Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython3 / 91554e4c5ca3c762998296522f854a7166ba84f0 / . / Lib / test / test_ssl.py
blob: acb64f15fa0d391dd1557efb08da697a88f7c0a3 [file] [log] [blame]
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]1# Test the support for SSL and sockets
2
3import sys
4import unittest
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]5import unittest.mock
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]6from test import support
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]7from test.support import import_helper
8from test.support import os_helper
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]9from test.support import socket_helper
Hai Shie80697d2020-05-28 06:10:27 +0800[diff] [blame]10from test.support import threading_helper
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]11from test.support import warnings_helper
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]12import socket
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]13import select
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]14import time
Ethan Furmana02cb472021-04-21 10:20:44 -0700[diff] [blame]15import datetime
16import enum
Antoine Pitroucfcd8ad2010-04-23 23:31:47 +0000[diff] [blame]17import gc
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]18import os
Antoine Pitroucfcd8ad2010-04-23 23:31:47 +0000[diff] [blame]19import errno
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]20import pprint
Antoine Pitrou803e6d62010-10-13 10:36:15 +0000[diff] [blame]21import urllib.request
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]22import threading
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]23import traceback
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]24import asyncore
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]25import weakref
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]26import platform
Christian Heimes892d66e2018-01-29 14:10:18 +0100[diff] [blame]27import sysconfig
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]28import functools
Christian Heimes888bbdc2017-09-07 14:18:21 -0700[diff] [blame]29try:
30 import ctypes
31except ImportError:
32 ctypes = None
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]33
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]34ssl = import_helper.import_module("ssl")
Christian Heimes666991f2021-04-26 15:01:40 +0200[diff] [blame]35import _ssl
Antoine Pitrou05d936d2010-10-13 11:38:36 +0000[diff] [blame]36
Ethan Furmana02cb472021-04-21 10:20:44 -0700[diff] [blame]37from ssl import TLSVersion, _TLSContentType, _TLSMessageType, _TLSAlertType
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]38
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]39Py_DEBUG = hasattr(sys, 'gettotalrefcount')
40Py_DEBUG_WIN32 = Py_DEBUG and sys.platform == 'win32'
41
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]42PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]43HOST = socket_helper.HOST
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]44IS_OPENSSL_3_0_0 = ssl.OPENSSL_VERSION_INFO >= (3, 0, 0)
Christian Heimes892d66e2018-01-29 14:10:18 +0100[diff] [blame]45PY_SSL_DEFAULT_CIPHERS = sysconfig.get_config_var('PY_SSL_DEFAULT_CIPHERS')
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]46
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]47PROTOCOL_TO_TLS_VERSION = {}
48for proto, ver in (
49 ("PROTOCOL_SSLv23", "SSLv3"),
50 ("PROTOCOL_TLSv1", "TLSv1"),
51 ("PROTOCOL_TLSv1_1", "TLSv1_1"),
52):
53 try:
54 proto = getattr(ssl, proto)
55 ver = getattr(ssl.TLSVersion, ver)
56 except AttributeError:
57 continue
58 PROTOCOL_TO_TLS_VERSION[proto] = ver
59
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]60def data_file(*name):
61 return os.path.join(os.path.dirname(__file__), *name)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]62
Antoine Pitrou81564092010-10-08 23:06:24 +0000[diff] [blame]63# The custom key and certificate files used in test_ssl are generated
64# using Lib/test/make_ssl_certs.py.
65# Other certificates are simply fetched from the Internet servers they
66# are meant to authenticate.
67
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]68CERTFILE = data_file("keycert.pem")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]69BYTES_CERTFILE = os.fsencode(CERTFILE)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]70ONLYCERT = data_file("ssl_cert.pem")
71ONLYKEY = data_file("ssl_key.pem")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]72BYTES_ONLYCERT = os.fsencode(ONLYCERT)
73BYTES_ONLYKEY = os.fsencode(ONLYKEY)
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]74CERTFILE_PROTECTED = data_file("keycert.passwd.pem")
75ONLYKEY_PROTECTED = data_file("ssl_key.passwd.pem")
76KEY_PASSWORD = "somepass"
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]77CAPATH = data_file("capath")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]78BYTES_CAPATH = os.fsencode(CAPATH)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]79CAFILE_NEURONIO = data_file("capath", "4e1295a3.0")
80CAFILE_CACERT = data_file("capath", "5ed36f99.0")
81
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]82CERTFILE_INFO = {
83 'issuer': ((('countryName', 'XY'),),
84 (('localityName', 'Castle Anthrax'),),
85 (('organizationName', 'Python Software Foundation'),),
86 (('commonName', 'localhost'),)),
Christian Heimese6dac002018-08-30 07:25:49 +0200[diff] [blame]87 'notAfter': 'Aug 26 14:23:15 2028 GMT',
88 'notBefore': 'Aug 29 14:23:15 2018 GMT',
89 'serialNumber': '98A7CF88C74A32ED',
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]90 'subject': ((('countryName', 'XY'),),
91 (('localityName', 'Castle Anthrax'),),
92 (('organizationName', 'Python Software Foundation'),),
93 (('commonName', 'localhost'),)),
94 'subjectAltName': (('DNS', 'localhost'),),
95 'version': 3
96}
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]97
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]98# empty CRL
99CRLFILE = data_file("revocation.crl")
100
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]101# Two keys and certs signed by the same CA (for SNI tests)
102SIGNED_CERTFILE = data_file("keycert3.pem")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]103SIGNED_CERTFILE_HOSTNAME = 'localhost'
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]104
105SIGNED_CERTFILE_INFO = {
106 'OCSP': ('http://testca.pythontest.net/testca/ocsp/',),
107 'caIssuers': ('http://testca.pythontest.net/testca/pycacert.cer',),
108 'crlDistributionPoints': ('http://testca.pythontest.net/testca/revocation.crl',),
109 'issuer': ((('countryName', 'XY'),),
110 (('organizationName', 'Python Software Foundation CA'),),
111 (('commonName', 'our-ca-server'),)),
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]112 'notAfter': 'Oct 28 14:23:16 2037 GMT',
Christian Heimese6dac002018-08-30 07:25:49 +0200[diff] [blame]113 'notBefore': 'Aug 29 14:23:16 2018 GMT',
114 'serialNumber': 'CB2D80995A69525C',
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]115 'subject': ((('countryName', 'XY'),),
116 (('localityName', 'Castle Anthrax'),),
117 (('organizationName', 'Python Software Foundation'),),
118 (('commonName', 'localhost'),)),
119 'subjectAltName': (('DNS', 'localhost'),),
120 'version': 3
121}
122
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]123SIGNED_CERTFILE2 = data_file("keycert4.pem")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]124SIGNED_CERTFILE2_HOSTNAME = 'fakehostname'
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]125SIGNED_CERTFILE_ECC = data_file("keycertecc.pem")
126SIGNED_CERTFILE_ECC_HOSTNAME = 'localhost-ecc'
127
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]128# Same certificate as pycacert.pem, but without extra text in file
129SIGNING_CA = data_file("capath", "ceff1710.0")
Christian Heimes1c03abd2016-09-06 23:25:35 +0200[diff] [blame]130# cert with all kinds of subject alt names
131ALLSANFILE = data_file("allsans.pem")
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]132IDNSANSFILE = data_file("idnsans.pem")
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]133NOSANFILE = data_file("nosan.pem")
134NOSAN_HOSTNAME = 'localhost'
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]135
Martin Panter3d81d932016-01-14 09:36:00 +0000[diff] [blame]136REMOTE_HOST = "self-signed.pythontest.net"
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]137
138EMPTYCERT = data_file("nullcert.pem")
139BADCERT = data_file("badcert.pem")
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]140NONEXISTINGCERT = data_file("XXXnonexisting.pem")
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]141BADKEY = data_file("badkey.pem")
Antoine Pitroud8c347a2011-10-01 19:20:25 +0200[diff] [blame]142NOKIACERT = data_file("nokia.pem")
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]143NULLBYTECERT = data_file("nullbytecert.pem")
Christian Heimesa37f5242019-01-15 23:47:42 +0100[diff] [blame]144TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]145
Christian Heimes88bfd0b2018-08-14 12:54:19 +0200[diff] [blame]146DHFILE = data_file("ffdh3072.pem")
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]147BYTES_DHFILE = os.fsencode(DHFILE)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]148
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]149# Not defined in all versions of OpenSSL
150OP_NO_COMPRESSION = getattr(ssl, "OP_NO_COMPRESSION", 0)
151OP_SINGLE_DH_USE = getattr(ssl, "OP_SINGLE_DH_USE", 0)
152OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
153OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]154OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
Christian Heimes6f37ebc2021-04-09 17:59:21 +0200[diff] [blame]155OP_IGNORE_UNEXPECTED_EOF = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]156
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]157# Ubuntu has patched OpenSSL and changed behavior of security level 2
158# see https://bugs.python.org/issue41561#msg389003
159def is_ubuntu():
160 try:
161 # Assume that any references of "ubuntu" implies Ubuntu-like distro
162 # The workaround is not required for 18.04, but doesn't hurt either.
163 with open("/etc/os-release", encoding="utf-8") as f:
164 return "ubuntu" in f.read()
165 except FileNotFoundError:
166 return False
167
168if is_ubuntu():
169 def seclevel_workaround(*ctxs):
170 """"Lower security level to '1' and allow all ciphers for TLS 1.0/1"""
171 for ctx in ctxs:
Christian Heimes34477502021-04-12 12:00:38 +0200[diff] [blame]172 if (
173 hasattr(ctx, "minimum_version") and
174 ctx.minimum_version <= ssl.TLSVersion.TLSv1_1
175 ):
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]176 ctx.set_ciphers("@SECLEVEL=1:ALL")
177else:
178 def seclevel_workaround(*ctxs):
179 pass
180
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]181
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]182def has_tls_protocol(protocol):
183 """Check if a TLS protocol is available and enabled
184
185 :param protocol: enum ssl._SSLMethod member or name
186 :return: bool
187 """
188 if isinstance(protocol, str):
189 assert protocol.startswith('PROTOCOL_')
190 protocol = getattr(ssl, protocol, None)
191 if protocol is None:
192 return False
193 if protocol in {
194 ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS_SERVER,
195 ssl.PROTOCOL_TLS_CLIENT
196 }:
197 # auto-negotiate protocols are always available
198 return True
199 name = protocol.name
200 return has_tls_version(name[len('PROTOCOL_'):])
201
202
203@functools.lru_cache
204def has_tls_version(version):
205 """Check if a TLS/SSL version is enabled
206
207 :param version: TLS version name or ssl.TLSVersion member
208 :return: bool
209 """
210 if version == "SSLv2":
211 # never supported and not even in TLSVersion enum
212 return False
213
214 if isinstance(version, str):
215 version = ssl.TLSVersion.__members__[version]
216
217 # check compile time flags like ssl.HAS_TLSv1_2
218 if not getattr(ssl, f'HAS_{version.name}'):
219 return False
220
Christian Heimes5151d642021-04-09 15:43:06 +0200[diff] [blame]221 if IS_OPENSSL_3_0_0 and version < ssl.TLSVersion.TLSv1_2:
222 # bpo43791: 3.0.0-alpha14 fails with TLSV1_ALERT_INTERNAL_ERROR
223 return False
224
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]225 # check runtime and dynamic crypto policy settings. A TLS version may
226 # be compiled in but disabled by a policy or config option.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]227 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]228 if (
Christian Heimes9f772682019-09-26 18:23:17 +0200[diff] [blame]229 hasattr(ctx, 'minimum_version') and
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]230 ctx.minimum_version != ssl.TLSVersion.MINIMUM_SUPPORTED and
231 version < ctx.minimum_version
232 ):
233 return False
234 if (
Christian Heimes9f772682019-09-26 18:23:17 +0200[diff] [blame]235 hasattr(ctx, 'maximum_version') and
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]236 ctx.maximum_version != ssl.TLSVersion.MAXIMUM_SUPPORTED and
237 version > ctx.maximum_version
238 ):
239 return False
240
241 return True
242
243
244def requires_tls_version(version):
245 """Decorator to skip tests when a required TLS version is not available
246
247 :param version: TLS version name or ssl.TLSVersion member
248 :return:
249 """
250 def decorator(func):
251 @functools.wraps(func)
252 def wrapper(*args, **kw):
253 if not has_tls_version(version):
254 raise unittest.SkipTest(f"{version} is not available.")
255 else:
256 return func(*args, **kw)
257 return wrapper
258 return decorator
259
260
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]261def handle_error(prefix):
262 exc_format = ' '.join(traceback.format_exception(*sys.exc_info()))
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]263 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]264 sys.stdout.write(prefix + exc_format)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]265
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]266
Antoine Pitrouc695c952014-04-28 20:57:36 +0200[diff] [blame]267def utc_offset(): #NOTE: ignore issues like #1647654
268 # local time = utc time + utc offset
269 if time.daylight and time.localtime().tm_isdst > 0:
270 return -time.altzone # seconds
271 return -time.timezone
272
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]273
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]274ignore_deprecation = warnings_helper.ignore_warnings(
275 category=DeprecationWarning
276)
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]277
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]278
279def test_wrap_socket(sock, *,
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]280 cert_reqs=ssl.CERT_NONE, ca_certs=None,
281 ciphers=None, certfile=None, keyfile=None,
282 **kwargs):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]283 if not kwargs.get("server_side"):
284 kwargs["server_hostname"] = SIGNED_CERTFILE_HOSTNAME
285 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
286 else:
287 context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]288 if cert_reqs is not None:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]289 if cert_reqs == ssl.CERT_NONE:
290 context.check_hostname = False
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]291 context.verify_mode = cert_reqs
292 if ca_certs is not None:
293 context.load_verify_locations(ca_certs)
294 if certfile is not None or keyfile is not None:
295 context.load_cert_chain(certfile, keyfile)
296 if ciphers is not None:
297 context.set_ciphers(ciphers)
298 return context.wrap_socket(sock, **kwargs)
299
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]300
Christian Heimes666991f2021-04-26 15:01:40 +0200[diff] [blame]301def testing_context(server_cert=SIGNED_CERTFILE, *, server_chain=True):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]302 """Create context
303
304 client_context, server_context, hostname = testing_context()
305 """
306 if server_cert == SIGNED_CERTFILE:
307 hostname = SIGNED_CERTFILE_HOSTNAME
308 elif server_cert == SIGNED_CERTFILE2:
309 hostname = SIGNED_CERTFILE2_HOSTNAME
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]310 elif server_cert == NOSANFILE:
311 hostname = NOSAN_HOSTNAME
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]312 else:
313 raise ValueError(server_cert)
314
315 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
316 client_context.load_verify_locations(SIGNING_CA)
317
318 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
319 server_context.load_cert_chain(server_cert)
Christian Heimes666991f2021-04-26 15:01:40 +0200[diff] [blame]320 if server_chain:
321 server_context.load_verify_locations(SIGNING_CA)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]322
323 return client_context, server_context, hostname
324
325
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]326class BasicSocketTests(unittest.TestCase):
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]327
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]328 def test_constants(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]329 ssl.CERT_NONE
330 ssl.CERT_OPTIONAL
331 ssl.CERT_REQUIRED
Antoine Pitrou6db49442011-12-19 13:27:11 +0100[diff] [blame]332 ssl.OP_CIPHER_SERVER_PREFERENCE
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]333 ssl.OP_SINGLE_DH_USE
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]334 ssl.OP_SINGLE_ECDH_USE
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]335 ssl.OP_NO_COMPRESSION
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]336 self.assertEqual(ssl.HAS_SNI, True)
337 self.assertEqual(ssl.HAS_ECDH, True)
338 self.assertEqual(ssl.HAS_TLSv1_2, True)
339 self.assertEqual(ssl.HAS_TLSv1_3, True)
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]340 ssl.OP_NO_SSLv2
341 ssl.OP_NO_SSLv3
342 ssl.OP_NO_TLSv1
343 ssl.OP_NO_TLSv1_3
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]344 ssl.OP_NO_TLSv1_1
345 ssl.OP_NO_TLSv1_2
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]346 self.assertEqual(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv23)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]347
Christian Heimes91554e42021-05-02 09:47:45 +0200[diff] [blame^]348 def test_ssl_types(self):
349 ssl_types = [
350 _ssl._SSLContext,
351 _ssl._SSLSocket,
352 _ssl.MemoryBIO,
353 _ssl.Certificate,
354 _ssl.SSLSession,
355 _ssl.SSLError,
356 ]
357 for ssl_type in ssl_types:
358 with self.subTest(ssl_type=ssl_type):
359 with self.assertRaisesRegex(TypeError, "immutable type"):
360 ssl_type.value = None
361 with self.assertRaisesRegex(
362 TypeError,
363 "cannot create '_ssl.Certificate' instances"
364 ):
365 _ssl.Certificate()
366
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]367 def test_private_init(self):
368 with self.assertRaisesRegex(TypeError, "public constructor"):
369 with socket.socket() as s:
370 ssl.SSLSocket(s)
371
Antoine Pitrou172f0252014-04-18 20:33:08 +0200[diff] [blame]372 def test_str_for_enums(self):
373 # Make sure that the PROTOCOL_* constants have enum-like string
374 # reprs.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]375 proto = ssl.PROTOCOL_TLS_CLIENT
376 self.assertEqual(str(proto), 'PROTOCOL_TLS_CLIENT')
Antoine Pitrou172f0252014-04-18 20:33:08 +0200[diff] [blame]377 ctx = ssl.SSLContext(proto)
378 self.assertIs(ctx.protocol, proto)
379
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]380 def test_random(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]381 v = ssl.RAND_status()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]382 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]383 sys.stdout.write("\n RAND_status is %d (%s)\n"
384 % (v, (v and "sufficient randomness") or
385 "insufficient randomness"))
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]386
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]387 with warnings_helper.check_warnings():
388 data, is_cryptographic = ssl.RAND_pseudo_bytes(16)
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]389 self.assertEqual(len(data), 16)
390 self.assertEqual(is_cryptographic, v == 1)
391 if v:
392 data = ssl.RAND_bytes(16)
393 self.assertEqual(len(data), 16)
Victor Stinner2e2baa92011-05-25 11:15:16 +0200[diff] [blame]394 else:
395 self.assertRaises(ssl.SSLError, ssl.RAND_bytes, 16)
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]396
Victor Stinner1e81a392013-12-19 16:47:04 +0100[diff] [blame]397 # negative num is invalid
398 self.assertRaises(ValueError, ssl.RAND_bytes, -5)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]399 with warnings_helper.check_warnings():
400 self.assertRaises(ValueError, ssl.RAND_pseudo_bytes, -5)
Victor Stinner1e81a392013-12-19 16:47:04 +0100[diff] [blame]401
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]402 ssl.RAND_add("this is a random string", 75.0)
Serhiy Storchaka8490f5a2015-03-20 09:00:36 +0200[diff] [blame]403 ssl.RAND_add(b"this is a random bytes object", 75.0)
404 ssl.RAND_add(bytearray(b"this is a random bytearray object"), 75.0)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]405
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]406 def test_parse_cert(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]407 # note that this uses an 'unofficial' function in _ssl.c,
408 # provided solely for this test, to exercise the certificate
409 # parsing code
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]410 self.assertEqual(
411 ssl._ssl._test_decode_cert(CERTFILE),
412 CERTFILE_INFO
413 )
414 self.assertEqual(
415 ssl._ssl._test_decode_cert(SIGNED_CERTFILE),
416 SIGNED_CERTFILE_INFO
417 )
418
Antoine Pitroud8c347a2011-10-01 19:20:25 +0200[diff] [blame]419 # Issue #13034: the subjectAltName in some certificates
420 # (notably projects.developer.nokia.com:443) wasn't parsed
421 p = ssl._ssl._test_decode_cert(NOKIACERT)
422 if support.verbose:
423 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
424 self.assertEqual(p['subjectAltName'],
425 (('DNS', 'projects.developer.nokia.com'),
426 ('DNS', 'projects.forum.nokia.com'))
427 )
Christian Heimesbd3a7f92013-11-21 03:40:15 +0100[diff] [blame]428 # extra OCSP and AIA fields
429 self.assertEqual(p['OCSP'], ('http://ocsp.verisign.com',))
430 self.assertEqual(p['caIssuers'],
431 ('http://SVRIntl-G3-aia.verisign.com/SVRIntlG3.cer',))
432 self.assertEqual(p['crlDistributionPoints'],
433 ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]434
Christian Heimesa37f5242019-01-15 23:47:42 +0100[diff] [blame]435 def test_parse_cert_CVE_2019_5010(self):
436 p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)
437 if support.verbose:
438 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
439 self.assertEqual(
440 p,
441 {
442 'issuer': (
443 (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),
444 'notAfter': 'Jun 14 18:00:58 2028 GMT',
445 'notBefore': 'Jun 18 18:00:58 2018 GMT',
446 'serialNumber': '02',
447 'subject': ((('countryName', 'UK'),),
448 (('commonName',
449 'codenomicon-vm-2.test.lal.cisco.com'),)),
450 'subjectAltName': (
451 ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),
452 'version': 3
453 }
454 )
455
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]456 def test_parse_cert_CVE_2013_4238(self):
457 p = ssl._ssl._test_decode_cert(NULLBYTECERT)
458 if support.verbose:
459 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
460 subject = ((('countryName', 'US'),),
461 (('stateOrProvinceName', 'Oregon'),),
462 (('localityName', 'Beaverton'),),
463 (('organizationName', 'Python Software Foundation'),),
464 (('organizationalUnitName', 'Python Core Development'),),
465 (('commonName', 'null.python.org\x00example.org'),),
466 (('emailAddress', 'python-dev@python.org'),))
467 self.assertEqual(p['subject'], subject)
468 self.assertEqual(p['issuer'], subject)
Christian Heimes157c9832013-08-25 14:12:41 +0200[diff] [blame]469 if ssl._OPENSSL_API_VERSION >= (0, 9, 8):
470 san = (('DNS', 'altnull.python.org\x00example.com'),
471 ('email', 'null@python.org\x00user@example.org'),
472 ('URI', 'http://null.python.org\x00http://example.org'),
473 ('IP Address', '192.0.2.1'),
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]474 ('IP Address', '2001:DB8:0:0:0:0:0:1'))
Christian Heimes157c9832013-08-25 14:12:41 +0200[diff] [blame]475 else:
476 # OpenSSL 0.9.7 doesn't support IPv6 addresses in subjectAltName
477 san = (('DNS', 'altnull.python.org\x00example.com'),
478 ('email', 'null@python.org\x00user@example.org'),
479 ('URI', 'http://null.python.org\x00http://example.org'),
480 ('IP Address', '192.0.2.1'),
481 ('IP Address', '<invalid>'))
482
483 self.assertEqual(p['subjectAltName'], san)
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]484
Christian Heimes1c03abd2016-09-06 23:25:35 +0200[diff] [blame]485 def test_parse_all_sans(self):
486 p = ssl._ssl._test_decode_cert(ALLSANFILE)
487 self.assertEqual(p['subjectAltName'],
488 (
489 ('DNS', 'allsans'),
490 ('othername', '<unsupported>'),
491 ('othername', '<unsupported>'),
492 ('email', 'user@example.org'),
493 ('DNS', 'www.example.org'),
494 ('DirName',
495 ((('countryName', 'XY'),),
496 (('localityName', 'Castle Anthrax'),),
497 (('organizationName', 'Python Software Foundation'),),
498 (('commonName', 'dirname example'),))),
499 ('URI', 'https://www.python.org/'),
500 ('IP Address', '127.0.0.1'),
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]501 ('IP Address', '0:0:0:0:0:0:0:1'),
Christian Heimes1c03abd2016-09-06 23:25:35 +0200[diff] [blame]502 ('Registered ID', '1.2.3.4.5')
503 )
504 )
505
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]506 def test_DER_to_PEM(self):
Martin Panter3d81d932016-01-14 09:36:00 +0000[diff] [blame]507 with open(CAFILE_CACERT, 'r') as f:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]508 pem = f.read()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]509 d1 = ssl.PEM_cert_to_DER_cert(pem)
510 p2 = ssl.DER_cert_to_PEM_cert(d1)
511 d2 = ssl.PEM_cert_to_DER_cert(p2)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]512 self.assertEqual(d1, d2)
Antoine Pitrou9bfbe612010-04-27 22:08:08 +0000[diff] [blame]513 if not p2.startswith(ssl.PEM_HEADER + '\n'):
514 self.fail("DER-to-PEM didn't include correct header:\n%r\n" % p2)
515 if not p2.endswith('\n' + ssl.PEM_FOOTER + '\n'):
516 self.fail("DER-to-PEM didn't include correct footer:\n%r\n" % p2)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]517
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]518 def test_openssl_version(self):
519 n = ssl.OPENSSL_VERSION_NUMBER
520 t = ssl.OPENSSL_VERSION_INFO
521 s = ssl.OPENSSL_VERSION
522 self.assertIsInstance(n, int)
523 self.assertIsInstance(t, tuple)
524 self.assertIsInstance(s, str)
525 # Some sanity checks follow
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]526 # >= 1.1.1
527 self.assertGreaterEqual(n, 0x10101000)
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]528 # < 4.0
529 self.assertLess(n, 0x40000000)
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]530 major, minor, fix, patch, status = t
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]531 self.assertGreaterEqual(major, 1)
532 self.assertLess(major, 4)
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]533 self.assertGreaterEqual(minor, 0)
534 self.assertLess(minor, 256)
535 self.assertGreaterEqual(fix, 0)
536 self.assertLess(fix, 256)
537 self.assertGreaterEqual(patch, 0)
Ned Deily05784a72015-02-05 17:20:13 +1100[diff] [blame]538 self.assertLessEqual(patch, 63)
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]539 self.assertGreaterEqual(status, 0)
540 self.assertLessEqual(status, 15)
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]541
542 libressl_ver = f"LibreSSL {major:d}"
543 openssl_ver = f"OpenSSL {major:d}.{minor:d}.{fix:d}"
544 self.assertTrue(
545 s.startswith((openssl_ver, libressl_ver)),
546 (s, t, hex(n))
547 )
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]548
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]549 @support.cpython_only
550 def test_refcycle(self):
551 # Issue #7943: an SSL object doesn't create reference cycles with
552 # itself.
553 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]554 ss = test_wrap_socket(s)
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]555 wr = weakref.ref(ss)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]556 with warnings_helper.check_warnings(("", ResourceWarning)):
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]557 del ss
Victor Stinnere0b75b72016-03-21 17:26:04 +0100[diff] [blame]558 self.assertEqual(wr(), None)
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]559
Antoine Pitroua468adc2010-09-14 14:43:44 +0000[diff] [blame]560 def test_wrapped_unconnected(self):
561 # Methods on an unconnected SSLSocket propagate the original
Andrew Svetlov0832af62012-12-18 23:10:48 +0200[diff] [blame]562 # OSError raise by the underlying socket object.
