packages/m2crypto
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!11 [sync] PR-9: Fix CVE-2020-25657

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @gitee-cmd 
Signed-off-by: @gitee-cmd
This commit is contained in:
openeuler-ci-bot 2022-08-18 02:09:03 +00:00 committed by Gitee
commit 546b1ffe64
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
6 changed files with 307 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
CVE-2020-25657-pre1.patch Normal file
View File

@ -0,0 +1,25 @@
From 83d4d9bc3aa4466e540fa00f8cc6891c0301ec82 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu>
Date: Fri, 31 May 2019 17:00:14 +0200
Subject: [PATCH] Remove duplicate call of the error code.
---
M2Crypto-0.30.1/tests/test_rsa.py | 2 --
1 file changed, 2 deletions(-)
diff --git a/M2Crypto-0.30.1/tests/test_rsa.py b/M2Crypto-0.30.1/tests/test_rsa.py
index 308b1b18..875b59c6 100644
--- a/M2Crypto-0.30.1/tests/test_rsa.py
+++ b/M2Crypto-0.30.1/tests/test_rsa.py
@@ -126,8 +126,6 @@ class RSATestCase(unittest.TestCase):
ctxt = priv.public_encrypt(self.data, RSA.sslv23_padding)
with self.assertRaises(RSA.RSAError):
priv.private_decrypt(ctxt, RSA.sslv23_padding)
- with self.assertRaises(RSA.RSAError):
- priv.private_decrypt(ctxt, RSA.sslv23_padding)
# no_padding
with self.assertRaises(RSA.RSAError):
--
GitLab

42
CVE-2020-25657-pre2.patch Normal file
View File

@ -0,0 +1,42 @@
From 0b22d79082afd7c564b2ac07fb0ef5d76d692586 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu>
Date: Fri, 7 Jun 2019 11:43:03 +0200
Subject: [PATCH] Limit tests.test_rsa.RSATestCase.test_public_encrypt just to
OpenSSL which sustains it.
Fixes #258
---
M2Crypto-0.30.1/tests/test_rsa.py | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/M2Crypto-0.30.1/tests/test_rsa.py b/M2Crypto-0.30.1/tests/test_rsa.py
index 875b59c6..7028b608 100644
--- a/M2Crypto-0.30.1/tests/test_rsa.py
+++ b/M2Crypto-0.30.1/tests/test_rsa.py
@@ -113,6 +113,8 @@ class RSATestCase(unittest.TestCase):
with self.assertRaises(TypeError):
priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding)
+ @unittest.skipIf(m2.OPENSSL_VERSION_NUMBER < 0x1010103f,
+ 'Relies on fix which happened only in OpenSSL 1.1.1c')
def test_public_encrypt(self):
priv = RSA.load_key(self.privkey)
# pkcs1_padding, pkcs1_oaep_padding
@@ -124,11 +126,11 @@ class RSATestCase(unittest.TestCase):
# sslv23_padding
ctxt = priv.public_encrypt(self.data, RSA.sslv23_padding)
- with self.assertRaises(RSA.RSAError):
- priv.private_decrypt(ctxt, RSA.sslv23_padding)
+ res = priv.private_decrypt(ctxt, RSA.sslv23_padding)
+ self.assertEqual(res, self.data)
# no_padding
- with self.assertRaises(RSA.RSAError):
+ with six.assertRaisesRegex(self, TypeError, 'data too small'):
priv.public_encrypt(self.data, RSA.no_padding)
# Type-check the data to be encrypted.
--
GitLab

26
CVE-2020-25657-pre3.patch Normal file
View File

@ -0,0 +1,26 @@
From 3ee65bd56e92f8f3c465947b6752d92d5986dc81 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Sat, 8 Jun 2019 14:13:59 +0000
Subject: [PATCH] tests.test_rsa: Fix typo to match for proper exception
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
---
M2Crypto-0.30.1/tests/test_rsa.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/M2Crypto-0.30.1/tests/test_rsa.py b/M2Crypto-0.30.1/tests/test_rsa.py
index 7028b608..a1d0805f 100644
--- a/M2Crypto-0.30.1/tests/test_rsa.py
+++ b/M2Crypto-0.30.1/tests/test_rsa.py
@@ -130,7 +130,7 @@ class RSATestCase(unittest.TestCase):
self.assertEqual(res, self.data)
# no_padding
- with six.assertRaisesRegex(self, TypeError, 'data too small'):
+ with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'):
priv.public_encrypt(self.data, RSA.no_padding)
# Type-check the data to be encrypted.
--
GitLab

