Support cryptography>=42.0 (and restore TLS tests)

secdev · Jan 27, 2024 · ae79fcb · ae79fcb
1 parent d71014a
commit ae79fcb
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 33 deletions.
diff --git a/scapy/layers/tls/crypto/groups.py b/scapy/layers/tls/crypto/groups.py
@@ -22,39 +22,11 @@
     from cryptography.hazmat.backends import default_backend
     from cryptography.hazmat.primitives.asymmetric import dh, ec
     from cryptography.hazmat.primitives import serialization
+    from cryptography.hazmat.primitives.asymmetric.dh import DHParameterNumbers
 if conf.crypto_valid_advanced:
     from cryptography.hazmat.primitives.asymmetric import x25519
     from cryptography.hazmat.primitives.asymmetric import x448
 
-# We have to start by a dirty hack in order to allow long generators,
-# which some versions of openssl love to use...
-
-if conf.crypto_valid:
-    from cryptography.hazmat.primitives.asymmetric.dh import DHParameterNumbers
-
-    try:
-        # We test with dummy values whether the size limitation has been removed.  # noqa: E501
-        pn_test = DHParameterNumbers(2, 7)
-    except ValueError:
-        # We get rid of the limitation through the cryptography v1.9 __init__.
-
-        def DHParameterNumbers__init__hack(self, p, g, q=None):
-            if (
-                not isinstance(p, int) or
-                not isinstance(g, int)
-            ):
-                raise TypeError("p and g must be integers")
-            if q is not None and not isinstance(q, int):
-                raise TypeError("q must be integer or None")
-
-            self._p = p
-            self._g = g
-            self._q = q
-
-        DHParameterNumbers.__init__ = DHParameterNumbers__init__hack
-
-    # End of hack.
-
 
 _ffdh_groups = {}
 
@@ -459,7 +431,12 @@ def _tls_named_groups_import(group, pubbytes):
                     import_point = x448.X448PublicKey.from_public_bytes
                 return import_point(pubbytes)
         else:
-            curve = ec._CURVE_TYPES[_tls_named_curves[group]]()
+            curve = ec._CURVE_TYPES[_tls_named_curves[group]]
+            try:
+                # cryptography < 42
+                curve = curve()
+            except TypeError:
+                pass
             try:  # cryptography >= 2.5
                 return ec.EllipticCurvePublicKey.from_encoded_point(
                     curve,
@@ -516,7 +493,12 @@ def _tls_named_groups_generate(group):
                     "Your cryptography version doesn't support " + group_name
                 )
         else:
-            curve = ec._CURVE_TYPES[_tls_named_curves[group]]()
+            curve = ec._CURVE_TYPES[_tls_named_curves[group]]
+            try:
+                # cryptography < 42
+                curve = curve()
+            except TypeError:
+                pass
             return ec.generate_private_key(curve, default_backend())
 
 # Below lies ghost code since the shift from 'ecdsa' to 'cryptography' lib.

diff --git a/test/configs/cryptography.utsc b/test/configs/cryptography.utsc
@@ -1,6 +1,6 @@
 {
   "testfiles": [
-    "test/tls*.uts",
+    "test/scapy/layers/tls/tls*.uts",
     "test/scapy/layers/dot11.uts",
     "test/scapy/layers/ipsec.uts",
     "test/contrib/macsec.uts"

diff --git a/test/scapy/layers/dot11.uts b/test/scapy/layers/dot11.uts
@@ -484,7 +484,7 @@ assert isinstance(p, Dot11WEP)
 conf.crypto_valid = bck_conf_crypto_valid
 
 conf.wepkey = "Fobar"
-r = raw(Dot11WEP()/LLC()/SNAP()/IP()/TCP(seq=12345678))
+r = raw(Dot11WEP()/LLC()/SNAP()/IP(src="127.0.0.1", dst="127.0.0.1")/TCP(seq=12345678))
 r
 assert r == b'\x00\x00\x00\x00\xe3OjYLw\xc3x_%\xd0\xcf\xdeu-\xc3pH#\x1eK\xae\xf5\xde\xe7\xb8\x1d,\xa1\xfe\xe83\xca\xe1\xfe\xbd\xfe\xec\x00)T`\xde.\x93Td\x95C\x0f\x07\xdd'
 p = Dot11WEP(r)