From 4f2d7949f03e1c198bc888f2d05f421d35c57e21 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Mon, 9 Oct 2017 18:53:29 +0100 Subject: reinit the tree, so we can have metadata --- dev-python/rsa/Manifest | 8 ++ dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch | 104 +++++++++++++++++++++ dev-python/rsa/metadata.xml | 11 +++ dev-python/rsa/rsa-3.2.3-r1.ebuild | 37 ++++++++ dev-python/rsa/rsa-3.4.2.ebuild | 33 +++++++ 5 files changed, 193 insertions(+) create mode 100644 dev-python/rsa/Manifest create mode 100644 dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch create mode 100644 dev-python/rsa/metadata.xml create mode 100644 dev-python/rsa/rsa-3.2.3-r1.ebuild create mode 100644 dev-python/rsa/rsa-3.4.2.ebuild (limited to 'dev-python/rsa') diff --git a/dev-python/rsa/Manifest b/dev-python/rsa/Manifest new file mode 100644 index 000000000000..40c2d0a1e60b --- /dev/null +++ b/dev-python/rsa/Manifest @@ -0,0 +1,8 @@ +AUX rsa-3.2.3-CVE-2016-1494.patch 3843 SHA256 83bf8df7def9e6cea4c85e8f40d5cba66845d52555b0d38d673670910e36f2e6 SHA512 9150b25bc1a9dacc8eee0fb93d46b9d024c868d540097b9166be9a7879fe116d8fd47cacaaf5614b86cd44e7cd10602a0ad290eb2ef116539683101d4057a231 WHIRLPOOL decdf0021c3d01f9269e17afcefa349dde2721fa167f901b0dc5b7fd923dfe20aa0a26d79a43d6906c0877f2a4be80c23a90b656046c9f25c10882c215b672f3 +DIST rsa-3.2.3.tar.gz 35628 SHA256 14db288cc40d6339dedf60d7a47053ab004b4a8976a5c59402a211d8fc5bf21f SHA512 52b33e0278e6e1fed64b1cdebed29f7caa31fae733c2d5875e6cba5a045aaa829616799d8de84fdb63c546780dbdafcabf1f85f25930b8e663861151479ef7e2 WHIRLPOOL 5814f912849bed4f98f8bef20dcf2fb9b28af70b970f324cadab90f0c67ff42c32792f7a6306edf1884d4cf6fe35d27f47c833358c2d03c582faba60fba1490d +DIST rsa-3.4.2.tar.gz 40956 SHA256 25df4e10c263fb88b5ace923dd84bf9aa7f5019687b5e55382ffcdb8bede9db5 SHA512 62b0ff31fb3b9c18ae65bd102329e69726b853560576b1b66b9b89b26d3ff79154239af7e7a581b6a27c7017cc013f738762cd9662777ef594cc11c5b1f8e267 WHIRLPOOL d8d51f7ffc47af5fbc48199860171c38fe6f08b5a510bfed20513c22df8a614565703c9d89939ff1092a7c6392fbdef8bacf41cc839a9943b120b1fa4cf8d496 +EBUILD rsa-3.2.3-r1.ebuild 779 SHA256 9b4da0643e8efe74b4f8a930e33ed784d0cbfbf84846d3dbb4b9dbf446cf9f59 SHA512 a9d79f2488611d25aea1dc0255c08054328953ca2bd73026c424f81f355450ec21c4e00fa1348ac96a4560f8e1ceca51deb1515b38cf1597575adeb2b2336974 WHIRLPOOL 98779de4f27cd9975f2bf470439fb7c8db370d25a92a0d0476efb293627ebbdf8ea250b4d12b4c3e9b293dfd8f231e2186a9c906e5c14bf7682c149c2d932e5f +EBUILD rsa-3.4.2.ebuild 736 SHA256 feac335f1b97800f6c6736d6bb8bcd85dded362acbe38bd4af7979346dd7c3fc SHA512 bd828c8b02a32b51f0f0b175bfefbf29d3957117aa449a82c6d1ca3ee085accdbaf8beb5b4599e7f4f8d353cd87081d6e22b8fb965316a4e3d82b08f4a288d0c WHIRLPOOL a0a0daa29f8367b928231648ac7f9548f1ef973b8c9feee6484530abefa32287c9174d10d31ce95a69ca94514bd7f1628da1ec7fc029322ca9d01ab58a1be322 +MISC ChangeLog 4693 SHA256 a44f187d58fa946b560c29b230bb5392cf2eb27df0c2d9628527271142b74e43 SHA512 59fc05b26269b8455a4fdf71f8ad676740e3646bd1a50842ddb57bc966112973270572fc9ecd84f95a6564b4cab3f2ec4b7211010819bf98a54990891842c13b WHIRLPOOL bb6bd453283e71d83a8f1dd277d9907a98760bcf537abb625e0b586d57a789af917b461d33f0e70c9458d806ffccaf1688bcfb10adc68c22638ff5924da2f823 +MISC ChangeLog-2015 1753 SHA256 df896f385bd9064fcc4518ef8fad0f1c3a4ae96aafb805528bd24ec7653e5bf1 SHA512 