Antoine Pitroua468adc2010-09-14 14:43:44 +0000[diff] [blame]563 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]564 with test_wrap_socket(s) as ss:
Antoine Pitroue9bb4732013-01-12 21:56:56 +0100[diff] [blame]565 self.assertRaises(OSError, ss.recv, 1)
566 self.assertRaises(OSError, ss.recv_into, bytearray(b'x'))
567 self.assertRaises(OSError, ss.recvfrom, 1)
568 self.assertRaises(OSError, ss.recvfrom_into, bytearray(b'x'), 1)
569 self.assertRaises(OSError, ss.send, b'x')
570 self.assertRaises(OSError, ss.sendto, b'x', ('0.0.0.0', 0))
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]571 self.assertRaises(NotImplementedError, ss.dup)
Christian Heimes141c5e82018-02-24 21:10:57 +0100[diff] [blame]572 self.assertRaises(NotImplementedError, ss.sendmsg,
573 [b'x'], (), 0, ('0.0.0.0', 0))
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]574 self.assertRaises(NotImplementedError, ss.recvmsg, 100)
575 self.assertRaises(NotImplementedError, ss.recvmsg_into,
576 [bytearray(100)])
Antoine Pitroua468adc2010-09-14 14:43:44 +0000[diff] [blame]577
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]578 def test_timeout(self):
579 # Issue #8524: when creating an SSL socket, the timeout of the
580 # original socket should be retained.
581 for timeout in (None, 0.0, 5.0):
582 s = socket.socket(socket.AF_INET)
583 s.settimeout(timeout)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]584 with test_wrap_socket(s) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]585 self.assertEqual(timeout, ss.gettimeout())
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]586
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]587 @ignore_deprecation
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]588 def test_errors_sslwrap(self):
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]589 sock = socket.socket()
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]590 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]591 "certfile must be specified",
592 ssl.wrap_socket, sock, keyfile=CERTFILE)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]593 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]594 "certfile must be specified for server-side operations",
595 ssl.wrap_socket, sock, server_side=True)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]596 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]597 "certfile must be specified for server-side operations",
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]598 ssl.wrap_socket, sock, server_side=True, certfile="")
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]599 with ssl.wrap_socket(sock, server_side=True, certfile=CERTFILE) as s:
600 self.assertRaisesRegex(ValueError, "can't connect in server-side mode",
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]601 s.connect, (HOST, 8080))
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]602 with self.assertRaises(OSError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]603 with socket.socket() as sock:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]604 ssl.wrap_socket(sock, certfile=NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]605 self.assertEqual(cm.exception.errno, errno.ENOENT)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]606 with self.assertRaises(OSError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]607 with socket.socket() as sock:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]608 ssl.wrap_socket(sock,
609 certfile=CERTFILE, keyfile=NONEXISTINGCERT)
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]610 self.assertEqual(cm.exception.errno, errno.ENOENT)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]611 with self.assertRaises(OSError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]612 with socket.socket() as sock:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]613 ssl.wrap_socket(sock,
614 certfile=NONEXISTINGCERT, keyfile=NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]615 self.assertEqual(cm.exception.errno, errno.ENOENT)
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]616
Martin Panter3464ea22016-02-01 21:58:11 +0000[diff] [blame]617 def bad_cert_test(self, certfile):
618 """Check that trying to use the given client certificate fails"""
619 certfile = os.path.join(os.path.dirname(__file__) or os.curdir,
620 certfile)
621 sock = socket.socket()
622 self.addCleanup(sock.close)
623 with self.assertRaises(ssl.SSLError):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]624 test_wrap_socket(sock,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]625 certfile=certfile)
Martin Panter3464ea22016-02-01 21:58:11 +0000[diff] [blame]626
627 def test_empty_cert(self):
628 """Wrapping with an empty cert file"""
629 self.bad_cert_test("nullcert.pem")
630
631 def test_malformed_cert(self):
632 """Wrapping with a badly formatted certificate (syntax error)"""
633 self.bad_cert_test("badcert.pem")
634
635 def test_malformed_key(self):
636 """Wrapping with a badly formatted key (syntax error)"""
637 self.bad_cert_test("badkey.pem")
638
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]639 @ignore_deprecation
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]640 def test_match_hostname(self):
641 def ok(cert, hostname):
642 ssl.match_hostname(cert, hostname)
643 def fail(cert, hostname):
644 self.assertRaises(ssl.CertificateError,
645 ssl.match_hostname, cert, hostname)
646
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]647 # -- Hostname matching --
648
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]649 cert = {'subject': ((('commonName', 'example.com'),),)}
650 ok(cert, 'example.com')
651 ok(cert, 'ExAmple.cOm')
652 fail(cert, 'www.example.com')
653 fail(cert, '.example.com')
654 fail(cert, 'example.org')
655 fail(cert, 'exampleXcom')
656
657 cert = {'subject': ((('commonName', '*.a.com'),),)}
658 ok(cert, 'foo.a.com')
659 fail(cert, 'bar.foo.a.com')
660 fail(cert, 'a.com')
661 fail(cert, 'Xa.com')
662 fail(cert, '.a.com')
663
Mandeep Singhede2ac92017-11-27 04:01:27 +0530[diff] [blame]664 # only match wildcards when they are the only thing
665 # in left-most segment
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]666 cert = {'subject': ((('commonName', 'f*.com'),),)}
Mandeep Singhede2ac92017-11-27 04:01:27 +0530[diff] [blame]667 fail(cert, 'foo.com')
668 fail(cert, 'f.com')
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]669 fail(cert, 'bar.com')
670 fail(cert, 'foo.a.com')
671 fail(cert, 'bar.foo.com')
672
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]673 # NULL bytes are bad, CVE-2013-4073
674 cert = {'subject': ((('commonName',
675 'null.python.org\x00example.org'),),)}
676 ok(cert, 'null.python.org\x00example.org') # or raise an error?
677 fail(cert, 'example.org')
678 fail(cert, 'null.python.org')
679
Georg Brandl72c98d32013-10-27 07:16:53 +0100[diff] [blame]680 # error cases with wildcards
681 cert = {'subject': ((('commonName', '*.*.a.com'),),)}
682 fail(cert, 'bar.foo.a.com')
683 fail(cert, 'a.com')
684 fail(cert, 'Xa.com')
685 fail(cert, '.a.com')
686
687 cert = {'subject': ((('commonName', 'a.*.com'),),)}
688 fail(cert, 'a.foo.com')
689 fail(cert, 'a..com')
690 fail(cert, 'a.com')
691
692 # wildcard doesn't match IDNA prefix 'xn--'
693 idna = 'püthon.python.org'.encode("idna").decode("ascii")
694 cert = {'subject': ((('commonName', idna),),)}
695 ok(cert, idna)
696 cert = {'subject': ((('commonName', 'x*.python.org'),),)}
697 fail(cert, idna)
698 cert = {'subject': ((('commonName', 'xn--p*.python.org'),),)}
699 fail(cert, idna)
700
701 # wildcard in first fragment and IDNA A-labels in sequent fragments
702 # are supported.
703 idna = 'www*.pythön.org'.encode("idna").decode("ascii")
704 cert = {'subject': ((('commonName', idna),),)}
Mandeep Singhede2ac92017-11-27 04:01:27 +0530[diff] [blame]705 fail(cert, 'www.pythön.org'.encode("idna").decode("ascii"))
706 fail(cert, 'www1.pythön.org'.encode("idna").decode("ascii"))
Georg Brandl72c98d32013-10-27 07:16:53 +0100[diff] [blame]707 fail(cert, 'ftp.pythön.org'.encode("idna").decode("ascii"))
708 fail(cert, 'pythön.org'.encode("idna").decode("ascii"))
709
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]710 # Slightly fake real-world example
711 cert = {'notAfter': 'Jun 26 21:41:46 2011 GMT',
712 'subject': ((('commonName', 'linuxfrz.org'),),),
713 'subjectAltName': (('DNS', 'linuxfr.org'),
714 ('DNS', 'linuxfr.com'),
715 ('othername', '<unsupported>'))}
716 ok(cert, 'linuxfr.org')
717 ok(cert, 'linuxfr.com')
718 # Not a "DNS" entry
719 fail(cert, '<unsupported>')
720 # When there is a subjectAltName, commonName isn't used
721 fail(cert, 'linuxfrz.org')
722
723 # A pristine real-world example
724 cert = {'notAfter': 'Dec 18 23:59:59 2011 GMT',
725 'subject': ((('countryName', 'US'),),
726 (('stateOrProvinceName', 'California'),),
727 (('localityName', 'Mountain View'),),
728 (('organizationName', 'Google Inc'),),
729 (('commonName', 'mail.google.com'),))}
730 ok(cert, 'mail.google.com')
731 fail(cert, 'gmail.com')
732 # Only commonName is considered
733 fail(cert, 'California')
734
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]735 # -- IPv4 matching --
736 cert = {'subject': ((('commonName', 'example.com'),),),
737 'subjectAltName': (('DNS', 'example.com'),
738 ('IP Address', '10.11.12.13'),
Christian Heimes477b1b22019-07-02 20:39:42 +0200[diff] [blame]739 ('IP Address', '14.15.16.17'),
740 ('IP Address', '127.0.0.1'))}
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]741 ok(cert, '10.11.12.13')
742 ok(cert, '14.15.16.17')
Christian Heimes477b1b22019-07-02 20:39:42 +0200[diff] [blame]743 # socket.inet_ntoa(socket.inet_aton('127.1')) == '127.0.0.1'
744 fail(cert, '127.1')
745 fail(cert, '14.15.16.17 ')
746 fail(cert, '14.15.16.17 extra data')
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]747 fail(cert, '14.15.16.18')
748 fail(cert, 'example.net')
749
750 # -- IPv6 matching --
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]751 if socket_helper.IPV6_ENABLED:
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]752 cert = {'subject': ((('commonName', 'example.com'),),),
753 'subjectAltName': (
754 ('DNS', 'example.com'),
755 ('IP Address', '2001:0:0:0:0:0:0:CAFE\n'),
756 ('IP Address', '2003:0:0:0:0:0:0:BABA\n'))}
757 ok(cert, '2001::cafe')
758 ok(cert, '2003::baba')
Christian Heimes477b1b22019-07-02 20:39:42 +0200[diff] [blame]759 fail(cert, '2003::baba ')
760 fail(cert, '2003::baba extra data')
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]761 fail(cert, '2003::bebe')
762 fail(cert, 'example.net')
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]763
764 # -- Miscellaneous --
765
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]766 # Neither commonName nor subjectAltName
767 cert = {'notAfter': 'Dec 18 23:59:59 2011 GMT',
768 'subject': ((('countryName', 'US'),),
769 (('stateOrProvinceName', 'California'),),
770 (('localityName', 'Mountain View'),),
771 (('organizationName', 'Google Inc'),))}
772 fail(cert, 'mail.google.com')
773
Antoine Pitrou1c86b442011-05-06 15:19:49 +0200[diff] [blame]774 # No DNS entry in subjectAltName but a commonName
775 cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
776 'subject': ((('countryName', 'US'),),
777 (('stateOrProvinceName', 'California'),),
778 (('localityName', 'Mountain View'),),
779 (('commonName', 'mail.google.com'),)),
780 'subjectAltName': (('othername', 'blabla'), )}
781 ok(cert, 'mail.google.com')
782
783 # No DNS entry subjectAltName and no commonName
784 cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
785 'subject': ((('countryName', 'US'),),
786 (('stateOrProvinceName', 'California'),),
787 (('localityName', 'Mountain View'),),
788 (('organizationName', 'Google Inc'),)),
789 'subjectAltName': (('othername', 'blabla'),)}
790 fail(cert, 'google.com')
791
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]792 # Empty cert / no cert
793 self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
794 self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
795
Antoine Pitrou636f93c2013-05-18 17:56:42 +0200[diff] [blame]796 # Issue #17980: avoid denials of service by refusing more than one
797 # wildcard per fragment.
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]798 cert = {'subject': ((('commonName', 'a*b.example.com'),),)}
799 with self.assertRaisesRegex(
800 ssl.CertificateError,
801 "partial wildcards in leftmost label are not supported"):
802 ssl.match_hostname(cert, 'axxb.example.com')
803
804 cert = {'subject': ((('commonName', 'www.*.example.com'),),)}
805 with self.assertRaisesRegex(
806 ssl.CertificateError,
807 "wildcard can only be present in the leftmost label"):
808 ssl.match_hostname(cert, 'www.sub.example.com')
809
810 cert = {'subject': ((('commonName', 'a*b*.example.com'),),)}
811 with self.assertRaisesRegex(
812 ssl.CertificateError,
813 "too many wildcards"):
814 ssl.match_hostname(cert, 'axxbxxc.example.com')
815
816 cert = {'subject': ((('commonName', '*'),),)}
817 with self.assertRaisesRegex(
818 ssl.CertificateError,
819 "sole wildcard without additional labels are not support"):
820 ssl.match_hostname(cert, 'host')
821
822 cert = {'subject': ((('commonName', '*.com'),),)}
823 with self.assertRaisesRegex(
824 ssl.CertificateError,
825 r"hostname 'com' doesn't match '\*.com'"):
826 ssl.match_hostname(cert, 'com')
827
828 # extra checks for _inet_paton()
829 for invalid in ['1', '', '1.2.3', '256.0.0.1', '127.0.0.1/24']:
830 with self.assertRaises(ValueError):
831 ssl._inet_paton(invalid)
832 for ipaddr in ['127.0.0.1', '192.168.0.1']:
833 self.assertTrue(ssl._inet_paton(ipaddr))
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]834 if socket_helper.IPV6_ENABLED:
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]835 for ipaddr in ['::1', '2001:db8:85a3::8a2e:370:7334']:
836 self.assertTrue(ssl._inet_paton(ipaddr))
Antoine Pitrou636f93c2013-05-18 17:56:42 +0200[diff] [blame]837
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]838 def test_server_side(self):
839 # server_hostname doesn't work for server sockets
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]840 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]841 with socket.socket() as sock:
842 self.assertRaises(ValueError, ctx.wrap_socket, sock, True,
843 server_hostname="some.hostname")
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]844
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]845 def test_unknown_channel_binding(self):
846 # should raise ValueError for unknown type
Giampaolo Rodolaeb7e29f2019-04-09 00:34:02 +0200[diff] [blame]847 s = socket.create_server(('127.0.0.1', 0))
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]848 c = socket.socket(socket.AF_INET)
849 c.connect(s.getsockname())
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]850 with test_wrap_socket(c, do_handshake_on_connect=False) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]851 with self.assertRaises(ValueError):
852 ss.get_channel_binding("unknown-type")
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]853 s.close()
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]854
855 @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
856 "'tls-unique' channel binding not available")
857 def test_tls_unique_channel_binding(self):
858 # unconnected should return None for known type
859 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]860 with test_wrap_socket(s) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]861 self.assertIsNone(ss.get_channel_binding("tls-unique"))
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]862 # the same for server-side
863 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]864 with test_wrap_socket(s, server_side=True, certfile=CERTFILE) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]865 self.assertIsNone(ss.get_channel_binding("tls-unique"))
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]866
Benjamin Peterson36f7b972013-01-10 14:16:20 -0600[diff] [blame]867 def test_dealloc_warn(self):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]868 ss = test_wrap_socket(socket.socket(socket.AF_INET))
Benjamin Peterson36f7b972013-01-10 14:16:20 -0600[diff] [blame]869 r = repr(ss)
870 with self.assertWarns(ResourceWarning) as cm:
871 ss = None
872 support.gc_collect()
873 self.assertIn(r, str(cm.warning.args[0]))
874
Christian Heimes6d7ad132013-06-09 18:02:55 +0200[diff] [blame]875 def test_get_default_verify_paths(self):
876 paths = ssl.get_default_verify_paths()
877 self.assertEqual(len(paths), 6)
878 self.assertIsInstance(paths, ssl.DefaultVerifyPaths)
879
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]880 with os_helper.EnvironmentVarGuard() as env:
Christian Heimes6d7ad132013-06-09 18:02:55 +0200[diff] [blame]881 env["SSL_CERT_DIR"] = CAPATH
882 env["SSL_CERT_FILE"] = CERTFILE
883 paths = ssl.get_default_verify_paths()
884 self.assertEqual(paths.cafile, CERTFILE)
885 self.assertEqual(paths.capath, CAPATH)
886
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]887 @unittest.skipUnless(sys.platform == "win32", "Windows specific")
888 def test_enum_certificates(self):
889 self.assertTrue(ssl.enum_certificates("CA"))
890 self.assertTrue(ssl.enum_certificates("ROOT"))
891
892 self.assertRaises(TypeError, ssl.enum_certificates)
893 self.assertRaises(WindowsError, ssl.enum_certificates, "")
894
Christian Heimesc2d65e12013-11-22 16:13:55 +0100[diff] [blame]895 trust_oids = set()
896 for storename in ("CA", "ROOT"):
897 store = ssl.enum_certificates(storename)
898 self.assertIsInstance(store, list)
899 for element in store:
900 self.assertIsInstance(element, tuple)
901 self.assertEqual(len(element), 3)
902 cert, enc, trust = element
903 self.assertIsInstance(cert, bytes)
904 self.assertIn(enc, {"x509_asn", "pkcs_7_asn"})
Christian Heimes915cd3f2019-09-09 18:06:55 +0200[diff] [blame]905 self.assertIsInstance(trust, (frozenset, set, bool))
906 if isinstance(trust, (frozenset, set)):
Christian Heimesc2d65e12013-11-22 16:13:55 +0100[diff] [blame]907 trust_oids.update(trust)
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]908
909 serverAuth = "1.3.6.1.5.5.7.3.1"
Christian Heimesc2d65e12013-11-22 16:13:55 +0100[diff] [blame]910 self.assertIn(serverAuth, trust_oids)
Christian Heimes6d7ad132013-06-09 18:02:55 +0200[diff] [blame]911
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]912 @unittest.skipUnless(sys.platform == "win32", "Windows specific")
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]913 def test_enum_crls(self):
914 self.assertTrue(ssl.enum_crls("CA"))
915 self.assertRaises(TypeError, ssl.enum_crls)
916 self.assertRaises(WindowsError, ssl.enum_crls, "")
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]917
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]918 crls = ssl.enum_crls("CA")
919 self.assertIsInstance(crls, list)
920 for element in crls:
921 self.assertIsInstance(element, tuple)
922 self.assertEqual(len(element), 2)
923 self.assertIsInstance(element[0], bytes)
924 self.assertIn(element[1], {"x509_asn", "pkcs_7_asn"})
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]925
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]926
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]927 def test_asn1object(self):
928 expected = (129, 'serverAuth', 'TLS Web Server Authentication',
929 '1.3.6.1.5.5.7.3.1')
930
931 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')
932 self.assertEqual(val, expected)
933 self.assertEqual(val.nid, 129)
934 self.assertEqual(val.shortname, 'serverAuth')
935 self.assertEqual(val.longname, 'TLS Web Server Authentication')
936 self.assertEqual(val.oid, '1.3.6.1.5.5.7.3.1')
937 self.assertIsInstance(val, ssl._ASN1Object)
938 self.assertRaises(ValueError, ssl._ASN1Object, 'serverAuth')
939
940 val = ssl._ASN1Object.fromnid(129)
941 self.assertEqual(val, expected)
942 self.assertIsInstance(val, ssl._ASN1Object)
943 self.assertRaises(ValueError, ssl._ASN1Object.fromnid, -1)
Christian Heimes5398e1a2013-11-22 16:20:53 +0100[diff] [blame]944 with self.assertRaisesRegex(ValueError, "unknown NID 100000"):
945 ssl._ASN1Object.fromnid(100000)
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]946 for i in range(1000):
947 try:
948 obj = ssl._ASN1Object.fromnid(i)
949 except ValueError:
950 pass
951 else:
952 self.assertIsInstance(obj.nid, int)
953 self.assertIsInstance(obj.shortname, str)
954 self.assertIsInstance(obj.longname, str)
955 self.assertIsInstance(obj.oid, (str, type(None)))
956
957 val = ssl._ASN1Object.fromname('TLS Web Server Authentication')
958 self.assertEqual(val, expected)
959 self.assertIsInstance(val, ssl._ASN1Object)
960 self.assertEqual(ssl._ASN1Object.fromname('serverAuth'), expected)
961 self.assertEqual(ssl._ASN1Object.fromname('1.3.6.1.5.5.7.3.1'),
962 expected)
Christian Heimes5398e1a2013-11-22 16:20:53 +0100[diff] [blame]963 with self.assertRaisesRegex(ValueError, "unknown object 'serverauth'"):
964 ssl._ASN1Object.fromname('serverauth')
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]965
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]966 def test_purpose_enum(self):
967 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')
968 self.assertIsInstance(ssl.Purpose.SERVER_AUTH, ssl._ASN1Object)
969 self.assertEqual(ssl.Purpose.SERVER_AUTH, val)
970 self.assertEqual(ssl.Purpose.SERVER_AUTH.nid, 129)
971 self.assertEqual(ssl.Purpose.SERVER_AUTH.shortname, 'serverAuth')
972 self.assertEqual(ssl.Purpose.SERVER_AUTH.oid,
973 '1.3.6.1.5.5.7.3.1')
974
975 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.2')
976 self.assertIsInstance(ssl.Purpose.CLIENT_AUTH, ssl._ASN1Object)
977 self.assertEqual(ssl.Purpose.CLIENT_AUTH, val)
978 self.assertEqual(ssl.Purpose.CLIENT_AUTH.nid, 130)
979 self.assertEqual(ssl.Purpose.CLIENT_AUTH.shortname, 'clientAuth')
980 self.assertEqual(ssl.Purpose.CLIENT_AUTH.oid,
981 '1.3.6.1.5.5.7.3.2')
982
Antoine Pitrou3e86ba42013-12-28 17:26:33 +0100[diff] [blame]983 def test_unsupported_dtls(self):
984 s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
985 self.addCleanup(s.close)
986 with self.assertRaises(NotImplementedError) as cx:
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]987 test_wrap_socket(s, cert_reqs=ssl.CERT_NONE)
Antoine Pitrou3e86ba42013-12-28 17:26:33 +0100[diff] [blame]988 self.assertEqual(str(cx.exception), "only stream sockets are supported")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]989 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou3e86ba42013-12-28 17:26:33 +0100[diff] [blame]990 with self.assertRaises(NotImplementedError) as cx:
991 ctx.wrap_socket(s)
992 self.assertEqual(str(cx.exception), "only stream sockets are supported")
993
Antoine Pitrouc695c952014-04-28 20:57:36 +0200[diff] [blame]994 def cert_time_ok(self, timestring, timestamp):
995 self.assertEqual(ssl.cert_time_to_seconds(timestring), timestamp)
996
997 def cert_time_fail(self, timestring):
998 with self.assertRaises(ValueError):
999 ssl.cert_time_to_seconds(timestring)
1000
1001 @unittest.skipUnless(utc_offset(),
1002 'local time needs to be different from UTC')
1003 def test_cert_time_to_seconds_timezone(self):
1004 # Issue #19940: ssl.cert_time_to_seconds() returns wrong
1005 # results if local timezone is not UTC
1006 self.cert_time_ok("May 9 00:00:00 2007 GMT", 1178668800.0)
1007 self.cert_time_ok("Jan 5 09:34:43 2018 GMT", 1515144883.0)
1008
1009 def test_cert_time_to_seconds(self):
1010 timestring = "Jan 5 09:34:43 2018 GMT"
1011 ts = 1515144883.0
1012 self.cert_time_ok(timestring, ts)
1013 # accept keyword parameter, assert its name
1014 self.assertEqual(ssl.cert_time_to_seconds(cert_time=timestring), ts)
1015 # accept both %e and %d (space or zero generated by strftime)
1016 self.cert_time_ok("Jan 05 09:34:43 2018 GMT", ts)
1017 # case-insensitive
1018 self.cert_time_ok("JaN 5 09:34:43 2018 GmT", ts)
1019 self.cert_time_fail("Jan 5 09:34 2018 GMT") # no seconds
1020 self.cert_time_fail("Jan 5 09:34:43 2018") # no GMT
1021 self.cert_time_fail("Jan 5 09:34:43 2018 UTC") # not GMT timezone
1022 self.cert_time_fail("Jan 35 09:34:43 2018 GMT") # invalid day
1023 self.cert_time_fail("Jon 5 09:34:43 2018 GMT") # invalid month
1024 self.cert_time_fail("Jan 5 24:00:00 2018 GMT") # invalid hour
1025 self.cert_time_fail("Jan 5 09:60:43 2018 GMT") # invalid minute
1026
1027 newyear_ts = 1230768000.0
1028 # leap seconds
1029 self.cert_time_ok("Dec 31 23:59:60 2008 GMT", newyear_ts)
1030 # same timestamp
1031 self.cert_time_ok("Jan 1 00:00:00 2009 GMT", newyear_ts)
1032
1033 self.cert_time_ok("Jan 5 09:34:59 2018 GMT", 1515144899)
1034 # allow 60th second (even if it is not a leap second)
1035 self.cert_time_ok("Jan 5 09:34:60 2018 GMT", 1515144900)
1036 # allow 2nd leap second for compatibility with time.strptime()
1037 self.cert_time_ok("Jan 5 09:34:61 2018 GMT", 1515144901)
1038 self.cert_time_fail("Jan 5 09:34:62 2018 GMT") # invalid seconds
1039
Mike53f7a7c2017-12-14 14:04:53 +0300[diff] [blame]1040 # no special treatment for the special value:
Antoine Pitrouc695c952014-04-28 20:57:36 +0200[diff] [blame]1041 # 99991231235959Z (rfc 5280)
1042 self.cert_time_ok("Dec 31 23:59:59 9999 GMT", 253402300799.0)
1043
1044 @support.run_with_locale('LC_ALL', '')
1045 def test_cert_time_to_seconds_locale(self):
1046 # `cert_time_to_seconds()` should be locale independent
1047
1048 def local_february_name():
1049 return time.strftime('%b', (1, 2, 3, 4, 5, 6, 0, 0, 0))
1050
1051 if local_february_name().lower() == 'feb':
1052 self.skipTest("locale-specific month name needs to be "
1053 "different from C locale")
1054
1055 # locale-independent
1056 self.cert_time_ok("Feb 9 00:00:00 2007 GMT", 1170979200.0)
1057 self.cert_time_fail(local_february_name() + " 9 00:00:00 2007 GMT")
1058
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1059 def test_connect_ex_error(self):
1060 server = socket.socket(socket.AF_INET)
1061 self.addCleanup(server.close)
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]1062 port = socket_helper.bind_port(server) # Reserve port but don't listen
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1063 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1064 cert_reqs=ssl.CERT_REQUIRED)
1065 self.addCleanup(s.close)
1066 rc = s.connect_ex((HOST, port))
1067 # Issue #19919: Windows machines or VMs hosted on Windows
1068 # machines sometimes return EWOULDBLOCK.
