Pullup ticket #5223 - requested by sevan

security/py-crypto: security patch

Revisions pulled up:
- security/py-crypto/Makefile                                   1.40
- security/py-crypto/distinfo                                   1.13
- security/py-crypto/patches/patch-lib_Crypto_SelfTest_Cipher_common.py 1.2
- security/py-crypto/patches/patch-src_block_template.c         1.1

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   sevan
   Date:           Tue Mar  7 23:17:51 UTC 2017

   Modified Files:
           pkgsrc/security/py-crypto: Makefile distinfo
   Added Files:
           pkgsrc/security/py-crypto/patches:
               patch-lib_Crypto_SelfTest_Cipher_common.py
               patch-src_block_template.c

   Log Message:
   Patch CVE-2013-7459, obtained from:
   https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4
   Bump rev.

   Reviewed by: wiz


   To generate a diff of this commit:
   cvs rdiff -u -r1.39 -r1.40 pkgsrc/security/py-crypto/Makefile
   cvs rdiff -u -r1.11 -r1.12 pkgsrc/security/py-crypto/distinfo
   cvs rdiff -u -r0 -r1.1 \
       pkgsrc/security/py-crypto/patches/patch-lib_Crypto_SelfTest_Cipher_common.py \
       pkgsrc/security/py-crypto/patches/patch-src_block_template.c

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   sevan
   Date:           Wed Mar  8 01:09:00 UTC 2017

   Modified Files:
           pkgsrc/security/py-crypto: distinfo
           pkgsrc/security/py-crypto/patches:
               patch-lib_Crypto_SelfTest_Cipher_common.py

   Log Message:
   Tabs vs spaces!
   Unbreak with the Python 3 versions of the package.
   Heads up by Daniel Jakots.


   To generate a diff of this commit:
   cvs rdiff -u -r1.12 -r1.13 pkgsrc/security/py-crypto/distinfo
   cvs rdiff -u -r1.1 -r1.2 \
       pkgsrc/security/py-crypto/patches/patch-lib_Crypto_SelfTest_Cipher_common.py

4 files changed, 79 insertions, 3 deletions

diff --git a/security/py-crypto/Makefile b/security/py-crypto/Makefile
index e6a61d39d2b..b605b31955a 100644
--- a/security/py-crypto/Makefile
+++ b/security/py-crypto/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.36 2016/03/05 11:29:25 jperkin Exp $
+# $NetBSD: Makefile,v 1.36.8.1 2017/03/13 07:39:32 spz Exp $
 
 DISTNAME=	pycrypto-2.6.1
 PKGNAME=	${DISTNAME:S/^py/${PYPKGPREFIX}-/}
-PKGREVISION=	2
+PKGREVISION=	3
 CATEGORIES=	security python
 MASTER_SITES=	http://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/
 
diff --git a/security/py-crypto/distinfo b/security/py-crypto/distinfo
index 23a8bca0ea7..0c8ba346240 100644
--- a/security/py-crypto/distinfo
+++ b/security/py-crypto/distinfo
@@ -1,7 +1,9 @@
-$NetBSD: distinfo,v 1.11 2015/11/04 01:18:03 agc Exp $
+$NetBSD: distinfo,v 1.11.10.1 2017/03/13 07:39:32 spz Exp $
 
