Hello community, here is the log from the commit of package perl-Crypt-CBC checked in at Thu Apr 3 01:49:33 CEST 2008. -------- --- perl-Crypt-CBC/perl-Crypt-CBC.changes 2007-10-08 09:44:41.000000000 +0200 +++ perl-Crypt-CBC/perl-Crypt-CBC.changes 2008-04-02 13:54:23.000000000 +0200 @@ -1,0 +2,17 @@ +Wed Apr 2 13:49:11 CEST 2008 - anicka@suse.cz + +- update to 2.28 + - Fixed bug in onesandzeroes test that causes it to fail + with Rijndael module is not installed. + - When taint mode is turned on and user is using a tainted key, + explicitly check tainting of key in order to avoid "cryptic" + failure messages from some crypt modules. + - Fixed onezeropadding test, which was not reporting + its test count properly. + - Fixed failure of oneandzeroes padding when plaintext size is + an even multiple of blocksize. + - Added new "rijndael_compat" padding method, which is compatible + with the oneandzeroes padding method used by Crypt::Rijndael in + CBC mode. + +------------------------------------------------------------------- Old: ---- Crypt-CBC-2.24.tar.bz2 New: ---- Crypt-CBC-2.28.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ perl-Crypt-CBC.spec ++++++ --- /var/tmp/diff_new_pack.Yh2351/_old 2008-04-03 01:48:22.000000000 +0200 +++ /var/tmp/diff_new_pack.Yh2351/_new 2008-04-03 01:48:22.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package perl-Crypt-CBC (Version 2.24) +# spec file for package perl-Crypt-CBC (Version 2.28) # -# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine # package are under the same license as the package itself. # 
@@ -10,10 +10,11 @@ # norootforbuild + Name: perl-Crypt-CBC Url: http://cpan.org/modules/by-module/Crypt/ BuildRequires: perl-Crypt-Blowfish perl-Crypt-DES -Version: 2.24 +Version: 2.28 Release: 1 Requires: perl-Crypt-Blowfish perl-Crypt-DES Requires: perl = %{perl_version} 
@@ -53,32 +54,47 @@ %{perl_vendorlib}/Crypt %{perl_vendorarch}/auto/Crypt /var/adm/perl-modules/%{name} + %changelog -* Mon Oct 08 2007 - anicka@suse.cz +* Wed Apr 02 2008 anicka@suse.cz +- update to 2.28 + - Fixed bug in onesandzeroes test that causes it to fail + with Rijndael module is not installed. + - When taint mode is turned on and user is using a tainted key, + explicitly check tainting of key in order to avoid "cryptic" + failure messages from some crypt modules. + - Fixed onezeropadding test, which was not reporting + its test count properly. + - Fixed failure of oneandzeroes padding when plaintext size is + an even multiple of blocksize. + - Added new "rijndael_compat" padding method, which is compatible + with the oneandzeroes padding method used by Crypt::Rijndael in + CBC mode. +* Mon Oct 08 2007 anicka@suse.cz - update to 2.24 * Fixed failure to run under taint checks with Crypt::Rijndael or Crypt::OpenSSL::AES (and maybe other Crypt modules). * Added checks for other implementations of CBC which add no standard padding at all when cipher text is an even multiple of the block size. -* Tue Dec 12 2006 - anicka@suse.cz +* Tue Dec 12 2006 anicka@suse.cz - update to 2.22 * Fixed bug in which plaintext encrypted with the -literal_key option could not be decrypted using a new object created with the same -literal_key. * Added documentation confirming that -literal_key must be accompanied by a -header of 'none' and a manually specificied IV. -* Thu Oct 19 2006 - anicka@suse.cz +* Thu Oct 19 2006 anicka@suse.cz - update to 2.21 * Fixed bug in which new() failed to work when first option is -literal_key. * Added ability to pass a preinitialized Crypt::* block cipher object instead of the class name. 
-* Thu Sep 14 2006 - anicka@suse.cz +* Thu Sep 14 2006 anicka@suse.cz - update to 2.19 * Renamed Crypt::CBC-2.16-vulnerability.txt so that package installs correctly under Cygwin -* Fri Jul 14 2006 - anicka@suse.cz +* Fri Jul 14 2006 anicka@suse.cz - update to 2.18 * added lots of documentation * fixed using 8 byte IVs when generating the old-style RandomIV @@ -86,24 +102,24 @@ * versions 2.17 and higher will not decrypt messages encrypted with versions 2.16 and lower unless you pass an optional value 'randomiv' to the new() call -* Wed Apr 05 2006 - schubi@suse.de +* Wed Apr 05 2006 schubi@suse.de - Bug 153627 - VUL-0: perl-Crypt-CBC: ciphertext weakness when using certain block algorithms -* Wed Jan 25 2006 - mls@suse.de +* Wed Jan 25 2006 mls@suse.de - converted neededforbuild to BuildRequires -* Mon Jul 11 2005 - schubi@suse.de +* Mon Jul 11 2005 schubi@suse.de - update to 2.14 -* Fri Apr 15 2005 - schubi@suse.de +* Fri Apr 15 2005 schubi@suse.de - update to 2.12 -* Sun Jan 11 2004 - adrian@suse.de +* Sun Jan 11 2004 adrian@suse.de - build as user -* Fri Aug 22 2003 - mjancar@suse.cz +* Fri Aug 22 2003 mjancar@suse.cz - require the perl version we build with -* Fri Jul 18 2003 - choeger@suse.de +* Fri Jul 18 2003 choeger@suse.de - use install_vendor and new %%perl_process_packlist macro -* Tue Jun 17 2003 - choeger@suse.de +* Tue Jun 17 2003 choeger@suse.de - updated filelist - update to version 2.08 -* Mon May 19 2003 - choeger#@suse.de +* Mon May 19 2003 choeger#@suse.de - remove installed (but unpackaged) file perllocal.pod -* Wed Aug 14 2002 - choeger@suse.de +* Wed Aug 14 2002 choeger@suse.de - new package, version 2.07 ++++++ Crypt-CBC-2.24.tar.bz2 -> Crypt-CBC-2.28.tar.bz2 ++++++ diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/Crypt-CBC-2.24/CBC.pm new/Crypt-CBC-2.28/CBC.pm --- old/Crypt-CBC-2.24/CBC.pm 2007-09-28 17:20:59.000000000 +0200 +++ new/Crypt-CBC-2.28/CBC.pm 2008-03-31 16:46:18.000000000 +0200 
@@ -4,7 +4,7 @@ use Carp; use strict; use vars qw($VERSION); -$VERSION = '2.24'; +$VERSION = '2.28'; use constant RANDOM_DEVICE => '/dev/urandom'; @@ -116,24 +116,29 @@ unless ($rbs == $bs); } } else { - $padding = $padding eq 'null' ? \&_null_padding - :$padding eq 'space' ? \&_space_padding - :$padding eq 'oneandzeroes' ? \&_oneandzeroes_padding - :$padding eq 'standard' ? \&_standard_padding + $padding = $padding eq 'null' ? \&_null_padding + :$padding eq 'space' ? \&_space_padding + :$padding eq 'oneandzeroes' ? \&_oneandzeroes_padding + :$padding eq 'rijndael_compat'? \&_rijndael_compat + :$padding eq 'standard' ? \&_standard_padding :croak "'$padding' padding not supported. See perldoc Crypt::CBC for instructions on creating your own."; } # CONSISTENCY CHECKS # HEADER consistency if ($header_mode eq 'salt') { - croak "Cannot use salt-based key generation if literal key is specified" if $options->{literal_key}; - croak "Cannot use salt-based IV generation if literal IV is specified" if exists $options->{iv}; + croak "Cannot use salt-based key generation if literal key is specified" + if $options->{literal_key}; + croak "Cannot use salt-based IV generation if literal IV is specified" + if exists $options->{iv}; } elsif ($header_mode eq 'randomiv') { - croak "Cannot encrypt using a non-8 byte blocksize cipher when using randomiv header mode" unless $bs == 8 || $legacy_hack; + croak "Cannot encrypt using a non-8 byte blocksize cipher when using randomiv header mode" + unless $bs == 8 || $legacy_hack; } elsif ($header_mode eq 'none') { - croak "You must provide an initialization vector using -iv when using -header=>'none'" unless exists $options->{iv}; + croak "You must provide an initialization vector using -iv when using -header=>'none'" + unless exists $options->{iv}; } # KEYSIZE consistency 
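Review bot: In the `@@ -116,24 +116,29 @@` hunk of CBC.pm, `rijndael_compat` is accepted for any cipher, although the POD added in this update describes it as being for Crypt::Rijndael compatibility only, with 16-byte blocks. Nothing in the CONSISTENCY CHECKS that follow rejects it for other block sizes, so the restriction is enforced only later, per call, by the size check added in the next hunk. If the restriction is intended, a construction-time check next to the header checks would fail earlier, e.g. `croak "rijndael_compat padding requires a 16-byte block cipher" if $padding == \&_rijndael_compat && $bs != 16;`. The enclosing sub starts and ends outside the hunk, so confirm that `$bs` is final at this point.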
@@ -222,6 +227,10 @@ my $bs = $self->{'blocksize'}; + croak "When using rijndael_compat padding, plaintext size must be a multiple of $bs" + if $self->{'padding'} eq \&_rijndael_compat + and length($data) % $bs; + return $result unless (length($self->{'buffer'}) >= $bs); my @blocks = unpack("a$bs "x(int(length($self->{'buffer'})/$bs)) . "a*", $self->{'buffer'}); @@ -364,12 +373,34 @@ croak "key and/or iv are missing" unless defined $self->{key} && defined $self->{civ}; + $self->_taintcheck($self->{key}); $self->{crypt} = ref $self->{cipher} ? $self->{cipher} : $self->{cipher}->new($self->{key}) or croak "Could not create $self->{cipher} object: $@"; return $result; } +sub _taintcheck { + my $self = shift; + my $key = shift; + return unless ${^TAINT}; + + my $has_scalar_util = eval "require Scalar::Util; 1"; + my $tainted; + + if ($has_scalar_util) { + $tainted = Scalar::Util::tainted($key); + } else { + local($@, $SIG{__DIE__}, $SIG{__WARN__}); + local $^W = 0; + eval { kill 0 * $key }; + $tainted = $@ =~ /^Insecure/; + } + + croak "Taint checks are turned on and your key is tainted. Please untaint the key and try again" + if $tainted; +} + sub _key_from_key { my $self = shift; my $pass = shift; @@ -468,7 +499,6 @@ sub _oneandzeroes_padding ($$$) { my ($b,$bs,$decrypt) = @_; - return unless length $b; $b = length $b ? $b : ''; if ($decrypt eq 'd') { my $hex = unpack("H*", $b); @@ -478,6 +508,17 @@ return $b . pack("C*", 128, (0) x ($bs - length($b) % $bs - 1) ); } +sub _rijndael_compat ($$$) { + my ($b,$bs,$decrypt) = @_; + return unless length $b; + if ($decrypt eq 'd') { + my $hex = unpack("H*", $b); + $hex =~ s/80*$//s; + return pack("H*", $hex); + } + return $b . pack("C*", 128, (0) x ($bs - length($b) % $bs - 1) ); +} + sub get_initialization_vector (\$) { my $self = shift; $self->iv(); 
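Review bot: The `croak` added in the `@@ -222,6 +227,10 @@` hunk tests `length($data) % $bs` on each call, not on the message as a whole, so a caller who feeds the object in arbitrary-sized chunks is rejected even when the total is block-aligned. It also appears to run on the decrypt path, where the wording "plaintext size" would mislead. If chunked use is meant to work, the test belongs where the final buffer is padded, or should use the accumulated length. Comparing code references with `eq` works but stringifies both sides; the usual form is `if $self->{'padding'} == \&_rijndael_compat and length($data) % $bs;`. The enclosing sub starts and ends outside the hunk, so `$data` being the per-call argument is inferred.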
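Review bot: `_taintcheck` leaves `$@` modified for its caller, because the string `eval "require Scalar::Util; 1"` runs before the `local($@, ...)` in the fallback branch. When Scalar::Util is missing, the stale "Can't locate" text survives the sub and can appear in the `Could not create $self->{cipher} object: $@` message that follows the call. Localising at the top and using a block eval avoids both that and the string eval: `local $@;` followed by `my $has_scalar_util = eval { require Scalar::Util; 1 };`. The check also runs when `$self->{cipher}` is already an object and the key is never handed to `new()`, so confirm that croaking in that case is intended. A short comment above the sub, saying that it croaks on a tainted key and otherwise returns nothing, would help.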
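Review bot: In the decrypt branch of the new `_rijndael_compat`, `$hex =~ s/80*$//s` matches hex digits rather than bytes. This method adds no padding to a block-aligned message (`return unless length $b`), so a final block that legitimately ends in a byte such as 0x08 or 0x18 loses its last nibble, and `pack("H*")` then rewrites that byte; genuine trailing 0x80/0x00 bytes are dropped as well. The byte-level form `$b =~ s/\x80\0*\z//;` followed by `return $b;` removes the first problem. The second is inherent to the scheme and is presumably the "caveats" mentioned in the POD, which should name it. All of this assumes the decrypt path calls the padding callback on the last block unconditionally, which the hunk does not show.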
@@ -628,8 +669,9 @@ 'randomiv' -- Randomiv-compatible "RandomIV" header 'none' -- prepend no header at all - -padding The padding method, one of "standard", "space", - "onesandzeroes", or "null". (default "standard") + -padding The padding method, one of "standard" (default), + "space", "oneandzeroes", "rijndael_compat", + or "null" (default "standard"). -literal_key If true, the key provided by "key" is used directly for encryption/decryption. Otherwise the actual @@ -925,7 +967,7 @@ When the last block of plaintext is shorter than the block size, it must be padded. Padding methods include: "standard" (i.e., PKCS#5), -"oneandzeroes", "space", and "null". +"oneandzeroes", "space", "rijndael_compat" and "null". standard: (default) Binary safe pads with the number of bytes that should be truncated. So, if @@ -938,14 +980,21 @@ block. If the last block is a full block and blocksize is 8, a block of "8000000000000000" will be appended. + rijndael_compat: Binary safe, with caveats + similar to oneandzeroes, except that no padding is performed if + the last block is a full block. This is provided for + compatibility with Crypt::Rijndael only and can only be used + with messages that are a multiple of the Rijndael blocksize + of 16 bytes. + null: text only pads with as many "00" necessary to fill the block. If the last - block is a full block and blocksize is 8, a block of + block is a full block and blocksize is 8, a block of "0000000000000000" will be appended. space: text only same as "null", but with "20". - + Both the standard and oneandzeroes paddings are binary safe. The space and null paddings are recommended only for text data. Which type of padding you use depends on whether you wish to communicate diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/Crypt-CBC-2.24/Changes new/Crypt-CBC-2.28/Changes --- old/Crypt-CBC-2.24/Changes 2007-09-28 17:22:43.000000000 +0200 +++ new/Crypt-CBC-2.28/Changes 2008-03-31 16:46:59.000000000 +0200 
@@ -1,4 +1,24 @@ Revision history for Perl extension Crypt::CBC. +2.28 Mon Mar 31 10:46:25 EDT 2008 + - Fixed bug in onesandzeroes test that causes it to fail with Rijndael module + is not installed. + +2.27 Fri Mar 28 10:13:32 EDT 2008 + - When taint mode is turned on and user is using a tainted key, explicitly check + tainting of key in order to avoid "cryptic" failure messages from some crypt + modules. + +2.26 Thu Mar 20 16:41:23 EDT 2008 + - Fixed onezeropadding test, which was not reporting its test count + properly. + +2.25 Fri Jan 11 15:26:27 EST 2008 + - Fixed failure of oneandzeroes padding when plaintext size is + an even multiple of blocksize. + - Added new "rijndael_compat" padding method, which is compatible + with the oneandzeroes padding method used by Crypt::Rijndael in + CBC mode. + 2.24 Fri Sep 28 11:21:07 EDT 2007 - Fixed failure to run under taint checks with Crypt::Rijndael or Crypt::OpenSSL::AES (and maybe other Crypt modules). See diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/Crypt-CBC-2.24/MANIFEST new/Crypt-CBC-2.28/MANIFEST --- old/Crypt-CBC-2.24/MANIFEST 2006-08-13 04:32:38.000000000 +0200 +++ new/Crypt-CBC-2.28/MANIFEST 2008-03-28 15:16:08.000000000 +0100 @@ -4,7 +4,6 @@ META.yml Module meta-data (added by MakeMaker) Makefile.PL README -README.compatibility Crypt-CBC-2.16-vulnerability.txt eg/aes.pl eg/des.pl @@ -16,6 +15,7 @@ t/IDEA.t t/PCBC.t t/Rijndael.t +t/onezeropadding.t t/Rijndael_compat.t t/func.t t/null_data.t diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/Crypt-CBC-2.24/META.yml new/Crypt-CBC-2.28/META.yml --- old/Crypt-CBC-2.24/META.yml 2007-09-28 17:24:59.000000000 +0200 +++ new/Crypt-CBC-2.28/META.yml 2008-03-31 16:56:08.000000000 +0200 
@@ -1,12 +1,11 @@ ---- #YAML:1.0 -name: Crypt-CBC -version: 2.24 -abstract: ~ -license: ~ -generated_by: ExtUtils::MakeMaker version 6.32 -distribution_type: module -requires: +# http://module-build.sourceforge.net/META-spec.html +#XXXXXXX This is a prototype!!! It will change in the future!!! XXXXX# +name: Crypt-CBC +version: 2.28 +version_from: CBC.pm +installdirs: site +requires: Digest::MD5: 2.00 -meta-spec: - url: http://module-build.sourceforge.net/META-spec-v1.2.html - version: 1.2 + +distribution_type: module +generated_by: ExtUtils::MakeMaker version 6.30_01 diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/Crypt-CBC-2.24/README.compatibility new/Crypt-CBC-2.28/README.compatibility --- old/Crypt-CBC-2.24/README.compatibility 2006-06-07 01:15:10.000000000 +0200 +++ new/Crypt-CBC-2.28/README.compatibility 1970-01-01 01:00:00.000000000 +0100 
@@ -1,44 +0,0 @@ -Compatibility Notes -------------------- - -Crypt::CBC version 2.17 and higher contains changes designed to make -encrypted messages more secure. In particular, Crypt::CBC now works -correctly with ciphers that use block sizes greater than 8 bytes, -which includes Rijndael, the basis for the AES encryption system. It -also interoperates seamlessly with the OpenSSL library. Unfortunately, -these changes break compatibility with messages encrypted with -versions 2.16 and lower. - -To successfully decrypt messages encrypted with Crypt::CBC 2.16 and -lower, follow these steps: - -1) Pass Crypt::CBC->new() the option -header=>'randomiv'. Example: - - my $cbc = Crypt::CBC->new(-key => $key, - -cipher => 'Blowfish', - -header => 'randomiv'); - -This tells Crypt::CBC to decrypt messages using the legacy "randomiv" -style header rather than the default SSL-compatible "salt" style -header. - -2) If the legacy messages were encrypted using Rijndael, also pass -Crypt::CBC the -insecure_legacy_decrypt=>1 option: - - my $cbc = Crypt::CBC->new(-key => $key, - -cipher => 'Rijndael', - -header => 'randomiv', - -insecure_legacy_decrypt => 1 ); - - -This tells Crypt::CBC to allow you to decrypt Rijndael messages that -were incorrectly encrypted by pre-2.17 versions. It is important to -realize that Rijndael messages encrypted by version 2.16 and lower -*ARE NOT SECURE*. New versions of Crypt::CBC will refuse to encrypt -Rijndael messages in a way that is backward compatible with 2.16 and -lower. - -I apologize for any inconvenience this causes. - -Lincoln Stein -Spring 2006 diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/Crypt-CBC-2.24/t/null_data.t new/Crypt-CBC-2.28/t/null_data.t --- old/Crypt-CBC-2.24/t/null_data.t 2006-01-10 00:34:34.000000000 +0100 +++ new/Crypt-CBC-2.28/t/null_data.t 2008-01-11 21:15:37.000000000 +0100 
@@ -40,8 +40,8 @@ for my $mod (@in) { for my $pad (@pads) { - my $cipher = Crypt::CBC->new(-key => 'secret', - -cipher => $mod, + my $cipher = Crypt::CBC->new(-key => 'secret', + -cipher => $mod, -padding => $pad, ); for my $length (1..128) { diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/Crypt-CBC-2.24/t/onezeropadding.t new/Crypt-CBC-2.28/t/onezeropadding.t --- old/Crypt-CBC-2.24/t/onezeropadding.t 1970-01-01 01:00:00.000000000 +0100 +++ new/Crypt-CBC-2.28/t/onezeropadding.t 2008-03-31 16:45:58.000000000 +0200 @@ -0,0 +1,50 @@ +#!/usr/local/bin/perl + +use lib '..','../blib/lib','.','./blib/lib'; + +my (@mods,@pads,@in,$tnum); + +@mods = qw/Rijndael + Blowfish + Blowfish_PP + IDEA + DES + /; + +for $mod (@mods) { + eval "use Crypt::$mod(); 1" && push @in,$mod; +} + +unless ($#in > -1) { + print "1..0 # Skipped: no cryptographic modules found\n"; + exit; +} else { + print "1..2\n"; +} + +sub test { + local($^W) = 0; + my($num, $true,$msg) = @_; + $$num++; + print($true ? "ok $$num\n" : "not ok $$num $msg\n"); +} + +$tnum = 0; + +eval "use Crypt::CBC"; +print STDERR "using Crypt\:\:$in[0] for testing\n"; +test(\$tnum,!$@,"Couldn't load module"); + + +my $cipher = Crypt::CBC->new( + -key => 'aaab', + -cipher => $in[0], + -padding => "oneandzeroes", +); +my $string = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX'; + +my $work = $cipher->encrypt($string); #Encrypt string +my $plain = $cipher->decrypt($work); #...and decrypt + +test(\$tnum,$string eq $plain,"oneandzeroes padding not working\n"); + diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/Crypt-CBC-2.24/t/Rijndael_compat.t new/Crypt-CBC-2.28/t/Rijndael_compat.t --- old/Crypt-CBC-2.24/t/Rijndael_compat.t 2006-01-10 00:43:20.000000000 +0100 +++ new/Crypt-CBC-2.28/t/Rijndael_compat.t 2008-01-11 21:12:26.000000000 +0100 
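Review bot: The new t/onezeropadding.t checks one fixed-length string against whichever cipher happens to load first (`$in[0]`), so the block-aligned case fixed in 2.25 is exercised only when that length is a multiple of the selected cipher's block size (16 for Rijndael, 8 for the others listed). Looping over a range of lengths, as the `for my $length (1..128)` loop in t/null_data.t does, and over every module in `@in` would make the regression test independent of what is installed; the `1..2` plan line would then have to be computed to match. The script also runs without `use strict`, and `for $mod (@mods)` uses an undeclared global; `for my $mod (@mods)` is enough to fix that.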
@@ -48,7 +48,7 @@ -iv => 'f' x $bs, -literal_key => 1, -header => 'none', - -padding => 'oneandzeroes' + -padding => 'rijndael_compat', ), "Couldn't create new object"); test(3,$j = Crypt::Rijndael->new('a' x $ks, Crypt::Rijndael->MODE_CBC), ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org