Re: update security/py-rsa to 3.4.1
On Sun, Mar 27, 2016 at 08:48:25PM +0200, Daniel Jakots wrote: > Hi, > > Best news about it is that it gets rid of devel/py-unittest2. > > I did make test on {amd64,i386} with {python2.7,python3.4}: all's good. Did you try building sysutils/awscli with it? I doubt it does. > Index: Makefile > === > RCS file: /cvs/ports/security/py-rsa/Makefile,v > retrieving revision 1.3 > diff -u -p -r1.3 Makefile > --- Makefile 8 Jan 2016 09:23:00 - 1.3 > +++ Makefile 27 Mar 2016 18:35:22 - > @@ -2,10 +2,9 @@ > > COMMENT= Python RSA implementation > > -MODPY_EGG_VERSION= 3.2.3 > +MODPY_EGG_VERSION= 3.4.1 > DISTNAME=rsa-${MODPY_EGG_VERSION} > PKGNAME= py-${DISTNAME} > -REVISION=0 > > CATEGORIES= security > > @@ -23,13 +22,7 @@ RUN_DEPENDS= devel/py-asn1${MODPY_FLAVO > FLAVORS= python3 > FLAVOR ?= > > -.if ${FLAVOR:Mpython3} > -# needs devel/py-unittest2,python3 > -#NO_TEST=Yes > -.else > -TEST_DEPENDS=${RUN_DEPENDS} \ > - devel/py-unittest2 > -.endif > +TEST_DEPENDS=${RUN_DEPENDS} > > .if ${FLAVOR:Mpython3} > post-install: > @@ -39,6 +32,6 @@ post-install: > .endif > > do-test: > - cd ${WRKSRC} && ${MODPY_BIN} ./run_tests.py > + cd ${WRKSRC} && ${MODPY_BIN} -m pytest > > .include > Index: distinfo > === > RCS file: /cvs/ports/security/py-rsa/distinfo,v > retrieving revision 1.1.1.1 > diff -u -p -r1.1.1.1 distinfo > --- distinfo 6 Jan 2016 15:45:14 - 1.1.1.1 > +++ distinfo 27 Mar 2016 18:35:22 - > @@ -1,2 +1,2 @@ > -SHA256 (rsa-3.2.3.tar.gz) = FNsojMQNYzne32DXpHBTqwBLSol2pcWUAqIR2Pxb8h8= > -SIZE (rsa-3.2.3.tar.gz) = 35628 > +SHA256 (rsa-3.4.1.tar.gz) = b7dNfX1uy63TfbrTKbMdhI+6X+i0CtbRLPfi5aoV5GQ= > +SIZE (rsa-3.4.1.tar.gz) = 40938 > Index: patches/patch-rsa_pkcs1_py > === > RCS file: patches/patch-rsa_pkcs1_py > diff -N patches/patch-rsa_pkcs1_py > --- patches/patch-rsa_pkcs1_py8 Jan 2016 09:23:00 - 1.1 > +++ /dev/null 1 Jan 1970 00:00:00 - > @@ -1,100 +0,0 @@ > -$OpenBSD: patch-rsa_pkcs1_py,v 1.1 2016/01/08 09:23:00 ajacoutot Exp $ > - > -https://bitbucket.org/sybren/python-rsa/commits/0cbcc529926afd61c6df4f50cfc29971beafd2c2/raw/ > - > rsa/pkcs1.py.origThu Nov 5 21:23:16 2015 > -+++ rsa/pkcs1.py Fri Jan 8 10:20:09 2016 > -@@ -22,10 +22,10 @@ very clear example, read http://www.di-mgt.com.au/rsa_ > - At least 8 bytes of random padding is used when encrypting a message. This > makes > - these methods much more secure than the ones in the ``rsa`` module. > - > --WARNING: this module leaks information when decryption or verification > fails. > --The exceptions that are raised contain the Python traceback information, > which > --can be used to deduce where in the process the failure occurred. DO NOT PASS > --SUCH INFORMATION to your users. > -+WARNING: this module leaks information when decryption fails. The exceptions > -+that are raised contain the Python traceback information, which can be used > to > -+deduce where in the process the failure occurred. DO NOT PASS SUCH > INFORMATION > -+to your users. > - ''' > - > - import hashlib > -@@ -288,37 +288,23 @@ def verify(message, signature, pub_key): > - :param