- update CVE-2020-25657-Bleichenbacher-attack.patch to actually
contain the fix rather than just being empty (CVE-2020-25657, bsc#1178829) OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-M2Crypto?expand=0&rev=111
This commit is contained in:
parent
739a52ed54
commit
85680b0b27
@ -0,0 +1,170 @@
|
|||||||
|
From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu>
|
||||||
|
Date: Tue, 28 Jun 2022 21:17:01 +0200
|
||||||
|
Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA
|
||||||
|
decryption API (CVE-2020-25657)
|
||||||
|
|
||||||
|
Fixes #282
|
||||||
|
---
|
||||||
|
src/SWIG/_m2crypto_wrap.c | 20 ++++++++++++--------
|
||||||
|
src/SWIG/_rsa.i | 20 ++++++++++++--------
|
||||||
|
tests/test_rsa.py | 15 +++++++--------
|
||||||
|
3 files changed, 31 insertions(+), 24 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c
|
||||||
|
index aba9eb6d..a9f30da9 100644
|
||||||
|
--- a/src/SWIG/_m2crypto_wrap.c
|
||||||
|
+++ b/src/SWIG/_m2crypto_wrap.c
|
||||||
|
@@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) {
|
||||||
|
tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf,
|
||||||
|
(unsigned char *)tbuf, rsa, padding);
|
||||||
|
if (tlen == -1) {
|
||||||
|
- m2_PyErr_Msg(_rsa_err);
|
||||||
|
+ ERR_clear_error();
|
||||||
|
+ PyErr_Clear();
|
||||||
|
PyMem_Free(tbuf);
|
||||||
|
- return NULL;
|
||||||
|
+ Py_RETURN_NONE;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
|
||||||
|
@@ -7070,9 +7071,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) {
|
||||||
|
tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf,
|
||||||
|
(unsigned char *)tbuf, rsa, padding);
|
||||||
|
if (tlen == -1) {
|
||||||
|
- m2_PyErr_Msg(_rsa_err);
|
||||||
|
+ ERR_clear_error();
|
||||||
|
+ PyErr_Clear();
|
||||||
|
PyMem_Free(tbuf);
|
||||||
|
- return NULL;
|
||||||
|
+ Py_RETURN_NONE;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
|
||||||
|
@@ -7097,9 +7099,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) {
|
||||||
|
tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf,
|
||||||
|
(unsigned char *)tbuf, rsa, padding);
|
||||||
|
if (tlen == -1) {
|
||||||
|
- m2_PyErr_Msg(_rsa_err);
|
||||||
|
+ ERR_clear_error();
|
||||||
|
+ PyErr_Clear();
|
||||||
|
PyMem_Free(tbuf);
|
||||||
|
- return NULL;
|
||||||
|
+ Py_RETURN_NONE;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
|
||||||
|
@@ -7124,9 +7127,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) {
|
||||||
|
tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf,
|
||||||
|
(unsigned char *)tbuf, rsa, padding);
|
||||||
|
if (tlen == -1) {
|
||||||
|
- m2_PyErr_Msg(_rsa_err);
|
||||||
|
+ ERR_clear_error();
|
||||||
|
+ PyErr_Clear();
|
||||||
|
PyMem_Free(tbuf);
|
||||||
|
- return NULL;
|
||||||
|
+ Py_RETURN_NONE;
|
||||||
|
}
|
||||||
|
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
|
||||||
|
|
||||||
|
diff --git a/src/SWIG/_rsa.i b/src/SWIG/_rsa.i
|
||||||
|
index bc714e01..1377b8be 100644
|
||||||
|
--- a/src/SWIG/_rsa.i
|
||||||
|
+++ b/src/SWIG/_rsa.i
|
||||||
|
@@ -239,9 +239,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) {
|
||||||
|
tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf,
|
||||||
|
(unsigned char *)tbuf, rsa, padding);
|
||||||
|
if (tlen == -1) {
|
||||||
|
- m2_PyErr_Msg(_rsa_err);
|
||||||
|
+ ERR_clear_error();
|
||||||
|
+ PyErr_Clear();
|
||||||
|
PyMem_Free(tbuf);
|
||||||
|
- return NULL;
|
||||||
|
+ Py_RETURN_NONE;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
|
||||||
|
@@ -269,9 +270,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) {
|
||||||
|
tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf,
|
||||||
|
(unsigned char *)tbuf, rsa, padding);
|
||||||
|
if (tlen == -1) {
|
||||||
|
- m2_PyErr_Msg(_rsa_err);
|
||||||
|
+ ERR_clear_error();
