]> git.ipfire.org Git - thirdparty/Python/cpython.git/commit
projects / thirdparty / Python / cpython.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d0524ca) | patch
[3.10] gh-114572: Fix locking in cert_store_stats and get_ca_certs (GH-114573) (...
authorMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Tue, 20 Feb 2024 16:35:27 +0000 (17:35 +0100)
committerGitHub <noreply@github.com>
Tue, 20 Feb 2024 16:35:27 +0000 (16:35 +0000)
commit37324b421b72b7bc9934e27aba85d48d4773002e
treebd84f002d2c8131f07bca53a687a2deb907c58c0tree | snapshot
parentd0524caed0f3b77f271640460d0dff1a4c784087commit | diff
[3.10] gh-114572: Fix locking in cert_store_stats and get_ca_certs (GH-114573) (#115548)

gh-114572: Fix locking in cert_store_stats and get_ca_certs (GH-114573)

* gh-114572: Fix locking in cert_store_stats and get_ca_certs

cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with
X509_STORE_get0_objects, but reading the result requires a lock. See
https://github.com/openssl/openssl/pull/23224 for details.

Instead, use X509_STORE_get1_objects, newly added in that PR.
X509_STORE_get1_objects does not exist in current OpenSSLs, but we can
polyfill it with X509_STORE_lock and X509_STORE_unlock.

* Work around const-correctness problem

* Add missing X509_STORE_get1_objects failure check

* Add blurb
(cherry picked from commit bce693111bff906ccf9281c22371331aaff766ab)

Co-authored-by: David Benjamin <davidben@google.com>
Misc/NEWS.d/next/Security/2024-01-26-22-14-09.gh-issue-114572.t1QMQD.rst [new file with mode: 0644] blob
Modules/_ssl.c diff | blob | blame | history
Mirror of https://github.com/python/cpython.git