Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython3 / 28f8bee5c8faf0c275665786f90e260443739cdb / . / Lib / test / test_ssl.py
blob: f942d956587f1e9839e1bc9b8c740c87e413e158 [file] [log] [blame]
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]1# Test the support for SSL and sockets
2
3import sys
4import unittest
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]5from test import support
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]6import socket
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]7import select
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]8import time
Antoine Pitroucfcd8ad2010-04-23 23:31:47 +0000[diff] [blame]9import gc
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]10import os
Antoine Pitroucfcd8ad2010-04-23 23:31:47 +0000[diff] [blame]11import errno
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]12import pprint
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]13import tempfile
Antoine Pitrou803e6d62010-10-13 10:36:15 +0000[diff] [blame]14import urllib.request
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]15import traceback
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]16import asyncore
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]17import weakref
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]18import platform
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]19import functools
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]20
Antoine Pitrou05d936d2010-10-13 11:38:36 +0000[diff] [blame]21ssl = support.import_module("ssl")
22
23PROTOCOLS = [
Victor Stinner17ca3232011-05-10 00:48:41 +0200[diff] [blame]24 ssl.PROTOCOL_SSLv3,
Antoine Pitrou05d936d2010-10-13 11:38:36 +0000[diff] [blame]25 ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1
26]
Victor Stinner17ca3232011-05-10 00:48:41 +0200[diff] [blame]27if hasattr(ssl, 'PROTOCOL_SSLv2'):
28 PROTOCOLS.append(ssl.PROTOCOL_SSLv2)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]29
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]30HOST = support.HOST
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]31
32data_file = lambda name: os.path.join(os.path.dirname(__file__), name)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]33
Antoine Pitrou81564092010-10-08 23:06:24 +0000[diff] [blame]34# The custom key and certificate files used in test_ssl are generated
35# using Lib/test/make_ssl_certs.py.
36# Other certificates are simply fetched from the Internet servers they
37# are meant to authenticate.
38
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]39CERTFILE = data_file("keycert.pem")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]40BYTES_CERTFILE = os.fsencode(CERTFILE)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]41ONLYCERT = data_file("ssl_cert.pem")
42ONLYKEY = data_file("ssl_key.pem")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]43BYTES_ONLYCERT = os.fsencode(ONLYCERT)
44BYTES_ONLYKEY = os.fsencode(ONLYKEY)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]45CAPATH = data_file("capath")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]46BYTES_CAPATH = os.fsencode(CAPATH)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]47
48SVN_PYTHON_ORG_ROOT_CERT = data_file("https_svn_python_org_root.pem")
49
50EMPTYCERT = data_file("nullcert.pem")
51BADCERT = data_file("badcert.pem")
52WRONGCERT = data_file("XXXnonexisting.pem")
53BADKEY = data_file("badkey.pem")
Antoine Pitroud8c347a2011-10-01 19:20:25 +0200[diff] [blame]54NOKIACERT = data_file("nokia.pem")
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]55
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]56
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]57def handle_error(prefix):
58 exc_format = ' '.join(traceback.format_exception(*sys.exc_info()))
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]59 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]60 sys.stdout.write(prefix + exc_format)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]61
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]62def can_clear_options():
63 # 0.9.8m or higher
Antoine Pitroub9ac25d2011-07-08 18:47:06 +0200[diff] [blame]64 return ssl._OPENSSL_API_VERSION >= (0, 9, 8, 13, 15)
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]65
66def no_sslv2_implies_sslv3_hello():
67 # 0.9.7h or higher
68 return ssl.OPENSSL_VERSION_INFO >= (0, 9, 7, 8, 15)
69
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]70
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]71# Issue #9415: Ubuntu hijacks their OpenSSL and forcefully disables SSLv2
72def skip_if_broken_ubuntu_ssl(func):
Victor Stinner17ca3232011-05-10 00:48:41 +0200[diff] [blame]73 if hasattr(ssl, 'PROTOCOL_SSLv2'):
74 @functools.wraps(func)
75 def f(*args, **kwargs):
76 try:
77 ssl.SSLContext(ssl.PROTOCOL_SSLv2)
78 except ssl.SSLError:
79 if (ssl.OPENSSL_VERSION_INFO == (0, 9, 8, 15, 15) and
80 platform.linux_distribution() == ('debian', 'squeeze/sid', '')):
81 raise unittest.SkipTest("Patched Ubuntu OpenSSL breaks behaviour")
82 return func(*args, **kwargs)
83 return f
84 else:
85 return func
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]86
87
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]88class BasicSocketTests(unittest.TestCase):
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]89
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]90 def test_constants(self):
Victor Stinneree18b6f2011-05-10 00:38:00 +0200[diff] [blame]91 #ssl.PROTOCOL_SSLv2
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]92 ssl.PROTOCOL_SSLv23
93 ssl.PROTOCOL_SSLv3
94 ssl.PROTOCOL_TLSv1
95 ssl.CERT_NONE
96 ssl.CERT_OPTIONAL
97 ssl.CERT_REQUIRED
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]98 self.assertIn(ssl.HAS_SNI, {True, False})
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]99
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]100 def test_random(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]101 v = ssl.RAND_status()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]102 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]103 sys.stdout.write("\n RAND_status is %d (%s)\n"
104 % (v, (v and "sufficient randomness") or
105 "insufficient randomness"))
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]106 try:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]107 ssl.RAND_egd(1)
108 except TypeError:
109 pass
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]110 else:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]111 print("didn't raise TypeError")
112 ssl.RAND_add("this is a random string", 75.0)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]113
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]114 def test_parse_cert(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]115 # note that this uses an 'unofficial' function in _ssl.c,
116 # provided solely for this test, to exercise the certificate
117 # parsing code
Antoine Pitroufb046912010-11-09 20:21:19 +0000[diff] [blame]118 p = ssl._ssl._test_decode_cert(CERTFILE)
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]119 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]120 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
Antoine Pitroud8c347a2011-10-01 19:20:25 +0200[diff] [blame]121 self.assertEqual(p['issuer'],
122 ((('countryName', 'XY'),),
123 (('localityName', 'Castle Anthrax'),),
124 (('organizationName', 'Python Software Foundation'),),
125 (('commonName', 'localhost'),))
126 )
127 self.assertEqual(p['notAfter'], 'Oct 5 23:01:56 2020 GMT')
128 self.assertEqual(p['notBefore'], 'Oct 8 23:01:56 2010 GMT')
129 self.assertEqual(p['serialNumber'], 'D7C7381919AFC24E')
130 self.assertEqual(p['subject'],
131 ((('countryName', 'XY'),),
132 (('localityName', 'Castle Anthrax'),),
133 (('organizationName', 'Python Software Foundation'),),
134 (('commonName', 'localhost'),))
135 )
136 self.assertEqual(p['subjectAltName'], (('DNS', 'localhost'),))
137 # Issue #13034: the subjectAltName in some certificates
138 # (notably projects.developer.nokia.com:443) wasn't parsed
139 p = ssl._ssl._test_decode_cert(NOKIACERT)
140 if support.verbose:
141 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
142 self.assertEqual(p['subjectAltName'],
143 (('DNS', 'projects.developer.nokia.com'),
144 ('DNS', 'projects.forum.nokia.com'))
145 )
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]146
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]147 def test_DER_to_PEM(self):
148 with open(SVN_PYTHON_ORG_ROOT_CERT, 'r') as f:
149 pem = f.read()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]150 d1 = ssl.PEM_cert_to_DER_cert(pem)
151 p2 = ssl.DER_cert_to_PEM_cert(d1)
152 d2 = ssl.PEM_cert_to_DER_cert(p2)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]153 self.assertEqual(d1, d2)
Antoine Pitrou9bfbe612010-04-27 22:08:08 +0000[diff] [blame]154 if not p2.startswith(ssl.PEM_HEADER + '\n'):
155 self.fail("DER-to-PEM didn't include correct header:\n%r\n" % p2)
156 if not p2.endswith('\n' + ssl.PEM_FOOTER + '\n'):
157 self.fail("DER-to-PEM didn't include correct footer:\n%r\n" % p2)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]158
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]159 def test_openssl_version(self):
160 n = ssl.OPENSSL_VERSION_NUMBER
161 t = ssl.OPENSSL_VERSION_INFO
162 s = ssl.OPENSSL_VERSION
163 self.assertIsInstance(n, int)
164 self.assertIsInstance(t, tuple)
165 self.assertIsInstance(s, str)
166 # Some sanity checks follow
167 # >= 0.9
168 self.assertGreaterEqual(n, 0x900000)
169 # < 2.0
170 self.assertLess(n, 0x20000000)
171 major, minor, fix, patch, status = t
172 self.assertGreaterEqual(major, 0)
173 self.assertLess(major, 2)
174 self.assertGreaterEqual(minor, 0)
175 self.assertLess(minor, 256)
176 self.assertGreaterEqual(fix, 0)
177 self.assertLess(fix, 256)
178 self.assertGreaterEqual(patch, 0)
179 self.assertLessEqual(patch, 26)
180 self.assertGreaterEqual(status, 0)
181 self.assertLessEqual(status, 15)
182 # Version string as returned by OpenSSL, the format might change
183 self.assertTrue(s.startswith("OpenSSL {:d}.{:d}.{:d}".format(major, minor, fix)),
184 (s, t))
185
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]186 @support.cpython_only
187 def test_refcycle(self):
188 # Issue #7943: an SSL object doesn't create reference cycles with
189 # itself.
