Bug#843631: AttributeError: 'module' object has no attribute 'SSL_ST_INIT'
Hi Sandro,

I appreciate your frustration here, and as the maintainer of python-cryptography of course I'm responsible when there are issues with the package. That said, I did actually test pyopenssl before uploading this version, and it was working locally; in addition, the diff from 1.5.2 to 1.5.3 is almost trivial (I've attached it for reference); the HKDF fix is a one line change plus an added test, and the only other changes are bumping the version number, so I'm still looking into the actual cause of the problem.

I think the mistake I made when testing locally was that I didn't update my build chroot first; if the problem is related to newer build-dependencies (eg. python-cffi) then that would explain why my local package does not exhibit the problem while the one from the buildds does.

(Of course this is the result of rushing the 1.5.3 update; I do know better than to rush out a "trivial" update, as these things often turn out to be less trivial than assumed, but I felt there was some urgency to getting the new package into unstable as the security issue is more likely to affect users there and I guess I let this override my better judgement)

I will follow up again once I track down the root cause of the problem.

commit c551c1690dc2ec0a12f779eaab780da45e40d1c6 Author: Tristan SeligmannDate: Tue Nov 8 05:34:19 2016 +0200 Import python-cryptography_1.5.3.orig.tar.gz diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 0bfd328..9b0bf29 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,6 +1,13 @@ Changelog = +1.5.3 - 2016-11-05 +~~ + +* **SECURITY ISSUE**: Fixed a bug where ``HKDF`` would return an empty + byte-string if used with a ``length`` less than ``algorithm.digest_size``. + Credit to **Markus Döring** for reporting the issue. + 1.5.2 - 2016-09-26 ~~ diff --git a/PKG-INFO b/PKG-INFO index 3c67042..9de24de 100644 --- a/PKG-INFO +++ b/PKG-INFO 
@@ -1,6 +1,6 @@ Metadata-Version: 1.1 Name: cryptography -Version: 1.5.2 +Version: 1.5.3 Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers. Home-page: https://github.com/pyca/cryptography Author: The cryptography developers diff --git a/src/cryptography.egg-info/PKG-INFO b/src/cryptography.egg-info/PKG-INFO index 3c67042..9de24de 100644 --- a/src/cryptography.egg-info/PKG-INFO +++ b/src/cryptography.egg-info/PKG-INFO @@ -1,6 +1,6 @@ Metadata-Version: 1.1 Name: cryptography -Version: 1.5.2 +Version: 1.5.3 Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers. Home-page: https://github.com/pyca/cryptography Author: The cryptography developers diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py index 02d6494..6baca0d 100644 --- a/src/cryptography/__about__.py +++ b/src/cryptography/__about__.py @@ -14,7 +14,7 @@ __summary__ = ("cryptography is a package which provides cryptographic recipes" " and primitives to Python developers.") __uri__ = "https://github.com/pyca/cryptography; -__version__ = "1.5.2" +__version__ = "1.5.3" __author__ = "The cryptography developers" __email__ = "cryptography-...@python.org" diff --git a/src/cryptography/hazmat/primitives/kdf/hkdf.py b/src/cryptography/hazmat/primitives/kdf/hkdf.py index f738bbd..82ed9b1 100644 --- a/src/cryptography/hazmat/primitives/kdf/hkdf.py +++ b/src/cryptography/hazmat/primitives/kdf/hkdf.py @@ -91,7 +91,7 @@ class HKDFExpand(object): output = [b""] counter = 1 -while (self._algorithm.digest_size // 8) * len(output) < self._length: +while self._algorithm.digest_size * (len(output) - 1) < self._length: h = hmac.HMAC(key_material, self._algorithm, backend=self._backend) h.update(output[-1]) h.update(self._info) diff --git a/tests/hazmat/primitives/test_hkdf.py b/tests/hazmat/primitives/test_hkdf.py index e33529c..a05fd75 100644 --- a/tests/hazmat/primitives/test_hkdf.py 
+++ b/tests/hazmat/primitives/test_hkdf.py @@ -142,6 +142,17 @@ class TestHKDF(object): hkdf.verify(b"foo", u"bar") +def test_derive_short_output(self, backend): +hkdf = HKDF( +hashes.SHA256(), +4, +salt=None, +info=None, +backend=backend +) + +assert hkdf.derive(b"\x01" * 16) == b"gJ\xfb{" + @pytest.mark.requires_backend_interface(interface=HMACBackend) class TestHKDFExpand(object):
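Review bot: in the src/cryptography/hazmat/primitives/kdf/hkdf.py hunk, the new loop bound only works because output is seeded with the b"" placeholder, so len(output) - 1 is the number of blocks produced so far, and nothing in the hunk says so. A one-line comment above the while, or computing the required block count from self._length and self._algorithm.digest_size before the loop, would keep a later change to the seed from silently bringing back short output. The removed condition also divided digest_size by 8 while the new one compares it with self._length directly, so the comment should state which unit digest_size is in.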
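Review bot: in the tests/hazmat/primitives/test_hkdf.py hunk, test_derive_short_output covers a single length (4 with SHA256) and compares against the literal b"gJ\xfb{" with no note of where that value comes from. Suggest parametrizing over lengths around the digest size (one below, equal, one above), asserting the length of the derived output as well as its bytes, and recording how the expected value was obtained. The test also goes through HKDF only; the changed loop is in HKDFExpand, and this hunk adds no test against that class directly.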
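Review bot: the CHANGELOG.rst entry for 1.5.3 flags a SECURITY ISSUE but does not say which earlier releases are affected. A line naming the affected versions would let downstream packagers decide whether older branches need the same fix.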
Bug#843631: AttributeError: 'module' object has no attribute 'SSL_ST_INIT'
control: clone -1 -2
control: reassign -2 pyopenssl
control: retitle -2 AttributeError: 'module' object has no attribute 'SSL_ST_INIT'

gaah actually cloning

On Tue, Nov 8, 2016 at 9:08 AM, Sandro Tosi wrote:
> control: clone -1
> control: reassign -1 python-cryptography
> control: retitle -1 STOP BREAKING PYOPENSSL WHEN UPLOADING CRYPTOGRAPHY
>
>> from OpenSSL import rand, crypto, SSL
>> File "/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 112, in
>> SSL_ST_INIT = _lib.SSL_ST_INIT
>> AttributeError: 'module' object has no attribute 'SSL_ST_INIT'
>
> _lib in SSL.py comes from _utils.lib, which is:
>
> ```
> from cryptography.hazmat.bindings.openssl.binding import Binding
>
> binding = Binding()
> binding.init_static_locks()
> ffi = binding.ffi
> lib = binding.lib
> ```
>
> and not surprisingly there was an update to python-cryptography
> yesterday. my mirror still has the old version (1.5.2-1) and works
> fine, you have installed 1.5.3-1 and it's broken. George, i'll try to
> upgrade pyopenssl soon and that will hopefully fix this.
>
> Tristan, this is the third or fourth time you updated
> python-cryptography and broke pyopenssl. This has to stop. now. and
> forever. You've proved you're unable to deal with cryptography without
> causing a huge amount of issues to downstream packages, so learn to
> test your reverse dependencies, even more in this case since
> cryptography and pyopenssl are so tightly coupled, or orphan
> cryptography and let a skillful maintainer pick it up.
>
> --
> Sandro "morph" Tosi
> My website: http://sandrotosi.me/
> Me at Debian: http://wiki.debian.org/SandroTosi
> G+: https://plus.google.com/u/0/+SandroTosi

--
Sandro "morph" Tosi
My website: http://sandrotosi.me/
Me at Debian: http://wiki.debian.org/SandroTosi
G+: https://plus.google.com/u/0/+SandroTosi
Bug#843631: AttributeError: 'module' object has no attribute 'SSL_ST_INIT'
control: clone -1
control: reassign -1 python-cryptography
control: retitle -1 STOP BREAKING PYOPENSSL WHEN UPLOADING CRYPTOGRAPHY

> from OpenSSL import rand, crypto, SSL
> File "/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 112, in
> SSL_ST_INIT = _lib.SSL_ST_INIT
> AttributeError: 'module' object has no attribute 'SSL_ST_INIT'

_lib in SSL.py comes from _utils.lib, which is:

```
from cryptography.hazmat.bindings.openssl.binding import Binding

binding = Binding()
binding.init_static_locks()
ffi = binding.ffi
lib = binding.lib
```

and not surprisingly there was an update to python-cryptography yesterday. my mirror still has the old version (1.5.2-1) and works fine, you have installed 1.5.3-1 and it's broken. George, i'll try to upgrade pyopenssl soon and that will hopefully fix this.

Tristan, this is the third or fourth time you updated python-cryptography and broke pyopenssl. This has to stop. now. and forever. You've proved you're unable to deal with cryptography without causing a huge amount of issues to downstream packages, so learn to test your reverse dependencies, even more in this case since cryptography and pyopenssl are so tightly coupled, or orphan cryptography and let a skillful maintainer pick it up.

--
Sandro "morph" Tosi
My website: http://sandrotosi.me/
Me at Debian: http://wiki.debian.org/SandroTosi
G+: https://plus.google.com/u/0/+SandroTosi
Bug#843631: AttributeError: 'module' object has no attribute 'SSL_ST_INIT'
affects 843631 ansible
thanks

Sorry for the paste indentation fail (the irony of this being a bug in a python package is not lost on me...)

```
ERROR! Unexpected Exception: 'module' object has no attribute 'SSL_ST_INIT'
the full traceback was:

Traceback (most recent call last):
  File "/usr/bin/ansible-playbook", line 92, in
    exit_code = cli.run()
  File "/usr/lib/python2.7/dist-packages/ansible/cli/playbook.py", line 154, in run
    results = pbex.run()
  File "/usr/lib/python2.7/dist-packages/ansible/executor/playbook_executor.py", line 81, in run
    self._tqm.load_callbacks()
  File "/usr/lib/python2.7/dist-packages/ansible/executor/task_queue_manager.py", line 171, in load_callbacks
    for callback_plugin in callback_loader.all(class_only=True):
  File "/usr/lib/python2.7/dist-packages/ansible/plugins/__init__.py", line 368, in all
    self._module_cache[path] = self._load_module_source(name, path)
  File "/usr/lib/python2.7/dist-packages/ansible/plugins/__init__.py", line 319, in _load_module_source
    module = imp.load_source(name, path, module_file)
  File "/usr/lib/python2.7/dist-packages/ansible/plugins/callback/hipchat.py", line 32, in
    from ansible.module_utils.urls import open_url
  File "/usr/lib/python2.7/dist-packages/ansible/module_utils/urls.py", line 128, in
    from urllib3.contrib.pyopenssl import ssl_wrap_socket
  File "/usr/lib/python2.7/dist-packages/urllib3/contrib/pyopenssl.py", line 54, in
    import OpenSSL.SSL
  File "/usr/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in
    from OpenSSL import rand, crypto, SSL
  File "/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 112, in
    SSL_ST_INIT = _lib.SSL_ST_INIT
AttributeError: 'module' object has no attribute 'SSL_ST_INIT'
```

George
Bug#843631: AttributeError: 'module' object has no attribute 'SSL_ST_INIT'
Package: python-openssl
Version: 16.1.0-1
Severity: critical
Justification: breaks unrelated software

Hello,

I get the following exception when running my Ansible playbook. Looking at the trace the error appears to be coming all the way from Python OpenSSL library, so filing a bug here.

```
Traceback (most recent call last):
File "/usr/bin/ansible-playbook", line 92, in
exit_code = cli.run()
File "/usr/lib/python2.7/dist-packages/ansible/cli/playbook.py", line 154, in run
results = pbex.run()
File "/usr/lib/python2.7/dist-packages/ansible/executor/playbook_executor.py", line 81, in run
self._tqm.load_callbacks()
File "/usr/lib/python2.7/dist-packages/ansible/executor/task_queue_manager.py", line 171, in load_callbacks
for callback_plugin in callback_loader.all(class_only=True):
File "/usr/lib/python2.7/dist-packages/ansible/plugins/__init__.py", line 368, in all
self._module_cache[path] = self._load_module_source(name, path)
File "/usr/lib/python2.7/dist-packages/ansible/plugins/__init__.py", line 319, in _load_module_source
module = imp.load_source(name, path, module_file)
File "/usr/lib/python2.7/dist-packages/ansible/plugins/callback/hipchat.py", line 32, in
from ansible.module_utils.urls import open_url
File "/usr/lib/python2.7/dist-packages/ansible/module_utils/urls.py", line 128, in
from urllib3.contrib.pyopenssl import ssl_wrap_socket
File "/usr/lib/python2.7/dist-packages/urllib3/contrib/pyopenssl.py", line 54, in
import OpenSSL.SSL
File "/usr/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in
from OpenSSL import rand, crypto, SSL
File "/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 112, in
SSL_ST_INIT = _lib.SSL_ST_INIT
AttributeError: 'module' object has no attribute 'SSL_ST_INIT'u
```

Best regards,
George

-- System Information:
Debian Release: stretch/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python-openssl depends on:
ii python-cryptography 1.5.3-1
ii python-six 1.10.0-3
pn python:any

python-openssl recommends no packages.

Versions of packages python-openssl suggests:
pn python-openssl-dbg
pn python-openssl-doc

-- no debconf information