From 1f943ab1a6ed391ef9474152e3f5ccb666cce4c9 Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Wed, 23 Dec 2015 19:21:23 -0600
Subject: add test that fails if CRL references aren't properly retained

If the X509_CRL reference is not properly retained then this test will return an openssl error or potentially a crash as it's reading freed memory to obtain the revocation_date and serial_number
---
 tests/test_x509.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

(limited to 'tests/test_x509.py')

diff --git a/tests/test_x509.py b/tests/test_x509.py
index ae2746e3..034e5601 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -6,6 +6,7 @@ from __future__ import absolute_import, division, print_function
 
 import binascii
 import datetime
+import gc
 import ipaddress
 import os
 
@@ -173,6 +174,24 @@ class TestCertificateRevocationList(object):
 # Check that len() works for CRLs.
 assert len(crl) == 12
 
+ def test_revoked_cert_retrieval_retain_only_revoked(self, backend):
+ """
+ This test attempts to trigger the crash condition described in
+ https://github.com/pyca/cryptography/issues/2557
+ """
+ crl = _load_cert(
+ os.path.join("x509", "custom", "crl_all_reasons.pem"),
+ x509.load_pem_x509_crl,
+ backend
+ )
+ revoked = crl[11]
+ crl = "overwritten"
+ # force a gc collection to potentially X509_CRL_free if there are
+ # no references to the X509_CRL left.
+ gc.collect()
+ assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0)
+ assert revoked.serial_number == 11
+
 def test_extensions(self, backend):
 crl = _load_cert(
 os.path.join("x509", "custom", "crl_ian_aia_aki.pem"),
-- 
cgit v1.2.3

From 7e75b620f1c63fcc6168fe611eafa97fd709121b Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Wed, 23 Dec 2015 19:30:35 -0600
Subject: address review comments

---
 tests/test_x509.py | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

(limited to 'tests/test_x509.py')

diff --git a/tests/test_x509.py b/tests/test_x509.py
index 034e5601..ab4d6660 100644
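Review bot: In `test_revoked_cert_retrieval_retain_only_revoked` (first commit, second hunk) the two assertions are the only detector for the use-after-free, and reading freed memory is not guaranteed to fail. If the allocator has not yet reused or poisoned the freed X509_CRL data, `revoked.revocation_date` and `revoked.serial_number` may still return the expected values, so the test can pass with the bug present. I would state that limit in the docstring, for example `A pass does not prove the reference is retained; run under a memory checker (ASan/valgrind) for a definitive result.` The same caveat applies to the rewritten test body in the follow-up commit.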
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -6,7 +6,6 @@ from __future__ import absolute_import, division, print_function
 
 import binascii
 import datetime
-import gc
 import ipaddress
 import os
 
@@ -178,17 +177,13 @@ class TestCertificateRevocationList(object):
 """
 This test attempts to trigger the crash condition described in
 https://github.com/pyca/cryptography/issues/2557
+ PyPy does gc at its own pace, so it will only be reliable on CPython.
 """
- crl = _load_cert(
+ revoked = _load_cert(
 os.path.join("x509", "custom", "crl_all_reasons.pem"),
 x509.load_pem_x509_crl,
 backend
- )
- revoked = crl[11]
- crl = "overwritten"
- # force a gc collection to potentially X509_CRL_free if there are
- # no references to the X509_CRL left.
- gc.collect()
+ )[11]
 assert revoked.revocation_date == datetime.datetime(2015, 1, 1, 0, 0)
 assert revoked.serial_number == 11
 
-- 
cgit v1.2.3
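Review bot: The rewritten body depends on the CRL being an unnamed temporary in `_load_cert(...)[11]`, but nothing next to the call says this is deliberate. A later cleanup that binds the result to a name again would keep the X509_CRL alive for the whole test and quietly turn this regression test into a no-op. I would add a comment above the call such as `# Do not bind the CRL to a name: the temporary must be the only reference so it is released before the asserts run.` The new docstring line could also say what happens on PyPy (presumably the test still passes but may not exercise the free), since "only reliable on CPython" leaves that open. The test's `def` line is outside this hunk.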