190 s = socket.socket(socket.AF_INET)
191 ss = ssl.wrap_socket(s)
192 wr = weakref.ref(ss)
193 del ss
194 self.assertEqual(wr(), None)
195
Antoine Pitroua468adc2010-09-14 14:43:44 +0000[diff] [blame]196 def test_wrapped_unconnected(self):
197 # Methods on an unconnected SSLSocket propagate the original
198 # socket.error raise by the underlying socket object.
199 s = socket.socket(socket.AF_INET)
200 ss = ssl.wrap_socket(s)
201 self.assertRaises(socket.error, ss.recv, 1)
202 self.assertRaises(socket.error, ss.recv_into, bytearray(b'x'))
203 self.assertRaises(socket.error, ss.recvfrom, 1)
204 self.assertRaises(socket.error, ss.recvfrom_into, bytearray(b'x'), 1)
205 self.assertRaises(socket.error, ss.send, b'x')
206 self.assertRaises(socket.error, ss.sendto, b'x', ('0.0.0.0', 0))
207
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]208 def test_timeout(self):
209 # Issue #8524: when creating an SSL socket, the timeout of the
210 # original socket should be retained.
211 for timeout in (None, 0.0, 5.0):
212 s = socket.socket(socket.AF_INET)
213 s.settimeout(timeout)
214 ss = ssl.wrap_socket(s)
215 self.assertEqual(timeout, ss.gettimeout())
216
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]217 def test_errors(self):
218 sock = socket.socket()
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]219 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]220 "certfile must be specified",
221 ssl.wrap_socket, sock, keyfile=CERTFILE)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]222 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]223 "certfile must be specified for server-side operations",
224 ssl.wrap_socket, sock, server_side=True)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]225 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]226 "certfile must be specified for server-side operations",
227 ssl.wrap_socket, sock, server_side=True, certfile="")
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]228 s = ssl.wrap_socket(sock, server_side=True, certfile=CERTFILE)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]229 self.assertRaisesRegex(ValueError, "can't connect in server-side mode",
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]230 s.connect, (HOST, 8080))
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]231 with self.assertRaises(IOError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]232 with socket.socket() as sock:
233 ssl.wrap_socket(sock, certfile=WRONGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]234 self.assertEqual(cm.exception.errno, errno.ENOENT)
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]235 with self.assertRaises(IOError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]236 with socket.socket() as sock:
237 ssl.wrap_socket(sock, certfile=CERTFILE, keyfile=WRONGCERT)
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]238 self.assertEqual(cm.exception.errno, errno.ENOENT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]239 with self.assertRaises(IOError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]240 with socket.socket() as sock:
241 ssl.wrap_socket(sock, certfile=WRONGCERT, keyfile=WRONGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]242 self.assertEqual(cm.exception.errno, errno.ENOENT)
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]243
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]244 def test_match_hostname(self):
245 def ok(cert, hostname):
246 ssl.match_hostname(cert, hostname)
247 def fail(cert, hostname):
248 self.assertRaises(ssl.CertificateError,
249 ssl.match_hostname, cert, hostname)
250
251 cert = {'subject': ((('commonName', 'example.com'),),)}
252 ok(cert, 'example.com')
253 ok(cert, 'ExAmple.cOm')
254 fail(cert, 'www.example.com')
255 fail(cert, '.example.com')
256 fail(cert, 'example.org')
257 fail(cert, 'exampleXcom')
258
259 cert = {'subject': ((('commonName', '*.a.com'),),)}
260 ok(cert, 'foo.a.com')
261 fail(cert, 'bar.foo.a.com')
262 fail(cert, 'a.com')
263 fail(cert, 'Xa.com')
264 fail(cert, '.a.com')
265
266 cert = {'subject': ((('commonName', 'a.*.com'),),)}
267 ok(cert, 'a.foo.com')
268 fail(cert, 'a..com')
269 fail(cert, 'a.com')
270
271 cert = {'subject': ((('commonName', 'f*.com'),),)}
272 ok(cert, 'foo.com')
273 ok(cert, 'f.com')
274 fail(cert, 'bar.com')
275 fail(cert, 'foo.a.com')
276 fail(cert, 'bar.foo.com')
277
278 # Slightly fake real-world example
279 cert = {'notAfter': 'Jun 26 21:41:46 2011 GMT',
280 'subject': ((('commonName', 'linuxfrz.org'),),),
281 'subjectAltName': (('DNS', 'linuxfr.org'),
282 ('DNS', 'linuxfr.com'),
283 ('othername', '<unsupported>'))}
284 ok(cert, 'linuxfr.org')
285 ok(cert, 'linuxfr.com')
286 # Not a "DNS" entry
287 fail(cert, '<unsupported>')
288 # When there is a subjectAltName, commonName isn't used
289 fail(cert, 'linuxfrz.org')
290
291 # A pristine real-world example
292 cert = {'notAfter': 'Dec 18 23:59:59 2011 GMT',
293 'subject': ((('countryName', 'US'),),
294 (('stateOrProvinceName', 'California'),),
295 (('localityName', 'Mountain View'),),
296 (('organizationName', 'Google Inc'),),
297 (('commonName', 'mail.google.com'),))}
298 ok(cert, 'mail.google.com')
299 fail(cert, 'gmail.com')
300 # Only commonName is considered
301 fail(cert, 'California')
302
303 # Neither commonName nor subjectAltName
304 cert = {'notAfter': 'Dec 18 23:59:59 2011 GMT',
305 'subject': ((('countryName', 'US'),),
306 (('stateOrProvinceName', 'California'),),
307 (('localityName', 'Mountain View'),),
308 (('organizationName', 'Google Inc'),))}
309 fail(cert, 'mail.google.com')
310
Antoine Pitrou1c86b442011-05-06 15:19:49 +0200[diff] [blame]311 # No DNS entry in subjectAltName but a commonName
312 cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
313 'subject': ((('countryName', 'US'),),
314 (('stateOrProvinceName', 'California'),),
315 (('localityName', 'Mountain View'),),
316 (('commonName', 'mail.google.com'),)),
317 'subjectAltName': (('othername', 'blabla'), )}
318 ok(cert, 'mail.google.com')
319
320 # No DNS entry subjectAltName and no commonName
321 cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
322 'subject': ((('countryName', 'US'),),
323 (('stateOrProvinceName', 'California'),),
324 (('localityName', 'Mountain View'),),
325 (('organizationName', 'Google Inc'),)),
326 'subjectAltName': (('othername', 'blabla'),)}
327 fail(cert, 'google.com')
328
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]329 # Empty cert / no cert
330 self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
331 self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
332
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]333 def test_server_side(self):
334 # server_hostname doesn't work for server sockets
335 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]336 with socket.socket() as sock:
337 self.assertRaises(ValueError, ctx.wrap_socket, sock, True,
338 server_hostname="some.hostname")
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]339
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]340class ContextTests(unittest.TestCase):
341
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]342 @skip_if_broken_ubuntu_ssl
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]343 def test_constructor(self):
Victor Stinner17ca3232011-05-10 00:48:41 +0200[diff] [blame]344 if hasattr(ssl, 'PROTOCOL_SSLv2'):
345 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv2)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]346 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
347 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv3)
348 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
349 self.assertRaises(TypeError, ssl.SSLContext)
350 self.assertRaises(ValueError, ssl.SSLContext, -1)
351 self.assertRaises(ValueError, ssl.SSLContext, 42)
352
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]353 @skip_if_broken_ubuntu_ssl
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]354 def test_protocol(self):
355 for proto in PROTOCOLS:
356 ctx = ssl.SSLContext(proto)
357 self.assertEqual(ctx.protocol, proto)
358
359 def test_ciphers(self):
360 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
361 ctx.set_ciphers("ALL")
362 ctx.set_ciphers("DEFAULT")
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]363 with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):
Antoine Pitrou30474062010-05-16 23:46:26 +0000[diff] [blame]364 ctx.set_ciphers("^$:,;?*'dorothyx")
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]365
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]366 @skip_if_broken_ubuntu_ssl
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]367 def test_options(self):
368 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
369 # OP_ALL is the default value
370 self.assertEqual(ssl.OP_ALL, ctx.options)
371 ctx.options |= ssl.OP_NO_SSLv2
372 self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2,
373 ctx.options)
374 ctx.options |= ssl.OP_NO_SSLv3
375 self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3,
376 ctx.options)
377 if can_clear_options():
378 ctx.options = (ctx.options & ~ssl.OP_NO_SSLv2) | ssl.OP_NO_TLSv1
379 self.assertEqual(ssl.OP_ALL | ssl.OP_NO_TLSv1 | ssl.OP_NO_SSLv3,
380 ctx.options)
381 ctx.options = 0
382 self.assertEqual(0, ctx.options)
383 else:
384 with self.assertRaises(ValueError):
385 ctx.options = 0
386
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]387 def test_verify(self):
388 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
389 # Default value
390 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
391 ctx.verify_mode = ssl.CERT_OPTIONAL
392 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
393 ctx.verify_mode = ssl.CERT_REQUIRED
394 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
395 ctx.verify_mode = ssl.CERT_NONE
396 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
397 with self.assertRaises(TypeError):
398 ctx.verify_mode = None
399 with self.assertRaises(ValueError):
400 ctx.verify_mode = 42
401
402 def test_load_cert_chain(self):
