Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython3 / a460ab3134cd5cf3932c2125aec012851268f0cc / . / Lib / test / test_ssl.py
blob: 71260bd9827db406b74827ee64399166b930e47d [file] [log] [blame]
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]1# Test the support for SSL and sockets
2
3import sys
4import unittest
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]5import unittest.mock
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]6from test import support
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]7from test.support import import_helper
8from test.support import os_helper
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]9from test.support import socket_helper
Hai Shie80697d2020-05-28 06:10:27 +0800[diff] [blame]10from test.support import threading_helper
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]11from test.support import warnings_helper
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]12import socket
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]13import select
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]14import time
Ethan Furmana02cb472021-04-21 10:20:44 -0700[diff] [blame]15import datetime
16import enum
Antoine Pitroucfcd8ad2010-04-23 23:31:47 +0000[diff] [blame]17import gc
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]18import os
Antoine Pitroucfcd8ad2010-04-23 23:31:47 +0000[diff] [blame]19import errno
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]20import pprint
Antoine Pitrou803e6d62010-10-13 10:36:15 +0000[diff] [blame]21import urllib.request
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]22import threading
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]23import traceback
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]24import asyncore
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]25import weakref
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]26import platform
Christian Heimes892d66e2018-01-29 14:10:18 +0100[diff] [blame]27import sysconfig
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]28import functools
Christian Heimes888bbdc2017-09-07 14:18:21 -0700[diff] [blame]29try:
30 import ctypes
31except ImportError:
32 ctypes = None
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]33
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]34ssl = import_helper.import_module("ssl")
Antoine Pitrou05d936d2010-10-13 11:38:36 +0000[diff] [blame]35
Ethan Furmana02cb472021-04-21 10:20:44 -0700[diff] [blame]36from ssl import TLSVersion, _TLSContentType, _TLSMessageType, _TLSAlertType
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]37
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]38Py_DEBUG = hasattr(sys, 'gettotalrefcount')
39Py_DEBUG_WIN32 = Py_DEBUG and sys.platform == 'win32'
40
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]41PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]42HOST = socket_helper.HOST
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]43IS_OPENSSL_3_0_0 = ssl.OPENSSL_VERSION_INFO >= (3, 0, 0)
Christian Heimes892d66e2018-01-29 14:10:18 +0100[diff] [blame]44PY_SSL_DEFAULT_CIPHERS = sysconfig.get_config_var('PY_SSL_DEFAULT_CIPHERS')
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]45
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]46PROTOCOL_TO_TLS_VERSION = {}
47for proto, ver in (
48 ("PROTOCOL_SSLv23", "SSLv3"),
49 ("PROTOCOL_TLSv1", "TLSv1"),
50 ("PROTOCOL_TLSv1_1", "TLSv1_1"),
51):
52 try:
53 proto = getattr(ssl, proto)
54 ver = getattr(ssl.TLSVersion, ver)
55 except AttributeError:
56 continue
57 PROTOCOL_TO_TLS_VERSION[proto] = ver
58
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]59def data_file(*name):
60 return os.path.join(os.path.dirname(__file__), *name)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]61
Antoine Pitrou81564092010-10-08 23:06:24 +0000[diff] [blame]62# The custom key and certificate files used in test_ssl are generated
63# using Lib/test/make_ssl_certs.py.
64# Other certificates are simply fetched from the Internet servers they
65# are meant to authenticate.
66
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]67CERTFILE = data_file("keycert.pem")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]68BYTES_CERTFILE = os.fsencode(CERTFILE)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]69ONLYCERT = data_file("ssl_cert.pem")
70ONLYKEY = data_file("ssl_key.pem")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]71BYTES_ONLYCERT = os.fsencode(ONLYCERT)
72BYTES_ONLYKEY = os.fsencode(ONLYKEY)
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]73CERTFILE_PROTECTED = data_file("keycert.passwd.pem")
74ONLYKEY_PROTECTED = data_file("ssl_key.passwd.pem")
75KEY_PASSWORD = "somepass"
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]76CAPATH = data_file("capath")
Victor Stinner313a1202010-06-11 23:56:51 +0000[diff] [blame]77BYTES_CAPATH = os.fsencode(CAPATH)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]78CAFILE_NEURONIO = data_file("capath", "4e1295a3.0")
79CAFILE_CACERT = data_file("capath", "5ed36f99.0")
80
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]81CERTFILE_INFO = {
82 'issuer': ((('countryName', 'XY'),),
83 (('localityName', 'Castle Anthrax'),),
84 (('organizationName', 'Python Software Foundation'),),
85 (('commonName', 'localhost'),)),
Christian Heimese6dac002018-08-30 07:25:49 +0200[diff] [blame]86 'notAfter': 'Aug 26 14:23:15 2028 GMT',
87 'notBefore': 'Aug 29 14:23:15 2018 GMT',
88 'serialNumber': '98A7CF88C74A32ED',
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]89 'subject': ((('countryName', 'XY'),),
90 (('localityName', 'Castle Anthrax'),),
91 (('organizationName', 'Python Software Foundation'),),
92 (('commonName', 'localhost'),)),
93 'subjectAltName': (('DNS', 'localhost'),),
94 'version': 3
95}
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]96
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]97# empty CRL
98CRLFILE = data_file("revocation.crl")
99
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]100# Two keys and certs signed by the same CA (for SNI tests)
101SIGNED_CERTFILE = data_file("keycert3.pem")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]102SIGNED_CERTFILE_HOSTNAME = 'localhost'
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]103
104SIGNED_CERTFILE_INFO = {
105 'OCSP': ('http://testca.pythontest.net/testca/ocsp/',),
106 'caIssuers': ('http://testca.pythontest.net/testca/pycacert.cer',),
107 'crlDistributionPoints': ('http://testca.pythontest.net/testca/revocation.crl',),
108 'issuer': ((('countryName', 'XY'),),
109 (('organizationName', 'Python Software Foundation CA'),),
110 (('commonName', 'our-ca-server'),)),
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]111 'notAfter': 'Oct 28 14:23:16 2037 GMT',
Christian Heimese6dac002018-08-30 07:25:49 +0200[diff] [blame]112 'notBefore': 'Aug 29 14:23:16 2018 GMT',
113 'serialNumber': 'CB2D80995A69525C',
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]114 'subject': ((('countryName', 'XY'),),
115 (('localityName', 'Castle Anthrax'),),
116 (('organizationName', 'Python Software Foundation'),),
117 (('commonName', 'localhost'),)),
118 'subjectAltName': (('DNS', 'localhost'),),
119 'version': 3
120}
121
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]122SIGNED_CERTFILE2 = data_file("keycert4.pem")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]123SIGNED_CERTFILE2_HOSTNAME = 'fakehostname'
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]124SIGNED_CERTFILE_ECC = data_file("keycertecc.pem")
125SIGNED_CERTFILE_ECC_HOSTNAME = 'localhost-ecc'
126
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]127# Same certificate as pycacert.pem, but without extra text in file
128SIGNING_CA = data_file("capath", "ceff1710.0")
Christian Heimes1c03abd2016-09-06 23:25:35 +0200[diff] [blame]129# cert with all kinds of subject alt names
130ALLSANFILE = data_file("allsans.pem")
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]131IDNSANSFILE = data_file("idnsans.pem")
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]132NOSANFILE = data_file("nosan.pem")
133NOSAN_HOSTNAME = 'localhost'
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]134
Martin Panter3d81d932016-01-14 09:36:00 +0000[diff] [blame]135REMOTE_HOST = "self-signed.pythontest.net"
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]136
137EMPTYCERT = data_file("nullcert.pem")
138BADCERT = data_file("badcert.pem")
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]139NONEXISTINGCERT = data_file("XXXnonexisting.pem")
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]140BADKEY = data_file("badkey.pem")
Antoine Pitroud8c347a2011-10-01 19:20:25 +0200[diff] [blame]141NOKIACERT = data_file("nokia.pem")
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]142NULLBYTECERT = data_file("nullbytecert.pem")
Christian Heimesa37f5242019-01-15 23:47:42 +0100[diff] [blame]143TALOS_INVALID_CRLDP = data_file("talos-2019-0758.pem")
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]144
Christian Heimes88bfd0b2018-08-14 12:54:19 +0200[diff] [blame]145DHFILE = data_file("ffdh3072.pem")
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]146BYTES_DHFILE = os.fsencode(DHFILE)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]147
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]148# Not defined in all versions of OpenSSL
149OP_NO_COMPRESSION = getattr(ssl, "OP_NO_COMPRESSION", 0)
150OP_SINGLE_DH_USE = getattr(ssl, "OP_SINGLE_DH_USE", 0)
151OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
152OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]153OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
Christian Heimes6f37ebc2021-04-09 17:59:21 +0200[diff] [blame]154OP_IGNORE_UNEXPECTED_EOF = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]155
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]156# Ubuntu has patched OpenSSL and changed behavior of security level 2
157# see https://bugs.python.org/issue41561#msg389003
158def is_ubuntu():
159 try:
160 # Assume that any references of "ubuntu" implies Ubuntu-like distro
161 # The workaround is not required for 18.04, but doesn't hurt either.
162 with open("/etc/os-release", encoding="utf-8") as f:
163 return "ubuntu" in f.read()
164 except FileNotFoundError:
165 return False
166
167if is_ubuntu():
168 def seclevel_workaround(*ctxs):
169 """"Lower security level to '1' and allow all ciphers for TLS 1.0/1"""
170 for ctx in ctxs:
Christian Heimes34477502021-04-12 12:00:38 +0200[diff] [blame]171 if (
172 hasattr(ctx, "minimum_version") and
173 ctx.minimum_version <= ssl.TLSVersion.TLSv1_1
174 ):
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]175 ctx.set_ciphers("@SECLEVEL=1:ALL")
176else:
177 def seclevel_workaround(*ctxs):
178 pass
179
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]180
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]181def has_tls_protocol(protocol):
182 """Check if a TLS protocol is available and enabled
183
184 :param protocol: enum ssl._SSLMethod member or name
185 :return: bool
186 """
187 if isinstance(protocol, str):
188 assert protocol.startswith('PROTOCOL_')
189 protocol = getattr(ssl, protocol, None)
190 if protocol is None:
191 return False
192 if protocol in {
193 ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS_SERVER,
194 ssl.PROTOCOL_TLS_CLIENT
195 }:
196 # auto-negotiate protocols are always available
197 return True
198 name = protocol.name
199 return has_tls_version(name[len('PROTOCOL_'):])
200
201
202@functools.lru_cache
203def has_tls_version(version):
204 """Check if a TLS/SSL version is enabled
205
206 :param version: TLS version name or ssl.TLSVersion member
207 :return: bool
208 """
209 if version == "SSLv2":
210 # never supported and not even in TLSVersion enum
211 return False
212
213 if isinstance(version, str):
214 version = ssl.TLSVersion.__members__[version]
215
216 # check compile time flags like ssl.HAS_TLSv1_2
217 if not getattr(ssl, f'HAS_{version.name}'):
218 return False
219
Christian Heimes5151d642021-04-09 15:43:06 +0200[diff] [blame]220 if IS_OPENSSL_3_0_0 and version < ssl.TLSVersion.TLSv1_2:
221 # bpo43791: 3.0.0-alpha14 fails with TLSV1_ALERT_INTERNAL_ERROR
222 return False
223
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]224 # check runtime and dynamic crypto policy settings. A TLS version may
225 # be compiled in but disabled by a policy or config option.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]226 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]227 if (
Christian Heimes9f772682019-09-26 18:23:17 +0200[diff] [blame]228 hasattr(ctx, 'minimum_version') and
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]229 ctx.minimum_version != ssl.TLSVersion.MINIMUM_SUPPORTED and
230 version < ctx.minimum_version
231 ):
232 return False
233 if (
Christian Heimes9f772682019-09-26 18:23:17 +0200[diff] [blame]234 hasattr(ctx, 'maximum_version') and
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]235 ctx.maximum_version != ssl.TLSVersion.MAXIMUM_SUPPORTED and
236 version > ctx.maximum_version
237 ):
238 return False
239
240 return True
241
242
243def requires_tls_version(version):
244 """Decorator to skip tests when a required TLS version is not available
245
246 :param version: TLS version name or ssl.TLSVersion member
247 :return:
248 """
249 def decorator(func):
250 @functools.wraps(func)
251 def wrapper(*args, **kw):
252 if not has_tls_version(version):
253 raise unittest.SkipTest(f"{version} is not available.")
254 else:
255 return func(*args, **kw)
256 return wrapper
257 return decorator
258
259
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]260def handle_error(prefix):
261 exc_format = ' '.join(traceback.format_exception(*sys.exc_info()))
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]262 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]263 sys.stdout.write(prefix + exc_format)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]264
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]265
Antoine Pitrouc695c952014-04-28 20:57:36 +0200[diff] [blame]266def utc_offset(): #NOTE: ignore issues like #1647654
267 # local time = utc time + utc offset
268 if time.daylight and time.localtime().tm_isdst > 0:
269 return -time.altzone # seconds
270 return -time.timezone
271
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]272
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]273ignore_deprecation = warnings_helper.ignore_warnings(
274 category=DeprecationWarning
275)
Antoine Pitrou23df4832010-08-04 17:14:06 +0000[diff] [blame]276
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]277
278def test_wrap_socket(sock, *,
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]279 cert_reqs=ssl.CERT_NONE, ca_certs=None,
280 ciphers=None, certfile=None, keyfile=None,
281 **kwargs):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]282 if not kwargs.get("server_side"):
283 kwargs["server_hostname"] = SIGNED_CERTFILE_HOSTNAME
284 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
285 else:
286 context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]287 if cert_reqs is not None:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]288 if cert_reqs == ssl.CERT_NONE:
289 context.check_hostname = False
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]290 context.verify_mode = cert_reqs
291 if ca_certs is not None:
292 context.load_verify_locations(ca_certs)
293 if certfile is not None or keyfile is not None:
294 context.load_cert_chain(certfile, keyfile)
295 if ciphers is not None:
296 context.set_ciphers(ciphers)
297 return context.wrap_socket(sock, **kwargs)
298
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]299
300def testing_context(server_cert=SIGNED_CERTFILE):
301 """Create context
302
303 client_context, server_context, hostname = testing_context()
304 """
305 if server_cert == SIGNED_CERTFILE:
306 hostname = SIGNED_CERTFILE_HOSTNAME
307 elif server_cert == SIGNED_CERTFILE2:
308 hostname = SIGNED_CERTFILE2_HOSTNAME
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]309 elif server_cert == NOSANFILE:
310 hostname = NOSAN_HOSTNAME
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]311 else:
312 raise ValueError(server_cert)
313
314 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
315 client_context.load_verify_locations(SIGNING_CA)
316
317 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
318 server_context.load_cert_chain(server_cert)
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]319 server_context.load_verify_locations(SIGNING_CA)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]320
321 return client_context, server_context, hostname
322
323
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]324class BasicSocketTests(unittest.TestCase):
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]325
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]326 def test_constants(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]327 ssl.CERT_NONE
328 ssl.CERT_OPTIONAL
329 ssl.CERT_REQUIRED
Antoine Pitrou6db49442011-12-19 13:27:11 +0100[diff] [blame]330 ssl.OP_CIPHER_SERVER_PREFERENCE
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]331 ssl.OP_SINGLE_DH_USE
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]332 ssl.OP_SINGLE_ECDH_USE
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]333 ssl.OP_NO_COMPRESSION
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]334 self.assertEqual(ssl.HAS_SNI, True)
335 self.assertEqual(ssl.HAS_ECDH, True)
336 self.assertEqual(ssl.HAS_TLSv1_2, True)
337 self.assertEqual(ssl.HAS_TLSv1_3, True)
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]338 ssl.OP_NO_SSLv2
339 ssl.OP_NO_SSLv3
340 ssl.OP_NO_TLSv1
341 ssl.OP_NO_TLSv1_3
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]342 ssl.OP_NO_TLSv1_1
343 ssl.OP_NO_TLSv1_2
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]344 self.assertEqual(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv23)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]345
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]346 def test_private_init(self):
347 with self.assertRaisesRegex(TypeError, "public constructor"):
348 with socket.socket() as s:
349 ssl.SSLSocket(s)
350
Antoine Pitrou172f0252014-04-18 20:33:08 +0200[diff] [blame]351 def test_str_for_enums(self):
352 # Make sure that the PROTOCOL_* constants have enum-like string
353 # reprs.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]354 proto = ssl.PROTOCOL_TLS_CLIENT
355 self.assertEqual(str(proto), 'PROTOCOL_TLS_CLIENT')
Antoine Pitrou172f0252014-04-18 20:33:08 +0200[diff] [blame]356 ctx = ssl.SSLContext(proto)
357 self.assertIs(ctx.protocol, proto)
358
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]359 def test_random(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]360 v = ssl.RAND_status()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]361 if support.verbose:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]362 sys.stdout.write("\n RAND_status is %d (%s)\n"
363 % (v, (v and "sufficient randomness") or
364 "insufficient randomness"))
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]365
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]366 with warnings_helper.check_warnings():
367 data, is_cryptographic = ssl.RAND_pseudo_bytes(16)
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]368 self.assertEqual(len(data), 16)
369 self.assertEqual(is_cryptographic, v == 1)
370 if v:
371 data = ssl.RAND_bytes(16)
372 self.assertEqual(len(data), 16)
Victor Stinner2e2baa92011-05-25 11:15:16 +0200[diff] [blame]373 else:
374 self.assertRaises(ssl.SSLError, ssl.RAND_bytes, 16)
Victor Stinner99c8b162011-05-24 12:05:19 +0200[diff] [blame]375
Victor Stinner1e81a392013-12-19 16:47:04 +0100[diff] [blame]376 # negative num is invalid
377 self.assertRaises(ValueError, ssl.RAND_bytes, -5)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]378 with warnings_helper.check_warnings():
379 self.assertRaises(ValueError, ssl.RAND_pseudo_bytes, -5)
Victor Stinner1e81a392013-12-19 16:47:04 +0100[diff] [blame]380
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]381 ssl.RAND_add("this is a random string", 75.0)
Serhiy Storchaka8490f5a2015-03-20 09:00:36 +0200[diff] [blame]382 ssl.RAND_add(b"this is a random bytes object", 75.0)
383 ssl.RAND_add(bytearray(b"this is a random bytearray object"), 75.0)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]384
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]385 def test_parse_cert(self):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]386 # note that this uses an 'unofficial' function in _ssl.c,
387 # provided solely for this test, to exercise the certificate
388 # parsing code
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]389 self.assertEqual(
390 ssl._ssl._test_decode_cert(CERTFILE),
391 CERTFILE_INFO
392 )
393 self.assertEqual(
394 ssl._ssl._test_decode_cert(SIGNED_CERTFILE),
395 SIGNED_CERTFILE_INFO
396 )
397
Antoine Pitroud8c347a2011-10-01 19:20:25 +0200[diff] [blame]398 # Issue #13034: the subjectAltName in some certificates
399 # (notably projects.developer.nokia.com:443) wasn't parsed
400 p = ssl._ssl._test_decode_cert(NOKIACERT)
401 if support.verbose:
402 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
403 self.assertEqual(p['subjectAltName'],
404 (('DNS', 'projects.developer.nokia.com'),
405 ('DNS', 'projects.forum.nokia.com'))
406 )
Christian Heimesbd3a7f92013-11-21 03:40:15 +0100[diff] [blame]407 # extra OCSP and AIA fields
408 self.assertEqual(p['OCSP'], ('http://ocsp.verisign.com',))
409 self.assertEqual(p['caIssuers'],
410 ('http://SVRIntl-G3-aia.verisign.com/SVRIntlG3.cer',))
411 self.assertEqual(p['crlDistributionPoints'],
412 ('http://SVRIntl-G3-crl.verisign.com/SVRIntlG3.crl',))
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]413
Christian Heimesa37f5242019-01-15 23:47:42 +0100[diff] [blame]414 def test_parse_cert_CVE_2019_5010(self):
415 p = ssl._ssl._test_decode_cert(TALOS_INVALID_CRLDP)
416 if support.verbose:
417 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
418 self.assertEqual(
419 p,
420 {
421 'issuer': (
422 (('countryName', 'UK'),), (('commonName', 'cody-ca'),)),
423 'notAfter': 'Jun 14 18:00:58 2028 GMT',
424 'notBefore': 'Jun 18 18:00:58 2018 GMT',
425 'serialNumber': '02',
426 'subject': ((('countryName', 'UK'),),
427 (('commonName',
428 'codenomicon-vm-2.test.lal.cisco.com'),)),
429 'subjectAltName': (
430 ('DNS', 'codenomicon-vm-2.test.lal.cisco.com'),),
431 'version': 3
432 }
433 )
434
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]435 def test_parse_cert_CVE_2013_4238(self):
436 p = ssl._ssl._test_decode_cert(NULLBYTECERT)
437 if support.verbose:
438 sys.stdout.write("\n" + pprint.pformat(p) + "\n")
439 subject = ((('countryName', 'US'),),
440 (('stateOrProvinceName', 'Oregon'),),
441 (('localityName', 'Beaverton'),),
442 (('organizationName', 'Python Software Foundation'),),
443 (('organizationalUnitName', 'Python Core Development'),),
444 (('commonName', 'null.python.org\x00example.org'),),
445 (('emailAddress', 'python-dev@python.org'),))
446 self.assertEqual(p['subject'], subject)
447 self.assertEqual(p['issuer'], subject)
Christian Heimes157c9832013-08-25 14:12:41 +0200[diff] [blame]448 if ssl._OPENSSL_API_VERSION >= (0, 9, 8):
449 san = (('DNS', 'altnull.python.org\x00example.com'),
450 ('email', 'null@python.org\x00user@example.org'),
451 ('URI', 'http://null.python.org\x00http://example.org'),
452 ('IP Address', '192.0.2.1'),
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]453 ('IP Address', '2001:DB8:0:0:0:0:0:1'))
Christian Heimes157c9832013-08-25 14:12:41 +0200[diff] [blame]454 else:
455 # OpenSSL 0.9.7 doesn't support IPv6 addresses in subjectAltName
456 san = (('DNS', 'altnull.python.org\x00example.com'),
457 ('email', 'null@python.org\x00user@example.org'),
458 ('URI', 'http://null.python.org\x00http://example.org'),
459 ('IP Address', '192.0.2.1'),
460 ('IP Address', '<invalid>'))
461
462 self.assertEqual(p['subjectAltName'], san)
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]463
Christian Heimes1c03abd2016-09-06 23:25:35 +0200[diff] [blame]464 def test_parse_all_sans(self):
465 p = ssl._ssl._test_decode_cert(ALLSANFILE)
466 self.assertEqual(p['subjectAltName'],
467 (
468 ('DNS', 'allsans'),
469 ('othername', '<unsupported>'),
470 ('othername', '<unsupported>'),
471 ('email', 'user@example.org'),
472 ('DNS', 'www.example.org'),
473 ('DirName',
474 ((('countryName', 'XY'),),
475 (('localityName', 'Castle Anthrax'),),
476 (('organizationName', 'Python Software Foundation'),),
477 (('commonName', 'dirname example'),))),
478 ('URI', 'https://www.python.org/'),
479 ('IP Address', '127.0.0.1'),
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]480 ('IP Address', '0:0:0:0:0:0:0:1'),
Christian Heimes1c03abd2016-09-06 23:25:35 +0200[diff] [blame]481 ('Registered ID', '1.2.3.4.5')
482 )
483 )
484
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]485 def test_DER_to_PEM(self):
Martin Panter3d81d932016-01-14 09:36:00 +0000[diff] [blame]486 with open(CAFILE_CACERT, 'r') as f:
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]487 pem = f.read()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]488 d1 = ssl.PEM_cert_to_DER_cert(pem)
489 p2 = ssl.DER_cert_to_PEM_cert(d1)
490 d2 = ssl.PEM_cert_to_DER_cert(p2)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]491 self.assertEqual(d1, d2)
Antoine Pitrou9bfbe612010-04-27 22:08:08 +0000[diff] [blame]492 if not p2.startswith(ssl.PEM_HEADER + '\n'):
493 self.fail("DER-to-PEM didn't include correct header:\n%r\n" % p2)
494 if not p2.endswith('\n' + ssl.PEM_FOOTER + '\n'):
495 self.fail("DER-to-PEM didn't include correct footer:\n%r\n" % p2)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]496
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]497 def test_openssl_version(self):
498 n = ssl.OPENSSL_VERSION_NUMBER
499 t = ssl.OPENSSL_VERSION_INFO
500 s = ssl.OPENSSL_VERSION
501 self.assertIsInstance(n, int)
502 self.assertIsInstance(t, tuple)
503 self.assertIsInstance(s, str)
504 # Some sanity checks follow
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]505 # >= 1.1.1
506 self.assertGreaterEqual(n, 0x10101000)
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]507 # < 4.0
508 self.assertLess(n, 0x40000000)
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]509 major, minor, fix, patch, status = t
Christian Heimes2b7de662019-12-07 17:59:36 +0100[diff] [blame]510 self.assertGreaterEqual(major, 1)
511 self.assertLess(major, 4)
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]512 self.assertGreaterEqual(minor, 0)
513 self.assertLess(minor, 256)
514 self.assertGreaterEqual(fix, 0)
515 self.assertLess(fix, 256)
516 self.assertGreaterEqual(patch, 0)
Ned Deily05784a72015-02-05 17:20:13 +1100[diff] [blame]517 self.assertLessEqual(patch, 63)
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]518 self.assertGreaterEqual(status, 0)
519 self.assertLessEqual(status, 15)
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]520
521 libressl_ver = f"LibreSSL {major:d}"
522 openssl_ver = f"OpenSSL {major:d}.{minor:d}.{fix:d}"
523 self.assertTrue(
524 s.startswith((openssl_ver, libressl_ver)),
525 (s, t, hex(n))
526 )
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]527
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]528 @support.cpython_only
529 def test_refcycle(self):
530 # Issue #7943: an SSL object doesn't create reference cycles with
531 # itself.
532 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]533 ss = test_wrap_socket(s)
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]534 wr = weakref.ref(ss)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]535 with warnings_helper.check_warnings(("", ResourceWarning)):
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]536 del ss
Victor Stinnere0b75b72016-03-21 17:26:04 +0100[diff] [blame]537 self.assertEqual(wr(), None)
Antoine Pitrou9d543662010-04-23 23:10:32 +0000[diff] [blame]538
Antoine Pitroua468adc2010-09-14 14:43:44 +0000[diff] [blame]539 def test_wrapped_unconnected(self):
540 # Methods on an unconnected SSLSocket propagate the original
Andrew Svetlov0832af62012-12-18 23:10:48 +0200[diff] [blame]541 # OSError raise by the underlying socket object.
Antoine Pitroua468adc2010-09-14 14:43:44 +0000[diff] [blame]542 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]543 with test_wrap_socket(s) as ss:
Antoine Pitroue9bb4732013-01-12 21:56:56 +0100[diff] [blame]544 self.assertRaises(OSError, ss.recv, 1)
545 self.assertRaises(OSError, ss.recv_into, bytearray(b'x'))
546 self.assertRaises(OSError, ss.recvfrom, 1)
547 self.assertRaises(OSError, ss.recvfrom_into, bytearray(b'x'), 1)
548 self.assertRaises(OSError, ss.send, b'x')
549 self.assertRaises(OSError, ss.sendto, b'x', ('0.0.0.0', 0))
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]550 self.assertRaises(NotImplementedError, ss.dup)
Christian Heimes141c5e82018-02-24 21:10:57 +0100[diff] [blame]551 self.assertRaises(NotImplementedError, ss.sendmsg,
552 [b'x'], (), 0, ('0.0.0.0', 0))
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]553 self.assertRaises(NotImplementedError, ss.recvmsg, 100)
554 self.assertRaises(NotImplementedError, ss.recvmsg_into,
555 [bytearray(100)])
Antoine Pitroua468adc2010-09-14 14:43:44 +0000[diff] [blame]556
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]557 def test_timeout(self):
558 # Issue #8524: when creating an SSL socket, the timeout of the
559 # original socket should be retained.
