glance/patches/01-nopycrypto.patch

	01-nopycrypto.patch revision 2605
In-house removal of PyCrypto dependency in Glance.  This patch is
Solaris-specific and not suitable for upstream.

Convert urlsafe_encrypt() and urlsafe_decrypt() to use M2Crypto instead
of PyCrypto.

--- glance-2013.1.4/glance.egg-info/requires.txt.orig   Thu Jan 16 22:08:47 2014
+++ glance-2013.1.4/glance.egg-info/requires.txt    Thu Jan 16 22:23:01 2014
@@ -11,7 +11,7 @@
 sqlalchemy-migrate>=0.7
 httplib2
 kombu
-pycrypto>=2.1.0alpha1
+M2Crypto>=0.21.1
 iso8601>=0.1.4
 oslo.config>=1.1.0
 python-swiftclient>=1.2,<2
--- glance-2013.1.4/glance/common/crypt.py.orig Thu Oct 17 11:22:18 2013
+++ glance-2013.1.4/glance/common/crypt.py  Thu Jan 16 22:42:41 2014
@@ -4,6 +4,8 @@
 # Copyright 2011 OpenStack LLC.
 # All Rights Reserved.
 #
+# Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+#
 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
 #    not use this file except in compliance with the License. You may obtain
 #    a copy of the License at
@@ -21,12 +23,27 @@
 """

 import base64
+import os

-from Crypto.Cipher import AES
-from Crypto import Random
-from Crypto.Random import random
+from M2Crypto.EVP import Cipher

+from glance.common import exception

+
+def _key_to_alg(key):
+    """Return a M2Crypto-compatible AES-CBC algorithm name given a key."""
+    aes_algs = {
+        128: 'aes_128_cbc',
+        192: 'aes_192_cbc',
+        256: 'aes_256_cbc'
+    }
+
+    keylen = 8 * len(key)
+    if keylen not in aes_algs:
+        msg = ('Invalid AES key length, %d bits') % keylen
+        raise exception.Invalid(msg)
+    return aes_algs[keylen]
+
 def urlsafe_encrypt(key, plaintext, blocksize=16):
     """
     Encrypts plaintext. Resulting ciphertext will contain URL-safe characters
@@ -36,20 +53,12 @@

     :returns : Resulting ciphertext
     """
-    def pad(text):
-        """
-        Pads text to be encrypted
-        """
-        pad_length = (blocksize - len(text) % blocksize)
-        sr = random.StrongRandom()
-        pad = ''.join(chr(sr.randint(1, 0xFF)) for i in range(pad_length - 1))
-        # We use chr(0) as a delimiter between text and padding
-        return text + chr(0) + pad

     # random initial 16 bytes for CBC
-    init_vector = Random.get_random_bytes(16)
-    cypher = AES.new(key, AES.MODE_CBC, init_vector)
-    padded = cypher.encrypt(pad(str(plaintext)))
+    init_vector = os.urandom(16)
+    cipher = Cipher(alg=_key_to_alg(key), key=key, iv=init_vector, op=1)
+    padded = cipher.update(str(plaintext))
+    padded = padded + cipher.final()
     return base64.urlsafe_b64encode(init_vector + padded)


@@ -63,6 +72,7 @@
     """
     # Cast from unicode
     ciphertext = base64.urlsafe_b64decode(str(ciphertext))
-    cypher = AES.new(key, AES.MODE_CBC, ciphertext[:16])
-    padded = cypher.decrypt(ciphertext[16:])
-    return padded[:padded.rfind(chr(0))]
+    cipher = Cipher(alg=_key_to_alg(key), key=key, iv=ciphertext[:16], op=0)
+    padded = cipher.update(ciphertext[16:])
+    padded = padded + cipher.final()
+    return padded
--- glance-2013.1.4/tools/pip-requires.orig Thu Oct 17 11:22:19 2013
+++ glance-2013.1.4/tools/pip-requires  Thu Jan 16 22:22:56 2014
@@ -15,7 +15,7 @@
 sqlalchemy-migrate>=0.7
 httplib2
 kombu
-pycrypto>=2.1.0alpha1
+M2Crypto>=0.21.1
 iso8601>=0.1.4
 oslo.config>=1.1.0