Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/net-dns/dnsviz/files/dnsviz-0.8.2-add-ed448-support.patch
blob: 1d4d88e97e6db0ff948301b428e6c7bf86e23e47 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182

From 99bb0c7430c9f954582eabd3a9581fe0db6f2e81 Mon Sep 17 00:00:00 2001
From: Pascal Ernster <git@hardfalcon.net>
Date: Mon, 22 Jul 2019 04:25:18 +0200
Subject: [PATCH] Replace libnacl with python-cryptography, add support for
 algo 16 (Ed448)

Origin: https://github.com/dnsviz/dnsviz/pull/54

---
 Dockerfile              |  2 +-
 README.md               |  8 ++++----
 contrib/dnsviz-py2.spec |  2 +-
 contrib/dnsviz-py3.spec |  2 +-
 dnsviz/crypto.py        | 30 +++++++++++++++++++++++++-----
 requirements.txt        |  2 +-
 setup.py                |  2 +-
 7 files changed, 34 insertions(+), 14 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index dc6a0d9e..61a319de 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ FROM alpine:edge
 
 RUN apk add python3 graphviz ttf-liberation libsodium bind bind-tools
 RUN apk add --virtual builddeps linux-headers python3-dev graphviz-dev gcc libc-dev openssl-dev swig && \
-	pip3 install pygraphviz m2crypto dnspython libnacl && \
+	pip3 install pygraphviz m2crypto dnspython cryptography && \
 	apk del builddeps
 
 COPY . /tmp/dnsviz
diff --git a/README.md b/README.md
index e9dcda83..03d9c3dd 100644
--- a/README.md
+++ b/README.md
@@ -41,7 +41,7 @@ Instructions for running in a Docker container are also available
 
 * M2Crypto (0.28.0 or later) - https://gitlab.com/m2crypto/m2crypto
 
-* libnacl - https://github.com/saltstack/libnacl
+* Cryptography (2.6 or later) - https://cryptography.io/
 
 Note that the software versions listed above are known to work with the current
 version of DNSViz.  Other versions might also work well together, but might
@@ -85,7 +85,7 @@ $ source ~/myenv/bin/activate
 ```
 (Note that this installs the dependencies that are python packages, but some of
 these packages have non-python dependecies, such as Graphviz (required for
-pygraphviz) and libsodium (required for libnacl), that are not installed
+pygraphviz) and OpenSSL (required for Cryptography), that are not installed
 automatically.)
 
 Next download and install DNSViz from the Python Package Index (PyPI):
@@ -121,9 +121,9 @@ $ cp dist/dnsviz-*.tar.gz ~/rpmbuild/SOURCES/
 $ cp contrib/dnsviz-py${PY_VERS}.spec ~/rpmbuild/SPECS/dnsviz.spec
 ```
 
