From d3b73f32ef7c693a6ae8c54eb0e62df3b5315caf Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Fri, 9 Apr 2021 15:23:38 +0200 Subject: bpo-43789: OpenSSL 3.0.0 Don't call passwd callback again in error case (GH-25303) --- Misc/NEWS.d/next/Library/2021-04-09-14-08-03.bpo-43789.eaHlAm.rst | 2 ++ Modules/_ssl.c | 7 +++++++ 2 files changed, 9 insertions(+) create mode 100644 Misc/NEWS.d/next/Library/2021-04-09-14-08-03.bpo-43789.eaHlAm.rst diff --git a/Misc/NEWS.d/next/Library/2021-04-09-14-08-03.bpo-43789.eaHlAm.rst b/Misc/NEWS.d/next/Library/2021-04-09-14-08-03.bpo-43789.eaHlAm.rst new file mode 100644 index 0000000..1c08529 --- /dev/null +++ b/Misc/NEWS.d/next/Library/2021-04-09-14-08-03.bpo-43789.eaHlAm.rst @@ -0,0 +1,2 @@ +OpenSSL 3.0.0: Don't call the password callback function a second time when +first call has signaled an error condition. diff --git a/Modules/_ssl.c b/Modules/_ssl.c index f3c3b20..94b06dd 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -3926,6 +3926,13 @@ _password_callback(char *buf, int size, int rwflag, void *userdata) PySSL_END_ALLOW_THREADS_S(pw_info->thread_state); + if (pw_info->error) { + /* already failed previously. OpenSSL 3.0.0-alpha14 invokes the + * callback multiple times which can lead to fatal Python error in + * exception check. */ + goto error; + } + if (pw_info->callable) { fn_ret = _PyObject_CallNoArg(pw_info->callable); if (!fn_ret) { -- cgit v0.12