|
||||||
|
+ PyErr_Clear();
|
||||||
|
PyMem_Free(tbuf);
|
||||||
|
- return NULL;
|
||||||
|
+ Py_RETURN_NONE;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
|
||||||
|
@@ -296,9 +298,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) {
|
||||||
|
tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf,
|
||||||
|
(unsigned char *)tbuf, rsa, padding);
|
||||||
|
if (tlen == -1) {
|
||||||
|
- m2_PyErr_Msg(_rsa_err);
|
||||||
|
+ ERR_clear_error();
|
||||||
|
+ PyErr_Clear();
|
||||||
|
PyMem_Free(tbuf);
|
||||||
|
- return NULL;
|
||||||
|
+ Py_RETURN_NONE;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
|
||||||
|
@@ -323,9 +326,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) {
|
||||||
|
tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf,
|
||||||
|
(unsigned char *)tbuf, rsa, padding);
|
||||||
|
if (tlen == -1) {
|
||||||
|
- m2_PyErr_Msg(_rsa_err);
|
||||||
|
+ ERR_clear_error();
|
||||||
|
+ PyErr_Clear();
|
||||||
|
PyMem_Free(tbuf);
|
||||||
|
- return NULL;
|
||||||
|
+ Py_RETURN_NONE;
|
||||||
|
}
|
||||||
|
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
|
||||||
|
|
||||||
|
diff --git a/tests/test_rsa.py b/tests/test_rsa.py
|
||||||
|
index 7bb3af75..5e75d681 100644
|
||||||
|
--- a/tests/test_rsa.py
|
||||||
|
+++ b/tests/test_rsa.py
|
||||||
|
@@ -109,8 +109,9 @@ class RSATestCase(unittest.TestCase):
|
||||||
|
# The other paddings.
|
||||||
|
for padding in self.s_padding_nok:
|
||||||
|
p = getattr(RSA, padding)
|
||||||
|
- with self.assertRaises(RSA.RSAError):
|
||||||
|
- priv.private_encrypt(self.data, p)
|
||||||
|
+ # Exception disabled as a part of mitigation against CVE-2020-25657
|
||||||
|
+ # with self.assertRaises(RSA.RSAError):
|
||||||
|
+ priv.private_encrypt(self.data, p)
|
||||||
|
# Type-check the data to be encrypted.
|
||||||
|
with self.assertRaises(TypeError):
|
||||||
|
priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding)
|
||||||
|
@@ -127,10 +128,12 @@ class RSATestCase(unittest.TestCase):
|
||||||
|
self.assertEqual(ptxt, self.data)
|
||||||
|
|
||||||
|
# no_padding
|
||||||
|
- with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'):
|
||||||
|
- priv.public_encrypt(self.data, RSA.no_padding)
|
||||||
|
+ # Exception disabled as a part of mitigation against CVE-2020-25657
|
||||||
|
+ # with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'):
|
||||||
|
+ priv.public_encrypt(self.data, RSA.no_padding)
|
||||||
|
|
||||||
|
# Type-check the data to be encrypted.
|
||||||
|
+ # Exception disabled as a part of mitigation against CVE-2020-25657
|
||||||
|
with self.assertRaises(TypeError):
|
||||||
|
priv.public_encrypt(self.gen_callback, RSA.pkcs1_padding)
|
||||||
|
|
||||||
|
@@ -146,10 +149,6 @@ class RSATestCase(unittest.TestCase):
|
||||||
|
b'\000\000\000\003\001\000\001') # aka 65537 aka 0xf4
|
||||||
|
with self.assertRaises(RSA.RSAError):
|
||||||
|
setattr(rsa, 'e', '\000\000\000\003\001\000\001')
|
||||||
|
- with self.assertRaises(RSA.RSAError):
|
||||||
|
- rsa.private_encrypt(1)
|
||||||
|
- with self.assertRaises(RSA.RSAError):
|
||||||
|
- rsa.private_decrypt(1)
|
||||||
|
assert rsa.check_key()
|
||||||
|
|
||||||
|
def test_loadpub_bad(self):
|
||||||
|
--
|
||||||
|
GitLab
|
||||||
|
|
@ -1,3 +1,10 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Aug 3 16:48:00 UTC 2022 - Dirk Müller <dmueller@suse.com>
|
||||||
|
|
||||||
|
- update CVE-2020-25657-Bleichenbacher-attack.patch to actually
|
||||||
|
contain the fix rather than just being empty (CVE-2020-25657,
|
||||||
|
bsc#1178829)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Jul 12 20:49:47 UTC 2022 - Matej Cepl <mcepl@suse.com>
|
Tue Jul 12 20:49:47 UTC 2022 - Matej Cepl <mcepl@suse.com>
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user