Commit 63cc99d9 authored by Antoine Pitrou's avatar Antoine Pitrou

Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module,...

Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.
parent e891de3c
...@@ -69,13 +69,16 @@ Functions, Constants, and Exceptions ...@@ -69,13 +69,16 @@ Functions, Constants, and Exceptions
Takes an instance ``sock`` of :class:`socket.socket`, and returns an instance Takes an instance ``sock`` of :class:`socket.socket`, and returns an instance
of :class:`ssl.SSLSocket`, a subtype of :class:`socket.socket`, which wraps of :class:`ssl.SSLSocket`, a subtype of :class:`socket.socket`, which wraps
the underlying socket in an SSL context. For client-side sockets, the the underlying socket in an SSL context. ``sock`` must be a
context construction is lazy; if the underlying socket isn't connected yet, :data:`~socket.SOCK_STREAM` socket; other socket types are unsupported.
the context construction will be performed after :meth:`connect` is called on
the socket. For server-side sockets, if the socket has no remote peer, it is For client-side sockets, the context construction is lazy; if the
assumed to be a listening socket, and the server-side SSL wrapping is underlying socket isn't connected yet, the context construction will be
automatically performed on client connections accepted via the :meth:`accept` performed after :meth:`connect` is called on the socket. For
method. :func:`wrap_socket` may raise :exc:`SSLError`. server-side sockets, if the socket has no remote peer, it is assumed
to be a listening socket, and the server-side SSL wrapping is
automatically performed on client connections accepted via the
:meth:`accept` method. :func:`wrap_socket` may raise :exc:`SSLError`.
The ``keyfile`` and ``certfile`` parameters specify optional files which The ``keyfile`` and ``certfile`` parameters specify optional files which
contain a certificate to be used to identify the local side of the contain a certificate to be used to identify the local side of the
......
...@@ -89,6 +89,7 @@ else: ...@@ -89,6 +89,7 @@ else:
from socket import socket, _fileobject, _delegate_methods, error as socket_error from socket import socket, _fileobject, _delegate_methods, error as socket_error
from socket import getnameinfo as _getnameinfo from socket import getnameinfo as _getnameinfo
from socket import SOL_SOCKET, SO_TYPE, SOCK_STREAM
import base64 # for DER-to-PEM translation import base64 # for DER-to-PEM translation
import errno import errno
...@@ -108,6 +109,10 @@ class SSLSocket(socket): ...@@ -108,6 +109,10 @@ class SSLSocket(socket):
ssl_version=PROTOCOL_SSLv23, ca_certs=None, ssl_version=PROTOCOL_SSLv23, ca_certs=None,
do_handshake_on_connect=True, do_handshake_on_connect=True,
suppress_ragged_eofs=True, ciphers=None): suppress_ragged_eofs=True, ciphers=None):
# Can't use sock.type as other flags (such as SOCK_NONBLOCK) get
# mixed in.
if sock.getsockopt(SOL_SOCKET, SO_TYPE) != SOCK_STREAM:
raise NotImplementedError("only stream sockets are supported")
socket.__init__(self, _sock=sock._sock) socket.__init__(self, _sock=sock._sock)
# The initializer for socket overrides the methods send(), recv(), etc. # The initializer for socket overrides the methods send(), recv(), etc.
# in the instancce, which we don't need -- but we want to provide the # in the instancce, which we don't need -- but we want to provide the
......
...@@ -232,6 +232,13 @@ class BasicSocketTests(unittest.TestCase): ...@@ -232,6 +232,13 @@ class BasicSocketTests(unittest.TestCase):
self.assertRaises(socket.error, ss.send, b'x') self.assertRaises(socket.error, ss.send, b'x')
self.assertRaises(socket.error, ss.sendto, b'x', ('0.0.0.0', 0)) self.assertRaises(socket.error, ss.sendto, b'x', ('0.0.0.0', 0))
def test_unsupported_dtls(self):
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
self.addCleanup(s.close)
with self.assertRaises(NotImplementedError) as cx:
ssl.wrap_socket(s, cert_reqs=ssl.CERT_NONE)
self.assertEqual(str(cx.exception), "only stream sockets are supported")
class NetworkedTests(unittest.TestCase): class NetworkedTests(unittest.TestCase):
......
...@@ -27,6 +27,9 @@ Core and Builtins ...@@ -27,6 +27,9 @@ Core and Builtins
Library Library
------- -------
- Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl
module, rather than silently let them emit clear text data.
- Issue #20027: Fixed locale aliases for devanagari locales. - Issue #20027: Fixed locale aliases for devanagari locales.
- Issue #20067: Tkinter variables now work when wantobjects is false. - Issue #20067: Tkinter variables now work when wantobjects is false.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment