CVE-2023-40217 Add in code for verify_client_post_handshake

rickprice · rickprice · commit 975a51bb299e · 2024-02-07T15:41:41.000-05:00
diff --git a/Lib/ssl.py b/Lib/ssl.py
@@ -851,6 +851,12 @@ def unwrap(self):
         else:
             raise ValueError("No SSL wrapper around " + str(self))
 
+    def verify_client_post_handshake(self):
+        if self._sslobj:
+            return self._sslobj.verify_client_post_handshake()
+        else:
+            raise ValueError("No SSL wrapper around " + str(self))
+
     def _real_close(self):
         self._sslobj = None
         socket._real_close(self)
@@ -952,7 +958,6 @@ def version(self):
             return None
         return self._sslobj.version()
 
-
 def wrap_socket(sock, keyfile=None, certfile=None,
                 server_side=False, cert_reqs=CERT_NONE,
                 ssl_version=PROTOCOL_TLS, ca_certs=None,
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
@@ -4610,3 +4610,27 @@ init_ssl(void)
     if (r == NULL || PyModule_AddObject(m, "_OPENSSL_API_VERSION", r))
         return;
 }
+
+/*[clinic input]
+_ssl._SSLSocket.verify_client_post_handshake
+
+Initiate TLS 1.3 post-handshake authentication
+[clinic start generated code]*/
+
+static PyObject *
+_ssl__SSLSocket_verify_client_post_handshake_impl(PySSLSocket *self)
+/*[clinic end generated code: output=532147f3b1341425 input=6bfa874810a3d889]*/
+{
+#ifdef TLS1_3_VERSION
+    int err = SSL_verify_client_post_handshake(self->ssl);
+    if (err == 0)
+        return _setSSLError(NULL, 0, __FILE__, __LINE__);
+    else
+        Py_RETURN_NONE;
+#else
+    PyErr_SetString(PyExc_NotImplementedError,
+                    "Post-handshake auth is not supported by your "
+                    "OpenSSL version.");
+    return NULL;
+#endif
+}
