[gentoo-commits] repo/gentoo:master commit in: dev-python/rsa/, dev-python/rsa/files/ - gentoo-commits

From:	"Michał Górny" <mgorny@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: dev-python/rsa/, dev-python/rsa/files/
Date:	Sun, 29 Mar 2020 07:31:48
Message-Id:	`1585467076.273961d6c3f521505238e0db5d39f8fafdb8562e.mgorny@gentoo`

1

commit:     273961d6c3f521505238e0db5d39f8fafdb8562e

2

Author:     Michał Górny <mgorny <AT> gentoo <DOT> org>

3

AuthorDate: Sun Mar 29 07:21:05 2020 +0000

4

Commit:     Michał Górny <mgorny <AT> gentoo <DOT> org>

5

CommitDate: Sun Mar 29 07:31:16 2020 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=273961d6

7

8

dev-python/rsa: Remove redundant versions

9

10

Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>

11

12

 dev-python/rsa/Manifest                            |   1 -

13

 dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch | 104 ---------------------

14

 dev-python/rsa/rsa-3.2.3-r1.ebuild                 |  38 --------

15

 3 files changed, 143 deletions(-)

16

17

diff --git a/dev-python/rsa/Manifest b/dev-python/rsa/Manifest

18

index 7c5f4761d40..86ef505328b 100644

19

--- a/dev-python/rsa/Manifest

20

+++ b/dev-python/rsa/Manifest

21

@@ -1,3 +1,2 @@

22

-DIST rsa-3.2.3.tar.gz 35628 BLAKE2B fa30e8212d0102b7763a5e8eb408d0778520d85d9428e12b603fdfa5982c559682c04fec2eac4723a8c9e06c9ed77365021a832c8ad96b07fa07eb93c5a626e2 SHA512 52b33e0278e6e1fed64b1cdebed29f7caa31fae733c2d5875e6cba5a045aaa829616799d8de84fdb63c546780dbdafcabf1f85f25930b8e663861151479ef7e2

23

 DIST rsa-3.4.2.tar.gz 40956 BLAKE2B 9a6353c84329303c655e7a25fcfa2ca42ea846c913fac0c26fee4a27bb85f9380de876b2ec07ae2212eb37efe5d2e401b2672f187f74bbeee1e9ef1099629e36 SHA512 62b0ff31fb3b9c18ae65bd102329e69726b853560576b1b66b9b89b26d3ff79154239af7e7a581b6a27c7017cc013f738762cd9662777ef594cc11c5b1f8e267

24

 DIST rsa-4.0.tar.gz 37385 BLAKE2B 2621ee732f15ea12283b723efb5e88847d3e030e8115bb4a3e986099fc94adc3409202d54b4350b0888deefd8dc801d8d3e57fef9e85f386ead53e4412da6d05 SHA512 e11106741cc4275246c986d39b3f028b5a4df6fbffdd08a78072ac3d3a9a7ade7a39789c504a2705f54d858a9bdbf03981251f32f9c45baba71e4a986e14b24e

25

26

diff --git a/dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch b/dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch

27

deleted file mode 100644

28

index bfcfc33ed01..00000000000

29

--- a/dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch

30

+++ /dev/null

31

@@ -1,104 +0,0 @@

32

-# HG changeset patch

33

-# User Filippo Valsorda <hi@×××××××.io>

34

-# Date 1450226563 0

35

-# Node ID 0cbcc529926afd61c6df4f50cfc29971beafd2c2

36

-# Parent  2baab06c8b867b01ec82b02118d4872a931a0437

37

-Fix BB'06 attack in verify() by switching from parsing to comparison

38

-

39

-diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py

40

---- a/rsa/pkcs1.py

41

-+++ b/rsa/pkcs1.py

42

-@@ -22,10 +22,10 @@

43

- At least 8 bytes of random padding is used when encrypting a message. This makes

44

- these methods much more secure than the ones in the ``rsa`` module.

45

-

46

--WARNING: this module leaks information when decryption or verification fails.

47

--The exceptions that are raised contain the Python traceback information, which

48

--can be used to deduce where in the process the failure occurred. DO NOT PASS

49

--SUCH INFORMATION to your users.

50

-+WARNING: this module leaks information when decryption fails. The exceptions

51

-+that are raised contain the Python traceback information, which can be used to

52

-+deduce where in the process the failure occurred. DO NOT PASS SUCH INFORMATION

53

-+to your users.

54

- '''

55

-

56

- import hashlib

57

-@@ -288,37 +288,23 @@

58

-     :param pub_key: the :py:class:`rsa.PublicKey` of the person signing the message.

59

-     :raise VerificationError: when the signature doesn't match the message.