pub_key: the :py:class:`rsa.PublicKey` of the person signing the > message. > - :raise VerificationError: when the signature doesn't match the message. > - > --.. warning:: > -- > --Never display the stack trace of a > --:py:class:`rsa.pkcs1.VerificationError` exception. It shows where in > --the code the exception occurred, and thus leaks information about > the > --key. It's only a tiny bit of information, but every bit makes > cracking > --the keys easier. > -- > - ''' > - > --blocksize = common.byte_size(pub_key.n) > -+keylength = common.byte_size(pub_key.n) > - encrypted = transform.bytes2int(signature) > - decrypted = core.decrypt_int(encrypted, pub_key.e, pub_key.n) > --clearsig = transform.int2bytes(decrypted, blocksize) > -- > --# If we can't find the signature marker, verification failed. > --if clearsig[0:2] != b('\x00\x01'): > --raise VerificationError('Verification failed') > -+clearsig = transform.int2bytes(decrypted, keylength) > - > --# Find the 00 separator between the padding and the payload > --try: > --sep_idx = clearsig.index(b('\x00'), 2) > --except ValueError: > --raise VerificationError('Verification failed') > -- > --# Get the hash and the hash method > --(method_name, signature_hash) = _find_method_hash(clearsig[sep_idx+1:]) > -+# Get the hash method > -+method_name =
Re: update security/py-rsa to 3.4.1
Daniel Jakotswrites: > Hi, > > Best news about it is that it gets rid of devel/py-unittest2. > > I did make test on {amd64,i386} with {python2.7,python3.4}: all's good. As discussed, better get tests for sysutils/awscli. Note that you're missing a test-dep on devel/py-test${MODPY_FLAVOR}. TEST_DEPENDS can be moved up, below RUN_DEPENDS. With those items addressed, ok jca@ -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
update security/py-rsa to 3.4.1
Hi, Best news about it is that it gets rid of devel/py-unittest2. I did make test on {amd64,i386} with {python2.7,python3.4}: all's good. Cheers, Daniel Index: Makefile === RCS file: /cvs/ports/security/py-rsa/Makefile,v retrieving revision 1.3 diff -u -p -r1.3 Makefile --- Makefile8 Jan 2016 09:23:00 - 1.3 +++ Makefile27 Mar 2016 18:35:22 - @@ -2,10 +2,9 @@ COMMENT= Python RSA implementation -MODPY_EGG_VERSION= 3.2.3 +MODPY_EGG_VERSION= 3.4.1 DISTNAME= rsa-${MODPY_EGG_VERSION} PKGNAME= py-${DISTNAME} -REVISION= 0 CATEGORIES=security @@ -23,13 +22,7 @@ RUN_DEPENDS= devel/py-asn1${MODPY_FLAVO FLAVORS= python3 FLAVOR ?= -.if ${FLAVOR:Mpython3} -# needs devel/py-unittest2,python3 -#NO_TEST= Yes -.else -TEST_DEPENDS= ${RUN_DEPENDS} \ - devel/py-unittest2 -.endif +TEST_DEPENDS= ${RUN_DEPENDS} .if ${FLAVOR:Mpython3} post-install: @@ -39,6 +32,6 @@ post-install: .endif do-test: - cd ${WRKSRC} && ${MODPY_BIN} ./run_tests.py + cd ${WRKSRC} && ${MODPY_BIN} -m pytest .include Index: distinfo === RCS file: /cvs/ports/security/py-rsa/distinfo,v retrieving revision 1.1.1.1 diff -u -p -r1.1.1.1 distinfo --- distinfo6 Jan 2016 15:45:14 - 1.1.1.1 +++ distinfo27 Mar 2016 18:35:22 - @@ -1,2 +1,2 @@ -SHA256 (rsa-3.2.3.tar.gz) = FNsojMQNYzne32DXpHBTqwBLSol2pcWUAqIR2Pxb8h8= -SIZE (rsa-3.2.3.tar.gz) = 35628 +SHA256 (rsa-3.4.1.tar.gz) = b7dNfX1uy63TfbrTKbMdhI+6X+i0CtbRLPfi5aoV5GQ= +SIZE (rsa-3.4.1.tar.gz) = 40938 Index: patches/patch-rsa_pkcs1_py === RCS file: patches/patch-rsa_pkcs1_py diff -N patches/patch-rsa_pkcs1_py --- patches/patch-rsa_pkcs1_py 8 Jan 2016 09:23:00 - 1.1 +++ /dev/null 1 Jan 1970 00:00:00 - @@ -1,100 +0,0 @@ -$OpenBSD: patch-rsa_pkcs1_py,v 1.1 2016/01/08 09:23:00 ajacoutot Exp $ - -https://bitbucket.org/sybren/python-rsa/commits/0cbcc529926afd61c6df4f50cfc29971beafd2c2/raw/ - rsa/pkcs1.py.orig Thu Nov 5 21:23:16 2015 -+++ rsa/pkcs1.py Fri Jan 8 10:20:09 2016 -@@ -22,10 +22,10 @@ very clear example, read http://www.di-mgt.com.au/rsa_ - At least 8 bytes of random padding is used when encrypting a message. This makes - these methods much more secure than the ones in the ``rsa`` module. - --WARNING: this module leaks information when decryption or verification fails. --The exceptions that are raised contain the Python traceback information, which --can be used to deduce where in the process the failure occurred. DO NOT PASS --SUCH INFORMATION to your users. -+WARNING: this module leaks information when decryption fails. The exceptions -+that are raised contain the Python traceback information, which can be used to -+deduce where in the process the failure occurred. DO NOT PASS SUCH INFORMATION -+to your users. - ''' - - import hashlib -@@ -288,37 +288,23 @@ def verify(message, signature, pub_key): - :param pub_key: the :py:class:`rsa.PublicKey` of the person signing the message. - :raise VerificationError: when the signature doesn't match the message. - --.. warning:: -- --Never display the stack trace of a --:py:class:`rsa.pkcs1.VerificationError` exception. It shows where in --the code the exception occurred, and thus leaks information about the --key. It's only a tiny bit of information, but every bit makes cracking --the keys easier. -- - ''' - --blocksize = common.byte_size(pub_key.n) -+keylength = common.byte_size(pub_key.n) - encrypted = transform.bytes2int(signature) - decrypted = core.decrypt_int(encrypted, pub_key.e, pub_key.n) --clearsig = transform.int2bytes(decrypted, blocksize) -- --# If we can't find the signature marker, verification failed. --if clearsig[0:2] != b('\x00\x01'): --raise VerificationError('Verification failed') -+clearsig = transform.int2bytes(decrypted, keylength) - --# Find the 00 separator between the padding and the payload --try: --sep_idx = clearsig.index(b('\x00'), 2) --except ValueError: --raise VerificationError('Verification failed') -- --# Get the hash and the hash method --(method_name, signature_hash) = _find_method_hash(clearsig[sep_idx+1:]) -+# Get the hash method -+method_name = _find_method_hash(clearsig) - message_hash = _hash(message, method_name) - --# Compare the real hash to the hash in the signature --if message_hash != signature_hash: -+# Reconstruct the expected padded hash -+cleartext = HASH_ASN1[method_name] + message_hash -+expected = _pad_for_signing(cleartext, keylength) -+ -+# Compare with the signed one -+if