update to fix leak in SSL code
diff --git a/Lib/socket.py b/Lib/socket.py
index 62eb82d..eb87673 100644
--- a/Lib/socket.py
+++ b/Lib/socket.py
@@ -174,11 +174,13 @@
if self._closed:
self.close()
+ def _real_close(self):
+ _socket.socket.close(self)
+
def close(self):
self._closed = True
if self._io_refs <= 0:
- _socket.socket.close(self)
-
+ self._real_close()
def fromfd(fd, family, type, proto=0):
""" fromfd(fd, family, type[, proto]) -> socket object
diff --git a/Lib/ssl.py b/Lib/ssl.py
index be13866..c229cd3 100644
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -80,6 +80,7 @@
from socket import error as socket_error
from socket import dup as _dup
import base64 # for DER-to-PEM translation
+import traceback
class SSLSocket(socket):
@@ -94,16 +95,13 @@
family=AF_INET, type=SOCK_STREAM, proto=0, fileno=None,
suppress_ragged_eofs=True):
- self._base = None
-
if sock is not None:
- # copied this code from socket.accept()
- fd = sock.fileno()
- nfd = _dup(fd)
- socket.__init__(self, family=sock.family, type=sock.type,
- proto=sock.proto, fileno=nfd)
+ socket.__init__(self,
+ family=sock.family,
+ type=sock.type,
+ proto=sock.proto,
+ fileno=_dup(sock.fileno()))
sock.close()
- sock = None
elif fileno is not None:
socket.__init__(self, fileno=fileno)
else:
@@ -136,10 +134,6 @@
self.close()
raise x
- if sock and (self.fileno() != sock.fileno()):
- self._base = sock
- else:
- self._base = None
self.keyfile = keyfile
self.certfile = certfile
self.cert_reqs = cert_reqs
@@ -156,19 +150,23 @@
# raise an exception here if you wish to check for spurious closes
pass
- def read(self, len=None, buffer=None):
+ def read(self, len=0, buffer=None):
"""Read up to LEN bytes and return them.
Return zero-length string on EOF."""
self._checkClosed()
try:
if buffer:
- return self._sslobj.read(buffer, len)
+ v = self._sslobj.read(buffer, len)
else:
- return self._sslobj.read(len or 1024)
+ v = self._sslobj.read(len or 1024)
+ return v
except SSLError as x:
if x.args[0] == SSL_ERROR_EOF and self.suppress_ragged_eofs:
- return b''
+ if buffer:
+ return 0
+ else:
+ return b''
else:
raise
@@ -269,7 +267,6 @@
while True:
try:
v = self.read(nbytes, buffer)
- sys.stdout.flush()
return v
except SSLError as x:
if x.args[0] == SSL_ERROR_WANT_READ:
@@ -302,9 +299,7 @@
def _real_close(self):
self._sslobj = None
# self._closed = True
- if self._base:
- self._base.close()
- socket.close(self)
+ socket._real_close(self)
def do_handshake(self, block=False):
"""Perform a TLS/SSL handshake."""
@@ -329,8 +324,12 @@
self._sslobj = _ssl.sslwrap(self, False, self.keyfile, self.certfile,
self.cert_reqs, self.ssl_version,
self.ca_certs)
- if self.do_handshake_on_connect:
- self.do_handshake()
+ try:
+ if self.do_handshake_on_connect:
+ self.do_handshake()
+ except:
+ self._sslobj = None
+ raise
def accept(self):
"""Accepts a new connection from a remote client, and returns
@@ -348,10 +347,11 @@
self.do_handshake_on_connect),
addr)
-
def __del__(self):
+ # sys.stderr.write("__del__ on %s\n" % repr(self))
self._real_close()
+
def wrap_socket(sock, keyfile=None, certfile=None,
server_side=False, cert_reqs=CERT_NONE,
ssl_version=PROTOCOL_SSLv23, ca_certs=None,
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 18df3f4..81943a5 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -13,6 +13,7 @@
import urllib, urlparse
import shutil
import traceback
+import asyncore
from BaseHTTPServer import HTTPServer
from SimpleHTTPServer import SimpleHTTPRequestHandler
@@ -79,27 +80,6 @@
class NetworkedTests(unittest.TestCase):
- def testFetchServerCert(self):
-
- pem = ssl.get_server_certificate(("svn.python.org", 443))
- if not pem:
- raise test_support.TestFailed("No server certificate on svn.python.org:443!")
