Changes of Revision 10
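--- a/_service:tar_scm:python-cryptography.spec
+++ b/_service:tar_scm:python-cryptography.spec
@@ -1,7 +1,7 @@
 %global pypi_name cryptography
 Name: python-%{pypi_name}
 Version: 40.0.2
-Release: 1
+Release: 2
 Summary: PyCA's cryptography library
 License: ASL 2.0 or BSD
 URL: https://cryptography.io/en/latest/
@@ -9,6 +9,7 @@
 Source1: cargo-vendor-cache.tar.gz
 Patch6002: backport-provide-openssl-apis-related-to-SM-for-python.patch
+Patch6003: backport-CVE-2023-38325.patch
 BuildRequires: openssl-devel cargo
 BuildRequires: gcc
@@ -85,6 +86,9 @@
 %doc README.rst docs
 %changelog
+* Tue Jul 25 2023 shixuantong <shixuantong1@huawei.com> - 40.0.2-2
+- fix CVE-2023-38325
+
 * Fri May 19 2023 Dongxing Wang <dxwangk@isoftstone.com> - 40.0.2-1
 - Upgrade package to 40.0.2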
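Review bot: Patch6003 is declared in the second hunk, but nothing in this diff applies it; the `%prep` section lies outside the three hunks shown, so confirm it uses `%autosetup -p1` (or otherwise applies the new patch), because a declared-but-unapplied patch leaves the package built without the CVE-2023-38325 fix while the new changelog entry claims it. If `%prep` lists patches individually, the line to add there is `%patch6003 -p1`. It is also worth confirming that the backport's test-vector files are present in, or dropped from, the applied patch, since a `%check` run that references missing vectors would fail at build time.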
_service:tar_scm:backport-CVE-2023-38325.patch
Added
@@ -0,0 +1,284 @@ +From e190ef190525999d1f599cf8c3aef5cb7f3a8bc4 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer <paul.l.kehrer@gmail.com> +Date: Mon, 10 Jul 2023 19:46:49 -0500 +Subject: PATCH Backport ssh cert fix (#9211) + +* Fix encoding of SSH certs with critical options (#9208) + +* Add tests for issue #9207 + +* Fix encoding of SSH certs with critical options + +* Test unexpected additional values for crit opts/exts + +* temporarily allow invalid ssh cert encoding + +--- + docs/development/test-vectors.rst | 4 + + .../hazmat/primitives/serialization/ssh.py | 28 ++++- + tests/hazmat/primitives/test_ssh.py | 111 +++++++++++++----- + ...p256-ed25519-non-singular-crit-opt-val.pub | 1 + + .../p256-ed25519-non-singular-ext-val.pub | 1 + + 5 files changed, 111 insertions(+), 34 deletions(-) + create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-crit-opt-val.pub + create mode 100644 vectors/cryptography_vectors/asymmetric/OpenSSH/certs/p256-ed25519-non-singular-ext-val.pub + +diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst +index 72fdf7f..b379a54 100644 +--- a/docs/development/test-vectors.rst ++++ b/docs/development/test-vectors.rst +@@ -842,6 +842,10 @@ Custom OpenSSH Certificate Test Vectors + critical option. + * ``p256-p256-non-lexical-crit-opts.pub`` - A certificate with critical + options in non-lexical order. ++* ``p256-ed25519-non-singular-crit-opt-val.pub`` - A certificate with ++ a critical option that contains more than one value. ++* ``p256-ed25519-non-singular-ext-val.pub`` - A certificate with ++ an extension that contains more than one value. + * ``dsa-p256.pub`` - A certificate with a DSA public key signed by a P256 + CA. 
+ * ``p256-dsa.pub`` - A certificate with a P256 public key signed by a DSA +diff --git a/src/cryptography/hazmat/primitives/serialization/ssh.py b/src/cryptography/hazmat/primitives/serialization/ssh.py +index fa278d9..225e6fb 100644 +--- a/src/cryptography/hazmat/primitives/serialization/ssh.py ++++ b/src/cryptography/hazmat/primitives/serialization/ssh.py +@@ -1000,6 +1000,20 @@ def _parse_exts_opts(exts_opts: memoryview) -> typing.Dictbytes, bytes: + if last_name is not None and bname < last_name: + raise ValueError("Fields not lexically sorted") + value, exts_opts = _get_sshstr(exts_opts) ++ if len(value) > 0: ++ try: ++ value, extra = _get_sshstr(value) ++ except ValueError: ++ warnings.warn( ++ "This certificate has an incorrect encoding for critical " ++ "options or extensions. This will be an exception in " ++ "cryptography 42", ++ utils.DeprecatedIn41, ++ stacklevel=4, ++ ) ++ else: ++ if len(extra) > 0: ++ raise ValueError("Unexpected extra data after value") + resultbname = bytes(value) + last_name = bname + return result +@@ -1387,12 +1401,22 @@ class SSHCertificateBuilder: + fcrit = _FragList() + for name, value in self._critical_options: + fcrit.put_sshstr(name) +- fcrit.put_sshstr(value) ++ if len(value) > 0: ++ foptval = _FragList() ++ foptval.put_sshstr(value) ++ fcrit.put_sshstr(foptval.tobytes()) ++ else: ++ fcrit.put_sshstr(value) + f.put_sshstr(fcrit.tobytes()) + fext = _FragList() + for name, value in self._extensions: + fext.put_sshstr(name) +- fext.put_sshstr(value) ++ if len(value) > 0: ++ fextval = _FragList() ++ fextval.put_sshstr(value) ++ fext.put_sshstr(fextval.tobytes()) ++ else: ++ fext.put_sshstr(value) + f.put_sshstr(fext.tobytes()) + f.put_sshstr(b"") # RESERVED FIELD + # encode CA public key +diff --git a/tests/hazmat/primitives/test_ssh.py b/tests/hazmat/primitives/test_ssh.py +index c9f995b..9b2f0ea 100644 +--- a/tests/hazmat/primitives/test_ssh.py ++++ b/tests/hazmat/primitives/test_ssh.py +@@ -1072,26 +1072,28 @@ class 
TestSSHCertificate: + # secp256r1 public key, ed25519 signing key + cert = load_ssh_public_identity( + b"ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbm" +- b"lzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgtdU+dl9vD4xPi8afxERYo" +- b"s0c0d9/3m7XGY6fGeSkqn0AAAAIbmlzdHAyNTYAAABBBAsuVFNNj/mMyFm2xB99" +- b"G4xiaUJE1lZNjcp+S2tXYW5KorcHpusSlSqOkUPZ2l0644dgiNPDKR/R+BtYENC" +- b"8aq8AAAAAAAAAAAAAAAEAAAAUdGVzdEBjcnlwdG9ncmFwaHkuaW8AAAAaAAAACm" +- b"NyeXB0b3VzZXIAAAAIdGVzdHVzZXIAAAAAY7KyZAAAAAB2frXAAAAAAAAAAIIAA" +- b"AAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9y" +- b"d2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGV" +- b"ybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADMAAAALc3" +- b"NoLWVkMjU1MTkAAAAg3P0eyGf2crKGwSlnChbLzTVOFKwQELE1Ve+EZ6rXF18AA" +- b"ABTAAAAC3NzaC1lZDI1NTE5AAAAQKoij8BsPj/XLb45+wHmRWKNqXeZYXyDIj8J" +- b"IE6dIymjEqq0TP6ntu5t59hTmWlDO85GnMXAVGBjFbeikBMfAQc= reaperhulk" +- b"@despoina.local" ++ b"lzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgLfsFv9Gbc6LZSiJFWdYQl" ++ b"IMNI50GExXW0fBpgGVf+Y4AAAAIbmlzdHAyNTYAAABBBIzVyRgVLR4F38bIOLBN" ++ b"8CNm8Nf+eBHCVkKDKb9WDyLLD61CEmzjK/ORwFuSE4N60eIGbFidBf0D0xh7G6o" ++ b"TNxsAAAAAAAAAAAAAAAEAAAAUdGVzdEBjcnlwdG9ncmFwaHkuaW8AAAAaAAAACm" ++ b"NyeXB0b3VzZXIAAAAIdGVzdHVzZXIAAAAAY7KyZAAAAAB2frXAAAAAWAAAAA1mb" ++ b"3JjZS1jb21tYW5kAAAALAAAAChlY2hvIGFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh" ++ b"YWFhYWFhYWFhYWFhAAAAD3ZlcmlmeS1yZXF1aXJlZAAAAAAAAACCAAAAFXBlcm1" ++ b"pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbm" ++ b"cAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wd" ++ b"HkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1" ++ b"NTE5AAAAICH6csEOmGbOfT2B/S/FJg3uyPsaPSZUZk2SVYlfs0KLAAAAUwAAAAt" ++ b"zc2gtZWQyNTUxOQAAAEDz2u7X5/TFbN7Ms7DP4yArhz1oWWYKkdAk7FGFkHfjtY" ++ b"/YfNQ8Oky3dCZRi7PnSzScEEjos7723dhF8/y99WwH reaperhulk@despoina." 
++ b"local" + ) + assert isinstance(cert, SSHCertificate) + cert.verify_cert_signature() + signature_key = cert.signature_key() + assert isinstance(signature_key, ed25519.Ed25519PublicKey) + assert cert.nonce == ( +- b"\xb5\xd5>v_o\x0f\x8cO\x8b\xc6\x9f\xc4DX\xa2\xcd\x1c\xd1\xdf" +- b"\x7f\xden\xd7\x19\x8e\x9f\x19\xe4\xa4\xaa}" ++ b'-\xfb\x05\xbf\xd1\x9bs\xa2\xd9J"EY\xd6\x10\x94\x83\r#\x9d' ++ b"\x06\x13\x15\xd6\xd1\xf0i\x80e_\xf9\x8e" + ) + public_key = cert.public_key() + assert isinstance(public_key, ec.EllipticCurvePublicKey) +@@ -1102,7 +1104,10 @@ class TestSSHCertificate: + assert cert.valid_principals == b"cryptouser", b"testuser" + assert cert.valid_before == 1988015552 + assert cert.valid_after == 1672655460 +- assert cert.critical_options == {} ++ assert cert.critical_options == { ++ b"force-command": b"echo aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", ++ b"verify-required": b"", ++ } + assert cert.extensions == { + b"permit-X11-forwarding": b"", + b"permit-agent-forwarding": b"", +@@ -1111,6 +1116,31 @@ class TestSSHCertificate: + b"permit-user-rc": b"", + } + ++ def test_loads_deprecated_invalid_encoding_cert(self, backend): ++ with pytest.warns(utils.DeprecatedIn41): ++ cert = load_ssh_public_identity( ++ b"ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYT" ++ b"ItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgXE7sJ+xDVVNCO" ++ b"cEvpZS+SXIbc0nJdny/KqVbnwHslMIAAAAIbmlzdHAyNTYAAABBBI/qcLq8" ++ b"iiErpAhOWRqdMkpFSCNv7TVUcXCIfAl01JXbe2MvS4V7lFtiyrBjLSV7Iyw" ++ b"3TrulrWLibjPzZvLwmQcAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAA//" ++ b"////////8AAABUAAAADWZvcmNlLWNvbW1hbmQAAAAoZWNobyBhYWFhYWFhY" ++ b"WFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYQAAAA92ZXJpZnktcmVxdWly" ++ b"ZWQAAAAAAAAAEgAAAApwZXJtaXQtcHR5AAAAAAAAAAAAAABoAAAAE2VjZHN" ++ b"hLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI/qcLq8iiErpAhOWR" ++ b"qdMkpFSCNv7TVUcXCIfAl01JXbe2MvS4V7lFtiyrBjLSV7Iyw3TrulrWLib" ++ b"jPzZvLwmQcAAABlAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAABKAAAAIQCi" ++ 
b"eCsIhGKrZdkE1+zY5EBucrLzxFpwnm/onIT/6rapvQAAACEAuVQ1yQjlPKr" ++ b"kfsGfjeG+2umZrOS5Ycx85BQhYf0RgsA=" ++ ) ++ assert isinstance(cert, SSHCertificate) ++ cert.verify_cert_signature() ++ assert cert.extensions == {b"permit-pty": b""} ++ assert cert.critical_options == { ++ b"force-command": b"echo aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", ++ b"verify-required": b"", ++ } ++ + @pytest.mark.parametrize( + "filename", + +@@ -1224,6 +1254,8 @@ class TestSSHCertificate: + "p256-p256-non-lexical-extensions.pub", + "p256-p256-duplicate-crit-opts.pub", + "p256-p256-non-lexical-crit-opts.pub", ++ "p256-ed25519-non-singular-crit-opt-val.pub", ++ "p256-ed25519-non-singular-ext-val.pub", + , + ) + def test_invalid_encodings(self, filename): +@@ -1650,6 +1682,11 @@ class TestSSHCertificateBuilder: + .valid_after(1672531200) + .valid_before(1672617600) + .type(SSHCertificateType.USER) ++ .add_extension(b"permit-pty", b"") ++ .add_critical_option( ++ b"force-command", b"echo aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" ++ ) ++ .add_critical_option(b"verify-required", b"")
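Review bot: The new fallback in `_parse_exts_opts` references `warnings.warn(...)` and `utils.DeprecatedIn41`, yet the two `ssh.py` hunks in this backport begin at lines 1000 and 1387 (the second hunk's `+1401` offset is exactly 1387 plus the 14 lines the first adds, so no earlier hunk exists) and the patch touches nothing in `utils.py`; on the 40.0.2 tree this package builds, confirm that `warnings` is imported in `ssh.py` and that `DeprecatedIn41` exists in `cryptography.utils`, otherwise loading a certificate with the legacy encoding raises `NameError` or `AttributeError` instead of the intended deprecation warning. The upstream diffstat in the patch header counts 28 changed lines for `ssh.py` while the two hunks shown account for 26, which suggests a hunk may have been dropped when the patch was rebased, though that cannot be settled from this page. Both `_parse_exts_opts` and the `SSHCertificateBuilder` method that serialises critical options start outside their hunks, and the patch file is cut off on this page after the `test_ssh.py` builder hunk, so the remaining test changes and the two new vector files are not visible here.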