[3.12] gh-117310: Remove extra DECREF on "no ciphers" error path in _ssl._SSLContext constructor (GH-117309) (GH-117317)

miss-islington · gpshead · web-flow · commit 5a6318f2aab0 · 2024-03-28T10:04:57.000-07:00
gh-117310: Remove extra DECREF on "no ciphers" error path in `_ssl._SSLContext` constructor (GH-117309) Remove extra self DECREF on ssl "no ciphers" error path. This doesn't come up in practice because nobody links against a broken OpenSSL library that provides nothing. (cherry picked from commit 8cb7d7f) Co-authored-by: Gregory P. Smith <greg@krypto.org>
diff --git a/Misc/NEWS.d/next/Library/2024-03-27-21-05-52.gh-issue-117310.Bt2wox.rst b/Misc/NEWS.d/next/Library/2024-03-27-21-05-52.gh-issue-117310.Bt2wox.rst
@@ -0,0 +1,4 @@
+Fixed an unlikely early & extra ``Py_DECREF`` triggered crash in :mod:`ssl`
+when creating a new ``_ssl._SSLContext`` if CPython was built implausibly such
+that the default cipher list is empty **or** the SSL library it was linked
+against reports a failure from its C ``SSL_CTX_set_cipher_list()`` API.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
@@ -3143,7 +3143,6 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
         result = SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL");
     }
     if (result == 0) {
-        Py_DECREF(self);
         ERR_clear_error();
         PyErr_SetString(get_state_ctx(self)->PySSLErrorObject,
                         "No cipher can be selected.");

Original file line number	Diff line number	Diff line change
`@@ -3143,7 +3143,6 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)`
`3143`	`3143`	`result = SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!eNULL");`
`3144`	`3144`	`}`
`3145`	`3145`	`if (result == 0) {`
`3146`		`- Py_DECREF(self);`
`3147`	`3146`	`ERR_clear_error();`
`3148`	`3147`	`PyErr_SetString(get_state_ctx(self)->PySSLErrorObject,`
`3149`	`3148`	`"No cipher can be selected.");`