Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

gh-137583: Only lock the SSL context, not the SSL socket#137588

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
ZeroIntensity merged 16 commits intopython:mainfromZeroIntensity:ssl-deadlock
Aug 10, 2025
Merged
Show file tree
Hide file tree
Changes from14 commits
Commits
Show all changes
16 commits
Select commitHold shift + click to select a range
0a070e2
Only lock the SSL context, not the SSL socket.
ZeroIntensityAug 9, 2025
42a0351
Fix the test.
ZeroIntensityAug 9, 2025
c776679
Fix race conditions in the test case.
ZeroIntensityAug 9, 2025
90d93c3
I now realize that approach was bad.
ZeroIntensityAug 9, 2025
7ea2613
Some other fixups.
ZeroIntensityAug 9, 2025
5ff4efc
I give up.
ZeroIntensityAug 9, 2025
cf630d7
Stupid workaround.
ZeroIntensityAug 9, 2025
f3ec86c
Add blurb.
ZeroIntensityAug 9, 2025
12a68a5
Fix blurb.
ZeroIntensityAug 9, 2025
d45f6a8
Supposedly this *actually* fixes the blurb.
ZeroIntensityAug 9, 2025
6799b03
Avoid Sphinx references for the blurb.
ZeroIntensityAug 9, 2025
38e29f9
Fix race condition in the test case (for real this time).
ZeroIntensityAug 9, 2025
64f7480
Fix the blurb (hopefully for the last time).
ZeroIntensityAug 9, 2025
6da074e
Fix the Windows buildbots.
ZeroIntensityAug 9, 2025
bb99322
Blurb fixup.
ZeroIntensityAug 10, 2025
36a4d66
Ugh.
ZeroIntensityAug 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 36 additions & 0 deletionsLib/test/test_ssl.py
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -4620,6 +4620,42 @@ def server_callback(identity):
with client_context.wrap_socket(socket.socket()) as s:
s.connect((HOST, server.port))

def test_thread_recv_while_main_thread_sends(self):
# GH-137583: Locking was added to calls to send() and recv() on SSL
# socket objects. This seemed fine at the surface level because those
# calls weren't re-entrant, but recv() calls would implicitly mimick
# holding a lock by blocking until it received data. This means that
# if a thread started to infinitely block until data was received, calls
# to send() would deadlock, because it would wait forever on the lock
# that the recv() call held.
data = b"1" * 1024
event = threading.Event()
def background(sock):
event.set()
received = sock.recv(len(data))
self.assertEqual(received, data)

client_context, server_context, hostname = testing_context()
server = ThreadedEchoServer(context=server_context)
with server:
with client_context.wrap_socket(socket.socket(),
server_hostname=hostname) as sock:
sock.connect((HOST, server.port))
sock.settimeout(1)
sock.setblocking(1)
# Ensure that the server is ready to accept requests
sock.sendall(b"123")
self.assertEqual(sock.recv(3), b"123")
with threading_helper.catch_threading_exception() as cm:
thread = threading.Thread(target=background,
args=(sock,), daemon=True)
thread.start()
event.wait()
sock.sendall(data)
thread.join()
if cm.exc_value is not None:
raise cm.exc_value


@unittest.skipUnless(has_tls_version('TLSv1_3') and ssl.HAS_PHA,
"Test needs TLS 1.3 PHA")
Expand Down
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
Fix a deadlock introduced in 3.13.6 when a call to
:meth:`ssl.SSLSocket.recv <socket.socket.recv>` was blocked in one thread, while another
attempted to call :meth:`ssl.SSLSocket.send <socket.socket.send>` to unblock it in another
thread.
Copy link

@aaugustinaaugustinAug 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I'd simplify this as follows:

Fix a regression in 3.13.6 when a call to:meth:`ssl.SSLSocket.recv <socket.socket.recv>` in a thread would block calling:meth:`ssl.SSLSocket.send <socket.socket.send>` in another thread.

Indeed, the problem happens even without a dependency betweenrecv andsend.

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I don't think we even need to mentionsend at all. Ifrecv was blocked, it's not possible to access most methods on anSSLSocket, because they'll also try to acquire that same lock.

aaugustin reacted with thumbs up emoji
38 changes: 20 additions & 18 deletionsModules/_ssl.c
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -366,9 +366,6 @@ typedef struct {
* and shutdown methods check for chained exceptions.
*/
PyObject *exc;
/* Lock to synchronize calls when the thread state is detached.
See also gh-134698. */
PyMutex tstate_mutex;
} PySSLSocket;

#define PySSLSocket_CAST(op) ((PySSLSocket *)(op))
Expand DownExpand Up@@ -918,7 +915,6 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
self->server_hostname = NULL;
self->err = err;
self->exc = NULL;
self->tstate_mutex = (PyMutex){0};

/* Make sure the SSL error state is initialized */
ERR_clear_error();
Expand DownExpand Up@@ -994,12 +990,12 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
BIO_set_nbio(SSL_get_wbio(self->ssl), 1);
}

