Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit af9c34f

Browse files
benfoglebenfogle
authored
gh-96931: Fix incorrect results in ssl.SSLSocket.shared_ciphers (#96932)
1 parent ea93bde commit af9c34f

4 files changed

Lines changed: 33 additions & 12 deletions

File tree

Doc/library/ssl.rst

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1218,7 +1218,7 @@ SSL sockets also have the following additional methods and attributes:
12181218

12191219
.. method:: SSLSocket.shared_ciphers()
12201220

1221-
Return the list of ciphers shared by the client during the handshake. Each
1221+
Return the list of ciphers available in both the client and server. Each
12221222
entry of the returned list is a three-value tuple containing the name of the
12231223
cipher, the version of the SSL protocol that defines its use, and the number
12241224
of secret bits the cipher uses. :meth:`~SSLSocket.shared_ciphers` returns

Lib/test/test_ssl.py

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -2082,13 +2082,13 @@ def test_bio_handshake(self):
20822082
self.assertIs(sslobj._sslobj.owner, sslobj)
20832083
self.assertIsNone(sslobj.cipher())
20842084
self.assertIsNone(sslobj.version())
2085-
self.assertIsNotNone(sslobj.shared_ciphers())
2085+
self.assertIsNone(sslobj.shared_ciphers())
20862086
self.assertRaises(ValueError, sslobj.getpeercert)
20872087
if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
20882088
self.assertIsNone(sslobj.get_channel_binding('tls-unique'))
20892089
self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake)
20902090
self.assertTrue(sslobj.cipher())
2091-
self.assertIsNotNone(sslobj.shared_ciphers())
2091+
self.assertIsNone(sslobj.shared_ciphers())
20922092
self.assertIsNotNone(sslobj.version())
20932093
self.assertTrue(sslobj.getpeercert())
20942094
if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
@@ -4051,7 +4051,7 @@ def cb_wrong_return_type(ssl_sock, server_name, initial_context):
40514051
def test_shared_ciphers(self):
40524052
client_context, server_context, hostname = testing_context()
40534053
client_context.set_ciphers("AES128:AES256")
4054-
server_context.set_ciphers("AES256")
4054+
server_context.set_ciphers("AES256:eNULL")
40554055
expected_algs = [
40564056
"AES256", "AES-256",
40574057
# TLS 1.3 ciphers are always enabled

Misc/NEWS.d/next/Library/2022-09-19-08-12-58.gh-issue-96931.x0WQhh.rst

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
Fix incorrect results from :meth:`ssl.SSLSocket.shared_ciphers`

Modules/_ssl.c

Lines changed: 28 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1998,24 +1998,44 @@ static PyObject *
19981998
_ssl__SSLSocket_shared_ciphers_impl(PySSLSocket *self)
19991999
/*[clinic end generated code: output=3d174ead2e42c4fd input=0bfe149da8fe6306]*/
20002000
{
2001-
STACK_OF(SSL_CIPHER) *ciphers;
2002-
int i;
2001+
STACK_OF(SSL_CIPHER) *server_ciphers;
2002+
STACK_OF(SSL_CIPHER) *client_ciphers;
2003+
int i, len;
20032004
PyObject *res;
2005+
const SSL_CIPHER* cipher;
2006+
2007+
/* Rather than use SSL_get_shared_ciphers, we use an equivalent algorithm because:
2008+
2009+
1) It returns a colon seperated list of strings, in an undefined
2010+
order, that we would have to post process back into tuples.
2011+
2) It will return a truncated string with no indication that it has
2012+
done so, if the buffer is too small.
2013+
*/
20042014

2005-
ciphers = SSL_get_ciphers(self->ssl);
2006-
if (!ciphers)
2015+
server_ciphers = SSL_get_ciphers(self->ssl);
2016+
if (!server_ciphers)
20072017
Py_RETURN_NONE;
2008-
res = PyList_New(sk_SSL_CIPHER_num(ciphers));
2018+
client_ciphers = SSL_get_client_ciphers(self->ssl);
2019+
if (!client_ciphers)
2020+
Py_RETURN_NONE;
2021+
2022+
res = PyList_New(sk_SSL_CIPHER_num(server_ciphers));
20092023
if (!res)
20102024
return NULL;
2011-
for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
2012-
PyObject *tup = cipher_to_tuple(sk_SSL_CIPHER_value(ciphers, i));
2025+
len = 0;
2026+
for (i = 0; i < sk_SSL_CIPHER_num(server_ciphers); i++) {
2027+
cipher = sk_SSL_CIPHER_value(server_ciphers, i);
2028+
if (sk_SSL_CIPHER_find(client_ciphers, cipher) < 0)
2029+
continue;
2030+
2031+
PyObject *tup = cipher_to_tuple(cipher);
20132032
if (!tup) {
20142033
Py_DECREF(res);
20152034
return NULL;
20162035
}
2017-
PyList_SET_ITEM(res, i, tup);
2036+
PyList_SET_ITEM(res, len++, tup);
20182037
}
2038+
Py_SET_SIZE(res, len);
20192039
return res;
20202040
}
20212041

0 commit comments

Comments
 (0)