Accepting request 494648 from home:TheBlackCat:branches:devel:languages:python

singlespec version again. Resubmission with executables using update-alternatives. OBS-URL: https://build.opensuse.org/request/show/494648 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-rsa?expand=0&rev=20
2017-05-17 15:15:23 +00:00 · 2017-05-17 15:15:23 +00:00 · 26c71eca4d
commit 26c71eca4d
parent c45d4d1a46
5 changed files with 89 additions and 194 deletions
--- a/cve_2016-1494.diff
+++ b/cve_2016-1494.diff
@ -1,103 +0,0 @@
-# HG changeset patch
-# User Filippo Valsorda <hi@filippo.io>
-# Date 1450226563 0
-# Node ID 0cbcc529926afd61c6df4f50cfc29971beafd2c2
-# Parent  2baab06c8b867b01ec82b02118d4872a931a0437
-Fix BB'06 attack in verify() by switching from parsing to comparison
-
-diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
--- a/rsa/pkcs1.py
-+++ b/rsa/pkcs1.py
-@@ -22,10 +22,10 @@
- At least 8 bytes of random padding is used when encrypting a message. This makes
- these methods much more secure than the ones in the ``rsa`` module.
- 
-WARNING: this module leaks information when decryption or verification fails.
-The exceptions that are raised contain the Python traceback information, which
-can be used to deduce where in the process the failure occurred. DO NOT PASS
-SUCH INFORMATION to your users.
-+WARNING: this module leaks information when decryption fails. The exceptions
-+that are raised contain the Python traceback information, which can be used to
-+deduce where in the process the failure occurred. DO NOT PASS SUCH INFORMATION
-+to your users.
- '''
- 
- import hashlib
-@@ -288,37 +288,23 @@
-     :param pub_key: the :py:class:`rsa.PublicKey` of the person signing the message.
-     :raise VerificationError: when the signature doesn't match the message.
- 
-    .. warning::
-
-        Never display the stack trace of a
-        :py:class:`rsa.pkcs1.VerificationError` exception. It shows where in
-        the code the exception occurred, and thus leaks information about the
-        key. It's only a tiny bit of information, but every bit makes cracking
-        the keys easier.
-
-     '''
-     
-    blocksize = common.byte_size(pub_key.n)
-+    keylength = common.byte_size(pub_key.n)
-     encrypted = transform.bytes2int(signature)
-     decrypted = core.decrypt_int(encrypted, pub_key.e, pub_key.n)
-    clearsig = transform.int2bytes(decrypted, blocksize)
-
-    # If we can't find the signature  marker, verification failed.
-    if clearsig[0:2] != b('\x00\x01'):
-        raise VerificationError('Verification failed')
-+    clearsig = transform.int2bytes(decrypted, keylength)
-     
-    # Find the 00 separator between the padding and the payload
-    try:
-        sep_idx = clearsig.index(b('\x00'), 2)
-    except ValueError:
-        raise VerificationError('Verification failed')
-    
-    # Get the hash and the hash method
-    (method_name, signature_hash) = _find_method_hash(clearsig[sep_idx+1:])
-+    # Get the hash method
-+    method_name = _find_method_hash(clearsig)
-     message_hash = _hash(message, method_name)
- 
-    # Compare the real hash to the hash in the signature
-    if message_hash != signature_hash:
-+    # Reconstruct the expected padded hash
-+    cleartext = HASH_ASN1[method_name] + message_hash
-+    expected = _pad_for_signing(cleartext, keylength)
-+
-+    # Compare with the signed one
-+    if expected != clearsig:
-         raise VerificationError('Verification failed')
- 
-     return True
-@@ -351,24 +337,20 @@
-     return hasher.digest()
- 
- 
-def _find_method_hash(method_hash):
-    '''Finds the hash method and the hash itself.
-+def _find_method_hash(clearsig):
-+    '''Finds the hash method.
-     
-    :param method_hash: ASN1 code for the hash method concatenated with the
-        hash itself.
-+    :param clearsig: full padded ASN1 and hash.
-     
-    :return: tuple (method, hash) where ``method`` is the used hash method, and
-        ``hash`` is the hash itself.
-+    :return: the used hash method.
-     
-     :raise VerificationFailed: when the hash method cannot be found
- 
-     '''
- 
-     for (hashname, asn1code) in HASH_ASN1.items():
-        if not method_hash.startswith(asn1code):
-            continue
-        
-        return (hashname, method_hash[len(asn1code):])
-+        if asn1code in clearsig:
-+            return hashname
-     
-     raise VerificationError('Verification failed')
--- a/python-rsa.changes
+++ b/python-rsa.changes
@ -1,3 +1,42 @@
+-------------------------------------------------------------------
+Mon May  1 16:30:14 UTC 2017 - toddrme2178@gmail.com
+
+- Update to Version 3.4.2
+  * Fixed dates in CHANGELOG.txt
+- Update to Version 3.4.1
+  * Included tests/private.pem in MANIFEST.in
+  * Included README.md and CHANGELOG.txt in MANIFEST.in
+- Update to Version 3.4
+  * Moved development to Github: https://github.com/sybrenstuvel/python-rsa
+  * Solved side-channel vulnerability by implementing blinding, fixes #19
+  * Deprecated the VARBLOCK format and rsa.bigfile module due to security issues, see
+    https://github.com/sybrenstuvel/python-rsa/issues/13
+  * Integration with Travis-CI, Coveralls and Code Climate
+  * Deprecated the old rsa._version133 and rsa._version200 submodules, they will be
+    completely removed in version 4.0.
+  * Add an 'exponent' argument to key.newkeys()
+  * Switched from Solovay-Strassen to Miller-Rabin primality testing, to
+    comply with NIST FIPS 186-4 as probabilistic primality test
+    (Appendix C, subsection C.3):
+  * Fixed bugs #12, #14, #27, #30, #49
+- Update to Version 3.3
+  * Thanks to Filippo Valsorda: Fix BB'06 attack in verify() by
+    switching from parsing to comparison.
+  * Simplified Tox configuration and dropped Python 3.2 support. The
+    coverage package uses a u'' prefix, which was reintroduced in 3.3
+    for ease of porting.
+- Update to Version 3.2.3
+  * Added character encoding markers for Python 2.x
+- Update to Version 3.2.1
+  * Added per-file licenses
+  * Added support for wheel packages
+  * Made example code more consistent and up to date with Python 3.4
+- Update to Version 3.2
+  * Mentioned support for Python 3 in setup.py
+- Implement single-spec version.
+- Fix source URL.
+- Remove cve_2016-1494.diff, fixed in latest version.
+
 -------------------------------------------------------------------
 Tue Jan  5 18:39:56 UTC 2016 - rjschwei@suse.com

