Add bpo43920-fix-load_verify_locations-errmsgs.patch

(from gh#python/cpython!25554) Making load_verify_locations(cadata) error message consistent.
2024-01-24 11:55:16 +01:00 · 2024-01-24 11:55:16 +01:00 · 75bc4cb3a1
commit 75bc4cb3a1
parent 4812bf97a2
4 changed files with 177 additions and 37 deletions
--- a/bpo-43522-fix-SSLContext.hostname_checks_common_name.patch
+++ b/bpo-43522-fix-SSLContext.hostname_checks_common_name.patch
@ -25,13 +25,15 @@ Signed-off-by: Christian Heimes <christian@python.org>
 Lib/test/test_ssl.py                                              |   26 +
 Misc/NEWS.d/next/Library/2021-03-16-22-37-32.bpo-43522.dhNwOu.rst |    1 
 Misc/NEWS.d/next/Library/2021-04-09-14-08-03.bpo-43789.eaHlAm.rst |    2 
- Modules/_ssl.c                                                    |   41 +
- 17 files changed, 878 insertions(+), 539 deletions(-)
+ Modules/_ssl.c                                                    |   40 +
+ 17 files changed, 877 insertions(+), 539 deletions(-)
 create mode 100644 Lib/test/nosan.pem
 create mode 100644 Misc/NEWS.d/next/Library/2021-03-16-22-37-32.bpo-43522.dhNwOu.rst

--- a/Lib/ssl.py
-+++ b/Lib/ssl.py
+Index: Python-3.6.15/Lib/ssl.py
+===================================================================
+--- Python-3.6.15.orig/Lib/ssl.py
+++ Python-3.6.15/Lib/ssl.py
@@ -173,6 +173,7 @@ if _ssl.HAS_TLS_UNIQUE:
 else:
     CHANNEL_BINDING_TYPES = []
@ -64,8 +66,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
     @property
     def verify_flags(self):
         return VerifyFlags(super().verify_flags)
--- a/Lib/test/allsans.pem
-+++ b/Lib/test/allsans.pem
+Index: Python-3.6.15/Lib/test/allsans.pem
+===================================================================
+--- Python-3.6.15.orig/Lib/test/allsans.pem
+++ Python-3.6.15/Lib/test/allsans.pem
@@ -1,81 +1,170 @@
 -----BEGIN PRIVATE KEY-----
 -MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCg/pM6dP7BTFNc
@ -314,8 +318,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
 +hDj7K/vq3YjoncGbZ4c9eXs9fmEfcDy3yEwXpQyjKMerSBEU95h62k77kXaJCqbG
 +cuCW2fGA6miQN1zGacfXvMfRrlupElnG5GxhqYu6UbMT
 -----END CERTIFICATE-----
--- a/Lib/test/capath/b1930218.0
-+++ b/Lib/test/capath/b1930218.0
+Index: Python-3.6.15/Lib/test/capath/b1930218.0
+===================================================================
+--- Python-3.6.15.orig/Lib/test/capath/b1930218.0
+++ Python-3.6.15/Lib/test/capath/b1930218.0
@@ -1,26 +1,26 @@
 -----BEGIN CERTIFICATE-----
 MIIEbTCCAtWgAwIBAgIJAMstgJlaaVJbMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNV
@ -363,8 +369,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
 +Dp0K+qtbNfuIkXdMjYydqc/8q8LmWgV7fgRuOc+Tzmc7esuvtjbh+3FkRdSm8M7v
 +dQSZaZrliAoQAnSJ7HWERIBI38H36TfOzpKSXIkiCHMf
 -----END CERTIFICATE-----
--- a/Lib/test/capath/ceff1710.0
-+++ b/Lib/test/capath/ceff1710.0
+Index: Python-3.6.15/Lib/test/capath/ceff1710.0
+===================================================================
+--- Python-3.6.15.orig/Lib/test/capath/ceff1710.0
+++ Python-3.6.15/Lib/test/capath/ceff1710.0
@@ -1,26 +1,26 @@
 -----BEGIN CERTIFICATE-----
 MIIEbTCCAtWgAwIBAgIJAMstgJlaaVJbMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNV
