bpo-18233: Only support getpeercertchain(validate=True) with OpenSSL 1.1.0+

chrisburr · chrisburr · commit a7c641d994a9 · 2020-12-09T15:09:47.000+01:00
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
@@ -2169,24 +2169,34 @@ def test_getpeercertchain(self):
             try:
                 peer_cert = s.getpeercert()
                 peer_cert_bin = s.getpeercert(True)
-                chain = s.getpeercertchain()
-                chain_bin = s.getpeercertchain(True)
+                if IS_OPENSSL_1_1_0:
+                    chain = s.getpeercertchain()
+                    chain_bin = s.getpeercertchain(True)
+                else:
+                    self.assertRaisesRegex(
+                        Exception, r'only supported by OpenSSL 1\.1\.0',
+                        s.getpeercertchain)
+                    self.assertRaisesRegex(
+                        Exception, r'only supported by OpenSSL 1\.1\.0',
+                        s.getpeercertchain, True)
                 chain_no_validate = s.getpeercertchain(validate=False)
                 chain_bin_no_validate = s.getpeercertchain(True, False)
             finally:
                 self.assertTrue(peer_cert)
-                self.assertEqual(len(chain), 2)
                 self.assertTrue(peer_cert_bin)
-                self.assertEqual(len(chain_bin), 2)
+                if IS_OPENSSL_1_1_0:
+                    self.assertEqual(len(chain), 2)
+                    self.assertEqual(len(chain_bin), 2)
 
                 # ca cert
                 ca_certs = ctx.get_ca_certs()
                 self.assertEqual(len(ca_certs), 1)
                 test_get_ca_certsert = ca_certs[0]
                 ca_cert_bin = ctx.get_ca_certs(True)[0]
 
-                self.assertEqual(chain, (peer_cert, test_get_ca_certsert))
-                self.assertEqual(chain_bin, (peer_cert_bin, ca_cert_bin))
+                if IS_OPENSSL_1_1_0:
+                    self.assertEqual(chain, (peer_cert, test_get_ca_certsert))
+                    self.assertEqual(chain_bin, (peer_cert_bin, ca_cert_bin))
                 self.assertEqual(chain_no_validate, (peer_cert,))
                 self.assertEqual(chain_bin_no_validate, (peer_cert_bin,))
 
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
@@ -2133,57 +2133,11 @@ _ssl__SSLSocket_getpeercertchain_impl(PySSLSocket *self, int binary_mode,
             return NULL;
         }
 #else
-        X509 *peer_cert = SSL_get_peer_certificate(self->ssl);
-        if (peer_cert == NULL)
-            Py_RETURN_NONE;
-
-        STACK_OF(X509) *chain = SSL_get_peer_cert_chain(self->ssl);
-        if (chain == NULL) {
-            X509_free(peer_cert);
-            Py_RETURN_NONE;
-        }
-        X509_STORE_CTX *store_ctx;
-
-        /* Initialize a store context with store (for root CA certs), the
-         * peer's cert and the peer's chain with intermediate CA certs. */
-        if ((store_ctx = X509_STORE_CTX_new()) == NULL) {
-            X509_free(peer_cert);
-            _setSSLError(NULL, 0, __FILE__, __LINE__);
-            return NULL;
-        }
-
-        if (!X509_STORE_CTX_init(store_ctx,
-                                 SSL_CTX_get_cert_store(self->ctx->ctx),
-                                 peer_cert, chain)) {
-#ifdef SSL_R_CERTIFICATE_VERIFY_FAILED
-            long e = ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CERTIFICATE_VERIFY_FAILED);
-#else
-            long e = ERR_PACK(ERR_LIB_SSL, 0, 134);
-#endif
-            fill_and_set_sslerror(self, PySSLCertVerificationErrorObject, PY_SSL_ERROR_SSL, NULL, __LINE__, e);
-            X509_free(peer_cert);
-            X509_STORE_CTX_free(store_ctx);
-            goto end;
-        }
-        X509_free(peer_cert);
-
-        /* Validate peer cert using its intermediate CA certs and the
-        * context's root CA certs. */
-        if (X509_verify_cert(store_ctx) <= 0) {
-            // _setX509StoreContextError(self, store_ctx, __FILE__, __LINE__);
-#ifdef SSL_R_CERTIFICATE_VERIFY_FAILED
-            long e = ERR_PACK(ERR_LIB_SSL, 0, SSL_R_CERTIFICATE_VERIFY_FAILED);
-#else
-            long e = ERR_PACK(ERR_LIB_SSL, 0, 134);
-#endif
-            fill_and_set_sslerror(self, PySSLCertVerificationErrorObject, PY_SSL_ERROR_SSL, NULL, __LINE__, e);
-            X509_STORE_CTX_free(store_ctx);
-            goto end;
-        }
-
-        /* Get chain from store context */
-        peer_chain = X509_STORE_CTX_get1_chain(store_ctx);
-        X509_STORE_CTX_free(store_ctx);
+        PyErr_SetString(
+            PyExc_Exception,
+            "Getting verified certificate chains with SSL_get0_verified_chain"
+            " is only supported by OpenSSL 1.1.0 and later");
+        return NULL;
 #endif
     } else {
         peer_chain = SSL_get_peer_cert_chain(self->ssl);
@@ -2220,11 +2174,6 @@ _ssl__SSLSocket_getpeercertchain_impl(PySSLSocket *self, int binary_mode,
     }
 
   end:
-#ifndef OPENSSL_VERSION_1_1
-    if (validate && (peer_chain != NULL)) {
-        sk_X509_pop_free(peer_chain, X509_free);
-    }
-#endif
     return retval;
 }
 