560 for timeout in (None, 0.0, 5.0):
561 s = socket.socket(socket.AF_INET)
562 s.settimeout(timeout)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]563 with test_wrap_socket(s) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]564 self.assertEqual(timeout, ss.gettimeout())
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]565
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]566 @ignore_deprecation
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]567 def test_errors_sslwrap(self):
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]568 sock = socket.socket()
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]569 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]570 "certfile must be specified",
571 ssl.wrap_socket, sock, keyfile=CERTFILE)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]572 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]573 "certfile must be specified for server-side operations",
574 ssl.wrap_socket, sock, server_side=True)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]575 self.assertRaisesRegex(ValueError,
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]576 "certfile must be specified for server-side operations",
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]577 ssl.wrap_socket, sock, server_side=True, certfile="")
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]578 with ssl.wrap_socket(sock, server_side=True, certfile=CERTFILE) as s:
579 self.assertRaisesRegex(ValueError, "can't connect in server-side mode",
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]580 s.connect, (HOST, 8080))
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]581 with self.assertRaises(OSError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]582 with socket.socket() as sock:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]583 ssl.wrap_socket(sock, certfile=NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]584 self.assertEqual(cm.exception.errno, errno.ENOENT)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]585 with self.assertRaises(OSError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]586 with socket.socket() as sock:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]587 ssl.wrap_socket(sock,
588 certfile=CERTFILE, keyfile=NONEXISTINGCERT)
Giampaolo Rodolà8b7da622010-08-30 18:28:05 +0000[diff] [blame]589 self.assertEqual(cm.exception.errno, errno.ENOENT)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]590 with self.assertRaises(OSError) as cm:
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]591 with socket.socket() as sock:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]592 ssl.wrap_socket(sock,
593 certfile=NONEXISTINGCERT, keyfile=NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]594 self.assertEqual(cm.exception.errno, errno.ENOENT)
Giampaolo Rodolà745ab382010-08-29 19:25:49 +0000[diff] [blame]595
Martin Panter3464ea22016-02-01 21:58:11 +0000[diff] [blame]596 def bad_cert_test(self, certfile):
597 """Check that trying to use the given client certificate fails"""
598 certfile = os.path.join(os.path.dirname(__file__) or os.curdir,
599 certfile)
600 sock = socket.socket()
601 self.addCleanup(sock.close)
602 with self.assertRaises(ssl.SSLError):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]603 test_wrap_socket(sock,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]604 certfile=certfile)
Martin Panter3464ea22016-02-01 21:58:11 +0000[diff] [blame]605
606 def test_empty_cert(self):
607 """Wrapping with an empty cert file"""
608 self.bad_cert_test("nullcert.pem")
609
610 def test_malformed_cert(self):
611 """Wrapping with a badly formatted certificate (syntax error)"""
612 self.bad_cert_test("badcert.pem")
613
614 def test_malformed_key(self):
615 """Wrapping with a badly formatted key (syntax error)"""
616 self.bad_cert_test("badkey.pem")
617
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]618 @ignore_deprecation
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]619 def test_match_hostname(self):
620 def ok(cert, hostname):
621 ssl.match_hostname(cert, hostname)
622 def fail(cert, hostname):
623 self.assertRaises(ssl.CertificateError,
624 ssl.match_hostname, cert, hostname)
625
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]626 # -- Hostname matching --
627
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]628 cert = {'subject': ((('commonName', 'example.com'),),)}
629 ok(cert, 'example.com')
630 ok(cert, 'ExAmple.cOm')
631 fail(cert, 'www.example.com')
632 fail(cert, '.example.com')
633 fail(cert, 'example.org')
634 fail(cert, 'exampleXcom')
635
636 cert = {'subject': ((('commonName', '*.a.com'),),)}
637 ok(cert, 'foo.a.com')
638 fail(cert, 'bar.foo.a.com')
639 fail(cert, 'a.com')
640 fail(cert, 'Xa.com')
641 fail(cert, '.a.com')
642
Mandeep Singhede2ac92017-11-27 04:01:27 +0530[diff] [blame]643 # only match wildcards when they are the only thing
644 # in left-most segment
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]645 cert = {'subject': ((('commonName', 'f*.com'),),)}
Mandeep Singhede2ac92017-11-27 04:01:27 +0530[diff] [blame]646 fail(cert, 'foo.com')
647 fail(cert, 'f.com')
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]648 fail(cert, 'bar.com')
649 fail(cert, 'foo.a.com')
650 fail(cert, 'bar.foo.com')
651
Christian Heimes824f7f32013-08-17 00:54:47 +0200[diff] [blame]652 # NULL bytes are bad, CVE-2013-4073
653 cert = {'subject': ((('commonName',
654 'null.python.org\x00example.org'),),)}
655 ok(cert, 'null.python.org\x00example.org') # or raise an error?
656 fail(cert, 'example.org')
657 fail(cert, 'null.python.org')
658
Georg Brandl72c98d32013-10-27 07:16:53 +0100[diff] [blame]659 # error cases with wildcards
660 cert = {'subject': ((('commonName', '*.*.a.com'),),)}
661 fail(cert, 'bar.foo.a.com')
662 fail(cert, 'a.com')
663 fail(cert, 'Xa.com')
664 fail(cert, '.a.com')
665
666 cert = {'subject': ((('commonName', 'a.*.com'),),)}
667 fail(cert, 'a.foo.com')
668 fail(cert, 'a..com')
669 fail(cert, 'a.com')
670
671 # wildcard doesn't match IDNA prefix 'xn--'
672 idna = 'püthon.python.org'.encode("idna").decode("ascii")
673 cert = {'subject': ((('commonName', idna),),)}
674 ok(cert, idna)
675 cert = {'subject': ((('commonName', 'x*.python.org'),),)}
676 fail(cert, idna)
677 cert = {'subject': ((('commonName', 'xn--p*.python.org'),),)}
678 fail(cert, idna)
679
680 # wildcard in first fragment and IDNA A-labels in sequent fragments
681 # are supported.
682 idna = 'www*.pythön.org'.encode("idna").decode("ascii")
683 cert = {'subject': ((('commonName', idna),),)}
Mandeep Singhede2ac92017-11-27 04:01:27 +0530[diff] [blame]684 fail(cert, 'www.pythön.org'.encode("idna").decode("ascii"))
685 fail(cert, 'www1.pythön.org'.encode("idna").decode("ascii"))
Georg Brandl72c98d32013-10-27 07:16:53 +0100[diff] [blame]686 fail(cert, 'ftp.pythön.org'.encode("idna").decode("ascii"))
687 fail(cert, 'pythön.org'.encode("idna").decode("ascii"))
688
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]689 # Slightly fake real-world example
690 cert = {'notAfter': 'Jun 26 21:41:46 2011 GMT',
691 'subject': ((('commonName', 'linuxfrz.org'),),),
692 'subjectAltName': (('DNS', 'linuxfr.org'),
693 ('DNS', 'linuxfr.com'),
694 ('othername', '<unsupported>'))}
695 ok(cert, 'linuxfr.org')
696 ok(cert, 'linuxfr.com')
697 # Not a "DNS" entry
698 fail(cert, '<unsupported>')
699 # When there is a subjectAltName, commonName isn't used
700 fail(cert, 'linuxfrz.org')
701
702 # A pristine real-world example
703 cert = {'notAfter': 'Dec 18 23:59:59 2011 GMT',
704 'subject': ((('countryName', 'US'),),
705 (('stateOrProvinceName', 'California'),),
706 (('localityName', 'Mountain View'),),
707 (('organizationName', 'Google Inc'),),
708 (('commonName', 'mail.google.com'),))}
709 ok(cert, 'mail.google.com')
710 fail(cert, 'gmail.com')
711 # Only commonName is considered
712 fail(cert, 'California')
713
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]714 # -- IPv4 matching --
715 cert = {'subject': ((('commonName', 'example.com'),),),
716 'subjectAltName': (('DNS', 'example.com'),
717 ('IP Address', '10.11.12.13'),
Christian Heimes477b1b22019-07-02 20:39:42 +0200[diff] [blame]718 ('IP Address', '14.15.16.17'),
719 ('IP Address', '127.0.0.1'))}
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]720 ok(cert, '10.11.12.13')
721 ok(cert, '14.15.16.17')
Christian Heimes477b1b22019-07-02 20:39:42 +0200[diff] [blame]722 # socket.inet_ntoa(socket.inet_aton('127.1')) == '127.0.0.1'
723 fail(cert, '127.1')
724 fail(cert, '14.15.16.17 ')
725 fail(cert, '14.15.16.17 extra data')
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]726 fail(cert, '14.15.16.18')
727 fail(cert, 'example.net')
728
729 # -- IPv6 matching --
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]730 if socket_helper.IPV6_ENABLED:
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]731 cert = {'subject': ((('commonName', 'example.com'),),),
732 'subjectAltName': (
733 ('DNS', 'example.com'),
734 ('IP Address', '2001:0:0:0:0:0:0:CAFE\n'),
735 ('IP Address', '2003:0:0:0:0:0:0:BABA\n'))}
736 ok(cert, '2001::cafe')
737 ok(cert, '2003::baba')
Christian Heimes477b1b22019-07-02 20:39:42 +0200[diff] [blame]738 fail(cert, '2003::baba ')
739 fail(cert, '2003::baba extra data')
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]740 fail(cert, '2003::bebe')
741 fail(cert, 'example.net')
Antoine Pitrouc481bfb2015-02-15 18:12:20 +0100[diff] [blame]742
743 # -- Miscellaneous --
744
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]745 # Neither commonName nor subjectAltName
746 cert = {'notAfter': 'Dec 18 23:59:59 2011 GMT',
747 'subject': ((('countryName', 'US'),),
748 (('stateOrProvinceName', 'California'),),
749 (('localityName', 'Mountain View'),),
750 (('organizationName', 'Google Inc'),))}
751 fail(cert, 'mail.google.com')
752
Antoine Pitrou1c86b442011-05-06 15:19:49 +0200[diff] [blame]753 # No DNS entry in subjectAltName but a commonName
754 cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
755 'subject': ((('countryName', 'US'),),
756 (('stateOrProvinceName', 'California'),),
757 (('localityName', 'Mountain View'),),
758 (('commonName', 'mail.google.com'),)),
759 'subjectAltName': (('othername', 'blabla'), )}
760 ok(cert, 'mail.google.com')
761
762 # No DNS entry subjectAltName and no commonName
763 cert = {'notAfter': 'Dec 18 23:59:59 2099 GMT',
764 'subject': ((('countryName', 'US'),),
765 (('stateOrProvinceName', 'California'),),
766 (('localityName', 'Mountain View'),),
767 (('organizationName', 'Google Inc'),)),
768 'subjectAltName': (('othername', 'blabla'),)}
769 fail(cert, 'google.com')
770
Antoine Pitrou59fdd672010-10-08 10:37:08 +0000[diff] [blame]771 # Empty cert / no cert
772 self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
773 self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
774
Antoine Pitrou636f93c2013-05-18 17:56:42 +0200[diff] [blame]775 # Issue #17980: avoid denials of service by refusing more than one
776 # wildcard per fragment.
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]777 cert = {'subject': ((('commonName', 'a*b.example.com'),),)}
778 with self.assertRaisesRegex(
779 ssl.CertificateError,
780 "partial wildcards in leftmost label are not supported"):
781 ssl.match_hostname(cert, 'axxb.example.com')
782
783 cert = {'subject': ((('commonName', 'www.*.example.com'),),)}
784 with self.assertRaisesRegex(
785 ssl.CertificateError,
786 "wildcard can only be present in the leftmost label"):
787 ssl.match_hostname(cert, 'www.sub.example.com')
788
789 cert = {'subject': ((('commonName', 'a*b*.example.com'),),)}
790 with self.assertRaisesRegex(
791 ssl.CertificateError,
792 "too many wildcards"):
793 ssl.match_hostname(cert, 'axxbxxc.example.com')
794
795 cert = {'subject': ((('commonName', '*'),),)}
796 with self.assertRaisesRegex(
797 ssl.CertificateError,
798 "sole wildcard without additional labels are not support"):
799 ssl.match_hostname(cert, 'host')
800
801 cert = {'subject': ((('commonName', '*.com'),),)}
802 with self.assertRaisesRegex(
803 ssl.CertificateError,
804 r"hostname 'com' doesn't match '\*.com'"):
805 ssl.match_hostname(cert, 'com')
806
807 # extra checks for _inet_paton()
808 for invalid in ['1', '', '1.2.3', '256.0.0.1', '127.0.0.1/24']:
809 with self.assertRaises(ValueError):
810 ssl._inet_paton(invalid)
811 for ipaddr in ['127.0.0.1', '192.168.0.1']:
812 self.assertTrue(ssl._inet_paton(ipaddr))
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]813 if socket_helper.IPV6_ENABLED:
Christian Heimesaef12832018-02-24 14:35:56 +0100[diff] [blame]814 for ipaddr in ['::1', '2001:db8:85a3::8a2e:370:7334']:
815 self.assertTrue(ssl._inet_paton(ipaddr))
Antoine Pitrou636f93c2013-05-18 17:56:42 +0200[diff] [blame]816
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]817 def test_server_side(self):
818 # server_hostname doesn't work for server sockets
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]819 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroud2eca372010-10-29 23:41:37 +0000[diff] [blame]820 with socket.socket() as sock:
821 self.assertRaises(ValueError, ctx.wrap_socket, sock, True,
822 server_hostname="some.hostname")
Antoine Pitrou04f6a322010-04-05 21:40:07 +0000[diff] [blame]823
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]824 def test_unknown_channel_binding(self):
825 # should raise ValueError for unknown type
Giampaolo Rodolaeb7e29f2019-04-09 00:34:02 +0200[diff] [blame]826 s = socket.create_server(('127.0.0.1', 0))
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]827 c = socket.socket(socket.AF_INET)
828 c.connect(s.getsockname())
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]829 with test_wrap_socket(c, do_handshake_on_connect=False) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]830 with self.assertRaises(ValueError):
831 ss.get_channel_binding("unknown-type")
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]832 s.close()
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]833
834 @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
835 "'tls-unique' channel binding not available")
836 def test_tls_unique_channel_binding(self):
837 # unconnected should return None for known type
838 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]839 with test_wrap_socket(s) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]840 self.assertIsNone(ss.get_channel_binding("tls-unique"))
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]841 # the same for server-side
842 s = socket.socket(socket.AF_INET)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]843 with test_wrap_socket(s, server_side=True, certfile=CERTFILE) as ss:
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]844 self.assertIsNone(ss.get_channel_binding("tls-unique"))
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]845
Benjamin Peterson36f7b972013-01-10 14:16:20 -0600[diff] [blame]846 def test_dealloc_warn(self):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]847 ss = test_wrap_socket(socket.socket(socket.AF_INET))
Benjamin Peterson36f7b972013-01-10 14:16:20 -0600[diff] [blame]848 r = repr(ss)
849 with self.assertWarns(ResourceWarning) as cm:
850 ss = None
851 support.gc_collect()
852 self.assertIn(r, str(cm.warning.args[0]))
853
Christian Heimes6d7ad132013-06-09 18:02:55 +0200[diff] [blame]854 def test_get_default_verify_paths(self):
855 paths = ssl.get_default_verify_paths()
856 self.assertEqual(len(paths), 6)
857 self.assertIsInstance(paths, ssl.DefaultVerifyPaths)
858
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]859 with os_helper.EnvironmentVarGuard() as env:
Christian Heimes6d7ad132013-06-09 18:02:55 +0200[diff] [blame]860 env["SSL_CERT_DIR"] = CAPATH
861 env["SSL_CERT_FILE"] = CERTFILE
862 paths = ssl.get_default_verify_paths()
863 self.assertEqual(paths.cafile, CERTFILE)
864 self.assertEqual(paths.capath, CAPATH)
865
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]866 @unittest.skipUnless(sys.platform == "win32", "Windows specific")
867 def test_enum_certificates(self):
868 self.assertTrue(ssl.enum_certificates("CA"))
869 self.assertTrue(ssl.enum_certificates("ROOT"))
870
871 self.assertRaises(TypeError, ssl.enum_certificates)
872 self.assertRaises(WindowsError, ssl.enum_certificates, "")
873
Christian Heimesc2d65e12013-11-22 16:13:55 +0100[diff] [blame]874 trust_oids = set()
875 for storename in ("CA", "ROOT"):
876 store = ssl.enum_certificates(storename)
877 self.assertIsInstance(store, list)
878 for element in store:
879 self.assertIsInstance(element, tuple)
880 self.assertEqual(len(element), 3)
881 cert, enc, trust = element
882 self.assertIsInstance(cert, bytes)
883 self.assertIn(enc, {"x509_asn", "pkcs_7_asn"})
Christian Heimes915cd3f2019-09-09 18:06:55 +0200[diff] [blame]884 self.assertIsInstance(trust, (frozenset, set, bool))
885 if isinstance(trust, (frozenset, set)):
Christian Heimesc2d65e12013-11-22 16:13:55 +0100[diff] [blame]886 trust_oids.update(trust)
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]887
888 serverAuth = "1.3.6.1.5.5.7.3.1"
Christian Heimesc2d65e12013-11-22 16:13:55 +0100[diff] [blame]889 self.assertIn(serverAuth, trust_oids)
Christian Heimes6d7ad132013-06-09 18:02:55 +0200[diff] [blame]890
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]891 @unittest.skipUnless(sys.platform == "win32", "Windows specific")
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]892 def test_enum_crls(self):
893 self.assertTrue(ssl.enum_crls("CA"))
894 self.assertRaises(TypeError, ssl.enum_crls)
895 self.assertRaises(WindowsError, ssl.enum_crls, "")
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]896
Christian Heimes44109d72013-11-22 01:51:30 +0100[diff] [blame]897 crls = ssl.enum_crls("CA")
898 self.assertIsInstance(crls, list)
899 for element in crls:
900 self.assertIsInstance(element, tuple)
901 self.assertEqual(len(element), 2)
902 self.assertIsInstance(element[0], bytes)
903 self.assertIn(element[1], {"x509_asn", "pkcs_7_asn"})
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]904
Christian Heimes46bebee2013-06-09 19:03:31 +0200[diff] [blame]905
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]906 def test_asn1object(self):
907 expected = (129, 'serverAuth', 'TLS Web Server Authentication',
908 '1.3.6.1.5.5.7.3.1')
909
910 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')
911 self.assertEqual(val, expected)
912 self.assertEqual(val.nid, 129)
913 self.assertEqual(val.shortname, 'serverAuth')
914 self.assertEqual(val.longname, 'TLS Web Server Authentication')
915 self.assertEqual(val.oid, '1.3.6.1.5.5.7.3.1')
916 self.assertIsInstance(val, ssl._ASN1Object)
917 self.assertRaises(ValueError, ssl._ASN1Object, 'serverAuth')
918
919 val = ssl._ASN1Object.fromnid(129)
920 self.assertEqual(val, expected)
921 self.assertIsInstance(val, ssl._ASN1Object)
922 self.assertRaises(ValueError, ssl._ASN1Object.fromnid, -1)
Christian Heimes5398e1a2013-11-22 16:20:53 +0100[diff] [blame]923 with self.assertRaisesRegex(ValueError, "unknown NID 100000"):
924 ssl._ASN1Object.fromnid(100000)
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]925 for i in range(1000):
926 try:
927 obj = ssl._ASN1Object.fromnid(i)
928 except ValueError:
929 pass
930 else:
931 self.assertIsInstance(obj.nid, int)
932 self.assertIsInstance(obj.shortname, str)
933 self.assertIsInstance(obj.longname, str)
934 self.assertIsInstance(obj.oid, (str, type(None)))
935
936 val = ssl._ASN1Object.fromname('TLS Web Server Authentication')
937 self.assertEqual(val, expected)
938 self.assertIsInstance(val, ssl._ASN1Object)
939 self.assertEqual(ssl._ASN1Object.fromname('serverAuth'), expected)
940 self.assertEqual(ssl._ASN1Object.fromname('1.3.6.1.5.5.7.3.1'),
941 expected)
Christian Heimes5398e1a2013-11-22 16:20:53 +0100[diff] [blame]942 with self.assertRaisesRegex(ValueError, "unknown object 'serverauth'"):
943 ssl._ASN1Object.fromname('serverauth')
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]944
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]945 def test_purpose_enum(self):
946 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.1')
947 self.assertIsInstance(ssl.Purpose.SERVER_AUTH, ssl._ASN1Object)
948 self.assertEqual(ssl.Purpose.SERVER_AUTH, val)
949 self.assertEqual(ssl.Purpose.SERVER_AUTH.nid, 129)
950 self.assertEqual(ssl.Purpose.SERVER_AUTH.shortname, 'serverAuth')
951 self.assertEqual(ssl.Purpose.SERVER_AUTH.oid,
952 '1.3.6.1.5.5.7.3.1')
953
954 val = ssl._ASN1Object('1.3.6.1.5.5.7.3.2')
955 self.assertIsInstance(ssl.Purpose.CLIENT_AUTH, ssl._ASN1Object)
956 self.assertEqual(ssl.Purpose.CLIENT_AUTH, val)
957 self.assertEqual(ssl.Purpose.CLIENT_AUTH.nid, 130)
958 self.assertEqual(ssl.Purpose.CLIENT_AUTH.shortname, 'clientAuth')
959 self.assertEqual(ssl.Purpose.CLIENT_AUTH.oid,
960 '1.3.6.1.5.5.7.3.2')
961
Antoine Pitrou3e86ba42013-12-28 17:26:33 +0100[diff] [blame]962 def test_unsupported_dtls(self):
963 s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
964 self.addCleanup(s.close)
965 with self.assertRaises(NotImplementedError) as cx:
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]966 test_wrap_socket(s, cert_reqs=ssl.CERT_NONE)
Antoine Pitrou3e86ba42013-12-28 17:26:33 +0100[diff] [blame]967 self.assertEqual(str(cx.exception), "only stream sockets are supported")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]968 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou3e86ba42013-12-28 17:26:33 +0100[diff] [blame]969 with self.assertRaises(NotImplementedError) as cx:
970 ctx.wrap_socket(s)
971 self.assertEqual(str(cx.exception), "only stream sockets are supported")
972
Antoine Pitrouc695c952014-04-28 20:57:36 +0200[diff] [blame]973 def cert_time_ok(self, timestring, timestamp):
974 self.assertEqual(ssl.cert_time_to_seconds(timestring), timestamp)
975
976 def cert_time_fail(self, timestring):
977 with self.assertRaises(ValueError):
978 ssl.cert_time_to_seconds(timestring)
979
980 @unittest.skipUnless(utc_offset(),
981 'local time needs to be different from UTC')
982 def test_cert_time_to_seconds_timezone(self):
983 # Issue #19940: ssl.cert_time_to_seconds() returns wrong
984 # results if local timezone is not UTC
985 self.cert_time_ok("May 9 00:00:00 2007 GMT", 1178668800.0)
986 self.cert_time_ok("Jan 5 09:34:43 2018 GMT", 1515144883.0)
987
988 def test_cert_time_to_seconds(self):
989 timestring = "Jan 5 09:34:43 2018 GMT"
990 ts = 1515144883.0
991 self.cert_time_ok(timestring, ts)
992 # accept keyword parameter, assert its name
993 self.assertEqual(ssl.cert_time_to_seconds(cert_time=timestring), ts)
994 # accept both %e and %d (space or zero generated by strftime)
995 self.cert_time_ok("Jan 05 09:34:43 2018 GMT", ts)
996 # case-insensitive
997 self.cert_time_ok("JaN 5 09:34:43 2018 GmT", ts)
998 self.cert_time_fail("Jan 5 09:34 2018 GMT") # no seconds
999 self.cert_time_fail("Jan 5 09:34:43 2018") # no GMT
1000 self.cert_time_fail("Jan 5 09:34:43 2018 UTC") # not GMT timezone
1001 self.cert_time_fail("Jan 35 09:34:43 2018 GMT") # invalid day
1002 self.cert_time_fail("Jon 5 09:34:43 2018 GMT") # invalid month
1003 self.cert_time_fail("Jan 5 24:00:00 2018 GMT") # invalid hour
1004 self.cert_time_fail("Jan 5 09:60:43 2018 GMT") # invalid minute
1005
1006 newyear_ts = 1230768000.0
1007 # leap seconds
1008 self.cert_time_ok("Dec 31 23:59:60 2008 GMT", newyear_ts)
1009 # same timestamp
1010 self.cert_time_ok("Jan 1 00:00:00 2009 GMT", newyear_ts)
1011
1012 self.cert_time_ok("Jan 5 09:34:59 2018 GMT", 1515144899)
1013 # allow 60th second (even if it is not a leap second)
1014 self.cert_time_ok("Jan 5 09:34:60 2018 GMT", 1515144900)
1015 # allow 2nd leap second for compatibility with time.strptime()
1016 self.cert_time_ok("Jan 5 09:34:61 2018 GMT", 1515144901)
1017 self.cert_time_fail("Jan 5 09:34:62 2018 GMT") # invalid seconds
1018
Mike53f7a7c2017-12-14 14:04:53 +0300[diff] [blame]1019 # no special treatment for the special value:
Antoine Pitrouc695c952014-04-28 20:57:36 +0200[diff] [blame]1020 # 99991231235959Z (rfc 5280)
1021 self.cert_time_ok("Dec 31 23:59:59 9999 GMT", 253402300799.0)
1022
1023 @support.run_with_locale('LC_ALL', '')
1024 def test_cert_time_to_seconds_locale(self):
1025 # `cert_time_to_seconds()` should be locale independent
1026
1027 def local_february_name():
1028 return time.strftime('%b', (1, 2, 3, 4, 5, 6, 0, 0, 0))
1029
1030 if local_february_name().lower() == 'feb':
1031 self.skipTest("locale-specific month name needs to be "
1032 "different from C locale")
1033
1034 # locale-independent
1035 self.cert_time_ok("Feb 9 00:00:00 2007 GMT", 1170979200.0)
1036 self.cert_time_fail(local_february_name() + " 9 00:00:00 2007 GMT")
1037
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1038 def test_connect_ex_error(self):
1039 server = socket.socket(socket.AF_INET)
1040 self.addCleanup(server.close)
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]1041 port = socket_helper.bind_port(server) # Reserve port but don't listen
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1042 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1043 cert_reqs=ssl.CERT_REQUIRED)
1044 self.addCleanup(s.close)
1045 rc = s.connect_ex((HOST, port))
1046 # Issue #19919: Windows machines or VMs hosted on Windows
1047 # machines sometimes return EWOULDBLOCK.