@ -412,8 +420,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
 +Dp0K+qtbNfuIkXdMjYydqc/8q8LmWgV7fgRuOc+Tzmc7esuvtjbh+3FkRdSm8M7v
 +dQSZaZrliAoQAnSJ7HWERIBI38H36TfOzpKSXIkiCHMf
 -----END CERTIFICATE-----
--- a/Lib/test/keycert2.pem
-+++ b/Lib/test/keycert2.pem
+Index: Python-3.6.15/Lib/test/keycert2.pem
+===================================================================
+--- Python-3.6.15.orig/Lib/test/keycert2.pem
+++ Python-3.6.15/Lib/test/keycert2.pem
@@ -1,66 +1,66 @@
 -----BEGIN PRIVATE KEY-----
 -MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQDKjrjWZlfOs1Ch
@ -543,8 +553,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
 +GhIglMrgqJflTHAI/PvEsCKM1O0Un2dVGWsUCzPfhj1cKmagyb0Zd+2Tk9xGSRs9
 +2ceXMxRCjOJwEHUCFuTYeqowabdlpi0nyPbSn7JIwCpT
 -----END CERTIFICATE-----
--- a/Lib/test/keycert3.pem
-+++ b/Lib/test/keycert3.pem
+Index: Python-3.6.15/Lib/test/keycert3.pem
+===================================================================
+--- Python-3.6.15.orig/Lib/test/keycert3.pem
+++ Python-3.6.15/Lib/test/keycert3.pem
@@ -1,84 +1,84 @@
 -----BEGIN PRIVATE KEY-----
 -MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCfKC83Qe9/ZGMW
@ -812,8 +824,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
 +P7iAIQdqcRVtBetRs1mN1BVGfgKoEwEWmb0DzHBxKiMWeK/R1QGdBLRjk5oEOpIu
 +5n5zk6X+UJu9DupUhm985RR3/sIoWkoO1y2M6e1hKbJT/2wEvA==
 -----END CERTIFICATE-----
--- a/Lib/test/keycert4.pem
-+++ b/Lib/test/keycert4.pem
+Index: Python-3.6.15/Lib/test/keycert4.pem
+===================================================================
+--- Python-3.6.15.orig/Lib/test/keycert4.pem
+++ Python-3.6.15/Lib/test/keycert4.pem
@@ -1,84 +1,84 @@
 -----BEGIN PRIVATE KEY-----
 -MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQDGjpiHzq7ghxhM
@ -1081,8 +1095,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
 +Xi4szXouKq62dWpfoBqbtmctsKUcVLyMcH4VK8BQ4wO7pKX8RQHJP6e4GNw+CAeh
 +m/W9lb1J6BB8kX0txMKYtrdRadcKaEC1D4WgqWd3xmjLDlg0s1jnyHwJZw==
 -----END CERTIFICATE-----
--- a/Lib/test/make_ssl_certs.py
-+++ b/Lib/test/make_ssl_certs.py
+Index: Python-3.6.15/Lib/test/make_ssl_certs.py
+===================================================================
+--- Python-3.6.15.orig/Lib/test/make_ssl_certs.py
+++ Python-3.6.15/Lib/test/make_ssl_certs.py
@@ -7,6 +7,9 @@ import shutil
 import tempfile
 from subprocess import *
@ -1220,8 +1236,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
     unmake_ca()
     print("update Lib/test/test_ssl.py and Lib/test/test_asyncio/util.py")
     print_cert('keycert.pem')
+Index: Python-3.6.15/Lib/test/nosan.pem
+===================================================================
 --- /dev/null
-+++ b/Lib/test/nosan.pem
+++ Python-3.6.15/Lib/test/nosan.pem
@@ -0,0 +1,130 @@
 +-----BEGIN PRIVATE KEY-----
 +MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCv3sUoOE4F7Pye
@ -1353,8 +1371,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
 +qvWVb/bK1QaPG3mT44a6jf6oEI+VPhQJv8qIWeKTtuwDqX7dH18T0ymzpvNq3zBT
 +RMjN5YJXvJw=
 +-----END CERTIFICATE-----
--- a/Lib/test/pycacert.pem
-+++ b/Lib/test/pycacert.pem
+Index: Python-3.6.15/Lib/test/pycacert.pem
+===================================================================
+--- Python-3.6.15.orig/Lib/test/pycacert.pem
