This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.

classification
Title: Incorrect handling of EC_KEY_new_by_curve_name() in the _ssl module
Type:
Stage: patch review
Components: Extension Modules, SSL
Versions: Python 3.10, Python 3.9, Python 3.8
process
Status: open
Resolution: fixed
Dependencies:
Superseder:
Assigned To: christian.heimes
Nosy List: ZackerySpytz, christian.heimes, serhiy.storchaka
Priority: normal
Keywords: patch

Created on 2021-01-18 06:26 by ZackerySpytz, last changed 2022-04-11 14:59 by admin.

Pull Requests
URL Status Linked Edit
PR 24237 closed ZackerySpytz, 2021-01-18 06:28
Messages (6)
msg385173 - (view) Author: Zackery Spytz (ZackerySpytz) * (Python triager) Date: 2021-01-18 06:26
An EC_KEY_new_by_curve_name() call in the _ssl__SSLContext_impl() function is not checked for failure.
msg385175 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-01-18 07:50
Thanks!

The block is dead code. OpenSSL 1.0.2 and newer always defines SSL_CTX_set_ecdh_auto. All supported LibreSSL versions define SSL_CTX_set_ecdh_auto, too. I'll remove the block when PEP 644 is accepted.
msg385195 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2021-01-18 12:51
Will it be removed in master only or in all maintained versions too?
msg385196 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-01-18 13:05
It really doesn't matter. The code is dead and will never trigger. Python 3.7 and newer all require OpenSSL 1.0.2, which always defines SSL_CTX_set_ecdh_auto. In more recent versions SSL_CTX_set_ecdh_auto() is a no-op. I'll remove the code entirely when I can drop support for 1.0.2, too.
msg385202 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2021-01-18 15:39
Okay. And I have doubts that someone would backport this change to 3.6.

I do not see harm in merging PR 24237, although there is no use in it either. In any case, thank you for finding this suspicious code, Zackery.
msg391297 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-04-17 18:18
I have removed the code from master. Do you want to remove it from 3.9 and 3.8 or should we just ignore the dead code?
History
Date User Action Args
2022-04-11 14:59:40 admin set status: pending -> open; github: 87118
2021-04-17 18:18:08 christian.heimes set status: open -> pending; resolution: fixed; messages: + msg391297
2021-01-18 15:39:39 serhiy.storchaka set messages: + msg385202
2021-01-18 13:05:21 christian.heimes set messages: + msg385196
2021-01-18 12:51:17 serhiy.storchaka set nosy: + serhiy.storchaka; messages: + msg385195
2021-01-18 07:50:30 christian.heimes set messages: + msg385175
2021-01-18 06:28:57 ZackerySpytz set keywords: + patch; stage: patch review; pull_requests: + pull_request23059
2021-01-18 06:26:19 ZackerySpytz create