3 files changed, 179 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-cryptography/0001-chunked-update_into-5419.patch b/meta-python/recipes-devtools/python/python3-cryptography/0001-chunked-update_into-5419.patch
new file mode 100644
index 0000000000..c5d7ca3860
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-cryptography/0001-chunked-update_into-5419.patch
@@ -0,0 +1,99 @@
+From 7dee5927eb528f7ddebd62fbab31232d505acc22 Mon Sep 17 00:00:00 2001
+From: Paul Kehrer <paul.l.kehrer@gmail.com>
+Date: Sun, 23 Aug 2020 23:41:33 -0500
+Subject: [PATCH] chunked update_into (#5419)
+* chunked update_into
+* all pointer arithmetic all the time
+* review feedback
+Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/f90ba1808ee9bd9a13c5673b776484644f29d7ba]
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+ .../hazmat/backends/openssl/ciphers.py        | 31 +++++++++++++------
+ tests/hazmat/primitives/test_ciphers.py       | 17 ++++++++++
+ 2 files changed, 38 insertions(+), 10 deletions(-)
+diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
+index 94b48f52..86bc94b3 100644
+--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
+@@ -17,6 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes
+ class _CipherContext(object):
+     _ENCRYPT = 1
+     _DECRYPT = 0
+    _MAX_CHUNK_SIZE = 2 ** 31
+ 
+     def __init__(self, backend, cipher, mode, operation):
+         self._backend = backend
+@@ -125,22 +126,32 @@ class _CipherContext(object):
+         return bytes(buf[:n])
+ 
+     def update_into(self, data, buf):
+-        if len(buf) < (len(data) + self._block_size_bytes - 1):
+        total_data_len = len(data)
+        if len(buf) < (total_data_len + self._block_size_bytes - 1):
+             raise ValueError(
+                 "buffer must be at least {} bytes for this "
+                 "payload".format(len(data) + self._block_size_bytes - 1)
+             )
+ 
+-        buf = self._backend._ffi.cast(
+-            "unsigned char *", self._backend._ffi.from_buffer(buf)
+-        )
+        data_processed = 0
+        total_out = 0
+         outlen = self._backend._ffi.new("int *")
+-        res = self._backend._lib.EVP_CipherUpdate(
+-            self._ctx, buf, outlen,
+-            self._backend._ffi.from_buffer(data), len(data)
+-        )
+-        self._backend.openssl_assert(res != 0)
+-        return outlen[0]
+        baseoutbuf = self._backend._ffi.from_buffer(buf)
+        baseinbuf = self._backend._ffi.from_buffer(data)
+
+        while data_processed != total_data_len:
+            outbuf = baseoutbuf + total_out
+            inbuf = baseinbuf + data_processed
+            inlen = min(self._MAX_CHUNK_SIZE, total_data_len - data_processed)
+
+            res = self._backend._lib.EVP_CipherUpdate(
+                self._ctx, outbuf, outlen, inbuf, inlen
+            )
+            self._backend.openssl_assert(res != 0)
+            data_processed += inlen
+            total_out += outlen[0]
+
+        return total_out
+ 
+     def finalize(self):
+         # OpenSSL 1.0.1 on Ubuntu 12.04 (and possibly other distributions)
+diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
+index f29ba9a9..b88610e7 100644
+--- a/tests/hazmat/primitives/test_ciphers.py
+++ b/tests/hazmat/primitives/test_ciphers.py
+@@ -309,3 +309,20 @@ class TestCipherUpdateInto(object):
+         buf = bytearray(5)
+         with pytest.raises(ValueError):
+             encryptor.update_into(b"testing", buf)
+
+    def test_update_into_auto_chunking(self, backend, monkeypatch):
+        key = b"\x00" * 16
+        c = ciphers.Cipher(AES(key), modes.ECB(), backend)
+        encryptor = c.encryptor()
