bpo-32185: Don't send IP in SNI TLS extension (#5865)

author Christian Heimes <christian@python.org>

Sun, 25 Feb 2018 08:47:02 +0000 (09:47 +0100)

committer GitHub <noreply@github.com>

Sun, 25 Feb 2018 08:47:02 +0000 (09:47 +0100)
author Christian Heimes <christian@python.org>
Sun, 25 Feb 2018 08:47:02 +0000 (09:47 +0100)
committer GitHub <noreply@github.com>
Sun, 25 Feb 2018 08:47:02 +0000 (09:47 +0100)
diff --git a/Misc/NEWS.d/next/Library/2017-12-20-09-25-10.bpo-32185.IL0cMt.rst b/Misc/NEWS.d/next/Library/2017-12-20-09-25-10.bpo-32185.IL0cMt.rst

new file mode 100644 (file)

index 0000000..bfb2533
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2017-12-20-09-25-10.bpo-32185.IL0cMt.rst
@@ -0,0 +1,2 @@
+The SSL module no longer sends IP addresses in SNI TLS extension on
+platforms with OpenSSL 1.0.2+ or inet_pton.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c

index df8c6a7d96d8d875e4ff8d3d021bdb5856c7207e..e8cffef14de0b8ca3cd400090697fd77c946543f 100644 (file)
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -55,6 +55,11 @@ static PySocketModule_APIObject PySocketModule;
  #include <sys/poll.h>
  #endif
  
+#ifndef MS_WINDOWS
+/* inet_pton */
+#include <arpa/inet.h>
+#endif
+
  /* Don't warn about deprecated functions */
  #ifdef __GNUC__
  #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
@@ -667,8 +672,41 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
      SSL_set_mode(self->ssl, mode);
  
  #if HAVE_SNI
-    if (server_hostname != NULL)
-        SSL_set_tlsext_host_name(self->ssl, server_hostname);
+    if (server_hostname != NULL) {
+/* Don't send SNI for IP addresses. We cannot simply use inet_aton() and
+ * inet_pton() here. inet_aton() may be linked weakly and inet_pton() isn't
+ * available on all platforms. Use OpenSSL's IP address parser. It's
+ * available since 1.0.2 and LibreSSL since at least 2.3.0. */
+        int send_sni = 1;
+#if OPENSSL_VERSION_NUMBER >= 0x10200000L
+        ASN1_OCTET_STRING *ip = a2i_IPADDRESS(server_hostname);
+        if (ip == NULL) {
+            send_sni = 1;
+            ERR_clear_error();
+        } else {
+            send_sni = 0;
+            ASN1_OCTET_STRING_free(ip);
+        }
+#elif defined(HAVE_INET_PTON)
+#ifdef ENABLE_IPV6
+        char packed[Py_MAX(sizeof(struct in_addr), sizeof(struct in6_addr))];
+#else
+        char packed[sizeof(struct in_addr)];
+#endif /* ENABLE_IPV6 */
+        if (inet_pton(AF_INET, server_hostname, packed)) {
+            send_sni = 0;
+#ifdef ENABLE_IPV6
+        } else if(inet_pton(AF_INET6, server_hostname, packed)) {
+            send_sni = 0;
+#endif /* ENABLE_IPV6 */
+        } else {
+            send_sni = 1;
+        }
+#endif /* HAVE_INET_PTON */
+        if (send_sni) {
+            SSL_set_tlsext_host_name(self->ssl, server_hostname);
+        }
+    }
  #endif
  
      /* If the socket is in non-blocking mode or timeout mode, set the BIO
author	Christian Heimes <christian@python.org>
	Sun, 25 Feb 2018 08:47:02 +0000 (09:47 +0100)
committer	GitHub <noreply@github.com>
	Sun, 25 Feb 2018 08:47:02 +0000 (09:47 +0100)
Misc/NEWS.d/next/Library/2017-12-20-09-25-10.bpo-32185.IL0cMt.rst	[new file with mode: 0644]	patch \| blob
Modules/_ssl.c		patch \| blob \| history