60

-

61

--    .. warning::

62

--

63

--        Never display the stack trace of a

64

--        :py:class:`rsa.pkcs1.VerificationError` exception. It shows where in

65

--        the code the exception occurred, and thus leaks information about the

66

--        key. It's only a tiny bit of information, but every bit makes cracking

67

--        the keys easier.

68

--

69

-     '''

70

-

71

--    blocksize = common.byte_size(pub_key.n)

72

-+    keylength = common.byte_size(pub_key.n)

73

-     encrypted = transform.bytes2int(signature)

74

-     decrypted = core.decrypt_int(encrypted, pub_key.e, pub_key.n)

75

--    clearsig = transform.int2bytes(decrypted, blocksize)

76

--

77

--    # If we can't find the signature  marker, verification failed.

78

--    if clearsig[0:2] != b('\x00\x01'):

79

--        raise VerificationError('Verification failed')

80

-+    clearsig = transform.int2bytes(decrypted, keylength)

81

-

82

--    # Find the 00 separator between the padding and the payload

83

--    try:

84

--        sep_idx = clearsig.index(b('\x00'), 2)

85

--    except ValueError:

86

--        raise VerificationError('Verification failed')

87

--

88

--    # Get the hash and the hash method

89

--    (method_name, signature_hash) = _find_method_hash(clearsig[sep_idx+1:])

90

-+    # Get the hash method

91

-+    method_name = _find_method_hash(clearsig)

92

-     message_hash = _hash(message, method_name)

93

-

94

--    # Compare the real hash to the hash in the signature

95

--    if message_hash != signature_hash:

96

-+    # Reconstruct the expected padded hash

97

-+    cleartext = HASH_ASN1[method_name] + message_hash

98

-+    expected = _pad_for_signing(cleartext, keylength)

99

-+

100

-+    # Compare with the signed one

101

-+    if expected != clearsig:

102

-         raise VerificationError('Verification failed')

103

-

104

-     return True

105

-@@ -351,24 +337,20 @@

106

-     return hasher.digest()

107

-

108

-

109

--def _find_method_hash(method_hash):

110

--    '''Finds the hash method and the hash itself.

111

-+def _find_method_hash(clearsig):

112

-+    '''Finds the hash method.

113

-

114

--    :param method_hash: ASN1 code for the hash method concatenated with the

115

--        hash itself.

116

-+    :param clearsig: full padded ASN1 and hash.

117

-

118

--    :return: tuple (method, hash) where ``method`` is the used hash method, and

119

--        ``hash`` is the hash itself.

120

-+    :return: the used hash method.

121

-

122

-     :raise VerificationFailed: when the hash method cannot be found

123

-

124

-     '''

125

-

126

-     for (hashname, asn1code) in HASH_ASN1.items():

127

--        if not method_hash.startswith(asn1code):

128

--            continue

129

--

130

--        return (hashname, method_hash[len(asn1code):])

131

-+        if asn1code in clearsig:

132

-+            return hashname

133

-

134

-     raise VerificationError('Verification failed')

135

-

136

137

diff --git a/dev-python/rsa/rsa-3.2.3-r1.ebuild b/dev-python/rsa/rsa-3.2.3-r1.ebuild

138

deleted file mode 100644

139

index 0abc603ef08..00000000000

140

--- a/dev-python/rsa/rsa-3.2.3-r1.ebuild

141

+++ /dev/null

142

@@ -1,38 +0,0 @@

143

-# Copyright 1999-2020 Gentoo Authors

144

-# Distributed under the terms of the GNU General Public License v2

145

-

146

-EAPI=5

147

-

148

-PYTHON_COMPAT=( python3_{6,7} )

149

-

150

-inherit distutils-r1

151

-

152

-DESCRIPTION="Pure-Python RSA implementation"

153

-HOMEPAGE="https://stuvel.eu/rsa https://pypi.org/project/rsa/"

154

-SRC_URI="mirror://pypi/${P:0:1}/${PN}/${P}.tar.gz"

155

-

156

-LICENSE="Apache-2.0"

157

-SLOT="0"

158

-KEYWORDS="amd64 arm x86"

159

-IUSE="test"

160

-RESTRICT="!test? ( test )"

161

-

162

-RDEPEND="

163

-	>=dev-python/pyasn1-0.1.3[${PYTHON_USEDEP}]

164

-	dev-python/traceback2[${PYTHON_USEDEP}]

165

-	"

166

-DEPEND="${RDEPEND}

167

-	>=dev-python/setuptools-0.6.10[${PYTHON_USEDEP}]

168

-	test? (

169

-		dev-python/nose[${PYTHON_USEDEP}]