1048 errors = (
1049 errno.ECONNREFUSED, errno.EHOSTUNREACH, errno.ETIMEDOUT,
1050 errno.EWOULDBLOCK,
1051 )
1052 self.assertIn(rc, errors)
1053
Christian Heimes89d15502021-04-19 06:55:30 +0200[diff] [blame]1054 def test_read_write_zero(self):
1055 # empty reads and writes now work, bpo-42854, bpo-31711
1056 client_context, server_context, hostname = testing_context()
1057 server = ThreadedEchoServer(context=server_context)
1058 with server:
1059 with client_context.wrap_socket(socket.socket(),
1060 server_hostname=hostname) as s:
1061 s.connect((HOST, server.port))
1062 self.assertEqual(s.recv(0), b"")
1063 self.assertEqual(s.send(b""), 0)
1064
Christian Heimesa6bc95a2013-11-17 19:59:14 +0100[diff] [blame]1065
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1066class ContextTests(unittest.TestCase):
1067
1068 def test_constructor(self):
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]1069 for protocol in PROTOCOLS:
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1070 with warnings_helper.check_warnings():
1071 ctx = ssl.SSLContext(protocol)
1072 self.assertEqual(ctx.protocol, protocol)
1073 with warnings_helper.check_warnings():
1074 ctx = ssl.SSLContext()
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1075 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1076 self.assertRaises(ValueError, ssl.SSLContext, -1)
1077 self.assertRaises(ValueError, ssl.SSLContext, 42)
1078
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1079 def test_ciphers(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1080 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1081 ctx.set_ciphers("ALL")
1082 ctx.set_ciphers("DEFAULT")
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1083 with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):
Antoine Pitrou30474062010-05-16 23:46:26 +0000[diff] [blame]1084 ctx.set_ciphers("^$:,;?*'dorothyx")
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1085
Christian Heimes892d66e2018-01-29 14:10:18 +0100[diff] [blame]1086 @unittest.skipUnless(PY_SSL_DEFAULT_CIPHERS == 1,
1087 "Test applies only to Python default ciphers")
1088 def test_python_ciphers(self):
1089 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1090 ciphers = ctx.get_ciphers()
1091 for suite in ciphers:
1092 name = suite['name']
1093 self.assertNotIn("PSK", name)
1094 self.assertNotIn("SRP", name)
1095 self.assertNotIn("MD5", name)
1096 self.assertNotIn("RC4", name)
1097 self.assertNotIn("3DES", name)
1098
Christian Heimes25bfcd52016-09-06 00:04:45 +0200[diff] [blame]1099 def test_get_ciphers(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1100 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesea9b2dc2016-09-06 10:45:44 +0200[diff] [blame]1101 ctx.set_ciphers('AESGCM')
Christian Heimes25bfcd52016-09-06 00:04:45 +0200[diff] [blame]1102 names = set(d['name'] for d in ctx.get_ciphers())
Christian Heimes582282b2016-09-06 11:27:25 +0200[diff] [blame]1103 self.assertIn('AES256-GCM-SHA384', names)
1104 self.assertIn('AES128-GCM-SHA256', names)
Christian Heimes25bfcd52016-09-06 00:04:45 +0200[diff] [blame]1105
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1106 def test_options(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1107 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Benjamin Petersona9dcdab2015-11-11 22:38:41 -0800[diff] [blame]1108 # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1109 default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1110 # SSLContext also enables these by default
1111 default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]1112 OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE |
Christian Heimes6f37ebc2021-04-09 17:59:21 +0200[diff] [blame]1113 OP_ENABLE_MIDDLEBOX_COMPAT |
1114 OP_IGNORE_UNEXPECTED_EOF)
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1115 self.assertEqual(default, ctx.options)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1116 with warnings_helper.check_warnings():
1117 ctx.options |= ssl.OP_NO_TLSv1
Christian Heimes598894f2016-09-05 23:19:05 +0200[diff] [blame]1118 self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1119 with warnings_helper.check_warnings():
1120 ctx.options = (ctx.options & ~ssl.OP_NO_TLSv1)
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]1121 self.assertEqual(default, ctx.options)
1122 ctx.options = 0
1123 # Ubuntu has OP_NO_SSLv3 forced on by default
1124 self.assertEqual(0, ctx.options & ~ssl.OP_NO_SSLv3)
Antoine Pitroub5218772010-05-21 09:56:06 +0000[diff] [blame]1125
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1126 def test_verify_mode_protocol(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1127 with warnings_helper.check_warnings():
1128 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1129 # Default value
1130 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1131 ctx.verify_mode = ssl.CERT_OPTIONAL
1132 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
1133 ctx.verify_mode = ssl.CERT_REQUIRED
1134 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1135 ctx.verify_mode = ssl.CERT_NONE
1136 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1137 with self.assertRaises(TypeError):
1138 ctx.verify_mode = None
1139 with self.assertRaises(ValueError):
1140 ctx.verify_mode = 42
1141
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1142 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1143 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1144 self.assertFalse(ctx.check_hostname)
1145
1146 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1147 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1148 self.assertTrue(ctx.check_hostname)
1149
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]1150 def test_hostname_checks_common_name(self):
1151 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1152 self.assertTrue(ctx.hostname_checks_common_name)
1153 if ssl.HAS_NEVER_CHECK_COMMON_NAME:
1154 ctx.hostname_checks_common_name = True
1155 self.assertTrue(ctx.hostname_checks_common_name)
1156 ctx.hostname_checks_common_name = False
1157 self.assertFalse(ctx.hostname_checks_common_name)
1158 ctx.hostname_checks_common_name = True
1159 self.assertTrue(ctx.hostname_checks_common_name)
1160 else:
1161 with self.assertRaises(AttributeError):
1162 ctx.hostname_checks_common_name = True
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1163
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1164 @ignore_deprecation
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1165 def test_min_max_version(self):
1166 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Christian Heimes34de2d32019-01-18 16:09:30 +0100[diff] [blame]1167 # OpenSSL default is MINIMUM_SUPPORTED, however some vendors like
1168 # Fedora override the setting to TLS 1.0.
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1169 minimum_range = {
1170 # stock OpenSSL
1171 ssl.TLSVersion.MINIMUM_SUPPORTED,
1172 # Fedora 29 uses TLS 1.0 by default
1173 ssl.TLSVersion.TLSv1,
1174 # RHEL 8 uses TLS 1.2 by default
1175 ssl.TLSVersion.TLSv1_2
1176 }
torsava34864d12019-12-02 17:15:42 +0100[diff] [blame]1177 maximum_range = {
1178 # stock OpenSSL
1179 ssl.TLSVersion.MAXIMUM_SUPPORTED,
1180 # Fedora 32 uses TLS 1.3 by default
1181 ssl.TLSVersion.TLSv1_3
1182 }
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1183
Christian Heimes34de2d32019-01-18 16:09:30 +0100[diff] [blame]1184 self.assertIn(
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1185 ctx.minimum_version, minimum_range
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1186 )
torsava34864d12019-12-02 17:15:42 +0100[diff] [blame]1187 self.assertIn(
1188 ctx.maximum_version, maximum_range
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1189 )
1190
1191 ctx.minimum_version = ssl.TLSVersion.TLSv1_1
1192 ctx.maximum_version = ssl.TLSVersion.TLSv1_2
1193 self.assertEqual(
1194 ctx.minimum_version, ssl.TLSVersion.TLSv1_1
1195 )
1196 self.assertEqual(
1197 ctx.maximum_version, ssl.TLSVersion.TLSv1_2
1198 )
1199
1200 ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
1201 ctx.maximum_version = ssl.TLSVersion.TLSv1
1202 self.assertEqual(
1203 ctx.minimum_version, ssl.TLSVersion.MINIMUM_SUPPORTED
1204 )
1205 self.assertEqual(
1206 ctx.maximum_version, ssl.TLSVersion.TLSv1
1207 )
1208
1209 ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
1210 self.assertEqual(
1211 ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
1212 )
1213
1214 ctx.maximum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
1215 self.assertIn(
1216 ctx.maximum_version,
1217 {ssl.TLSVersion.TLSv1, ssl.TLSVersion.SSLv3}
1218 )
1219
1220 ctx.minimum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
1221 self.assertIn(
1222 ctx.minimum_version,
1223 {ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3}
1224 )
1225
1226 with self.assertRaises(ValueError):
1227 ctx.minimum_version = 42
1228
1229 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_1)
1230
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]1231 self.assertIn(
1232 ctx.minimum_version, minimum_range
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]1233 )
1234 self.assertEqual(
1235 ctx.maximum_version, ssl.TLSVersion.MAXIMUM_SUPPORTED
1236 )
1237 with self.assertRaises(ValueError):
1238 ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
1239 with self.assertRaises(ValueError):
1240 ctx.maximum_version = ssl.TLSVersion.TLSv1
1241
1242
matthewhughes9348e836bb2020-07-17 09:59:15 +0100[diff] [blame]1243 @unittest.skipUnless(
1244 hasattr(ssl.SSLContext, 'security_level'),
1245 "requires OpenSSL >= 1.1.0"
1246 )
1247 def test_security_level(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1248 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
matthewhughes9348e836bb2020-07-17 09:59:15 +0100[diff] [blame]1249 # The default security callback allows for levels between 0-5
1250 # with OpenSSL defaulting to 1, however some vendors override the
1251 # default value (e.g. Debian defaults to 2)
1252 security_level_range = {
1253 0,
1254 1, # OpenSSL default
1255 2, # Debian
1256 3,
1257 4,
1258 5,
1259 }
1260 self.assertIn(ctx.security_level, security_level_range)
1261
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]1262 def test_verify_flags(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1263 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Benjamin Peterson990fcaa2015-03-04 22:49:41 -0500[diff] [blame]1264 # default value
1265 tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
1266 self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT | tf)
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]1267 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF
1268 self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_LEAF)
1269 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_CHAIN
1270 self.assertEqual(ctx.verify_flags, ssl.VERIFY_CRL_CHECK_CHAIN)
1271 ctx.verify_flags = ssl.VERIFY_DEFAULT
1272 self.assertEqual(ctx.verify_flags, ssl.VERIFY_DEFAULT)
Chris Burre0b4aa02021-03-18 09:24:01 +0100[diff] [blame]1273 ctx.verify_flags = ssl.VERIFY_ALLOW_PROXY_CERTS
1274 self.assertEqual(ctx.verify_flags, ssl.VERIFY_ALLOW_PROXY_CERTS)
Christian Heimes22587792013-11-21 23:56:13 +0100[diff] [blame]1275 # supports any value
1276 ctx.verify_flags = ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT
1277 self.assertEqual(ctx.verify_flags,
1278 ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT)
1279 with self.assertRaises(TypeError):
1280 ctx.verify_flags = None
1281
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1282 def test_load_cert_chain(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1283 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1284 # Combined key and cert in a single file
Benjamin Peterson1ea070e2014-11-03 21:05:01 -0500[diff] [blame]1285 ctx.load_cert_chain(CERTFILE, keyfile=None)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1286 ctx.load_cert_chain(CERTFILE, keyfile=CERTFILE)
1287 self.assertRaises(TypeError, ctx.load_cert_chain, keyfile=CERTFILE)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]1288 with self.assertRaises(OSError) as cm:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]1289 ctx.load_cert_chain(NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]1290 self.assertEqual(cm.exception.errno, errno.ENOENT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1291 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1292 ctx.load_cert_chain(BADCERT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1293 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1294 ctx.load_cert_chain(EMPTYCERT)
1295 # Separate key and cert
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1296 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1297 ctx.load_cert_chain(ONLYCERT, ONLYKEY)
1298 ctx.load_cert_chain(certfile=ONLYCERT, keyfile=ONLYKEY)
1299 ctx.load_cert_chain(certfile=BYTES_ONLYCERT, keyfile=BYTES_ONLYKEY)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1300 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1301 ctx.load_cert_chain(ONLYCERT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1302 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1303 ctx.load_cert_chain(ONLYKEY)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1304 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1305 ctx.load_cert_chain(certfile=ONLYKEY, keyfile=ONLYCERT)
1306 # Mismatching key and cert
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1307 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1308 with self.assertRaisesRegex(ssl.SSLError, "key values mismatch"):
Martin Panter3d81d932016-01-14 09:36:00 +0000[diff] [blame]1309 ctx.load_cert_chain(CAFILE_CACERT, ONLYKEY)
Antoine Pitrou4fd1e6a2011-08-25 14:39:44 +0200[diff] [blame]1310 # Password protected key and cert
1311 ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD)
1312 ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD.encode())
1313 ctx.load_cert_chain(CERTFILE_PROTECTED,
1314 password=bytearray(KEY_PASSWORD.encode()))
1315 ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED, KEY_PASSWORD)
1316 ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED, KEY_PASSWORD.encode())
1317 ctx.load_cert_chain(ONLYCERT, ONLYKEY_PROTECTED,
1318 bytearray(KEY_PASSWORD.encode()))
1319 with self.assertRaisesRegex(TypeError, "should be a string"):
1320 ctx.load_cert_chain(CERTFILE_PROTECTED, password=True)
1321 with self.assertRaises(ssl.SSLError):
1322 ctx.load_cert_chain(CERTFILE_PROTECTED, password="badpass")
1323 with self.assertRaisesRegex(ValueError, "cannot be longer"):
1324 # openssl has a fixed limit on the password buffer.
1325 # PEM_BUFSIZE is generally set to 1kb.
1326 # Return a string larger than this.
1327 ctx.load_cert_chain(CERTFILE_PROTECTED, password=b'a' * 102400)
1328 # Password callback
1329 def getpass_unicode():
1330 return KEY_PASSWORD
1331 def getpass_bytes():
1332 return KEY_PASSWORD.encode()
1333 def getpass_bytearray():
1334 return bytearray(KEY_PASSWORD.encode())
1335 def getpass_badpass():
1336 return "badpass"
1337 def getpass_huge():
1338 return b'a' * (1024 * 1024)
1339 def getpass_bad_type():
1340 return 9
1341 def getpass_exception():
1342 raise Exception('getpass error')
1343 class GetPassCallable:
1344 def __call__(self):
1345 return KEY_PASSWORD
1346 def getpass(self):
1347 return KEY_PASSWORD
1348 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_unicode)
1349 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bytes)
1350 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bytearray)
1351 ctx.load_cert_chain(CERTFILE_PROTECTED, password=GetPassCallable())
1352 ctx.load_cert_chain(CERTFILE_PROTECTED,
1353 password=GetPassCallable().getpass)
1354 with self.assertRaises(ssl.SSLError):
1355 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_badpass)
1356 with self.assertRaisesRegex(ValueError, "cannot be longer"):
1357 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_huge)
1358 with self.assertRaisesRegex(TypeError, "must return a string"):
1359 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_bad_type)
1360 with self.assertRaisesRegex(Exception, "getpass error"):
1361 ctx.load_cert_chain(CERTFILE_PROTECTED, password=getpass_exception)
1362 # Make sure the password function isn't called if it isn't needed
1363 ctx.load_cert_chain(CERTFILE, password=getpass_exception)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1364
1365 def test_load_verify_locations(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1366 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1367 ctx.load_verify_locations(CERTFILE)
1368 ctx.load_verify_locations(cafile=CERTFILE, capath=None)
1369 ctx.load_verify_locations(BYTES_CERTFILE)
1370 ctx.load_verify_locations(cafile=BYTES_CERTFILE, capath=None)
1371 self.assertRaises(TypeError, ctx.load_verify_locations)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1372 self.assertRaises(TypeError, ctx.load_verify_locations, None, None, None)
Andrew Svetlovf7a17b42012-12-25 16:47:37 +0200[diff] [blame]1373 with self.assertRaises(OSError) as cm:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]1374 ctx.load_verify_locations(NONEXISTINGCERT)
Giampaolo Rodolà4a656eb2010-08-29 22:50:39 +0000[diff] [blame]1375 self.assertEqual(cm.exception.errno, errno.ENOENT)
Ezio Melottied3a7d22010-12-01 02:32:32 +0000[diff] [blame]1376 with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1377 ctx.load_verify_locations(BADCERT)
1378 ctx.load_verify_locations(CERTFILE, CAPATH)
1379 ctx.load_verify_locations(CERTFILE, capath=BYTES_CAPATH)
1380
Victor Stinner80f75e62011-01-29 11:31:20 +0000[diff] [blame]1381 # Issue #10989: crash if the second argument type is invalid
1382 self.assertRaises(TypeError, ctx.load_verify_locations, None, True)
1383
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1384 def test_load_verify_cadata(self):
1385 # test cadata
1386 with open(CAFILE_CACERT) as f:
1387 cacert_pem = f.read()
1388 cacert_der = ssl.PEM_cert_to_DER_cert(cacert_pem)
1389 with open(CAFILE_NEURONIO) as f:
1390 neuronio_pem = f.read()
1391 neuronio_der = ssl.PEM_cert_to_DER_cert(neuronio_pem)
1392
1393 # test PEM
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1394 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1395 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 0)
1396 ctx.load_verify_locations(cadata=cacert_pem)
1397 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 1)
1398 ctx.load_verify_locations(cadata=neuronio_pem)
1399 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1400 # cert already in hash table
1401 ctx.load_verify_locations(cadata=neuronio_pem)
1402 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1403
1404 # combined
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1405 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1406 combined = "\n".join((cacert_pem, neuronio_pem))
1407 ctx.load_verify_locations(cadata=combined)
1408 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1409
1410 # with junk around the certs
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1411 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1412 combined = ["head", cacert_pem, "other", neuronio_pem, "again",
1413 neuronio_pem, "tail"]
1414 ctx.load_verify_locations(cadata="\n".join(combined))
1415 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1416
1417 # test DER
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1418 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1419 ctx.load_verify_locations(cadata=cacert_der)
1420 ctx.load_verify_locations(cadata=neuronio_der)
1421 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1422 # cert already in hash table
1423 ctx.load_verify_locations(cadata=cacert_der)
1424 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1425
1426 # combined
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1427 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1428 combined = b"".join((cacert_der, neuronio_der))
1429 ctx.load_verify_locations(cadata=combined)
1430 self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
1431
1432 # error cases
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1433 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1434 self.assertRaises(TypeError, ctx.load_verify_locations, cadata=object)
1435
Christian Heimesb9ad88b2021-04-23 13:51:40 +0200[diff] [blame]1436 with self.assertRaisesRegex(
1437 ssl.SSLError,
1438 "no start line: cadata does not contain a certificate"
1439 ):
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1440 ctx.load_verify_locations(cadata="broken")
Christian Heimesb9ad88b2021-04-23 13:51:40 +0200[diff] [blame]1441 with self.assertRaisesRegex(
1442 ssl.SSLError,
1443 "not enough data: cadata does not contain a certificate"
1444 ):
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]1445 ctx.load_verify_locations(cadata=b"broken")
1446
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]1447 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1448 def test_load_dh_params(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1449 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1450 ctx.load_dh_params(DHFILE)
1451 if os.name != 'nt':
1452 ctx.load_dh_params(BYTES_DHFILE)
1453 self.assertRaises(TypeError, ctx.load_dh_params)
1454 self.assertRaises(TypeError, ctx.load_dh_params, None)
1455 with self.assertRaises(FileNotFoundError) as cm:
Martin Panter407b62f2016-01-30 03:41:43 +0000[diff] [blame]1456 ctx.load_dh_params(NONEXISTINGCERT)
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1457 self.assertEqual(cm.exception.errno, errno.ENOENT)
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1458 with self.assertRaises(ssl.SSLError) as cm:
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]1459 ctx.load_dh_params(CERTFILE)
1460
Antoine Pitroub0182c82010-10-12 20:09:02 +0000[diff] [blame]1461 def test_session_stats(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1462 for proto in {ssl.PROTOCOL_TLS_CLIENT, ssl.PROTOCOL_TLS_SERVER}:
Antoine Pitroub0182c82010-10-12 20:09:02 +0000[diff] [blame]1463 ctx = ssl.SSLContext(proto)
1464 self.assertEqual(ctx.session_stats(), {
1465 'number': 0,
1466 'connect': 0,
1467 'connect_good': 0,
1468 'connect_renegotiate': 0,
1469 'accept': 0,
1470 'accept_good': 0,
1471 'accept_renegotiate': 0,
1472 'hits': 0,
1473 'misses': 0,
1474 'timeouts': 0,
1475 'cache_full': 0,
1476 })
1477
Antoine Pitrou664c2d12010-11-17 20:29:42 +0000[diff] [blame]1478 def test_set_default_verify_paths(self):
1479 # There's not much we can do to test that it acts as expected,
1480 # so just check it doesn't crash or raise an exception.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1481 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou664c2d12010-11-17 20:29:42 +0000[diff] [blame]1482 ctx.set_default_verify_paths()
1483
Antoine Pitrou501da612011-12-21 09:27:41 +0100[diff] [blame]1484 @unittest.skipUnless(ssl.HAS_ECDH, "ECDH disabled on this OpenSSL build")
Antoine Pitrou923df6f2011-12-19 17:16:51 +0100[diff] [blame]1485 def test_set_ecdh_curve(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1486 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou923df6f2011-12-19 17:16:51 +0100[diff] [blame]1487 ctx.set_ecdh_curve("prime256v1")
1488 ctx.set_ecdh_curve(b"prime256v1")
1489 self.assertRaises(TypeError, ctx.set_ecdh_curve)
1490 self.assertRaises(TypeError, ctx.set_ecdh_curve, None)
1491 self.assertRaises(ValueError, ctx.set_ecdh_curve, "foo")
1492 self.assertRaises(ValueError, ctx.set_ecdh_curve, b"foo")
1493
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1494 def test_sni_callback(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1495 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1496
1497 # set_servername_callback expects a callable, or None
1498 self.assertRaises(TypeError, ctx.set_servername_callback)
1499 self.assertRaises(TypeError, ctx.set_servername_callback, 4)
1500 self.assertRaises(TypeError, ctx.set_servername_callback, "")
1501 self.assertRaises(TypeError, ctx.set_servername_callback, ctx)
1502
1503 def dummycallback(sock, servername, ctx):
1504 pass
1505 ctx.set_servername_callback(None)
1506 ctx.set_servername_callback(dummycallback)
1507
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1508 def test_sni_callback_refcycle(self):
1509 # Reference cycles through the servername callback are detected
1510 # and cleared.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1511 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]1512 def dummycallback(sock, servername, ctx, cycle=ctx):
1513 pass
1514 ctx.set_servername_callback(dummycallback)
1515 wr = weakref.ref(ctx)
1516 del ctx, dummycallback
1517 gc.collect()
1518 self.assertIs(wr(), None)
1519
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1520 def test_cert_store_stats(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1521 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1522 self.assertEqual(ctx.cert_store_stats(),
1523 {'x509_ca': 0, 'crl': 0, 'x509': 0})
1524 ctx.load_cert_chain(CERTFILE)
1525 self.assertEqual(ctx.cert_store_stats(),
1526 {'x509_ca': 0, 'crl': 0, 'x509': 0})
1527 ctx.load_verify_locations(CERTFILE)
1528 self.assertEqual(ctx.cert_store_stats(),
1529 {'x509_ca': 0, 'crl': 0, 'x509': 1})
Martin Panterb55f8b72016-01-14 12:53:56 +0000[diff] [blame]1530 ctx.load_verify_locations(CAFILE_CACERT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1531 self.assertEqual(ctx.cert_store_stats(),
1532 {'x509_ca': 1, 'crl': 0, 'x509': 2})
1533
1534 def test_get_ca_certs(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1535 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1536 self.assertEqual(ctx.get_ca_certs(), [])
1537 # CERTFILE is not flagged as X509v3 Basic Constraints: CA:TRUE
1538 ctx.load_verify_locations(CERTFILE)
1539 self.assertEqual(ctx.get_ca_certs(), [])
Martin Panterb55f8b72016-01-14 12:53:56 +0000[diff] [blame]1540 # but CAFILE_CACERT is a CA cert
1541 ctx.load_verify_locations(CAFILE_CACERT)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1542 self.assertEqual(ctx.get_ca_certs(),
1543 [{'issuer': ((('organizationName', 'Root CA'),),
1544 (('organizationalUnitName', 'http://www.cacert.org'),),
1545 (('commonName', 'CA Cert Signing Authority'),),
1546 (('emailAddress', 'support@cacert.org'),)),
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]1547 'notAfter': 'Mar 29 12:29:49 2033 GMT',
1548 'notBefore': 'Mar 30 12:29:49 2003 GMT',
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1549 'serialNumber': '00',
Christian Heimesbd3a7f92013-11-21 03:40:15 +0100[diff] [blame]1550 'crlDistributionPoints': ('https://www.cacert.org/revoke.crl',),
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1551 'subject': ((('organizationName', 'Root CA'),),
1552 (('organizationalUnitName', 'http://www.cacert.org'),),
1553 (('commonName', 'CA Cert Signing Authority'),),
1554 (('emailAddress', 'support@cacert.org'),)),
1555 'version': 3}])
1556
Martin Panterb55f8b72016-01-14 12:53:56 +0000[diff] [blame]1557 with open(CAFILE_CACERT) as f:
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]1558 pem = f.read()
1559 der = ssl.PEM_cert_to_DER_cert(pem)
1560 self.assertEqual(ctx.get_ca_certs(True), [der])
1561
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1562 def test_load_default_certs(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1563 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1564 ctx.load_default_certs()
1565
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1566 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1567 ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
1568 ctx.load_default_certs()
1569
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1570 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1571 ctx.load_default_certs(ssl.Purpose.CLIENT_AUTH)
1572
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1573 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes72d28502013-11-23 13:56:58 +0100[diff] [blame]1574 self.assertRaises(TypeError, ctx.load_default_certs, None)
1575 self.assertRaises(TypeError, ctx.load_default_certs, 'SERVER_AUTH')
1576
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1577 @unittest.skipIf(sys.platform == "win32", "not-Windows specific")
Benjamin Peterson5915b0f2014-10-03 17:27:05 -0400[diff] [blame]1578 def test_load_default_certs_env(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1579 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]1580 with os_helper.EnvironmentVarGuard() as env:
Benjamin Peterson5915b0f2014-10-03 17:27:05 -0400[diff] [blame]1581 env["SSL_CERT_DIR"] = CAPATH
1582 env["SSL_CERT_FILE"] = CERTFILE
1583 ctx.load_default_certs()
1584 self.assertEqual(ctx.cert_store_stats(), {"crl": 0, "x509": 1, "x509_ca": 0})
1585
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1586 @unittest.skipUnless(sys.platform == "win32", "Windows specific")
Steve Dower68d663c2017-07-17 11:15:48 +0200[diff] [blame]1587 @unittest.skipIf(hasattr(sys, "gettotalrefcount"), "Debug build does not share environment between CRTs")
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1588 def test_load_default_certs_env_windows(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1589 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1590 ctx.load_default_certs()
1591 stats = ctx.cert_store_stats()
1592
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1593 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]1594 with os_helper.EnvironmentVarGuard() as env:
Benjamin Peterson91244e02014-10-03 18:17:15 -0400[diff] [blame]1595 env["SSL_CERT_DIR"] = CAPATH
1596 env["SSL_CERT_FILE"] = CERTFILE
1597 ctx.load_default_certs()
1598 stats["x509"] += 1
1599 self.assertEqual(ctx.cert_store_stats(), stats)
1600
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1601 def _assert_context_options(self, ctx):
1602 self.assertEqual(ctx.options & ssl.OP_NO_SSLv2, ssl.OP_NO_SSLv2)
1603 if OP_NO_COMPRESSION != 0:
1604 self.assertEqual(ctx.options & OP_NO_COMPRESSION,
1605 OP_NO_COMPRESSION)
1606 if OP_SINGLE_DH_USE != 0:
1607 self.assertEqual(ctx.options & OP_SINGLE_DH_USE,
1608 OP_SINGLE_DH_USE)
1609 if OP_SINGLE_ECDH_USE != 0:
1610 self.assertEqual(ctx.options & OP_SINGLE_ECDH_USE,
1611 OP_SINGLE_ECDH_USE)
1612 if OP_CIPHER_SERVER_PREFERENCE != 0:
1613 self.assertEqual(ctx.options & OP_CIPHER_SERVER_PREFERENCE,
1614 OP_CIPHER_SERVER_PREFERENCE)
1615
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1616 def test_create_default_context(self):
1617 ctx = ssl.create_default_context()
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1618
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1619 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1620 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1621 self.assertTrue(ctx.check_hostname)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1622 self._assert_context_options(ctx)
1623
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1624 with open(SIGNING_CA) as f:
1625 cadata = f.read()
1626 ctx = ssl.create_default_context(cafile=SIGNING_CA, capath=CAPATH,
1627 cadata=cadata)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1628 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1629 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1630 self._assert_context_options(ctx)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1631
1632 ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1633 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_SERVER)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1634 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1635 self._assert_context_options(ctx)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1636
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1637
1638
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1639 def test__create_stdlib_context(self):
1640 ctx = ssl._create_stdlib_context()
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1641 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1642 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1643 self.assertFalse(ctx.check_hostname)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1644 self._assert_context_options(ctx)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1645
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1646 with warnings_helper.check_warnings():
1647 ctx = ssl._create_stdlib_context(ssl.PROTOCOL_TLSv1)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1648 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1)
1649 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1650 self._assert_context_options(ctx)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1651
