[3.9] gh-121227: Disallow setting an empty list for NPN (GH-137161)

2025-12-08 06:10:17 +00:00 · 2025-10-07 13:09:33 +01:00 · 2025-10-07 13:09:33 +01:00 · a2cdbb6e81
commit a2cdbb6e81
parent 312de66fb5
3 changed files with 10 additions and 0 deletions
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@ -520,6 +520,8 @@ def wrap_bio(self, incoming, outgoing, server_side=False,

    def set_npn_protocols(self, npn_protocols):
        protos = bytearray()
+        if not npn_protocols:
+            raise SSLError('NPN protocols must not be empty')
        for protocol in npn_protocols:
            b = bytes(protocol, 'ascii')
            if len(b) == 0 or len(b) > 255:
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@ -4219,6 +4219,12 @@ def test_npn_protocols(self):
                if len(stats['server_npn_protocols']) else 'nothing'
            self.assertEqual(server_result, expected, msg % (server_result, "server"))

+    def test_empty_npn_protocols(self):
+        """npn_protocols cannot be empty, see CVE-2024-5642 & gh-121227"""
+        client_context, server_context, hostname = testing_context()
+        with self.assertRaises(ssl.SSLError):
+            server_context.set_npn_protocols([])
+
    def sni_contexts(self):
        server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_context.load_cert_chain(SIGNED_CERTFILE)
--- a/Misc/NEWS.d/next/Security/2025-07-28-10-35-59.gh-issue-121227.Orp1wf.rst
+++ b/Misc/NEWS.d/next/Security/2025-07-28-10-35-59.gh-issue-121227.Orp1wf.rst
@ -0,0 +1,2 @@
+Raise an :exc:`SSL.SSLError` if an empty *protocols* argument is passed to
+:meth:`ssl.SSLContext.set_npn_protocols` to fix ``CVE-2024-5642``.