Compare commits
No commits in common. "c9-beta" and "c8-beta" have entirely different histories.
@ -1,60 +0,0 @@
|
|||||||
From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alex Gaynor <alex.gaynor@gmail.com>
|
|
||||||
Date: Mon, 19 Feb 2024 11:50:28 -0500
|
|
||||||
Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't
|
|
||||||
match (#10423)
|
|
||||||
|
|
||||||
---
|
|
||||||
.../hazmat/backends/openssl/backend.py | 9 +++++++++
|
|
||||||
tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++
|
|
||||||
2 files changed, 27 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
|
|
||||||
index 45888f36168a..6a4aeca7521f 100644
|
|
||||||
--- a/src/cryptography/hazmat/backends/openssl/backend.py
|
|
||||||
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
|
|
||||||
@@ -623,6 +623,15 @@ def serialize_key_and_certificates_to_pkcs12(
|
|
||||||
mac_iter,
|
|
||||||
0,
|
|
||||||
)
|
|
||||||
+ if p12 == self._ffi.NULL:
|
|
||||||
+ errors = self._consume_errors()
|
|
||||||
+ raise ValueError(
|
|
||||||
+ (
|
|
||||||
+ "Failed to create PKCS12 (does the key match the "
|
|
||||||
+ "certificate?)"
|
|
||||||
+ ),
|
|
||||||
+ errors,
|
|
||||||
+ )
|
|
||||||
|
|
||||||
if (
|
|
||||||
self._lib.Cryptography_HAS_PKCS12_SET_MAC
|
|
||||||
diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py
|
|
||||||
index f49c98a4ed3d..cb998c4a4bc0 100644
|
|
||||||
--- a/tests/hazmat/primitives/test_pkcs12.py
|
|
||||||
+++ b/tests/hazmat/primitives/test_pkcs12.py
|
|
||||||
@@ -660,6 +660,24 @@ def test_key_serialization_encryption_set_mac_unsupported(
|
|
||||||
b"name", cakey, cacert, [], algorithm
|
|
||||||
)
|
|
||||||
|
|
||||||
+ @pytest.mark.supported(
|
|
||||||
+ only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC,
|
|
||||||
+ skip_message="Requires OpenSSL with PKCS12_set_mac",
|
|
||||||
+ )
|
|
||||||
+ def test_set_mac_key_certificate_mismatch(self, backend):
|
|
||||||
+ cacert, _ = _load_ca(backend)
|
|
||||||
+ key = ec.generate_private_key(ec.SECP256R1())
|
|
||||||
+ encryption = (
|
|
||||||
+ serialization.PrivateFormat.PKCS12.encryption_builder()
|
|
||||||
+ .hmac_hash(hashes.SHA256())
|
|
||||||
+ .build(b"password")
|
|
||||||
+ )
|
|
||||||
+
|
|
||||||
+ with pytest.raises(ValueError):
|
|
||||||
+ serialize_key_and_certificates(
|
|
||||||
+ b"name", key, cacert, [], encryption
|
|
||||||
+ )
|
|
||||||
+
|
|
||||||
|
|
||||||
@pytest.mark.skip_fips(
|
|
||||||
reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it."
|
|
@ -1,52 +0,0 @@
|
|||||||
From eda4f38d30c9e8bdfee282d75fc7350d50ba78f3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Charalampos Stratakis <cstratak@redhat.com>
|
|
||||||
Date: Thu, 6 Feb 2025 00:16:30 +0100
|
|
||||||
Subject: [PATCH 1/2] Use our patched copy of the openssl crate
|
|
||||||
|
|
||||||
---
|
|
||||||
src/rust/Cargo.toml | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
|
|
||||||
index 01fba14..a352548 100644
|
|
||||||
--- a/src/rust/Cargo.toml
|
|
||||||
+++ b/src/rust/Cargo.toml
|
|
||||||
@@ -20,6 +20,9 @@ openssl = "0.10.54"
|
|
||||||
openssl-sys = "0.9.88"
|
|
||||||
foreign-types-shared = "0.1"
|
|
||||||
|
|
||||||
+[patch.crates-io]
|
|
||||||
+openssl = { path= "../../vendor/openssl" }
|
|
||||||
+
|
|
||||||
[build-dependencies]
|
|
||||||
cc = "1.0.72"
|
|
||||||
|
|
||||||
--
|
|
||||||
2.48.1
|
|
||||||
|
|
||||||
|
|
||||||
From a99434f68209631e9363ffa4dd32dacbfa376221 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Steven Fackler <sfackler@gmail.com>
|
|
||||||
Date: Sun, 2 Feb 2025 12:19:46 -0500
|
|
||||||
Subject: [PATCH 2/2] Fix lifetimes in ssl::select_next_proto
|
|
||||||
|
|
||||||
---
|
|
||||||
vendor/openssl/src/ssl/mod.rs | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/vendor/openssl/src/ssl/mod.rs b/vendor/openssl/src/ssl/mod.rs
|
|
||||||
index fb38bb3..6aa6705 100644
|
|
||||||
--- a/vendor/openssl/src/ssl/mod.rs
|
|
||||||
+++ b/vendor/openssl/src/ssl/mod.rs
