bpo-43920: Make load_verify_locations(cadata) error message consistent (GH-25554)
Signed-off-by: Christian Heimes <christian@python.org>
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 0b8cef6..8c84657 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -1433,12 +1433,17 @@ def test_load_verify_cadata(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
self.assertRaises(TypeError, ctx.load_verify_locations, cadata=object)
- with self.assertRaisesRegex(ssl.SSLError, "no start line"):
+ with self.assertRaisesRegex(
+ ssl.SSLError,
+ "no start line: cadata does not contain a certificate"
+ ):
ctx.load_verify_locations(cadata="broken")
- with self.assertRaisesRegex(ssl.SSLError, "not enough data"):
+ with self.assertRaisesRegex(
+ ssl.SSLError,
+ "not enough data: cadata does not contain a certificate"
+ ):
ctx.load_verify_locations(cadata=b"broken")
-
@unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
def test_load_dh_params(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
diff --git a/Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst b/Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst
new file mode 100644
index 0000000..28ff0fb
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst
@@ -0,0 +1,2 @@
+OpenSSL 3.0.0: :meth:`~ssl.SSLContext.load_verify_locations` now returns a
+consistent error message when cadata contains no valid certificate.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index e28c128..0daa13e 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -3791,7 +3791,7 @@ _add_ca_certs(PySSLContext *self, const void *data, Py_ssize_t len,
{
BIO *biobuf = NULL;
X509_STORE *store;
- int retval = 0, err, loaded = 0;
+ int retval = -1, err, loaded = 0;
assert(filetype == SSL_FILETYPE_ASN1 || filetype == SSL_FILETYPE_PEM);
@@ -3845,23 +3845,32 @@ _add_ca_certs(PySSLContext *self, const void *data, Py_ssize_t len,
}
err = ERR_peek_last_error();
- if ((filetype == SSL_FILETYPE_ASN1) &&
- (loaded > 0) &&
- (ERR_GET_LIB(err) == ERR_LIB_ASN1) &&
- (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) {
+ if (loaded == 0) {
+ const char *msg = NULL;
+ if (filetype == SSL_FILETYPE_PEM) {
+ msg = "no start line: cadata does not contain a certificate";
+ } else {
+ msg = "not enough data: cadata does not contain a certificate";
+ }
+ _setSSLError(get_state_ctx(self), msg, 0, __FILE__, __LINE__);
+ retval = -1;
+ } else if ((filetype == SSL_FILETYPE_ASN1) &&
+ (ERR_GET_LIB(err) == ERR_LIB_ASN1) &&
+ (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) {
/* EOF ASN1 file, not an error */
ERR_clear_error();
retval = 0;
} else if ((filetype == SSL_FILETYPE_PEM) &&
- (loaded > 0) &&
(ERR_GET_LIB(err) == ERR_LIB_PEM) &&
(ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
/* EOF PEM file, not an error */
ERR_clear_error();
retval = 0;
- } else {
+ } else if (err != 0) {
_setSSLError(get_state_ctx(self), NULL, 0, __FILE__, __LINE__);
retval = -1;
+ } else {
+ retval = 0;
}
BIO_free(biobuf);