--- a/python-rsa.spec
+++ b/python-rsa.spec
@ -1,7 +1,7 @@
 #
 # spec file for package python-rsa
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -16,30 +16,32 @@
 #


+%bcond_without tests
+
+%{?!python_module:%define python_module() python-%{**} python3-%{**}}
 Name:           python-rsa
-Version:        3.1.4
+Version:        3.4.2
 Release:        0
 Url:            http://stuvel.eu/rsa
 Summary:        Pure-Python RSA Implementation
 License:        Apache-2.0
 Group:          Development/Languages/Python
-Source:         http://pypi.python.org/packages/source/r/rsa/rsa-%{version}.tar.gz
-Patch0:         cve_2016-1494.diff
+Source:         http://files.pythonhosted.org/packages/source/r/rsa/rsa-%{version}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-BuildRequires:  python-devel
-BuildRequires:  python-pyasn1
-BuildRequires:  python-setuptools
-BuildRequires:  python-unittest2
-Requires(pre):  coreutils
-Requires:       python-pyasn1
-Requires(pre):  coreutils
-Requires(post): update-alternatives
-Requires(postun): update-alternatives
-%if 0%{?suse_version} && 0%{?suse_version} <= 1110
-%{!?python_sitelib: %global python_sitelib %(python -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
-%else
-BuildArch:      noarch
+BuildRequires:  fdupes
+BuildRequires:  python-rpm-macros
+BuildRequires:  %{python_module devel}
+BuildRequires:  %{python_module setuptools}
+BuildRequires:  %{python_module pyasn1 >= 0.1.3}
+%if %{with tests}
+BuildRequires:  %{python_module nose}
 %endif
+Requires:       python-pyasn1 >= 0.1.3
+BuildArch:      noarch
+Requires(pre):    coreutils
+Requires(post):   update-alternatives
+Requires(preun):  update-alternatives
+%python_subpackages

 %description
 Python-RSA is a pure-Python RSA implementation. It supports encryption and
@ -48,88 +50,45 @@ PKCS#1 version 1.5.