|
|
||||||
@@ -696,7 +696,7 @@ cfg_if! {
|
|
||||||
///
|
|
||||||
/// [`SslContextBuilder::set_alpn_protos`]: struct.SslContextBuilder.html#method.set_alpn_protos
|
|
||||||
#[corresponds(SSL_select_next_proto)]
|
|
||||||
-pub fn select_next_proto<'a>(server: &[u8], client: &'a [u8]) -> Option<&'a [u8]> {
|
|
||||||
+pub fn select_next_proto<'a>(server: &'a [u8], client: &'a [u8]) -> Option<&'a [u8]> {
|
|
||||||
unsafe {
|
|
||||||
let mut out = ptr::null_mut();
|
|
||||||
let mut outlen = 0;
|
|
||||||
--
|
|
||||||
2.48.1
|
|
||||||
|
|
@ -8,7 +8,7 @@
|
|||||||
|
|
||||||
Name: python%{python3_pkgversion}-%{srcname}
|
Name: python%{python3_pkgversion}-%{srcname}
|
||||||
Version: 41.0.7
|
Version: 41.0.7
|
||||||
Release: 3%{?dist}
|
Release: 1%{?dist}
|
||||||
Summary: PyCA's cryptography library
|
Summary: PyCA's cryptography library
|
||||||
|
|
||||||
# We bundle various crates with cryptography which is dual licensed
|
# We bundle various crates with cryptography which is dual licensed
|
||||||
@ -83,16 +83,6 @@ Source2: conftest-skipper.py
|
|||||||
# https://github.com/pyca/cryptography/commit/3165db8efc82d8e379c4931453f6c776ab8db013
|
# https://github.com/pyca/cryptography/commit/3165db8efc82d8e379c4931453f6c776ab8db013
|
||||||
Patch1: raise-an-exception-for-CVE-2023-49083.patch
|
Patch1: raise-an-exception-for-CVE-2023-49083.patch
|
||||||
|
|
||||||
# Security fix for CVE-2025-24898 in the bundled openssl crate
|
|
||||||
# Resolved upsteam:
|
|
||||||
# https://github.com/sfackler/rust-openssl/commit/f014afb230de4d77bc79dea60e7e58c2f47b60f2
|
|
||||||
Patch2: CVE-2025-24898.patch
|
|
||||||
|
|
||||||
# Security fix for CVE-2024-26130
|
|
||||||
# Resolved upstream:
|
|
||||||
# https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
|
|
||||||
Patch3: CVE-2024-26130.patch
|
|
||||||
|
|
||||||
ExclusiveArch: %{rust_arches}
|
ExclusiveArch: %{rust_arches}
|
||||||
|
|
||||||
BuildRequires: openssl-devel
|
BuildRequires: openssl-devel
|
||||||
@ -187,16 +177,13 @@ cryptography is a package designed to expose cryptographic primitives and
|
|||||||
recipes to Python developers.
|
recipes to Python developers.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%if 0%{?fedora}
|
|
||||||
%autosetup -p1 -n %{srcname}-%{version}
|
%autosetup -p1 -n %{srcname}-%{version}
|
||||||
|
%if 0%{?fedora}
|
||||||
%cargo_prep
|
%cargo_prep
|
||||||
rm src/rust/Cargo.lock
|
rm src/rust/Cargo.lock
|
||||||
%else
|
%else
|
||||||
# RHEL: use vendored Rust crates
|
# RHEL: use vendored Rust crates
|
||||||
# We unpack the vendored crates to
|
%cargo_prep -V 1
|
||||||
# be able to patch them
|
|
||||||
%autosetup -p1 -n %{srcname}-%{version} -a1
|
|
||||||
%cargo_prep -v vendor
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if 0%{?fedora}
|
%if 0%{?fedora}
|
||||||
@ -212,7 +199,6 @@ sed -i 's,--no-subtests-shortletter,,' pyproject.toml
|
|||||||
|
|
||||||
%build
|
%build
|
||||||
export OPENSSL_NO_VENDOR=1
|
export OPENSSL_NO_VENDOR=1
|
||||||
export RUSTFLAGS="%build_rustflags"
|
|
||||||
%py3_build
|
%py3_build
|
||||||
|
|
||||||
%install
|
%install
|
||||||
@ -252,14 +238,6 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
|
|||||||
%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
|
%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Fri Sep 05 2025 Lumir Balhar <lbalhar@redhat.com> - 41.0.7-3
|
|
||||||
- Security fix for CVE-2024-26130
|
|
||||||
Resolves: RHEL-112485
|
|
||||||
|
|
||||||
* Wed Feb 05 2025 Charalampos Stratakis <cstratak@redhat.com> - 41.0.7-2
|
|
||||||
- Security fix for CVE-2025-24898 in the bundled openssl crate
|
|
||||||
Resolves: RHEL-77735
|
|
||||||
|
|
||||||
* Tue Feb 06 2024 Miro Hrončok <mhroncok@redhat.com> - 41.0.7-1
|
* Tue Feb 06 2024 Miro Hrončok <mhroncok@redhat.com> - 41.0.7-1
|
||||||
- Update to 41.0.7, fixes CVE-2023-49083
|
- Update to 41.0.7, fixes CVE-2023-49083
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user