 SHA1 (pycrypto-2.6.1.tar.gz) = aeda3ed41caf1766409d4efc689b9ca30ad6aeb2
 RMD160 (pycrypto-2.6.1.tar.gz) = ac0db079e5e4be9daf739e094c10e96291dbc009
 SHA512 (pycrypto-2.6.1.tar.gz) = 20a4aed4dac4e9e61d773ebc1d48ea577e9870c33f396be53d075a9bf8487d93e75e200179882d81e452efd0f6751789bac434f6f431b3e7c1c8ef9dba392847
 Size (pycrypto-2.6.1.tar.gz) = 446240 bytes
 SHA1 (patch-ab) = 2c72b0e70fdebd2e62aff28284afd919e935de08
+SHA1 (patch-lib_Crypto_SelfTest_Cipher_common.py) = d505f84217614a5a0065addcebab46da15c204e7
+SHA1 (patch-src_block_template.c) = 646bb15e41290922c417a2104e401c82379e97dd
diff --git a/security/py-crypto/patches/patch-lib_Crypto_SelfTest_Cipher_common.py b/security/py-crypto/patches/patch-lib_Crypto_SelfTest_Cipher_common.py
new file mode 100644
index 00000000000..3661b6b3d84
--- /dev/null
+++ b/security/py-crypto/patches/patch-lib_Crypto_SelfTest_Cipher_common.py
@@ -0,0 +1,49 @@
+$NetBSD: patch-lib_Crypto_SelfTest_Cipher_common.py,v 1.2.2.2 2017/03/13 07:39:32 spz Exp $
+
+CVE-2013-7459 backport
+https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4
+
+--- lib/Crypto/SelfTest/Cipher/common.py.orig	2017-03-07 16:48:08.000000000 +0000
++++ lib/Crypto/SelfTest/Cipher/common.py
+@@ -239,19 +239,33 @@ class RoundtripTest(unittest.TestCase):
+         return """%s .decrypt() output of .encrypt() should not be garbled""" % (self.module_name,)
+ 
+     def runTest(self):
+-        for mode in (self.module.MODE_ECB, self.module.MODE_CBC, self.module.MODE_CFB, self.module.MODE_OFB, self.module.MODE_OPENPGP):
++        ## ECB mode
++        mode = self.module.MODE_ECB
++        encryption_cipher = self.module.new(a2b_hex(self.key), mode)
++        ciphertext = encryption_cipher.encrypt(self.plaintext)
++        decryption_cipher = self.module.new(a2b_hex(self.key), mode)
++        decrypted_plaintext = decryption_cipher.decrypt(ciphertext)
++        self.assertEqual(self.plaintext, decrypted_plaintext)
++
++        ## OPENPGP mode
++        mode = self.module.MODE_OPENPGP
++        encryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv)
++        eiv_ciphertext = encryption_cipher.encrypt(self.plaintext)
++        eiv = eiv_ciphertext[:self.module.block_size+2]
++        ciphertext = eiv_ciphertext[self.module.block_size+2:]
++        decryption_cipher = self.module.new(a2b_hex(self.key), mode, eiv)
++        decrypted_plaintext = decryption_cipher.decrypt(ciphertext)
++        self.assertEqual(self.plaintext, decrypted_plaintext)
++
++        ## All other non-AEAD modes (but CTR)
++        for mode in (self.module.MODE_CBC, self.module.MODE_CFB, self.module.MODE_OFB):
+             encryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv)
+             ciphertext = encryption_cipher.encrypt(self.plaintext)
+-            
+-            if mode != self.module.MODE_OPENPGP:
+-                decryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv)
+-            else:
+-                eiv = ciphertext[:self.module.block_size+2]
+-                ciphertext = ciphertext[self.module.block_size+2:]
+-                decryption_cipher = self.module.new(a2b_hex(self.key), mode, eiv)
++            decryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv)
+             decrypted_plaintext = decryption_cipher.decrypt(ciphertext)
+             self.assertEqual(self.plaintext, decrypted_plaintext)
+ 
++
+ class PGPTest(unittest.TestCase):
+     def __init__(self, module, params):
+         unittest.TestCase.__init__(self)
diff --git a/security/py-crypto/patches/patch-src_block_template.c b/security/py-crypto/patches/patch-src_block_template.c
new file mode 100644
index 00000000000..b33290629d9
--- /dev/null
+++ b/security/py-crypto/patches/patch-src_block_template.c
@@ -0,0 +1,25 @@
+$NetBSD: patch-src_block_template.c,v 1.1.2.2 2017/03/13 07:39:32 spz Exp $
+
+CVE-2013-7459 backport
+https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4
+
+--- src/block_template.c.orig	2017-03-07 16:58:09.000000000 +0000
++++ src/block_template.c
+@@ -170,6 +170,17 @@ ALGnew(PyObject *self, PyObject *args, P
+ 				"Key cannot be the null string");
+ 		return NULL;
+ 	}
++	if (IVlen != 0 && mode == MODE_ECB)
++	{
++		PyErr_Format(PyExc_ValueError, "ECB mode does not use IV");
++		return NULL;
++	}
++	if (IVlen != 0 && mode == MODE_CTR)
++	{
++		PyErr_Format(PyExc_ValueError,
++			"CTR mode needs counter parameter, not IV");
++		return NULL;
++	}
+ 	if (IVlen != BLOCK_SIZE && mode != MODE_ECB && mode != MODE_CTR)
+ 	{
+ 		PyErr_Format(PyExc_ValueError,