[3.12] gh-114572: Fix locking in cert_store_stats and get_ca_certs (GH-114573)#115547
Merged
encukou merged 1 commit intopython:3.12from Feb 29, 2024
Merged
[3.12] gh-114572: Fix locking in cert_store_stats and get_ca_certs (GH-114573)#115547encukou merged 1 commit intopython:3.12from
encukou merged 1 commit intopython:3.12from
Conversation
…thonGH-114573) * pythongh-114572: Fix locking in cert_store_stats and get_ca_certs cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with X509_STORE_get0_objects, but reading the result requires a lock. See openssl/openssl#23224 for details. Instead, use X509_STORE_get1_objects, newly added in that PR. X509_STORE_get1_objects does not exist in current OpenSSLs, but we can polyfill it with X509_STORE_lock and X509_STORE_unlock. * Work around const-correctness problem * Add missing X509_STORE_get1_objects failure check * Add blurb (cherry picked from commit bce6931) Co-authored-by: David Benjamin <davidben@google.com>
This was referenced Feb 16, 2024
encukou
approved these changes
Feb 29, 2024
Member
encukou
left a comment
encukou
left a comment
There was a problem hiding this comment.
I'm not an OpenSSL expert by far, but the change looks good to me*, and it's the same patch as in the other branches.
(*were this not a backport, I'd ask about using feature detection rather than OPENSSL_VERSION_NUMBER, but this is not the place for that)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with
X509_STORE_get0_objects, but reading the result requires a lock. See
openssl/openssl#23224 for details.
Instead, use X509_STORE_get1_objects, newly added in that PR.
X509_STORE_get1_objects does not exist in current OpenSSLs, but we can
polyfill it with X509_STORE_lock and X509_STORE_unlock.
Work around const-correctness problem
Add missing X509_STORE_get1_objects failure check
Add blurb
(cherry picked from commit bce6931)
Co-authored-by: David Benjamin davidben@google.com