Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython3 / b2fac1afaa7c0d41a263781fcf94d8a92dc31b48 / . / Lib / test / test_ssl.py
blob: 327a550645b4f01ebbd1ec27de4e6cfbf887364d [file] [log] [blame]
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]1# Test the support for SSL and sockets
2
3import sys
4import unittest
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]5import unittest.mock
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]6from test import support
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]7from test.support import import_helper
8from test.support import os_helper
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]9from test.support import socket_helper
Hai Shie80697d2020-05-28 06:10:27 +0800[diff] [blame]10from test.support import threading_helper
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]11from test.support import warnings_helper
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]12import socket
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]13import select
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]14import time
Ethan Furmana02cb472021-04-21 10:20:44 -0700[diff] [blame]15import datetime
16import enum
Antoine Pitroucfcd8ad2010-04-23 23:31:47 +0000[diff] [blame]17import gc
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]18import os
Antoine Pitroucfcd8ad2010-04-23 23:31:47 +0000[diff] [blame]19import errno
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]20import pprint
Antoine Pitrou803e6d62010-10-13 10:36:15 +0000[diff] [blame]21import urllib.request
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]22import threading
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]23import traceback
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]24import asyncore
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]25import weakref
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]26import platform
Christian Heimes892d66e2018-01-29 14:10:18 +0100[diff] [blame]27import sysconfig
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]28import functools
Christian Heimes888bbdc2017-09-07 14:18:21 -0700[diff] [blame]29try:
30 import ctypes
31except ImportError:
32 ctypes = None
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]33
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]34ssl = import_helper.import_module("ssl")
Antoine Pitrou05d936d2010-10-13 11:38:36 +0000[diff] [blame]35
Ethan Furmana02cb472021-04-21 10:20:44 -0700[diff] [blame]36from ssl import TLSVersion, _TLSContentType, _TLSMessageType, _TLSAlertType
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]37
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]38Py_DEBUG = hasattr(sys, 'gettotalrefcount')
39Py_DEBUG_WIN32 = Py_DEBUG and sys.platform == 'win32'
40
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]41PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]42HOST = socket_helper.HOST
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]43IS_OPENSSL_3_0_0 = ssl.OPENSSL_VERSION_INFO >= (3, 0, 0)
Christian Heimes892d66e2018-01-29 14:10:18 +0100[diff] [blame]44PY_SSL_DEFAULT_CIPHERS = sysconfig.get_config_var('PY_SSL_DEFAULT_CIPHERS')
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]45
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]46PROTOCOL_TO_TLS_VERSION = {}
47for proto, ver in (
48 ("PROTOCOL_SSLv23", "SSLv3"),
49 ("PROTOCOL_TLSv1", "TLSv1"),
50 ("PROTOCOL_TLSv1_1", "TLSv1_1"),
51):
52 try:
53 proto = getattr(ssl, proto)
54 ver = getattr(ssl.TLSVersion, ver)
55 except AttributeError:
56 continue
57 PROTOCOL_TO_TLS_VERSION[proto] = ver
58
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]59def data_file(*name):
60 return os.path.join(os.path.dirname(__file__), *name)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]61
Antoine Pitrou81564092010-10-08 23:06:24 +0000[diff] [blame]62# The custom key and certificate files used in test_ssl are generated
63# using Lib/test/make_ssl_certs.py.
64# Other certificates are simply fetched from the Internet servers they
65# are meant to authenticate.
66
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]67CERTFILE = data_file("keycert.pem")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]68BYTES_CERTFILE = os.fsencode(CERTFILE)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]69ONLYCERT = data_file("ssl_cert.pem")
70ONLYKEY = data_file("ssl_key.pem")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]71BYTES_ONLYCERT = os.fsencode(ONLYCERT)
72BYTES_ONLYKEY = os.fsencode(ONLYKEY)
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]73CERTFILE_PROTECTED = data_file("keycert.passwd.pem")
74ONLYKEY_PROTECTED = data_file("ssl_key.passwd.pem")
75KEY_PASSWORD = "somepass"
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]76CAPATH = data_file("capath")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]77BYTES_CAPATH = os.fsencode(CAPATH)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]78CAFILE_NEURONIO = data_file("capath", "4e1295a3.0")
79CAFILE_CACERT = data_file("capath", "5ed36f99.0")
80
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]81CERTFILE_INFO = {
82 'issuer': ((('countryName', 'XY'),),
83 (('localityName', 'Castle Anthrax'),),
84 (('organizationName', 'Python Software Foundation'),),
85 (('commonName', 'localhost'),)),
Christian Heimese6dac002018-08-30 07:25:49 +0200[diff] [blame]86 'notAfter': 'Aug 26 14:23:15 2028 GMT',
87 'notBefore': 'Aug 29 14:23:15 2018 GMT',
88 'serialNumber': '98A7CF88C74A32ED',
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]89 'subject': ((('countryName', 'XY'),),
90 (('localityName', 'Castle Anthrax'),),
91 (('organizationName', 'Python Software Foundation'),),
92 (('commonName', 'localhost'),)),
93 'subjectAltName': (('DNS', 'localhost'),),
94 'version': 3
95}
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]96
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]97# empty CRL
98CRLFILE = data_file("revocation.crl")
99
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]100# Two keys and certs signed by the same CA (for SNI tests)
101SIGNED_CERTFILE = data_file("keycert3.pem")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]102SIGNED_CERTFILE_HOSTNAME = 'localhost'
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]103
104SIGNED_CERTFILE_INFO = {
105 'OCSP': ('http://testca.pythontest.net/testca/ocsp/',),
106 'caIssuers': ('http://testca.pythontest.net/testca/pycacert.cer',),
107 'crlDistributionPoints': ('http://testca.pythontest.net/testca/revocation.crl',),
108 'issuer': ((('countryName', 'XY'),),
109 (('organizationName', 'Python Software Foundation CA'),),
110 (('commonName', 'our-ca-server'),)),
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]111 'notAfter': 'Oct 28 14:23:16 2037 GMT',
Christian Heimese6dac002018-08-30 07:25:49 +0200[diff] [blame]112 'notBefore': 'Aug 29 14:23:16 2018 GMT',
113 'serialNumber': 'CB2D80995A69525C',
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]114 'subject': ((('countryName', 'XY'),),
115 (('localityName', 'Castle Anthrax'),),
116 (('organizationName', 'Python Software Foundation'),),
117 (('commonName', 'localhost'),)),
118 'subjectAltName': (('DNS', 'localhost'),),
119 'version': 3
120}
121
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]122SIGNED_CERTFILE2 = data_file("keycert4.pem")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]123SIGNED_CERTFILE2_HOSTNAME = 'fakehostname'
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]124SIGNED_CERTFILE_ECC = data_file("keycertecc.pem")
125SIGNED_CERTFILE_ECC_HOSTNAME = 'localhost-ecc'
126
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]127# Same certificate as pycacert.pem, but without extra text in file
128SIGNING_CA = data_file("capath", "ceff1710.0")
Christian Heimes1c03abd2016-09-06 23:25:35 +0200[diff] [blame]129# cert with all kinds of subject alt names
130ALLSANFILE = data_file("allsans.pem")
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]131IDNSANSFILE = data_file("idnsans.pem")
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]132NOSANFILE = data_file("nosan.pem")
133NOSAN_HOSTNAME = 'localhost'
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]134
Martin Panter3d81d932016-01-14 09:36:00 +0000[diff] [blame]135REMOTE_HOST = "self-signed.pythontest.net"
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]136
137EMPTYCERT = data_file("nullcert.pem")
138BADCERT = data_file("badcert.pem")
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]139NONEXISTINGCERT = data_file("XXXnonexisting.pem")
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]140BADKEY = data_file("badkey.pem")
Antoine Pitroud8c347a2011-10-01 19:20:25 +0200[diff] [blame]141NOKIACERT = data_file("nokia.pem")
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]142NULLBYTECERT = data_file("nullbytecert.pem")
Christian Heimesa37f5242019-01-15 23:47:42 +0100[diff] [blame]143TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]144
Christian Heimes88bfd0b2018-08-14 12:54:19 +0200[diff] [blame]145DHFILE = data_file("ffdh3072.pem")
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]146BYTES_DHFILE = os.fsencode(DHFILE)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]147
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]148# Not defined in all versions of OpenSSL
149OP_NO_COMPRESSION = getattr(ssl, "OP_NO_COMPRESSION", 0)
150OP_SINGLE_DH_USE = getattr(ssl, "OP_SINGLE_DH_USE", 0)
151OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
152OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]153OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
Christian Heimes6f37ebc2021-04-09 17:59:21 +0200[diff] [blame]154OP_IGNORE_UNEXPECTED_EOF = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]155
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]156# Ubuntu has patched OpenSSL and changed behavior of security level 2
157# see https://bugs.python.org/issue41561#msg389003
158def is_ubuntu():
159 try:
160 # Assume that any references of "ubuntu" implies Ubuntu-like distro
161 # The workaround is not required for 18.04, but doesn't hurt either.
162 with open("/etc/os-release", encoding="utf-8") as f:
163 return "ubuntu" in f.read()
164 except FileNotFoundError:
165 return False
166
167if is_ubuntu():
168 def seclevel_workaround(*ctxs):
169 """"Lower security level to '1' and allow all ciphers for TLS 1.0/1"""
170 for ctx in ctxs:
Christian Heimes34477502021-04-12 12:00:38 +0200[diff] [blame]171 if (
172 hasattr(ctx, "minimum_version") and
173 ctx.minimum_version <= ssl.TLSVersion.TLSv1_1
174 ):
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]175 ctx.set_ciphers("@SECLEVEL=1:ALL")
176else:
177 def seclevel_workaround(*ctxs):
178 pass
179
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]180
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]181def has_tls_protocol(protocol):
182 """Check if a TLS protocol is available and enabled
183
184 :param protocol: enum ssl._SSLMethod member or name
185 :return: bool
186 """
187 if isinstance(protocol, str):
188 assert protocol.startswith('PROTOCOL_')
189 protocol = getattr(ssl, protocol, None)
190 if protocol is None:
191 return False
192 if protocol in {
193 ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS_SERVER,
194 ssl.PROTOCOL_TLS_CLIENT
195 }:
196 # auto-negotiate protocols are always available
197 return True
198 name = protocol.name
199 return has_tls_version(name[len('PROTOCOL_'):])
200
201
202@functools.lru_cache
203def has_tls_version(version):
204 """Check if a TLS/SSL version is enabled
205
206 :param version: TLS version name or ssl.TLSVersion member
207 :return: bool
208 """
209 if version == "SSLv2":
210 # never supported and not even in TLSVersion enum
211 return False
212
213 if isinstance(version, str):
214 version = ssl.TLSVersion.__members__[version]
215
216 # check compile time flags like ssl.HAS_TLSv1_2
217 if not getattr(ssl, f'HAS_{version.name}'):
218 return False
219
Christian Heimes5151d642021-04-09 15:43:06 +0200[diff] [blame]220 if IS_OPENSSL_3_0_0 and version < ssl.TLSVersion.TLSv1_2:
221 # bpo43791: 3.0.0-alpha14 fails with TLSV1_ALERT_INTERNAL_ERROR
222 return False
223
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]224 # check runtime and dynamic crypto policy settings. A TLS version may
225 # be compiled in but disabled by a policy or config option.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]226 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]227 if (
Christian Heimes9f772682019-09-26 18:23:17 +0200[diff] [blame]228 hasattr(ctx, 'minimum_version') and
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]229 ctx.minimum_version != ssl.TLSVersion.MINIMUM_SUPPORTED and
230 version < ctx.minimum_version
231 ):
232 return False
233 if (
Christian Heimes9f772682019-09-26 18:23:17 +0200[diff] [blame]234 hasattr(ctx, 'maximum_version') and
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]235 ctx.maximum_version != ssl.TLSVersion.MAXIMUM_SUPPORTED and
236 version > ctx.maximum_version
237 ):
238 return False
239
240 return True
241
242
243def requires_tls_version(version):
244 """Decorator to skip tests when a required TLS version is not available
245
246 :param version: TLS version name or ssl.TLSVersion member
247 :return:
248 """
249 def decorator(func):
250 @functools.wraps(func)
251 def wrapper(*args, **kw):
252 if not has_tls_version(version):
253 raise unittest.SkipTest(f"{version} is not available.")
254 else:
255 return func(*args, **kw)
256 return wrapper
257 return decorator
258
259
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]260def handle_error(prefix):
261 exc_format = ' '.join(traceback.format_exception(*sys.exc_info()))
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]262 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]263 sys.stdout.write(prefix + exc_format)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]264
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]265
Antoine Pitrouc695c952014-04-28 20:57:36 +0200[diff] [blame]266def utc_offset(): #NOTE: ignore issues like #1647654
267 # local time = utc time + utc offset
268 if time.daylight and time.localtime().tm_isdst > 0:
269 return -time.altzone # seconds
270 return -time.timezone
271
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]272
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]273ignore_deprecation = warnings_helper.ignore_warnings(
274 category=DeprecationWarning
275)
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]276
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]277
278def test_wrap_socket(sock, *,
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]279 cert_reqs=ssl.CERT_NONE, ca_certs=None,
280 ciphers=None, certfile=None, keyfile=None,
281 **kwargs):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]282 if not kwargs.get("server_side"):
283 kwargs["server_hostname"] = SIGNED_CERTFILE_HOSTNAME
284 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
285 else:
286 context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]287 if cert_reqs is not None:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]288 if cert_reqs == ssl.CERT_NONE:
289 context.check_hostname = False
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]290 context.verify_mode = cert_reqs
291 if ca_certs is not None:
292 context.load_verify_locations(ca_certs)
293 if certfile is not None or keyfile is not None:
294 context.load_cert_chain(certfile, keyfile)
295 if ciphers is not None:
296 context.set_ciphers(ciphers)
297 return context.wrap_socket(sock, **kwargs)
298
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]299
300def testing_context(server_cert=SIGNED_CERTFILE):
301 """Create context
302
303 client_context, server_context, hostname = testing_context()
304 """
305 if server_cert == SIGNED_CERTFILE:
306 hostname = SIGNED_CERTFILE_HOSTNAME
307 elif server_cert == SIGNED_CERTFILE2:
308 hostname = SIGNED_CERTFILE2_HOSTNAME
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]309 elif server_cert == NOSANFILE:
310 hostname = NOSAN_HOSTNAME
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]311 else:
312 raise ValueError(server_cert)
313
314 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
315 client_context.load_verify_locations(SIGNING_CA)
316
317 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
318 server_context.load_cert_chain(server_cert)
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]319 server_context.load_verify_locations(SIGNING_CA)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]320
321 return client_context, server_context, hostname
322
323
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]324class BasicSocketTests(unittest.TestCase):
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]325
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]326 def test_constants(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]327 ssl.CERT_NONE
328 ssl.CERT_OPTIONAL
329 ssl.CERT_REQUIRED
Antoine Pitrou6db49442011-12-19 13:27:11 +0100[diff] [blame]330 ssl.OP_CIPHER_SERVER_PREFERENCE
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]331 ssl.OP_SINGLE_DH_USE
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]332 ssl.OP_SINGLE_ECDH_USE
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]333 ssl.OP_NO_COMPRESSION
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]334 self.assertEqual(ssl.HAS_SNI, True)
335 self.assertEqual(ssl.HAS_ECDH, True)
336 self.assertEqual(ssl.HAS_TLSv1_2, True)
337 self.assertEqual(ssl.HAS_TLSv1_3, True)
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]338 ssl.OP_NO_SSLv2
339 ssl.OP_NO_SSLv3
340 ssl.OP_NO_TLSv1
341 ssl.OP_NO_TLSv1_3
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]342 ssl.OP_NO_TLSv1_1
343 ssl.OP_NO_TLSv1_2
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]344 self.assertEqual(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv23)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]345
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]346 def test_private_init(self):
347 with self.assertRaisesRegex(TypeError, "public constructor"):
348 with socket.socket() as s:
349 ssl.SSLSocket(s)
350
Antoine Pitrou172f0252014-04-18 20:33:08 +0200[diff] [blame]351 def test_str_for_enums(self):
352 # Make sure that the PROTOCOL_* constants have enum-like string
353 # reprs.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]354 proto = ssl.PROTOCOL_TLS_CLIENT
355 self.assertEqual(str(proto), 'PROTOCOL_TLS_CLIENT')
Antoine Pitrou172f0252014-04-18 20:33:08 +0200[diff] [blame]356 ctx = ssl.SSLContext(proto)
357 self.assertIs(ctx.protocol, proto)
358
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]359 def test_random(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]360 v = ssl.RAND_status()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]361 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]362 sys.stdout.write("\n RAND_status is %d (%s)\n"
363 % (v, (v and "sufficient randomness") or
364 "insufficient randomness"))
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]365
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]366 with warnings_helper.check_warnings():
367 data, is_cryptographic = ssl.RAND_pseudo_bytes(16)
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]368 self.assertEqual(len(data), 16)
369 self.assertEqual(is_cryptographic, v == 1)
370 if v:
371 data = ssl.RAND_bytes(16)
372 self.assertEqual(len(data), 16)
Victor Stinner2e2baa92011-05-25 11:15:16 +0200[diff] [blame]373 else:
374 self.assertRaises(ssl.SSLError, ssl.RAND_bytes, 16)
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]375
Victor Stinner1e81a392013-12-19 16:47:04 +0100[diff] [blame]376 # negative num is invalid
377 self.assertRaises(ValueError, ssl.RAND_bytes, -5)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]378 with warnings_helper.check_warnings():
379 self.assertRaises(ValueError, ssl.RAND_pseudo_bytes, -5)
Victor Stinner1e81a392013-12-19 16:47:04 +0100[diff] [blame]380
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]381 ssl.RAND_add("this is a random string", 75.0)
Serhiy Storchaka8490f5a2015-03-20 09:00:36 +0200[diff] [blame]382 ssl.RAND_add(b"this is a random bytes object", 75.0)
383 ssl.RAND_add(bytearray(b"this is a random bytearray object"), 75.0)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]384
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]385 def test_parse_cert(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]386 # note that this uses an 'unofficial' function in _ssl.c,
387 # provided solely for this test, to exercise the certificate
388 # parsing code
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]389 self.assertEqual(
390 ssl._ssl._test_decode_cert(CERTFILE),
391 CERTFILE_INFO
392 )
393 self.assertEqual(
394 ssl._ssl._test_decode_cert(SIGNED_CERTFILE),
395 SIGNED_CERTFILE_INFO
396 )
397
Antoine Pitroud8c347a2011-10-01 19:20:25 +0200[diff] [blame]398 # Issue #13034: the subjectAltName in some certificates
399 # (notably projects.developer.nokia.com:443) wasn't parsed
400 p = ssl._ssl._test_decode_cert(NOKIACERT)
401 if support.verbose:
402 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
403 self.assertEqual(p['subjectAltName'],
404 (('DNS', 'projects.developer.nokia.com'),
405 ('DNS', 'projects.forum.nokia.com'))
406 )
Christian Heimesbd3a7f92013-11-21 03:40:15 +0100[diff] [blame]407 # extra OCSP and AIA fields
408 self.assertEqual(p['OCSP'], ('http://ocsp.verisign.com',))
409 self.assertEqual(p['caIssuers'],
410 ('http://SVRIntl-G3-aia.verisign.com/SVRIntlG3.cer',))
411 self.assertEqual(p['crlDistributionPoints'],
412 ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]413
Christian Heimesa37f5242019-01-15 23:47:42 +0100[diff] [blame]414 def test_parse_cert_CVE_2019_5010(self):
415 p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)
416 if support.verbose:
417 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
418 self.assertEqual(
419 p,
420 {
421 'issuer': (
422 (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),
423 'notAfter': 'Jun 14 18:00:58 2028 GMT',
424 'notBefore': 'Jun 18 18:00:58 2018 GMT',
425 'serialNumber': '02',
426 'subject': ((('countryName', 'UK'),),
427 (('commonName',
428 'codenomicon-vm-2.test.lal.cisco.com'),)),
429 'subjectAltName': (
430 ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),
431 'version': 3
432 }
433 )
434
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]435 def test_parse_cert_CVE_2013_4238(self):
436 p = ssl._ssl._test_decode_cert(NULLBYTECERT)
437 if support.verbose:
438 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
439 subject = ((('countryName', 'US'),),
440 (('stateOrProvinceName', 'Oregon'),),
441 (('localityName', 'Beaverton'),),
442 (('organizationName', 'Python Software Foundation'),),
443 (('organizationalUnitName', 'Python Core Development'),),
444 (('commonName', 'null.python.org\x00example.org'),),
445 (('emailAddress', 'python-dev@python.org'),))
446 self.assertEqual(p['subject'], subject)
447 self.assertEqual(p['issuer'], subject)
Christian Heimes157c9832013-08-25 14:12:41 +0200[diff] [blame]448 if ssl._OPENSSL_API_VERSION >= (0, 9, 8):
449 san = (('DNS', 'altnull.python.org\x00example.com'),
450 ('email', 'null@python.org\x00user@example.org'),
451 ('URI', 'http://null.python.org\x00http://example.org'),
452 ('IP Address', '192.0.2.1'),
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]453 ('IP Address', '2001:DB8:0:0:0:0:0:1'))
Christian Heimes157c9832013-08-25 14:12:41 +0200[diff] [blame]454 else:
455 # OpenSSL 0.9.7 doesn't support IPv6 addresses in subjectAltName
456 san = (('DNS', 'altnull.python.org\x00example.com'),
457 ('email', 'null@python.org\x00user@example.org'),
458 ('URI', 'http://null.python.org\x00http://example.org'),
459 ('IP Address', '192.0.2.1'),
460 ('IP Address', '<invalid>'))
461
462 self.assertEqual(p['subjectAltName'], san)
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]463
Christian Heimes1c03abd2016-09-06 23:25:35 +0200[diff] [blame]464 def test_parse_all_sans(self):
465 p = ssl._ssl._test_decode_cert(ALLSANFILE)
466 self.assertEqual(p['subjectAltName'],
467 (
468 ('DNS', 'allsans'),
469 ('othername', '<unsupported>'),
470 ('othername', '<unsupported>'),
471 ('email', 'user@example.org'),
472 ('DNS', 'www.example.org'),
473 ('DirName',
474 ((('countryName', 'XY'),),
475 (('localityName', 'Castle Anthrax'),),
476 (('organizationName', 'Python Software Foundation'),),
477 (('commonName', 'dirname example'),))),
478 ('URI', 'https://www.python.org/'),
479 ('IP Address', '127.0.0.1'),
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]480 ('IP Address', '0:0:0:0:0:0:0:1'),
Christian Heimes1c03abd2016-09-06 23:25:35 +0200[diff] [blame]481 ('Registered ID', '1.2.3.4.5')
482 )
483 )
484
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]485 def test_DER_to_PEM(self):
Martin Panter3d81d932016-01-14 09:36:00 +0000[diff] [blame]486 with open(CAFILE_CACERT, 'r') as f:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]487 pem = f.read()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]488 d1 = ssl.PEM_cert_to_DER_cert(pem)
489 p2 = ssl.DER_cert_to_PEM_cert(d1)
490 d2 = ssl.PEM_cert_to_DER_cert(p2)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]491 self.assertEqual(d1, d2)
Antoine Pitrou9bfbe612010-04-27 22:08:08 +0000[diff] [blame]492 if not p2.startswith(ssl.PEM_HEADER + '\n'):
493 self.fail("DER-to-PEM didn't include correct header:\n%r\n" % p2)
494 if not p2.endswith('\n' + ssl.PEM_FOOTER + '\n'):
495 self.fail("DER-to-PEM didn't include correct footer:\n%r\n" % p2)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]496
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]497 def test_openssl_version(self):
498 n = ssl.OPENSSL_VERSION_NUMBER
499 t = ssl.OPENSSL_VERSION_INFO
500 s = ssl.OPENSSL_VERSION
501 self.assertIsInstance(n, int)
502 self.assertIsInstance(t, tuple)
503 self.assertIsInstance(s, str)
504 # Some sanity checks follow
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]505 # >= 1.1.1
506 self.assertGreaterEqual(n, 0x10101000)
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]507 # < 4.0
508 self.assertLess(n, 0x40000000)
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]509 major, minor, fix, patch, status = t
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]510 self.assertGreaterEqual(major, 1)
511 self.assertLess(major, 4)
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]512 self.assertGreaterEqual(minor, 0)
513 self.assertLess(minor, 256)
514 self.assertGreaterEqual(fix, 0)
515 self.assertLess(fix, 256)
516 self.assertGreaterEqual(patch, 0)
Ned Deily05784a72015-02-05 17:20:13 +1100[diff] [blame]517 self.assertLessEqual(patch, 63)
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]518 self.assertGreaterEqual(status, 0)
519 self.assertLessEqual(status, 15)
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]520
521 libressl_ver = f"LibreSSL {major:d}"
522 openssl_ver = f"OpenSSL {major:d}.{minor:d}.{fix:d}"
523 self.assertTrue(
524 s.startswith((openssl_ver, libressl_ver)),
525 (s, t, hex(n))
526 )
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]527
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]528 @support.cpython_only
529 def test_refcycle(self):
530 # Issue #7943: an SSL object doesn't create reference cycles with
531 # itself.
532 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]533 ss = test_wrap_socket(s)
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]534 wr = weakref.ref(ss)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]535 with warnings_helper.check_warnings(("", ResourceWarning)):
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]536 del ss
Victor Stinnere0b75b72016-03-21 17:26:04 +0100[diff] [blame]537 self.assertEqual(wr(), None)
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]538
Antoine Pitroua468adc2010-09-14 14:43:44 +0000[diff] [blame]539 def test_wrapped_unconnected(self):
540 # Methods on an unconnected SSLSocket propagate the original
Andrew Svetlov0832af62012-12-18 23:10:48 +0200[diff] [blame]541 # OSError raise by the underlying socket object.
Antoine Pitroua468adc2010-09-14 14:43:44 +0000[diff] [blame]542 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]543 with test_wrap_socket(s) as ss:
Antoine Pitroue9bb4732013-01-12 21:56:56 +0100[diff] [blame]544 self.assertRaises(OSError, ss.recv, 1)
545 self.assertRaises(OSError, ss.recv_into, bytearray(b'x'))
546 self.assertRaises(OSError, ss.recvfrom, 1)
547 self.assertRaises(OSError, ss.recvfrom_into, bytearray(b'x'), 1)
548 self.assertRaises(OSError, ss.send, b'x')
549 self.assertRaises(OSError, ss.sendto, b'x', ('0.0.0.0', 0))
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]550 self.assertRaises(NotImplementedError, ss.dup)
Christian Heimes141c5e82018-02-24 21:10:57 +0100[diff] [blame]551 self.assertRaises(NotImplementedError, ss.sendmsg,
552 [b'x'], (), 0, ('0.0.0.0', 0))
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]553 self.assertRaises(NotImplementedError, ss.recvmsg, 100)
554 self.assertRaises(NotImplementedError, ss.recvmsg_into,
555 [bytearray(100)])
Antoine Pitroua468adc2010-09-14 14:43:44 +0000[diff] [blame]556
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]557 def test_timeout(self):
558 # Issue #8524: when creating an SSL socket, the timeout of the
559 # original socket should be retained.
