osc_pkgs/python36
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
OpenSSL32
python36/bpo43920-fix-load_verify_locations-errmsgs.patch
Matěj Cepl 75bc4cb3a1
Add bpo43920-fix-load_verify_locations-errmsgs.patch 
(from gh#python/cpython!25554)

Making load_verify_locations(cadata) error message consistent.
2024-01-24 13:41:26 +01:00

101 lines
4.1 KiB
Diff
Raw Permalink Blame History

From be6a5a3494dcf5c2f309acf959dd4d32ab846afb Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Fri, 23 Apr 2021 11:56:31 +0200
Subject: [PATCH] bpo-43920: Make load_verify_locations(cadata) error message
consistent
Signed-off-by: Christian Heimes <christian@python.org>
---
Lib/test/test_ssl.py | 10 +++-
Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst | 2
Lib/test/test_ssl.py | 10 ++-
Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst | 2
Lib/test/test_ssl.py | 10 +++-
Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst | 2
Modules/_ssl.c | 25 ++++++----
3 files changed, 27 insertions(+), 10 deletions(-)
create mode 100644 Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst
Index: Python-3.6.15/Lib/test/test_ssl.py
===================================================================
--- Python-3.6.15.orig/Lib/test/test_ssl.py
+++ Python-3.6.15/Lib/test/test_ssl.py
@@ -1199,9 +1199,15 @@ class ContextTests(unittest.TestCase):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
self.assertRaises(TypeError, ctx.load_verify_locations, cadata=object)
- with self.assertRaisesRegex(ssl.SSLError, "no start line"):
+ with self.assertRaisesRegex(
+ ssl.SSLError,
+ "no start line: cadata does not contain a certificate"
+ ):
ctx.load_verify_locations(cadata="broken")
- with self.assertRaisesRegex(ssl.SSLError, "not enough data"):
+ with self.assertRaisesRegex(
+ ssl.SSLError,
+ "not enough data: cadata does not contain a certificate"
+ ):
ctx.load_verify_locations(cadata=b"broken")
Index: Python-3.6.15/Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst
===================================================================
--- /dev/null
+++ Python-3.6.15/Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst
@@ -0,0 +1,2 @@
+OpenSSL 3.0.0: :meth:`~ssl.SSLContext.load_verify_locations` now returns a
+consistent error message when cadata contains no valid certificate.
Index: Python-3.6.15/Modules/_ssl.c
===================================================================
--- Python-3.6.15.orig/Modules/_ssl.c
+++ Python-3.6.15/Modules/_ssl.c
@@ -3579,7 +3579,7 @@ _add_ca_certs(PySSLContext *self, void *
{
BIO *biobuf = NULL;
X509_STORE *store;
- int retval = 0, err, loaded = 0;
+ int retval = -1, err, loaded = 0;
assert(filetype == SSL_FILETYPE_ASN1 || filetype == SSL_FILETYPE_PEM);
@@ -3633,23 +3633,32 @@ _add_ca_certs(PySSLContext *self, void *
}
err = ERR_peek_last_error();
- if ((filetype == SSL_FILETYPE_ASN1) &&
- (loaded > 0) &&
- (ERR_GET_LIB(err) == ERR_LIB_ASN1) &&
- (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) {
+ if (loaded == 0) {
+ const char *msg = NULL;
+ if (filetype == SSL_FILETYPE_PEM) {
+ msg = "no start line: cadata does not contain a certificate";
+ } else {
+ msg = "not enough data: cadata does not contain a certificate";
+ }
+ _setSSLError(msg, 0, __FILE__, __LINE__);
+ retval = -1;
+ } else if ((filetype == SSL_FILETYPE_ASN1) &&
+ (ERR_GET_LIB(err) == ERR_LIB_ASN1) &&
+ (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) {
/* EOF ASN1 file, not an error */
ERR_clear_error();
retval = 0;
} else if ((filetype == SSL_FILETYPE_PEM) &&
- (loaded > 0) &&
(ERR_GET_LIB(err) == ERR_LIB_PEM) &&
(ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
/* EOF PEM file, not an error */
ERR_clear_error();
retval = 0;
- } else {
- _setSSLError(NULL, 0, __FILE__, __LINE__);
+ } else if (err != 0) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
retval = -1;
+ } else {
+ retval = 0;
}
BIO_free(biobuf);
Reference in New Issue View Git Blame Copy Permalink