403 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
404 # Combined key and cert in a single file
405 ctx.load_cert_chain(CERTFILE)
406 ctx.load_cert_chain(CERTFILE, keyfile=CERTFILE)
407 self.assertRaises(TypeError, ctx.load_cert_chain, keyfile=CERTFILE)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]408 with self.assertRaises(IOError) as cm:
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]409 ctx.load_cert_chain(WRONGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]410 self.assertEqual(cm.exception.errno, errno.ENOENT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]411 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]412 ctx.load_cert_chain(BADCERT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]413 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]414 ctx.load_cert_chain(EMPTYCERT)
415 # Separate key and cert
Antoine Pitroud0919502010-05-17 10:30:00 +0000[diff] [blame]416 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]417 ctx.load_cert_chain(ONLYCERT, ONLYKEY)
418 ctx.load_cert_chain(certfile=ONLYCERT, keyfile=ONLYKEY)
419 ctx.load_cert_chain(certfile=BYTES_ONLYCERT, keyfile=BYTES_ONLYKEY)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]420 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]421 ctx.load_cert_chain(ONLYCERT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]422 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]423 ctx.load_cert_chain(ONLYKEY)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]424 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]425 ctx.load_cert_chain(certfile=ONLYKEY, keyfile=ONLYCERT)
426 # Mismatching key and cert
Antoine Pitroud0919502010-05-17 10:30:00 +0000[diff] [blame]427 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]428 with self.assertRaisesRegex(ssl.SSLError, "key values mismatch"):
Antoine Pitrou81564092010-10-08 23:06:24 +0000[diff] [blame]429 ctx.load_cert_chain(SVN_PYTHON_ORG_ROOT_CERT, ONLYKEY)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]430
431 def test_load_verify_locations(self):
432 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
433 ctx.load_verify_locations(CERTFILE)
434 ctx.load_verify_locations(cafile=CERTFILE, capath=None)
435 ctx.load_verify_locations(BYTES_CERTFILE)
436 ctx.load_verify_locations(cafile=BYTES_CERTFILE, capath=None)
437 self.assertRaises(TypeError, ctx.load_verify_locations)
438 self.assertRaises(TypeError, ctx.load_verify_locations, None, None)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]439 with self.assertRaises(IOError) as cm:
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]440 ctx.load_verify_locations(WRONGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]441 self.assertEqual(cm.exception.errno, errno.ENOENT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]442 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]443 ctx.load_verify_locations(BADCERT)
444 ctx.load_verify_locations(CERTFILE, CAPATH)
445 ctx.load_verify_locations(CERTFILE, capath=BYTES_CAPATH)
446
Victor Stinner80f75e62011-01-29 11:31:20 +0000[diff] [blame]447 # Issue #10989: crash if the second argument type is invalid
448 self.assertRaises(TypeError, ctx.load_verify_locations, None, True)
449
Antoine Pitroueb585ad2010-10-22 18:24:20 +0000[diff] [blame]450 @skip_if_broken_ubuntu_ssl
Antoine Pitroub0182c82010-10-12 20:09:02 +0000[diff] [blame]451 def test_session_stats(self):
452 for proto in PROTOCOLS:
453 ctx = ssl.SSLContext(proto)
454 self.assertEqual(ctx.session_stats(), {
455 'number': 0,
456 'connect': 0,
457 'connect_good': 0,
458 'connect_renegotiate': 0,
459 'accept': 0,
460 'accept_good': 0,
461 'accept_renegotiate': 0,
462 'hits': 0,
463 'misses': 0,
464 'timeouts': 0,
465 'cache_full': 0,
466 })
467
Antoine Pitrou664c2d12010-11-17 20:29:42 +0000[diff] [blame]468 def test_set_default_verify_paths(self):
469 # There's not much we can do to test that it acts as expected,
470 # so just check it doesn't crash or raise an exception.
471 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
472 ctx.set_default_verify_paths()
473
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]474
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]475class NetworkedTests(unittest.TestCase):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]476
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]477 def test_connect(self):
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]478 with support.transient_internet("svn.python.org"):
479 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
480 cert_reqs=ssl.CERT_NONE)
481 try:
482 s.connect(("svn.python.org", 443))
483 self.assertEqual({}, s.getpeercert())
484 finally:
485 s.close()
486
487 # this should fail because we have no verification certs
488 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
489 cert_reqs=ssl.CERT_REQUIRED)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]490 self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
491 s.connect, ("svn.python.org", 443))
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]492 s.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]493
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]494 # this should succeed because we specify the root cert
495 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
496 cert_reqs=ssl.CERT_REQUIRED,
497 ca_certs=SVN_PYTHON_ORG_ROOT_CERT)
498 try:
499 s.connect(("svn.python.org", 443))
500 self.assertTrue(s.getpeercert())
501 finally:
502 s.close()
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]503
Antoine Pitrou86cbfec2011-02-26 23:25:34 +0000[diff] [blame]504 def test_connect_ex(self):
505 # Issue #11326: check connect_ex() implementation
506 with support.transient_internet("svn.python.org"):
507 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
508 cert_reqs=ssl.CERT_REQUIRED,
509 ca_certs=SVN_PYTHON_ORG_ROOT_CERT)
510 try:
511 self.assertEqual(0, s.connect_ex(("svn.python.org", 443)))
512 self.assertTrue(s.getpeercert())
513 finally:
514 s.close()
515
516 def test_non_blocking_connect_ex(self):
517 # Issue #11326: non-blocking connect_ex() should allow handshake
518 # to proceed after the socket gets ready.
519 with support.transient_internet("svn.python.org"):
520 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
521 cert_reqs=ssl.CERT_REQUIRED,
522 ca_certs=SVN_PYTHON_ORG_ROOT_CERT,
523 do_handshake_on_connect=False)
524 try:
525 s.setblocking(False)
526 rc = s.connect_ex(('svn.python.org', 443))
Antoine Pitroud1c98452011-02-27 15:45:16 +0000[diff] [blame]527 # EWOULDBLOCK under Windows, EINPROGRESS elsewhere
528 self.assertIn(rc, (0, errno.EINPROGRESS, errno.EWOULDBLOCK))
Antoine Pitrou86cbfec2011-02-26 23:25:34 +0000[diff] [blame]529 # Wait for connect to finish
530 select.select([], [s], [], 5.0)
531 # Non-blocking handshake
532 while True:
533 try:
534 s.do_handshake()
535 break
536 except ssl.SSLError as err:
537 if err.args[0] == ssl.SSL_ERROR_WANT_READ:
538 select.select([s], [], [], 5.0)
539 elif err.args[0] == ssl.SSL_ERROR_WANT_WRITE:
540 select.select([], [s], [], 5.0)
541 else:
542 raise
543 # SSL established
544 self.assertTrue(s.getpeercert())
545 finally:
546 s.close()
547
Antoine Pitroub4410db2011-05-18 18:51:06 +0200[diff] [blame]548 def test_timeout_connect_ex(self):
549 # Issue #12065: on a timeout, connect_ex() should return the original
550 # errno (mimicking the behaviour of non-SSL sockets).
551 with support.transient_internet("svn.python.org"):
552 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
553 cert_reqs=ssl.CERT_REQUIRED,
554 ca_certs=SVN_PYTHON_ORG_ROOT_CERT,
555 do_handshake_on_connect=False)
556 try:
557 s.settimeout(0.0000001)
558 rc = s.connect_ex(('svn.python.org', 443))
559 if rc == 0:
560 self.skipTest("svn.python.org responded too quickly")
561 self.assertIn(rc, (errno.EAGAIN, errno.EWOULDBLOCK))
562 finally:
563 s.close()
564
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]565 def test_connect_with_context(self):
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]566 with support.transient_internet("svn.python.org"):
567 # Same as test_connect, but with a separately created context
568 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
569 s = ctx.wrap_socket(socket.socket(socket.AF_INET))
570 s.connect(("svn.python.org", 443))
571 try:
572 self.assertEqual({}, s.getpeercert())
573 finally:
574 s.close()
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]575 # Same with a server hostname
576 s = ctx.wrap_socket(socket.socket(socket.AF_INET),
577 server_hostname="svn.python.org")
578 if ssl.HAS_SNI:
579 s.connect(("svn.python.org", 443))
580 s.close()
581 else:
582 self.assertRaises(ValueError, s.connect, ("svn.python.org", 443))
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]583 # This should fail because we have no verification certs
584 ctx.verify_mode = ssl.CERT_REQUIRED
585 s = ctx.wrap_socket(socket.socket(socket.AF_INET))
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]586 self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]587 s.connect, ("svn.python.org", 443))
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]588 s.close()
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]589 # This should succeed because we specify the root cert
590 ctx.load_verify_locations(SVN_PYTHON_ORG_ROOT_CERT)
591 s = ctx.wrap_socket(socket.socket(socket.AF_INET))
592 s.connect(("svn.python.org", 443))
593 try:
594 cert = s.getpeercert()
595 self.assertTrue(cert)
596 finally:
597 s.close()
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]598
599 def test_connect_capath(self):
600 # Verify server certificates using the `capath` argument
Antoine Pitrou467f28d2010-05-16 19:22:44 +0000[diff] [blame]601 # NOTE: the subject hashing algorithm has been changed between
602 # OpenSSL 0.9.8n and 1.0.0, as a result the capath directory must
603 # contain both versions of each certificate (same content, different
Antoine Pitroud7e4c1c2010-05-17 14:13:10 +0000[diff] [blame]604 # filename) for this test to be portable across OpenSSL releases.