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1652 with warnings_helper.check_warnings():
1653 ctx = ssl._create_stdlib_context(
1654 ssl.PROTOCOL_TLSv1_2,
1655 cert_reqs=ssl.CERT_REQUIRED,
1656 check_hostname=True
1657 )
1658 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLSv1_2)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1659 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimesa02c69a2013-12-02 20:59:28 +0100[diff] [blame]1660 self.assertTrue(ctx.check_hostname)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1661 self._assert_context_options(ctx)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1662
1663 ctx = ssl._create_stdlib_context(purpose=ssl.Purpose.CLIENT_AUTH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1664 self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS_SERVER)
Christian Heimes67986f92013-11-23 22:43:47 +0100[diff] [blame]1665 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes358cfd42016-09-10 22:43:48 +0200[diff] [blame]1666 self._assert_context_options(ctx)
Christian Heimes4c05b472013-11-23 15:58:30 +0100[diff] [blame]1667
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1668 def test_check_hostname(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1669 with warnings_helper.check_warnings():
1670 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1671 self.assertFalse(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1672 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1673
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1674 # Auto set CERT_REQUIRED
1675 ctx.check_hostname = True
1676 self.assertTrue(ctx.check_hostname)
1677 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1678 ctx.check_hostname = False
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1679 ctx.verify_mode = ssl.CERT_REQUIRED
1680 self.assertFalse(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1681 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1682
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1683 # Changing verify_mode does not affect check_hostname
1684 ctx.check_hostname = False
1685 ctx.verify_mode = ssl.CERT_NONE
1686 ctx.check_hostname = False
1687 self.assertFalse(ctx.check_hostname)
1688 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1689 # Auto set
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1690 ctx.check_hostname = True
1691 self.assertTrue(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1692 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1693
1694 ctx.check_hostname = False
1695 ctx.verify_mode = ssl.CERT_OPTIONAL
1696 ctx.check_hostname = False
1697 self.assertFalse(ctx.check_hostname)
1698 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
1699 # keep CERT_OPTIONAL
1700 ctx.check_hostname = True
1701 self.assertTrue(ctx.check_hostname)
1702 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1703
1704 # Cannot set CERT_NONE with check_hostname enabled
1705 with self.assertRaises(ValueError):
1706 ctx.verify_mode = ssl.CERT_NONE
1707 ctx.check_hostname = False
1708 self.assertFalse(ctx.check_hostname)
Christian Heimese82c0342017-09-15 20:29:57 +0200[diff] [blame]1709 ctx.verify_mode = ssl.CERT_NONE
1710 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
Christian Heimes1aa9a752013-12-02 02:41:19 +0100[diff] [blame]1711
Christian Heimes5fe668c2016-09-12 00:01:11 +0200[diff] [blame]1712 def test_context_client_server(self):
1713 # PROTOCOL_TLS_CLIENT has sane defaults
1714 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1715 self.assertTrue(ctx.check_hostname)
1716 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
1717
1718 # PROTOCOL_TLS_SERVER has different but also sane defaults
1719 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1720 self.assertFalse(ctx.check_hostname)
1721 self.assertEqual(ctx.verify_mode, ssl.CERT_NONE)
1722
Christian Heimes4df60f12017-09-15 20:26:05 +0200[diff] [blame]1723 def test_context_custom_class(self):
1724 class MySSLSocket(ssl.SSLSocket):
1725 pass
1726
1727 class MySSLObject(ssl.SSLObject):
1728 pass
1729
1730 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1731 ctx.sslsocket_class = MySSLSocket
1732 ctx.sslobject_class = MySSLObject
1733
1734 with ctx.wrap_socket(socket.socket(), server_side=True) as sock:
1735 self.assertIsInstance(sock, MySSLSocket)
1736 obj = ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO())
1737 self.assertIsInstance(obj, MySSLObject)
1738
Christian Heimes78c7d522019-06-03 21:00:10 +0200[diff] [blame]1739 def test_num_tickest(self):
1740 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1741 self.assertEqual(ctx.num_tickets, 2)
1742 ctx.num_tickets = 1
1743 self.assertEqual(ctx.num_tickets, 1)
1744 ctx.num_tickets = 0
1745 self.assertEqual(ctx.num_tickets, 0)
1746 with self.assertRaises(ValueError):
1747 ctx.num_tickets = -1
1748 with self.assertRaises(TypeError):
1749 ctx.num_tickets = None
1750
1751 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1752 self.assertEqual(ctx.num_tickets, 2)
1753 with self.assertRaises(ValueError):
1754 ctx.num_tickets = 1
1755
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1756
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1757class SSLErrorTests(unittest.TestCase):
1758
1759 def test_str(self):
1760 # The str() of a SSLError doesn't include the errno
1761 e = ssl.SSLError(1, "foo")
1762 self.assertEqual(str(e), "foo")
1763 self.assertEqual(e.errno, 1)
1764 # Same for a subclass
1765 e = ssl.SSLZeroReturnError(1, "foo")
1766 self.assertEqual(str(e), "foo")
1767 self.assertEqual(e.errno, 1)
1768
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]1769 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1770 def test_lib_reason(self):
1771 # Test the library and reason attributes
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1772 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1773 with self.assertRaises(ssl.SSLError) as cm:
1774 ctx.load_dh_params(CERTFILE)
1775 self.assertEqual(cm.exception.library, 'PEM')
1776 self.assertEqual(cm.exception.reason, 'NO_START_LINE')
1777 s = str(cm.exception)
1778 self.assertTrue(s.startswith("[PEM: NO_START_LINE] no start line"), s)
1779
1780 def test_subclass(self):
1781 # Check that the appropriate SSLError subclass is raised
1782 # (this only tests one of them)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]1783 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1784 ctx.check_hostname = False
1785 ctx.verify_mode = ssl.CERT_NONE
Giampaolo Rodolaeb7e29f2019-04-09 00:34:02 +0200[diff] [blame]1786 with socket.create_server(("127.0.0.1", 0)) as s:
1787 c = socket.create_connection(s.getsockname())
Antoine Pitroue1ceb502013-01-12 21:54:44 +0100[diff] [blame]1788 c.setblocking(False)
1789 with ctx.wrap_socket(c, False, do_handshake_on_connect=False) as c:
Antoine Pitrou3b36fb12012-06-22 21:11:52 +0200[diff] [blame]1790 with self.assertRaises(ssl.SSLWantReadError) as cm:
1791 c.do_handshake()
1792 s = str(cm.exception)
1793 self.assertTrue(s.startswith("The operation did not complete (read)"), s)
1794 # For compatibility
1795 self.assertEqual(cm.exception.errno, ssl.SSL_ERROR_WANT_READ)
1796
1797
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]1798 def test_bad_server_hostname(self):
1799 ctx = ssl.create_default_context()
1800 with self.assertRaises(ValueError):
1801 ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
1802 server_hostname="")
1803 with self.assertRaises(ValueError):
1804 ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
1805 server_hostname=".example.org")
Christian Heimesd02ac252018-03-25 12:36:13 +0200[diff] [blame]1806 with self.assertRaises(TypeError):
1807 ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(),
1808 server_hostname="example.org\x00evil.com")
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]1809
1810
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]1811class MemoryBIOTests(unittest.TestCase):
1812
1813 def test_read_write(self):
1814 bio = ssl.MemoryBIO()
1815 bio.write(b'foo')
1816 self.assertEqual(bio.read(), b'foo')
1817 self.assertEqual(bio.read(), b'')
1818 bio.write(b'foo')
1819 bio.write(b'bar')
1820 self.assertEqual(bio.read(), b'foobar')
1821 self.assertEqual(bio.read(), b'')
1822 bio.write(b'baz')
1823 self.assertEqual(bio.read(2), b'ba')
1824 self.assertEqual(bio.read(1), b'z')
1825 self.assertEqual(bio.read(1), b'')
1826
1827 def test_eof(self):
1828 bio = ssl.MemoryBIO()
1829 self.assertFalse(bio.eof)
1830 self.assertEqual(bio.read(), b'')
1831 self.assertFalse(bio.eof)
1832 bio.write(b'foo')
1833 self.assertFalse(bio.eof)
1834 bio.write_eof()
1835 self.assertFalse(bio.eof)
1836 self.assertEqual(bio.read(2), b'fo')
1837 self.assertFalse(bio.eof)
1838 self.assertEqual(bio.read(1), b'o')
1839 self.assertTrue(bio.eof)
1840 self.assertEqual(bio.read(), b'')
1841 self.assertTrue(bio.eof)
1842
1843 def test_pending(self):
1844 bio = ssl.MemoryBIO()
1845 self.assertEqual(bio.pending, 0)
1846 bio.write(b'foo')
1847 self.assertEqual(bio.pending, 3)
1848 for i in range(3):
1849 bio.read(1)
1850 self.assertEqual(bio.pending, 3-i-1)
1851 for i in range(3):
1852 bio.write(b'x')
1853 self.assertEqual(bio.pending, i+1)
1854 bio.read()
1855 self.assertEqual(bio.pending, 0)
1856
1857 def test_buffer_types(self):
1858 bio = ssl.MemoryBIO()
1859 bio.write(b'foo')
1860 self.assertEqual(bio.read(), b'foo')
1861 bio.write(bytearray(b'bar'))
1862 self.assertEqual(bio.read(), b'bar')
1863 bio.write(memoryview(b'baz'))
1864 self.assertEqual(bio.read(), b'baz')
1865
1866 def test_error_types(self):
1867 bio = ssl.MemoryBIO()
1868 self.assertRaises(TypeError, bio.write, 'foo')
1869 self.assertRaises(TypeError, bio.write, None)
1870 self.assertRaises(TypeError, bio.write, True)
1871 self.assertRaises(TypeError, bio.write, 1)
1872
1873
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]1874class SSLObjectTests(unittest.TestCase):
1875 def test_private_init(self):
1876 bio = ssl.MemoryBIO()
1877 with self.assertRaisesRegex(TypeError, "public constructor"):
1878 ssl.SSLObject(bio, bio)
1879
Nathaniel J. Smithc0da5822018-09-21 21:44:12 -0700[diff] [blame]1880 def test_unwrap(self):
1881 client_ctx, server_ctx, hostname = testing_context()
1882 c_in = ssl.MemoryBIO()
1883 c_out = ssl.MemoryBIO()
1884 s_in = ssl.MemoryBIO()
1885 s_out = ssl.MemoryBIO()
1886 client = client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname)
1887 server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
1888
1889 # Loop on the handshake for a bit to get it settled
1890 for _ in range(5):
1891 try:
1892 client.do_handshake()
1893 except ssl.SSLWantReadError:
1894 pass
1895 if c_out.pending:
1896 s_in.write(c_out.read())
1897 try:
1898 server.do_handshake()
1899 except ssl.SSLWantReadError:
1900 pass
1901 if s_out.pending:
1902 c_in.write(s_out.read())
1903 # Now the handshakes should be complete (don't raise WantReadError)
1904 client.do_handshake()
1905 server.do_handshake()
1906
1907 # Now if we unwrap one side unilaterally, it should send close-notify
1908 # and raise WantReadError:
1909 with self.assertRaises(ssl.SSLWantReadError):
1910 client.unwrap()
1911
1912 # But server.unwrap() does not raise, because it reads the client's
1913 # close-notify:
1914 s_in.write(c_out.read())
1915 server.unwrap()
1916
1917 # And now that the client gets the server's close-notify, it doesn't
1918 # raise either.
1919 c_in.write(s_out.read())
1920 client.unwrap()
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]1921
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1922class SimpleBackgroundTests(unittest.TestCase):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1923 """Tests that connect to a simple server running in the background"""
1924
1925 def setUp(self):
juhovh49fdf112021-04-18 21:11:48 +1000[diff] [blame]1926 self.server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
1927 self.server_context.load_cert_chain(SIGNED_CERTFILE)
1928 server = ThreadedEchoServer(context=self.server_context)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1929 self.server_addr = (HOST, server.port)
1930 server.__enter__()
1931 self.addCleanup(server.__exit__, None, None, None)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1932
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]1933 def test_connect(self):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1934 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1935 cert_reqs=ssl.CERT_NONE) as s:
1936 s.connect(self.server_addr)
1937 self.assertEqual({}, s.getpeercert())
Christian Heimesa5d07652016-09-24 10:48:05 +0200[diff] [blame]1938 self.assertFalse(s.server_side)
Antoine Pitrou350c7222010-09-09 13:31:46 +0000[diff] [blame]1939
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1940 # this should succeed because we specify the root cert
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1941 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1942 cert_reqs=ssl.CERT_REQUIRED,
1943 ca_certs=SIGNING_CA) as s:
1944 s.connect(self.server_addr)
1945 self.assertTrue(s.getpeercert())
Christian Heimesa5d07652016-09-24 10:48:05 +0200[diff] [blame]1946 self.assertFalse(s.server_side)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]1947
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1948 def test_connect_fail(self):
1949 # This should fail because we have no verification certs. Connection
1950 # failure crashes ThreadedEchoServer, so run this in an independent
1951 # test method.
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1952 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1953 cert_reqs=ssl.CERT_REQUIRED)
1954 self.addCleanup(s.close)
1955 self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
1956 s.connect, self.server_addr)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1957
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]1958 def test_connect_ex(self):
1959 # Issue #11326: check connect_ex() implementation
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1960 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1961 cert_reqs=ssl.CERT_REQUIRED,
1962 ca_certs=SIGNING_CA)
1963 self.addCleanup(s.close)
1964 self.assertEqual(0, s.connect_ex(self.server_addr))
1965 self.assertTrue(s.getpeercert())
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]1966
1967 def test_non_blocking_connect_ex(self):
1968 # Issue #11326: non-blocking connect_ex() should allow handshake
1969 # to proceed after the socket gets ready.
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]1970 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1971 cert_reqs=ssl.CERT_REQUIRED,
1972 ca_certs=SIGNING_CA,
1973 do_handshake_on_connect=False)
1974 self.addCleanup(s.close)
1975 s.setblocking(False)
1976 rc = s.connect_ex(self.server_addr)
1977 # EWOULDBLOCK under Windows, EINPROGRESS elsewhere
1978 self.assertIn(rc, (0, errno.EINPROGRESS, errno.EWOULDBLOCK))
1979 # Wait for connect to finish
1980 select.select([], [s], [], 5.0)
1981 # Non-blocking handshake
1982 while True:
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]1983 try:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1984 s.do_handshake()
1985 break
1986 except ssl.SSLWantReadError:
1987 select.select([s], [], [], 5.0)
1988 except ssl.SSLWantWriteError:
Antoine Pitroue93bf7a2011-02-26 23:24:06 +0000[diff] [blame]1989 select.select([], [s], [], 5.0)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1990 # SSL established
1991 self.assertTrue(s.getpeercert())
Antoine Pitrou40f12ab2012-12-28 19:03:43 +0100[diff] [blame]1992
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]1993 def test_connect_with_context(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1994 # Same as test_connect, but with a separately created context
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]1995 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
1996 ctx.check_hostname = False
1997 ctx.verify_mode = ssl.CERT_NONE
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]1998 with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:
1999 s.connect(self.server_addr)
2000 self.assertEqual({}, s.getpeercert())
2001 # Same with a server hostname
2002 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2003 server_hostname="dummy") as s:
2004 s.connect(self.server_addr)
2005 ctx.verify_mode = ssl.CERT_REQUIRED
2006 # This should succeed because we specify the root cert
2007 ctx.load_verify_locations(SIGNING_CA)
2008 with ctx.wrap_socket(socket.socket(socket.AF_INET)) as s:
2009 s.connect(self.server_addr)
2010 cert = s.getpeercert()
2011 self.assertTrue(cert)
2012
2013 def test_connect_with_context_fail(self):
2014 # This should fail because we have no verification certs. Connection
2015 # failure crashes ThreadedEchoServer, so run this in an independent
2016 # test method.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2017 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2018 s = ctx.wrap_socket(
2019 socket.socket(socket.AF_INET),
2020 server_hostname=SIGNED_CERTFILE_HOSTNAME
2021 )
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2022 self.addCleanup(s.close)
2023 self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
2024 s.connect, self.server_addr)
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]2025
2026 def test_connect_capath(self):
2027 # Verify server certificates using the `capath` argument
Antoine Pitrou467f28d2010-05-16 19:22:44 +0000[diff] [blame]2028 # NOTE: the subject hashing algorithm has been changed between
2029 # OpenSSL 0.9.8n and 1.0.0, as a result the capath directory must
2030 # contain both versions of each certificate (same content, different
Antoine Pitroud7e4c1c2010-05-17 14:13:10 +0000[diff] [blame]2031 # filename) for this test to be portable across OpenSSL releases.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2032 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2033 ctx.load_verify_locations(capath=CAPATH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2034 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2035 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2036 s.connect(self.server_addr)
2037 cert = s.getpeercert()
2038 self.assertTrue(cert)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2039
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2040 # Same with a bytes `capath` argument
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2041 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2042 ctx.load_verify_locations(capath=BYTES_CAPATH)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2043 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2044 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2045 s.connect(self.server_addr)
2046 cert = s.getpeercert()
2047 self.assertTrue(cert)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2048
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2049 def test_connect_cadata(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2050 with open(SIGNING_CA) as f:
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2051 pem = f.read()
2052 der = ssl.PEM_cert_to_DER_cert(pem)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2053 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2054 ctx.load_verify_locations(cadata=pem)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2055 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2056 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2057 s.connect(self.server_addr)
2058 cert = s.getpeercert()
2059 self.assertTrue(cert)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2060
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2061 # same with DER
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2062 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2063 ctx.load_verify_locations(cadata=der)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2064 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2065 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2066 s.connect(self.server_addr)
2067 cert = s.getpeercert()
2068 self.assertTrue(cert)
Christian Heimesefff7062013-11-21 03:35:02 +0100[diff] [blame]2069
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]2070 @unittest.skipIf(os.name == "nt", "Can't use a socket as a file under Windows")
2071 def test_makefile_close(self):
2072 # Issue #5238: creating a file-like object with makefile() shouldn't
2073 # delay closing the underlying "real socket" (here tested with its
2074 # file descriptor, hence skipping the test under Windows).
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2075 ss = test_wrap_socket(socket.socket(socket.AF_INET))
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2076 ss.connect(self.server_addr)
2077 fd = ss.fileno()
2078 f = ss.makefile()
2079 f.close()
2080 # The fd is still open
2081 os.read(fd, 0)
2082 # Closing the SSL socket should close the fd too
2083 ss.close()
2084 gc.collect()
2085 with self.assertRaises(OSError) as e:
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]2086 os.read(fd, 0)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2087 self.assertEqual(e.exception.errno, errno.EBADF)
Antoine Pitroue3220242010-04-24 11:13:53 +0000[diff] [blame]2088
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2089 def test_non_blocking_handshake(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2090 s = socket.socket(socket.AF_INET)
2091 s.connect(self.server_addr)
2092 s.setblocking(False)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2093 s = test_wrap_socket(s,
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2094 cert_reqs=ssl.CERT_NONE,
2095 do_handshake_on_connect=False)
2096 self.addCleanup(s.close)
2097 count = 0
2098 while True:
2099 try:
2100 count += 1
2101 s.do_handshake()
2102 break
2103 except ssl.SSLWantReadError:
2104 select.select([s], [], [])
2105 except ssl.SSLWantWriteError:
2106 select.select([], [s], [])
2107 if support.verbose:
2108 sys.stdout.write("\nNeeded %d calls to do_handshake() to establish session.\n" % count)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2109
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2110 def test_get_server_certificate(self):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2111 _test_get_server_certificate(self, *self.server_addr, cert=SIGNING_CA)
Antoine Pitrou5aefa662011-04-28 19:24:46 +0200[diff] [blame]2112
juhovh49fdf112021-04-18 21:11:48 +1000[diff] [blame]2113 def test_get_server_certificate_sni(self):
2114 host, port = self.server_addr
2115 server_names = []
2116
2117 # We store servername_cb arguments to make sure they match the host
2118 def servername_cb(ssl_sock, server_name, initial_context):
2119 server_names.append(server_name)
2120 self.server_context.set_servername_callback(servername_cb)
2121
2122 pem = ssl.get_server_certificate((host, port))
2123 if not pem:
2124 self.fail("No server certificate on %s:%s!" % (host, port))
2125
2126 pem = ssl.get_server_certificate((host, port), ca_certs=SIGNING_CA)
2127 if not pem:
2128 self.fail("No server certificate on %s:%s!" % (host, port))
2129 if support.verbose:
2130 sys.stdout.write("\nVerified certificate for %s:%s is\n%s\n" % (host, port, pem))
2131
2132 self.assertEqual(server_names, [host, host])
2133
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2134 def test_get_server_certificate_fail(self):
2135 # Connection failure crashes ThreadedEchoServer, so run this in an
2136 # independent test method
2137 _test_get_server_certificate_fail(self, *self.server_addr)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2138
Zackery Spytzb2fac1a2021-04-23 22:46:01 -0600[diff] [blame]2139 def test_get_server_certificate_timeout(self):
Christian Heimesf05c2ae2021-04-24 07:54:08 +0200[diff] [blame]2140 def servername_cb(ssl_sock, server_name, initial_context):
2141 time.sleep(0.2)
2142 self.server_context.set_servername_callback(servername_cb)
2143
Zackery Spytzb2fac1a2021-04-23 22:46:01 -0600[diff] [blame]2144 with self.assertRaises(socket.timeout):
2145 ssl.get_server_certificate(self.server_addr, ca_certs=SIGNING_CA,
Christian Heimesf05c2ae2021-04-24 07:54:08 +0200[diff] [blame]2146 timeout=0.1)
Zackery Spytzb2fac1a2021-04-23 22:46:01 -0600[diff] [blame]2147
Antoine Pitrouf4c7bad2010-08-15 23:02:22 +0000[diff] [blame]2148 def test_ciphers(self):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2149 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2150 cert_reqs=ssl.CERT_NONE, ciphers="ALL") as s:
2151 s.connect(self.server_addr)
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2152 with test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2153 cert_reqs=ssl.CERT_NONE, ciphers="DEFAULT") as s:
2154 s.connect(self.server_addr)
2155 # Error checking can happen at instantiation or when connecting
2156 with self.assertRaisesRegex(ssl.SSLError, "No cipher can be selected"):
2157 with socket.socket(socket.AF_INET) as sock:
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2158 s = test_wrap_socket(sock,
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2159 cert_reqs=ssl.CERT_NONE, ciphers="^$:,;?*'dorothyx")
2160 s.connect(self.server_addr)
Antoine Pitroufec12ff2010-04-21 19:46:23 +0000[diff] [blame]2161
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]2162 def test_get_ca_certs_capath(self):
2163 # capath certs are loaded on request
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2164 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2165 ctx.load_verify_locations(capath=CAPATH)
2166 self.assertEqual(ctx.get_ca_certs(), [])
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2167 with ctx.wrap_socket(socket.socket(socket.AF_INET),
2168 server_hostname='localhost') as s:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2169 s.connect(self.server_addr)
2170 cert = s.getpeercert()
2171 self.assertTrue(cert)
2172 self.assertEqual(len(ctx.get_ca_certs()), 1)
Christian Heimes9a5395a2013-06-17 15:44:12 +0200[diff] [blame]2173
Christian Heimes8e7f3942013-12-05 07:41:08 +0100[diff] [blame]2174 def test_context_setget(self):
2175 # Check that the context of a connected socket can be replaced.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2176 ctx1 = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2177 ctx1.load_verify_locations(capath=CAPATH)
2178 ctx2 = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2179 ctx2.load_verify_locations(capath=CAPATH)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2180 s = socket.socket(socket.AF_INET)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2181 with ctx1.wrap_socket(s, server_hostname='localhost') as ss:
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2182 ss.connect(self.server_addr)
2183 self.assertIs(ss.context, ctx1)
2184 self.assertIs(ss._sslobj.context, ctx1)
2185 ss.context = ctx2
2186 self.assertIs(ss.context, ctx2)
2187 self.assertIs(ss._sslobj.context, ctx2)
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2188
2189 def ssl_io_loop(self, sock, incoming, outgoing, func, *args, **kwargs):
2190 # A simple IO loop. Call func(*args) depending on the error we get
2191 # (WANT_READ or WANT_WRITE) move data between the socket and the BIOs.
Victor Stinner0d63bac2019-12-11 11:30:03 +0100[diff] [blame]2192 timeout = kwargs.get('timeout', support.SHORT_TIMEOUT)
Victor Stinner50a72af2017-09-11 09:34:24 -0700[diff] [blame]2193 deadline = time.monotonic() + timeout
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2194 count = 0
2195 while True:
Victor Stinner50a72af2017-09-11 09:34:24 -0700[diff] [blame]2196 if time.monotonic() > deadline:
2197 self.fail("timeout")
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2198 errno = None
2199 count += 1
2200 try:
2201 ret = func(*args)
2202 except ssl.SSLError as e:
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2203 if e.errno not in (ssl.SSL_ERROR_WANT_READ,
Martin Panter40b97ec2016-01-14 13:05:46 +0000[diff] [blame]2204 ssl.SSL_ERROR_WANT_WRITE):
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2205 raise
2206 errno = e.errno
2207 # Get any data from the outgoing BIO irrespective of any error, and
2208 # send it to the socket.
2209 buf = outgoing.read()
2210 sock.sendall(buf)
2211 # If there's no error, we're done. For WANT_READ, we need to get
2212 # data from the socket and put it in the incoming BIO.
2213 if errno is None:
2214 break
2215 elif errno == ssl.SSL_ERROR_WANT_READ:
2216 buf = sock.recv(32768)
2217 if buf:
2218 incoming.write(buf)
2219 else:
2220 incoming.write_eof()
2221 if support.verbose:
2222 sys.stdout.write("Needed %d calls to complete %s().\n"
2223 % (count, func.__name__))
2224 return ret
2225
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2226 def test_bio_handshake(self):
2227 sock = socket.socket(socket.AF_INET)
2228 self.addCleanup(sock.close)
2229 sock.connect(self.server_addr)
2230 incoming = ssl.MemoryBIO()
2231 outgoing = ssl.MemoryBIO()
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2232 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2233 self.assertTrue(ctx.check_hostname)
2234 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2235 ctx.load_verify_locations(SIGNING_CA)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2236 sslobj = ctx.wrap_bio(incoming, outgoing, False,
2237 SIGNED_CERTFILE_HOSTNAME)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2238 self.assertIs(sslobj._sslobj.owner, sslobj)
2239 self.assertIsNone(sslobj.cipher())
Christian Heimes68771112017-09-05 21:55:40 -0700[diff] [blame]2240 self.assertIsNone(sslobj.version())
Christian Heimes01113fa2016-09-05 23:23:24 +0200[diff] [blame]2241 self.assertIsNotNone(sslobj.shared_ciphers())
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2242 self.assertRaises(ValueError, sslobj.getpeercert)
2243 if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
2244 self.assertIsNone(sslobj.get_channel_binding('tls-unique'))
2245 self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake)
2246 self.assertTrue(sslobj.cipher())
Christian Heimes01113fa2016-09-05 23:23:24 +0200[diff] [blame]2247 self.assertIsNotNone(sslobj.shared_ciphers())
Christian Heimes68771112017-09-05 21:55:40 -0700[diff] [blame]2248 self.assertIsNotNone(sslobj.version())
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2249 self.assertTrue(sslobj.getpeercert())
2250 if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
2251 self.assertTrue(sslobj.get_channel_binding('tls-unique'))
2252 try:
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2253 self.ssl_io_loop(sock, incoming, outgoing, sslobj.unwrap)
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2254 except ssl.SSLSyscallError:
2255 # If the server shuts down the TCP connection without sending a
2256 # secure shutdown message, this is reported as SSL_ERROR_SYSCALL
2257 pass
2258 self.assertRaises(ssl.SSLError, sslobj.write, b'foo')
2259
2260 def test_bio_read_write_data(self):
2261 sock = socket.socket(socket.AF_INET)
2262 self.addCleanup(sock.close)
2263 sock.connect(self.server_addr)
2264 incoming = ssl.MemoryBIO()
2265 outgoing = ssl.MemoryBIO()
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2266 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
2267 ctx.check_hostname = False
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2268 ctx.verify_mode = ssl.CERT_NONE
2269 sslobj = ctx.wrap_bio(incoming, outgoing, False)
2270 self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake)
2271 req = b'FOO\n'
2272 self.ssl_io_loop(sock, incoming, outgoing, sslobj.write, req)
2273 buf = self.ssl_io_loop(sock, incoming, outgoing, sslobj.read, 1024)
2274 self.assertEqual(buf, b'foo\n')
2275 self.ssl_io_loop(sock, incoming, outgoing, sslobj.unwrap)
Antoine Pitroub1fdf472014-10-05 20:41:53 +0200[diff] [blame]2276
2277
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2278class NetworkedTests(unittest.TestCase):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2279
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2280 def test_timeout_connect_ex(self):
2281 # Issue #12065: on a timeout, connect_ex() should return the original
2282 # errno (mimicking the behaviour of non-SSL sockets).
Serhiy Storchakabfb1cf42020-04-29 10:36:20 +0300[diff] [blame]2283 with socket_helper.transient_internet(REMOTE_HOST):
Christian Heimesd0486372016-09-10 23:23:33 +0200[diff] [blame]2284 s = test_wrap_socket(socket.socket(socket.AF_INET),
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2285 cert_reqs=ssl.CERT_REQUIRED,
2286 do_handshake_on_connect=False)
2287 self.addCleanup(s.close)
2288 s.settimeout(0.0000001)
2289 rc = s.connect_ex((REMOTE_HOST, 443))
2290 if rc == 0:
2291 self.skipTest("REMOTE_HOST responded too quickly")
Carl Meyer29c451c2021-03-27 15:52:28 -0600[diff] [blame]2292 elif rc == errno.ENETUNREACH:
2293 self.skipTest("Network unreachable.")
