Check for invalid ALPN lists before calling OpenSSL, for consistency (#1056)

* Check for invalid ALPN lists before calling OpenSSL, for consistency Fixes gh-1043 * Soothe flake8
author: Nathaniel J. Smith <njs@pobox.com> 2021-10-27 15:37:33 -0700
committer: GitHub <noreply@github.com> 2021-10-27 18:37:33 -0400
commit: 45c5678e48839e08cd290285c052a65ecb4cac80 (patch)
tree: 5896a3d321de29c29fdc49ac1cf005c55b4afa42
parent: 2ea56348beb51d78310a1a34abd7cdace1350794 (diff)
download: pyopenssl-45c5678e48839e08cd290285c052a65ecb4cac80.tar.gz
2 files changed, 13 insertions, 1 deletions
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index 59f21ce..8ed91a2 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -1421,6 +1421,12 @@ class Context(object):
             This list should be a Python list of bytestrings representing the
             protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.
         """
+        # Different versions of OpenSSL are inconsistent about how they handle
+        # empty proto lists (see #1043), so we avoid the problem entirely by
+        # rejecting them ourselves.
+        if not protos:
+            raise ValueError("at least one protocol must be specified")
+
         # Take the list of protocols and join them together, prefixing them
         # with their lengths.
         protostr = b"".join(
@@ -2449,6 +2455,12 @@ class Connection(object):
             This list should be a Python list of bytestrings representing the
             protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.
         """
+        # Different versions of OpenSSL are inconsistent about how they handle
+        # empty proto lists (see #1043), so we avoid the problem entirely by
+        # rejecting them ourselves.
+        if not protos:
+            raise ValueError("at least one protocol must be specified")
+
         # Take the list of protocols and join them together, prefixing them
         # with their lengths.
         protostr = b"".join(
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index ffc505d..ca363b4 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -1928,7 +1928,7 @@ class TestApplicationLayerProtoNegotiation(object):
         protocols list. Ensure that we produce a user-visible error.
         """
         context = Context(SSLv23_METHOD)
-        with pytest.raises(Error):
+        with pytest.raises(ValueError):
             context.set_alpn_protos([])
 
     def test_alpn_set_on_connection(self):
author	Nathaniel J. Smith <njs@pobox.com>	2021-10-27 15:37:33 -0700
committer	GitHub <noreply@github.com>	2021-10-27 18:37:33 -0400
commit	45c5678e48839e08cd290285c052a65ecb4cac80 (patch)
tree	5896a3d321de29c29fdc49ac1cf005c55b4afa42
parent	2ea56348beb51d78310a1a34abd7cdace1350794 (diff)
download	pyopenssl-45c5678e48839e08cd290285c052a65ecb4cac80.tar.gz