diff --git a/backport-CVE-2023-38325.patch b/backport-CVE-2023-38325.patch
deleted file mode 100644
index b20a451eb3a830e625e3156d9df4561a4ea74005..0000000000000000000000000000000000000000
--- a/backport-CVE-2023-38325.patch
+++ /dev/null
@@ -1,284 +0,0 @@ -From e190ef190525999d1f599cf8c3aef5cb7f3a8bc4 Mon Sep 17 00:00:00 2001 -From: Paul Kehrer -Date: Mon, 10 Jul 2023 19:46:49 -0500 -Subject: [PATCH] Backport ssh cert fix (#9211) - -* Fix encoding of SSH certs with critical options (#9208) - -* Add tests for issue #9207 - -* Fix encoding of SSH certs with critical options - -* Test unexpected additional values for crit opts/exts - -* temporarily allow invalid ssh cert encoding - ---- - docs/development/test-vectors.rst | 4 + - .../hazmat/primitives/serialization/ssh.py | 28 ++++- - tests/hazmat/primitives/test_ssh.py | 111 +++++++++++++----- - ...p256-ed25519-non-singular-crit-opt-val.pub | 1 + - .../p256-ed25519-non-singular-ext-val.pub | 1 + - 5 files changed, 111 insertions(+), 34 deletions(-) - create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-crit-opt-val.pub - create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-ext-val.pub - -diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst -index 72fdf7f..b379a54 100644 ---- a/docs/development/test-vectors.rst -+++ b/docs/development/test-vectors.rst -@@ -842,6 +842,10 @@ Custom OpenSSH Certificate Test Vectors - critical option. - * ``p256-p256-non-lexical-crit-opts.pub`` - A certificate with critical - options in non-lexical order. -+* ``p256-ed25519-non-singular-crit-opt-val.pub`` - A certificate with -+ a critical option that contains more than one value. -+* ``p256-ed25519-non-singular-ext-val.pub`` - A certificate with -+ an extension that contains more than one value. - * ``dsa-p256.pub`` - A certificate with a DSA public key signed by a P256 - CA. 
- * ``p256-dsa.pub`` - A certificate with a P256 public key signed by a DSA -diff --git a/src/cryptography/hazmat/primitives/serialization/ssh.py b/src/cryptography/hazmat/primitives/serialization/ssh.py -index fa278d9..225e6fb 100644 ---- a/src/cryptography/hazmat/primitives/serialization/ssh.py -+++ b/src/cryptography/hazmat/primitives/serialization/ssh.py -@@ -1000,6 +1000,20 @@ def _parse_exts_opts(exts_opts: memoryview) -> typing.Dict[bytes, bytes]: - if last_name is not None and bname < last_name: - raise ValueError("Fields not lexically sorted") - value, exts_opts = _get_sshstr(exts_opts) -+ if len(value) > 0: -+ try: -+ value, extra = _get_sshstr(value) -+ except ValueError: -+ warnings.warn( -+ "This certificate has an incorrect encoding for critical " -+ "options or extensions. This will be an exception in " -+ "cryptography 42", -+ utils.DeprecatedIn41, -+ stacklevel=4, -+ ) -+ else: -+ if len(extra) > 0: -+ raise ValueError("Unexpected extra data after value") - result[bname] = bytes(value) - last_name = bname - return result -@@ -1387,12 +1401,22 @@ class SSHCertificateBuilder: - fcrit = _FragList() - for name, value in self._critical_options: - fcrit.put_sshstr(name) -- fcrit.put_sshstr(value) -+ if len(value) > 0: -+ foptval = _FragList() -+ foptval.put_sshstr(value) -+ fcrit.put_sshstr(foptval.tobytes()) -+ else: -+ fcrit.put_sshstr(value) - f.put_sshstr(fcrit.tobytes()) - fext = _FragList() - for name, value in self._extensions: - fext.put_sshstr(name) -- fext.put_sshstr(value) -+ if len(value) > 0: -+ fextval = _FragList() -+ fextval.put_sshstr(value) -+ fext.put_sshstr(fextval.tobytes()) -+ else: -+ fext.put_sshstr(value) - f.put_sshstr(fext.tobytes()) - f.put_sshstr(b"") # RESERVED FIELD - # encode CA public key -diff --git a/tests/hazmat/primitives/test_ssh.py b/tests/hazmat/primitives/test_ssh.py -index c9f995b..9b2f0ea 100644 ---- a/tests/hazmat/primitives/test_ssh.py -+++ b/tests/hazmat/primitives/test_ssh.py -@@ -1072,26 +1072,28 @@ class 
TestSSHCertificate: - # secp256r1 public key, ed25519 signing key - cert = load_ssh_public_identity( - b"ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbm" -- b"lzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgtdU+dl9vD4xPi8afxERYo" -- b"s0c0d9/3m7XGY6fGeSkqn0AAAAIbmlzdHAyNTYAAABBBAsuVFNNj/mMyFm2xB99" -- b"G4xiaUJE1lZNjcp+S2tXYW5KorcHpusSlSqOkUPZ2l0644dgiNPDKR/R+BtYENC" -- b"8aq8AAAAAAAAAAAAAAAEAAAAUdGVzdEBjcnlwdG9ncmFwaHkuaW8AAAAaAAAACm" -- b"NyeXB0b3VzZXIAAAAIdGVzdHVzZXIAAAAAY7KyZAAAAAB2frXAAAAAAAAAAIIAA" -- b"AAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9y" -- b"d2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGV" -- b"ybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADMAAAALc3" -- b"NoLWVkMjU1MTkAAAAg3P0eyGf2crKGwSlnChbLzTVOFKwQELE1Ve+EZ6rXF18AA" -- b"ABTAAAAC3NzaC1lZDI1NTE5AAAAQKoij8BsPj/XLb45+wHmRWKNqXeZYXyDIj8J" -- b"IE6dIymjEqq0TP6ntu5t59hTmWlDO85GnMXAVGBjFbeikBMfAQc= reaperhulk" -- b"@despoina.local" -+ b"lzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgLfsFv9Gbc6LZSiJFWdYQl" -+ b"IMNI50GExXW0fBpgGVf+Y4AAAAIbmlzdHAyNTYAAABBBIzVyRgVLR4F38bIOLBN" -+ b"8CNm8Nf+eBHCVkKDKb9WDyLLD61CEmzjK/ORwFuSE4N60eIGbFidBf0D0xh7G6o" -+ b"TNxsAAAAAAAAAAAAAAAEAAAAUdGVzdEBjcnlwdG9ncmFwaHkuaW8AAAAaAAAACm" -+ b"NyeXB0b3VzZXIAAAAIdGVzdHVzZXIAAAAAY7KyZAAAAAB2frXAAAAAWAAAAA1mb" -+ b"3JjZS1jb21tYW5kAAAALAAAAChlY2hvIGFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh" -+ b"YWFhYWFhYWFhYWFhAAAAD3ZlcmlmeS1yZXF1aXJlZAAAAAAAAACCAAAAFXBlcm1" -+ b"pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbm" -+ b"cAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wd" -+ b"HkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1" -+ b"NTE5AAAAICH6csEOmGbOfT2B/S/FJg3uyPsaPSZUZk2SVYlfs0KLAAAAUwAAAAt" -+ b"zc2gtZWQyNTUxOQAAAEDz2u7X5/TFbN7Ms7DP4yArhz1oWWYKkdAk7FGFkHfjtY" -+ b"/YfNQ8Oky3dCZRi7PnSzScEEjos7723dhF8/y99WwH reaperhulk@despoina." 
-+ b"local" - ) - assert isinstance(cert, SSHCertificate) - cert.verify_cert_signature() - signature_key = cert.signature_key() - assert isinstance(signature_key, ed25519.Ed25519PublicKey) - assert cert.nonce == ( -- b"\xb5\xd5>v_o\x0f\x8cO\x8b\xc6\x9f\xc4DX\xa2\xcd\x1c\xd1\xdf" -- b"\x7f\xden\xd7\x19\x8e\x9f\x19\xe4\xa4\xaa}" -+ b'-\xfb\x05\xbf\xd1\x9bs\xa2\xd9J"EY\xd6\x10\x94\x83\r#\x9d' -+ b"\x06\x13\x15\xd6\xd1\xf0i\x80e_\xf9\x8e" - ) - public_key = cert.public_key() - assert isinstance(public_key, ec.EllipticCurvePublicKey) -@@ -1102,7 +1104,10 @@ class TestSSHCertificate: - assert cert.valid_principals == [b"cryptouser", b"testuser"] - assert cert.valid_before == 1988015552 - assert cert.valid_after == 1672655460 -- assert cert.critical_options == {} -+ assert cert.critical_options == { -+ b"force-command": b"echo aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", -+ b"verify-required": b"", -+ } - assert cert.extensions == { - b"permit-X11-forwarding": b"", - b"permit-agent-forwarding": b"", -@@ -1111,6 +1116,31 @@ class TestSSHCertificate: - b"permit-user-rc": b"", - } - -+ def test_loads_deprecated_invalid_encoding_cert(self, backend): -+ with pytest.warns(utils.DeprecatedIn41): -+ cert = load_ssh_public_identity( -+ b"ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYT" -+ b"ItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgXE7sJ+xDVVNCO" -+ b"cEvpZS+SXIbc0nJdny/KqVbnwHslMIAAAAIbmlzdHAyNTYAAABBBI/qcLq8" -+ b"iiErpAhOWRqdMkpFSCNv7TVUcXCIfAl01JXbe2MvS4V7lFtiyrBjLSV7Iyw" -+ b"3TrulrWLibjPzZvLwmQcAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAA//" -+ b"////////8AAABUAAAADWZvcmNlLWNvbW1hbmQAAAAoZWNobyBhYWFhYWFhY" -+ b"WFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYQAAAA92ZXJpZnktcmVxdWly" -+ b"ZWQAAAAAAAAAEgAAAApwZXJtaXQtcHR5AAAAAAAAAAAAAABoAAAAE2VjZHN" -+ b"hLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI/qcLq8iiErpAhOWR" -+ b"qdMkpFSCNv7TVUcXCIfAl01JXbe2MvS4V7lFtiyrBjLSV7Iyw3TrulrWLib" -+ b"jPzZvLwmQcAAABlAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAABKAAAAIQCi" -+ 
b"eCsIhGKrZdkE1+zY5EBucrLzxFpwnm/onIT/6rapvQAAACEAuVQ1yQjlPKr" -+ b"kfsGfjeG+2umZrOS5Ycx85BQhYf0RgsA=" -+ ) -+ assert isinstance(cert, SSHCertificate) -+ cert.verify_cert_signature() -+ assert cert.extensions == {b"permit-pty": b""} -+ assert cert.critical_options == { -+ b"force-command": b"echo aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", -+ b"verify-required": b"", -+ } -+ - @pytest.mark.parametrize( - "filename", - [ -@@ -1224,6 +1254,8 @@ class TestSSHCertificate: - "p256-p256-non-lexical-extensions.pub", - "p256-p256-duplicate-crit-opts.pub", - "p256-p256-non-lexical-crit-opts.pub", -+ "p256-ed25519-non-singular-crit-opt-val.pub", -+ "p256-ed25519-non-singular-ext-val.pub", - ], - ) - def test_invalid_encodings(self, filename): -@@ -1650,6 +1682,11 @@ class TestSSHCertificateBuilder: - .valid_after(1672531200) - .valid_before(1672617600) - .type(SSHCertificateType.USER) -+ .add_extension(b"permit-pty", b"") -+ .add_critical_option( -+ b"force-command", b"echo aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" -+ ) -+ .add_critical_option(b"verify-required", b"") - ) - cert = builder.sign(private_key) - sig_key = cert.signature_key() -@@ -1664,19 +1701,21 @@ class TestSSHCertificateBuilder: - b"4kyHpbLEIVloBjzetoqXK6u8Hjz/APuagONypNDCySDR6M7jM85HDcLoFFrbBb8" - b"pruHSTxQejMeEmJxYf8b7rNl58/IWPB1ymbNlvHL/4oSOlnrtHkjcxRWzpQ7U3g" - b"T9BThGyhCiI7EMyEHMgP3r7kTzEUwT6IavWDAAAAAAAAAAAAAAABAAAAAAAAAAA" -- b"AAAAAY7DNAAAAAABjsh6AAAAAAAAAAAAAAAAAAAABFwAAAAdzc2gtcnNhAAAAAw" -- b"EAAQAAAQEAwXr8fndHTKpaqDA2FYo/+/e1IWhRuiIw5dar/MHGz+9Z6SPqEzC8W" -- b"TtzgCq2CKbkozBlI6MRa6WqOWYUUXThO2xJ6beAYuRJ1y77EP1J6R+gi5bQUeeC" -- b"6fWrxbWm95hIJ6245z2gDyKy79zbduq0btrZjtZWYnQ/3GwOM2pdDNuqfcKeU2N" -- b"eJMh6WyxCFZaAY83raKlyurvB48/wD7moDjcqTQwskg0ejO4zPORw3C6BRa2wW/" -- b"Ka7h0k8UHozHhJicWH/G+6zZefPyFjwdcpmzZbxy/+KEjpZ67R5I3MUVs6UO1N4" -- b"E/QU4RsoQoiOxDMhBzID96+5E8xFME+iGr1gwAAARQAAAAMcnNhLXNoYTItNTEy" -- b"AAABAKCRnfhn6MZs3jRgIDICUpUyWrDCbpStEbdzhmoxF8w2m8klR7owRH/rxOf" -- 
b"nWhKMGnXnoERS+az3Zh9ckiQPujkuEToORKpzu6CEWlzHSzyK1o2X548KkW76HJ" -- b"gqzwMas94HY7UOJUgKSFUI0S3jAgqXAKSa1DxvJBu5/n57aUqPq+BmAtoI8uNBo" -- b"x4F1pNEop38+oD7rUt8bZ8K0VcrubJZz806K8UNiK0mOahaEIkvZXBfzPGvSNRj" -- b"0OjDl1dLUZaP8C1o5lVRomEm7pLcgE9i+ZDq5iz+mvQrSBStlpQ5hPGuUOrZ/oY" -- b"ZLZ1G30R5tWj212MHoNZjxFxM8+f2OT4=" -+ b"AAAAAY7DNAAAAAABjsh6AAAAAWAAAAA1mb3JjZS1jb21tYW5kAAAALAAAAChlY2" -+ b"hvIGFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhAAAAD3Zlcmlme" -+ b"S1yZXF1aXJlZAAAAAAAAAASAAAACnBlcm1pdC1wdHkAAAAAAAAAAAAAARcAAAAH" -+ b"c3NoLXJzYQAAAAMBAAEAAAEBAMF6/H53R0yqWqgwNhWKP/v3tSFoUboiMOXWq/z" -+ b"Bxs/vWekj6hMwvFk7c4Aqtgim5KMwZSOjEWulqjlmFFF04TtsSem3gGLkSdcu+x" -+ b"D9SekfoIuW0FHngun1q8W1pveYSCetuOc9oA8isu/c23bqtG7a2Y7WVmJ0P9xsD" -+ b"jNqXQzbqn3CnlNjXiTIelssQhWWgGPN62ipcrq7wePP8A+5qA43Kk0MLJINHozu" -+ b"MzzkcNwugUWtsFvymu4dJPFB6Mx4SYnFh/xvus2Xnz8hY8HXKZs2W8cv/ihI6We" -+ b"u0eSNzFFbOlDtTeBP0FOEbKEKIjsQzIQcyA/evuRPMRTBPohq9YMAAAEUAAAADH" -+ b"JzYS1zaGEyLTUxMgAAAQCYbbNzhflDqZAxyBpdLIX0nLAdnTeFNBudMqgo3KGND" -+ b"WlU9N17hqBEmcvIOrtNi+JKuKZW89zZrbORHvdjv6NjGSKzJD/XA25YrX1KgMEO" -+ b"wt5pzMZX+100drwrjQo+vZqeIN3FJNmT3wssge73v+JsxQrdIAz7YM2OZrFr5HM" -+ b"qZEZ5tMvAf/s5YEMDttEU4zMtmjubQyDM5KyYnZdoDT4sKi2rB8gfaigc4IdI/K" -+ b"8oXL/3Y7rHuOtejl3lUK4v6DxeRl4aqGYWmhUJc++Rh0cbDgC2S6Cq7gAfG2tND" -+ b"zbwL217Q93R08bJn1hDWuiTiaHGauSy2gPUI+cnkvlEocHM" - ) - - @pytest.mark.supported( -@@ -1702,6 +1741,11 @@ class TestSSHCertificateBuilder: - .valid_after(1672531200) - .valid_before(1672617600) - .type(SSHCertificateType.USER) -+ .add_extension(b"permit-pty", b"") -+ .add_critical_option( -+ b"force-command", b"echo aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" -+ ) -+ .add_critical_option(b"verify-required", b"") - ) - cert = builder.sign(private_key) - sig_key = cert.signature_key() -@@ -1711,8 +1755,11 @@ class TestSSHCertificateBuilder: - b"ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdj" - b"AxQG9wZW5zc2guY29tAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" - 
b"AAAAAAAINdamAGCsQq31Uv+08lkBzoO4XLz2qYjJa8CGmj3B1EaAAAAAAAAAAAA" -- b"AAABAAAAAAAAAAAAAAAAY7DNAAAAAABjsh6AAAAAAAAAAAAAAAAAAAAAMwAAAAt" -- b"zc2gtZWQyNTUxOQAAACDXWpgBgrEKt9VL/tPJZAc6DuFy89qmIyWvAhpo9wdRGg" -- b"AAAFMAAAALc3NoLWVkMjU1MTkAAABAAlF6Lxabxs+8fkOr7KjKYei9konIG13cQ" -- b"gJ2tWf3yFcg3OuV5s/AkRmKdwHlQfTUrhRdOmDnGxeLEB0mvkVFCw==" -+ b"AAABAAAAAAAAAAAAAAAAY7DNAAAAAABjsh6AAAAAWAAAAA1mb3JjZS1jb21tYW5" -+ b"kAAAALAAAAChlY2hvIGFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYW" -+ b"FhAAAAD3ZlcmlmeS1yZXF1aXJlZAAAAAAAAAASAAAACnBlcm1pdC1wdHkAAAAAA" -+ b"AAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAg11qYAYKxCrfVS/7TyWQHOg7hcvPa" -+ b"piMlrwIaaPcHURoAAABTAAAAC3NzaC1lZDI1NTE5AAAAQL2aUjeD60C2FrbgHcN" -+ b"t8yRa8IRbxvOyA9TZYDGG1dRE3DiR0fuudU20v6vqfTd1gx0S5QyEdECXLl9ZI3" -+ b"AwZgc=" - ) -diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-crit-opt-val.pub b/vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-crit-opt-val.pub -new file mode 100644 -index 0000000..5510bd5 ---- /dev/null -+++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-crit-opt-val.pub -@@ -0,0 +1 @@ -+ecdsa-sha2-nistp256-cert-v01@openssh.com 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 -\ No newline at end of file -diff --git a/vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-ext-val.pub b/vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-ext-val.pub -new file mode 100644 -index 0000000..c44b49f ---- /dev/null -+++ b/vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-ext-val.pub -@@ -0,0 +1 @@ -+ecdsa-sha2-nistp256-cert-v01@openssh.com 
AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIbmlzdHAyNTYAAABBBCZWRs4GYIHGJpyXuqvfFGWN49dnJRkZJLDkFrHf6mNHhIMI3vtrLfCZwxPSfnCYWK6YofssZ1FYA6TkVJq8Xi8AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAABjsM0AAAAAAGOyHoAAAAAXAAAAD3ZlcmlmeS1yZXF1aXJlZAAAAAAAAAAvAAAAFGNvbnRhaW5zLWV4dHJhLXZhbHVlAAAAEwAAAAVoZWxsbwAAAAYgd29ybGQAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACDdZgztgAFFC7T5PifrUy/kMu0Pnwq1au3vStKHe7FFMAAAAFMAAAALc3NoLWVkMjU1MTkAAABAY80oIEvooz/k3x9a+yVkjSNRfi4y/q87wVYiT7keTpP4n9JV/Vlc0u7O2QYOHfb4DUkcrvbsksKVsiqoQu5qDg==
-\ No newline at end of file
---
-2.27.0
-
diff --git a/backport-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-certificates.patch b/backport-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-certificates.patch
deleted file mode 100644
index 7f309acb03f5d852479c509179e1b046a677d0e7..0000000000000000000000000000000000000000
--- a/backport-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-certificates.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 6d71ead8d1910857e8cd778bc34c46c06e870a69 Mon Sep 17 00:00:00 2001
-From: Alex Gaynor
-Date: Wed, 29 Nov 2023 11:37:52 +0800
-Subject: [PATCH] Fixed crash when loading a PKCS#7 bundle with no certificates
- (#9926)
-
----
- src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
- tests/hazmat/primitives/test_pkcs7.py | 6 ++++++
- 2 files changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
-index a3fe1bc..58e7207 100644
---- a/src/cryptography/hazmat/backends/openssl/backend.py
-+++ b/src/cryptography/hazmat/backends/openssl/backend.py
-@@ -2383,9 +2383,12 @@ class Backend:
- _Reasons.UNSUPPORTED_SERIALIZATION,
- )
-
-+ certs: list[x509.Certificate] = []
-+ if p7.d.sign == self._ffi.NULL:
-+ return certs
-+
- sk_x509 = p7.d.sign.cert
- num = self._lib.sk_X509_num(sk_x509)
-- certs = []
- for i in range(num):
- x509 = self._lib.sk_X509_value(sk_x509, i)
- self.openssl_assert(x509 != self._ffi.NULL)
-diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
-index 4e61c5e..d8170bf 100644
---- a/tests/hazmat/primitives/test_pkcs7.py
-+++ b/tests/hazmat/primitives/test_pkcs7.py
-@@ -89,6 +89,12 @@ class TestPKCS7Loading:
- mode="rb",
- )
-
-+ def test_load_pkcs7_empty_certificates(self, backend):
-+ der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
-+
-+ certificates = pkcs7.load_der_pkcs7_certificates(der)
-+ assert certificates == []
-+
-
- # We have no public verification API and won't be adding one until we get
- # some requirements from users so this function exists to give us basic
---
-2.33.0
-
diff --git a/backport-provide-openssl-apis-related-to-SM-for-python.patch b/backport-provide-openssl-apis-related-to-SM-for-python.patch
index 175e08763d8bff696e4d2cd34c5e47d53f1f7496..68f469a5e2265c599a56e0e4e1116bcecae6cdca 100644
--- a/backport-provide-openssl-apis-related-to-SM-for-python.patch +++ b/backport-provide-openssl-apis-related-to-SM-for-python.patch @@ -9,37 +9,37 @@ Signed-off-by: hanxinke 1 file changed, 7 insertions(+) diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py -index b8a3899..0797d59 100644 +index 54f5388..c304684 100644 --- a/src/_cffi_src/openssl/evp.py 
+++ b/src/_cffi_src/openssl/evp.py -@@ -35,6 +35,7 @@ static const int Cryptography_HAS_SCRYPT; +@@ -32,6 +32,7 @@ static const int EVP_CTRL_AEAD_SET_TAG; + + static const int Cryptography_HAS_SCRYPT; static const int Cryptography_HAS_EVP_PKEY_DHX; - static const long Cryptography_HAS_RAW_KEY; - static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF; +static const int EVP_PKEY_SM2; static const long Cryptography_HAS_300_FIPS; static const long Cryptography_HAS_300_EVP_CIPHER; - static const long Cryptography_HAS_EVP_PKEY_DH; -@@ -93,6 +94,9 @@ int EVP_DigestSignFinal(EVP_MD_CTX *, unsigned char *, size_t *); - int EVP_DigestVerifyInit(EVP_MD_CTX *, EVP_PKEY_CTX **, const EVP_MD *, - ENGINE *, EVP_PKEY *); + """ +@@ -69,6 +70,9 @@ int EVP_VerifyUpdate(EVP_MD_CTX *, const void *, size_t); + int EVP_VerifyFinal(EVP_MD_CTX *, const unsigned char *, unsigned int, + EVP_PKEY *); +int EVP_DigestVerifyUpdate(EVP_MD_CTX *, const void *, size_t); +int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, + size_t siglen); + int EVP_PKEY_set1_RSA(EVP_PKEY *, RSA *); + int EVP_PKEY_set1_DSA(EVP_PKEY *, DSA *); +@@ -84,6 +88,9 @@ int EVP_PKEY_assign_RSA(EVP_PKEY *, RSA *); - EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *, ENGINE *); -@@ -158,6 +162,9 @@ EVP_PKEY *EVP_PKEY_new_raw_public_key(int, ENGINE *, const unsigned char *, - int EVP_PKEY_get_raw_private_key(const EVP_PKEY *, unsigned char *, size_t *); - int EVP_PKEY_get_raw_public_key(const EVP_PKEY *, unsigned char *, size_t *); + int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *, int, int, void *); +void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx); +const EVP_MD *EVP_sm3(void); + - int EVP_default_properties_is_fips_enabled(OSSL_LIB_CTX *); int EVP_default_properties_enable_fips(OSSL_LIB_CTX *, int); """ + -- -2.33.0 +2.27.0 
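Review bot: The rebased context anchors the two added `EVP_DigestVerifyUpdate`/`EVP_DigestVerifyFinal` declarations after the legacy `EVP_VerifyFinal` instead of after `EVP_DigestVerifyInit` as the 40.x version did, and `EVP_DigestVerifyInit` no longer appears anywhere on the new side of this hunk; if 42.0.2's evp.py dropped that declaration when the signing code moved out of cffi, the SM2 verify path this patch exists to enable cannot be initialised from Python even though the update/final symbols compile. Worth checking the rebased file for `EVP_DigestVerifyInit` and re-adding it in this same hunk if it is gone. Separately, `static const int EVP_PKEY_SM2;` and `const EVP_MD *EVP_sm3(void);` are declared unconditionally, with no `Cryptography_HAS_*` flag or `CUSTOMIZATIONS` fallback visible here, so an OpenSSL built without SM2/SM3 fails at cffi compile time rather than degrading gracefully; if that trade-off is intended for this distribution's OpenSSL, a one-line statement of it in the patch description would save the next rebase from re-deriving it.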
diff --git a/backport-raise-an-exception-instead-of-returning-an-empty-list-for-pkcs7-cert-loading.patch b/backport-raise-an-exception-instead-of-returning-an-empty-list-for-pkcs7-cert-loading.patch
deleted file mode 100644
index 4c34ab6c13fdc9ca77492079fbd6aa55246efc6b..0000000000000000000000000000000000000000
--- a/backport-raise-an-exception-instead-of-returning-an-empty-list-for-pkcs7-cert-loading.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 6e9dc67ed5d8151d5b7604ad1a97b57cd367e028 Mon Sep 17 00:00:00 2001
-From: Paul Kehrer
-Date: Sun, 5 Nov 2023 19:36:55 +0800
-Subject: [PATCH] raise an exception instead of returning an empty list for
- pkcs7 cert loading (#9947)
-
-* raise an exception instead of returning an empty list
-
-as davidben points out in #9926 we are calling a specific load
-certificates function and an empty value doesn't necessarily mean empty
-because PKCS7 contains multitudes. erroring is more correct.
-
-* changelog
-
-* Update CHANGELOG.rst
-
-Co-authored-by: Alex Gaynor
-
----------
-
-Co-authored-by: Alex Gaynor
----
- src/cryptography/hazmat/backends/openssl/backend.py | 7 +++++--
- tests/hazmat/primitives/test_pkcs7.py | 6 +++---
- 2 files changed, 8 insertions(+), 5 deletions(-)
-
-diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
-index 58e7207..d42220f 100644
---- a/src/cryptography/hazmat/backends/openssl/backend.py
-+++ b/src/cryptography/hazmat/backends/openssl/backend.py
-@@ -2383,12 +2383,15 @@ class Backend:
- _Reasons.UNSUPPORTED_SERIALIZATION,
- )
-
-- certs: list[x509.Certificate] = []
- if p7.d.sign == self._ffi.NULL:
-- return certs
-+ raise ValueError(
-+ "The provided PKCS7 has no certificate data, but a cert "
-+ "loading method was called."
-+ )
-
- sk_x509 = p7.d.sign.cert
- num = self._lib.sk_X509_num(sk_x509)
-+ certs: list[x509.Certificate] = []
- for i in range(num):
- x509 = self._lib.sk_X509_value(sk_x509, i)
- self.openssl_assert(x509 != self._ffi.NULL)
-diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
-index d8170bf..44c1d8d 100644
---- a/tests/hazmat/primitives/test_pkcs7.py
-+++ b/tests/hazmat/primitives/test_pkcs7.py
-@@ -89,11 +89,11 @@ class TestPKCS7Loading:
- mode="rb",
- )
-
-- def test_load_pkcs7_empty_certificates(self, backend):
-+ def test_load_pkcs7_empty_certificates(self):
- der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
-
-- certificates = pkcs7.load_der_pkcs7_certificates(der)
-- assert certificates == []
-+ with pytest.raises(ValueError):
-+ pkcs7.load_der_pkcs7_certificates(der)
-
- # We have no public verification API and won't be adding one until we get
---
-2.33.0
-
diff --git a/cargo-vendor-cache.tar.gz b/cargo-vendor-cache.tar.gz
index efb208c6b575447eceee5554d10a5b72343403a2..f1876f8d92316969e6b445be4322040bbd070b57 100644
Binary files a/cargo-vendor-cache.tar.gz and b/cargo-vendor-cache.tar.gz differ
diff --git a/cryptography-40.0.2.tar.gz b/cryptography-40.0.2.tar.gz
deleted file mode 100644
index bbae52070584452ddd2a2168c9b28219f529fc6f..0000000000000000000000000000000000000000
Binary files a/cryptography-40.0.2.tar.gz and /dev/null differ
diff --git a/cryptography-42.0.2.tar.gz b/cryptography-42.0.2.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..b68881182ef1eede839a433ca3a3999b3f8366d2
Binary files /dev/null and b/cryptography-42.0.2.tar.gz differ
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 5308738f9eaf484f0d6d055389bbd05a68f47bd5..0e400217a3b3da865b4c256512efe9672c8fbfac 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -1,18 +1,19 @@
 %global pypi_name cryptography
 
 Name: python-%{pypi_name}
-Version: 40.0.2
-Release: 5
+Version: 42.0.2
+Release: 1
 Summary: PyCA's cryptography library
 License: ASL 2.0 or BSD
 URL: https://cryptography.io/en/latest/
 Source0: %{pypi_source %{pypi_name}}
+# For Rust offline compile
+# Decompress the source code of cryptography, then enter ./src/rust directory,
+# execute "cargo vendor" to obtain "vendor" directory (Internet connection required),
+# finally, tar -czvf cargo-vendor-cache.tar.gz vendor
+# Note: Cargo needs to be consistent with the cargo version in the compile environment.
 Source1: cargo-vendor-cache.tar.gz
 Patch6002: backport-provide-openssl-apis-related-to-SM-for-python.patch
-Patch6003: backport-CVE-2023-38325.patch
-# CVE-2023-49083
-Patch6004: backport-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-certificates.patch
-Patch6005: backport-raise-an-exception-instead-of-returning-an-empty-list-for-pkcs7-cert-loading.patch
 
 BuildRequires: openssl-devel cargo
 BuildRequires: gcc
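Review bot: Removing `Patch6003`–`Patch6005` also removes the only `CVE-2023-38325` / `CVE-2023-49083` markers from the spec, while the changelog entry added later in this diff says only "upgrade version to 42.0.2"; upstream fixed both in the 41.0.x line, so dropping the backports is correct, but the changelog should record it, e.g. `- drop backport patches for CVE-2023-38325 and CVE-2023-49083 (fixed upstream)`, so that CVE trackers reading the spec history still see the coverage. The new vendoring instructions should also call for `cargo vendor --locked`, so the vendored crate set is pinned to upstream's Cargo.lock instead of being re-resolved at vendoring time, and the last comment line reads more clearly as `# Note: the cargo version used to vendor must match the one in the build environment.`.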
@@ -24,15 +25,14 @@ BuildRequires: python%{python3_pkgversion}-setuptools
 BuildRequires: python%{python3_pkgversion}-pretend
 BuildRequires: python%{python3_pkgversion}-iso8601
 BuildRequires: python%{python3_pkgversion}-cryptography-vectors = %{version}
-BuildRequires: python%{python3_pkgversion}-asn1crypto >= 0.21
 BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4
 BuildRequires: python%{python3_pkgversion}-pytz
-BuildRequires: python%{python3_pkgversion}-idna >= 2.1
-BuildRequires: python%{python3_pkgversion}-six >= 1.4.1
-BuildRequires: python%{python3_pkgversion}-cffi >= 1.7
-BuildRequires: python%{python3_pkgversion}-setuptools-rust
+BuildRequires: python%{python3_pkgversion}-cffi >= 1.12
+BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 1.7.0
+BuildRequires: python%{python3_pkgversion}-wheel
 BuildRequires: python3-pip
 BuildRequires: python3-pytest-subtests
+
 %description
 cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.
@@ -42,10 +42,7 @@ recipes to Python developers.
 
 Summary: PyCA's cryptography library
 Requires: openssl-libs
-Requires: python%{python3_pkgversion}-idna >= 2.1
-Requires: python%{python3_pkgversion}-asn1crypto >= 0.21
-Requires: python%{python3_pkgversion}-six >= 1.4.1
-Requires: python%{python3_pkgversion}-cffi >= 1.7
+Requires: python%{python3_pkgversion}-cffi >= 1.12
 
 %{?python_provide:%python_provide python%{python3_pkgversion}-%{pypi_name}}
 
@@ -69,10 +66,10 @@ EOF
 
 
 %build
-%py3_build
+%pyproject_build
 
 %install
-%py3_install
+%pyproject_install
 
 %check
 #PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest --ignore vendor
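Review bot: The Python build dependencies get new floors here (`cffi >= 1.12`, `setuptools-rust >= 1.7.0`) but the Rust toolchain does not: `BuildRequires: openssl-devel cargo` in the first hunk's context still carries no version, and 42.x raised its minimum supported Rust version compared with 40.x, so a build host with an older toolchain only fails late, inside `cargo`, with an unhelpful error. Consider pairing the `cargo` entry with `BuildRequires: rust >= <MSRV declared in the 42.0.2 sources>` so the requirement is checked at dependency resolution time. The note in the new `Source1` comment about matching cargo versions is the same concern stated informally; a versioned BuildRequires makes it enforceable.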
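Review bot: `%check` still runs nothing — the pytest invocation on the line after it stays commented out — so the 40.0.2→42.0.2 jump, the switch to `%pyproject_build`/`%pyproject_install`, and the rebased cffi declarations in Patch6002 are never exercised at build time. Re-enabling that existing line, or at least a subset such as `tests/hazmat/primitives/test_ssh.py` and `tests/hazmat/primitives/test_pkcs7.py` (the areas whose backports this commit drops in favour of the upstream fixes), would catch a wheel that imports but misbehaves. `%pyproject_build` also needs its macro package in BuildRequires unless this distribution's python3 macros already provide it; the full BuildRequires list is not visible here, so worth confirming.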
@@ -82,13 +79,16 @@ EOF
 #%doc AUTHORS.rst
 %license LICENSE LICENSE.APACHE LICENSE.BSD
 %{python3_sitearch}/%{pypi_name}
-%{python3_sitearch}/%{pypi_name}-%{version}-py*.egg-info
+%{python3_sitearch}/%{pypi_name}-%{version}.dist-info
 
 %files help
 %defattr(-,root,root)
 %doc README.rst docs
 
 %changelog
+* Thu Feb 01 2024 shixuantong - 42.0.2-1
+- upgrade version to 42.0.2
+
 * Sat Dec 23 2023 shixuanttong - 40.0.2-5
 - update author info for Patch6002