authorChristian Heimes <christian@python.org>2016-09-06 21:25:35 (GMT)
committerChristian Heimes <christian@python.org>2016-09-06 21:25:35 (GMT)
commit1c03abd0262f658fc420d3bef6118e49044b9d8b (patch)
treec6abd1260aec6e3b6e02054455fc5f2138724ee8 /Modules/_ssl.c
parent03d13c0cbfe912eb0f9b9a02987b9e569f25fe19 (diff)
Issue #27691: Fix ssl module's parsing of GEN_RID subject alternative name fields in X.509 certs.
Diffstat (limited to 'Modules/_ssl.c')
-rw-r--r--Modules/_ssl.c35
1 files changed, 34 insertions, 1 deletions
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index b2838ed..a79c3a8 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1007,6 +1007,35 @@ _get_peer_alt_names (X509 *certificate) {
PyTuple_SET_ITEM(t, 1, v);
break;
+ case GEN_RID:
+ t = PyTuple_New(2);
+ if (t == NULL)
+ goto fail;
+
+ v = PyUnicode_FromString("Registered ID");
+ if (v == NULL) {
+ Py_DECREF(t);
+ goto fail;
+ }
+ PyTuple_SET_ITEM(t, 0, v);
+
+ len = i2t_ASN1_OBJECT(buf, sizeof(buf)-1, name->d.rid);
+ if (len < 0) {
+ Py_DECREF(t);
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ goto fail;
+ } else if (len >= (int)sizeof(buf)) {
+ v = PyUnicode_FromString("<INVALID>");
+ } else {
+ v = PyUnicode_FromStringAndSize(buf, len);
+ }
+ if (v == NULL) {
+ Py_DECREF(t);
+ goto fail;
+ }
+ PyTuple_SET_ITEM(t, 1, v);
+ break;
+
default:
/* for everything else, we use the OpenSSL print form */
switch (gntype) {
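Review bot: The truncation check in the new GEN_RID case looks off by one against the size handed to `i2t_ASN1_OBJECT`. The call passes `sizeof(buf)-1` as the buffer length, but the `<INVALID>` branch only triggers at `len >= (int)sizeof(buf)`. If the function returns the full untruncated text length, as OpenSSL's OBJ_obj2txt does, a result of exactly `sizeof(buf)-1` means the OID text was cut short, yet it still reaches `PyUnicode_FromStringAndSize(buf, len)` and would come back truncated with a trailing NUL. Testing against the same bound, `} else if (len >= (int)sizeof(buf) - 1) {`, would close that gap. `buf` is declared outside this hunk, so its size and the exact return semantics should be confirmed there.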
@@ -1033,8 +1062,12 @@ _get_peer_alt_names (X509 *certificate) {
goto fail;
}
vptr = strchr(buf, ':');
- if (vptr == NULL)
+ if (vptr == NULL) {
+ PyErr_Format(PyExc_ValueError,
+ "Invalid value %.200s",
+ buf);
goto fail;
+ }
t = PyTuple_New(2);
if (t == NULL)
goto fail;
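Review bot: The new `ValueError` does not say which certificate field was rejected, so `"Invalid value %.200s"` could name its source, for example `"Invalid subjectAltName value %.200s"`, making a traceback or log line attributable during triage. `buf` appears to hold text printed from the peer's certificate (it is filled outside this hunk), so the echoed string is peer-controlled and the `%.200s` cap is what bounds it. A one-line comment above the call, such as `/* buf is derived from the peer certificate: keep the length cap */`, would stop a later edit from dropping the limit.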