Merge branch 'develop'

Synss · Jul 1, 2018 · 4fb1938 · 4fb1938
2 parents b7841a0 + a37d487
commit 4fb1938
Show file tree

Hide file tree

Showing 25 changed files with 959 additions and 417 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -7,7 +7,7 @@ version: 2
 jobs:
   build:
     docker:
-      - image: circleci/python:2.7
+      - image: circleci/python:2.7.14-jessie
     working_directory: ~/python-mbedtls
     steps:
       - checkout
@@ -22,63 +22,63 @@ jobs:
 
       - restore_cache:
           keys:
-            - py27-2.7.14
+            - py27-v1-{{ arch }}-2.7.15
       - run:
-          name: install python 2.7.14
+          name: install python 2.7
           command: |
-            if [ ! -d ".pyenv/versions/2.7.14" ]; then
+            if [ ! -d ".pyenv/versions/2.7.15" ]; then
               eval "$(pyenv init -)"
-              pyenv install 2.7.14
+              pyenv install 2.7.15
             fi
       - save_cache:
-          key: py27-2.7.14
+          key: py27-v1-{{ arch }}-2.7.15
           paths:
-            - .pyenv/versions/2.7.14
+            - .pyenv/versions/2.7.15
 
       - restore_cache:
           keys:
-            - py34-3.4.8
+            - py34-v1-{{ arch }}-3.4.8
       - run:
-          name: install python 3.4.8
+          name: install python 3.4
           command: |
             if [ ! -d ".pyenv/versions/3.4.8" ]; then
               eval "$(pyenv init -)"
               pyenv install 3.4.8
             fi
       - save_cache:
-          key: py34-3.4.8
+          key: py34-v1-{{ arch }}-3.4.8
           paths:
             - .pyenv/versions/3.4.8
 
       - restore_cache:
           keys:
-            - py35-3.5.5
+            - py35-v1-{{ arch }}-3.5.5
       - run:
-          name: install python 3.5.5
+          name: install python 3.5
           command: |
             if [ ! -d ".pyenv/versions/3.5.5" ]; then
               eval "$(pyenv init -)"
               pyenv install 3.5.5
             fi
       - save_cache:
-          key: py35-3.5.5
+          key: py35-v1-{{ arch }}-3.5.5
           paths:
             - .pyenv/versions/3.5.5
 
       - restore_cache:
           keys:
-            - py36-3.6.4
+            - py36-v1-{{ arch }}-3.6.5
       - run:
-          name: install python 3.6.4
+          name: install python 3.6
           command: |
-            if [ ! -d ".pyenv/versions/3.6.4" ]; then
+            if [ ! -d ".pyenv/versions/3.6.5" ]; then
               eval "$(pyenv init -)"
-              pyenv install 3.6.4
+              pyenv install 3.6.5
             fi
       - save_cache:
-          key: py36-3.6.4
+          key: py36-v1-{{ arch }}-3.6.5
           paths:
-            - .pyenv/versions/3.6.4
+            - .pyenv/versions/3.6.5
 
       - run:
           name: setup environment
@@ -117,7 +117,7 @@ jobs:
           name: run tests
           command: |
             eval "$(pyenv init -)"
-            pyenv shell 2.7.14 3.4.8 3.5.5 3.6.4
+            pyenv shell 2.7.15 3.4.8 3.5.5 3.6.5
             . venv/bin/activate
             detox
 
@@ -133,6 +133,20 @@ jobs:
               twine upload dist/*
             fi
 
+      - run:
+          name: save logs
+          command: |
+            mkdir -p out/log
+            cp .tox/*/log/py*.log out/log || true
+          when: on_fail
+
+      - run:
+          name: save dist
+          command: |
+            mkdir -p out/dist
+            cp dist/* out/dist
+          when: on_success
+
       - store_artifacts:
-          path: dist
-          destination: dist
+          path: out
+          destination: artifacts
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,19 @@
+[next]
+
+* Support Diffie-Hellman-Merkle key exchange.
+* MPIs (multi-precision integers) now implement the full
+`numbers.Integral` API.
+* MPIs are erased from memory upon garbage collection.
+* The `mpi` library is now public (renamed `_mpi` -> `mpi`).
+
+API Changes
+
+* pk: Methods that were previously returning a long integer now
+return an MPI.
+* exceptions: Rename `_ErrorBase` -> `MbedTLSError`.  It is now
+the only new exception.
+* exceptions: `mbedtls_strerror()` generates the error message.
+
 [0.10.0] - 2018-05-07
 
 Support elliptic curve cryptography

diff --git a/README.rst b/README.rst
@@ -242,6 +242,46 @@ Now, client and server may generate their shared secret::
    True
 
 
+Diffie-Hellman-Merkle key exchange
+----------------------------------
+
+The classes DHServer and DHClient may be used for DH Key exchange.  The
+classes have the same API as ECDHServer and ECDHClient, respectively.
+
+The key exchange is as follow::
+
+   >>> from mbedtls import pk
+   >>> srv = pk.DHServer(23, 5)
+   >>> cli = pk.DHClient(23, 5)
+
+The values 23 and 5 are the prime modulus (P) and the generator (G).
+
+The server generates the ServerKeyExchange payload::
+
+   >>> ske = srv.generate()
+   >>> cli.import_SKE(ske)
+
+The payload ends with :math:`G^X mod P` where `X` is the secret value of
+the server.
+
+::
+
+   >>> cke = cli.generate()
+   >>> srv.import_CKE(cke)
+
+`cke` is :math:`G^Y mod P` (with `Y` the secret value from the client)
+returned as its representation in bytes so that it can be readily
+transported over the network.
+
+As in ECDH, client and server may now generate their shared secret::
+
+   >>> secret = srv.generate_secret()
+   >>> cli.generate_secret() == secret
+   True
+   >>> srv.shared_secret == cli.shared_secret
+   True
+
+
 X.509 Certificate writing and parsing with `mbedtls.x509`
 ---------------------------------------------------------
 

diff --git a/mbedtls/_mpi.pyx b/mbedtls/_mpi.pyx
diff --git a/mbedtls/cipher/AES.pyx b/mbedtls/cipher/AES.pyx
@@ -35,8 +35,8 @@ def new(key, mode, iv=None):
 