 %prep
 %setup -q -n rsa-%{version}
-sed -i "s/pyrsa-priv2pub/pyrsa-priv2pub-%{py_ver}/" setup.py
-sed -i "s/pyrsa-keygen/pyrsa-keygen-%{py_ver}/" setup.py
-sed -i "s/pyrsa-encrypt =/pyrsa-encrypt-%{py_ver} =/" setup.py
-sed -i "s/pyrsa-decrypt =/pyrsa-decrypt-%{py_ver} =/" setup.py
-sed -i "s/pyrsa-sign/pyrsa-sign-%{py_ver}/" setup.py
-sed -i "s/pyrsa-verify/pyrsa-verify-%{py_ver}/" setup.py
-sed -i "s/pyrsa-encrypt-bigfile =/pyrsa-encrypt-bigfile-%{py_ver} =/" setup.py
-sed -i "s/pyrsa-decrypt-bigfile =/pyrsa-decrypt-bigfile-%{py_ver} =/" setup.py
-%patch0 -p1

 %build
-python setup.py build
+%python_build

 %install
-python setup.py install --prefix=%{_prefix} --root=%{buildroot}
+%python_install
+%python_expand %fdupes %{buildroot}%{$python_sitelib}

-# for update-alternatives
-mkdir -p %{buildroot}%{_sysconfdir}/alternatives
-for f in pyrsa-priv2pub pyrsa-keygen pyrsa-encrypt pyrsa-decrypt pyrsa-sign \
-         pyrsa-verify pyrsa-encrypt-bigfile pyrsa-decrypt-bigfile; do
-    touch %{buildroot}%{_sysconfdir}/alternatives/$f
-    ln -sf %{_sysconfdir}/alternatives/$f %{buildroot}%{_bindir}/$f
-done
-
-%check
-python run_tests.py
-
-%pre
-# Since binaries became ghosted to be used with update-alternatives, we have to get rid
-# of the old binary resulting from the non-update-alternativies-ified package:
-[ -h %{_bindir}/pyrsa-priv2pub ] || rm -f %{_bindir}/pyrsa-priv2pub
-[ -h %{_bindir}/pyrsa-keygen ] || rm -f %{_bindir}/pyrsa-keygen
-[ -h %{_bindir}/pyrsa-encrypt ] || rm -f %{_bindir}/pyrsa-encrypt
-[ -h %{_bindir}/pyrsa-decrypt ] || rm -f %{_bindir}/pyrsa-decrypt
-[ -h %{_bindir}/pyrsa-sign ] || rm -f %{_bindir}/pyrsa-sign
-[ -h %{_bindir}/pyrsa-verify ] || rm -f %{_bindir}/pyrsa-verify
-[ -h %{_bindir}/pyrsa-encrypt-bigfile ] || rm -f %{_bindir}/pyrsa-encrypt-bigfile
-[ -h %{_bindir}/pyrsa-decrypt-bigfile ] || rm -f %{_bindir}/pyrsa-decrypt-bigfile
+%python_clone -a %{buildroot}%{_bindir}/pyrsa-priv2pub
+%python_clone -a %{buildroot}%{_bindir}/pyrsa-decrypt
+%python_clone -a %{buildroot}%{_bindir}/pyrsa-decrypt-bigfile
+%python_clone -a %{buildroot}%{_bindir}/pyrsa-encrypt
+%python_clone -a %{buildroot}%{_bindir}/pyrsa-encrypt-bigfile
+%python_clone -a %{buildroot}%{_bindir}/pyrsa-keygen
+%python_clone -a %{buildroot}%{_bindir}/pyrsa-sign
+%python_clone -a %{buildroot}%{_bindir}/pyrsa-verify

