From 3e65ed0189bafe21d83dad3361a86b68b3dcb885 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Thu, 7 Feb 2019 15:35:38 -0500
Subject: [PATCH] Workaround wheezy limitations

Debian wheezy is just too old to easily work with, for that platform, use the more amenable cryptodomex library.

Change-Id: Ic21d9784158d9d3f529d8c17dbe60a49f244cc7c
---
 builddeb | 7 +++++
 wheezy.patch | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 86 insertions(+)
 create mode 100644 wheezy.patch

diff --git a/builddeb b/builddeb
index 38c5fbf4..6abb985a 100755
--- a/builddeb
+++ b/builddeb
@@ -1,5 +1,12 @@
 #!/bin/bash
 cd `dirname $0`
+mkdir -p /tmp/pyghmi
+cp -a * /tmp/pyghmi
+cd /tmp/pyghmi
+if grep wheezy /etc/os-release; then
+ # wheezy is difficult on pyca, use cryptodomex for that platform
+ patch -p1 < wheezy.patch
+fi
 # If not PBR, use the setup.py.tmpl
 python -c 'import pbr' || ./makesetup
 VERSION=`python setup.py --version`
diff --git a/wheezy.patch b/wheezy.patch
new file mode 100644
index 00000000..73e08b79
--- /dev/null
+++ b/wheezy.patch
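Review bot: The builddeb hunk stages the source in the fixed path `/tmp/pyghmi`, which any local user can create first or seed with symlinks in a world-writable `/tmp`, so the tree that gets packaged may not be the tree that was copied, and leftovers from an earlier run are picked up too. A private directory avoids this: `builddir=$(mktemp -d) || exit 1`, copy into it, then `cd "$builddir" || exit 1`. The result of `patch` is also unchecked, so on wheezy a failed patch still goes on to build with the original cryptography imports; `patch -p1 < wheezy.patch || exit 1` would stop the build there. The rest of the script continues outside the hunk.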
@@ -0,0 +1,79 @@
+diff --git a/lower-constraints.txt b/lower-constraints.txt
+index a02749a..1741a51 100644
+--- a/lower-constraints.txt
++++ b/lower-constraints.txt
+@@ -1,5 +1,4 @@
+ coverage===4.0
+-cryptography===2.1
+ fixtures===3.0.0
+ openstackdocstheme==1.18.1
+ oslotest===3.2.0
+diff --git a/pyghmi/ipmi/private/session.py b/pyghmi/ipmi/private/session.py
+index 0cd2043..c31020d 100644
+--- a/pyghmi/ipmi/private/session.py
++++ b/pyghmi/ipmi/private/session.py
+@@ -28,8 +28,8 @@ import struct
+ import threading
+
+
+-from cryptography.hazmat.backends import default_backend
+-from cryptography.hazmat.primitives.ciphers import algorithms, Cipher, modes
++from Cryptodome.Cipher import AES
++
+
+ import pyghmi.exceptions as exc
+ from pyghmi.ipmi.private import constants
+@@ -309,10 +309,6 @@ class Session(object):
+ # can do something like reassign our threading and select modules
+ socketchecking = None
+
+- # Maintain single Cryptography backend for all IPMI sessions (seems to be
+- # thread-safe)
+- _crypto_backend = default_backend()
+-
+ @classmethod
+ def _cleanup(cls):
+ for sesskey in list(cls.bmc_handlers):
+@@ -872,14 +868,9 @@ class Session(object):
+ iv = os.urandom(16)
+ message += iv
+ payloadtocrypt = bytes(payload + _aespad(payload))
+- crypter = Cipher(
+- algorithm=algorithms.AES(self.aeskey),
+- mode=modes.CBC(iv),
+- backend=self._crypto_backend
+- )
+- encryptor = crypter.encryptor()
+- message += encryptor.update(payloadtocrypt
+- ) + encryptor.finalize()
++ crypter = AES.new(self.aeskey, AES.MODE_CBC, iv)
++ crypted = crypter.encrypt(payloadtocrypt)
++ message += crypted
+ else: # no confidetiality algorithm
+ message.append(psize & 0xff)
+ message.append(psize >> 8)
+@@ -1367,14 +1358,9 @@ class Session(object):
+ payload = data[16:16 + psize]
+ if encrypted:
+ iv = data[16:32]
+- crypter = Cipher(
+- algorithm=algorithms.AES(self.aeskey),
+- mode=modes.CBC(bytes(iv)),
+- backend=self._crypto_backend
+- )
+- decryptor = crypter.decryptor()
+- payload = bytearray(decryptor.update(bytes(payload[16:])
+- ) + decryptor.finalize())
++ decrypter = AES.new(self.aeskey, AES.MODE_CBC, iv)
++ decrypted = decrypter.decrypt(payload[16:])
++ payload = decrypted
+ padsize = payload[-1] + 1
+ payload = payload[:-padsize]
+ if ptype == 0:
+diff --git a/requirements.txt b/requirements.txt
+index 1fb58a9..26ff921 100644
+--- a/requirements.txt
++++ b/requirements.txt
+@@ -1 +1 @@
+-cryptography>=2.1 # BSD/Apache-2.0
++pycryptodomex>=2.6
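Review bot: In the decrypt hunk of session.py the replacement lines drop the conversions the removed code had: `iv` and `payload[16:]` reach Cryptodome without `bytes(...)`, and the result is assigned without `bytearray(...)`. The unchanged next line, `padsize = payload[-1] + 1`, needs an integer element; if `decrypt` returns a byte string, as it would on a Python 2 interpreter (presumably what wheezy ships), that addition raises TypeError and every encrypted response fails to parse. Keeping the old shape avoids this: `decrypter = AES.new(self.aeskey, AES.MODE_CBC, bytes(iv))` and `payload = bytearray(decrypter.decrypt(bytes(payload[16:])))`. Separately, lower-constraints.txt loses its `cryptography` pin without gaining one for `pycryptodomex`. The enclosing method starts and ends outside the hunk, so the type of `data` is inferred from the removed lines.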