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2294 self.assertIn(rc, (errno.EAGAIN, errno.EWOULDBLOCK))
2295
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]2296 @unittest.skipUnless(socket_helper.IPV6_ENABLED, 'Needs IPv6')
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2297 def test_get_server_certificate_ipv6(self):
Serhiy Storchakabfb1cf42020-04-29 10:36:20 +0300[diff] [blame]2298 with socket_helper.transient_internet('ipv6.google.com'):
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2299 _test_get_server_certificate(self, 'ipv6.google.com', 443)
2300 _test_get_server_certificate_fail(self, 'ipv6.google.com', 443)
2301
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]2302
2303def _test_get_server_certificate(test, host, port, cert=None):
2304 pem = ssl.get_server_certificate((host, port))
2305 if not pem:
2306 test.fail("No server certificate on %s:%s!" % (host, port))
2307
2308 pem = ssl.get_server_certificate((host, port), ca_certs=cert)
2309 if not pem:
2310 test.fail("No server certificate on %s:%s!" % (host, port))
2311 if support.verbose:
2312 sys.stdout.write("\nVerified certificate for %s:%s is\n%s\n" % (host, port ,pem))
2313
2314def _test_get_server_certificate_fail(test, host, port):
2315 try:
2316 pem = ssl.get_server_certificate((host, port), ca_certs=CERTFILE)
2317 except ssl.SSLError as x:
2318 #should fail
2319 if support.verbose:
2320 sys.stdout.write("%s\n" % x)
2321 else:
2322 test.fail("Got server certificate %s for %s:%s!" % (pem, host, port))
2323
2324
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2325from test.ssl_servers import make_https_server
Antoine Pitrou803e6d62010-10-13 10:36:15 +0000[diff] [blame]2326
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2327class ThreadedEchoServer(threading.Thread):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2328
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2329 class ConnectionHandler(threading.Thread):
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2330
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2331 """A mildly complicated class, because we want it to work both
2332 with and without the SSL wrapper around the socket connection, so
2333 that we can test the STARTTLS functionality."""
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2334
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2335 def __init__(self, server, connsock, addr):
2336 self.server = server
2337 self.running = False
2338 self.sock = connsock
2339 self.addr = addr
Serhiy Storchaka5eca7f32019-09-01 12:12:52 +0300[diff] [blame]2340 self.sock.setblocking(True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2341 self.sslconn = None
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2342 threading.Thread.__init__(self)
Benjamin Peterson4171da52008-08-18 21:11:09 +0000[diff] [blame]2343 self.daemon = True
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2344
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2345 def wrap_conn(self):
2346 try:
2347 self.sslconn = self.server.context.wrap_socket(
2348 self.sock, server_side=True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2349 self.server.selected_alpn_protocols.append(self.sslconn.selected_alpn_protocol())
Paul Monsonfb7e7502019-05-15 15:38:55 -0700[diff] [blame]2350 except (ConnectionResetError, BrokenPipeError, ConnectionAbortedError) as e:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2351 # We treat ConnectionResetError as though it were an
2352 # SSLError - OpenSSL on Ubuntu abruptly closes the
2353 # connection when asked to use an unsupported protocol.
2354 #
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2355 # BrokenPipeError is raised in TLS 1.3 mode, when OpenSSL
2356 # tries to send session tickets after handshake.
2357 # https://github.com/openssl/openssl/issues/6342
Paul Monsonfb7e7502019-05-15 15:38:55 -0700[diff] [blame]2358 #
2359 # ConnectionAbortedError is raised in TLS 1.3 mode, when OpenSSL
2360 # tries to send session tickets after handshake when using WinSock.
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2361 self.server.conn_errors.append(str(e))
2362 if self.server.chatty:
2363 handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n")
2364 self.running = False
2365 self.close()
2366 return False
2367 except (ssl.SSLError, OSError) as e:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2368 # OSError may occur with wrong protocols, e.g. both
2369 # sides use PROTOCOL_TLS_SERVER.
2370 #
2371 # XXX Various errors can have happened here, for example
2372 # a mismatching protocol version, an invalid certificate,
2373 # or a low-level bug. This should be made more discriminating.
2374 #
2375 # bpo-31323: Store the exception as string to prevent
2376 # a reference leak: server -> conn_errors -> exception
2377 # -> traceback -> self (ConnectionHandler) -> server
2378 self.server.conn_errors.append(str(e))
2379 if self.server.chatty:
2380 handle_error("\n server: bad connection attempt from " + repr(self.addr) + ":\n")
2381 self.running = False
2382 self.server.stop()
2383 self.close()
2384 return False
2385 else:
2386 self.server.shared_ciphers.append(self.sslconn.shared_ciphers())
2387 if self.server.context.verify_mode == ssl.CERT_REQUIRED:
2388 cert = self.sslconn.getpeercert()
2389 if support.verbose and self.server.chatty:
2390 sys.stdout.write(" client cert is " + pprint.pformat(cert) + "\n")
2391 cert_binary = self.sslconn.getpeercert(True)
2392 if support.verbose and self.server.chatty:
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]2393 if cert_binary is None:
2394 sys.stdout.write(" client did not provide a cert\n")
2395 else:
2396 sys.stdout.write(f" cert binary is {len(cert_binary)}b\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2397 cipher = self.sslconn.cipher()
2398 if support.verbose and self.server.chatty:
2399 sys.stdout.write(" server: connection cipher is now " + str(cipher) + "\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2400 return True
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2401
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2402 def read(self):
2403 if self.sslconn:
2404 return self.sslconn.read()
2405 else:
2406 return self.sock.recv(1024)
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2407
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2408 def write(self, bytes):
2409 if self.sslconn:
2410 return self.sslconn.write(bytes)
2411 else:
2412 return self.sock.send(bytes)
2413
2414 def close(self):
2415 if self.sslconn:
2416 self.sslconn.close()
2417 else:
2418 self.sock.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2419
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2420 def run(self):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2421 self.running = True
2422 if not self.server.starttls_server:
2423 if not self.wrap_conn():
2424 return
2425 while self.running:
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2426 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2427 msg = self.read()
2428 stripped = msg.strip()
2429 if not stripped:
2430 # eof, so quit this handler
2431 self.running = False
2432 try:
2433 self.sock = self.sslconn.unwrap()
2434 except OSError:
2435 # Many tests shut the TCP connection down
2436 # without an SSL shutdown. This causes
2437 # unwrap() to raise OSError with errno=0!
2438 pass
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]2439 else:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2440 self.sslconn = None
2441 self.close()
2442 elif stripped == b'over':
2443 if support.verbose and self.server.connectionchatty:
2444 sys.stdout.write(" server: client closed connection\n")
2445 self.close()
2446 return
2447 elif (self.server.starttls_server and
2448 stripped == b'STARTTLS'):
2449 if support.verbose and self.server.connectionchatty:
2450 sys.stdout.write(" server: read STARTTLS from client, sending OK...\n")
2451 self.write(b"OK\n")
2452 if not self.wrap_conn():
2453 return
2454 elif (self.server.starttls_server and self.sslconn
2455 and stripped == b'ENDTLS'):
2456 if support.verbose and self.server.connectionchatty:
2457 sys.stdout.write(" server: read ENDTLS from client, sending OK...\n")
2458 self.write(b"OK\n")
2459 self.sock = self.sslconn.unwrap()
2460 self.sslconn = None
2461 if support.verbose and self.server.connectionchatty:
2462 sys.stdout.write(" server: connection is now unencrypted...\n")
2463 elif stripped == b'CB tls-unique':
2464 if support.verbose and self.server.connectionchatty:
2465 sys.stdout.write(" server: read CB tls-unique from client, sending our CB data...\n")
2466 data = self.sslconn.get_channel_binding("tls-unique")
2467 self.write(repr(data).encode("us-ascii") + b"\n")
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]2468 elif stripped == b'PHA':
2469 if support.verbose and self.server.connectionchatty:
2470 sys.stdout.write(" server: initiating post handshake auth\n")
2471 try:
2472 self.sslconn.verify_client_post_handshake()
2473 except ssl.SSLError as e:
2474 self.write(repr(e).encode("us-ascii") + b"\n")
2475 else:
2476 self.write(b"OK\n")
2477 elif stripped == b'HASCERT':
2478 if self.sslconn.getpeercert() is not None:
2479 self.write(b'TRUE\n')
2480 else:
2481 self.write(b'FALSE\n')
2482 elif stripped == b'GETCERT':
2483 cert = self.sslconn.getpeercert()
2484 self.write(repr(cert).encode("us-ascii") + b"\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2485 else:
2486 if (support.verbose and
2487 self.server.connectionchatty):
2488 ctype = (self.sslconn and "encrypted") or "unencrypted"
2489 sys.stdout.write(" server: read %r (%s), sending back %r (%s)...\n"
2490 % (msg, ctype, msg.lower(), ctype))
2491 self.write(msg.lower())
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]2492 except OSError as e:
2493 # handles SSLError and socket errors
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2494 if self.server.chatty and support.verbose:
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]2495 if isinstance(e, ConnectionError):
2496 # OpenSSL 1.1.1 sometimes raises
2497 # ConnectionResetError when connection is not
2498 # shut down gracefully.
2499 print(
2500 f" Connection reset by peer: {self.addr}"
2501 )
2502 else:
2503 handle_error("Test server failure:\n")
2504 try:
2505 self.write(b"ERROR\n")
2506 except OSError:
2507 pass
Bill Janssen2f5799b2008-06-29 00:08:12 +0000[diff] [blame]2508 self.close()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2509 self.running = False
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2510
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2511 # normally, we'd just stop here, but for the test
2512 # harness, we want to stop the server
2513 self.server.stop()
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2514
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2515 def __init__(self, certificate=None, ssl_version=None,
2516 certreqs=None, cacerts=None,
2517 chatty=True, connectionchatty=False, starttls_server=False,
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2518 alpn_protocols=None,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2519 ciphers=None, context=None):
2520 if context:
2521 self.context = context
2522 else:
2523 self.context = ssl.SSLContext(ssl_version
2524 if ssl_version is not None
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2525 else ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2526 self.context.verify_mode = (certreqs if certreqs is not None
2527 else ssl.CERT_NONE)
2528 if cacerts:
2529 self.context.load_verify_locations(cacerts)
2530 if certificate:
2531 self.context.load_cert_chain(certificate)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2532 if alpn_protocols:
2533 self.context.set_alpn_protocols(alpn_protocols)
2534 if ciphers:
2535 self.context.set_ciphers(ciphers)
2536 self.chatty = chatty
2537 self.connectionchatty = connectionchatty
2538 self.starttls_server = starttls_server
2539 self.sock = socket.socket()
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]2540 self.port = socket_helper.bind_port(self.sock)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2541 self.flag = None
2542 self.active = False
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2543 self.selected_alpn_protocols = []
2544 self.shared_ciphers = []
2545 self.conn_errors = []
2546 threading.Thread.__init__(self)
2547 self.daemon = True
2548
2549 def __enter__(self):
2550 self.start(threading.Event())
2551 self.flag.wait()
2552 return self
2553
2554 def __exit__(self, *args):
2555 self.stop()
2556 self.join()
2557
2558 def start(self, flag=None):
2559 self.flag = flag
2560 threading.Thread.start(self)
2561
2562 def run(self):
2563 self.sock.settimeout(0.05)
2564 self.sock.listen()
2565 self.active = True
2566 if self.flag:
2567 # signal an event
2568 self.flag.set()
2569 while self.active:
2570 try:
2571 newconn, connaddr = self.sock.accept()
2572 if support.verbose and self.chatty:
2573 sys.stdout.write(' server: new connection from '
2574 + repr(connaddr) + '\n')
2575 handler = self.ConnectionHandler(self, newconn, connaddr)
2576 handler.start()
2577 handler.join()
Christian Heimes03c8ddd2020-11-20 09:26:07 +0100[diff] [blame]2578 except TimeoutError:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2579 pass
2580 except KeyboardInterrupt:
2581 self.stop()
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]2582 except BaseException as e:
2583 if support.verbose and self.chatty:
2584 sys.stdout.write(
2585 ' connection handling failed: ' + repr(e) + '\n')
2586
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2587 self.sock.close()
2588
2589 def stop(self):
2590 self.active = False
2591
2592class AsyncoreEchoServer(threading.Thread):
2593
2594 # this one's based on asyncore.dispatcher
2595
2596 class EchoServer (asyncore.dispatcher):
2597
2598 class ConnectionHandler(asyncore.dispatcher_with_send):
2599
2600 def __init__(self, conn, certfile):
2601 self.socket = test_wrap_socket(conn, server_side=True,
2602 certfile=certfile,
2603 do_handshake_on_connect=False)
2604 asyncore.dispatcher_with_send.__init__(self, self.socket)
2605 self._ssl_accepting = True
2606 self._do_ssl_handshake()
2607
2608 def readable(self):
2609 if isinstance(self.socket, ssl.SSLSocket):
2610 while self.socket.pending() > 0:
2611 self.handle_read_event()
2612 return True
2613
2614 def _do_ssl_handshake(self):
2615 try:
2616 self.socket.do_handshake()
2617 except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
2618 return
2619 except ssl.SSLEOFError:
2620 return self.handle_close()
2621 except ssl.SSLError:
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2622 raise
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2623 except OSError as err:
2624 if err.args[0] == errno.ECONNABORTED:
2625 return self.handle_close()
2626 else:
2627 self._ssl_accepting = False
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2628
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2629 def handle_read(self):
2630 if self._ssl_accepting:
2631 self._do_ssl_handshake()
2632 else:
2633 data = self.recv(1024)
2634 if support.verbose:
2635 sys.stdout.write(" server: read %s from client\n" % repr(data))
2636 if not data:
2637 self.close()
2638 else:
2639 self.send(data.lower())
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2640
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2641 def handle_close(self):
2642 self.close()
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2643 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2644 sys.stdout.write(" server: closed connection %s\n" % self.socket)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2645
2646 def handle_error(self):
2647 raise
2648
Trent Nelson78520002008-04-10 20:54:35 +0000[diff] [blame]2649 def __init__(self, certfile):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2650 self.certfile = certfile
2651 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]2652 self.port = socket_helper.bind_port(sock, '')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2653 asyncore.dispatcher.__init__(self, sock)
2654 self.listen(5)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2655
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2656 def handle_accepted(self, sock_obj, addr):
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2657 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2658 sys.stdout.write(" server: new connection from %s:%s\n" %addr)
2659 self.ConnectionHandler(sock_obj, self.certfile)
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2660
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2661 def handle_error(self):
2662 raise
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2663
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2664 def __init__(self, certfile):
2665 self.flag = None
2666 self.active = False
2667 self.server = self.EchoServer(certfile)
2668 self.port = self.server.port
2669 threading.Thread.__init__(self)
2670 self.daemon = True
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2671
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2672 def __str__(self):
2673 return "<%s %s>" % (self.__class__.__name__, self.server)
Bill Janssen54cc54c2007-12-14 22:08:56 +0000[diff] [blame]2674
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2675 def __enter__(self):
2676 self.start(threading.Event())
2677 self.flag.wait()
2678 return self
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]2679
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2680 def __exit__(self, *args):
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2681 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2682 sys.stdout.write(" cleanup: stopping server.\n")
2683 self.stop()
2684 if support.verbose:
2685 sys.stdout.write(" cleanup: joining server thread.\n")
2686 self.join()
2687 if support.verbose:
2688 sys.stdout.write(" cleanup: successfully joined.\n")
2689 # make sure that ConnectionHandler is removed from socket_map
2690 asyncore.close_all(ignore_all=True)
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]2691
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2692 def start (self, flag=None):
2693 self.flag = flag
2694 threading.Thread.start(self)
Antoine Pitrou2463e5f2013-03-28 22:24:43 +0100[diff] [blame]2695
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2696 def run(self):
2697 self.active = True
2698 if self.flag:
2699 self.flag.set()
2700 while self.active:
Antoine Pitrou773b5db2010-04-27 08:53:36 +0000[diff] [blame]2701 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2702 asyncore.loop(1)
2703 except:
2704 pass
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2705
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2706 def stop(self):
2707 self.active = False
2708 self.server.close()
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]2709
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2710def server_params_test(client_context, server_context, indata=b"FOO\n",
2711 chatty=True, connectionchatty=False, sni_name=None,
2712 session=None):
2713 """
2714 Launch a server, connect a client to it and try various reads
2715 and writes.
2716 """
2717 stats = {}
2718 server = ThreadedEchoServer(context=server_context,
2719 chatty=chatty,
2720 connectionchatty=False)
2721 with server:
2722 with client_context.wrap_socket(socket.socket(),
2723 server_hostname=sni_name, session=session) as s:
2724 s.connect((HOST, server.port))
2725 for arg in [indata, bytearray(indata), memoryview(indata)]:
2726 if connectionchatty:
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2727 if support.verbose:
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2728 sys.stdout.write(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2729 " client: sending %r...\n" % indata)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2730 s.write(arg)
Antoine Pitrou18c913e2010-04-27 10:59:39 +0000[diff] [blame]2731 outdata = s.read()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2732 if connectionchatty:
2733 if support.verbose:
2734 sys.stdout.write(" client: read %r\n" % outdata)
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2735 if outdata != indata.lower():
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2736 raise AssertionError(
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]2737 "bad data <<%r>> (%d) received; expected <<%r>> (%d)\n"
2738 % (outdata[:20], len(outdata),
2739 indata[:20].lower(), len(indata)))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2740 s.write(b"over\n")
2741 if connectionchatty:
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]2742 if support.verbose:
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2743 sys.stdout.write(" client: closing connection.\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2744 stats.update({
2745 'compression': s.compression(),
2746 'cipher': s.cipher(),
2747 'peercert': s.getpeercert(),
2748 'client_alpn_protocol': s.selected_alpn_protocol(),
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2749 'version': s.version(),
2750 'session_reused': s.session_reused,
2751 'session': s.session,
2752 })
2753 s.close()
2754 stats['server_alpn_protocols'] = server.selected_alpn_protocols
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2755 stats['server_shared_ciphers'] = server.shared_ciphers
2756 return stats
Trent Nelson6b240cd2008-04-10 20:12:06 +0000[diff] [blame]2757
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2758def try_protocol_combo(server_protocol, client_protocol, expect_success,
2759 certsreqs=None, server_options=0, client_options=0):
2760 """
2761 Try to SSL-connect using *client_protocol* to *server_protocol*.
2762 If *expect_success* is true, assert that the connection succeeds,
2763 if it's false, assert that the connection fails.
2764 Also, if *expect_success* is a string, assert that it is the protocol
2765 version actually used by the connection.
2766 """
2767 if certsreqs is None:
2768 certsreqs = ssl.CERT_NONE
2769 certtype = {
2770 ssl.CERT_NONE: "CERT_NONE",
2771 ssl.CERT_OPTIONAL: "CERT_OPTIONAL",
2772 ssl.CERT_REQUIRED: "CERT_REQUIRED",
2773 }[certsreqs]
2774 if support.verbose:
2775 formatstr = (expect_success and " %s->%s %s\n") or " {%s->%s} %s\n"
2776 sys.stdout.write(formatstr %
2777 (ssl.get_protocol_name(client_protocol),
2778 ssl.get_protocol_name(server_protocol),
2779 certtype))
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2780
2781 with warnings_helper.check_warnings():
2782 # ignore Deprecation warnings
2783 client_context = ssl.SSLContext(client_protocol)
2784 client_context.options |= client_options
2785 server_context = ssl.SSLContext(server_protocol)
2786 server_context.options |= server_options
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2787
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]2788 min_version = PROTOCOL_TO_TLS_VERSION.get(client_protocol, None)
2789 if (min_version is not None
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2790 # SSLContext.minimum_version is only available on recent OpenSSL
2791 # (setter added in OpenSSL 1.1.0, getter added in OpenSSL 1.1.1)
2792 and hasattr(server_context, 'minimum_version')
2793 and server_protocol == ssl.PROTOCOL_TLS
2794 and server_context.minimum_version > min_version
2795 ):
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]2796 # If OpenSSL configuration is strict and requires more recent TLS
2797 # version, we have to change the minimum to test old TLS versions.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]2798 with warnings_helper.check_warnings():
2799 server_context.minimum_version = min_version
Victor Stinner3ef63442019-02-19 18:06:03 +0100[diff] [blame]2800
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2801 # NOTE: we must enable "ALL" ciphers on the client, otherwise an
2802 # SSLv23 client will send an SSLv3 hello (rather than SSLv2)
2803 # starting from OpenSSL 1.0.0 (see issue #8322).
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2804 if client_context.protocol == ssl.PROTOCOL_TLS:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2805 client_context.set_ciphers("ALL")
2806
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]2807 seclevel_workaround(server_context, client_context)
2808
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2809 for ctx in (client_context, server_context):
2810 ctx.verify_mode = certsreqs
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]2811 ctx.load_cert_chain(SIGNED_CERTFILE)
2812 ctx.load_verify_locations(SIGNING_CA)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2813 try:
2814 stats = server_params_test(client_context, server_context,
2815 chatty=False, connectionchatty=False)
2816 # Protocol mismatch can result in either an SSLError, or a
2817 # "Connection reset by peer" error.
2818 except ssl.SSLError:
2819 if expect_success:
2820 raise
2821 except OSError as e:
2822 if expect_success or e.errno != errno.ECONNRESET:
2823 raise
2824 else:
2825 if not expect_success:
2826 raise AssertionError(
2827 "Client protocol %s succeeded with server protocol %s!"
2828 % (ssl.get_protocol_name(client_protocol),
2829 ssl.get_protocol_name(server_protocol)))
2830 elif (expect_success is not True
2831 and expect_success != stats['version']):
2832 raise AssertionError("version mismatch: expected %r, got %r"
2833 % (expect_success, stats['version']))
2834
2835
2836class ThreadedTests(unittest.TestCase):
2837
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2838 def test_echo(self):
2839 """Basic test of an SSL client connecting to a server"""
2840 if support.verbose:
2841 sys.stdout.write("\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2842
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2843 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2844
2845 with self.subTest(client=ssl.PROTOCOL_TLS_CLIENT, server=ssl.PROTOCOL_TLS_SERVER):
2846 server_params_test(client_context=client_context,
2847 server_context=server_context,
2848 chatty=True, connectionchatty=True,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2849 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2850
2851 client_context.check_hostname = False
2852 with self.subTest(client=ssl.PROTOCOL_TLS_SERVER, server=ssl.PROTOCOL_TLS_CLIENT):
2853 with self.assertRaises(ssl.SSLError) as e:
2854 server_params_test(client_context=server_context,
2855 server_context=client_context,
2856 chatty=True, connectionchatty=True,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2857 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2858 self.assertIn('called a function you should not call',
2859 str(e.exception))
2860
2861 with self.subTest(client=ssl.PROTOCOL_TLS_SERVER, server=ssl.PROTOCOL_TLS_SERVER):
2862 with self.assertRaises(ssl.SSLError) as e:
2863 server_params_test(client_context=server_context,
2864 server_context=server_context,
2865 chatty=True, connectionchatty=True)
2866 self.assertIn('called a function you should not call',
2867 str(e.exception))
2868
2869 with self.subTest(client=ssl.PROTOCOL_TLS_CLIENT, server=ssl.PROTOCOL_TLS_CLIENT):
2870 with self.assertRaises(ssl.SSLError) as e:
2871 server_params_test(client_context=server_context,
2872 server_context=client_context,
2873 chatty=True, connectionchatty=True)
2874 self.assertIn('called a function you should not call',
2875 str(e.exception))
2876
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2877 def test_getpeercert(self):
2878 if support.verbose:
2879 sys.stdout.write("\n")
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2880
2881 client_context, server_context, hostname = testing_context()
2882 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2883 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2884 with client_context.wrap_socket(socket.socket(),
2885 do_handshake_on_connect=False,
2886 server_hostname=hostname) as s:
2887 s.connect((HOST, server.port))
2888 # getpeercert() raise ValueError while the handshake isn't
2889 # done.
2890 with self.assertRaises(ValueError):
2891 s.getpeercert()
2892 s.do_handshake()
2893 cert = s.getpeercert()
2894 self.assertTrue(cert, "Can't get peer certificate.")
2895 cipher = s.cipher()
2896 if support.verbose:
2897 sys.stdout.write(pprint.pformat(cert) + '\n')
2898 sys.stdout.write("Connection cipher is " + str(cipher) + '.\n')
2899 if 'subject' not in cert:
2900 self.fail("No subject field in certificate: %s." %
2901 pprint.pformat(cert))
2902 if ((('organizationName', 'Python Software Foundation'),)
2903 not in cert['subject']):
2904 self.fail(
2905 "Missing or invalid 'organizationName' field in certificate subject; "
2906 "should be 'Python Software Foundation'.")
2907 self.assertIn('notBefore', cert)
2908 self.assertIn('notAfter', cert)
2909 before = ssl.cert_time_to_seconds(cert['notBefore'])
2910 after = ssl.cert_time_to_seconds(cert['notAfter'])
2911 self.assertLess(before, after)
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2912
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2913 def test_crl_check(self):
2914 if support.verbose:
2915 sys.stdout.write("\n")
2916
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2917 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2918
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2919 tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2920 self.assertEqual(client_context.verify_flags, ssl.VERIFY_DEFAULT | tf)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2921
2922 # VERIFY_DEFAULT should pass
2923 server = ThreadedEchoServer(context=server_context, chatty=True)
2924 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2925 with client_context.wrap_socket(socket.socket(),
2926 server_hostname=hostname) as s:
Antoine Pitrou65a3f4b2011-12-21 16:52:40 +0100[diff] [blame]2927 s.connect((HOST, server.port))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2928 cert = s.getpeercert()
2929 self.assertTrue(cert, "Can't get peer certificate.")
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2930
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2931 # VERIFY_CRL_CHECK_LEAF without a loaded CRL file fails
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2932 client_context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2933
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2934 server = ThreadedEchoServer(context=server_context, chatty=True)
2935 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2936 with client_context.wrap_socket(socket.socket(),
2937 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2938 with self.assertRaisesRegex(ssl.SSLError,
2939 "certificate verify failed"):
2940 s.connect((HOST, server.port))
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2941
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2942 # now load a CRL file. The CRL file is signed by the CA.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2943 client_context.load_verify_locations(CRLFILE)
Bill Janssen58afe4c2008-09-08 16:45:19 +0000[diff] [blame]2944
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2945 server = ThreadedEchoServer(context=server_context, chatty=True)
2946 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2947 with client_context.wrap_socket(socket.socket(),
2948 server_hostname=hostname) as s:
Antoine Pitroub4bebda2014-04-29 10:03:28 +0200[diff] [blame]2949 s.connect((HOST, server.port))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2950 cert = s.getpeercert()
2951 self.assertTrue(cert, "Can't get peer certificate.")
Antoine Pitroub4bebda2014-04-29 10:03:28 +0200[diff] [blame]2952
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2953 def test_check_hostname(self):
2954 if support.verbose:
2955 sys.stdout.write("\n")
Antoine Pitroub4bebda2014-04-29 10:03:28 +0200[diff] [blame]2956
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2957 client_context, server_context, hostname = testing_context()
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]2958
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2959 # correct hostname should verify
2960 server = ThreadedEchoServer(context=server_context, chatty=True)
2961 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2962 with client_context.wrap_socket(socket.socket(),
2963 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2964 s.connect((HOST, server.port))
2965 cert = s.getpeercert()
2966 self.assertTrue(cert, "Can't get peer certificate.")
