CryptoutilsException, self).__init__(message) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
68 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
69 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
70 |
+class CipherKeyLengthInvalid(CryptoutilsException): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
71 |
+ """The encryption key length is invalid for AES-CBC.""" |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
72 |
+ |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
73 |
+ def __init__(self, keylen): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
74 |
+ msg = _("Encryption key length of %d is invalid for AES-CBC.") |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
75 |
+ message = msg % keylen |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
76 |
+ super(CryptoutilsException, self).__init__(message) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
77 |
+ |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
78 |
+ |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
79 |
+class CipherTypeNotSupported(CryptoutilsException): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
80 |
+ """The encryption cipher type is not supported.""" |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
81 |
+ |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
82 |
+ def __init__(self, enctype): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
83 |
+ msg = _("Encryption cipher type %s is not supported") |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
84 |
+ message = msg % enctype |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
85 |
+ super(CryptoutilsException, self).__init__(message) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
86 |
+ |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
87 |
+ |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
88 |
+class HashTypeNotSupported(CryptoutilsException): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
89 |
+ """The message authentication hash function is not supported.""" |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
90 |
+ |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
91 |
+ def __init__(self, hashtype): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
92 |
+ msg = _("Message authentication hash function %s is not supported") |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
93 |
+ message = msg % hashtype |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
94 |
+ super(CryptoutilsException, self).__init__(message) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
95 |
+ |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
96 |
+ |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
97 |
class HKDFOutputLengthTooLong(CryptoutilsException): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
98 |
"""The amount of Key Material asked is too much.""" |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
99 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
100 |
@@ -55,8 +100,10 @@ class HKDF(object): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
101 |
""" |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
102 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
103 |
def __init__(self, hashtype='SHA256'): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
104 |
- self.hashfn = importutils.import_module('Crypto.Hash.' + hashtype) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
105 |
- self.max_okm_length = 255 * self.hashfn.digest_size |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
106 |
+ if hashtype not in hashmap: |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
107 |
+ raise HashTypeNotSupported(hashtype) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
108 |
+ (self.digest_size, self.algo) = hashmap[hashtype] |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
109 |
+ self.max_okm_length = 255 * self.digest_size |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
110 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
111 |
def extract(self, ikm, salt=None): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
112 |
"""An extract function that can be used to derive a robust key given |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
113 |
@@ -67,9 +114,9 @@ class HKDF(object): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
114 |
:param salt: optional salt value (a non-secret random value) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
115 |
""" |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
116 |
if salt is None: |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
117 |
- salt = b'\x00' * self.hashfn.digest_size |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
118 |
+ salt = b'\x00' * self.digest_size |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
119 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
120 |
- return HMAC.new(salt, ikm, self.hashfn).digest() |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
121 |
+ return EVP.hmac(salt, ikm, self.algo) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
122 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
123 |
def expand(self, prk, info, length): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
124 |
"""An expand function that will return arbitrary length output that can |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
125 |
@@ -83,12 +130,12 @@ class HKDF(object): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
126 |
if length > self.max_okm_length: |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
127 |
raise HKDFOutputLengthTooLong(length, self.max_okm_length) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
128 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
129 |
- N = (length + self.hashfn.digest_size - 1) // self.hashfn.digest_size |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
130 |
+ N = (length + self.digest_size - 1) // self.digest_size |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
131 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
132 |
okm = b"" |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
133 |
tmp = b"" |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
134 |
for block in range(1, N + 1): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
135 |
- tmp = HMAC.new(prk, tmp + info + bchr(block), self.hashfn).digest() |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
136 |
+ tmp = EVP.hmac(prk, tmp + info + bchr(block), self.algo) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
137 |
okm += tmp |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
138 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
139 |
return okm[:length] |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
140 |
@@ -108,11 +155,15 @@ class SymmetricCrypto(object): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
141 |
""" |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
