git.ipfire.org Git - thirdparty/Python/cpython.git/commit
[3.11] gh-114572: Fix locking in cert_store_stats and get_ca_certs (GH-114573) (...
author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Tue, 20 Feb 2024 16:34:44 +0000 (17:34 +0100)
committer: GitHub <noreply@github.com>
Tue, 20 Feb 2024 16:34:44 +0000 (16:34 +0000)
commit: 01c37f1d0714f5822d34063ca7180b595abf589d
tree: f8dce5a0982ab60525fec81bdabae808f0a3fceb
parent: 5a0d51b6291f55652e0ac577988fbb5f28279e04
[3.11] gh-114572: Fix locking in cert_store_stats and get_ca_certs (GH-114573) (#115549)

gh-114572: Fix locking in cert_store_stats and get_ca_certs (GH-114573)

* gh-114572: Fix locking in cert_store_stats and get_ca_certs

cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with
X509_STORE_get0_objects, but reading the result requires a lock. See
https://github.com/openssl/openssl/pull/23224 for details.

Instead, use X509_STORE_get1_objects, newly added in that PR.
X509_STORE_get1_objects does not exist in current OpenSSLs, but we can
polyfill it with X509_STORE_lock and X509_STORE_unlock.

* Work around const-correctness problem

* Add missing X509_STORE_get1_objects failure check

* Add blurb
(cherry picked from commit bce693111bff906ccf9281c22371331aaff766ab)

Co-authored-by: David Benjamin <davidben@google.com>
Misc/NEWS.d/next/Security/2024-01-26-22-14-09.gh-issue-114572.t1QMQD.rst [new file with mode: 0644]
Modules/_ssl.c