diff options
| author | Martin Jansa <martin.jansa@gmail.com> | 2022-05-10 18:30:12 +0200 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2022-05-25 19:34:39 -0700 |
| commit | b99a386cd1398f1272798bbe3e4fc6c1be560e36 (patch) | |
| tree | 8c126a8d9cb691044ebbee67fc0ab8c3e3b18201 /meta-python/recipes-devtools/python/python3-cryptography/0002-chunking-didn-t-actually-work-5499.patch | |
| parent | abd7cf838d51900ad445a26e501baeb51b4ef1e8 (diff) | |
| download | meta-openembedded-b99a386cd1398f1272798bbe3e4fc6c1be560e36.tar.gz | |
python3-cryptography: backport 3 changes to fix CVE-2020-36242
* backport the actual code change from
https://github.com/pyca/cryptography/pull/5747
without the docs and CI changes (which aren't applicable on old 2.8
version) and backport 2 older changes to make this fix applicable
on 2.8.
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-python/recipes-devtools/python/python3-cryptography/0002-chunking-didn-t-actually-work-5499.patch')
| -rw-r--r-- | meta-python/recipes-devtools/python/python3-cryptography/0002-chunking-didn-t-actually-work-5499.patch | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-cryptography/0002-chunking-didn-t-actually-work-5499.patch b/meta-python/recipes-devtools/python/python3-cryptography/0002-chunking-didn-t-actually-work-5499.patch new file mode 100644 index 0000000000..f28f414197 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-cryptography/0002-chunking-didn-t-actually-work-5499.patch | |||
| @@ -0,0 +1,43 @@ | |||
| 1 | From 7c72190620c3ccaeeab53fdd93547ca4d37b2f6b Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Paul Kehrer <paul.l.kehrer@gmail.com> | ||
| 3 | Date: Sun, 25 Oct 2020 06:15:18 -0700 | ||
| 4 | Subject: [PATCH] chunking didn't actually work (#5499) | ||
| 5 | |||
| 6 | Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/836a92a28fbe9df8c37121e340b91ed9cd519ddd] | ||
| 7 | |||
| 8 | Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> | ||
| 9 | --- | ||
| 10 | src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +- | ||
| 11 | tests/hazmat/primitives/test_ciphers.py | 9 +++++++++ | ||
| 12 | 2 files changed, 10 insertions(+), 1 deletion(-) | ||
| 13 | |||
| 14 | diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py | ||
| 15 | index 86bc94b3..2b7da80c 100644 | ||
| 16 | --- a/src/cryptography/hazmat/backends/openssl/ciphers.py | ||
| 17 | +++ b/src/cryptography/hazmat/backends/openssl/ciphers.py | ||
| 18 | @@ -17,7 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes | ||
| 19 | class _CipherContext(object): | ||
| 20 | _ENCRYPT = 1 | ||
| 21 | _DECRYPT = 0 | ||
| 22 | - _MAX_CHUNK_SIZE = 2 ** 31 | ||
| 23 | + _MAX_CHUNK_SIZE = 2 ** 31 - 1 | ||
| 24 | |||
| 25 | def __init__(self, backend, cipher, mode, operation): | ||
| 26 | self._backend = backend | ||
| 27 | diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py | ||
| 28 | index b88610e7..fd9048b7 100644 | ||
| 29 | --- a/tests/hazmat/primitives/test_ciphers.py | ||
| 30 | +++ b/tests/hazmat/primitives/test_ciphers.py | ||
| 31 | @@ -326,3 +326,12 @@ class TestCipherUpdateInto(object): | ||
| 32 | decbuf = bytearray(527) | ||
| 33 | decprocessed = decryptor.update_into(buf[:processed], decbuf) | ||
| 34 | assert decbuf[:decprocessed] == pt | ||
| 35 | + | ||
| 36 | + def test_max_chunk_size_fits_in_int32(self, backend): | ||
| 37 | + # max chunk must fit in signed int32 or else a call large enough to | ||
| 38 | + # cause chunking will result in the very OverflowError we want to | ||
| 39 | + # avoid with chunking. | ||
| 40 | + key = b"\x00" * 16 | ||
| 41 | + c = ciphers.Cipher(AES(key), modes.ECB(), backend) | ||
| 42 | + encryptor = c.encryptor() | ||
| 43 | + backend._ffi.new("int *", encryptor._ctx._MAX_CHUNK_SIZE) | ||