This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: Incorrect handling of EC_KEY_new_by_curve_name() in the _ssl module
Type: Stage: patch review
Components: Extension Modules, SSL Versions: Python 3.10, Python 3.9, Python 3.8
Status: open Resolution: fixed
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: ZackerySpytz, christian.heimes, serhiy.storchaka
Priority: normal Keywords: patch

Created on 2021-01-18 06:26 by ZackerySpytz, last changed 2022-04-11 14:59 by admin.

Pull Requests
URL Status Linked Edit
PR 24237 closed ZackerySpytz, 2021-01-18 06:28
Messages (6)
msg385173 - (view) Author: Zackery Spytz (ZackerySpytz) * (Python triager) Date: 2021-01-18 06:26
A EC_KEY_new_by_curve_name() call in the _ssl__SSLContext_impl() function is not checked for failure.
msg385175 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-01-18 07:50

The block is dead code. OpenSSL 1.0.2 and newer always defines SSL_CTX_set_ecdh_auto. All supported LibreSSL versions define SSL_CTX_set_ecdh_auto, too. I'll remove the block when PEP 644 is accepted.
msg385195 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2021-01-18 12:51
Will it be removed in master only or in all maintained version too?
msg385196 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-01-18 13:05
It really doesn't matter. The code is dead and will never trigger. Python 3.7 and newer all require OpenSSL 1.0.2, which always has defines SSL_CTX_set_ecdh_auto. In more recent versions SSL_CTX_set_ecdh_auto() is a no-op. I'll remove the code entirely when I can drop support for 1.0.2, too.
msg385202 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2021-01-18 15:39
Okay. And I have doubts that someone would backport this change to 3.6.

I do not see harm in merging PR 24237, although there is no use of it too. In any case thank you for finding this suspicious code Zackery.
msg391297 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-04-17 18:18
I have removed the code from master. Do you want to remove it from 3.9 and 3.8 or should we just ignore the dead code?
Date User Action Args
2022-04-11 14:59:40adminsetstatus: pending -> open
github: 87118
2021-04-17 18:18:08christian.heimessetstatus: open -> pending
resolution: fixed
messages: + msg391297
2021-01-18 15:39:39serhiy.storchakasetmessages: + msg385202
2021-01-18 13:05:21christian.heimessetmessages: + msg385196
2021-01-18 12:51:17serhiy.storchakasetnosy: + serhiy.storchaka
messages: + msg385195
2021-01-18 07:50:30christian.heimessetmessages: + msg385175
2021-01-18 06:28:57ZackerySpytzsetkeywords: + patch
stage: patch review
pull_requests: + pull_request23059
2021-01-18 06:26:19ZackerySpytzcreate