author | Devjani Ray <devjani.ray@oracle.com> |
Fri, 05 Feb 2016 17:54:17 -0500 | |
changeset 5405 | 66fd59fecd68 |
parent 3998 | 5bd484384122 |
permissions | -rw-r--r-- |
In-house removal of PyCrypto dependency in keystoneclient. This patch |
is Solaris-specific and not suitable for upstream. |
|
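--- a/python-keystoneclient-1.3.0/keystoneclient/middleware/memcache_crypt.py
+++ b/python-keystoneclient-1.3.0/keystoneclient/middleware/memcache_crypt.py
@@ -17,7 +17,7 @@
 Utilities for memcache encryption and integrity check.
 
 Data should be serialized before entering these functions. Encryption
-has a dependency on the pycrypto. If pycrypto is not available,
+has a dependency on M2Crypto. If M2Crypto is not available,
 CryptoUnavailableError will be raised.
 
 This module will not be called unless signing or encryption is enabled
@@ -37,9 +37,10 @@ import sys
 
 import six
 
-# make sure pycrypto is available
+# make sure M2Crypto is available
 try:
- from Crypto.Cipher import AES
+ from M2Crypto.EVP import Cipher
+ AES = Cipher
 except ImportError:
 AES = None
 
@@ -72,6 +73,12 @@ class CryptoUnavailableError(Exception):
 pass
 
 
+class InvalidKeyLength(Exception):
+ """raise when AES key length is an invalid value.
+
+ """
+ pass
+
 def assert_crypto_availability(f):
 """Ensure Crypto module is available."""
 
@@ -131,31 +138,44 @@ def sign_data(key, data):
 return base64.b64encode(mac)
 
 
+def _key_to_alg(key):
+ """Return a M2Crypto-compatible AES-CBC algorithm name given a key."""
+ aes_algs = {
+ 128: 'aes_128_cbc',
+ 192: 'aes_192_cbc',
+ 256: 'aes_256_cbc'
+ }
+
+ keylen = 8 * len(key)
+ if keylen not in aes_algs:
+ msg = ('Invalid AES key length, %d bits') % keylen
+ raise InvalidKeyLength(msg)
+ return aes_algs[keylen]
+
+
 @assert_crypto_availability
 def encrypt_data(key, data):
 """Encrypt the data with the given secret key.
 
- Padding is n bytes of the value n, where 1 <= n <= blocksize.
 """
 iv = os.urandom(16)
- cipher = AES.new(key, AES.MODE_CBC, iv)
- padding = 16 - len(data) % 16
- return iv + cipher.encrypt(data + six.int2byte(padding) * padding)
+ cipher = Cipher(alg=_key_to_alg(key), key=key, iv=iv, op=1)
+ result = cipher.update(data)
+ return iv + result + cipher.final()
 
 
 @assert_crypto_availability
 def decrypt_data(key, data):
 """Decrypt the data with the given secret key."""
 iv = data[:16]
- cipher = AES.new(key, AES.MODE_CBC, iv)
+ cipher = Cipher(alg=_key_to_alg(key), key=key, iv=iv, op=0)
 try:
- result = cipher.decrypt(data[16:])
+ result = cipher.update(data[16:])
+ result = result + cipher.final()
 except Exception:
 raise DecryptError('Encrypted data appears to be corrupted.')
 
- # Strip the last n padding bytes where n is the last value in
- # the plaintext
- return result[:-1 * six.byte2int([result[-1]])]
+ return result
 
 
 def protect_data(keys, data):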
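Review bot: In decrypt_data the `Cipher(...)` call sits before the `try:` and `iv = data[:16]` is taken with no length check, so a truncated cache value hands the cipher an IV shorter than one AES block and any error raised at construction escapes the `DecryptError` mapping. The removed PyCrypto call rejected a wrong-sized IV on its own; whether M2Crypto's EVP wrapper does is not visible here and should be confirmed, so an explicit guard before the cipher is built is safer, e.g. `if len(data) < 32 or len(data) % 16: raise DecryptError('Encrypted data appears to be corrupted.')`. `_key_to_alg` also adds a new `InvalidKeyLength` that both encrypt_data and decrypt_data can now raise, and neither docstring mentions it. Since `cipher.final()` now reports bad padding as a distinct failure, the MAC should be verified before decrypt_data is reached; that check lives outside this hunk and is worth confirming.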