!16 init python-rsa package for openstack wallaby

From: @liksh Reviewed-by: Signed-off-by:
2021-08-20 03:34:33 +00:00 · 2021-08-20 03:34:33 +00:00 · 692e18ea0d
commit 692e18ea0d
parent 25a427ef5e b39f6e70f3
6 changed files with 8 additions and 116 deletions
--- a/0001-CVE-2020-13757.patch
+++ b/0001-CVE-2020-13757.patch
@ -1,48 +0,0 @@
-From 93af6f2f89a9bf28361e67716c4240e691520f30 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?= <sybren@stuvel.eu>
-Date: Wed, 3 Jun 2020 14:39:23 +0200
-Subject: [PATCH] Fix CVE-2020-13757: detect cyphertext modifications by
- prepending zero bytes
-
-Reject cyphertexts that have been modified by prepending zero bytes, by
-checking the cyphertext length against the expected size (given the
-decryption key). This resolves CVE-2020-13757.
-
-The same approach is used when verifying a signature.
-
-Thanks Carnil for pointing this out on https://github.com/sybrenstuvel/python-rsa/issues/146
---
- rsa/pkcs1.py        |  9 +++++++++
- 1 files changed, 9 insertions(+)
-
-diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
-index 28f0dc5..cdf830b 100644
--- a/rsa/pkcs1.py
-+++ b/rsa/pkcs1.py
-@@ -232,6 +232,12 @@ def decrypt(crypto, priv_key):
-     decrypted = priv_key.blinded_decrypt(encrypted)
-     cleartext = transform.int2bytes(decrypted, blocksize)
- 
-+    # Detect leading zeroes in the crypto. These are not reflected in the
-+    # encrypted value (as leading zeroes do not influence the value of an
-+    # integer). This fixes CVE-2020-13757.
-+    if len(crypto) > blocksize:
-+        raise DecryptionError('Decryption failed')
-+
-     # If we can't find the cleartext marker, decryption failed.
-     if cleartext[0:2] != b('\x00\x02'):
-         raise DecryptionError('Decryption failed')
-@@ -310,6 +316,9 @@ def verify(message, signature, pub_key):
-     cleartext = HASH_ASN1[method_name] + message_hash
-     expected = _pad_for_signing(cleartext, keylength)
- 
-+    if len(signature) != keylength:
-+        raise VerificationError('Verification failed')
-+
-     # Compare with the signed one
-     if expected != clearsig:
-         raise VerificationError('Verification failed')
- 
-- 
-1.8.3.1
-
--- a/0002-CVE-2020-25658.patch
+++ b/0002-CVE-2020-25658.patch
@ -1,62 +0,0 @@
-From dae8ce0d85478e16f2368b2341632775313d41ed Mon Sep 17 00:00:00 2001
-From: sybrenstuvel <sybren@stuvel.eu>
-Date: Sun, 15 Nov 2020 15:18:38 +0100
-Subject: [PATCH] Fix #165: CVE-2020-25658 - Bleichenbacher-style timing oracle
-
-Use as many constant-time comparisons as practical in the
-`rsa.pkcs1.decrypt` function.
-
-`cleartext.index(b'\x00', 2)` will still be non-constant-time. The
-alternative would be to iterate over all the data byte by byte in
-Python, which is several orders of magnitude slower. Given that a
-perfect constant-time implementation is very hard or even impossible to
-do in Python [1], I chose the more performant option here.
-
-[1]: https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/
-source link:https://github.com/sybrenstuvel/python-rsa/commit/dae8ce0d85478e16f2368b2341632775313d41ed
-
-Signed-off-by: sybrenstuvel <sybren@stuvel.eu>
---
- rsa/pkcs1.py | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
-index cdf830b..7b210a5 100644
--- a/rsa/pkcs1.py
-+++ b/rsa/pkcs1.py
-@@ -30,6 +30,7 @@ to your users.
- 
- import hashlib
- import os
-+from hmac import compare_digest
- 
- from rsa._compat import b
- from rsa import common, transform, core
-@@ -235,17 +236,20 @@ def decrypt(crypto, priv_key):
-     # Detect leading zeroes in the crypto. These are not reflected in the
-     # encrypted value (as leading zeroes do not influence the value of an
-     # integer). This fixes CVE-2020-13757.
-    if len(crypto) > blocksize:
-        raise DecryptionError('Decryption failed')
-+    crypto_len_bad = len(crypto) > blocksize
- 
-     # If we can't find the cleartext marker, decryption failed.
-    if cleartext[0:2] != b('\x00\x02'):
-        raise DecryptionError('Decryption failed')
-+    cleartext_marker_bad = not compare_digest(cleartext[:2], b'\x00\x02')
- 
-     # Find the 00 separator between the padding and the message
-     try:
-         sep_idx = cleartext.index(b('\x00'), 2)
-     except ValueError:
-+        sep_idx = -1
-+    sep_idx_bad = sep_idx < 0
-+
-+    anything_bad = crypto_len_bad | cleartext_marker_bad | sep_idx_bad
-+    if anything_bad:
-         raise DecryptionError('Decryption failed')
- 
-     return cleartext[sep_idx + 1:]
-- 
-2.27.0
-
--- a/python-rsa.spec
+++ b/python-rsa.spec
@ -1,14 +1,12 @@
 Name:           python-rsa
-Version:        3.4.2
-Release:        14
+Version:        4.7.2
+Release:        1
 Summary:        Pure-Python RSA implementation
 License:        ASL 2.0
 URL:            http://stuvel.eu/rsa
 Source0:        https://pypi.python.org/packages/source/r/rsa/rsa-%{version}.tar.gz
 BuildArch:      noarch

