[Python-checkins] [3.9] bpo-43920: Make load_verify_locations(cadata) error message consistent (GH-25554) (GH-25555)
tiran
webhook-mailer at python.org
Fri Apr 23 08:23:41 EDT 2021
https://github.com/python/cpython/commit/e259a77f21bdfc7d4195913b379cbd6daee45d0d
commit: e259a77f21bdfc7d4195913b379cbd6daee45d0d
branch: 3.9
author: Christian Heimes <christian at python.org>
committer: tiran <christian at python.org>
date: 2021-04-23T14:23:35+02:00
summary:
[3.9] bpo-43920: Make load_verify_locations(cadata) error message consistent (GH-25554) (GH-25555)
Signed-off-by: Christian Heimes <christian at python.org>.
(cherry picked from commit b9ad88be0304136c3fe5959c65a5d2c75490cd80)
Co-authored-by: Christian Heimes <christian at python.org>
files:
A Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst
M Lib/test/test_ssl.py
M Modules/_ssl.c
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 15d6520229c925..c69f0d8bffc0a3 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -1478,12 +1478,17 @@ def test_load_verify_cadata(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
self.assertRaises(TypeError, ctx.load_verify_locations, cadata=object)
- with self.assertRaisesRegex(ssl.SSLError, "no start line"):
+ with self.assertRaisesRegex(
+ ssl.SSLError,
+ "no start line: cadata does not contain a certificate"
+ ):
ctx.load_verify_locations(cadata="broken")
- with self.assertRaisesRegex(ssl.SSLError, "not enough data"):
+ with self.assertRaisesRegex(
+ ssl.SSLError,
+ "not enough data: cadata does not contain a certificate"
+ ):
ctx.load_verify_locations(cadata=b"broken")
-
@unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
def test_load_dh_params(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
diff --git a/Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst b/Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst
new file mode 100644
index 00000000000000..28ff0fb3afa9d3
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst
@@ -0,0 +1,2 @@
+OpenSSL 3.0.0: :meth:`~ssl.SSLContext.load_verify_locations` now returns a
+consistent error message when cadata contains no valid certificate.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 3f145900325c82..97e314b21fd1a5 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -4095,7 +4095,7 @@ _add_ca_certs(PySSLContext *self, const void *data, Py_ssize_t len,
{
BIO *biobuf = NULL;
X509_STORE *store;
- int retval = 0, err, loaded = 0;
+ int retval = -1, err, loaded = 0;
assert(filetype == SSL_FILETYPE_ASN1 || filetype == SSL_FILETYPE_PEM);
@@ -4149,23 +4149,32 @@ _add_ca_certs(PySSLContext *self, const void *data, Py_ssize_t len,
}
err = ERR_peek_last_error();
- if ((filetype == SSL_FILETYPE_ASN1) &&
- (loaded > 0) &&
- (ERR_GET_LIB(err) == ERR_LIB_ASN1) &&
- (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) {
+ if (loaded == 0) {
+ const char *msg = NULL;
+ if (filetype == SSL_FILETYPE_PEM) {
+ msg = "no start line: cadata does not contain a certificate";
+ } else {
+ msg = "not enough data: cadata does not contain a certificate";
+ }
+ _setSSLError(msg, 0, __FILE__, __LINE__);
+ retval = -1;
+ } else if ((filetype == SSL_FILETYPE_ASN1) &&
+ (ERR_GET_LIB(err) == ERR_LIB_ASN1) &&
+ (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) {
/* EOF ASN1 file, not an error */
ERR_clear_error();
retval = 0;
} else if ((filetype == SSL_FILETYPE_PEM) &&
- (loaded > 0) &&
(ERR_GET_LIB(err) == ERR_LIB_PEM) &&
(ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
/* EOF PEM file, not an error */
ERR_clear_error();
retval = 0;
- } else {
+ } else if (err != 0) {
_setSSLError(NULL, 0, __FILE__, __LINE__);
retval = -1;
+ } else {
+ retval = 0;
}
BIO_free(biobuf);
More information about the Python-checkins
mailing list