| author | Devjani Ray <devjani.ray@oracle.com> |
| Fri, 05 Feb 2016 17:54:17 -0500 | |
| changeset 5405 | 66fd59fecd68 |
| parent 3998 | 5bd484384122 |
| permissions | -rw-r--r-- |
|
3998
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
1 |
In-house removal of PyCrypto dependency in keystonemiddleware. This |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
2 |
patch is Solaris-specific and not suitable for upstream. |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
3 |
|
|
5405
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
3998
diff
changeset
|
4 |
--- keystonemiddleware-1.5.0/keystonemiddleware/auth_token/_memcache_crypt.py.~1~ 2015-03-11 11:41:14.000000000 -0600 |
|
66fd59fecd68
PSARC 2015/535 OpenStack service updates for Kilo
Devjani Ray <devjani.ray@oracle.com>
parents:
3998
diff
changeset
|
5 |
+++ keystonemiddleware-1.5.0/keystonemiddleware/auth_token/_memcache_crypt.py 2015-04-27 17:30:54.664848743 -0600 |
|
3998
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
6 |
@@ -17,7 +17,7 @@ |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
7 |
Utilities for memcache encryption and integrity check. |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
8 |
|
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
9 |
Data should be serialized before entering these functions. Encryption |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
10 |
-has a dependency on the pycrypto. If pycrypto is not available, |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
11 |
+has a dependency on M2Crypto. If M2Crypto is not available, |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
12 |
CryptoUnavailableError will be raised. |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
13 |
|
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
14 |
This module will not be called unless signing or encryption is enabled |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
15 |
@@ -38,9 +38,10 @@ import sys |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
16 |
|
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
17 |
from keystonemiddleware.i18n import _ |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
18 |
|
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
19 |
-# make sure pycrypto is available |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
20 |
+# make sure M2Crypto is available |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
21 |
try: |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
22 |
- from Crypto.Cipher import AES |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
23 |
+ from M2Crypto.EVP import Cipher |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
24 |
+ AES = Cipher |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
25 |
except ImportError: |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
26 |
AES = None |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
27 |
|
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
28 |
@@ -73,6 +74,13 @@ class CryptoUnavailableError(Exception): |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
29 |
pass |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
30 |
|
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
31 |
|
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
32 |
+class InvalidKeyLength(Exception): |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
33 |
+ """raise when AES key length is an invalid value. |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
34 |
+ |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
35 |
+ """ |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
36 |
+ pass |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
37 |
+ |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
38 |
+ |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
39 |
def assert_crypto_availability(f): |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
40 |
"""Ensure Crypto module is available.""" |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
41 |
|
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
42 |
@@ -132,31 +140,44 @@ def sign_data(key, data): |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
43 |
return base64.b64encode(mac) |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
44 |
|
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
45 |
|
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
46 |
+def _key_to_alg(key): |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
47 |
+ """Return a M2Crypto-compatible AES-CBC algorithm name given a key.""" |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
48 |
+ aes_algs = {
|
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
49 |
+ 128: 'aes_128_cbc', |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
50 |
+ 192: 'aes_192_cbc', |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
51 |
+ 256: 'aes_256_cbc' |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
52 |
+ } |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
53 |
+ |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
54 |
+ keylen = 8 * len(key) |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
55 |
+ if keylen not in aes_algs: |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
56 |
+ msg = ('Invalid AES key length, %d bits') % keylen
|
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
57 |
+ raise InvalidKeyLength(msg) |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
58 |
+ return aes_algs[keylen] |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
59 |
+ |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
60 |
+ |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
61 |
@assert_crypto_availability |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
62 |
def encrypt_data(key, data): |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
63 |
"""Encrypt the data with the given secret key. |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
64 |
|
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
65 |
- Padding is n bytes of the value n, where 1 <= n <= blocksize. |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
66 |
""" |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
67 |
iv = os.urandom(16) |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
68 |
- cipher = AES.new(key, AES.MODE_CBC, iv) |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
69 |
- padding = 16 - len(data) % 16 |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
70 |
- return iv + cipher.encrypt(data + six.int2byte(padding) * padding) |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
71 |
+ cipher = Cipher(alg=_key_to_alg(key), key=key, iv=iv, op=1) |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
72 |
+ result = cipher.update(data) |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
73 |
+ return iv + result + cipher.final() |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
74 |
|
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
75 |
|
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
76 |
@assert_crypto_availability |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
77 |
def decrypt_data(key, data): |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
78 |
"""Decrypt the data with the given secret key.""" |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
79 |
iv = data[:16] |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
80 |
- cipher = AES.new(key, AES.MODE_CBC, iv) |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
81 |
+ cipher = Cipher(alg=_key_to_alg(key), key=key, iv=iv, op=0) |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
82 |
try: |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
83 |
- result = cipher.decrypt(data[16:]) |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
84 |
+ result = cipher.update(data[16:]) |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
85 |
+ result = result + cipher.final() |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
86 |
except Exception: |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
87 |
raise DecryptError(_('Encrypted data appears to be corrupted.'))
|
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
88 |
|
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
89 |
- # Strip the last n padding bytes where n is the last value in |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
90 |
- # the plaintext |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
91 |
- return result[:-1 * six.byte2int([result[-1]])] |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
92 |
+ return result |
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
93 |
|
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
94 |
|
|
5bd484384122
PSARC 2015/110 OpenStack service updates for Juno
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
95 |
def protect_data(keys, data): |