Add gh100372-SSLContext_load_verify_locations-trailing-data.patch
(from gh#python/cpython!100373/files) Stopping SSLContext.load_verify_locations from accepting some cases of trailing data in DER.
This commit is contained in:
parent
75bc4cb3a1
commit
04e45231c3
@ -0,0 +1,74 @@
|
|||||||
|
From 863a0a7badf3919c4a710df67e98dbf5db0a2690 Mon Sep 17 00:00:00 2001
|
||||||
|
From: David Benjamin <davidben@google.com>
|
||||||
|
Date: Tue, 20 Dec 2022 10:36:19 -0500
|
||||||
|
Subject: [PATCH] gh-100372: Use BIO_eof to detect EOF for SSL_FILETYPE_ASN1
|
||||||
|
|
||||||
|
In PEM, we need to parse until error and then suppress
|
||||||
|
PEM_R_NO_START_LINE, because PEM allows arbitrary leading and trailing
|
||||||
|
data. DER, however, does not. Parsing until error and suppressing
|
||||||
|
ASN1_R_HEADER_TOO_LONG doesn't quite work because that error also
|
||||||
|
covers some cases that should be rejected.
|
||||||
|
|
||||||
|
Instead, check BIO_eof early and stop the loop that way.
|
||||||
|
---
|
||||||
|
Lib/test/test_ssl.py | 2 ++
|
||||||
|
Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst | 2 ++
|
||||||
|
Modules/_ssl.c | 10 ++++++----
|
||||||
|
3 files changed, 10 insertions(+), 4 deletions(-)
|
||||||
|
create mode 100644 Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst
|
||||||
|
|
||||||
|
Index: Python-3.6.15/Lib/test/test_ssl.py
|
||||||
|
===================================================================
|
||||||
|
--- Python-3.6.15.orig/Lib/test/test_ssl.py
|
||||||
|
+++ Python-3.6.15/Lib/test/test_ssl.py
|
||||||
|
@@ -1209,6 +1209,8 @@ class ContextTests(unittest.TestCase):
|
||||||
|
"not enough data: cadata does not contain a certificate"
|
||||||
|
):
|
||||||
|
ctx.load_verify_locations(cadata=b"broken")
|
||||||
|
+ with self.assertRaises(ssl.SSLError):
|
||||||
|
+ ctx.load_verify_locations(cadata=cacert_der + b"A")
|
||||||
|
|
||||||
|
|
||||||
|
def test_load_dh_params(self):
|
||||||
|
Index: Python-3.6.15/Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst
|
||||||
|
===================================================================
|
||||||
|
--- /dev/null
|
||||||
|
+++ Python-3.6.15/Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst
|
||||||
|
@@ -0,0 +1,2 @@
|
||||||
|
+:meth:`ssl.SSLContext.load_verify_locations` no longer incorrectly accepts
|
||||||
|
+some cases of trailing data when parsing DER.
|
||||||
|
Index: Python-3.6.15/Modules/_ssl.c
|
||||||
|
===================================================================
|
||||||
|
--- Python-3.6.15.orig/Modules/_ssl.c
|
||||||
|
+++ Python-3.6.15/Modules/_ssl.c
|
||||||
|
@@ -3579,7 +3579,7 @@ _add_ca_certs(PySSLContext *self, void *
|
||||||
|
{
|
||||||
|
BIO *biobuf = NULL;
|
||||||
|
X509_STORE *store;
|
||||||
|
- int retval = -1, err, loaded = 0;
|
||||||
|
+ int retval = -1, err, loaded = 0, was_bio_eof = 0;
|
||||||
|
|
||||||
|
assert(filetype == SSL_FILETYPE_ASN1 || filetype == SSL_FILETYPE_PEM);
|
||||||
|
|
||||||
|
@@ -3607,6 +3607,10 @@ _add_ca_certs(PySSLContext *self, void *
|
||||||
|
int r;
|
||||||
|
|
||||||
|
if (filetype == SSL_FILETYPE_ASN1) {
|
||||||
|
+ if (BIO_eof(biobuf)) {
|
||||||
|
+ was_bio_eof = 1;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
cert = d2i_X509_bio(biobuf, NULL);
|
||||||
|
} else {
|
||||||
|
cert = PEM_read_bio_X509(biobuf, NULL,
|
||||||
|
@@ -3642,9 +3646,7 @@ _add_ca_certs(PySSLContext *self, void *
|
||||||
|
}
|
||||||
|
_setSSLError(msg, 0, __FILE__, __LINE__);
|
||||||
|
retval = -1;
|
||||||
|
- } else if ((filetype == SSL_FILETYPE_ASN1) &&
|
||||||
|
- (ERR_GET_LIB(err) == ERR_LIB_ASN1) &&
|
||||||
|
- (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) {
|
||||||
|
+ } else if ((filetype == SSL_FILETYPE_ASN1) && was_bio_eof) {
|
||||||
|
/* EOF ASN1 file, not an error */
|
||||||
|
ERR_clear_error();
|
||||||
|
retval = 0;
|
@ -22,6 +22,10 @@ Thu Jan 11 15:14:09 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
|
|||||||
- Add bpo43920-fix-load_verify_locations-errmsgs.patch (from
|
- Add bpo43920-fix-load_verify_locations-errmsgs.patch (from
|
||||||
gh#python/cpython!25554) to make load_verify_locations(cadata)
|
gh#python/cpython!25554) to make load_verify_locations(cadata)
|
||||||
error message consistent.
|
error message consistent.
|
||||||
|
- Add gh100372-SSLContext_load_verify_locations-trailing-data.patch
|
||||||
|
(from gh#python/cpython!100373/files) to stopping
|
||||||
|
SSLContext.load_verify_locations from accepting some cases of
|
||||||
|
trailing data in DER.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Sep 11 06:28:43 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
|
Mon Sep 11 06:28:43 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
|
||||||
|
@ -254,6 +254,9 @@ Patch62: crash-PyCFuncPtr_new-ctypes.patch
|
|||||||
# PATCH-FIX-UPSTREAM bpo43920-fix-load_verify_locations-errmsgs.patch bsc#1217782 mcepl@suse.com
|
# PATCH-FIX-UPSTREAM bpo43920-fix-load_verify_locations-errmsgs.patch bsc#1217782 mcepl@suse.com
|
||||||
# Make load_verify_locations(cadata) error message consistent (from gh#python/cpython!25554)
|
# Make load_verify_locations(cadata) error message consistent (from gh#python/cpython!25554)
|
||||||
Patch63: bpo43920-fix-load_verify_locations-errmsgs.patch
|
Patch63: bpo43920-fix-load_verify_locations-errmsgs.patch
|
||||||
|
# PATCH-FIX-UPSTREAM gh100372-SSLContext_load_verify_locations-trailing-data.patch bsc#1217782 mcepl@suse.com
|
||||||
|
# SSLContext.load_verify_locations stop accepting some cases of trailing data in DER (from gh#python/cpython!100373)
|
||||||
|
Patch64: gh100372-SSLContext_load_verify_locations-trailing-data.patch
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: fdupes
|
BuildRequires: fdupes
|
||||||
BuildRequires: gmp-devel
|
BuildRequires: gmp-devel
|
||||||
@ -556,6 +559,7 @@ other applications.
|
|||||||
%patch -P 61 -p1
|
%patch -P 61 -p1
|
||||||
%patch -P 62 -p1
|
%patch -P 62 -p1
|
||||||
%patch -P 63 -p1
|
%patch -P 63 -p1
|
||||||
|
%patch -P 64 -p1
|
||||||
|
|
||||||
# drop Autoconf version requirement
|
# drop Autoconf version requirement
|
||||||
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
|
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
|
||||||
|
Loading…
Reference in New Issue
Block a user