diff --git a/cve_2016-1494.diff b/cve_2016-1494.diff
deleted file mode 100644
index dce6a99..0000000
--- a/cve_2016-1494.diff
+++ /dev/null
@@ -1,103 +0,0 @@
-# HG changeset patch
-# User Filippo Valsorda
-# Date 1450226563 0
-# Node ID 0cbcc529926afd61c6df4f50cfc29971beafd2c2
-# Parent 2baab06c8b867b01ec82b02118d4872a931a0437
-Fix BB'06 attack in verify() by switching from parsing to comparison
-
-diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
---- a/rsa/pkcs1.py
-+++ b/rsa/pkcs1.py
-@@ -22,10 +22,10 @@
- At least 8 bytes of random padding is used when encrypting a message. This makes
- these methods much more secure than the ones in the ``rsa`` module.
-
--WARNING: this module leaks information when decryption or verification fails.
--The exceptions that are raised contain the Python traceback information, which
--can be used to deduce where in the process the failure occurred. DO NOT PASS
--SUCH INFORMATION to your users.
-+WARNING: this module leaks information when decryption fails. The exceptions
-+that are raised contain the Python traceback information, which can be used to
-+deduce where in the process the failure occurred. DO NOT PASS SUCH INFORMATION
-+to your users.
- '''
-
- import hashlib
-@@ -288,37 +288,23 @@
- :param pub_key: the :py:class:`rsa.PublicKey` of the person signing the message.
- :raise VerificationError: when the signature doesn't match the message.
-
-- .. warning::
---
-- Never display the stack trace of a
-- :py:class:`rsa.pkcs1.VerificationError` exception. It shows where in
-- the code the exception occurred, and thus leaks information about the
-- key. It's only a tiny bit of information, but every bit makes cracking
-- the keys easier.
---
- '''
-
-- blocksize = common.byte_size(pub_key.n)
-+ keylength = common.byte_size(pub_key.n)
- encrypted = transform.bytes2int(signature)
- decrypted = core.decrypt_int(encrypted, pub_key.e, pub_key.n)
-- clearsig = transform.int2bytes(decrypted, blocksize)
---
-- # If we can't find the signature marker, verification failed.
-- if clearsig[0:2] != b('\x00\x01'):
-- raise VerificationError('Verification failed')
-+ clearsig = transform.int2bytes(decrypted, keylength)
-
-- # Find the 00 separator between the padding and the payload
-- try:
-- sep_idx = clearsig.index(b('\x00'), 2)
-- except ValueError:
-- raise VerificationError('Verification failed')
---
-- # Get the hash and the hash method
-- (method_name, signature_hash) = _find_method_hash(clearsig[sep_idx+1:])
-+ # Get the hash method
-+ method_name = _find_method_hash(clearsig)
- message_hash = _hash(message, method_name)
-
-- # Compare the real hash to the hash in the signature
-- if message_hash != signature_hash:
-+ # Reconstruct the expected padded hash
-+ cleartext = HASH_ASN1[method_name] + message_hash
-+ expected = _pad_for_signing(cleartext, keylength)
-+
-+ # Compare with the signed one
-+ if expected != clearsig:
- raise VerificationError('Verification failed')
-
- return True
-@@ -351,24 +337,20 @@
- return hasher.digest()
-
-
--def _find_method_hash(method_hash):
-- '''Finds the hash method and the hash itself.
-+def _find_method_hash(clearsig):
-+ '''Finds the hash method.
-
-- :param method_hash: ASN1 code for the hash method concatenated with the
-- hash itself.
-+ :param clearsig: full padded ASN1 and hash.
-
-- :return: tuple (method, hash) where ``method`` is the used hash method, and
-- ``hash`` is the hash itself.
-+ :return: the used hash method.
-
- :raise VerificationFailed: when the hash method cannot be found
-
- '''
-
- for (hashname, asn1code) in HASH_ASN1.items():
-- if not method_hash.startswith(asn1code):
-- continue
---
-- return (hashname, method_hash[len(asn1code):])
-+ if asn1code in clearsig:
-+ return hashname
-
- raise VerificationError('Verification failed')
diff --git a/python-rsa.changes b/python-rsa.changes
index 6ddca16..ef8ca55 100644
--- a/python-rsa.changes
+++ b/python-rsa.changes
@@ -1,3 +1,42 @@ +------------------------------------------------------------------- +Mon May 1 16:30:14 UTC 2017 - toddrme2178@gmail.com + +- Update to Version 3.4.2 + * Fixed dates in CHANGELOG.txt +- Update to Version 3.4.1 + * Included tests/private.pem in MANIFEST.in + * Included README.md and CHANGELOG.txt in MANIFEST.in +- Update to Version 3.4 + * Moved development to Github: https://github.com/sybrenstuvel/python-rsa + * Solved side-channel vulnerability by implementing blinding, fixes #19 + * Deprecated the VARBLOCK format and rsa.bigfile module due to security issues, see + https://github.com/sybrenstuvel/python-rsa/issues/13 + * Integration with Travis-CI, Coveralls and Code Climate + * Deprecated the old rsa._version133 and rsa._version200 submodules, they will be + completely removed in version 4.0. + * Add an 'exponent' argument to key.newkeys() + * Switched from Solovay-Strassen to Miller-Rabin primality testing, to + comply with NIST FIPS 186-4 as probabilistic primality test + (Appendix C, subsection C.3): + * Fixed bugs #12, #14, #27, #30, #49 +- Update to Version 3.3 + * Thanks to Filippo Valsorda: Fix BB'06 attack in verify() by + switching from parsing to comparison. + * Simplified Tox configuration and dropped Python 3.2 support. The + coverage package uses a u'' prefix, which was reintroduced in 3.3 + for ease of porting. +- Update to Version 3.2.3 + * Added character encoding markers for Python 2.x +- Update to Version 3.2.1 + * Added per-file licenses + * Added support for wheel packages + * Made example code more consistent and up to date with Python 3.4 +- Update to Version 3.2 + * Mentioned support for Python 3 in setup.py +- Implement single-spec version. +- Fix source URL. +- Remove cve_2016-1494.diff, fixed in latest version. + ------------------------------------------------------------------- Tue Jan 5 18:39:56 UTC 2016 - rjschwei@suse.com diff --git a/python-rsa.spec b/python-rsa.spec index bec9614..e091bb4 100644 
--- a/python-rsa.spec +++ b/python-rsa.spec @@ -1,7 +1,7 @@ # # spec file for package python-rsa # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,30 +16,32 @@ # +%bcond_without tests + +%{?!python_module:%define python_module() python-%{**} python3-%{**}} Name: python-rsa -Version: 3.1.4 +Version: 3.4.2 Release: 0 Url: http://stuvel.eu/rsa Summary: Pure-Python RSA Implementation License: Apache-2.0 Group: Development/Languages/Python -Source: http://pypi.python.org/packages/source/r/rsa/rsa-%{version}.tar.gz -Patch0: cve_2016-1494.diff +Source: https://files.pythonhosted.org/packages/source/r/rsa/rsa-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildRequires: python-devel -BuildRequires: python-pyasn1 -BuildRequires: python-setuptools -BuildRequires: python-unittest2 -Requires(pre): coreutils -Requires: python-pyasn1 -Requires(pre): coreutils -Requires(post): update-alternatives -Requires(postun): update-alternatives -%if 0%{?suse_version} && 0%{?suse_version} <= 1110 -%{!?python_sitelib: %global python_sitelib %(python -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")} -%else -BuildArch: noarch +BuildRequires: fdupes +BuildRequires: python-rpm-macros +BuildRequires: %{python_module devel} +BuildRequires: %{python_module setuptools} +BuildRequires: %{python_module pyasn1 >= 0.1.3} +%if %{with tests} +BuildRequires: %{python_module nose} %endif +Requires: python-pyasn1 >= 0.1.3 +BuildArch: noarch +Requires(pre): coreutils +Requires(post): update-alternatives +Requires(preun): update-alternatives +%python_subpackages %description Python-RSA is a pure-Python RSA implementation. It supports encryption and 
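Review bot: `Requires(pre): coreutils` is kept in the new preamble of the `@@ -16,30 +16,32 @@` hunk, but the `%pre` scriptlet that needed `rm` is deleted by the `@@ -48,88 +50,45 @@` hunk of this same file. No other `%pre` section is visible on the new side, so the scriptlet dependency looks stale. Unless something outside the shown hunks still runs in `%pre`, delete the line `Requires(pre): coreutils` so the package does not declare an install-time dependency it never uses.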
@@ -48,88 +50,45 @@ PKCS#1 version 1.5. %prep %setup -q -n rsa-%{version} -sed -i "s/pyrsa-priv2pub/pyrsa-priv2pub-%{py_ver}/" setup.py -sed -i "s/pyrsa-keygen/pyrsa-keygen-%{py_ver}/" setup.py -sed -i "s/pyrsa-encrypt =/pyrsa-encrypt-%{py_ver} =/" setup.py -sed -i "s/pyrsa-decrypt =/pyrsa-decrypt-%{py_ver} =/" setup.py -sed -i "s/pyrsa-sign/pyrsa-sign-%{py_ver}/" setup.py -sed -i "s/pyrsa-verify/pyrsa-verify-%{py_ver}/" setup.py -sed -i "s/pyrsa-encrypt-bigfile =/pyrsa-encrypt-bigfile-%{py_ver} =/" setup.py -sed -i "s/pyrsa-decrypt-bigfile =/pyrsa-decrypt-bigfile-%{py_ver} =/" setup.py -%patch0 -p1 %build -python setup.py build +%python_build %install -python setup.py install --prefix=%{_prefix} --root=%{buildroot} +%python_install +%python_expand %fdupes %{buildroot}%{$python_sitelib} -# for update-alternatives -mkdir -p %{buildroot}%{_sysconfdir}/alternatives -for f in pyrsa-priv2pub pyrsa-keygen pyrsa-encrypt pyrsa-decrypt pyrsa-sign \ - pyrsa-verify pyrsa-encrypt-bigfile pyrsa-decrypt-bigfile; do - touch %{buildroot}%{_sysconfdir}/alternatives/$f - ln -sf %{_sysconfdir}/alternatives/$f %{buildroot}%{_bindir}/$f -done - -%check -python run_tests.py - -%pre -# Since binaries became ghosted to be used with update-alternatives, we have to get rid -# of the old binary resulting from the non-update-alternativies-ified package: -[ -h %{_bindir}/pyrsa-priv2pub ] || rm -f %{_bindir}/pyrsa-priv2pub -[ -h %{_bindir}/pyrsa-keygen ] || rm -f %{_bindir}/pyrsa-keygen -[ -h %{_bindir}/pyrsa-encrypt ] || rm -f %{_bindir}/pyrsa-encrypt -[ -h %{_bindir}/pyrsa-decrypt ] || rm -f %{_bindir}/pyrsa-decrypt -[ -h %{_bindir}/pyrsa-sign ] || rm -f %{_bindir}/pyrsa-sign -[ -h %{_bindir}/pyrsa-verify ] || rm -f %{_bindir}/pyrsa-verify -[ -h %{_bindir}/pyrsa-encrypt-bigfile ] || rm -f %{_bindir}/pyrsa-encrypt-bigfile -[ -h %{_bindir}/pyrsa-decrypt-bigfile ] || rm -f %{_bindir}/pyrsa-decrypt-bigfile +%python_clone -a %{buildroot}%{_bindir}/pyrsa-priv2pub +%python_clone -a 
%{buildroot}%{_bindir}/pyrsa-decrypt +%python_clone -a %{buildroot}%{_bindir}/pyrsa-decrypt-bigfile +%python_clone -a %{buildroot}%{_bindir}/pyrsa-encrypt +%python_clone -a %{buildroot}%{_bindir}/pyrsa-encrypt-bigfile +%python_clone -a %{buildroot}%{_bindir}/pyrsa-keygen +%python_clone -a %{buildroot}%{_bindir}/pyrsa-sign +%python_clone -a %{buildroot}%{_bindir}/pyrsa-verify %post -update-alternatives \ - --install %{_bindir}/pyrsa-priv2pub pyrsa-priv2pub %{_bindir}/pyrsa-priv2pub-%{py_ver} 30 \ - --slave %{_bindir}/pyrsa-keygen pyrsa-keygen %{_bindir}/pyrsa-keygen-%{py_ver} \ - --slave %{_bindir}/pyrsa-encrypt pyrsa-encrypt %{_bindir}/pyrsa-encrypt-%{py_ver} \ - --slave %{_bindir}/pyrsa-decrypt pyrsa-decrypt %{_bindir}/pyrsa-decrypt-%{py_ver} \ - --slave %{_bindir}/pyrsa-sign pyrsa-sign %{_bindir}/pyrsa-sign-%{py_ver} \ - --slave %{_bindir}/pyrsa-verify pyrsa-verify %{_bindir}/pyrsa-verify-%{py_ver} \ - --slave %{_bindir}/pyrsa-encrypt-bigfile pyrsa-encrypt-bigfile %{_bindir}/pyrsa-encrypt-bigfile-%{py_ver} \ - --slave %{_bindir}/pyrsa-decrypt-bigfile pyrsa-decrypt-bigfile %{_bindir}/pyrsa-decrypt-bigfile-%{py_ver} \ +%{python_install_alternative pyrsa-priv2pub pyrsa-decrypt pyrsa-decrypt-bigfile pyrsa-encrypt pyrsa-encrypt-bigfile pyrsa-keygen pyrsa-sign pyrsa-verify} %preun -if [ $1 -eq 0 ] ; then - update-alternatives --remove pyrsa-priv2pub %{_bindir}/pyrsa-priv2pub-%{py_ver} -fi +%python_uninstall_alternative pyrsa-priv2pub -%files +%if %{with tests} +%check +%python_exec setup.py test +%endif + +%files %{python_files} %defattr(-,root,root,-) -%doc LICENSE README.rst -%ghost %{_sysconfdir}/alternatives/pyrsa-priv2pub -%ghost %{_sysconfdir}/alternatives/pyrsa-keygen -%ghost %{_sysconfdir}/alternatives/pyrsa-encrypt -%ghost %{_sysconfdir}/alternatives/pyrsa-decrypt -%ghost %{_sysconfdir}/alternatives/pyrsa-sign -%ghost %{_sysconfdir}/alternatives/pyrsa-verify -%ghost %{_sysconfdir}/alternatives/pyrsa-encrypt-bigfile -%ghost 
%{_sysconfdir}/alternatives/pyrsa-decrypt-bigfile -%{_bindir}/pyrsa-priv2pub -%{_bindir}/pyrsa-priv2pub-%{py_ver} -%{_bindir}/pyrsa-keygen -%{_bindir}/pyrsa-keygen-%{py_ver} -%{_bindir}/pyrsa-encrypt -%{_bindir}/pyrsa-encrypt-%{py_ver} -%{_bindir}/pyrsa-decrypt -%{_bindir}/pyrsa-decrypt-%{py_ver} -%{_bindir}/pyrsa-sign -%{_bindir}/pyrsa-sign-%{py_ver} -%{_bindir}/pyrsa-verify -%{_bindir}/pyrsa-verify-%{py_ver} -%{_bindir}/pyrsa-encrypt-bigfile -%{_bindir}/pyrsa-encrypt-bigfile-%{py_ver} -%{_bindir}/pyrsa-decrypt-bigfile -%{_bindir}/pyrsa-decrypt-bigfile-%{py_ver} +%doc CHANGELOG.txt LICENSE README.md +%python_alternative %{_bindir}/pyrsa-decrypt +%python_alternative %{_bindir}/pyrsa-decrypt-bigfile +%python_alternative %{_bindir}/pyrsa-encrypt +%python_alternative %{_bindir}/pyrsa-encrypt-bigfile +%python_alternative %{_bindir}/pyrsa-keygen +%python_alternative %{_bindir}/pyrsa-priv2pub +%python_alternative %{_bindir}/pyrsa-sign +%python_alternative %{_bindir}/pyrsa-verify %{python_sitelib}/* %changelog diff --git a/rsa-3.1.4.tar.gz b/rsa-3.1.4.tar.gz deleted file mode 100644 index 6156f0e..0000000 --- a/rsa-3.1.4.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e2b0b05936c276b1edd2e1525553233b666df9e29b5c3ba223eed738277c82a0 -size 36181 diff --git a/rsa-3.4.2.tar.gz b/rsa-3.4.2.tar.gz new file mode 100644 index 0000000..3cbaba4 --- /dev/null +++ b/rsa-3.4.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:25df4e10c263fb88b5ace923dd84bf9aa7f5019687b5e55382ffcdb8bede9db5 +size 40956
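Review bot: In the `@@ -48,88 +50,45 @@` hunk of python-rsa.spec, the `%python_clone -a` and `%python_alternative` lines for `pyrsa-encrypt-bigfile` and `pyrsa-decrypt-bigfile` keep installing and registering the bigfile tools. The changelog entry added in this same commit says 3.4 deprecated the VARBLOCK format and `rsa.bigfile` because of security issues. If the tools must stay for compatibility, record that in the spec with a comment above those lines, for example `# bigfile tools are deprecated upstream for security reasons (python-rsa issue #13); kept for compatibility`. Otherwise users get no signal from the package that these two commands should not be used for new data.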