[Python-modules-commits] [python-cryptography] 01/03: Stable update.

Tristan Seligmann mithrandi at moszumanska.debian.org
Sun May 28 02:42:32 UTC 2017


This is an automated email from the git hooks/post-receive script.

mithrandi pushed a commit to branch jessie
in repository python-cryptography.

commit 049f6b060d76d5ed349c3ac28a0acf21a941d087
Author: Tristan Seligmann <mithrandi at debian.org>
Date:   Sun Jan 1 22:22:59 2017 +0200

    Stable update.
    
    * Stable update.
    * Backport the fix for CVE-2016-9243 (HKDF returns an empty byte string
      for small key sizes).
---
 debian/changelog          |  8 ++++++++
 debian/patches/3215.patch | 45 +++++++++++++++++++++++++++++++++++++++++++++
 debian/patches/series     |  1 +
 3 files changed, 54 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 20bd11a..a21aa7e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+python-cryptography (0.6.1-1+deb8u1) stable; urgency=high
+
+  * Stable update.
+  * Backport the fix for CVE-2016-9243 (HKDF returns an empty byte string
+    for small key sizes).
+
+ -- Tristan Seligmann <mithrandi at debian.org>  Sun, 01 Jan 2017 22:19:17 +0200
+
 python-cryptography (0.6.1-1) unstable; urgency=medium
 
   * New upstream release.
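Review bot: the first bullet of the new 0.6.1-1+deb8u1 entry, "* Stable update.", says nothing about what changed. Consider dropping it and having the CVE-2016-9243 bullet name the patch this upload adds (debian/patches/3215.patch, upstream issue #3211 per the patch subject), so a reader of the changelog can locate the fix.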
diff --git a/debian/patches/3215.patch b/debian/patches/3215.patch
new file mode 100644
index 0000000..98a2de5
--- /dev/null
+++ b/debian/patches/3215.patch
@@ -0,0 +1,45 @@
+From d945a5213f2b2bbb189bbc2be407aa35e0dab204 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor at gmail.com>
+Date: Sat, 5 Nov 2016 21:18:15 -0400
+Subject: [PATCH] Fixes #3211 -- fixed hkdf's output with short length
+
+---
+ src/cryptography/hazmat/primitives/kdf/hkdf.py |  2 +-
+ tests/hazmat/primitives/test_hkdf.py           | 11 +++++++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/cryptography/hazmat/primitives/kdf/hkdf.py b/src/cryptography/hazmat/primitives/kdf/hkdf.py
+index f738bbd..82ed9b1 100644
+--- a/src/cryptography/hazmat/primitives/kdf/hkdf.py
++++ b/src/cryptography/hazmat/primitives/kdf/hkdf.py
+@@ -91,7 +91,7 @@ def _expand(self, key_material):
+         output = [b""]
+         counter = 1
+ 
+-        while (self._algorithm.digest_size // 8) * len(output) < self._length:
++        while self._algorithm.digest_size * (len(output) - 1) < self._length:
+             h = hmac.HMAC(key_material, self._algorithm, backend=self._backend)
+             h.update(output[-1])
+             h.update(self._info)
+diff --git a/tests/hazmat/primitives/test_hkdf.py b/tests/hazmat/primitives/test_hkdf.py
+index e33529c..a05fd75 100644
+--- a/tests/hazmat/primitives/test_hkdf.py
++++ b/tests/hazmat/primitives/test_hkdf.py
+@@ -142,6 +142,17 @@ def test_unicode_typeerror(self, backend):
+ 
+             hkdf.verify(b"foo", u"bar")
+ 
++    def test_derive_short_output(self, backend):
++        hkdf = HKDF(
++            hashes.SHA256(),
++            4,
++            salt=None,
++            info=None,
++            backend=backend
++        )
++
++        assert hkdf.derive(b"\x01" * 16) == b"gJ\xfb{"
++
+ 
+ @pytest.mark.requires_backend_interface(interface=HMACBackend)
+ class TestHKDFExpand(object):
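Review bot: the only regression test added in tests/hazmat/primitives/test_hkdf.py is test_derive_short_output with length 4 and SHA256, so the corrected loop condition in _expand is pinned at a single point. With the old condition, `(self._algorithm.digest_size // 8) * len(output) < self._length`, and output starting as [b""], the loop body never runs when the requested length is at most digest_size // 8, which is how derive() came to return an empty byte string. The new condition, `self._algorithm.digest_size * (len(output) - 1) < self._length`, counts only the blocks actually generated and looks right. I would add cases for length 1 and for a length just past one digest block, each also asserting that len() of the result equals the requested length. A one-line comment above the while statement would also help, noting that output[0] is the empty T(0) placeholder and that this is what the `- 1` accounts for.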
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..6e8954b
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+3215.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-cryptography.git