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]2967
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2968 # incorrect hostname should raise an exception
2969 server = ThreadedEchoServer(context=server_context, chatty=True)
2970 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2971 with client_context.wrap_socket(socket.socket(),
2972 server_hostname="invalid") as s:
Christian Heimes61d478c2018-01-27 15:51:38 +0100[diff] [blame]2973 with self.assertRaisesRegex(
2974 ssl.CertificateError,
2975 "Hostname mismatch, certificate is not valid for 'invalid'."):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2976 s.connect((HOST, server.port))
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]2977
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2978 # missing server_hostname arg should cause an exception, too
2979 server = ThreadedEchoServer(context=server_context, chatty=True)
2980 with server:
2981 with socket.socket() as s:
2982 with self.assertRaisesRegex(ValueError,
2983 "check_hostname requires server_hostname"):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]2984 client_context.wrap_socket(s)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]2985
Christian Heimesb467d9a2021-04-17 10:07:19 +0200[diff] [blame]2986 @unittest.skipUnless(
2987 ssl.HAS_NEVER_CHECK_COMMON_NAME, "test requires hostname_checks_common_name"
2988 )
2989 def test_hostname_checks_common_name(self):
2990 client_context, server_context, hostname = testing_context()
2991 assert client_context.hostname_checks_common_name
2992 client_context.hostname_checks_common_name = False
2993
2994 # default cert has a SAN
2995 server = ThreadedEchoServer(context=server_context, chatty=True)
2996 with server:
2997 with client_context.wrap_socket(socket.socket(),
2998 server_hostname=hostname) as s:
2999 s.connect((HOST, server.port))
3000
3001 client_context, server_context, hostname = testing_context(NOSANFILE)
3002 client_context.hostname_checks_common_name = False
3003 server = ThreadedEchoServer(context=server_context, chatty=True)
3004 with server:
3005 with client_context.wrap_socket(socket.socket(),
3006 server_hostname=hostname) as s:
3007 with self.assertRaises(ssl.SSLCertVerificationError):
3008 s.connect((HOST, server.port))
3009
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3010 def test_ecc_cert(self):
3011 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3012 client_context.load_verify_locations(SIGNING_CA)
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3013 client_context.set_ciphers('ECDHE:ECDSA:!NULL:!aRSA')
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3014 hostname = SIGNED_CERTFILE_ECC_HOSTNAME
3015
3016 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
3017 # load ECC cert
3018 server_context.load_cert_chain(SIGNED_CERTFILE_ECC)
3019
3020 # correct hostname should verify
3021 server = ThreadedEchoServer(context=server_context, chatty=True)
3022 with server:
3023 with client_context.wrap_socket(socket.socket(),
3024 server_hostname=hostname) as s:
3025 s.connect((HOST, server.port))
3026 cert = s.getpeercert()
3027 self.assertTrue(cert, "Can't get peer certificate.")
3028 cipher = s.cipher()[0].split('-')
3029 self.assertTrue(cipher[:2], ('ECDHE', 'ECDSA'))
3030
3031 def test_dual_rsa_ecc(self):
3032 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3033 client_context.load_verify_locations(SIGNING_CA)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3034 # TODO: fix TLSv1.3 once SSLContext can restrict signature
3035 # algorithms.
3036 client_context.options |= ssl.OP_NO_TLSv1_3
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3037 # only ECDSA certs
3038 client_context.set_ciphers('ECDHE:ECDSA:!NULL:!aRSA')
3039 hostname = SIGNED_CERTFILE_ECC_HOSTNAME
3040
3041 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
3042 # load ECC and RSA key/cert pairs
3043 server_context.load_cert_chain(SIGNED_CERTFILE_ECC)
3044 server_context.load_cert_chain(SIGNED_CERTFILE)
3045
3046 # correct hostname should verify
3047 server = ThreadedEchoServer(context=server_context, chatty=True)
3048 with server:
3049 with client_context.wrap_socket(socket.socket(),
3050 server_hostname=hostname) as s:
3051 s.connect((HOST, server.port))
3052 cert = s.getpeercert()
3053 self.assertTrue(cert, "Can't get peer certificate.")
3054 cipher = s.cipher()[0].split('-')
3055 self.assertTrue(cipher[:2], ('ECDHE', 'ECDSA'))
3056
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3057 def test_check_hostname_idn(self):
3058 if support.verbose:
3059 sys.stdout.write("\n")
3060
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3061 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3062 server_context.load_cert_chain(IDNSANSFILE)
3063
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3064 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3065 context.verify_mode = ssl.CERT_REQUIRED
3066 context.check_hostname = True
3067 context.load_verify_locations(SIGNING_CA)
3068
3069 # correct hostname should verify, when specified in several
3070 # different ways
3071 idn_hostnames = [
3072 ('könig.idn.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3073 'xn--knig-5qa.idn.pythontest.net'),
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3074 ('xn--knig-5qa.idn.pythontest.net',
3075 'xn--knig-5qa.idn.pythontest.net'),
3076 (b'xn--knig-5qa.idn.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3077 'xn--knig-5qa.idn.pythontest.net'),
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3078
3079 ('königsgäßchen.idna2003.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3080 'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3081 ('xn--knigsgsschen-lcb0w.idna2003.pythontest.net',
3082 'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
3083 (b'xn--knigsgsschen-lcb0w.idna2003.pythontest.net',
Christian Heimes11a14932018-02-24 02:35:08 +0100[diff] [blame]3084 'xn--knigsgsschen-lcb0w.idna2003.pythontest.net'),
3085
3086 # ('königsgäßchen.idna2008.pythontest.net',
3087 # 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
3088 ('xn--knigsgchen-b4a3dun.idna2008.pythontest.net',
3089 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
3090 (b'xn--knigsgchen-b4a3dun.idna2008.pythontest.net',
3091 'xn--knigsgchen-b4a3dun.idna2008.pythontest.net'),
3092
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3093 ]
3094 for server_hostname, expected_hostname in idn_hostnames:
3095 server = ThreadedEchoServer(context=server_context, chatty=True)
3096 with server:
3097 with context.wrap_socket(socket.socket(),
3098 server_hostname=server_hostname) as s:
3099 self.assertEqual(s.server_hostname, expected_hostname)
3100 s.connect((HOST, server.port))
3101 cert = s.getpeercert()
3102 self.assertEqual(s.server_hostname, expected_hostname)
3103 self.assertTrue(cert, "Can't get peer certificate.")
3104
Christian Heimes66e57422018-01-29 14:25:13 +0100[diff] [blame]3105 # incorrect hostname should raise an exception
3106 server = ThreadedEchoServer(context=server_context, chatty=True)
3107 with server:
3108 with context.wrap_socket(socket.socket(),
3109 server_hostname="python.example.org") as s:
3110 with self.assertRaises(ssl.CertificateError):
3111 s.connect((HOST, server.port))
3112
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3113 def test_wrong_cert_tls12(self):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3114 """Connecting when the server rejects the client's certificate
3115
3116 Launch a server with CERT_REQUIRED, and check that trying to
3117 connect to it with a wrong client certificate fails.
3118 """
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3119 client_context, server_context, hostname = testing_context()
Christian Heimes88bfd0b2018-08-14 12:54:19 +0200[diff] [blame]3120 # load client cert that is not signed by trusted CA
3121 client_context.load_cert_chain(CERTFILE)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3122 # require TLS client authentication
3123 server_context.verify_mode = ssl.CERT_REQUIRED
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3124 # TLS 1.3 has different handshake
3125 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3126
3127 server = ThreadedEchoServer(
3128 context=server_context, chatty=True, connectionchatty=True,
3129 )
3130
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3131 with server, \
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3132 client_context.wrap_socket(socket.socket(),
3133 server_hostname=hostname) as s:
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]3134 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3135 # Expect either an SSL error about the server rejecting
3136 # the connection, or a low-level connection reset (which
3137 # sometimes happens on Windows)
3138 s.connect((HOST, server.port))
3139 except ssl.SSLError as e:
3140 if support.verbose:
3141 sys.stdout.write("\nSSLError is %r\n" % e)
3142 except OSError as e:
3143 if e.errno != errno.ECONNRESET:
3144 raise
3145 if support.verbose:
3146 sys.stdout.write("\nsocket.error is %r\n" % e)
3147 else:
3148 self.fail("Use of invalid cert should have failed!")
3149
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3150 @requires_tls_version('TLSv1_3')
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3151 def test_wrong_cert_tls13(self):
3152 client_context, server_context, hostname = testing_context()
Christian Heimes88bfd0b2018-08-14 12:54:19 +0200[diff] [blame]3153 # load client cert that is not signed by trusted CA
3154 client_context.load_cert_chain(CERTFILE)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3155 server_context.verify_mode = ssl.CERT_REQUIRED
3156 server_context.minimum_version = ssl.TLSVersion.TLSv1_3
3157 client_context.minimum_version = ssl.TLSVersion.TLSv1_3
3158
3159 server = ThreadedEchoServer(
3160 context=server_context, chatty=True, connectionchatty=True,
3161 )
3162 with server, \
3163 client_context.wrap_socket(socket.socket(),
3164 server_hostname=hostname) as s:
3165 # TLS 1.3 perform client cert exchange after handshake
3166 s.connect((HOST, server.port))
3167 try:
3168 s.write(b'data')
Christian Heimese0472392021-04-23 20:03:25 +0200[diff] [blame]3169 s.read(1000)
3170 s.write(b'should have failed already')
3171 s.read(1000)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3172 except ssl.SSLError as e:
3173 if support.verbose:
3174 sys.stdout.write("\nSSLError is %r\n" % e)
3175 except OSError as e:
3176 if e.errno != errno.ECONNRESET:
3177 raise
3178 if support.verbose:
3179 sys.stdout.write("\nsocket.error is %r\n" % e)
3180 else:
Christian Heimese0472392021-04-23 20:03:25 +0200[diff] [blame]3181 if sys.platform == "win32":
3182 self.skipTest(
3183 "Ignoring failed test_wrong_cert_tls13 test case. "
3184 "The test is flaky on Windows, see bpo-43921."
3185 )
3186 else:
3187 self.fail("Use of invalid cert should have failed!")
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3188
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3189 def test_rude_shutdown(self):
3190 """A brutal shutdown of an SSL server should raise an OSError
3191 in the client when attempting handshake.
3192 """
3193 listener_ready = threading.Event()
3194 listener_gone = threading.Event()
3195
3196 s = socket.socket()
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]3197 port = socket_helper.bind_port(s, HOST)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3198
3199 # `listener` runs in a thread. It sits in an accept() until
3200 # the main thread connects. Then it rudely closes the socket,
3201 # and sets Event `listener_gone` to let the main thread know
3202 # the socket is gone.
3203 def listener():
3204 s.listen()
3205 listener_ready.set()
3206 newsock, addr = s.accept()
3207 newsock.close()
3208 s.close()
3209 listener_gone.set()
3210
3211 def connector():
3212 listener_ready.wait()
3213 with socket.socket() as c:
3214 c.connect((HOST, port))
3215 listener_gone.wait()
Antoine Pitrou40f08742010-04-24 22:04:40 +0000[diff] [blame]3216 try:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3217 ssl_sock = test_wrap_socket(c)
3218 except OSError:
3219 pass
3220 else:
3221 self.fail('connecting to closed SSL socket should have failed')
Antoine Pitroud3f8ab82010-04-24 21:26:44 +0000[diff] [blame]3222
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3223 t = threading.Thread(target=listener)
3224 t.start()
3225 try:
3226 connector()
3227 finally:
Antoine Pitrou5c89b4e2012-11-11 01:25:36 +0100[diff] [blame]3228 t.join()
Antoine Pitrou5c89b4e2012-11-11 01:25:36 +0100[diff] [blame]3229
Christian Heimesb3ad0e52017-09-08 12:00:19 -0700[diff] [blame]3230 def test_ssl_cert_verify_error(self):
3231 if support.verbose:
3232 sys.stdout.write("\n")
3233
3234 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
3235 server_context.load_cert_chain(SIGNED_CERTFILE)
3236
3237 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3238
3239 server = ThreadedEchoServer(context=server_context, chatty=True)
3240 with server:
3241 with context.wrap_socket(socket.socket(),
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3242 server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
Christian Heimesb3ad0e52017-09-08 12:00:19 -0700[diff] [blame]3243 try:
3244 s.connect((HOST, server.port))
3245 except ssl.SSLError as e:
3246 msg = 'unable to get local issuer certificate'
3247 self.assertIsInstance(e, ssl.SSLCertVerificationError)
3248 self.assertEqual(e.verify_code, 20)
3249 self.assertEqual(e.verify_message, msg)
3250 self.assertIn(msg, repr(e))
3251 self.assertIn('certificate verify failed', repr(e))
3252
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3253 @requires_tls_version('SSLv2')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3254 def test_protocol_sslv2(self):
3255 """Connecting to an SSLv2 server with various client options"""
3256 if support.verbose:
3257 sys.stdout.write("\n")
3258 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True)
3259 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_OPTIONAL)
3260 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv2, True, ssl.CERT_REQUIRED)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3261 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLS, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3262 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3263 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, False)
3264 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1, False)
3265 # SSLv23 client with specific SSL options
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3266 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3267 client_options=ssl.OP_NO_SSLv3)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3268 try_protocol_combo(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3269 client_options=ssl.OP_NO_TLSv1)
Antoine Pitrou242db722013-05-01 20:52:07 +0200[diff] [blame]3270
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3271 def test_PROTOCOL_TLS(self):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3272 """Connecting to an SSLv23 server with various client options"""
3273 if support.verbose:
3274 sys.stdout.write("\n")
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3275 if has_tls_version('SSLv2'):
Antoine Pitrou8f85f902012-01-03 22:46:48 +0100[diff] [blame]3276 try:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3277 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv2, True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3278 except OSError as x:
3279 # this fails on some older versions of OpenSSL (0.9.7l, for instance)
3280 if support.verbose:
3281 sys.stdout.write(
3282 " SSL2 client to SSL23 server test unexpectedly failed:\n %s\n"
3283 % str(x))
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3284 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3285 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False)
3286 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3287 if has_tls_version('TLSv1'):
3288 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1')
Antoine Pitrou8f85f902012-01-03 22:46:48 +0100[diff] [blame]3289
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3290 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3291 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False, ssl.CERT_OPTIONAL)
3292 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True, ssl.CERT_OPTIONAL)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3293 if has_tls_version('TLSv1'):
3294 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3295
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3296 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3297 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False, ssl.CERT_REQUIRED)
3298 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True, ssl.CERT_REQUIRED)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3299 if has_tls_version('TLSv1'):
3300 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3301
3302 # Server with specific SSL options
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3303 if has_tls_version('SSLv3'):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3304 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv3, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3305 server_options=ssl.OP_NO_SSLv3)
3306 # Will choose TLSv1
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3307 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLS, True,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3308 server_options=ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3309 if has_tls_version('TLSv1'):
3310 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1, False,
3311 server_options=ssl.OP_NO_TLSv1)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3312
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3313 @requires_tls_version('SSLv3')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3314 def test_protocol_sslv3(self):
3315 """Connecting to an SSLv3 server with various client options"""
3316 if support.verbose:
3317 sys.stdout.write("\n")
3318 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3')
3319 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_OPTIONAL)
3320 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv3, 'SSLv3', ssl.CERT_REQUIRED)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3321 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3322 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv2, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3323 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3324 client_options=ssl.OP_NO_SSLv3)
3325 try_protocol_combo(ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_TLSv1, False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3326
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3327 @requires_tls_version('TLSv1')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3328 def test_protocol_tlsv1(self):
3329 """Connecting to a TLSv1 server with various client options"""
3330 if support.verbose:
3331 sys.stdout.write("\n")
3332 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1')
3333 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
3334 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3335 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3336 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3337 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3338 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3339 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3340 client_options=ssl.OP_NO_TLSv1)
3341
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3342 @requires_tls_version('TLSv1_1')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3343 def test_protocol_tlsv1_1(self):
3344 """Connecting to a TLSv1.1 server with various client options.
3345 Testing against older TLS versions."""
3346 if support.verbose:
3347 sys.stdout.write("\n")
3348 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3349 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3350 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv2, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3351 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3352 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv3, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3353 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3354 client_options=ssl.OP_NO_TLSv1_1)
3355
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3356 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3357 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, False)
3358 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_1, False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3359
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3360 @requires_tls_version('TLSv1_2')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3361 def test_protocol_tlsv1_2(self):
3362 """Connecting to a TLSv1.2 server with various client options.
3363 Testing against older TLS versions."""
3364 if support.verbose:
3365 sys.stdout.write("\n")
3366 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_2, 'TLSv1.2',
3367 server_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,
3368 client_options=ssl.OP_NO_SSLv3|ssl.OP_NO_SSLv2,)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3369 if has_tls_version('SSLv2'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3370 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv2, False)
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3371 if has_tls_version('SSLv3'):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3372 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_SSLv3, False)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3373 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLS, False,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3374 client_options=ssl.OP_NO_TLSv1_2)
3375
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3376 try_protocol_combo(ssl.PROTOCOL_TLS, ssl.PROTOCOL_TLSv1_2, 'TLSv1.2')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3377 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1, False)
3378 try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_2, False)
3379 try_protocol_combo(ssl.PROTOCOL_TLSv1_2, ssl.PROTOCOL_TLSv1_1, False)
3380 try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_2, False)
3381
3382 def test_starttls(self):
3383 """Switching from clear text to encrypted and back again."""
3384 msgs = (b"msg 1", b"MSG 2", b"STARTTLS", b"MSG 3", b"msg 4", b"ENDTLS", b"msg 5", b"msg 6")
3385
3386 server = ThreadedEchoServer(CERTFILE,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3387 starttls_server=True,
3388 chatty=True,
3389 connectionchatty=True)
3390 wrapped = False
3391 with server:
3392 s = socket.socket()
Serhiy Storchaka5eca7f32019-09-01 12:12:52 +0300[diff] [blame]3393 s.setblocking(True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3394 s.connect((HOST, server.port))
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]3395 if support.verbose:
3396 sys.stdout.write("\n")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3397 for indata in msgs:
Antoine Pitroud6494802011-07-21 01:11:30 +0200[diff] [blame]3398 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3399 sys.stdout.write(
3400 " client: sending %r...\n" % indata)
3401 if wrapped:
3402 conn.write(indata)
3403 outdata = conn.read()
3404 else:
3405 s.send(indata)
3406 outdata = s.recv(1024)
3407 msg = outdata.strip().lower()
3408 if indata == b"STARTTLS" and msg.startswith(b"ok"):
3409 # STARTTLS ok, switch to secure mode
3410 if support.verbose:
3411 sys.stdout.write(
3412 " client: read %r from server, starting TLS...\n"
3413 % msg)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3414 conn = test_wrap_socket(s)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3415 wrapped = True
3416 elif indata == b"ENDTLS" and msg.startswith(b"ok"):
3417 # ENDTLS ok, switch back to clear text
3418 if support.verbose:
3419 sys.stdout.write(
3420 " client: read %r from server, ending TLS...\n"
3421 % msg)
3422 s = conn.unwrap()
3423 wrapped = False
3424 else:
3425 if support.verbose:
3426 sys.stdout.write(
3427 " client: read %r from server\n" % msg)
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]3428 if support.verbose:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3429 sys.stdout.write(" client: closing connection.\n")
3430 if wrapped:
3431 conn.write(b"over\n")
3432 else:
3433 s.send(b"over\n")
3434 if wrapped:
3435 conn.close()
3436 else:
3437 s.close()
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]3438
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3439 def test_socketserver(self):
3440 """Using socketserver to create and manage SSL connections."""
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3441 server = make_https_server(self, certfile=SIGNED_CERTFILE)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3442 # try to connect
3443 if support.verbose:
3444 sys.stdout.write('\n')
3445 with open(CERTFILE, 'rb') as f:
3446 d1 = f.read()
3447 d2 = ''
3448 # now fetch the same data from the HTTPS server
3449 url = 'https://localhost:%d/%s' % (
3450 server.port, os.path.split(CERTFILE)[1])
Christian Heimesbd5c7d22018-01-20 15:16:30 +0100[diff] [blame]3451 context = ssl.create_default_context(cafile=SIGNING_CA)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3452 f = urllib.request.urlopen(url, context=context)
3453 try:
3454 dlen = f.info().get("content-length")
3455 if dlen and (int(dlen) > 0):
3456 d2 = f.read(int(dlen))
3457 if support.verbose:
3458 sys.stdout.write(
3459 " client: read %d bytes from remote server '%s'\n"
3460 % (len(d2), server))
3461 finally:
3462 f.close()
3463 self.assertEqual(d1, d2)
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]3464
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3465 def test_asyncore_server(self):
3466 """Check the example asyncore integration."""
3467 if support.verbose:
3468 sys.stdout.write("\n")
Antoine Pitrou0e576f12011-12-22 10:03:38 +0100[diff] [blame]3469
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3470 indata = b"FOO\n"
3471 server = AsyncoreEchoServer(CERTFILE)
3472 with server:
3473 s = test_wrap_socket(socket.socket())
3474 s.connect(('127.0.0.1', server.port))
3475 if support.verbose:
3476 sys.stdout.write(
3477 " client: sending %r...\n" % indata)
3478 s.write(indata)
3479 outdata = s.read()
3480 if support.verbose:
3481 sys.stdout.write(" client: read %r\n" % outdata)
3482 if outdata != indata.lower():
3483 self.fail(
3484 "bad data <<%r>> (%d) received; expected <<%r>> (%d)\n"
3485 % (outdata[:20], len(outdata),
3486 indata[:20].lower(), len(indata)))
3487 s.write(b"over\n")
3488 if support.verbose:
3489 sys.stdout.write(" client: closing connection.\n")
3490 s.close()
3491 if support.verbose:
3492 sys.stdout.write(" client: connection closed.\n")
Benjamin Petersoncca27322015-01-23 16:35:37 -0500[diff] [blame]3493
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3494 def test_recv_send(self):
3495 """Test recv(), send() and friends."""
3496 if support.verbose:
3497 sys.stdout.write("\n")
3498
3499 server = ThreadedEchoServer(CERTFILE,
3500 certreqs=ssl.CERT_NONE,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3501 ssl_version=ssl.PROTOCOL_TLS_SERVER,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3502 cacerts=CERTFILE,
3503 chatty=True,
3504 connectionchatty=False)
3505 with server:
3506 s = test_wrap_socket(socket.socket(),
3507 server_side=False,
3508 certfile=CERTFILE,
3509 ca_certs=CERTFILE,
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3510 cert_reqs=ssl.CERT_NONE)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3511 s.connect((HOST, server.port))
3512 # helper methods for standardising recv* method signatures
3513 def _recv_into():
3514 b = bytearray(b"\0"*100)
3515 count = s.recv_into(b)
3516 return b[:count]
3517
3518 def _recvfrom_into():
3519 b = bytearray(b"\0"*100)
3520 count, addr = s.recvfrom_into(b)
3521 return b[:count]
3522
3523 # (name, method, expect success?, *args, return value func)
3524 send_methods = [
3525 ('send', s.send, True, [], len),
3526 ('sendto', s.sendto, False, ["some.address"], len),
3527 ('sendall', s.sendall, True, [], lambda x: None),
3528 ]
3529 # (name, method, whether to expect success, *args)
3530 recv_methods = [
3531 ('recv', s.recv, True, []),
3532 ('recvfrom', s.recvfrom, False, ["some.address"]),
3533 ('recv_into', _recv_into, True, []),
3534 ('recvfrom_into', _recvfrom_into, False, []),
3535 ]
3536 data_prefix = "PREFIX_"
3537
3538 for (meth_name, send_meth, expect_success, args,
3539 ret_val_meth) in send_methods:
3540 indata = (data_prefix + meth_name).encode('ascii')
3541 try:
3542 ret = send_meth(indata, *args)
3543 msg = "sending with {}".format(meth_name)
3544 self.assertEqual(ret, ret_val_meth(indata), msg=msg)
3545 outdata = s.read()
3546 if outdata != indata.lower():
3547 self.fail(
3548 "While sending with <<{name:s}>> bad data "
3549 "<<{outdata:r}>> ({nout:d}) received; "
3550 "expected <<{indata:r}>> ({nin:d})\n".format(
3551 name=meth_name, outdata=outdata[:20],
3552 nout=len(outdata),
3553 indata=indata[:20], nin=len(indata)
3554 )
3555 )
3556 except ValueError as e:
3557 if expect_success:
3558 self.fail(
3559 "Failed to send with method <<{name:s}>>; "
3560 "expected to succeed.\n".format(name=meth_name)
3561 )
3562 if not str(e).startswith(meth_name):
3563 self.fail(
3564 "Method <<{name:s}>> failed with unexpected "
3565 "exception message: {exp:s}\n".format(
3566 name=meth_name, exp=e
3567 )
3568 )
3569
3570 for meth_name, recv_meth, expect_success, args in recv_methods:
3571 indata = (data_prefix + meth_name).encode('ascii')
3572 try:
3573 s.send(indata)
3574 outdata = recv_meth(*args)
3575 if outdata != indata.lower():
3576 self.fail(
3577 "While receiving with <<{name:s}>> bad data "
3578 "<<{outdata:r}>> ({nout:d}) received; "
3579 "expected <<{indata:r}>> ({nin:d})\n".format(
3580 name=meth_name, outdata=outdata[:20],
3581 nout=len(outdata),
3582 indata=indata[:20], nin=len(indata)
3583 )
3584 )
3585 except ValueError as e:
3586 if expect_success:
3587 self.fail(
3588 "Failed to receive with method <<{name:s}>>; "
3589 "expected to succeed.\n".format(name=meth_name)
3590 )
3591 if not str(e).startswith(meth_name):
3592 self.fail(
3593 "Method <<{name:s}>> failed with unexpected "
3594 "exception message: {exp:s}\n".format(
3595 name=meth_name, exp=e
3596 )
3597 )
3598 # consume data
3599 s.read()
3600
3601 # read(-1, buffer) is supported, even though read(-1) is not
3602 data = b"data"
3603 s.send(data)
3604 buffer = bytearray(len(data))
3605 self.assertEqual(s.read(-1, buffer), len(data))
3606 self.assertEqual(buffer, data)
3607
Christian Heimes888bbdc2017-09-07 14:18:21 -0700[diff] [blame]3608 # sendall accepts bytes-like objects
3609 if ctypes is not None:
3610 ubyte = ctypes.c_ubyte * len(data)
3611 byteslike = ubyte.from_buffer_copy(data)
3612 s.sendall(byteslike)
3613 self.assertEqual(s.read(), data)
3614
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3615 # Make sure sendmsg et al are disallowed to avoid
3616 # inadvertent disclosure of data and/or corruption
3617 # of the encrypted data stream
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]3618 self.assertRaises(NotImplementedError, s.dup)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3619 self.assertRaises(NotImplementedError, s.sendmsg, [b"data"])
3620 self.assertRaises(NotImplementedError, s.recvmsg, 100)
3621 self.assertRaises(NotImplementedError,
Serhiy Storchaka42b1d612018-12-06 22:36:55 +0200[diff] [blame]3622 s.recvmsg_into, [bytearray(100)])
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3623 s.write(b"over\n")
3624
3625 self.assertRaises(ValueError, s.recv, -1)
3626 self.assertRaises(ValueError, s.read, -1)
3627
3628 s.close()
3629
3630 def test_recv_zero(self):
3631 server = ThreadedEchoServer(CERTFILE)
3632 server.__enter__()
3633 self.addCleanup(server.__exit__, None, None)
3634 s = socket.create_connection((HOST, server.port))
3635 self.addCleanup(s.close)
3636 s = test_wrap_socket(s, suppress_ragged_eofs=False)
3637 self.addCleanup(s.close)
3638
3639 # recv/read(0) should return no data
3640 s.send(b"data")
3641 self.assertEqual(s.recv(0), b"")
3642 self.assertEqual(s.read(0), b"")
3643 self.assertEqual(s.read(), b"data")
3644
3645 # Should not block if the other end sends no data
3646 s.setblocking(False)
3647 self.assertEqual(s.recv(0), b"")
3648 self.assertEqual(s.recv_into(bytearray()), 0)
3649
3650 def test_nonblocking_send(self):
3651 server = ThreadedEchoServer(CERTFILE,
3652 certreqs=ssl.CERT_NONE,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3653 ssl_version=ssl.PROTOCOL_TLS_SERVER,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3654 cacerts=CERTFILE,
3655 chatty=True,
3656 connectionchatty=False)
3657 with server:
3658 s = test_wrap_socket(socket.socket(),
3659 server_side=False,
3660 certfile=CERTFILE,
3661 ca_certs=CERTFILE,
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3662 cert_reqs=ssl.CERT_NONE)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3663 s.connect((HOST, server.port))
3664 s.setblocking(False)
3665
3666 # If we keep sending data, at some point the buffers
3667 # will be full and the call will block
3668 buf = bytearray(8192)
3669 def fill_buffer():
3670 while True:
3671 s.send(buf)
3672 self.assertRaises((ssl.SSLWantWriteError,
3673 ssl.SSLWantReadError), fill_buffer)
3674
3675 # Now read all the output and discard it
3676 s.setblocking(True)
3677 s.close()
3678
3679 def test_handshake_timeout(self):
3680 # Issue #5103: SSL handshake must respect the socket timeout
3681 server = socket.socket(socket.AF_INET)
3682 host = "127.0.0.1"
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]3683 port = socket_helper.bind_port(server)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3684 started = threading.Event()
3685 finish = False
3686
3687 def serve():
3688 server.listen()
3689 started.set()
3690 conns = []
3691 while not finish:
3692 r, w, e = select.select([server], [], [], 0.1)
3693 if server in r:
3694 # Let the socket hang around rather than having
3695 # it closed by garbage collection.