560 for timeout in (None, 0.0, 5.0):
561 s = socket.socket(socket.AF_INET)
562 s.settimeout(timeout)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]563 with test_wrap_socket(s) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]564 self.assertEqual(timeout, ss.gettimeout())
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]565
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]566 @ignore_deprecation
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]567 def test_errors_sslwrap(self):
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]568 sock = socket.socket()
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]569 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]570 "certfile must be specified",
571 ssl.wrap_socket, sock, keyfile=CERTFILE)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]572 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]573 "certfile must be specified for server-side operations",
574 ssl.wrap_socket, sock, server_side=True)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]575 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]576 "certfile must be specified for server-side operations",
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]577 ssl.wrap_socket, sock, server_side=True, certfile="")
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]578 with ssl.wrap_socket(sock, server_side=True, certfile=CERTFILE) as s:
579 self.assertRaisesRegex(ValueError, "can't connect in server-side mode",
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]580 s.connect, (HOST, 8080))
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]581 with self.assertRaises(OSError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]582 with socket.socket() as sock:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]583 ssl.wrap_socket(sock, certfile=NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]584 self.assertEqual(cm.exception.errno, errno.ENOENT)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]585 with self.assertRaises(OSError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]586 with socket.socket() as sock:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]587 ssl.wrap_socket(sock,
588 certfile=CERTFILE, keyfile=NONEXISTINGCERT)
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]589 self.assertEqual(cm.exception.errno, errno.ENOENT)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]590 with self.assertRaises(OSError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]591 with socket.socket() as sock:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]592 ssl.wrap_socket(sock,
593 certfile=NONEXISTINGCERT, keyfile=NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]594 self.assertEqual(cm.exception.errno, errno.ENOENT)
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]595
Martin Panter3464ea22016-02-01 21:58:11 +0000[diff] [blame]596 def bad_cert_test(self, certfile):
597 """Check that trying to use the given client certificate fails"""
598 certfile = os.path.join(os.path.dirname(__file__) or os.curdir,
599 certfile)
600 sock = socket.socket()
601 self.addCleanup(sock.close)
602 with self.assertRaises(ssl.SSLError):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]603 test_wrap_socket(sock,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]604 certfile=certfile)
Martin Panter3464ea22016-02-01 21:58:11 +0000[diff] [blame]605
606 def test_empty_cert(self):
607 """Wrapping with an empty cert file"""
608 self.bad_cert_test("nullcert.pem")
609
610 def test_malformed_cert(self):
611 """Wrapping with a badly formatted certificate (syntax error)"""
612 self.bad_cert_test("badcert.pem")
613
614 def test_malformed_key(self):
615 """Wrapping with a badly formatted key (syntax error)"""
616 self.bad_cert_test("badkey.pem")
617
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]618 @ignore_deprecation
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]619 def test_match_hostname(self):
620 def ok(cert, hostname):
621 ssl.match_hostname(cert, hostname)
622 def fail(cert, hostname):
623 self.assertRaises(ssl.CertificateError,
624 ssl.match_hostname, cert, hostname)
625
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]626 # -- Hostname matching --
627
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]628 cert = {'subject': ((('commonName', 'example.com'),),)}
629 ok(cert, 'example.com')
630 ok(cert, 'ExAmple.cOm')
631 fail(cert, 'www.example.com')
632 fail(cert, '.example.com')
633 fail(cert, 'example.org')
634 fail(cert, 'exampleXcom')
635
636 cert = {'subject': ((('commonName', '*.a.com'),),)}
637 ok(cert, 'foo.a.com')
638 fail(cert, 'bar.foo.a.com')
639 fail(cert, 'a.com')
640 fail(cert, 'Xa.com')
641 fail(cert, '.a.com')
642
Mandeep Singhede2ac92017-11-27 04:01:27 +0530[diff] [blame]643 # only match wildcards when they are the only thing
644 # in left-most segment
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]645 cert = {'subject': ((('commonName', 'f*.com'),),)}
Mandeep Singhede2ac92017-11-27 04:01:27 +0530[diff] [blame]646 fail(cert, 'foo.com')
647 fail(cert, 'f.com')
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]648 fail(cert, 'bar.com')
649 fail(cert, 'foo.a.com')
650 fail(cert, 'bar.foo.com')
651
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]652 # NULL bytes are bad, CVE-2013-4073
653 cert = {'subject': ((('commonName',
654 'null.python.org\x00example.org'),),)}
655 ok(cert, 'null.python.org\x00example.org') # or raise an error?
656 fail(cert, 'example.org')
657 fail(cert, 'null.python.org')
658
Georg Brandl72c98d32013-10-27 07:16:53 +0100[diff] [blame]659 # error cases with wildcards
660 cert = {'subject': ((('commonName', '*.*.a.com'),),)}
661 fail(cert, 'bar.foo.a.com')
662 fail(cert, 'a.com')
663 fail(cert, 'Xa.com')
664 fail(cert, '.a.com')
665
666 cert = {'subject': ((('commonName', 'a.*.com'),),)}
667 fail(cert, 'a.foo.com')
668 fail(cert, 'a..com')
669 fail(cert, 'a.com')
670
671 # wildcard doesn't match IDNA prefix 'xn--'
672 idna = 'püthon.python.org'.encode("idna").decode("ascii")
673 cert = {'subject': ((('commonName', idna),),)}
674 ok(cert, idna)
675 cert = {'subject': ((('commonName', 'x*.python.org'),),)}
676 fail(cert, idna)
677 cert = {'subject': ((('commonName', 'xn--p*.python.org'),),)}
678 fail(cert, idna)
679
680 # wildcard in first fragment and IDNA A-labels in sequent fragments
681 # are supported.
682 idna = 'www*.pythön.org'.encode("idna").decode("ascii")
683 cert = {'subject': ((('commonName', idna),),)}
Mandeep Singhede2ac92017-11-27 04:01:27 +0530[diff] [blame]684 fail(cert, 'www.pythön.org'.encode("idna").decode("ascii"))
685 fail(cert, 'www1.pythön.org'.encode("idna").decode("ascii"))
Georg Brandl72c98d32013-10-27 07:16:53 +0100[diff] [blame]686 fail(cert, 'ftp.pythön.org'.encode("idna").decode("ascii"))
687 fail(cert, 'pythön.org'.encode("idna").decode("ascii"))
688
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]689 # Slightly fake real-world example
690 cert = {'notAfter': 'Jun 26 21:41:46 2011 GMT',
691 'subject': ((('commonName', 'linuxfrz.org'),),),
692 'subjectAltName': (('DNS', 'linuxfr.org'),
693 ('DNS', 'linuxfr.com'),
694 ('othername', '<unsupported>'))}
695 ok(cert, 'linuxfr.org')
696 ok(cert, 'linuxfr.com')
697 # Not a "DNS" entry
698 fail(cert, '<unsupported>')
699 # When there is a subjectAltName, commonName isn't used
700 fail(cert, 'linuxfrz.org')
701
702 # A pristine real-world example
703 cert = {'notAfter': 'Dec 18 23:59:59 2011 GMT',
704 'subject': ((('countryName', 'US'),),
705 (('stateOrProvinceName', 'California'),),
706 (('localityName', 'Mountain View'),),
707 (('organizationName', 'Google Inc'),),
708 (('commonName', 'mail.google.com'),))}
709 ok(cert, 'mail.google.com')
710 fail(cert, 'gmail.com')
711 # Only commonName is considered
712 fail(cert, 'California')
713
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]714 # -- IPv4 matching --
715 cert = {'subject': ((('commonName', 'example.com'),),),
716 'subjectAltName': (('DNS', 'example.com'),
717 ('IP Address', '10.11.12.13'),
Christian Heimes477b1b22019-07-02 20:39:42 +0200[diff] [blame]718 ('IP Address', '14.15.16.17'),
719 ('IP Address', '127.0.0.1'))}
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]720 ok(cert, '10.11.12.13')
721 ok(cert, '14.15.16.17')
Christian Heimes477b1b22019-07-02 20:39:42 +0200[diff] [blame]722 # socket.inet_ntoa(socket.inet_aton('127.1')) == '127.0.0.1'
723 fail(cert, '127.1')
724 fail(cert, '14.15.16.17 ')
725 fail(cert, '14.15.16.17 extra data')
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]726 fail(cert, '14.15.16.18')
727 fail(cert, 'example.net')
728
729 # -- IPv6 matching --
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]730 if socket_helper.IPV6_ENABLED:
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]731 cert = {'subject': ((('commonName', 'example.com'),),),
732 'subjectAltName': (
733 ('DNS', 'example.com'),
734 ('IP Address', '2001:0:0:0:0:0:0:CAFE\n'),
735 ('IP Address', '2003:0:0:0:0:0:0:BABA\n'))}
736 ok(cert, '2001::cafe')
737 ok(cert, '2003::baba')
Christian Heimes477b1b22019-07-02 20:39:42 +0200[diff] [blame]738 fail(cert, '2003::baba ')
739 fail(cert, '2003::baba extra data')
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]740 fail(cert, '2003::bebe')
741 fail(cert, 'example.net')
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]742
743 # -- Miscellaneous --
744
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]745 # Neither commonName nor subjectAltName
746 cert = {'notAfter': 'Dec 18 23:59:59 2011 GMT',
747 'subject': ((('countryName', 'US'),),
748 (('stateOrProvinceName', 'California'),),
749 (('localityName', 'Mountain View'),),
750 (('organizationName', 'Google Inc'),))}
751 fail(cert, 'mail.google.com')
752
Antoine Pitrou1c86b442011-05-06 15:19:49 +0200[diff] [blame]753 # No DNS entry in subjectAltName but a commonName
754 cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
755 'subject': ((('countryName', 'US'),),
756 (('stateOrProvinceName', 'California'),),
757 (('localityName', 'Mountain View'),),
758 (('commonName', 'mail.google.com'),)),
759 'subjectAltName': (('othername', 'blabla'), )}
760 ok(cert, 'mail.google.com')
761
762 # No DNS entry subjectAltName and no commonName
763 cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
764 'subject': ((('countryName', 'US'),),
765 (('stateOrProvinceName', 'California'),),
766 (('localityName', 'Mountain View'),),
767 (('organizationName', 'Google Inc'),)),
768 'subjectAltName': (('othername', 'blabla'),)}
769 fail(cert, 'google.com')
770
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]771 # Empty cert / no cert
772 self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
773 self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
774
Antoine Pitrou636f93c2013-05-18 17:56:42 +0200[diff] [blame]775 # Issue #17980: avoid denials of service by refusing more than one
776 # wildcard per fragment.
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]777 cert = {'subject': ((('commonName', 'a*b.example.com'),),)}
778 with self.assertRaisesRegex(
779 ssl.CertificateError,
780 "partial wildcards in leftmost label are not supported"):
781 ssl.match_hostname(cert, 'axxb.example.com')
782
783 cert = {'subject': ((('commonName', 'www.*.example.com'),),)}
784 with self.assertRaisesRegex(
785 ssl.CertificateError,
786 "wildcard can only be present in the leftmost label"):
787 ssl.match_hostname(cert, 'www.sub.example.com')
788
789 cert = {'subject': ((('commonName', 'a*b*.example.com'),),)}
790 with self.assertRaisesRegex(
791 ssl.CertificateError,
792 "too many wildcards"):
793 ssl.match_hostname(cert, 'axxbxxc.example.com')
794
795 cert = {'subject': ((('commonName', '*'),),)}
796 with self.assertRaisesRegex(
797 ssl.CertificateError,
798 "sole wildcard without additional labels are not support"):
799 ssl.match_hostname(cert, 'host')
800
801 cert = {'subject': ((('commonName', '*.com'),),)}
802 with self.assertRaisesRegex(
803 ssl.CertificateError,
804 r"hostname 'com' doesn't match '\*.com'"):
805 ssl.match_hostname(cert, 'com')
806
807 # extra checks for _inet_paton()
808 for invalid in ['1', '', '1.2.3', '256.0.0.1', '127.0.0.1/24']:
809 with self.assertRaises(ValueError):
810 ssl._inet_paton(invalid)
811 for ipaddr in ['127.0.0.1', '192.168.0.1']:
812 self.assertTrue(ssl._inet_paton(ipaddr))
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]813 if socket_helper.IPV6_ENABLED:
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]814 for ipaddr in ['::1', '2001:db8:85a3::8a2e:370:7334']:
815 self.assertTrue(ssl._inet_paton(ipaddr))
Antoine Pitrou636f93c2013-05-18 17:56:42 +0200[diff] [blame]816
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]817 def test_server_side(self):
818 # server_hostname doesn't work for server sockets
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]819 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]820 with socket.socket() as sock:
821 self.assertRaises(ValueError, ctx.wrap_socket, sock, True,
822 server_hostname="some.hostname")
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]823
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]824 def test_unknown_channel_binding(self):
825 # should raise ValueError for unknown type
Giampaolo Rodolaeb7e29f2019-04-09 00:34:02 +0200[diff] [blame]826 s = socket.create_server(('127.0.0.1', 0))
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]827 c = socket.socket(socket.AF_INET)
828 c.connect(s.getsockname())
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]829 with test_wrap_socket(c, do_handshake_on_connect=False) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]830 with self.assertRaises(ValueError):
831 ss.get_channel_binding("unknown-type")
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]832 s.close()
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]833
834 @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
835 "'tls-unique' channel binding not available")
836 def test_tls_unique_channel_binding(self):
837 # unconnected should return None for known type
838 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]839 with test_wrap_socket(s) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]840 self.assertIsNone(ss.get_channel_binding("tls-unique"))
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]841 # the same for server-side
842 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]843 with test_wrap_socket(s, server_side=True, certfile=CERTFILE) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]844 self.assertIsNone(ss.get_channel_binding("tls-unique"))
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]845
Benjamin Peterson36f7b972013-01-10 14:16:20 -0600[diff] [blame]846 def test_dealloc_warn(self):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]847 ss = test_wrap_socket(socket.socket(socket.AF_INET))
Benjamin Peterson36f7b972013-01-10 14:16:20 -0600[diff] [blame]848 r = repr(ss)
849 with self.assertWarns(ResourceWarning) as cm:
850 ss = None
851 support.gc_collect()
852 self.assertIn(r, str(cm.warning.args[0]))
853
Christian Heimes6d7ad132013-06-09 18:02:55 +0200[diff] [blame]854 def test_get_default_verify_paths(self):
855 paths = ssl.get_default_verify_paths()
856 self.assertEqual(len(paths), 6)
857 self.assertIsInstance(paths, ssl.DefaultVerifyPaths)
858
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]859 with os_helper.EnvironmentVarGuard() as env:
Christian Heimes6d7ad132013-06-09 18:02:55 +0200[diff] [blame]860 env["SSL_CERT_DIR"] = CAPATH
861 env["SSL_CERT_FILE"] = CERTFILE
862 paths = ssl.get_default_verify_paths()
863 self.assertEqual(paths.cafile, CERTFILE)
864 self.assertEqual(paths.capath, CAPATH)
865
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]866 @unittest.skipUnless(sys.platform == "win32", "Windows specific")
867 def test_enum_certificates(self):
868 self.assertTrue(ssl.enum_certificates("CA"))
869 self.assertTrue(ssl.enum_certificates("ROOT"))
870
871 self.assertRaises(TypeError, ssl.enum_certificates)
872 self.assertRaises(WindowsError, ssl.enum_certificates, "")
873
Christian Heimesc2d65e12013-11-22 16:13:55 +0100[diff] [blame]874 trust_oids = set()
875 for storename in ("CA", "ROOT"):
876 store = ssl.enum_certificates(storename)
877 self.assertIsInstance(store, list)
878 for element in store:
879 self.assertIsInstance(element, tuple)
880 self.assertEqual(len(element), 3)
881 cert, enc, trust = element
882 self.assertIsInstance(cert, bytes)
883 self.assertIn(enc, {"x509_asn", "pkcs_7_asn"})
Christian Heimes915cd3f2019-09-09 18:06:55 +0200[diff] [blame]884 self.assertIsInstance(trust, (frozenset, set, bool))
885 if isinstance(trust, (frozenset, set)):
Christian Heimesc2d65e12013-11-22 16:13:55 +0100[diff] [blame]886 trust_oids.update(trust)
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]887
888 serverAuth = "1.3.6.1.5.5.7.3.1"
Christian Heimesc2d65e12013-11-22 16:13:55 +0100[diff] [blame]889 self.assertIn(serverAuth, trust_oids)
Christian Heimes6d7ad132013-06-09 18:02:55 +0200[diff] [blame]890
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]891 @unittest.skipUnless(sys.platform == "win32", "Windows specific")
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]892 def test_enum_crls(self):
893 self.assertTrue(ssl.enum_crls("CA"))
894 self.assertRaises(TypeError, ssl.enum_crls)
895 self.assertRaises(WindowsError, ssl.enum_crls, "")
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]896
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]897 crls = ssl.enum_crls("CA")
898 self.assertIsInstance(crls, list)
899 for element in crls:
900 self.assertIsInstance(element, tuple)
901 self.assertEqual(len(element), 2)
902 self.assertIsInstance(element[0], bytes)
903 self.assertIn(element[1], {"x509_asn", "pkcs_7_asn"})
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]904
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]905
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]906 def test_asn1object(self):
907 expected = (129, 'serverAuth', 'TLS Web Server Authentication',
908 '1.3.6.1.5.5.7.3.1')
909
910 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')
911 self.assertEqual(val, expected)
912 self.assertEqual(val.nid, 129)
913 self.assertEqual(val.shortname, 'serverAuth')
914 self.assertEqual(val.longname, 'TLS Web Server Authentication')
915 self.assertEqual(val.oid, '1.3.6.1.5.5.7.3.1')
916 self.assertIsInstance(val, ssl._ASN1Object)
917 self.assertRaises(ValueError, ssl._ASN1Object, 'serverAuth')
918
919 val = ssl._ASN1Object.fromnid(129)
920 self.assertEqual(val, expected)
921 self.assertIsInstance(val, ssl._ASN1Object)
922 self.assertRaises(ValueError, ssl._ASN1Object.fromnid, -1)
Christian Heimes5398e1a2013-11-22 16:20:53 +0100[diff] [blame]923 with self.assertRaisesRegex(ValueError, "unknown NID 100000"):
924 ssl._ASN1Object.fromnid(100000)
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]925 for i in range(1000):
926 try:
927 obj = ssl._ASN1Object.fromnid(i)
928 except ValueError:
929 pass
930 else:
931 self.assertIsInstance(obj.nid, int)
932 self.assertIsInstance(obj.shortname, str)
933 self.assertIsInstance(obj.longname, str)
934 self.assertIsInstance(obj.oid, (str, type(None)))
935
936 val = ssl._ASN1Object.fromname('TLS Web Server Authentication')
937 self.assertEqual(val, expected)
938 self.assertIsInstance(val, ssl._ASN1Object)
939 self.assertEqual(ssl._ASN1Object.fromname('serverAuth'), expected)
940 self.assertEqual(ssl._ASN1Object.fromname('1.3.6.1.5.5.7.3.1'),
941 expected)
Christian Heimes5398e1a2013-11-22 16:20:53 +0100[diff] [blame]942 with self.assertRaisesRegex(ValueError, "unknown object 'serverauth'"):
943 ssl._ASN1Object.fromname('serverauth')
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]944
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]945 def test_purpose_enum(self):
946 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')
947 self.assertIsInstance(ssl.Purpose.SERVER_AUTH, ssl._ASN1Object)
948 self.assertEqual(ssl.Purpose.SERVER_AUTH, val)
949 self.assertEqual(ssl.Purpose.SERVER_AUTH.nid, 129)
950 self.assertEqual(ssl.Purpose.SERVER_AUTH.shortname, 'serverAuth')
951 self.assertEqual(ssl.Purpose.SERVER_AUTH.oid,
952 '1.3.6.1.5.5.7.3.1')
953
954 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.2')
955 self.assertIsInstance(ssl.Purpose.CLIENT_AUTH, ssl._ASN1Object)
956 self.assertEqual(ssl.Purpose.CLIENT_AUTH, val)
957 self.assertEqual(ssl.Purpose.CLIENT_AUTH.nid, 130)
958 self.assertEqual(ssl.Purpose.CLIENT_AUTH.shortname, 'clientAuth')
959 self.assertEqual(ssl.Purpose.CLIENT_AUTH.oid,
960 '1.3.6.1.5.5.7.3.2')
961
Antoine Pitrou3e86ba42013-12-28 17:26:33 +0100[diff] [blame]962 def test_unsupported_dtls(self):
963 s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
964 self.addCleanup(s.close)
965 with self.assertRaises(NotImplementedError) as cx:
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]966 test_wrap_socket(s, cert_reqs=ssl.CERT_NONE)
Antoine Pitrou3e86ba42013-12-28 17:26:33 +0100[diff] [blame]967 self.assertEqual(str(cx.exception), "only stream sockets are supported")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]968 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou3e86ba42013-12-28 17:26:33 +0100[diff] [blame]969 with self.assertRaises(NotImplementedError) as cx:
970 ctx.wrap_socket(s)
971 self.assertEqual(str(cx.exception), "only stream sockets are supported")
972
Antoine Pitrouc695c952014-04-28 20:57:36 +0200[diff] [blame]973 def cert_time_ok(self, timestring, timestamp):
974 self.assertEqual(ssl.cert_time_to_seconds(timestring), timestamp)
975
976 def cert_time_fail(self, timestring):
977 with self.assertRaises(ValueError):
978 ssl.cert_time_to_seconds(timestring)
979
980 @unittest.skipUnless(utc_offset(),
981 'local time needs to be different from UTC')
982 def test_cert_time_to_seconds_timezone(self):
983 # Issue #19940: ssl.cert_time_to_seconds() returns wrong
984 # results if local timezone is not UTC
985 self.cert_time_ok("May 9 00:00:00 2007 GMT", 1178668800.0)
986 self.cert_time_ok("Jan 5 09:34:43 2018 GMT", 1515144883.0)
987
988 def test_cert_time_to_seconds(self):
989 timestring = "Jan 5 09:34:43 2018 GMT"
990 ts = 1515144883.0
991 self.cert_time_ok(timestring, ts)
992 # accept keyword parameter, assert its name
993 self.assertEqual(ssl.cert_time_to_seconds(cert_time=timestring), ts)
994 # accept both %e and %d (space or zero generated by strftime)
995 self.cert_time_ok("Jan 05 09:34:43 2018 GMT", ts)
996 # case-insensitive
997 self.cert_time_ok("JaN 5 09:34:43 2018 GmT", ts)
998 self.cert_time_fail("Jan 5 09:34 2018 GMT") # no seconds
999 self.cert_time_fail("Jan 5 09:34:43 2018") # no GMT
1000 self.cert_time_fail("Jan 5 09:34:43 2018 UTC") # not GMT timezone
1001 self.cert_time_fail("Jan 35 09:34:43 2018 GMT") # invalid day
1002 self.cert_time_fail("Jon 5 09:34:43 2018 GMT") # invalid month
1003 self.cert_time_fail("Jan 5 24:00:00 2018 GMT") # invalid hour
1004 self.cert_time_fail("Jan 5 09:60:43 2018 GMT") # invalid minute
1005
1006 newyear_ts = 1230768000.0
1007 # leap seconds
1008 self.cert_time_ok("Dec 31 23:59:60 2008 GMT", newyear_ts)
1009 # same timestamp
1010 self.cert_time_ok("Jan 1 00:00:00 2009 GMT", newyear_ts)
1011
1012 self.cert_time_ok("Jan 5 09:34:59 2018 GMT", 1515144899)
1013 # allow 60th second (even if it is not a leap second)
1014 self.cert_time_ok("Jan 5 09:34:60 2018 GMT", 1515144900)
1015 # allow 2nd leap second for compatibility with time.strptime()
1016 self.cert_time_ok("Jan 5 09:34:61 2018 GMT", 1515144901)
1017 self.cert_time_fail("Jan 5 09:34:62 2018 GMT") # invalid seconds
1018
Mike53f7a7c2017-12-14 14:04:53 +0300[diff] [blame]1019 # no special treatment for the special value:
Antoine Pitrouc695c952014-04-28 20:57:36 +0200[diff] [blame]1020 # 99991231235959Z (rfc 5280)
1021 self.cert_time_ok("Dec 31 23:59:59 9999 GMT", 253402300799.0)
1022
1023 @support.run_with_locale('LC_ALL', '')
1024 def test_cert_time_to_seconds_locale(self):
1025 # `cert_time_to_seconds()` should be locale independent
1026
1027 def local_february_name():
1028 return time.strftime('%b', (1, 2, 3, 4, 5, 6, 0, 0, 0))
1029
1030 if local_february_name().lower() == 'feb':
1031 self.skipTest("locale-specific month name needs to be "
1032 "different from C locale")
1033
1034 # locale-independent
1035 self.cert_time_ok("Feb 9 00:00:00 2007 GMT", 1170979200.0)
1036 self.cert_time_fail(local_february_name() + " 9 00:00:00 2007 GMT")
1037
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1038 def test_connect_ex_error(self):
1039 server = socket.socket(socket.AF_INET)
1040 self.addCleanup(server.close)
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]1041 port = socket_helper.bind_port(server) # Reserve port but don't listen
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1042 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1043 cert_reqs=ssl.CERT_REQUIRED)
1044 self.addCleanup(s.close)
1045 rc = s.connect_ex((HOST, port))
1046 # Issue #19919: Windows machines or VMs hosted on Windows
1047 # machines sometimes return EWOULDBLOCK.
