Skip to content

bpo-37702: Fix SSL certificate-store-handles leak #14999

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 12 commits into from
Closed

bpo-37702: Fix SSL certificate-store-handles leak #14999

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
8ba1079
bpo-37702: Fix SSL certificate-store-handles leak
neonene Jul 29, 2019
bdfd6ba
Update 2019-07-29-16-49-31.bpo-37702.Lj2f5e.rst
neonene Aug 24, 2019
5bbf09a
Update Modules/_ssl.c
neonene Aug 24, 2019
f8b70e0
Update _ssl.c
neonene Aug 24, 2019
a814e6a
Update _ssl.c
neonene Aug 25, 2019
a62f754
bpo-37702: comment for function call to each handle
neonene Aug 25, 2019
f12ab78
close handles in ssl_collect_certificates()
neonene Aug 26, 2019
5e079bf
comments (correct english)
neonene Aug 26, 2019
2963e03
indent, comments (correct english)
neonene Aug 27, 2019
e47aa04
make the system store list a global static
neonene Aug 27, 2019
9c09ed7
surround #define replacement with parenthesis
neonene Aug 28, 2019
b03a553
add a function to close handles
neonene Aug 29, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions Misc/NEWS.d/next/Windows/2019-07-29-16-49-31.bpo-37702.Lj2f5e.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
Fix memory leak on Windows in creating an SSLContext object or
running urllib.request.urlopen('https://...').
77 changes: 44 additions & 33 deletions Modules/_ssl.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5543,51 +5543,67 @@ parseKeyUsage(PCCERT_CONTEXT pCertCtx, DWORD flags)
return retval;
}

static DWORD system_stores[] = {
CERT_SYSTEM_STORE_LOCAL_MACHINE,
CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE,
CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY,
CERT_SYSTEM_STORE_CURRENT_USER,
CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY,
CERT_SYSTEM_STORE_SERVICES,
CERT_SYSTEM_STORE_USERS
};

#define SYSTEM_STORES_COUNT (sizeof(system_stores) / sizeof(DWORD))

static BOOL
cert_close_stores(HCERTSTORE hCollectionStore, HCERTSTORE *system_store_handles)
{
size_t i;
BOOL success = CertCloseStore(hCollectionStore, 0);
for (i = 0; i < SYSTEM_STORES_COUNT; i++) {
if (system_store_handles[i] &&
!CertCloseStore(system_store_handles[i], 0)) {
success = 0;
}
}
return success;
}

static HCERTSTORE
ssl_collect_certificates(const char *store_name)
ssl_collect_certificates(const char *store_name, HCERTSTORE *system_store_handles)
{
/* this function collects the system certificate stores listed in
* system_stores into a collection certificate store for being
* enumerated. The store must be readable to be added to the
* store collection.
*/

HCERTSTORE hCollectionStore = NULL, hSystemStore = NULL;
static DWORD system_stores[] = {
CERT_SYSTEM_STORE_LOCAL_MACHINE,
CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE,
CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY,
CERT_SYSTEM_STORE_CURRENT_USER,
CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY,
CERT_SYSTEM_STORE_SERVICES,
CERT_SYSTEM_STORE_USERS};
HCERTSTORE hCollectionStore, hSystemStore;
size_t i, storesAdded;
BOOL result;

hCollectionStore = CertOpenStore(CERT_STORE_PROV_COLLECTION, 0,
(HCRYPTPROV)NULL, 0, NULL);
if (!hCollectionStore) {
return NULL;
}
storesAdded = 0;
for (i = 0; i < sizeof(system_stores) / sizeof(DWORD); i++) {
for (i = 0; i < SYSTEM_STORES_COUNT; i++) {
system_store_handles[i] = NULL;
hSystemStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_A, 0,
(HCRYPTPROV)NULL,
CERT_STORE_READONLY_FLAG |
system_stores[i], store_name);
if (hSystemStore) {
result = CertAddStoreToCollection(hCollectionStore, hSystemStore,
CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG, 0);
if (result) {
++storesAdded;
system_store_handles[i] = hSystemStore;
if (CertAddStoreToCollection(hCollectionStore, hSystemStore,
CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG, 0)) {
storesAdded = 1;
}
}
}
if (storesAdded == 0) {
CertCloseStore(hCollectionStore, CERT_CLOSE_STORE_FORCE_FLAG);
if (!storesAdded) {
cert_close_stores(hCollectionStore, system_store_handles);
return NULL;
}

