Bug#843631: AttributeError: 'module' object has no attribute 'SSL_ST_INIT'

2016-11-08 Thread Tristan Seligmann
Hi Sandro,

I appreciate your frustration here, and as the maintainer of
python-cryptography of course I'm responsible when there are issues with
the package.

That said, I did actually test pyopenssl before uploading this version, and
it was working locally; in addition, the diff from 1.5.2 to 1.5.3 is almost
trivial (I've attached it for reference); the HKDF fix is a one line change
plus an added test, and the only other changes are bumping the version
number, so I'm still looking into the actual cause of the problem.

I think the mistake I made when testing locally was that I didn't update my
build chroot first; if the problem is related to newer build-dependencies
(eg. python-cffi) then that would explain why my local package does not
exhibit the problem while the one from the buildds does. (Of course this is
the result of rushing the 1.5.3 update; I do know better than to rush out a
"trivial" update, as these things often turn out to be less trivial than
assumed, but I felt there was some urgency to getting the new package into
unstable as the security issue is more likely to affect users there and I
guess I let this override my better judgement)

I will follow up again once I track down the root cause of the problem.
commit c551c1690dc2ec0a12f779eaab780da45e40d1c6
Author: Tristan Seligmann 
Date:   Tue Nov 8 05:34:19 2016 +0200

Import python-cryptography_1.5.3.orig.tar.gz

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 0bfd328..9b0bf29 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,6 +1,13 @@
 Changelog
 =
 
+1.5.3 - 2016-11-05
+~~
+
+* **SECURITY ISSUE**: Fixed a bug where ``HKDF`` would return an empty
+  byte-string if used with a ``length`` less than ``algorithm.digest_size``.
+  Credit to **Markus Döring** for reporting the issue.
+
 1.5.2 - 2016-09-26
 ~~
 
diff --git a/PKG-INFO b/PKG-INFO
index 3c67042..9de24de 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: cryptography
-Version: 1.5.2
+Version: 1.5.3
 Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers.
 Home-page: https://github.com/pyca/cryptography
 Author: The cryptography developers
diff --git a/src/cryptography.egg-info/PKG-INFO b/src/cryptography.egg-info/PKG-INFO
index 3c67042..9de24de 100644
--- a/src/cryptography.egg-info/PKG-INFO
+++ b/src/cryptography.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: cryptography
-Version: 1.5.2
+Version: 1.5.3
 Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers.
 Home-page: https://github.com/pyca/cryptography
 Author: The cryptography developers
diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py
index 02d6494..6baca0d 100644
--- a/src/cryptography/__about__.py
+++ b/src/cryptography/__about__.py
@@ -14,7 +14,7 @@ __summary__ = ("cryptography is a package which provides cryptographic recipes"
" and primitives to Python developers.")
 __uri__ = "https://github.com/pyca/cryptography;
 
-__version__ = "1.5.2"
+__version__ = "1.5.3"
 
 __author__ = "The cryptography developers"
 __email__ = "cryptography-...@python.org"
diff --git a/src/cryptography/hazmat/primitives/kdf/hkdf.py b/src/cryptography/hazmat/primitives/kdf/hkdf.py
index f738bbd..82ed9b1 100644
--- a/src/cryptography/hazmat/primitives/kdf/hkdf.py
+++ b/src/cryptography/hazmat/primitives/kdf/hkdf.py
@@ -91,7 +91,7 @@ class HKDFExpand(object):
 output = [b""]
 counter = 1
 
-while (self._algorithm.digest_size // 8) * len(output) < self._length:
+while self._algorithm.digest_size * (len(output) - 1) < self._length:
 h = hmac.HMAC(key_material, self._algorithm, backend=self._backend)
 h.update(output[-1])
 h.update(self._info)
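Review bot: the corrected `while` condition only works because `output` is seeded with `[b""]`, which is why it needs `len(output) - 1`, and nothing on these lines says so. The removed line got exactly this wrong: it counted the seed element and divided `digest_size` by 8 as if it were in bits. With `len(output) == 1` on entry, the loop body was skipped whenever `self._length <= digest_size // 8`. Add a one-line comment above the loop stating that `digest_size` is in bytes and that `output[0]` is the empty seed block, or track the number of bytes produced in its own variable so the condition reads `produced < self._length`. It would also be worth failing loudly after the loop if the joined output is shorter than `self._length`, rather than returning it silently.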
diff --git a/tests/hazmat/primitives/test_hkdf.py b/tests/hazmat/primitives/test_hkdf.py
index e33529c..a05fd75 100644
--- a/tests/hazmat/primitives/test_hkdf.py
+++ b/tests/hazmat/primitives/test_hkdf.py
@@ -142,6 +142,17 @@ class TestHKDF(object):
 
 hkdf.verify(b"foo", u"bar")
 
+def test_derive_short_output(self, backend):
+hkdf = HKDF(
+hashes.SHA256(),
+4,
+salt=None,
+info=None,
+backend=backend
+)
+
+assert hkdf.derive(b"\x01" * 16) == b"gJ\xfb{"
+
 
 @pytest.mark.requires_backend_interface(interface=HMACBackend)
 class TestHKDFExpand(object):
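Review bot: `test_derive_short_output` pins a single length (4) against a hard-coded constant, `b"gJ\xfb{"`, with no indication of where that value comes from. The code change is in `HKDFExpand`, so add a case that drives `HKDFExpand` directly, and cover the lengths around the block boundary (the digest size and one byte either side), asserting `len()` of the result. Checking that the 4-byte output equals the first 4 bytes of a longer derivation from the same inputs would make the expected value self-explanatory.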


Bug#843631: AttributeError: 'module' object has no attribute 'SSL_ST_INIT'

2016-11-08 Thread Sandro Tosi
control: clone -1 -2
control: reassign -2 pyopenssl
control: retitle -2 AttributeError: 'module' object has no attribute
'SSL_ST_INIT'

gaah actually cloning

On Tue, Nov 8, 2016 at 9:08 AM, Sandro Tosi  wrote:
> control: clone -1
> control: reassign -1 python-cryptography
> control: retitle -1 STOP BREAKING PYOPENSSL WHEN UPLOADING CRYPTOGRAPHY
>
>> from OpenSSL import rand, crypto, SSL
>>   File "/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 112, in <module>
>>     SSL_ST_INIT = _lib.SSL_ST_INIT
>> AttributeError: 'module' object has no attribute 'SSL_ST_INIT'
>
> _lib in SSL.py comes from _utils.lib, which is:
>
> ```
> from cryptography.hazmat.bindings.openssl.binding import Binding
>
> binding = Binding()
> binding.init_static_locks()
> ffi = binding.ffi
> lib = binding.lib
> ```
>
> and not surprisingly there was an update to python-cryptography
> yesterday. my mirror still has the old version (1.5.2-1) and works
> fine, you have installed 1.5.3-1 and it's broken. George, i'll try to
> upgrade pyopenssl soon and that will hopefully fix this.
>
> Tristan, this is the third or fourth time you updated
> python-cryptography and broke pyopenssl. This has to stop. now. and
> forever. You've proved you're unable to deal with cryptography without
> causing a huge amount of issues to downstream packages, so learn to
> test your reverse dependencies, even more in this case since
> cryptography and pyopenssl are so tightly coupled, or orphan
> cryptography and let a skillful maintainer pick it up.
>
> --
> Sandro "morph" Tosi
> My website: http://sandrotosi.me/
> Me at Debian: http://wiki.debian.org/SandroTosi
> G+: https://plus.google.com/u/0/+SandroTosi



-- 
Sandro "morph" Tosi
My website: http://sandrotosi.me/
Me at Debian: http://wiki.debian.org/SandroTosi
G+: https://plus.google.com/u/0/+SandroTosi



Bug#843631: AttributeError: 'module' object has no attribute 'SSL_ST_INIT'

2016-11-08 Thread Sandro Tosi
control: clone -1
control: reassign -1 python-cryptography
control: retitle -1 STOP BREAKING PYOPENSSL WHEN UPLOADING CRYPTOGRAPHY

> from OpenSSL import rand, crypto, SSL
>   File "/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 112, in <module>
>     SSL_ST_INIT = _lib.SSL_ST_INIT
> AttributeError: 'module' object has no attribute 'SSL_ST_INIT'

_lib in SSL.py comes from _utils.lib, which is:

```
from cryptography.hazmat.bindings.openssl.binding import Binding

binding = Binding()
binding.init_static_locks()
ffi = binding.ffi
lib = binding.lib
```

and not surprisingly there was an update to python-cryptography
yesterday. my mirror still has the old version (1.5.2-1) and works
fine, you have installed 1.5.3-1 and it's broken. George, i'll try to
upgrade pyopenssl soon and that will hopefully fix this.

Tristan, this is the third or fourth time you updated
python-cryptography and broke pyopenssl. This has to stop. now. and
forever. You've proved you're unable to deal with cryptography without
causing a huge amount of issues to downstream packages, so learn to
test your reverse dependencies, even more in this case since
cryptography and pyopenssl are so tightly coupled, or orphan
cryptography and let a skillful maintainer pick it up.

-- 
Sandro "morph" Tosi
My website: http://sandrotosi.me/
Me at Debian: http://wiki.debian.org/SandroTosi
G+: https://plus.google.com/u/0/+SandroTosi
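
Added example, not part of the original thread and not code from pyOpenSSL or cryptography: a static check a maintainer could run over a reverse dependency's source before uploading a rebuilt binding. It lists which `_lib.<name>` reads would fail at import time (as `SSL_ST_INIT` did here) and which only when called. The consumer source and the `REBUILT_LIB` stand-in are constructed; in practice `lib` would be the `binding.lib` object from the snippet quoted above.

```python
import ast
import types

# Constructed sample of a consumer module; only the SSL_ST_INIT line is
# taken from the traceback in this thread, the rest is illustrative.
CONSUMER_SOURCE = '''
from OpenSSL._util import lib as _lib

SSL_ST_INIT = _lib.SSL_ST_INIT
SSL_ST_MASK = _lib.SSL_ST_MASK

def state(ssl):
    return _lib.SSL_state(ssl)

def shutdown(ssl):
    return _lib.SSL_shutdown(ssl)
'''

class _LibUse(ast.NodeVisitor):
    """Collect `<alias>.<name>` reads, split by when they are evaluated."""
    def __init__(self, alias):
        self.alias, self.depth = alias, 0   # depth > 0: inside a function
        self.import_time, self.call_time = set(), set()

    def _function(self, node):
        # Approximation: defaults and decorators are counted as call time.
        self.depth += 1
        self.generic_visit(node)
        self.depth -= 1

    visit_FunctionDef = visit_AsyncFunctionDef = visit_Lambda = _function

    def visit_Attribute(self, node):
        if isinstance(node.value, ast.Name) and node.value.id == self.alias:
            (self.call_time if self.depth else self.import_time).add(node.attr)
        self.generic_visit(node)

def missing_symbols(source, lib, alias="_lib"):
    """Return names the consumer reads from `lib` that `lib` lacks."""
    use = _LibUse(alias)
    use.visit(ast.parse(source))
    absent = lambda names: sorted(n for n in names if not hasattr(lib, n))
    return {"import_time": absent(use.import_time),
            "call_time": absent(use.call_time)}

# Constructed stand-in for a rebuilt binding that dropped two symbols.
REBUILT_LIB = types.SimpleNamespace(SSL_ST_MASK=0x0FFF,
                                    SSL_shutdown=lambda ssl: 0)

if __name__ == "__main__":
    print(missing_symbols(CONSUMER_SOURCE, REBUILT_LIB))
```

An import-only smoke test of the consumer catches the `import_time` entries; the `call_time` entries surface only when the affected function runs, which is why they are reported separately.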



Bug#843631: AttributeError: 'module' object has no attribute 'SSL_ST_INIT'

2016-11-08 Thread George B.
affects 843631 ansible
thanks

Sorry for the paste indentation fail (the irony of this being a bug in
a python package is not lost on me...)

```
ERROR! Unexpected Exception: 'module' object has no attribute 'SSL_ST_INIT'
the full traceback was:

Traceback (most recent call last):
  File "/usr/bin/ansible-playbook", line 92, in <module>
    exit_code = cli.run()
  File "/usr/lib/python2.7/dist-packages/ansible/cli/playbook.py", line 154, in run
    results = pbex.run()
  File "/usr/lib/python2.7/dist-packages/ansible/executor/playbook_executor.py", line 81, in run
    self._tqm.load_callbacks()
  File "/usr/lib/python2.7/dist-packages/ansible/executor/task_queue_manager.py", line 171, in load_callbacks
    for callback_plugin in callback_loader.all(class_only=True):
  File "/usr/lib/python2.7/dist-packages/ansible/plugins/__init__.py", line 368, in all
    self._module_cache[path] = self._load_module_source(name, path)
  File "/usr/lib/python2.7/dist-packages/ansible/plugins/__init__.py", line 319, in _load_module_source
    module = imp.load_source(name, path, module_file)
  File "/usr/lib/python2.7/dist-packages/ansible/plugins/callback/hipchat.py", line 32, in <module>
    from ansible.module_utils.urls import open_url
  File "/usr/lib/python2.7/dist-packages/ansible/module_utils/urls.py", line 128, in <module>
    from urllib3.contrib.pyopenssl import ssl_wrap_socket
  File "/usr/lib/python2.7/dist-packages/urllib3/contrib/pyopenssl.py", line 54, in <module>
    import OpenSSL.SSL
  File "/usr/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 112, in <module>
    SSL_ST_INIT = _lib.SSL_ST_INIT
AttributeError: 'module' object has no attribute 'SSL_ST_INIT'
```


George



Bug#843631: AttributeError: 'module' object has no attribute 'SSL_ST_INIT'

2016-11-08 Thread George B.
Package: python-openssl
Version: 16.1.0-1
Severity: critical
Justification: breaks unrelated software

Hello,

I get the following exception when running my Ansible playbook. Looking
at the trace the error appears to be coming all the way from Python
OpenSSL library, so filing a bug here.

```
Traceback (most recent call last):
  File "/usr/bin/ansible-playbook", line 92, in <module>
    exit_code = cli.run()
  File "/usr/lib/python2.7/dist-packages/ansible/cli/playbook.py", line 154, in run
    results = pbex.run()
  File "/usr/lib/python2.7/dist-packages/ansible/executor/playbook_executor.py", line 81, in run
    self._tqm.load_callbacks()
  File "/usr/lib/python2.7/dist-packages/ansible/executor/task_queue_manager.py", line 171, in load_callbacks
    for callback_plugin in callback_loader.all(class_only=True):
  File "/usr/lib/python2.7/dist-packages/ansible/plugins/__init__.py", line 368, in all
    self._module_cache[path] = self._load_module_source(name, path)
  File "/usr/lib/python2.7/dist-packages/ansible/plugins/__init__.py", line 319, in _load_module_source
    module = imp.load_source(name, path, module_file)
  File "/usr/lib/python2.7/dist-packages/ansible/plugins/callback/hipchat.py", line 32, in <module>
    from ansible.module_utils.urls import open_url
  File "/usr/lib/python2.7/dist-packages/ansible/module_utils/urls.py", line 128, in <module>
    from urllib3.contrib.pyopenssl import ssl_wrap_socket
  File "/usr/lib/python2.7/dist-packages/urllib3/contrib/pyopenssl.py", line 54, in <module>
    import OpenSSL.SSL
  File "/usr/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 112, in <module>
    SSL_ST_INIT = _lib.SSL_ST_INIT
AttributeError: 'module' object has no attribute 'SSL_ST_INIT'
```


Best regards,

George

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python-openssl depends on:
ii  python-cryptography  1.5.3-1
ii  python-six   1.10.0-3
pn  python:any   

python-openssl recommends no packages.

Versions of packages python-openssl suggests:
pn  python-openssl-dbg  
pn  python-openssl-doc  

-- no debconf information