1048 errors = (
1049 errno.ECONNREFUSED, errno.EHOSTUNREACH, errno.ETIMEDOUT,
1050 errno.EWOULDBLOCK,
1051 )
1052 self.assertIn(rc, errors)
1053
Christian Heimes89d15502021-04-19 06:55:30 +0200[diff] [blame]1054 def test_read_write_zero(self):
1055 # empty reads and writes now work, bpo-42854, bpo-31711
1056 client_context, server_context, hostname = testing_context()
1057 server = ThreadedEchoServer(context=server_context)
1058 with server:
1059 with client_context.wrap_socket(socket.socket(),
1060 server_hostname=hostname) as s:
1061 s.connect((HOST, server.port))
1062 self.assertEqual(s.recv(0), b"")
1063 self.assertEqual(s.send(b""), 0)
1064
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]1065
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1066class ContextTests(unittest.TestCase):
1067
1068 def test_constructor(self):
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]1069 for protocol in PROTOCOLS:
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1070 with warnings_helper.check_warnings():
1071 ctx = ssl.SSLContext(protocol)
1072 self.assertEqual(ctx.protocol, protocol)
1073 with warnings_helper.check_warnings():
1074 ctx = ssl.SSLContext()
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1075 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1076 self.assertRaises(ValueError, ssl.SSLContext, -1)
1077 self.assertRaises(ValueError, ssl.SSLContext, 42)
1078
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1079 def test_ciphers(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1080 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1081 ctx.set_ciphers("ALL")
1082 ctx.set_ciphers("DEFAULT")
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1083 with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):
Antoine Pitrou30474062010-05-16 23:46:26 +0000[diff] [blame]1084 ctx.set_ciphers("^$:,;?*'dorothyx")
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1085
Christian Heimes892d66e2018-01-29 14:10:18 +0100[diff] [blame]1086 @unittest.skipUnless(PY_SSL_DEFAULT_CIPHERS == 1,
1087 "Test applies only to Python default ciphers")
1088 def test_python_ciphers(self):
1089 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1090 ciphers = ctx.get_ciphers()
1091 for suite in ciphers:
1092 name = suite['name']
1093 self.assertNotIn("PSK", name)
1094 self.assertNotIn("SRP", name)
1095 self.assertNotIn("MD5", name)
1096 self.assertNotIn("RC4", name)
1097 self.assertNotIn("3DES", name)
1098
Christian Heimes25bfcd52016-09-06 00:04:45 +0200[diff] [blame]1099 def test_get_ciphers(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1100 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesea9b2dc2016-09-06 10:45:44 +0200[diff] [blame]1101 ctx.set_ciphers('AESGCM')
Christian Heimes25bfcd52016-09-06 00:04:45 +0200[diff] [blame]1102 names = set(d['name'] for d in ctx.get_ciphers())
Christian Heimes582282b2016-09-06 11:27:25 +0200[diff] [blame]1103 self.assertIn('AES256-GCM-SHA384', names)
1104 self.assertIn('AES128-GCM-SHA256', names)
Christian Heimes25bfcd52016-09-06 00:04:45 +0200[diff] [blame]1105
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1106 def test_options(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1107 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Benjamin Petersona9dcdab2015-11-11 22:38:41 -0800[diff] [blame]1108 # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1109 default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1110 # SSLContext also enables these by default
1111 default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]1112 OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE |
Christian Heimes6f37ebc2021-04-09 17:59:21 +0200[diff] [blame]1113 OP_ENABLE_MIDDLEBOX_COMPAT |
1114 OP_IGNORE_UNEXPECTED_EOF)
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1115 self.assertEqual(default, ctx.options)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1116 with warnings_helper.check_warnings():
1117 ctx.options |= ssl.OP_NO_TLSv1
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1118 self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1119 with warnings_helper.check_warnings():
1120 ctx.options = (ctx.options & ~ssl.OP_NO_TLSv1)
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]1121 self.assertEqual(default, ctx.options)
1122 ctx.options = 0
1123 # Ubuntu has OP_NO_SSLv3 forced on by default
1124 self.assertEqual(0, ctx.options & ~ssl.OP_NO_SSLv3)
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1125
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1126 def test_verify_mode_protocol(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1127 with warnings_helper.check_warnings():
1128 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1129 # Default value
1130 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1131 ctx.verify_mode = ssl.CERT_OPTIONAL
1132 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
1133 ctx.verify_mode = ssl.CERT_REQUIRED
1134 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1135 ctx.verify_mode = ssl.CERT_NONE
1136 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1137 with self.assertRaises(TypeError):
1138 ctx.verify_mode = None
1139 with self.assertRaises(ValueError):
1140 ctx.verify_mode = 42
1141
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1142 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1143 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1144 self.assertFalse(ctx.check_hostname)
1145
1146 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1147 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1148 self.assertTrue(ctx.check_hostname)
1149
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]1150 def test_hostname_checks_common_name(self):
1151 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1152 self.assertTrue(ctx.hostname_checks_common_name)
1153 if ssl.HAS_NEVER_CHECK_COMMON_NAME:
1154 ctx.hostname_checks_common_name = True
1155 self.assertTrue(ctx.hostname_checks_common_name)
1156 ctx.hostname_checks_common_name = False
1157 self.assertFalse(ctx.hostname_checks_common_name)
1158 ctx.hostname_checks_common_name = True
1159 self.assertTrue(ctx.hostname_checks_common_name)
1160 else:
1161 with self.assertRaises(AttributeError):
1162 ctx.hostname_checks_common_name = True
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1163
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1164 @ignore_deprecation
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1165 def test_min_max_version(self):
1166 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Christian Heimes34de2d32019-01-18 16:09:30 +0100[diff] [blame]1167 # OpenSSL default is MINIMUM_SUPPORTED, however some vendors like
1168 # Fedora override the setting to TLS 1.0.
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1169 minimum_range = {
1170 # stock OpenSSL
1171 ssl.TLSVersion.MINIMUM_SUPPORTED,
1172 # Fedora 29 uses TLS 1.0 by default
1173 ssl.TLSVersion.TLSv1,
1174 # RHEL 8 uses TLS 1.2 by default
1175 ssl.TLSVersion.TLSv1_2
1176 }
torsava34864d12019-12-02 17:15:42 +0100[diff] [blame]1177 maximum_range = {
1178 # stock OpenSSL
1179 ssl.TLSVersion.MAXIMUM_SUPPORTED,
1180 # Fedora 32 uses TLS 1.3 by default
1181 ssl.TLSVersion.TLSv1_3
1182 }
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1183
Christian Heimes34de2d32019-01-18 16:09:30 +0100[diff] [blame]1184 self.assertIn(
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1185 ctx.minimum_version, minimum_range
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1186 )
torsava34864d12019-12-02 17:15:42 +0100[diff] [blame]1187 self.assertIn(
1188 ctx.maximum_version, maximum_range
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1189 )
1190
1191 ctx.minimum_version = ssl.TLSVersion.TLSv1_1
1192 ctx.maximum_version = ssl.TLSVersion.TLSv1_2
1193 self.assertEqual(
1194 ctx.minimum_version, ssl.TLSVersion.TLSv1_1
1195 )
1196 self.assertEqual(
1197 ctx.maximum_version, ssl.TLSVersion.TLSv1_2
1198 )
1199
1200 ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
1201 ctx.maximum_version = ssl.TLSVersion.TLSv1
1202 self.assertEqual(
1203 ctx.minimum_version, ssl.TLSVersion.MINIMUM_SUPPORTED
1204 )
1205 self.assertEqual(
1206 ctx.maximum_version, ssl.TLSVersion.TLSv1
1207 )
1208
1209 ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
1210 self.assertEqual(
1211 ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
1212 )
1213
1214 ctx.maximum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
1215 self.assertIn(
1216 ctx.maximum_version,
1217 {ssl.TLSVersion.TLSv1, ssl.TLSVersion.SSLv3}
1218 )
1219
1220 ctx.minimum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
1221 self.assertIn(
1222 ctx.minimum_version,
1223 {ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3}
1224 )
1225
1226 with self.assertRaises(ValueError):
1227 ctx.minimum_version = 42
1228
1229 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_1)
1230
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1231 self.assertIn(
1232 ctx.minimum_version, minimum_range
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1233 )
1234 self.assertEqual(
1235 ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
1236 )
1237 with self.assertRaises(ValueError):
1238 ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
1239 with self.assertRaises(ValueError):
1240 ctx.maximum_version = ssl.TLSVersion.TLSv1
1241
1242
matthewhughes9348e836bb2020-07-17 09:59:15 +0100[diff] [blame]1243 @unittest.skipUnless(
1244 hasattr(ssl.SSLContext, 'security_level'),
1245 "requires OpenSSL >= 1.1.0"
1246 )
1247 def test_security_level(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1248 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
matthewhughes9348e836bb2020-07-17 09:59:15 +0100[diff] [blame]1249 # The default security callback allows for levels between 0-5
1250 # with OpenSSL defaulting to 1, however some vendors override the
1251 # default value (e.g. Debian defaults to 2)
1252 security_level_range = {
1253 0,
1254 1, # OpenSSL default
1255 2, # Debian
1256 3,
1257 4,
1258 5,
1259 }
1260 self.assertIn(ctx.security_level, security_level_range)
1261
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]1262 def test_verify_flags(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1263 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Benjamin Peterson990fcaa2015-03-04 22:49:41 -0500[diff] [blame]1264 # default value
1265 tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
1266 self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT | tf)
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]1267 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
1268 self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF)
1269 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN
1270 self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_CHAIN)
1271 ctx.verify_flags = ssl.VERIFY_DEFAULT
1272 self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT)
Chris Burre0b4aa02021-03-18 09:24:01 +0100[diff] [blame]1273 ctx.verify_flags = ssl.VERIFY_ALLOW_PROXY_CERTS
1274 self.assertEqual(ctx.verify_flags, ssl.VERIFY_ALLOW_PROXY_CERTS)
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]1275 # supports any value
1276 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT
1277 self.assertEqual(ctx.verify_flags,
1278 ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT)
1279 with self.assertRaises(TypeError):
1280 ctx.verify_flags = None
1281
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1282 def test_load_cert_chain(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1283 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1284 # Combined key and cert in a single file
Benjamin Peterson1ea070e2014-11-03 21:05:01 -0500[diff] [blame]1285 ctx.load_cert_chain(CERTFILE, keyfile=None)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1286 ctx.load_cert_chain(CERTFILE, keyfile=CERTFILE)
1287 self.assertRaises(TypeError, ctx.load_cert_chain, keyfile=CERTFILE)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]1288 with self.assertRaises(OSError) as cm:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]1289 ctx.load_cert_chain(NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]1290 self.assertEqual(cm.exception.errno, errno.ENOENT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1291 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1292 ctx.load_cert_chain(BADCERT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1293 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1294 ctx.load_cert_chain(EMPTYCERT)
1295 # Separate key and cert
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1296 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1297 ctx.load_cert_chain(ONLYCERT, ONLYKEY)
1298 ctx.load_cert_chain(certfile=ONLYCERT, keyfile=ONLYKEY)
1299 ctx.load_cert_chain(certfile=BYTES_ONLYCERT, keyfile=BYTES_ONLYKEY)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1300 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1301 ctx.load_cert_chain(ONLYCERT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1302 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1303 ctx.load_cert_chain(ONLYKEY)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1304 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1305 ctx.load_cert_chain(certfile=ONLYKEY, keyfile=ONLYCERT)
1306 # Mismatching key and cert
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1307 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1308 with self.assertRaisesRegex(ssl.SSLError, "key values mismatch"):
Martin Panter3d81d932016-01-14 09:36:00 +0000[diff] [blame]1309 ctx.load_cert_chain(CAFILE_CACERT, ONLYKEY)
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]1310 # Password protected key and cert
1311 ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD)
1312 ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD.encode())
1313 ctx.load_cert_chain(CERTFILE_PROTECTED,
1314 password=bytearray(KEY_PASSWORD.encode()))
1315 ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED, KEY_PASSWORD)
1316 ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED, KEY_PASSWORD.encode())
1317 ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED,
1318 bytearray(KEY_PASSWORD.encode()))
1319 with self.assertRaisesRegex(TypeError, "should be a string"):
1320 ctx.load_cert_chain(CERTFILE_PROTECTED, password=True)
1321 with self.assertRaises(ssl.SSLError):
1322 ctx.load_cert_chain(CERTFILE_PROTECTED, password="badpass")
1323 with self.assertRaisesRegex(ValueError, "cannot be longer"):
1324 # openssl has a fixed limit on the password buffer.
1325 # PEM_BUFSIZE is generally set to 1kb.
1326 # Return a string larger than this.
1327 ctx.load_cert_chain(CERTFILE_PROTECTED, password=b'a' * 102400)
1328 # Password callback
1329 def getpass_unicode():
1330 return KEY_PASSWORD
1331 def getpass_bytes():
1332 return KEY_PASSWORD.encode()
1333 def getpass_bytearray():
1334 return bytearray(KEY_PASSWORD.encode())
1335 def getpass_badpass():
1336 return "badpass"
1337 def getpass_huge():
1338 return b'a' * (1024 * 1024)
1339 def getpass_bad_type():
1340 return 9
1341 def getpass_exception():
1342 raise Exception('getpass error')
1343 class GetPassCallable:
1344 def __call__(self):
1345 return KEY_PASSWORD
1346 def getpass(self):
1347 return KEY_PASSWORD
1348 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_unicode)
1349 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bytes)
1350 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bytearray)
1351 ctx.load_cert_chain(CERTFILE_PROTECTED, password=GetPassCallable())
1352 ctx.load_cert_chain(CERTFILE_PROTECTED,
1353 password=GetPassCallable().getpass)
1354 with self.assertRaises(ssl.SSLError):
1355 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_badpass)
1356 with self.assertRaisesRegex(ValueError, "cannot be longer"):
1357 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_huge)
1358 with self.assertRaisesRegex(TypeError, "must return a string"):
1359 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bad_type)
1360 with self.assertRaisesRegex(Exception, "getpass error"):
1361 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_exception)
1362 # Make sure the password function isn't called if it isn't needed
1363 ctx.load_cert_chain(CERTFILE, password=getpass_exception)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1364
1365 def test_load_verify_locations(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1366 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1367 ctx.load_verify_locations(CERTFILE)
1368 ctx.load_verify_locations(cafile=CERTFILE, capath=None)
1369 ctx.load_verify_locations(BYTES_CERTFILE)
1370 ctx.load_verify_locations(cafile=BYTES_CERTFILE, capath=None)
1371 self.assertRaises(TypeError, ctx.load_verify_locations)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1372 self.assertRaises(TypeError, ctx.load_verify_locations, None, None, None)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]1373 with self.assertRaises(OSError) as cm:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]1374 ctx.load_verify_locations(NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]1375 self.assertEqual(cm.exception.errno, errno.ENOENT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1376 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1377 ctx.load_verify_locations(BADCERT)
1378 ctx.load_verify_locations(CERTFILE, CAPATH)
1379 ctx.load_verify_locations(CERTFILE, capath=BYTES_CAPATH)
1380
Victor Stinner80f75e62011-01-29 11:31:20 +0000[diff] [blame]1381 # Issue #10989: crash if the second argument type is invalid
1382 self.assertRaises(TypeError, ctx.load_verify_locations, None, True)
1383
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1384 def test_load_verify_cadata(self):
1385 # test cadata
1386 with open(CAFILE_CACERT) as f:
1387 cacert_pem = f.read()
1388 cacert_der = ssl.PEM_cert_to_DER_cert(cacert_pem)
1389 with open(CAFILE_NEURONIO) as f:
1390 neuronio_pem = f.read()
1391 neuronio_der = ssl.PEM_cert_to_DER_cert(neuronio_pem)
1392
1393 # test PEM
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1394 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1395 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 0)
1396 ctx.load_verify_locations(cadata=cacert_pem)
1397 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 1)
1398 ctx.load_verify_locations(cadata=neuronio_pem)
1399 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1400 # cert already in hash table
1401 ctx.load_verify_locations(cadata=neuronio_pem)
1402 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1403
1404 # combined
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1405 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1406 combined = "\n".join((cacert_pem, neuronio_pem))
1407 ctx.load_verify_locations(cadata=combined)
1408 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1409
1410 # with junk around the certs
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1411 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1412 combined = ["head", cacert_pem, "other", neuronio_pem, "again",
1413 neuronio_pem, "tail"]
1414 ctx.load_verify_locations(cadata="\n".join(combined))
1415 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1416
1417 # test DER
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1418 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1419 ctx.load_verify_locations(cadata=cacert_der)
1420 ctx.load_verify_locations(cadata=neuronio_der)
1421 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1422 # cert already in hash table
1423 ctx.load_verify_locations(cadata=cacert_der)
1424 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1425
1426 # combined
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1427 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1428 combined = b"".join((cacert_der, neuronio_der))
1429 ctx.load_verify_locations(cadata=combined)
1430 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1431
1432 # error cases
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1433 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1434 self.assertRaises(TypeError, ctx.load_verify_locations, cadata=object)
1435
Christian Heimesb9ad88b2021-04-23 13:51:40 +0200[diff] [blame]1436 with self.assertRaisesRegex(
1437 ssl.SSLError,
1438 "no start line: cadata does not contain a certificate"
1439 ):
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1440 ctx.load_verify_locations(cadata="broken")
Christian Heimesb9ad88b2021-04-23 13:51:40 +0200[diff] [blame]1441 with self.assertRaisesRegex(
1442 ssl.SSLError,
1443 "not enough data: cadata does not contain a certificate"
1444 ):
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1445 ctx.load_verify_locations(cadata=b"broken")
1446
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]1447 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1448 def test_load_dh_params(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1449 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1450 ctx.load_dh_params(DHFILE)
1451 if os.name != 'nt':
1452 ctx.load_dh_params(BYTES_DHFILE)
1453 self.assertRaises(TypeError, ctx.load_dh_params)
1454 self.assertRaises(TypeError, ctx.load_dh_params, None)
1455 with self.assertRaises(FileNotFoundError) as cm:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]1456 ctx.load_dh_params(NONEXISTINGCERT)
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1457 self.assertEqual(cm.exception.errno, errno.ENOENT)
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1458 with self.assertRaises(ssl.SSLError) as cm:
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1459 ctx.load_dh_params(CERTFILE)
1460
Antoine Pitroub0182c82010-10-12 20:09:02 +0000[diff] [blame]1461 def test_session_stats(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1462 for proto in {ssl.PROTOCOL_TLS_CLIENT, ssl.PROTOCOL_TLS_SERVER}:
Antoine Pitroub0182c82010-10-12 20:09:02 +0000[diff] [blame]1463 ctx = ssl.SSLContext(proto)
1464 self.assertEqual(ctx.session_stats(), {
1465 'number': 0,
1466 'connect': 0,
1467 'connect_good': 0,
1468 'connect_renegotiate': 0,
1469 'accept': 0,
1470 'accept_good': 0,
1471 'accept_renegotiate': 0,
1472 'hits': 0,
1473 'misses': 0,
1474 'timeouts': 0,
1475 'cache_full': 0,
1476 })
1477
Antoine Pitrou664c2d12010-11-17 20:29:42 +0000[diff] [blame]1478 def test_set_default_verify_paths(self):
1479 # There's not much we can do to test that it acts as expected,
1480 # so just check it doesn't crash or raise an exception.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1481 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou664c2d12010-11-17 20:29:42 +0000[diff] [blame]1482 ctx.set_default_verify_paths()
1483
Antoine Pitrou501da612011-12-21 09:27:41 +0100[diff] [blame]1484 @unittest.skipUnless(ssl.HAS_ECDH, "ECDH disabled on this OpenSSL build")
Antoine Pitrou923df6f2011-12-19 17:16:51 +0100[diff] [blame]1485 def test_set_ecdh_curve(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1486 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou923df6f2011-12-19 17:16:51 +0100[diff] [blame]1487 ctx.set_ecdh_curve("prime256v1")
1488 ctx.set_ecdh_curve(b"prime256v1")
1489 self.assertRaises(TypeError, ctx.set_ecdh_curve)
1490 self.assertRaises(TypeError, ctx.set_ecdh_curve, None)
1491 self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo")
1492 self.assertRaises(ValueError, ctx.set_ecdh_curve, b"foo")
1493
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1494 def test_sni_callback(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1495 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1496
1497 # set_servername_callback expects a callable, or None
1498 self.assertRaises(TypeError, ctx.set_servername_callback)
1499 self.assertRaises(TypeError, ctx.set_servername_callback, 4)
1500 self.assertRaises(TypeError, ctx.set_servername_callback, "")
1501 self.assertRaises(TypeError, ctx.set_servername_callback, ctx)
1502
1503 def dummycallback(sock, servername, ctx):
1504 pass
1505 ctx.set_servername_callback(None)
1506 ctx.set_servername_callback(dummycallback)
1507
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1508 def test_sni_callback_refcycle(self):
1509 # Reference cycles through the servername callback are detected
1510 # and cleared.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1511 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1512 def dummycallback(sock, servername, ctx, cycle=ctx):
1513 pass
1514 ctx.set_servername_callback(dummycallback)
1515 wr = weakref.ref(ctx)
1516 del ctx, dummycallback
1517 gc.collect()
1518 self.assertIs(wr(), None)
1519
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1520 def test_cert_store_stats(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1521 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1522 self.assertEqual(ctx.cert_store_stats(),
1523 {'x509_ca': 0, 'crl': 0, 'x509': 0})
1524 ctx.load_cert_chain(CERTFILE)
1525 self.assertEqual(ctx.cert_store_stats(),
1526 {'x509_ca': 0, 'crl': 0, 'x509': 0})
1527 ctx.load_verify_locations(CERTFILE)
1528 self.assertEqual(ctx.cert_store_stats(),
1529 {'x509_ca': 0, 'crl': 0, 'x509': 1})
Martin Panterb55f8b72016-01-14 12:53:56 +0000[diff] [blame]1530 ctx.load_verify_locations(CAFILE_CACERT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1531 self.assertEqual(ctx.cert_store_stats(),
1532 {'x509_ca': 1, 'crl': 0, 'x509': 2})
1533
1534 def test_get_ca_certs(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1535 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1536 self.assertEqual(ctx.get_ca_certs(), [])
1537 # CERTFILE is not flagged as X509v3 Basic Constraints: CA:TRUE
1538 ctx.load_verify_locations(CERTFILE)
1539 self.assertEqual(ctx.get_ca_certs(), [])
Martin Panterb55f8b72016-01-14 12:53:56 +0000[diff] [blame]1540 # but CAFILE_CACERT is a CA cert
1541 ctx.load_verify_locations(CAFILE_CACERT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1542 self.assertEqual(ctx.get_ca_certs(),
1543 [{'issuer': ((('organizationName', 'Root CA'),),
1544 (('organizationalUnitName', 'http://www.cacert.org'),),
1545 (('commonName', 'CA Cert Signing Authority'),),
1546 (('emailAddress', 'support@cacert.org'),)),
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]1547 'notAfter': 'Mar 29 12:29:49 2033 GMT',
1548 'notBefore': 'Mar 30 12:29:49 2003 GMT',
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1549 'serialNumber': '00',
Christian Heimesbd3a7f92013-11-21 03:40:15 +0100[diff] [blame]1550 'crlDistributionPoints': ('https://www.cacert.org/revoke.crl',),
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1551 'subject': ((('organizationName', 'Root CA'),),
1552 (('organizationalUnitName', 'http://www.cacert.org'),),
1553 (('commonName', 'CA Cert Signing Authority'),),
1554 (('emailAddress', 'support@cacert.org'),)),
1555 'version': 3}])
1556
Martin Panterb55f8b72016-01-14 12:53:56 +0000[diff] [blame]1557 with open(CAFILE_CACERT) as f:
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1558 pem = f.read()
1559 der = ssl.PEM_cert_to_DER_cert(pem)
1560 self.assertEqual(ctx.get_ca_certs(True), [der])
1561
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1562 def test_load_default_certs(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1563 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1564 ctx.load_default_certs()
1565
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1566 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1567 ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
1568 ctx.load_default_certs()
1569
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1570 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1571 ctx.load_default_certs(ssl.Purpose.CLIENT_AUTH)
1572
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1573 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1574 self.assertRaises(TypeError, ctx.load_default_certs, None)
1575 self.assertRaises(TypeError, ctx.load_default_certs, 'SERVER_AUTH')
1576
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1577 @unittest.skipIf(sys.platform == "win32", "not-Windows specific")
Benjamin Peterson5915b0f2014-10-03 17:27:05 -0400[diff] [blame]1578 def test_load_default_certs_env(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1579 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]1580 with os_helper.EnvironmentVarGuard() as env:
Benjamin Peterson5915b0f2014-10-03 17:27:05 -0400[diff] [blame]1581 env["SSL_CERT_DIR"] = CAPATH
1582 env["SSL_CERT_FILE"] = CERTFILE
1583 ctx.load_default_certs()
1584 self.assertEqual(ctx.cert_store_stats(), {"crl": 0, "x509": 1, "x509_ca": 0})
1585
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1586 @unittest.skipUnless(sys.platform == "win32", "Windows specific")
Steve Dower68d663c2017-07-17 11:15:48 +0200[diff] [blame]1587 @unittest.skipIf(hasattr(sys, "gettotalrefcount"), "Debug build does not share environment between CRTs")
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1588 def test_load_default_certs_env_windows(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1589 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1590 ctx.load_default_certs()
1591 stats = ctx.cert_store_stats()
1592
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1593 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]1594 with os_helper.EnvironmentVarGuard() as env:
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1595 env["SSL_CERT_DIR"] = CAPATH
1596 env["SSL_CERT_FILE"] = CERTFILE
1597 ctx.load_default_certs()
1598 stats["x509"] += 1
1599 self.assertEqual(ctx.cert_store_stats(), stats)
1600
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1601 def _assert_context_options(self, ctx):
1602 self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
1603 if OP_NO_COMPRESSION != 0:
1604 self.assertEqual(ctx.options & OP_NO_COMPRESSION,
1605 OP_NO_COMPRESSION)
1606 if OP_SINGLE_DH_USE != 0:
1607 self.assertEqual(ctx.options & OP_SINGLE_DH_USE,
1608 OP_SINGLE_DH_USE)
1609 if OP_SINGLE_ECDH_USE != 0:
1610 self.assertEqual(ctx.options & OP_SINGLE_ECDH_USE,
1611 OP_SINGLE_ECDH_USE)
1612 if OP_CIPHER_SERVER_PREFERENCE != 0:
1613 self.assertEqual(ctx.options & OP_CIPHER_SERVER_PREFERENCE,
1614 OP_CIPHER_SERVER_PREFERENCE)
1615
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1616 def test_create_default_context(self):
1617 ctx = ssl.create_default_context()
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1618
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1619 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1620 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1621 self.assertTrue(ctx.check_hostname)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1622 self._assert_context_options(ctx)
1623
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1624 with open(SIGNING_CA) as f:
1625 cadata = f.read()
1626 ctx = ssl.create_default_context(cafile=SIGNING_CA, capath=CAPATH,
1627 cadata=cadata)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1628 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1629 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1630 self._assert_context_options(ctx)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1631
1632 ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1633 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_SERVER)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1634 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1635 self._assert_context_options(ctx)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1636
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1637
1638
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1639 def test__create_stdlib_context(self):
1640 ctx = ssl._create_stdlib_context()
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1641 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1642 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1643 self.assertFalse(ctx.check_hostname)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1644 self._assert_context_options(ctx)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1645
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1646 with warnings_helper.check_warnings():
1647 ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1648 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
