LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
16982 Commits
1 Branch
46 MiB
Tree: 086ca890f6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '086ca890f6'
${ noResults }
openwrt-packages-dist/lang/python/python-crypto/patches/100-CVE-2013-7459.patch

106 lines
4.3 KiB
Raw Normal View History

python-crypto: Fix two CVEs CVE-2013-7459 and CVE-2018-6594. Both patches taken from Fedora. Also took the liberty to update the PKG_SOURCE_URL to a standard one. Updated the home URL as well. Signed-off-by: Rosen Penev <rosenp@gmail.com>
6 years ago
 
  1. From 8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4 Mon Sep 17 00:00:00 2001
  2. From: Legrandin <helderijs@gmail.com>
  3. Date: Sun, 22 Dec 2013 22:24:46 +0100
  4. Subject: [PATCH] Throw exception when IV is used with ECB or CTR
  5. 

  6. The IV parameter is currently ignored when initializing
  7. a cipher in ECB or CTR mode.
  8. 

  9. For CTR mode, it is confusing: it takes some time to see
  10. that a different parameter is needed (the counter).
  11. 

  12. For ECB mode, it is outright dangerous.
  13. 

  14. This patch forces an exception to be raised.
  15. ---

  16.  lib/Crypto/SelfTest/Cipher/common.py | 31 +++++++++++++++++++++++--------
  17.  src/block_template.c                 | 11 +++++++++++
  18.  2 files changed, 34 insertions(+), 8 deletions(-)
  19. 

  20. diff --git a/lib/Crypto/SelfTest/Cipher/common.py b/lib/Crypto/SelfTest/Cipher/common.py

  21. index 420b6ff..a5f8a88 100644

  22. --- a/lib/Crypto/SelfTest/Cipher/common.py

  23. +++ b/lib/Crypto/SelfTest/Cipher/common.py

  24. @@ -239,16 +239,30 @@ class RoundtripTest(unittest.TestCase):

  25.          return """%s .decrypt() output of .encrypt() should not be garbled""" % (self.module_name,)
  26.  
  27.      def runTest(self):
  28. -        for mode in (self.module.MODE_ECB, self.module.MODE_CBC, self.module.MODE_CFB, self.module.MODE_OFB, self.module.MODE_OPENPGP):

  29. +

  30. +        ## ECB mode

  31. +        mode = self.module.MODE_ECB

  32. +        encryption_cipher = self.module.new(a2b_hex(self.key), mode)

  33. +        ciphertext = encryption_cipher.encrypt(self.plaintext)

  34. +        decryption_cipher = self.module.new(a2b_hex(self.key), mode)

  35. +        decrypted_plaintext = decryption_cipher.decrypt(ciphertext)

  36. +        self.assertEqual(self.plaintext, decrypted_plaintext)

  37. +

  38. +        ## OPENPGP mode

  39. +        mode = self.module.MODE_OPENPGP

  40. +        encryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv)

  41. +        eiv_ciphertext = encryption_cipher.encrypt(self.plaintext)

  42. +        eiv = eiv_ciphertext[:self.module.block_size+2]

  43. +        ciphertext = eiv_ciphertext[self.module.block_size+2:]

  44. +        decryption_cipher = self.module.new(a2b_hex(self.key), mode, eiv)

  45. +        decrypted_plaintext = decryption_cipher.decrypt(ciphertext)

  46. +        self.assertEqual(self.plaintext, decrypted_plaintext)

  47. +

  48. +        ## All other non-AEAD modes (but CTR)

  49. +        for mode in (self.module.MODE_CBC, self.module.MODE_CFB, self.module.MODE_OFB):

  50.              encryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv)
  51.              ciphertext = encryption_cipher.encrypt(self.plaintext)
  52. -            

  53. -            if mode != self.module.MODE_OPENPGP:

  54. -                decryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv)

  55. -            else:

  56. -                eiv = ciphertext[:self.module.block_size+2]

  57. -                ciphertext = ciphertext[self.module.block_size+2:]

  58. -                decryption_cipher = self.module.new(a2b_hex(self.key), mode, eiv)

  59. +            decryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv)

  60.              decrypted_plaintext = decryption_cipher.decrypt(ciphertext)
  61.              self.assertEqual(self.plaintext, decrypted_plaintext)
  62.  
  63. diff --git a/src/block_template.c b/src/block_template.c

  64. index f940e0e..d555ceb 100644

  65. --- a/src/block_template.c

  66. +++ b/src/block_template.c

  67. @@ -170,6 +170,17 @@ ALGnew(PyObject *self, PyObject *args, PyObject *kwdict)

  68.  				"Key cannot be the null string");
  69.  		return NULL;
  70.  	}
  71. +	if (IVlen != 0 && mode == MODE_ECB)

  72. +	{

  73. +		PyErr_Format(PyExc_ValueError, "ECB mode does not use IV");

  74. +		return NULL;

  75. +	}

  76. +	if (IVlen != 0 && mode == MODE_CTR)

  77. +	{

  78. +		PyErr_Format(PyExc_ValueError,

  79. +			"CTR mode needs counter parameter, not IV");

  80. +		return NULL;

  81. +	}

  82.  	if (IVlen != BLOCK_SIZE && mode != MODE_ECB && mode != MODE_CTR)
  83.  	{
  84.  		PyErr_Format(PyExc_ValueError,
  85. From 58de28a5d32bc10e15766e5a59f41b07397cc6cb Mon Sep 17 00:00:00 2001
  86. From: Richard Mitchell <richard.j.mitchell@gmail.com>
  87. Date: Mon, 28 Apr 2014 16:58:27 +0100
  88. Subject: [PATCH] Fix speedtest run for ECB modes.
  89. 

  90. ---

  91.  pct-speedtest.py | 2 ++
  92.  1 file changed, 2 insertions(+)
  93. 

  94. diff --git a/pct-speedtest.py b/pct-speedtest.py

  95. index 4ce18be..c7b893a 100644

  96. --- a/pct-speedtest.py

  97. +++ b/pct-speedtest.py

  98. @@ -121,6 +121,8 @@ class Benchmark:

  99.          blocks = self.random_blocks(16384, 1000)
  100.          if mode is None:
  101.              cipher = module.new(key)
  102. +        elif mode==module.MODE_ECB:

  103. +            cipher = module.new(key, module.MODE_ECB)

  104.          else:
  105.              cipher = module.new(key, mode, iv)
  106.