summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTrevor Gamblin <tgamblin@baylibre.com>2023-07-25 15:09:39 -0400
committerKhem Raj <raj.khem@gmail.com>2023-07-25 12:46:19 -0700
commitfe48529f1c763ffaea6835837da41421c9a18ee1 (patch)
tree17234c435e13081f6bdf0b13951a7098a2e0fc86
parent109055a814b1018e484e1eb178ed0657b741d275 (diff)
downloadmeta-openembedded-fe48529f1c763ffaea6835837da41421c9a18ee1.tar.gz
python3-m2crypto: upgrade 0.38.0 -> 0.39.0
Remove the CVE-2020-25657 patch, as it is fixed in 0.39.0: [tgamblin@megalith m2crypto]$ git log --oneline --grep="CVE-2020-25657" 84c5395 Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657) [tgamblin@megalith m2crypto]$ git tag --contains 84c53958def0f510e92119fca14d74f94215827a 0.39.0 Changelog (https://gitlab.com/m2crypto/m2crypto/-/blob/master/CHANGES?ref_type=heads): 0.39.0 - 2023-01-31 ------------------- - SUPPORT FOR PYTHON 2 HAS BEEN DEPRECATED AND IT WILL BE COMPLETELY REMOVED IN THE NEXT RELEASE. - Remove dependency on parameterized and use unittest.subTest instead. - Upgrade embedded six.py module to 1.16.0 (really tiny inconsequential changes). - Make tests working on MacOS again (test_bio_membuf: Use fork) - Use OpenSSL_version_num() instead of unrealiable parsing of .h file. - Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657) - Add functionality to extract EC key from public key + Update tests - Worked around compatibility issues with OpenSSL 3.* - Support for Twisted has been deprecated (they have their own SSL support anyway). - Generate TAP while testing. - Stop using GitHub for testing. - Accept a small deviation from time in the testsuite (for systems with non-standard HZ kernel parameter). - Use the default BIO.__del__ rather tha overriding in BIO.File (avoid a memleak). - Resolve "X509_Name.as_der() method from X509.py -> class X509_Name caused segmentation fault" Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat
-rw-r--r--meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch176
-rw-r--r--meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb (renamed from meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb)3
2 files changed, 1 insertions, 178 deletions
diff --git a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch
deleted file mode 100644
index 38ecd7a276..0000000000
--- a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch
+++ /dev/null
@@ -1,176 +0,0 @@
1Backport patch to fix CVE-2020-25657.
2
3Upstream-Status: Backport [https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958]
4
5Signed-off-by: Kai Kang <kai.kang@windriver.com>
6
7From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001
8From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu>
9Date: Tue, 28 Jun 2022 21:17:01 +0200
10Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA
11 decryption API (CVE-2020-25657)
12
13Fixes #282
14---
15 src/SWIG/_m2crypto_wrap.c | 20 ++++++++++++--------
16 src/SWIG/_rsa.i | 20 ++++++++++++--------
17 tests/test_rsa.py | 15 +++++++--------
18 3 files changed, 31 insertions(+), 24 deletions(-)
19
20diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c
21index aba9eb6d..a9f30da9 100644
22--- a/src/SWIG/_m2crypto_wrap.c
23+++ b/src/SWIG/_m2crypto_wrap.c
24@@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) {
25 tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf,
26 (unsigned char *)tbuf, rsa, padding);
27 if (tlen == -1) {
28- m2_PyErr_Msg(_rsa_err);
29+ ERR_clear_error();
30+ PyErr_Clear();
31 PyMem_Free(tbuf);
32- return NULL;
33+ Py_RETURN_NONE;
34 }
35
36 ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
37@@ -7070,9 +7071,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) {
38 tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf,
39 (unsigned char *)tbuf, rsa, padding);
40 if (tlen == -1) {
41- m2_PyErr_Msg(_rsa_err);
42+ ERR_clear_error();
43+ PyErr_Clear();
44 PyMem_Free(tbuf);
45- return NULL;
46+ Py_RETURN_NONE;
47 }
48
49 ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
50@@ -7097,9 +7099,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) {
51 tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf,
52 (unsigned char *)tbuf, rsa, padding);
53 if (tlen == -1) {
54- m2_PyErr_Msg(_rsa_err);
55+ ERR_clear_error();
56+ PyErr_Clear();
57 PyMem_Free(tbuf);
58- return NULL;
59+ Py_RETURN_NONE;
60 }
61
62 ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
63@@ -7124,9 +7127,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) {
64 tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf,
65 (unsigned char *)tbuf, rsa, padding);
66 if (tlen == -1) {
67- m2_PyErr_Msg(_rsa_err);
68+ ERR_clear_error();
69+ PyErr_Clear();
70 PyMem_Free(tbuf);
71- return NULL;