1649 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1650 self._assert_context_options(ctx)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1651
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1652 with warnings_helper.check_warnings():
1653 ctx = ssl._create_stdlib_context(
1654 ssl.PROTOCOL_TLSv1_2,
1655 cert_reqs=ssl.CERT_REQUIRED,
1656 check_hostname=True
1657 )
1658 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1_2)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1659 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimesa02c69a2013-12-02 20:59:28 +0100[diff] [blame]1660 self.assertTrue(ctx.check_hostname)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1661 self._assert_context_options(ctx)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1662
1663 ctx = ssl._create_stdlib_context(purpose=ssl.Purpose.CLIENT_AUTH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1664 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_SERVER)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1665 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1666 self._assert_context_options(ctx)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1667
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1668 def test_check_hostname(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1669 with warnings_helper.check_warnings():
1670 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1671 self.assertFalse(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1672 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1673
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1674 # Auto set CERT_REQUIRED
1675 ctx.check_hostname = True
1676 self.assertTrue(ctx.check_hostname)
1677 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1678 ctx.check_hostname = False
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1679 ctx.verify_mode = ssl.CERT_REQUIRED
1680 self.assertFalse(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1681 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1682
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1683 # Changing verify_mode does not affect check_hostname
1684 ctx.check_hostname = False
1685 ctx.verify_mode = ssl.CERT_NONE
1686 ctx.check_hostname = False
1687 self.assertFalse(ctx.check_hostname)
1688 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1689 # Auto set
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1690 ctx.check_hostname = True
1691 self.assertTrue(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1692 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1693
1694 ctx.check_hostname = False
1695 ctx.verify_mode = ssl.CERT_OPTIONAL
1696 ctx.check_hostname = False
1697 self.assertFalse(ctx.check_hostname)
1698 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
1699 # keep CERT_OPTIONAL
1700 ctx.check_hostname = True
1701 self.assertTrue(ctx.check_hostname)
1702 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1703
1704 # Cannot set CERT_NONE with check_hostname enabled
1705 with self.assertRaises(ValueError):
1706 ctx.verify_mode = ssl.CERT_NONE
1707 ctx.check_hostname = False
1708 self.assertFalse(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1709 ctx.verify_mode = ssl.CERT_NONE
1710 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1711
Christian Heimes5fe668c2016-09-12 00:01:11 +0200[diff] [blame]1712 def test_context_client_server(self):
1713 # PROTOCOL_TLS_CLIENT has sane defaults
1714 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1715 self.assertTrue(ctx.check_hostname)
1716 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1717
1718 # PROTOCOL_TLS_SERVER has different but also sane defaults
1719 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1720 self.assertFalse(ctx.check_hostname)
1721 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1722
Christian Heimes4df60f12017-09-15 20:26:05 +0200[diff] [blame]1723 def test_context_custom_class(self):
1724 class MySSLSocket(ssl.SSLSocket):
1725 pass
1726
1727 class MySSLObject(ssl.SSLObject):
1728 pass
1729
1730 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1731 ctx.sslsocket_class = MySSLSocket
1732 ctx.sslobject_class = MySSLObject
1733
1734 with ctx.wrap_socket(socket.socket(), server_side=True) as sock:
1735 self.assertIsInstance(sock, MySSLSocket)
1736 obj = ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO())
1737 self.assertIsInstance(obj, MySSLObject)
1738
Christian Heimes78c7d522019-06-03 21:00:10 +0200[diff] [blame]1739 def test_num_tickest(self):
1740 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1741 self.assertEqual(ctx.num_tickets, 2)
1742 ctx.num_tickets = 1
1743 self.assertEqual(ctx.num_tickets, 1)
1744 ctx.num_tickets = 0
1745 self.assertEqual(ctx.num_tickets, 0)
1746 with self.assertRaises(ValueError):
1747 ctx.num_tickets = -1
1748 with self.assertRaises(TypeError):
1749 ctx.num_tickets = None
1750
1751 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1752 self.assertEqual(ctx.num_tickets, 2)
1753 with self.assertRaises(ValueError):
1754 ctx.num_tickets = 1
1755
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1756
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1757class SSLErrorTests(unittest.TestCase):
1758
1759 def test_str(self):
1760 # The str() of a SSLError doesn't include the errno
1761 e = ssl.SSLError(1, "foo")
1762 self.assertEqual(str(e), "foo")
1763 self.assertEqual(e.errno, 1)
1764 # Same for a subclass
1765 e = ssl.SSLZeroReturnError(1, "foo")
1766 self.assertEqual(str(e), "foo")
1767 self.assertEqual(e.errno, 1)
1768
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]1769 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1770 def test_lib_reason(self):
1771 # Test the library and reason attributes
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1772 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1773 with self.assertRaises(ssl.SSLError) as cm:
1774 ctx.load_dh_params(CERTFILE)
1775 self.assertEqual(cm.exception.library, 'PEM')
1776 self.assertEqual(cm.exception.reason, 'NO_START_LINE')
1777 s = str(cm.exception)
1778 self.assertTrue(s.startswith("[PEM: NO_START_LINE] no start line"), s)
1779
1780 def test_subclass(self):
1781 # Check that the appropriate SSLError subclass is raised
1782 # (this only tests one of them)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1783 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1784 ctx.check_hostname = False
1785 ctx.verify_mode = ssl.CERT_NONE
Giampaolo Rodolaeb7e29f2019-04-09 00:34:02 +0200[diff] [blame]1786 with socket.create_server(("127.0.0.1", 0)) as s:
1787 c = socket.create_connection(s.getsockname())
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]1788 c.setblocking(False)
1789 with ctx.wrap_socket(c, False, do_handshake_on_connect=False) as c:
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1790 with self.assertRaises(ssl.SSLWantReadError) as cm:
1791 c.do_handshake()
1792 s = str(cm.exception)
1793 self.assertTrue(s.startswith("The operation did not complete (read)"), s)
1794 # For compatibility
1795 self.assertEqual(cm.exception.errno, ssl.SSL_ERROR_WANT_READ)
1796
1797
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]1798 def test_bad_server_hostname(self):
1799 ctx = ssl.create_default_context()
1800 with self.assertRaises(ValueError):
1801 ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
1802 server_hostname="")
1803 with self.assertRaises(ValueError):
1804 ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
1805 server_hostname=".example.org")
Christian Heimesd02ac252018-03-25 12:36:13 +0200[diff] [blame]1806 with self.assertRaises(TypeError):
1807 ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
1808 server_hostname="example.org\x00evil.com")
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]1809
1810
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]1811class MemoryBIOTests(unittest.TestCase):
1812
1813 def test_read_write(self):
1814 bio = ssl.MemoryBIO()
1815 bio.write(b'foo')
1816 self.assertEqual(bio.read(), b'foo')
1817 self.assertEqual(bio.read(), b'')
1818 bio.write(b'foo')
1819 bio.write(b'bar')
1820 self.assertEqual(bio.read(), b'foobar')
1821 self.assertEqual(bio.read(), b'')
1822 bio.write(b'baz')
1823 self.assertEqual(bio.read(2), b'ba')
1824 self.assertEqual(bio.read(1), b'z')
1825 self.assertEqual(bio.read(1), b'')
1826
1827 def test_eof(self):
1828 bio = ssl.MemoryBIO()
1829 self.assertFalse(bio.eof)
1830 self.assertEqual(bio.read(), b'')
1831 self.assertFalse(bio.eof)
1832 bio.write(b'foo')
1833 self.assertFalse(bio.eof)
1834 bio.write_eof()
1835 self.assertFalse(bio.eof)
1836 self.assertEqual(bio.read(2), b'fo')
1837 self.assertFalse(bio.eof)
1838 self.assertEqual(bio.read(1), b'o')
1839 self.assertTrue(bio.eof)
1840 self.assertEqual(bio.read(), b'')
1841 self.assertTrue(bio.eof)
1842
1843 def test_pending(self):
1844 bio = ssl.MemoryBIO()
1845 self.assertEqual(bio.pending, 0)
1846 bio.write(b'foo')
1847 self.assertEqual(bio.pending, 3)
1848 for i in range(3):
1849 bio.read(1)
1850 self.assertEqual(bio.pending, 3-i-1)
1851 for i in range(3):
1852 bio.write(b'x')
1853 self.assertEqual(bio.pending, i+1)
1854 bio.read()
1855 self.assertEqual(bio.pending, 0)
1856
1857 def test_buffer_types(self):
1858 bio = ssl.MemoryBIO()
1859 bio.write(b'foo')
1860 self.assertEqual(bio.read(), b'foo')
1861 bio.write(bytearray(b'bar'))
1862 self.assertEqual(bio.read(), b'bar')
1863 bio.write(memoryview(b'baz'))
1864 self.assertEqual(bio.read(), b'baz')
1865
1866 def test_error_types(self):
1867 bio = ssl.MemoryBIO()
1868 self.assertRaises(TypeError, bio.write, 'foo')
1869 self.assertRaises(TypeError, bio.write, None)
1870 self.assertRaises(TypeError, bio.write, True)
1871 self.assertRaises(TypeError, bio.write, 1)
1872
1873
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]1874class SSLObjectTests(unittest.TestCase):
1875 def test_private_init(self):
1876 bio = ssl.MemoryBIO()
1877 with self.assertRaisesRegex(TypeError, "public constructor"):
1878 ssl.SSLObject(bio, bio)
1879
Nathaniel J. Smithc0da5822018-09-21 21:44:12 -0700[diff] [blame]1880 def test_unwrap(self):
1881 client_ctx, server_ctx, hostname = testing_context()
1882 c_in = ssl.MemoryBIO()
1883 c_out = ssl.MemoryBIO()
1884 s_in = ssl.MemoryBIO()
1885 s_out = ssl.MemoryBIO()
1886 client = client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname)
1887 server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
1888
1889 # Loop on the handshake for a bit to get it settled
1890 for _ in range(5):
1891 try:
1892 client.do_handshake()
1893 except ssl.SSLWantReadError:
1894 pass
1895 if c_out.pending:
1896 s_in.write(c_out.read())
1897 try:
1898 server.do_handshake()
1899 except ssl.SSLWantReadError:
1900 pass
1901 if s_out.pending:
1902 c_in.write(s_out.read())
1903 # Now the handshakes should be complete (don't raise WantReadError)
1904 client.do_handshake()
1905 server.do_handshake()
1906
1907 # Now if we unwrap one side unilaterally, it should send close-notify
1908 # and raise WantReadError:
1909 with self.assertRaises(ssl.SSLWantReadError):
1910 client.unwrap()
1911
1912 # But server.unwrap() does not raise, because it reads the client's
1913 # close-notify:
1914 s_in.write(c_out.read())
1915 server.unwrap()
1916
1917 # And now that the client gets the server's close-notify, it doesn't
1918 # raise either.
1919 c_in.write(s_out.read())
1920 client.unwrap()
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]1921
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1922class SimpleBackgroundTests(unittest.TestCase):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1923 """Tests that connect to a simple server running in the background"""
1924
1925 def setUp(self):
juhovh49fdf112021-04-18 21:11:48 +1000[diff] [blame]1926 self.server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1927 self.server_context.load_cert_chain(SIGNED_CERTFILE)
1928 server = ThreadedEchoServer(context=self.server_context)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1929 self.server_addr = (HOST, server.port)
1930 server.__enter__()
1931 self.addCleanup(server.__exit__, None, None, None)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1932
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1933 def test_connect(self):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1934 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1935 cert_reqs=ssl.CERT_NONE) as s:
1936 s.connect(self.server_addr)
1937 self.assertEqual({}, s.getpeercert())
Christian Heimesa5d07652016-09-24 10:48:05 +0200[diff] [blame]1938 self.assertFalse(s.server_side)
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]1939
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1940 # this should succeed because we specify the root cert
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1941 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1942 cert_reqs=ssl.CERT_REQUIRED,
1943 ca_certs=SIGNING_CA) as s:
1944 s.connect(self.server_addr)
1945 self.assertTrue(s.getpeercert())
Christian Heimesa5d07652016-09-24 10:48:05 +0200[diff] [blame]1946 self.assertFalse(s.server_side)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1947
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1948 def test_connect_fail(self):
1949 # This should fail because we have no verification certs. Connection
1950 # failure crashes ThreadedEchoServer, so run this in an independent
1951 # test method.
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1952 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1953 cert_reqs=ssl.CERT_REQUIRED)
1954 self.addCleanup(s.close)
1955 self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
1956 s.connect, self.server_addr)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1957
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]1958 def test_connect_ex(self):
1959 # Issue #11326: check connect_ex() implementation
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1960 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1961 cert_reqs=ssl.CERT_REQUIRED,
1962 ca_certs=SIGNING_CA)
1963 self.addCleanup(s.close)
1964 self.assertEqual(0, s.connect_ex(self.server_addr))
1965 self.assertTrue(s.getpeercert())
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]1966
1967 def test_non_blocking_connect_ex(self):
1968 # Issue #11326: non-blocking connect_ex() should allow handshake
1969 # to proceed after the socket gets ready.
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1970 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1971 cert_reqs=ssl.CERT_REQUIRED,
1972 ca_certs=SIGNING_CA,
1973 do_handshake_on_connect=False)
1974 self.addCleanup(s.close)
1975 s.setblocking(False)
1976 rc = s.connect_ex(self.server_addr)
1977 # EWOULDBLOCK under Windows, EINPROGRESS elsewhere
1978 self.assertIn(rc, (0, errno.EINPROGRESS, errno.EWOULDBLOCK))
1979 # Wait for connect to finish
1980 select.select([], [s], [], 5.0)
1981 # Non-blocking handshake
1982 while True:
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]1983 try:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1984 s.do_handshake()
1985 break
1986 except ssl.SSLWantReadError:
1987 select.select([s], [], [], 5.0)
1988 except ssl.SSLWantWriteError:
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]1989 select.select([], [s], [], 5.0)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1990 # SSL established
1991 self.assertTrue(s.getpeercert())
Antoine Pitrou40f12ab2012-12-28 19:03:43 +0100[diff] [blame]1992
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1993 def test_connect_with_context(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1994 # Same as test_connect, but with a separately created context
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1995 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1996 ctx.check_hostname = False
1997 ctx.verify_mode = ssl.CERT_NONE
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1998 with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:
1999 s.connect(self.server_addr)
2000 self.assertEqual({}, s.getpeercert())
2001 # Same with a server hostname
2002 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2003 server_hostname="dummy") as s:
2004 s.connect(self.server_addr)
2005 ctx.verify_mode = ssl.CERT_REQUIRED
2006 # This should succeed because we specify the root cert
2007 ctx.load_verify_locations(SIGNING_CA)
2008 with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:
2009 s.connect(self.server_addr)
2010 cert = s.getpeercert()
2011 self.assertTrue(cert)
2012
2013 def test_connect_with_context_fail(self):
2014 # This should fail because we have no verification certs. Connection
2015 # failure crashes ThreadedEchoServer, so run this in an independent
2016 # test method.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2017 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2018 s = ctx.wrap_socket(
2019 socket.socket(socket.AF_INET),
2020 server_hostname=SIGNED_CERTFILE_HOSTNAME
2021 )
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2022 self.addCleanup(s.close)
2023 self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
2024 s.connect, self.server_addr)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2025
2026 def test_connect_capath(self):
2027 # Verify server certificates using the `capath` argument
Antoine Pitrou467f28d2010-05-16 19:22:44 +0000[diff] [blame]2028 # NOTE: the subject hashing algorithm has been changed between
2029 # OpenSSL 0.9.8n and 1.0.0, as a result the capath directory must
2030 # contain both versions of each certificate (same content, different
Antoine Pitroud7e4c1c2010-05-17 14:13:10 +0000[diff] [blame]2031 # filename) for this test to be portable across OpenSSL releases.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2032 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2033 ctx.load_verify_locations(capath=CAPATH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2034 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2035 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2036 s.connect(self.server_addr)
2037 cert = s.getpeercert()
2038 self.assertTrue(cert)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2039
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2040 # Same with a bytes `capath` argument
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2041 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2042 ctx.load_verify_locations(capath=BYTES_CAPATH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2043 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2044 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2045 s.connect(self.server_addr)
2046 cert = s.getpeercert()
2047 self.assertTrue(cert)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2048
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2049 def test_connect_cadata(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2050 with open(SIGNING_CA) as f:
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2051 pem = f.read()
2052 der = ssl.PEM_cert_to_DER_cert(pem)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2053 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2054 ctx.load_verify_locations(cadata=pem)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2055 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2056 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2057 s.connect(self.server_addr)
2058 cert = s.getpeercert()
2059 self.assertTrue(cert)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2060
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2061 # same with DER
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2062 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2063 ctx.load_verify_locations(cadata=der)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2064 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2065 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2066 s.connect(self.server_addr)
2067 cert = s.getpeercert()
2068 self.assertTrue(cert)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2069
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]2070 @unittest.skipIf(os.name == "nt", "Can't use a socket as a file under Windows")
2071 def test_makefile_close(self):
2072 # Issue #5238: creating a file-like object with makefile() shouldn't
2073 # delay closing the underlying "real socket" (here tested with its
2074 # file descriptor, hence skipping the test under Windows).
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2075 ss = test_wrap_socket(socket.socket(socket.AF_INET))
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2076 ss.connect(self.server_addr)
2077 fd = ss.fileno()
2078 f = ss.makefile()
2079 f.close()
2080 # The fd is still open
2081 os.read(fd, 0)
2082 # Closing the SSL socket should close the fd too
2083 ss.close()
2084 gc.collect()
2085 with self.assertRaises(OSError) as e:
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]2086 os.read(fd, 0)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2087 self.assertEqual(e.exception.errno, errno.EBADF)
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]2088
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2089 def test_non_blocking_handshake(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2090 s = socket.socket(socket.AF_INET)
2091 s.connect(self.server_addr)
2092 s.setblocking(False)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2093 s = test_wrap_socket(s,
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2094 cert_reqs=ssl.CERT_NONE,
2095 do_handshake_on_connect=False)
2096 self.addCleanup(s.close)
2097 count = 0
2098 while True:
2099 try:
2100 count += 1
2101 s.do_handshake()
2102 break
2103 except ssl.SSLWantReadError:
2104 select.select([s], [], [])
2105 except ssl.SSLWantWriteError:
2106 select.select([], [s], [])
2107 if support.verbose:
2108 sys.stdout.write("\nNeeded %d calls to do_handshake() to establish session.\n" % count)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2109
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2110 def test_get_server_certificate(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2111 _test_get_server_certificate(self, *self.server_addr, cert=SIGNING_CA)
Antoine Pitrou5aefa662011-04-28 19:24:46 +0200[diff] [blame]2112
juhovh49fdf112021-04-18 21:11:48 +1000[diff] [blame]2113 def test_get_server_certificate_sni(self):
2114 host, port = self.server_addr
2115 server_names = []
2116
2117 # We store servername_cb arguments to make sure they match the host
2118 def servername_cb(ssl_sock, server_name, initial_context):
2119 server_names.append(server_name)
2120 self.server_context.set_servername_callback(servername_cb)
2121
2122 pem = ssl.get_server_certificate((host, port))
2123 if not pem:
2124 self.fail("No server certificate on %s:%s!" % (host, port))
2125
2126 pem = ssl.get_server_certificate((host, port), ca_certs=SIGNING_CA)
2127 if not pem:
2128 self.fail("No server certificate on %s:%s!" % (host, port))
2129 if support.verbose:
2130 sys.stdout.write("\nVerified certificate for %s:%s is\n%s\n" % (host, port, pem))
2131
2132 self.assertEqual(server_names, [host, host])
2133
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2134 def test_get_server_certificate_fail(self):
2135 # Connection failure crashes ThreadedEchoServer, so run this in an
2136 # independent test method
2137 _test_get_server_certificate_fail(self, *self.server_addr)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2138
Zackery Spytzb2fac1a2021-04-23 22:46:01 -0600[diff] [blame^]2139 def test_get_server_certificate_timeout(self):
2140 with self.assertRaises(socket.timeout):
2141 ssl.get_server_certificate(self.server_addr, ca_certs=SIGNING_CA,
2142 timeout=0.0001)
2143
Antoine Pitrouf4c7bad2010-08-15 23:02:22 +0000[diff] [blame]2144 def test_ciphers(self):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2145 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2146 cert_reqs=ssl.CERT_NONE, ciphers="ALL") as s:
2147 s.connect(self.server_addr)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2148 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2149 cert_reqs=ssl.CERT_NONE, ciphers="DEFAULT") as s:
2150 s.connect(self.server_addr)
2151 # Error checking can happen at instantiation or when connecting
2152 with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):
2153 with socket.socket(socket.AF_INET) as sock:
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2154 s = test_wrap_socket(sock,
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2155 cert_reqs=ssl.CERT_NONE, ciphers="^$:,;?*'dorothyx")
2156 s.connect(self.server_addr)
Antoine Pitroufec12ff2010-04-21 19:46:23 +0000[diff] [blame]2157
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]2158 def test_get_ca_certs_capath(self):
2159 # capath certs are loaded on request
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2160 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2161 ctx.load_verify_locations(capath=CAPATH)
2162 self.assertEqual(ctx.get_ca_certs(), [])
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2163 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2164 server_hostname='localhost') as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2165 s.connect(self.server_addr)
2166 cert = s.getpeercert()
2167 self.assertTrue(cert)
2168 self.assertEqual(len(ctx.get_ca_certs()), 1)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]2169
Christian Heimes8e7f3942013-12-05 07:41:08 +0100[diff] [blame]2170 def test_context_setget(self):
2171 # Check that the context of a connected socket can be replaced.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2172 ctx1 = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2173 ctx1.load_verify_locations(capath=CAPATH)
2174 ctx2 = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2175 ctx2.load_verify_locations(capath=CAPATH)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2176 s = socket.socket(socket.AF_INET)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2177 with ctx1.wrap_socket(s, server_hostname='localhost') as ss:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2178 ss.connect(self.server_addr)
2179 self.assertIs(ss.context, ctx1)
2180 self.assertIs(ss._sslobj.context, ctx1)
2181 ss.context = ctx2
2182 self.assertIs(ss.context, ctx2)
2183 self.assertIs(ss._sslobj.context, ctx2)
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2184
2185 def ssl_io_loop(self, sock, incoming, outgoing, func, *args, **kwargs):
2186 # A simple IO loop. Call func(*args) depending on the error we get
2187 # (WANT_READ or WANT_WRITE) move data between the socket and the BIOs.
Victor Stinner0d63bac2019-12-11 11:30:03 +0100[diff] [blame]2188 timeout = kwargs.get('timeout', support.SHORT_TIMEOUT)
Victor Stinner50a72af2017-09-11 09:34:24 -0700[diff] [blame]2189 deadline = time.monotonic() + timeout
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2190 count = 0
2191 while True:
Victor Stinner50a72af2017-09-11 09:34:24 -0700[diff] [blame]2192 if time.monotonic() > deadline:
2193 self.fail("timeout")
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2194 errno = None
2195 count += 1
2196 try:
2197 ret = func(*args)
2198 except ssl.SSLError as e:
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2199 if e.errno not in (ssl.SSL_ERROR_WANT_READ,
Martin Panter40b97ec2016-01-14 13:05:46 +0000[diff] [blame]2200 ssl.SSL_ERROR_WANT_WRITE):
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2201 raise
2202 errno = e.errno
2203 # Get any data from the outgoing BIO irrespective of any error, and
2204 # send it to the socket.
2205 buf = outgoing.read()
2206 sock.sendall(buf)
2207 # If there's no error, we're done. For WANT_READ, we need to get
2208 # data from the socket and put it in the incoming BIO.
2209 if errno is None:
2210 break
2211 elif errno == ssl.SSL_ERROR_WANT_READ:
2212 buf = sock.recv(32768)
2213 if buf:
2214 incoming.write(buf)
2215 else:
2216 incoming.write_eof()
2217 if support.verbose:
2218 sys.stdout.write("Needed %d calls to complete %s().\n"
2219 % (count, func.__name__))
2220 return ret
2221
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2222 def test_bio_handshake(self):
2223 sock = socket.socket(socket.AF_INET)
2224 self.addCleanup(sock.close)
2225 sock.connect(self.server_addr)
2226 incoming = ssl.MemoryBIO()
2227 outgoing = ssl.MemoryBIO()
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2228 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2229 self.assertTrue(ctx.check_hostname)
2230 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2231 ctx.load_verify_locations(SIGNING_CA)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2232 sslobj = ctx.wrap_bio(incoming, outgoing, False,
2233 SIGNED_CERTFILE_HOSTNAME)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2234 self.assertIs(sslobj._sslobj.owner, sslobj)
2235 self.assertIsNone(sslobj.cipher())
Christian Heimes68771112017-09-05 21:55:40 -0700[diff] [blame]2236 self.assertIsNone(sslobj.version())
Christian Heimes01113fa2016-09-05 23:23:24 +0200[diff] [blame]2237 self.assertIsNotNone(sslobj.shared_ciphers())
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2238 self.assertRaises(ValueError, sslobj.getpeercert)
2239 if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
2240 self.assertIsNone(sslobj.get_channel_binding('tls-unique'))
2241 self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake)
2242 self.assertTrue(sslobj.cipher())
Christian Heimes01113fa2016-09-05 23:23:24 +0200[diff] [blame]2243 self.assertIsNotNone(sslobj.shared_ciphers())
Christian Heimes68771112017-09-05 21:55:40 -0700[diff] [blame]2244 self.assertIsNotNone(sslobj.version())
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2245 self.assertTrue(sslobj.getpeercert())
2246 if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
2247 self.assertTrue(sslobj.get_channel_binding('tls-unique'))
2248 try:
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2249 self.ssl_io_loop(sock, incoming, outgoing, sslobj.unwrap)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2250 except ssl.SSLSyscallError:
2251 # If the server shuts down the TCP connection without sending a
2252 # secure shutdown message, this is reported as SSL_ERROR_SYSCALL
2253 pass
2254 self.assertRaises(ssl.SSLError, sslobj.write, b'foo')
2255
2256 def test_bio_read_write_data(self):
2257 sock = socket.socket(socket.AF_INET)
2258 self.addCleanup(sock.close)
2259 sock.connect(self.server_addr)
2260 incoming = ssl.MemoryBIO()
2261 outgoing = ssl.MemoryBIO()
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2262 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2263 ctx.check_hostname = False
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2264 ctx.verify_mode = ssl.CERT_NONE
2265 sslobj = ctx.wrap_bio(incoming, outgoing, False)
2266 self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake)
2267 req = b'FOO\n'
2268 self.ssl_io_loop(sock, incoming, outgoing, sslobj.write, req)
2269 buf = self.ssl_io_loop(sock, incoming, outgoing, sslobj.read, 1024)
2270 self.assertEqual(buf, b'foo\n')
2271 self.ssl_io_loop(sock, incoming, outgoing, sslobj.unwrap)
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2272
2273
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2274class NetworkedTests(unittest.TestCase):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2275
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2276 def test_timeout_connect_ex(self):
2277 # Issue #12065: on a timeout, connect_ex() should return the original
2278 # errno (mimicking the behaviour of non-SSL sockets).
Serhiy Storchakabfb1cf42020-04-29 10:36:20 +0300[diff] [blame]2279 with socket_helper.transient_internet(REMOTE_HOST):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2280 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2281 cert_reqs=ssl.CERT_REQUIRED,
2282 do_handshake_on_connect=False)
2283 self.addCleanup(s.close)
2284 s.settimeout(0.0000001)
2285 rc = s.connect_ex((REMOTE_HOST, 443))
2286 if rc == 0:
2287 self.skipTest("REMOTE_HOST responded too quickly")
Carl Meyer29c451c2021-03-27 15:52:28 -0600[diff] [blame]2288 elif rc == errno.ENETUNREACH:
2289 self.skipTest("Network unreachable.")