+        # Lower max chunk size so we can test chunking
+        monkeypatch.setattr(encryptor._ctx, "_MAX_CHUNK_SIZE", 40)
+        buf = bytearray(527)
+        pt = b"abcdefghijklmnopqrstuvwxyz012345" * 16  # 512 bytes
+        processed = encryptor.update_into(pt, buf)
+        assert processed == 512
+        decryptor = c.decryptor()
+        # Change max chunk size to verify alternate boundaries don't matter
+        monkeypatch.setattr(decryptor._ctx, "_MAX_CHUNK_SIZE", 73)
+        decbuf = bytearray(527)
+        decprocessed = decryptor.update_into(buf[:processed], decbuf)
+        assert decbuf[:decprocessed] == pt
diff --git a/meta-python/recipes-devtools/python/python3-cryptography/0002-chunking-didn-t-actually-work-5499.patch b/meta-python/recipes-devtools/python/python3-cryptography/0002-chunking-didn-t-actually-work-5499.patch
new file mode 100644
index 0000000000..f28f414197
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-cryptography/0002-chunking-didn-t-actually-work-5499.patch
@@ -0,0 +1,43 @@
+From 7c72190620c3ccaeeab53fdd93547ca4d37b2f6b Mon Sep 17 00:00:00 2001
+From: Paul Kehrer <paul.l.kehrer@gmail.com>
+Date: Sun, 25 Oct 2020 06:15:18 -0700
+Subject: [PATCH] chunking didn't actually work (#5499)
+Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/836a92a28fbe9df8c37121e340b91ed9cd519ddd]
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+ src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
+ tests/hazmat/primitives/test_ciphers.py             | 9 +++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
+index 86bc94b3..2b7da80c 100644
+--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
+@@ -17,7 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes
+ class _CipherContext(object):
+     _ENCRYPT = 1
+     _DECRYPT = 0
+-    _MAX_CHUNK_SIZE = 2 ** 31
+    _MAX_CHUNK_SIZE = 2 ** 31 - 1
+ 
+     def __init__(self, backend, cipher, mode, operation):
+         self._backend = backend
+diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
+index b88610e7..fd9048b7 100644
+--- a/tests/hazmat/primitives/test_ciphers.py
+++ b/tests/hazmat/primitives/test_ciphers.py
+@@ -326,3 +326,12 @@ class TestCipherUpdateInto(object):
+         decbuf = bytearray(527)
+         decprocessed = decryptor.update_into(buf[:processed], decbuf)
+         assert decbuf[:decprocessed] == pt
+
+    def test_max_chunk_size_fits_in_int32(self, backend):
+        # max chunk must fit in signed int32 or else a call large enough to
+        # cause chunking will result in the very OverflowError we want to
+        # avoid with chunking.
+        key = b"\x00" * 16
+        c = ciphers.Cipher(AES(key), modes.ECB(), backend)
+        encryptor = c.encryptor()
+        backend._ffi.new("int *", encryptor._ctx._MAX_CHUNK_SIZE)
diff --git a/meta-python/recipes-devtools/python/python3-cryptography/0003-correct-buffer-overflows-cause-by-integer-overflow-i.patch b/meta-python/recipes-devtools/python/python3-cryptography/0003-correct-buffer-overflows-cause-by-integer-overflow-i.patch
new file mode 100644
index 0000000000..449dd692e6
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-cryptography/0003-correct-buffer-overflows-cause-by-integer-overflow-i.patch
@@ -0,0 +1,37 @@
+From 6d0a76521abe287f5ddb5cd1cfbc799d35f08cf9 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Sun, 7 Feb 2021 11:36:56 -0500
+Subject: [PATCH] correct buffer overflows cause by integer overflow in openssl
+ (#5747)
+* correct buffer overflows cause by integer overflow in openssl
+frustratingly, there is no test for this -- that's because testing this
+requires allocating more memory than is available in CI.
+fixes #5615.
