osc_pkgs/python36
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
OpenSSL32
python36/gh100372-SSLContext_load_verify_locations-trailing-data.patch
Matěj Cepl 04e45231c3
Add gh100372-SSLContext_load_verify_locations-trailing-data.patch 
(from gh#python/cpython!100373/files)

Stopping SSLContext.load_verify_locations from accepting some
cases of trailing data in DER.
2024-01-24 13:42:04 +01:00

75 lines
3.2 KiB
Diff
Raw Permalink Blame History

From 863a0a7badf3919c4a710df67e98dbf5db0a2690 Mon Sep 17 00:00:00 2001
From: David Benjamin <davidben@google.com>
Date: Tue, 20 Dec 2022 10:36:19 -0500
Subject: [PATCH] gh-100372: Use BIO_eof to detect EOF for SSL_FILETYPE_ASN1
In PEM, we need to parse until error and then suppress
PEM_R_NO_START_LINE, because PEM allows arbitrary leading and trailing
data. DER, however, does not. Parsing until error and suppressing
ASN1_R_HEADER_TOO_LONG doesn't quite work because that error also
covers some cases that should be rejected.
Instead, check BIO_eof early and stop the loop that way.
---
Lib/test/test_ssl.py | 2 ++
Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst | 2 ++
Modules/_ssl.c | 10 ++++++----
3 files changed, 10 insertions(+), 4 deletions(-)
create mode 100644 Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst
Index: Python-3.6.15/Lib/test/test_ssl.py
===================================================================
--- Python-3.6.15.orig/Lib/test/test_ssl.py
+++ Python-3.6.15/Lib/test/test_ssl.py
@@ -1209,6 +1209,8 @@ class ContextTests(unittest.TestCase):
"not enough data: cadata does not contain a certificate"
):
ctx.load_verify_locations(cadata=b"broken")
+ with self.assertRaises(ssl.SSLError):
+ ctx.load_verify_locations(cadata=cacert_der + b"A")
def test_load_dh_params(self):
Index: Python-3.6.15/Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst
===================================================================
--- /dev/null
+++ Python-3.6.15/Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst
@@ -0,0 +1,2 @@
+:meth:`ssl.SSLContext.load_verify_locations` no longer incorrectly accepts
+some cases of trailing data when parsing DER.
Index: Python-3.6.15/Modules/_ssl.c
===================================================================
--- Python-3.6.15.orig/Modules/_ssl.c
+++ Python-3.6.15/Modules/_ssl.c
@@ -3579,7 +3579,7 @@ _add_ca_certs(PySSLContext *self, void *
{
BIO *biobuf = NULL;
X509_STORE *store;
- int retval = -1, err, loaded = 0;
+ int retval = -1, err, loaded = 0, was_bio_eof = 0;
assert(filetype == SSL_FILETYPE_ASN1 || filetype == SSL_FILETYPE_PEM);
@@ -3607,6 +3607,10 @@ _add_ca_certs(PySSLContext *self, void *
int r;
if (filetype == SSL_FILETYPE_ASN1) {
+ if (BIO_eof(biobuf)) {
+ was_bio_eof = 1;
+ break;
+ }
cert = d2i_X509_bio(biobuf, NULL);
} else {
cert = PEM_read_bio_X509(biobuf, NULL,
@@ -3642,9 +3646,7 @@ _add_ca_certs(PySSLContext *self, void *
}
_setSSLError(msg, 0, __FILE__, __LINE__);
retval = -1;
- } else if ((filetype == SSL_FILETYPE_ASN1) &&
- (ERR_GET_LIB(err) == ERR_LIB_ASN1) &&
- (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) {
+ } else if ((filetype == SSL_FILETYPE_ASN1) && was_bio_eof) {
/* EOF ASN1 file, not an error */
ERR_clear_error();
retval = 0;
Reference in New Issue View Git Blame Copy Permalink