return hCollectionStore;
}

Expand Down Expand Up @@ -5622,7 +5638,8 @@ static PyObject *
_ssl_enum_certificates_impl(PyObject *module, const char *store_name)
/*[clinic end generated code: output=5134dc8bb3a3c893 input=915f60d70461ea4e]*/
{
HCERTSTORE hCollectionStore = NULL;
HCERTSTORE hCollectionStore;
HCERTSTORE system_store_handles[SYSTEM_STORES_COUNT];
PCCERT_CONTEXT pCertCtx = NULL;
PyObject *keyusage = NULL, *cert = NULL, *enc = NULL, *tup = NULL;
PyObject *result = NULL;
Expand All @@ -5631,7 +5648,7 @@ _ssl_enum_certificates_impl(PyObject *module, const char *store_name)
if (result == NULL) {
return NULL;
}
hCollectionStore = ssl_collect_certificates(store_name);
hCollectionStore = ssl_collect_certificates(store_name, system_store_handles);
if (hCollectionStore == NULL) {
Py_DECREF(result);
return PyErr_SetFromWindowsErr(GetLastError());
Expand Down Expand Up @@ -5686,15 +5703,11 @@ _ssl_enum_certificates_impl(PyObject *module, const char *store_name)
Py_XDECREF(keyusage);
Py_XDECREF(tup);

/* CERT_CLOSE_STORE_FORCE_FLAG forces freeing of memory for all contexts
associated with the store, in this case our collection store and the
associated system stores. */
if (!CertCloseStore(hCollectionStore, CERT_CLOSE_STORE_FORCE_FLAG)) {
if (!cert_close_stores(hCollectionStore, system_store_handles)) {
/* This error case might shadow another exception.*/
Py_XDECREF(result);
return PyErr_SetFromWindowsErr(GetLastError());
}

return result;
}

Expand All @@ -5714,7 +5727,8 @@ static PyObject *
_ssl_enum_crls_impl(PyObject *module, const char *store_name)
/*[clinic end generated code: output=bce467f60ccd03b6 input=a1f1d7629f1c5d3d]*/
{
HCERTSTORE hCollectionStore = NULL;
HCERTSTORE hCollectionStore;
HCERTSTORE system_store_handles[SYSTEM_STORES_COUNT];
PCCRL_CONTEXT pCrlCtx = NULL;
PyObject *crl = NULL, *enc = NULL, *tup = NULL;
PyObject *result = NULL;
Expand All @@ -5723,7 +5737,7 @@ _ssl_enum_crls_impl(PyObject *module, const char *store_name)
if (result == NULL) {
return NULL;
}
hCollectionStore = ssl_collect_certificates(store_name);
hCollectionStore = ssl_collect_certificates(store_name, system_store_handles);
if (hCollectionStore == NULL) {
Py_DECREF(result);
return PyErr_SetFromWindowsErr(GetLastError());
Expand Down Expand Up @@ -5767,10 +5781,7 @@ _ssl_enum_crls_impl(PyObject *module, const char *store_name)
Py_XDECREF(enc);
Py_XDECREF(tup);

/* CERT_CLOSE_STORE_FORCE_FLAG forces freeing of memory for all contexts
associated with the store, in this case our collection store and the
associated system stores. */
if (!CertCloseStore(hCollectionStore, CERT_CLOSE_STORE_FORCE_FLAG)) {
if (!cert_close_stores(hCollectionStore, system_store_handles)) {
/* This error case might shadow another exception.*/
Py_XDECREF(result);
return PyErr_SetFromWindowsErr(GetLastError());
Expand Down