Merge pull request #105865 from adisbladis/CVE-2020-25659

python2.pkgs.cryptography: Fix CVE-2020-25659

pkgs/development/python-modules/cryptography/2.9.nix

@@ -29,6 +29,8 @@ buildPythonPackage rec {
     sha256 = "0af25w5mkd6vwns3r6ai1w5ip9xp0ms9s261zzssbpadzdr05hx0";
   };
 
+  patches = [ ./CVE-2020-25659.patch ];
+
   outputs = [ "out" "dev" ];
 
   buildInputs = [ openssl ]
@@ -70,6 +72,5 @@ buildPythonPackage rec {
       + replaceStrings [ "." ] [ "-" ] version;
     license = with licenses; [ asl20 bsd3 psfl ];
     maintainers = with maintainers; [ primeos ];
-    knownVulnerabilities = [ "CVE-2020-25659" "https://github.com/advisories/GHSA-hggm-jpg3-v476" ];
   };
 }

pkgs/development/python-modules/cryptography/CVE-2020-25659.patch

@@ -0,0 +1,76 @@
+Backported of:
+
+From 58494b41d6ecb0f56b7c5f05d5f5e3ca0320d494 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <[email protected]>
+Date: Sun, 25 Oct 2020 21:16:42 -0400
+Subject: [PATCH] Attempt to mitigate Bleichenbacher attacks on RSA decryption
+ (#5507)
+
+diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
+index 6e4675d..ce66c28 100644
+--- a/docs/spelling_wordlist.txt
++++ b/docs/spelling_wordlist.txt
+@@ -6,6 +6,7 @@ backend
+ Backends
+ backends
+ bcrypt
++Bleichenbacher
+ Blowfish
+ boolean
+ Botan
+diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
+index 3e4c2fd..6303f95 100644
+--- a/src/cryptography/hazmat/backends/openssl/rsa.py
++++ b/src/cryptography/hazmat/backends/openssl/rsa.py
+@@ -117,40 +117,19 @@ def _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum, padding):
+
+     outlen = backend._ffi.new("size_t *", buf_size)
+     buf = backend._ffi.new("unsigned char[]", buf_size)
++    # Everything from this line onwards is written with the goal of being as
++    # constant-time as is practical given the constraints of Python and our
++    # API. See Bleichenbacher's '98 attack on RSA, and its many many variants.
++    # As such, you should not attempt to change this (particularly to "clean it
++    # up") without understanding why it was written this way (see
++    # Chesterton's Fence), and without measuring to verify you have not
++    # introduced observable time differences.
+     res = crypt(pkey_ctx, buf, outlen, data, len(data))
++    resbuf = backend._ffi.buffer(buf)[: outlen[0]]
++    backend._lib.ERR_clear_error()
+     if res <= 0:
+-        _handle_rsa_enc_dec_error(backend, key)
+-
+-    return backend._ffi.buffer(buf)[:outlen[0]]
+-
+-
+-def _handle_rsa_enc_dec_error(backend, key):
+-    errors = backend._consume_errors()
+-    backend.openssl_assert(errors)
+-    backend.openssl_assert(errors[0].lib == backend._lib.ERR_LIB_RSA)
+-    if isinstance(key, _RSAPublicKey):
+-        backend.openssl_assert(
+-            errors[0].reason == backend._lib.RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE
+-        )
+-        raise ValueError(
+-            "Data too long for key size. Encrypt less data or use a "
+-            "larger key size."
+-        )
+-    else:
+-        decoding_errors = [
+-            backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_01,
+-            backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_02,
+-            backend._lib.RSA_R_OAEP_DECODING_ERROR,
+-            # Though this error looks similar to the
+-            # RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE, this occurs on decrypts,
+-            # rather than on encrypts
+-            backend._lib.RSA_R_DATA_TOO_LARGE_FOR_MODULUS,
+-        ]
+-        if backend._lib.Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR:
+-            decoding_errors.append(backend._lib.RSA_R_PKCS_DECODING_ERROR)
+-
+-        backend.openssl_assert(errors[0].reason in decoding_errors)
+-        raise ValueError("Decryption failed.")
++        raise ValueError("Encryption/decryption failed.")
++    return resbuf
+
+
+ def _rsa_sig_determine_padding(backend, key, padding, algorithm):