Skip to content

[3.12] gh-114572: Fix locking in cert_store_stats and get_ca_certs (GH-114573) #115547

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 29, 2024
Merged

[3.12] gh-114572: Fix locking in cert_store_stats and get_ca_certs (GH-114573) #115547

merged 1 commit into from
Feb 29, 2024
+64 −5

Conversation

@miss-islington
Copy link
Contributor

@miss-islington miss-islington commented Feb 16, 2024

cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with
X509_STORE_get0_objects, but reading the result requires a lock. See
openssl/openssl#23224 for details.

Instead, use X509_STORE_get1_objects, newly added in that PR.
X509_STORE_get1_objects does not exist in current OpenSSLs, but we can
polyfill it with X509_STORE_lock and X509_STORE_unlock.

  • Work around const-correctness problem

  • Add missing X509_STORE_get1_objects failure check

  • Add blurb
    (cherry picked from commit bce6931)

Co-authored-by: David Benjamin davidben@google.com

@davidben @miss-islington
pythongh-114572: Fix locking in cert_store_stats and get_ca_certs (py…
5ecee31 
…thonGH-114573)

* pythongh-114572: Fix locking in cert_store_stats and get_ca_certs

cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with
X509_STORE_get0_objects, but reading the result requires a lock. See
openssl/openssl#23224 for details.

Instead, use X509_STORE_get1_objects, newly added in that PR.
X509_STORE_get1_objects does not exist in current OpenSSLs, but we can
polyfill it with X509_STORE_lock and X509_STORE_unlock.

* Work around const-correctness problem

* Add missing X509_STORE_get1_objects failure check

* Add blurb
(cherry picked from commit bce6931)

Co-authored-by: David Benjamin <davidben@google.com>
This was referenced Feb 16, 2024
Merged
Closed
@sethmlarson sethmlarson requested a review from Yhg1s February 20, 2024 14:32
encukou
encukou approved these changes Feb 29, 2024
View reviewed changes
Copy link
Member

@encukou encukou left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not an OpenSSL expert by far, but the change looks good to me*, and it's the same patch as in the other branches.
(*were this not a backport, I'd ask about using feature detection rather than OPENSSL_VERSION_NUMBER, but this is not the place for that)

@encukou encukou merged commit 542f327 into python:3.12 Feb 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@encukou encukou encukou approved these changes

@Yhg1s Yhg1s Awaiting requested review from Yhg1s

Assignees

No one assigned

Labels

release-blocker type-security A security issue

Projects

Release and Deferred blockers 🚫
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@miss-islington @encukou @sethmlarson @davidben