170

-		dev-python/unittest2[${PYTHON_USEDEP}]

171

-		)

172

-	"

173

-

174

-PATCHES=(

175

-	"${FILESDIR}"/${P}-CVE-2016-1494.patch

176

-)

177

-

178

-python_test() {

179

-	nosetests --verbose || die

180

-}

1	commit: 273961d6c3f521505238e0db5d39f8fafdb8562e
2	Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
3	AuthorDate: Sun Mar 29 07:21:05 2020 +0000
4	Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
5	CommitDate: Sun Mar 29 07:31:16 2020 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=273961d6
7
8	dev-python/rsa: Remove redundant versions
9
10	Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>
11
12	dev-python/rsa/Manifest \| 1 -
13	dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch \| 104 ---------------------
14	dev-python/rsa/rsa-3.2.3-r1.ebuild \| 38 --------
15	3 files changed, 143 deletions(-)
16
17	diff --git a/dev-python/rsa/Manifest b/dev-python/rsa/Manifest
18	index 7c5f4761d40..86ef505328b 100644
19	--- a/dev-python/rsa/Manifest
20	+++ b/dev-python/rsa/Manifest
21	@@ -1,3 +1,2 @@
22	-DIST rsa-3.2.3.tar.gz 35628 BLAKE2B fa30e8212d0102b7763a5e8eb408d0778520d85d9428e12b603fdfa5982c559682c04fec2eac4723a8c9e06c9ed77365021a832c8ad96b07fa07eb93c5a626e2 SHA512 52b33e0278e6e1fed64b1cdebed29f7caa31fae733c2d5875e6cba5a045aaa829616799d8de84fdb63c546780dbdafcabf1f85f25930b8e663861151479ef7e2
23	DIST rsa-3.4.2.tar.gz 40956 BLAKE2B 9a6353c84329303c655e7a25fcfa2ca42ea846c913fac0c26fee4a27bb85f9380de876b2ec07ae2212eb37efe5d2e401b2672f187f74bbeee1e9ef1099629e36 SHA512 62b0ff31fb3b9c18ae65bd102329e69726b853560576b1b66b9b89b26d3ff79154239af7e7a581b6a27c7017cc013f738762cd9662777ef594cc11c5b1f8e267
24	DIST rsa-4.0.tar.gz 37385 BLAKE2B 2621ee732f15ea12283b723efb5e88847d3e030e8115bb4a3e986099fc94adc3409202d54b4350b0888deefd8dc801d8d3e57fef9e85f386ead53e4412da6d05 SHA512 e11106741cc4275246c986d39b3f028b5a4df6fbffdd08a78072ac3d3a9a7ade7a39789c504a2705f54d858a9bdbf03981251f32f9c45baba71e4a986e14b24e
25
26	diff --git a/dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch b/dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch
27	deleted file mode 100644
28	index bfcfc33ed01..00000000000
29	--- a/dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch
30	+++ /dev/null
31	@@ -1,104 +0,0 @@
32	-# HG changeset patch
33	-# User Filippo Valsorda <hi@×××××××.io>
34	-# Date 1450226563 0
35	-# Node ID 0cbcc529926afd61c6df4f50cfc29971beafd2c2
36	-# Parent 2baab06c8b867b01ec82b02118d4872a931a0437
37	-Fix BB'06 attack in verify() by switching from parsing to comparison
38	-
39	-diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
40	---- a/rsa/pkcs1.py
41	-+++ b/rsa/pkcs1.py
42	-@@ -22,10 +22,10 @@
43	- At least 8 bytes of random padding is used when encrypting a message. This makes
44	- these methods much more secure than the ones in the ``rsa`` module.
45	-
46	--WARNING: this module leaks information when decryption or verification fails.
47	--The exceptions that are raised contain the Python traceback information, which
48	--can be used to deduce where in the process the failure occurred. DO NOT PASS
49	--SUCH INFORMATION to your users.
50	-+WARNING: this module leaks information when decryption fails. The exceptions
51	-+that are raised contain the Python traceback information, which can be used to
52	-+deduce where in the process the failure occurred. DO NOT PASS SUCH INFORMATION
53	-+to your users.
54	- '''
55	-
56	- import hashlib
57	-@@ -288,37 +288,23 @@
58	- :param pub_key: the :py:class:`rsa.PublicKey` of the person signing the message.
59	- :raise VerificationError: when the signature doesn't match the message.
60	-
61	-- .. warning::
62	--
63	-- Never display the stack trace of a
64	-- :py:class:`rsa.pkcs1.VerificationError` exception. It shows where in
