[Python-checkins] gh-100372: Use BIO_eof to detect EOF for SSL_FILETYPE_ASN1 (GH-100373)
miss-islington
webhook-mailer at python.org
Fri Mar 24 09:04:39 EDT 2023
https://github.com/python/cpython/commit/acfe02f3b05436658d92add6b168538b30f357f0
commit: acfe02f3b05436658d92add6b168538b30f357f0
branch: main
author: David Benjamin <davidben at google.com>
committer: miss-islington <31488909+miss-islington at users.noreply.github.com>
date: 2023-03-24T06:04:30-07:00
summary:
gh-100372: Use BIO_eof to detect EOF for SSL_FILETYPE_ASN1 (GH-100373)
In PEM, we need to parse until error and then suppress `PEM_R_NO_START_LINE`, because PEM allows arbitrary leading and trailing data. DER, however, does not. Parsing until error and suppressing `ASN1_R_HEADER_TOO_LONG` doesn't quite work because that error also covers some cases that should be rejected.
Instead, check `BIO_eof` early and stop the loop that way.
Automerge-Triggered-By: GH:Yhg1s
files:
A Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst
M Lib/test/test_ssl.py
M Modules/_ssl.c
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 1317efb33c23..abf024fb89d2 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -1289,6 +1289,8 @@ def test_load_verify_cadata(self):
"not enough data: cadata does not contain a certificate"
):
ctx.load_verify_locations(cadata=b"broken")
+ with self.assertRaises(ssl.SSLError):
+ ctx.load_verify_locations(cadata=cacert_der + b"A")
@unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
def test_load_dh_params(self):
diff --git a/Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst b/Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst
new file mode 100644
index 000000000000..ec37aff5092c
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst
@@ -0,0 +1,2 @@
+:meth:`ssl.SSLContext.load_verify_locations` no longer incorrectly accepts
+some cases of trailing data when parsing DER.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 36b66cdb5310..3fbb37332f67 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -3930,7 +3930,7 @@ _add_ca_certs(PySSLContext *self, const void *data, Py_ssize_t len,
{
BIO *biobuf = NULL;
X509_STORE *store;
- int retval = -1, err, loaded = 0;
+ int retval = -1, err, loaded = 0, was_bio_eof = 0;
assert(filetype == SSL_FILETYPE_ASN1 || filetype == SSL_FILETYPE_PEM);
@@ -3958,6 +3958,10 @@ _add_ca_certs(PySSLContext *self, const void *data, Py_ssize_t len,
int r;
if (filetype == SSL_FILETYPE_ASN1) {
+ if (BIO_eof(biobuf)) {
+ was_bio_eof = 1;
+ break;
+ }
cert = d2i_X509_bio(biobuf, NULL);
} else {
cert = PEM_read_bio_X509(biobuf, NULL,
@@ -3993,9 +3997,7 @@ _add_ca_certs(PySSLContext *self, const void *data, Py_ssize_t len,
}
_setSSLError(get_state_ctx(self), msg, 0, __FILE__, __LINE__);
retval = -1;
- } else if ((filetype == SSL_FILETYPE_ASN1) &&
- (ERR_GET_LIB(err) == ERR_LIB_ASN1) &&
- (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) {
+ } else if ((filetype == SSL_FILETYPE_ASN1) && was_bio_eof) {
/* EOF ASN1 file, not an error */
ERR_clear_error();
retval = 0;
More information about the Python-checkins
mailing list