Red Hat Bugzilla – Attachment 578385 Details for Bug 810013: CVE-2012-2146 python-elixir: weak use of crypto can leak information
Attachment 578385 (patch, obsolete): 0001-Add-fix-for-rhbz-810013.patch (text/plain), 5.20 KB, created by Stanislav Ochotnicky on 2012-04-18 15:11:53 UTC

Description: Proposed patch to fix the bug
Filename: 0001-Add-fix-for-rhbz-810013.patch
MIME Type: text/plain
Creator: Stanislav Ochotnicky
Created: 2012-04-18 15:11:53 UTC
Size: 5.20 KB
>From 780aaea5fc26573daa7d5950e9265fa1c32a4914 Mon Sep 17 00:00:00 2001 >From: Stanislav Ochotnicky <sochotnicky@redhat.com> >Date: Wed, 18 Apr 2012 17:10:40 +0200 >Subject: [PATCH] Add fix for rhbz#810013 > >--- > python-elixir-aes-encryption-addition.patch | 88 +++++++++++++++++++++++++++ > python-elixir.spec | 7 ++- > 2 files changed, 94 insertions(+), 1 deletions(-) > create mode 100644 python-elixir-aes-encryption-addition.patch > >diff --git a/python-elixir-aes-encryption-addition.patch b/python-elixir-aes-encryption-addition.patch >new file mode 100644 >index 0000000..de6f17a >--- /dev/null >+++ b/python-elixir-aes-encryption-addition.patch 
>@@ -0,0 +1,88 @@ >+diff --git a/elixir/ext/encrypted.py b/elixir/ext/encrypted.py >+index 5e4e16b..e19c24e 100644 >+--- a/elixir/ext/encrypted.py >++++ b/elixir/ext/encrypted.py >+@@ -26,7 +26,9 @@ ssn columns on save, update, and load. Different secrets can be specified on >+ an entity by entity basis, for added security. >+ ''' >+ >+-from Crypto.Cipher import Blowfish >++import sys >++import os >++from Crypto.Cipher import Blowfish, AES >+ from elixir.statements import Statement >+ from sqlalchemy.orm import MapperExtension, EXT_CONTINUE >+ >+@@ -37,7 +39,9 @@ __doc_all__ = [] >+ # >+ # encryption and decryption functions >+ # >+- >++# WARNING!!! Blowfish encryption method is vulnerable to attacks >++# because it doesn't properly use random seed. It is provided just for >++# backward compatibility needed to migrate data. Use AES instead! >+ def encrypt_value(value, secret): >+ return Blowfish.new(secret, Blowfish.MODE_CFB) \ >+ .encrypt(value).encode('string_escape') >+@@ -46,29 +50,57 @@ def decrypt_value(value, secret): >+ return Blowfish.new(secret, Blowfish.MODE_CFB) \ >+ .decrypt(value.decode('string_escape')) >+ >++# Crypto.Cipher.AES is AES128 >++def encrypt_value_aes(value, secret): >++ iv = os.urandom(AES.block_size) >++ >++ pad_len = AES.block_size - len(value) % AES.block_size >++ padded_value = value + pad_len * chr(pad_len) >++ res = iv + AES.new(secret, AES.MODE_CBC, iv).encrypt(padded_value) >++ return res.encode('string_escape') >++ >++def decrypt_value_aes(value, secret): >++ value = value.decode('string_escape') >++ iv = value[:AES.block_size] >++ encrypted = value[AES.block_size:] >++ >++ padded_value = AES.new(secret, AES.MODE_CBC, iv).decrypt(encrypted) >++ pad_len = ord(padded_value[-1]) >++ assert pad_len >= 1 and pad_len <= AES.block_size >++ return padded_value[:-pad_len] >++ >++ >+ >+ try: >+ from sqlalchemy.orm import EXT_PASS >+ SA05orlater = False >+ except ImportError: >+ SA05orlater = True >+- >+ # >+ # acts_as_encrypted statement 
>+ # >+ >+ class ActsAsEncrypted(object): >+ >+- def __init__(self, entity, for_fields=[], with_secret='abcdef'): >++ def __init__(self, entity, for_fields=[], with_secret='abcdef', with_aes=False): >++ if not with_aes: >++ sys.stderr.write("""WARNING!!! Blowfish encryption method is >++vulnerable to attacks. Migrate your data and use with_aes=True""") >+ >+ def perform_encryption(instance, decrypt=False): >+ for column_name in for_fields: >+ current_value = getattr(instance, column_name) >+ if current_value: >+ if decrypt: >+- new_value = decrypt_value(current_value, with_secret) >++ if with_aes: >++ new_value = decrypt_value_aes(current_value, with_secret) >++ else: >++ new_value = decrypt_value(current_value, with_secret) >+ else: >+- new_value = encrypt_value(current_value, with_secret) >++ if with_aes: >++ new_value = encrypt_value_aes(current_value, with_secret) >++ else: >++ new_value = encrypt_value(current_value, with_secret) >+ setattr(instance, column_name, new_value) >+ >+ def perform_decryption(instance): >diff --git a/python-elixir.spec b/python-elixir.spec >index 0a8ea8f..66f55e5 100644 >--- a/python-elixir.spec >+++ b/python-elixir.spec >@@ -2,13 +2,14 @@ > > Name: python-elixir > Version: 0.6.1 >-Release: 5%{?dist} >+Release: 6%{?dist} > Summary: A declarative mapper for SQLAlchemy > > Group: Development/Languages > License: MIT > URL: http://elixir.ematia.de/ > Source0: http://pypi.python.org/packages/source/E/Elixir/Elixir-%{version}.tar.gz >+Patch0: python-elixir-aes-encryption-addition.patch > BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) > > BuildArch: noarch >@@ -30,6 +31,7 @@ not need the full expressiveness of SQLAlchemy's manual mapper definitions. > > %prep > %setup -q -n Elixir-%{version} >+%patch0 -p1 > > > %build 
>@@ -56,6 +58,9 @@ rm -rf $RPM_BUILD_ROOT > > > %changelog >+* Wed Apr 18 2012 Stanislav Ochotnicky <sochotnicky@redhat.com> - 0.6.1-6 >+- Add fix for rhbz#810013 >+ > * Fri Apr 23 2010 Stanislav Ochotnicky <sochotnicky@redhat.com> - 0.6.1-5 > - Added missing python-crypto to Requires > - Added test-suite execution with BuildRequires updated >-- >1.7.7.6 >
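Review bot: in the nested `@@ -46,29 +50,57 @@` hunk of elixir/ext/encrypted.py, `with_aes=True` together with the unchanged default `with_secret='abcdef'` fails at runtime: `AES.new` accepts only 16-, 24- or 32-byte keys, so the 6-byte default raises ValueError on the first encrypt, and the comment `# Crypto.Cipher.AES is AES128` is misleading because the key length, not the module, selects AES-128/192/256. Suggest validating the key length (or deriving a fixed-length key from the secret) and stating the requirement in the ActsAsEncrypted docstring. Separately, the CBC ciphertext carries no integrity check and `decrypt_value_aes` guards padding only with `assert pad_len >= 1 and pad_len <= AES.block_size`, which is removed under `python -O` and in any case inspects one byte, so a wrong key or a modified row is returned as garbage or fails with a distinguishable error rather than being rejected; consider appending an HMAC over `iv + ciphertext` in `encrypt_value_aes`, verifying it before decrypting, and replacing the assert with an explicit ValueError that checks every padding byte. Note also that `with_aes` defaults to False, so the Blowfish path the patch itself labels vulnerable remains the default for existing callers, and the `sys.stderr.write` warning (which lacks a trailing newline) is their only signal; a short migration note (decrypt with Blowfish, re-encrypt with AES) would help.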
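Review bot: in the `@@ -2,13 +2,14 @@` hunk of python-elixir.spec, the `Patch0:` line has no comment tying it to the issue it fixes; a line such as `# Fix for rhbz#810013 / CVE-2012-2146` above `Patch0: python-elixir-aes-encryption-addition.patch` keeps the provenance visible when the spec is read without the git history. The Release bump to `6%{?dist}` is consistent with the new changelog entry.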
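Review bot: in the `@@ -56,6 +58,9 @@` changelog hunk, the entry `- Add fix for rhbz#810013` names the bug but not the CVE; since the bug title is CVE-2012-2146, include the CVE id in the changelog line so downstream scanners and users grepping the package changelog can find the fix.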
Flags: sochotni: review?