python3-cryptography: Backport fix for CVE-2024-26130

Upstream-Status: Backport from 97d2316727 (From OE-Core rev: 7864c4605cde4851df644dd1d2867bd28d155710) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-01-01 13:58:04 +00:00 · 2024-03-19 18:02:09 +05:30 · 2024-03-19 18:02:09 +05:30 · 6269fbcd4f
commit 6269fbcd4f
parent 9fce626d58
2 changed files with 67 additions and 0 deletions
--- a/meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch
+++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch
@ -0,0 +1,66 @@
+From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Mon, 19 Feb 2024 11:50:28 -0500
+Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't
+ match (#10423)
+
+Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55]
+CVE: CVE-2024-26130
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ .../hazmat/backends/openssl/backend.py         |  9 +++++++++
+ tests/hazmat/primitives/test_pkcs12.py         | 18 ++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index c43fea0..d687931 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2131,6 +2131,15 @@ class Backend(BackendInterface):
+                     mac_iter,
+                     0,
+                 )
+                if p12 == self._ffi.NULL:
+                    errors = self._consume_errors()
+                    raise ValueError(
+                        (
+                            "Failed to create PKCS12 (does the key match the "
+                            "certificate?)"
+                        ),
+                        errors,
+                    )
+ 
+         self.openssl_assert(p12 != self._ffi.NULL)
+         p12 = self._ffi.gc(p12, self._lib.PKCS12_free)
+diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py
+index c5cfbc0..8af4c93 100644
+--- a/tests/hazmat/primitives/test_pkcs12.py
+++ b/tests/hazmat/primitives/test_pkcs12.py
+@@ -25,6 +25,24 @@ from ...doubles import DummyKeySerializationEncryption
+ from ...utils import load_vectors_from_file
+ 
+ 
+   @pytest.mark.supported(
+       only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC,
+       skip_message="Requires OpenSSL with PKCS12_set_mac",
+   )
+   def test_set_mac_key_certificate_mismatch(self, backend):
+       cacert, _ = _load_ca(backend)
+       key = ec.generate_private_key(ec.SECP256R1())
+       encryption = (
+           serialization.PrivateFormat.PKCS12.encryption_builder()
+           .hmac_hash(hashes.SHA256())
+           .build(b"password")
+       )
+
+       with pytest.raises(ValueError):
+           serialize_key_and_certificates(
+               b"name", key, cacert, [], encryption
+           )
+
+ @pytest.mark.skip_fips(
+     reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it."
+ )
+-- 
+2.35.7
+
--- a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
+++ b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
@ -19,6 +19,7 @@ SRC_URI += " \
    file://fix-leak-metric.patch \
    file://CVE-2023-23931.patch \
    file://CVE-2023-49083.patch \
+    file://CVE-2024-26130.patch \
 "

 inherit pypi python_setuptools3_rust