12 changed files with 374 additions and 7 deletions
--- a/.fmf/version
+++ b/.fmf/version
@ -0,0 +1 @@
+1
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,63 @@
-SOURCES/cryptography-41.0.7-vendor.tar.bz2
-SOURCES/cryptography-41.0.7.tar.gz
+/results_python-cryptography
+/*.src.rpm
+/cryptography-1.3.1.tar.gz
+/cryptography-1.5.3.tar.gz
+/cryptography-1.7.1.tar.gz
+/cryptography-1.7.2.tar.gz
+/cryptography-1.9.tar.gz
+/cryptography-2.0.2.tar.gz
+/cryptography-2.1.tar.gz
+/cryptography-2.1.3.tar.gz
+/cryptography-2.1.4.tar.gz
+/cryptography-2.2.1.tar.gz
+/cryptography-2.3.tar.gz
+/cryptography-2.5.tar.gz
+/cryptography-2.6.1.tar.gz
+/cryptography-2.7.tar.gz
+/cryptography-2.8.tar.gz
+/cryptography-2.9.tar.gz
+/cryptography-2.9.tar.gz.asc
+/cryptography-3.0.tar.gz
+/cryptography-3.0.tar.gz.asc
+/cryptography-3.1.tar.gz
+/cryptography-3.1.tar.gz.asc
+/cryptography-3.2.tar.gz
+/cryptography-3.2.tar.gz.asc
+/cryptography-3.2.1.tar.gz
+/cryptography-3.2.1.tar.gz.asc
+/cryptography-3.3.1.tar.gz
+/cryptography-3.3.1.tar.gz.asc
+/cryptography-3.4.tar.gz
+/cryptography-3.4.tar.gz.asc
+/cryptography-3.4.1.tar.gz
+/cryptography-3.4.1.tar.gz.asc
+/cryptography-3.4.2.tar.gz
+/cryptography-3.4.2.tar.gz.asc
+/cryptography-3.4.4.tar.gz
+/cryptography-3.4.4.tar.gz.asc
+/cryptography-3.4.5.tar.gz
+/cryptography-3.4.5.tar.gz.asc
+/cryptography-3.4.6.tar.gz
+/cryptography-3.4.6.tar.gz.asc
+/cryptography-3.4.7.tar.gz
+/cryptography-3.4.7-vendor.tar.bz2
+/cryptography-35.0.0.tar.gz
+/cryptography-35.0.0-vendor.tar.bz2
+/cryptography-36.0.0.tar.gz
+/cryptography-36.0.0-vendor.tar.bz2
+/cryptography-37.0.2.tar.gz
+/cryptography-37.0.2-vendor.tar.bz2
+/cryptography-39.0.2.tar.gz
+/cryptography-39.0.2-vendor.tar.bz2
+/cryptography-40.0.0.tar.gz
+/cryptography-40.0.0-vendor.tar.bz2
+/cryptography-40.0.1.tar.gz
+/cryptography-40.0.1-vendor.tar.bz2
+/cryptography-40.0.2.tar.gz
+/cryptography-40.0.2-vendor.tar.bz2
+/cryptography-41.0.3.tar.gz
+/cryptography-41.0.3-vendor.tar.bz2
+/cryptography-41.0.5-vendor.tar.bz2
+/cryptography-41.0.5.tar.gz
+/cryptography-41.0.7.tar.gz
+/cryptography-41.0.7-vendor.tar.bz2
--- a/.python3.12-cryptography.metadata
+++ b/.python3.12-cryptography.metadata
@ -1,2 +0,0 @@
-94ad9fc97d92aae28d40392189655dbf932a1803 SOURCES/cryptography-41.0.7-vendor.tar.bz2
-fd245c3045ca9b3861f794d1a54cf97e629c19bf SOURCES/cryptography-41.0.7.tar.gz
--- a/CVE-2024-26130.patch
+++ b/CVE-2024-26130.patch
@ -0,0 +1,60 @@
+From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Mon, 19 Feb 2024 11:50:28 -0500
+Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't
+ match (#10423)
+
+---
+ .../hazmat/backends/openssl/backend.py         |  9 +++++++++
+ tests/hazmat/primitives/test_pkcs12.py         | 18 ++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index 45888f36168a..6a4aeca7521f 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -623,6 +623,15 @@ def serialize_key_and_certificates_to_pkcs12(
+                     mac_iter,
+                     0,
+                 )
+                if p12 == self._ffi.NULL:
+                    errors = self._consume_errors()
+                    raise ValueError(
+                        (
+                            "Failed to create PKCS12 (does the key match the "
+                            "certificate?)"
+                        ),
+                        errors,
+                    )
+ 
+             if (
+                 self._lib.Cryptography_HAS_PKCS12_SET_MAC
+diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py
+index f49c98a4ed3d..cb998c4a4bc0 100644
+--- a/tests/hazmat/primitives/test_pkcs12.py
+++ b/tests/hazmat/primitives/test_pkcs12.py
+@@ -660,6 +660,24 @@ def test_key_serialization_encryption_set_mac_unsupported(
+                 b"name", cakey, cacert, [], algorithm
+             )
+ 
+    @pytest.mark.supported(
+        only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC,
+        skip_message="Requires OpenSSL with PKCS12_set_mac",
+    )
+    def test_set_mac_key_certificate_mismatch(self, backend):
+        cacert, _ = _load_ca(backend)
+        key = ec.generate_private_key(ec.SECP256R1())
+        encryption = (
+            serialization.PrivateFormat.PKCS12.encryption_builder()
+            .hmac_hash(hashes.SHA256())
+            .build(b"password")
+        )
+
+        with pytest.raises(ValueError):
+            serialize_key_and_certificates(
