gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw

[ambv]

Instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data.

The vulnerability is caused when a socket is connected, data is sent by the malicious peer and stored in a buffer, and then the malicious peer closes the socket within a small timing window before the other peers’ TLS handshake can begin. After this sequence of events the closed socket will not immediately attempt a TLS handshake due to not being connected but will also allow the buffered data to be read as if a successful TLS handshake had occurred.

• Issue: CVE-2023-40217: Bypass TLS handshake on closed sockets #108310

[bedevere-bot]

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot AMD64 Windows10 3.x has failed when building commit 0cb0c23.

What do you need to do:

1. Don't panic.
2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
3. Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/146/builds/6080) and take a look at the build logs.
4. Check if the failure is related to this commit (0cb0c23) or if it is a false positive.
5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/146/builds/6080

Failed tests:

• test_sqlite3

Failed subtests:

• test_interact_quit - test.test_sqlite3.test_cli.InteractiveSession.test_interact_quit

Summary of the results of the build (if available):

== Tests result: FAILURE then ENV CHANGED ==

415 tests OK.

10 slowest tests:

• test_math: 4 min 38 sec
• test_multiprocessing_spawn: 4 min 32 sec
• test_tokenize: 2 min 41 sec
• test_peg_generator: 2 min 38 sec
• test_wmi: 2 min 26 sec
• test_unparse: 2 min 22 sec
• test_concurrent_futures: 1 min 52 sec
• test_capi: 1 min 40 sec
• test_pickle: 1 min 34 sec
• test_unicodedata: 1 min 32 sec

1 test altered the execution environment:
test_ssl

31 tests skipped:
test.test_asyncio.test_unix_events test_curses test_dbm_gnu
test_dbm_ndbm test_devpoll test_epoll test_fcntl test_fork1
test_gdb test_grp test_ioctl test_kqueue test_multiprocessing_fork
test_multiprocessing_forkserver test_openpty test_perf_profiler
test_perfmaps test_poll test_posix test_pty test_pwd test_readline
test_resource test_syslog test_threadsignals test_wait3 test_wait4
test_xxlimited test_xxtestfuzz test_zipfile64 test_zoneinfo

1 re-run test:
test_sqlite3

Total duration: 21 min 31 sec

Click to see traceback logs

Traceback (most recent call last):
  File "D:\buildarea\3.x.bolen-windows10\build\Lib\test\test_sqlite3\test_cli.py", line 103, in test_interact_quit
    out, err = proc.communicate(input=".quit", timeout=self.TIMEOUT)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\buildarea\3.x.bolen-windows10\build\Lib\subprocess.py", line 1209, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "D:\buildarea\3.x.bolen-windows10\build\Lib\subprocess.py", line 1628, in _communicate
    raise TimeoutExpired(self.args, orig_timeout)
subprocess.TimeoutExpired: Command '['D:\\buildarea\\3.x.bolen-windows10\\build\\PCbuild\\amd64\\python_d.exe', '-Xutf8', '-m', 'sqlite3']' timed out after 3.0 seconds


Traceback (most recent call last):
  File "D:\buildarea\3.x.bolen-windows10\build\Lib\threading.py", line 1059, in _bootstrap_inner
    self.run()
  File "D:\buildarea\3.x.bolen-windows10\build\Lib\test\test_ssl.py", line 4708, in run
    conn, address = self.listener.accept()
                    ^^^^^^^^^^^^^^^^^^^^^^
  File "D:\buildarea\3.x.bolen-windows10\build\Lib\socket.py", line 295, in accept
    fd, addr = self._accept()
               ^^^^^^^^^^^^^^
TimeoutError: timed out
k

[bedevere-bot]

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot ARM64 Windows 3.x has failed when building commit 0cb0c23.

What do you need to do:

1. Don't panic.
2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
3. Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/729/builds/5277) and take a look at the build logs.
4. Check if the failure is related to this commit (0cb0c23) or if it is a false positive.
5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/729/builds/5277

Summary of the results of the build (if available):

== Tests result: ENV CHANGED ==

413 tests OK.

10 slowest tests:

• test_math: 7 min 34 sec
• test_peg_generator: 6 min 8 sec
• test_multiprocessing_spawn: 4 min 39 sec
• test_tokenize: 2 min 52 sec
• test_unparse: 2 min 35 sec
• test_tarfile: 2 min 17 sec
• test_venv: 1 min 56 sec
• test_compileall: 1 min 52 sec
• test_concurrent_futures: 1 min 47 sec
• test_unicodedata: 1 min 47 sec

1 test altered the execution environment:
test_ssl

33 tests skipped:
test.test_asyncio.test_unix_events test_curses test_dbm_gnu
test_dbm_ndbm test_devpoll test_epoll test_fcntl test_fork1
test_gdb test_grp test_ioctl test_kqueue test_multiprocessing_fork
test_multiprocessing_forkserver test_openpty test_perf_profiler
test_perfmaps test_poll test_posix test_pty test_pwd test_readline
test_resource test_syslog test_threadsignals test_tkinter test_ttk
test_wait3 test_wait4 test_xxlimited test_xxtestfuzz
test_zipfile64 test_zoneinfo

Total duration: 22 min

Click to see traceback logs

Traceback (most recent call last):
  File "C:\Workspace\buildarea\3.x.linaro-win-arm64\build\Lib\threading.py", line 1059, in _bootstrap_inner
    self.run()
  File "C:\Workspace\buildarea\3.x.linaro-win-arm64\build\Lib\test\test_ssl.py", line 4708, in run
    conn, address = self.listener.accept()
                    ^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Workspace\buildarea\3.x.linaro-win-arm64\build\Lib\socket.py", line 295, in accept
    fd, addr = self._accept()
               ^^^^^^^^^^^^^^
TimeoutError: timed out
k

[bedevere-bot]

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot ARM64 Windows Non-Debug 3.x has failed when building commit 0cb0c23.