-
- try:
- pem = ssl.get_server_certificate(("svn.python.org", 443), ca_certs=CERTFILE)
- except ssl.SSLError as x:
- #should fail
- if test_support.verbose:
- sys.stdout.write("%s\n" % x)
- else:
- raise test_support.TestFailed("Got server certificate %s for svn.python.org!" % pem)
-
- pem = ssl.get_server_certificate(("svn.python.org", 443), ca_certs=SVN_PYTHON_ORG_ROOT_CERT)
- if not pem:
- raise test_support.TestFailed("No server certificate on svn.python.org:443!")
- if test_support.verbose:
- sys.stdout.write("\nVerified certificate for svn.python.org:443 is\n%s\n" % pem)
-
def testConnect(self):
s = ssl.wrap_socket(socket.socket(socket.AF_INET),
@@ -155,6 +135,29 @@
if test_support.verbose:
sys.stdout.write("\nNeeded %d calls to do_handshake() to establish session.\n" % count)
+ def testFetchServerCert(self):
+
+ pem = ssl.get_server_certificate(("svn.python.org", 443))
+ if not pem:
+ raise test_support.TestFailed("No server certificate on svn.python.org:443!")
+
+ return
+
+ try:
+ pem = ssl.get_server_certificate(("svn.python.org", 443), ca_certs=CERTFILE)
+ except ssl.SSLError as x:
+ #should fail
+ if test_support.verbose:
+ sys.stdout.write("%s\n" % x)
+ else:
+ raise test_support.TestFailed("Got server certificate %s for svn.python.org!" % pem)
+
+ pem = ssl.get_server_certificate(("svn.python.org", 443), ca_certs=SVN_PYTHON_ORG_ROOT_CERT)
+ if not pem:
+ raise test_support.TestFailed("No server certificate on svn.python.org:443!")
+ if test_support.verbose:
+ sys.stdout.write("\nVerified certificate for svn.python.org:443 is\n%s\n" % pem)
+
try:
import threading
@@ -333,7 +336,9 @@
def stop (self):
self.active = False
- class AsyncoreHTTPSServer(threading.Thread):
+ class OurHTTPSServer(threading.Thread):
+
+ # This one's based on HTTPServer, which is based on SocketServer
class HTTPSServer(HTTPServer):
@@ -463,6 +468,92 @@
self.server.server_close()
+ class AsyncoreEchoServer(threading.Thread):
+
+ # this one's based on asyncore.dispatcher
+
+ class EchoServer (asyncore.dispatcher):
+
+ class ConnectionHandler (asyncore.dispatcher_with_send):
+
+ def __init__(self, conn, certfile):
+ self.socket = ssl.wrap_socket(conn, server_side=True,
+ certfile=certfile,
+ do_handshake_on_connect=False)
+ asyncore.dispatcher_with_send.__init__(self, self.socket)
+ # now we have to do the handshake
+ # we'll just do it the easy way, and block the connection
+ # till it's finished. If we were doing it right, we'd
+ # do this in multiple calls to handle_read...