+                b"name", key, cacert, [], encryption
+            )
+
+ 
+ @pytest.mark.skip_fips(
+     reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it."
--- a/CVE-2025-24898.patch
+++ b/CVE-2025-24898.patch
@ -0,0 +1,52 @@
+From eda4f38d30c9e8bdfee282d75fc7350d50ba78f3 Mon Sep 17 00:00:00 2001
+From: Charalampos Stratakis <cstratak@redhat.com>
+Date: Thu, 6 Feb 2025 00:16:30 +0100
+Subject: [PATCH 1/2] Use our patched copy of the openssl crate
+
+---
+ src/rust/Cargo.toml | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
+index 01fba14..a352548 100644
+--- a/src/rust/Cargo.toml
+++ b/src/rust/Cargo.toml
+@@ -20,6 +20,9 @@ openssl = "0.10.54"
+ openssl-sys = "0.9.88"
+ foreign-types-shared = "0.1"
+ 
+[patch.crates-io]
+openssl = { path= "../../vendor/openssl" }
+
+ [build-dependencies]
+ cc = "1.0.72"
+ 
+-- 
+2.48.1
+
+
+From a99434f68209631e9363ffa4dd32dacbfa376221 Mon Sep 17 00:00:00 2001
+From: Steven Fackler <sfackler@gmail.com>
+Date: Sun, 2 Feb 2025 12:19:46 -0500
+Subject: [PATCH 2/2] Fix lifetimes in ssl::select_next_proto
+
+---
+ vendor/openssl/src/ssl/mod.rs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/vendor/openssl/src/ssl/mod.rs b/vendor/openssl/src/ssl/mod.rs
+index fb38bb3..6aa6705 100644
+--- a/vendor/openssl/src/ssl/mod.rs
+++ b/vendor/openssl/src/ssl/mod.rs
+@@ -696,7 +696,7 @@ cfg_if! {
+ ///
+ /// [`SslContextBuilder::set_alpn_protos`]: struct.SslContextBuilder.html#method.set_alpn_protos
+ #[corresponds(SSL_select_next_proto)]
+-pub fn select_next_proto<'a>(server: &[u8], client: &'a [u8]) -> Option<&'a [u8]> {
+pub fn select_next_proto<'a>(server: &'a [u8], client: &'a [u8]) -> Option<&'a [u8]> {
+     unsafe {
+         let mut out = ptr::null_mut();
+         let mut outlen = 0;
+-- 
+2.48.1
+
--- a/SOURCES/conftest-skipper.py
+++ b/SOURCES/conftest-skipper.py
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,7 @@
+--- !Policy
+
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
--- a/plan.fmf
+++ b/plan.fmf
@ -0,0 +1,52 @@
+execute:
+  how: tmt
+discover:
+  how: shell
+  dist-git-source: true
+  dist-git-install-builddeps: true
+  tests:
+  - name: bundled tests - Prepare part
+    require:
+    - python3.12-pytest
+    - python3.12-cryptography
+    - python3.12-pip
+    test: |
+      cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
+      rm -rf tests/hypothesis/ tests/test_fernet.py \
+        tests/hazmat/primitives/test_scrypt.py &&
+      cat $TMT_TREE/conftest-skipper.py  >> tests/conftest.py &&
+      sed -i -e 's/ --benchmark-disable//' pyproject.toml &&
+      pip3.12 install pytz==2022.7.1 pytest-subtests==0.11.0
+  - name: unittests-basic
+    test: |
+      cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
+      PYTHONPATH=./vectors pytest-3.12 tests/test_*.py
+  - name: unittests-x509
+    test: |
+      cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
+      PYTHONPATH=./vectors OPENSSL_ENABLE_SHA1_SIGNATURES=yes pytest-3.12 tests/x509/
+  - name: unittests-hazmat
+    test: |
+      cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
+      PYTHONPATH=./vectors pytest-3.12 -k 'not test_openssl_memleak' tests/hazmat/backends/ tests/hazmat/bindings/
+  - name: unittests-primitives-aead
+    test: |
+      cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
+      PYTHONPATH=./vectors pytest-3.12 tests/hazmat/primitives/test_aead.py
+  - name: unittests-primitives-aes
+    test: |
+      cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
+      PYTHONPATH=./vectors pytest-3.12 tests/hazmat/primitives/test_aes.py::TestAESModeCBC \
+            tests/hazmat/primitives/test_aes.py::TestAESModeCTR \
+            tests/hazmat/primitives/test_aes_gcm.py::TestAESModeGCM
+  - name: unittests-primitives-a-e
+    test: |
+      cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
+      PYTHONPATH=./vectors pytest-3.12 tests/hazmat/primitives/test_arc4.py \
+            tests/hazmat/primitives/test_asym_utils.py \
+            tests/hazmat/primitives/test_[b-e]*.py
+  - name: unittests-primitives-f-z
+    test: |
+      cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
+      PYTHONPATH=./vectors OPENSSL_ENABLE_SHA1_SIGNATURES=yes pytest-3.12 tests/hazmat/primitives/test_[f-z]*.py \
+            tests/hazmat/primitives/twofactor
--- a/SPECS/python3.12-cryptography.spec
+++ b/SPECS/python3.12-cryptography.spec
@ -8,7 +8,7 @@