72+ Py_RETURN_NONE;
73 }
74 ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
75
76diff --git a/src/SWIG/_rsa.i b/src/SWIG/_rsa.i
77index bc714e01..1377b8be 100644
78--- a/src/SWIG/_rsa.i
79+++ b/src/SWIG/_rsa.i
80@@ -239,9 +239,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) {
81 tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf,
82 (unsigned char *)tbuf, rsa, padding);
83 if (tlen == -1) {
84- m2_PyErr_Msg(_rsa_err);
85+ ERR_clear_error();
86+ PyErr_Clear();
87 PyMem_Free(tbuf);
88- return NULL;
89+ Py_RETURN_NONE;
90 }
91
92 ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
93@@ -269,9 +270,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) {
94 tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf,
95 (unsigned char *)tbuf, rsa, padding);
96 if (tlen == -1) {
97- m2_PyErr_Msg(_rsa_err);
98+ ERR_clear_error();
99+ PyErr_Clear();
100 PyMem_Free(tbuf);
101- return NULL;
102+ Py_RETURN_NONE;
103 }
104
105 ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
106@@ -296,9 +298,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) {
107 tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf,
108 (unsigned char *)tbuf, rsa, padding);
109 if (tlen == -1) {
110- m2_PyErr_Msg(_rsa_err);
111+ ERR_clear_error();
112+ PyErr_Clear();
113 PyMem_Free(tbuf);
114- return NULL;
115+ Py_RETURN_NONE;
116 }
117
118 ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
119@@ -323,9 +326,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) {
120 tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf,
121 (unsigned char *)tbuf, rsa, padding);
122 if (tlen == -1) {
123- m2_PyErr_Msg(_rsa_err);
124+ ERR_clear_error();
125+ PyErr_Clear();
126 PyMem_Free(tbuf);
127- return NULL;
128+ Py_RETURN_NONE;
129 }
130 ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
131
132diff --git a/tests/test_rsa.py b/tests/test_rsa.py
133index 7bb3af75..5e75d681 100644
134--- a/tests/test_rsa.py
135+++ b/tests/test_rsa.py
136@@ -109,8 +109,9 @@ class RSATestCase(unittest.TestCase):
137 # The other paddings.
138 for padding in self.s_padding_nok:
139 p = getattr(RSA, padding)
140- with self.assertRaises(RSA.RSAError):
141- priv.private_encrypt(self.data, p)
142+ # Exception disabled as a part of mitigation against CVE-2020-25657
143+ # with self.assertRaises(RSA.RSAError):
144+ priv.private_encrypt(self.data, p)
145 # Type-check the data to be encrypted.
146 with self.assertRaises(TypeError):
147 priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding)
148@@ -127,10 +128,12 @@ class RSATestCase(unittest.TestCase):
149 self.assertEqual(ptxt, self.data)
150
151 # no_padding
152- with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'):
153- priv.public_encrypt(self.data, RSA.no_padding)
154+ # Exception disabled as a part of mitigation against CVE-2020-25657
155+ # with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'):
156+ priv.public_encrypt(self.data, RSA.no_padding)
157
158 # Type-check the data to be encrypted.
159+ # Exception disabled as a part of mitigation against CVE-2020-25657
160 with self.assertRaises(TypeError):
161 priv.public_encrypt(self.gen_callback, RSA.pkcs1_padding)
162
163@@ -146,10 +149,6 @@ class RSATestCase(unittest.TestCase):
164 b'\000\000\000\003\001\000\001') # aka 65537 aka 0xf4
165 with self.assertRaises(RSA.RSAError):
166 setattr(rsa, 'e', '\000\000\000\003\001\000\001')
167- with self.assertRaises(RSA.RSAError):
168- rsa.private_encrypt(1)
169- with self.assertRaises(RSA.RSAError):
170- rsa.private_decrypt(1)
171 assert rsa.check_key()
172
173 def test_loadpub_bad(self):
174--
175GitLab
176
diff --git a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb b/meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb
index 40e3bfb316..3a4a700bf7 100644
--- a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb
+++ b/meta-python/recipes-devtools/python/python3-m2crypto_0.39.0.bb
@@ -10,9 +10,8 @@ SRC_URI += "file://0001-setup.py-link-in-sysroot-not-in-host-directories.patch \
10 file://cross-compile-platform.patch \ 10 file://cross-compile-platform.patch \
11 file://avoid-host-contamination.patch \ 11 file://avoid-host-contamination.patch \
12 file://0001-setup.py-address-openssl-3.x-build-issue.patch \ 12 file://0001-setup.py-address-openssl-3.x-build-issue.patch \
13 file://CVE-2020-25657.patch \
14 " 13 "
15SRC_URI[sha256sum] = "99f2260a30901c949a8dc6d5f82cd5312ffb8abc92e76633baf231bbbcb2decb" 14SRC_URI[sha256sum] = "24c0f471358b8b19ad4c8aa9da12e868030b65c1fdb3279d006df60c9501338a"
16 15
17PYPI_PACKAGE = "M2Crypto" 16PYPI_PACKAGE = "M2Crypto"
18inherit pypi siteinfo setuptools3 17inherit pypi siteinfo setuptools3
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-07-05 00:32:52 +0000