diff options
| author | Bill Janssen <janssen@parc.com> | 2007-12-14 22:08:56 (GMT) |
|---|---|---|
| committer | Bill Janssen <janssen@parc.com> | 2007-12-14 22:08:56 (GMT) |
| commit | 54cc54c1fe26328d62c70fa55350ad89868c1d61 (patch) | |
| tree | 54bae6f8c8e2b081c9793cd3d1e7b799cdadabee /Lib | |
| parent | 517b9ddda231467e87aafd243c6c561f68d34490 (diff) | |
| download | cpython-54cc54c1fe26328d62c70fa55350ad89868c1d61.zip cpython-54cc54c1fe26328d62c70fa55350ad89868c1d61.tar.gz cpython-54cc54c1fe26328d62c70fa55350ad89868c1d61.tar.bz2 | |
update to fix leak in SSL code
Diffstat (limited to 'Lib')
| -rw-r--r-- | Lib/socket.py | 6 | ||||
| -rw-r--r-- | Lib/ssl.py | 46 | ||||
| -rw-r--r-- | Lib/test/test_ssl.py | 184 |
3 files changed, 184 insertions, 52 deletions
diff --git a/Lib/socket.py b/Lib/socket.py index 62eb82d..eb87673 100644 --- a/Lib/socket.py +++ b/Lib/socket.py @@ -174,11 +174,13 @@ class socket(_socket.socket): if self._closed: self.close() + def _real_close(self): + _socket.socket.close(self) + def close(self): self._closed = True if self._io_refs <= 0: - _socket.socket.close(self) - + self._real_close() def fromfd(fd, family, type, proto=0): """ fromfd(fd, family, type[, proto]) -> socket object @@ -80,6 +80,7 @@ from socket import getnameinfo as _getnameinfo from socket import error as socket_error from socket import dup as _dup import base64 # for DER-to-PEM translation +import traceback class SSLSocket(socket): @@ -94,16 +95,13 @@ class SSLSocket(socket): family=AF_INET, type=SOCK_STREAM, proto=0, fileno=None, suppress_ragged_eofs=True): - self._base = None - if sock is not None: - # copied this code from socket.accept() - fd = sock.fileno() - nfd = _dup(fd) - socket.__init__(self, family=sock.family, type=sock.type, - proto=sock.proto, fileno=nfd) + socket.__init__(self, + family=sock.family, + type=sock.type, + proto=sock.proto, + fileno=_dup(sock.fileno())) sock.close() - sock = None elif fileno is not None: socket.__init__(self, fileno=fileno) else: @@ -136,10 +134,6 @@ class SSLSocket(socket): self.close() raise x - if sock and (self.fileno() != sock.fileno()): - self._base = sock - else: - self._base = None self.keyfile = keyfile self.certfile = certfile self.cert_reqs = cert_reqs @@ -156,19 +150,23 @@ class SSLSocket(socket): # raise an exception here if you wish to check for spurious closes pass - def read(self, len=None, buffer=None): + def read(self, len=0, buffer=None): """Read up to LEN bytes and return them. Return zero-length string on EOF.""" self._checkClosed() try: if buffer: - return self._sslobj.read(buffer, len) + v = self._sslobj.read(buffer, len) else: - return self._sslobj.read(len or 1024) + v = self._sslobj.read(len or 1024) + return v except SSLError as x: if x.args[0] == SSL_ERROR_EOF and self.suppress_ragged_eofs: - return b'' + if buffer: + return 0 + else: + return b'' else: raise @@ -269,7 +267,6 @@ class SSLSocket(socket): while True: try: v = self.read(nbytes, buffer) - sys.stdout.flush() return v except SSLError as x: if x.args[0] == SSL_ERROR_WANT_READ: @@ -302,9 +299,7 @@ class SSLSocket(socket): def _real_close(self): self._sslobj = None # self._closed = True - if self._base: - self._base.close() - socket.close(self) + socket._real_close(self) def do_handshake(self, block=False): """Perform a TLS/SSL handshake.""" @@ -329,8 +324,12 @@ class SSLSocket(socket): self._sslobj = _ssl.sslwrap(self, False, self.keyfile, self.certfile, self.cert_reqs, self.ssl_version, self.ca_certs) - if self.do_handshake_on_connect: - self.do_handshake() + try: + if self.do_handshake_on_connect: + self.do_handshake() + except: + self._sslobj = None + raise def accept(self): """Accepts