add support for update_into on CipherContext #3190
Conversation
|
@reaperhulk, thanks for your PR! By analyzing the history of the files in this pull request, we identified @public, @alex and @Ayrx to be potential reviewers. |
reaperhulk
force-pushed
the
update-into
branch
2 times, most recently
from
e414eef to
3b875b5
Compare
|
(I am considering this blocked until we drop 1.0.0 because I don't want to modify our CI to cover that branch, so this PR will languish until we start the dev cycle for 1.8) |
reaperhulk
force-pushed
the
update-into
branch
from
3b875b5 to
40077be
Compare
|
Jenkins, retest this please |
reaperhulk
force-pushed
the
update-into
branch
from
53f6e01 to
dc19fe7
Compare
Current coverage is 99.94% (diff: 94.32%)@@ master #3190 diff @@
========================================
Files 134 134
Lines 15245 15380 +135
Methods 0 0
Messages 0 0
Branches 1570 1585 +15
========================================
+ Hits 15245 15372 +127
- Misses 0 5 +5
- Partials 0 3 +3
|
|
Failing tests relevant. |
reaperhulk
changed the title
|
To get full coverage on this I had to add a new tox target |
reaperhulk
force-pushed
the
update-into
branch
from
b7624e0 to
b49318d
Compare
src/cryptography/utils.py
Outdated
| @@ -10,6 +10,8 @@ | |||
| import sys | |||
| import warnings | |||
|
|
|||
| from pkg_resources import parse_version | |||
There was a problem hiding this comment.
Doing this will trigger the import side effects we tried to avoid in #3347. Maybe we should do a simpler version check?
There was a problem hiding this comment.
Is there any other not-hacky version parser lying around we can use?
There was a problem hiding this comment.
cc @dstufft who might know
There was a problem hiding this comment.
There was a problem hiding this comment.
Thanks @dstufft! @sigmavirus24 also suggested it in IRC so that looks like the path to go.
.travis.yml
Outdated
| @@ -67,6 +67,10 @@ matrix: | |||
| env: TOXENV=py27 CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=0 | |||
| - language: generic | |||
| os: osx | |||
| osx_image: xcode8 | |||
| env: TOXENV=py35-cffi-min CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=1 | |||
There was a problem hiding this comment.
Yes, but now that I look at the code that's because we have conditional branches for update_into on both the commoncrypto and openssl backends. We could just assume we have a sufficiently new version in those classes but then do the version check at the CipherContext layer in hazmat.primitives.ciphers.base. That would simplify this whole thing.
There was a problem hiding this comment.
(And it would make it so this doesn't have to be a macOS job)
| This method allows you to avoid a memory copy by passing a writable | ||
| buffer and reading the resulting data. You are responsible for | ||
| correctly sizing the buffer and properly handling the data. Failure | ||
| to do so correctly can result in crashes. This method should only |
There was a problem hiding this comment.
Why crashes? Can't we check the buffer sizes and error cleanly?
There was a problem hiding this comment.
We actually do, this msg should be updated
|
|
||
| :param bytes data: The data you wish to pass into the context. | ||
| :param buf: A writable Python buffer that the data will be written | ||
| into. This buffer should be ``n - 1`` bytes bigger than the size of |
There was a problem hiding this comment.
I think this would be clearer if you wrote it as len(data) + n - 1
src/cryptography/utils.py
Outdated
| @@ -10,6 +10,8 @@ | |||
| import sys | |||
| import warnings | |||
|
|
|||
| from pkg_resources import parse_version | |||
There was a problem hiding this comment.
Is there any other not-hacky version parser lying around we can use?
tox.ini
Outdated
| @@ -48,6 +48,14 @@ commands = | |||
| pip list | |||
| py.test --capture=no --strict {posargs} | |||
|
|
|||
| # This target downgrades cffi to the minimum supported in setup.py | |||
There was a problem hiding this comment.
Please add a comment to setup.py saying this needs to be updated if the minimimum cffi version is changed.
tox.ini
Outdated
| coverage | ||
| ./vectors | ||
| cffi==1.4.1 | ||
| basepython = python3.5 |
There was a problem hiding this comment.
At this point if we want this to be a py3 build maybe it should be 3.6?
This allows you to provide your own buffer (like recv_into) to improve performance when repeatedly calling encrypt/decrypt on large payloads.
This tests against macOS so we capture some commoncrypto branches
|
french toast is a great version
…On Tue, Feb 14, 2017 at 7:53 AM, Donald Stufft ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In src/cryptography/utils.py
<#3190>:
> @@ -10,6 +10,8 @@
import sys
import warnings
+from pkg_resources import parse_version
https://packaging.pypa.io/en/latest/version/ ?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#3190>, or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAADBCd0ZigloEx7hD-ahvOAqbBmF5hGks5rcc4MgaJpZM4KRo5B>
.
--
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6
|
reaperhulk
force-pushed
the
update-into
branch
from
ed21475 to
eb2ed24
Compare
reaperhulk
force-pushed
the
update-into
branch
from
01d30da to
6ccdba3
Compare
|
Jenkins, retest this please |
| >>> iv = os.urandom(16) | ||
| >>> cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=backend) | ||
| >>> encryptor = cipher.encryptor() | ||
| >>> buf = bytearray(31) |
There was a problem hiding this comment.
Can you add comments throughout this example?
There was a problem hiding this comment.
I took a swing at adding some comments. Hopefully they're useful.
| @@ -488,12 +488,12 @@ Interfaces | |||
| >>> iv = os.urandom(16) | |||
| >>> cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=backend) | |||
| >>> encryptor = cipher.encryptor() | |||
| >>> buf = bytearray(31) | |||
| >>> buf = bytearray(31) # size the buffer to b len(data) + n - 1 | |||
| >>> len_encrypted = encryptor.update_into(b"a secret message", buf) | ||
| >>> ct = bytes(buf[:len_encrypted]) + encryptor.finalize() | ||
| >>> ct = bytes(buf[:len_encrypted]) + encryptor.finalize() # get the ciphertext from the buffer reading only the bytes written to it (len_encrypted) |
There was a problem hiding this comment.
Maybe put the comment on the line above the code, so it doesn't wrap so long?
| >>> iv = os.urandom(16) | ||
| >>> cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=backend) | ||
| >>> encryptor = cipher.encryptor() | ||
| >>> buf = bytearray(31) # size the buffer to b len(data) + n - 1 |
There was a problem hiding this comment.
I still don't understand this comment :-)
This allows you to provide your own buffer (like recv_into) to improve performance when repeatedly calling encrypt/decrypt on large payloads.
Even if you're calling
updatemillions of times this is not necessarily a performance win at very small sizes (e.g. 16 bytes per call). In testing it is 21% faster when callingupdaterepeatedly with 32KB payloads.This is still WIP as at least one branch will not be covered (update_into on OpenSSL 1.0.0 AES CTR) and I'm not sure I'm happy with testing yet.
fixes #3119