Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / pyopenssl / 3562df8732f66848342874526d0ce12392d7d62e^! / . / src / OpenSSL
commit3562df8732f66848342874526d0ce12392d7d62e[log] [tgz]
authorArne Schwabe <arne@rfc2549.org>Fri Nov 27 19:29:49 2020 +0100
committerGitHub <noreply@github.com>Fri Nov 27 12:29:49 2020 -0600
tree8ff18795804fd4a6fe4675d9dfacdd4bb6444d8b
parentf3667e95188e8c14458a7943c7efab3776b04711 [diff]
Keep reference to SSL verify_call in Connection object (#956)

* Keep reference to SSL verify_call in Connection object

If a set_verify is used on a context before and after a Connection
the reference in the SSL* object still points to the old _verify_helper
object. Since this object has no longer any references to it, the
callback can result in a segfault.

This commit fixes the issues by ensuring that as long as the
Connection object/SSL* object lives a reference to the callback
function is held.

* Add Unit test for set_verify_callback deference
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index 3153426..230b403 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py

@@ -1485,6 +1485,12 @@
         # avoid them getting freed.
         self._alpn_select_callback_args = None
 
+        # Reference the verify_callback of the Context. This ensures that if
+        # set_verify is called again after the SSL object has been created we
+        # do not point to a dangling reference
+        self._verify_helper = context._verify_helper
+        self._verify_callback = context._verify_callback
+
         self._reverse_mapping[self._ssl] = self
 
         if socket is None: