Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

bpo-31711: Fix for calling SSLSocket.send with empty input. #7559

Closed
wants to merge 6 commits into from
Closed

bpo-31711: Fix for calling SSLSocket.send with empty input. #7559

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
9a3f389
Fix for calling SSLSocket.send with empty input.
rkondratenko Jun 9, 2018
8cd70f8
Added news entry for previous commit
rkondratenko Jun 9, 2018
7c90059
Moving check for empty input in SSLSocket.send()
rkondratenko Jun 14, 2018
49fa684
Adding test for empty input in SSLSocket.send()
rkondratenko Jun 14, 2018
8ed37b4
Fixing misprint in comment
rkondratenko Jun 18, 2018
94fbeb1
Added missing space in comments
rkondratenko Aug 1, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion Lib/test/test_ssl.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2466,7 +2466,7 @@ def server_params_test(client_context, server_context, indata=b"FOO\n",
sys.stdout.write(
" client: sending %r...\n" % indata)
s.write(arg)
outdata = s.read()
outdata = s.read() if len(arg) > 0 else b''
if connectionchatty:
if support.verbose:
sys.stdout.write(" client: read %r\n" % outdata)
Expand Down Expand Up @@ -2578,6 +2578,14 @@ def test_echo(self):
chatty=True, connectionchatty=True,
sni_name=hostname)

## Testing that SSLSocket can handle empty input
with self.subTest(client=ssl.PROTOCOL_TLS_CLIENT, server=ssl.PROTOCOL_TLS_SERVER):
server_params_test(client_context=client_context,
server_context=server_context,
indata = b'',
chatty=True, connectionchatty=True,
sni_name=hostname)

client_context.check_hostname = False
with self.subTest(client=ssl.PROTOCOL_TLS_SERVER, server=ssl.PROTOCOL_TLS_CLIENT):
with self.assertRaises(ssl.SSLError) as e:
Expand Down
2 changes: 2 additions & 0 deletions Misc/NEWS.d/next/Library/2018-06-09-17-15-35.bpo-31711.sOj9dl.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
Avoiding triggering undefined behaviour from SSL_write when calling
SSLSocket.send() with empty input.
7 changes: 7 additions & 0 deletions Modules/_ssl.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2247,6 +2247,13 @@ _ssl__SSLSocket_write_impl(PySSLSocket *self, Py_buffer *b)
"string longer than %d bytes", INT_MAX);
goto error;
}
if (b->len == 0) {
/* Sending 0 bytes to SSL_write is undefined behaviour per OpenSSL documentation.
* SSLSocket imitates normal socket in Python.
* We have to guard against empty input here. */
Py_XDECREF(sock);
return PyLong_FromLong(0);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This breaks implicit handshake and possible TLS 1.3 edge cases, see comment.

}

if (sock != NULL) {
/* just in case the blocking state of the socket has been changed */
Expand Down