TODO Undesirable: revert python#114573

This concurrency fix needs reworking for use with BoringSSL.

Author: gpshead

Misc/NEWS.d/next/Security/2024-01-26-22-14-09.gh-issue-114572.t1QMQD.rst

@@ -4573,50 +4573,6 @@ set_sni_callback(PySSLContext *self, PyObject *arg, void *c)
     return 0;
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x30300000L
-static X509_OBJECT *x509_object_dup(const X509_OBJECT *obj)
-{
-    int ok;
-    X509_OBJECT *ret = X509_OBJECT_new();
-    if (ret == NULL) {
-        return NULL;
-    }
-    switch (X509_OBJECT_get_type(obj)) {
-        case X509_LU_X509:
-            ok = X509_OBJECT_set1_X509(ret, X509_OBJECT_get0_X509(obj));
-            break;
-        case X509_LU_CRL:
-            /* X509_OBJECT_get0_X509_CRL was not const-correct prior to 3.0.*/
-            ok = X509_OBJECT_set1_X509_CRL(
-                ret, X509_OBJECT_get0_X509_CRL((X509_OBJECT *)obj));
-            break;
-        default:
-            /* We cannot duplicate unrecognized types in a polyfill, but it is
-             * safe to leave an empty object. The caller will ignore it. */
-            ok = 1;
-            break;
-    }
-    if (!ok) {
-        X509_OBJECT_free(ret);
-        return NULL;
-    }
-    return ret;
-}
-
-static STACK_OF(X509_OBJECT) *
-X509_STORE_get1_objects(X509_STORE *store)
-{
-    STACK_OF(X509_OBJECT) *ret;
-    if (!X509_STORE_lock(store)) {
-        return NULL;
-    }
-    ret = sk_X509_OBJECT_deep_copy(X509_STORE_get0_objects(store),
-                                   x509_object_dup, X509_OBJECT_free);
-    X509_STORE_unlock(store);
-    return ret;
-}
-#endif
-
 PyDoc_STRVAR(PySSLContext_sni_callback_doc,
 "Set a callback that will be called when a server name is provided by the SSL/TLS client in the SNI extension.\n\
 \n\
@@ -4646,12 +4602,7 @@ _ssl__SSLContext_cert_store_stats_impl(PySSLContext *self)
     int x509 = 0, crl = 0, ca = 0, i;
 
     store = SSL_CTX_get_cert_store(self->ctx);
-    objs = X509_STORE_get1_objects(store);
-    if (objs == NULL) {
-        PyErr_SetString(PyExc_MemoryError, "failed to query cert store");
-        return NULL;
-    }
-
+    objs = X509_STORE_get0_objects(store);
     for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
         obj = sk_X509_OBJECT_value(objs, i);
         switch (X509_OBJECT_get_type(obj)) {
@@ -4665,11 +4616,12 @@ _ssl__SSLContext_cert_store_stats_impl(PySSLContext *self)
                 crl++;
                 break;
             default:
-                /* Ignore unrecognized types. */
+                /* Ignore X509_LU_FAIL, X509_LU_RETRY, X509_LU_PKEY.
+                 * As far as I can tell they are internal states and never
+                 * stored in a cert store */
                 break;
         }
     }
-    sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
     return Py_BuildValue("{sisisi}", "x509", x509, "crl", crl,
         "x509_ca", ca);
 }
@@ -4701,12 +4653,7 @@ _ssl__SSLContext_get_ca_certs_impl(PySSLContext *self, int binary_form)
     }
 
     store = SSL_CTX_get_cert_store(self->ctx);
-    objs = X509_STORE_get1_objects(store);
-    if (objs == NULL) {
-        PyErr_SetString(PyExc_MemoryError, "failed to query cert store");
-        goto error;
-    }
-
+    objs = X509_STORE_get0_objects(store);
     for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
         X509_OBJECT *obj;
         X509 *cert;
@@ -4734,11 +4681,9 @@ _ssl__SSLContext_get_ca_certs_impl(PySSLContext *self, int binary_form)
         }
         Py_CLEAR(ci);
     }
-    sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
     return rlist;
 
   error:
-    sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
     Py_XDECREF(ci);
     Py_XDECREF(rlist);
     return NULL;