a new connection from a remote client, and returns @@ -348,10 +347,11 @@ class SSLSocket(socket): self.do_handshake_on_connect), addr) - def __del__(self): + # sys.stderr.write("__del__ on %s\n" % repr(self)) self._real_close() + def wrap_socket(sock, keyfile=None, certfile=None, server_side=False, cert_reqs=CERT_NONE, ssl_version=PROTOCOL_SSLv23, ca_certs=None, diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 18df3f4..81943a5 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -13,6 +13,7 @@ import pprint import urllib, urlparse import shutil import traceback +import asyncore from BaseHTTPServer import HTTPServer from SimpleHTTPServer import SimpleHTTPRequestHandler @@ -79,27 +80,6 @@ class BasicTests(unittest.TestCase): class NetworkedTests(unittest.TestCase): - def testFetchServerCert(self): - - pem = ssl.get_server_certificate(("svn.python.org", 443)) - if not pem: - raise test_support.TestFailed("No server certificate on svn.python.org:443!") - - try: - pem = ssl.get_server_certificate(("svn.python.org", 443), ca_certs=CERTFILE) - except ssl.SSLError as x: - #should fail - if test_support.verbose: - sys.stdout.write("%s\n" % x) - else: - raise test_support.TestFailed("Got server certificate %s for svn.python.org!" % pem) - - pem = ssl.get_server_certificate(("svn.python.org", 443), ca_certs=SVN_PYTHON_ORG_ROOT_CERT) - if not pem: - raise test_support.TestFailed("No server certificate on svn.python.org:443!") - if test_support.verbose: - sys.stdout.write("\nVerified certificate for svn.python.org:443 is\n%s\n" % pem) - def testConnect(self): s = ssl.wrap_socket(socket.socket(socket.AF_INET), @@ -155,6 +135,29 @@ class NetworkedTests(unittest.TestCase): if test_support.verbose: sys.stdout.write("\nNeeded %d calls to do_handshake() to establish session.\n" % count) + def testFetchServerCert(self): + + pem = ssl.get_server_certificate(("svn.python.org", 443)) + if not pem: + raise test_support.TestFailed("No server certificate on svn.python.org:443!") + + return + + try: + pem = ssl.get_server_certificate(("svn.python.org", 443), ca_certs=CERTFILE) + except ssl.SSLError as x: + #should fail + if test_support.verbose: + sys.stdout.write("%s\n" % x) + else: + raise test_support.TestFailed("Got server certificate %s for svn.python.org!" % pem) + + pem = ssl.get_server_certificate(("svn.python.org", 443), ca_certs=SVN_PYTHON_ORG_ROOT_CERT) + if not pem: + raise test_support.TestFailed("No server certificate on svn.python.org:443!") + if test_support.verbose: + sys.stdout.write("\nVerified certificate for svn.python.org:443 is\n%s\n" % pem) + try: import threading @@ -333,7 +336,9 @@ else: def stop (self): self.active = False - class AsyncoreHTTPSServer(threading.Thread): + class OurHTTPSServer(threading.Thread): + + # This one's based on HTTPServer, which is based on SocketServer class HTTPSServer(HTTPServer): @@ -463,6 +468,92 @@ else: self.server.server_close() + class AsyncoreEchoServer(threading.Thread): + + # this one's based on asyncore.dispatcher + + class EchoServer (asyncore.dispatcher): + + class ConnectionHandler (asyncore.dispatcher_with_send): + + def __init__(self, conn, certfile): + self.socket = ssl.wrap_socket(conn, server_side=True, + certfile=certfile, + do_handshake_on_connect=False) + asyncore.dispatcher_with_send.