diff options
| author | Christian Heimes <christian@python.org> | 2021-04-23 14:37:09 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-04-23 14:37:09 (GMT) |
| commit | 82b6c0909aae423d9c8f4ff7d0e8df16106dbe28 (patch) | |
| tree | c88f60ec30477620ec70b1802fa888c22c277005 | |
| parent | faad2bd87f9e1c24837dd772f0597f4ab9416c66 (diff) | |
| download | cpython-82b6c0909aae423d9c8f4ff7d0e8df16106dbe28.zip cpython-82b6c0909aae423d9c8f4ff7d0e8df16106dbe28.tar.gz cpython-82b6c0909aae423d9c8f4ff7d0e8df16106dbe28.tar.bz2 | |
[3.8] bpo-43920: Make load_verify_locations(cadata) error message consistent (GH-25554) (GH-25556)
Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit b9ad88be0304136c3fe5959c65a5d2c75490cd80)
Co-authored-by: Christian Heimes <christian@python.org>
| -rw-r--r-- | Lib/test/test_ssl.py | 11 | ||||
| -rw-r--r-- | Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst | 2 | ||||
| -rw-r--r-- | Modules/_ssl.c | 23 |
3 files changed, 26 insertions, 10 deletions
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 4ed1b3c..1fa0241 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -1475,12 +1475,17 @@ class ContextTests(unittest.TestCase): ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) self.assertRaises(TypeError, ctx.load_verify_locations, cadata=object) - with self.assertRaisesRegex(ssl.SSLError, "no start line"): + with self.assertRaisesRegex( + ssl.SSLError, + "no start line: cadata does not contain a certificate" + ): ctx.load_verify_locations(cadata="broken") - with self.assertRaisesRegex(ssl.SSLError, "not enough data"): + with self.assertRaisesRegex( + ssl.SSLError, + "not enough data: cadata does not contain a certificate" + ): ctx.load_verify_locations(cadata=b"broken") - def test_load_dh_params(self): ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) ctx.load_dh_params(DHFILE) diff --git a/Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst b/Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst new file mode 100644 index 0000000..28ff0fb --- /dev/null +++ b/Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst @@ -0,0 +1,2 @@ +OpenSSL 3.0.0: :meth:`~ssl.SSLContext.load_verify_locations` now returns a +consistent error message when cadata contains no valid certificate. diff --git a/Modules/_ssl.c b/Modules/_ssl.c index d275f22..d6a2fb8 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -4097,7 +4097,7 @@ _add_ca_certs(PySSLContext *self, void *data, Py_ssize_t len, { BIO *biobuf = NULL; X509_STORE *store; - int retval = 0, err, loaded = 0; + int retval = -1, err, loaded = 0; assert(filetype == SSL_FILETYPE_ASN1 || filetype == SSL_FILETYPE_PEM); @@ -4151,23 +4151,32 @@ _add_ca_certs(PySSLContext *self, void *data, Py_ssize_t len, } err = ERR_peek_last_error(); - if ((filetype == SSL_FILETYPE_ASN1) && - (loaded > 0) && - (ERR_GET_LIB(err) == ERR_LIB_ASN1) && - (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) { + if (loaded == 0) { + const char *msg = NULL; + if (filetype == SSL_FILETYPE_PEM) { + msg = "no start line: cadata does not contain a certificate"; + } else { + msg = "not enough data: cadata does not contain a certificate"; + } + _setSSLError(msg, 0, __FILE__, __LINE__); + retval = -1; + } else if ((filetype == SSL_FILETYPE_ASN1) && + (ERR_GET_LIB(err) == ERR_LIB_ASN1) && + (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) { /* EOF ASN1 file, not an error */ ERR_clear_error(); retval = 0; } else if ((filetype == SSL_FILETYPE_PEM) && - (loaded > 0) && (ERR_GET_LIB(err) == ERR_LIB_PEM) && (ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) { /* EOF PEM file, not an error */ ERR_clear_error(); retval = 0; - } else { + } else if (err != 0) { _setSSLError(NULL, 0, __FILE__, __LINE__); retval = -1; + } else { + retval = 0; } BIO_free(biobuf); |