-Install dnspython, pygraphviz, M2Crypto, and libnacl.
+Install dnspython, pygraphviz, M2Crypto, and Cryptography.
 ```
-$ sudo dnf install python${PY_VERS}-dns python${PY_VERS}-pygraphviz python${PY_VERS}-libnacl
+$ sudo dnf install python${PY_VERS}-dns python${PY_VERS}-pygraphviz python${PY_VERS}-cryptography
 ```
 For python2:
 ```
diff --git a/contrib/dnsviz-py2.spec b/contrib/dnsviz-py2.spec
index 0bea597b..65033c95 100644
--- a/contrib/dnsviz-py2.spec
+++ b/contrib/dnsviz-py2.spec
@@ -15,7 +15,7 @@ BuildRequires:  make
 Requires:       python2-pygraphviz >= 1.3
 Requires:       m2crypto >= 0.28.0
 Requires:       python2-dns >= 1.13
-Requires:       python2-libnacl
+Requires:       python2-cryptography
 
 %description
 DNSViz is a tool suite for analysis and visualization of Domain Name System
diff --git a/contrib/dnsviz-py3.spec b/contrib/dnsviz-py3.spec
index ef25f4b5..975f3e10 100644
--- a/contrib/dnsviz-py3.spec
+++ b/contrib/dnsviz-py3.spec
@@ -15,7 +15,7 @@ BuildRequires:  make
 Requires:       python3-pygraphviz >= 1.3
 Requires:       python3-m2crypto >= 0.28.0
 Requires:       python3-dns >= 1.13
-Requires:       python3-libnacl
+Requires:       python3-cryptography
 
 %description
 DNSViz is a tool suite for analysis and visualization of Domain Name System
diff --git a/dnsviz/crypto.py b/dnsviz/crypto.py
index b011cbf3..283eac4d 100644
--- a/dnsviz/crypto.py
+++ b/dnsviz/crypto.py
@@ -55,7 +55,7 @@
         'M2Crypto >= 0.21.1': (set([1,5,7,8,10]), set([1,2,4]), set([1])),
         'M2Crypto >= 0.24.0': (set([3,6,13,14]), set(), set()),
         'M2Crypto >= 0.24.0 and either openssl < 1.1.0 or openssl >= 1.1.0 plus the OpenSSL GOST Engine': (set([12]), set([3]), set()),
-        'libnacl': (set([15]), set(), set()),
+        'cryptography': (set([15,16]), set(), set()),
 }
 _logged_modules = set()
 
@@ -72,12 +72,19 @@
     _supported_digest_algs.update(set([1,2,4]))
 
 try:
-    from libnacl.sign import Verifier as ed25519Verifier
+    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
 except ImportError:
     pass
 else:
     _supported_algs.add(15)
 
+try:
+    from cryptography.hazmat.primitives.asymmetric.ed448 import Ed448PublicKey
+except ImportError:
+    pass
+else:
+    _supported_algs.add(16)
+
 GOST_PREFIX = b'\x30\x63\x30\x1c\x06\x06\x2a\x85\x03\x02\x02\x13\x30\x12\x06\x07\x2a\x85\x03\x02\x02\x23\x01\x06\x07\x2a\x85\x03\x02\x02\x1e\x01\x03\x43\x00\x04\x40'
 GOST_ENGINE_NAME = b'gost'
 GOST_DIGEST_NAME = b'GOST R 34.11-94'
@@ -386,10 +393,21 @@ def _validate_rrsig_ec(alg, sig, msg, key):
 
 def _validate_rrsig_ed25519(alg, sig, msg, key):
     try:
-        verifier = ed25519Verifier(binascii.hexlify(key))
-        return verifier.verify(sig + msg) == msg
-    except ValueError:
+        verifier = Ed25519PublicKey.from_public_bytes(key)
+        verifier.verify(sig, msg)
+    except:
         return False
+    else:
+        return True
+
+def _validate_rrsig_ed448(alg, sig, msg, key):
+    try:
+        verifier = Ed448PublicKey.from_public_bytes(key)
+        verifier.verify(sig, msg)
+    except:
+        return False
+    else:
+        return True
 
 def validate_rrsig(alg, sig, msg, key):
     if not alg_is_supported(alg):
@@ -407,6 +425,8 @@ def validate_rrsig(alg, sig, msg, key):
         return _validate_rrsig_ec(alg, sig, msg, key)
     elif alg in (15,):
         return _validate_rrsig_ed25519(alg, sig, msg, key)
+    elif alg in (16,):
+        return _validate_rrsig_ed448(alg, sig, msg, key)
 
 def get_digest_for_nsec3(val, salt, alg, iterations):
     if not nsec3_alg_is_supported(alg):
diff --git a/requirements.txt b/requirements.txt
index d6b2de5e..af2be235 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,4 @@
 dnspython
 pygraphviz
 m2crypto
-libnacl
+cryptography
diff --git a/setup.py b/setup.py
index ba1016e3..b531c025 100644
--- a/setup.py
+++ b/setup.py
@@ -135,7 +135,7 @@ def run(self):
                 'pygraphviz (>=1.1)',
                 'm2crypto (>=0.24.0)',
                 'dnspython (>=1.11)',
-                'libnacl',
+                'cryptography (>=2.6)',
         ],
         classifiers=[
                 'Development Status :: 5 - Production/Stable',