+* backport CI fixes
+* another CI backport
+Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/82b6ce28389f0a317bc55ba2091a74b346db7cae]
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+ src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
+index 2b7da80c..7ef5f1ea 100644
+--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
+@@ -17,7 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes
+ class _CipherContext(object):
+     _ENCRYPT = 1
+     _DECRYPT = 0
+-    _MAX_CHUNK_SIZE = 2 ** 31 - 1
+    _MAX_CHUNK_SIZE = 2 ** 30 - 1
+ 
+     def __init__(self, backend, cipher, mode, operation):
+         self._backend = backend

diff --git a/meta-python/recipes-devtools/python/python3-cryptography/0001-chunked-update_into-5419.patch b/meta-python/recipes-devtools/python/python3-cryptography/0001-chunked-update_into-5419.patch new file mode 100644 index 0000000000..c5d7ca3860 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-cryptography/0001-chunked-update_into-5419.patch
@@ -0,0 +1,99 @@
	1	From 7dee5927eb528f7ddebd62fbab31232d505acc22 Mon Sep 17 00:00:00 2001
	2	From: Paul Kehrer <paul.l.kehrer@gmail.com>
	3	Date: Sun, 23 Aug 2020 23:41:33 -0500
	4	Subject: [PATCH] chunked update_into (#5419)
	5
	6	* chunked update_into
	7
	8	* all pointer arithmetic all the time
	9
	10	* review feedback
	11
	12	Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/f90ba1808ee9bd9a13c5673b776484644f29d7ba]
	13
	14	Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
	15	---
	16	.../hazmat/backends/openssl/ciphers.py \| 31 +++++++++++++------
	17	tests/hazmat/primitives/test_ciphers.py \| 17 ++++++++++
	18	2 files changed, 38 insertions(+), 10 deletions(-)
	19
	20	diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
	21	index 94b48f52..86bc94b3 100644
	22	--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
	23	+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
	24	@@ -17,6 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes
	25	class _CipherContext(object):
	26	_ENCRYPT = 1
	27	_DECRYPT = 0
	28	+ _MAX_CHUNK_SIZE = 2 ** 31
	29
	30	def __init__(self, backend, cipher, mode, operation):
	31	self._backend = backend
	32	@@ -125,22 +126,32 @@ class _CipherContext(object):
	33	return bytes(buf[:n])
	34
	35	def update_into(self, data, buf):
	36	- if len(buf) < (len(data) + self._block_size_bytes - 1):
	37	+ total_data_len = len(data)
	38	+ if len(buf) < (total_data_len + self._block_size_bytes - 1):
	39	raise ValueError(
	40	"buffer must be at least {} bytes for this "
	41	"payload".format(len(data) + self._block_size_bytes - 1)
	42	)
	43
	44	- buf = self._backend._ffi.cast(
	45	- "unsigned char *", self._backend._ffi.from_buffer(buf)
	46	- )
	47	+ data_processed = 0
	48	+ total_out = 0
	49	outlen = self._backend._ffi.new("int *")
	50	- res = self._backend._lib.EVP_CipherUpdate(
	51	- self._ctx, buf, outlen,
	52	- self._backend._ffi.from_buffer(data), len(data)
	53	- )
	54	- self._backend.openssl_assert(res != 0)
	55	- return outlen[0]
	56	+ baseoutbuf = self._backend._ffi.from_buffer(buf)
	57	+ baseinbuf = self._backend._ffi.from_buffer(data)
	58	+
	59	+ while data_processed != total_data_len:
	60	+ outbuf = baseoutbuf + total_out
	61	+ inbuf = baseinbuf + data_processed
	62	+ inlen = min(self._MAX_CHUNK_SIZE, total_data_len - data_processed)
	63	+
	64	+ res = self._backend._lib.EVP_CipherUpdate(
	65	+ self._ctx, outbuf, outlen, inbuf, inlen
	66	+ )
	67	+ self._backend.openssl_assert(res != 0)
	68	+ data_processed += inlen
	69	+ total_out += outlen[0]
	70	+
	71	+ return total_out
	72
	73	def finalize(self):
	74	# OpenSSL 1.0.1 on Ubuntu 12.04 (and possibly other distributions)
	75	diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
	76	index f29ba9a9..b88610e7 100644
	77	--- a/tests/hazmat/primitives/test_ciphers.py
	78	+++ b/tests/hazmat/primitives/test_ciphers.py
	79	@@ -309,3 +309,20 @@ class TestCipherUpdateInto(object):
	80	buf = bytearray(5)
	81	with pytest.raises(ValueError):
	82	encryptor.update_into(b"testing", buf)
	83	+
	84	+ def test_update_into_auto_chunking(self, backend, monkeypatch):
	85	+ key = b"\x00" * 16
	86	+ c = ciphers.Cipher(AES(key), modes.ECB(), backend)
	87	+ encryptor = c.encryptor()
	88	+ # Lower max chunk size so we can test chunking
	89	+ monkeypatch.setattr(encryptor._ctx, "_MAX_CHUNK_SIZE", 40)
	90	+ buf = bytearray(527)
	91	+ pt = b"abcdefghijklmnopqrstuvwxyz012345" * 16 # 512 bytes
	92	+ processed = encryptor.update_into(pt, buf)