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2290 self.assertIn(rc, (errno.EAGAIN, errno.EWOULDBLOCK))
2291
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]2292 @unittest.skipUnless(socket_helper.IPV6_ENABLED, 'Needs IPv6')
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2293 def test_get_server_certificate_ipv6(self):
Serhiy Storchakabfb1cf42020-04-29 10:36:20 +0300[diff] [blame]2294 with socket_helper.transient_internet('ipv6.google.com'):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2295 _test_get_server_certificate(self, 'ipv6.google.com', 443)
2296 _test_get_server_certificate_fail(self, 'ipv6.google.com', 443)
2297
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2298
2299def _test_get_server_certificate(test, host, port, cert=None):
2300 pem = ssl.get_server_certificate((host, port))
2301 if not pem:
2302 test.fail("No server certificate on %s:%s!" % (host, port))
2303
2304 pem = ssl.get_server_certificate((host, port), ca_certs=cert)
2305 if not pem:
2306 test.fail("No server certificate on %s:%s!" % (host, port))
2307 if support.verbose:
2308 sys.stdout.write("\nVerified certificate for %s:%s is\n%s\n" % (host, port ,pem))
2309
2310def _test_get_server_certificate_fail(test, host, port):
2311 try:
2312 pem = ssl.get_server_certificate((host, port), ca_certs=CERTFILE)
2313 except ssl.SSLError as x:
2314 #should fail
2315 if support.verbose:
2316 sys.stdout.write("%s\n" % x)
2317 else:
2318 test.fail("Got server certificate %s for %s:%s!" % (pem, host, port))
2319
2320
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2321from test.ssl_servers import make_https_server
Antoine Pitrou803e6d62010-10-13 10:36:15 +0000[diff] [blame]2322
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2323class ThreadedEchoServer(threading.Thread):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2324
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2325 class ConnectionHandler(threading.Thread):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2326
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2327 """A mildly complicated class, because we want it to work both
2328 with and without the SSL wrapper around the socket connection, so
2329 that we can test the STARTTLS functionality."""
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2330
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2331 def __init__(self, server, connsock, addr):
2332 self.server = server
2333 self.running = False
2334 self.sock = connsock
2335 self.addr = addr
Serhiy Storchaka5eca7f32019-09-01 12:12:52 +0300[diff] [blame]2336 self.sock.setblocking(True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2337 self.sslconn = None
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2338 threading.Thread.__init__(self)
Benjamin Peterson4171da52008-08-18 21:11:09 +0000[diff] [blame]2339 self.daemon = True
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2340
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2341 def wrap_conn(self):
2342 try:
2343 self.sslconn = self.server.context.wrap_socket(
2344 self.sock, server_side=True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2345 self.server.selected_alpn_protocols.append(self.sslconn.selected_alpn_protocol())
Paul Monsonfb7e7502019-05-15 15:38:55 -0700[diff] [blame]2346 except (ConnectionResetError, BrokenPipeError, ConnectionAbortedError) as e:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2347 # We treat ConnectionResetError as though it were an
2348 # SSLError - OpenSSL on Ubuntu abruptly closes the
2349 # connection when asked to use an unsupported protocol.
2350 #
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2351 # BrokenPipeError is raised in TLS 1.3 mode, when OpenSSL
2352 # tries to send session tickets after handshake.
2353 # https://github.com/openssl/openssl/issues/6342
Paul Monsonfb7e7502019-05-15 15:38:55 -0700[diff] [blame]2354 #
2355 # ConnectionAbortedError is raised in TLS 1.3 mode, when OpenSSL
2356 # tries to send session tickets after handshake when using WinSock.
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2357 self.server.conn_errors.append(str(e))
2358 if self.server.chatty:
2359 handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n")
2360 self.running = False
2361 self.close()
2362 return False
2363 except (ssl.SSLError, OSError) as e:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2364 # OSError may occur with wrong protocols, e.g. both
2365 # sides use PROTOCOL_TLS_SERVER.
2366 #
2367 # XXX Various errors can have happened here, for example
2368 # a mismatching protocol version, an invalid certificate,
2369 # or a low-level bug. This should be made more discriminating.
2370 #
2371 # bpo-31323: Store the exception as string to prevent
2372 # a reference leak: server -> conn_errors -> exception
2373 # -> traceback -> self (ConnectionHandler) -> server
2374 self.server.conn_errors.append(str(e))
2375 if self.server.chatty:
2376 handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n")
2377 self.running = False
2378 self.server.stop()
2379 self.close()
2380 return False
2381 else:
2382 self.server.shared_ciphers.append(self.sslconn.shared_ciphers())
2383 if self.server.context.verify_mode == ssl.CERT_REQUIRED:
2384 cert = self.sslconn.getpeercert()
2385 if support.verbose and self.server.chatty:
2386 sys.stdout.write(" client cert is " + pprint.pformat(cert) + "\n")
2387 cert_binary = self.sslconn.getpeercert(True)
2388 if support.verbose and self.server.chatty:
2389 sys.stdout.write(" cert binary is " + str(len(cert_binary)) + " bytes\n")
2390 cipher = self.sslconn.cipher()
2391 if support.verbose and self.server.chatty:
2392 sys.stdout.write(" server: connection cipher is now " + str(cipher) + "\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2393 return True
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2394
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2395 def read(self):
2396 if self.sslconn:
2397 return self.sslconn.read()
2398 else:
2399 return self.sock.recv(1024)
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2400
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2401 def write(self, bytes):
2402 if self.sslconn:
2403 return self.sslconn.write(bytes)
2404 else:
2405 return self.sock.send(bytes)
2406
2407 def close(self):
2408 if self.sslconn:
2409 self.sslconn.close()
2410 else:
2411 self.sock.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2412
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2413 def run(self):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2414 self.running = True
2415 if not self.server.starttls_server:
2416 if not self.wrap_conn():
2417 return
2418 while self.running:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2419 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2420 msg = self.read()
2421 stripped = msg.strip()
2422 if not stripped:
2423 # eof, so quit this handler
2424 self.running = False
2425 try:
2426 self.sock = self.sslconn.unwrap()
2427 except OSError:
2428 # Many tests shut the TCP connection down
2429 # without an SSL shutdown. This causes
2430 # unwrap() to raise OSError with errno=0!
2431 pass
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]2432 else:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2433 self.sslconn = None
2434 self.close()
2435 elif stripped == b'over':
2436 if support.verbose and self.server.connectionchatty:
2437 sys.stdout.write(" server: client closed connection\n")
2438 self.close()
2439 return
2440 elif (self.server.starttls_server and
2441 stripped == b'STARTTLS'):
2442 if support.verbose and self.server.connectionchatty:
2443 sys.stdout.write(" server: read STARTTLS from client, sending OK...\n")
2444 self.write(b"OK\n")
2445 if not self.wrap_conn():
2446 return
2447 elif (self.server.starttls_server and self.sslconn
2448 and stripped == b'ENDTLS'):
2449 if support.verbose and self.server.connectionchatty:
2450 sys.stdout.write(" server: read ENDTLS from client, sending OK...\n")
2451 self.write(b"OK\n")
2452 self.sock = self.sslconn.unwrap()
2453 self.sslconn = None
2454 if support.verbose and self.server.connectionchatty:
2455 sys.stdout.write(" server: connection is now unencrypted...\n")
2456 elif stripped == b'CB tls-unique':
2457 if support.verbose and self.server.connectionchatty:
2458 sys.stdout.write(" server: read CB tls-unique from client, sending our CB data...\n")
2459 data = self.sslconn.get_channel_binding("tls-unique")
2460 self.write(repr(data).encode("us-ascii") + b"\n")
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]2461 elif stripped == b'PHA':
2462 if support.verbose and self.server.connectionchatty:
2463 sys.stdout.write(" server: initiating post handshake auth\n")
2464 try:
2465 self.sslconn.verify_client_post_handshake()
2466 except ssl.SSLError as e:
2467 self.write(repr(e).encode("us-ascii") + b"\n")
2468 else:
2469 self.write(b"OK\n")
2470 elif stripped == b'HASCERT':
2471 if self.sslconn.getpeercert() is not None:
2472 self.write(b'TRUE\n')
2473 else:
2474 self.write(b'FALSE\n')
2475 elif stripped == b'GETCERT':
2476 cert = self.sslconn.getpeercert()
2477 self.write(repr(cert).encode("us-ascii") + b"\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2478 else:
2479 if (support.verbose and
2480 self.server.connectionchatty):
2481 ctype = (self.sslconn and "encrypted") or "unencrypted"
2482 sys.stdout.write(" server: read %r (%s), sending back %r (%s)...\n"
2483 % (msg, ctype, msg.lower(), ctype))
2484 self.write(msg.lower())
Paul Monsonfb7e7502019-05-15 15:38:55 -0700[diff] [blame]2485 except (ConnectionResetError, ConnectionAbortedError):
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2486 # XXX: OpenSSL 1.1.1 sometimes raises ConnectionResetError
2487 # when connection is not shut down gracefully.
2488 if self.server.chatty and support.verbose:
2489 sys.stdout.write(
2490 " Connection reset by peer: {}\n".format(
2491 self.addr)
2492 )
2493 self.close()
2494 self.running = False
Paul Monsonfb7e7502019-05-15 15:38:55 -0700[diff] [blame]2495 except ssl.SSLError as err:
2496 # On Windows sometimes test_pha_required_nocert receives the
2497 # PEER_DID_NOT_RETURN_A_CERTIFICATE exception
2498 # before the 'tlsv13 alert certificate required' exception.
2499 # If the server is stopped when PEER_DID_NOT_RETURN_A_CERTIFICATE
2500 # is received test_pha_required_nocert fails with ConnectionResetError
2501 # because the underlying socket is closed
2502 if 'PEER_DID_NOT_RETURN_A_CERTIFICATE' == err.reason:
2503 if self.server.chatty and support.verbose:
2504 sys.stdout.write(err.args[1])
2505 # test_pha_required_nocert is expecting this exception
2506 raise ssl.SSLError('tlsv13 alert certificate required')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2507 except OSError:
2508 if self.server.chatty:
2509 handle_error("Test server failure:\n")
Bill Janssen2f5799b2008-06-29 00:08:12 +0000[diff] [blame]2510 self.close()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2511 self.running = False
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2512
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2513 # normally, we'd just stop here, but for the test
2514 # harness, we want to stop the server
2515 self.server.stop()
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2516
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2517 def __init__(self, certificate=None, ssl_version=None,
2518 certreqs=None, cacerts=None,
2519 chatty=True, connectionchatty=False, starttls_server=False,
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2520 alpn_protocols=None,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2521 ciphers=None, context=None):
2522 if context:
2523 self.context = context
2524 else:
2525 self.context = ssl.SSLContext(ssl_version
2526 if ssl_version is not None
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2527 else ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2528 self.context.verify_mode = (certreqs if certreqs is not None
2529 else ssl.CERT_NONE)
2530 if cacerts:
2531 self.context.load_verify_locations(cacerts)
2532 if certificate:
2533 self.context.load_cert_chain(certificate)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2534 if alpn_protocols:
2535 self.context.set_alpn_protocols(alpn_protocols)
2536 if ciphers:
2537 self.context.set_ciphers(ciphers)
2538 self.chatty = chatty
2539 self.connectionchatty = connectionchatty
2540 self.starttls_server = starttls_server
2541 self.sock = socket.socket()
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]2542 self.port = socket_helper.bind_port(self.sock)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2543 self.flag = None
2544 self.active = False
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2545 self.selected_alpn_protocols = []
2546 self.shared_ciphers = []
2547 self.conn_errors = []
2548 threading.Thread.__init__(self)
2549 self.daemon = True
2550
2551 def __enter__(self):
2552 self.start(threading.Event())
2553 self.flag.wait()
2554 return self
2555
2556 def __exit__(self, *args):
2557 self.stop()
2558 self.join()
2559
2560 def start(self, flag=None):
2561 self.flag = flag
2562 threading.Thread.start(self)
2563
2564 def run(self):
2565 self.sock.settimeout(0.05)
2566 self.sock.listen()
2567 self.active = True
2568 if self.flag:
2569 # signal an event
2570 self.flag.set()
2571 while self.active:
2572 try:
2573 newconn, connaddr = self.sock.accept()
2574 if support.verbose and self.chatty:
2575 sys.stdout.write(' server: new connection from '
2576 + repr(connaddr) + '\n')
2577 handler = self.ConnectionHandler(self, newconn, connaddr)
2578 handler.start()
2579 handler.join()
Christian Heimes03c8ddd2020-11-20 09:26:07 +0100[diff] [blame]2580 except TimeoutError:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2581 pass
2582 except KeyboardInterrupt:
2583 self.stop()
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2584 except BaseException as e:
2585 if support.verbose and self.chatty:
2586 sys.stdout.write(
2587 ' connection handling failed: ' + repr(e) + '\n')
2588
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2589 self.sock.close()
2590
2591 def stop(self):
2592 self.active = False
2593
2594class AsyncoreEchoServer(threading.Thread):
2595
2596 # this one's based on asyncore.dispatcher
2597
2598 class EchoServer (asyncore.dispatcher):
2599
2600 class ConnectionHandler(asyncore.dispatcher_with_send):
2601
2602 def __init__(self, conn, certfile):
2603 self.socket = test_wrap_socket(conn, server_side=True,
2604 certfile=certfile,
2605 do_handshake_on_connect=False)
2606 asyncore.dispatcher_with_send.__init__(self, self.socket)
2607 self._ssl_accepting = True
2608 self._do_ssl_handshake()
2609
2610 def readable(self):
2611 if isinstance(self.socket, ssl.SSLSocket):
2612 while self.socket.pending() > 0:
2613 self.handle_read_event()
2614 return True
2615
2616 def _do_ssl_handshake(self):
2617 try:
2618 self.socket.do_handshake()
2619 except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
2620 return
2621 except ssl.SSLEOFError:
2622 return self.handle_close()
2623 except ssl.SSLError:
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2624 raise
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2625 except OSError as err:
2626 if err.args[0] == errno.ECONNABORTED:
2627 return self.handle_close()
2628 else:
2629 self._ssl_accepting = False
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2630
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2631 def handle_read(self):
2632 if self._ssl_accepting:
2633 self._do_ssl_handshake()
2634 else:
2635 data = self.recv(1024)
2636 if support.verbose:
2637 sys.stdout.write(" server: read %s from client\n" % repr(data))
2638 if not data:
2639 self.close()
2640 else:
2641 self.send(data.lower())
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2642
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2643 def handle_close(self):
2644 self.close()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2645 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2646 sys.stdout.write(" server: closed connection %s\n" % self.socket)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2647
2648 def handle_error(self):
2649 raise
2650
Trent Nelson78520002008-04-10 20:54:35 +0000[diff] [blame]2651 def __init__(self, certfile):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2652 self.certfile = certfile
2653 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]2654 self.port = socket_helper.bind_port(sock, '')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2655 asyncore.dispatcher.__init__(self, sock)
2656 self.listen(5)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2657
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2658 def handle_accepted(self, sock_obj, addr):
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2659 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2660 sys.stdout.write(" server: new connection from %s:%s\n" %addr)
2661 self.ConnectionHandler(sock_obj, self.certfile)
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2662
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2663 def handle_error(self):
2664 raise
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2665
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2666 def __init__(self, certfile):
2667 self.flag = None
2668 self.active = False
2669 self.server = self.EchoServer(certfile)
2670 self.port = self.server.port
2671 threading.Thread.__init__(self)
2672 self.daemon = True
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2673
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2674 def __str__(self):
2675 return "<%s %s>" % (self.__class__.__name__, self.server)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2676
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2677 def __enter__(self):
2678 self.start(threading.Event())
2679 self.flag.wait()
2680 return self
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]2681
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2682 def __exit__(self, *args):
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2683 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2684 sys.stdout.write(" cleanup: stopping server.\n")
2685 self.stop()
2686 if support.verbose:
2687 sys.stdout.write(" cleanup: joining server thread.\n")
2688 self.join()
2689 if support.verbose:
2690 sys.stdout.write(" cleanup: successfully joined.\n")
2691 # make sure that ConnectionHandler is removed from socket_map
2692 asyncore.close_all(ignore_all=True)
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]2693
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2694 def start (self, flag=None):
2695 self.flag = flag
2696 threading.Thread.start(self)
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]2697
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2698 def run(self):
2699 self.active = True
2700 if self.flag:
2701 self.flag.set()
2702 while self.active:
Antoine Pitrou773b5db2010-04-27 08:53:36 +0000[diff] [blame]2703 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2704 asyncore.loop(1)
2705 except:
2706 pass
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2707
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2708 def stop(self):
2709 self.active = False
2710 self.server.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2711
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2712def server_params_test(client_context, server_context, indata=b"FOO\n",
2713 chatty=True, connectionchatty=False, sni_name=None,
2714 session=None):
2715 """
2716 Launch a server, connect a client to it and try various reads
2717 and writes.
2718 """
2719 stats = {}
2720 server = ThreadedEchoServer(context=server_context,
2721 chatty=chatty,
2722 connectionchatty=False)
2723 with server:
2724 with client_context.wrap_socket(socket.socket(),
2725 server_hostname=sni_name, session=session) as s:
2726 s.connect((HOST, server.port))
2727 for arg in [indata, bytearray(indata), memoryview(indata)]:
2728 if connectionchatty:
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2729 if support.verbose:
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2730 sys.stdout.write(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2731 " client: sending %r...\n" % indata)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2732 s.write(arg)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2733 outdata = s.read()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2734 if connectionchatty:
2735 if support.verbose:
2736 sys.stdout.write(" client: read %r\n" % outdata)
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2737 if outdata != indata.lower():
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2738 raise AssertionError(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2739 "bad data <<%r>> (%d) received; expected <<%r>> (%d)\n"
2740 % (outdata[:20], len(outdata),
2741 indata[:20].lower(), len(indata)))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2742 s.write(b"over\n")
2743 if connectionchatty:
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2744 if support.verbose:
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2745 sys.stdout.write(" client: closing connection.\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2746 stats.update({
2747 'compression': s.compression(),
2748 'cipher': s.cipher(),
2749 'peercert': s.getpeercert(),
2750 'client_alpn_protocol': s.selected_alpn_protocol(),
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2751 'version': s.version(),
2752 'session_reused': s.session_reused,
2753 'session': s.session,
2754 })
2755 s.close()
2756 stats['server_alpn_protocols'] = server.selected_alpn_protocols
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2757 stats['server_shared_ciphers'] = server.shared_ciphers
2758 return stats
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2759
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2760def try_protocol_combo(server_protocol, client_protocol, expect_success,
2761 certsreqs=None, server_options=0, client_options=0):
2762 """
2763 Try to SSL-connect using *client_protocol* to *server_protocol*.
2764 If *expect_success* is true, assert that the connection succeeds,
2765 if it's false, assert that the connection fails.
2766 Also, if *expect_success* is a string, assert that it is the protocol
2767 version actually used by the connection.
2768 """
2769 if certsreqs is None:
2770 certsreqs = ssl.CERT_NONE
2771 certtype = {
2772 ssl.CERT_NONE: "CERT_NONE",
2773 ssl.CERT_OPTIONAL: "CERT_OPTIONAL",
2774 ssl.CERT_REQUIRED: "CERT_REQUIRED",
2775 }[certsreqs]
2776 if support.verbose:
2777 formatstr = (expect_success and " %s->%s %s\n") or " {%s->%s} %s\n"
2778 sys.stdout.write(formatstr %
2779 (ssl.get_protocol_name(client_protocol),
2780 ssl.get_protocol_name(server_protocol),
2781 certtype))
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2782
2783 with warnings_helper.check_warnings():
2784 # ignore Deprecation warnings
2785 client_context = ssl.SSLContext(client_protocol)
2786 client_context.options |= client_options
2787 server_context = ssl.SSLContext(server_protocol)
2788 server_context.options |= server_options
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2789
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]2790 min_version = PROTOCOL_TO_TLS_VERSION.get(client_protocol, None)
2791 if (min_version is not None
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2792 # SSLContext.minimum_version is only available on recent OpenSSL
2793 # (setter added in OpenSSL 1.1.0, getter added in OpenSSL 1.1.1)
2794 and hasattr(server_context, 'minimum_version')
2795 and server_protocol == ssl.PROTOCOL_TLS
2796 and server_context.minimum_version > min_version
2797 ):
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]2798 # If OpenSSL configuration is strict and requires more recent TLS
2799 # version, we have to change the minimum to test old TLS versions.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2800 with warnings_helper.check_warnings():
2801 server_context.minimum_version = min_version
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]2802
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2803 # NOTE: we must enable "ALL" ciphers on the client, otherwise an
2804 # SSLv23 client will send an SSLv3 hello (rather than SSLv2)
2805 # starting from OpenSSL 1.0.0 (see issue #8322).
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2806 if client_context.protocol == ssl.PROTOCOL_TLS:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2807 client_context.set_ciphers("ALL")
2808
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]2809 seclevel_workaround(server_context, client_context)
2810
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2811 for ctx in (client_context, server_context):
2812 ctx.verify_mode = certsreqs
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]2813 ctx.load_cert_chain(SIGNED_CERTFILE)
2814 ctx.load_verify_locations(SIGNING_CA)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2815 try:
2816 stats = server_params_test(client_context, server_context,
2817 chatty=False, connectionchatty=False)
2818 # Protocol mismatch can result in either an SSLError, or a
2819 # "Connection reset by peer" error.
2820 except ssl.SSLError:
2821 if expect_success:
2822 raise
2823 except OSError as e:
2824 if expect_success or e.errno != errno.ECONNRESET:
2825 raise
2826 else:
2827 if not expect_success:
2828 raise AssertionError(
2829 "Client protocol %s succeeded with server protocol %s!"
2830 % (ssl.get_protocol_name(client_protocol),
2831 ssl.get_protocol_name(server_protocol)))
2832 elif (expect_success is not True
2833 and expect_success != stats['version']):
2834 raise AssertionError("version mismatch: expected %r, got %r"
2835 % (expect_success, stats['version']))
2836
2837
2838class ThreadedTests(unittest.TestCase):
2839
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2840 def test_echo(self):
2841 """Basic test of an SSL client connecting to a server"""
2842 if support.verbose:
2843 sys.stdout.write("\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2844
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2845 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2846
2847 with self.subTest(client=ssl.PROTOCOL_TLS_CLIENT, server=ssl.PROTOCOL_TLS_SERVER):
2848 server_params_test(client_context=client_context,
2849 server_context=server_context,
2850 chatty=True, connectionchatty=True,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2851 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2852
2853 client_context.check_hostname = False
2854 with self.subTest(client=ssl.PROTOCOL_TLS_SERVER, server=ssl.PROTOCOL_TLS_CLIENT):
2855 with self.assertRaises(ssl.SSLError) as e:
2856 server_params_test(client_context=server_context,
2857 server_context=client_context,
2858 chatty=True, connectionchatty=True,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2859 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2860 self.assertIn('called a function you should not call',
2861 str(e.exception))
2862
2863 with self.subTest(client=ssl.PROTOCOL_TLS_SERVER, server=ssl.PROTOCOL_TLS_SERVER):
2864 with self.assertRaises(ssl.SSLError) as e:
2865 server_params_test(client_context=server_context,
2866 server_context=server_context,
2867 chatty=True, connectionchatty=True)
2868 self.assertIn('called a function you should not call',
2869 str(e.exception))
2870
2871 with self.subTest(client=ssl.PROTOCOL_TLS_CLIENT, server=ssl.PROTOCOL_TLS_CLIENT):
2872 with self.assertRaises(ssl.SSLError) as e:
2873 server_params_test(client_context=server_context,
2874 server_context=client_context,
2875 chatty=True, connectionchatty=True)
2876 self.assertIn('called a function you should not call',
2877 str(e.exception))
2878
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2879 def test_getpeercert(self):
2880 if support.verbose:
2881 sys.stdout.write("\n")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2882
2883 client_context, server_context, hostname = testing_context()
2884 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2885 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2886 with client_context.wrap_socket(socket.socket(),
2887 do_handshake_on_connect=False,
2888 server_hostname=hostname) as s:
2889 s.connect((HOST, server.port))
2890 # getpeercert() raise ValueError while the handshake isn't
2891 # done.
2892 with self.assertRaises(ValueError):
2893 s.getpeercert()
2894 s.do_handshake()
2895 cert = s.getpeercert()
2896 self.assertTrue(cert, "Can't get peer certificate.")
2897 cipher = s.cipher()
2898 if support.verbose:
2899 sys.stdout.write(pprint.pformat(cert) + '\n')
2900 sys.stdout.write("Connection cipher is " + str(cipher) + '.\n')
2901 if 'subject' not in cert:
2902 self.fail("No subject field in certificate: %s." %
2903 pprint.pformat(cert))
2904 if ((('organizationName', 'Python Software Foundation'),)
2905 not in cert['subject']):
2906 self.fail(
2907 "Missing or invalid 'organizationName' field in certificate subject; "
2908 "should be 'Python Software Foundation'.")
2909 self.assertIn('notBefore', cert)
2910 self.assertIn('notAfter', cert)
2911 before = ssl.cert_time_to_seconds(cert['notBefore'])
2912 after = ssl.cert_time_to_seconds(cert['notAfter'])
2913 self.assertLess(before, after)
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2914
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2915 def test_crl_check(self):
2916 if support.verbose:
2917 sys.stdout.write("\n")
2918
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2919 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2920
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2921 tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2922 self.assertEqual(client_context.verify_flags, ssl.VERIFY_DEFAULT | tf)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2923
2924 # VERIFY_DEFAULT should pass
2925 server = ThreadedEchoServer(context=server_context, chatty=True)
2926 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2927 with client_context.wrap_socket(socket.socket(),
2928 server_hostname=hostname) as s:
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2929 s.connect((HOST, server.port))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2930 cert = s.getpeercert()
2931 self.assertTrue(cert, "Can't get peer certificate.")
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2932
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2933 # VERIFY_CRL_CHECK_LEAF without a loaded CRL file fails
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2934 client_context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2935
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2936 server = ThreadedEchoServer(context=server_context, chatty=True)
2937 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2938 with client_context.wrap_socket(socket.socket(),
2939 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2940 with self.assertRaisesRegex(ssl.SSLError,
2941 "certificate verify failed"):
2942 s.connect((HOST, server.port))
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2943
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2944 # now load a CRL file. The CRL file is signed by the CA.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2945 client_context.load_verify_locations(CRLFILE)
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2946
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2947 server = ThreadedEchoServer(context=server_context, chatty=True)
2948 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2949 with client_context.wrap_socket(socket.socket(),
2950 server_hostname=hostname) as s:
Antoine Pitroub4bebda2014-04-29 10:03:28 +0200[diff] [blame]2951 s.connect((HOST, server.port))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2952 cert = s.getpeercert()
2953 self.assertTrue(cert, "Can't get peer certificate.")