     """
     if len(key) not in {16, 24, 32}:
-        raise InvalidKeyLengthError(
-            "key size must 16, 24, or 32 bytes, got %i" % len(key))
+        raise MbedTLSError(
+            msg="key size must 16, 24, or 32 bytes, got %i" % len(key))
     if mode not in {
         _cipher.MODE_ECB, 
         _cipher.MODE_CBC, 
@@ -45,7 +45,7 @@ def new(key, mode, iv=None):
         _cipher.MODE_GCM, 
         _cipher.MODE_CCM
     }:
-        raise FeatureUnavailableError("unsupported mode %r" % mode)
+        raise MbedTLSError(msg="unsupported mode %r" % mode)
     mode_name = _cipher._get_mode_name(mode)
     if mode is _cipher.MODE_CFB:
         mode_name += "128"

diff --git a/mbedtls/cipher/ARC4.pyx b/mbedtls/cipher/ARC4.pyx
@@ -31,7 +31,7 @@ def new(key, mode=None, iv=None):
 
     """
     if len(key) != key_size:
-        raise InvalidKeyLengthError(
-            "key size must be %i bytes, got %i" % (key_size, len(key)))
+        raise MbedTLSError(
+            msg="key size must be %i bytes, got %i" % (key_size, len(key)))
     name = ("ARC4-%i" % (len(key) * 8)).encode("ascii")
     return _cipher.Cipher(name, key, mode, iv)
diff --git a/mbedtls/cipher/Blowfish.pyx b/mbedtls/cipher/Blowfish.pyx
@@ -32,15 +32,16 @@ def new(key, mode, iv=None):
 
     """
     if len(key) not in range(4, 57):
-        raise InvalidKeyLengthError(
-            "key size must be 4 to 57 bytes, got %i" % (key_size, len(key)))
+        raise MbedTLSError(
+            msg="key size must be 4 to 57 bytes, got %i" % (
+                key_size, len(key)))
     if mode not in {
         _cipher.MODE_ECB,
         _cipher.MODE_CBC,
         _cipher.MODE_CFB,
         _cipher.MODE_CTR,
     }:
-        raise FeatureUnavailableError("unsupported mode %r" % mode)
+        raise MbedTLSError(msg="unsupported mode %r" % mode)
     mode_name = _cipher._get_mode_name(mode)
     if mode is _cipher.MODE_CFB:
         mode_name += "64"

diff --git a/mbedtls/cipher/Camellia.pyx b/mbedtls/cipher/Camellia.pyx
@@ -31,8 +31,8 @@ def new(key, mode, iv=None):
 
     """
     if len(key) not in {16, 24, 32}:
-        raise InvalidKeyLengthError(
-            "key size must 16, 24, or 32 bytes, got %r" % len(key))
+        raise MbedTLSError(
+            msg="key size must 16, 24, or 32 bytes, got %r" % len(key))
     if mode not in {
         _cipher.MODE_ECB,
         _cipher.MODE_CBC,
@@ -41,7 +41,7 @@ def new(key, mode, iv=None):
         _cipher.MODE_GCM,
         _cipher.MODE_CCM,
     }:
-        raise FeatureUnavailableError("unsupported mode %r" % mode)
+        raise MbedTLSError(msg="unsupported mode %r" % mode)
     mode_name = _cipher._get_mode_name(mode)
     if mode is _cipher.MODE_CFB:
         mode_name += "128"

diff --git a/mbedtls/cipher/DES.pyx b/mbedtls/cipher/DES.pyx
@@ -43,13 +43,12 @@ def new(key, mode, iv=None):
 
     """
     if len(key) != key_size:
-        raise InvalidKeyLengthError(
-            "key size must be 16 bytes, got %r" % len(key))
+        raise MbedTLSError(msg="key size must be 16 bytes, got %r" % len(key))
     if mode not in {
         _cipher.MODE_ECB,
         _cipher.MODE_CBC,
     }:
-        raise FeatureUnavailableError("unsupported mode %r" % mode)
+        raise MbedTLSError(msg="unsupported mode %r" % mode)
     mode_name = _cipher._get_mode_name(mode)
     name = ("DES-%s" % mode_name).encode("ascii")
     return _cipher.Cipher(name, key, mode, iv)
diff --git a/mbedtls/cipher/DES3.pyx b/mbedtls/cipher/DES3.pyx
@@ -34,13 +34,13 @@ def new(key, mode, iv=None):
 
     """
     if len(key) != key_size:
-        raise InvalidKeyLengthError(
-            "key size must be %i bytes, got %i" % (key_size, len(key)))
+        raise MbedTLSError(
+            msg="key size must be %i bytes, got %i" % (key_size, len(key)))
     if mode not in {
         _cipher.MODE_ECB,
         _cipher.MODE_CBC,
     }:
-        raise FeatureUnavailableError("unsupported mode %r" % mode)
+        raise MbedTLSError(msg="unsupported mode %r" % mode)
     mode_name = _cipher._get_mode_name(mode)
     name = ("DES-EDE3-%s" % mode_name).encode("ascii")
     return _cipher.Cipher(name, key, mode, iv)