CaROS/poky
3
1
Fork 0
mirror of https://git.yoctoproject.org/git/poky synced 2026-01-01 13:58:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
cdc78fd36f
poky/meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch
Vijay Anusuri 6269fbcd4f python3-cryptography: Backport fix for CVE-2024-26130 
Upstream-Status: Backport from 97d2316727

(From OE-Core rev: 7864c4605cde4851df644dd1d2867bd28d155710)

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2024-03-25 04:11:25 -10:00

67 lines
2.5 KiB
Diff
Raw Blame History

From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Mon, 19 Feb 2024 11:50:28 -0500
Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't
match (#10423)
Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55]
CVE: CVE-2024-26130
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
.../hazmat/backends/openssl/backend.py | 9 +++++++++
tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++
2 files changed, 27 insertions(+)
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index c43fea0..d687931 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -2131,6 +2131,15 @@ class Backend(BackendInterface):
mac_iter,
0,
)
+ if p12 == self._ffi.NULL:
+ errors = self._consume_errors()
+ raise ValueError(
+ (
+ "Failed to create PKCS12 (does the key match the "
+ "certificate?)"
+ ),
+ errors,
+ )
self.openssl_assert(p12 != self._ffi.NULL)
p12 = self._ffi.gc(p12, self._lib.PKCS12_free)
diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py
index c5cfbc0..8af4c93 100644
--- a/tests/hazmat/primitives/test_pkcs12.py
+++ b/tests/hazmat/primitives/test_pkcs12.py
@@ -25,6 +25,24 @@ from ...doubles import DummyKeySerializationEncryption
from ...utils import load_vectors_from_file
+ @pytest.mark.supported(
+ only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC,
+ skip_message="Requires OpenSSL with PKCS12_set_mac",
+ )
+ def test_set_mac_key_certificate_mismatch(self, backend):
+ cacert, _ = _load_ca(backend)
+ key = ec.generate_private_key(ec.SECP256R1())
+ encryption = (
+ serialization.PrivateFormat.PKCS12.encryption_builder()
+ .hmac_hash(hashes.SHA256())
+ .build(b"password")
+ )
+
+ with pytest.raises(ValueError):
+ serialize_key_and_certificates(
+ b"name", key, cacert, [], encryption
+ )
+
@pytest.mark.skip_fips(
reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it."
)
--
2.35.7
Reference in New Issue View Git Blame Copy Permalink