Antoine Pitroub4bebda2014-04-29 10:03:28 +0200[diff] [blame]2954
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2955 def test_check_hostname(self):
2956 if support.verbose:
2957 sys.stdout.write("\n")
Antoine Pitroub4bebda2014-04-29 10:03:28 +0200[diff] [blame]2958
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2959 client_context, server_context, hostname = testing_context()
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]2960
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2961 # correct hostname should verify
2962 server = ThreadedEchoServer(context=server_context, chatty=True)
2963 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2964 with client_context.wrap_socket(socket.socket(),
2965 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2966 s.connect((HOST, server.port))
2967 cert = s.getpeercert()
2968 self.assertTrue(cert, "Can't get peer certificate.")
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]2969
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2970 # incorrect hostname should raise an exception
2971 server = ThreadedEchoServer(context=server_context, chatty=True)
2972 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2973 with client_context.wrap_socket(socket.socket(),
2974 server_hostname="invalid") as s:
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]2975 with self.assertRaisesRegex(
2976 ssl.CertificateError,
2977 "Hostname mismatch, certificate is not valid for 'invalid'."):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2978 s.connect((HOST, server.port))
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]2979
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2980 # missing server_hostname arg should cause an exception, too
2981 server = ThreadedEchoServer(context=server_context, chatty=True)
2982 with server:
2983 with socket.socket() as s:
2984 with self.assertRaisesRegex(ValueError,
2985 "check_hostname requires server_hostname"):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2986 client_context.wrap_socket(s)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2987
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]2988 @unittest.skipUnless(
2989 ssl.HAS_NEVER_CHECK_COMMON_NAME, "test requires hostname_checks_common_name"
2990 )
2991 def test_hostname_checks_common_name(self):
2992 client_context, server_context, hostname = testing_context()
2993 assert client_context.hostname_checks_common_name
2994 client_context.hostname_checks_common_name = False
2995
2996 # default cert has a SAN
2997 server = ThreadedEchoServer(context=server_context, chatty=True)
2998 with server:
2999 with client_context.wrap_socket(socket.socket(),
3000 server_hostname=hostname) as s:
3001 s.connect((HOST, server.port))
3002
3003 client_context, server_context, hostname = testing_context(NOSANFILE)
3004 client_context.hostname_checks_common_name = False
3005 server = ThreadedEchoServer(context=server_context, chatty=True)
3006 with server:
3007 with client_context.wrap_socket(socket.socket(),
3008 server_hostname=hostname) as s:
3009 with self.assertRaises(ssl.SSLCertVerificationError):
3010 s.connect((HOST, server.port))
3011
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3012 def test_ecc_cert(self):
3013 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3014 client_context.load_verify_locations(SIGNING_CA)
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3015 client_context.set_ciphers('ECDHE:ECDSA:!NULL:!aRSA')
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3016 hostname = SIGNED_CERTFILE_ECC_HOSTNAME
3017
3018 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
3019 # load ECC cert
3020 server_context.load_cert_chain(SIGNED_CERTFILE_ECC)
3021
3022 # correct hostname should verify
3023 server = ThreadedEchoServer(context=server_context, chatty=True)
3024 with server:
3025 with client_context.wrap_socket(socket.socket(),
3026 server_hostname=hostname) as s:
3027 s.connect((HOST, server.port))
3028 cert = s.getpeercert()
3029 self.assertTrue(cert, "Can't get peer certificate.")
3030 cipher = s.cipher()[0].split('-')
3031 self.assertTrue(cipher[:2], ('ECDHE', 'ECDSA'))
3032
3033 def test_dual_rsa_ecc(self):
3034 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3035 client_context.load_verify_locations(SIGNING_CA)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3036 # TODO: fix TLSv1.3 once SSLContext can restrict signature
3037 # algorithms.
3038 client_context.options |= ssl.OP_NO_TLSv1_3
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3039 # only ECDSA certs
3040 client_context.set_ciphers('ECDHE:ECDSA:!NULL:!aRSA')
3041 hostname = SIGNED_CERTFILE_ECC_HOSTNAME
3042
3043 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
3044 # load ECC and RSA key/cert pairs
3045 server_context.load_cert_chain(SIGNED_CERTFILE_ECC)
3046 server_context.load_cert_chain(SIGNED_CERTFILE)
3047
3048 # correct hostname should verify
3049 server = ThreadedEchoServer(context=server_context, chatty=True)
3050 with server:
3051 with client_context.wrap_socket(socket.socket(),
3052 server_hostname=hostname) as s:
3053 s.connect((HOST, server.port))
3054 cert = s.getpeercert()
3055 self.assertTrue(cert, "Can't get peer certificate.")
3056 cipher = s.cipher()[0].split('-')
3057 self.assertTrue(cipher[:2], ('ECDHE', 'ECDSA'))
3058
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3059 def test_check_hostname_idn(self):
3060 if support.verbose:
3061 sys.stdout.write("\n")
3062
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3063 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3064 server_context.load_cert_chain(IDNSANSFILE)
3065
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3066 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3067 context.verify_mode = ssl.CERT_REQUIRED
3068 context.check_hostname = True
3069 context.load_verify_locations(SIGNING_CA)
3070
3071 # correct hostname should verify, when specified in several
3072 # different ways
3073 idn_hostnames = [
3074 ('könig.idn.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3075 'xn--knig-5qa.idn.pythontest.net'),
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3076 ('xn--knig-5qa.idn.pythontest.net',
3077 'xn--knig-5qa.idn.pythontest.net'),
3078 (b'xn--knig-5qa.idn.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3079 'xn--knig-5qa.idn.pythontest.net'),
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3080
3081 ('königsgäßchen.idna2003.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3082 'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3083 ('xn--knigsgsschen-lcb0w.idna2003.pythontest.net',
3084 'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
3085 (b'xn--knigsgsschen-lcb0w.idna2003.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3086 'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
3087
3088 # ('königsgäßchen.idna2008.pythontest.net',
3089 # 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
3090 ('xn--knigsgchen-b4a3dun.idna2008.pythontest.net',
3091 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
3092 (b'xn--knigsgchen-b4a3dun.idna2008.pythontest.net',
3093 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
3094
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3095 ]
3096 for server_hostname, expected_hostname in idn_hostnames:
3097 server = ThreadedEchoServer(context=server_context, chatty=True)
3098 with server:
3099 with context.wrap_socket(socket.socket(),
3100 server_hostname=server_hostname) as s:
3101 self.assertEqual(s.server_hostname, expected_hostname)
3102 s.connect((HOST, server.port))
3103 cert = s.getpeercert()
3104 self.assertEqual(s.server_hostname, expected_hostname)
3105 self.assertTrue(cert, "Can't get peer certificate.")
3106
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3107 # incorrect hostname should raise an exception
3108 server = ThreadedEchoServer(context=server_context, chatty=True)
3109 with server:
3110 with context.wrap_socket(socket.socket(),
3111 server_hostname="python.example.org") as s:
3112 with self.assertRaises(ssl.CertificateError):
3113 s.connect((HOST, server.port))
3114
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3115 def test_wrong_cert_tls12(self):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3116 """Connecting when the server rejects the client's certificate
3117
3118 Launch a server with CERT_REQUIRED, and check that trying to
3119 connect to it with a wrong client certificate fails.
3120 """
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3121 client_context, server_context, hostname = testing_context()
Christian Heimes88bfd0b2018-08-14 12:54:19 +0200[diff] [blame]3122 # load client cert that is not signed by trusted CA
3123 client_context.load_cert_chain(CERTFILE)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3124 # require TLS client authentication
3125 server_context.verify_mode = ssl.CERT_REQUIRED
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3126 # TLS 1.3 has different handshake
3127 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3128
3129 server = ThreadedEchoServer(
3130 context=server_context, chatty=True, connectionchatty=True,
3131 )
3132
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3133 with server, \
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3134 client_context.wrap_socket(socket.socket(),
3135 server_hostname=hostname) as s:
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]3136 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3137 # Expect either an SSL error about the server rejecting
3138 # the connection, or a low-level connection reset (which
3139 # sometimes happens on Windows)
3140 s.connect((HOST, server.port))
3141 except ssl.SSLError as e:
3142 if support.verbose:
3143 sys.stdout.write("\nSSLError is %r\n" % e)
3144 except OSError as e:
3145 if e.errno != errno.ECONNRESET:
3146 raise
3147 if support.verbose:
3148 sys.stdout.write("\nsocket.error is %r\n" % e)
3149 else:
3150 self.fail("Use of invalid cert should have failed!")
3151
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3152 @requires_tls_version('TLSv1_3')
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3153 def test_wrong_cert_tls13(self):
3154 client_context, server_context, hostname = testing_context()
Christian Heimes88bfd0b2018-08-14 12:54:19 +0200[diff] [blame]3155 # load client cert that is not signed by trusted CA
3156 client_context.load_cert_chain(CERTFILE)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3157 server_context.verify_mode = ssl.CERT_REQUIRED
3158 server_context.minimum_version = ssl.TLSVersion.TLSv1_3
3159 client_context.minimum_version = ssl.TLSVersion.TLSv1_3
3160
3161 server = ThreadedEchoServer(
3162 context=server_context, chatty=True, connectionchatty=True,
3163 )
3164 with server, \
3165 client_context.wrap_socket(socket.socket(),
3166 server_hostname=hostname) as s:
3167 # TLS 1.3 perform client cert exchange after handshake
3168 s.connect((HOST, server.port))
3169 try:
3170 s.write(b'data')
Christian Heimese0472392021-04-23 20:03:25 +0200[diff] [blame]3171 s.read(1000)
3172 s.write(b'should have failed already')
3173 s.read(1000)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3174 except ssl.SSLError as e:
3175 if support.verbose:
3176 sys.stdout.write("\nSSLError is %r\n" % e)
3177 except OSError as e:
3178 if e.errno != errno.ECONNRESET:
3179 raise
3180 if support.verbose:
3181 sys.stdout.write("\nsocket.error is %r\n" % e)
3182 else:
Christian Heimese0472392021-04-23 20:03:25 +0200[diff] [blame]3183 if sys.platform == "win32":
3184 self.skipTest(
3185 "Ignoring failed test_wrong_cert_tls13 test case. "
3186 "The test is flaky on Windows, see bpo-43921."
3187 )
3188 else:
3189 self.fail("Use of invalid cert should have failed!")
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3190
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3191 def test_rude_shutdown(self):
3192 """A brutal shutdown of an SSL server should raise an OSError
3193 in the client when attempting handshake.
3194 """
3195 listener_ready = threading.Event()
3196 listener_gone = threading.Event()
3197
3198 s = socket.socket()
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]3199 port = socket_helper.bind_port(s, HOST)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3200
3201 # `listener` runs in a thread. It sits in an accept() until
3202 # the main thread connects. Then it rudely closes the socket,
3203 # and sets Event `listener_gone` to let the main thread know
3204 # the socket is gone.
3205 def listener():
3206 s.listen()
3207 listener_ready.set()
3208 newsock, addr = s.accept()
3209 newsock.close()
3210 s.close()
3211 listener_gone.set()
3212
3213 def connector():
3214 listener_ready.wait()
3215 with socket.socket() as c:
3216 c.connect((HOST, port))
3217 listener_gone.wait()
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]3218 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3219 ssl_sock = test_wrap_socket(c)
3220 except OSError:
3221 pass
3222 else:
3223 self.fail('connecting to closed SSL socket should have failed')
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]3224
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3225 t = threading.Thread(target=listener)
3226 t.start()
3227 try:
3228 connector()
3229 finally:
Antoine Pitrou5c89b4e2012-11-11 01:25:36 +0100[diff] [blame]3230 t.join()
Antoine Pitrou5c89b4e2012-11-11 01:25:36 +0100[diff] [blame]3231
Christian Heimesb3ad0e52017-09-08 12:00:19 -0700[diff] [blame]3232 def test_ssl_cert_verify_error(self):
3233 if support.verbose:
3234 sys.stdout.write("\n")
3235
3236 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
3237 server_context.load_cert_chain(SIGNED_CERTFILE)
3238
3239 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3240
3241 server = ThreadedEchoServer(context=server_context, chatty=True)
3242 with server:
3243 with context.wrap_socket(socket.socket(),
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3244 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Christian Heimesb3ad0e52017-09-08 12:00:19 -0700[diff] [blame]3245 try:
3246 s.connect((HOST, server.port))
3247 except ssl.SSLError as e:
3248 msg = 'unable to get local issuer certificate'
3249 self.assertIsInstance(e, ssl.SSLCertVerificationError)
3250 self.assertEqual(e.verify_code, 20)
3251 self.assertEqual(e.verify_message, msg)
3252 self.assertIn(msg, repr(e))
3253 self.assertIn('certificate verify failed', repr(e))
3254
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3255 @requires_tls_version('SSLv2')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3256 def test_protocol_sslv2(self):
3257 """Connecting to an SSLv2 server with various client options"""
3258 if support.verbose:
3259 sys.stdout.write("\n")
3260 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
3261 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)
3262 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3263 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLS, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3264 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3265 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)
3266 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)
3267 # SSLv23 client with specific SSL options
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3268 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3269 client_options=ssl.OP_NO_SSLv3)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3270 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3271 client_options=ssl.OP_NO_TLSv1)
Antoine Pitrou242db722013-05-01 20:52:07 +0200[diff] [blame]3272
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3273 def test_PROTOCOL_TLS(self):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3274 """Connecting to an SSLv23 server with various client options"""
3275 if support.verbose:
3276 sys.stdout.write("\n")
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3277 if has_tls_version('SSLv2'):
Antoine Pitrou8f85f902012-01-03 22:46:48 +0100[diff] [blame]3278 try:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3279 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv2, True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3280 except OSError as x:
3281 # this fails on some older versions of OpenSSL (0.9.7l, for instance)
3282 if support.verbose:
3283 sys.stdout.write(
3284 " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
3285 % str(x))
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3286 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3287 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False)
3288 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3289 if has_tls_version('TLSv1'):
3290 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1')
Antoine Pitrou8f85f902012-01-03 22:46:48 +0100[diff] [blame]3291
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3292 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3293 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)
3294 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True, ssl.CERT_OPTIONAL)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3295 if has_tls_version('TLSv1'):
3296 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3297
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3298 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3299 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)
3300 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True, ssl.CERT_REQUIRED)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3301 if has_tls_version('TLSv1'):
3302 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3303
3304 # Server with specific SSL options
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3305 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3306 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3307 server_options=ssl.OP_NO_SSLv3)
3308 # Will choose TLSv1
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3309 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3310 server_options=ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3311 if has_tls_version('TLSv1'):
3312 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, False,
3313 server_options=ssl.OP_NO_TLSv1)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3314
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3315 @requires_tls_version('SSLv3')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3316 def test_protocol_sslv3(self):
3317 """Connecting to an SSLv3 server with various client options"""
3318 if support.verbose:
3319 sys.stdout.write("\n")
3320 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3')
3321 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_OPTIONAL)
3322 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_REQUIRED)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3323 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3324 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3325 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3326 client_options=ssl.OP_NO_SSLv3)
3327 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3328
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3329 @requires_tls_version('TLSv1')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3330 def test_protocol_tlsv1(self):
3331 """Connecting to a TLSv1 server with various client options"""
3332 if support.verbose:
3333 sys.stdout.write("\n")
3334 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1')
3335 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
3336 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3337 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3338 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3339 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3340 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3341 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3342 client_options=ssl.OP_NO_TLSv1)
3343
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3344 @requires_tls_version('TLSv1_1')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3345 def test_protocol_tlsv1_1(self):
3346 """Connecting to a TLSv1.1 server with various client options.
3347 Testing against older TLS versions."""
3348 if support.verbose:
3349 sys.stdout.write("\n")
3350 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3351 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3352 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv2, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3353 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3354 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv3, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3355 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3356 client_options=ssl.OP_NO_TLSv1_1)
3357
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3358 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3359 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, False)
3360 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_1, False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3361
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3362 @requires_tls_version('TLSv1_2')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3363 def test_protocol_tlsv1_2(self):
3364 """Connecting to a TLSv1.2 server with various client options.
3365 Testing against older TLS versions."""
3366 if support.verbose:
3367 sys.stdout.write("\n")
3368 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_2, 'TLSv1.2',
3369 server_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,
3370 client_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3371 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3372 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv2, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3373 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3374 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv3, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3375 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3376 client_options=ssl.OP_NO_TLSv1_2)
3377
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3378 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_2, 'TLSv1.2')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3379 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1, False)
3380 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_2, False)
3381 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_1, False)
3382 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, False)
3383
3384 def test_starttls(self):
3385 """Switching from clear text to encrypted and back again."""
3386 msgs = (b"msg 1", b"MSG 2", b"STARTTLS", b"MSG 3", b"msg 4", b"ENDTLS", b"msg 5", b"msg 6")
3387
3388 server = ThreadedEchoServer(CERTFILE,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3389 starttls_server=True,
3390 chatty=True,
3391 connectionchatty=True)
3392 wrapped = False
3393 with server:
3394 s = socket.socket()
Serhiy Storchaka5eca7f32019-09-01 12:12:52 +0300[diff] [blame]3395 s.setblocking(True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3396 s.connect((HOST, server.port))
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]3397 if support.verbose:
3398 sys.stdout.write("\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3399 for indata in msgs:
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]3400 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3401 sys.stdout.write(
3402 " client: sending %r...\n" % indata)
3403 if wrapped:
3404 conn.write(indata)
3405 outdata = conn.read()
3406 else:
3407 s.send(indata)
3408 outdata = s.recv(1024)
3409 msg = outdata.strip().lower()
3410 if indata == b"STARTTLS" and msg.startswith(b"ok"):
3411 # STARTTLS ok, switch to secure mode
3412 if support.verbose:
3413 sys.stdout.write(
3414 " client: read %r from server, starting TLS...\n"
3415 % msg)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3416 conn = test_wrap_socket(s)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3417 wrapped = True
3418 elif indata == b"ENDTLS" and msg.startswith(b"ok"):
3419 # ENDTLS ok, switch back to clear text
3420 if support.verbose:
3421 sys.stdout.write(
3422 " client: read %r from server, ending TLS...\n"
3423 % msg)
3424 s = conn.unwrap()
3425 wrapped = False
3426 else:
3427 if support.verbose:
3428 sys.stdout.write(
3429 " client: read %r from server\n" % msg)
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]3430 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3431 sys.stdout.write(" client: closing connection.\n")
3432 if wrapped:
3433 conn.write(b"over\n")
3434 else:
3435 s.send(b"over\n")
3436 if wrapped:
3437 conn.close()
3438 else:
3439 s.close()
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]3440
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3441 def test_socketserver(self):
3442 """Using socketserver to create and manage SSL connections."""
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3443 server = make_https_server(self, certfile=SIGNED_CERTFILE)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3444 # try to connect
3445 if support.verbose:
3446 sys.stdout.write('\n')
3447 with open(CERTFILE, 'rb') as f:
3448 d1 = f.read()
3449 d2 = ''
3450 # now fetch the same data from the HTTPS server
3451 url = 'https://localhost:%d/%s' % (
3452 server.port, os.path.split(CERTFILE)[1])
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3453 context = ssl.create_default_context(cafile=SIGNING_CA)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3454 f = urllib.request.urlopen(url, context=context)
3455 try:
3456 dlen = f.info().get("content-length")
3457 if dlen and (int(dlen) > 0):
3458 d2 = f.read(int(dlen))
3459 if support.verbose:
3460 sys.stdout.write(
3461 " client: read %d bytes from remote server '%s'\n"
3462 % (len(d2), server))
3463 finally:
3464 f.close()
3465 self.assertEqual(d1, d2)
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]3466
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3467 def test_asyncore_server(self):
3468 """Check the example asyncore integration."""
3469 if support.verbose:
3470 sys.stdout.write("\n")
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]3471
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3472 indata = b"FOO\n"
3473 server = AsyncoreEchoServer(CERTFILE)
3474 with server:
3475 s = test_wrap_socket(socket.socket())
3476 s.connect(('127.0.0.1', server.port))
3477 if support.verbose:
3478 sys.stdout.write(
3479 " client: sending %r...\n" % indata)
3480 s.write(indata)
3481 outdata = s.read()
3482 if support.verbose:
3483 sys.stdout.write(" client: read %r\n" % outdata)
3484 if outdata != indata.lower():
3485 self.fail(
3486 "bad data <<%r>> (%d) received; expected <<%r>> (%d)\n"
3487 % (outdata[:20], len(outdata),
3488 indata[:20].lower(), len(indata)))
3489 s.write(b"over\n")
3490 if support.verbose:
3491 sys.stdout.write(" client: closing connection.\n")
3492 s.close()
3493 if support.verbose:
3494 sys.stdout.write(" client: connection closed.\n")
Benjamin Petersoncca27322015-01-23 16:35:37 -0500[diff] [blame]3495
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3496 def test_recv_send(self):
3497 """Test recv(), send() and friends."""
3498 if support.verbose:
3499 sys.stdout.write("\n")
3500
3501 server = ThreadedEchoServer(CERTFILE,
3502 certreqs=ssl.CERT_NONE,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3503 ssl_version=ssl.PROTOCOL_TLS_SERVER,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3504 cacerts=CERTFILE,
3505 chatty=True,
3506 connectionchatty=False)
3507 with server:
3508 s = test_wrap_socket(socket.socket(),
3509 server_side=False,
3510 certfile=CERTFILE,
3511 ca_certs=CERTFILE,
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3512 cert_reqs=ssl.CERT_NONE)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3513 s.connect((HOST, server.port))
3514 # helper methods for standardising recv* method signatures
3515 def _recv_into():
3516 b = bytearray(b"\0"*100)
3517 count = s.recv_into(b)
3518 return b[:count]
3519
3520 def _recvfrom_into():
3521 b = bytearray(b"\0"*100)
3522 count, addr = s.recvfrom_into(b)
3523 return b[:count]
3524
3525 # (name, method, expect success?, *args, return value func)
3526 send_methods = [
3527 ('send', s.send, True, [], len),
3528 ('sendto', s.sendto, False, ["some.address"], len),
3529 ('sendall', s.sendall, True, [], lambda x: None),
3530 ]
3531 # (name, method, whether to expect success, *args)
3532 recv_methods = [
3533 ('recv', s.recv, True, []),
3534 ('recvfrom', s.recvfrom, False, ["some.address"]),
3535 ('recv_into', _recv_into, True, []),
3536 ('recvfrom_into', _recvfrom_into, False, []),
3537 ]
3538 data_prefix = "PREFIX_"
3539
3540 for (meth_name, send_meth, expect_success, args,
3541 ret_val_meth) in send_methods:
3542 indata = (data_prefix + meth_name).encode('ascii')
3543 try:
3544 ret = send_meth(indata, *args)
3545 msg = "sending with {}".format(meth_name)
3546 self.assertEqual(ret, ret_val_meth(indata), msg=msg)
3547 outdata = s.read()
3548 if outdata != indata.lower():
3549 self.fail(
3550 "While sending with <<{name:s}>> bad data "
3551 "<<{outdata:r}>> ({nout:d}) received; "
3552 "expected <<{indata:r}>> ({nin:d})\n".format(
3553 name=meth_name, outdata=outdata[:20],
3554 nout=len(outdata),
3555 indata=indata[:20], nin=len(indata)
3556 )
3557 )
3558 except ValueError as e:
3559 if expect_success:
3560 self.fail(
3561 "Failed to send with method <<{name:s}>>; "
3562 "expected to succeed.\n".format(name=meth_name)
3563 )
3564 if not str(e).startswith(meth_name):
3565 self.fail(
3566 "Method <<{name:s}>> failed with unexpected "
3567 "exception message: {exp:s}\n".format(
3568 name=meth_name, exp=e
3569 )
3570 )
3571
3572 for meth_name, recv_meth, expect_success, args in recv_methods:
3573 indata = (data_prefix + meth_name).encode('ascii')
3574 try:
3575 s.send(indata)
3576 outdata = recv_meth(*args)
3577 if outdata != indata.lower():
3578 self.fail(
3579 "While receiving with <<{name:s}>> bad data "
3580 "<<{outdata:r}>> ({nout:d}) received; "
3581 "expected <<{indata:r}>> ({nin:d})\n".format(
3582 name=meth_name, outdata=outdata[:20],
3583 nout=len(outdata),
3584 indata=indata[:20], nin=len(indata)
3585 )
3586 )
3587 except ValueError as e:
3588 if expect_success:
3589 self.fail(
3590 "Failed to receive with method <<{name:s}>>; "
3591 "expected to succeed.\n".format(name=meth_name)
3592 )
3593 if not str(e).startswith(meth_name):
3594 self.fail(
3595 "Method <<{name:s}>> failed with unexpected "
3596 "exception message: {exp:s}\n".format(
3597 name=meth_name, exp=e
3598 )
3599 )
3600 # consume data
3601 s.read()
3602
3603 # read(-1, buffer) is supported, even though read(-1) is not
3604 data = b"data"
3605 s.send(data)
3606 buffer = bytearray(len(data))
3607 self.assertEqual(s.read(-1, buffer), len(data))
3608 self.assertEqual(buffer, data)
3609
Christian Heimes888bbdc2017-09-07 14:18:21 -0700[diff] [blame]3610 # sendall accepts bytes-like objects
3611 if ctypes is not None:
3612 ubyte = ctypes.c_ubyte * len(data)
3613 byteslike = ubyte.from_buffer_copy(data)
3614 s.sendall(byteslike)
3615 self.assertEqual(s.read(), data)
3616
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3617 # Make sure sendmsg et al are disallowed to avoid
3618 # inadvertent disclosure of data and/or corruption
3619 # of the encrypted data stream
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]3620 self.assertRaises(NotImplementedError, s.dup)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3621 self.assertRaises(NotImplementedError, s.sendmsg, [b"data"])
3622 self.assertRaises(NotImplementedError, s.recvmsg, 100)
3623 self.assertRaises(NotImplementedError,
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]3624 s.recvmsg_into, [bytearray(100)])
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3625 s.write(b"over\n")
3626
3627 self.assertRaises(ValueError, s.recv, -1)
3628 self.assertRaises(ValueError, s.read, -1)
3629
3630 s.close()
3631
3632 def test_recv_zero(self):
3633 server = ThreadedEchoServer(CERTFILE)
3634 server.__enter__()
3635 self.addCleanup(server.__exit__, None, None)
3636 s = socket.create_connection((HOST, server.port))
3637 self.addCleanup(s.close)
3638 s = test_wrap_socket(s, suppress_ragged_eofs=False)
3639 self.addCleanup(s.close)
3640
3641 # recv/read(0) should return no data
3642 s.send(b"data")
3643 self.assertEqual(s.recv(0), b"")
3644 self.assertEqual(s.read(0), b"")
3645 self.assertEqual(s.read(), b"data")
3646
3647 # Should not block if the other end sends no data
3648 s.setblocking(False)
3649 self.assertEqual(s.recv(0), b"")
3650 self.assertEqual(s.recv_into(bytearray()), 0)
3651
3652 def test_nonblocking_send(self):
3653 server = ThreadedEchoServer(CERTFILE,
3654 certreqs=ssl.CERT_NONE,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3655 ssl_version=ssl.PROTOCOL_TLS_SERVER,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3656 cacerts=CERTFILE,
3657 chatty=True,
3658 connectionchatty=False)
3659 with server:
3660 s = test_wrap_socket(socket.socket(),
3661 server_side=False,
3662 certfile=CERTFILE,
3663 ca_certs=CERTFILE,
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3664 cert_reqs=ssl.CERT_NONE)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3665 s.connect((HOST, server.port))
3666 s.setblocking(False)
3667
3668 # If we keep sending data, at some point the buffers
3669 # will be full and the call will block
3670 buf = bytearray(8192)
3671 def fill_buffer():
3672 while True:
3673 s.send(buf)
3674 self.assertRaises((ssl.SSLWantWriteError,
3675 ssl.SSLWantReadError), fill_buffer)
3676
3677 # Now read all the output and discard it
3678 s.setblocking(True)
3679 s.close()
3680
3681 def test_handshake_timeout(self):
3682 # Issue #5103: SSL handshake must respect the socket timeout
3683 server = socket.socket(socket.AF_INET)
3684 host = "127.0.0.1"
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]3685 port = socket_helper.bind_port(server)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3686 started = threading.Event()
3687 finish = False
3688
3689 def serve():
3690 server.listen()
3691 started.set()
3692 conns = []
3693 while not finish:
3694 r, w, e = select.select([server], [], [], 0.1)
3695 if server in r:
3696 # Let the socket hang around rather than having
3697 # it closed by garbage collection.