3696 conns.append(server.accept()[0])
3697 for sock in conns:
3698 sock.close()
3699
3700 t = threading.Thread(target=serve)
3701 t.start()
3702 started.wait()
3703
3704 try:
3705 try:
3706 c = socket.socket(socket.AF_INET)
3707 c.settimeout(0.2)
3708 c.connect((host, port))
3709 # Will attempt handshake and time out
Christian Heimes03c8ddd2020-11-20 09:26:07 +0100[diff] [blame]3710 self.assertRaisesRegex(TimeoutError, "timed out",
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3711 test_wrap_socket, c)
3712 finally:
3713 c.close()
3714 try:
3715 c = socket.socket(socket.AF_INET)
3716 c = test_wrap_socket(c)
3717 c.settimeout(0.2)
3718 # Will attempt handshake and time out
Christian Heimes03c8ddd2020-11-20 09:26:07 +0100[diff] [blame]3719 self.assertRaisesRegex(TimeoutError, "timed out",
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3720 c.connect, (host, port))
3721 finally:
3722 c.close()
3723 finally:
3724 finish = True
3725 t.join()
3726 server.close()
3727
3728 def test_server_accept(self):
3729 # Issue #16357: accept() on a SSLSocket created through
3730 # SSLContext.wrap_socket().
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3731 client_ctx, server_ctx, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3732 server = socket.socket(socket.AF_INET)
3733 host = "127.0.0.1"
Serhiy Storchaka16994912020-04-25 10:06:29 +0300[diff] [blame]3734 port = socket_helper.bind_port(server)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3735 server = server_ctx.wrap_socket(server, server_side=True)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3736 self.assertTrue(server.server_side)
3737
3738 evt = threading.Event()
3739 remote = None
3740 peer = None
3741 def serve():
3742 nonlocal remote, peer
3743 server.listen()
3744 # Block on the accept and wait on the connection to close.
3745 evt.set()
3746 remote, peer = server.accept()
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3747 remote.send(remote.recv(4))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3748
3749 t = threading.Thread(target=serve)
3750 t.start()
3751 # Client wait until server setup and perform a connect.
3752 evt.wait()
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3753 client = client_ctx.wrap_socket(
3754 socket.socket(), server_hostname=hostname
3755 )
3756 client.connect((hostname, port))
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3757 client.send(b'data')
3758 client.recv()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3759 client_addr = client.getsockname()
3760 client.close()
3761 t.join()
3762 remote.close()
3763 server.close()
3764 # Sanity checks.
3765 self.assertIsInstance(remote, ssl.SSLSocket)
3766 self.assertEqual(peer, client_addr)
3767
3768 def test_getpeercert_enotconn(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3769 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3770 context.check_hostname = False
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3771 with context.wrap_socket(socket.socket()) as sock:
3772 with self.assertRaises(OSError) as cm:
3773 sock.getpeercert()
3774 self.assertEqual(cm.exception.errno, errno.ENOTCONN)
3775
3776 def test_do_handshake_enotconn(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3777 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3778 context.check_hostname = False
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3779 with context.wrap_socket(socket.socket()) as sock:
3780 with self.assertRaises(OSError) as cm:
3781 sock.do_handshake()
3782 self.assertEqual(cm.exception.errno, errno.ENOTCONN)
3783
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3784 def test_no_shared_ciphers(self):
3785 client_context, server_context, hostname = testing_context()
3786 # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
3787 client_context.options |= ssl.OP_NO_TLSv1_3
Victor Stinner5e922652018-09-07 17:30:33 +0200[diff] [blame]3788 # Force different suites on client and server
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3789 client_context.set_ciphers("AES128")
3790 server_context.set_ciphers("AES256")
3791 with ThreadedEchoServer(context=server_context) as server:
3792 with client_context.wrap_socket(socket.socket(),
3793 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3794 with self.assertRaises(OSError):
3795 s.connect((HOST, server.port))
3796 self.assertIn("no shared cipher", server.conn_errors[0])
3797
3798 def test_version_basic(self):
3799 """
3800 Basic tests for SSLSocket.version().
3801 More tests are done in the test_protocol_*() methods.
3802 """
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3803 context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
3804 context.check_hostname = False
3805 context.verify_mode = ssl.CERT_NONE
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3806 with ThreadedEchoServer(CERTFILE,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3807 ssl_version=ssl.PROTOCOL_TLS_SERVER,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3808 chatty=False) as server:
3809 with context.wrap_socket(socket.socket()) as s:
3810 self.assertIs(s.version(), None)
Christian Heimes141c5e82018-02-24 21:10:57 +0100[diff] [blame]3811 self.assertIs(s._sslobj, None)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3812 s.connect((HOST, server.port))
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]3813 self.assertEqual(s.version(), 'TLSv1.3')
Christian Heimes141c5e82018-02-24 21:10:57 +0100[diff] [blame]3814 self.assertIs(s._sslobj, None)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3815 self.assertIs(s.version(), None)
3816
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3817 @requires_tls_version('TLSv1_3')
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3818 def test_tls1_3(self):
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3819 client_context, server_context, hostname = testing_context()
3820 client_context.minimum_version = ssl.TLSVersion.TLSv1_3
3821 with ThreadedEchoServer(context=server_context) as server:
3822 with client_context.wrap_socket(socket.socket(),
3823 server_hostname=hostname) as s:
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3824 s.connect((HOST, server.port))
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3825 self.assertIn(s.cipher()[0], {
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]3826 'TLS_AES_256_GCM_SHA384',
3827 'TLS_CHACHA20_POLY1305_SHA256',
3828 'TLS_AES_128_GCM_SHA256',
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3829 })
3830 self.assertEqual(s.version(), 'TLSv1.3')
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3831
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3832 @requires_tls_version('TLSv1_2')
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3833 @requires_tls_version('TLSv1')
3834 @ignore_deprecation
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3835 def test_min_max_version_tlsv1_2(self):
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3836 client_context, server_context, hostname = testing_context()
3837 # client TLSv1.0 to 1.2
3838 client_context.minimum_version = ssl.TLSVersion.TLSv1
3839 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
3840 # server only TLSv1.2
3841 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
3842 server_context.maximum_version = ssl.TLSVersion.TLSv1_2
3843
3844 with ThreadedEchoServer(context=server_context) as server:
3845 with client_context.wrap_socket(socket.socket(),
3846 server_hostname=hostname) as s:
3847 s.connect((HOST, server.port))
3848 self.assertEqual(s.version(), 'TLSv1.2')
3849
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3850 @requires_tls_version('TLSv1_1')
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3851 @ignore_deprecation
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3852 def test_min_max_version_tlsv1_1(self):
3853 client_context, server_context, hostname = testing_context()
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3854 # client 1.0 to 1.2, server 1.0 to 1.1
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3855 client_context.minimum_version = ssl.TLSVersion.TLSv1
3856 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3857 server_context.minimum_version = ssl.TLSVersion.TLSv1
3858 server_context.maximum_version = ssl.TLSVersion.TLSv1_1
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]3859 seclevel_workaround(client_context, server_context)
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3860
3861 with ThreadedEchoServer(context=server_context) as server:
3862 with client_context.wrap_socket(socket.socket(),
3863 server_hostname=hostname) as s:
3864 s.connect((HOST, server.port))
3865 self.assertEqual(s.version(), 'TLSv1.1')
3866
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3867 @requires_tls_version('TLSv1_2')
Christian Heimesce04e712020-11-18 13:10:53 +0100[diff] [blame]3868 @requires_tls_version('TLSv1')
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3869 @ignore_deprecation
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3870 def test_min_max_version_mismatch(self):
3871 client_context, server_context, hostname = testing_context()
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3872 # client 1.0, server 1.2 (mismatch)
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3873 server_context.maximum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesc9bc49c2019-09-11 19:24:47 +0200[diff] [blame]3874 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]3875 client_context.maximum_version = ssl.TLSVersion.TLSv1
Christian Heimesde606ea2019-09-11 19:48:58 +0200[diff] [blame]3876 client_context.minimum_version = ssl.TLSVersion.TLSv1
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]3877 seclevel_workaround(client_context, server_context)
3878
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3879 with ThreadedEchoServer(context=server_context) as server:
3880 with client_context.wrap_socket(socket.socket(),
3881 server_hostname=hostname) as s:
3882 with self.assertRaises(ssl.SSLError) as e:
3883 s.connect((HOST, server.port))
3884 self.assertIn("alert", str(e.exception))
3885
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]3886 @requires_tls_version('SSLv3')
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3887 def test_min_max_version_sslv3(self):
3888 client_context, server_context, hostname = testing_context()
3889 server_context.minimum_version = ssl.TLSVersion.SSLv3
3890 client_context.minimum_version = ssl.TLSVersion.SSLv3
3891 client_context.maximum_version = ssl.TLSVersion.SSLv3
Christian Heimesf6c6b582021-03-18 23:06:50 +0100[diff] [blame]3892 seclevel_workaround(client_context, server_context)
3893
Christian Heimes698dde12018-02-27 11:54:43 +0100[diff] [blame]3894 with ThreadedEchoServer(context=server_context) as server:
3895 with client_context.wrap_socket(socket.socket(),
3896 server_hostname=hostname) as s:
3897 s.connect((HOST, server.port))
3898 self.assertEqual(s.version(), 'SSLv3')
3899
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3900 def test_default_ecdh_curve(self):
3901 # Issue #21015: elliptic curve-based Diffie Hellman key exchange
3902 # should be enabled by default on SSL contexts.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3903 client_context, server_context, hostname = testing_context()
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]3904 # TLSv1.3 defaults to PFS key agreement and no longer has KEA in
3905 # cipher name.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3906 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3907 # Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled
3908 # explicitly using the 'ECCdraft' cipher alias. Otherwise,
3909 # our default cipher list should prefer ECDH-based ciphers
3910 # automatically.
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]3911 with ThreadedEchoServer(context=server_context) as server:
3912 with client_context.wrap_socket(socket.socket(),
3913 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3914 s.connect((HOST, server.port))
3915 self.assertIn("ECDH", s.cipher()[0])
3916
3917 @unittest.skipUnless("tls-unique" in ssl.CHANNEL_BINDING_TYPES,
3918 "'tls-unique' channel binding not available")
3919 def test_tls_unique_channel_binding(self):
3920 """Test tls-unique channel binding."""
3921 if support.verbose:
3922 sys.stdout.write("\n")
3923
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3924 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3925
3926 server = ThreadedEchoServer(context=server_context,
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3927 chatty=True,
3928 connectionchatty=False)
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3929
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3930 with server:
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3931 with client_context.wrap_socket(
3932 socket.socket(),
3933 server_hostname=hostname) as s:
3934 s.connect((HOST, server.port))
3935 # get the data
3936 cb_data = s.get_channel_binding("tls-unique")
3937 if support.verbose:
3938 sys.stdout.write(
3939 " got channel binding data: {0!r}\n".format(cb_data))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3940
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3941 # check if it is sane
3942 self.assertIsNotNone(cb_data)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3943 if s.version() == 'TLSv1.3':
3944 self.assertEqual(len(cb_data), 48)
3945 else:
3946 self.assertEqual(len(cb_data), 12) # True for TLSv1
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3947
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3948 # and compare with the peers version
3949 s.write(b"CB tls-unique\n")
3950 peer_data_repr = s.read().strip()
3951 self.assertEqual(peer_data_repr,
3952 repr(cb_data).encode("us-ascii"))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3953
3954 # now, again
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3955 with client_context.wrap_socket(
3956 socket.socket(),
3957 server_hostname=hostname) as s:
3958 s.connect((HOST, server.port))
3959 new_cb_data = s.get_channel_binding("tls-unique")
3960 if support.verbose:
3961 sys.stdout.write(
3962 "got another channel binding data: {0!r}\n".format(
3963 new_cb_data)
3964 )
3965 # is it really unique
3966 self.assertNotEqual(cb_data, new_cb_data)
3967 self.assertIsNotNone(cb_data)
Christian Heimes529525f2018-05-23 22:24:45 +0200[diff] [blame]3968 if s.version() == 'TLSv1.3':
3969 self.assertEqual(len(cb_data), 48)
3970 else:
3971 self.assertEqual(len(cb_data), 12) # True for TLSv1
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]3972 s.write(b"CB tls-unique\n")
3973 peer_data_repr = s.read().strip()
3974 self.assertEqual(peer_data_repr,
3975 repr(new_cb_data).encode("us-ascii"))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3976
3977 def test_compression(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3978 client_context, server_context, hostname = testing_context()
3979 stats = server_params_test(client_context, server_context,
3980 chatty=True, connectionchatty=True,
3981 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3982 if support.verbose:
3983 sys.stdout.write(" got compression: {!r}\n".format(stats['compression']))
3984 self.assertIn(stats['compression'], { None, 'ZLIB', 'RLE' })
3985
3986 @unittest.skipUnless(hasattr(ssl, 'OP_NO_COMPRESSION'),
3987 "ssl.OP_NO_COMPRESSION needed for this test")
3988 def test_compression_disabled(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]3989 client_context, server_context, hostname = testing_context()
3990 client_context.options |= ssl.OP_NO_COMPRESSION
3991 server_context.options |= ssl.OP_NO_COMPRESSION
3992 stats = server_params_test(client_context, server_context,
3993 chatty=True, connectionchatty=True,
3994 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3995 self.assertIs(stats['compression'], None)
3996
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]3997 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]3998 def test_dh_params(self):
3999 # Check we can get a connection with ephemeral Diffie-Hellman
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4000 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4001 # test scenario needs TLS <= 1.2
4002 client_context.options |= ssl.OP_NO_TLSv1_3
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4003 server_context.load_dh_params(DHFILE)
4004 server_context.set_ciphers("kEDH")
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4005 server_context.options |= ssl.OP_NO_TLSv1_3
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4006 stats = server_params_test(client_context, server_context,
4007 chatty=True, connectionchatty=True,
4008 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4009 cipher = stats["cipher"][0]
4010 parts = cipher.split("-")
4011 if "ADH" not in parts and "EDH" not in parts and "DHE" not in parts:
4012 self.fail("Non-DH cipher: " + cipher[0])
4013
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4014 def test_ecdh_curve(self):
4015 # server secp384r1, client auto
4016 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4017
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4018 server_context.set_ecdh_curve("secp384r1")
4019 server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]4020 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4021 stats = server_params_test(client_context, server_context,
4022 chatty=True, connectionchatty=True,
4023 sni_name=hostname)
4024
4025 # server auto, client secp384r1
4026 client_context, server_context, hostname = testing_context()
4027 client_context.set_ecdh_curve("secp384r1")
4028 server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]4029 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4030 stats = server_params_test(client_context, server_context,
4031 chatty=True, connectionchatty=True,
4032 sni_name=hostname)
4033
4034 # server / client curve mismatch
4035 client_context, server_context, hostname = testing_context()
4036 client_context.set_ecdh_curve("prime256v1")
4037 server_context.set_ecdh_curve("secp384r1")
4038 server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
Christian Heimesd37b74f2021-04-19 08:31:29 +0200[diff] [blame]4039 server_context.minimum_version = ssl.TLSVersion.TLSv1_2
4040 with self.assertRaises(ssl.SSLError):
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4041 server_params_test(client_context, server_context,
4042 chatty=True, connectionchatty=True,
4043 sni_name=hostname)
Christian Heimesb7b92252018-02-25 09:49:31 +0100[diff] [blame]4044
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4045 def test_selected_alpn_protocol(self):
4046 # selected_alpn_protocol() is None unless ALPN is used.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4047 client_context, server_context, hostname = testing_context()
4048 stats = server_params_test(client_context, server_context,
4049 chatty=True, connectionchatty=True,
4050 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4051 self.assertIs(stats['client_alpn_protocol'], None)
4052
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4053 def test_selected_alpn_protocol_if_server_uses_alpn(self):
4054 # selected_alpn_protocol() is None unless ALPN is used by the client.
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4055 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4056 server_context.set_alpn_protocols(['foo', 'bar'])
4057 stats = server_params_test(client_context, server_context,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4058 chatty=True, connectionchatty=True,
4059 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4060 self.assertIs(stats['client_alpn_protocol'], None)
4061
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4062 def test_alpn_protocols(self):
4063 server_protocols = ['foo', 'bar', 'milkshake']
4064 protocol_tests = [
4065 (['foo', 'bar'], 'foo'),
4066 (['bar', 'foo'], 'foo'),
4067 (['milkshake'], 'milkshake'),
4068 (['http/3.0', 'http/4.0'], None)
4069 ]
4070 for client_protocols, expected in protocol_tests:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4071 client_context, server_context, hostname = testing_context()
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4072 server_context.set_alpn_protocols(server_protocols)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4073 client_context.set_alpn_protocols(client_protocols)
4074
4075 try:
4076 stats = server_params_test(client_context,
4077 server_context,
4078 chatty=True,
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4079 connectionchatty=True,
4080 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4081 except ssl.SSLError as e:
4082 stats = e
4083
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4084 msg = "failed trying %s (s) and %s (c).\n" \
4085 "was expecting %s, but got %%s from the %%s" \
4086 % (str(server_protocols), str(client_protocols),
4087 str(expected))
4088 client_result = stats['client_alpn_protocol']
4089 self.assertEqual(client_result, expected,
4090 msg % (client_result, "client"))
4091 server_result = stats['server_alpn_protocols'][-1] \
4092 if len(stats['server_alpn_protocols']) else 'nothing'
4093 self.assertEqual(server_result, expected,
4094 msg % (server_result, "server"))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4095
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4096 def test_npn_protocols(self):
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4097 assert not ssl.HAS_NPN
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4098
4099 def sni_contexts(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4100 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4101 server_context.load_cert_chain(SIGNED_CERTFILE)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4102 other_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4103 other_context.load_cert_chain(SIGNED_CERTFILE2)
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4104 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4105 client_context.load_verify_locations(SIGNING_CA)
4106 return server_context, other_context, client_context
4107
4108 def check_common_name(self, stats, name):
4109 cert = stats['peercert']
4110 self.assertIn((('commonName', name),), cert['subject'])
4111
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4112 def test_sni_callback(self):
4113 calls = []
4114 server_context, other_context, client_context = self.sni_contexts()
4115
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4116 client_context.check_hostname = False
4117
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4118 def servername_cb(ssl_sock, server_name, initial_context):
4119 calls.append((server_name, initial_context))
4120 if server_name is not None:
4121 ssl_sock.context = other_context
4122 server_context.set_servername_callback(servername_cb)
4123
4124 stats = server_params_test(client_context, server_context,
4125 chatty=True,
4126 sni_name='supermessage')
4127 # The hostname was fetched properly, and the certificate was
4128 # changed for the connection.
4129 self.assertEqual(calls, [("supermessage", server_context)])
4130 # CERTFILE4 was selected
4131 self.check_common_name(stats, 'fakehostname')
4132
4133 calls = []
4134 # The callback is called with server_name=None
4135 stats = server_params_test(client_context, server_context,
4136 chatty=True,
4137 sni_name=None)
4138 self.assertEqual(calls, [(None, server_context)])
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4139 self.check_common_name(stats, SIGNED_CERTFILE_HOSTNAME)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4140
4141 # Check disabling the callback
4142 calls = []
4143 server_context.set_servername_callback(None)
4144
4145 stats = server_params_test(client_context, server_context,
4146 chatty=True,
4147 sni_name='notfunny')
4148 # Certificate didn't change
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4149 self.check_common_name(stats, SIGNED_CERTFILE_HOSTNAME)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4150 self.assertEqual(calls, [])
4151
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4152 def test_sni_callback_alert(self):
4153 # Returning a TLS alert is reflected to the connecting client
4154 server_context, other_context, client_context = self.sni_contexts()
4155
4156 def cb_returning_alert(ssl_sock, server_name, initial_context):
4157 return ssl.ALERT_DESCRIPTION_ACCESS_DENIED
4158 server_context.set_servername_callback(cb_returning_alert)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4159 with self.assertRaises(ssl.SSLError) as cm:
4160 stats = server_params_test(client_context, server_context,
4161 chatty=False,
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4162 sni_name='supermessage')
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4163 self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_ACCESS_DENIED')
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4164
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4165 def test_sni_callback_raising(self):
4166 # Raising fails the connection with a TLS handshake failure alert.
4167 server_context, other_context, client_context = self.sni_contexts()
4168
4169 def cb_raising(ssl_sock, server_name, initial_context):
4170 1/0
4171 server_context.set_servername_callback(cb_raising)
4172
Victor Stinner00253502019-06-03 03:51:43 +0200[diff] [blame]4173 with support.catch_unraisable_exception() as catch:
4174 with self.assertRaises(ssl.SSLError) as cm:
4175 stats = server_params_test(client_context, server_context,
4176 chatty=False,
4177 sni_name='supermessage')
4178
4179 self.assertEqual(cm.exception.reason,
4180 'SSLV3_ALERT_HANDSHAKE_FAILURE')
4181 self.assertEqual(catch.unraisable.exc_type, ZeroDivisionError)
Antoine Pitrou50b24d02013-04-11 20:48:42 +0200[diff] [blame]4182
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4183 def test_sni_callback_wrong_return_type(self):
4184 # Returning the wrong return type terminates the TLS connection
4185 # with an internal error alert.
4186 server_context, other_context, client_context = self.sni_contexts()
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4187
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4188 def cb_wrong_return_type(ssl_sock, server_name, initial_context):
4189 return "foo"
4190 server_context.set_servername_callback(cb_wrong_return_type)
4191
Victor Stinner00253502019-06-03 03:51:43 +0200[diff] [blame]4192 with support.catch_unraisable_exception() as catch:
4193 with self.assertRaises(ssl.SSLError) as cm:
4194 stats = server_params_test(client_context, server_context,
4195 chatty=False,
4196 sni_name='supermessage')
4197
4198
4199 self.assertEqual(cm.exception.reason, 'TLSV1_ALERT_INTERNAL_ERROR')
4200 self.assertEqual(catch.unraisable.exc_type, TypeError)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4201
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4202 def test_shared_ciphers(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4203 client_context, server_context, hostname = testing_context()
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]4204 client_context.set_ciphers("AES128:AES256")
4205 server_context.set_ciphers("AES256")
4206 expected_algs = [
4207 "AES256", "AES-256",
4208 # TLS 1.3 ciphers are always enabled
4209 "TLS_CHACHA20", "TLS_AES",
4210 ]
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4211
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4212 stats = server_params_test(client_context, server_context,
4213 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4214 ciphers = stats['server_shared_ciphers'][0]
4215 self.assertGreater(len(ciphers), 0)
4216 for name, tls_version, bits in ciphers:
Christian Heimese8eb6cb2018-05-22 22:50:12 +0200[diff] [blame]4217 if not any(alg in name for alg in expected_algs):
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4218 self.fail(name)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4219
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4220 def test_read_write_after_close_raises_valuerror(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4221 client_context, server_context, hostname = testing_context()
4222 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4223
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4224 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4225 s = client_context.wrap_socket(socket.socket(),
4226 server_hostname=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4227 s.connect((HOST, server.port))
4228 s.close()
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4229
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4230 self.assertRaises(ValueError, s.read, 1024)
4231 self.assertRaises(ValueError, s.write, b'hello')
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4232
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4233 def test_sendfile(self):
4234 TEST_DATA = b"x" * 512
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4235 with open(os_helper.TESTFN, 'wb') as f:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4236 f.write(TEST_DATA)
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4237 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]4238 client_context, server_context, hostname = testing_context()
4239 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4240 with server:
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]4241 with client_context.wrap_socket(socket.socket(),
4242 server_hostname=hostname) as s:
Antoine Pitrou60a26e02013-07-20 19:35:16 +0200[diff] [blame]4243 s.connect((HOST, server.port))
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4244 with open(os_helper.TESTFN, 'rb') as file:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4245 s.sendfile(file)
4246 self.assertEqual(s.recv(1024), TEST_DATA)
Antoine Pitrou60a26e02013-07-20 19:35:16 +0200[diff] [blame]4247
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4248 def test_session(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4249 client_context, server_context, hostname = testing_context()
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4250 # TODO: sessions aren't compatible with TLSv1.3 yet
4251 client_context.options |= ssl.OP_NO_TLSv1_3
Antoine Pitrou60a26e02013-07-20 19:35:16 +0200[diff] [blame]4252
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4253 # first connection without session
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4254 stats = server_params_test(client_context, server_context,
4255 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4256 session = stats['session']
4257 self.assertTrue(session.id)
4258 self.assertGreater(session.time, 0)
4259 self.assertGreater(session.timeout, 0)
4260 self.assertTrue(session.has_ticket)
Christian Heimes39258d32021-04-17 11:36:35 +0200[diff] [blame]4261 self.assertGreater(session.ticket_lifetime_hint, 0)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4262 self.assertFalse(stats['session_reused'])
4263 sess_stat = server_context.session_stats()
4264 self.assertEqual(sess_stat['accept'], 1)
4265 self.assertEqual(sess_stat['hits'], 0)
Giampaolo Rodola'915d1412014-06-11 03:54:30 +0200[diff] [blame]4266
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4267 # reuse session
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4268 stats = server_params_test(client_context, server_context,
4269 session=session, sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4270 sess_stat = server_context.session_stats()
4271 self.assertEqual(sess_stat['accept'], 2)
4272 self.assertEqual(sess_stat['hits'], 1)
4273 self.assertTrue(stats['session_reused'])
4274 session2 = stats['session']
4275 self.assertEqual(session2.id, session.id)
4276 self.assertEqual(session2, session)
4277 self.assertIsNot(session2, session)
4278 self.assertGreaterEqual(session2.time, session.time)
4279 self.assertGreaterEqual(session2.timeout, session.timeout)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4280
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4281 # another one without session
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4282 stats = server_params_test(client_context, server_context,
4283 sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4284 self.assertFalse(stats['session_reused'])
4285 session3 = stats['session']
4286 self.assertNotEqual(session3.id, session.id)
4287 self.assertNotEqual(session3, session)
4288 sess_stat = server_context.session_stats()
4289 self.assertEqual(sess_stat['accept'], 3)
4290 self.assertEqual(sess_stat['hits'], 1)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4291
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4292 # reuse session again
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4293 stats = server_params_test(client_context, server_context,
4294 session=session, sni_name=hostname)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4295 self.assertTrue(stats['session_reused'])
4296 session4 = stats['session']
4297 self.assertEqual(session4.id, session.id)
4298 self.assertEqual(session4, session)
4299 self.assertGreaterEqual(session4.time, session.time)
4300 self.assertGreaterEqual(session4.timeout, session.timeout)
4301 sess_stat = server_context.session_stats()
4302 self.assertEqual(sess_stat['accept'], 4)
4303 self.assertEqual(sess_stat['hits'], 2)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4304
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4305 def test_session_handling(self):
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4306 client_context, server_context, hostname = testing_context()
4307 client_context2, _, _ = testing_context()
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4308
Christian Heimes05d9fe32018-02-27 08:55:39 +0100[diff] [blame]4309 # TODO: session reuse does not work with TLSv1.3
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4310 client_context.options |= ssl.OP_NO_TLSv1_3
4311 client_context2.options |= ssl.OP_NO_TLSv1_3
Christian Heimescb5b68a2017-09-07 18:07:00 -0700[diff] [blame]4312
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4313 server = ThreadedEchoServer(context=server_context, chatty=False)
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4314 with server:
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4315 with client_context.wrap_socket(socket.socket(),
4316 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4317 # session is None before handshake
4318 self.assertEqual(s.session, None)
4319 self.assertEqual(s.session_reused, None)
4320 s.connect((HOST, server.port))
4321 session = s.session
4322 self.assertTrue(session)
4323 with self.assertRaises(TypeError) as e:
4324 s.session = object
Ned Deily4531ec72018-06-11 20:26:28 -0400[diff] [blame]4325 self.assertEqual(str(e.exception), 'Value is not a SSLSession.')
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4326
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4327 with client_context.wrap_socket(socket.socket(),
4328 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4329 s.connect((HOST, server.port))
4330 # cannot set session after handshake
4331 with self.assertRaises(ValueError) as e:
4332 s.session = session
4333 self.assertEqual(str(e.exception),
4334 'Cannot set session after handshake.')
