From 94661a3db809b6a4aa4533cb958e0cc2210e4c63 Mon Sep 17 00:00:00 2001 From: Ivan Nikolchev Date: Wed, 3 Jun 2020 17:20:06 +0200 Subject: [PATCH] check if the ciphers are supported by m2crypto before using them --- .travis.yml | 4 ++++ tlslite/utils/cryptomath.py | 9 +++++++++ tlslite/utils/openssl_aes.py | 10 +++++++++- 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index c4f718460..bb91791bc 100644 --- a/.travis.yml +++ b/.travis.yml @@ -15,6 +15,7 @@ addons: apt_packages: # needed for M2Crypto - swig + - libssl-dev # needed for GMPY - libgmp-dev before_cache: @@ -46,6 +47,8 @@ jobs: env: TACKPY=true - python: 3.4 env: TACKPY=true + - python: 2.6 + env: M2CRYPTO_OLD=true - python: 2.7 env: M2CRYPTO=true - python: 3.5 @@ -135,6 +138,7 @@ install: - if [[ -e build-requirements-${TRAVIS_PYTHON_VERSION}.txt ]]; then travis_retry pip install -r build-requirements-${TRAVIS_PYTHON_VERSION}.txt; else travis_retry pip install -r build-requirements.txt; fi - if [[ $TACKPY == 'true' ]]; then travis_retry pip install tackpy; fi - if [[ $M2CRYPTO == 'true' ]]; then travis_retry pip install --pre m2crypto; fi + - if [[ $M2CRYPTO_OLD == 'true' ]]; then travis_retry pip install --global-option=build_ext --global-option="-I/usr/include/x86_64-linux-gnu" m2crypto==0.20.2; fi - if [[ $PYCRYPTO == 'true' ]]; then travis_retry pip install pycrypto; fi - if [[ $PYCRYPTODOME == 'true' ]]; then travis_retry pip install pycryptodome; fi - if [[ $GMPY == 'true' ]]; then travis_retry pip install gmpy; fi diff --git a/tlslite/utils/cryptomath.py b/tlslite/utils/cryptomath.py index fa921b271..c3c81a05d 100644 --- a/tlslite/utils/cryptomath.py +++ b/tlslite/utils/cryptomath.py @@ -27,9 +27,13 @@ # ************************************************************************** # Try to load M2Crypto/OpenSSL +# pylint: disable=invalid-name try: from M2Crypto import m2 m2cryptoLoaded = True + M2CRYPTO_AES_CTR = False + if hasattr(m2, 'aes_192_ctr'): + M2CRYPTO_AES_CTR = True try: with open('/proc/sys/crypto/fips_enabled', 'r') as fipsFile: @@ -39,8 +43,13 @@ # looks like we're running in container, likely not FIPS mode m2cryptoLoaded = True + # If AES-CBC is not available, don't use m2crypto + if not hasattr(m2, 'aes_192_cbc'): + m2cryptoLoaded = False + except ImportError: m2cryptoLoaded = False +# pylint: enable=invalid-name #Try to load GMPY try: diff --git a/tlslite/utils/openssl_aes.py b/tlslite/utils/openssl_aes.py index afb4b4d1a..21b16c3a4 100644 --- a/tlslite/utils/openssl_aes.py +++ b/tlslite/utils/openssl_aes.py @@ -5,16 +5,24 @@ from .cryptomath import * from .aes import * +from .python_aes import Python_AES_CTR if m2cryptoLoaded: def new(key, mode, IV): # IV argument name is a part of the interface # pylint: disable=invalid-name + """ + Try using AES CTR from m2crpyto, + if it is not available fall back to the + python implementation. + """ if mode == 2: return OpenSSL_AES(key, mode, IV) elif mode == 6: - return OpenSSL_CTR(key, mode, IV) + if M2CRYPTO_AES_CTR: + return OpenSSL_CTR(key, mode, IV) + return Python_AES_CTR(key, mode, IV) else: raise NotImplementedError()