+++ Python-3.6.15/Lib/test/pycacert.pem
@@ -3,97 +3,97 @@ Certificate:
         Version: 3 (0x2)
         Serial Number:
@ -1526,8 +1546,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
 +Dp0K+qtbNfuIkXdMjYydqc/8q8LmWgV7fgRuOc+Tzmc7esuvtjbh+3FkRdSm8M7v
 +dQSZaZrliAoQAnSJ7HWERIBI38H36TfOzpKSXIkiCHMf
 -----END CERTIFICATE-----
--- a/Lib/test/pycakey.pem
-+++ b/Lib/test/pycakey.pem
+Index: Python-3.6.15/Lib/test/pycakey.pem
+===================================================================
+--- Python-3.6.15.orig/Lib/test/pycakey.pem
+++ Python-3.6.15/Lib/test/pycakey.pem
@@ -1,40 +1,40 @@
 -----BEGIN PRIVATE KEY-----
 -MIIG/AIBADANBgkqhkiG9w0BAQEFAASCBuYwggbiAgEAAoIBgQCX7VVBujYXldtx
@ -1607,8 +1629,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
 +6eTeMLcsIJ+Fp7gG0ve2EdQwhVSVMFEu4Q4C2FcJeU++L4kYpY7sTnAjUtiLvtHn
 +yp3jllEn3CBD8Uhs4B+sL/6p
 -----END PRIVATE KEY-----
--- a/Lib/test/revocation.crl
-+++ b/Lib/test/revocation.crl
+Index: Python-3.6.15/Lib/test/revocation.crl
+===================================================================
+--- Python-3.6.15.orig/Lib/test/revocation.crl
+++ Python-3.6.15/Lib/test/revocation.crl
@@ -1,14 +1,14 @@
 -----BEGIN X509 CRL-----
 MIICJjCBjwIBATANBgkqhkiG9w0BAQsFADBNMQswCQYDVQQGEwJYWTEmMCQGA1UE
@ -1634,8 +1658,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
 +BLJOSOSu2vVUH5GUIrpvK9FTySKYa+MGryoPasuqZNfwpaXK+ON2G6QsmcXPWZY0
 +Dry6t0w2geW6UYVGmb831i8ZP3JVVVwcwi0=
 -----END X509 CRL-----
--- a/Lib/test/test_asyncio/test_events.py
-+++ b/Lib/test/test_asyncio/test_events.py
+Index: Python-3.6.15/Lib/test/test_asyncio/test_events.py
+===================================================================
+--- Python-3.6.15.orig/Lib/test/test_asyncio/test_events.py
+++ Python-3.6.15/Lib/test/test_asyncio/test_events.py
@@ -72,7 +72,7 @@ PEERCERT = {
     'issuer': ((('countryName', 'XY'),),
             (('organizationName', 'Python Software Foundation CA'),),
@ -1654,8 +1680,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
     def check_terminated(self, returncode):
         if sys.platform == 'win32':
             self.assertIsInstance(returncode, int)
--- a/Lib/test/test_ssl.py
-+++ b/Lib/test/test_ssl.py
+Index: Python-3.6.15/Lib/test/test_ssl.py
+===================================================================
+--- Python-3.6.15.orig/Lib/test/test_ssl.py
+++ Python-3.6.15/Lib/test/test_ssl.py
@@ -75,6 +75,8 @@ SIGNED_CERTFILE2 = data_file("keycert4.p
 SIGNING_CA = data_file("capath", "ceff1710.0")
 # cert with all kinds of subject alt names
@ -1696,23 +1724,28 @@ Signed-off-by: Christian Heimes <christian@python.org>
         def test_wrong_cert(self):
             """Connecting when the server rejects the client's certificate
 
+Index: Python-3.6.15/Misc/NEWS.d/next/Library/2021-03-16-22-37-32.bpo-43522.dhNwOu.rst
+===================================================================
 --- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2021-03-16-22-37-32.bpo-43522.dhNwOu.rst
+++ Python-3.6.15/Misc/NEWS.d/next/Library/2021-03-16-22-37-32.bpo-43522.dhNwOu.rst
@@ -0,0 +1 @@
 +Fix problem with :attr:`~ssl.SSLContext.hostname_checks_common_name`. OpenSSL does not copy hostflags from *struct SSL_CTX* to *struct SSL*.
