Fix issue 6652: Raise aiohttp.ServerFingerprintMismatch exception o…

CHANGES/6652.bugfix

@@ -0,0 +1 @@
+Raise `aiohttp.ServerFingerprintMismatch` exception on client-side if request through http proxy with mismatching server fingerprint digest: `aiohttp.ClientSession(headers=headers, connector=TCPConnector(ssl=aiohttp.Fingerprint(mismatch_digest), trust_env=True).request(...)`.

CONTRIBUTORS.txt

@@ -134,6 +134,7 @@ Franek Magiera
 Frederik Gladhorn
 Frederik Peter Aalund
 Gabriel Tremblay
+Gang Ji
 Gary Wilson Jr.
 Gennady Andreyev
 Georges Dubus

aiohttp/connector.py

@@ -1133,6 +1133,16 @@ async def _start_tls_connection(
                     # chance to do this:
                     underlying_transport.close()
                     raise
+                if isinstance(tls_transport, asyncio.Transport):
+                    fingerprint = self._get_fingerprint(req)
+                    if fingerprint:
+                        try:
+                            fingerprint.check(tls_transport)
+                        except ServerFingerprintMismatch:
+                            tls_transport.close()
+                            if not self._cleanup_closed_disabled:
+                                self._cleanup_closed_transports.append(transp)
+                            raise
         except cert_errors as exc:
             raise ClientConnectorCertificateError(req.connection_key, exc) from exc
         except ssl_errors as exc:

tests/test_proxy.py

@@ -416,6 +416,71 @@ async def make_conn() -> aiohttp.TCPConnector:
                 self.loop.run_until_complete(connector.close())
 
     @mock.patch("aiohttp.connector.ClientRequest")
+    def test_https_connect_fingerprint_mismatch(
+        self, ClientRequestMock: mock.Mock
+    ) -> None:
+        proxy_req = ClientRequest(
+            "GET", URL("http://proxy.example.com"), loop=self.loop
+        )
+        ClientRequestMock.return_value = proxy_req
+
+        proxy_resp = ClientResponse(
+            "get",
+            URL("http://proxy.example.com"),
+            request_info=mock.Mock(),
+            writer=mock.Mock(),
+            continue100=None,
+            timer=TimerNoop(),
+            traces=[],
+            loop=self.loop,
+            session=mock.Mock(),
+        )
+        proxy_req.send = make_mocked_coro(proxy_resp)
+        proxy_resp.start = make_mocked_coro(mock.Mock(status=200))
+
+        async def make_conn() -> aiohttp.TCPConnector:
+            return aiohttp.TCPConnector()
+
+        connector = self.loop.run_until_complete(make_conn())
+        connector._resolve_host = make_mocked_coro(
+            [
+                {
+                    "hostname": "hostname",
+                    "host": "127.0.0.1",
+                    "port": 80,
+                    "family": socket.AF_INET,
+                    "proto": 0,
+                    "flags": 0,
+                }
+            ]
+        )
+        fingerprint_mock = mock.Mock()
+        fingerprint_mock.check.side_effect = aiohttp.ServerFingerprintMismatch(
+            b"exp", b"got", "example.com", 8080
+        )
+        connector._get_fingerprint = mock.Mock(return_value=fingerprint_mock)
+
+        # Called on connection to http://proxy.example.com
+        self.loop.create_connection = make_mocked_coro((mock.Mock(), mock.Mock()))
+
+        # Called on connection to https://www.python.org
+        class TransportMock(asyncio.Transport):
+            def close(self) -> None:
+                pass
+
+        self.loop.start_tls = make_mocked_coro(TransportMock())
+
+        req = ClientRequest(
+            "GET",
+            URL("https://www.python.org"),
+            proxy=URL("http://proxy.example.com"),
+            loop=self.loop,
+        )
+        with self.assertRaises(aiohttp.ServerFingerprintMismatch):
+            self.loop.run_until_complete(
+                connector._create_connection(req, None, aiohttp.ClientTimeout())
+            )
+
     @mock.patch(
         "aiohttp.connector.aiohappyeyeballs.start_connection",
         autospec=True,