| -rw-r--r-- | Doc/library/ssl.rst | 22 | ||||
| -rw-r--r-- | Lib/ssl.py | 5 | ||||
| -rw-r--r-- | Lib/test/test_ssl.py | 11 | ||||
| -rw-r--r-- | Misc/NEWS | 3 | 
4 files changed, 33 insertions, 8 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index e2d3c3f851..76bb432a60 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -142,13 +142,16 @@ instead.
    Takes an instance ``sock`` of :class:`socket.socket`, and returns an instance
    of :class:`ssl.SSLSocket`, a subtype of :class:`socket.socket`, which wraps
-   the underlying socket in an SSL context.  For client-side sockets, the
-   context construction is lazy; if the underlying socket isn't connected yet,
-   the context construction will be performed after :meth:`connect` is called on
-   the socket.  For server-side sockets, if the socket has no remote peer, it is
-   assumed to be a listening socket, and the server-side SSL wrapping is
-   automatically performed on client connections accepted via the :meth:`accept`
-   method.  :func:`wrap_socket` may raise :exc:`SSLError`.
+   the underlying socket in an SSL context.  ``sock`` must be a
+   :data:`~socket.SOCK_STREAM` socket; other socket types are unsupported.
+
+   For client-side sockets, the context construction is lazy; if the
+   underlying socket isn't connected yet, the context construction will be
+   performed after :meth:`connect` is called on the socket.  For
+   server-side sockets, if the socket has no remote peer, it is assumed
+   to be a listening socket, and the server-side SSL wrapping is
+   automatically performed on client connections accepted via the
+   :meth:`accept` method.  :func:`wrap_socket` may raise :exc:`SSLError`.
    The ``keyfile`` and ``certfile`` parameters specify optional files which
    contain a certificate to be used to identify the local side of the
@@ -1146,7 +1149,10 @@ to speed up repeated connections from the same clients.
       server_hostname=None)
    Wrap an existing Python socket *sock* and return an :class:`SSLSocket`
-   object.  The SSL socket is tied to the context, its settings and
+   object.  *sock* must be a :data:`~socket.SOCK_STREAM` socket; other socket
+   types are unsupported.
+
+   The returned SSL socket is tied to the context, its settings and
    certificates.  The parameters *server_side*, *do_handshake_on_connect*
    and *suppress_ragged_eofs* have the same meaning as in the top-level
    :func:`wrap_socket` function.
diff --git a/Lib/ssl.py b/Lib/ssl.py
index 052a118abb..4408e7b743 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -150,6 +150,7 @@ if sys.platform == "win32":
 from socket import getnameinfo as _getnameinfo
 from socket import SHUT_RDWR as _SHUT_RDWR
 from socket import socket, AF_INET, SOCK_STREAM, create_connection
+from socket import SOL_SOCKET, SO_TYPE
 import base64        # for DER-to-PEM translation
 import traceback
 import errno
@@ -482,6 +483,10 @@ class SSLSocket(socket):
             self.ssl_version = ssl_version
             self.ca_certs = ca_certs
             self.ciphers = ciphers
+        # Can't use sock.type as other flags (such as SOCK_NONBLOCK) get
+        # mixed in.
+        if sock.getsockopt(SOL_SOCKET, SO_TYPE) != SOCK_STREAM:
+            raise NotImplementedError("only stream sockets are supported")
         if server_side and server_hostname:
             raise ValueError("server_hostname can only be specified "
                              "in client mode")
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 6eb88d729e..14d3cc1e96 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
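Review bot: In the SSLSocket.__init__ hunk of Lib/ssl.py the new guard calls `sock.getsockopt(SOL_SOCKET, SO_TYPE)` unconditionally, so if the constructor still accepts `sock=None` with a `fileno` or `family` fallback (its signature and the rest of its body are outside the hunk), that path now fails with AttributeError instead of either building the socket or raising the intended NotImplementedError. If that path is still supported, `if sock is not None and sock.getsockopt(SOL_SOCKET, SO_TYPE) != SOCK_STREAM:` keeps the plaintext-leak protection for wrapped sockets without changing it; if it should be rejected as well, the check has to run against `self` once the underlying socket has been initialised. The check appears to sit before the caller's socket is adopted or detached, which is the right place because a rejected caller keeps a usable socket; one comment line would make that intent explicit: `# Checked before the fd is adopted, so a rejected caller keeps its socket.`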
@@ -632,6 +632,17 @@ class BasicSocketTests(unittest.TestCase):
         self.assertEqual(ssl.Purpose.CLIENT_AUTH.oid,
                               '1.3.6.1.5.5.7.3.2')
+    def test_unsupported_dtls(self):
+        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+        self.addCleanup(s.close)
+        with self.assertRaises(NotImplementedError) as cx:
+            ssl.wrap_socket(s, cert_reqs=ssl.CERT_NONE)
+        self.assertEqual(str(cx.exception), "only stream sockets are supported")
+        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+        with self.assertRaises(NotImplementedError) as cx:
+            ctx.wrap_socket(s)
+        self.assertEqual(str(cx.exception), "only stream sockets are supported")
+
 class ContextTests(unittest.TestCase):
@@ -44,6 +44,9 @@ Core and Builtins
 Library
 -------
+- Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl
+  module, rather than silently let them emit clear text data.
+
 - Issue #20046: Locale alias table no longer contains entities which can be
   calculated.  Generalized support of the euro modifier.
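Review bot: The two `self.assertEqual(str(cx.exception), "only stream sockets are supported")` lines in test_unsupported_dtls repeat the message literal; `with self.assertRaisesRegex(NotImplementedError, "only stream sockets are supported"):` makes each check a single statement and keeps the expected text in one place if the message ever changes. The test exercises the datagram case through both the module-level wrap_socket and SSLContext.wrap_socket, which matches the change; a case for the `sock=None` constructor path, if ssl.py still supports it, would pin that the new type check does not break it. The enclosing BasicSocketTests class starts outside the hunk.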