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4335
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4336 with client_context.wrap_socket(socket.socket(),
4337 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4338 # can set session before handshake and before the
4339 # connection was established
4340 s.session = session
4341 s.connect((HOST, server.port))
4342 self.assertEqual(s.session.id, session.id)
4343 self.assertEqual(s.session, session)
4344 self.assertEqual(s.session_reused, True)
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4345
Christian Heimesa170fa12017-09-15 20:27:30 +0200[diff] [blame]4346 with client_context2.wrap_socket(socket.socket(),
4347 server_hostname=hostname) as s:
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4348 # cannot re-use session with a different SSLContext
4349 with self.assertRaises(ValueError) as e:
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4350 s.session = session
4351 s.connect((HOST, server.port))
Antoine Pitroua6a4dc82017-09-07 18:56:24 +0200[diff] [blame]4352 self.assertEqual(str(e.exception),
4353 'Session refers to a different SSLContext.')
Christian Heimes99a65702016-09-10 23:44:53 +0200[diff] [blame]4354
Antoine Pitrou8abdb8a2011-12-20 10:13:40 +0100[diff] [blame]4355
Christian Heimesdf6ac7e2019-09-26 17:02:59 +0200[diff] [blame]4356@unittest.skipUnless(has_tls_version('TLSv1_3'), "Test needs TLS 1.3")
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4357class TestPostHandshakeAuth(unittest.TestCase):
4358 def test_pha_setter(self):
4359 protocols = [
Christian Heimes2875c602021-04-19 07:27:10 +0200[diff] [blame]4360 ssl.PROTOCOL_TLS_SERVER, ssl.PROTOCOL_TLS_CLIENT
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4361 ]
4362 for protocol in protocols:
4363 ctx = ssl.SSLContext(protocol)
4364 self.assertEqual(ctx.post_handshake_auth, False)
4365
4366 ctx.post_handshake_auth = True
4367 self.assertEqual(ctx.post_handshake_auth, True)
4368
4369 ctx.verify_mode = ssl.CERT_REQUIRED
4370 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
4371 self.assertEqual(ctx.post_handshake_auth, True)
4372
4373 ctx.post_handshake_auth = False
4374 self.assertEqual(ctx.verify_mode, ssl.CERT_REQUIRED)
4375 self.assertEqual(ctx.post_handshake_auth, False)
4376
4377 ctx.verify_mode = ssl.CERT_OPTIONAL
4378 ctx.post_handshake_auth = True
4379 self.assertEqual(ctx.verify_mode, ssl.CERT_OPTIONAL)
4380 self.assertEqual(ctx.post_handshake_auth, True)
4381
4382 def test_pha_required(self):
4383 client_context, server_context, hostname = testing_context()
4384 server_context.post_handshake_auth = True
4385 server_context.verify_mode = ssl.CERT_REQUIRED
4386 client_context.post_handshake_auth = True
4387 client_context.load_cert_chain(SIGNED_CERTFILE)
4388
4389 server = ThreadedEchoServer(context=server_context, chatty=False)
4390 with server:
4391 with client_context.wrap_socket(socket.socket(),
4392 server_hostname=hostname) as s:
4393 s.connect((HOST, server.port))
4394 s.write(b'HASCERT')
4395 self.assertEqual(s.recv(1024), b'FALSE\n')
4396 s.write(b'PHA')
4397 self.assertEqual(s.recv(1024), b'OK\n')
4398 s.write(b'HASCERT')
4399 self.assertEqual(s.recv(1024), b'TRUE\n')
4400 # PHA method just returns true when cert is already available
4401 s.write(b'PHA')
4402 self.assertEqual(s.recv(1024), b'OK\n')
4403 s.write(b'GETCERT')
4404 cert_text = s.recv(4096).decode('us-ascii')
4405 self.assertIn('Python Software Foundation CA', cert_text)
4406
4407 def test_pha_required_nocert(self):
4408 client_context, server_context, hostname = testing_context()
4409 server_context.post_handshake_auth = True
4410 server_context.verify_mode = ssl.CERT_REQUIRED
4411 client_context.post_handshake_auth = True
4412
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]4413 def msg_cb(conn, direction, version, content_type, msg_type, data):
4414 if support.verbose and content_type == _TLSContentType.ALERT:
4415 info = (conn, direction, version, content_type, msg_type, data)
4416 sys.stdout.write(f"TLS: {info!r}\n")
4417
4418 server_context._msg_callback = msg_cb
4419 client_context._msg_callback = msg_cb
4420
4421 server = ThreadedEchoServer(context=server_context, chatty=True)
4422 with server:
4423 with client_context.wrap_socket(socket.socket(),
4424 server_hostname=hostname) as s:
4425 s.connect((HOST, server.port))
4426 s.write(b'PHA')
4427 with self.assertRaisesRegex(
4428 ssl.SSLError,
4429 'tlsv13 alert certificate required'
4430 ):
Victor Stinner73ea5462019-07-09 14:33:49 +0200[diff] [blame]4431 # receive CertificateRequest
4432 self.assertEqual(s.recv(1024), b'OK\n')
4433 # send empty Certificate + Finish
4434 s.write(b'HASCERT')
4435 # receive alert
Christian Heimesc8666cf2021-04-24 09:17:54 +0200[diff] [blame]4436 s.recv(1024)
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4437
4438 def test_pha_optional(self):
4439 if support.verbose:
4440 sys.stdout.write("\n")
4441
4442 client_context, server_context, hostname = testing_context()
4443 server_context.post_handshake_auth = True
4444 server_context.verify_mode = ssl.CERT_REQUIRED
4445 client_context.post_handshake_auth = True
4446 client_context.load_cert_chain(SIGNED_CERTFILE)
4447
4448 # check CERT_OPTIONAL
4449 server_context.verify_mode = ssl.CERT_OPTIONAL
4450 server = ThreadedEchoServer(context=server_context, chatty=False)
4451 with server:
4452 with client_context.wrap_socket(socket.socket(),
4453 server_hostname=hostname) as s:
4454 s.connect((HOST, server.port))
4455 s.write(b'HASCERT')
4456 self.assertEqual(s.recv(1024), b'FALSE\n')
4457 s.write(b'PHA')
4458 self.assertEqual(s.recv(1024), b'OK\n')
4459 s.write(b'HASCERT')
4460 self.assertEqual(s.recv(1024), b'TRUE\n')
4461
4462 def test_pha_optional_nocert(self):
4463 if support.verbose:
4464 sys.stdout.write("\n")
4465
4466 client_context, server_context, hostname = testing_context()
4467 server_context.post_handshake_auth = True
4468 server_context.verify_mode = ssl.CERT_OPTIONAL
4469 client_context.post_handshake_auth = True
4470
4471 server = ThreadedEchoServer(context=server_context, chatty=False)
4472 with server:
4473 with client_context.wrap_socket(socket.socket(),
4474 server_hostname=hostname) as s:
4475 s.connect((HOST, server.port))
4476 s.write(b'HASCERT')
4477 self.assertEqual(s.recv(1024), b'FALSE\n')
4478 s.write(b'PHA')
4479 self.assertEqual(s.recv(1024), b'OK\n')
penguindustin96466302019-05-06 14:57:17 -0400[diff] [blame]4480 # optional doesn't fail when client does not have a cert
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4481 s.write(b'HASCERT')
4482 self.assertEqual(s.recv(1024), b'FALSE\n')
4483
4484 def test_pha_no_pha_client(self):
4485 client_context, server_context, hostname = testing_context()
4486 server_context.post_handshake_auth = True
4487 server_context.verify_mode = ssl.CERT_REQUIRED
4488 client_context.load_cert_chain(SIGNED_CERTFILE)
4489
4490 server = ThreadedEchoServer(context=server_context, chatty=False)
4491 with server:
4492 with client_context.wrap_socket(socket.socket(),
4493 server_hostname=hostname) as s:
4494 s.connect((HOST, server.port))
4495 with self.assertRaisesRegex(ssl.SSLError, 'not server'):
4496 s.verify_client_post_handshake()
4497 s.write(b'PHA')
4498 self.assertIn(b'extension not received', s.recv(1024))
4499
4500 def test_pha_no_pha_server(self):
4501 # server doesn't have PHA enabled, cert is requested in handshake
4502 client_context, server_context, hostname = testing_context()
4503 server_context.verify_mode = ssl.CERT_REQUIRED
4504 client_context.post_handshake_auth = True
4505 client_context.load_cert_chain(SIGNED_CERTFILE)
4506
4507 server = ThreadedEchoServer(context=server_context, chatty=False)
4508 with server:
4509 with client_context.wrap_socket(socket.socket(),
4510 server_hostname=hostname) as s:
4511 s.connect((HOST, server.port))
4512 s.write(b'HASCERT')
4513 self.assertEqual(s.recv(1024), b'TRUE\n')
4514 # PHA doesn't fail if there is already a cert
4515 s.write(b'PHA')
4516 self.assertEqual(s.recv(1024), b'OK\n')
4517 s.write(b'HASCERT')
4518 self.assertEqual(s.recv(1024), b'TRUE\n')
4519
4520 def test_pha_not_tls13(self):
4521 # TLS 1.2
4522 client_context, server_context, hostname = testing_context()
4523 server_context.verify_mode = ssl.CERT_REQUIRED
4524 client_context.maximum_version = ssl.TLSVersion.TLSv1_2
4525 client_context.post_handshake_auth = True
4526 client_context.load_cert_chain(SIGNED_CERTFILE)
4527
4528 server = ThreadedEchoServer(context=server_context, chatty=False)
4529 with server:
4530 with client_context.wrap_socket(socket.socket(),
4531 server_hostname=hostname) as s:
4532 s.connect((HOST, server.port))
4533 # PHA fails for TLS != 1.3
4534 s.write(b'PHA')
4535 self.assertIn(b'WRONG_SSL_VERSION', s.recv(1024))
4536
Christian Heimesf0f59302019-07-01 08:29:17 +0200[diff] [blame]4537 def test_bpo37428_pha_cert_none(self):
4538 # verify that post_handshake_auth does not implicitly enable cert
4539 # validation.
4540 hostname = SIGNED_CERTFILE_HOSTNAME
4541 client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
4542 client_context.post_handshake_auth = True
4543 client_context.load_cert_chain(SIGNED_CERTFILE)
4544 # no cert validation and CA on client side
4545 client_context.check_hostname = False
4546 client_context.verify_mode = ssl.CERT_NONE
4547
4548 server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
4549 server_context.load_cert_chain(SIGNED_CERTFILE)
4550 server_context.load_verify_locations(SIGNING_CA)
4551 server_context.post_handshake_auth = True
4552 server_context.verify_mode = ssl.CERT_REQUIRED
4553
4554 server = ThreadedEchoServer(context=server_context, chatty=False)
4555 with server:
4556 with client_context.wrap_socket(socket.socket(),
4557 server_hostname=hostname) as s:
4558 s.connect((HOST, server.port))
4559 s.write(b'HASCERT')
4560 self.assertEqual(s.recv(1024), b'FALSE\n')
4561 s.write(b'PHA')
4562 self.assertEqual(s.recv(1024), b'OK\n')
4563 s.write(b'HASCERT')
4564 self.assertEqual(s.recv(1024), b'TRUE\n')
4565 # server cert has not been validated
4566 self.assertEqual(s.getpeercert(), {})
4567
Christian Heimes9fb051f2018-09-23 08:32:31 +0200[diff] [blame]4568
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4569HAS_KEYLOG = hasattr(ssl.SSLContext, 'keylog_filename')
4570requires_keylog = unittest.skipUnless(
4571 HAS_KEYLOG, 'test requires OpenSSL 1.1.1 with keylog callback')
4572
4573class TestSSLDebug(unittest.TestCase):
4574
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4575 def keylog_lines(self, fname=os_helper.TESTFN):
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4576 with open(fname) as f:
4577 return len(list(f))
4578
4579 @requires_keylog
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]4580 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4581 def test_keylog_defaults(self):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4582 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4583 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
4584 self.assertEqual(ctx.keylog_filename, None)
4585
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4586 self.assertFalse(os.path.isfile(os_helper.TESTFN))
4587 ctx.keylog_filename = os_helper.TESTFN
4588 self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
4589 self.assertTrue(os.path.isfile(os_helper.TESTFN))
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4590 self.assertEqual(self.keylog_lines(), 1)
4591
4592 ctx.keylog_filename = None
4593 self.assertEqual(ctx.keylog_filename, None)
4594
4595 with self.assertRaises((IsADirectoryError, PermissionError)):
4596 # Windows raises PermissionError
4597 ctx.keylog_filename = os.path.dirname(
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4598 os.path.abspath(os_helper.TESTFN))
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4599
4600 with self.assertRaises(TypeError):
4601 ctx.keylog_filename = 1
4602
4603 @requires_keylog
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]4604 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4605 def test_keylog_filename(self):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4606 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4607 client_context, server_context, hostname = testing_context()
4608
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4609 client_context.keylog_filename = os_helper.TESTFN
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4610 server = ThreadedEchoServer(context=server_context, chatty=False)
4611 with server:
4612 with client_context.wrap_socket(socket.socket(),
4613 server_hostname=hostname) as s:
4614 s.connect((HOST, server.port))
4615 # header, 5 lines for TLS 1.3
4616 self.assertEqual(self.keylog_lines(), 6)
4617
4618 client_context.keylog_filename = None
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4619 server_context.keylog_filename = os_helper.TESTFN
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4620 server = ThreadedEchoServer(context=server_context, chatty=False)
4621 with server:
4622 with client_context.wrap_socket(socket.socket(),
4623 server_hostname=hostname) as s:
4624 s.connect((HOST, server.port))
4625 self.assertGreaterEqual(self.keylog_lines(), 11)
4626
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4627 client_context.keylog_filename = os_helper.TESTFN
4628 server_context.keylog_filename = os_helper.TESTFN
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4629 server = ThreadedEchoServer(context=server_context, chatty=False)
4630 with server:
4631 with client_context.wrap_socket(socket.socket(),
4632 server_hostname=hostname) as s:
4633 s.connect((HOST, server.port))
4634 self.assertGreaterEqual(self.keylog_lines(), 21)
4635
4636 client_context.keylog_filename = None
4637 server_context.keylog_filename = None
4638
4639 @requires_keylog
4640 @unittest.skipIf(sys.flags.ignore_environment,
4641 "test is not compatible with ignore_environment")
Paul Monsonf3550692019-06-19 13:09:54 -0700[diff] [blame]4642 @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4643 def test_keylog_env(self):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4644 self.addCleanup(os_helper.unlink, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4645 with unittest.mock.patch.dict(os.environ):
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4646 os.environ['SSLKEYLOGFILE'] = os_helper.TESTFN
4647 self.assertEqual(os.environ['SSLKEYLOGFILE'], os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4648
4649 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
4650 self.assertEqual(ctx.keylog_filename, None)
4651
4652 ctx = ssl.create_default_context()
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4653 self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4654
4655 ctx = ssl._create_stdlib_context()
Hai Shia7f5d932020-08-04 00:41:24 +0800[diff] [blame]4656 self.assertEqual(ctx.keylog_filename, os_helper.TESTFN)
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4657
4658 def test_msg_callback(self):
4659 client_context, server_context, hostname = testing_context()
4660
4661 def msg_cb(conn, direction, version, content_type, msg_type, data):
4662 pass
4663
4664 self.assertIs(client_context._msg_callback, None)
4665 client_context._msg_callback = msg_cb
4666 self.assertIs(client_context._msg_callback, msg_cb)
4667 with self.assertRaises(TypeError):
4668 client_context._msg_callback = object()
4669
4670 def test_msg_callback_tls12(self):
4671 client_context, server_context, hostname = testing_context()
4672 client_context.options |= ssl.OP_NO_TLSv1_3
4673
4674 msg = []
4675
4676 def msg_cb(conn, direction, version, content_type, msg_type, data):
4677 self.assertIsInstance(conn, ssl.SSLSocket)
4678 self.assertIsInstance(data, bytes)
4679 self.assertIn(direction, {'read', 'write'})
4680 msg.append((direction, version, content_type, msg_type))
4681
4682 client_context._msg_callback = msg_cb
4683
4684 server = ThreadedEchoServer(context=server_context, chatty=False)
4685 with server:
4686 with client_context.wrap_socket(socket.socket(),
4687 server_hostname=hostname) as s:
4688 s.connect((HOST, server.port))
4689
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]4690 self.assertIn(
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4691 ("read", TLSVersion.TLSv1_2, _TLSContentType.HANDSHAKE,
4692 _TLSMessageType.SERVER_KEY_EXCHANGE),
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]4693 msg
4694 )
4695 self.assertIn(
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4696 ("write", TLSVersion.TLSv1_2, _TLSContentType.CHANGE_CIPHER_SPEC,
4697 _TLSMessageType.CHANGE_CIPHER_SPEC),
Christian Heimese35d1ba2019-06-03 20:40:15 +0200[diff] [blame]4698 msg
4699 )
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4700
Christian Heimes77cde502021-03-21 16:13:09 +0100[diff] [blame]4701 def test_msg_callback_deadlock_bpo43577(self):
4702 client_context, server_context, hostname = testing_context()
4703 server_context2 = testing_context()[1]
4704
4705 def msg_cb(conn, direction, version, content_type, msg_type, data):
4706 pass
4707
4708 def sni_cb(sock, servername, ctx):
4709 sock.context = server_context2
4710
4711 server_context._msg_callback = msg_cb
4712 server_context.sni_callback = sni_cb
4713
4714 server = ThreadedEchoServer(context=server_context, chatty=False)
4715 with server:
4716 with client_context.wrap_socket(socket.socket(),
4717 server_hostname=hostname) as s:
4718 s.connect((HOST, server.port))
4719 with client_context.wrap_socket(socket.socket(),
4720 server_hostname=hostname) as s:
4721 s.connect((HOST, server.port))
4722
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4723
Ethan Furmana02cb472021-04-21 10:20:44 -0700[diff] [blame]4724class TestEnumerations(unittest.TestCase):
4725
4726 def test_tlsversion(self):
4727 class CheckedTLSVersion(enum.IntEnum):
4728 MINIMUM_SUPPORTED = _ssl.PROTO_MINIMUM_SUPPORTED
4729 SSLv3 = _ssl.PROTO_SSLv3
4730 TLSv1 = _ssl.PROTO_TLSv1
4731 TLSv1_1 = _ssl.PROTO_TLSv1_1
4732 TLSv1_2 = _ssl.PROTO_TLSv1_2
4733 TLSv1_3 = _ssl.PROTO_TLSv1_3
4734 MAXIMUM_SUPPORTED = _ssl.PROTO_MAXIMUM_SUPPORTED
4735 enum._test_simple_enum(CheckedTLSVersion, TLSVersion)
4736
4737 def test_tlscontenttype(self):
4738 class Checked_TLSContentType(enum.IntEnum):
4739 """Content types (record layer)
4740
4741 See RFC 8446, section B.1
4742 """
4743 CHANGE_CIPHER_SPEC = 20
4744 ALERT = 21
4745 HANDSHAKE = 22
4746 APPLICATION_DATA = 23
4747 # pseudo content types
4748 HEADER = 0x100
4749 INNER_CONTENT_TYPE = 0x101
4750 enum._test_simple_enum(Checked_TLSContentType, _TLSContentType)
4751
4752 def test_tlsalerttype(self):
4753 class Checked_TLSAlertType(enum.IntEnum):
4754 """Alert types for TLSContentType.ALERT messages
4755
4756 See RFC 8466, section B.2
4757 """
4758 CLOSE_NOTIFY = 0
4759 UNEXPECTED_MESSAGE = 10
4760 BAD_RECORD_MAC = 20
4761 DECRYPTION_FAILED = 21
4762 RECORD_OVERFLOW = 22
4763 DECOMPRESSION_FAILURE = 30
4764 HANDSHAKE_FAILURE = 40
4765 NO_CERTIFICATE = 41
4766 BAD_CERTIFICATE = 42
4767 UNSUPPORTED_CERTIFICATE = 43
4768 CERTIFICATE_REVOKED = 44
4769 CERTIFICATE_EXPIRED = 45
4770 CERTIFICATE_UNKNOWN = 46
4771 ILLEGAL_PARAMETER = 47
4772 UNKNOWN_CA = 48
4773 ACCESS_DENIED = 49
4774 DECODE_ERROR = 50
4775 DECRYPT_ERROR = 51
4776 EXPORT_RESTRICTION = 60
4777 PROTOCOL_VERSION = 70
4778 INSUFFICIENT_SECURITY = 71
4779 INTERNAL_ERROR = 80
4780 INAPPROPRIATE_FALLBACK = 86
4781 USER_CANCELED = 90
4782 NO_RENEGOTIATION = 100
4783 MISSING_EXTENSION = 109
4784 UNSUPPORTED_EXTENSION = 110
4785 CERTIFICATE_UNOBTAINABLE = 111
4786 UNRECOGNIZED_NAME = 112
4787 BAD_CERTIFICATE_STATUS_RESPONSE = 113
4788 BAD_CERTIFICATE_HASH_VALUE = 114
4789 UNKNOWN_PSK_IDENTITY = 115
4790 CERTIFICATE_REQUIRED = 116
4791 NO_APPLICATION_PROTOCOL = 120
4792 enum._test_simple_enum(Checked_TLSAlertType, _TLSAlertType)
4793
4794 def test_tlsmessagetype(self):
4795 class Checked_TLSMessageType(enum.IntEnum):
4796 """Message types (handshake protocol)
4797
4798 See RFC 8446, section B.3
4799 """
4800 HELLO_REQUEST = 0
4801 CLIENT_HELLO = 1
4802 SERVER_HELLO = 2
4803 HELLO_VERIFY_REQUEST = 3
4804 NEWSESSION_TICKET = 4
4805 END_OF_EARLY_DATA = 5
4806 HELLO_RETRY_REQUEST = 6
4807 ENCRYPTED_EXTENSIONS = 8
4808 CERTIFICATE = 11
4809 SERVER_KEY_EXCHANGE = 12
4810 CERTIFICATE_REQUEST = 13
4811 SERVER_DONE = 14
4812 CERTIFICATE_VERIFY = 15
4813 CLIENT_KEY_EXCHANGE = 16
4814 FINISHED = 20
4815 CERTIFICATE_URL = 21
4816 CERTIFICATE_STATUS = 22
4817 SUPPLEMENTAL_DATA = 23
4818 KEY_UPDATE = 24
4819 NEXT_PROTO = 67
4820 MESSAGE_HASH = 254
4821 CHANGE_CIPHER_SPEC = 0x0101
4822 enum._test_simple_enum(Checked_TLSMessageType, _TLSMessageType)
4823
4824 def test_sslmethod(self):
4825 Checked_SSLMethod = enum._old_convert_(
4826 enum.IntEnum, '_SSLMethod', 'ssl',
4827 lambda name: name.startswith('PROTOCOL_') and name != 'PROTOCOL_SSLv23',
4828 source=ssl._ssl,
4829 )
4830 enum._test_simple_enum(Checked_SSLMethod, ssl._SSLMethod)
4831
4832 def test_options(self):
4833 CheckedOptions = enum._old_convert_(
4834 enum.FlagEnum, 'Options', 'ssl',
4835 lambda name: name.startswith('OP_'),
4836 source=ssl._ssl,
4837 )
4838 enum._test_simple_enum(CheckedOptions, ssl.Options)
4839
4840
4841 def test_alertdescription(self):
4842 CheckedAlertDescription = enum._old_convert_(
4843 enum.IntEnum, 'AlertDescription', 'ssl',
4844 lambda name: name.startswith('ALERT_DESCRIPTION_'),
4845 source=ssl._ssl,
4846 )
4847 enum._test_simple_enum(CheckedAlertDescription, ssl.AlertDescription)
4848
4849 def test_sslerrornumber(self):
4850 Checked_SSLMethod = enum._old_convert_(
4851 enum.IntEnum, '_SSLMethod', 'ssl',
4852 lambda name: name.startswith('PROTOCOL_') and name != 'PROTOCOL_SSLv23',
4853 source=ssl._ssl,
4854 )
4855 enum._test_simple_enum(Checked_SSLMethod, ssl._SSLMethod)
4856
4857 def test_verifyflags(self):
4858 CheckedVerifyFlags = enum._old_convert_(
4859 enum.FlagEnum, 'VerifyFlags', 'ssl',
4860 lambda name: name.startswith('VERIFY_'),
4861 source=ssl._ssl,
4862 )
4863 enum._test_simple_enum(CheckedVerifyFlags, ssl.VerifyFlags)
4864
4865 def test_verifymode(self):
4866 CheckedVerifyMode = enum._old_convert_(
4867 enum.IntEnum, 'VerifyMode', 'ssl',
4868 lambda name: name.startswith('CERT_'),
4869 source=ssl._ssl,
4870 )
4871 enum._test_simple_enum(CheckedVerifyMode, ssl.VerifyMode)
4872
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]4873def test_main(verbose=False):
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]4874 if support.verbose:
4875 plats = {
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]4876 'Mac': platform.mac_ver,
4877 'Windows': platform.win32_ver,
4878 }
Petr Viktorin8b94b412018-05-16 11:51:18 -0400[diff] [blame]4879 for name, func in plats.items():
4880 plat = func()
4881 if plat and plat[0]:
4882 plat = '%s %r' % (name, plat)
4883 break
4884 else:
4885 plat = repr(platform.platform())
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]4886 print("test_ssl: testing with %r %r" %
4887 (ssl.OPENSSL_VERSION, ssl.OPENSSL_VERSION_INFO))
4888 print(" under %s" % plat)
Antoine Pitroud5323212010-10-22 18:19:07 +0000[diff] [blame]4889 print(" HAS_SNI = %r" % ssl.HAS_SNI)
Antoine Pitrou609ef012013-03-29 18:09:06 +0100[diff] [blame]4890 print(" OP_ALL = 0x%8x" % ssl.OP_ALL)
4891 try:
4892 print(" OP_NO_TLSv1_1 = 0x%8x" % ssl.OP_NO_TLSv1_1)
4893 except AttributeError:
4894 pass
Antoine Pitrou15cee622010-08-04 16:45:21 +0000[diff] [blame]4895
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]4896 for filename in [
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]4897 CERTFILE, BYTES_CERTFILE,
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]4898 ONLYCERT, ONLYKEY, BYTES_ONLYCERT, BYTES_ONLYKEY,
Antoine Pitrou58ddc9d2013-01-05 21:20:29 +0100[diff] [blame]4899 SIGNED_CERTFILE, SIGNED_CERTFILE2, SIGNING_CA,
Antoine Pitrou152efa22010-05-16 18:19:27 +0000[diff] [blame]4900 BADCERT, BADKEY, EMPTYCERT]:
4901 if not os.path.exists(filename):
4902 raise support.TestFailed("Can't read certificate file %r" % filename)
Thomas Wouters1b7f8912007-09-19 03:06:30 +0000[diff] [blame]4903
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]4904 tests = [
4905 ContextTests, BasicSocketTests, SSLErrorTests, MemoryBIOTests,
Christian Heimes9d50ab52018-02-27 10:17:30 +0100[diff] [blame]4906 SSLObjectTests, SimpleBackgroundTests, ThreadedTests,
Christian Heimesc7f70692019-05-31 11:44:05 +0200[diff] [blame]4907 TestPostHandshakeAuth, TestSSLDebug
Martin Panter3840b2a2016-03-27 01:53:46 +0000[diff] [blame]4908 ]
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]4909
Benjamin Petersonee8712c2008-05-20 21:35:26 +0000[diff] [blame]4910 if support.is_resource_enabled('network'):
Bill Janssen6e027db2007-11-15 22:23:56 +0000[diff] [blame]4911 tests.append(NetworkedTests)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]4912
Hai Shie80697d2020-05-28 06:10:27 +0800[diff] [blame]4913 thread_info = threading_helper.threading_setup()
Antoine Pitrou480a1242010-04-28 21:37:09 +0000[diff] [blame]4914 try:
4915 support.run_unittest(*tests)
4916 finally:
Hai Shie80697d2020-05-28 06:10:27 +0800[diff] [blame]4917 threading_helper.threading_cleanup(*thread_info)
Thomas Woutersed03b412007-08-28 21:37:11 +0000[diff] [blame]4918
4919if __name__ == "__main__":
4920 test_main()