 Name:           python%{python3_pkgversion}-%{srcname}
 Version:        41.0.7
-Release:        1%{?dist}
+Release:        3%{?dist}
 Summary:        PyCA's cryptography library

 # We bundle various crates with cryptography which is dual licensed
@ -83,6 +83,16 @@ Source2:        conftest-skipper.py
 # https://github.com/pyca/cryptography/commit/3165db8efc82d8e379c4931453f6c776ab8db013
 Patch1:         raise-an-exception-for-CVE-2023-49083.patch

+# Security fix for CVE-2025-24898 in the bundled openssl crate
+# Resolved upsteam:
+# https://github.com/sfackler/rust-openssl/commit/f014afb230de4d77bc79dea60e7e58c2f47b60f2
+Patch2:         CVE-2025-24898.patch
+
+# Security fix for CVE-2024-26130
+# Resolved upstream:
+# https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
+Patch3:         CVE-2024-26130.patch
+
 ExclusiveArch:  %{rust_arches}

 BuildRequires:  openssl-devel
@ -177,13 +187,16 @@ cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.

 %prep
-%autosetup -p1 -n %{srcname}-%{version}
 %if 0%{?fedora}
+%autosetup -p1 -n %{srcname}-%{version}
 %cargo_prep
 rm src/rust/Cargo.lock
 %else
 # RHEL: use vendored Rust crates
-%cargo_prep -V 1
+# We unpack the vendored crates to
+# be able to patch them
+%autosetup -p1 -n %{srcname}-%{version} -a1
+%cargo_prep -v vendor
 %endif

 %if 0%{?fedora}
@ -199,6 +212,7 @@ sed -i 's,--no-subtests-shortletter,,' pyproject.toml

 %build
 export OPENSSL_NO_VENDOR=1
+export RUSTFLAGS="%build_rustflags"
 %py3_build

 %install
@ -238,6 +252,14 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
 %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info

 %changelog
+* Fri Sep 05 2025 Lumir Balhar <lbalhar@redhat.com> - 41.0.7-3
+- Security fix for CVE-2024-26130
+Resolves: RHEL-112485
+
+* Wed Feb 05 2025 Charalampos Stratakis <cstratak@redhat.com> - 41.0.7-2
+- Security fix for CVE-2025-24898 in the bundled openssl crate
+Resolves: RHEL-77735
+
 * Tue Feb 06 2024 Miro Hrončok <mhroncok@redhat.com> - 41.0.7-1
 - Update to 41.0.7, fixes CVE-2023-49083