1069 errors = (
1070 errno.ECONNREFUSED, errno.EHOSTUNREACH, errno.ETIMEDOUT,
1071 errno.EWOULDBLOCK,
1072 )
1073 self.assertIn(rc, errors)
1074
Christian Heimes89d15502021-04-19 06:55:30 +0200[diff] [blame]1075 def test_read_write_zero(self):
1076 # empty reads and writes now work, bpo-42854, bpo-31711
1077 client_context, server_context, hostname = testing_context()
1078 server = ThreadedEchoServer(context=server_context)
1079 with server:
1080 with client_context.wrap_socket(socket.socket(),
1081 server_hostname=hostname) as s:
1082 s.connect((HOST, server.port))
1083 self.assertEqual(s.recv(0), b"")
1084 self.assertEqual(s.send(b""), 0)
1085
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]1086
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1087class ContextTests(unittest.TestCase):
1088
1089 def test_constructor(self):
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]1090 for protocol in PROTOCOLS:
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1091 with warnings_helper.check_warnings():
1092 ctx = ssl.SSLContext(protocol)
1093 self.assertEqual(ctx.protocol, protocol)
1094 with warnings_helper.check_warnings():
1095 ctx = ssl.SSLContext()
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1096 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1097 self.assertRaises(ValueError, ssl.SSLContext, -1)
1098 self.assertRaises(ValueError, ssl.SSLContext, 42)
1099
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1100 def test_ciphers(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1101 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1102 ctx.set_ciphers("ALL")
1103 ctx.set_ciphers("DEFAULT")
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1104 with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):
Antoine Pitrou30474062010-05-16 23:46:26 +0000[diff] [blame]1105 ctx.set_ciphers("^$:,;?*'dorothyx")
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1106
Christian Heimes892d66e2018-01-29 14:10:18 +0100[diff] [blame]1107 @unittest.skipUnless(PY_SSL_DEFAULT_CIPHERS == 1,
1108 "Test applies only to Python default ciphers")
1109 def test_python_ciphers(self):
1110 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1111 ciphers = ctx.get_ciphers()
1112 for suite in ciphers:
1113 name = suite['name']
1114 self.assertNotIn("PSK", name)
1115 self.assertNotIn("SRP", name)
1116 self.assertNotIn("MD5", name)
1117 self.assertNotIn("RC4", name)
1118 self.assertNotIn("3DES", name)
1119
Christian Heimes25bfcd52016-09-06 00:04:45 +0200[diff] [blame]1120 def test_get_ciphers(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1121 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesea9b2dc2016-09-06 10:45:44 +0200[diff] [blame]1122 ctx.set_ciphers('AESGCM')
Christian Heimes25bfcd52016-09-06 00:04:45 +0200[diff] [blame]1123 names = set(d['name'] for d in ctx.get_ciphers())
Christian Heimes582282b2016-09-06 11:27:25 +0200[diff] [blame]1124 self.assertIn('AES256-GCM-SHA384', names)
1125 self.assertIn('AES128-GCM-SHA256', names)
Christian Heimes25bfcd52016-09-06 00:04:45 +0200[diff] [blame]1126
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1127 def test_options(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1128 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Benjamin Petersona9dcdab2015-11-11 22:38:41 -0800[diff] [blame]1129 # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1130 default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1131 # SSLContext also enables these by default
1132 default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]1133 OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE |
Christian Heimes6f37ebc2021-04-09 17:59:21 +0200[diff] [blame]1134 OP_ENABLE_MIDDLEBOX_COMPAT |
1135 OP_IGNORE_UNEXPECTED_EOF)
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1136 self.assertEqual(default, ctx.options)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1137 with warnings_helper.check_warnings():
1138 ctx.options |= ssl.OP_NO_TLSv1
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1139 self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1140 with warnings_helper.check_warnings():
1141 ctx.options = (ctx.options & ~ssl.OP_NO_TLSv1)
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]1142 self.assertEqual(default, ctx.options)
1143 ctx.options = 0
1144 # Ubuntu has OP_NO_SSLv3 forced on by default
1145 self.assertEqual(0, ctx.options & ~ssl.OP_NO_SSLv3)
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1146
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1147 def test_verify_mode_protocol(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1148 with warnings_helper.check_warnings():
1149 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1150 # Default value
1151 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1152 ctx.verify_mode = ssl.CERT_OPTIONAL
1153 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
1154 ctx.verify_mode = ssl.CERT_REQUIRED
1155 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1156 ctx.verify_mode = ssl.CERT_NONE
1157 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1158 with self.assertRaises(TypeError):
1159 ctx.verify_mode = None
1160 with self.assertRaises(ValueError):
1161 ctx.verify_mode = 42
1162
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1163 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1164 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1165 self.assertFalse(ctx.check_hostname)
1166
1167 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1168 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1169 self.assertTrue(ctx.check_hostname)
1170
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]1171 def test_hostname_checks_common_name(self):
1172 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1173 self.assertTrue(ctx.hostname_checks_common_name)
1174 if ssl.HAS_NEVER_CHECK_COMMON_NAME:
1175 ctx.hostname_checks_common_name = True
1176 self.assertTrue(ctx.hostname_checks_common_name)
1177 ctx.hostname_checks_common_name = False
1178 self.assertFalse(ctx.hostname_checks_common_name)
1179 ctx.hostname_checks_common_name = True
1180 self.assertTrue(ctx.hostname_checks_common_name)
1181 else:
1182 with self.assertRaises(AttributeError):
1183 ctx.hostname_checks_common_name = True
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1184
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1185 @ignore_deprecation
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1186 def test_min_max_version(self):
1187 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Christian Heimes34de2d32019-01-18 16:09:30 +0100[diff] [blame]1188 # OpenSSL default is MINIMUM_SUPPORTED, however some vendors like
1189 # Fedora override the setting to TLS 1.0.
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1190 minimum_range = {
1191 # stock OpenSSL
1192 ssl.TLSVersion.MINIMUM_SUPPORTED,
1193 # Fedora 29 uses TLS 1.0 by default
1194 ssl.TLSVersion.TLSv1,
1195 # RHEL 8 uses TLS 1.2 by default
1196 ssl.TLSVersion.TLSv1_2
1197 }
torsava34864d12019-12-02 17:15:42 +0100[diff] [blame]1198 maximum_range = {
1199 # stock OpenSSL
1200 ssl.TLSVersion.MAXIMUM_SUPPORTED,
1201 # Fedora 32 uses TLS 1.3 by default
1202 ssl.TLSVersion.TLSv1_3
1203 }
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1204
Christian Heimes34de2d32019-01-18 16:09:30 +0100[diff] [blame]1205 self.assertIn(
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1206 ctx.minimum_version, minimum_range
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1207 )
torsava34864d12019-12-02 17:15:42 +0100[diff] [blame]1208 self.assertIn(
1209 ctx.maximum_version, maximum_range
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1210 )
1211
1212 ctx.minimum_version = ssl.TLSVersion.TLSv1_1
1213 ctx.maximum_version = ssl.TLSVersion.TLSv1_2
1214 self.assertEqual(
1215 ctx.minimum_version, ssl.TLSVersion.TLSv1_1
1216 )
1217 self.assertEqual(
1218 ctx.maximum_version, ssl.TLSVersion.TLSv1_2
1219 )
1220
1221 ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
1222 ctx.maximum_version = ssl.TLSVersion.TLSv1
1223 self.assertEqual(
1224 ctx.minimum_version, ssl.TLSVersion.MINIMUM_SUPPORTED
1225 )
1226 self.assertEqual(
1227 ctx.maximum_version, ssl.TLSVersion.TLSv1
1228 )
1229
1230 ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
1231 self.assertEqual(
1232 ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
1233 )
1234
1235 ctx.maximum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
1236 self.assertIn(
1237 ctx.maximum_version,
1238 {ssl.TLSVersion.TLSv1, ssl.TLSVersion.SSLv3}
1239 )
1240
1241 ctx.minimum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
1242 self.assertIn(
1243 ctx.minimum_version,
1244 {ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3}
1245 )
1246
1247 with self.assertRaises(ValueError):
1248 ctx.minimum_version = 42
1249
1250 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_1)
1251
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1252 self.assertIn(
1253 ctx.minimum_version, minimum_range
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1254 )
1255 self.assertEqual(
1256 ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
1257 )
1258 with self.assertRaises(ValueError):
1259 ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
1260 with self.assertRaises(ValueError):
1261 ctx.maximum_version = ssl.TLSVersion.TLSv1
1262
1263
matthewhughes9348e836bb2020-07-17 09:59:15 +0100[diff] [blame]1264 @unittest.skipUnless(
1265 hasattr(ssl.SSLContext, 'security_level'),
1266 "requires OpenSSL >= 1.1.0"
1267 )
1268 def test_security_level(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1269 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
matthewhughes9348e836bb2020-07-17 09:59:15 +0100[diff] [blame]1270 # The default security callback allows for levels between 0-5
1271 # with OpenSSL defaulting to 1, however some vendors override the
1272 # default value (e.g. Debian defaults to 2)
1273 security_level_range = {
1274 0,
1275 1, # OpenSSL default
1276 2, # Debian
1277 3,
1278 4,
1279 5,
1280 }
1281 self.assertIn(ctx.security_level, security_level_range)
1282
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]1283 def test_verify_flags(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1284 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Benjamin Peterson990fcaa2015-03-04 22:49:41 -0500[diff] [blame]1285 # default value
1286 tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
1287 self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT | tf)
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]1288 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
1289 self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF)
1290 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN
1291 self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_CHAIN)
1292 ctx.verify_flags = ssl.VERIFY_DEFAULT
1293 self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT)
Chris Burre0b4aa02021-03-18 09:24:01 +0100[diff] [blame]1294 ctx.verify_flags = ssl.VERIFY_ALLOW_PROXY_CERTS
1295 self.assertEqual(ctx.verify_flags, ssl.VERIFY_ALLOW_PROXY_CERTS)
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]1296 # supports any value
1297 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT
1298 self.assertEqual(ctx.verify_flags,
1299 ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT)
1300 with self.assertRaises(TypeError):
1301 ctx.verify_flags = None
1302
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1303 def test_load_cert_chain(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1304 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1305 # Combined key and cert in a single file
Benjamin Peterson1ea070e2014-11-03 21:05:01 -0500[diff] [blame]1306 ctx.load_cert_chain(CERTFILE, keyfile=None)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1307 ctx.load_cert_chain(CERTFILE, keyfile=CERTFILE)
1308 self.assertRaises(TypeError, ctx.load_cert_chain, keyfile=CERTFILE)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]1309 with self.assertRaises(OSError) as cm:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]1310 ctx.load_cert_chain(NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]1311 self.assertEqual(cm.exception.errno, errno.ENOENT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1312 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1313 ctx.load_cert_chain(BADCERT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1314 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1315 ctx.load_cert_chain(EMPTYCERT)
1316 # Separate key and cert
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1317 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1318 ctx.load_cert_chain(ONLYCERT, ONLYKEY)
1319 ctx.load_cert_chain(certfile=ONLYCERT, keyfile=ONLYKEY)
1320 ctx.load_cert_chain(certfile=BYTES_ONLYCERT, keyfile=BYTES_ONLYKEY)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1321 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1322 ctx.load_cert_chain(ONLYCERT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1323 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1324 ctx.load_cert_chain(ONLYKEY)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1325 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1326 ctx.load_cert_chain(certfile=ONLYKEY, keyfile=ONLYCERT)
1327 # Mismatching key and cert
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1328 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1329 with self.assertRaisesRegex(ssl.SSLError, "key values mismatch"):
Martin Panter3d81d932016-01-14 09:36:00 +0000[diff] [blame]1330 ctx.load_cert_chain(CAFILE_CACERT, ONLYKEY)
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]1331 # Password protected key and cert
1332 ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD)
1333 ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD.encode())
1334 ctx.load_cert_chain(CERTFILE_PROTECTED,
1335 password=bytearray(KEY_PASSWORD.encode()))
1336 ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED, KEY_PASSWORD)
1337 ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED, KEY_PASSWORD.encode())
1338 ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED,
1339 bytearray(KEY_PASSWORD.encode()))
1340 with self.assertRaisesRegex(TypeError, "should be a string"):
1341 ctx.load_cert_chain(CERTFILE_PROTECTED, password=True)
1342 with self.assertRaises(ssl.SSLError):
1343 ctx.load_cert_chain(CERTFILE_PROTECTED, password="badpass")
1344 with self.assertRaisesRegex(ValueError, "cannot be longer"):
1345 # openssl has a fixed limit on the password buffer.
1346 # PEM_BUFSIZE is generally set to 1kb.
1347 # Return a string larger than this.
1348 ctx.load_cert_chain(CERTFILE_PROTECTED, password=b'a' * 102400)
1349 # Password callback
1350 def getpass_unicode():
1351 return KEY_PASSWORD
1352 def getpass_bytes():
1353 return KEY_PASSWORD.encode()
1354 def getpass_bytearray():
1355 return bytearray(KEY_PASSWORD.encode())
1356 def getpass_badpass():
1357 return "badpass"
1358 def getpass_huge():
1359 return b'a' * (1024 * 1024)
1360 def getpass_bad_type():
1361 return 9
1362 def getpass_exception():
1363 raise Exception('getpass error')
1364 class GetPassCallable:
1365 def __call__(self):
1366 return KEY_PASSWORD
1367 def getpass(self):
1368 return KEY_PASSWORD
1369 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_unicode)
1370 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bytes)
1371 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bytearray)
1372 ctx.load_cert_chain(CERTFILE_PROTECTED, password=GetPassCallable())
1373 ctx.load_cert_chain(CERTFILE_PROTECTED,
1374 password=GetPassCallable().getpass)
1375 with self.assertRaises(ssl.SSLError):
1376 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_badpass)
1377 with self.assertRaisesRegex(ValueError, "cannot be longer"):
1378 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_huge)
1379 with self.assertRaisesRegex(TypeError, "must return a string"):
1380 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bad_type)
1381 with self.assertRaisesRegex(Exception, "getpass error"):
1382 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_exception)
1383 # Make sure the password function isn't called if it isn't needed
1384 ctx.load_cert_chain(CERTFILE, password=getpass_exception)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1385
1386 def test_load_verify_locations(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1387 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1388 ctx.load_verify_locations(CERTFILE)
1389 ctx.load_verify_locations(cafile=CERTFILE, capath=None)
1390 ctx.load_verify_locations(BYTES_CERTFILE)
1391 ctx.load_verify_locations(cafile=BYTES_CERTFILE, capath=None)
1392 self.assertRaises(TypeError, ctx.load_verify_locations)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1393 self.assertRaises(TypeError, ctx.load_verify_locations, None, None, None)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]1394 with self.assertRaises(OSError) as cm:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]1395 ctx.load_verify_locations(NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]1396 self.assertEqual(cm.exception.errno, errno.ENOENT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1397 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1398 ctx.load_verify_locations(BADCERT)
1399 ctx.load_verify_locations(CERTFILE, CAPATH)
1400 ctx.load_verify_locations(CERTFILE, capath=BYTES_CAPATH)
1401
Victor Stinner80f75e62011-01-29 11:31:20 +0000[diff] [blame]1402 # Issue #10989: crash if the second argument type is invalid
1403 self.assertRaises(TypeError, ctx.load_verify_locations, None, True)
1404
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1405 def test_load_verify_cadata(self):
1406 # test cadata
1407 with open(CAFILE_CACERT) as f:
1408 cacert_pem = f.read()
1409 cacert_der = ssl.PEM_cert_to_DER_cert(cacert_pem)
1410 with open(CAFILE_NEURONIO) as f:
1411 neuronio_pem = f.read()
1412 neuronio_der = ssl.PEM_cert_to_DER_cert(neuronio_pem)
1413
1414 # test PEM
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1415 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1416 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 0)
1417 ctx.load_verify_locations(cadata=cacert_pem)
1418 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 1)
1419 ctx.load_verify_locations(cadata=neuronio_pem)
1420 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1421 # cert already in hash table
1422 ctx.load_verify_locations(cadata=neuronio_pem)
1423 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1424
1425 # combined
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1426 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1427 combined = "\n".join((cacert_pem, neuronio_pem))
1428 ctx.load_verify_locations(cadata=combined)
1429 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1430
1431 # with junk around the certs
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1432 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1433 combined = ["head", cacert_pem, "other", neuronio_pem, "again",
1434 neuronio_pem, "tail"]
1435 ctx.load_verify_locations(cadata="\n".join(combined))
1436 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1437
1438 # test DER
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1439 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1440 ctx.load_verify_locations(cadata=cacert_der)
1441 ctx.load_verify_locations(cadata=neuronio_der)
1442 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1443 # cert already in hash table
1444 ctx.load_verify_locations(cadata=cacert_der)
1445 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1446
1447 # combined
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1448 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1449 combined = b"".join((cacert_der, neuronio_der))
1450 ctx.load_verify_locations(cadata=combined)
1451 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1452
1453 # error cases
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1454 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1455 self.assertRaises(TypeError, ctx.load_verify_locations, cadata=object)
1456
Christian Heimesb9ad88b2021-04-23 13:51:40 +0200[diff] [blame]1457 with self.assertRaisesRegex(
1458 ssl.SSLError,
1459 "no start line: cadata does not contain a certificate"
1460 ):
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1461 ctx.load_verify_locations(cadata="broken")
Christian Heimesb9ad88b2021-04-23 13:51:40 +0200[diff] [blame]1462 with self.assertRaisesRegex(
1463 ssl.SSLError,
1464 "not enough data: cadata does not contain a certificate"
1465 ):
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1466 ctx.load_verify_locations(cadata=b"broken")
1467
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]1468 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1469 def test_load_dh_params(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1470 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1471 ctx.load_dh_params(DHFILE)
1472 if os.name != 'nt':
1473 ctx.load_dh_params(BYTES_DHFILE)
1474 self.assertRaises(TypeError, ctx.load_dh_params)
1475 self.assertRaises(TypeError, ctx.load_dh_params, None)
1476 with self.assertRaises(FileNotFoundError) as cm:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]1477 ctx.load_dh_params(NONEXISTINGCERT)
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1478 self.assertEqual(cm.exception.errno, errno.ENOENT)
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1479 with self.assertRaises(ssl.SSLError) as cm:
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1480 ctx.load_dh_params(CERTFILE)
1481
Antoine Pitroub0182c82010-10-12 20:09:02 +0000[diff] [blame]1482 def test_session_stats(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1483 for proto in {ssl.PROTOCOL_TLS_CLIENT, ssl.PROTOCOL_TLS_SERVER}:
Antoine Pitroub0182c82010-10-12 20:09:02 +0000[diff] [blame]1484 ctx = ssl.SSLContext(proto)
1485 self.assertEqual(ctx.session_stats(), {
1486 'number': 0,
1487 'connect': 0,
1488 'connect_good': 0,
1489 'connect_renegotiate': 0,
1490 'accept': 0,
1491 'accept_good': 0,
1492 'accept_renegotiate': 0,
1493 'hits': 0,
1494 'misses': 0,
1495 'timeouts': 0,
1496 'cache_full': 0,
1497 })
1498
Antoine Pitrou664c2d12010-11-17 20:29:42 +0000[diff] [blame]1499 def test_set_default_verify_paths(self):
1500 # There's not much we can do to test that it acts as expected,
1501 # so just check it doesn't crash or raise an exception.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1502 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou664c2d12010-11-17 20:29:42 +0000[diff] [blame]1503 ctx.set_default_verify_paths()
1504
Antoine Pitrou501da612011-12-21 09:27:41 +0100[diff] [blame]1505 @unittest.skipUnless(ssl.HAS_ECDH, "ECDH disabled on this OpenSSL build")
Antoine Pitrou923df6f2011-12-19 17:16:51 +0100[diff] [blame]1506 def test_set_ecdh_curve(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1507 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou923df6f2011-12-19 17:16:51 +0100[diff] [blame]1508 ctx.set_ecdh_curve("prime256v1")
1509 ctx.set_ecdh_curve(b"prime256v1")
1510 self.assertRaises(TypeError, ctx.set_ecdh_curve)
1511 self.assertRaises(TypeError, ctx.set_ecdh_curve, None)
1512 self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo")
1513 self.assertRaises(ValueError, ctx.set_ecdh_curve, b"foo")
1514
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1515 def test_sni_callback(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1516 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1517
1518 # set_servername_callback expects a callable, or None
1519 self.assertRaises(TypeError, ctx.set_servername_callback)
1520 self.assertRaises(TypeError, ctx.set_servername_callback, 4)
1521 self.assertRaises(TypeError, ctx.set_servername_callback, "")
1522 self.assertRaises(TypeError, ctx.set_servername_callback, ctx)
1523
1524 def dummycallback(sock, servername, ctx):
1525 pass
1526 ctx.set_servername_callback(None)
1527 ctx.set_servername_callback(dummycallback)
1528
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1529 def test_sni_callback_refcycle(self):
1530 # Reference cycles through the servername callback are detected
1531 # and cleared.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1532 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1533 def dummycallback(sock, servername, ctx, cycle=ctx):
1534 pass
1535 ctx.set_servername_callback(dummycallback)
1536 wr = weakref.ref(ctx)
1537 del ctx, dummycallback
1538 gc.collect()
1539 self.assertIs(wr(), None)
1540
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1541 def test_cert_store_stats(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1542 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1543 self.assertEqual(ctx.cert_store_stats(),
1544 {'x509_ca': 0, 'crl': 0, 'x509': 0})
1545 ctx.load_cert_chain(CERTFILE)
1546 self.assertEqual(ctx.cert_store_stats(),
1547 {'x509_ca': 0, 'crl': 0, 'x509': 0})
1548 ctx.load_verify_locations(CERTFILE)
1549 self.assertEqual(ctx.cert_store_stats(),
1550 {'x509_ca': 0, 'crl': 0, 'x509': 1})
Martin Panterb55f8b72016-01-14 12:53:56 +0000[diff] [blame]1551 ctx.load_verify_locations(CAFILE_CACERT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1552 self.assertEqual(ctx.cert_store_stats(),
1553 {'x509_ca': 1, 'crl': 0, 'x509': 2})
1554
1555 def test_get_ca_certs(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1556 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1557 self.assertEqual(ctx.get_ca_certs(), [])
1558 # CERTFILE is not flagged as X509v3 Basic Constraints: CA:TRUE
1559 ctx.load_verify_locations(CERTFILE)
1560 self.assertEqual(ctx.get_ca_certs(), [])
Martin Panterb55f8b72016-01-14 12:53:56 +0000[diff] [blame]1561 # but CAFILE_CACERT is a CA cert
1562 ctx.load_verify_locations(CAFILE_CACERT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1563 self.assertEqual(ctx.get_ca_certs(),
1564 [{'issuer': ((('organizationName', 'Root CA'),),
1565 (('organizationalUnitName', 'http://www.cacert.org'),),
1566 (('commonName', 'CA Cert Signing Authority'),),
1567 (('emailAddress', 'support@cacert.org'),)),
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]1568 'notAfter': 'Mar 29 12:29:49 2033 GMT',
1569 'notBefore': 'Mar 30 12:29:49 2003 GMT',
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1570 'serialNumber': '00',
Christian Heimesbd3a7f92013-11-21 03:40:15 +0100[diff] [blame]1571 'crlDistributionPoints': ('https://www.cacert.org/revoke.crl',),
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1572 'subject': ((('organizationName', 'Root CA'),),
1573 (('organizationalUnitName', 'http://www.cacert.org'),),
1574 (('commonName', 'CA Cert Signing Authority'),),
1575 (('emailAddress', 'support@cacert.org'),)),
1576 'version': 3}])
1577
Martin Panterb55f8b72016-01-14 12:53:56 +0000[diff] [blame]1578 with open(CAFILE_CACERT) as f:
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1579 pem = f.read()
1580 der = ssl.PEM_cert_to_DER_cert(pem)
1581 self.assertEqual(ctx.get_ca_certs(True), [der])
1582
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1583 def test_load_default_certs(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1584 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1585 ctx.load_default_certs()
1586
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1587 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1588 ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
1589 ctx.load_default_certs()
1590
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1591 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1592 ctx.load_default_certs(ssl.Purpose.CLIENT_AUTH)
1593
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1594 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1595 self.assertRaises(TypeError, ctx.load_default_certs, None)
1596 self.assertRaises(TypeError, ctx.load_default_certs, 'SERVER_AUTH')
1597
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1598 @unittest.skipIf(sys.platform == "win32", "not-Windows specific")
Benjamin Peterson5915b0f2014-10-03 17:27:05 -0400[diff] [blame]1599 def test_load_default_certs_env(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1600 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]1601 with os_helper.EnvironmentVarGuard() as env:
Benjamin Peterson5915b0f2014-10-03 17:27:05 -0400[diff] [blame]1602 env["SSL_CERT_DIR"] = CAPATH
1603 env["SSL_CERT_FILE"] = CERTFILE
1604 ctx.load_default_certs()
1605 self.assertEqual(ctx.cert_store_stats(), {"crl": 0, "x509": 1, "x509_ca": 0})
1606
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1607 @unittest.skipUnless(sys.platform == "win32", "Windows specific")
Steve Dower68d663c2017-07-17 11:15:48 +0200[diff] [blame]1608 @unittest.skipIf(hasattr(sys, "gettotalrefcount"), "Debug build does not share environment between CRTs")
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1609 def test_load_default_certs_env_windows(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1610 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1611 ctx.load_default_certs()
1612 stats = ctx.cert_store_stats()
1613
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1614 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]1615 with os_helper.EnvironmentVarGuard() as env:
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1616 env["SSL_CERT_DIR"] = CAPATH
1617 env["SSL_CERT_FILE"] = CERTFILE
1618 ctx.load_default_certs()
1619 stats["x509"] += 1
1620 self.assertEqual(ctx.cert_store_stats(), stats)
1621
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1622 def _assert_context_options(self, ctx):
1623 self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
1624 if OP_NO_COMPRESSION != 0:
1625 self.assertEqual(ctx.options & OP_NO_COMPRESSION,
1626 OP_NO_COMPRESSION)
1627 if OP_SINGLE_DH_USE != 0:
1628 self.assertEqual(ctx.options & OP_SINGLE_DH_USE,
1629 OP_SINGLE_DH_USE)
1630 if OP_SINGLE_ECDH_USE != 0:
1631 self.assertEqual(ctx.options & OP_SINGLE_ECDH_USE,
1632 OP_SINGLE_ECDH_USE)
1633 if OP_CIPHER_SERVER_PREFERENCE != 0:
1634 self.assertEqual(ctx.options & OP_CIPHER_SERVER_PREFERENCE,
1635 OP_CIPHER_SERVER_PREFERENCE)
1636
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1637 def test_create_default_context(self):
1638 ctx = ssl.create_default_context()
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1639
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1640 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1641 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1642 self.assertTrue(ctx.check_hostname)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1643 self._assert_context_options(ctx)
1644
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1645 with open(SIGNING_CA) as f:
1646 cadata = f.read()
1647 ctx = ssl.create_default_context(cafile=SIGNING_CA, capath=CAPATH,
1648 cadata=cadata)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1649 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1650 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1651 self._assert_context_options(ctx)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1652
1653 ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1654 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_SERVER)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1655 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1656 self._assert_context_options(ctx)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1657
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1658
1659
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1660 def test__create_stdlib_context(self):
1661 ctx = ssl._create_stdlib_context()
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1662 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1663 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1664 self.assertFalse(ctx.check_hostname)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1665 self._assert_context_options(ctx)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1666
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1667 with warnings_helper.check_warnings():
1668 ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1669 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
1670 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1671 self._assert_context_options(ctx)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1672
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1673 with warnings_helper.check_warnings():
1674 ctx = ssl._create_stdlib_context(
1675 ssl.PROTOCOL_TLSv1_2,
1676 cert_reqs=ssl.CERT_REQUIRED,
1677 check_hostname=True
1678 )
1679 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1_2)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1680 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimesa02c69a2013-12-02 20:59:28 +0100[diff] [blame]1681 self.assertTrue(ctx.check_hostname)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1682 self._assert_context_options(ctx)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1683
1684 ctx = ssl._create_stdlib_context(purpose=ssl.Purpose.CLIENT_AUTH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1685 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_SERVER)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1686 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1687 self._assert_context_options(ctx)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1688
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1689 def test_check_hostname(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1690 with warnings_helper.check_warnings():
1691 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1692 self.assertFalse(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1693 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1694
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1695 # Auto set CERT_REQUIRED
1696 ctx.check_hostname = True
1697 self.assertTrue(ctx.check_hostname)
1698 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1699 ctx.check_hostname = False
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1700 ctx.verify_mode = ssl.CERT_REQUIRED
1701 self.assertFalse(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1702 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1703
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1704 # Changing verify_mode does not affect check_hostname
1705 ctx.check_hostname = False
1706 ctx.verify_mode = ssl.CERT_NONE
1707 ctx.check_hostname = False
1708 self.assertFalse(ctx.check_hostname)
1709 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1710 # Auto set
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1711 ctx.check_hostname = True
1712 self.assertTrue(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1713 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1714
1715 ctx.check_hostname = False
1716 ctx.verify_mode = ssl.CERT_OPTIONAL
1717 ctx.check_hostname = False
1718 self.assertFalse(ctx.check_hostname)
1719 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
1720 # keep CERT_OPTIONAL
1721 ctx.check_hostname = True
1722 self.assertTrue(ctx.check_hostname)
1723 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1724
1725 # Cannot set CERT_NONE with check_hostname enabled
1726 with self.assertRaises(ValueError):
1727 ctx.verify_mode = ssl.CERT_NONE
1728 ctx.check_hostname = False
1729 self.assertFalse(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1730 ctx.verify_mode = ssl.CERT_NONE
1731 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1732
Christian Heimes5fe668c2016-09-12 00:01:11 +0200[diff] [blame]1733 def test_context_client_server(self):
1734 # PROTOCOL_TLS_CLIENT has sane defaults
1735 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1736 self.assertTrue(ctx.check_hostname)
1737 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1738
1739 # PROTOCOL_TLS_SERVER has different but also sane defaults
1740 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1741 self.assertFalse(ctx.check_hostname)
1742 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1743
Christian Heimes4df60f12017-09-15 20:26:05 +0200[diff] [blame]1744 def test_context_custom_class(self):
1745 class MySSLSocket(ssl.SSLSocket):
1746 pass
1747
1748 class MySSLObject(ssl.SSLObject):
1749 pass
1750
1751 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1752 ctx.sslsocket_class = MySSLSocket
1753 ctx.sslobject_class = MySSLObject
1754
1755 with ctx.wrap_socket(socket.socket(), server_side=True) as sock:
1756 self.assertIsInstance(sock, MySSLSocket)
1757 obj = ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO())
1758 self.assertIsInstance(obj, MySSLObject)
1759
Christian Heimes78c7d522019-06-03 21:00:10 +0200[diff] [blame]1760 def test_num_tickest(self):
1761 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1762 self.assertEqual(ctx.num_tickets, 2)
1763 ctx.num_tickets = 1
1764 self.assertEqual(ctx.num_tickets, 1)
1765 ctx.num_tickets = 0
1766 self.assertEqual(ctx.num_tickets, 0)
1767 with self.assertRaises(ValueError):
1768 ctx.num_tickets = -1
1769 with self.assertRaises(TypeError):
1770 ctx.num_tickets = None
1771
1772 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1773 self.assertEqual(ctx.num_tickets, 2)
1774 with self.assertRaises(ValueError):
1775 ctx.num_tickets = 1
1776
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1777
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1778class SSLErrorTests(unittest.TestCase):
1779
1780 def test_str(self):
1781 # The str() of a SSLError doesn't include the errno
1782 e = ssl.SSLError(1, "foo")
1783 self.assertEqual(str(e), "foo")
1784 self.assertEqual(e.errno, 1)
1785 # Same for a subclass
1786 e = ssl.SSLZeroReturnError(1, "foo")
1787 self.assertEqual(str(e), "foo")
1788 self.assertEqual(e.errno, 1)
1789
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]1790 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1791 def test_lib_reason(self):
1792 # Test the library and reason attributes
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1793 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1794 with self.assertRaises(ssl.SSLError) as cm:
1795 ctx.load_dh_params(CERTFILE)
1796 self.assertEqual(cm.exception.library, 'PEM')
1797 self.assertEqual(cm.exception.reason, 'NO_START_LINE')
1798 s = str(cm.exception)
1799 self.assertTrue(s.startswith("[PEM: NO_START_LINE] no start line"), s)
1800
1801 def test_subclass(self):
1802 # Check that the appropriate SSLError subclass is raised
1803 # (this only tests one of them)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1804 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1805 ctx.check_hostname = False
1806 ctx.verify_mode = ssl.CERT_NONE
Giampaolo Rodolaeb7e29f2019-04-09 00:34:02 +0200[diff] [blame]1807 with socket.create_server(("127.0.0.1", 0)) as s:
1808 c = socket.create_connection(s.getsockname())
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]1809 c.setblocking(False)
1810 with ctx.wrap_socket(c, False, do_handshake_on_connect=False) as c:
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1811 with self.assertRaises(ssl.SSLWantReadError) as cm:
1812 c.do_handshake()
1813 s = str(cm.exception)
1814 self.assertTrue(s.startswith("The operation did not complete (read)"), s)
1815 # For compatibility
1816 self.assertEqual(cm.exception.errno, ssl.SSL_ERROR_WANT_READ)
1817
1818
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]1819 def test_bad_server_hostname(self):
1820 ctx = ssl.create_default_context()
1821 with self.assertRaises(ValueError):
1822 ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
1823 server_hostname="")
1824 with self.assertRaises(ValueError):
1825 ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
1826 server_hostname=".example.org")
Christian Heimesd02ac252018-03-25 12:36:13 +0200[diff] [blame]1827 with self.assertRaises(TypeError):
1828 ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
1829 server_hostname="example.org\x00evil.com")
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]1830
1831
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]1832class MemoryBIOTests(unittest.TestCase):
1833
1834 def test_read_write(self):
1835 bio = ssl.MemoryBIO()
1836 bio.write(b'foo')
1837 self.assertEqual(bio.read(), b'foo')
1838 self.assertEqual(bio.read(), b'')
1839 bio.write(b'foo')
1840 bio.write(b'bar')
1841 self.assertEqual(bio.read(), b'foobar')
1842 self.assertEqual(bio.read(), b'')
1843 bio.write(b'baz')
1844 self.assertEqual(bio.read(2), b'ba')
1845 self.assertEqual(bio.read(1), b'z')
1846 self.assertEqual(bio.read(1), b'')
1847
1848 def test_eof(self):
1849 bio = ssl.MemoryBIO()
1850 self.assertFalse(bio.eof)
1851 self.assertEqual(bio.read(), b'')
1852 self.assertFalse(bio.eof)
1853 bio.write(b'foo')
1854 self.assertFalse(bio.eof)
1855 bio.write_eof()
1856 self.assertFalse(bio.eof)
1857 self.assertEqual(bio.read(2), b'fo')
1858 self.assertFalse(bio.eof)
1859 self.assertEqual(bio.read(1), b'o')
1860 self.assertTrue(bio.eof)
1861 self.assertEqual(bio.read(), b'')
1862 self.assertTrue(bio.eof)
1863
1864 def test_pending(self):
1865 bio = ssl.MemoryBIO()
1866 self.assertEqual(bio.pending, 0)
1867 bio.write(b'foo')
1868 self.assertEqual(bio.pending, 3)
1869 for i in range(3):
1870 bio.read(1)
1871 self.assertEqual(bio.pending, 3-i-1)
1872 for i in range(3):
1873 bio.write(b'x')
1874 self.assertEqual(bio.pending, i+1)
1875 bio.read()
1876 self.assertEqual(bio.pending, 0)
1877
1878 def test_buffer_types(self):
1879 bio = ssl.MemoryBIO()
1880 bio.write(b'foo')
1881 self.assertEqual(bio.read(), b'foo')
1882 bio.write(bytearray(b'bar'))
1883 self.assertEqual(bio.read(), b'bar')
1884 bio.write(memoryview(b'baz'))
1885 self.assertEqual(bio.read(), b'baz')
1886
1887 def test_error_types(self):
1888 bio = ssl.MemoryBIO()
1889 self.assertRaises(TypeError, bio.write, 'foo')
1890 self.assertRaises(TypeError, bio.write, None)
1891 self.assertRaises(TypeError, bio.write, True)
1892 self.assertRaises(TypeError, bio.write, 1)
1893
1894
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]1895class SSLObjectTests(unittest.TestCase):
1896 def test_private_init(self):
1897 bio = ssl.MemoryBIO()
1898 with self.assertRaisesRegex(TypeError, "public constructor"):
1899 ssl.SSLObject(bio, bio)
1900
Nathaniel J. Smithc0da5822018-09-21 21:44:12 -0700[diff] [blame]1901 def test_unwrap(self):
1902 client_ctx, server_ctx, hostname = testing_context()
1903 c_in = ssl.MemoryBIO()
1904 c_out = ssl.MemoryBIO()
1905 s_in = ssl.MemoryBIO()
1906 s_out = ssl.MemoryBIO()
1907 client = client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname)
1908 server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
1909
1910 # Loop on the handshake for a bit to get it settled
1911 for _ in range(5):
1912 try:
1913 client.do_handshake()
1914 except ssl.SSLWantReadError:
1915 pass
1916 if c_out.pending:
1917 s_in.write(c_out.read())
1918 try:
1919 server.do_handshake()
1920 except ssl.SSLWantReadError:
1921 pass
1922 if s_out.pending:
1923 c_in.write(s_out.read())
1924 # Now the handshakes should be complete (don't raise WantReadError)
1925 client.do_handshake()
1926 server.do_handshake()
1927
1928 # Now if we unwrap one side unilaterally, it should send close-notify
1929 # and raise WantReadError:
1930 with self.assertRaises(ssl.SSLWantReadError):
1931 client.unwrap()
1932
1933 # But server.unwrap() does not raise, because it reads the client's
1934 # close-notify:
1935 s_in.write(c_out.read())
1936 server.unwrap()
1937
1938 # And now that the client gets the server's close-notify, it doesn't
1939 # raise either.
1940 c_in.write(s_out.read())
1941 client.unwrap()
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]1942
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1943class SimpleBackgroundTests(unittest.TestCase):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1944 """Tests that connect to a simple server running in the background"""
1945
1946 def setUp(self):
juhovh49fdf112021-04-18 21:11:48 +1000[diff] [blame]1947 self.server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1948 self.server_context.load_cert_chain(SIGNED_CERTFILE)
1949 server = ThreadedEchoServer(context=self.server_context)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1950 self.server_addr = (HOST, server.port)
1951 server.__enter__()
1952 self.addCleanup(server.__exit__, None, None, None)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1953
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1954 def test_connect(self):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1955 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1956 cert_reqs=ssl.CERT_NONE) as s:
1957 s.connect(self.server_addr)
1958 self.assertEqual({}, s.getpeercert())
Christian Heimesa5d07652016-09-24 10:48:05 +0200[diff] [blame]1959 self.assertFalse(s.server_side)
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]1960
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1961 # this should succeed because we specify the root cert
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1962 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1963 cert_reqs=ssl.CERT_REQUIRED,
1964 ca_certs=SIGNING_CA) as s:
1965 s.connect(self.server_addr)
1966 self.assertTrue(s.getpeercert())
Christian Heimesa5d07652016-09-24 10:48:05 +0200[diff] [blame]1967 self.assertFalse(s.server_side)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1968
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1969 def test_connect_fail(self):
1970 # This should fail because we have no verification certs. Connection
1971 # failure crashes ThreadedEchoServer, so run this in an independent
1972 # test method.
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1973 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1974 cert_reqs=ssl.CERT_REQUIRED)
1975 self.addCleanup(s.close)
1976 self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
1977 s.connect, self.server_addr)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1978
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]1979 def test_connect_ex(self):
1980 # Issue #11326: check connect_ex() implementation
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1981 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1982 cert_reqs=ssl.CERT_REQUIRED,
1983 ca_certs=SIGNING_CA)
1984 self.addCleanup(s.close)
1985 self.assertEqual(0, s.connect_ex(self.server_addr))
1986 self.assertTrue(s.getpeercert())
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]1987
1988 def test_non_blocking_connect_ex(self):
1989 # Issue #11326: non-blocking connect_ex() should allow handshake
1990 # to proceed after the socket gets ready.
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1991 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1992 cert_reqs=ssl.CERT_REQUIRED,
1993 ca_certs=SIGNING_CA,
1994 do_handshake_on_connect=False)
1995 self.addCleanup(s.close)
1996 s.setblocking(False)
1997 rc = s.connect_ex(self.server_addr)
1998 # EWOULDBLOCK under Windows, EINPROGRESS elsewhere
1999 self.assertIn(rc, (0, errno.EINPROGRESS, errno.EWOULDBLOCK))
2000 # Wait for connect to finish
2001 select.select([], [s], [], 5.0)
2002 # Non-blocking handshake
2003 while True:
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]2004 try:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2005 s.do_handshake()
2006 break
2007 except ssl.SSLWantReadError:
2008 select.select([s], [], [], 5.0)
2009 except ssl.SSLWantWriteError:
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]2010 select.select([], [s], [], 5.0)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2011 # SSL established
2012 self.assertTrue(s.getpeercert())
Antoine Pitrou40f12ab2012-12-28 19:03:43 +0100[diff] [blame]2013
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2014 def test_connect_with_context(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2015 # Same as test_connect, but with a separately created context
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2016 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2017 ctx.check_hostname = False
2018 ctx.verify_mode = ssl.CERT_NONE
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2019 with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:
2020 s.connect(self.server_addr)
2021 self.assertEqual({}, s.getpeercert())
2022 # Same with a server hostname
2023 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2024 server_hostname="dummy") as s:
2025 s.connect(self.server_addr)
2026 ctx.verify_mode = ssl.CERT_REQUIRED
2027 # This should succeed because we specify the root cert
2028 ctx.load_verify_locations(SIGNING_CA)
2029 with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:
2030 s.connect(self.server_addr)
2031 cert = s.getpeercert()
2032 self.assertTrue(cert)
2033
2034 def test_connect_with_context_fail(self):
2035 # This should fail because we have no verification certs. Connection
2036 # failure crashes ThreadedEchoServer, so run this in an independent
2037 # test method.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2038 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2039 s = ctx.wrap_socket(
2040 socket.socket(socket.AF_INET),
2041 server_hostname=SIGNED_CERTFILE_HOSTNAME
2042 )
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2043 self.addCleanup(s.close)
2044 self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
2045 s.connect, self.server_addr)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2046
2047 def test_connect_capath(self):
2048 # Verify server certificates using the `capath` argument
Antoine Pitrou467f28d2010-05-16 19:22:44 +0000[diff] [blame]2049 # NOTE: the subject hashing algorithm has been changed between
2050 # OpenSSL 0.9.8n and 1.0.0, as a result the capath directory must
2051 # contain both versions of each certificate (same content, different
Antoine Pitroud7e4c1c2010-05-17 14:13:10 +0000[diff] [blame]2052 # filename) for this test to be portable across OpenSSL releases.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2053 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2054 ctx.load_verify_locations(capath=CAPATH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2055 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2056 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2057 s.connect(self.server_addr)
2058 cert = s.getpeercert()
2059 self.assertTrue(cert)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2060
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2061 # Same with a bytes `capath` argument
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2062 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2063 ctx.load_verify_locations(capath=BYTES_CAPATH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2064 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2065 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2066 s.connect(self.server_addr)
2067 cert = s.getpeercert()
2068 self.assertTrue(cert)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2069
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2070 def test_connect_cadata(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2071 with open(SIGNING_CA) as f:
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2072 pem = f.read()
2073 der = ssl.PEM_cert_to_DER_cert(pem)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2074 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2075 ctx.load_verify_locations(cadata=pem)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2076 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2077 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2078 s.connect(self.server_addr)
2079 cert = s.getpeercert()
2080 self.assertTrue(cert)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2081
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2082 # same with DER
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2083 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2084 ctx.load_verify_locations(cadata=der)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2085 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2086 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2087 s.connect(self.server_addr)
2088 cert = s.getpeercert()
2089 self.assertTrue(cert)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2090
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]2091 @unittest.skipIf(os.name == "nt", "Can't use a socket as a file under Windows")
2092 def test_makefile_close(self):
2093 # Issue #5238: creating a file-like object with makefile() shouldn't
2094 # delay closing the underlying "real socket" (here tested with its
2095 # file descriptor, hence skipping the test under Windows).
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2096 ss = test_wrap_socket(socket.socket(socket.AF_INET))
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2097 ss.connect(self.server_addr)
2098 fd = ss.fileno()
2099 f = ss.makefile()
2100 f.close()
2101 # The fd is still open
2102 os.read(fd, 0)
2103 # Closing the SSL socket should close the fd too
2104 ss.close()
2105 gc.collect()
2106 with self.assertRaises(OSError) as e:
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]2107 os.read(fd, 0)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2108 self.assertEqual(e.exception.errno, errno.EBADF)
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]2109
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2110 def test_non_blocking_handshake(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2111 s = socket.socket(socket.AF_INET)
2112 s.connect(self.server_addr)
2113 s.setblocking(False)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2114 s = test_wrap_socket(s,
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2115 cert_reqs=ssl.CERT_NONE,
2116 do_handshake_on_connect=False)
2117 self.addCleanup(s.close)
2118 count = 0
2119 while True:
2120 try:
2121 count += 1
2122 s.do_handshake()
2123 break
2124 except ssl.SSLWantReadError:
2125 select.select([s], [], [])
2126 except ssl.SSLWantWriteError:
2127 select.select([], [s], [])
2128 if support.verbose:
2129 sys.stdout.write("\nNeeded %d calls to do_handshake() to establish session.\n" % count)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2130
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2131 def test_get_server_certificate(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2132 _test_get_server_certificate(self, *self.server_addr, cert=SIGNING_CA)
Antoine Pitrou5aefa662011-04-28 19:24:46 +0200[diff] [blame]2133
juhovh49fdf112021-04-18 21:11:48 +1000[diff] [blame]2134 def test_get_server_certificate_sni(self):
2135 host, port = self.server_addr
2136 server_names = []
2137
2138 # We store servername_cb arguments to make sure they match the host
2139 def servername_cb(ssl_sock, server_name, initial_context):
2140 server_names.append(server_name)
2141 self.server_context.set_servername_callback(servername_cb)
2142
2143 pem = ssl.get_server_certificate((host, port))
2144 if not pem:
2145 self.fail("No server certificate on %s:%s!" % (host, port))
2146
2147 pem = ssl.get_server_certificate((host, port), ca_certs=SIGNING_CA)
2148 if not pem:
2149 self.fail("No server certificate on %s:%s!" % (host, port))
2150 if support.verbose:
2151 sys.stdout.write("\nVerified certificate for %s:%s is\n%s\n" % (host, port, pem))
2152
2153 self.assertEqual(server_names, [host, host])
2154
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2155 def test_get_server_certificate_fail(self):
2156 # Connection failure crashes ThreadedEchoServer, so run this in an
2157 # independent test method
2158 _test_get_server_certificate_fail(self, *self.server_addr)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2159
Zackery Spytzb2fac1a2021-04-23 22:46:01 -0600[diff] [blame]2160 def test_get_server_certificate_timeout(self):
Christian Heimesf05c2ae2021-04-24 07:54:08 +0200[diff] [blame]2161 def servername_cb(ssl_sock, server_name, initial_context):
2162 time.sleep(0.2)
2163 self.server_context.set_servername_callback(servername_cb)
2164
Zackery Spytzb2fac1a2021-04-23 22:46:01 -0600[diff] [blame]2165 with self.assertRaises(socket.timeout):
2166 ssl.get_server_certificate(self.server_addr, ca_certs=SIGNING_CA,
Christian Heimesf05c2ae2021-04-24 07:54:08 +0200[diff] [blame]2167 timeout=0.1)
Zackery Spytzb2fac1a2021-04-23 22:46:01 -0600[diff] [blame]2168
Antoine Pitrouf4c7bad2010-08-15 23:02:22 +0000[diff] [blame]2169 def test_ciphers(self):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2170 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2171 cert_reqs=ssl.CERT_NONE, ciphers="ALL") as s:
2172 s.connect(self.server_addr)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2173 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2174 cert_reqs=ssl.CERT_NONE, ciphers="DEFAULT") as s:
2175 s.connect(self.server_addr)
2176 # Error checking can happen at instantiation or when connecting
2177 with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):
2178 with socket.socket(socket.AF_INET) as sock:
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2179 s = test_wrap_socket(sock,
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2180 cert_reqs=ssl.CERT_NONE, ciphers="^$:,;?*'dorothyx")
2181 s.connect(self.server_addr)
Antoine Pitroufec12ff2010-04-21 19:46:23 +0000[diff] [blame]2182
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]2183 def test_get_ca_certs_capath(self):
2184 # capath certs are loaded on request
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2185 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2186 ctx.load_verify_locations(capath=CAPATH)
2187 self.assertEqual(ctx.get_ca_certs(), [])
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2188 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2189 server_hostname='localhost') as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2190 s.connect(self.server_addr)
2191 cert = s.getpeercert()
2192 self.assertTrue(cert)
2193 self.assertEqual(len(ctx.get_ca_certs()), 1)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]2194
Christian Heimes8e7f3942013-12-05 07:41:08 +0100[diff] [blame]2195 def test_context_setget(self):
2196 # Check that the context of a connected socket can be replaced.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2197 ctx1 = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2198 ctx1.load_verify_locations(capath=CAPATH)
2199 ctx2 = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2200 ctx2.load_verify_locations(capath=CAPATH)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2201 s = socket.socket(socket.AF_INET)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2202 with ctx1.wrap_socket(s, server_hostname='localhost') as ss:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2203 ss.connect(self.server_addr)
2204 self.assertIs(ss.context, ctx1)
2205 self.assertIs(ss._sslobj.context, ctx1)
2206 ss.context = ctx2
2207 self.assertIs(ss.context, ctx2)
2208 self.assertIs(ss._sslobj.context, ctx2)
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2209
2210 def ssl_io_loop(self, sock, incoming, outgoing, func, *args, **kwargs):
2211 # A simple IO loop. Call func(*args) depending on the error we get
2212 # (WANT_READ or WANT_WRITE) move data between the socket and the BIOs.
Victor Stinner0d63bac2019-12-11 11:30:03 +0100[diff] [blame]2213 timeout = kwargs.get('timeout', support.SHORT_TIMEOUT)
Victor Stinner50a72af2017-09-11 09:34:24 -0700[diff] [blame]2214 deadline = time.monotonic() + timeout
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2215 count = 0
2216 while True:
Victor Stinner50a72af2017-09-11 09:34:24 -0700[diff] [blame]2217 if time.monotonic() > deadline:
2218 self.fail("timeout")
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2219 errno = None
2220 count += 1
2221 try:
2222 ret = func(*args)
2223 except ssl.SSLError as e:
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2224 if e.errno not in (ssl.SSL_ERROR_WANT_READ,
Martin Panter40b97ec2016-01-14 13:05:46 +0000[diff] [blame]2225 ssl.SSL_ERROR_WANT_WRITE):
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2226 raise
2227 errno = e.errno
2228 # Get any data from the outgoing BIO irrespective of any error, and
2229 # send it to the socket.
2230 buf = outgoing.read()
2231 sock.sendall(buf)
2232 # If there's no error, we're done. For WANT_READ, we need to get
2233 # data from the socket and put it in the incoming BIO.
2234 if errno is None:
2235 break
2236 elif errno == ssl.SSL_ERROR_WANT_READ:
2237 buf = sock.recv(32768)
2238 if buf:
2239 incoming.write(buf)
2240 else:
2241 incoming.write_eof()
2242 if support.verbose:
2243 sys.stdout.write("Needed %d calls to complete %s().\n"
2244 % (count, func.__name__))
2245 return ret
2246
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2247 def test_bio_handshake(self):
2248 sock = socket.socket(socket.AF_INET)
2249 self.addCleanup(sock.close)
2250 sock.connect(self.server_addr)
2251 incoming = ssl.MemoryBIO()
2252 outgoing = ssl.MemoryBIO()
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2253 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2254 self.assertTrue(ctx.check_hostname)
2255 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2256 ctx.load_verify_locations(SIGNING_CA)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2257 sslobj = ctx.wrap_bio(incoming, outgoing, False,
2258 SIGNED_CERTFILE_HOSTNAME)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2259 self.assertIs(sslobj._sslobj.owner, sslobj)
2260 self.assertIsNone(sslobj.cipher())
Christian Heimes68771112017-09-05 21:55:40 -0700[diff] [blame]2261 self.assertIsNone(sslobj.version())
Christian Heimes01113fa2016-09-05 23:23:24 +0200[diff] [blame]2262 self.assertIsNotNone(sslobj.shared_ciphers())
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2263 self.assertRaises(ValueError, sslobj.getpeercert)
2264 if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
2265 self.assertIsNone(sslobj.get_channel_binding('tls-unique'))
2266 self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake)
2267 self.assertTrue(sslobj.cipher())
Christian Heimes01113fa2016-09-05 23:23:24 +0200[diff] [blame]2268 self.assertIsNotNone(sslobj.shared_ciphers())
Christian Heimes68771112017-09-05 21:55:40 -0700[diff] [blame]2269 self.assertIsNotNone(sslobj.version())
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2270 self.assertTrue(sslobj.getpeercert())
2271 if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
2272 self.assertTrue(sslobj.get_channel_binding('tls-unique'))
2273 try:
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2274 self.ssl_io_loop(sock, incoming, outgoing, sslobj.unwrap)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2275 except ssl.SSLSyscallError:
2276 # If the server shuts down the TCP connection without sending a
2277 # secure shutdown message, this is reported as SSL_ERROR_SYSCALL
2278 pass
2279 self.assertRaises(ssl.SSLError, sslobj.write, b'foo')
2280
2281 def test_bio_read_write_data(self):
2282 sock = socket.socket(socket.AF_INET)
2283 self.addCleanup(sock.close)
2284 sock.connect(self.server_addr)
2285 incoming = ssl.MemoryBIO()
2286 outgoing = ssl.MemoryBIO()
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2287 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2288 ctx.check_hostname = False
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2289 ctx.verify_mode = ssl.CERT_NONE
2290 sslobj = ctx.wrap_bio(incoming, outgoing, False)
2291 self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake)
2292 req = b'FOO\n'
2293 self.ssl_io_loop(sock, incoming, outgoing, sslobj.write, req)
2294 buf = self.ssl_io_loop(sock, incoming, outgoing, sslobj.read, 1024)
2295 self.assertEqual(buf, b'foo\n')
2296 self.ssl_io_loop(sock, incoming, outgoing, sslobj.unwrap)
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2297
2298
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2299class NetworkedTests(unittest.TestCase):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2300
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2301 def test_timeout_connect_ex(self):
2302 # Issue #12065: on a timeout, connect_ex() should return the original
2303 # errno (mimicking the behaviour of non-SSL sockets).
Serhiy Storchakabfb1cf42020-04-29 10:36:20 +0300[diff] [blame]2304 with socket_helper.transient_internet(REMOTE_HOST):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2305 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2306 cert_reqs=ssl.CERT_REQUIRED,
2307 do_handshake_on_connect=False)
2308 self.addCleanup(s.close)
2309 s.settimeout(0.0000001)
2310 rc = s.connect_ex((REMOTE_HOST, 443))
2311 if rc == 0:
2312 self.skipTest("REMOTE_HOST responded too quickly")
Carl Meyer29c451c2021-03-27 15:52:28 -0600[diff] [blame]2313 elif rc == errno.ENETUNREACH:
2314 self.skipTest("Network unreachable.")