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]605 with support.transient_internet("svn.python.org"):
606 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
607 ctx.verify_mode = ssl.CERT_REQUIRED
608 ctx.load_verify_locations(capath=CAPATH)
609 s = ctx.wrap_socket(socket.socket(socket.AF_INET))
610 s.connect(("svn.python.org", 443))
611 try:
612 cert = s.getpeercert()
613 self.assertTrue(cert)
614 finally:
615 s.close()
616 # Same with a bytes `capath` argument
617 ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
618 ctx.verify_mode = ssl.CERT_REQUIRED
619 ctx.load_verify_locations(capath=BYTES_CAPATH)
620 s = ctx.wrap_socket(socket.socket(socket.AF_INET))
621 s.connect(("svn.python.org", 443))
622 try:
623 cert = s.getpeercert()
624 self.assertTrue(cert)
625 finally:
626 s.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]627
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]628 @unittest.skipIf(os.name == "nt", "Can't use a socket as a file under Windows")
629 def test_makefile_close(self):
630 # Issue #5238: creating a file-like object with makefile() shouldn't
631 # delay closing the underlying "real socket" (here tested with its
632 # file descriptor, hence skipping the test under Windows).
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]633 with support.transient_internet("svn.python.org"):
634 ss = ssl.wrap_socket(socket.socket(socket.AF_INET))
635 ss.connect(("svn.python.org", 443))
636 fd = ss.fileno()
637 f = ss.makefile()
638 f.close()
639 # The fd is still open
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]640 os.read(fd, 0)
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]641 # Closing the SSL socket should close the fd too
642 ss.close()
643 gc.collect()
644 with self.assertRaises(OSError) as e:
645 os.read(fd, 0)
646 self.assertEqual(e.exception.errno, errno.EBADF)
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]647
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]648 def test_non_blocking_handshake(self):
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]649 with support.transient_internet("svn.python.org"):
650 s = socket.socket(socket.AF_INET)
651 s.connect(("svn.python.org", 443))
652 s.setblocking(False)
653 s = ssl.wrap_socket(s,
654 cert_reqs=ssl.CERT_NONE,
655 do_handshake_on_connect=False)
656 count = 0
657 while True:
658 try:
659 count += 1
660 s.do_handshake()
661 break
662 except ssl.SSLError as err:
663 if err.args[0] == ssl.SSL_ERROR_WANT_READ:
664 select.select([s], [], [])
665 elif err.args[0] == ssl.SSL_ERROR_WANT_WRITE:
666 select.select([], [s], [])
667 else:
668 raise
669 s.close()
670 if support.verbose:
671 sys.stdout.write("\nNeeded %d calls to do_handshake() to establish session.\n" % count)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]672
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]673 def test_get_server_certificate(self):
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]674 with support.transient_internet("svn.python.org"):
675 pem = ssl.get_server_certificate(("svn.python.org", 443))
676 if not pem:
677 self.fail("No server certificate on svn.python.org:443!")
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]678
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]679 try:
680 pem = ssl.get_server_certificate(("svn.python.org", 443), ca_certs=CERTFILE)
681 except ssl.SSLError as x:
682 #should fail
683 if support.verbose:
684 sys.stdout.write("%s\n" % x)
685 else:
686 self.fail("Got server certificate %s for svn.python.org!" % pem)
687
688 pem = ssl.get_server_certificate(("svn.python.org", 443), ca_certs=SVN_PYTHON_ORG_ROOT_CERT)
689 if not pem:
690 self.fail("No server certificate on svn.python.org:443!")
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]691 if support.verbose:
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]692 sys.stdout.write("\nVerified certificate for svn.python.org:443 is\n%s\n" % pem)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]693
Antoine Pitrouf4c7bad2010-08-15 23:02:22 +0000[diff] [blame]694 def test_ciphers(self):
695 remote = ("svn.python.org", 443)
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]696 with support.transient_internet(remote[0]):
Antoine Pitrouf4c7bad2010-08-15 23:02:22 +0000[diff] [blame]697 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]698 cert_reqs=ssl.CERT_NONE, ciphers="ALL")
Antoine Pitrouf4c7bad2010-08-15 23:02:22 +0000[diff] [blame]699 s.connect(remote)
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]700 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
701 cert_reqs=ssl.CERT_NONE, ciphers="DEFAULT")
702 s.connect(remote)
703 # Error checking can happen at instantiation or when connecting
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]704 with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]705 with socket.socket(socket.AF_INET) as sock:
706 s = ssl.wrap_socket(sock,
707 cert_reqs=ssl.CERT_NONE, ciphers="^$:,;?*'dorothyx")
708 s.connect(remote)
Antoine Pitrouf4c7bad2010-08-15 23:02:22 +0000[diff] [blame]709
Antoine Pitroufec12ff2010-04-21 19:46:23 +0000[diff] [blame]710 def test_algorithms(self):
711 # Issue #8484: all algorithms should be available when verifying a
712 # certificate.
Antoine Pitrou29619b22010-04-22 18:43:31 +0000[diff] [blame]713 # SHA256 was added in OpenSSL 0.9.8
714 if ssl.OPENSSL_VERSION_INFO < (0, 9, 8, 0, 15):
715 self.skipTest("SHA256 not available on %r" % ssl.OPENSSL_VERSION)
Victor Stinnerf332abb2011-01-08 03:16:05 +0000[diff] [blame]716 # https://sha2.hboeck.de/ was used until 2011-01-08 (no route to host)
717 remote = ("sha256.tbs-internet.com", 443)
Antoine Pitroufec12ff2010-04-21 19:46:23 +0000[diff] [blame]718 sha256_cert = os.path.join(os.path.dirname(__file__), "sha256.pem")
Antoine Pitrou160fd932011-01-08 10:23:29 +0000[diff] [blame]719 with support.transient_internet("sha256.tbs-internet.com"):
Antoine Pitroua88c83c2010-09-07 20:42:19 +0000[diff] [blame]720 s = ssl.wrap_socket(socket.socket(socket.AF_INET),
721 cert_reqs=ssl.CERT_REQUIRED,
722 ca_certs=sha256_cert,)
Antoine Pitroufec12ff2010-04-21 19:46:23 +0000[diff] [blame]723 try:
724 s.connect(remote)
725 if support.verbose:
726 sys.stdout.write("\nCipher with %r is %r\n" %
727 (remote, s.cipher()))
728 sys.stdout.write("Certificate is:\n%s\n" %
729 pprint.pformat(s.getpeercert()))
730 finally:
731 s.close()
732
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]733
734try:
735 import threading
736except ImportError:
737 _have_threads = False
738else:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]739 _have_threads = True
740
Antoine Pitrou803e6d62010-10-13 10:36:15 +0000[diff] [blame]741 from test.ssl_servers import make_https_server
742
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]743 class ThreadedEchoServer(threading.Thread):
744
745 class ConnectionHandler(threading.Thread):
746
747 """A mildly complicated class, because we want it to work both
748 with and without the SSL wrapper around the socket connection, so
749 that we can test the STARTTLS functionality."""
750
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]751 def __init__(self, server, connsock, addr):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]752 self.server = server
753 self.running = False
754 self.sock = connsock
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]755 self.addr = addr
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]756 self.sock.setblocking(1)
757 self.sslconn = None
758 threading.Thread.__init__(self)
Benjamin Peterson4171da52008-08-18 21:11:09 +0000[diff] [blame]759 self.daemon = True
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]760
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]761 def wrap_conn(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]762 try:
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]763 self.sslconn = self.server.context.wrap_socket(
764 self.sock, server_side=True)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]765 except ssl.SSLError:
766 # XXX Various errors can have happened here, for example
767 # a mismatching protocol version, an invalid certificate,
768 # or a low-level bug. This should be made more discriminating.