__init__(self, self.socket) + # now we have to do the handshake + # we'll just do it the easy way, and block the connection + # till it's finished. If we were doing it right, we'd + # do this in multiple calls to handle_read... + self.do_handshake(block=True) + + def readable(self): + if isinstance(self.socket, ssl.SSLSocket): + while self.socket.pending() > 0: + self.handle_read_event() + return True + + def handle_read(self): + data = self.recv(1024) + if test_support.verbose: + sys.stdout.write(" server: read %s from client\n" % repr(data)) + if not data: + self.close() + else: + self.send(str(data, 'ASCII', 'strict').lower().encode('ASCII', 'strict')) + + def handle_close(self): + if test_support.verbose: + sys.stdout.write(" server: closed connection %s\n" % self.socket) + + def handle_error(self): + raise + + def __init__(self, port, certfile): + self.port = port + self.certfile = certfile + asyncore.dispatcher.__init__(self) + self.create_socket(socket.AF_INET, socket.SOCK_STREAM) + self.bind(('', port)) + self.listen(5) + + def handle_accept(self): + sock_obj, addr = self.accept() + if test_support.verbose: + sys.stdout.write(" server: new connection from %s:%s\n" %addr) + self.ConnectionHandler(sock_obj, self.certfile) + + def handle_error(self): + raise + + def __init__(self, port, certfile): + self.flag = None + self.active = False + self.server = self.EchoServer(port, certfile) + threading.Thread.__init__(self) + self.setDaemon(True) + + def __str__(self): + return "<%s %s>" % (self.__class__.__name__, self.server) + + def start (self, flag=None): + self.flag = flag + threading.Thread.start(self) + + def run (self): + self.active = True + if self.flag: + self.flag.set() + while self.active: + try: + asyncore.loop(1) + except: + pass + + def stop (self): + self.active = False + self.server.close() + def badCertTest (certfile): server = ThreadedEchoServer(TESTPORT, CERTFILE, certreqs=ssl.CERT_REQUIRED, @@ -509,6 +600,7 @@ else: client_protocol = protocol try: s = ssl.wrap_socket(socket.socket(), + server_side=False, certfile=client_certfile, ca_certs=cacertsfile, cert_reqs=certreqs, @@ -811,11 +903,9 @@ else: server.stop() server.join() - class AsyncoreTests(unittest.TestCase): - - def testAsyncore(self): + def testSocketServer(self): - server = AsyncoreHTTPSServer(TESTPORT, CERTFILE) + server = OurHTTPSServer(TESTPORT, CERTFILE) flag = threading.Event() server.start(flag) # wait for it to start @@ -853,6 +943,47 @@ else: server.stop() server.join() + def testAsyncoreServer(self): + + if test_support.verbose: + sys.stdout.write("\n") + + indata="FOO\n" + server = AsyncoreEchoServer(TESTPORT, CERTFILE) + flag = threading.Event() + server.start(flag) + # wait for it to start + flag.wait() + # try to connect + try: + s = ssl.wrap_socket(socket.socket()) + s.connect(('127.0.0.1', TESTPORT)) + except ssl.SSLError as x: + raise test_support.TestFailed("Unexpected SSL error: " + str(x)) + except Exception as x: + raise test_support.TestFailed("Unexpected exception: " + str(x)) + else: + if test_support.verbose: + sys.stdout.write( + " client: sending %s...\n" % (repr(indata))) + s.sendall(indata.encode('ASCII', 'strict')) + outdata = s.recv() + if test_support.verbose: + sys.stdout.write(" client: read %s\n" % repr(outdata)) + outdata = str(outdata, 'ASCII', 'strict') + if outdata != indata.lower(): + raise test_support.TestFailed( + "bad data <<%s>> (%d) received; expected <<%s>> (%d)\n" + % (repr(outdata[:min(len(outdata),20)]), len(outdata), + repr(indata[:min(len(indata),20)].lower()), len(indata))) + s.write("over\n".encode("ASCII", "strict")) + if test_support.verbose: + sys.stdout.write(" client: closing connection.\n") + s.close() + finally: + server.stop() + server.join() + def findtestsocket(start, end): def testbind(i): @@ -900,7 +1031,6 @@ def test_main(verbose=False): thread_info = test_support.threading_setup() if thread_info and test_support.is_resource_enabled('network'): tests.append(ThreadedTests) - tests.append(AsyncoreTests) test_support.run_unittest(*tests) |