3d60bfff1eac837799c264d426e4b7884a1dc9db5dac58712fc61c5eebb817fd21505b45f378b275a4006eb5fb0f7dfff2325ed248ce2d8811bf3fac08935c6a WHIRLPOOL ddb1660ae98aa5e8f33be46ccf6bc5974468b200621a830c16cf50919f60b5e4d07d4be24b127e2e88c9ac620335834700b03c2b619572cf5bc462ef9e31049c +MISC metadata.xml 316 SHA256 4a8d0bb11f587256e0847f1a35a74d53644ef183975d47bc22cc815943c81698 SHA512 4d8c48ae8e4360727f5c4b83e426f42a597a175dfa2a965c9f966e5824a83291c78d3e8e636d21b4f28d73f7e912abc7db1b09078baaa0e3a1b25713abd3d0a1 WHIRLPOOL 1d143ea409a28a21debdb7524a0956899513f985a348f5d984461f001d96cf9f8268abae96f3d7938fef2da91984676bd062cfec306ceaf631fdd3c5f0e8c10b diff --git a/dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch b/dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch new file mode 100644 index 000000000000..bfcfc33ed01b --- /dev/null +++ b/dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch @@ -0,0 +1,104 @@ +# HG changeset patch +# User Filippo Valsorda +# Date 1450226563 0 +# Node ID 0cbcc529926afd61c6df4f50cfc29971beafd2c2 +# Parent 2baab06c8b867b01ec82b02118d4872a931a0437 +Fix BB'06 attack in verify() by switching from parsing to comparison + +diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py +--- a/rsa/pkcs1.py ++++ b/rsa/pkcs1.py +@@ -22,10 +22,10 @@ + At least 8 bytes of random padding is used when encrypting a message. This makes + these methods much more secure than the ones in the ``rsa`` module. + +-WARNING: this module leaks information when decryption or verification fails. +-The exceptions that are raised contain the Python traceback information, which +-can be used to deduce where in the process the failure occurred. DO NOT PASS +-SUCH INFORMATION to your users. ++WARNING: this module leaks information when decryption fails. The exceptions ++that are raised contain the Python traceback information, which can be used to ++deduce where in the process the failure occurred. DO NOT PASS SUCH INFORMATION ++to your users. + ''' + + import hashlib +@@ -288,37 +288,23 @@ + :param pub_key: the :py:class:`rsa.PublicKey` of the person signing the message. + :raise VerificationError: when the signature doesn't match the message. + +- .. warning:: +- +- Never display the stack trace of a +- :py:class:`rsa.pkcs1.VerificationError` exception. It shows where in +- the code the exception occurred, and thus leaks information about the +- key. It's only a tiny bit of information, but every bit makes cracking +- the keys easier. +- + ''' + +- blocksize = common.byte_size(pub_key.n) ++ keylength = common.byte_size(pub_key.n) + encrypted = transform.bytes2int(signature) + decrypted = core.decrypt_int(encrypted, pub_key.e, pub_key.n) +- clearsig = transform.int2bytes(decrypted, blocksize) +- +- # If we can't find the signature marker, verification failed. +- if clearsig[0:2] != b('\x00\x01'): +- raise VerificationError('Verification failed') ++ clearsig = transform.int2bytes(decrypted, keylength) + +- # Find the 00 separator between the padding and the payload +- try: +- sep_idx = clearsig.index(b('\x00'), 2) +- except ValueError: +- raise VerificationError('Verification failed') +- +- # Get the hash and the hash method +- (method_name, signature_hash) = _find_method_hash(clearsig[sep_idx+1:]) ++ # Get the hash method ++ method_name = _find_method_hash(clearsig) + message_hash = _hash(message, method_name) + +- # Compare the real hash to the hash in the signature +- if message_hash != signature_hash: ++ # Reconstruct the expected padded hash ++ cleartext = HASH_ASN1[method_name] + message_hash ++ expected = _pad_for_signing(cleartext, keylength) ++ ++ # Compare with the signed one ++ if expected != clearsig: + raise VerificationError('Verification failed') + + return True +@@ -351,24 +337,20 @@ + return hasher.digest() + + +-def _find_method_hash(method_hash): +- '''Finds the hash method and the hash itself. ++def _find_method_hash(clearsig): ++ '''Finds the hash method. + +- :param method_hash: ASN1 code for the hash method concatenated with the +- hash itself. ++ :param clearsig: full padded ASN1 and hash. + +- :return: tuple (method, hash) where ``method`` is the used hash method, and +- ``hash`` is the hash itself. ++ :return: the used hash method. + + :raise VerificationFailed: when the hash method cannot be found + + ''' + + for (hashname, asn1code) in HASH_ASN1.items(): +- if not method_hash.startswith(asn1code): +- continue +- +- return (hashname, method_hash[len(asn1code):]) ++ if asn1code in clearsig: ++ return hashname + + raise VerificationError('Verification failed') + diff --git a/dev-python/rsa/metadata.xml b/dev-python/rsa/metadata.xml new file mode 100644 index 000000000000..35bbfa239754 --- /dev/null +++ b/dev-python/rsa/metadata.xml @@ -0,0 +1,11 @@ + + + + + python@gentoo.org + Python + + + rsa + + diff --git a/dev-python/rsa/rsa-3.2.3-r1.ebuild b/dev-python/rsa/rsa-3.2.3-r1.ebuild new file mode 100644 index 000000000000..132b888c45b1 --- /dev/null +++ b/dev-python/rsa/rsa-3.2.3-r1.ebuild @@ -0,0 +1,37 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=5 + +PYTHON_COMPAT=( python2_7 python3_{4,5,6} pypy ) + +inherit distutils-r1 + +DESCRIPTION="Pure-Python RSA implementation" +HOMEPAGE="http://stuvel.eu/rsa https://pypi.python.org/pypi/rsa" +SRC_URI="mirror://pypi/${P:0:1}/${PN}/${P}.tar.gz" + +LICENSE="Apache-2.0" +SLOT="0" +KEYWORDS="amd64 arm x86" +IUSE="test" + +RDEPEND=" + >=dev-python/pyasn1-0.1.3[${PYTHON_USEDEP}] + dev-python/traceback2[${PYTHON_USEDEP}] + " +DEPEND="${RDEPEND} + >=dev-python/setuptools-0.6.10[${PYTHON_USEDEP}] + test? ( + dev-python/nose[${PYTHON_USEDEP}] + dev-python/unittest2[${PYTHON_USEDEP}] + ) + " + +PATCHES=( + "${FILESDIR}"/${P}-CVE-2016-1494.patch +) + +python_test() { + nosetests --verbose || die +} diff --git a/dev-python/rsa/rsa-3.4.2.ebuild b/dev-python/rsa/rsa-3.4.2.ebuild new file mode 100644 index 000000000000..437b656e1002 --- /dev/null +++ b/dev-python/rsa/rsa-3.4.2.ebuild @@ -0,0 +1,33 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=5 + +PYTHON_COMPAT=( python2_7 python3_{4,5,6} pypy ) + +inherit distutils-r1 + +DESCRIPTION="Pure-Python RSA implementation" +HOMEPAGE="http://stuvel.eu/rsa https://pypi.python.org/pypi/rsa" +SRC_URI="mirror://pypi/${P:0:1}/${PN}/${P}.tar.gz" + +LICENSE="Apache-2.0" +SLOT="0" +KEYWORDS="~amd64 ~arm ~arm64 ~x86" +IUSE="test" + +RDEPEND=" + >=dev-python/pyasn1-0.1.3[${PYTHON_USEDEP}] + dev-python/traceback2[${PYTHON_USEDEP}] + " +DEPEND="${RDEPEND} + >=dev-python/setuptools-0.6.10[${PYTHON_USEDEP}] + test? ( + dev-python/nose[${PYTHON_USEDEP}] + dev-python/unittest2[${PYTHON_USEDEP}] + ) + " + +python_test() { + nosetests --verbose || die +} -- cgit v1.2.3