r8014 - in /branches/upstream/libcrypt-cbc-perl/current: CBC.pm Changes META.yml README.compatibility

gregoa-guest at users.alioth.debian.org
Sat Sep 29 11:56:28 UTC 2007


Author: gregoa-guest
Date: Sat Sep 29 11:56:28 2007
New Revision: 8014

URL: http://svn.debian.org/wsvn/?sc=1&rev=8014
Log:
[svn-upgrade] Integrating new upstream version, libcrypt-cbc-perl (2.24)

Modified:
    branches/upstream/libcrypt-cbc-perl/current/CBC.pm
    branches/upstream/libcrypt-cbc-perl/current/Changes
    branches/upstream/libcrypt-cbc-perl/current/META.yml
    branches/upstream/libcrypt-cbc-perl/current/README.compatibility

Modified: branches/upstream/libcrypt-cbc-perl/current/CBC.pm
URL: http://svn.debian.org/wsvn/branches/upstream/libcrypt-cbc-perl/current/CBC.pm?rev=8014&op=diff
==============================================================================
--- branches/upstream/libcrypt-cbc-perl/current/CBC.pm (original)
+++ branches/upstream/libcrypt-cbc-perl/current/CBC.pm Sat Sep 29 11:56:28 2007
@@ -4,7 +4,7 @@
 use Carp;
 use strict;
 use vars qw($VERSION);
-$VERSION = '2.22';
+$VERSION = '2.24';
 
 use constant RANDOM_DEVICE => '/dev/urandom';
 
@@ -422,15 +422,23 @@
   } else {
     $result = pack("C*",map {rand(256)} 1..$length);
   }
-  $result;
+  # Clear taint and check length
+  $result =~ /^(.{$length})$/s or croak "Invalid length while gathering $length randim bytes";
+  return $1;
 }
 
 sub _standard_padding ($$$) {
   my ($b,$bs,$decrypt) = @_;
   $b = length $b ? $b : '';
   if ($decrypt eq 'd') {
-     substr($b, -unpack("C",substr($b,-1)))='';
-     return $b;
+    my $pad_length = unpack("C",substr($b,-1));
+
+    # sanity check for implementations that don't pad correctly
+    return $b unless $pad_length >= 0 && $pad_length <= $bs;
+    my @pad_chars = unpack("C*",substr($b,-$pad_length));
+    return $b if grep {$pad_length != $_} @pad_chars;
+
+    return substr($b,0,$bs-$pad_length);
   }
   my $pad = $bs - length($b) % $bs;
   return $b . pack("C*",($pad)x$pad);
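Review bot: In the decrypt branch of _standard_padding, the `$pad_length >= 0` bound is always true because unpack("C") yields 0..255, so a final byte of 0 passes the range check; valid padding is 1..$bs, so the lower bound should be 1. The final `substr($b,0,$bs-$pad_length)` also assumes length($b) == $bs, where the removed code stripped from the end of whatever it was given; `substr($b,0,length($b)-$pad_length)` keeps that property. Both early `return $b` paths hand a malformed final block back as plaintext with no signal to the caller, and a block from a non-padding peer that happens to end in a valid-looking pad run is still truncated, so the check is a heuristic and deserves a comment saying so. Separately, the croak message in the random-bytes change spells "randim" for "random".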

Modified: branches/upstream/libcrypt-cbc-perl/current/Changes
URL: http://svn.debian.org/wsvn/branches/upstream/libcrypt-cbc-perl/current/Changes?rev=8014&op=diff
==============================================================================
--- branches/upstream/libcrypt-cbc-perl/current/Changes (original)
+++ branches/upstream/libcrypt-cbc-perl/current/Changes Sat Sep 29 11:56:28 2007
@@ -1,4 +1,14 @@
 Revision history for Perl extension Crypt::CBC.
+2.24	Fri Sep 28 11:21:07 EDT 2007
+	- Fixed failure to run under taint checks with Crypt::Rijndael
+	or Crypt::OpenSSL::AES (and maybe other Crypt modules). See 
+	http://rt.cpan.org/Public/Bug/Display.html?id=29646.
+
+2.23	Fri Apr 13 14:50:21 EDT 2007
+	- Added checks for other implementations of CBC which add no
+	standard padding at all when cipher text is an even multiple
+	of the block size.
+
 2.22	Sun Oct 29 16:50:32 EST 2006
 	- Fixed bug in which plaintext encrypted with the -literal_key
 	option could not be decrypted using a new object created with
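Review bot: The 2.23 entry describes the padding change only as added checks and does not say that a final block failing the check is now returned to the caller unmodified instead of being stripped. One more line stating that would tell users that decrypted output can carry the trailing bytes of a malformed or unpadded message.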

Modified: branches/upstream/libcrypt-cbc-perl/current/META.yml
URL: http://svn.debian.org/wsvn/branches/upstream/libcrypt-cbc-perl/current/META.yml?rev=8014&op=diff
==============================================================================
--- branches/upstream/libcrypt-cbc-perl/current/META.yml (original)
+++ branches/upstream/libcrypt-cbc-perl/current/META.yml Sat Sep 29 11:56:28 2007
@@ -1,11 +1,12 @@
-# http://module-build.sourceforge.net/META-spec.html
-#XXXXXXX This is a prototype!!!  It will change in the future!!! XXXXX#
-name:         Crypt-CBC
-version:      2.22
-version_from: CBC.pm
-installdirs:  site
-requires:
+--- #YAML:1.0
+name:                Crypt-CBC
+version:             2.24
+abstract:            ~
+license:             ~
+generated_by:        ExtUtils::MakeMaker version 6.32
+distribution_type:   module
+requires:     
     Digest::MD5:                   2.00
-
-distribution_type: module
-generated_by: ExtUtils::MakeMaker version 6.17
+meta-spec:
+    url:     http://module-build.sourceforge.net/META-spec-v1.2.html
+    version: 1.2
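Review bot: `abstract: ~` and `license: ~` are both null in the regenerated META.yml, so the distribution metadata states neither a license nor a description. Because the file is generated by ExtUtils::MakeMaker, the fix belongs in Makefile.PL (ABSTRACT_FROM and LICENSE in WriteMakefile) rather than in a hand edit here. The `requires:` line also gained trailing whitespace.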

Modified: branches/upstream/libcrypt-cbc-perl/current/README.compatibility
URL: http://svn.debian.org/wsvn/branches/upstream/libcrypt-cbc-perl/current/README.compatibility?rev=8014&op=diff
==============================================================================
--- branches/upstream/libcrypt-cbc-perl/current/README.compatibility (original)
+++ branches/upstream/libcrypt-cbc-perl/current/README.compatibility Sat Sep 29 11:56:28 2007
@@ -1,0 +1,44 @@
+Compatibility Notes
+-------------------
+
+Crypt::CBC version 2.17 and higher contains changes designed to make
+encrypted messages more secure. In particular, Crypt::CBC now works
+correctly with ciphers that use block sizes greater than 8 bytes,
+which includes Rijndael, the basis for the AES encryption system. It
+also interoperates seamlessly with the OpenSSL library. Unfortunately,
+these changes break compatibility with messages encrypted with
+versions 2.16 and lower.
+
+To successfully decrypt messages encrypted with Crypt::CBC 2.16 and
+lower, follow these steps:
+
+1) Pass Crypt::CBC->new() the option -header=>'randomiv'. Example:
+
+ my $cbc = Crypt::CBC->new(-key     => $key,
+                           -cipher  => 'Blowfish',
+			   -header  => 'randomiv');
+
+This tells Crypt::CBC to decrypt messages using the legacy "randomiv"
+style header rather than the default SSL-compatible "salt" style
+header.
+
+2) If the legacy messages were encrypted using Rijndael, also pass
+Crypt::CBC the -insecure_legacy_decrypt=>1 option:
+
+ my $cbc = Crypt::CBC->new(-key                     => $key,
+                           -cipher                  => 'Rijndael',
+			   -header                  => 'randomiv',
+                           -insecure_legacy_decrypt => 1 );
+
+
+This tells Crypt::CBC to allow you to decrypt Rijndael messages that
+were incorrectly encrypted by pre-2.17 versions. It is important to
+realize that Rijndael messages encrypted by version 2.16 and lower
+*ARE NOT SECURE*. New versions of Crypt::CBC will refuse to encrypt
+Rijndael messages in a way that is backward compatible with 2.16 and
+lower.
+
+I apologize for any inconvenience this causes.
+
+Lincoln Stein
+Spring 2006
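Review bot: Step 2 documents -insecure_legacy_decrypt and states that Rijndael messages from 2.16 and lower "ARE NOT SECURE", but the procedure stops at decryption and says neither what was wrong with those messages nor what to do with the recovered plaintext. A third step telling users to re-encrypt with a new object that uses the default "salt" header, and to drop the legacy options afterwards, would close that gap. The two examples also mix a tab with spaces on the -header line, which misaligns them in most viewers.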