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2315 self.assertIn(rc, (errno.EAGAIN, errno.EWOULDBLOCK))
2316
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]2317 @unittest.skipUnless(socket_helper.IPV6_ENABLED, 'Needs IPv6')
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2318 def test_get_server_certificate_ipv6(self):
Serhiy Storchakabfb1cf42020-04-29 10:36:20 +0300[diff] [blame]2319 with socket_helper.transient_internet('ipv6.google.com'):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2320 _test_get_server_certificate(self, 'ipv6.google.com', 443)
2321 _test_get_server_certificate_fail(self, 'ipv6.google.com', 443)
2322
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2323
2324def _test_get_server_certificate(test, host, port, cert=None):
2325 pem = ssl.get_server_certificate((host, port))
2326 if not pem:
2327 test.fail("No server certificate on %s:%s!" % (host, port))
2328
2329 pem = ssl.get_server_certificate((host, port), ca_certs=cert)
2330 if not pem:
2331 test.fail("No server certificate on %s:%s!" % (host, port))
2332 if support.verbose:
2333 sys.stdout.write("\nVerified certificate for %s:%s is\n%s\n" % (host, port ,pem))
2334
2335def _test_get_server_certificate_fail(test, host, port):
2336 try:
2337 pem = ssl.get_server_certificate((host, port), ca_certs=CERTFILE)
2338 except ssl.SSLError as x:
2339 #should fail
2340 if support.verbose:
2341 sys.stdout.write("%s\n" % x)
2342 else:
2343 test.fail("Got server certificate %s for %s:%s!" % (pem, host, port))
2344
2345
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2346from test.ssl_servers import make_https_server
Antoine Pitrou803e6d62010-10-13 10:36:15 +0000[diff] [blame]2347
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2348class ThreadedEchoServer(threading.Thread):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2349
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2350 class ConnectionHandler(threading.Thread):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2351
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2352 """A mildly complicated class, because we want it to work both
2353 with and without the SSL wrapper around the socket connection, so
2354 that we can test the STARTTLS functionality."""
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2355
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2356 def __init__(self, server, connsock, addr):
2357 self.server = server
2358 self.running = False
2359 self.sock = connsock
2360 self.addr = addr
Serhiy Storchaka5eca7f32019-09-01 12:12:52 +0300[diff] [blame]2361 self.sock.setblocking(True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2362 self.sslconn = None
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2363 threading.Thread.__init__(self)
Benjamin Peterson4171da52008-08-18 21:11:09 +0000[diff] [blame]2364 self.daemon = True
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2365
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2366 def wrap_conn(self):
2367 try:
2368 self.sslconn = self.server.context.wrap_socket(
2369 self.sock, server_side=True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2370 self.server.selected_alpn_protocols.append(self.sslconn.selected_alpn_protocol())
Paul Monsonfb7e7502019-05-15 15:38:55 -0700[diff] [blame]2371 except (ConnectionResetError, BrokenPipeError, ConnectionAbortedError) as e:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2372 # We treat ConnectionResetError as though it were an
2373 # SSLError - OpenSSL on Ubuntu abruptly closes the
2374 # connection when asked to use an unsupported protocol.
2375 #
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2376 # BrokenPipeError is raised in TLS 1.3 mode, when OpenSSL
2377 # tries to send session tickets after handshake.
2378 # https://github.com/openssl/openssl/issues/6342
Paul Monsonfb7e7502019-05-15 15:38:55 -0700[diff] [blame]2379 #
2380 # ConnectionAbortedError is raised in TLS 1.3 mode, when OpenSSL
2381 # tries to send session tickets after handshake when using WinSock.
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2382 self.server.conn_errors.append(str(e))
2383 if self.server.chatty:
2384 handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n")
2385 self.running = False
2386 self.close()
2387 return False
2388 except (ssl.SSLError, OSError) as e:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2389 # OSError may occur with wrong protocols, e.g. both
2390 # sides use PROTOCOL_TLS_SERVER.
2391 #
2392 # XXX Various errors can have happened here, for example
2393 # a mismatching protocol version, an invalid certificate,
2394 # or a low-level bug. This should be made more discriminating.
2395 #
2396 # bpo-31323: Store the exception as string to prevent
2397 # a reference leak: server -> conn_errors -> exception
2398 # -> traceback -> self (ConnectionHandler) -> server
2399 self.server.conn_errors.append(str(e))
2400 if self.server.chatty:
2401 handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n")
2402 self.running = False
2403 self.server.stop()
2404 self.close()
2405 return False
2406 else:
2407 self.server.shared_ciphers.append(self.sslconn.shared_ciphers())
2408 if self.server.context.verify_mode == ssl.CERT_REQUIRED:
2409 cert = self.sslconn.getpeercert()
2410 if support.verbose and self.server.chatty:
2411 sys.stdout.write(" client cert is " + pprint.pformat(cert) + "\n")
2412 cert_binary = self.sslconn.getpeercert(True)
2413 if support.verbose and self.server.chatty:
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]2414 if cert_binary is None:
2415 sys.stdout.write(" client did not provide a cert\n")
2416 else:
2417 sys.stdout.write(f" cert binary is {len(cert_binary)}b\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2418 cipher = self.sslconn.cipher()
2419 if support.verbose and self.server.chatty:
2420 sys.stdout.write(" server: connection cipher is now " + str(cipher) + "\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2421 return True
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2422
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2423 def read(self):
2424 if self.sslconn:
2425 return self.sslconn.read()
2426 else:
2427 return self.sock.recv(1024)
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2428
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2429 def write(self, bytes):
2430 if self.sslconn:
2431 return self.sslconn.write(bytes)
2432 else:
2433 return self.sock.send(bytes)
2434
2435 def close(self):
2436 if self.sslconn:
2437 self.sslconn.close()
2438 else:
2439 self.sock.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2440
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2441 def run(self):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2442 self.running = True
2443 if not self.server.starttls_server:
2444 if not self.wrap_conn():
2445 return
2446 while self.running:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2447 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2448 msg = self.read()
2449 stripped = msg.strip()
2450 if not stripped:
2451 # eof, so quit this handler
2452 self.running = False
2453 try:
2454 self.sock = self.sslconn.unwrap()
2455 except OSError:
2456 # Many tests shut the TCP connection down
2457 # without an SSL shutdown. This causes
2458 # unwrap() to raise OSError with errno=0!
2459 pass
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]2460 else:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2461 self.sslconn = None
2462 self.close()
2463 elif stripped == b'over':
2464 if support.verbose and self.server.connectionchatty:
2465 sys.stdout.write(" server: client closed connection\n")
2466 self.close()
2467 return
2468 elif (self.server.starttls_server and
2469 stripped == b'STARTTLS'):
2470 if support.verbose and self.server.connectionchatty:
2471 sys.stdout.write(" server: read STARTTLS from client, sending OK...\n")
2472 self.write(b"OK\n")
2473 if not self.wrap_conn():
2474 return
2475 elif (self.server.starttls_server and self.sslconn
2476 and stripped == b'ENDTLS'):
2477 if support.verbose and self.server.connectionchatty:
2478 sys.stdout.write(" server: read ENDTLS from client, sending OK...\n")
2479 self.write(b"OK\n")
2480 self.sock = self.sslconn.unwrap()
2481 self.sslconn = None
2482 if support.verbose and self.server.connectionchatty:
2483 sys.stdout.write(" server: connection is now unencrypted...\n")
2484 elif stripped == b'CB tls-unique':
2485 if support.verbose and self.server.connectionchatty:
2486 sys.stdout.write(" server: read CB tls-unique from client, sending our CB data...\n")
2487 data = self.sslconn.get_channel_binding("tls-unique")
2488 self.write(repr(data).encode("us-ascii") + b"\n")
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]2489 elif stripped == b'PHA':
2490 if support.verbose and self.server.connectionchatty:
2491 sys.stdout.write(" server: initiating post handshake auth\n")
2492 try:
2493 self.sslconn.verify_client_post_handshake()
2494 except ssl.SSLError as e:
2495 self.write(repr(e).encode("us-ascii") + b"\n")
2496 else:
2497 self.write(b"OK\n")
2498 elif stripped == b'HASCERT':
2499 if self.sslconn.getpeercert() is not None:
2500 self.write(b'TRUE\n')
2501 else:
2502 self.write(b'FALSE\n')
2503 elif stripped == b'GETCERT':
2504 cert = self.sslconn.getpeercert()
2505 self.write(repr(cert).encode("us-ascii") + b"\n")
Christian Heimes666991f2021-04-26 15:01:40 +0200[diff] [blame]2506 elif stripped == b'VERIFIEDCHAIN':
2507 certs = self.sslconn._sslobj.get_verified_chain()
2508 self.write(len(certs).to_bytes(1, "big") + b"\n")
2509 elif stripped == b'UNVERIFIEDCHAIN':
2510 certs = self.sslconn._sslobj.get_unverified_chain()
2511 self.write(len(certs).to_bytes(1, "big") + b"\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2512 else:
2513 if (support.verbose and
2514 self.server.connectionchatty):
2515 ctype = (self.sslconn and "encrypted") or "unencrypted"
2516 sys.stdout.write(" server: read %r (%s), sending back %r (%s)...\n"
2517 % (msg, ctype, msg.lower(), ctype))
2518 self.write(msg.lower())
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]2519 except OSError as e:
2520 # handles SSLError and socket errors
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2521 if self.server.chatty and support.verbose:
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]2522 if isinstance(e, ConnectionError):
2523 # OpenSSL 1.1.1 sometimes raises
2524 # ConnectionResetError when connection is not
2525 # shut down gracefully.
2526 print(
2527 f" Connection reset by peer: {self.addr}"
2528 )
2529 else:
2530 handle_error("Test server failure:\n")
2531 try:
2532 self.write(b"ERROR\n")
2533 except OSError:
2534 pass
Bill Janssen2f5799b2008-06-29 00:08:12 +0000[diff] [blame]2535 self.close()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2536 self.running = False
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2537
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2538 # normally, we'd just stop here, but for the test
2539 # harness, we want to stop the server
2540 self.server.stop()
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2541
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2542 def __init__(self, certificate=None, ssl_version=None,
2543 certreqs=None, cacerts=None,
2544 chatty=True, connectionchatty=False, starttls_server=False,
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2545 alpn_protocols=None,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2546 ciphers=None, context=None):
2547 if context:
2548 self.context = context
2549 else:
2550 self.context = ssl.SSLContext(ssl_version
2551 if ssl_version is not None
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2552 else ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2553 self.context.verify_mode = (certreqs if certreqs is not None
2554 else ssl.CERT_NONE)
2555 if cacerts:
2556 self.context.load_verify_locations(cacerts)
2557 if certificate:
2558 self.context.load_cert_chain(certificate)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2559 if alpn_protocols:
2560 self.context.set_alpn_protocols(alpn_protocols)
2561 if ciphers:
2562 self.context.set_ciphers(ciphers)
2563 self.chatty = chatty
2564 self.connectionchatty = connectionchatty
2565 self.starttls_server = starttls_server
2566 self.sock = socket.socket()
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]2567 self.port = socket_helper.bind_port(self.sock)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2568 self.flag = None
2569 self.active = False
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2570 self.selected_alpn_protocols = []
2571 self.shared_ciphers = []
2572 self.conn_errors = []
2573 threading.Thread.__init__(self)
2574 self.daemon = True
2575
2576 def __enter__(self):
2577 self.start(threading.Event())
2578 self.flag.wait()
2579 return self
2580
2581 def __exit__(self, *args):
2582 self.stop()
2583 self.join()
2584
2585 def start(self, flag=None):
2586 self.flag = flag
2587 threading.Thread.start(self)
2588
2589 def run(self):
2590 self.sock.settimeout(0.05)
2591 self.sock.listen()
2592 self.active = True
2593 if self.flag:
2594 # signal an event
2595 self.flag.set()
2596 while self.active:
2597 try:
2598 newconn, connaddr = self.sock.accept()
2599 if support.verbose and self.chatty:
2600 sys.stdout.write(' server: new connection from '
2601 + repr(connaddr) + '\n')
2602 handler = self.ConnectionHandler(self, newconn, connaddr)
2603 handler.start()
2604 handler.join()
Christian Heimes03c8ddd2020-11-20 09:26:07 +0100[diff] [blame]2605 except TimeoutError:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2606 pass
2607 except KeyboardInterrupt:
2608 self.stop()
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2609 except BaseException as e:
2610 if support.verbose and self.chatty:
2611 sys.stdout.write(
2612 ' connection handling failed: ' + repr(e) + '\n')
2613
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2614 self.sock.close()
2615
2616 def stop(self):
2617 self.active = False
2618
2619class AsyncoreEchoServer(threading.Thread):
2620
2621 # this one's based on asyncore.dispatcher
2622
2623 class EchoServer (asyncore.dispatcher):
2624
2625 class ConnectionHandler(asyncore.dispatcher_with_send):
2626
2627 def __init__(self, conn, certfile):
2628 self.socket = test_wrap_socket(conn, server_side=True,
2629 certfile=certfile,
2630 do_handshake_on_connect=False)
2631 asyncore.dispatcher_with_send.__init__(self, self.socket)
2632 self._ssl_accepting = True
2633 self._do_ssl_handshake()
2634
2635 def readable(self):
2636 if isinstance(self.socket, ssl.SSLSocket):
2637 while self.socket.pending() > 0:
2638 self.handle_read_event()
2639 return True
2640
2641 def _do_ssl_handshake(self):
2642 try:
2643 self.socket.do_handshake()
2644 except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
2645 return
2646 except ssl.SSLEOFError:
2647 return self.handle_close()
2648 except ssl.SSLError:
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2649 raise
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2650 except OSError as err:
2651 if err.args[0] == errno.ECONNABORTED:
2652 return self.handle_close()
2653 else:
2654 self._ssl_accepting = False
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2655
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2656 def handle_read(self):
2657 if self._ssl_accepting:
2658 self._do_ssl_handshake()
2659 else:
2660 data = self.recv(1024)
2661 if support.verbose:
2662 sys.stdout.write(" server: read %s from client\n" % repr(data))
2663 if not data:
2664 self.close()
2665 else:
2666 self.send(data.lower())
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2667
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2668 def handle_close(self):
2669 self.close()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2670 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2671 sys.stdout.write(" server: closed connection %s\n" % self.socket)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2672
2673 def handle_error(self):
2674 raise
2675
Trent Nelson78520002008-04-10 20:54:35 +0000[diff] [blame]2676 def __init__(self, certfile):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2677 self.certfile = certfile
2678 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]2679 self.port = socket_helper.bind_port(sock, '')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2680 asyncore.dispatcher.__init__(self, sock)
2681 self.listen(5)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2682
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2683 def handle_accepted(self, sock_obj, addr):
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2684 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2685 sys.stdout.write(" server: new connection from %s:%s\n" %addr)
2686 self.ConnectionHandler(sock_obj, self.certfile)
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2687
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2688 def handle_error(self):
2689 raise
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2690
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2691 def __init__(self, certfile):
2692 self.flag = None
2693 self.active = False
2694 self.server = self.EchoServer(certfile)
2695 self.port = self.server.port
2696 threading.Thread.__init__(self)
2697 self.daemon = True
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2698
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2699 def __str__(self):
2700 return "<%s %s>" % (self.__class__.__name__, self.server)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2701
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2702 def __enter__(self):
2703 self.start(threading.Event())
2704 self.flag.wait()
2705 return self
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]2706
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2707 def __exit__(self, *args):
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2708 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2709 sys.stdout.write(" cleanup: stopping server.\n")
2710 self.stop()
2711 if support.verbose:
2712 sys.stdout.write(" cleanup: joining server thread.\n")
2713 self.join()
2714 if support.verbose:
2715 sys.stdout.write(" cleanup: successfully joined.\n")
2716 # make sure that ConnectionHandler is removed from socket_map
2717 asyncore.close_all(ignore_all=True)
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]2718
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2719 def start (self, flag=None):
2720 self.flag = flag
2721 threading.Thread.start(self)
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]2722
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2723 def run(self):
2724 self.active = True
2725 if self.flag:
2726 self.flag.set()
2727 while self.active:
Antoine Pitrou773b5db2010-04-27 08:53:36 +0000[diff] [blame]2728 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2729 asyncore.loop(1)
2730 except:
2731 pass
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2732
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2733 def stop(self):
2734 self.active = False
2735 self.server.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2736
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2737def server_params_test(client_context, server_context, indata=b"FOO\n",
2738 chatty=True, connectionchatty=False, sni_name=None,
2739 session=None):
2740 """
2741 Launch a server, connect a client to it and try various reads
2742 and writes.
2743 """
2744 stats = {}
2745 server = ThreadedEchoServer(context=server_context,
2746 chatty=chatty,
2747 connectionchatty=False)
2748 with server:
2749 with client_context.wrap_socket(socket.socket(),
2750 server_hostname=sni_name, session=session) as s:
2751 s.connect((HOST, server.port))
2752 for arg in [indata, bytearray(indata), memoryview(indata)]:
2753 if connectionchatty:
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2754 if support.verbose:
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2755 sys.stdout.write(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2756 " client: sending %r...\n" % indata)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2757 s.write(arg)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2758 outdata = s.read()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2759 if connectionchatty:
2760 if support.verbose:
2761 sys.stdout.write(" client: read %r\n" % outdata)
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2762 if outdata != indata.lower():
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2763 raise AssertionError(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2764 "bad data <<%r>> (%d) received; expected <<%r>> (%d)\n"
2765 % (outdata[:20], len(outdata),
2766 indata[:20].lower(), len(indata)))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2767 s.write(b"over\n")
2768 if connectionchatty:
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2769 if support.verbose:
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2770 sys.stdout.write(" client: closing connection.\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2771 stats.update({
2772 'compression': s.compression(),
2773 'cipher': s.cipher(),
2774 'peercert': s.getpeercert(),
2775 'client_alpn_protocol': s.selected_alpn_protocol(),
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2776 'version': s.version(),
2777 'session_reused': s.session_reused,
2778 'session': s.session,
2779 })
2780 s.close()
2781 stats['server_alpn_protocols'] = server.selected_alpn_protocols
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2782 stats['server_shared_ciphers'] = server.shared_ciphers
2783 return stats
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2784
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2785def try_protocol_combo(server_protocol, client_protocol, expect_success,
2786 certsreqs=None, server_options=0, client_options=0):
2787 """
2788 Try to SSL-connect using *client_protocol* to *server_protocol*.
2789 If *expect_success* is true, assert that the connection succeeds,
2790 if it's false, assert that the connection fails.
2791 Also, if *expect_success* is a string, assert that it is the protocol
2792 version actually used by the connection.
2793 """
2794 if certsreqs is None:
2795 certsreqs = ssl.CERT_NONE
2796 certtype = {
2797 ssl.CERT_NONE: "CERT_NONE",
2798 ssl.CERT_OPTIONAL: "CERT_OPTIONAL",
2799 ssl.CERT_REQUIRED: "CERT_REQUIRED",
2800 }[certsreqs]
2801 if support.verbose:
2802 formatstr = (expect_success and " %s->%s %s\n") or " {%s->%s} %s\n"
2803 sys.stdout.write(formatstr %
2804 (ssl.get_protocol_name(client_protocol),
2805 ssl.get_protocol_name(server_protocol),
2806 certtype))
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2807
2808 with warnings_helper.check_warnings():
2809 # ignore Deprecation warnings
2810 client_context = ssl.SSLContext(client_protocol)
2811 client_context.options |= client_options
2812 server_context = ssl.SSLContext(server_protocol)
2813 server_context.options |= server_options
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2814
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]2815 min_version = PROTOCOL_TO_TLS_VERSION.get(client_protocol, None)
2816 if (min_version is not None
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2817 # SSLContext.minimum_version is only available on recent OpenSSL
2818 # (setter added in OpenSSL 1.1.0, getter added in OpenSSL 1.1.1)
2819 and hasattr(server_context, 'minimum_version')
2820 and server_protocol == ssl.PROTOCOL_TLS
2821 and server_context.minimum_version > min_version
2822 ):
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]2823 # If OpenSSL configuration is strict and requires more recent TLS
2824 # version, we have to change the minimum to test old TLS versions.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2825 with warnings_helper.check_warnings():
2826 server_context.minimum_version = min_version
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]2827
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2828 # NOTE: we must enable "ALL" ciphers on the client, otherwise an
2829 # SSLv23 client will send an SSLv3 hello (rather than SSLv2)
2830 # starting from OpenSSL 1.0.0 (see issue #8322).
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2831 if client_context.protocol == ssl.PROTOCOL_TLS:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2832 client_context.set_ciphers("ALL")
2833
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]2834 seclevel_workaround(server_context, client_context)
2835
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2836 for ctx in (client_context, server_context):
2837 ctx.verify_mode = certsreqs
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]2838 ctx.load_cert_chain(SIGNED_CERTFILE)
2839 ctx.load_verify_locations(SIGNING_CA)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2840 try:
2841 stats = server_params_test(client_context, server_context,
2842 chatty=False, connectionchatty=False)
2843 # Protocol mismatch can result in either an SSLError, or a
2844 # "Connection reset by peer" error.
2845 except ssl.SSLError:
2846 if expect_success:
2847 raise
2848 except OSError as e:
2849 if expect_success or e.errno != errno.ECONNRESET:
2850 raise
2851 else:
2852 if not expect_success:
2853 raise AssertionError(
2854 "Client protocol %s succeeded with server protocol %s!"
2855 % (ssl.get_protocol_name(client_protocol),
2856 ssl.get_protocol_name(server_protocol)))
2857 elif (expect_success is not True
2858 and expect_success != stats['version']):
2859 raise AssertionError("version mismatch: expected %r, got %r"
2860 % (expect_success, stats['version']))
2861
2862
2863class ThreadedTests(unittest.TestCase):
2864
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2865 def test_echo(self):
2866 """Basic test of an SSL client connecting to a server"""
2867 if support.verbose:
2868 sys.stdout.write("\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2869
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2870 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2871
2872 with self.subTest(client=ssl.PROTOCOL_TLS_CLIENT, server=ssl.PROTOCOL_TLS_SERVER):
2873 server_params_test(client_context=client_context,
2874 server_context=server_context,
2875 chatty=True, connectionchatty=True,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2876 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2877
2878 client_context.check_hostname = False
2879 with self.subTest(client=ssl.PROTOCOL_TLS_SERVER, server=ssl.PROTOCOL_TLS_CLIENT):
2880 with self.assertRaises(ssl.SSLError) as e:
2881 server_params_test(client_context=server_context,
2882 server_context=client_context,
2883 chatty=True, connectionchatty=True,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2884 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2885 self.assertIn('called a function you should not call',
2886 str(e.exception))
2887
2888 with self.subTest(client=ssl.PROTOCOL_TLS_SERVER, server=ssl.PROTOCOL_TLS_SERVER):
2889 with self.assertRaises(ssl.SSLError) as e:
2890 server_params_test(client_context=server_context,
2891 server_context=server_context,
2892 chatty=True, connectionchatty=True)
2893 self.assertIn('called a function you should not call',
2894 str(e.exception))
2895
2896 with self.subTest(client=ssl.PROTOCOL_TLS_CLIENT, server=ssl.PROTOCOL_TLS_CLIENT):
2897 with self.assertRaises(ssl.SSLError) as e:
2898 server_params_test(client_context=server_context,
2899 server_context=client_context,
2900 chatty=True, connectionchatty=True)
2901 self.assertIn('called a function you should not call',
2902 str(e.exception))
2903
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2904 def test_getpeercert(self):
2905 if support.verbose:
2906 sys.stdout.write("\n")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2907
2908 client_context, server_context, hostname = testing_context()
2909 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2910 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2911 with client_context.wrap_socket(socket.socket(),
2912 do_handshake_on_connect=False,
2913 server_hostname=hostname) as s:
2914 s.connect((HOST, server.port))
2915 # getpeercert() raise ValueError while the handshake isn't
2916 # done.
2917 with self.assertRaises(ValueError):
2918 s.getpeercert()
2919 s.do_handshake()
2920 cert = s.getpeercert()
2921 self.assertTrue(cert, "Can't get peer certificate.")
2922 cipher = s.cipher()
2923 if support.verbose:
2924 sys.stdout.write(pprint.pformat(cert) + '\n')
2925 sys.stdout.write("Connection cipher is " + str(cipher) + '.\n')
2926 if 'subject' not in cert:
2927 self.fail("No subject field in certificate: %s." %
2928 pprint.pformat(cert))
2929 if ((('organizationName', 'Python Software Foundation'),)
2930 not in cert['subject']):
2931 self.fail(
2932 "Missing or invalid 'organizationName' field in certificate subject; "
2933 "should be 'Python Software Foundation'.")
2934 self.assertIn('notBefore', cert)
2935 self.assertIn('notAfter', cert)
2936 before = ssl.cert_time_to_seconds(cert['notBefore'])
2937 after = ssl.cert_time_to_seconds(cert['notAfter'])
2938 self.assertLess(before, after)
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2939
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2940 def test_crl_check(self):
2941 if support.verbose:
2942 sys.stdout.write("\n")
2943
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2944 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2945
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2946 tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2947 self.assertEqual(client_context.verify_flags, ssl.VERIFY_DEFAULT | tf)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2948
2949 # VERIFY_DEFAULT should pass
2950 server = ThreadedEchoServer(context=server_context, chatty=True)
2951 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2952 with client_context.wrap_socket(socket.socket(),
2953 server_hostname=hostname) as s:
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2954 s.connect((HOST, server.port))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2955 cert = s.getpeercert()
2956 self.assertTrue(cert, "Can't get peer certificate.")
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2957
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2958 # VERIFY_CRL_CHECK_LEAF without a loaded CRL file fails
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2959 client_context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2960
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2961 server = ThreadedEchoServer(context=server_context, chatty=True)
2962 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2963 with client_context.wrap_socket(socket.socket(),
2964 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2965 with self.assertRaisesRegex(ssl.SSLError,
2966 "certificate verify failed"):
2967 s.connect((HOST, server.port))
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2968
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2969 # now load a CRL file. The CRL file is signed by the CA.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2970 client_context.load_verify_locations(CRLFILE)
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2971
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2972 server = ThreadedEchoServer(context=server_context, chatty=True)
2973 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2974 with client_context.wrap_socket(socket.socket(),
2975 server_hostname=hostname) as s:
Antoine Pitroub4bebda2014-04-29 10:03:28 +0200[diff] [blame]2976 s.connect((HOST, server.port))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2977 cert = s.getpeercert()
2978 self.assertTrue(cert, "Can't get peer certificate.")
Antoine Pitroub4bebda2014-04-29 10:03:28 +0200[diff] [blame]2979
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2980 def test_check_hostname(self):
2981 if support.verbose:
2982 sys.stdout.write("\n")
Antoine Pitroub4bebda2014-04-29 10:03:28 +0200[diff] [blame]2983
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2984 client_context, server_context, hostname = testing_context()
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]2985
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2986 # correct hostname should verify
2987 server = ThreadedEchoServer(context=server_context, chatty=True)
2988 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2989 with client_context.wrap_socket(socket.socket(),
2990 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2991 s.connect((HOST, server.port))
2992 cert = s.getpeercert()
2993 self.assertTrue(cert, "Can't get peer certificate.")