3698 conns.append(server.accept()[0])
3699 for sock in conns:
3700 sock.close()
3701
3702 t = threading.Thread(target=serve)
3703 t.start()
3704 started.wait()
3705
3706 try:
3707 try:
3708 c = socket.socket(socket.AF_INET)
3709 c.settimeout(0.2)
3710 c.connect((host, port))
3711 # Will attempt handshake and time out
Christian Heimes03c8ddd2020-11-20 09:26:07 +0100[diff] [blame]3712 self.assertRaisesRegex(TimeoutError, "timed out",
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3713 test_wrap_socket, c)
3714 finally:
3715 c.close()
3716 try:
3717 c = socket.socket(socket.AF_INET)
3718 c = test_wrap_socket(c)
3719 c.settimeout(0.2)
3720 # Will attempt handshake and time out
Christian Heimes03c8ddd2020-11-20 09:26:07 +0100[diff] [blame]3721 self.assertRaisesRegex(TimeoutError, "timed out",
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3722 c.connect, (host, port))
3723 finally:
3724 c.close()
3725 finally:
3726 finish = True
3727 t.join()
3728 server.close()
3729
3730 def test_server_accept(self):
3731 # Issue #16357: accept() on a SSLSocket created through
3732 # SSLContext.wrap_socket().
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3733 client_ctx, server_ctx, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3734 server = socket.socket(socket.AF_INET)
3735 host = "127.0.0.1"
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]3736 port = socket_helper.bind_port(server)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3737 server = server_ctx.wrap_socket(server, server_side=True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3738 self.assertTrue(server.server_side)
3739
3740 evt = threading.Event()
3741 remote = None
3742 peer = None
3743 def serve():
3744 nonlocal remote, peer
3745 server.listen()
3746 # Block on the accept and wait on the connection to close.
3747 evt.set()
3748 remote, peer = server.accept()
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3749 remote.send(remote.recv(4))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3750
3751 t = threading.Thread(target=serve)
3752 t.start()
3753 # Client wait until server setup and perform a connect.
3754 evt.wait()
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3755 client = client_ctx.wrap_socket(
3756 socket.socket(), server_hostname=hostname
3757 )
3758 client.connect((hostname, port))
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3759 client.send(b'data')
3760 client.recv()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3761 client_addr = client.getsockname()
3762 client.close()
3763 t.join()
3764 remote.close()
3765 server.close()
3766 # Sanity checks.
3767 self.assertIsInstance(remote, ssl.SSLSocket)
3768 self.assertEqual(peer, client_addr)
3769
3770 def test_getpeercert_enotconn(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3771 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3772 context.check_hostname = False
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3773 with context.wrap_socket(socket.socket()) as sock:
3774 with self.assertRaises(OSError) as cm:
3775 sock.getpeercert()
3776 self.assertEqual(cm.exception.errno, errno.ENOTCONN)
3777
3778 def test_do_handshake_enotconn(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3779 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3780 context.check_hostname = False
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3781 with context.wrap_socket(socket.socket()) as sock:
3782 with self.assertRaises(OSError) as cm:
3783 sock.do_handshake()
3784 self.assertEqual(cm.exception.errno, errno.ENOTCONN)
3785
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3786 def test_no_shared_ciphers(self):
3787 client_context, server_context, hostname = testing_context()
3788 # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
3789 client_context.options |= ssl.OP_NO_TLSv1_3
Victor Stinner5e922652018-09-07 17:30:33 +0200[diff] [blame]3790 # Force different suites on client and server
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3791 client_context.set_ciphers("AES128")
3792 server_context.set_ciphers("AES256")
3793 with ThreadedEchoServer(context=server_context) as server:
3794 with client_context.wrap_socket(socket.socket(),
3795 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3796 with self.assertRaises(OSError):
3797 s.connect((HOST, server.port))
3798 self.assertIn("no shared cipher", server.conn_errors[0])
3799
3800 def test_version_basic(self):
3801 """
3802 Basic tests for SSLSocket.version().
3803 More tests are done in the test_protocol_*() methods.
3804 """
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3805 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3806 context.check_hostname = False
3807 context.verify_mode = ssl.CERT_NONE
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3808 with ThreadedEchoServer(CERTFILE,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3809 ssl_version=ssl.PROTOCOL_TLS_SERVER,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3810 chatty=False) as server:
3811 with context.wrap_socket(socket.socket()) as s:
3812 self.assertIs(s.version(), None)
Christian Heimes141c5e82018-02-24 21:10:57 +0100[diff] [blame]3813 self.assertIs(s._sslobj, None)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3814 s.connect((HOST, server.port))
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]3815 self.assertEqual(s.version(), 'TLSv1.3')
Christian Heimes141c5e82018-02-24 21:10:57 +0100[diff] [blame]3816 self.assertIs(s._sslobj, None)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3817 self.assertIs(s.version(), None)
3818
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3819 @requires_tls_version('TLSv1_3')
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3820 def test_tls1_3(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3821 client_context, server_context, hostname = testing_context()
3822 client_context.minimum_version = ssl.TLSVersion.TLSv1_3
3823 with ThreadedEchoServer(context=server_context) as server:
3824 with client_context.wrap_socket(socket.socket(),
3825 server_hostname=hostname) as s:
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3826 s.connect((HOST, server.port))
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3827 self.assertIn(s.cipher()[0], {
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3828 'TLS_AES_256_GCM_SHA384',
3829 'TLS_CHACHA20_POLY1305_SHA256',
3830 'TLS_AES_128_GCM_SHA256',
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3831 })
3832 self.assertEqual(s.version(), 'TLSv1.3')
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3833
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3834 @requires_tls_version('TLSv1_2')
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3835 @requires_tls_version('TLSv1')
3836 @ignore_deprecation
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3837 def test_min_max_version_tlsv1_2(self):
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3838 client_context, server_context, hostname = testing_context()
3839 # client TLSv1.0 to 1.2
3840 client_context.minimum_version = ssl.TLSVersion.TLSv1
3841 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
3842 # server only TLSv1.2
3843 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
3844 server_context.maximum_version = ssl.TLSVersion.TLSv1_2
3845
3846 with ThreadedEchoServer(context=server_context) as server:
3847 with client_context.wrap_socket(socket.socket(),
3848 server_hostname=hostname) as s:
3849 s.connect((HOST, server.port))
3850 self.assertEqual(s.version(), 'TLSv1.2')
3851
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3852 @requires_tls_version('TLSv1_1')
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3853 @ignore_deprecation
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3854 def test_min_max_version_tlsv1_1(self):
3855 client_context, server_context, hostname = testing_context()
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3856 # client 1.0 to 1.2, server 1.0 to 1.1
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3857 client_context.minimum_version = ssl.TLSVersion.TLSv1
3858 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3859 server_context.minimum_version = ssl.TLSVersion.TLSv1
3860 server_context.maximum_version = ssl.TLSVersion.TLSv1_1
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]3861 seclevel_workaround(client_context, server_context)
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3862
3863 with ThreadedEchoServer(context=server_context) as server:
3864 with client_context.wrap_socket(socket.socket(),
3865 server_hostname=hostname) as s:
3866 s.connect((HOST, server.port))
3867 self.assertEqual(s.version(), 'TLSv1.1')
3868
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3869 @requires_tls_version('TLSv1_2')
Christian Heimesce04e712020-11-18 13:10:53 +0100[diff] [blame]3870 @requires_tls_version('TLSv1')
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3871 @ignore_deprecation
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3872 def test_min_max_version_mismatch(self):
3873 client_context, server_context, hostname = testing_context()
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3874 # client 1.0, server 1.2 (mismatch)
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3875 server_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesc9bc49c2019-09-11 19:24:47 +0200[diff] [blame]3876 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]3877 client_context.maximum_version = ssl.TLSVersion.TLSv1
Christian Heimesde606ea2019-09-11 19:48:58 +0200[diff] [blame]3878 client_context.minimum_version = ssl.TLSVersion.TLSv1
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]3879 seclevel_workaround(client_context, server_context)
3880
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3881 with ThreadedEchoServer(context=server_context) as server:
3882 with client_context.wrap_socket(socket.socket(),
3883 server_hostname=hostname) as s:
3884 with self.assertRaises(ssl.SSLError) as e:
3885 s.connect((HOST, server.port))
3886 self.assertIn("alert", str(e.exception))
3887
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3888 @requires_tls_version('SSLv3')
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3889 def test_min_max_version_sslv3(self):
3890 client_context, server_context, hostname = testing_context()
3891 server_context.minimum_version = ssl.TLSVersion.SSLv3
3892 client_context.minimum_version = ssl.TLSVersion.SSLv3
3893 client_context.maximum_version = ssl.TLSVersion.SSLv3
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]3894 seclevel_workaround(client_context, server_context)
3895
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3896 with ThreadedEchoServer(context=server_context) as server:
3897 with client_context.wrap_socket(socket.socket(),
3898 server_hostname=hostname) as s:
3899 s.connect((HOST, server.port))
3900 self.assertEqual(s.version(), 'SSLv3')
3901
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3902 def test_default_ecdh_curve(self):
3903 # Issue #21015: elliptic curve-based Diffie Hellman key exchange
3904 # should be enabled by default on SSL contexts.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3905 client_context, server_context, hostname = testing_context()
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3906 # TLSv1.3 defaults to PFS key agreement and no longer has KEA in
3907 # cipher name.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3908 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3909 # Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled
3910 # explicitly using the 'ECCdraft' cipher alias. Otherwise,
3911 # our default cipher list should prefer ECDH-based ciphers
3912 # automatically.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3913 with ThreadedEchoServer(context=server_context) as server:
3914 with client_context.wrap_socket(socket.socket(),
3915 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3916 s.connect((HOST, server.port))
3917 self.assertIn("ECDH", s.cipher()[0])
3918
3919 @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
3920 "'tls-unique' channel binding not available")
3921 def test_tls_unique_channel_binding(self):
3922 """Test tls-unique channel binding."""
3923 if support.verbose:
3924 sys.stdout.write("\n")
3925
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3926 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3927
3928 server = ThreadedEchoServer(context=server_context,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3929 chatty=True,
3930 connectionchatty=False)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3931
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3932 with server:
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3933 with client_context.wrap_socket(
3934 socket.socket(),
3935 server_hostname=hostname) as s:
3936 s.connect((HOST, server.port))
3937 # get the data
3938 cb_data = s.get_channel_binding("tls-unique")
3939 if support.verbose:
3940 sys.stdout.write(
3941 " got channel binding data: {0!r}\n".format(cb_data))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3942
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3943 # check if it is sane
3944 self.assertIsNotNone(cb_data)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3945 if s.version() == 'TLSv1.3':
3946 self.assertEqual(len(cb_data), 48)
3947 else:
3948 self.assertEqual(len(cb_data), 12) # True for TLSv1
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3949
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3950 # and compare with the peers version
3951 s.write(b"CB tls-unique\n")
3952 peer_data_repr = s.read().strip()
3953 self.assertEqual(peer_data_repr,
3954 repr(cb_data).encode("us-ascii"))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3955
3956 # now, again
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3957 with client_context.wrap_socket(
3958 socket.socket(),
3959 server_hostname=hostname) as s:
3960 s.connect((HOST, server.port))
3961 new_cb_data = s.get_channel_binding("tls-unique")
3962 if support.verbose:
3963 sys.stdout.write(
3964 "got another channel binding data: {0!r}\n".format(
3965 new_cb_data)
3966 )
3967 # is it really unique
3968 self.assertNotEqual(cb_data, new_cb_data)
3969 self.assertIsNotNone(cb_data)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3970 if s.version() == 'TLSv1.3':
3971 self.assertEqual(len(cb_data), 48)
3972 else:
3973 self.assertEqual(len(cb_data), 12) # True for TLSv1
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3974 s.write(b"CB tls-unique\n")
3975 peer_data_repr = s.read().strip()
3976 self.assertEqual(peer_data_repr,
3977 repr(new_cb_data).encode("us-ascii"))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3978
3979 def test_compression(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3980 client_context, server_context, hostname = testing_context()
3981 stats = server_params_test(client_context, server_context,
3982 chatty=True, connectionchatty=True,
3983 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3984 if support.verbose:
3985 sys.stdout.write(" got compression: {!r}\n".format(stats['compression']))
3986 self.assertIn(stats['compression'], { None, 'ZLIB', 'RLE' })
3987
3988 @unittest.skipUnless(hasattr(ssl, 'OP_NO_COMPRESSION'),
3989 "ssl.OP_NO_COMPRESSION needed for this test")
3990 def test_compression_disabled(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3991 client_context, server_context, hostname = testing_context()
3992 client_context.options |= ssl.OP_NO_COMPRESSION
3993 server_context.options |= ssl.OP_NO_COMPRESSION
3994 stats = server_params_test(client_context, server_context,
3995 chatty=True, connectionchatty=True,
3996 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3997 self.assertIs(stats['compression'], None)
3998
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]3999 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4000 def test_dh_params(self):
4001 # Check we can get a connection with ephemeral Diffie-Hellman
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4002 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4003 # test scenario needs TLS <= 1.2
4004 client_context.options |= ssl.OP_NO_TLSv1_3
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4005 server_context.load_dh_params(DHFILE)
4006 server_context.set_ciphers("kEDH")
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4007 server_context.options |= ssl.OP_NO_TLSv1_3
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4008 stats = server_params_test(client_context, server_context,
4009 chatty=True, connectionchatty=True,
4010 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4011 cipher = stats["cipher"][0]
4012 parts = cipher.split("-")
4013 if "ADH" not in parts and "EDH" not in parts and "DHE" not in parts:
4014 self.fail("Non-DH cipher: " + cipher[0])
4015
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4016 def test_ecdh_curve(self):
4017 # server secp384r1, client auto
4018 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4019
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4020 server_context.set_ecdh_curve("secp384r1")
4021 server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]4022 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4023 stats = server_params_test(client_context, server_context,
4024 chatty=True, connectionchatty=True,
4025 sni_name=hostname)
4026
4027 # server auto, client secp384r1
4028 client_context, server_context, hostname = testing_context()
4029 client_context.set_ecdh_curve("secp384r1")
4030 server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]4031 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4032 stats = server_params_test(client_context, server_context,
4033 chatty=True, connectionchatty=True,
4034 sni_name=hostname)
4035
4036 # server / client curve mismatch
4037 client_context, server_context, hostname = testing_context()
4038 client_context.set_ecdh_curve("prime256v1")
4039 server_context.set_ecdh_curve("secp384r1")
4040 server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]4041 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
4042 with self.assertRaises(ssl.SSLError):
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4043 server_params_test(client_context, server_context,
4044 chatty=True, connectionchatty=True,
4045 sni_name=hostname)
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4046
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4047 def test_selected_alpn_protocol(self):
4048 # selected_alpn_protocol() is None unless ALPN is used.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4049 client_context, server_context, hostname = testing_context()
4050 stats = server_params_test(client_context, server_context,
4051 chatty=True, connectionchatty=True,
4052 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4053 self.assertIs(stats['client_alpn_protocol'], None)
4054
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4055 def test_selected_alpn_protocol_if_server_uses_alpn(self):
4056 # selected_alpn_protocol() is None unless ALPN is used by the client.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4057 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4058 server_context.set_alpn_protocols(['foo', 'bar'])
4059 stats = server_params_test(client_context, server_context,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4060 chatty=True, connectionchatty=True,
4061 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4062 self.assertIs(stats['client_alpn_protocol'], None)
4063
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4064 def test_alpn_protocols(self):
4065 server_protocols = ['foo', 'bar', 'milkshake']
4066 protocol_tests = [
4067 (['foo', 'bar'], 'foo'),
4068 (['bar', 'foo'], 'foo'),
4069 (['milkshake'], 'milkshake'),
4070 (['http/3.0', 'http/4.0'], None)
4071 ]
4072 for client_protocols, expected in protocol_tests:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4073 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4074 server_context.set_alpn_protocols(server_protocols)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4075 client_context.set_alpn_protocols(client_protocols)
4076
4077 try:
4078 stats = server_params_test(client_context,
4079 server_context,
4080 chatty=True,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4081 connectionchatty=True,
4082 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4083 except ssl.SSLError as e:
4084 stats = e
4085
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4086 msg = "failed trying %s (s) and %s (c).\n" \
4087 "was expecting %s, but got %%s from the %%s" \
4088 % (str(server_protocols), str(client_protocols),
4089 str(expected))
4090 client_result = stats['client_alpn_protocol']
4091 self.assertEqual(client_result, expected,
4092 msg % (client_result, "client"))
4093 server_result = stats['server_alpn_protocols'][-1] \
4094 if len(stats['server_alpn_protocols']) else 'nothing'
4095 self.assertEqual(server_result, expected,
4096 msg % (server_result, "server"))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4097
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4098 def test_npn_protocols(self):
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4099 assert not ssl.HAS_NPN
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4100
4101 def sni_contexts(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4102 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4103 server_context.load_cert_chain(SIGNED_CERTFILE)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4104 other_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4105 other_context.load_cert_chain(SIGNED_CERTFILE2)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4106 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4107 client_context.load_verify_locations(SIGNING_CA)
4108 return server_context, other_context, client_context
4109
4110 def check_common_name(self, stats, name):
4111 cert = stats['peercert']
4112 self.assertIn((('commonName', name),), cert['subject'])
4113
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4114 def test_sni_callback(self):
4115 calls = []
4116 server_context, other_context, client_context = self.sni_contexts()
4117
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4118 client_context.check_hostname = False
4119
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4120 def servername_cb(ssl_sock, server_name, initial_context):
4121 calls.append((server_name, initial_context))
4122 if server_name is not None:
4123 ssl_sock.context = other_context
4124 server_context.set_servername_callback(servername_cb)
4125
4126 stats = server_params_test(client_context, server_context,
4127 chatty=True,
4128 sni_name='supermessage')
4129 # The hostname was fetched properly, and the certificate was
4130 # changed for the connection.
4131 self.assertEqual(calls, [("supermessage", server_context)])
4132 # CERTFILE4 was selected
4133 self.check_common_name(stats, 'fakehostname')
4134
4135 calls = []
4136 # The callback is called with server_name=None
4137 stats = server_params_test(client_context, server_context,
4138 chatty=True,
4139 sni_name=None)
4140 self.assertEqual(calls, [(None, server_context)])
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4141 self.check_common_name(stats, SIGNED_CERTFILE_HOSTNAME)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4142
4143 # Check disabling the callback
4144 calls = []
4145 server_context.set_servername_callback(None)
4146
4147 stats = server_params_test(client_context, server_context,
4148 chatty=True,
4149 sni_name='notfunny')
4150 # Certificate didn't change
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4151 self.check_common_name(stats, SIGNED_CERTFILE_HOSTNAME)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4152 self.assertEqual(calls, [])
4153
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4154 def test_sni_callback_alert(self):
4155 # Returning a TLS alert is reflected to the connecting client
4156 server_context, other_context, client_context = self.sni_contexts()
4157
4158 def cb_returning_alert(ssl_sock, server_name, initial_context):
4159 return ssl.ALERT_DESCRIPTION_ACCESS_DENIED
4160 server_context.set_servername_callback(cb_returning_alert)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4161 with self.assertRaises(ssl.SSLError) as cm:
4162 stats = server_params_test(client_context, server_context,
4163 chatty=False,
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4164 sni_name='supermessage')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4165 self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_ACCESS_DENIED')
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4166
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4167 def test_sni_callback_raising(self):
4168 # Raising fails the connection with a TLS handshake failure alert.
4169 server_context, other_context, client_context = self.sni_contexts()
4170
4171 def cb_raising(ssl_sock, server_name, initial_context):
4172 1/0
4173 server_context.set_servername_callback(cb_raising)
4174
Victor Stinner00253502019-06-03 03:51:43 +0200[diff] [blame]4175 with support.catch_unraisable_exception() as catch:
4176 with self.assertRaises(ssl.SSLError) as cm:
4177 stats = server_params_test(client_context, server_context,
4178 chatty=False,
4179 sni_name='supermessage')
4180
4181 self.assertEqual(cm.exception.reason,
4182 'SSLV3_ALERT_HANDSHAKE_FAILURE')
4183 self.assertEqual(catch.unraisable.exc_type, ZeroDivisionError)
Antoine Pitrou50b24d02013-04-11 20:48:42 +0200[diff] [blame]4184
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4185 def test_sni_callback_wrong_return_type(self):
4186 # Returning the wrong return type terminates the TLS connection
4187 # with an internal error alert.
4188 server_context, other_context, client_context = self.sni_contexts()
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4189
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4190 def cb_wrong_return_type(ssl_sock, server_name, initial_context):
4191 return "foo"
4192 server_context.set_servername_callback(cb_wrong_return_type)
4193
Victor Stinner00253502019-06-03 03:51:43 +0200[diff] [blame]4194 with support.catch_unraisable_exception() as catch:
4195 with self.assertRaises(ssl.SSLError) as cm:
4196 stats = server_params_test(client_context, server_context,
4197 chatty=False,
4198 sni_name='supermessage')
4199
4200
4201 self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_INTERNAL_ERROR')
4202 self.assertEqual(catch.unraisable.exc_type, TypeError)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4203
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4204 def test_shared_ciphers(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4205 client_context, server_context, hostname = testing_context()
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]4206 client_context.set_ciphers("AES128:AES256")
4207 server_context.set_ciphers("AES256")
4208 expected_algs = [
4209 "AES256", "AES-256",
4210 # TLS 1.3 ciphers are always enabled
4211 "TLS_CHACHA20", "TLS_AES",
4212 ]
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4213
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4214 stats = server_params_test(client_context, server_context,
4215 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4216 ciphers = stats['server_shared_ciphers'][0]
4217 self.assertGreater(len(ciphers), 0)
4218 for name, tls_version, bits in ciphers:
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]4219 if not any(alg in name for alg in expected_algs):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4220 self.fail(name)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4221
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4222 def test_read_write_after_close_raises_valuerror(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4223 client_context, server_context, hostname = testing_context()
4224 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4225
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4226 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4227 s = client_context.wrap_socket(socket.socket(),
4228 server_hostname=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4229 s.connect((HOST, server.port))
4230 s.close()
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4231
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4232 self.assertRaises(ValueError, s.read, 1024)
4233 self.assertRaises(ValueError, s.write, b'hello')
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4234
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4235 def test_sendfile(self):
4236 TEST_DATA = b"x" * 512
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4237 with open(os_helper.TESTFN, 'wb') as f:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4238 f.write(TEST_DATA)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4239 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]4240 client_context, server_context, hostname = testing_context()
4241 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4242 with server:
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]4243 with client_context.wrap_socket(socket.socket(),
4244 server_hostname=hostname) as s:
Antoine Pitrou60a26e02013-07-20 19:35:16 +0200[diff] [blame]4245 s.connect((HOST, server.port))
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4246 with open(os_helper.TESTFN, 'rb') as file:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4247 s.sendfile(file)
4248 self.assertEqual(s.recv(1024), TEST_DATA)
Antoine Pitrou60a26e02013-07-20 19:35:16 +0200[diff] [blame]4249
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4250 def test_session(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4251 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4252 # TODO: sessions aren't compatible with TLSv1.3 yet
4253 client_context.options |= ssl.OP_NO_TLSv1_3
Antoine Pitrou60a26e02013-07-20 19:35:16 +0200[diff] [blame]4254
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4255 # first connection without session
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4256 stats = server_params_test(client_context, server_context,
4257 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4258 session = stats['session']
4259 self.assertTrue(session.id)
4260 self.assertGreater(session.time, 0)
4261 self.assertGreater(session.timeout, 0)
4262 self.assertTrue(session.has_ticket)
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4263 self.assertGreater(session.ticket_lifetime_hint, 0)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4264 self.assertFalse(stats['session_reused'])
4265 sess_stat = server_context.session_stats()
4266 self.assertEqual(sess_stat['accept'], 1)
4267 self.assertEqual(sess_stat['hits'], 0)
Giampaolo Rodola'915d1412014-06-11 03:54:30 +0200[diff] [blame]4268
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4269 # reuse session
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4270 stats = server_params_test(client_context, server_context,
4271 session=session, sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4272 sess_stat = server_context.session_stats()
4273 self.assertEqual(sess_stat['accept'], 2)
4274 self.assertEqual(sess_stat['hits'], 1)
4275 self.assertTrue(stats['session_reused'])
4276 session2 = stats['session']
4277 self.assertEqual(session2.id, session.id)
4278 self.assertEqual(session2, session)
4279 self.assertIsNot(session2, session)
4280 self.assertGreaterEqual(session2.time, session.time)
4281 self.assertGreaterEqual(session2.timeout, session.timeout)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4282
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4283 # another one without session
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4284 stats = server_params_test(client_context, server_context,
4285 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4286 self.assertFalse(stats['session_reused'])
4287 session3 = stats['session']
4288 self.assertNotEqual(session3.id, session.id)
4289 self.assertNotEqual(session3, session)
4290 sess_stat = server_context.session_stats()
4291 self.assertEqual(sess_stat['accept'], 3)
4292 self.assertEqual(sess_stat['hits'], 1)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4293
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4294 # reuse session again
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4295 stats = server_params_test(client_context, server_context,
4296 session=session, sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4297 self.assertTrue(stats['session_reused'])
4298 session4 = stats['session']
4299 self.assertEqual(session4.id, session.id)
4300 self.assertEqual(session4, session)
4301 self.assertGreaterEqual(session4.time, session.time)
4302 self.assertGreaterEqual(session4.timeout, session.timeout)
4303 sess_stat = server_context.session_stats()
4304 self.assertEqual(sess_stat['accept'], 4)
4305 self.assertEqual(sess_stat['hits'], 2)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4306
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4307 def test_session_handling(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4308 client_context, server_context, hostname = testing_context()
4309 client_context2, _, _ = testing_context()
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4310
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4311 # TODO: session reuse does not work with TLSv1.3
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4312 client_context.options |= ssl.OP_NO_TLSv1_3
4313 client_context2.options |= ssl.OP_NO_TLSv1_3
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]4314
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4315 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4316 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4317 with client_context.wrap_socket(socket.socket(),
4318 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4319 # session is None before handshake
4320 self.assertEqual(s.session, None)
4321 self.assertEqual(s.session_reused, None)
4322 s.connect((HOST, server.port))
4323 session = s.session
4324 self.assertTrue(session)
4325 with self.assertRaises(TypeError) as e:
4326 s.session = object
Ned Deily4531ec72018-06-11 20:26:28 -0400[diff] [blame]4327 self.assertEqual(str(e.exception), 'Value is not a SSLSession.')
