classification
Title: Neither DTLS nor error for SSLSocket.sendto() of UDP socket
Type: behavior
Stage: resolved
Components: Library (Lib)
Versions: Python 3.4, Python 3.3, Python 2.7
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: christian.heimes, giampaolo.rodola, janssen, pitrou, python-dev, vajrasky
Priority: normal
Keywords: patch

Created on 2013-10-28 12:56 by christian.heimes, last changed 2013-12-28 16:36 by pitrou. This issue is now closed.

Files
File name Uploaded Description
raises_error_on_wrap_socket_with_sock_dgram.patch vajrasky, 2013-11-04 08:34
raises_error_on_wrap_socket_with_sock_dgram_v2.patch vajrasky, 2013-12-23 02:31
Messages (9)
msg201535 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-10-28 12:56
Python's SSL module doesn't support DTLS (datagram TLS for UDP). The SSL code doesn't complain when a UDP socket is wrapped in an SSL socket. It happily sends the bytes unprotected and not encrypted over the wire:

>>> import ssl, socket
>>> sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
>>> ssock = ssl.wrap_socket(sock)
>>> ssock.sendto(b"data", ("localhost", 12345))
4

TCP sockets at least complain that the connection hasn't been established yet.

>>> sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>>> ssock = ssl.wrap_socket(sock)
>>> ssock.sendto(b"data", ("localhost", 12345))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/heimes/dev/python/cpython/Lib/ssl.py", line 517, in sendto
    return socket.sendto(self, data, flags_or_addr)
BrokenPipeError: [Errno 32] Broken pipe
msg201536 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2013-10-28 12:58
I think either sendto() or wrap_socket() should raise some kind of error for UDP instead of silently sending unencrypted data.
msg201540 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-10-28 13:23
Agreed, this should definitely be fixed.
msg202095 - (view) Author: Vajrasky Kok (vajrasky) * Date: 2013-11-04 08:34
Attached the patch to raise an error when using sock dgram in wrap_socket.

I am still unsure whether I should put the validation in C code (private function _wrap_socket) or not.
msg206840 - (view) Author: Vajrasky Kok (vajrasky) * Date: 2013-12-23 02:31
Thanks, Antoine, for the review! Attached the patch to address Antoine's concern.
msg207036 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-12-28 16:13
Actually, it seems the patch is flawed:

>>> sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
>>> sock.type
2
>>> sock.settimeout(0)
>>> sock.type
2050

But getsockopt() returns the expected value:

>>> sock.getsockopt(socket.SOL_SOCKET, socket.SO_TYPE)
2
msg207037 - (view) Author: Roundup Robot (python-dev) Date: 2013-12-28 16:31
New changeset a00842b783cf by Antoine Pitrou in branch '3.3':
Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.
http://hg.python.org/cpython/rev/a00842b783cf

New changeset f7dc02e6987a by Antoine Pitrou in branch 'default':
Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.
http://hg.python.org/cpython/rev/f7dc02e6987a
msg207038 - (view) Author: Roundup Robot (python-dev) Date: 2013-12-28 16:35
New changeset 44841d81bf14 by Antoine Pitrou in branch '2.7':
Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl module, rather than silently let them emit clear text data.
http://hg.python.org/cpython/rev/44841d81bf14
msg207039 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-12-28 16:36
Updated patch is stricter (it checks for SOCK_STREAM). Pushed!
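
The check this thread converges on, as an added example (not the code from the changesets above): the socket type is read with getsockopt(SO_TYPE), as in msg207036, and anything other than SOCK_STREAM is refused before TLS wrapping. The names kernel_socket_type and wrap_stream_only are hypothetical; the sockets are constructed locally and never connected.

```python
import socket
import ssl


def kernel_socket_type(sock):
    # Ask the kernel via SO_TYPE; msg207036 shows sock.type can carry
    # extra flag bits (2 became 2050 after settimeout(0)).
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_TYPE)


def wrap_stream_only(context, sock, **kwargs):
    """Hypothetical helper: wrap sock with TLS only if it is SOCK_STREAM."""
    so_type = kernel_socket_type(sock)
    if so_type != socket.SOCK_STREAM:
        raise ValueError(
            "refusing TLS wrap: SO_TYPE is %d, expected SOCK_STREAM" % so_type
        )
    return context.wrap_socket(sock, **kwargs)


def demo():
    """Try the guard on constructed sockets; nothing is sent on the wire."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cases = [
        ("udp", socket.SOCK_DGRAM, None),
        ("udp-nonblocking", socket.SOCK_DGRAM, 0),
        ("tcp", socket.SOCK_STREAM, None),
    ]
    results = {}
    for label, kind, timeout in cases:
        with socket.socket(socket.AF_INET, kind) as sock:
            sock.settimeout(timeout)
            try:
                # Unconnected TCP socket: wrapping succeeds, handshake is deferred.
                tls = wrap_stream_only(context, sock, server_hostname="localhost")
                tls.close()
                results[label] = "wrapped"
            except ValueError:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```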
History
Date User Action Args
2013-12-28 16:36:28 pitrou set status: open -> closed; resolution: fixed; messages: + msg207039; stage: needs patch -> resolved
2013-12-28 16:35:21 python-dev set messages: + msg207038
2013-12-28 16:31:01 python-dev set nosy: + python-dev; messages: + msg207037
2013-12-28 16:13:59 pitrou set messages: + msg207036
2013-12-23 02:31:31 vajrasky set files: + raises_error_on_wrap_socket_with_sock_dgram_v2.patch; messages: + msg206840
2013-11-04 08:34:11 vajrasky set files: + raises_error_on_wrap_socket_with_sock_dgram.patch; nosy: + vajrasky; messages: + msg202095; keywords: + patch
2013-10-28 13:23:23 pitrou set messages: + msg201540; components: + Library (Lib), - Extension Modules; stage: needs patch
2013-10-28 12:58:33 christian.heimes set nosy: + janssen, pitrou, giampaolo.rodola; messages: + msg201536
2013-10-28 12:56:51 christian.heimes create