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]2994
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2995 # incorrect hostname should raise an exception
2996 server = ThreadedEchoServer(context=server_context, chatty=True)
2997 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2998 with client_context.wrap_socket(socket.socket(),
2999 server_hostname="invalid") as s:
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]3000 with self.assertRaisesRegex(
3001 ssl.CertificateError,
3002 "Hostname mismatch, certificate is not valid for 'invalid'."):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3003 s.connect((HOST, server.port))
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]3004
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3005 # missing server_hostname arg should cause an exception, too
3006 server = ThreadedEchoServer(context=server_context, chatty=True)
3007 with server:
3008 with socket.socket() as s:
3009 with self.assertRaisesRegex(ValueError,
3010 "check_hostname requires server_hostname"):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3011 client_context.wrap_socket(s)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3012
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]3013 @unittest.skipUnless(
3014 ssl.HAS_NEVER_CHECK_COMMON_NAME, "test requires hostname_checks_common_name"
3015 )
3016 def test_hostname_checks_common_name(self):
3017 client_context, server_context, hostname = testing_context()
3018 assert client_context.hostname_checks_common_name
3019 client_context.hostname_checks_common_name = False
3020
3021 # default cert has a SAN
3022 server = ThreadedEchoServer(context=server_context, chatty=True)
3023 with server:
3024 with client_context.wrap_socket(socket.socket(),
3025 server_hostname=hostname) as s:
3026 s.connect((HOST, server.port))
3027
3028 client_context, server_context, hostname = testing_context(NOSANFILE)
3029 client_context.hostname_checks_common_name = False
3030 server = ThreadedEchoServer(context=server_context, chatty=True)
3031 with server:
3032 with client_context.wrap_socket(socket.socket(),
3033 server_hostname=hostname) as s:
3034 with self.assertRaises(ssl.SSLCertVerificationError):
3035 s.connect((HOST, server.port))
3036
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3037 def test_ecc_cert(self):
3038 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3039 client_context.load_verify_locations(SIGNING_CA)
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3040 client_context.set_ciphers('ECDHE:ECDSA:!NULL:!aRSA')
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3041 hostname = SIGNED_CERTFILE_ECC_HOSTNAME
3042
3043 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
3044 # load ECC cert
3045 server_context.load_cert_chain(SIGNED_CERTFILE_ECC)
3046
3047 # correct hostname should verify
3048 server = ThreadedEchoServer(context=server_context, chatty=True)
3049 with server:
3050 with client_context.wrap_socket(socket.socket(),
3051 server_hostname=hostname) as s:
3052 s.connect((HOST, server.port))
3053 cert = s.getpeercert()
3054 self.assertTrue(cert, "Can't get peer certificate.")
3055 cipher = s.cipher()[0].split('-')
3056 self.assertTrue(cipher[:2], ('ECDHE', 'ECDSA'))
3057
3058 def test_dual_rsa_ecc(self):
3059 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3060 client_context.load_verify_locations(SIGNING_CA)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3061 # TODO: fix TLSv1.3 once SSLContext can restrict signature
3062 # algorithms.
3063 client_context.options |= ssl.OP_NO_TLSv1_3
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3064 # only ECDSA certs
3065 client_context.set_ciphers('ECDHE:ECDSA:!NULL:!aRSA')
3066 hostname = SIGNED_CERTFILE_ECC_HOSTNAME
3067
3068 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
3069 # load ECC and RSA key/cert pairs
3070 server_context.load_cert_chain(SIGNED_CERTFILE_ECC)
3071 server_context.load_cert_chain(SIGNED_CERTFILE)
3072
3073 # correct hostname should verify
3074 server = ThreadedEchoServer(context=server_context, chatty=True)
3075 with server:
3076 with client_context.wrap_socket(socket.socket(),
3077 server_hostname=hostname) as s:
3078 s.connect((HOST, server.port))
3079 cert = s.getpeercert()
3080 self.assertTrue(cert, "Can't get peer certificate.")
3081 cipher = s.cipher()[0].split('-')
3082 self.assertTrue(cipher[:2], ('ECDHE', 'ECDSA'))
3083
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3084 def test_check_hostname_idn(self):
3085 if support.verbose:
3086 sys.stdout.write("\n")
3087
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3088 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3089 server_context.load_cert_chain(IDNSANSFILE)
3090
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3091 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3092 context.verify_mode = ssl.CERT_REQUIRED
3093 context.check_hostname = True
3094 context.load_verify_locations(SIGNING_CA)
3095
3096 # correct hostname should verify, when specified in several
3097 # different ways
3098 idn_hostnames = [
3099 ('könig.idn.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3100 'xn--knig-5qa.idn.pythontest.net'),
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3101 ('xn--knig-5qa.idn.pythontest.net',
3102 'xn--knig-5qa.idn.pythontest.net'),
3103 (b'xn--knig-5qa.idn.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3104 'xn--knig-5qa.idn.pythontest.net'),
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3105
3106 ('königsgäßchen.idna2003.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3107 'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3108 ('xn--knigsgsschen-lcb0w.idna2003.pythontest.net',
3109 'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
3110 (b'xn--knigsgsschen-lcb0w.idna2003.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3111 'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
3112
3113 # ('königsgäßchen.idna2008.pythontest.net',
3114 # 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
3115 ('xn--knigsgchen-b4a3dun.idna2008.pythontest.net',
3116 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
3117 (b'xn--knigsgchen-b4a3dun.idna2008.pythontest.net',
3118 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
3119
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3120 ]
3121 for server_hostname, expected_hostname in idn_hostnames:
3122 server = ThreadedEchoServer(context=server_context, chatty=True)
3123 with server:
3124 with context.wrap_socket(socket.socket(),
3125 server_hostname=server_hostname) as s:
3126 self.assertEqual(s.server_hostname, expected_hostname)
3127 s.connect((HOST, server.port))
3128 cert = s.getpeercert()
3129 self.assertEqual(s.server_hostname, expected_hostname)
3130 self.assertTrue(cert, "Can't get peer certificate.")
3131
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3132 # incorrect hostname should raise an exception
3133 server = ThreadedEchoServer(context=server_context, chatty=True)
3134 with server:
3135 with context.wrap_socket(socket.socket(),
3136 server_hostname="python.example.org") as s:
3137 with self.assertRaises(ssl.CertificateError):
3138 s.connect((HOST, server.port))
3139
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3140 def test_wrong_cert_tls12(self):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3141 """Connecting when the server rejects the client's certificate
3142
3143 Launch a server with CERT_REQUIRED, and check that trying to
3144 connect to it with a wrong client certificate fails.
3145 """
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3146 client_context, server_context, hostname = testing_context()
Christian Heimes88bfd0b2018-08-14 12:54:19 +0200[diff] [blame]3147 # load client cert that is not signed by trusted CA
3148 client_context.load_cert_chain(CERTFILE)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3149 # require TLS client authentication
3150 server_context.verify_mode = ssl.CERT_REQUIRED
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3151 # TLS 1.3 has different handshake
3152 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3153
3154 server = ThreadedEchoServer(
3155 context=server_context, chatty=True, connectionchatty=True,
3156 )
3157
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3158 with server, \
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3159 client_context.wrap_socket(socket.socket(),
3160 server_hostname=hostname) as s:
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]3161 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3162 # Expect either an SSL error about the server rejecting
3163 # the connection, or a low-level connection reset (which
3164 # sometimes happens on Windows)
3165 s.connect((HOST, server.port))
3166 except ssl.SSLError as e:
3167 if support.verbose:
3168 sys.stdout.write("\nSSLError is %r\n" % e)
3169 except OSError as e:
3170 if e.errno != errno.ECONNRESET:
3171 raise
3172 if support.verbose:
3173 sys.stdout.write("\nsocket.error is %r\n" % e)
3174 else:
3175 self.fail("Use of invalid cert should have failed!")
3176
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3177 @requires_tls_version('TLSv1_3')
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3178 def test_wrong_cert_tls13(self):
3179 client_context, server_context, hostname = testing_context()
Christian Heimes88bfd0b2018-08-14 12:54:19 +0200[diff] [blame]3180 # load client cert that is not signed by trusted CA
3181 client_context.load_cert_chain(CERTFILE)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3182 server_context.verify_mode = ssl.CERT_REQUIRED
3183 server_context.minimum_version = ssl.TLSVersion.TLSv1_3
3184 client_context.minimum_version = ssl.TLSVersion.TLSv1_3
3185
3186 server = ThreadedEchoServer(
3187 context=server_context, chatty=True, connectionchatty=True,
3188 )
3189 with server, \
3190 client_context.wrap_socket(socket.socket(),
3191 server_hostname=hostname) as s:
3192 # TLS 1.3 perform client cert exchange after handshake
3193 s.connect((HOST, server.port))
3194 try:
3195 s.write(b'data')
Christian Heimese0472392021-04-23 20:03:25 +0200[diff] [blame]3196 s.read(1000)
3197 s.write(b'should have failed already')
3198 s.read(1000)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3199 except ssl.SSLError as e:
3200 if support.verbose:
3201 sys.stdout.write("\nSSLError is %r\n" % e)
3202 except OSError as e:
3203 if e.errno != errno.ECONNRESET:
3204 raise
3205 if support.verbose:
3206 sys.stdout.write("\nsocket.error is %r\n" % e)
3207 else:
Christian Heimese0472392021-04-23 20:03:25 +0200[diff] [blame]3208 if sys.platform == "win32":
3209 self.skipTest(
3210 "Ignoring failed test_wrong_cert_tls13 test case. "
3211 "The test is flaky on Windows, see bpo-43921."
3212 )
3213 else:
3214 self.fail("Use of invalid cert should have failed!")
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3215
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3216 def test_rude_shutdown(self):
3217 """A brutal shutdown of an SSL server should raise an OSError
3218 in the client when attempting handshake.
3219 """
3220 listener_ready = threading.Event()
3221 listener_gone = threading.Event()
3222
3223 s = socket.socket()
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]3224 port = socket_helper.bind_port(s, HOST)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3225
3226 # `listener` runs in a thread. It sits in an accept() until
3227 # the main thread connects. Then it rudely closes the socket,
3228 # and sets Event `listener_gone` to let the main thread know
3229 # the socket is gone.
3230 def listener():
3231 s.listen()
3232 listener_ready.set()
3233 newsock, addr = s.accept()
3234 newsock.close()
3235 s.close()
3236 listener_gone.set()
3237
3238 def connector():
3239 listener_ready.wait()
3240 with socket.socket() as c:
3241 c.connect((HOST, port))
3242 listener_gone.wait()
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]3243 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3244 ssl_sock = test_wrap_socket(c)
3245 except OSError:
3246 pass
3247 else:
3248 self.fail('connecting to closed SSL socket should have failed')
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]3249
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3250 t = threading.Thread(target=listener)
3251 t.start()
3252 try:
3253 connector()
3254 finally:
Antoine Pitrou5c89b4e2012-11-11 01:25:36 +0100[diff] [blame]3255 t.join()
Antoine Pitrou5c89b4e2012-11-11 01:25:36 +0100[diff] [blame]3256
Christian Heimesb3ad0e52017-09-08 12:00:19 -0700[diff] [blame]3257 def test_ssl_cert_verify_error(self):
3258 if support.verbose:
3259 sys.stdout.write("\n")
3260
3261 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
3262 server_context.load_cert_chain(SIGNED_CERTFILE)
3263
3264 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3265
3266 server = ThreadedEchoServer(context=server_context, chatty=True)
3267 with server:
3268 with context.wrap_socket(socket.socket(),
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3269 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Christian Heimesb3ad0e52017-09-08 12:00:19 -0700[diff] [blame]3270 try:
3271 s.connect((HOST, server.port))
3272 except ssl.SSLError as e:
3273 msg = 'unable to get local issuer certificate'
3274 self.assertIsInstance(e, ssl.SSLCertVerificationError)
3275 self.assertEqual(e.verify_code, 20)
3276 self.assertEqual(e.verify_message, msg)
3277 self.assertIn(msg, repr(e))
3278 self.assertIn('certificate verify failed', repr(e))
3279
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3280 @requires_tls_version('SSLv2')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3281 def test_protocol_sslv2(self):
3282 """Connecting to an SSLv2 server with various client options"""
3283 if support.verbose:
3284 sys.stdout.write("\n")
3285 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
3286 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)
3287 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3288 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLS, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3289 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3290 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)
3291 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)
3292 # SSLv23 client with specific SSL options
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3293 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3294 client_options=ssl.OP_NO_SSLv3)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3295 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3296 client_options=ssl.OP_NO_TLSv1)
Antoine Pitrou242db722013-05-01 20:52:07 +0200[diff] [blame]3297
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3298 def test_PROTOCOL_TLS(self):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3299 """Connecting to an SSLv23 server with various client options"""
3300 if support.verbose:
3301 sys.stdout.write("\n")
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3302 if has_tls_version('SSLv2'):
Antoine Pitrou8f85f902012-01-03 22:46:48 +0100[diff] [blame]3303 try:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3304 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv2, True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3305 except OSError as x:
3306 # this fails on some older versions of OpenSSL (0.9.7l, for instance)
3307 if support.verbose:
3308 sys.stdout.write(
3309 " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
3310 % str(x))
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3311 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3312 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False)
3313 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3314 if has_tls_version('TLSv1'):
3315 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1')
Antoine Pitrou8f85f902012-01-03 22:46:48 +0100[diff] [blame]3316
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3317 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3318 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)
3319 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True, ssl.CERT_OPTIONAL)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3320 if has_tls_version('TLSv1'):
3321 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3322
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3323 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3324 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)
3325 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True, ssl.CERT_REQUIRED)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3326 if has_tls_version('TLSv1'):
3327 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3328
3329 # Server with specific SSL options
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3330 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3331 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3332 server_options=ssl.OP_NO_SSLv3)
3333 # Will choose TLSv1
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3334 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3335 server_options=ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3336 if has_tls_version('TLSv1'):
3337 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, False,
3338 server_options=ssl.OP_NO_TLSv1)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3339
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3340 @requires_tls_version('SSLv3')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3341 def test_protocol_sslv3(self):
3342 """Connecting to an SSLv3 server with various client options"""
3343 if support.verbose:
3344 sys.stdout.write("\n")
3345 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3')
3346 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_OPTIONAL)
3347 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_REQUIRED)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3348 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3349 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3350 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3351 client_options=ssl.OP_NO_SSLv3)
3352 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3353
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3354 @requires_tls_version('TLSv1')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3355 def test_protocol_tlsv1(self):
3356 """Connecting to a TLSv1 server with various client options"""
3357 if support.verbose:
3358 sys.stdout.write("\n")
3359 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1')
3360 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
3361 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3362 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3363 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3364 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3365 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3366 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3367 client_options=ssl.OP_NO_TLSv1)
3368
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3369 @requires_tls_version('TLSv1_1')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3370 def test_protocol_tlsv1_1(self):
3371 """Connecting to a TLSv1.1 server with various client options.
3372 Testing against older TLS versions."""
3373 if support.verbose:
3374 sys.stdout.write("\n")
3375 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3376 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3377 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv2, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3378 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3379 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv3, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3380 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3381 client_options=ssl.OP_NO_TLSv1_1)
3382
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3383 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3384 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, False)
3385 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_1, False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3386
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3387 @requires_tls_version('TLSv1_2')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3388 def test_protocol_tlsv1_2(self):
3389 """Connecting to a TLSv1.2 server with various client options.
3390 Testing against older TLS versions."""
3391 if support.verbose:
3392 sys.stdout.write("\n")
3393 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_2, 'TLSv1.2',
3394 server_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,
3395 client_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3396 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3397 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv2, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3398 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3399 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv3, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3400 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3401 client_options=ssl.OP_NO_TLSv1_2)
3402
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3403 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_2, 'TLSv1.2')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3404 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1, False)
3405 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_2, False)
3406 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_1, False)
3407 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, False)
3408
3409 def test_starttls(self):
3410 """Switching from clear text to encrypted and back again."""
3411 msgs = (b"msg 1", b"MSG 2", b"STARTTLS", b"MSG 3", b"msg 4", b"ENDTLS", b"msg 5", b"msg 6")
3412
3413 server = ThreadedEchoServer(CERTFILE,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3414 starttls_server=True,
3415 chatty=True,
3416 connectionchatty=True)
3417 wrapped = False
3418 with server:
3419 s = socket.socket()
Serhiy Storchaka5eca7f32019-09-01 12:12:52 +0300[diff] [blame]3420 s.setblocking(True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3421 s.connect((HOST, server.port))
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]3422 if support.verbose:
3423 sys.stdout.write("\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3424 for indata in msgs:
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]3425 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3426 sys.stdout.write(
3427 " client: sending %r...\n" % indata)
3428 if wrapped:
3429 conn.write(indata)
3430 outdata = conn.read()
3431 else:
3432 s.send(indata)
3433 outdata = s.recv(1024)
3434 msg = outdata.strip().lower()
3435 if indata == b"STARTTLS" and msg.startswith(b"ok"):
3436 # STARTTLS ok, switch to secure mode
3437 if support.verbose:
3438 sys.stdout.write(
3439 " client: read %r from server, starting TLS...\n"
3440 % msg)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3441 conn = test_wrap_socket(s)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3442 wrapped = True
3443 elif indata == b"ENDTLS" and msg.startswith(b"ok"):
3444 # ENDTLS ok, switch back to clear text
3445 if support.verbose:
3446 sys.stdout.write(
3447 " client: read %r from server, ending TLS...\n"
3448 % msg)
3449 s = conn.unwrap()
3450 wrapped = False
3451 else:
3452 if support.verbose:
3453 sys.stdout.write(
3454 " client: read %r from server\n" % msg)
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]3455 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3456 sys.stdout.write(" client: closing connection.\n")
3457 if wrapped:
3458 conn.write(b"over\n")
3459 else:
3460 s.send(b"over\n")
3461 if wrapped:
3462 conn.close()
3463 else:
3464 s.close()
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]3465
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3466 def test_socketserver(self):
3467 """Using socketserver to create and manage SSL connections."""
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3468 server = make_https_server(self, certfile=SIGNED_CERTFILE)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3469 # try to connect
3470 if support.verbose:
3471 sys.stdout.write('\n')
3472 with open(CERTFILE, 'rb') as f:
3473 d1 = f.read()
3474 d2 = ''
3475 # now fetch the same data from the HTTPS server
3476 url = 'https://localhost:%d/%s' % (
3477 server.port, os.path.split(CERTFILE)[1])
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3478 context = ssl.create_default_context(cafile=SIGNING_CA)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3479 f = urllib.request.urlopen(url, context=context)
3480 try:
3481 dlen = f.info().get("content-length")
3482 if dlen and (int(dlen) > 0):
3483 d2 = f.read(int(dlen))
3484 if support.verbose:
3485 sys.stdout.write(
3486 " client: read %d bytes from remote server '%s'\n"
3487 % (len(d2), server))
3488 finally:
3489 f.close()
3490 self.assertEqual(d1, d2)
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]3491
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3492 def test_asyncore_server(self):
3493 """Check the example asyncore integration."""
3494 if support.verbose:
3495 sys.stdout.write("\n")
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]3496
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3497 indata = b"FOO\n"
3498 server = AsyncoreEchoServer(CERTFILE)
3499 with server:
3500 s = test_wrap_socket(socket.socket())
3501 s.connect(('127.0.0.1', server.port))
3502 if support.verbose:
3503 sys.stdout.write(
3504 " client: sending %r...\n" % indata)
3505 s.write(indata)
3506 outdata = s.read()
3507 if support.verbose:
3508 sys.stdout.write(" client: read %r\n" % outdata)
3509 if outdata != indata.lower():
3510 self.fail(
3511 "bad data <<%r>> (%d) received; expected <<%r>> (%d)\n"
3512 % (outdata[:20], len(outdata),
3513 indata[:20].lower(), len(indata)))
3514 s.write(b"over\n")
3515 if support.verbose:
3516 sys.stdout.write(" client: closing connection.\n")
3517 s.close()
3518 if support.verbose:
3519 sys.stdout.write(" client: connection closed.\n")
Benjamin Petersoncca27322015-01-23 16:35:37 -0500[diff] [blame]3520
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3521 def test_recv_send(self):
3522 """Test recv(), send() and friends."""
3523 if support.verbose:
3524 sys.stdout.write("\n")
3525
3526 server = ThreadedEchoServer(CERTFILE,
3527 certreqs=ssl.CERT_NONE,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3528 ssl_version=ssl.PROTOCOL_TLS_SERVER,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3529 cacerts=CERTFILE,
3530 chatty=True,
3531 connectionchatty=False)
3532 with server:
3533 s = test_wrap_socket(socket.socket(),
3534 server_side=False,
3535 certfile=CERTFILE,
3536 ca_certs=CERTFILE,
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3537 cert_reqs=ssl.CERT_NONE)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3538 s.connect((HOST, server.port))
3539 # helper methods for standardising recv* method signatures
3540 def _recv_into():
3541 b = bytearray(b"\0"*100)
3542 count = s.recv_into(b)
3543 return b[:count]
3544
3545 def _recvfrom_into():
3546 b = bytearray(b"\0"*100)
3547 count, addr = s.recvfrom_into(b)
3548 return b[:count]
3549
3550 # (name, method, expect success?, *args, return value func)
3551 send_methods = [
3552 ('send', s.send, True, [], len),
3553 ('sendto', s.sendto, False, ["some.address"], len),
3554 ('sendall', s.sendall, True, [], lambda x: None),
3555 ]
3556 # (name, method, whether to expect success, *args)
3557 recv_methods = [
3558 ('recv', s.recv, True, []),
3559 ('recvfrom', s.recvfrom, False, ["some.address"]),
3560 ('recv_into', _recv_into, True, []),
3561 ('recvfrom_into', _recvfrom_into, False, []),
3562 ]
3563 data_prefix = "PREFIX_"
3564
3565 for (meth_name, send_meth, expect_success, args,
3566 ret_val_meth) in send_methods:
3567 indata = (data_prefix + meth_name).encode('ascii')
3568 try:
3569 ret = send_meth(indata, *args)
3570 msg = "sending with {}".format(meth_name)
3571 self.assertEqual(ret, ret_val_meth(indata), msg=msg)
3572 outdata = s.read()
3573 if outdata != indata.lower():
3574 self.fail(
3575 "While sending with <<{name:s}>> bad data "
3576 "<<{outdata:r}>> ({nout:d}) received; "
3577 "expected <<{indata:r}>> ({nin:d})\n".format(
3578 name=meth_name, outdata=outdata[:20],
3579 nout=len(outdata),
3580 indata=indata[:20], nin=len(indata)
3581 )
3582 )
3583 except ValueError as e:
3584 if expect_success:
3585 self.fail(
3586 "Failed to send with method <<{name:s}>>; "
3587 "expected to succeed.\n".format(name=meth_name)
3588 )
3589 if not str(e).startswith(meth_name):
3590 self.fail(
3591 "Method <<{name:s}>> failed with unexpected "
3592 "exception message: {exp:s}\n".format(
3593 name=meth_name, exp=e
3594 )
3595 )
3596
3597 for meth_name, recv_meth, expect_success, args in recv_methods:
3598 indata = (data_prefix + meth_name).encode('ascii')
3599 try:
3600 s.send(indata)
3601 outdata = recv_meth(*args)
3602 if outdata != indata.lower():
3603 self.fail(
3604 "While receiving with <<{name:s}>> bad data "
3605 "<<{outdata:r}>> ({nout:d}) received; "
3606 "expected <<{indata:r}>> ({nin:d})\n".format(
3607 name=meth_name, outdata=outdata[:20],
3608 nout=len(outdata),
3609 indata=indata[:20], nin=len(indata)
3610 )
3611 )
3612 except ValueError as e:
3613 if expect_success:
3614 self.fail(
3615 "Failed to receive with method <<{name:s}>>; "
3616 "expected to succeed.\n".format(name=meth_name)
3617 )
3618 if not str(e).startswith(meth_name):
3619 self.fail(
3620 "Method <<{name:s}>> failed with unexpected "
3621 "exception message: {exp:s}\n".format(
3622 name=meth_name, exp=e
3623 )
3624 )
3625 # consume data
3626 s.read()
3627
3628 # read(-1, buffer) is supported, even though read(-1) is not
3629 data = b"data"
3630 s.send(data)
3631 buffer = bytearray(len(data))
3632 self.assertEqual(s.read(-1, buffer), len(data))
3633 self.assertEqual(buffer, data)
3634
Christian Heimes888bbdc2017-09-07 14:18:21 -0700[diff] [blame]3635 # sendall accepts bytes-like objects
3636 if ctypes is not None:
3637 ubyte = ctypes.c_ubyte * len(data)
3638 byteslike = ubyte.from_buffer_copy(data)
3639 s.sendall(byteslike)
3640 self.assertEqual(s.read(), data)
3641
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3642 # Make sure sendmsg et al are disallowed to avoid
3643 # inadvertent disclosure of data and/or corruption
3644 # of the encrypted data stream
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]3645 self.assertRaises(NotImplementedError, s.dup)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3646 self.assertRaises(NotImplementedError, s.sendmsg, [b"data"])
3647 self.assertRaises(NotImplementedError, s.recvmsg, 100)
3648 self.assertRaises(NotImplementedError,
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]3649 s.recvmsg_into, [bytearray(100)])
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3650 s.write(b"over\n")
3651
3652 self.assertRaises(ValueError, s.recv, -1)
3653 self.assertRaises(ValueError, s.read, -1)
3654
3655 s.close()
3656
3657 def test_recv_zero(self):
3658 server = ThreadedEchoServer(CERTFILE)
3659 server.__enter__()
3660 self.addCleanup(server.__exit__, None, None)
3661 s = socket.create_connection((HOST, server.port))
3662 self.addCleanup(s.close)
3663 s = test_wrap_socket(s, suppress_ragged_eofs=False)
3664 self.addCleanup(s.close)
3665
3666 # recv/read(0) should return no data
3667 s.send(b"data")
3668 self.assertEqual(s.recv(0), b"")
3669 self.assertEqual(s.read(0), b"")
3670 self.assertEqual(s.read(), b"data")
3671
3672 # Should not block if the other end sends no data
3673 s.setblocking(False)
3674 self.assertEqual(s.recv(0), b"")
3675 self.assertEqual(s.recv_into(bytearray()), 0)
3676
3677 def test_nonblocking_send(self):
3678 server = ThreadedEchoServer(CERTFILE,
3679 certreqs=ssl.CERT_NONE,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3680 ssl_version=ssl.PROTOCOL_TLS_SERVER,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3681 cacerts=CERTFILE,
3682 chatty=True,
3683 connectionchatty=False)
3684 with server:
3685 s = test_wrap_socket(socket.socket(),
3686 server_side=False,
3687 certfile=CERTFILE,
3688 ca_certs=CERTFILE,
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3689 cert_reqs=ssl.CERT_NONE)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3690 s.connect((HOST, server.port))
3691 s.setblocking(False)
3692
3693 # If we keep sending data, at some point the buffers
3694 # will be full and the call will block
3695 buf = bytearray(8192)
3696 def fill_buffer():
3697 while True:
3698 s.send(buf)
3699 self.assertRaises((ssl.SSLWantWriteError,
3700 ssl.SSLWantReadError), fill_buffer)
3701
3702 # Now read all the output and discard it
3703 s.setblocking(True)
3704 s.close()
3705
3706 def test_handshake_timeout(self):
3707 # Issue #5103: SSL handshake must respect the socket timeout
3708 server = socket.socket(socket.AF_INET)
3709 host = "127.0.0.1"
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]3710 port = socket_helper.bind_port(server)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3711 started = threading.Event()
3712 finish = False
3713
3714 def serve():
3715 server.listen()
3716 started.set()
3717 conns = []
3718 while not finish:
3719 r, w, e = select.select([server], [], [], 0.1)
3720 if server in r:
3721 # Let the socket hang around rather than having
3722 # it closed by garbage collection.