PySSL_BEGIN_ALLOW_THREADS(self)
Py_BEGIN_ALLOW_THREADS;
if (socket_type == PY_SSL_CLIENT)
SSL_set_connect_state(self->ssl);
else
SSL_set_accept_state(self->ssl);
PySSL_END_ALLOW_THREADS(self)
Py_END_ALLOW_THREADS;

self->socket_type = socket_type;
if (sock != NULL) {
Expand DownExpand Up@@ -1068,10 +1064,11 @@ _ssl__SSLSocket_do_handshake_impl(PySSLSocket *self)
/* Actually negotiate SSL connection */
/* XXX If SSL_do_handshake() returns 0, it's also a failure. */
do {
PySSL_BEGIN_ALLOW_THREADS(self)
Py_BEGIN_ALLOW_THREADS
ret = SSL_do_handshake(self->ssl);
err = _PySSL_errno(ret < 1, self->ssl, ret);
PySSL_END_ALLOW_THREADS(self)
Py_END_ALLOW_THREADS;
_PySSL_FIX_ERRNO;
self->err = err;

if (PyErr_CheckSignals())
Expand DownExpand Up@@ -2615,10 +2612,11 @@ _ssl__SSLSocket_sendfile_impl(PySSLSocket *self, int fd, Py_off_t offset,
}

do {
PySSL_BEGIN_ALLOW_THREADS(self)
Py_BEGIN_ALLOW_THREADS
retval = SSL_sendfile(self->ssl, fd, (off_t)offset, size, flags);
err = _PySSL_errno(retval < 0, self->ssl, (int)retval);
PySSL_END_ALLOW_THREADS(self)
Py_END_ALLOW_THREADS;
_PySSL_FIX_ERRNO;
self->err = err;

if (PyErr_CheckSignals()) {
Expand DownExpand Up@@ -2746,10 +2744,11 @@ _ssl__SSLSocket_write_impl(PySSLSocket *self, Py_buffer *b)
}

do {
PySSL_BEGIN_ALLOW_THREADS(self)
Py_BEGIN_ALLOW_THREADS;
retval = SSL_write_ex(self->ssl, b->buf, (size_t)b->len, &count);
err = _PySSL_errno(retval == 0, self->ssl, retval);
PySSL_END_ALLOW_THREADS(self)
Py_END_ALLOW_THREADS;
_PySSL_FIX_ERRNO;
self->err = err;

if (PyErr_CheckSignals())
Expand DownExpand Up@@ -2807,10 +2806,11 @@ _ssl__SSLSocket_pending_impl(PySSLSocket *self)
int count = 0;
_PySSLError err;

PySSL_BEGIN_ALLOW_THREADS(self)
Py_BEGIN_ALLOW_THREADS;
count = SSL_pending(self->ssl);
err = _PySSL_errno(count < 0, self->ssl, count);
PySSL_END_ALLOW_THREADS(self)
Py_END_ALLOW_THREADS;
_PySSL_FIX_ERRNO;
self->err = err;

if (count < 0)
Expand DownExpand Up@@ -2901,10 +2901,11 @@ _ssl__SSLSocket_read_impl(PySSLSocket *self, Py_ssize_t len,
deadline = _PyDeadline_Init(timeout);

do {
PySSL_BEGIN_ALLOW_THREADS(self)
Py_BEGIN_ALLOW_THREADS;
retval = SSL_read_ex(self->ssl, mem, (size_t)len, &count);
err = _PySSL_errno(retval == 0, self->ssl, retval);
PySSL_END_ALLOW_THREADS(self)
Py_END_ALLOW_THREADS;
_PySSL_FIX_ERRNO;
self->err = err;

if (PyErr_CheckSignals())
Expand DownExpand Up@@ -3003,7 +3004,7 @@ _ssl__SSLSocket_shutdown_impl(PySSLSocket *self)
}

while (1) {
PySSL_BEGIN_ALLOW_THREADS(self)
Py_BEGIN_ALLOW_THREADS;
/* Disable read-ahead so that unwrap can work correctly.
* Otherwise OpenSSL might read in too much data,
* eating clear text data that happens to be
Expand All@@ -3016,7 +3017,8 @@ _ssl__SSLSocket_shutdown_impl(PySSLSocket *self)
SSL_set_read_ahead(self->ssl, 0);
ret = SSL_shutdown(self->ssl);
err = _PySSL_errno(ret < 0, self->ssl, ret);
PySSL_END_ALLOW_THREADS(self)
Py_END_ALLOW_THREADS;
_PySSL_FIX_ERRNO;
self->err = err;

/* If err == 1, a secure shutdown with SSL_shutdown() is complete */
Expand Down
1 change: 0 additions & 1 deletionModules/_ssl/debughelpers.c
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -140,7 +140,6 @@ _PySSL_keylog_callback(const SSL *ssl, const char *line)
* critical debug helper.
*/

assert(PyMutex_IsLocked(&ssl_obj->tstate_mutex));
Py_BEGIN_ALLOW_THREADS
PyThread_acquire_lock(lock, 1);
res = BIO_printf(ssl_obj->ctx->keylog_bio, "%s\n", line);
Expand Down
Loading
[8]ページ先頭
©2009-2025 Movatter.jp