1 files changed, 176 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch
new file mode 100644
index 0000000000..38ecd7a276
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch
@@ -0,0 +1,176 @@
+Backport patch to fix CVE-2020-25657.
+Upstream-Status: Backport [https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958]
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu>
+Date: Tue, 28 Jun 2022 21:17:01 +0200
+Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA
+ decryption API (CVE-2020-25657)
+Fixes #282
+---
+ src/SWIG/_m2crypto_wrap.c | 20 ++++++++++++--------
+ src/SWIG/_rsa.i           | 20 ++++++++++++--------
+ tests/test_rsa.py         | 15 +++++++--------
+ 3 files changed, 31 insertions(+), 24 deletions(-)
+diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c
+index aba9eb6d..a9f30da9 100644
+--- a/src/SWIG/_m2crypto_wrap.c
+++ b/src/SWIG/_m2crypto_wrap.c
+@@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) {
+     tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf,
+         (unsigned char *)tbuf, rsa, padding);
+     if (tlen == -1) {
+-        m2_PyErr_Msg(_rsa_err);
+        ERR_clear_error();
+        PyErr_Clear();
+         PyMem_Free(tbuf);
+-        return NULL;
+        Py_RETURN_NONE;
+     }
+ 
+     ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
+@@ -7070,9 +7071,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) {
+     tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf,
+         (unsigned char *)tbuf, rsa, padding);
+     if (tlen == -1) {
+-        m2_PyErr_Msg(_rsa_err);
+        ERR_clear_error();
+        PyErr_Clear();
+         PyMem_Free(tbuf);
+-        return NULL;
+        Py_RETURN_NONE;
+     }
+ 
+     ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
+@@ -7097,9 +7099,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) {
+     tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf,
+         (unsigned char *)tbuf, rsa, padding);
+     if (tlen == -1) {
+-        m2_PyErr_Msg(_rsa_err);
+        ERR_clear_error();
+        PyErr_Clear();
+         PyMem_Free(tbuf);
+-        return NULL;
+        Py_RETURN_NONE;
+     }
+ 
+     ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
+@@ -7124,9 +7127,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) {
+     tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf,
+         (unsigned char *)tbuf, rsa, padding);
+     if (tlen == -1) {
+-        m2_PyErr_Msg(_rsa_err);
+        ERR_clear_error();
+        PyErr_Clear();
+         PyMem_Free(tbuf);
+-        return NULL;
+        Py_RETURN_NONE;
+     }
+     ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
+ 
+diff --git a/src/SWIG/_rsa.i b/src/SWIG/_rsa.i
+index bc714e01..1377b8be 100644
+--- a/src/SWIG/_rsa.i
+++ b/src/SWIG/_rsa.i
+@@ -239,9 +239,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) {
+     tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf,
+         (unsigned char *)tbuf, rsa, padding);
+     if (tlen == -1) {
+-        m2_PyErr_Msg(_rsa_err);
+        ERR_clear_error();
+        PyErr_Clear();
+         PyMem_Free(tbuf);
+-        return NULL;
+        Py_RETURN_NONE;
+     }
+ 
+     ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
+@@ -269,9 +270,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) {
+     tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf,
+         (unsigned char *)tbuf, rsa, padding);
+     if (tlen == -1) {
+-        m2_PyErr_Msg(_rsa_err);
+        ERR_clear_error();
+        PyErr_Clear();
+         PyMem_Free(tbuf);
+-        return NULL;
+        Py_RETURN_NONE;
+     }
+ 
+     ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
+@@ -296,9 +298,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) {
+     tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf,
+         (unsigned char *)tbuf, rsa, padding);
+     if (tlen == -1) {
+-        m2_PyErr_Msg(_rsa_err);
+        ERR_clear_error();
+        PyErr_Clear();
+         PyMem_Free(tbuf);
+-        return NULL;
+        Py_RETURN_NONE;
+     }
+ 
+     ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
+@@ -323,9 +326,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) {
+     tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf,
+         (unsigned char *)tbuf, rsa, padding);
+     if (tlen == -1) {
+-        m2_PyErr_Msg(_rsa_err);
+        ERR_clear_error();
+        PyErr_Clear();
+         PyMem_Free(tbuf);
+-        return NULL;
+        Py_RETURN_NONE;
+     }
+     ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
+ 
+diff --git a/tests/test_rsa.py b/tests/test_rsa.py
+index 7bb3af75..5e75d681 100644
+--- a/tests/test_rsa.py
+++ b/tests/test_rsa.py
+@@ -109,8 +109,9 @@ class RSATestCase(unittest.TestCase):
+         # The other paddings.