3723 conns.append(server.accept()[0])
3724 for sock in conns:
3725 sock.close()
3726
3727 t = threading.Thread(target=serve)
3728 t.start()
3729 started.wait()
3730
3731 try:
3732 try:
3733 c = socket.socket(socket.AF_INET)
3734 c.settimeout(0.2)
3735 c.connect((host, port))
3736 # Will attempt handshake and time out
Christian Heimes03c8ddd2020-11-20 09:26:07 +0100[diff] [blame]3737 self.assertRaisesRegex(TimeoutError, "timed out",
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3738 test_wrap_socket, c)
3739 finally:
3740 c.close()
3741 try:
3742 c = socket.socket(socket.AF_INET)
3743 c = test_wrap_socket(c)
3744 c.settimeout(0.2)
3745 # Will attempt handshake and time out
Christian Heimes03c8ddd2020-11-20 09:26:07 +0100[diff] [blame]3746 self.assertRaisesRegex(TimeoutError, "timed out",
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3747 c.connect, (host, port))
3748 finally:
3749 c.close()
3750 finally:
3751 finish = True
3752 t.join()
3753 server.close()
3754
3755 def test_server_accept(self):
3756 # Issue #16357: accept() on a SSLSocket created through
3757 # SSLContext.wrap_socket().
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3758 client_ctx, server_ctx, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3759 server = socket.socket(socket.AF_INET)
3760 host = "127.0.0.1"
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]3761 port = socket_helper.bind_port(server)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3762 server = server_ctx.wrap_socket(server, server_side=True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3763 self.assertTrue(server.server_side)
3764
3765 evt = threading.Event()
3766 remote = None
3767 peer = None
3768 def serve():
3769 nonlocal remote, peer
3770 server.listen()
3771 # Block on the accept and wait on the connection to close.
3772 evt.set()
3773 remote, peer = server.accept()
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3774 remote.send(remote.recv(4))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3775
3776 t = threading.Thread(target=serve)
3777 t.start()
3778 # Client wait until server setup and perform a connect.
3779 evt.wait()
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3780 client = client_ctx.wrap_socket(
3781 socket.socket(), server_hostname=hostname
3782 )
3783 client.connect((hostname, port))
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3784 client.send(b'data')
3785 client.recv()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3786 client_addr = client.getsockname()
3787 client.close()
3788 t.join()
3789 remote.close()
3790 server.close()
3791 # Sanity checks.
3792 self.assertIsInstance(remote, ssl.SSLSocket)
3793 self.assertEqual(peer, client_addr)
3794
3795 def test_getpeercert_enotconn(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3796 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3797 context.check_hostname = False
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3798 with context.wrap_socket(socket.socket()) as sock:
3799 with self.assertRaises(OSError) as cm:
3800 sock.getpeercert()
3801 self.assertEqual(cm.exception.errno, errno.ENOTCONN)
3802
3803 def test_do_handshake_enotconn(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3804 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3805 context.check_hostname = False
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3806 with context.wrap_socket(socket.socket()) as sock:
3807 with self.assertRaises(OSError) as cm:
3808 sock.do_handshake()
3809 self.assertEqual(cm.exception.errno, errno.ENOTCONN)
3810
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3811 def test_no_shared_ciphers(self):
3812 client_context, server_context, hostname = testing_context()
3813 # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
3814 client_context.options |= ssl.OP_NO_TLSv1_3
Victor Stinner5e922652018-09-07 17:30:33 +0200[diff] [blame]3815 # Force different suites on client and server
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3816 client_context.set_ciphers("AES128")
3817 server_context.set_ciphers("AES256")
3818 with ThreadedEchoServer(context=server_context) as server:
3819 with client_context.wrap_socket(socket.socket(),
3820 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3821 with self.assertRaises(OSError):
3822 s.connect((HOST, server.port))
3823 self.assertIn("no shared cipher", server.conn_errors[0])
3824
3825 def test_version_basic(self):
3826 """
3827 Basic tests for SSLSocket.version().
3828 More tests are done in the test_protocol_*() methods.
3829 """
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3830 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3831 context.check_hostname = False
3832 context.verify_mode = ssl.CERT_NONE
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3833 with ThreadedEchoServer(CERTFILE,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3834 ssl_version=ssl.PROTOCOL_TLS_SERVER,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3835 chatty=False) as server:
3836 with context.wrap_socket(socket.socket()) as s:
3837 self.assertIs(s.version(), None)
Christian Heimes141c5e82018-02-24 21:10:57 +0100[diff] [blame]3838 self.assertIs(s._sslobj, None)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3839 s.connect((HOST, server.port))
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]3840 self.assertEqual(s.version(), 'TLSv1.3')
Christian Heimes141c5e82018-02-24 21:10:57 +0100[diff] [blame]3841 self.assertIs(s._sslobj, None)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3842 self.assertIs(s.version(), None)
3843
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3844 @requires_tls_version('TLSv1_3')
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3845 def test_tls1_3(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3846 client_context, server_context, hostname = testing_context()
3847 client_context.minimum_version = ssl.TLSVersion.TLSv1_3
3848 with ThreadedEchoServer(context=server_context) as server:
3849 with client_context.wrap_socket(socket.socket(),
3850 server_hostname=hostname) as s:
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3851 s.connect((HOST, server.port))
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3852 self.assertIn(s.cipher()[0], {
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3853 'TLS_AES_256_GCM_SHA384',
3854 'TLS_CHACHA20_POLY1305_SHA256',
3855 'TLS_AES_128_GCM_SHA256',
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3856 })
3857 self.assertEqual(s.version(), 'TLSv1.3')
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3858
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3859 @requires_tls_version('TLSv1_2')
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3860 @requires_tls_version('TLSv1')
3861 @ignore_deprecation
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3862 def test_min_max_version_tlsv1_2(self):
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3863 client_context, server_context, hostname = testing_context()
3864 # client TLSv1.0 to 1.2
3865 client_context.minimum_version = ssl.TLSVersion.TLSv1
3866 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
3867 # server only TLSv1.2
3868 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
3869 server_context.maximum_version = ssl.TLSVersion.TLSv1_2
3870
3871 with ThreadedEchoServer(context=server_context) as server:
3872 with client_context.wrap_socket(socket.socket(),
3873 server_hostname=hostname) as s:
3874 s.connect((HOST, server.port))
3875 self.assertEqual(s.version(), 'TLSv1.2')
3876
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3877 @requires_tls_version('TLSv1_1')
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3878 @ignore_deprecation
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3879 def test_min_max_version_tlsv1_1(self):
3880 client_context, server_context, hostname = testing_context()
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3881 # client 1.0 to 1.2, server 1.0 to 1.1
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3882 client_context.minimum_version = ssl.TLSVersion.TLSv1
3883 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3884 server_context.minimum_version = ssl.TLSVersion.TLSv1
3885 server_context.maximum_version = ssl.TLSVersion.TLSv1_1
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]3886 seclevel_workaround(client_context, server_context)
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3887
3888 with ThreadedEchoServer(context=server_context) as server:
3889 with client_context.wrap_socket(socket.socket(),
3890 server_hostname=hostname) as s:
3891 s.connect((HOST, server.port))
3892 self.assertEqual(s.version(), 'TLSv1.1')
3893
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3894 @requires_tls_version('TLSv1_2')
Christian Heimesce04e712020-11-18 13:10:53 +0100[diff] [blame]3895 @requires_tls_version('TLSv1')
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3896 @ignore_deprecation
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3897 def test_min_max_version_mismatch(self):
3898 client_context, server_context, hostname = testing_context()
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3899 # client 1.0, server 1.2 (mismatch)
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3900 server_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesc9bc49c2019-09-11 19:24:47 +0200[diff] [blame]3901 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]3902 client_context.maximum_version = ssl.TLSVersion.TLSv1
Christian Heimesde606ea2019-09-11 19:48:58 +0200[diff] [blame]3903 client_context.minimum_version = ssl.TLSVersion.TLSv1
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]3904 seclevel_workaround(client_context, server_context)
3905
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3906 with ThreadedEchoServer(context=server_context) as server:
3907 with client_context.wrap_socket(socket.socket(),
3908 server_hostname=hostname) as s:
3909 with self.assertRaises(ssl.SSLError) as e:
3910 s.connect((HOST, server.port))
3911 self.assertIn("alert", str(e.exception))
3912
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3913 @requires_tls_version('SSLv3')
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3914 def test_min_max_version_sslv3(self):
3915 client_context, server_context, hostname = testing_context()
3916 server_context.minimum_version = ssl.TLSVersion.SSLv3
3917 client_context.minimum_version = ssl.TLSVersion.SSLv3
3918 client_context.maximum_version = ssl.TLSVersion.SSLv3
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]3919 seclevel_workaround(client_context, server_context)
3920
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3921 with ThreadedEchoServer(context=server_context) as server:
3922 with client_context.wrap_socket(socket.socket(),
3923 server_hostname=hostname) as s:
3924 s.connect((HOST, server.port))
3925 self.assertEqual(s.version(), 'SSLv3')
3926
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3927 def test_default_ecdh_curve(self):
3928 # Issue #21015: elliptic curve-based Diffie Hellman key exchange
3929 # should be enabled by default on SSL contexts.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3930 client_context, server_context, hostname = testing_context()
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3931 # TLSv1.3 defaults to PFS key agreement and no longer has KEA in
3932 # cipher name.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3933 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3934 # Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled
3935 # explicitly using the 'ECCdraft' cipher alias. Otherwise,
3936 # our default cipher list should prefer ECDH-based ciphers
3937 # automatically.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3938 with ThreadedEchoServer(context=server_context) as server:
3939 with client_context.wrap_socket(socket.socket(),
3940 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3941 s.connect((HOST, server.port))
3942 self.assertIn("ECDH", s.cipher()[0])
3943
3944 @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
3945 "'tls-unique' channel binding not available")
3946 def test_tls_unique_channel_binding(self):
3947 """Test tls-unique channel binding."""
3948 if support.verbose:
3949 sys.stdout.write("\n")
3950
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3951 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3952
3953 server = ThreadedEchoServer(context=server_context,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3954 chatty=True,
3955 connectionchatty=False)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3956
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3957 with server:
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3958 with client_context.wrap_socket(
3959 socket.socket(),
3960 server_hostname=hostname) as s:
3961 s.connect((HOST, server.port))
3962 # get the data
3963 cb_data = s.get_channel_binding("tls-unique")
3964 if support.verbose:
3965 sys.stdout.write(
3966 " got channel binding data: {0!r}\n".format(cb_data))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3967
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3968 # check if it is sane
3969 self.assertIsNotNone(cb_data)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3970 if s.version() == 'TLSv1.3':
3971 self.assertEqual(len(cb_data), 48)
3972 else:
3973 self.assertEqual(len(cb_data), 12) # True for TLSv1
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3974
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3975 # and compare with the peers version
3976 s.write(b"CB tls-unique\n")
3977 peer_data_repr = s.read().strip()
3978 self.assertEqual(peer_data_repr,
3979 repr(cb_data).encode("us-ascii"))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3980
3981 # now, again
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3982 with client_context.wrap_socket(
3983 socket.socket(),
3984 server_hostname=hostname) as s:
3985 s.connect((HOST, server.port))
3986 new_cb_data = s.get_channel_binding("tls-unique")
3987 if support.verbose:
3988 sys.stdout.write(
3989 "got another channel binding data: {0!r}\n".format(
3990 new_cb_data)
3991 )
3992 # is it really unique
3993 self.assertNotEqual(cb_data, new_cb_data)
3994 self.assertIsNotNone(cb_data)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3995 if s.version() == 'TLSv1.3':
3996 self.assertEqual(len(cb_data), 48)
3997 else:
3998 self.assertEqual(len(cb_data), 12) # True for TLSv1
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3999 s.write(b"CB tls-unique\n")
4000 peer_data_repr = s.read().strip()
4001 self.assertEqual(peer_data_repr,
4002 repr(new_cb_data).encode("us-ascii"))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4003
4004 def test_compression(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4005 client_context, server_context, hostname = testing_context()
4006 stats = server_params_test(client_context, server_context,
4007 chatty=True, connectionchatty=True,
4008 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4009 if support.verbose:
4010 sys.stdout.write(" got compression: {!r}\n".format(stats['compression']))
4011 self.assertIn(stats['compression'], { None, 'ZLIB', 'RLE' })
4012
4013 @unittest.skipUnless(hasattr(ssl, 'OP_NO_COMPRESSION'),
4014 "ssl.OP_NO_COMPRESSION needed for this test")
4015 def test_compression_disabled(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4016 client_context, server_context, hostname = testing_context()
4017 client_context.options |= ssl.OP_NO_COMPRESSION
4018 server_context.options |= ssl.OP_NO_COMPRESSION
4019 stats = server_params_test(client_context, server_context,
4020 chatty=True, connectionchatty=True,
4021 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4022 self.assertIs(stats['compression'], None)
4023
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]4024 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4025 def test_dh_params(self):
4026 # Check we can get a connection with ephemeral Diffie-Hellman
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4027 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4028 # test scenario needs TLS <= 1.2
4029 client_context.options |= ssl.OP_NO_TLSv1_3
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4030 server_context.load_dh_params(DHFILE)
4031 server_context.set_ciphers("kEDH")
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4032 server_context.options |= ssl.OP_NO_TLSv1_3
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4033 stats = server_params_test(client_context, server_context,
4034 chatty=True, connectionchatty=True,
4035 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4036 cipher = stats["cipher"][0]
4037 parts = cipher.split("-")
4038 if "ADH" not in parts and "EDH" not in parts and "DHE" not in parts:
4039 self.fail("Non-DH cipher: " + cipher[0])
4040
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4041 def test_ecdh_curve(self):
4042 # server secp384r1, client auto
4043 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4044
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4045 server_context.set_ecdh_curve("secp384r1")
4046 server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]4047 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4048 stats = server_params_test(client_context, server_context,
4049 chatty=True, connectionchatty=True,
4050 sni_name=hostname)
4051
4052 # server auto, client secp384r1
4053 client_context, server_context, hostname = testing_context()
4054 client_context.set_ecdh_curve("secp384r1")
4055 server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]4056 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4057 stats = server_params_test(client_context, server_context,
4058 chatty=True, connectionchatty=True,
4059 sni_name=hostname)
4060
4061 # server / client curve mismatch
4062 client_context, server_context, hostname = testing_context()
4063 client_context.set_ecdh_curve("prime256v1")
4064 server_context.set_ecdh_curve("secp384r1")
4065 server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]4066 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
4067 with self.assertRaises(ssl.SSLError):
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4068 server_params_test(client_context, server_context,
4069 chatty=True, connectionchatty=True,
4070 sni_name=hostname)
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4071
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4072 def test_selected_alpn_protocol(self):
4073 # selected_alpn_protocol() is None unless ALPN is used.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4074 client_context, server_context, hostname = testing_context()
4075 stats = server_params_test(client_context, server_context,
4076 chatty=True, connectionchatty=True,
4077 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4078 self.assertIs(stats['client_alpn_protocol'], None)
4079
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4080 def test_selected_alpn_protocol_if_server_uses_alpn(self):
4081 # selected_alpn_protocol() is None unless ALPN is used by the client.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4082 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4083 server_context.set_alpn_protocols(['foo', 'bar'])
4084 stats = server_params_test(client_context, server_context,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4085 chatty=True, connectionchatty=True,
4086 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4087 self.assertIs(stats['client_alpn_protocol'], None)
4088
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4089 def test_alpn_protocols(self):
4090 server_protocols = ['foo', 'bar', 'milkshake']
4091 protocol_tests = [
4092 (['foo', 'bar'], 'foo'),
4093 (['bar', 'foo'], 'foo'),
4094 (['milkshake'], 'milkshake'),
4095 (['http/3.0', 'http/4.0'], None)
4096 ]
4097 for client_protocols, expected in protocol_tests:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4098 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4099 server_context.set_alpn_protocols(server_protocols)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4100 client_context.set_alpn_protocols(client_protocols)
4101
4102 try:
4103 stats = server_params_test(client_context,
4104 server_context,
4105 chatty=True,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4106 connectionchatty=True,
4107 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4108 except ssl.SSLError as e:
4109 stats = e
4110
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4111 msg = "failed trying %s (s) and %s (c).\n" \
4112 "was expecting %s, but got %%s from the %%s" \
4113 % (str(server_protocols), str(client_protocols),
4114 str(expected))
4115 client_result = stats['client_alpn_protocol']
4116 self.assertEqual(client_result, expected,
4117 msg % (client_result, "client"))
4118 server_result = stats['server_alpn_protocols'][-1] \
4119 if len(stats['server_alpn_protocols']) else 'nothing'
4120 self.assertEqual(server_result, expected,
4121 msg % (server_result, "server"))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4122
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4123 def test_npn_protocols(self):
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4124 assert not ssl.HAS_NPN
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4125
4126 def sni_contexts(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4127 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4128 server_context.load_cert_chain(SIGNED_CERTFILE)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4129 other_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4130 other_context.load_cert_chain(SIGNED_CERTFILE2)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4131 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4132 client_context.load_verify_locations(SIGNING_CA)
4133 return server_context, other_context, client_context
4134
4135 def check_common_name(self, stats, name):
4136 cert = stats['peercert']
4137 self.assertIn((('commonName', name),), cert['subject'])
4138
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4139 def test_sni_callback(self):
4140 calls = []
4141 server_context, other_context, client_context = self.sni_contexts()
4142
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4143 client_context.check_hostname = False
4144
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4145 def servername_cb(ssl_sock, server_name, initial_context):
4146 calls.append((server_name, initial_context))
4147 if server_name is not None:
4148 ssl_sock.context = other_context
4149 server_context.set_servername_callback(servername_cb)
4150
4151 stats = server_params_test(client_context, server_context,
4152 chatty=True,
4153 sni_name='supermessage')
4154 # The hostname was fetched properly, and the certificate was
4155 # changed for the connection.
4156 self.assertEqual(calls, [("supermessage", server_context)])
4157 # CERTFILE4 was selected
4158 self.check_common_name(stats, 'fakehostname')
4159
4160 calls = []
4161 # The callback is called with server_name=None
4162 stats = server_params_test(client_context, server_context,
4163 chatty=True,
4164 sni_name=None)
4165 self.assertEqual(calls, [(None, server_context)])
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4166 self.check_common_name(stats, SIGNED_CERTFILE_HOSTNAME)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4167
4168 # Check disabling the callback
4169 calls = []
4170 server_context.set_servername_callback(None)
4171
4172 stats = server_params_test(client_context, server_context,
4173 chatty=True,
4174 sni_name='notfunny')
4175 # Certificate didn't change
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4176 self.check_common_name(stats, SIGNED_CERTFILE_HOSTNAME)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4177 self.assertEqual(calls, [])
4178
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4179 def test_sni_callback_alert(self):
4180 # Returning a TLS alert is reflected to the connecting client
4181 server_context, other_context, client_context = self.sni_contexts()
4182
4183 def cb_returning_alert(ssl_sock, server_name, initial_context):
4184 return ssl.ALERT_DESCRIPTION_ACCESS_DENIED
4185 server_context.set_servername_callback(cb_returning_alert)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4186 with self.assertRaises(ssl.SSLError) as cm:
4187 stats = server_params_test(client_context, server_context,
4188 chatty=False,
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4189 sni_name='supermessage')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4190 self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_ACCESS_DENIED')
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4191
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4192 def test_sni_callback_raising(self):
4193 # Raising fails the connection with a TLS handshake failure alert.
4194 server_context, other_context, client_context = self.sni_contexts()
4195
4196 def cb_raising(ssl_sock, server_name, initial_context):
4197 1/0
4198 server_context.set_servername_callback(cb_raising)
4199
Victor Stinner00253502019-06-03 03:51:43 +0200[diff] [blame]4200 with support.catch_unraisable_exception() as catch:
4201 with self.assertRaises(ssl.SSLError) as cm:
4202 stats = server_params_test(client_context, server_context,
4203 chatty=False,
4204 sni_name='supermessage')
4205
4206 self.assertEqual(cm.exception.reason,
4207 'SSLV3_ALERT_HANDSHAKE_FAILURE')
4208 self.assertEqual(catch.unraisable.exc_type, ZeroDivisionError)
Antoine Pitrou50b24d02013-04-11 20:48:42 +0200[diff] [blame]4209
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4210 def test_sni_callback_wrong_return_type(self):
4211 # Returning the wrong return type terminates the TLS connection
4212 # with an internal error alert.
4213 server_context, other_context, client_context = self.sni_contexts()
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4214
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4215 def cb_wrong_return_type(ssl_sock, server_name, initial_context):
4216 return "foo"
4217 server_context.set_servername_callback(cb_wrong_return_type)
4218
Victor Stinner00253502019-06-03 03:51:43 +0200[diff] [blame]4219 with support.catch_unraisable_exception() as catch:
4220 with self.assertRaises(ssl.SSLError) as cm:
4221 stats = server_params_test(client_context, server_context,
4222 chatty=False,
4223 sni_name='supermessage')
4224
4225
4226 self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_INTERNAL_ERROR')
4227 self.assertEqual(catch.unraisable.exc_type, TypeError)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4228
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4229 def test_shared_ciphers(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4230 client_context, server_context, hostname = testing_context()
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]4231 client_context.set_ciphers("AES128:AES256")
4232 server_context.set_ciphers("AES256")
4233 expected_algs = [
4234 "AES256", "AES-256",
4235 # TLS 1.3 ciphers are always enabled
4236 "TLS_CHACHA20", "TLS_AES",
4237 ]
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4238
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4239 stats = server_params_test(client_context, server_context,
4240 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4241 ciphers = stats['server_shared_ciphers'][0]
4242 self.assertGreater(len(ciphers), 0)
4243 for name, tls_version, bits in ciphers:
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]4244 if not any(alg in name for alg in expected_algs):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4245 self.fail(name)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4246
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4247 def test_read_write_after_close_raises_valuerror(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4248 client_context, server_context, hostname = testing_context()
4249 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4250
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4251 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4252 s = client_context.wrap_socket(socket.socket(),
4253 server_hostname=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4254 s.connect((HOST, server.port))
4255 s.close()
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4256
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4257 self.assertRaises(ValueError, s.read, 1024)
4258 self.assertRaises(ValueError, s.write, b'hello')
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4259
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4260 def test_sendfile(self):
4261 TEST_DATA = b"x" * 512
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4262 with open(os_helper.TESTFN, 'wb') as f:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4263 f.write(TEST_DATA)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4264 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]4265 client_context, server_context, hostname = testing_context()
4266 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4267 with server:
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]4268 with client_context.wrap_socket(socket.socket(),
4269 server_hostname=hostname) as s:
Antoine Pitrou60a26e02013-07-20 19:35:16 +0200[diff] [blame]4270 s.connect((HOST, server.port))
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4271 with open(os_helper.TESTFN, 'rb') as file:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4272 s.sendfile(file)
4273 self.assertEqual(s.recv(1024), TEST_DATA)
Antoine Pitrou60a26e02013-07-20 19:35:16 +0200[diff] [blame]4274
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4275 def test_session(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4276 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4277 # TODO: sessions aren't compatible with TLSv1.3 yet
4278 client_context.options |= ssl.OP_NO_TLSv1_3
Antoine Pitrou60a26e02013-07-20 19:35:16 +0200[diff] [blame]4279
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4280 # first connection without session
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4281 stats = server_params_test(client_context, server_context,
4282 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4283 session = stats['session']
4284 self.assertTrue(session.id)
4285 self.assertGreater(session.time, 0)
4286 self.assertGreater(session.timeout, 0)
4287 self.assertTrue(session.has_ticket)
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4288 self.assertGreater(session.ticket_lifetime_hint, 0)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4289 self.assertFalse(stats['session_reused'])
4290 sess_stat = server_context.session_stats()
4291 self.assertEqual(sess_stat['accept'], 1)
4292 self.assertEqual(sess_stat['hits'], 0)
Giampaolo Rodola'915d1412014-06-11 03:54:30 +0200[diff] [blame]4293
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4294 # reuse session
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4295 stats = server_params_test(client_context, server_context,
4296 session=session, sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4297 sess_stat = server_context.session_stats()
4298 self.assertEqual(sess_stat['accept'], 2)
4299 self.assertEqual(sess_stat['hits'], 1)
4300 self.assertTrue(stats['session_reused'])
4301 session2 = stats['session']
4302 self.assertEqual(session2.id, session.id)
4303 self.assertEqual(session2, session)
4304 self.assertIsNot(session2, session)
4305 self.assertGreaterEqual(session2.time, session.time)
4306 self.assertGreaterEqual(session2.timeout, session.timeout)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4307
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4308 # another one without session
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4309 stats = server_params_test(client_context, server_context,
4310 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4311 self.assertFalse(stats['session_reused'])
4312 session3 = stats['session']
4313 self.assertNotEqual(session3.id, session.id)
4314 self.assertNotEqual(session3, session)
4315 sess_stat = server_context.session_stats()
4316 self.assertEqual(sess_stat['accept'], 3)
4317 self.assertEqual(sess_stat['hits'], 1)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4318
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4319 # reuse session again
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4320 stats = server_params_test(client_context, server_context,
4321 session=session, sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4322 self.assertTrue(stats['session_reused'])
4323 session4 = stats['session']
4324 self.assertEqual(session4.id, session.id)
4325 self.assertEqual(session4, session)
4326 self.assertGreaterEqual(session4.time, session.time)
4327 self.assertGreaterEqual(session4.timeout, session.timeout)
4328 sess_stat = server_context.session_stats()
4329 self.assertEqual(sess_stat['accept'], 4)
4330 self.assertEqual(sess_stat['hits'], 2)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4331
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4332 def test_session_handling(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4333 client_context, server_context, hostname = testing_context()
4334 client_context2, _, _ = testing_context()
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4335
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4336 # TODO: session reuse does not work with TLSv1.3
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4337 client_context.options |= ssl.OP_NO_TLSv1_3
4338 client_context2.options |= ssl.OP_NO_TLSv1_3
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]4339
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4340 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4341 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4342 with client_context.wrap_socket(socket.socket(),
4343 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4344 # session is None before handshake
4345 self.assertEqual(s.session, None)
4346 self.assertEqual(s.session_reused, None)
4347 s.connect((HOST, server.port))
4348 session = s.session
4349 self.assertTrue(session)
4350 with self.assertRaises(TypeError) as e:
4351 s.session = object
Ned Deily4531ec72018-06-11 20:26:28 -0400[diff] [blame]4352 self.assertEqual(str(e.exception), 'Value is not a SSLSession.')
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4353
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4354 with client_context.wrap_socket(socket.socket(),
4355 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4356 s.connect((HOST, server.port))
4357 # cannot set session after handshake
4358 with self.assertRaises(ValueError) as e:
4359 s.session = session
4360 self.assertEqual(str(e.exception),
4361 'Cannot set session after handshake.')
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4362
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4363 with client_context.wrap_socket(socket.socket(),
4364 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4365 # can set session before handshake and before the
4366 # connection was established
4367 s.session = session
4368 s.connect((HOST, server.port))
4369 self.assertEqual(s.session.id, session.id)
4370 self.assertEqual(s.session, session)
4371 self.assertEqual(s.session_reused, True)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4372
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4373 with client_context2.wrap_socket(socket.socket(),
4374 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4375 # cannot re-use session with a different SSLContext
4376 with self.assertRaises(ValueError) as e:
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4377 s.session = session
4378 s.connect((HOST, server.port))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4379 self.assertEqual(str(e.exception),
4380 'Session refers to a different SSLContext.')