+ self.do_handshake(block=True)
+
+ def readable(self):
+ if isinstance(self.socket, ssl.SSLSocket):
+ while self.socket.pending() > 0:
+ self.handle_read_event()
+ return True
+
+ def handle_read(self):
+ data = self.recv(1024)
+ if test_support.verbose:
+ sys.stdout.write(" server: read %s from client\n" % repr(data))
+ if not data:
+ self.close()
+ else:
+ self.send(str(data, 'ASCII', 'strict').lower().encode('ASCII', 'strict'))
+
+ def handle_close(self):
+ if test_support.verbose:
+ sys.stdout.write(" server: closed connection %s\n" % self.socket)
+
+ def handle_error(self):
+ raise
+
+ def __init__(self, port, certfile):
+ self.port = port
+ self.certfile = certfile
+ asyncore.dispatcher.__init__(self)
+ self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
+ self.bind(('', port))
+ self.listen(5)
+
+ def handle_accept(self):
+ sock_obj, addr = self.accept()
+ if test_support.verbose:
+ sys.stdout.write(" server: new connection from %s:%s\n" %addr)
+ self.ConnectionHandler(sock_obj, self.certfile)
+
+ def handle_error(self):
+ raise
+
+ def __init__(self, port, certfile):
+ self.flag = None
+ self.active = False
+ self.server = self.EchoServer(port, certfile)
+ threading.Thread.__init__(self)
+ self.setDaemon(True)
+
+ def __str__(self):
+ return "<%s %s>" % (self.__class__.__name__, self.server)
+
+ def start (self, flag=None):
+ self.flag = flag
+ threading.Thread.start(self)
+
+ def run (self):
+ self.active = True
+ if self.flag:
+ self.flag.set()
+ while self.active:
+ try:
+ asyncore.loop(1)
+ except:
+ pass
+
+ def stop (self):
+ self.active = False
+ self.server.close()
+
def badCertTest (certfile):
server = ThreadedEchoServer(TESTPORT, CERTFILE,
certreqs=ssl.CERT_REQUIRED,
@@ -509,6 +600,7 @@
client_protocol = protocol
try:
s = ssl.wrap_socket(socket.socket(),
+ server_side=False,
certfile=client_certfile,
ca_certs=cacertsfile,
cert_reqs=certreqs,
@@ -811,11 +903,9 @@
server.stop()
server.join()
- class AsyncoreTests(unittest.TestCase):
+ def testSocketServer(self):
- def testAsyncore(self):
-
- server = AsyncoreHTTPSServer(TESTPORT, CERTFILE)
+ server = OurHTTPSServer(TESTPORT, CERTFILE)
flag = threading.Event()
server.start(flag)
# wait for it to start
@@ -853,6 +943,47 @@
server.stop()
server.join()
+ def testAsyncoreServer(self):
+
+ if test_support.verbose:
+ sys.stdout.write("\n")
+
+ indata="FOO\n"
+ server = AsyncoreEchoServer(TESTPORT, CERTFILE)
+ flag = threading.Event()
+ server.start(flag)
+ # wait for it to start
+ flag.wait()
+ # try to connect
+ try:
+ s = ssl.wrap_socket(socket.socket())
+ s.connect(('127.0.0.1', TESTPORT))
+ except ssl.SSLError as x:
+ raise test_support.TestFailed("Unexpected SSL error: " + str(x))
+ except Exception as x:
+ raise test_support.TestFailed("Unexpected exception: " + str(x))
+ else:
+ if test_support.verbose:
+ sys.stdout.write(
+ " client: sending %s...\n" % (repr(indata)))
+ s.sendall(indata.encode('ASCII', 'strict'))
+ outdata = s.recv()
+ if test_support.verbose:
+ sys.stdout.write(" client: read %s\n" % repr(outdata))
+ outdata = str(outdata, 'ASCII', 'strict')
+ if outdata != indata.lower():
+ raise test_support.TestFailed(
+ "bad data <<%s>> (%d) received; expected <<%s>> (%d)\n"
+ % (repr(outdata[:min(len(outdata),20)]), len(outdata),
+ repr(indata[:min(len(indata),20)].lower()), len(indata)))
+ s.write("over\n".encode("ASCII", "strict"))
+ if test_support.verbose:
+ sys.stdout.write(" client: closing connection.\n")
+ s.close()
+ finally:
+ server.stop()
+ server.join()
+
def findtestsocket(start, end):
def testbind(i):
@@ -900,7 +1031,6 @@
thread_info = test_support.threading_setup()
if thread_info and test_support.is_resource_enabled('network'):
tests.append(ThreadedTests)
- tests.append(AsyncoreTests)
test_support.run_unittest(*tests)