--- a/SOURCES/raise-an-exception-for-CVE-2023-49083.patch
+++ b/SOURCES/raise-an-exception-for-CVE-2023-49083.patch
--- a/2
+++ b/2
@ -0,0 +1,2 @@
+SHA512 (cryptography-41.0.7.tar.gz) = 9a870d45296de6af1331e73b102226b8269892216cd7bc0adfb2f63ce1ca7021d338effd09182128253d8d8df154bbd19d46c47f10ddac86e739fcbf6df78307
+SHA512 (cryptography-41.0.7-vendor.tar.bz2) = dbf750a1ada4a9330939e3dae8311007a9e25808eb64c124c99981187d1bc04baba3a7d3b838c0cd9491e8350c382fb0f789a11abb21c633f2d78e8aba819b9e
--- a/vendor_rust.py
+++ b/vendor_rust.py
@ -0,0 +1,112 @@
+#!/usr/bin/python3
+"""Vendor PyCA cryptography's Rust crates
+"""
+import argparse
+import os
+import re
+import tarfile
+import tempfile
+import shutil
+import subprocess
+import sys
+
+VENDOR_DIR = "vendor"
+CARGO_TOML = "src/rust/Cargo.toml"
+RE_VERSION = re.compile("Version:\s*(.*)")
+
+parser = argparse.ArgumentParser(description="Vendor Rust packages")
+parser.add_argument(
+    "--spec", default="python-cryptography.spec", help="cryptography source tar bundle"
+)
+
+
+def cargo(cmd, manifest):
+    args = ["cargo", cmd, f"--manifest-path={manifest}"]
+    return subprocess.check_call(
+        args, stdout=subprocess.DEVNULL, stderr=sys.stderr, env={}
+    )
+
+
+def tar_reset(tarinfo):
+    """Reset user, group, mtime, and mode to create reproducible tar"""
+    tarinfo.uid = 0
+    tarinfo.gid = 0
+    tarinfo.uname = "root"
+    tarinfo.gname = "root"
+    tarinfo.mtime = 0
+    if tarinfo.type == tarfile.DIRTYPE:
+        tarinfo.mode = 0o755
+    else:
+        tarinfo.mode = 0o644
+    if tarinfo.pax_headers:
+        raise ValueError(tarinfo.name, tarinfo.pax_headers)
+    return tarinfo
+
+
+def tar_reproducible(tar, basedir):
+    """Create reproducible tar file"""
+
+    content = [basedir]
+    for root, dirs, files in os.walk(basedir):
+        for directory in dirs:
+            content.append(os.path.join(root, directory))
+        for filename in files:
+            content.append(os.path.join(root, filename))
+    content.sort()
+
+    for fn in content:
+        tar.add(fn, filter=tar_reset, recursive=False, arcname=fn)
+
+
+def main():
+    args = parser.parse_args()
+    spec = args.spec
+
+    # change cwd to work in bundle directory
+    here = os.path.dirname(os.path.abspath(spec))
+    os.chdir(here)
+
+    # extract version number from bundle name
+    with open(spec) as f:
+        for line in f:
+            mo = RE_VERSION.search(line)
+            if mo is not None:
+                version = mo.group(1)
+                break
+        else:
+            raise ValueError(f"Cannot find version in {spec}")
+
+    bundle_file = f"cryptography-{version}.tar.gz"
+    vendor_file = f"cryptography-{version}-vendor.tar.bz2"
+
+    # remove existing vendor directory and file
+    if os.path.isdir(VENDOR_DIR):
+        shutil.rmtree(VENDOR_DIR)
+    try:
+        os.unlink(vendor_file)
+    except FileNotFoundError:
+        pass
+
+    print(f"Getting crates for {bundle_file}", file=sys.stderr)
+
+    # extract tar file in tempdir
+    # fetch and vendor Rust crates
+    with tempfile.TemporaryDirectory(dir=here) as tmp:
+        with tarfile.open(bundle_file) as tar:
+            tar.extractall(path=tmp)
+        manifest = os.path.join(tmp, f"cryptography-{version}", CARGO_TOML)
+        cargo("fetch", manifest)
+        cargo("vendor", manifest)
+
+    print("\nCreating tar ball...", file=sys.stderr)
+    with tarfile.open(vendor_file, "x:bz2") as tar:
+        tar_reproducible(tar, VENDOR_DIR)
+
+    # remove vendor dir
+    shutil.rmtree(VENDOR_DIR)
+
+    parser.exit(0, f"Created {vendor_file}\n")
+
+
+if __name__ == "__main__":
+    main()