public inbox for git-commits@fedoraproject.org
To: git-commits@fedoraproject.org
Subject: [rpms/python3.9] rawhide: Fix ssl.SSLError: [ASN1: NOT_ENOUGH_DATA] not enough data with OpenSSL 3.5.7+
Date: Thu, 02 Jul 2026 14:03:50 GMT
Message-ID: <178300103093.1.14852838130878350886.rpms-python3.9-25de62e0679f@fedoraproject.org>

A new commit has been pushed.

Repo   : rpms/python3.9
Branch : rawhide
Commit : 25de62e0679f67c5d244465a869314334bf71c1d
Author : Miro Hrončok <miro@hroncok.cz>
Date   : 2026-07-02T11:03:46+02:00
Stats  : +91/-1 in 2 file(s)
URL    : https://src.fedoraproject.org/rpms/python3.9/c/25de62e0679f67c5d244465a869314334bf71c1d?branch=rawhide

Log:
Fix ssl.SSLError: [ASN1: NOT_ENOUGH_DATA] not enough data with OpenSSL 3.5.7+

---
diff --git a/00489-openssl-3.5.7.patch b/00489-openssl-3.5.7.patch
new file mode 100644
index 0000000..d2db3fb
--- /dev/null
+++ b/00489-openssl-3.5.7.patch
@@ -0,0 +1,75 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: David Benjamin <davidben@google.com>
+Date: Fri, 24 Mar 2023 09:04:30 -0400
+Subject: 00489: Use BIO_eof to detect EOF for SSL_FILETYPE_ASN1
+
+In PEM, we need to parse until error and then suppress `PEM_R_NO_START_LINE`, because PEM allows arbitrary leading and trailing data. DER, however, does not. Parsing until error and suppressing `ASN1_R_HEADER_TOO_LONG` doesn't quite work because that error also covers some cases that should be rejected.
+
+Instead, check `BIO_eof` early and stop the loop that way.
+
+This fixes https://github.com/python/cpython/issues/151504 and adds compatibility with OpenSSL 3.5.7+
+
+(cherry-picked from commit acfe02f3b05436658d92add6b168538b30f357f0)
+---
+ Lib/test/test_ssl.py                                   |  2 ++
+ .../2022-12-20-10-55-14.gh-issue-100372.utfP65.rst     |  2 ++
+ Modules/_ssl.c                                         | 10 ++++++----
+ 3 files changed, 10 insertions(+), 4 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst
+
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index a2e771ed7f..8eaf9bf22f 100644
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -1512,6 +1512,8 @@ class ContextTests(unittest.TestCase):
+             "not enough data: cadata does not contain a certificate"
+         ):
+             ctx.load_verify_locations(cadata=b"broken")
++        with self.assertRaises(ssl.SSLError):
++            ctx.load_verify_locations(cadata=cacert_der + b"A")
+ 
+     @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
+     def test_load_dh_params(self):
+diff --git a/Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst b/Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst
+new file mode 100644
+index 0000000000..ec37aff509
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2022-12-20-10-55-14.gh-issue-100372.utfP65.rst
+@@ -0,0 +1,2 @@
++:meth:`ssl.SSLContext.load_verify_locations` no longer incorrectly accepts
++some cases of trailing data when parsing DER.
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+index 5e0be34d6f..a6d72056b0 100644
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -4113,7 +4113,7 @@ _add_ca_certs(PySSLContext *self, const void *data, Py_ssize_t len,
+ {
+     BIO *biobuf = NULL;
+     X509_STORE *store;
+-    int retval = -1, err, loaded = 0;
++    int retval = -1, err, loaded = 0, was_bio_eof = 0;
+ 
+     assert(filetype == SSL_FILETYPE_ASN1 || filetype == SSL_FILETYPE_PEM);
+ 
+@@ -4141,6 +4141,10 @@ _add_ca_certs(PySSLContext *self, const void *data, Py_ssize_t len,
+         int r;
+ 
+         if (filetype == SSL_FILETYPE_ASN1) {
++            if (BIO_eof(biobuf)) {
++                was_bio_eof = 1;
++                break;
++            }
+             cert = d2i_X509_bio(biobuf, NULL);
+         } else {
+             cert = PEM_read_bio_X509(biobuf, NULL,
+@@ -4176,9 +4180,7 @@ _add_ca_certs(PySSLContext *self, const void *data, Py_ssize_t len,
+         }
+         _setSSLError(msg, 0, __FILE__, __LINE__);
+         retval = -1;
+-    } else if ((filetype == SSL_FILETYPE_ASN1) &&
+-                    (ERR_GET_LIB(err) == ERR_LIB_ASN1) &&
+-                    (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) {
++    } else if ((filetype == SSL_FILETYPE_ASN1) && was_bio_eof) {
+         /* EOF ASN1 file, not an error */
+         ERR_clear_error();
+         retval = 0;
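Review bot: the only new test in Lib/test/test_ssl.py, `ctx.load_verify_locations(cadata=cacert_der + b"A")`, asserts the new rejection of trailing data but not the regression this backport exists for (valid DER `cadata` failing with `[ASN1: NOT_ENOUGH_DATA]` at EOF under OpenSSL 3.5.7+); unless another test in the file already loads `cacert_der` as `cadata`, add a plain `ctx.load_verify_locations(cadata=cacert_der)` next to it so the package's test run fails if the `BIO_eof` check in `_add_ca_certs` is ever lost. Also, the NEWS fragment is named for gh-issue-100372 while the description says the patch fixes issues/151504; one sentence stating that 100372 is the original upstream issue and 151504 the OpenSSL 3.5.7 follow-up would keep the two from reading as a mismatch.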

diff --git a/python3.9.spec b/python3.9.spec
index 4752533..093f6e9 100644
--- a/python3.9.spec
+++ b/python3.9.spec
@@ -26,7 +26,7 @@ URL: https://www.python.org/
 #global prerel ...
 %global upstream_version %{general_version}%{?prerel}
 Version: %{general_version}%{?prerel:~%{prerel}}
-Release: 10%{?dist}
+Release: 11%{?dist}
 # Python is Python-2.0.1
 # pip is MIT and bundles:
 #   CacheControl: Apache-2.0
@@ -561,6 +561,18 @@ Patch480: 00480-cve-2026-4786.patch
 # Fix a possible UAF in {LZMA,BZ2,_Zlib}Decompressor
 Patch482: 00482-cve-2026-6100.patch
 
+# 00489 # 67185f85f0bd506e1814a2a2f5580bad5b95ce45
+# Use BIO_eof to detect EOF for SSL_FILETYPE_ASN1
+#
+# In PEM, we need to parse until error and then suppress `PEM_R_NO_START_LINE`, because PEM allows arbitrary leading and trailing data. DER, however, does not. Parsing until error and suppressing `ASN1_R_HEADER_TOO_LONG` doesn't quite work because that error also covers some cases that should be rejected.
+#
+# Instead, check `BIO_eof` early and stop the loop that way.
+#
+# This fixes https://github.com/python/cpython/issues/151504 and adds compatibility with OpenSSL 3.5.7+
+#
+# (cherry-picked from commit acfe02f3b05436658d92add6b168538b30f357f0)
+Patch489: 00489-openssl-3.5.7.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
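Review bot: the Patch489 comment block cites two different commits, `67185f85f0bd506e1814a2a2f5580bad5b95ce45` in the `# 00489 #` header and acfe02f3b05436658d92add6b168538b30f357f0 in the `(cherry-picked from commit ...)` line; if the header hash refers to the downstream fork branch rather than upstream cpython, say so in the comment so the two hashes are not read as contradicting each other. The sequence also jumps from Patch482 to Patch489 with nothing in between; if 483 to 488 are reserved elsewhere that is fine, but a short remark would make the gap intentional to the next reader.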
@@ -2048,6 +2060,9 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Thu Jul 02 2026 Miro Hrončok <mhroncok@redhat.com> - 3.9.25-11
+- Fix ssl.SSLError: [ASN1: NOT_ENOUGH_DATA] not enough data with OpenSSL 3.5.7+
+
 * Wed Apr 29 2026 Lumír Balhar <lbalhar@redhat.com> - 3.9.25-10
 - Switch to bundled wheels
 