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]769 if self.server.chatty:
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]770 handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n")
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]771 self.running = False
772 self.server.stop()
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]773 self.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]774 return False
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]775 else:
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]776 if self.server.context.verify_mode == ssl.CERT_REQUIRED:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]777 cert = self.sslconn.getpeercert()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]778 if support.verbose and self.server.chatty:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]779 sys.stdout.write(" client cert is " + pprint.pformat(cert) + "\n")
780 cert_binary = self.sslconn.getpeercert(True)
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]781 if support.verbose and self.server.chatty:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]782 sys.stdout.write(" cert binary is " + str(len(cert_binary)) + " bytes\n")
783 cipher = self.sslconn.cipher()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]784 if support.verbose and self.server.chatty:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]785 sys.stdout.write(" server: connection cipher is now " + str(cipher) + "\n")
786 return True
787
788 def read(self):
789 if self.sslconn:
790 return self.sslconn.read()
791 else:
792 return self.sock.recv(1024)
793
794 def write(self, bytes):
795 if self.sslconn:
796 return self.sslconn.write(bytes)
797 else:
798 return self.sock.send(bytes)
799
800 def close(self):
801 if self.sslconn:
802 self.sslconn.close()
803 else:
804 self.sock.close()
805
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]806 def run(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]807 self.running = True
808 if not self.server.starttls_server:
809 if not self.wrap_conn():
810 return
811 while self.running:
812 try:
813 msg = self.read()
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]814 stripped = msg.strip()
815 if not stripped:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]816 # eof, so quit this handler
817 self.running = False
818 self.close()
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]819 elif stripped == b'over':
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]820 if support.verbose and self.server.connectionchatty:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]821 sys.stdout.write(" server: client closed connection\n")
822 self.close()
823 return
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]824 elif (self.server.starttls_server and
Antoine Pitrou764b8782010-04-28 22:57:15 +0000[diff] [blame]825 stripped == b'STARTTLS'):
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]826 if support.verbose and self.server.connectionchatty:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]827 sys.stdout.write(" server: read STARTTLS from client, sending OK...\n")
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]828 self.write(b"OK\n")
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]829 if not self.wrap_conn():
830 return
Bill Janssen40a0f662008-08-12 16:56:25 +0000[diff] [blame]831 elif (self.server.starttls_server and self.sslconn
Antoine Pitrou764b8782010-04-28 22:57:15 +0000[diff] [blame]832 and stripped == b'ENDTLS'):
Bill Janssen40a0f662008-08-12 16:56:25 +0000[diff] [blame]833 if support.verbose and self.server.connectionchatty:
834 sys.stdout.write(" server: read ENDTLS from client, sending OK...\n")
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]835 self.write(b"OK\n")
Bill Janssen40a0f662008-08-12 16:56:25 +0000[diff] [blame]836 self.sock = self.sslconn.unwrap()
837 self.sslconn = None
838 if support.verbose and self.server.connectionchatty:
839 sys.stdout.write(" server: connection is now unencrypted...\n")
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]840 else:
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]841 if (support.verbose and
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]842 self.server.connectionchatty):
843 ctype = (self.sslconn and "encrypted") or "unencrypted"
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]844 sys.stdout.write(" server: read %r (%s), sending back %r (%s)...\n"
845 % (msg, ctype, msg.lower(), ctype))
846 self.write(msg.lower())
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]847 except socket.error:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]848 if self.server.chatty:
849 handle_error("Test server failure:\n")
850 self.close()
851 self.running = False
852 # normally, we'd just stop here, but for the test
853 # harness, we want to stop the server
854 self.server.stop()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]855
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]856 def __init__(self, certificate=None, ssl_version=None,
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]857 certreqs=None, cacerts=None,
Antoine Pitrou2d9cb9c2010-04-17 17:40:45 +0000[diff] [blame]858 chatty=True, connectionchatty=False, starttls_server=False,
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]859 ciphers=None, context=None):
860 if context:
861 self.context = context
862 else:
863 self.context = ssl.SSLContext(ssl_version
864 if ssl_version is not None
865 else ssl.PROTOCOL_TLSv1)
866 self.context.verify_mode = (certreqs if certreqs is not None
867 else ssl.CERT_NONE)
868 if cacerts:
869 self.context.load_verify_locations(cacerts)
870 if certificate:
871 self.context.load_cert_chain(certificate)
872 if ciphers:
873 self.context.set_ciphers(ciphers)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]874 self.chatty = chatty
875 self.connectionchatty = connectionchatty
876 self.starttls_server = starttls_server
877 self.sock = socket.socket()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]878 self.port = support.bind_port(self.sock)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]879 self.flag = None
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]880 self.active = False
881 threading.Thread.__init__(self)
Benjamin Peterson4171da52008-08-18 21:11:09 +0000[diff] [blame]882 self.daemon = True
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]883
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]884 def start(self, flag=None):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]885 self.flag = flag
886 threading.Thread.start(self)
887
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]888 def run(self):
Antoine Pitrouaf7c6022010-04-27 09:56:02 +0000[diff] [blame]889 self.sock.settimeout(0.05)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]890 self.sock.listen(5)
891 self.active = True
892 if self.flag:
893 # signal an event
894 self.flag.set()
895 while self.active:
896 try:
897 newconn, connaddr = self.sock.accept()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]898 if support.verbose and self.chatty:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]899 sys.stdout.write(' server: new connection from '
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]900 + repr(connaddr) + '\n')
901 handler = self.ConnectionHandler(self, newconn, connaddr)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]902 handler.start()
903 except socket.timeout:
904 pass
905 except KeyboardInterrupt:
906 self.stop()
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]907 self.sock.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]908
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]909 def stop(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]910 self.active = False
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]911
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]912 class AsyncoreEchoServer(threading.Thread):
913
914 # this one's based on asyncore.dispatcher
915
916 class EchoServer (asyncore.dispatcher):
917
918 class ConnectionHandler (asyncore.dispatcher_with_send):
919
920 def __init__(self, conn, certfile):
921 self.socket = ssl.wrap_socket(conn, server_side=True,
922 certfile=certfile,
923 do_handshake_on_connect=False)
924 asyncore.dispatcher_with_send.__init__(self, self.socket)
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]925 self._ssl_accepting = True
926 self._do_ssl_handshake()
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]927
928 def readable(self):
929 if isinstance(self.socket, ssl.SSLSocket):
930 while self.socket.pending() > 0:
931 self.handle_read_event()
932 return True
933
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]934 def _do_ssl_handshake(self):
935 try:
936 self.socket.do_handshake()
937 except ssl.SSLError as err:
938 if err.args[0] in (ssl.SSL_ERROR_WANT_READ,
939 ssl.SSL_ERROR_WANT_WRITE):
940 return
941 elif err.args[0] == ssl.SSL_ERROR_EOF:
942 return self.handle_close()
943 raise
944 except socket.error as err:
945 if err.args[0] == errno.ECONNABORTED:
946 return self.handle_close()
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]947 else:
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]948 self._ssl_accepting = False
949
950 def handle_read(self):
951 if self._ssl_accepting:
952 self._do_ssl_handshake()
953 else:
954 data = self.recv(1024)
955 if support.verbose:
956 sys.stdout.write(" server: read %s from client\n" % repr(data))
957 if not data:
958 self.close()
959 else:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]960 self.send(data.lower())
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]961
962 def handle_close(self):
Bill Janssen2f5799b2008-06-29 00:08:12 +0000[diff] [blame]963 self.close()
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]964 if support.verbose:
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]965 sys.stdout.write(" server: closed connection %s\n" % self.socket)
966
967 def handle_error(self):
968 raise
969
Antoine Pitrou773b5db2010-04-27 08:53:36 +0000[diff] [blame]970 def __init__(self, certfile):
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]971 self.certfile = certfile
Antoine Pitrou773b5db2010-04-27 08:53:36 +0000[diff] [blame]972 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
973 self.port = support.bind_port(sock, '')
974 asyncore.dispatcher.__init__(self, sock)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]975 self.listen(5)
976
Giampaolo Rodolà977c7072010-10-04 21:08:36 +0000[diff] [blame]977 def handle_accepted(self, sock_obj, addr):
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]978 if support.verbose:
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]979 sys.stdout.write(" server: new connection from %s:%s\n" %addr)
980 self.ConnectionHandler(sock_obj, self.certfile)
981
982 def handle_error(self):
983 raise
984
Trent Nelson78520002008-04-10 20:54:35 +0000[diff] [blame]985 def __init__(self, certfile):
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]986 self.flag = None
987 self.active = False
Antoine Pitrou773b5db2010-04-27 08:53:36 +0000[diff] [blame]988 self.server = self.EchoServer(certfile)
989 self.port = self.server.port
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]990 threading.Thread.__init__(self)
Benjamin Peterson4171da52008-08-18 21:11:09 +0000[diff] [blame]991 self.daemon = True
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]992
993 def __str__(self):
994 return "<%s %s>" % (self.__class__.__name__, self.server)
995
996 def start (self, flag=None):
997 self.flag = flag
998 threading.Thread.start(self)
999
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1000 def run(self):
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1001 self.active = True
1002 if self.flag:
1003 self.flag.set()
1004 while self.active:
1005 try:
1006 asyncore.loop(1)
1007 except:
1008 pass
1009
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1010 def stop(self):
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]1011 self.active = False
1012 self.server.close()
1013
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1014 def bad_cert_test(certfile):
1015 """
1016 Launch a server with CERT_REQUIRED, and check that trying to
1017 connect to it with the given client certificate fails.
1018 """
Trent Nelson78520002008-04-10 20:54:35 +0000[diff] [blame]1019 server = ThreadedEchoServer(CERTFILE,
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1020 certreqs=ssl.CERT_REQUIRED,
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1021 cacerts=CERTFILE, chatty=False,
1022 connectionchatty=False)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1023 flag = threading.Event()
1024 server.start(flag)
1025 # wait for it to start
1026 flag.wait()
1027 # try to connect
1028 try:
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]1029 try:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]1030 with socket.socket() as sock:
1031 s = ssl.wrap_socket(sock,
1032 certfile=certfile,
1033 ssl_version=ssl.PROTOCOL_TLSv1)
1034 s.connect((HOST, server.port))
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1035 except ssl.SSLError as x:
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1036 if support.verbose:
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1037 sys.stdout.write("\nSSLError is %s\n" % x.args[1])
Antoine Pitrou05830aa2010-04-27 13:15:18 +0000[diff] [blame]1038 except socket.error as x:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1039 if support.verbose:
Georg Brandlb75b6392010-10-24 14:20:22 +0000[diff] [blame]1040 sys.stdout.write("\nsocket.error is %s\n" % x.args[1])
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]1041 except IOError as x:
Giampaolo Rodolàcd9dfb92010-08-29 20:56:56 +0000[diff] [blame]1042 if x.errno != errno.ENOENT:
1043 raise
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]1044 if support.verbose:
Giampaolo Rodolàcd9dfb92010-08-29 20:56:56 +0000[diff] [blame]1045 sys.stdout.write("\IOError is %s\n" % str(x))
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1046 else:
Antoine Pitroud75b2a92010-05-06 14:15:10 +0000[diff] [blame]1047 raise AssertionError("Use of invalid cert should have failed!")
