[meta-python] python3-m2crypto: fix CVE-2020-25657 and buildpaths qa issue

Message ID	20221125023844.40757-1-kai.kang@windriver.com
State	Under Review
Headers	show Return-Path: <kai.kang@eng.windriver.com> ip: 205.220.178.238, mailfrom: prvs=8328dbcb4c=kai.kang@windriver.com) From: <kai.kang@windriver.com> To: <openembedded-devel@lists.openembedded.org> Subject: [meta-python][PATCH] python3-m2crypto: fix CVE-2020-25657 and buildpaths qa issue Date: Fri, 25 Nov 2022 10:38:44 +0800 Message-ID: <20221125023844.40757-1-kai.kang@windriver.com> MIME-Version: 1.0 Content-Type: text/plain
Series	[meta-python] python3-m2crypto: fix CVE-2020-25657 and buildpaths qa issue \| expand [meta-python] python3-m2crypto: fix CVE-2020-25657 and buildpaths qa issue

diff --git a/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch new file mode 100644 index 000000000..38ecd7a27 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-m2crypto/CVE-2020-25657.patch @@ -0,0 +1,176 @@ +Backport patch to fix CVE-2020-25657. + +Upstream-Status: Backport [https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958] + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu> +Date: Tue, 28 Jun 2022 21:17:01 +0200 +Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA + decryption API (CVE-2020-25657) + +Fixes #282 +--- + src/SWIG/_m2crypto_wrap.c | 20 ++++++++++++-------- + src/SWIG/_rsa.i | 20 ++++++++++++-------- + tests/test_rsa.py | 15 +++++++-------- + 3 files changed, 31 insertions(+), 24 deletions(-) + +diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c +index aba9eb6d..a9f30da9 100644 +--- a/src/SWIG/_m2crypto_wrap.c ++++ b/src/SWIG/_m2crypto_wrap.c +@@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { + tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, + (unsigned char *)tbuf, rsa, padding); + if (tlen == -1) { +- m2_PyErr_Msg(_rsa_err); ++ ERR_clear_error(); ++ PyErr_Clear(); + PyMem_Free(tbuf); +- return NULL; ++ Py_RETURN_NONE; + } + + ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); +@@ -7070,9 +7071,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { + tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, + (unsigned char *)tbuf, rsa, padding); + if (tlen == -1) { +- m2_PyErr_Msg(_rsa_err); ++ ERR_clear_error(); ++ PyErr_Clear(); + PyMem_Free(tbuf); +- return NULL; ++ Py_RETURN_NONE; + } + + ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); +@@ -7097,9 +7099,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { + tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, + (unsigned char *)tbuf, rsa, padding); + if (tlen == -1) { +- m2_PyErr_Msg(_rsa_err); ++ ERR_clear_error(); ++ PyErr_Clear(); + PyMem_Free(tbuf); +- return NULL; ++ Py_RETURN_NONE; + } + + ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); +@@ -7124,9 +7127,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) { + tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, + (unsigned char *)tbuf, rsa, padding); + if (tlen == -1) { +- m2_PyErr_Msg(_rsa_err); ++ ERR_clear_error(); ++ PyErr_Clear(); + PyMem_Free(tbuf); +- return NULL; ++ Py_RETURN_NONE; + } + ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); + +diff --git a/src/SWIG/_rsa.i b/src/SWIG/_rsa.i +index bc714e01..1377b8be 100644 +--- a/src/SWIG/_rsa.i ++++ b/src/SWIG/_rsa.i +@@ -239,9 +239,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) { + tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf, + (unsigned char *)tbuf, rsa, padding); + if (tlen == -1) { +- m2_PyErr_Msg(_rsa_err); ++ ERR_clear_error(); ++ PyErr_Clear(); + PyMem_Free(tbuf); +- return NULL; ++ Py_RETURN_NONE; + } + + ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); +@@ -269,9 +270,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) { + tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf, + (unsigned char *)tbuf, rsa, padding); + if (tlen == -1) { +- m2_PyErr_Msg(_rsa_err); ++ ERR_clear_error(); ++ PyErr_Clear(); + PyMem_Free(tbuf); +- return NULL; ++ Py_RETURN_NONE; + } + + ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); +@@ -296,9 +298,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) { + tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf, + (unsigned char *)tbuf, rsa, padding); + if (tlen == -1) { +- m2_PyErr_Msg(_rsa_err); ++ ERR_clear_error(); ++ PyErr_Clear(); + PyMem_Free(tbuf); +- return NULL; ++ Py_RETURN_NONE; + } + + ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); +@@ -323,9 +326,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) { + tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf, + (unsigned char *)tbuf, rsa, padding); + if (tlen == -1) { +- m2_PyErr_Msg(_rsa_err); ++ ERR_clear_error(); ++ PyErr_Clear(); + PyMem_Free(tbuf); +- return NULL; ++ Py_RETURN_NONE; + } + ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen); + +diff --git a/tests/test_rsa.py b/tests/test_rsa.py +index 7bb3af75..5e75d681 100644 +--- a/tests/test_rsa.py ++++ b/tests/test_rsa.py +@@ -109,8 +109,9 @@ class RSATestCase(unittest.TestCase): + # The other paddings. + for padding in self.s_padding_nok: + p = getattr(RSA, padding) +- with self.assertRaises(RSA.RSAError): +- priv.private_encrypt(self.data, p) ++ # Exception disabled as a part of mitigation against CVE-2020-25657 ++ # with self.assertRaises(RSA.RSAError): ++ priv.private_encrypt(self.data, p) + # Type-check the data to be encrypted. + with self.assertRaises(TypeError): + priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding) +@@ -127,10 +128,12 @@ class RSATestCase(unittest.TestCase): + self.assertEqual(ptxt, self.data) + + # no_padding +- with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): +- priv.public_encrypt(self.data, RSA.no_padding) ++ # Exception disabled as a part of mitigation against CVE-2020-25657 ++ # with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): ++ priv.public_encrypt(self.data, RSA.no_padding) + + # Type-check the data to be encrypted. ++ # Exception disabled as a part of mitigation against CVE-2020-25657 + with self.assertRaises(TypeError): + priv.public_encrypt(self.gen_callback, RSA.pkcs1_padding) + +@@ -146,10 +149,6 @@ class RSATestCase(unittest.TestCase): + b'\000\000\000\003\001\000\001') # aka 65537 aka 0xf4 + with self.assertRaises(RSA.RSAError): + setattr(rsa, 'e', '\000\000\000\003\001\000\001') +- with self.assertRaises(RSA.RSAError): +- rsa.private_encrypt(1) +- with self.assertRaises(RSA.RSAError): +- rsa.private_decrypt(1) + assert rsa.check_key() + + def test_loadpub_bad(self): +-- +GitLab + diff --git a/meta-python/recipes-devtools/python/python3-m2crypto/avoid-host-contamination.patch b/meta-python/recipes-devtools/python/python3-m2crypto/avoid-host-contamination.patch index 9d9b8449b..3cd6f7c27 100644 --- a/meta-python/recipes-devtools/python/python3-m2crypto/avoid-host-contamination.patch +++ b/meta-python/recipes-devtools/python/python3-m2crypto/avoid-host-contamination.patch @@ -1,6 +1,6 @@ Filter out '/usr/include' for swig to avoid host contamination issue. -Upstream-Status: Upstream-Status: Inappropriate [cross compile specific] +Upstream-Status: Inappropriate [cross compile specific] Signed-off-by: Kai Kang <kai.kang@windriver.com> --- diff --git a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb b/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb index 51a0dd676..40e3bfb31 100644 --- a/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb +++ b/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb @@ -7,10 +7,11 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=b0e1f0b7d0ce8a62c18b1287b991800e" FILESEXTRAPATHS:prepend := "${THISDIR}/python-m2crypto:" SRC_URI += "file://0001-setup.py-link-in-sysroot-not-in-host-directories.patch \ - file://cross-compile-platform.patch \ - file://avoid-host-contamination.patch \ - file://0001-setup.py-address-openssl-3.x-build-issue.patch \ - " + file://cross-compile-platform.patch \ + file://avoid-host-contamination.patch \ + file://0001-setup.py-address-openssl-3.x-build-issue.patch \ + file://CVE-2020-25657.patch \ + " SRC_URI[sha256sum] = "99f2260a30901c949a8dc6d5f82cd5312ffb8abc92e76633baf231bbbcb2decb" PYPI_PACKAGE = "M2Crypto" @@ -34,7 +35,7 @@ DISTUTILS_INSTALL_ARGS += "build_ext --openssl=${STAGING_EXECPREFIXDIR}" SWIG_FEATURES:x86 = "-D__i386__" SWIG_FEATURES:x32 = "-D__ILP32__" -SWIG_FEATURES ?= "-D__${HOST_ARCH}__ ${@['-D__ILP32__','-D__LP64__'][d.getVar('SITEINFO_BITS') != '32']}" +SWIG_FEATURES ?= "-D__${HOST_ARCH}__ ${@['-D__ILP32__','-D__LP64__'][d.getVar('SITEINFO_BITS') != '32']} -DOPENSSL_FILE='openssl/macros.h'" SWIG_FEATURES:append:riscv64 = " -D__SIZEOF_POINTER__=${SITEINFO_BITS}/8 -D__riscv_xlen=${SITEINFO_BITS}" SWIG_FEATURES:append:riscv32 = " -D__SIZEOF_POINTER__=${SITEINFO_BITS}/8 -D__riscv_xlen=${SITEINFO_BITS}"

[meta-python] python3-m2crypto: fix CVE-2020-25657 and buildpaths qa issue

Commit Message

Patch