
Commit 0df2eb5

frenzymadnessambv
andauthored
[3.8] gh-108310: Fix TestPreHandshakeClose tests in test_ssl (#110718)
The new class is part of the fix for CVE-2023-40217: b4bcc06 but it's not in the lists of tests so they're not executed. The new tests also need `SHORT_TIMEOUT` constant not available in test.support in 3.8. Co-authored-by: Łukasz Langa <lukasz@langa.pl>
1 parent 01845a1 commit 0df2eb5


2 files changed

+11
-6
lines changed


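--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -150,6 +150,9 @@ def data_file(*name):
 OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
 OP_IGNORE_UNEXPECTED_EOF = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)
 
+# *_TIMEOUT constants are available in test.support in 3.9+
+SHORT_TIMEOUT = 30.0
+
 # Ubuntu has patched OpenSSL and changed behavior of security level 2
 # see https://bugs.python.org/issue41561#msg389003
 def is_ubuntu():
@@ -4835,7 +4838,7 @@ def __init__(self, *, name, call_after_accept, timeout=None):
 self.listener = None # set by .start()
 self.port = None # set by .start()
 if timeout is None:
-self.timeout = support.SHORT_TIMEOUT
+self.timeout = SHORT_TIMEOUT
 else:
 self.timeout = timeout
 super().__init__(name=name)
@@ -4917,7 +4920,7 @@ def test_preauth_data_to_tls_server(self):
 
 def call_after_accept(unused):
 server_accept_called.set()
-if not ready_for_server_wrap_socket.wait(support.SHORT_TIMEOUT):
+if not ready_for_server_wrap_socket.wait(SHORT_TIMEOUT):
 raise RuntimeError("wrap_socket event never set, test may fail.")
 return False # Tell the server thread to continue.
 
@@ -4961,7 +4964,7 @@ def test_preauth_data_to_tls_client(self):
 client_can_continue_with_wrap_socket = threading.Event()
 
 def call_after_accept(conn_to_client):
-if not server_can_continue_with_wrap_socket.wait(support.SHORT_TIMEOUT):
+if not server_can_continue_with_wrap_socket.wait(SHORT_TIMEOUT):
 print("ERROR: test client took too long")
 
 # This forces an immediate connection close via RST on .close().
@@ -4987,7 +4990,7 @@ def call_after_accept(conn_to_client):
 client.connect(server.listener.getsockname())
 server_can_continue_with_wrap_socket.set()
 
-if not client_can_continue_with_wrap_socket.wait(support.SHORT_TIMEOUT):
+if not client_can_continue_with_wrap_socket.wait(SHORT_TIMEOUT):
 self.fail("test server took too long")
 ssl_ctx = ssl.create_default_context()
 try:
@@ -5026,7 +5029,7 @@ def connect(self):
 http.client.HTTPConnection.connect(self)
 
 # Wait for our fault injection server to have done its thing.
-if not server_responding.wait(support.SHORT_TIMEOUT) and support.verbose:
+if not server_responding.wait(SHORT_TIMEOUT) and support.verbose:
 sys.stdout.write("server_responding event never set.")
 self.sock = self._context.wrap_socket(
 self.sock, server_hostname=self.host)
@@ -5104,7 +5107,7 @@ def test_main(verbose=False):
 tests = [
 ContextTests, BasicSocketTests, SSLErrorTests, MemoryBIOTests,
 SSLObjectTests, SimpleBackgroundTests, ThreadedTests,
-TestPostHandshakeAuth, TestSSLDebug
+TestPostHandshakeAuth, TestSSLDebug, TestPreHandshakeClose
 ]
 
 if support.is_resource_enabled('network'):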
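Review bot: The hand-maintained `tests` list in `test_main` still has no guard against the omission this commit repairs: per the description, `TestPreHandshakeClose` (regression coverage for the CVE-2023-40217 fix) was defined but never executed because it was missing from this list. Adding the one class fixes this instance only, and from the visible hunk it cannot be told whether other test classes in the file are also unlisted. I would add a comment above the list, `# Every TestCase subclass in this module must be listed here, or its tests are silently skipped.`, and consider a check that compares the list against the module's TestCase subclasses so a future security backport cannot go untested unnoticed. `test_main` continues outside the hunk.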
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
SSL tests for pre-handshake close were previously not enabled on Python 3.8
2+
due to an incorrect backport. This is now fixed. Patch by Lumír Balhar.