142 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
143 |
def __init__(self, enctype='AES', hashtype='SHA256'): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
144 |
- self.cipher = importutils.import_module('Crypto.Cipher.' + enctype) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
145 |
- self.hashfn = importutils.import_module('Crypto.Hash.' + hashtype) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
146 |
+ if enctype != 'AES': |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
147 |
+ raise CipherTypeNotSupported(enctype) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
148 |
+ if hashtype not in hashmap: |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
149 |
+ raise HashTypeNotSupported(hashtype) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
150 |
+ self.algo = hashmap[hashtype][1] |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
151 |
+ self.block_size = 16 |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
152 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
153 |
def new_key(self, size): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
154 |
- return Random.new().read(size) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
155 |
+ return Rand.rand_bytes(size) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
156 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
157 |
def encrypt(self, key, msg, b64encode=True): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
158 |
"""Encrypt the provided msg and returns the cyphertext optionally |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
159 |
@@ -129,19 +180,14 @@ class SymmetricCrypto(object): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
160 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
161 |
:returns enc: a block of encrypted data. |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
162 |
""" |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
163 |
- iv = Random.new().read(self.cipher.block_size) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
164 |
- cipher = self.cipher.new(key, self.cipher.MODE_CBC, iv) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
165 |
- |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
166 |
- # CBC mode requires a fixed block size. Append padding and length of |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
167 |
- # padding. |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
168 |
- if self.cipher.block_size > MAX_CB_SIZE: |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
169 |
- raise CipherBlockLengthTooBig(self.cipher.block_size, MAX_CB_SIZE) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
170 |
- r = len(msg) % self.cipher.block_size |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
171 |
- padlen = self.cipher.block_size - r - 1 |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
172 |
- msg += b'\x00' * padlen |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
173 |
- msg += bchr(padlen) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
174 |
+ keylen = len(key) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
175 |
+ if keylen not in algomap: |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
176 |
+ raise CipherKeyLengthInvalid(keylen) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
177 |
+ iv = Rand.rand_bytes(self.block_size) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
178 |
+ cipher = EVP.Cipher(algomap[keylen], key, iv, 1) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
179 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
180 |
- enc = iv + cipher.encrypt(msg) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
181 |
+ enc = iv + cipher.update(msg) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
182 |
+ enc += cipher.final() |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
183 |
if b64encode: |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
184 |
enc = base64.b64encode(enc) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
185 |
return enc |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
186 |
@@ -157,14 +203,16 @@ class SymmetricCrypto(object): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
187 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
188 |
:returns plain: the plaintext message. |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
189 |
""" |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
190 |
+ keylen = len(key) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
191 |
+ if keylen not in algomap: |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
192 |
+ raise CipherKeyLengthInvalid(keylen) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
193 |
if b64decode: |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
194 |
msg = base64.b64decode(msg) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
195 |
- iv = msg[:self.cipher.block_size] |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
196 |
- cipher = self.cipher.new(key, self.cipher.MODE_CBC, iv) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
197 |
+ iv = msg[:self.block_size] |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
198 |
+ cipher = EVP.Cipher(algomap[keylen], key, iv, 0) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
199 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
200 |
- padded = cipher.decrypt(msg[self.cipher.block_size:]) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
201 |
- l = ord(padded[-1:]) + 1 |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
202 |
- plain = padded[:-l] |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
203 |
+ padded = cipher.update(msg[self.block_size:]) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
204 |
+ plain = padded + cipher.final() |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
205 |
return plain |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
206 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
207 |
def sign(self, key, msg, b64encode=True): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
208 |
@@ -177,8 +225,7 @@ class SymmetricCrypto(object): |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
209 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
210 |
:returns out: a base64 encoded signature. |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
211 |
""" |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
212 |
- h = HMAC.new(key, msg, self.hashfn) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
213 |
- out = h.digest() |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
214 |
+ out = EVP.hmac(key, msg, self.algo) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
215 |
if b64encode: |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
216 |
out = base64.b64encode(out) |
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
2025
diff
changeset
|
217 |
return out |