Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix various issues around X509_STORE_CTX reuse #1272

Merged
merged 3 commits into from
Nov 30, 2023

Conversation

davidben
Copy link
Contributor

This is three commits that probably should be reviewed separately. The first is a minimal fix for a weird behavior in pyOpenSSL: inspecting an X509_STORE_CTX after you have cleaned it up is pretty odd.

The next two rework X509StoreContext to just create a new X509_STORE_CTX for each verification, which avoids a whole lot of historical mess around X509_STORE_CTX's transition from being stack-allocated to heap-allocated in the OpenSSL API.

Although OpenSSL happens to leave the errors in there on
X509_STORE_CTX_cleanup, in no other OpenSSL API is accessing a cleaned
up object meaningful. Do it in the other order.
The underscore-prefixed variables were not intended to be exposed as
public API, so don't bother exposing it in the first place.
src/OpenSSL/crypto.py Outdated Show resolved Hide resolved
There's a lot of history with X509_STORE_CTX's somewhat messy transition
from a stack-allocated type to a heap-allocated type. (This is why a
double X509_STORE_CTX_init used to leak memory.) We can avoid all this
mess by just making a new X509_STORE_CTX each time.
@alex alex merged commit acb31fb into pyca:main Nov 30, 2023
36 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

2 participants