git.ipfire.org Git - thirdparty/Python/cpython.git/commit
gh-114572: Fix locking in cert_store_stats and get_ca_certs (#114573)
author David Benjamin <davidben@google.com>
Fri, 16 Feb 2024 00:24:51 +0000 (19:24 -0500)
committer GitHub <noreply@github.com>
Fri, 16 Feb 2024 00:24:51 +0000 (19:24 -0500)
commit bce693111bff906ccf9281c22371331aaff766ab
tree adb32926f0d0560e5126a9950a3905ac15ec2646
parent 58cb634632cd4d27e1348320665bcfa010e9cbb2

* gh-114572: Fix locking in cert_store_stats and get_ca_certs

cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with
X509_STORE_get0_objects, but reading the result requires a lock. See
https://github.com/openssl/openssl/pull/23224 for details.

Instead, use X509_STORE_get1_objects, newly added in that PR.
X509_STORE_get1_objects does not exist in current OpenSSLs, but we can
polyfill it with X509_STORE_lock and X509_STORE_unlock.

* Work around const-correctness problem

* Add missing X509_STORE_get1_objects failure check

* Add blurb
Misc/NEWS.d/next/Security/2024-01-26-22-14-09.gh-issue-114572.t1QMQD.rst [new file with mode: 0644]
Modules/_ssl.c
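
The locking pattern the commit message describes, as an added example that is not the commit's code and does not call OpenSSL. `toy_store`, `toy_obj` and the `toy_*` functions are hypothetical stand-ins for `X509_STORE`, `X509_OBJECT` and the get0/get1 accessors, with a pthread mutex in the role of `X509_STORE_lock`/`X509_STORE_unlock`.

```c
#include <pthread.h>
#include <stdlib.h>

/* Hypothetical stand-ins for X509_OBJECT / X509_STORE; not OpenSSL types. */
typedef struct { int refs; int id; } toy_obj;
typedef struct { pthread_mutex_t lock; toy_obj **objs; size_t n; } toy_store;

/* get0 style: borrowed pointer to the internal array. A concurrent
 * toy_store_add() may realloc it, so it is only safe under the lock. */
toy_obj **toy_store_get0(toy_store *s) { return s->objs; }

/* Writer: grows the internal array under the store lock. */
int toy_store_add(toy_store *s, int id) {
    int ok = 0;
    pthread_mutex_lock(&s->lock);
    toy_obj **grown = realloc(s->objs, (s->n + 1) * sizeof *grown);
    toy_obj *o = grown ? malloc(sizeof *o) : NULL;
    if (grown) s->objs = grown;
    if (o) { o->refs = 1; o->id = id; s->objs[s->n++] = o; ok = 1; }
    pthread_mutex_unlock(&s->lock);
    return ok;
}

/* get1 style: lock, copy the array, take a reference on every element,
 * unlock. Returns NULL on allocation failure; the caller must check. */
toy_obj **toy_store_get1(toy_store *s, size_t *count) {
    pthread_mutex_lock(&s->lock);
    toy_obj **snap = malloc((s->n ? s->n : 1) * sizeof *snap);
    for (size_t i = 0; snap && i < s->n; i++) {
        snap[i] = s->objs[i];
        snap[i]->refs++;
    }
    if (snap) *count = s->n;
    pthread_mutex_unlock(&s->lock);
    return snap;
}

/* Drop the references held by a snapshot, then free the snapshot itself. */
void toy_snapshot_free(toy_store *s, toy_obj **snap, size_t count) {
    pthread_mutex_lock(&s->lock);
    for (size_t i = 0; i < count; i++)
        if (--snap[i]->refs == 0) free(snap[i]);
    pthread_mutex_unlock(&s->lock);
    free(snap);
}
```

A snapshot from `toy_store_get1` stays valid while other threads keep adding to the store, which is the property the get0-style accessor cannot give without the caller holding the lock for the whole read.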