From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Date: Fri, 9 Apr 2021 13:46:11 +0000 (-0700)
Subject: bpo-43789: OpenSSL 3.0.0 Don't call passwd callback again in error case (GH-25303)
X-Git-Tag: v3.9.5~92
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a188bd44ac3c54dc3bf927f1b10464ab80f37549;p=thirdparty%2FPython%2Fcpython.git

bpo-43789: OpenSSL 3.0.0 Don't call passwd callback again in error case (GH-25303)

(cherry picked from commit d3b73f32ef7c693a6ae8c54eb0e62df3b5315caf)

Co-authored-by: Christian Heimes <christian@python.org>
---

diff --git a/Misc/NEWS.d/next/Library/2021-04-09-14-08-03.bpo-43789.eaHlAm.rst b/Misc/NEWS.d/next/Library/2021-04-09-14-08-03.bpo-43789.eaHlAm.rst
new file mode 100644
index 000000000000..1c0852946214
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2021-04-09-14-08-03.bpo-43789.eaHlAm.rst
@@ -0,0 +1,2 @@
+OpenSSL 3.0.0: Don't call the password callback function a second time when
+first call has signaled an error condition.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index aab571399758..3fbb3630886a 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -3931,6 +3931,13 @@ _password_callback(char *buf, int size, int rwflag, void *userdata)
 
     PySSL_END_ALLOW_THREADS_S(pw_info->thread_state);
 
+    if (pw_info->error) {
+        /* already failed previously. OpenSSL 3.0.0-alpha14 invokes the
+         * callback multiple times which can lead to fatal Python error in
+         * exception check. */
+        goto error;
+    }
+
     if (pw_info->callable) {
         fn_ret = _PyObject_CallNoArg(pw_info->callable);
         if (!fn_ret) {