File CVE-2020-36242-buffer-overflow.patch of Package python-cryptography.27134
From 3fe555d8e4fb52f21fc297dea88a03d52f319306 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sun, 19 Jul 2020 00:00:18 -0500
Subject: [PATCH 1/3] chunked update_into
---
.../hazmat/backends/openssl/ciphers.py | 39 ++++++++++++-------
tests/hazmat/primitives/test_ciphers.py | 17 ++++++++
2 files changed, 43 insertions(+), 13 deletions(-)
Index: cryptography-2.8/src/cryptography/hazmat/backends/openssl/ciphers.py
===================================================================
--- cryptography-2.8.orig/src/cryptography/hazmat/backends/openssl/ciphers.py
+++ cryptography-2.8/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -17,6 +17,7 @@ from cryptography.hazmat.primitives.ciph
class _CipherContext(object):
_ENCRYPT = 1
_DECRYPT = 0
+ _MAX_CHUNK_SIZE = 2 ** 30 - 1
def __init__(self, backend, cipher, mode, operation):
self._backend = backend
@@ -125,22 +126,32 @@ class _CipherContext(object):
return bytes(buf[:n])
def update_into(self, data, buf):
- if len(buf) < (len(data) + self._block_size_bytes - 1):
+ total_data_len = len(data)
+ if len(buf) < (total_data_len + self._block_size_bytes - 1):
raise ValueError(
"buffer must be at least {} bytes for this "
"payload".format(len(data) + self._block_size_bytes - 1)
)
- buf = self._backend._ffi.cast(
- "unsigned char *", self._backend._ffi.from_buffer(buf)
- )
+ data_processed = 0
+ total_out = 0
outlen = self._backend._ffi.new("int *")
- res = self._backend._lib.EVP_CipherUpdate(
- self._ctx, buf, outlen,
- self._backend._ffi.from_buffer(data), len(data)
- )
- self._backend.openssl_assert(res != 0)
- return outlen[0]
+ baseoutbuf = self._backend._ffi.from_buffer(buf)
+ baseinbuf = self._backend._ffi.from_buffer(data)
+
+ while data_processed != total_data_len:
+ outbuf = baseoutbuf + total_out
+ inbuf = baseinbuf + data_processed
+ inlen = min(self._MAX_CHUNK_SIZE, total_data_len - data_processed)
+
+ res = self._backend._lib.EVP_CipherUpdate(
+ self._ctx, outbuf, outlen, inbuf, inlen
+ )
+ self._backend.openssl_assert(res != 0)
+ data_processed += inlen
+ total_out += outlen[0]
+
+ return total_out
def finalize(self):
# OpenSSL 1.0.1 on Ubuntu 12.04 (and possibly other distributions)
Index: cryptography-2.8/tests/hazmat/primitives/test_ciphers.py
===================================================================
--- cryptography-2.8.orig/tests/hazmat/primitives/test_ciphers.py
+++ cryptography-2.8/tests/hazmat/primitives/test_ciphers.py
@@ -309,3 +309,20 @@ class TestCipherUpdateInto(object):
buf = bytearray(5)
with pytest.raises(ValueError):
encryptor.update_into(b"testing", buf)
+
+ def test_update_into_auto_chunking(self, backend, monkeypatch):
+ key = b"\x00" * 16
+ c = ciphers.Cipher(AES(key), modes.ECB(), backend)
+ encryptor = c.encryptor()
+ # Lower max chunk size so we can test chunking
+ monkeypatch.setattr(encryptor._ctx, "_MAX_CHUNK_SIZE", 40)
+ buf = bytearray(527)
+ pt = b"abcdefghijklmnopqrstuvwxyz012345" * 16 # 512 bytes
+ processed = encryptor.update_into(pt, buf)
+ assert processed == 512
+ decryptor = c.decryptor()
+ # Change max chunk size to verify alternate boundaries don't matter
+ monkeypatch.setattr(decryptor._ctx, "_MAX_CHUNK_SIZE", 73)
+ decbuf = bytearray(527)
+ decprocessed = decryptor.update_into(buf[:processed], decbuf)
+ assert decbuf[:decprocessed] == pt