What do you need to do:

1. Don't panic.
2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
3. Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/730/builds/8723) and take a look at the build logs.
4. Check if the failure is related to this commit (0cb0c23) or if it is a false positive.
5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/730/builds/8723

Summary of the results of the build (if available):

== Tests result: ENV CHANGED ==

414 tests OK.

10 slowest tests:

• test_peg_generator: 4 min 2 sec
• test_multiprocessing_spawn: 2 min 2 sec
• test_concurrent_futures: 1 min 18 sec
• test_socket: 1 min 6 sec
• test_math: 59.9 sec
• test_mmap: 57.8 sec
• test_hashlib: 54.6 sec
• test_largefile: 44.7 sec
• test_io: 38.1 sec
• test_ssl: 37.9 sec

1 test altered the execution environment:
test_ssl

32 tests skipped:
test.test_asyncio.test_unix_events test_curses test_dbm_gnu
test_dbm_ndbm test_devpoll test_epoll test_fcntl test_fork1
test_gdb test_grp test_ioctl test_kqueue test_multiprocessing_fork
test_multiprocessing_forkserver test_openpty test_perf_profiler
test_perfmaps test_poll test_posix test_pty test_pwd test_readline
test_resource test_syslog test_threadsignals test_tkinter test_ttk
test_wait3 test_wait4 test_xxtestfuzz test_zipfile64 test_zoneinfo

Total duration: 9 min 2 sec

Click to see traceback logs

Traceback (most recent call last):
  File "C:\Workspace\buildarea\3.x.linaro-win-arm64.nondebug\build\Lib\threading.py", line 1059, in _bootstrap_inner
    self.run()
  File "C:\Workspace\buildarea\3.x.linaro-win-arm64.nondebug\build\Lib\test\test_ssl.py", line 4708, in run
    conn, address = self.listener.accept()
                    ^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Workspace\buildarea\3.x.linaro-win-arm64.nondebug\build\Lib\socket.py", line 295, in accept
    fd, addr = self._accept()
               ^^^^^^^^^^^^^^
TimeoutError: timed out
k

[bedevere-bot]

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot AMD64 Windows11 Bigmem 3.x has failed when building commit 0cb0c23.

What do you need to do:

1. Don't panic.
2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
3. Go to the page of the buildbot that failed (https://buildbot.python.org/all/#builders/1079/builds/2039) and take a look at the build logs.
4. Check if the failure is related to this commit (0cb0c23) or if it is a false positive.
5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/all/#builders/1079/builds/2039

Summary of the results of the build (if available):

== Tests result: ENV CHANGED ==

415 tests OK.

10 slowest tests:

• test_bigmem: 42 min 31 sec
• test_lzma: 33 min 22 sec
• test_bz2: 20 min 47 sec
• test_array: 7 min 24 sec
• test_zlib: 4 min 53 sec
• test_hashlib: 3 min 57 sec
• test_multiprocessing_spawn: 1 min 54 sec
• test_math: 1 min 40 sec
• test_concurrent_futures: 1 min 15 sec
• test_pickle: 1 min 15 sec

1 test altered the execution environment:
test_ssl

31 tests skipped:
test.test_asyncio.test_unix_events test_curses test_dbm_gnu
test_dbm_ndbm test_devpoll test_epoll test_fcntl test_fork1
test_gdb test_grp test_ioctl test_kqueue test_multiprocessing_fork
test_multiprocessing_forkserver test_openpty test_perf_profiler
test_perfmaps test_poll test_posix test_pty test_pwd test_readline
test_resource test_syslog test_threadsignals test_wait3 test_wait4
test_xxlimited test_xxtestfuzz test_zipfile64 test_zoneinfo

Total duration: 1 hour 1 min

Click to see traceback logs

Traceback (most recent call last):
  File "R:\buildarea\3.x.ambv-bb-win11.bigmem\build\Lib\threading.py", line 1059, in _bootstrap_inner
    self.run()
  File "R:\buildarea\3.x.ambv-bb-win11.bigmem\build\Lib\test\test_ssl.py", line 4708, in run
    conn, address = self.listener.accept()
                    ^^^^^^^^^^^^^^^^^^^^^^
  File "R:\buildarea\3.x.ambv-bb-win11.bigmem\build\Lib\socket.py", line 295, in accept
    fd, addr = self._accept()
               ^^^^^^^^^^^^^^
TimeoutError: timed out
k