Blame - tests/test_ssl.py - platform/external/python/pyopenssl

2008-03-21 17:04:05 -0400

[diff] [blame]

4

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

5

Unit tests for :mod:`OpenSSL.SSL`.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

6

"""

7

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

8

import datetime

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

9

import sys

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

10

import uuid

11

Jean-Paul Calderone

4c1aacd

2014-01-11 08:15:17 -0500

[diff] [blame]

12

from gc import collect, get_referrers

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

13

from errno import ECONNREFUSED, EINPROGRESS, EWOULDBLOCK, EPIPE, ESHUTDOWN

Jeremy Lainé

1ae7cb6

2018-03-21 14:49:42 +0100

[diff] [blame]

14

from sys import platform, getfilesystemencoding

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

15

from socket import MSG_PEEK, SHUT_RDWR, error, socket

Jean-Paul Calderone

a65cf6c

2009-07-19 10:26:52 -0400

[diff] [blame]

16

from os import makedirs

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

17

from os.path import join

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

18

from weakref import ref

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

19

from warnings import simplefilter

Jean-Paul Calderone

460cc1f

2009-03-07 11:31:12 -0500

[diff] [blame]

20

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

21

import pytest

22

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

23

from pretend import raiser

24

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

25

from six import PY3, text_type

Jean-Paul Calderone

c76c61c

2014-01-18 13:21:52 -0500

[diff] [blame]

26

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

27

from cryptography import x509

28

from cryptography.hazmat.backends import default_backend

29

from cryptography.hazmat.primitives import hashes

30

from cryptography.hazmat.primitives import serialization

31

from cryptography.hazmat.primitives.asymmetric import rsa

32

from cryptography.x509.oid import NameOID

33

34

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

35

from OpenSSL.crypto import TYPE_RSA, FILETYPE_PEM

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

36

from OpenSSL.crypto import PKey, X509, X509Extension, X509Store

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

37

from OpenSSL.crypto import dump_privatekey, load_privatekey

38

from OpenSSL.crypto import dump_certificate, load_certificate

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

39

from OpenSSL.crypto import get_elliptic_curves

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

40

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

41

from OpenSSL.SSL import OPENSSL_VERSION_NUMBER, SSLEAY_VERSION, SSLEAY_CFLAGS

42

from OpenSSL.SSL import SSLEAY_PLATFORM, SSLEAY_DIR, SSLEAY_BUILT_ON

Jean-Paul Calderone

e4f6b47

2010-07-29 22:50:58 -0400

[diff] [blame]

43

from OpenSSL.SSL import SENT_SHUTDOWN, RECEIVED_SHUTDOWN

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

44

from OpenSSL.SSL import (

45

SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD,

46

TLSv1_1_METHOD, TLSv1_2_METHOD)

47

from OpenSSL.SSL import OP_SINGLE_DH_USE, OP_NO_SSLv2, OP_NO_SSLv3

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

48

from OpenSSL.SSL import (

49

VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT, VERIFY_CLIENT_ONCE, VERIFY_NONE)

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

50

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

51

from OpenSSL import SSL

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

52

from OpenSSL.SSL import (

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

53

SESS_CACHE_OFF, SESS_CACHE_CLIENT, SESS_CACHE_SERVER, SESS_CACHE_BOTH,

54

SESS_CACHE_NO_AUTO_CLEAR, SESS_CACHE_NO_INTERNAL_LOOKUP,

55

SESS_CACHE_NO_INTERNAL_STORE, SESS_CACHE_NO_INTERNAL)

56

57

from OpenSSL.SSL import (

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

58

Error, SysCallError, WantReadError, WantWriteError, ZeroReturnError)

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

59

from OpenSSL.SSL import (

Alex Gaynor

01f90a1

2019-02-07 09:14:48 -0500

[diff] [blame]

60

Context, Session, Connection, SSLeay_version)

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

61

from OpenSSL.SSL import _make_requires

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

62

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

63

from OpenSSL._util import ffi as _ffi, lib as _lib

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

64

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

65

from OpenSSL.SSL import (

66

OP_NO_QUERY_MTU, OP_COOKIE_EXCHANGE, OP_NO_TICKET, OP_NO_COMPRESSION,

67

MODE_RELEASE_BUFFERS)

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

68

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

69

from OpenSSL.SSL import (

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

70

SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK,

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

71

SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT,

72

SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP,

73

SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT,

74

SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE)

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

75

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

76

try:

77

from OpenSSL.SSL import (

78

SSL_ST_INIT, SSL_ST_BEFORE, SSL_ST_OK, SSL_ST_RENEGOTIATE

79

)

80

except ImportError:

