Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gh-80192: Use windows api if ssl cert verification fails #127622

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
+121 −1
Open

gh-80192: Use windows api if ssl cert verification fails #127622

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
9d28198
Use windows api if ssl cert verification fails
tobil4sk Dec 5, 2024
d3da5df
Use const where appropriate
tobil4sk Dec 5, 2024
b8f5bd5
Refactor error translation into separate function
tobil4sk Dec 5, 2024
c9ad0a3
Fix PEP 7 violations
tobil4sk Dec 5, 2024
80b21bd
Add reference to news entry
tobil4sk Dec 5, 2024
2435d4d
Fix error translation resulting in test fail
tobil4sk Dec 5, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions Misc/NEWS.d/next/Windows/2024-12-05-00-21-11.gh-issue-80192.28PTj4.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Fixed valid :mod:`ssl` certificates being rejected.
121 changes: 120 additions & 1 deletion Modules/_ssl.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2996,6 +2996,125 @@ static PyType_Spec PySSLSocket_spec = {
.slots = PySSLSocket_slots,
};

#ifdef _MSC_VER
static const unsigned char *
_get_cert_bytes(const X509 *cert, int *length)
{
unsigned char *cert_bytes;
int cert_bytes_length = i2d_X509(cert, NULL);
if (cert_bytes_length <= 0) {
return NULL;
}

cert_bytes = PyMem_RawMalloc(cert_bytes_length);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible to use pymalloc (PyMem_Malloc) here? Typically, we only need RawMalloc if we plan on using it inside Py_BEGIN_ALLOW_THREADS areas.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using PyMem_Malloc I got the following error in my sample program:
Fatal Python error: _PyMem_DebugMalloc: Python memory allocator called without holding the GIL

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I figured. It might be worth adding a comment mentioning that the GIL isn't held (so no Python APIs can get called).

if (cert_bytes == NULL) {
return NULL;
}

if (i2d_X509(cert, &cert_bytes) <= 0) {
return NULL;
}

*length = cert_bytes_length;

/* i2d_X509 moves the input pointer to the end of the data */
return cert_bytes - cert_bytes_length;
}


static int
_translate_policy_status_error(int error)
{
switch (error) {
case TRUST_E_CERT_SIGNATURE:
return X509_V_ERR_CERT_SIGNATURE_FAILURE;
case CERT_E_UNTRUSTEDROOT:
return X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
case CERT_E_CHAINING:
return X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
case CERT_E_EXPIRED:
return X509_V_ERR_CERT_HAS_EXPIRED;
case CERT_E_INVALID_POLICY:
return X509_V_ERR_INVALID_POLICY_EXTENSION;
tobil4sk marked this conversation as resolved.
Show resolved Hide resolved
case CERT_E_WRONG_USAGE:
case CERT_E_CRITICAL:
case CERT_E_PURPOSE:
case CERT_E_ROLE:
return X509_V_ERR_INVALID_PURPOSE;
case CERT_E_VALIDITYPERIODNESTING:
default:
return X509_V_ERR_APPLICATION_VERIFICATION;
}
}


static int
_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
{
int ret = 0;
/* windows api calls below do not check for hostname mismatch */
if (preverify_ok
|| X509_STORE_CTX_get_error(ctx) == X509_V_ERR_HOSTNAME_MISMATCH)
{
return preverify_ok;
}

HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0,
CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG,
NULL);
if (store == NULL) {
return ret;
}

int cert_bytes_length;
const X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
const BYTE *cert_bytes = _get_cert_bytes(cert, &cert_bytes_length);
if (cert_bytes == NULL) {
goto error_1;
}

PCCERT_CONTEXT primary_context = NULL;
if (!CertAddEncodedCertificateToStore(store, X509_ASN_ENCODING,
cert_bytes, cert_bytes_length,
CERT_STORE_ADD_REPLACE_EXISTING,
&primary_context))
{
goto error_2;
}
PCCERT_CHAIN_CONTEXT chain_context = NULL;
CERT_CHAIN_PARA parameters = {0};
if (!CertGetCertificateChain(NULL, primary_context, NULL, store,
&parameters, 0, NULL, &chain_context))
{
goto error_3;
}
CERT_CHAIN_POLICY_PARA policy_parameters = {0};
CERT_CHAIN_POLICY_STATUS policy_status = {0};
if (CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL, chain_context,
&policy_parameters, &policy_status))
{
if (policy_status.dwError == CERT_TRUST_NO_ERROR) {
ret = 1;
}
else {
int err = _translate_policy_status_error(policy_status.dwError);
X509_STORE_CTX_set_error(ctx, err);
}
}

CertFreeCertificateChain(chain_context);
error_3:
CertFreeCertificateContext(primary_context);
error_2:
PyMem_RawFree((void *)cert_bytes);
error_1:
CertCloseStore(store, 0);
return ret;
}
#else
#define _verify_callback NULL
#endif

/*
* _SSLContext objects
*/
Expand Down Expand Up @@ -3024,7 +3143,7 @@ _set_verify_mode(PySSLContext *self, enum py_ssl_cert_requirements n)
/* bpo-37428: newPySSLSocket() sets SSL_VERIFY_POST_HANDSHAKE flag for
* server sockets and SSL_set_post_handshake_auth() for client. */

SSL_CTX_set_verify(self->ctx, mode, NULL);
SSL_CTX_set_verify(self->ctx, mode, _verify_callback);
return 0;
}

Expand Down
Loading