	93	+ assert processed == 512
	94	+ decryptor = c.decryptor()
	95	+ # Change max chunk size to verify alternate boundaries don't matter
	96	+ monkeypatch.setattr(decryptor._ctx, "_MAX_CHUNK_SIZE", 73)
	97	+ decbuf = bytearray(527)
	98	+ decprocessed = decryptor.update_into(buf[:processed], decbuf)
	99	+ assert decbuf[:decprocessed] == pt


diff --git a/meta-python/recipes-devtools/python/python3-cryptography/0002-chunking-didn-t-actually-work-5499.patch b/meta-python/recipes-devtools/python/python3-cryptography/0002-chunking-didn-t-actually-work-5499.patch new file mode 100644 index 0000000000..f28f414197 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-cryptography/0002-chunking-didn-t-actually-work-5499.patch
@@ -0,0 +1,43 @@
	1	From 7c72190620c3ccaeeab53fdd93547ca4d37b2f6b Mon Sep 17 00:00:00 2001
	2	From: Paul Kehrer <paul.l.kehrer@gmail.com>
	3	Date: Sun, 25 Oct 2020 06:15:18 -0700
	4	Subject: [PATCH] chunking didn't actually work (#5499)
	5
	6	Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/836a92a28fbe9df8c37121e340b91ed9cd519ddd]
	7
	8	Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
	9	---
	10	src/cryptography/hazmat/backends/openssl/ciphers.py \| 2 +-
	11	tests/hazmat/primitives/test_ciphers.py \| 9 +++++++++
	12	2 files changed, 10 insertions(+), 1 deletion(-)
	13
	14	diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
	15	index 86bc94b3..2b7da80c 100644
	16	--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
	17	+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
	18	@@ -17,7 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes
	19	class _CipherContext(object):
	20	_ENCRYPT = 1
	21	_DECRYPT = 0
	22	- _MAX_CHUNK_SIZE = 2 ** 31
	23	+ _MAX_CHUNK_SIZE = 2 ** 31 - 1
	24
	25	def __init__(self, backend, cipher, mode, operation):
	26	self._backend = backend
	27	diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
	28	index b88610e7..fd9048b7 100644
	29	--- a/tests/hazmat/primitives/test_ciphers.py
	30	+++ b/tests/hazmat/primitives/test_ciphers.py
	31	@@ -326,3 +326,12 @@ class TestCipherUpdateInto(object):
	32	decbuf = bytearray(527)
	33	decprocessed = decryptor.update_into(buf[:processed], decbuf)
	34	assert decbuf[:decprocessed] == pt
	35	+
	36	+ def test_max_chunk_size_fits_in_int32(self, backend):
	37	+ # max chunk must fit in signed int32 or else a call large enough to
	38	+ # cause chunking will result in the very OverflowError we want to
	39	+ # avoid with chunking.
	40	+ key = b"\x00" * 16
	41	+ c = ciphers.Cipher(AES(key), modes.ECB(), backend)
	42	+ encryptor = c.encryptor()
	43	+ backend._ffi.new("int *", encryptor._ctx._MAX_CHUNK_SIZE)


diff --git a/meta-python/recipes-devtools/python/python3-cryptography/0003-correct-buffer-overflows-cause-by-integer-overflow-i.patch b/meta-python/recipes-devtools/python/python3-cryptography/0003-correct-buffer-overflows-cause-by-integer-overflow-i.patch new file mode 100644 index 0000000000..449dd692e6 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-cryptography/0003-correct-buffer-overflows-cause-by-integer-overflow-i.patch
@@ -0,0 +1,37 @@
	1	From 6d0a76521abe287f5ddb5cd1cfbc799d35f08cf9 Mon Sep 17 00:00:00 2001
	2	From: Alex Gaynor <alex.gaynor@gmail.com>
	3	Date: Sun, 7 Feb 2021 11:36:56 -0500
	4	Subject: [PATCH] correct buffer overflows cause by integer overflow in openssl
	5	(#5747)
	6
	7	* correct buffer overflows cause by integer overflow in openssl
	8
	9	frustratingly, there is no test for this -- that's because testing this
	10	requires allocating more memory than is available in CI.
	11
	12	fixes #5615.
	13
	14	* backport CI fixes
	15
	16	* another CI backport
	17
	18	Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/82b6ce28389f0a317bc55ba2091a74b346db7cae]
	19
	20	Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
	21	---
	22	src/cryptography/hazmat/backends/openssl/ciphers.py \| 2 +-
	23	1 file changed, 1 insertion(+), 1 deletion(-)
	24
	25	diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
	26	index 2b7da80c..7ef5f1ea 100644
	27	--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
	28	+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
	29	@@ -17,7 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes
	30	class _CipherContext(object):
	31	_ENCRYPT = 1
	32	_DECRYPT = 0
	33	- _MAX_CHUNK_SIZE = 2 ** 31 - 1
	34	+ _MAX_CHUNK_SIZE = 2 ** 30 - 1
	35
	36	def __init__(self, backend, cipher, mode, operation):
	37	self._backend = backend