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1048 finally:
1049 server.stop()
1050 server.join()
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]1051
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1052 def server_params_test(client_context, server_context, indata=b"FOO\n",
1053 chatty=True, connectionchatty=False):
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1054 """
1055 Launch a server, connect a client to it and try various reads
1056 and writes.
1057 """
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1058 server = ThreadedEchoServer(context=server_context,
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1059 chatty=chatty,
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1060 connectionchatty=False)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1061 flag = threading.Event()
1062 server.start(flag)
1063 # wait for it to start
1064 flag.wait()
1065 # try to connect
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1066 try:
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1067 s = client_context.wrap_socket(socket.socket())
Trent Nelson78520002008-04-10 20:54:35 +0000[diff] [blame]1068 s.connect((HOST, server.port))
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1069 for arg in [indata, bytearray(indata), memoryview(indata)]:
Antoine Pitrou7d7aede2009-11-25 18:55:32 +0000[diff] [blame]1070 if connectionchatty:
1071 if support.verbose:
1072 sys.stdout.write(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1073 " client: sending %r...\n" % indata)
Antoine Pitrou7d7aede2009-11-25 18:55:32 +0000[diff] [blame]1074 s.write(arg)
1075 outdata = s.read()
1076 if connectionchatty:
1077 if support.verbose:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1078 sys.stdout.write(" client: read %r\n" % outdata)
Antoine Pitrou7d7aede2009-11-25 18:55:32 +0000[diff] [blame]1079 if outdata != indata.lower():
Antoine Pitroud75b2a92010-05-06 14:15:10 +0000[diff] [blame]1080 raise AssertionError(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1081 "bad data <<%r>> (%d) received; expected <<%r>> (%d)\n"
1082 % (outdata[:20], len(outdata),
1083 indata[:20].lower(), len(indata)))
1084 s.write(b"over\n")
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1085 if connectionchatty:
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1086 if support.verbose:
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1087 sys.stdout.write(" client: closing connection.\n")
1088 s.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1089 finally:
1090 server.stop()
1091 server.join()
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]1092
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1093 def try_protocol_combo(server_protocol, client_protocol, expect_success,
1094 certsreqs=None, server_options=0, client_options=0):
Benjamin Peterson2a691a82008-03-31 01:51:45 +0000[diff] [blame]1095 if certsreqs is None:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1096 certsreqs = ssl.CERT_NONE
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1097 certtype = {
1098 ssl.CERT_NONE: "CERT_NONE",
1099 ssl.CERT_OPTIONAL: "CERT_OPTIONAL",
1100 ssl.CERT_REQUIRED: "CERT_REQUIRED",
1101 }[certsreqs]
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1102 if support.verbose:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1103 formatstr = (expect_success and " %s->%s %s\n") or " {%s->%s} %s\n"
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1104 sys.stdout.write(formatstr %
1105 (ssl.get_protocol_name(client_protocol),
1106 ssl.get_protocol_name(server_protocol),
1107 certtype))
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1108 client_context = ssl.SSLContext(client_protocol)
1109 client_context.options = ssl.OP_ALL | client_options
1110 server_context = ssl.SSLContext(server_protocol)
1111 server_context.options = ssl.OP_ALL | server_options
1112 for ctx in (client_context, server_context):
1113 ctx.verify_mode = certsreqs
Antoine Pitrou2d9cb9c2010-04-17 17:40:45 +0000[diff] [blame]1114 # NOTE: we must enable "ALL" ciphers, otherwise an SSLv23 client
1115 # will send an SSLv3 hello (rather than SSLv2) starting from
1116 # OpenSSL 1.0.0 (see issue #8322).
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1117 ctx.set_ciphers("ALL")
1118 ctx.load_cert_chain(CERTFILE)
1119 ctx.load_verify_locations(CERTFILE)
1120 try:
1121 server_params_test(client_context, server_context,
1122 chatty=False, connectionchatty=False)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1123 # Protocol mismatch can result in either an SSLError, or a
1124 # "Connection reset by peer" error.
1125 except ssl.SSLError:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1126 if expect_success:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1127 raise
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1128 except socket.error as e:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1129 if expect_success or e.errno != errno.ECONNRESET:
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1130 raise
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1131 else:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1132 if not expect_success:
Antoine Pitroud75b2a92010-05-06 14:15:10 +0000[diff] [blame]1133 raise AssertionError(
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1134 "Client protocol %s succeeded with server protocol %s!"
1135 % (ssl.get_protocol_name(client_protocol),
1136 ssl.get_protocol_name(server_protocol)))
1137
1138
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1139 class ThreadedTests(unittest.TestCase):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1140
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]1141 @skip_if_broken_ubuntu_ssl
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1142 def test_echo(self):
1143 """Basic test of an SSL client connecting to a server"""
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1144 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1145 sys.stdout.write("\n")
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1146 for protocol in PROTOCOLS:
1147 context = ssl.SSLContext(protocol)
1148 context.load_cert_chain(CERTFILE)
1149 server_params_test(context, context,
1150 chatty=True, connectionchatty=True)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1151
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1152 def test_getpeercert(self):
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1153 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1154 sys.stdout.write("\n")
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1155 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
1156 context.verify_mode = ssl.CERT_REQUIRED
1157 context.load_verify_locations(CERTFILE)
1158 context.load_cert_chain(CERTFILE)
1159 server = ThreadedEchoServer(context=context, chatty=False)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1160 flag = threading.Event()
1161 server.start(flag)
1162 # wait for it to start
1163 flag.wait()
1164 # try to connect
1165 try:
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1166 s = context.wrap_socket(socket.socket())
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1167 s.connect((HOST, server.port))
1168 cert = s.getpeercert()
1169 self.assertTrue(cert, "Can't get peer certificate.")
1170 cipher = s.cipher()
1171 if support.verbose:
1172 sys.stdout.write(pprint.pformat(cert) + '\n')
1173 sys.stdout.write("Connection cipher is " + str(cipher) + '.\n')
1174 if 'subject' not in cert:
1175 self.fail("No subject field in certificate: %s." %
1176 pprint.pformat(cert))
1177 if ((('organizationName', 'Python Software Foundation'),)
1178 not in cert['subject']):
1179 self.fail(
1180 "Missing or invalid 'organizationName' field in certificate subject; "
1181 "should be 'Python Software Foundation'.")
Antoine Pitroufb046912010-11-09 20:21:19 +0000[diff] [blame]1182 self.assertIn('notBefore', cert)
1183 self.assertIn('notAfter', cert)
1184 before = ssl.cert_time_to_seconds(cert['notBefore'])
1185 after = ssl.cert_time_to_seconds(cert['notAfter'])
1186 self.assertLess(before, after)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1187 s.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1188 finally:
1189 server.stop()
1190 server.join()
1191
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1192 def test_empty_cert(self):
1193 """Connecting with an empty cert file"""
1194 bad_cert_test(os.path.join(os.path.dirname(__file__) or os.curdir,
1195 "nullcert.pem"))
1196 def test_malformed_cert(self):
1197 """Connecting with a badly formatted certificate (syntax error)"""
1198 bad_cert_test(os.path.join(os.path.dirname(__file__) or os.curdir,
1199 "badcert.pem"))
1200 def test_nonexisting_cert(self):
1201 """Connecting with a non-existing cert file"""
1202 bad_cert_test(os.path.join(os.path.dirname(__file__) or os.curdir,
1203 "wrongcert.pem"))
1204 def test_malformed_key(self):
1205 """Connecting with a badly formatted key (syntax error)"""
1206 bad_cert_test(os.path.join(os.path.dirname(__file__) or os.curdir,
1207 "badkey.pem"))
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1208
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1209 def test_rude_shutdown(self):
1210 """A brutal shutdown of an SSL server should raise an IOError
1211 in the client when attempting handshake.
1212 """
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]1213 listener_ready = threading.Event()
1214 listener_gone = threading.Event()
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1215
Antoine Pitrou773b5db2010-04-27 08:53:36 +0000[diff] [blame]1216 s = socket.socket()
1217 port = support.bind_port(s, HOST)
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]1218
Antoine Pitrou773b5db2010-04-27 08:53:36 +0000[diff] [blame]1219 # `listener` runs in a thread. It sits in an accept() until
1220 # the main thread connects. Then it rudely closes the socket,
1221 # and sets Event `listener_gone` to let the main thread know
1222 # the socket is gone.
