bpo-33136: Harden ssl module against CVE-2018-8970 (GH-6229)

Harden ssl module against LibreSSL CVE-2018-8970. X509_VERIFY_PARAM_set1_host() is called with an explicit namelen. A new test ensures that NULL bytes are not allowed. Signed-off-by: Christian Heimes <christian@python.org>
author: Christian Heimes <christian@python.org> 2018-03-25 12:36:13 +0200
committer: GitHub <noreply@github.com> 2018-03-25 12:36:13 +0200
commit: d02ac25ab0879f1a6de6937573bf00a16b7bd22e (patch)
tree: a0843a85918e73dc71d7279eac60382928c95de7 /Lib/test/test_ssl.py
parent: e4ce9fa89cb542dced553710b05de85202bc4715 (diff)
download: cpython-git-d02ac25ab0879f1a6de6937573bf00a16b7bd22e.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 8d98b805b4..36580d55b9 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -1660,6 +1660,9 @@ class SSLErrorTests(unittest.TestCase):
         with self.assertRaises(ValueError):
             ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
                          server_hostname=".example.org")
+        with self.assertRaises(TypeError):
+            ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
+                         server_hostname="example.org\x00evil.com")
 
 
 class MemoryBIOTests(unittest.TestCase):
author	Christian Heimes <christian@python.org>	2018-03-25 12:36:13 +0200
committer	GitHub <noreply@github.com>	2018-03-25 12:36:13 +0200
commit	d02ac25ab0879f1a6de6937573bf00a16b7bd22e (patch)
tree	a0843a85918e73dc71d7279eac60382928c95de7 /Lib/test/test_ssl.py
parent	e4ce9fa89cb542dced553710b05de85202bc4715 (diff)
download	cpython-git-d02ac25ab0879f1a6de6937573bf00a16b7bd22e.tar.gz