+Index: Python-3.6.15/Misc/NEWS.d/next/Library/2021-04-09-14-08-03.bpo-43789.eaHlAm.rst
+===================================================================
 --- /dev/null
-+++ b/Misc/NEWS.d/next/Library/2021-04-09-14-08-03.bpo-43789.eaHlAm.rst
+++ Python-3.6.15/Misc/NEWS.d/next/Library/2021-04-09-14-08-03.bpo-43789.eaHlAm.rst
@@ -0,0 +1,2 @@
 +OpenSSL 3.0.0: Don't call the password callback function a second time when
 +first call has signaled an error condition.
--- a/Modules/_ssl.c
-+++ b/Modules/_ssl.c
-@@ -690,6 +690,15 @@ newPySSLSocket(PySSLContext *sslctx, PyS
+Index: Python-3.6.15/Modules/_ssl.c
+===================================================================
+--- Python-3.6.15.orig/Modules/_ssl.c
+++ Python-3.6.15/Modules/_ssl.c
+@@ -690,6 +690,14 @@ newPySSLSocket(PySSLContext *sslctx, PyS
         _setSSLError(NULL, 0, __FILE__, __LINE__);
         return NULL;
     }
 +    /* bpo43522 and OpenSSL < 1.1.1l: copy hostflags manually */
-+     int OpenSSL_ver = OPENSSL_VERSION;
 +#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION < 0x101010cf
 +     X509_VERIFY_PARAM *ssl_verification_params = SSL_get0_param(self->ssl);
 +     X509_VERIFY_PARAM *ssl_ctx_verification_params = SSL_CTX_get0_param(ctx);
@ -1723,7 +1756,7 @@ Signed-off-by: Christian Heimes <christian@python.org>
     SSL_set_app_data(self->ssl, self);
     if (sock) {
         SSL_set_fd(self->ssl, Py_SAFE_DOWNCAST(sock->sock_fd, SOCKET_T, int));
-@@ -3411,6 +3420,13 @@ _password_callback(char *buf, int size,
+@@ -3411,6 +3419,13 @@ _password_callback(char *buf, int size,
 
     PySSL_END_ALLOW_THREADS_S(pw_info->thread_state);
 
@ -1737,7 +1770,7 @@ Signed-off-by: Christian Heimes <christian@python.org>
     if (pw_info->callable) {
         fn_ret = PyObject_CallFunctionObjArgs(pw_info->callable, NULL);
         if (!fn_ret) {
-@@ -5605,6 +5621,31 @@ PyInit__ssl(void)
+@@ -5605,6 +5620,31 @@ PyInit__ssl(void)
                             SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
 #endif
 
--- a/bpo43920-fix-load_verify_locations-errmsgs.patch
+++ b/bpo43920-fix-load_verify_locations-errmsgs.patch
@ -0,0 +1,100 @@
+From be6a5a3494dcf5c2f309acf959dd4d32ab846afb Mon Sep 17 00:00:00 2001
+From: Christian Heimes <christian@python.org>
+Date: Fri, 23 Apr 2021 11:56:31 +0200
+Subject: [PATCH] bpo-43920: Make load_verify_locations(cadata) error message
+ consistent
+
+Signed-off-by: Christian Heimes <christian@python.org>
+---
+ Lib/test/test_ssl.py                                              |   10 +++-
+ Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst |    2
+ Lib/test/test_ssl.py                                              |   10 ++-
+ Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst |    2
+ Lib/test/test_ssl.py                                              |   10 +++-
+ Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst |    2
+ Modules/_ssl.c                                                    |   25 ++++++----
+ 3 files changed, 27 insertions(+), 10 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst
+
+Index: Python-3.6.15/Lib/test/test_ssl.py
+===================================================================
+--- Python-3.6.15.orig/Lib/test/test_ssl.py
+++ Python-3.6.15/Lib/test/test_ssl.py
+@@ -1199,9 +1199,15 @@ class ContextTests(unittest.TestCase):
+         ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+         self.assertRaises(TypeError, ctx.load_verify_locations, cadata=object)
+
+-        with self.assertRaisesRegex(ssl.SSLError, "no start line"):
+        with self.assertRaisesRegex(
+            ssl.SSLError,
+            "no start line: cadata does not contain a certificate"
+        ):
+             ctx.load_verify_locations(cadata="broken")
+-        with self.assertRaisesRegex(ssl.SSLError, "not enough data"):
+        with self.assertRaisesRegex(
+            ssl.SSLError,
+            "not enough data: cadata does not contain a certificate"
+        ):
+             ctx.load_verify_locations(cadata=b"broken")
+
+
+Index: Python-3.6.15/Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst
+===================================================================
+--- /dev/null
+++ Python-3.6.15/Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst
+@@ -0,0 +1,2 @@
+OpenSSL 3.0.0: :meth:`~ssl.SSLContext.load_verify_locations` now returns a
+consistent error message when cadata contains no valid certificate.