-Patch1: 0001-CVE-2020-13757.patch
-Patch2: 0002-CVE-2020-25658.patch

 %description
 Python-RSA is a pure-Python RSA implementation. It supports
@ -19,6 +17,7 @@ and key generation according to PKCS#1 version 1.5.
 %{?python_provide:%python_provide python3-rsa}
 Summary:        Pure-Python RSA implementation
 BuildRequires:  python3-devel, python3-setuptools, python3-pyasn1 >= 0.1.3, python3-unittest2
+BuildRequires:	python3-mypy
 Requires:       python3-pyasn1 >= 0.1.3, python3-setuptools

 %description -n python3-rsa
@ -40,8 +39,6 @@ mv $RPM_BUILD_ROOT%{_bindir}/pyrsa-encrypt $RPM_BUILD_ROOT%{_bindir}/pyrsa-encry
 mv $RPM_BUILD_ROOT%{_bindir}/pyrsa-decrypt $RPM_BUILD_ROOT%{_bindir}/pyrsa-decrypt-3
 mv $RPM_BUILD_ROOT%{_bindir}/pyrsa-sign $RPM_BUILD_ROOT%{_bindir}/pyrsa-sign-3
 mv $RPM_BUILD_ROOT%{_bindir}/pyrsa-verify $RPM_BUILD_ROOT%{_bindir}/pyrsa-verify-3
-mv $RPM_BUILD_ROOT%{_bindir}/pyrsa-encrypt-bigfile $RPM_BUILD_ROOT%{_bindir}/pyrsa-encrypt-bigfile-3
-mv $RPM_BUILD_ROOT%{_bindir}/pyrsa-decrypt-bigfile $RPM_BUILD_ROOT%{_bindir}/pyrsa-decrypt-bigfile-3

 %files -n python3-rsa
 %doc README.md
@ -53,6 +50,9 @@ mv $RPM_BUILD_ROOT%{_bindir}/pyrsa-decrypt-bigfile $RPM_BUILD_ROOT%{_bindir}/pyr
 %{__python3} setup.py test

 %changelog
+* Mon Aug 09 2021 OpenStack_SIG <openstack@openeuler.org> - 4.7.2-1
+- Package update to 4.7.2
+
 * Tue Dec 15 2020 yanglongkang <yanglongkang@huawei.com> - 3.4.2-14
 - fix CVE-2020-25658

@ -64,3 +64,4 @@ mv $RPM_BUILD_ROOT%{_bindir}/pyrsa-decrypt-bigfile $RPM_BUILD_ROOT%{_bindir}/pyr

 * Mon Feb 10 2020 Ruijun Ge <geruijun@huawei.com> - 3.4.2-11
 - package init
+
--- a/python-rsa.yaml
+++ b/python-rsa.yaml
@ -2,3 +2,4 @@ version_control: github
 src_repo: sybrenstuevl/python-rsa
 tag_prefix: version-
 seperator: .
+
--- a/rsa-3.4.2.tar.gz
+++ b/rsa-3.4.2.tar.gz
--- a/rsa-4.7.2.tar.gz
+++ b/rsa-4.7.2.tar.gz