From 0df2eb5b267fb56d93faf561024548a8816a0269 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lum=C3=ADr=20=27Frenzy=27=20Balhar?=
Date: Wed, 17 Jan 2024 14:43:00 +0100
Subject: [PATCH] [3.8] gh-108310: Fix TestPreHandshakeClose tests in test_ssl (#110718)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The new class is part of the fix for CVE-2023-40217: https://github.com/python/cpython/commit/b4bcc06a9cfe13d96d5270809d963f8ba278f89b but it's not in the lists of tests so they're not executed. The new tests also need `SHORT_TIMEOUT` constant not available in test.support in 3.8.
Co-authored-by: Łukasz Langa
---
 Lib/test/test_ssl.py | 15 +++++++++------
 ...2023-10-11-16-02-55.gh-issue-108310.URRe8Y.rst | 2 ++
 2 files changed, 11 insertions(+), 6 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Tests/2023-10-11-16-02-55.gh-issue-108310.URRe8Y.rst
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 67d3c09d36276c..e729c627064287 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -150,6 +150,9 @@ def data_file(*name):
 OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
 OP_IGNORE_UNEXPECTED_EOF = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)
+# *_TIMEOUT constants are available in test.support in 3.9+
+SHORT_TIMEOUT = 30.0
+
 # Ubuntu has patched OpenSSL and changed behavior of security level 2
 # see https://bugs.python.org/issue41561#msg389003
 def is_ubuntu():
@@ -4835,7 +4838,7 @@ def __init__(self, *, name, call_after_accept, timeout=None):
 self.listener = None # set by .start()
 self.port = None # set by .start()
 if timeout is None:
- self.timeout = support.SHORT_TIMEOUT
+ self.timeout = SHORT_TIMEOUT
 else:
 self.timeout = timeout
 super().__init__(name=name)
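Review bot: The comment above `SHORT_TIMEOUT = 30.0` in the `@@ -150` hunk says where the constant lives in 3.9+ but not where the value 30.0 comes from, or that this copy is fixed. If 30.0 is meant to mirror the default of `test.support.SHORT_TIMEOUT` on later branches (it appears to, but that file is not part of this patch), the comment should say so. Nothing visible here lets a test runner scale the value, so on a loaded machine a timeout in the pre-handshake tests is more likely a timing artefact than a regression of the CVE-2023-40217 fix. Suggested wording: `# Local stand-in for test.support.SHORT_TIMEOUT (3.9+); fixed value, not adjusted by the test runner.`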
@@ -4917,7 +4920,7 @@ def test_preauth_data_to_tls_server(self):
 def call_after_accept(unused):
 server_accept_called.set()
- if not ready_for_server_wrap_socket.wait(support.SHORT_TIMEOUT):
+ if not ready_for_server_wrap_socket.wait(SHORT_TIMEOUT):
 raise RuntimeError("wrap_socket event never set, test may fail.")
 return False # Tell the server thread to continue.
@@ -4961,7 +4964,7 @@ def test_preauth_data_to_tls_client(self):
 client_can_continue_with_wrap_socket = threading.Event()
 def call_after_accept(conn_to_client):
- if not server_can_continue_with_wrap_socket.wait(support.SHORT_TIMEOUT):
+ if not server_can_continue_with_wrap_socket.wait(SHORT_TIMEOUT):
 print("ERROR: test client took too long")
 # This forces an immediate connection close via RST on .close().
@@ -4987,7 +4990,7 @@ def call_after_accept(conn_to_client):
 client.connect(server.listener.getsockname())
 server_can_continue_with_wrap_socket.set()
- if not client_can_continue_with_wrap_socket.wait(support.SHORT_TIMEOUT):
+ if not client_can_continue_with_wrap_socket.wait(SHORT_TIMEOUT):
 self.fail("test server took too long")
 ssl_ctx = ssl.create_default_context()
 try:
@@ -5026,7 +5029,7 @@ def connect(self):
 http.client.HTTPConnection.connect(self)
 # Wait for our fault injection server to have done its thing.
- if not server_responding.wait(support.SHORT_TIMEOUT) and support.verbose:
+ if not server_responding.wait(SHORT_TIMEOUT) and support.verbose:
 sys.stdout.write("server_responding event never set.")
 self.sock = self._context.wrap_socket(
 self.sock, server_hostname=self.host)
@@ -5104,7 +5107,7 @@ def test_main(verbose=False):
 tests = [
 ContextTests, BasicSocketTests, SSLErrorTests, MemoryBIOTests,
 SSLObjectTests, SimpleBackgroundTests, ThreadedTests,
- TestPostHandshakeAuth, TestSSLDebug
+ TestPostHandshakeAuth, TestSSLDebug, TestPreHandshakeClose
 ]
 if support.is_resource_enabled('network'):
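Review bot: In the `@@ -4961` hunk, `call_after_accept` only prints "ERROR: test client took too long" when `server_can_continue_with_wrap_socket.wait(SHORT_TIMEOUT)` times out, then carries on into the forced close. The `@@ -5026` hunk has the same pattern in `connect`, and writes its message only when `support.verbose` is set. These tests guard the CVE-2023-40217 fix, so a missed synchronisation point should surface as a test failure rather than a line on stdout. One way is to record the timeout in an event and assert on it in the test body, e.g. `timed_out.set()` in the callback and `self.assertFalse(timed_out.is_set())` after the server thread is joined (`timed_out` is an illustrative name). Both functions start and end outside their hunks, so a later assertion may already cover this.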
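Review bot: The `tests` list in `test_main` (hunk `@@ -5104`) is a hand-maintained registry, and per the commit message that is why the `TestPreHandshakeClose` regression tests were not being executed on this branch. Adding the class fixes this case, but nothing in the hunk makes the requirement visible to the next backport. A comment above the list would help, e.g. `# Every TestCase class in this file must be listed here (or appended below); unlisted classes are silently not run.` `test_main` continues past the hunk, so conditionally appended classes are not shown.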
diff --git a/Misc/NEWS.d/next/Tests/2023-10-11-16-02-55.gh-issue-108310.URRe8Y.rst b/Misc/NEWS.d/next/Tests/2023-10-11-16-02-55.gh-issue-108310.URRe8Y.rst
new file mode 100644
index 00000000000000..87f0a3b0ddfd30
--- /dev/null
+++ b/Misc/NEWS.d/next/Tests/2023-10-11-16-02-55.gh-issue-108310.URRe8Y.rst
@@ -0,0 +1,2 @@
+SSL tests for pre-handshake close were previously not enabled on Python 3.8
+due to an incorrect backport. This is now fixed. Patch by Lumír Balhar.