python3-cryptography: Backport fix for CVE-2024-26130

Upstream-Status: Backport from https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55 (From OE-Core rev: 7864c4605cde4851df644dd1d2867bd28d155710) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2024-03-19 18:02:09 +0530
committer: Steve Sakoman <steve@sakoman.com> 2024-03-25 04:11:25 -1000
commit: 6269fbcd4fa38b2e81f695cf84d8ae2b19afad58 (patch)
tree: 7cbc22feb4729d7c65821cb44b2c4c1ea1698f85
parent: 9fce626d584260fd9a86e11e3fe367e93645cf5b (diff)
download: poky-6269fbcd4fa38b2e81f695cf84d8ae2b19afad58.tar.gz
2 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch b/meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch
new file mode 100644
index 0000000000..ff113e8cc7
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch
@@ -0,0 +1,66 @@
+From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Mon, 19 Feb 2024 11:50:28 -0500
+Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't
+ match (#10423)
+Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55]
+CVE: CVE-2024-26130
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ .../hazmat/backends/openssl/backend.py         |  9 +++++++++
+ tests/hazmat/primitives/test_pkcs12.py         | 18 ++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index c43fea0..d687931 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2131,6 +2131,15 @@ class Backend(BackendInterface):
+                     mac_iter,
+                     0,
+                 )
+                if p12 == self._ffi.NULL:
+                    errors = self._consume_errors()
+                    raise ValueError(
+                        (
+                            "Failed to create PKCS12 (does the key match the "
+                            "certificate?)"
+                        ),
+                        errors,
+                    )
+ 
+         self.openssl_assert(p12 != self._ffi.NULL)
+         p12 = self._ffi.gc(p12, self._lib.PKCS12_free)
+diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py
+index c5cfbc0..8af4c93 100644
+--- a/tests/hazmat/primitives/test_pkcs12.py
+++ b/tests/hazmat/primitives/test_pkcs12.py
+@@ -25,6 +25,24 @@ from ...doubles import DummyKeySerializationEncryption
+ from ...utils import load_vectors_from_file
+ 
+ 
+   @pytest.mark.supported(
+       only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC,
+       skip_message="Requires OpenSSL with PKCS12_set_mac",
+   )
+   def test_set_mac_key_certificate_mismatch(self, backend):
+       cacert, _ = _load_ca(backend)
+       key = ec.generate_private_key(ec.SECP256R1())
+       encryption = (
+           serialization.PrivateFormat.PKCS12.encryption_builder()
+           .hmac_hash(hashes.SHA256())
+           .build(b"password")
+       )
+
+       with pytest.raises(ValueError):
+           serialize_key_and_certificates(
+               b"name", key, cacert, [], encryption
+           )
+
+ @pytest.mark.skip_fips(
+     reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it."
+ )
+-- 
+2.35.7
diff --git a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
index c429c75e1b..83381f225c 100644
--- a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
+++ b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
@@ -19,6 +19,7 @@ SRC_URI += " \
    file://fix-leak-metric.patch \
    file://CVE-2023-23931.patch \
    file://CVE-2023-49083.patch \
+    file://CVE-2024-26130.patch \
 "
 inherit pypi python_setuptools3_rust
author	Vijay Anusuri <vanusuri@mvista.com>	2024-03-19 18:02:09 +0530
committer	Steve Sakoman <steve@sakoman.com>	2024-03-25 04:11:25 -1000
commit	6269fbcd4fa38b2e81f695cf84d8ae2b19afad58 (patch)
tree	7cbc22feb4729d7c65821cb44b2c4c1ea1698f85
parent	9fce626d584260fd9a86e11e3fe367e93645cf5b (diff)
download	poky-6269fbcd4fa38b2e81f695cf84d8ae2b19afad58.tar.gz

diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch b/meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch new file mode 100644 index 0000000000..ff113e8cc7 --- /dev/null +++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch
@@ -0,0 +1,66 @@
		1	From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001
		2	From: Alex Gaynor <alex.gaynor@gmail.com>
		3	Date: Mon, 19 Feb 2024 11:50:28 -0500
		4	Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't
		5	match (#10423)
		6
		7	Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55]
		8	CVE: CVE-2024-26130
		9	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		10	---
		11	.../hazmat/backends/openssl/backend.py \| 9 +++++++++
		12	tests/hazmat/primitives/test_pkcs12.py \| 18 ++++++++++++++++++
		13	2 files changed, 27 insertions(+)
		14
		15	diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
		16	index c43fea0..d687931 100644
		17	--- a/src/cryptography/hazmat/backends/openssl/backend.py
		18	+++ b/src/cryptography/hazmat/backends/openssl/backend.py
		19	@@ -2131,6 +2131,15 @@ class Backend(BackendInterface):
		20	mac_iter,
		21	0,
		22	)
		23	+ if p12 == self._ffi.NULL:
		24	+ errors = self._consume_errors()
		25	+ raise ValueError(
		26	+ (
		27	+ "Failed to create PKCS12 (does the key match the "
		28	+ "certificate?)"
		29	+ ),
		30	+ errors,
		31	+ )
		32
		33	self.openssl_assert(p12 != self._ffi.NULL)
		34	p12 = self._ffi.gc(p12, self._lib.PKCS12_free)
		35	diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py
		36	index c5cfbc0..8af4c93 100644
		37	--- a/tests/hazmat/primitives/test_pkcs12.py
		38	+++ b/tests/hazmat/primitives/test_pkcs12.py
		39	@@ -25,6 +25,24 @@ from ...doubles import DummyKeySerializationEncryption
		40	from ...utils import load_vectors_from_file
		41
		42
		43	+ @pytest.mark.supported(
		44	+ only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC,
		45	+ skip_message="Requires OpenSSL with PKCS12_set_mac",
		46	+ )
		47	+ def test_set_mac_key_certificate_mismatch(self, backend):
		48	+ cacert, _ = _load_ca(backend)
		49	+ key = ec.generate_private_key(ec.SECP256R1())
		50	+ encryption = (
		51	+ serialization.PrivateFormat.PKCS12.encryption_builder()
		52	+ .hmac_hash(hashes.SHA256())
		53	+ .build(b"password")
		54	+ )
		55	+
		56	+ with pytest.raises(ValueError):
		57	+ serialize_key_and_certificates(
		58	+ b"name", key, cacert, [], encryption
		59	+ )
		60	+
		61	@pytest.mark.skip_fips(
		62	reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it."
		63	)
		64	--
		65	2.35.7
		66


diff --git a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb index c429c75e1b..83381f225c 100644 --- a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb +++ b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
@@ -19,6 +19,7 @@ SRC_URI += " \
19	file://fix-leak-metric.patch \	19	file://fix-leak-metric.patch \
20	file://CVE-2023-23931.patch \	20	file://CVE-2023-23931.patch \
21	file://CVE-2023-49083.patch \	21	file://CVE-2023-49083.patch \
		22	file://CVE-2024-26130.patch \
22	"	23	"
23		24
24	inherit pypi python_setuptools3_rust	25	inherit pypi python_setuptools3_rust