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4328
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4329 with client_context.wrap_socket(socket.socket(),
4330 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4331 s.connect((HOST, server.port))
4332 # cannot set session after handshake
4333 with self.assertRaises(ValueError) as e:
4334 s.session = session
4335 self.assertEqual(str(e.exception),
4336 'Cannot set session after handshake.')
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4337
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4338 with client_context.wrap_socket(socket.socket(),
4339 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4340 # can set session before handshake and before the
4341 # connection was established
4342 s.session = session
4343 s.connect((HOST, server.port))
4344 self.assertEqual(s.session.id, session.id)
4345 self.assertEqual(s.session, session)
4346 self.assertEqual(s.session_reused, True)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4347
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4348 with client_context2.wrap_socket(socket.socket(),
4349 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4350 # cannot re-use session with a different SSLContext
4351 with self.assertRaises(ValueError) as e:
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4352 s.session = session
4353 s.connect((HOST, server.port))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4354 self.assertEqual(str(e.exception),
4355 'Session refers to a different SSLContext.')
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4356
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]4357
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]4358@unittest.skipUnless(has_tls_version('TLSv1_3'), "Test needs TLS 1.3")
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4359class TestPostHandshakeAuth(unittest.TestCase):
4360 def test_pha_setter(self):
4361 protocols = [
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]4362 ssl.PROTOCOL_TLS_SERVER, ssl.PROTOCOL_TLS_CLIENT
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4363 ]
4364 for protocol in protocols:
4365 ctx = ssl.SSLContext(protocol)
4366 self.assertEqual(ctx.post_handshake_auth, False)
4367
4368 ctx.post_handshake_auth = True
4369 self.assertEqual(ctx.post_handshake_auth, True)
4370
4371 ctx.verify_mode = ssl.CERT_REQUIRED
4372 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
4373 self.assertEqual(ctx.post_handshake_auth, True)
4374
4375 ctx.post_handshake_auth = False
4376 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
4377 self.assertEqual(ctx.post_handshake_auth, False)
4378
4379 ctx.verify_mode = ssl.CERT_OPTIONAL
4380 ctx.post_handshake_auth = True
4381 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
4382 self.assertEqual(ctx.post_handshake_auth, True)
4383
4384 def test_pha_required(self):
4385 client_context, server_context, hostname = testing_context()
4386 server_context.post_handshake_auth = True
4387 server_context.verify_mode = ssl.CERT_REQUIRED
4388 client_context.post_handshake_auth = True
4389 client_context.load_cert_chain(SIGNED_CERTFILE)
4390
4391 server = ThreadedEchoServer(context=server_context, chatty=False)
4392 with server:
4393 with client_context.wrap_socket(socket.socket(),
4394 server_hostname=hostname) as s:
4395 s.connect((HOST, server.port))
4396 s.write(b'HASCERT')
4397 self.assertEqual(s.recv(1024), b'FALSE\n')
4398 s.write(b'PHA')
4399 self.assertEqual(s.recv(1024), b'OK\n')
4400 s.write(b'HASCERT')
4401 self.assertEqual(s.recv(1024), b'TRUE\n')
4402 # PHA method just returns true when cert is already available
4403 s.write(b'PHA')
4404 self.assertEqual(s.recv(1024), b'OK\n')
4405 s.write(b'GETCERT')
4406 cert_text = s.recv(4096).decode('us-ascii')
4407 self.assertIn('Python Software Foundation CA', cert_text)
4408
4409 def test_pha_required_nocert(self):
4410 client_context, server_context, hostname = testing_context()
4411 server_context.post_handshake_auth = True
4412 server_context.verify_mode = ssl.CERT_REQUIRED
4413 client_context.post_handshake_auth = True
4414
Victor Stinner73ea5462019-07-09 14:33:49 +0200[diff] [blame]4415 # Ignore expected SSLError in ConnectionHandler of ThreadedEchoServer
4416 # (it is only raised sometimes on Windows)
Hai Shie80697d2020-05-28 06:10:27 +0800[diff] [blame]4417 with threading_helper.catch_threading_exception() as cm:
Victor Stinner73ea5462019-07-09 14:33:49 +0200[diff] [blame]4418 server = ThreadedEchoServer(context=server_context, chatty=False)
4419 with server:
4420 with client_context.wrap_socket(socket.socket(),
4421 server_hostname=hostname) as s:
4422 s.connect((HOST, server.port))
4423 s.write(b'PHA')
4424 # receive CertificateRequest
4425 self.assertEqual(s.recv(1024), b'OK\n')
4426 # send empty Certificate + Finish
4427 s.write(b'HASCERT')
4428 # receive alert
4429 with self.assertRaisesRegex(
4430 ssl.SSLError,
4431 'tlsv13 alert certificate required'):
4432 s.recv(1024)
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4433
4434 def test_pha_optional(self):
4435 if support.verbose:
4436 sys.stdout.write("\n")
4437
4438 client_context, server_context, hostname = testing_context()
4439 server_context.post_handshake_auth = True
4440 server_context.verify_mode = ssl.CERT_REQUIRED
4441 client_context.post_handshake_auth = True
4442 client_context.load_cert_chain(SIGNED_CERTFILE)
4443
4444 # check CERT_OPTIONAL
4445 server_context.verify_mode = ssl.CERT_OPTIONAL
4446 server = ThreadedEchoServer(context=server_context, chatty=False)
4447 with server:
4448 with client_context.wrap_socket(socket.socket(),
4449 server_hostname=hostname) as s:
4450 s.connect((HOST, server.port))
4451 s.write(b'HASCERT')
4452 self.assertEqual(s.recv(1024), b'FALSE\n')
4453 s.write(b'PHA')
4454 self.assertEqual(s.recv(1024), b'OK\n')
4455 s.write(b'HASCERT')
4456 self.assertEqual(s.recv(1024), b'TRUE\n')
4457
4458 def test_pha_optional_nocert(self):
4459 if support.verbose:
4460 sys.stdout.write("\n")
4461
4462 client_context, server_context, hostname = testing_context()
4463 server_context.post_handshake_auth = True
4464 server_context.verify_mode = ssl.CERT_OPTIONAL
4465 client_context.post_handshake_auth = True
4466
4467 server = ThreadedEchoServer(context=server_context, chatty=False)
4468 with server:
4469 with client_context.wrap_socket(socket.socket(),
4470 server_hostname=hostname) as s:
4471 s.connect((HOST, server.port))
4472 s.write(b'HASCERT')
4473 self.assertEqual(s.recv(1024), b'FALSE\n')
4474 s.write(b'PHA')
4475 self.assertEqual(s.recv(1024), b'OK\n')
penguindustin96466302019-05-06 14:57:17 -0400[diff] [blame]4476 # optional doesn't fail when client does not have a cert
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4477 s.write(b'HASCERT')
4478 self.assertEqual(s.recv(1024), b'FALSE\n')
4479
4480 def test_pha_no_pha_client(self):
4481 client_context, server_context, hostname = testing_context()
4482 server_context.post_handshake_auth = True
4483 server_context.verify_mode = ssl.CERT_REQUIRED
4484 client_context.load_cert_chain(SIGNED_CERTFILE)
4485
4486 server = ThreadedEchoServer(context=server_context, chatty=False)
4487 with server:
4488 with client_context.wrap_socket(socket.socket(),
4489 server_hostname=hostname) as s:
4490 s.connect((HOST, server.port))
4491 with self.assertRaisesRegex(ssl.SSLError, 'not server'):
4492 s.verify_client_post_handshake()
4493 s.write(b'PHA')
4494 self.assertIn(b'extension not received', s.recv(1024))
4495
4496 def test_pha_no_pha_server(self):
4497 # server doesn't have PHA enabled, cert is requested in handshake
4498 client_context, server_context, hostname = testing_context()
4499 server_context.verify_mode = ssl.CERT_REQUIRED
4500 client_context.post_handshake_auth = True
4501 client_context.load_cert_chain(SIGNED_CERTFILE)
4502
4503 server = ThreadedEchoServer(context=server_context, chatty=False)
4504 with server:
4505 with client_context.wrap_socket(socket.socket(),
4506 server_hostname=hostname) as s:
4507 s.connect((HOST, server.port))
4508 s.write(b'HASCERT')
4509 self.assertEqual(s.recv(1024), b'TRUE\n')
4510 # PHA doesn't fail if there is already a cert
4511 s.write(b'PHA')
4512 self.assertEqual(s.recv(1024), b'OK\n')
4513 s.write(b'HASCERT')
4514 self.assertEqual(s.recv(1024), b'TRUE\n')
4515
4516 def test_pha_not_tls13(self):
4517 # TLS 1.2
4518 client_context, server_context, hostname = testing_context()
4519 server_context.verify_mode = ssl.CERT_REQUIRED
4520 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
4521 client_context.post_handshake_auth = True
4522 client_context.load_cert_chain(SIGNED_CERTFILE)
4523
4524 server = ThreadedEchoServer(context=server_context, chatty=False)
4525 with server:
4526 with client_context.wrap_socket(socket.socket(),
4527 server_hostname=hostname) as s:
4528 s.connect((HOST, server.port))
4529 # PHA fails for TLS != 1.3
4530 s.write(b'PHA')
4531 self.assertIn(b'WRONG_SSL_VERSION', s.recv(1024))
4532
Christian Heimesf0f59302019-07-01 08:29:17 +0200[diff] [blame]4533 def test_bpo37428_pha_cert_none(self):
4534 # verify that post_handshake_auth does not implicitly enable cert
4535 # validation.
4536 hostname = SIGNED_CERTFILE_HOSTNAME
4537 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
4538 client_context.post_handshake_auth = True
4539 client_context.load_cert_chain(SIGNED_CERTFILE)
4540 # no cert validation and CA on client side
4541 client_context.check_hostname = False
4542 client_context.verify_mode = ssl.CERT_NONE
4543
4544 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
4545 server_context.load_cert_chain(SIGNED_CERTFILE)
4546 server_context.load_verify_locations(SIGNING_CA)
4547 server_context.post_handshake_auth = True
4548 server_context.verify_mode = ssl.CERT_REQUIRED
4549
4550 server = ThreadedEchoServer(context=server_context, chatty=False)
4551 with server:
4552 with client_context.wrap_socket(socket.socket(),
4553 server_hostname=hostname) as s:
4554 s.connect((HOST, server.port))
4555 s.write(b'HASCERT')
4556 self.assertEqual(s.recv(1024), b'FALSE\n')
4557 s.write(b'PHA')
4558 self.assertEqual(s.recv(1024), b'OK\n')
4559 s.write(b'HASCERT')
4560 self.assertEqual(s.recv(1024), b'TRUE\n')
4561 # server cert has not been validated
4562 self.assertEqual(s.getpeercert(), {})
4563
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4564
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4565HAS_KEYLOG = hasattr(ssl.SSLContext, 'keylog_filename')
4566requires_keylog = unittest.skipUnless(
4567 HAS_KEYLOG, 'test requires OpenSSL 1.1.1 with keylog callback')
4568
4569class TestSSLDebug(unittest.TestCase):
4570
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4571 def keylog_lines(self, fname=os_helper.TESTFN):
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4572 with open(fname) as f:
4573 return len(list(f))
4574
4575 @requires_keylog
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]4576 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4577 def test_keylog_defaults(self):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4578 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4579 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
4580 self.assertEqual(ctx.keylog_filename, None)
4581
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4582 self.assertFalse(os.path.isfile(os_helper.TESTFN))
4583 ctx.keylog_filename = os_helper.TESTFN
4584 self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
4585 self.assertTrue(os.path.isfile(os_helper.TESTFN))
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4586 self.assertEqual(self.keylog_lines(), 1)
4587
4588 ctx.keylog_filename = None
4589 self.assertEqual(ctx.keylog_filename, None)
4590
4591 with self.assertRaises((IsADirectoryError, PermissionError)):
4592 # Windows raises PermissionError
4593 ctx.keylog_filename = os.path.dirname(
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4594 os.path.abspath(os_helper.TESTFN))
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4595
4596 with self.assertRaises(TypeError):
4597 ctx.keylog_filename = 1
4598
4599 @requires_keylog
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]4600 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4601 def test_keylog_filename(self):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4602 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4603 client_context, server_context, hostname = testing_context()
4604
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4605 client_context.keylog_filename = os_helper.TESTFN
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4606 server = ThreadedEchoServer(context=server_context, chatty=False)
4607 with server:
4608 with client_context.wrap_socket(socket.socket(),
4609 server_hostname=hostname) as s:
4610 s.connect((HOST, server.port))
4611 # header, 5 lines for TLS 1.3
4612 self.assertEqual(self.keylog_lines(), 6)
4613
4614 client_context.keylog_filename = None
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4615 server_context.keylog_filename = os_helper.TESTFN
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4616 server = ThreadedEchoServer(context=server_context, chatty=False)
4617 with server:
4618 with client_context.wrap_socket(socket.socket(),
4619 server_hostname=hostname) as s:
4620 s.connect((HOST, server.port))
4621 self.assertGreaterEqual(self.keylog_lines(), 11)
4622
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4623 client_context.keylog_filename = os_helper.TESTFN
4624 server_context.keylog_filename = os_helper.TESTFN
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4625 server = ThreadedEchoServer(context=server_context, chatty=False)
4626 with server:
4627 with client_context.wrap_socket(socket.socket(),
4628 server_hostname=hostname) as s:
4629 s.connect((HOST, server.port))
4630 self.assertGreaterEqual(self.keylog_lines(), 21)
4631
4632 client_context.keylog_filename = None
4633 server_context.keylog_filename = None
4634
4635 @requires_keylog
4636 @unittest.skipIf(sys.flags.ignore_environment,
4637 "test is not compatible with ignore_environment")
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]4638 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4639 def test_keylog_env(self):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4640 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4641 with unittest.mock.patch.dict(os.environ):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4642 os.environ['SSLKEYLOGFILE'] = os_helper.TESTFN
4643 self.assertEqual(os.environ['SSLKEYLOGFILE'], os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4644
4645 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
4646 self.assertEqual(ctx.keylog_filename, None)
4647
4648 ctx = ssl.create_default_context()
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4649 self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4650
4651 ctx = ssl._create_stdlib_context()
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4652 self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4653
4654 def test_msg_callback(self):
4655 client_context, server_context, hostname = testing_context()
4656
4657 def msg_cb(conn, direction, version, content_type, msg_type, data):
4658 pass
4659
4660 self.assertIs(client_context._msg_callback, None)
4661 client_context._msg_callback = msg_cb
4662 self.assertIs(client_context._msg_callback, msg_cb)
4663 with self.assertRaises(TypeError):
4664 client_context._msg_callback = object()
4665
4666 def test_msg_callback_tls12(self):
4667 client_context, server_context, hostname = testing_context()
4668 client_context.options |= ssl.OP_NO_TLSv1_3
4669
4670 msg = []
4671
4672 def msg_cb(conn, direction, version, content_type, msg_type, data):
4673 self.assertIsInstance(conn, ssl.SSLSocket)
4674 self.assertIsInstance(data, bytes)
4675 self.assertIn(direction, {'read', 'write'})
4676 msg.append((direction, version, content_type, msg_type))
4677
4678 client_context._msg_callback = msg_cb
4679
4680 server = ThreadedEchoServer(context=server_context, chatty=False)
4681 with server:
4682 with client_context.wrap_socket(socket.socket(),
4683 server_hostname=hostname) as s:
4684 s.connect((HOST, server.port))
4685
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]4686 self.assertIn(
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4687 ("read", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
4688 _TLSMessageType.SERVER_KEY_EXCHANGE),
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]4689 msg
4690 )
4691 self.assertIn(
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4692 ("write", TLSVersion.TLSv1_2, _TLSContentType.CHANGE_CIPHER_SPEC,
4693 _TLSMessageType.CHANGE_CIPHER_SPEC),
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]4694 msg
4695 )
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4696
Christian Heimes77cde502021-03-21 16:13:09 +0100[diff] [blame]4697 def test_msg_callback_deadlock_bpo43577(self):
4698 client_context, server_context, hostname = testing_context()
4699 server_context2 = testing_context()[1]
4700
4701 def msg_cb(conn, direction, version, content_type, msg_type, data):
4702 pass
4703
4704 def sni_cb(sock, servername, ctx):
4705 sock.context = server_context2
4706
4707 server_context._msg_callback = msg_cb
4708 server_context.sni_callback = sni_cb
4709
4710 server = ThreadedEchoServer(context=server_context, chatty=False)
4711 with server:
4712 with client_context.wrap_socket(socket.socket(),
4713 server_hostname=hostname) as s:
4714 s.connect((HOST, server.port))
4715 with client_context.wrap_socket(socket.socket(),
4716 server_hostname=hostname) as s:
4717 s.connect((HOST, server.port))
4718
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4719
Ethan Furmana02cb472021-04-21 10:20:44 -0700[diff] [blame]4720class TestEnumerations(unittest.TestCase):
4721
4722 def test_tlsversion(self):
4723 class CheckedTLSVersion(enum.IntEnum):
4724 MINIMUM_SUPPORTED = _ssl.PROTO_MINIMUM_SUPPORTED
4725 SSLv3 = _ssl.PROTO_SSLv3
4726 TLSv1 = _ssl.PROTO_TLSv1
4727 TLSv1_1 = _ssl.PROTO_TLSv1_1
4728 TLSv1_2 = _ssl.PROTO_TLSv1_2
4729 TLSv1_3 = _ssl.PROTO_TLSv1_3
4730 MAXIMUM_SUPPORTED = _ssl.PROTO_MAXIMUM_SUPPORTED
4731 enum._test_simple_enum(CheckedTLSVersion, TLSVersion)
4732
4733 def test_tlscontenttype(self):
4734 class Checked_TLSContentType(enum.IntEnum):
4735 """Content types (record layer)
4736
4737 See RFC 8446, section B.1
4738 """
4739 CHANGE_CIPHER_SPEC = 20
4740 ALERT = 21
4741 HANDSHAKE = 22
4742 APPLICATION_DATA = 23
4743 # pseudo content types
4744 HEADER = 0x100
4745 INNER_CONTENT_TYPE = 0x101
4746 enum._test_simple_enum(Checked_TLSContentType, _TLSContentType)
4747
4748 def test_tlsalerttype(self):
4749 class Checked_TLSAlertType(enum.IntEnum):
4750 """Alert types for TLSContentType.ALERT messages
4751
4752 See RFC 8466, section B.2
4753 """
4754 CLOSE_NOTIFY = 0
4755 UNEXPECTED_MESSAGE = 10
4756 BAD_RECORD_MAC = 20
4757 DECRYPTION_FAILED = 21
4758 RECORD_OVERFLOW = 22
4759 DECOMPRESSION_FAILURE = 30
4760 HANDSHAKE_FAILURE = 40
4761 NO_CERTIFICATE = 41
4762 BAD_CERTIFICATE = 42
4763 UNSUPPORTED_CERTIFICATE = 43
4764 CERTIFICATE_REVOKED = 44
4765 CERTIFICATE_EXPIRED = 45
4766 CERTIFICATE_UNKNOWN = 46
4767 ILLEGAL_PARAMETER = 47
4768 UNKNOWN_CA = 48
4769 ACCESS_DENIED = 49
4770 DECODE_ERROR = 50
4771 DECRYPT_ERROR = 51
4772 EXPORT_RESTRICTION = 60
4773 PROTOCOL_VERSION = 70
4774 INSUFFICIENT_SECURITY = 71
4775 INTERNAL_ERROR = 80
4776 INAPPROPRIATE_FALLBACK = 86
4777 USER_CANCELED = 90
4778 NO_RENEGOTIATION = 100
4779 MISSING_EXTENSION = 109
4780 UNSUPPORTED_EXTENSION = 110
4781 CERTIFICATE_UNOBTAINABLE = 111
4782 UNRECOGNIZED_NAME = 112
4783 BAD_CERTIFICATE_STATUS_RESPONSE = 113
4784 BAD_CERTIFICATE_HASH_VALUE = 114
4785 UNKNOWN_PSK_IDENTITY = 115
4786 CERTIFICATE_REQUIRED = 116
4787 NO_APPLICATION_PROTOCOL = 120
4788 enum._test_simple_enum(Checked_TLSAlertType, _TLSAlertType)
4789
4790 def test_tlsmessagetype(self):
4791 class Checked_TLSMessageType(enum.IntEnum):
4792 """Message types (handshake protocol)
4793
4794 See RFC 8446, section B.3
4795 """
4796 HELLO_REQUEST = 0
4797 CLIENT_HELLO = 1
4798 SERVER_HELLO = 2
4799 HELLO_VERIFY_REQUEST = 3
4800 NEWSESSION_TICKET = 4
4801 END_OF_EARLY_DATA = 5
4802 HELLO_RETRY_REQUEST = 6
4803 ENCRYPTED_EXTENSIONS = 8
4804 CERTIFICATE = 11
4805 SERVER_KEY_EXCHANGE = 12
4806 CERTIFICATE_REQUEST = 13
4807 SERVER_DONE = 14
4808 CERTIFICATE_VERIFY = 15
4809 CLIENT_KEY_EXCHANGE = 16
4810 FINISHED = 20
4811 CERTIFICATE_URL = 21
4812 CERTIFICATE_STATUS = 22
4813 SUPPLEMENTAL_DATA = 23
4814 KEY_UPDATE = 24
4815 NEXT_PROTO = 67
4816 MESSAGE_HASH = 254
4817 CHANGE_CIPHER_SPEC = 0x0101
4818 enum._test_simple_enum(Checked_TLSMessageType, _TLSMessageType)
4819
4820 def test_sslmethod(self):
4821 Checked_SSLMethod = enum._old_convert_(
4822 enum.IntEnum, '_SSLMethod', 'ssl',
4823 lambda name: name.startswith('PROTOCOL_') and name != 'PROTOCOL_SSLv23',
4824 source=ssl._ssl,
4825 )
4826 enum._test_simple_enum(Checked_SSLMethod, ssl._SSLMethod)
4827
4828 def test_options(self):
4829 CheckedOptions = enum._old_convert_(
4830 enum.FlagEnum, 'Options', 'ssl',
4831 lambda name: name.startswith('OP_'),
4832 source=ssl._ssl,
4833 )
4834 enum._test_simple_enum(CheckedOptions, ssl.Options)
4835
4836
4837 def test_alertdescription(self):
4838 CheckedAlertDescription = enum._old_convert_(
4839 enum.IntEnum, 'AlertDescription', 'ssl',
4840 lambda name: name.startswith('ALERT_DESCRIPTION_'),
4841 source=ssl._ssl,
4842 )
4843 enum._test_simple_enum(CheckedAlertDescription, ssl.AlertDescription)
4844
4845 def test_sslerrornumber(self):
4846 Checked_SSLMethod = enum._old_convert_(
4847 enum.IntEnum, '_SSLMethod', 'ssl',
4848 lambda name: name.startswith('PROTOCOL_') and name != 'PROTOCOL_SSLv23',
4849 source=ssl._ssl,
4850 )
4851 enum._test_simple_enum(Checked_SSLMethod, ssl._SSLMethod)
4852
4853 def test_verifyflags(self):
4854 CheckedVerifyFlags = enum._old_convert_(
4855 enum.FlagEnum, 'VerifyFlags', 'ssl',
4856 lambda name: name.startswith('VERIFY_'),
4857 source=ssl._ssl,
4858 )
4859 enum._test_simple_enum(CheckedVerifyFlags, ssl.VerifyFlags)
4860
4861 def test_verifymode(self):
4862 CheckedVerifyMode = enum._old_convert_(
4863 enum.IntEnum, 'VerifyMode', 'ssl',
4864 lambda name: name.startswith('CERT_'),
4865 source=ssl._ssl,
4866 )
4867 enum._test_simple_enum(CheckedVerifyMode, ssl.VerifyMode)
4868
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]4869def test_main(verbose=False):
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]4870 if support.verbose:
4871 plats = {
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]4872 'Mac': platform.mac_ver,
4873 'Windows': platform.win32_ver,
4874 }
Petr Viktorin8b94b412018-05-16 11:51:18 -0400[diff] [blame]4875 for name, func in plats.items():
4876 plat = func()
4877 if plat and plat[0]:
4878 plat = '%s %r' % (name, plat)
4879 break
4880 else:
4881 plat = repr(platform.platform())
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]4882 print("test_ssl: testing with %r %r" %
4883 (ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO))
4884 print(" under %s" % plat)
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]4885 print(" HAS_SNI = %r" % ssl.HAS_SNI)
Antoine Pitrou609ef012013-03-29 18:09:06 +0100[diff] [blame]4886 print(" OP_ALL = 0x%8x" % ssl.OP_ALL)
4887 try:
4888 print(" OP_NO_TLSv1_1 = 0x%8x" % ssl.OP_NO_TLSv1_1)
4889 except AttributeError:
4890 pass
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]4891
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]4892 for filename in [
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]4893 CERTFILE, BYTES_CERTFILE,
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]4894 ONLYCERT, ONLYKEY, BYTES_ONLYCERT, BYTES_ONLYKEY,
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4895 SIGNED_CERTFILE, SIGNED_CERTFILE2, SIGNING_CA,
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]4896 BADCERT, BADKEY, EMPTYCERT]:
4897 if not os.path.exists(filename):
4898 raise support.TestFailed("Can't read certificate file %r" % filename)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]4899
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]4900 tests = [
4901 ContextTests, BasicSocketTests, SSLErrorTests, MemoryBIOTests,
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]4902 SSLObjectTests, SimpleBackgroundTests, ThreadedTests,
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4903 TestPostHandshakeAuth, TestSSLDebug
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]4904 ]
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]4905
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]4906 if support.is_resource_enabled('network'):
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]4907 tests.append(NetworkedTests)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]4908
Hai Shie80697d2020-05-28 06:10:27 +0800[diff] [blame]4909 thread_info = threading_helper.threading_setup()
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]4910 try:
4911 support.run_unittest(*tests)
4912 finally:
Hai Shie80697d2020-05-28 06:10:27 +0800[diff] [blame]4913 threading_helper.threading_cleanup(*thread_info)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]4914
4915if __name__ == "__main__":
4916 test_main()