author | Christian Heimes <christian@python.org> | 2018-02-25 08:47:02 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-02-25 08:47:02 (GMT) |
commit | e9370a47389903bb72badc95032ec84a0ebbf8cc (patch) | |
tree | 766fb8c736a2185e86347046b1133110830e4501 | |
parent | fc9471a888f373aedff3c118ae9a6cbf2037bd7c (diff) | |
download | cpython-e9370a47389903bb72badc95032ec84a0ebbf8cc.zip cpython-e9370a47389903bb72badc95032ec84a0ebbf8cc.tar.gz cpython-e9370a47389903bb72badc95032ec84a0ebbf8cc.tar.bz2 |
bpo-32185: Don't send IP in SNI TLS extension (#5865)
The SSL module no longer sends IP addresses in the SNI TLS extension on
platforms with OpenSSL 1.0.2+ or inet_pton.
Signed-off-by: Christian Heimes <christian@python.org>
-rw-r--r-- | Misc/NEWS.d/next/Library/2017-12-20-09-25-10.bpo-32185.IL0cMt.rst | 2 | ||||
-rw-r--r-- | Modules/_ssl.c | 42 |
2 files changed, 42 insertions, 2 deletions
diff --git a/Misc/NEWS.d/next/Library/2017-12-20-09-25-10.bpo-32185.IL0cMt.rst b/Misc/NEWS.d/next/Library/2017-12-20-09-25-10.bpo-32185.IL0cMt.rst
new file mode 100644
index 0000000..bfb2533
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2017-12-20-09-25-10.bpo-32185.IL0cMt.rst
@@ -0,0 +1,2 @@
+The SSL module no longer sends IP addresses in SNI TLS extension on
+platforms with OpenSSL 1.0.2+ or inet_pton.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index df8c6a7..e8cffef 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -55,6 +55,11 @@ static PySocketModule_APIObject PySocketModule;
 #include <sys/poll.h>
 #endif
 
+#ifndef MS_WINDOWS
+/* inet_pton */
+#include <arpa/inet.h>
+#endif
+
 /* Don't warn about deprecated functions */
 #ifdef __GNUC__
 #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
@@ -667,8 +672,41 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
     SSL_set_mode(self->ssl, mode);
 
 #if HAVE_SNI
-    if (server_hostname != NULL)
-        SSL_set_tlsext_host_name(self->ssl, server_hostname);
+    if (server_hostname != NULL) {
+/* Don't send SNI for IP addresses. We cannot simply use inet_aton() and
+ * inet_pton() here. inet_aton() may be linked weakly and inet_pton() isn't
+ * available on all platforms. Use OpenSSL's IP address parser. It's
+ * available since 1.0.2 and LibreSSL since at least 2.3.0. */
+        int send_sni = 1;
+#if OPENSSL_VERSION_NUMBER >= 0x10200000L
+        ASN1_OCTET_STRING *ip = a2i_IPADDRESS(server_hostname);
+        if (ip == NULL) {
+            send_sni = 1;
+            ERR_clear_error();
+        } else {
+            send_sni = 0;
+            ASN1_OCTET_STRING_free(ip);
+        }
+#elif defined(HAVE_INET_PTON)
+#ifdef ENABLE_IPV6
+        char packed[Py_MAX(sizeof(struct in_addr), sizeof(struct in6_addr))];
+#else
+        char packed[sizeof(struct in_addr)];
+#endif /* ENABLE_IPV6 */
+        if (inet_pton(AF_INET, server_hostname, packed)) {
+            send_sni = 0;
+#ifdef ENABLE_IPV6
+        } else if(inet_pton(AF_INET6, server_hostname, packed)) {
+            send_sni = 0;
+#endif /* ENABLE_IPV6 */
+        } else {
+            send_sni = 1;
+        }
+#endif /* HAVE_INET_PTON */
+        if (send_sni) {
+            SSL_set_tlsext_host_name(self->ssl, server_hostname);
+        }
+    }
 #endif
 
     /* If the socket is in non-blocking mode or timeout mode, set the BIO
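Review bot: The inet_pton fallback treats any non-zero return as "this is an IP address", but inet_pton returns -1 (EAFNOSUPPORT) when the address family is unsupported at runtime, so on an ENABLE_IPV6 build whose libc rejects AF_INET6 the `else if` branch would clear send_sni for every non-IPv4 hostname and silently disable SNI for all connections. Compare against the documented success value instead: `if (inet_pton(AF_INET, server_hostname, packed) == 1) {` and `} else if (inet_pton(AF_INET6, server_hostname, packed) == 1) {`. The a2i_IPADDRESS branch is sound as written, since it yields NULL on any parse failure and the error queue is cleared; the two `send_sni = 1;` assignments merely repeat the initializer and could be dropped. newPySSLSocket begins and ends outside this hunk.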