packages/python-cryptography
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update to 3.3.1

Browse Source 
(cherry picked from commit 11a1ce9abe2eeb792e8f11cb0b5b096d73c566c0)
This commit is contained in:
lyn1001 2021-08-18 14:16:53 +08:00 committed by openeuler-sync-bot
parent f10e574a07
commit 14253c8bcc
6 changed files with 35 additions and 160 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

98
backport-CVE-2020-36242-pre1.patch
View File

@ -1,98 +0,0 @@
From f90ba1808ee9bd9a13c5673b776484644f29d7ba Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sun, 23 Aug 2020 23:41:33 -0500
Subject: [PATCH] chunked update_into (#5419)
* chunked update_into
* all pointer arithmetic all the time
* review feedback
---
.../hazmat/backends/openssl/ciphers.py | 30 ++++++++++++++--------
tests/hazmat/primitives/test_ciphers.py | 17 ++++++++++++
2 files changed, 37 insertions(+), 10 deletions(-)
diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
index 94b48f5..8426db9 100644
--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -17,6 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes
class _CipherContext(object):
_ENCRYPT = 1
_DECRYPT = 0
+ _MAX_CHUNK_SIZE = 2 ** 31
def __init__(self, backend, cipher, mode, operation):
self._backend = backend
@@ -125,23 +126,32 @@ class _CipherContext(object):
return bytes(buf[:n])
def update_into(self, data, buf):
- if len(buf) < (len(data) + self._block_size_bytes - 1):
+ total_data_len = len(data)
+ if len(buf) < (total_data_len + self._block_size_bytes - 1):
raise ValueError(
"buffer must be at least {} bytes for this "
"payload".format(len(data) + self._block_size_bytes - 1)
)
- buf = self._backend._ffi.cast(
- "unsigned char *", self._backend._ffi.from_buffer(buf)
- )
+ data_processed = 0
+ total_out = 0
outlen = self._backend._ffi.new("int *")
- res = self._backend._lib.EVP_CipherUpdate(
- self._ctx, buf, outlen,
- self._backend._ffi.from_buffer(data), len(data)
- )
- self._backend.openssl_assert(res != 0)
- return outlen[0]
+ baseoutbuf = self._backend._ffi.from_buffer(buf)
+ baseinbuf = self._backend._ffi.from_buffer(data)
+
+ while data_processed != total_data_len:
+ outbuf = baseoutbuf + total_out
+ inbuf = baseinbuf + data_processed
+ inlen = min(self._MAX_CHUNK_SIZE, total_data_len - data_processed)
+
+ res = self._backend._lib.EVP_CipherUpdate(
+ self._ctx, outbuf, outlen, inbuf, inlen
+ )
+ self._backend.openssl_assert(res != 0)
+ data_processed += inlen
+ total_out += outlen[0]
+ return total_out
def finalize(self):
# OpenSSL 1.0.1 on Ubuntu 12.04 (and possibly other distributions)
# appears to have a bug where you must make at least one call to update
diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
index f29ba9a..b88610e 100644
--- a/tests/hazmat/primitives/test_ciphers.py
+++ b/tests/hazmat/primitives/test_ciphers.py
@@ -309,3 +309,20 @@ class TestCipherUpdateInto(object):
buf = bytearray(5)
with pytest.raises(ValueError):
encryptor.update_into(b"testing", buf)
+
+ def test_update_into_auto_chunking(self, backend, monkeypatch):
+ key = b"\x00" * 16
+ c = ciphers.Cipher(AES(key), modes.ECB(), backend)
+ encryptor = c.encryptor()
+ # Lower max chunk size so we can test chunking
+ monkeypatch.setattr(encryptor._ctx, "_MAX_CHUNK_SIZE", 40)
+ buf = bytearray(527)
+ pt = b"abcdefghijklmnopqrstuvwxyz012345" * 16 # 512 bytes
+ processed = encryptor.update_into(pt, buf)
+ assert processed == 512
+ decryptor = c.decryptor()
+ # Change max chunk size to verify alternate boundaries don't matter
+ monkeypatch.setattr(decryptor._ctx, "_MAX_CHUNK_SIZE", 73)
+ decbuf = bytearray(527)
+ decprocessed = decryptor.update_into(buf[:processed], decbuf)
+ assert decbuf[:decprocessed] == pt
--
1.8.3.1

43
backport-CVE-2020-36242-pre2.patch
View File

@ -1,43 +0,0 @@
From 836a92a28fbe9df8c37121e340b91ed9cd519ddd Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sun, 25 Oct 2020 06:15:18 -0700
Subject: [PATCH] chunking didn't actually work (#5499)
---
src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
tests/hazmat/primitives/test_ciphers.py | 9 +++++++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
index 26f2b76..cc08e30 100644
--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -17,7 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes
class _CipherContext(object):
_ENCRYPT = 1
_DECRYPT = 0
- _MAX_CHUNK_SIZE = 2 ** 31
+ _MAX_CHUNK_SIZE = 2 ** 31 - 1
def __init__(self, backend, cipher, mode, operation):
self._backend = backend
diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
index b88610e..fd9048b 100644
--- a/tests/hazmat/primitives/test_ciphers.py
+++ b/tests/hazmat/primitives/test_ciphers.py
@@ -326,3 +326,12 @@ class TestCipherUpdateInto(object):
decbuf = bytearray(527)
decprocessed = decryptor.update_into(buf[:processed], decbuf)
assert decbuf[:decprocessed] == pt
+
+ def test_max_chunk_size_fits_in_int32(self, backend):
+ # max chunk must fit in signed int32 or else a call large enough to
+ # cause chunking will result in the very OverflowError we want to
+ # avoid with chunking.
+ key = b"\x00" * 16
+ c = ciphers.Cipher(AES(key), modes.ECB(), backend)
+ encryptor = c.encryptor()
+ backend._ffi.new("int *", encryptor._ctx._MAX_CHUNK_SIZE)
--
1.8.3.1

30
backport-CVE-2020-36242.patch
View File

@ -1,15 +1,35 @@
From 06cbf77371881e80ea4b5e349136dcc53749fc0c Mon Sep 17 00:00:00 2001 From 962eac3925c7184fb5dc174357823223beba0d85 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com> From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sun, 7 Feb 2021 11:20:09 -0600 Date: Sun, 7 Feb 2021 11:04:43 -0600
Subject: [PATCH] port changelog and fix back to master for CVE-2020-36242 Subject: [PATCH] port changelog and fix back to master for CVE-2020-36242
(#5748)
--- ---
CHANGELOG.rst | 9 +++++++++
src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +- src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-) 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 3cb53d0..4dd7146 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,6 +1,15 @@
Changelog
=========
+.. _v3-3-2:
+
+3.3.2 - 2021-02-07
+~~~~~~~~~~~~~~~~~~
+
+* **SECURITY ISSUE:** Fixed a bug where certain sequences of ``update()`` calls
+ when symmetrically encrypting very large payloads (>2GB) could result in an
+ integer overflow, leading to buffer overflows. *CVE-2020-36242*
+
.. _v3-3-1:
3.3.1 - 2020-12-09
diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
index cc08e30..47c72e9 100644 index 1e805d2..ad5dad3 100644
--- a/src/cryptography/hazmat/backends/openssl/ciphers.py --- a/src/cryptography/hazmat/backends/openssl/ciphers.py
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -17,7 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes @@ -17,7 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes

BIN
cryptography-2.9.2.tar.gz
View File

Binary file not shown.

BIN
cryptography-3.3.1.tar.gz Normal file
View File

Binary file not shown.

24
python-cryptography.spec
View File

@ -1,17 +1,15 @@
%bcond_with python2 %bcond_with python2
%bcond_without python3 %bcond_without python3
%global srcname cryptography
Name: python-cryptography Name: python-%{srcname}
Version: 2.9.2 Version: 3.3.1
Release: 3 Release: 1
Summary: PyCA's cryptography library Summary: PyCA's cryptography library
License: ASL 2.0 or BSD License: ASL 2.0 or BSD
URL: https://cryptography.io/en/latest/ URL: https://cryptography.io/en/latest/
Source0: https://pypi.io/packages/source/c/cryptography/cryptography-%{version}.tar.gz Source0: %{pypi_source}
Patch6000: backport-CVE-2020-36242-pre1.patch Patch6000: backport-CVE-2020-36242.patch
Patch6001: backport-CVE-2020-36242-pre2.patch
Patch6002: backport-CVE-2020-36242.patch
BuildRequires: openssl-devel BuildRequires: openssl-devel
BuildRequires: gcc BuildRequires: gcc
@ -95,15 +93,10 @@ find . -name .keep -print -delete
%py3_install %py3_install
%check %check
# skip hypothesis tests
rm -rf tests/hypothesis
# see https://github.com/pyca/cryptography/issues/4885 for the deselected test
%if %{with python2} %if %{with python2}
PYTHONPATH=%{buildroot}%{python2_sitearch} %{__python2} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)" PYTHONPATH=%{buildroot}%{python2_sitearch} %{__python2} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)"
%endif %endif
# skip hypothesis tests
rm -rf tests/hypothesis
PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)" PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)"
%if %{with python2} %if %{with python2}
@ -126,6 +119,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
%doc README.rst docs %doc README.rst docs
%changelog %changelog
* Thu Aug 12 2021 liyanan <liyanan32@huawei.com> - 3.3.1-1
- update to 3.3.1
* Wed Mar 24 2021 shixuantong <shixuantong@huawei.com> - 2.9.2-3 * Wed Mar 24 2021 shixuantong <shixuantong@huawei.com> - 2.9.2-3
- remove %{py3dir} - remove %{py3dir}