81

SSL_ST_INIT = SSL_ST_BEFORE = SSL_ST_OK = SSL_ST_RENEGOTIATE = None

82

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

83

from .util import WARNING_TYPE_EXPECTED, NON_ASCII, is_consistent_type

Hynek Schlawack

f0e6685

2015-10-16 20:18:38 +0200

[diff] [blame]

84

from .test_crypto import (

85

cleartextCertificatePEM, cleartextPrivateKeyPEM,

86

client_cert_pem, client_key_pem, server_cert_pem, server_key_pem,

87

root_cert_pem)

88

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

89

Alex Gaynor

d0bdd2d

2016-09-10 14:23:46 -0400

[diff] [blame]

90

# openssl dhparam 1024 -out dh-1024.pem (note that 1024 is a small number of

91

# bits to use)

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

92

dhparam = """\

93

-----BEGIN DH PARAMETERS-----

Alex Gaynor

d0bdd2d

2016-09-10 14:23:46 -0400

[diff] [blame]

94

MIGHAoGBALdUMvn+C9MM+y5BWZs11mSeH6HHoEq0UVbzVq7UojC1hbsZUuGukQ3a

95

Qh2/pwqb18BZFykrWB0zv/OkLa0kx4cuUgNrUVq1EFheBiX6YqryJ7t2sO09NQiO

96

V7H54LmltOT/hEh6QWsJqb6BQgH65bswvV/XkYGja8/T0GzvbaVzAgEC

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

97

-----END DH PARAMETERS-----

"""

Hynek Schlawack

2015-09-05 20:48:34 +0200

[diff] [blame]

101

skip_if_py3 = pytest.mark.skipif(PY3, reason="Python 2 only")

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

102

103

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

104

def join_bytes_or_unicode(prefix, suffix):

105

"""

106

Join two path components of either ``bytes`` or ``unicode``.

107

108

The return type is the same as the type of ``prefix``.

109

"""

110

# If the types are the same, nothing special is necessary.

111

if type(prefix) == type(suffix):

112

return join(prefix, suffix)

113

114

# Otherwise, coerce suffix to the type of prefix.

115

if isinstance(prefix, text_type):

116

return join(prefix, suffix.decode(getfilesystemencoding()))

117

else:

118

return join(prefix, suffix.encode(getfilesystemencoding()))

119

120

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

121

def verify_cb(conn, cert, errnum, depth, ok):

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

122

return ok

123

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

124

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

125

def socket_pair():

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

126

"""

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

127

Establish and return a pair of network sockets connected to each other.

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

128

"""

129

# Connect a pair of sockets

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

port = socket()

port.bind(('', 0))

port.listen(1)

client = socket()

client.setblocking(False)

Jean-Paul Calderone

f23c5d9

2009-07-23 17:58:15 -0400

[diff] [blame]

135

client.connect_ex(("127.0.0.1", port.getsockname()[1]))

Jean-Paul Calderone

94b24a8

2009-07-16 19:11:38 -0400

[diff] [blame]

136

client.setblocking(True)

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

137

server = port.accept()[0]

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

138

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

139

# Let's pass some unencrypted data to make sure our socket connection is

140

# fine. Just one byte, so we don't have to worry about buffers getting

141

# filled up or fragmentation.

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

142

server.send(b"x")

143

assert client.recv(1024) == b"x"

144

client.send(b"y")

145

assert server.recv(1024) == b"y"

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

146

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

147

# Most of our callers want non-blocking sockets, make it easy for them.

Jean-Paul Calderone

94b24a8

2009-07-16 19:11:38 -0400

[diff] [blame]

148

server.setblocking(False)

149

client.setblocking(False)

Jim Shaver

46f2891

2015-05-29 19:32:16 -0400

[diff] [blame]

150

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

151

return (server, client)

152

153

Jean-Paul Calderone

f874203

2010-09-25 00:00:32 -0400

[diff] [blame]

154

def handshake(client, server):

155

conns = [client, server]

while conns:

for conn in conns:

try:

conn.do_handshake()

except WantReadError:

pass

else:

conns.remove(conn)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

166

def _create_certificate_chain():

167

"""

168

Construct and return a chain of certificates.