65	-- the code the exception occurred, and thus leaks information about the
66	-- key. It's only a tiny bit of information, but every bit makes cracking
67	-- the keys easier.
68	--
69	- '''
70	-
71	-- blocksize = common.byte_size(pub_key.n)
72	-+ keylength = common.byte_size(pub_key.n)
73	- encrypted = transform.bytes2int(signature)
74	- decrypted = core.decrypt_int(encrypted, pub_key.e, pub_key.n)
75	-- clearsig = transform.int2bytes(decrypted, blocksize)
76	--
77	-- # If we can't find the signature marker, verification failed.
78	-- if clearsig[0:2] != b('\x00\x01'):
79	-- raise VerificationError('Verification failed')
80	-+ clearsig = transform.int2bytes(decrypted, keylength)
81	-
82	-- # Find the 00 separator between the padding and the payload
83	-- try:
84	-- sep_idx = clearsig.index(b('\x00'), 2)
85	-- except ValueError:
86	-- raise VerificationError('Verification failed')
87	--
88	-- # Get the hash and the hash method
89	-- (method_name, signature_hash) = _find_method_hash(clearsig[sep_idx+1:])
90	-+ # Get the hash method
91	-+ method_name = _find_method_hash(clearsig)
92	- message_hash = _hash(message, method_name)
93	-
94	-- # Compare the real hash to the hash in the signature
95	-- if message_hash != signature_hash:
96	-+ # Reconstruct the expected padded hash
97	-+ cleartext = HASH_ASN1[method_name] + message_hash
98	-+ expected = _pad_for_signing(cleartext, keylength)
99	-+
100	-+ # Compare with the signed one
101	-+ if expected != clearsig:
102	- raise VerificationError('Verification failed')
103	-
104	- return True
105	-@@ -351,24 +337,20 @@
106	- return hasher.digest()
107	-
108	-
109	--def _find_method_hash(method_hash):
110	-- '''Finds the hash method and the hash itself.
111	-+def _find_method_hash(clearsig):
112	-+ '''Finds the hash method.
113	-
114	-- :param method_hash: ASN1 code for the hash method concatenated with the
115	-- hash itself.
116	-+ :param clearsig: full padded ASN1 and hash.
117	-
118	-- :return: tuple (method, hash) where ``method`` is the used hash method, and
119	-- ``hash`` is the hash itself.
120	-+ :return: the used hash method.
121	-
122	- :raise VerificationFailed: when the hash method cannot be found
123	-
124	- '''
125	-
126	- for (hashname, asn1code) in HASH_ASN1.items():
127	-- if not method_hash.startswith(asn1code):
128	-- continue
129	--
130	-- return (hashname, method_hash[len(asn1code):])
131	-+ if asn1code in clearsig:
132	-+ return hashname
133	-
134	- raise VerificationError('Verification failed')
135	-
136
137	diff --git a/dev-python/rsa/rsa-3.2.3-r1.ebuild b/dev-python/rsa/rsa-3.2.3-r1.ebuild
138	deleted file mode 100644
139	index 0abc603ef08..00000000000
140	--- a/dev-python/rsa/rsa-3.2.3-r1.ebuild
141	+++ /dev/null
142	@@ -1,38 +0,0 @@
143	-# Copyright 1999-2020 Gentoo Authors
144	-# Distributed under the terms of the GNU General Public License v2
145	-
146	-EAPI=5
147	-
148	-PYTHON_COMPAT=( python3_{6,7} )
149	-
150	-inherit distutils-r1
151	-
152	-DESCRIPTION="Pure-Python RSA implementation"
153	-HOMEPAGE="https://stuvel.eu/rsa https://pypi.org/project/rsa/"
154	-SRC_URI="mirror://pypi/${P:0:1}/${PN}/${P}.tar.gz"
155	-
156	-LICENSE="Apache-2.0"
157	-SLOT="0"
158	-KEYWORDS="amd64 arm x86"
159	-IUSE="test"
160	-RESTRICT="!test? ( test )"
161	-
162	-RDEPEND="
163	- >=dev-python/pyasn1-0.1.3[${PYTHON_USEDEP}]
164	- dev-python/traceback2[${PYTHON_USEDEP}]
165	- "
166	-DEPEND="${RDEPEND}
167	- >=dev-python/setuptools-0.6.10[${PYTHON_USEDEP}]
168	- test? (
169	- dev-python/nose[${PYTHON_USEDEP}]
170	- dev-python/unittest2[${PYTHON_USEDEP}]
171	- )
172	- "
173	-
174	-PATCHES=(
175	- "${FILESDIR}"/${P}-CVE-2016-1494.patch
176	-)
177	-
178	-python_test() {
179	- nosetests --verbose \|\| die
180	-}

Gentoo Archives: gentoo-commits