diff options
author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2017-02-13 21:28:02 -0600 |
---|---|---|
committer | Alex Gaynor <alex.gaynor@gmail.com> | 2017-02-13 19:28:02 -0800 |
commit | a39b20d6fff2c943cca15139605c73ded0d070f0 (patch) | |
tree | 4e2f918c3101bfcce23158a03f2809c8dbb6690b | |
parent | 4a90c254278231d7defeac304a3cfd752e96e786 (diff) | |
download | cryptography-a39b20d6fff2c943cca15139605c73ded0d070f0.tar.gz cryptography-a39b20d6fff2c943cca15139605c73ded0d070f0.tar.bz2 cryptography-a39b20d6fff2c943cca15139605c73ded0d070f0.zip |
Refactor binding initialization to allow specified errors (#3278)
If pyca/cryptography sees any errors on the error stack during its own
initialization it immediately raises InternalError and refuses to
proceed. This was a safety measure since we weren't sure if it was
safe to proceed. However, reality has intervened and we have to
bow to the god of pragmatism and just clear the error queue. In
practice this is safe since we religiously check the error queue
in operation.
-rw-r--r-- | src/cryptography/hazmat/bindings/openssl/binding.py | 7 | ||||
-rw-r--r-- | tests/hazmat/bindings/test_openssl.py | 14 |
2 files changed, 19 insertions, 2 deletions
diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index 6f9359c7..59092c0d 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -90,7 +90,12 @@ class Binding(object): @classmethod def _register_osrandom_engine(cls): - _openssl_assert(cls.lib, cls.lib.ERR_peek_error() == 0) + # Clear any errors extant in the queue before we start. In many + # scenarios other things may be interacting with OpenSSL in the same + # process space and it has proven untenable to assume that they will + # reliably clear the error queue. Once we clear it here we will + # error on any subsequent unexpected item in the stack. + cls.lib.ERR_clear_error() cls._osrandom_engine_id = cls.lib.Cryptography_osrandom_engine_id cls._osrandom_engine_name = cls.lib.Cryptography_osrandom_engine_name result = cls.lib.Cryptography_add_osrandom_engine() diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py index 85b51725..449e581e 100644 --- a/tests/hazmat/bindings/test_openssl.py +++ b/tests/hazmat/bindings/test_openssl.py @@ -8,7 +8,7 @@ import pytest from cryptography.exceptions import InternalError from cryptography.hazmat.bindings.openssl.binding import ( - Binding, _OpenSSLErrorWithText, _openssl_assert + Binding, _OpenSSLErrorWithText, _consume_errors, _openssl_assert ) @@ -110,3 +110,15 @@ class TestOpenSSL(object): b'ex:data not multiple of block length' ) )] + + def test_check_startup_errors_are_allowed(self): + b = Binding() + b.lib.ERR_put_error( + b.lib.ERR_LIB_EVP, + b.lib.EVP_F_EVP_ENCRYPTFINAL_EX, + b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH, + b"", + -1 + ) + b._register_osrandom_engine() + assert _consume_errors(b.lib) == [] |