Add gh100372-SSLContext_load_verify_locations-trailing-data.patch

(from gh#python/cpython!100373/files) Stopping SSLContext.load_verify_locations from accepting some cases of trailing data in DER.
2024-01-24 11:33:46 +01:00 · 2024-01-24 11:33:46 +01:00 · 04e45231c3
commit 04e45231c3
parent 75bc4cb3a1
3 changed files with 82 additions and 0 deletions
--- a/gh100372-SSLContext_load_verify_locations-trailing-data.patch
+++ b/gh100372-SSLContext_load_verify_locations-trailing-data.patch
@ -0,0 +1,74 @@
+From 863a0a7badf3919c4a710df67e98dbf5db0a2690 Mon Sep 17 00:00:00 2001
+From: David Benjamin <davidben@google.com>
+Date: Tue, 20 Dec 2022 10:36:19 -0500
+Subject: [PATCH] gh-100372: Use BIO_eof to detect EOF for SSL_FILETYPE_ASN1
+
+In PEM, we need to parse until error and then suppress
+PEM_R_NO_START_LINE, because PEM allows arbitrary leading and trailing
+data. DER, however, does not. Parsing until error and suppressing
+ASN1_R_HEADER_TOO_LONG doesn't quite work because that error also
+covers some cases that should be rejected.
+
+Instead, check BIO_eof early and stop the loop that way.
+---
+ Lib/test/test_ssl.py                                                    |    2 ++
+ Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst |    2 ++
+ Modules/_ssl.c                                                          |   10 ++++++----
+ 3 files changed, 10 insertions(+), 4 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst
+
+Index: Python-3.6.15/Lib/test/test_ssl.py
+===================================================================
+--- Python-3.6.15.orig/Lib/test/test_ssl.py
+++ Python-3.6.15/Lib/test/test_ssl.py
+@@ -1209,6 +1209,8 @@ class ContextTests(unittest.TestCase):
+             "not enough data: cadata does not contain a certificate"
+         ):
+             ctx.load_verify_locations(cadata=b"broken")
+        with self.assertRaises(ssl.SSLError):
+            ctx.load_verify_locations(cadata=cacert_der + b"A")
+ 
+ 
+     def test_load_dh_params(self):
+Index: Python-3.6.15/Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst
+===================================================================
+--- /dev/null
+++ Python-3.6.15/Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst
+@@ -0,0 +1,2 @@
+:meth:`ssl.SSLContext.load_verify_locations` no longer incorrectly accepts
+some cases of trailing data when parsing DER.
+Index: Python-3.6.15/Modules/_ssl.c
+===================================================================
+--- Python-3.6.15.orig/Modules/_ssl.c
+++ Python-3.6.15/Modules/_ssl.c
+@@ -3579,7 +3579,7 @@ _add_ca_certs(PySSLContext *self, void *
+ {
+     BIO *biobuf = NULL;
+     X509_STORE *store;
+-    int retval = -1, err, loaded = 0;
+    int retval = -1, err, loaded = 0, was_bio_eof = 0;
+ 
+     assert(filetype == SSL_FILETYPE_ASN1 || filetype == SSL_FILETYPE_PEM);
+ 
+@@ -3607,6 +3607,10 @@ _add_ca_certs(PySSLContext *self, void *
+         int r;
+ 
+         if (filetype == SSL_FILETYPE_ASN1) {
+            if (BIO_eof(biobuf)) {
+                was_bio_eof = 1;
+                break;
+            }
+             cert = d2i_X509_bio(biobuf, NULL);
+         } else {
+             cert = PEM_read_bio_X509(biobuf, NULL,
+@@ -3642,9 +3646,7 @@ _add_ca_certs(PySSLContext *self, void *
+         }
+         _setSSLError(msg, 0, __FILE__, __LINE__);
+         retval = -1;
+-    } else if ((filetype == SSL_FILETYPE_ASN1) &&
+-                    (ERR_GET_LIB(err) == ERR_LIB_ASN1) &&
+-                    (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) {
+    } else if ((filetype == SSL_FILETYPE_ASN1) && was_bio_eof) {
+         /* EOF ASN1 file, not an error */
+         ERR_clear_error();
+         retval = 0;
--- a/python36.changes
+++ b/python36.changes
@ -22,6 +22,10 @@ Thu Jan 11 15:14:09 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
 - Add bpo43920-fix-load_verify_locations-errmsgs.patch (from
  gh#python/cpython!25554) to make load_verify_locations(cadata)
  error message consistent.
+- Add gh100372-SSLContext_load_verify_locations-trailing-data.patch
+  (from gh#python/cpython!100373/files) to stopping
+  SSLContext.load_verify_locations from accepting some cases of
+  trailing data in DER.

 -------------------------------------------------------------------
 Mon Sep 11 06:28:43 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
--- a/python36.spec
+++ b/python36.spec
@ -254,6 +254,9 @@ Patch62:        crash-PyCFuncPtr_new-ctypes.patch
 # PATCH-FIX-UPSTREAM bpo43920-fix-load_verify_locations-errmsgs.patch bsc#1217782 mcepl@suse.com
 # Make load_verify_locations(cadata) error message consistent (from gh#python/cpython!25554)
 Patch63:        bpo43920-fix-load_verify_locations-errmsgs.patch
+# PATCH-FIX-UPSTREAM gh100372-SSLContext_load_verify_locations-trailing-data.patch bsc#1217782 mcepl@suse.com
+# SSLContext.load_verify_locations stop accepting some cases of trailing data in DER (from gh#python/cpython!100373)
+Patch64:        gh100372-SSLContext_load_verify_locations-trailing-data.patch
 BuildRequires:  automake
 BuildRequires:  fdupes
 BuildRequires:  gmp-devel
@ -556,6 +559,7 @@ other applications.
 %patch -P 61 -p1
 %patch -P 62 -p1
 %patch -P 63 -p1
+%patch -P 64 -p1

 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac