On Sun, Mar 27, 2016 at 08:48:25PM +0200, Daniel Jakots wrote:
> Hi,
>
> Best news about it is that it gets rid of devel/py-unittest2.
>
> I did make test on {amd64,i386} with {python2.7,python3.4}: all's good.
Did you try building sysutils/awscli with it?
I doubt it does.
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/security/py-rsa/Makefile,v
> retrieving revision 1.3
> diff -u -p -r1.3 Makefile
> --- Makefile 8 Jan 2016 09:23:00 -0000 1.3
> +++ Makefile 27 Mar 2016 18:35:22 -0000
> @@ -2,10 +2,9 @@
>
> COMMENT= Python RSA implementation
>
> -MODPY_EGG_VERSION= 3.2.3
> +MODPY_EGG_VERSION= 3.4.1
> DISTNAME= rsa-${MODPY_EGG_VERSION}
> PKGNAME= py-${DISTNAME}
> -REVISION= 0
>
> CATEGORIES= security
>
> @@ -23,13 +22,7 @@ RUN_DEPENDS= devel/py-asn1${MODPY_FLAVO
> FLAVORS= python3
> FLAVOR ?=
>
> -.if ${FLAVOR:Mpython3}
> -# needs devel/py-unittest2,python3
> -#NO_TEST= Yes
> -.else
> -TEST_DEPENDS= ${RUN_DEPENDS} \
> - devel/py-unittest2
> -.endif
> +TEST_DEPENDS= ${RUN_DEPENDS}
>
> .if ${FLAVOR:Mpython3}
> post-install:
> @@ -39,6 +32,6 @@ post-install:
> .endif
>
> do-test:
> - cd ${WRKSRC} && ${MODPY_BIN} ./run_tests.py
> + cd ${WRKSRC} && ${MODPY_BIN} -m pytest
>
> .include <bsd.port.mk>
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/security/py-rsa/distinfo,v
> retrieving revision 1.1.1.1
> diff -u -p -r1.1.1.1 distinfo
> --- distinfo 6 Jan 2016 15:45:14 -0000 1.1.1.1
> +++ distinfo 27 Mar 2016 18:35:22 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (rsa-3.2.3.tar.gz) = FNsojMQNYzne32DXpHBTqwBLSol2pcWUAqIR2Pxb8h8=
> -SIZE (rsa-3.2.3.tar.gz) = 35628
> +SHA256 (rsa-3.4.1.tar.gz) = b7dNfX1uy63TfbrTKbMdhI+6X+i0CtbRLPfi5aoV5GQ=
> +SIZE (rsa-3.4.1.tar.gz) = 40938
> Index: patches/patch-rsa_pkcs1_py
> ===================================================================
> RCS file: patches/patch-rsa_pkcs1_py
> diff -N patches/patch-rsa_pkcs1_py
> --- patches/patch-rsa_pkcs1_py 8 Jan 2016 09:23:00 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,100 +0,0 @@
> -$OpenBSD: patch-rsa_pkcs1_py,v 1.1 2016/01/08 09:23:00 ajacoutot Exp $
> -
> -https://bitbucket.org/sybren/python-rsa/commits/0cbcc529926afd61c6df4f50cfc29971beafd2c2/raw/
> -
> ---- rsa/pkcs1.py.orig Thu Nov 5 21:23:16 2015
> -+++ rsa/pkcs1.py Fri Jan 8 10:20:09 2016
> -@@ -22,10 +22,10 @@ very clear example, read http://www.di-mgt.com.au/rsa_
> - At least 8 bytes of random padding is used when encrypting a message. This
> makes
> - these methods much more secure than the ones in the ``rsa`` module.
> -
> --WARNING: this module leaks information when decryption or verification
> fails.
> --The exceptions that are raised contain the Python traceback information,
> which
> --can be used to deduce where in the process the failure occurred. DO NOT PASS
> --SUCH INFORMATION to your users.
> -+WARNING: this module leaks information when decryption fails. The exceptions
> -+that are raised contain the Python traceback information, which can be used
> to
> -+deduce where in the process the failure occurred. DO NOT PASS SUCH
> INFORMATION
> -+to your users.
> - '''
> -
> - import hashlib
> -@@ -288,37 +288,23 @@ def verify(message, signature, pub_key):
> - :param pub_key: the :py:class:`rsa.PublicKey` of the person signing the
> message.
> - :raise VerificationError: when the signature doesn't match the message.
> -
> -- .. warning::
> --
> -- Never display the stack trace of a
> -- :py:class:`rsa.pkcs1.VerificationError` exception. It shows where in
> -- the code the exception occurred, and thus leaks information about
> the
> -- key. It's only a tiny bit of information, but every bit makes
> cracking
> -- the keys easier.
> --
> - '''
> -
> -- blocksize = common.byte_size(pub_key.n)
> -+ keylength = common.byte_size(pub_key.n)
> - encrypted = transform.bytes2int(signature)
> - decrypted = core.decrypt_int(encrypted, pub_key.e, pub_key.n)
> -- clearsig = transform.int2bytes(decrypted, blocksize)
> --
> -- # If we can't find the signature marker, verification failed.
> -- if clearsig[0:2] != b('\x00\x01'):
> -- raise VerificationError('Verification failed')
> -+ clearsig = transform.int2bytes(decrypted, keylength)
> -
> -- # Find the 00 separator between the padding and the payload
> -- try:
> -- sep_idx = clearsig.index(b('\x00'), 2)
> -- except ValueError:
> -- raise VerificationError('Verification failed')
> --
> -- # Get the hash and the hash method
> -- (method_name, signature_hash) = _find_method_hash(clearsig[sep_idx+1:])
> -+ # Get the hash method
> -+ method_name = _find_method_hash(clearsig)
> - message_hash = _hash(message, method_name)
> -
> -- # Compare the real hash to the hash in the signature
> -- if message_hash != signature_hash:
> -+ # Reconstruct the expected padded hash
> -+ cleartext = HASH_ASN1[method_name] + message_hash
> -+ expected = _pad_for_signing(cleartext, keylength)
> -+
> -+ # Compare with the signed one
> -+ if expected != clearsig:
> - raise VerificationError('Verification failed')
> -
> - return True
> -@@ -351,24 +337,20 @@ def _hash(message, method_name):
> - return hasher.digest()
> -
> -
> --def _find_method_hash(method_hash):
> -- '''Finds the hash method and the hash itself.
> -+def _find_method_hash(clearsig):
> -+ '''Finds the hash method.
> -
> -- :param method_hash: ASN1 code for the hash method concatenated with the
> -- hash itself.
> -+ :param clearsig: full padded ASN1 and hash.
> -
> -- :return: tuple (method, hash) where ``method`` is the used hash method,
> and
> -- ``hash`` is the hash itself.
> -+ :return: the used hash method.
> -
> - :raise VerificationFailed: when the hash method cannot be found
> -
> - '''
> -
> - for (hashname, asn1code) in HASH_ASN1.items():
> -- if not method_hash.startswith(asn1code):
> -- continue
> --
> -- return (hashname, method_hash[len(asn1code):])
> -+ if asn1code in clearsig:
> -+ return hashname
> -
> - raise VerificationError('Verification failed')
> -
>
--
Antoine