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]1223 def listener():
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]1224 s.listen(5)
1225 listener_ready.set()
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]1226 newsock, addr = s.accept()
1227 newsock.close()
Antoine Pitrou773b5db2010-04-27 08:53:36 +0000[diff] [blame]1228 s.close()
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]1229 listener_gone.set()
1230
1231 def connector():
1232 listener_ready.wait()
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]1233 with socket.socket() as c:
1234 c.connect((HOST, port))
1235 listener_gone.wait()
1236 try:
1237 ssl_sock = ssl.wrap_socket(c)
1238 except IOError:
1239 pass
1240 else:
1241 self.fail('connecting to closed SSL socket should have failed')
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]1242
1243 t = threading.Thread(target=listener)
1244 t.start()
Antoine Pitrou773b5db2010-04-27 08:53:36 +0000[diff] [blame]1245 try:
1246 connector()
1247 finally:
1248 t.join()
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]1249
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]1250 @skip_if_broken_ubuntu_ssl
Victor Stinneree18b6f2011-05-10 00:38:00 +0200[diff] [blame]1251 @unittest.skipUnless(hasattr(ssl, 'PROTOCOL_SSLv2'), "need SSLv2")
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1252 def test_protocol_sslv2(self):
1253 """Connecting to an SSLv2 server with various client options"""
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1254 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1255 sys.stdout.write("\n")
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1256 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
1257 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)
1258 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)
1259 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True)
1260 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)
1261 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1262 # SSLv23 client with specific SSL options
1263 if no_sslv2_implies_sslv3_hello():
1264 # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
1265 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, False,
1266 client_options=ssl.OP_NO_SSLv2)
1267 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True,
1268 client_options=ssl.OP_NO_SSLv3)
1269 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv23, True,
1270 client_options=ssl.OP_NO_TLSv1)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1271
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]1272 @skip_if_broken_ubuntu_ssl
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1273 def test_protocol_sslv23(self):
1274 """Connecting to an SSLv23 server with various client options"""
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1275 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1276 sys.stdout.write("\n")
Victor Stinneree18b6f2011-05-10 00:38:00 +0200[diff] [blame]1277 if hasattr(ssl, 'PROTOCOL_SSLv2'):
1278 try:
1279 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv2, True)
1280 except (ssl.SSLError, socket.error) as x:
1281 # this fails on some older versions of OpenSSL (0.9.7l, for instance)
1282 if support.verbose:
1283 sys.stdout.write(
1284 " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
1285 % str(x))
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1286 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True)
1287 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True)
1288 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1289
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1290 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_OPTIONAL)
1291 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_OPTIONAL)
1292 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_OPTIONAL)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1293
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1294 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, True, ssl.CERT_REQUIRED)
1295 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True, ssl.CERT_REQUIRED)
1296 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, True, ssl.CERT_REQUIRED)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1297
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1298 # Server with specific SSL options
1299 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv3, False,
1300 server_options=ssl.OP_NO_SSLv3)
1301 # Will choose TLSv1
1302 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_SSLv23, True,
1303 server_options=ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
1304 try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1, False,
1305 server_options=ssl.OP_NO_TLSv1)
1306
1307
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]1308 @skip_if_broken_ubuntu_ssl
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1309 def test_protocol_sslv3(self):
1310 """Connecting to an SSLv3 server with various client options"""
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1311 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1312 sys.stdout.write("\n")
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1313 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True)
1314 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True, ssl.CERT_OPTIONAL)
1315 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, True, ssl.CERT_REQUIRED)
Victor Stinneree18b6f2011-05-10 00:38:00 +0200[diff] [blame]1316 if hasattr(ssl, 'PROTOCOL_SSLv2'):
1317 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False)
Barry Warsaw46ae0ef2011-10-28 16:52:17 -0400[diff] [blame]1318 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, False,
1319 client_options=ssl.OP_NO_SSLv3)
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1320 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1321 if no_sslv2_implies_sslv3_hello():
1322 # No SSLv2 => client will use an SSLv3 hello on recent OpenSSLs
1323 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23, True,
1324 client_options=ssl.OP_NO_SSLv2)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1325
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]1326 @skip_if_broken_ubuntu_ssl
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1327 def test_protocol_tlsv1(self):
1328 """Connecting to a TLSv1 server with various client options"""
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1329 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1330 sys.stdout.write("\n")
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1331 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True)
1332 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True, ssl.CERT_OPTIONAL)
1333 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, True, ssl.CERT_REQUIRED)
Victor Stinneree18b6f2011-05-10 00:38:00 +0200[diff] [blame]1334 if hasattr(ssl, 'PROTOCOL_SSLv2'):
1335 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1336 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False)
Barry Warsaw46ae0ef2011-10-28 16:52:17 -0400[diff] [blame]1337 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23, False,
1338 client_options=ssl.OP_NO_TLSv1)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1339
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1340 def test_starttls(self):
1341 """Switching from clear text to encrypted and back again."""
1342 msgs = (b"msg 1", b"MSG 2", b"STARTTLS", b"MSG 3", b"msg 4", b"ENDTLS", b"msg 5", b"msg 6")
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1343
Trent Nelson78520002008-04-10 20:54:35 +0000[diff] [blame]1344 server = ThreadedEchoServer(CERTFILE,
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1345 ssl_version=ssl.PROTOCOL_TLSv1,
1346 starttls_server=True,
1347 chatty=True,
1348 connectionchatty=True)
1349 flag = threading.Event()
1350 server.start(flag)
1351 # wait for it to start
1352 flag.wait()
1353 # try to connect
1354 wrapped = False
1355 try:
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1356 s = socket.socket()
1357 s.setblocking(1)
1358 s.connect((HOST, server.port))
1359 if support.verbose:
1360 sys.stdout.write("\n")
1361 for indata in msgs:
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1362 if support.verbose:
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1363 sys.stdout.write(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1364 " client: sending %r...\n" % indata)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1365 if wrapped:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1366 conn.write(indata)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1367 outdata = conn.read()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1368 else:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1369 s.send(indata)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1370 outdata = s.recv(1024)
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1371 msg = outdata.strip().lower()
1372 if indata == b"STARTTLS" and msg.startswith(b"ok"):
1373 # STARTTLS ok, switch to secure mode
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1374 if support.verbose:
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1375 sys.stdout.write(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1376 " client: read %r from server, starting TLS...\n"
1377 % msg)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1378 conn = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1)
1379 wrapped = True
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1380 elif indata == b"ENDTLS" and msg.startswith(b"ok"):
1381 # ENDTLS ok, switch back to clear text
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1382 if support.verbose:
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1383 sys.stdout.write(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1384 " client: read %r from server, ending TLS...\n"
1385 % msg)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1386 s = conn.unwrap()
1387 wrapped = False
1388 else:
1389 if support.verbose:
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1390 sys.stdout.write(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1391 " client: read %r from server\n" % msg)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1392 if support.verbose:
1393 sys.stdout.write(" client: closing connection.\n")
1394 if wrapped:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1395 conn.write(b"over\n")
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1396 else:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1397 s.send(b"over\n")
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1398 if wrapped:
1399 conn.close()
1400 else:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1401 s.close()
1402 finally:
1403 server.stop()
1404 server.join()
1405
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1406 def test_socketserver(self):
1407 """Using a SocketServer to create and manage SSL connections."""
Antoine Pitrou803e6d62010-10-13 10:36:15 +0000[diff] [blame]1408 server = make_https_server(self, CERTFILE)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1409 # try to connect
Antoine Pitrou803e6d62010-10-13 10:36:15 +0000[diff] [blame]1410 if support.verbose:
1411 sys.stdout.write('\n')
1412 with open(CERTFILE, 'rb') as f:
1413 d1 = f.read()
1414 d2 = ''
1415 # now fetch the same data from the HTTPS server
1416 url = 'https://%s:%d/%s' % (
1417 HOST, server.port, os.path.split(CERTFILE)[1])
1418 f = urllib.request.urlopen(url)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1419 try:
Barry Warsaw820c1202008-06-12 04:06:45 +0000[diff] [blame]1420 dlen = f.info().get("content-length")
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1421 if dlen and (int(dlen) > 0):
1422 d2 = f.read(int(dlen))
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1423 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1424 sys.stdout.write(
1425 " client: read %d bytes from remote server '%s'\n"
1426 % (len(d2), server))
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1427 finally:
Antoine Pitrou803e6d62010-10-13 10:36:15 +0000[diff] [blame]1428 f.close()
1429 self.assertEqual(d1, d2)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1430
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1431 def test_asyncore_server(self):
1432 """Check the example asyncore integration."""