+Index: Python-3.6.15/Modules/_ssl.c
+===================================================================
+--- Python-3.6.15.orig/Modules/_ssl.c
+++ Python-3.6.15/Modules/_ssl.c
+@@ -3579,7 +3579,7 @@ _add_ca_certs(PySSLContext *self, void *
+ {
+     BIO *biobuf = NULL;
+     X509_STORE *store;
+-    int retval = 0, err, loaded = 0;
+    int retval = -1, err, loaded = 0;
+
+     assert(filetype == SSL_FILETYPE_ASN1 || filetype == SSL_FILETYPE_PEM);
+
+@@ -3633,23 +3633,32 @@ _add_ca_certs(PySSLContext *self, void *
+     }
+
+     err = ERR_peek_last_error();
+-    if ((filetype == SSL_FILETYPE_ASN1) &&
+-            (loaded > 0) &&
+-            (ERR_GET_LIB(err) == ERR_LIB_ASN1) &&
+-            (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) {
+    if (loaded == 0) {
+        const char *msg = NULL;
+        if (filetype == SSL_FILETYPE_PEM) {
+            msg = "no start line: cadata does not contain a certificate";
+        } else {
+            msg = "not enough data: cadata does not contain a certificate";
+        }
+        _setSSLError(msg, 0, __FILE__, __LINE__);
+        retval = -1;
+    } else if ((filetype == SSL_FILETYPE_ASN1) &&
+                    (ERR_GET_LIB(err) == ERR_LIB_ASN1) &&
+                    (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) {
+         /* EOF ASN1 file, not an error */
+         ERR_clear_error();
+         retval = 0;
+     } else if ((filetype == SSL_FILETYPE_PEM) &&
+-                   (loaded > 0) &&
+                    (ERR_GET_LIB(err) == ERR_LIB_PEM) &&
+                    (ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
+         /* EOF PEM file, not an error */
+         ERR_clear_error();
+         retval = 0;
+-    } else {
+-        _setSSLError(NULL, 0, __FILE__, __LINE__);
+    } else if (err != 0) {
+         _setSSLError(NULL, 0, __FILE__, __LINE__);
+         retval = -1;
+    } else {
+        retval = 0;
+     }
+
+     BIO_free(biobuf);
--- a/python36.changes
+++ b/python36.changes
@ -19,6 +19,9 @@ Thu Jan 11 15:14:09 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
 - Add crash-PyCFuncPtr_new-ctypes.patch (from
  gh#python/cpython#89863 and bpo#27987).
 - Fix CVE-2020-10735-DoS-no-limit-int-size.patch corrupted by quilt
+- Add bpo43920-fix-load_verify_locations-errmsgs.patch (from
+  gh#python/cpython!25554) to make load_verify_locations(cadata)
+  error message consistent.

 -------------------------------------------------------------------
 Mon Sep 11 06:28:43 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
--- a/python36.spec
+++ b/python36.spec
@ -251,6 +251,9 @@ Patch61:        bpo4379-skipTLS10-11-OpenSSL3.patch
 # PATCH-FIX-UPSTREAM crash-PyCFuncPtr_new-ctypes.patch gh#python/cpython#89863 mcepl@suse.com
 # fix SEGV in PyCFuncPtr_new in ctypes (fix from bpo#27987)
 Patch62:        crash-PyCFuncPtr_new-ctypes.patch
+# PATCH-FIX-UPSTREAM bpo43920-fix-load_verify_locations-errmsgs.patch bsc#1217782 mcepl@suse.com
+# Make load_verify_locations(cadata) error message consistent (from gh#python/cpython!25554)
+Patch63:        bpo43920-fix-load_verify_locations-errmsgs.patch
 BuildRequires:  automake
 BuildRequires:  fdupes
 BuildRequires:  gmp-devel
@ -552,6 +555,7 @@ other applications.
 %patch -P 60 -p1
 %patch -P 61 -p1
 %patch -P 62 -p1
+%patch -P 63 -p1

 # drop Autoconf version requirement
 sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac