Raise an Error with "no cipher match" even with TLS 1.3 (#818)
* Raise an Error with "no cipher match" even with TLS 1.3
This makes Twisted's OpenSSLAcceptableCiphers.fromOpenSSLCipherString
work seamlessly with TLS 1.3:
https://github.com/twisted/twisted/pull/1100/files/a5df2fb373ac67b0e3032acc9291ae88dfd0b3b1#diff-df501bac724aab523150498f84749b88R1767
* Split TestContext.test_set_cipher_list_wrong_args into two tests.
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index 5d07b26..de49cf9 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -1189,13 +1189,22 @@
# invalid cipher string is passed, but without the following check
# for the TLS 1.3 specific cipher suites it would never error.
tmpconn = Connection(self, None)
- _openssl_assert(
- tmpconn.get_cipher_list() != [
+ if (
+ tmpconn.get_cipher_list() == [
'TLS_AES_256_GCM_SHA384',
'TLS_CHACHA20_POLY1305_SHA256',
'TLS_AES_128_GCM_SHA256'
]
- )
+ ):
+ raise Error(
+ [
+ (
+ 'SSL routines',
+ 'SSL_CTX_set_cipher_list',
+ 'no cipher match',
+ ),
+ ],
+ )
def set_client_ca_list(self, certificate_authorities):
"""
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index 38511a4..986463a 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -410,18 +410,31 @@
assert "AES128-SHA" in conn.get_cipher_list()
- @pytest.mark.parametrize("cipher_list,error", [
- (object(), TypeError),
- ("imaginary-cipher", Error),
- ])
- def test_set_cipher_list_wrong_args(self, context, cipher_list, error):
+ def test_set_cipher_list_wrong_type(self, context):
"""
`Context.set_cipher_list` raises `TypeError` when passed a non-string
- argument and raises `OpenSSL.SSL.Error` when passed an incorrect cipher
- list string.
+ argument.
"""
- with pytest.raises(error):
- context.set_cipher_list(cipher_list)
+ with pytest.raises(TypeError):
+ context.set_cipher_list(object())
+
+ def test_set_cipher_list_no_cipher_match(self, context):
+ """
+ `Context.set_cipher_list` raises `OpenSSL.SSL.Error` with a
+ `"no cipher match"` reason string regardless of the TLS
+ version.
+ """
+ with pytest.raises(Error) as excinfo:
+ context.set_cipher_list(b"imaginary-cipher")
+ assert excinfo.value.args == (
+ [
+ (
+ 'SSL routines',
+ 'SSL_CTX_set_cipher_list',
+ 'no cipher match',
+ ),
+ ],
+ )
def test_load_client_ca(self, context, ca_file):
"""