[Python-checkins] cpython (merge 3.3 -> default): Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module,
antoine.pitrou
python-checkins at python.org
Sat Dec 28 17:31:03 CET 2013
http://hg.python.org/cpython/rev/f7dc02e6987a
changeset: 88213:f7dc02e6987a
parent: 88211:fef075ddaec9
parent: 88212:a00842b783cf
user: Antoine Pitrou <solipsis at pitrou.net>
date: Sat Dec 28 17:30:51 2013 +0100
summary:
Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.
files:
Doc/library/ssl.rst | 22 ++++++++++++++--------
Lib/ssl.py | 5 +++++
Lib/test/test_ssl.py | 11 +++++++++++
Misc/NEWS | 3 +++
4 files changed, 33 insertions(+), 8 deletions(-)
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -142,13 +142,16 @@
Takes an instance ``sock`` of :class:`socket.socket`, and returns an instance
of :class:`ssl.SSLSocket`, a subtype of :class:`socket.socket`, which wraps
- the underlying socket in an SSL context. For client-side sockets, the
- context construction is lazy; if the underlying socket isn't connected yet,
- the context construction will be performed after :meth:`connect` is called on
- the socket. For server-side sockets, if the socket has no remote peer, it is
- assumed to be a listening socket, and the server-side SSL wrapping is
- automatically performed on client connections accepted via the :meth:`accept`
- method. :func:`wrap_socket` may raise :exc:`SSLError`.
+ the underlying socket in an SSL context. ``sock`` must be a
+ :data:`~socket.SOCK_STREAM` socket; other socket types are unsupported.
+
+ For client-side sockets, the context construction is lazy; if the
+ underlying socket isn't connected yet, the context construction will be
+ performed after :meth:`connect` is called on the socket. For
+ server-side sockets, if the socket has no remote peer, it is assumed
+ to be a listening socket, and the server-side SSL wrapping is
+ automatically performed on client connections accepted via the
+ :meth:`accept` method. :func:`wrap_socket` may raise :exc:`SSLError`.
The ``keyfile`` and ``certfile`` parameters specify optional files which
contain a certificate to be used to identify the local side of the
@@ -1146,7 +1149,10 @@
server_hostname=None)
Wrap an existing Python socket *sock* and return an :class:`SSLSocket`
- object. The SSL socket is tied to the context, its settings and
+ object. *sock* must be a :data:`~socket.SOCK_STREAM` socket; other socket
+ types are unsupported.
+
+ The returned SSL socket is tied to the context, its settings and
certificates. The parameters *server_side*, *do_handshake_on_connect*
and *suppress_ragged_eofs* have the same meaning as in the top-level
:func:`wrap_socket` function.
diff --git a/Lib/ssl.py b/Lib/ssl.py
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -150,6 +150,7 @@
from socket import getnameinfo as _getnameinfo
from socket import SHUT_RDWR as _SHUT_RDWR
from socket import socket, AF_INET, SOCK_STREAM, create_connection
+from socket import SOL_SOCKET, SO_TYPE
import base64 # for DER-to-PEM translation
import traceback
import errno
@@ -482,6 +483,10 @@
self.ssl_version = ssl_version
self.ca_certs = ca_certs
self.ciphers = ciphers
+ # Can't use sock.type as other flags (such as SOCK_NONBLOCK) get
+ # mixed in.
+ if sock.getsockopt(SOL_SOCKET, SO_TYPE) != SOCK_STREAM:
+ raise NotImplementedError("only stream sockets are supported")
if server_side and server_hostname:
raise ValueError("server_hostname can only be specified "
"in client mode")
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -632,6 +632,17 @@
self.assertEqual(ssl.Purpose.CLIENT_AUTH.oid,
'1.3.6.1.5.5.7.3.2')
+ def test_unsupported_dtls(self):
+ s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+ self.addCleanup(s.close)
+ with self.assertRaises(NotImplementedError) as cx:
+ ssl.wrap_socket(s, cert_reqs=ssl.CERT_NONE)
+ self.assertEqual(str(cx.exception), "only stream sockets are supported")
+ ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ with self.assertRaises(NotImplementedError) as cx:
+ ctx.wrap_socket(s)
+ self.assertEqual(str(cx.exception), "only stream sockets are supported")
+
class ContextTests(unittest.TestCase):
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -44,6 +44,9 @@
Library
-------
+- Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl
+ module, rather than silently let them emit clear text data.
+
- Issue #20046: Locale alias table no longer contains entities which can be
calculated. Generalized support of the euro modifier.
--
Repository URL: http://hg.python.org/cpython
More information about the Python-checkins
mailing list