1433 indata = "TEST MESSAGE of mixed case\n"
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]1434
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1435 if support.verbose:
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]1436 sys.stdout.write("\n")
1437
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1438 indata = b"FOO\n"
Trent Nelson78520002008-04-10 20:54:35 +0000[diff] [blame]1439 server = AsyncoreEchoServer(CERTFILE)
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]1440 flag = threading.Event()
1441 server.start(flag)
1442 # wait for it to start
1443 flag.wait()
1444 # try to connect
1445 try:
1446 s = ssl.wrap_socket(socket.socket())
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1447 s.connect(('127.0.0.1', server.port))
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1448 if support.verbose:
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]1449 sys.stdout.write(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1450 " client: sending %r...\n" % indata)
1451 s.write(indata)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1452 outdata = s.read()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1453 if support.verbose:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1454 sys.stdout.write(" client: read %r\n" % outdata)
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]1455 if outdata != indata.lower():
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1456 self.fail(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1457 "bad data <<%r>> (%d) received; expected <<%r>> (%d)\n"
1458 % (outdata[:20], len(outdata),
1459 indata[:20].lower(), len(indata)))
1460 s.write(b"over\n")
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1461 if support.verbose:
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]1462 sys.stdout.write(" client: closing connection.\n")
1463 s.close()
Antoine Pitroued986362010-08-15 23:28:10 +0000[diff] [blame]1464 if support.verbose:
1465 sys.stdout.write(" client: connection closed.\n")
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]1466 finally:
Antoine Pitroued986362010-08-15 23:28:10 +0000[diff] [blame]1467 if support.verbose:
1468 sys.stdout.write(" cleanup: stopping server.\n")
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]1469 server.stop()
Antoine Pitroued986362010-08-15 23:28:10 +0000[diff] [blame]1470 if support.verbose:
1471 sys.stdout.write(" cleanup: joining server thread.\n")
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]1472 server.join()
Antoine Pitroued986362010-08-15 23:28:10 +0000[diff] [blame]1473 if support.verbose:
1474 sys.stdout.write(" cleanup: successfully joined.\n")
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]1475
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1476 def test_recv_send(self):
1477 """Test recv(), send() and friends."""
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]1478 if support.verbose:
1479 sys.stdout.write("\n")
1480
1481 server = ThreadedEchoServer(CERTFILE,
1482 certreqs=ssl.CERT_NONE,
1483 ssl_version=ssl.PROTOCOL_TLSv1,
1484 cacerts=CERTFILE,
1485 chatty=True,
1486 connectionchatty=False)
1487 flag = threading.Event()
1488 server.start(flag)
1489 # wait for it to start
1490 flag.wait()
1491 # try to connect
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]1492 s = ssl.wrap_socket(socket.socket(),
1493 server_side=False,
1494 certfile=CERTFILE,
1495 ca_certs=CERTFILE,
1496 cert_reqs=ssl.CERT_NONE,
1497 ssl_version=ssl.PROTOCOL_TLSv1)
1498 s.connect((HOST, server.port))
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]1499 try:
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]1500 # helper methods for standardising recv* method signatures
1501 def _recv_into():
1502 b = bytearray(b"\0"*100)
1503 count = s.recv_into(b)
1504 return b[:count]
1505
1506 def _recvfrom_into():
1507 b = bytearray(b"\0"*100)
1508 count, addr = s.recvfrom_into(b)
1509 return b[:count]
1510
1511 # (name, method, whether to expect success, *args)
1512 send_methods = [
1513 ('send', s.send, True, []),
1514 ('sendto', s.sendto, False, ["some.address"]),
1515 ('sendall', s.sendall, True, []),
1516 ]
1517 recv_methods = [
1518 ('recv', s.recv, True, []),
1519 ('recvfrom', s.recvfrom, False, ["some.address"]),
1520 ('recv_into', _recv_into, True, []),
1521 ('recvfrom_into', _recvfrom_into, False, []),
1522 ]
1523 data_prefix = "PREFIX_"
1524
1525 for meth_name, send_meth, expect_success, args in send_methods:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1526 indata = (data_prefix + meth_name).encode('ascii')
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]1527 try:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1528 send_meth(indata, *args)
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]1529 outdata = s.read()
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]1530 if outdata != indata.lower():
Georg Brandl89fad142010-03-14 10:23:39 +0000[diff] [blame]1531 self.fail(
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]1532 "While sending with <<{name:s}>> bad data "
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1533 "<<{outdata:r}>> ({nout:d}) received; "
1534 "expected <<{indata:r}>> ({nin:d})\n".format(
1535 name=meth_name, outdata=outdata[:20],
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]1536 nout=len(outdata),
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1537 indata=indata[:20], nin=len(indata)
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]1538 )
1539 )
1540 except ValueError as e:
1541 if expect_success:
Georg Brandl89fad142010-03-14 10:23:39 +0000[diff] [blame]1542 self.fail(
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]1543 "Failed to send with method <<{name:s}>>; "
1544 "expected to succeed.\n".format(name=meth_name)
1545 )
1546 if not str(e).startswith(meth_name):
Georg Brandl89fad142010-03-14 10:23:39 +0000[diff] [blame]1547 self.fail(
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]1548 "Method <<{name:s}>> failed with unexpected "
1549 "exception message: {exp:s}\n".format(
1550 name=meth_name, exp=e
1551 )
1552 )
1553
1554 for meth_name, recv_meth, expect_success, args in recv_methods:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1555 indata = (data_prefix + meth_name).encode('ascii')
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]1556 try:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1557 s.send(indata)
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]1558 outdata = recv_meth(*args)
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]1559 if outdata != indata.lower():
Georg Brandl89fad142010-03-14 10:23:39 +0000[diff] [blame]1560 self.fail(
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]1561 "While receiving with <<{name:s}>> bad data "
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1562 "<<{outdata:r}>> ({nout:d}) received; "
1563 "expected <<{indata:r}>> ({nin:d})\n".format(
1564 name=meth_name, outdata=outdata[:20],
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]1565 nout=len(outdata),
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1566 indata=indata[:20], nin=len(indata)
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]1567 )
1568 )
1569 except ValueError as e:
1570 if expect_success:
Georg Brandl89fad142010-03-14 10:23:39 +0000[diff] [blame]1571 self.fail(
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]1572 "Failed to receive with method <<{name:s}>>; "
1573 "expected to succeed.\n".format(name=meth_name)
1574 )
1575 if not str(e).startswith(meth_name):
Georg Brandl89fad142010-03-14 10:23:39 +0000[diff] [blame]1576 self.fail(
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]1577 "Method <<{name:s}>> failed with unexpected "
1578 "exception message: {exp:s}\n".format(
1579 name=meth_name, exp=e
1580 )
1581 )
1582 # consume data
1583 s.read()
1584
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1585 s.write(b"over\n")
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]1586 s.close()
1587 finally:
1588 server.stop()
1589 server.join()
1590
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]1591 def test_handshake_timeout(self):
1592 # Issue #5103: SSL handshake must respect the socket timeout
1593 server = socket.socket(socket.AF_INET)
1594 host = "127.0.0.1"
1595 port = support.bind_port(server)
1596 started = threading.Event()
1597 finish = False
1598
1599 def serve():
1600 server.listen(5)
1601 started.set()
1602 conns = []
1603 while not finish:
1604 r, w, e = select.select([server], [], [], 0.1)
1605 if server in r:
1606 # Let the socket hang around rather than having
1607 # it closed by garbage collection.
1608 conns.append(server.accept()[0])
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]1609 for sock in conns:
1610 sock.close()
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]1611
1612 t = threading.Thread(target=serve)
1613 t.start()
1614 started.wait()
1615
1616 try:
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]1617 try:
1618 c = socket.socket(socket.AF_INET)
1619 c.settimeout(0.2)
1620 c.connect((host, port))
1621 # Will attempt handshake and time out
Antoine Pitrouc4df7842010-12-03 19:59:41 +0000[diff] [blame]1622 self.assertRaisesRegex(socket.timeout, "timed out",
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1623 ssl.wrap_socket, c)
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]1624 finally:
1625 c.close()
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]1626 try:
1627 c = socket.socket(socket.AF_INET)
1628 c = ssl.wrap_socket(c)
1629 c.settimeout(0.2)
1630 # Will attempt handshake and time out
Antoine Pitrouc4df7842010-12-03 19:59:41 +0000[diff] [blame]1631 self.assertRaisesRegex(socket.timeout, "timed out",
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1632 c.connect, (host, port))
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]1633 finally:
1634 c.close()
1635 finally:
1636 finish = True
1637 t.join()
1638 server.close()
1639
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]1640
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]1641def test_main(verbose=False):
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]1642 if support.verbose:
1643 plats = {
1644 'Linux': platform.linux_distribution,
1645 'Mac': platform.mac_ver,
1646 'Windows': platform.win32_ver,
1647 }
1648 for name, func in plats.items():
1649 plat = func()
1650 if plat and plat[0]:
1651 plat = '%s %r' % (name, plat)
1652 break
1653 else:
1654 plat = repr(platform.platform())
1655 print("test_ssl: testing with %r %r" %
1656 (ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO))
1657 print(" under %s" % plat)
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]1658 print(" HAS_SNI = %r" % ssl.HAS_SNI)
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]1659
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1660 for filename in [
1661 CERTFILE, SVN_PYTHON_ORG_ROOT_CERT, BYTES_CERTFILE,
1662 ONLYCERT, ONLYKEY, BYTES_ONLYCERT, BYTES_ONLYKEY,
1663 BADCERT, BADKEY, EMPTYCERT]:
1664 if not os.path.exists(filename):
1665 raise support.TestFailed("Can't read certificate file %r" % filename)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1666
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1667 tests = [ContextTests, BasicSocketTests]
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]1668
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1669 if support.is_resource_enabled('network'):
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1670 tests.append(NetworkedTests)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]1671
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1672 if _have_threads:
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]1673 thread_info = support.threading_setup()
1674 if thread_info and support.is_resource_enabled('network'):
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]1675 tests.append(ThreadedTests)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]1676
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1677 try:
1678 support.run_unittest(*tests)
1679 finally:
1680 if _have_threads:
1681 support.threading_cleanup(*thread_info)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]1682
1683if __name__ == "__main__":
1684 test_main()