 %post
-update-alternatives \
-    --install %{_bindir}/pyrsa-priv2pub pyrsa-priv2pub %{_bindir}/pyrsa-priv2pub-%{py_ver} 30 \
-    --slave %{_bindir}/pyrsa-keygen pyrsa-keygen %{_bindir}/pyrsa-keygen-%{py_ver} \
-    --slave %{_bindir}/pyrsa-encrypt pyrsa-encrypt %{_bindir}/pyrsa-encrypt-%{py_ver} \
-    --slave %{_bindir}/pyrsa-decrypt pyrsa-decrypt %{_bindir}/pyrsa-decrypt-%{py_ver} \
-    --slave %{_bindir}/pyrsa-sign pyrsa-sign %{_bindir}/pyrsa-sign-%{py_ver} \
-    --slave %{_bindir}/pyrsa-verify pyrsa-verify %{_bindir}/pyrsa-verify-%{py_ver} \
-    --slave %{_bindir}/pyrsa-encrypt-bigfile pyrsa-encrypt-bigfile %{_bindir}/pyrsa-encrypt-bigfile-%{py_ver} \
-    --slave %{_bindir}/pyrsa-decrypt-bigfile pyrsa-decrypt-bigfile %{_bindir}/pyrsa-decrypt-bigfile-%{py_ver} \
+%{python_install_alternative pyrsa-priv2pub pyrsa-decrypt pyrsa-decrypt-bigfile pyrsa-encrypt pyrsa-encrypt-bigfile pyrsa-keygen pyrsa-sign pyrsa-verify}

 %preun
-if [ $1 -eq 0 ] ; then
-    update-alternatives --remove pyrsa-priv2pub %{_bindir}/pyrsa-priv2pub-%{py_ver}
-fi
+%python_uninstall_alternative pyrsa-priv2pub

-%files
+%if %{with tests}
+%check
+%python_exec setup.py test
+%endif
+
+%files %{python_files}
 %defattr(-,root,root,-)
-%doc LICENSE README.rst
-%ghost %{_sysconfdir}/alternatives/pyrsa-priv2pub
-%ghost %{_sysconfdir}/alternatives/pyrsa-keygen
-%ghost %{_sysconfdir}/alternatives/pyrsa-encrypt
-%ghost %{_sysconfdir}/alternatives/pyrsa-decrypt
-%ghost %{_sysconfdir}/alternatives/pyrsa-sign
-%ghost %{_sysconfdir}/alternatives/pyrsa-verify
-%ghost %{_sysconfdir}/alternatives/pyrsa-encrypt-bigfile
-%ghost %{_sysconfdir}/alternatives/pyrsa-decrypt-bigfile
-%{_bindir}/pyrsa-priv2pub
-%{_bindir}/pyrsa-priv2pub-%{py_ver}
-%{_bindir}/pyrsa-keygen
-%{_bindir}/pyrsa-keygen-%{py_ver}
-%{_bindir}/pyrsa-encrypt
-%{_bindir}/pyrsa-encrypt-%{py_ver}
-%{_bindir}/pyrsa-decrypt
-%{_bindir}/pyrsa-decrypt-%{py_ver}
-%{_bindir}/pyrsa-sign
-%{_bindir}/pyrsa-sign-%{py_ver}
-%{_bindir}/pyrsa-verify
-%{_bindir}/pyrsa-verify-%{py_ver}
-%{_bindir}/pyrsa-encrypt-bigfile
-%{_bindir}/pyrsa-encrypt-bigfile-%{py_ver}
-%{_bindir}/pyrsa-decrypt-bigfile
-%{_bindir}/pyrsa-decrypt-bigfile-%{py_ver}
+%doc CHANGELOG.txt LICENSE README.md
+%python_alternative %{_bindir}/pyrsa-decrypt
+%python_alternative %{_bindir}/pyrsa-decrypt-bigfile
+%python_alternative %{_bindir}/pyrsa-encrypt
+%python_alternative %{_bindir}/pyrsa-encrypt-bigfile
+%python_alternative %{_bindir}/pyrsa-keygen
+%python_alternative %{_bindir}/pyrsa-priv2pub
+%python_alternative %{_bindir}/pyrsa-sign
+%python_alternative %{_bindir}/pyrsa-verify
 %{python_sitelib}/*

 %changelog
--- a/rsa-3.1.4.tar.gz
+++ b/rsa-3.1.4.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e2b0b05936c276b1edd2e1525553233b666df9e29b5c3ba223eed738277c82a0
-size 36181
--- a/rsa-3.4.2.tar.gz
+++ b/rsa-3.4.2.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:25df4e10c263fb88b5ace923dd84bf9aa7f5019687b5e55382ffcdb8bede9db5
+size 40956