+         for padding in self.s_padding_nok:
+             p = getattr(RSA, padding)
+-            with self.assertRaises(RSA.RSAError):
+-                priv.private_encrypt(self.data, p)
+            # Exception disabled as a part of mitigation against CVE-2020-25657
+            # with self.assertRaises(RSA.RSAError):
+            priv.private_encrypt(self.data, p)
+         # Type-check the data to be encrypted.
+         with self.assertRaises(TypeError):
+             priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding)
+@@ -127,10 +128,12 @@ class RSATestCase(unittest.TestCase):
+             self.assertEqual(ptxt, self.data)
+ 
+         # no_padding
+-        with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'):
+-            priv.public_encrypt(self.data, RSA.no_padding)
+        # Exception disabled as a part of mitigation against CVE-2020-25657
+        # with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'):
+        priv.public_encrypt(self.data, RSA.no_padding)
+ 
+         # Type-check the data to be encrypted.
+        # Exception disabled as a part of mitigation against CVE-2020-25657
+         with self.assertRaises(TypeError):
+             priv.public_encrypt(self.gen_callback, RSA.pkcs1_padding)
+ 
+@@ -146,10 +149,6 @@ class RSATestCase(unittest.TestCase):
+                          b'\000\000\000\003\001\000\001')  # aka 65537 aka 0xf4
+         with self.assertRaises(RSA.RSAError):
+             setattr(rsa, 'e', '\000\000\000\003\001\000\001')
+-        with self.assertRaises(RSA.RSAError):
+-            rsa.private_encrypt(1)
+-        with self.assertRaises(RSA.RSAError):
+-            rsa.private_decrypt(1)
+         assert rsa.check_key()
+ 
+     def test_loadpub_bad(self):
+-- 
+GitLab

diff --git a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch new file mode 100644 index 0000000000..38ecd7a276 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch
@@ -0,0 +1,176 @@
	1	Backport patch to fix CVE-2020-25657.
	2
	3	Upstream-Status: Backport [https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958]
	4
	5	Signed-off-by: Kai Kang <kai.kang@windriver.com>
	6
	7	From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001
	8	From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu>
	9	Date: Tue, 28 Jun 2022 21:17:01 +0200
	10	Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA
	11	decryption API (CVE-2020-25657)
	12
	13	Fixes #282
	14	---
	15	src/SWIG/_m2crypto_wrap.c \| 20 ++++++++++++--------
	16	src/SWIG/_rsa.i \| 20 ++++++++++++--------
	17	tests/test_rsa.py \| 15 +++++++--------
	18	3 files changed, 31 insertions(+), 24 deletions(-)
	19
	20	diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c
	21	index aba9eb6d..a9f30da9 100644
	22	--- a/src/SWIG/_m2crypto_wrap.c
	23	+++ b/src/SWIG/_m2crypto_wrap.c
	24	@@ -7040,9 +7040,10 @@ PyObject rsa_private_encrypt(RSA rsa, PyObject *from, int padding) {
	25	tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf,
	26	(unsigned char *)tbuf, rsa, padding);
	27	if (tlen == -1) {
	28	- m2_PyErr_Msg(_rsa_err);
	29	+ ERR_clear_error();
	30	+ PyErr_Clear();
	31	PyMem_Free(tbuf);
	32	- return NULL;
	33	+ Py_RETURN_NONE;
	34	}
	35
	36	ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
	37	@@ -7070,9 +7071,10 @@ PyObject rsa_public_decrypt(RSA rsa, PyObject *from, int padding) {
	38	tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf,
	39	(unsigned char *)tbuf, rsa, padding);
	40	if (tlen == -1) {
	41	- m2_PyErr_Msg(_rsa_err);
	42	+ ERR_clear_error();
	43	+ PyErr_Clear();
	44	PyMem_Free(tbuf);
	45	- return NULL;
	46	+ Py_RETURN_NONE;
	47	}
	48
	49	ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
	50	@@ -7097,9 +7099,10 @@ PyObject rsa_public_encrypt(RSA rsa, PyObject *from, int padding) {
	51	tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf,
	52	(unsigned char *)tbuf, rsa, padding);
	53	if (tlen == -1) {
	54	- m2_PyErr_Msg(_rsa_err);
	55	+ ERR_clear_error();
	56	+ PyErr_Clear();
	57	PyMem_Free(tbuf);
	58	- return NULL;
	59	+ Py_RETURN_NONE;
	60	}
	61
	62	ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
	63	@@ -7124,9 +7127,10 @@ PyObject rsa_private_decrypt(RSA rsa, PyObject *from, int padding) {
	64	tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf,
	65	(unsigned char *)tbuf, rsa, padding);
	66	if (tlen == -1) {
	67	- m2_PyErr_Msg(_rsa_err);
	68	+ ERR_clear_error();
	69	+ PyErr_Clear();
	70	PyMem_Free(tbuf);
	71	- return NULL;
	72	+ Py_RETURN_NONE;
	73	}
	74	ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
	75
	76	diff --git a/src/SWIG/_rsa.i b/src/SWIG/_rsa.i
	77	index bc714e01..1377b8be 100644
	78	--- a/src/SWIG/_rsa.i
	79	+++ b/src/SWIG/_rsa.i
	80	@@ -239,9 +239,10 @@ PyObject rsa_private_encrypt(RSA rsa, PyObject *from, int padding) {
	81	tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf,
	82	(unsigned char *)tbuf, rsa, padding);
	83	if (tlen == -1) {
	84	- m2_PyErr_Msg(_rsa_err);
	85	+ ERR_clear_error();
	86	+ PyErr_Clear();
	87	PyMem_Free(tbuf);
	88	- return NULL;
	89	+ Py_RETURN_NONE;
	90	}
	91
	92	ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
	93	@@ -269,9 +270,10 @@ PyObject rsa_public_decrypt(RSA rsa, PyObject *from, int padding) {
	94	tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf,
	95	(unsigned char *)tbuf, rsa, padding);
	96	if (tlen == -1) {
	97	- m2_PyErr_Msg(_rsa_err);
	98	+ ERR_clear_error();
	99	+ PyErr_Clear();
	100	PyMem_Free(tbuf);
	101	- return NULL;
	102	+ Py_RETURN_NONE;
	103	}
	104
	105	ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
	106	@@ -296,9 +298,10 @@ PyObject rsa_public_encrypt(RSA rsa, PyObject *from, int padding) {
	107	tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf,
	108	(unsigned char *)tbuf, rsa, padding);
	109	if (tlen == -1) {
	110	- m2_PyErr_Msg(_rsa_err);
	111	+ ERR_clear_error();
	112	+ PyErr_Clear();
	113	PyMem_Free(tbuf);
	114	- return NULL;
	115	+ Py_RETURN_NONE;
	116	}
	117
	118	ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
	119	@@ -323,9 +326,10 @@ PyObject rsa_private_decrypt(RSA rsa, PyObject *from, int padding) {
	120	tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf,
	121	(unsigned char *)tbuf, rsa, padding);
	122	if (tlen == -1) {
	123	- m2_PyErr_Msg(_rsa_err);
	124	+ ERR_clear_error();
	125	+ PyErr_Clear();
	126	PyMem_Free(tbuf);
	127	- return NULL;
	128	+ Py_RETURN_NONE;
	129	}
	130	ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
	131
	132	diff --git a/tests/test_rsa.py b/tests/test_rsa.py
	133	index 7bb3af75..5e75d681 100644
	134	--- a/tests/test_rsa.py
	135	+++ b/tests/test_rsa.py
	136	@@ -109,8 +109,9 @@ class RSATestCase(unittest.TestCase):
	137	# The other paddings.
	138	for padding in self.s_padding_nok:
	139	p = getattr(RSA, padding)
	140	- with self.assertRaises(RSA.RSAError):
	141	- priv.private_encrypt(self.data, p)
	142	+ # Exception disabled as a part of mitigation against CVE-2020-25657
	143	+ # with self.assertRaises(RSA.RSAError):
	144	+ priv.private_encrypt(self.data, p)
	145	# Type-check the data to be encrypted.
	146	with self.assertRaises(TypeError):
	147	priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding)
	148	@@ -127,10 +128,12 @@ class RSATestCase(unittest.TestCase):
	149	self.assertEqual(ptxt, self.data)
	150
	151	# no_padding
	152	- with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'):
	153	- priv.public_encrypt(self.data, RSA.no_padding)
	154	+ # Exception disabled as a part of mitigation against CVE-2020-25657
	155	+ # with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'):
	156	+ priv.public_encrypt(self.data, RSA.no_padding)
	157
	158	# Type-check the data to be encrypted.
	159	+ # Exception disabled as a part of mitigation against CVE-2020-25657
	160	with self.assertRaises(TypeError):
	161	priv.public_encrypt(self.gen_callback, RSA.pkcs1_padding)
	162
	163	@@ -146,10 +149,6 @@ class RSATestCase(unittest.TestCase):
	164	b'\000\000\000\003\001\000\001') # aka 65537 aka 0xf4
	165	with self.assertRaises(RSA.RSAError):
	166	setattr(rsa, 'e', '\000\000\000\003\001\000\001')
	167	- with self.assertRaises(RSA.RSAError):
	168	- rsa.private_encrypt(1)
	169	- with self.assertRaises(RSA.RSAError):
	170	- rsa.private_decrypt(1)
	171	assert rsa.check_key()
	172
	173	def test_loadpub_bad(self):
	174	--
	175	GitLab
	176