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4381
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]4382
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]4383@unittest.skipUnless(has_tls_version('TLSv1_3'), "Test needs TLS 1.3")
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4384class TestPostHandshakeAuth(unittest.TestCase):
4385 def test_pha_setter(self):
4386 protocols = [
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]4387 ssl.PROTOCOL_TLS_SERVER, ssl.PROTOCOL_TLS_CLIENT
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4388 ]
4389 for protocol in protocols:
4390 ctx = ssl.SSLContext(protocol)
4391 self.assertEqual(ctx.post_handshake_auth, False)
4392
4393 ctx.post_handshake_auth = True
4394 self.assertEqual(ctx.post_handshake_auth, True)
4395
4396 ctx.verify_mode = ssl.CERT_REQUIRED
4397 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
4398 self.assertEqual(ctx.post_handshake_auth, True)
4399
4400 ctx.post_handshake_auth = False
4401 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
4402 self.assertEqual(ctx.post_handshake_auth, False)
4403
4404 ctx.verify_mode = ssl.CERT_OPTIONAL
4405 ctx.post_handshake_auth = True
4406 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
4407 self.assertEqual(ctx.post_handshake_auth, True)
4408
4409 def test_pha_required(self):
4410 client_context, server_context, hostname = testing_context()
4411 server_context.post_handshake_auth = True
4412 server_context.verify_mode = ssl.CERT_REQUIRED
4413 client_context.post_handshake_auth = True
4414 client_context.load_cert_chain(SIGNED_CERTFILE)
4415
4416 server = ThreadedEchoServer(context=server_context, chatty=False)
4417 with server:
4418 with client_context.wrap_socket(socket.socket(),
4419 server_hostname=hostname) as s:
4420 s.connect((HOST, server.port))
4421 s.write(b'HASCERT')
4422 self.assertEqual(s.recv(1024), b'FALSE\n')
4423 s.write(b'PHA')
4424 self.assertEqual(s.recv(1024), b'OK\n')
4425 s.write(b'HASCERT')
4426 self.assertEqual(s.recv(1024), b'TRUE\n')
4427 # PHA method just returns true when cert is already available
4428 s.write(b'PHA')
4429 self.assertEqual(s.recv(1024), b'OK\n')
4430 s.write(b'GETCERT')
4431 cert_text = s.recv(4096).decode('us-ascii')
4432 self.assertIn('Python Software Foundation CA', cert_text)
4433
4434 def test_pha_required_nocert(self):
4435 client_context, server_context, hostname = testing_context()
4436 server_context.post_handshake_auth = True
4437 server_context.verify_mode = ssl.CERT_REQUIRED
4438 client_context.post_handshake_auth = True
4439
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]4440 def msg_cb(conn, direction, version, content_type, msg_type, data):
4441 if support.verbose and content_type == _TLSContentType.ALERT:
4442 info = (conn, direction, version, content_type, msg_type, data)
4443 sys.stdout.write(f"TLS: {info!r}\n")
4444
4445 server_context._msg_callback = msg_cb
4446 client_context._msg_callback = msg_cb
4447
4448 server = ThreadedEchoServer(context=server_context, chatty=True)
4449 with server:
4450 with client_context.wrap_socket(socket.socket(),
4451 server_hostname=hostname) as s:
4452 s.connect((HOST, server.port))
4453 s.write(b'PHA')
Christian Heimesce9a0642021-04-24 15:08:13 +0200[diff] [blame]4454 # test sometimes fails with EOF error. Test passes as long as
4455 # server aborts connection with an error.
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]4456 with self.assertRaisesRegex(
4457 ssl.SSLError,
Christian Heimesce9a0642021-04-24 15:08:13 +0200[diff] [blame]4458 '(certificate required|EOF occurred)'
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]4459 ):
Victor Stinner73ea5462019-07-09 14:33:49 +0200[diff] [blame]4460 # receive CertificateRequest
4461 self.assertEqual(s.recv(1024), b'OK\n')
4462 # send empty Certificate + Finish
4463 s.write(b'HASCERT')
4464 # receive alert
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]4465 s.recv(1024)
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4466
4467 def test_pha_optional(self):
4468 if support.verbose:
4469 sys.stdout.write("\n")
4470
4471 client_context, server_context, hostname = testing_context()
4472 server_context.post_handshake_auth = True
4473 server_context.verify_mode = ssl.CERT_REQUIRED
4474 client_context.post_handshake_auth = True
4475 client_context.load_cert_chain(SIGNED_CERTFILE)
4476
4477 # check CERT_OPTIONAL
4478 server_context.verify_mode = ssl.CERT_OPTIONAL
4479 server = ThreadedEchoServer(context=server_context, chatty=False)
4480 with server:
4481 with client_context.wrap_socket(socket.socket(),
4482 server_hostname=hostname) as s:
4483 s.connect((HOST, server.port))
4484 s.write(b'HASCERT')
4485 self.assertEqual(s.recv(1024), b'FALSE\n')
4486 s.write(b'PHA')
4487 self.assertEqual(s.recv(1024), b'OK\n')
4488 s.write(b'HASCERT')
4489 self.assertEqual(s.recv(1024), b'TRUE\n')
4490
4491 def test_pha_optional_nocert(self):
4492 if support.verbose:
4493 sys.stdout.write("\n")
4494
4495 client_context, server_context, hostname = testing_context()
4496 server_context.post_handshake_auth = True
4497 server_context.verify_mode = ssl.CERT_OPTIONAL
4498 client_context.post_handshake_auth = True
4499
4500 server = ThreadedEchoServer(context=server_context, chatty=False)
4501 with server:
4502 with client_context.wrap_socket(socket.socket(),
4503 server_hostname=hostname) as s:
4504 s.connect((HOST, server.port))
4505 s.write(b'HASCERT')
4506 self.assertEqual(s.recv(1024), b'FALSE\n')
4507 s.write(b'PHA')
4508 self.assertEqual(s.recv(1024), b'OK\n')
penguindustin96466302019-05-06 14:57:17 -0400[diff] [blame]4509 # optional doesn't fail when client does not have a cert
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4510 s.write(b'HASCERT')
4511 self.assertEqual(s.recv(1024), b'FALSE\n')
4512
4513 def test_pha_no_pha_client(self):
4514 client_context, server_context, hostname = testing_context()
4515 server_context.post_handshake_auth = True
4516 server_context.verify_mode = ssl.CERT_REQUIRED
4517 client_context.load_cert_chain(SIGNED_CERTFILE)
4518
4519 server = ThreadedEchoServer(context=server_context, chatty=False)
4520 with server:
4521 with client_context.wrap_socket(socket.socket(),
4522 server_hostname=hostname) as s:
4523 s.connect((HOST, server.port))
4524 with self.assertRaisesRegex(ssl.SSLError, 'not server'):
4525 s.verify_client_post_handshake()
4526 s.write(b'PHA')
4527 self.assertIn(b'extension not received', s.recv(1024))
4528
4529 def test_pha_no_pha_server(self):
4530 # server doesn't have PHA enabled, cert is requested in handshake
4531 client_context, server_context, hostname = testing_context()
4532 server_context.verify_mode = ssl.CERT_REQUIRED
4533 client_context.post_handshake_auth = True
4534 client_context.load_cert_chain(SIGNED_CERTFILE)
4535
4536 server = ThreadedEchoServer(context=server_context, chatty=False)
4537 with server:
4538 with client_context.wrap_socket(socket.socket(),
4539 server_hostname=hostname) as s:
4540 s.connect((HOST, server.port))
4541 s.write(b'HASCERT')
4542 self.assertEqual(s.recv(1024), b'TRUE\n')
4543 # PHA doesn't fail if there is already a cert
4544 s.write(b'PHA')
4545 self.assertEqual(s.recv(1024), b'OK\n')
4546 s.write(b'HASCERT')
4547 self.assertEqual(s.recv(1024), b'TRUE\n')
4548
4549 def test_pha_not_tls13(self):
4550 # TLS 1.2
4551 client_context, server_context, hostname = testing_context()
4552 server_context.verify_mode = ssl.CERT_REQUIRED
4553 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
4554 client_context.post_handshake_auth = True
4555 client_context.load_cert_chain(SIGNED_CERTFILE)
4556
4557 server = ThreadedEchoServer(context=server_context, chatty=False)
4558 with server:
4559 with client_context.wrap_socket(socket.socket(),
4560 server_hostname=hostname) as s:
4561 s.connect((HOST, server.port))
4562 # PHA fails for TLS != 1.3
4563 s.write(b'PHA')
4564 self.assertIn(b'WRONG_SSL_VERSION', s.recv(1024))
4565
Christian Heimesf0f59302019-07-01 08:29:17 +0200[diff] [blame]4566 def test_bpo37428_pha_cert_none(self):
4567 # verify that post_handshake_auth does not implicitly enable cert
4568 # validation.
4569 hostname = SIGNED_CERTFILE_HOSTNAME
4570 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
4571 client_context.post_handshake_auth = True
4572 client_context.load_cert_chain(SIGNED_CERTFILE)
4573 # no cert validation and CA on client side
4574 client_context.check_hostname = False
4575 client_context.verify_mode = ssl.CERT_NONE
4576
4577 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
4578 server_context.load_cert_chain(SIGNED_CERTFILE)
4579 server_context.load_verify_locations(SIGNING_CA)
4580 server_context.post_handshake_auth = True
4581 server_context.verify_mode = ssl.CERT_REQUIRED
4582
4583 server = ThreadedEchoServer(context=server_context, chatty=False)
4584 with server:
4585 with client_context.wrap_socket(socket.socket(),
4586 server_hostname=hostname) as s:
4587 s.connect((HOST, server.port))
4588 s.write(b'HASCERT')
4589 self.assertEqual(s.recv(1024), b'FALSE\n')
4590 s.write(b'PHA')
4591 self.assertEqual(s.recv(1024), b'OK\n')
4592 s.write(b'HASCERT')
4593 self.assertEqual(s.recv(1024), b'TRUE\n')
4594 # server cert has not been validated
4595 self.assertEqual(s.getpeercert(), {})
4596
Christian Heimes666991f2021-04-26 15:01:40 +0200[diff] [blame]4597 def test_internal_chain_client(self):
4598 client_context, server_context, hostname = testing_context(
4599 server_chain=False
4600 )
4601 server = ThreadedEchoServer(context=server_context, chatty=False)
4602 with server:
4603 with client_context.wrap_socket(
4604 socket.socket(),
4605 server_hostname=hostname
4606 ) as s:
4607 s.connect((HOST, server.port))
4608 vc = s._sslobj.get_verified_chain()
4609 self.assertEqual(len(vc), 2)
4610 ee, ca = vc
4611 uvc = s._sslobj.get_unverified_chain()
4612 self.assertEqual(len(uvc), 1)
4613
4614 self.assertEqual(ee, uvc[0])
4615 self.assertEqual(hash(ee), hash(uvc[0]))
4616 self.assertEqual(repr(ee), repr(uvc[0]))
4617
4618 self.assertNotEqual(ee, ca)
4619 self.assertNotEqual(hash(ee), hash(ca))
4620 self.assertNotEqual(repr(ee), repr(ca))
4621 self.assertNotEqual(ee.get_info(), ca.get_info())
4622 self.assertIn("CN=localhost", repr(ee))
4623 self.assertIn("CN=our-ca-server", repr(ca))
4624
4625 pem = ee.public_bytes(_ssl.ENCODING_PEM)
4626 der = ee.public_bytes(_ssl.ENCODING_DER)
4627 self.assertIsInstance(pem, str)
4628 self.assertIn("-----BEGIN CERTIFICATE-----", pem)
4629 self.assertIsInstance(der, bytes)
4630 self.assertEqual(
4631 ssl.PEM_cert_to_DER_cert(pem), der
4632 )
4633
4634 def test_internal_chain_server(self):
4635 client_context, server_context, hostname = testing_context()
4636 client_context.load_cert_chain(SIGNED_CERTFILE)
4637 server_context.verify_mode = ssl.CERT_REQUIRED
4638 server_context.maximum_version = ssl.TLSVersion.TLSv1_2
4639
4640 server = ThreadedEchoServer(context=server_context, chatty=False)
4641 with server:
4642 with client_context.wrap_socket(
4643 socket.socket(),
4644 server_hostname=hostname
4645 ) as s:
4646 s.connect((HOST, server.port))
4647 s.write(b'VERIFIEDCHAIN\n')
4648 res = s.recv(1024)
4649 self.assertEqual(res, b'\x02\n')
4650 s.write(b'UNVERIFIEDCHAIN\n')
4651 res = s.recv(1024)
4652 self.assertEqual(res, b'\x02\n')
4653
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4654
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4655HAS_KEYLOG = hasattr(ssl.SSLContext, 'keylog_filename')
4656requires_keylog = unittest.skipUnless(
4657 HAS_KEYLOG, 'test requires OpenSSL 1.1.1 with keylog callback')
4658
4659class TestSSLDebug(unittest.TestCase):
4660
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4661 def keylog_lines(self, fname=os_helper.TESTFN):
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4662 with open(fname) as f:
4663 return len(list(f))
4664
4665 @requires_keylog
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]4666 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4667 def test_keylog_defaults(self):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4668 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4669 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
4670 self.assertEqual(ctx.keylog_filename, None)
4671
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4672 self.assertFalse(os.path.isfile(os_helper.TESTFN))
4673 ctx.keylog_filename = os_helper.TESTFN
4674 self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
4675 self.assertTrue(os.path.isfile(os_helper.TESTFN))
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4676 self.assertEqual(self.keylog_lines(), 1)
4677
4678 ctx.keylog_filename = None
4679 self.assertEqual(ctx.keylog_filename, None)
4680
4681 with self.assertRaises((IsADirectoryError, PermissionError)):
4682 # Windows raises PermissionError
4683 ctx.keylog_filename = os.path.dirname(
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4684 os.path.abspath(os_helper.TESTFN))
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4685
4686 with self.assertRaises(TypeError):
4687 ctx.keylog_filename = 1
4688
4689 @requires_keylog
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]4690 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4691 def test_keylog_filename(self):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4692 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4693 client_context, server_context, hostname = testing_context()
4694
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4695 client_context.keylog_filename = os_helper.TESTFN
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4696 server = ThreadedEchoServer(context=server_context, chatty=False)
4697 with server:
4698 with client_context.wrap_socket(socket.socket(),
4699 server_hostname=hostname) as s:
4700 s.connect((HOST, server.port))
4701 # header, 5 lines for TLS 1.3
4702 self.assertEqual(self.keylog_lines(), 6)
4703
4704 client_context.keylog_filename = None
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4705 server_context.keylog_filename = os_helper.TESTFN
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4706 server = ThreadedEchoServer(context=server_context, chatty=False)
4707 with server:
4708 with client_context.wrap_socket(socket.socket(),
4709 server_hostname=hostname) as s:
4710 s.connect((HOST, server.port))
4711 self.assertGreaterEqual(self.keylog_lines(), 11)
4712
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4713 client_context.keylog_filename = os_helper.TESTFN
4714 server_context.keylog_filename = os_helper.TESTFN
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4715 server = ThreadedEchoServer(context=server_context, chatty=False)
4716 with server:
4717 with client_context.wrap_socket(socket.socket(),
4718 server_hostname=hostname) as s:
4719 s.connect((HOST, server.port))
4720 self.assertGreaterEqual(self.keylog_lines(), 21)
4721
4722 client_context.keylog_filename = None
4723 server_context.keylog_filename = None
4724
4725 @requires_keylog
4726 @unittest.skipIf(sys.flags.ignore_environment,
4727 "test is not compatible with ignore_environment")
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]4728 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4729 def test_keylog_env(self):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4730 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4731 with unittest.mock.patch.dict(os.environ):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4732 os.environ['SSLKEYLOGFILE'] = os_helper.TESTFN
4733 self.assertEqual(os.environ['SSLKEYLOGFILE'], os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4734
4735 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
4736 self.assertEqual(ctx.keylog_filename, None)
4737
4738 ctx = ssl.create_default_context()
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4739 self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4740
4741 ctx = ssl._create_stdlib_context()
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4742 self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4743
4744 def test_msg_callback(self):
4745 client_context, server_context, hostname = testing_context()
4746
4747 def msg_cb(conn, direction, version, content_type, msg_type, data):
4748 pass
4749
4750 self.assertIs(client_context._msg_callback, None)
4751 client_context._msg_callback = msg_cb
4752 self.assertIs(client_context._msg_callback, msg_cb)
4753 with self.assertRaises(TypeError):
4754 client_context._msg_callback = object()
4755
4756 def test_msg_callback_tls12(self):
4757 client_context, server_context, hostname = testing_context()
4758 client_context.options |= ssl.OP_NO_TLSv1_3
4759
4760 msg = []
4761
4762 def msg_cb(conn, direction, version, content_type, msg_type, data):
4763 self.assertIsInstance(conn, ssl.SSLSocket)
4764 self.assertIsInstance(data, bytes)
4765 self.assertIn(direction, {'read', 'write'})
4766 msg.append((direction, version, content_type, msg_type))
4767
4768 client_context._msg_callback = msg_cb
4769
4770 server = ThreadedEchoServer(context=server_context, chatty=False)
4771 with server:
4772 with client_context.wrap_socket(socket.socket(),
4773 server_hostname=hostname) as s:
4774 s.connect((HOST, server.port))
4775
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]4776 self.assertIn(
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4777 ("read", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
4778 _TLSMessageType.SERVER_KEY_EXCHANGE),
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]4779 msg
4780 )
4781 self.assertIn(
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4782 ("write", TLSVersion.TLSv1_2, _TLSContentType.CHANGE_CIPHER_SPEC,
4783 _TLSMessageType.CHANGE_CIPHER_SPEC),
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]4784 msg
4785 )
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4786
Christian Heimes77cde502021-03-21 16:13:09 +0100[diff] [blame]4787 def test_msg_callback_deadlock_bpo43577(self):
4788 client_context, server_context, hostname = testing_context()
4789 server_context2 = testing_context()[1]
4790
4791 def msg_cb(conn, direction, version, content_type, msg_type, data):
4792 pass
4793
4794 def sni_cb(sock, servername, ctx):
4795 sock.context = server_context2
4796
4797 server_context._msg_callback = msg_cb
4798 server_context.sni_callback = sni_cb
4799
4800 server = ThreadedEchoServer(context=server_context, chatty=False)
4801 with server:
4802 with client_context.wrap_socket(socket.socket(),
4803 server_hostname=hostname) as s:
4804 s.connect((HOST, server.port))
4805 with client_context.wrap_socket(socket.socket(),
4806 server_hostname=hostname) as s:
4807 s.connect((HOST, server.port))
4808
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4809
Ethan Furmana02cb472021-04-21 10:20:44 -0700[diff] [blame]4810class TestEnumerations(unittest.TestCase):
4811
4812 def test_tlsversion(self):
4813 class CheckedTLSVersion(enum.IntEnum):
4814 MINIMUM_SUPPORTED = _ssl.PROTO_MINIMUM_SUPPORTED
4815 SSLv3 = _ssl.PROTO_SSLv3
4816 TLSv1 = _ssl.PROTO_TLSv1
4817 TLSv1_1 = _ssl.PROTO_TLSv1_1
4818 TLSv1_2 = _ssl.PROTO_TLSv1_2
4819 TLSv1_3 = _ssl.PROTO_TLSv1_3
4820 MAXIMUM_SUPPORTED = _ssl.PROTO_MAXIMUM_SUPPORTED
4821 enum._test_simple_enum(CheckedTLSVersion, TLSVersion)
4822
4823 def test_tlscontenttype(self):
4824 class Checked_TLSContentType(enum.IntEnum):
4825 """Content types (record layer)
4826
4827 See RFC 8446, section B.1
4828 """
4829 CHANGE_CIPHER_SPEC = 20
4830 ALERT = 21
4831 HANDSHAKE = 22
4832 APPLICATION_DATA = 23
4833 # pseudo content types
4834 HEADER = 0x100
4835 INNER_CONTENT_TYPE = 0x101
4836 enum._test_simple_enum(Checked_TLSContentType, _TLSContentType)
4837
4838 def test_tlsalerttype(self):
4839 class Checked_TLSAlertType(enum.IntEnum):
4840 """Alert types for TLSContentType.ALERT messages
4841
4842 See RFC 8466, section B.2
4843 """
4844 CLOSE_NOTIFY = 0
4845 UNEXPECTED_MESSAGE = 10
4846 BAD_RECORD_MAC = 20
4847 DECRYPTION_FAILED = 21
4848 RECORD_OVERFLOW = 22
4849 DECOMPRESSION_FAILURE = 30
4850 HANDSHAKE_FAILURE = 40
4851 NO_CERTIFICATE = 41
4852 BAD_CERTIFICATE = 42
4853 UNSUPPORTED_CERTIFICATE = 43
4854 CERTIFICATE_REVOKED = 44
4855 CERTIFICATE_EXPIRED = 45
4856 CERTIFICATE_UNKNOWN = 46
4857 ILLEGAL_PARAMETER = 47
4858 UNKNOWN_CA = 48
4859 ACCESS_DENIED = 49
4860 DECODE_ERROR = 50
4861 DECRYPT_ERROR = 51
4862 EXPORT_RESTRICTION = 60
4863 PROTOCOL_VERSION = 70
4864 INSUFFICIENT_SECURITY = 71
4865 INTERNAL_ERROR = 80
4866 INAPPROPRIATE_FALLBACK = 86
4867 USER_CANCELED = 90
4868 NO_RENEGOTIATION = 100
4869 MISSING_EXTENSION = 109
4870 UNSUPPORTED_EXTENSION = 110
4871 CERTIFICATE_UNOBTAINABLE = 111
4872 UNRECOGNIZED_NAME = 112
4873 BAD_CERTIFICATE_STATUS_RESPONSE = 113
4874 BAD_CERTIFICATE_HASH_VALUE = 114
4875 UNKNOWN_PSK_IDENTITY = 115
4876 CERTIFICATE_REQUIRED = 116
4877 NO_APPLICATION_PROTOCOL = 120
4878 enum._test_simple_enum(Checked_TLSAlertType, _TLSAlertType)
4879
4880 def test_tlsmessagetype(self):
4881 class Checked_TLSMessageType(enum.IntEnum):
4882 """Message types (handshake protocol)
4883
4884 See RFC 8446, section B.3
4885 """
4886 HELLO_REQUEST = 0
4887 CLIENT_HELLO = 1
4888 SERVER_HELLO = 2
4889 HELLO_VERIFY_REQUEST = 3
4890 NEWSESSION_TICKET = 4
4891 END_OF_EARLY_DATA = 5
4892 HELLO_RETRY_REQUEST = 6
4893 ENCRYPTED_EXTENSIONS = 8
4894 CERTIFICATE = 11
4895 SERVER_KEY_EXCHANGE = 12
4896 CERTIFICATE_REQUEST = 13
4897 SERVER_DONE = 14
4898 CERTIFICATE_VERIFY = 15
4899 CLIENT_KEY_EXCHANGE = 16
4900 FINISHED = 20
4901 CERTIFICATE_URL = 21
4902 CERTIFICATE_STATUS = 22
4903 SUPPLEMENTAL_DATA = 23
4904 KEY_UPDATE = 24
4905 NEXT_PROTO = 67
4906 MESSAGE_HASH = 254
4907 CHANGE_CIPHER_SPEC = 0x0101
4908 enum._test_simple_enum(Checked_TLSMessageType, _TLSMessageType)
4909
4910 def test_sslmethod(self):
4911 Checked_SSLMethod = enum._old_convert_(
4912 enum.IntEnum, '_SSLMethod', 'ssl',
4913 lambda name: name.startswith('PROTOCOL_') and name != 'PROTOCOL_SSLv23',
4914 source=ssl._ssl,
4915 )
4916 enum._test_simple_enum(Checked_SSLMethod, ssl._SSLMethod)
4917
4918 def test_options(self):
4919 CheckedOptions = enum._old_convert_(
4920 enum.FlagEnum, 'Options', 'ssl',
4921 lambda name: name.startswith('OP_'),
4922 source=ssl._ssl,
4923 )
4924 enum._test_simple_enum(CheckedOptions, ssl.Options)
4925
4926
4927 def test_alertdescription(self):
4928 CheckedAlertDescription = enum._old_convert_(
4929 enum.IntEnum, 'AlertDescription', 'ssl',
4930 lambda name: name.startswith('ALERT_DESCRIPTION_'),
4931 source=ssl._ssl,
4932 )
4933 enum._test_simple_enum(CheckedAlertDescription, ssl.AlertDescription)
4934
4935 def test_sslerrornumber(self):
4936 Checked_SSLMethod = enum._old_convert_(
4937 enum.IntEnum, '_SSLMethod', 'ssl',
4938 lambda name: name.startswith('PROTOCOL_') and name != 'PROTOCOL_SSLv23',
4939 source=ssl._ssl,
4940 )
4941 enum._test_simple_enum(Checked_SSLMethod, ssl._SSLMethod)
4942
4943 def test_verifyflags(self):
4944 CheckedVerifyFlags = enum._old_convert_(
4945 enum.FlagEnum, 'VerifyFlags', 'ssl',
4946 lambda name: name.startswith('VERIFY_'),
4947 source=ssl._ssl,
4948 )
4949 enum._test_simple_enum(CheckedVerifyFlags, ssl.VerifyFlags)
4950
4951 def test_verifymode(self):
4952 CheckedVerifyMode = enum._old_convert_(
4953 enum.IntEnum, 'VerifyMode', 'ssl',
4954 lambda name: name.startswith('CERT_'),
4955 source=ssl._ssl,
4956 )
4957 enum._test_simple_enum(CheckedVerifyMode, ssl.VerifyMode)
4958
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]4959def test_main(verbose=False):
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]4960 if support.verbose:
4961 plats = {
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]4962 'Mac': platform.mac_ver,
4963 'Windows': platform.win32_ver,
4964 }
Petr Viktorin8b94b412018-05-16 11:51:18 -0400[diff] [blame]4965 for name, func in plats.items():
4966 plat = func()
4967 if plat and plat[0]:
4968 plat = '%s %r' % (name, plat)
4969 break
4970 else:
4971 plat = repr(platform.platform())
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]4972 print("test_ssl: testing with %r %r" %
4973 (ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO))
4974 print(" under %s" % plat)
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]4975 print(" HAS_SNI = %r" % ssl.HAS_SNI)
Antoine Pitrou609ef012013-03-29 18:09:06 +0100[diff] [blame]4976 print(" OP_ALL = 0x%8x" % ssl.OP_ALL)
4977 try:
4978 print(" OP_NO_TLSv1_1 = 0x%8x" % ssl.OP_NO_TLSv1_1)
4979 except AttributeError:
4980 pass
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]4981
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]4982 for filename in [
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]4983 CERTFILE, BYTES_CERTFILE,
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]4984 ONLYCERT, ONLYKEY, BYTES_ONLYCERT, BYTES_ONLYKEY,
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4985 SIGNED_CERTFILE, SIGNED_CERTFILE2, SIGNING_CA,
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]4986 BADCERT, BADKEY, EMPTYCERT]:
4987 if not os.path.exists(filename):
4988 raise support.TestFailed("Can't read certificate file %r" % filename)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]4989
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]4990 tests = [
4991 ContextTests, BasicSocketTests, SSLErrorTests, MemoryBIOTests,
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]4992 SSLObjectTests, SimpleBackgroundTests, ThreadedTests,
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4993 TestPostHandshakeAuth, TestSSLDebug
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]4994 ]
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]4995
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]4996 if support.is_resource_enabled('network'):
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]4997 tests.append(NetworkedTests)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]4998
Hai Shie80697d2020-05-28 06:10:27 +0800[diff] [blame]4999 thread_info = threading_helper.threading_setup()
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]5000 try:
5001 support.run_unittest(*tests)
5002 finally:
Hai Shie80697d2020-05-28 06:10:27 +0800[diff] [blame]5003 threading_helper.threading_cleanup(*thread_info)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]5004
5005if __name__ == "__main__":
5006 test_main()