Merge remote-tracking branch 'upstream/main' into tob-x509-cv-skeleton

pyca · Oct 24, 2023 · 4745642 · 4745642
2 parents 625fa41 + 54873e1
commit 4745642
Show file tree

Hide file tree

Showing 8 changed files with 146 additions and 109 deletions.
diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml
@@ -15,7 +15,7 @@ runs:
       id: normalized-key
       run: echo "key=$(echo "${{ inputs.key }}" | tr -d ',')" >> $GITHUB_OUTPUT
       shell: bash
-    - uses: Swatinem/rust-cache@a95ba195448af2da9b00fb742d14ffaaf3c21f43  # v2.7.0
+    - uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8  # v2.7.1
       with:
         key: ${{ steps.normalized-key.outputs.key }}
         workspaces: "./src/rust/ -> target"
diff --git a/.github/requirements/publish-requirements.txt b/.github/requirements/publish-requirements.txt
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -29,23 +29,23 @@ jobs:
         PYTHON:
           - {VERSION: "3.12", NOXSESSION: "flake"}
           - {VERSION: "3.12", NOXSESSION: "rust"}
-          - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3"}}
+          - {VERSION: "3.12", NOXSESSION: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.1.4"}}
           - {VERSION: "pypy-3.9", NOXSESSION: "tests-nocoverage"}
           - {VERSION: "pypy-3.10", NOXSESSION: "tests-nocoverage"}
           - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1w"}}
-          - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.11"}}
-          - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3"}}
-          - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}}
-          - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}}
-          - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.3"}}
+          - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.0.12"}}
+          - {VERSION: "3.12", NOXSESSION: "tests-ssh", OPENSSL: {TYPE: "openssl", VERSION: "3.1.4"}}
+          - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.4", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}}
+          - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.4", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}}
+          - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.4"}}
           - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0-alpha2"}}
           - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}}
           - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}}
           - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
           # Latest commit on the BoringSSL master branch, as of Oct 21, 2023.
           - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "bfa8369795b7533a222a72b7a1bc928941cd66bf"}}
-          # Latest commit on the OpenSSL master branch, as of Oct 21, 2023.
-          - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "b6eb95fa4439ea6254a5330487dabb2a499fb6c8"}}
+          # Latest commit on the OpenSSL master branch, as of Oct 24, 2023.
+          - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "fac61ea4618c83826b51aebf03cbc2bc3ac7b8c8"}}
           # Builds with various Rust versions. Includes MSRV and next
           # potential future MSRV:
           # 1.64 - maturin

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -38,7 +38,17 @@ Changelog
   :meth:`~cryptography.x509.CertificateRevocationList.next_update`,
   :meth:`~cryptography.x509.CertificateRevocationList.last_update`
   in favor of the new timezone-aware variants mentioned above.
+* Added support for
+  :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20`
+  on LibreSSL.
+
+.. _v41-0-5:
+
+41.0.5 - 2023-10-24
+~~~~~~~~~~~~~~~~~~~
 
+* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4.
+* Added a function to support an upcoming ``pyOpenSSL`` release.
 
 .. _v41-0-4:
 

diff --git a/ci-constraints-requirements.txt b/ci-constraints-requirements.txt
@@ -11,7 +11,7 @@ argcomplete==3.1.2
     # via nox
 babel==2.13.0
     # via sphinx
-black==23.10.0
+black==23.10.1
     # via cryptography (pyproject.toml)
 bleach==6.1.0
     # via readme-renderer
@@ -21,7 +21,7 @@ build==1.0.3
     #   cryptography (pyproject.toml)
 certifi==2023.7.22
     # via requests
-charset-normalizer==3.3.0
+charset-normalizer==3.3.1
     # via requests
 check-sdist==0.1.3
     # via cryptography (pyproject.toml)
@@ -185,7 +185,7 @@ urllib3==2.0.7
     # via
     #   requests
     #   twine
-virtualenv==20.24.5
+virtualenv==20.24.6
     # via nox
 webencodings==0.5.1
     # via bleach

diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -264,8 +264,14 @@ def _register_default_ciphers(self) -> None:
         self.register_cipher_adapter(
             TripleDES, ECB, GetCipherByName("des-ede3")
         )
+        # ChaCha20 uses the Long Name "chacha20" in OpenSSL, but in LibreSSL
+        # it uses "chacha"
         self.register_cipher_adapter(
-            ChaCha20, type(None), GetCipherByName("chacha20")
+            ChaCha20,
+            type(None),
+            GetCipherByName(
+                "chacha" if self._lib.CRYPTOGRAPHY_IS_LIBRESSL else "chacha20"
+            ),
         )
         self.register_cipher_adapter(AES, XTS, _get_xts_cipher)
         for mode_cls in [ECB, CBC, OFB, CFB, CTR]:

diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock
diff --git a/tests/hazmat/primitives/test_chacha20.py b/tests/hazmat/primitives/test_chacha20.py
@@ -69,3 +69,24 @@ def test_invalid_nonce(self):
     def test_invalid_key_type(self):
         with pytest.raises(TypeError, match="key must be bytes"):
             algorithms.ChaCha20("0" * 32, b"0" * 16)  # type:ignore[arg-type]
+
+    def test_partial_blocks(self, backend):
+        # Test that partial blocks and counter increments are handled
+        # correctly. Successive calls to update should return the same
+        # as if the entire input was passed in a single call:
+        # update(pt[0:n]) + update(pt[n:m]) + update(pt[m:]) == update(pt)
+        key = bytearray(os.urandom(32))
+        nonce = bytearray(os.urandom(16))
+        cipher = Cipher(algorithms.ChaCha20(key, nonce), None, backend)
+        pt = bytearray(os.urandom(96 * 3))
+
+        enc_full = cipher.encryptor()
+        ct_full = enc_full.update(pt)
+
+        enc_partial = cipher.encryptor()
+        len_partial = len(pt) // 3
+        ct_partial_1 = enc_partial.update(pt[:len_partial])
+        ct_partial_2 = enc_partial.update(pt[len_partial : len_partial * 2])
+        ct_partial_3 = enc_partial.update(pt[len_partial * 2 :])
+
+        assert ct_full == ct_partial_1 + ct_partial_2 + ct_partial_3