-
Notifications
You must be signed in to change notification settings - Fork 115
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Possible bug introduced in 4.7 #173
Comments
@alvaroabascar Thanks for raising this. I've got a similar issue - we're using Luigi and communicating with GCS, however, I've got a full stack trace:
Reverting to Looking at the diff (version-4.6...version-4.7) I can see that the |
This looks like a problem the initalisation of
This was tested with Python-RSA 4.7 and Google-Auth 1.24.0. I want to get this fixed, but to do that in a non-hackish way, I need to be able to reproduce the issue myself first. |
Hi @sybrenstuvel - I had a look at that
|
@alvaroabascar Could you confirm if DVC is using threads or subprocesses in the call that you originally reported failing? That might help confirm / deny my guess number 2 above 🙏🏻 |
Hi @jamescooke, we always see this error when we make a call (in our case to big query with google-cloud-bigquery) inside a Thread, so I think number 2 is the right guess. |
Excellent, that explains why I couldn't reproduce it with a single thread. Still, I don't see how multithreading could cause this exact error, as the |
hmmm even with this code I cannot reproduce the problem:
I still wouldn't mind having a way to reproduce the problem myself. |
@sybrenstuvel I agree it would be great to reproduce locally and simply.
Happy to try! 😊 👍🏻 |
I have reason to believe the issue might be with multithreading and using multiple keys. |
Yes I also faced this issue in bigquery when doing a multithread call. |
Computing the blinding factor and its inverse was done in a thread-unsafe manner. Locking the computation & update of the blinding factors, and passing these around in frame- and stack-bound data, solves this.
Computing the blinding factor and its inverse was done in a thread-unsafe manner. Locking the computation & update of the blinding factors, and passing these around in frame- and stack-bound data, solves this.
Computing the blinding factor and its inverse was done in a thread-unsafe manner. Locking the computation & update of the blinding factors, and passing these around in frame- and stack-bound data, solves this.
The code below seems to reproduce the issue. It at least shows a threading-related issue, so let's hope it's the same one :) @jamescooke (or anyone else in a position to test) could you try this version of the library, to see if it fixes things for you? rsa-4.7.1.dev0-source-and-wheel.zip
|
@sybrenstuvel This looks good. I've run the code above and had it fail with Python 3.8.6 and I'll be able to test the wheel on the work project where I found the bug on Tuesday and will ping back here. |
@sybrenstuvel Good news is that I got to test this earlier than I thought, bad news is that I've got a new error 😞
|
This really must be related to how the key objects are created. This wouldn't happen if they'd just use the regular Can you help me figure out how to reproduce this on my machine? |
Computing the blinding factor and its inverse was done in a thread-unsafe manner. Locking the computation & update of the blinding factors, and passing these around in frame- and stack-bound data, solves this. This fixes part of the issues reported in #173, but there is more going on in that particular report.
I have released the threading fix as version 4.7.1. All that's now left of this issue is the Google Cloud Service weirdness. |
@sybrenstuvel Thanks for pushing the threading fix so quickly 🙌🏻
I had a look at the Google GCS code when this bug first came up, but nothing jumped out at me as strange about the init calls. However, there could be some monkey patching or tweaks happening elsewhere in the code base. The only way I know how to reproduce this easily is with Luigi and a GCS account - let me know if you want me to put together a small example of that, maybe as a gist? |
Thanks @busunkim96 for providing the answer to this riddle. It turns out the pickling/unpickling functions didn't take the new properties ( |
Thanks for doing a release quickly @sybrenstuvel - can confirm it's working with 🙌🏻 |
- Update from 4.0 to 4.8 - Update of rootfile - Changelog - Switch to [Poetry](https://python-poetry.org/) for dependency and release management. - Compatibility with Python 3.10. - Chain exceptions using `raise new_exception from old_exception` ([#157](sybrenstuvel/python-rsa#157)) - Added marker file for PEP 561. This will allow type checking tools in dependent projects to use type annotations from Python-RSA ([#136](sybrenstuvel/python-rsa#136)). - Use the Chinese Remainder Theorem when decrypting with a private key. This makes decryption 2-4x faster ([#163](sybrenstuvel/python-rsa#163)). - Fix picking/unpickling issue introduced in 4.7 ([#173](sybrenstuvel/python-rsa#173)) - Fix threading issue introduced in 4.7 ([#173](sybrenstuvel/python-rsa#173)) - Fix [#165](sybrenstuvel/python-rsa#165): CVE-2020-25658 - Bleichenbacher-style timing oracle in PKCS#1 v1.5 decryption code - Add padding length check as described by PKCS#1 v1.5 (Fixes [#164](sybrenstuvel/python-rsa#164)) - Reuse of blinding factors to speed up blinding operations. Fixes [#162](sybrenstuvel/python-rsa#162). - Declare & test support for Python 3.9 Version 4.4 and 4.6 are almost a re-tagged release of version 4.2. It requires Python 3.5+. To avoid older Python installations from trying to upgrade to RSA 4.4, this is now made explicit in the `python_requires` argument in `setup.py`. There was a mistake releasing 4.4 as "3.5+ only", which made it necessary to retag 4.4 as 4.6 as well. No functional changes compared to version 4.2. Version 4.3 and 4.5 are almost a re-tagged release of version 4.0. It is the last to support Python 2.7. This is now made explicit in the `python_requires` argument in `setup.py`. Python 3.4 is not supported by this release. There was a mistake releasing 4.4 as "3.5+ only", which made it necessary to retag 4.3 as 4.5 as well. Two security fixes have also been backported, so 4.3 = 4.0 + these two fixes. - Choose blinding factor relatively prime to N. Thanks Christian Heimes for pointing this out. - Reject cyphertexts (when decrypting) and signatures (when verifying) that have been modified by prepending zero bytes. This resolves CVE-2020-13757. Thanks Carnil for pointing this out. - Rolled back the switch to Poetry, and reverted back to using Pipenv + setup.py for dependency management. There apparently is an issue no-binary installs of packages build with Poetry. This fixes [#148](sybrenstuvel/python-rsa#148) - Limited SHA3 support to those Python versions (3.6+) that support it natively. The third-party library that adds support for this to Python 3.5 is a binary package, and thus breaks the pure-Python nature of Python-RSA. This should fix [#147](sybrenstuvel/python-rsa#147). - Added support for Python 3.8. - Dropped support for Python 2 and 3.4. - Added type annotations to the source code. This will make Python-RSA easier to use in your IDE, and allows better type checking. - Added static type checking via [MyPy](http://mypy-lang.org/). - Fix [#129](sybrenstuvel/python-rsa#129) Installing from source gives UnicodeDecodeError. - Switched to using [Poetry](https://poetry.eustace.io/) for package management. - Added support for SHA3 hashing: SHA3-256, SHA3-384, SHA3-512. This is natively supported by Python 3.6+ and supported via a third-party library on Python 3.5. - Choose blinding factor relatively prime to N. Thanks Christian Heimes for pointing this out. - Reject cyphertexts (when decrypting) and signatures (when verifying) that have been modified by prepending zero bytes. This resolves CVE-2020-13757. Thanks Adelapie for pointing this out. Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Hi! I am a a dvc user. This library connects to Google Cloud Storage, and it can use a google service key to authenticate. When authenticating in this way, the
google-auth
library fails with{"error":"invalid_grant","error_description":"Invalid JWT Signature."}
. This happens withrsa==4.7
but not with withrsa==4.6
. After some research, we found that restoring the4.6
version of thersa/key.py
file solves the problem.The text was updated successfully, but these errors were encountered: