]> git.ipfire.org Git - thirdparty/Python/cpython.git/commit
projects / thirdparty / Python / cpython.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d4a1c8e) | patch
[3.12] gh-114572: Fix locking in cert_store_stats and get_ca_certs (GH-114573) (GH...
authorMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Thu, 29 Feb 2024 07:53:56 +0000 (08:53 +0100)
committerGitHub <noreply@github.com>
Thu, 29 Feb 2024 07:53:56 +0000 (08:53 +0100)
commit542f3272f56f31ed04e74c40635a913fbc12d286
treed258c1cdcc0a52d8c5586d422463f52aaff62e85tree
parentd4a1c8e62817bff5cb8b86b5b387c36bcafa81dacommit | diff
[3.12] gh-114572: Fix locking in cert_store_stats and get_ca_certs (GH-114573) (GH-115547)

gh-114572: Fix locking in cert_store_stats and get_ca_certs (GH-114573)

* gh-114572: Fix locking in cert_store_stats and get_ca_certs

cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with
X509_STORE_get0_objects, but reading the result requires a lock. See
https://github.com/openssl/openssl/pull/23224 for details.

Instead, use X509_STORE_get1_objects, newly added in that PR.
X509_STORE_get1_objects does not exist in current OpenSSLs, but we can
polyfill it with X509_STORE_lock and X509_STORE_unlock.

* Work around const-correctness problem

* Add missing X509_STORE_get1_objects failure check

* Add blurb
(cherry picked from commit bce693111bff906ccf9281c22371331aaff766ab)

Co-authored-by: David Benjamin <davidben@google.com>
Misc/NEWS.d/next/Security/2024-01-26-22-14-09.gh-issue-114572.t1QMQD.rst [new file with mode: 0644] blob
Modules/_ssl.c diff | blob | blame | history
Mirror of https://github.com/python/cpython.git