29
CVE-2020-25657-pre4.patch Normal file
View File

@ -0,0 +1,29 @@
From d06eaa88a5f491827733f32027c46de3557fbd05 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu>
Date: Fri, 19 Feb 2021 15:53:02 +0100
Subject: [PATCH] Use of RSA_SSLV23_PADDING has been deprecated.
Fixes #293.
---
M2Crypto-0.30.1/tests/test_rsa.py | 5 -----
1 file changed, 5 deletions(-)
diff --git a/M2Crypto-0.30.1/tests/test_rsa.py b/M2Crypto-0.30.1/tests/test_rsa.py
index 3de5016a..7299785f 100644
--- a/M2Crypto-0.30.1/tests/test_rsa.py
+++ b/M2Crypto-0.30.1/tests/test_rsa.py
@@ -124,11 +124,6 @@ class RSATestCase(unittest.TestCase):
ptxt = priv.private_decrypt(ctxt, p)
self.assertEqual(ptxt, self.data)
- # sslv23_padding
- ctxt = priv.public_encrypt(self.data, RSA.sslv23_padding)
- res = priv.private_decrypt(ctxt, RSA.sslv23_padding)
- self.assertEqual(res, self.data)
-
# no_padding
with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'):
priv.public_encrypt(self.data, RSA.no_padding)
--
GitLab

170
CVE-2020-25657.patch Normal file
View File

@ -0,0 +1,170 @@
From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu>
Date: Tue, 28 Jun 2022 21:17:01 +0200
Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA
decryption API (CVE-2020-25657)
Fixes #282
---
M2Crypto-0.30.1/SWIG/_m2crypto_wrap.c | 20 ++++++++++++--------
M2Crypto-0.30.1/SWIG/_rsa.i | 20 ++++++++++++--------
M2Crypto-0.30.1/tests/test_rsa.py | 15 +++++++--------
3 files changed, 31 insertions(+), 24 deletions(-)
diff --git a/M2Crypto-0.30.1/SWIG/_m2crypto_wrap.c b/M2Crypto-0.30.1/SWIG/_m2crypto_wrap.c
index aba9eb6d..a9f30da9 100644
--- a/M2Crypto-0.30.1/SWIG/_m2crypto_wrap.c
+++ b/M2Crypto-0.30.1/SWIG/_m2crypto_wrap.c
@@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) {
tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf,
(unsigned char *)tbuf, rsa, padding);
if (tlen == -1) {
- m2_PyErr_Msg(_rsa_err);
+ ERR_clear_error();
+ PyErr_Clear();
PyMem_Free(tbuf);
- return NULL;
+ Py_RETURN_NONE;
}
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
@@ -7070,9 +7071,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) {
tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf,
(unsigned char *)tbuf, rsa, padding);
if (tlen == -1) {
- m2_PyErr_Msg(_rsa_err);
+ ERR_clear_error();
+ PyErr_Clear();
PyMem_Free(tbuf);
- return NULL;
+ Py_RETURN_NONE;
}
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
@@ -7097,9 +7099,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) {
tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf,
(unsigned char *)tbuf, rsa, padding);
if (tlen == -1) {
- m2_PyErr_Msg(_rsa_err);
+ ERR_clear_error();
+ PyErr_Clear();
PyMem_Free(tbuf);
- return NULL;
+ Py_RETURN_NONE;
}
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
@@ -7124,9 +7127,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) {
tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf,
(unsigned char *)tbuf, rsa, padding);
if (tlen == -1) {
- m2_PyErr_Msg(_rsa_err);
+ ERR_clear_error();
+ PyErr_Clear();
PyMem_Free(tbuf);
- return NULL;
+ Py_RETURN_NONE;
}
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
diff --git a/M2Crypto-0.30.1/SWIG/_rsa.i b/M2Crypto-0.30.1/SWIG/_rsa.i
index bc714e01..1377b8be 100644
--- a/M2Crypto-0.30.1/SWIG/_rsa.i
+++ b/M2Crypto-0.30.1/SWIG/_rsa.i
@@ -239,9 +239,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) {
tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf,
(unsigned char *)tbuf, rsa, padding);
if (tlen == -1) {
- m2_PyErr_Msg(_rsa_err);
+ ERR_clear_error();
+ PyErr_Clear();
PyMem_Free(tbuf);
- return NULL;
+ Py_RETURN_NONE;
}
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
@@ -269,9 +270,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) {
tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf,
(unsigned char *)tbuf, rsa, padding);
if (tlen == -1) {
- m2_PyErr_Msg(_rsa_err);
+ ERR_clear_error();
+ PyErr_Clear();
PyMem_Free(tbuf);
- return NULL;
+ Py_RETURN_NONE;
}
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
@@ -296,9 +298,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) {
tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf,
(unsigned char *)tbuf, rsa, padding);
if (tlen == -1) {
- m2_PyErr_Msg(_rsa_err);
+ ERR_clear_error();
+ PyErr_Clear();
PyMem_Free(tbuf);
- return NULL;
+ Py_RETURN_NONE;
}
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
@@ -323,9 +326,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) {
tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf,
(unsigned char *)tbuf, rsa, padding);
if (tlen == -1) {
- m2_PyErr_Msg(_rsa_err);
+ ERR_clear_error();
+ PyErr_Clear();
PyMem_Free(tbuf);
- return NULL;
+ Py_RETURN_NONE;
}
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
diff --git a/M2Crypto-0.30.1/tests/test_rsa.py b/M2Crypto-0.30.1/tests/test_rsa.py
index 7bb3af75..5e75d681 100644
--- a/M2Crypto-0.30.1/tests/test_rsa.py
+++ b/M2Crypto-0.30.1/tests/test_rsa.py
@@ -109,8 +109,9 @@ class RSATestCase(unittest.TestCase):
# The other paddings.
for padding in self.s_padding_nok:
p = getattr(RSA, padding)
- with self.assertRaises(RSA.RSAError):
- priv.private_encrypt(self.data, p)
+ # Exception disabled as a part of mitigation against CVE-2020-25657
+ # with self.assertRaises(RSA.RSAError):
+ priv.private_encrypt(self.data, p)
# Type-check the data to be encrypted.
with self.assertRaises(TypeError):
priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding)
@@ -127,10 +128,12 @@ class RSATestCase(unittest.TestCase):
self.assertEqual(ptxt, self.data)
# no_padding
- with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'):
- priv.public_encrypt(self.data, RSA.no_padding)
+ # Exception disabled as a part of mitigation against CVE-2020-25657
+ # with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'):
+ priv.public_encrypt(self.data, RSA.no_padding)
# Type-check the data to be encrypted.
+ # Exception disabled as a part of mitigation against CVE-2020-25657
with self.assertRaises(TypeError):
priv.public_encrypt(self.gen_callback, RSA.pkcs1_padding)
@@ -146,10 +149,6 @@ class RSATestCase(unittest.TestCase):
b'\000\000\000\003\001\000\001') # aka 65537 aka 0xf4
with self.assertRaises(RSA.RSAError):
setattr(rsa, 'e', '\000\000\000\003\001\000\001')
- with self.assertRaises(RSA.RSAError):
- rsa.private_encrypt(1)
- with self.assertRaises(RSA.RSAError):
- rsa.private_decrypt(1)
assert rsa.check_key()
def test_loadpub_bad(self):
--
GitLab

16
m2crypto.spec
View File

@ -1,11 +1,22 @@
Name: m2crypto
Summary: A crypto and SSL toolkit for Python
Version: 0.30.1
Release: 4
Release: 5
License: MIT
URL: https://gitlab.com/m2crypto/m2crypto/
Source0: https://files.pythonhosted.org/packages/41/50/7d85dc99b1c4f29eca83873d851ec29a8e484a66b31351e62e30be9db7d1/M2Crypto-0.30.1.tar.gz
Source1: https://files.pythonhosted.org/packages/41/50/7d85dc99b1c4f29eca83873d851ec29a8e484a66b31351e62e30be9db7d1/M2Crypto-0.30.1.tar.gz.asc
# https://gitlab.com/m2crypto/m2crypto/commit/83d4d9bc3aa4466e540fa00f8cc6891c0301ec82
Patch0: CVE-2020-25657-pre1.patch
# https://gitlab.com/m2crypto/m2crypto/commit/0b22d79082afd7c564b2ac07fb0ef5d76d692586
Patch1: CVE-2020-25657-pre2.patch
# https://gitlab.com/m2crypto/m2crypto/commit/3ee65bd56e92f8f3c465947b6752d92d5986dc81
Patch2: CVE-2020-25657-pre3.patch
# https://gitlab.com/m2crypto/m2crypto/commit/d06eaa88a5f491827733f32027c46de3557fbd05
Patch3: CVE-2020-25657-pre4.patch
# https://gitlab.com/m2crypto/m2crypto/commit/84c53958def0f510e92119fca14d74f94215827a
Patch4: CVE-2020-25657.patch
Requires: python2-typing
@ -66,6 +77,9 @@ cd ../M2Crypto-python3
%{python3_sitearch}/M2Crypto-*.egg-info
%changelog
* Wed Aug 17 2022 yaoxin <yaoxin30@h-partners.com> - 0.30.1-5
- Fix CVE-2020-25657
* Thu Aug 18 2020 xinghe <xinghe1@huawei.com> - 0.30.1-4
- add release version for update