
ssl: Fix locking in cert_store_stats and get_ca_certs #114572

Closed
davidben opened this issue Jan 25, 2024 · 1 comment
Labels
type-bug An unexpected behavior, bug, or error

Comments

@davidben
Contributor

davidben commented Jan 25, 2024

Bug report

Bug description:

Filing this to attach a PR to.

cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with X509_STORE_get0_objects, but reading the result requires a lock. See openssl/openssl#23224 for details.

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux, macOS


@davidben davidben added the type-bug An unexpected behavior, bug, or error label Jan 25, 2024
davidben added a commit to davidben/cpython that referenced this issue Jan 25, 2024
cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with
X509_STORE_get0_objects, but reading the result requires a lock. See
openssl/openssl#23224 for details.

Instead, use X509_STORE_get1_objects, newly added in that PR.
X509_STORE_get1_objects does not exist in current OpenSSLs, but we can
polyfill it with X509_STORE_lock and X509_STORE_unlock.
alex pushed a commit that referenced this issue Feb 16, 2024
* gh-114572: Fix locking in cert_store_stats and get_ca_certs

cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with
X509_STORE_get0_objects, but reading the result requires a lock. See
openssl/openssl#23224 for details.

Instead, use X509_STORE_get1_objects, newly added in that PR.
X509_STORE_get1_objects does not exist in current OpenSSLs, but we can
polyfill it with X509_STORE_lock and X509_STORE_unlock.

* Work around const-correctness problem

* Add missing X509_STORE_get1_objects failure check

* Add blurb
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Feb 16, 2024
…thonGH-114573)

* pythongh-114572: Fix locking in cert_store_stats and get_ca_certs

cert_store_stats and get_ca_certs query the SSLContext's X509_STORE with
X509_STORE_get0_objects, but reading the result requires a lock. See
openssl/openssl#23224 for details.

Instead, use X509_STORE_get1_objects, newly added in that PR.
X509_STORE_get1_objects does not exist in current OpenSSLs, but we can
polyfill it with X509_STORE_lock and X509_STORE_unlock.

* Work around const-correctness problem

* Add missing X509_STORE_get1_objects failure check

* Add blurb
(cherry picked from commit bce6931)

Co-authored-by: David Benjamin <davidben@google.com>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Feb 16, 2024
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Feb 16, 2024
pablogsal pushed a commit that referenced this issue Feb 20, 2024
…H-114573) (#115549)

pablogsal pushed a commit that referenced this issue Feb 20, 2024
…H-114573) (#115548)

encukou pushed a commit that referenced this issue Feb 29, 2024
…H-114573) (GH-115547)

@hugovk
Member

hugovk commented Mar 15, 2024

Closing as the PR has been merged and backported. Thanks!

@hugovk hugovk closed this as completed Mar 15, 2024
diegorusso pushed a commit to diegorusso/cpython that referenced this issue Apr 17, 2024
…thon#114573)
sethmlarson added a commit to sethmlarson/cpython that referenced this issue Apr 30, 2024
…ca_certs

(cherry picked from commit 732c7d5)

Co-authored-by: Seth Michael Larson <seth@python.org>
ambv pushed a commit that referenced this issue May 10, 2024
gentoo-bot pushed a commit to gentoo/cpython that referenced this issue May 21, 2024
…rts (pythonGH-114573) (python#115548)
gentoo-bot pushed a commit to gentoo/cpython that referenced this issue May 21, 2024
…rts (pythonGH-114573) (python#115548)
mcepl pushed a commit to openSUSE-Python/cpython that referenced this issue Jun 21, 2024
cert_store_stats and get_ca_certs query the SSLContext's
X509_STORE with X509_STORE_get0_objects, but reading the result
requires a lock. See gh#openssl/openssl#23224 for details.

Instead, use X509_STORE_get1_objects, newly added in that
PR. X509_STORE_get1_objects does not exist in current
OpenSSLs, but we can polyfill it with X509_STORE_lock and
X509_STORE_unlock.

From-PR: gh#python/cpython!114573
Fixes: gh#python#114572
Fixes: bsc#1226447 (CVE-2024-0397)
Patch: CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
rickprice added a commit to ActiveState/cpython that referenced this issue Jun 27, 2024
rickprice added a commit to ActiveState/cpython that referenced this issue Jun 27, 2024
rickprice added a commit to ActiveState/cpython that referenced this issue Jun 27, 2024
Backported from : [3.8] pythongh-114572: Fix locking in cert_store_stats and get_ca_certs python#118442
icanhasmath added a commit to ActiveState/cpython that referenced this issue Jun 27, 2024
rickprice added a commit to ActiveState/cpython that referenced this issue Jun 28, 2024
rickprice added a commit to ActiveState/cpython that referenced this issue Jun 28, 2024
rickprice added a commit to ActiveState/cpython that referenced this issue Jun 29, 2024
rickprice added a commit to ActiveState/cpython that referenced this issue Jun 29, 2024
rickprice added a commit to ActiveState/cpython that referenced this issue Jul 12, 2024
icanhasmath pushed a commit to ActiveState/cpython that referenced this issue Aug 8, 2024