169

170

1. A new self-signed certificate authority certificate (cacert)

171

2. A new intermediate certificate signed by cacert (icert)

172

3. A new server certificate signed by icert (scert)

173

"""

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

174

caext = X509Extension(b'basicConstraints', False, b'CA:true')

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

175

176

# Step 1

177

cakey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

178

cakey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

179

cacert = X509()

180

cacert.get_subject().commonName = "Authority Certificate"

181

cacert.set_issuer(cacert.get_subject())

182

cacert.set_pubkey(cakey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

183

cacert.set_notBefore(b"20000101000000Z")

184

cacert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

185

cacert.add_extensions([caext])

186

cacert.set_serial_number(0)

187

cacert.sign(cakey, "sha1")

188

189

# Step 2

190

ikey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

191

ikey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

192

icert = X509()

193

icert.get_subject().commonName = "Intermediate Certificate"

194

icert.set_issuer(cacert.get_subject())

195

icert.set_pubkey(ikey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

196

icert.set_notBefore(b"20000101000000Z")

197

icert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

198

icert.add_extensions([caext])

199

icert.set_serial_number(0)

200

icert.sign(cakey, "sha1")

201

202

# Step 3

203

skey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

204

skey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

205

scert = X509()

206

scert.get_subject().commonName = "Server Certificate"

207

scert.set_issuer(icert.get_subject())

208

scert.set_pubkey(skey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

209

scert.set_notBefore(b"20000101000000Z")

210

scert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

211

scert.add_extensions([

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

212

X509Extension(b'basicConstraints', True, b'CA:false')])

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

213

scert.set_serial_number(0)

214

scert.sign(ikey, "sha1")

215

216

return [(cakey, cacert), (ikey, icert), (skey, scert)]

217

218

Paul Kehrer

2019-01-21 12:24:02 -0600

[diff] [blame]

219

def loopback_client_factory(socket, version=SSLv23_METHOD):

220

client = Connection(Context(version), socket)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

221

client.set_connect_state()

return client

Paul Kehrer

2019-01-21 12:24:02 -0600

[diff] [blame]

225

def loopback_server_factory(socket, version=SSLv23_METHOD):

226

ctx = Context(version)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

227

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

228

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

229

server = Connection(ctx, socket)

230

server.set_accept_state()

return server

def loopback(server_factory=None, client_factory=None):

235

"""

236

Create a connected socket pair and force two connected SSL sockets

237

to talk to each other via memory BIOs.

238

"""

239

if server_factory is None:

240

server_factory = loopback_server_factory

241

if client_factory is None:

242

client_factory = loopback_client_factory

243

244

(server, client) = socket_pair()

245

server = server_factory(server)

246

client = client_factory(client)

247

248

handshake(client, server)

249

250

server.setblocking(True)

251

client.setblocking(True)

252

return server, client

253

254

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

255

def interact_in_memory(client_conn, server_conn):

256

"""

257

Try to read application bytes from each of the two `Connection` objects.

258

Copy bytes back and forth between their send/receive buffers for as long

259

as there is anything to copy. When there is nothing more to copy,

260

return `None`. If one of them actually manages to deliver some application

261

bytes, return a two-tuple of the connection from which the bytes were read

262

and the bytes themselves.

"""

wrote = True

while wrote:

# Loop until neither side has anything to say

267

wrote = False

268

269

# Copy stuff from each side's send buffer to the other side's

270

# receive buffer.

271

for (read, write) in [(client_conn, server_conn),

272

(server_conn, client_conn)]:

273

274

# Give the side a chance to generate some more bytes, or succeed.

275

try:

276

data = read.recv(2 ** 16)

277

except WantReadError:

278

# It didn't succeed, so we'll hope it generated some output.

279

pass

280

else:

281

# It did succeed, so we'll stop now and let the caller deal

# with it.

return (read, data)

while True:

# Keep copying as long as there's more stuff there.

287

try:

288

dirty = read.bio_read(4096)

289

except WantReadError:

290

# Okay, nothing more waiting to be sent. Stop

291

# processing this send buffer.

292

break

293

else:

294

# Keep track of the fact that someone generated some

295

# output.

296

wrote = True

297

write.bio_write(dirty)

298

299

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

300

def handshake_in_memory(client_conn, server_conn):

301

"""

302

Perform the TLS handshake between two `Connection` instances connected to

303

each other via memory BIOs.

304

"""

305

client_conn.set_connect_state()

306

server_conn.set_accept_state()

307

308

for conn in [client_conn, server_conn]:

309

try:

310

conn.do_handshake()

311

except WantReadError:

312

pass

313

314

interact_in_memory(client_conn, server_conn)

315

316

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

317

class TestVersion(object):

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

318

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

319

Tests for version information exposed by `OpenSSL.SSL.SSLeay_version` and

320

`OpenSSL.SSL.OPENSSL_VERSION_NUMBER`.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

321

"""

322

def test_OPENSSL_VERSION_NUMBER(self):

323

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

324

`OPENSSL_VERSION_NUMBER` is an integer with status in the low byte and

325

the patch, fix, minor, and major versions in the nibbles above that.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

326

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

327

assert isinstance(OPENSSL_VERSION_NUMBER, int)

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

328

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

329

def test_SSLeay_version(self):

330

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

331

`SSLeay_version` takes a version type indicator and returns one of a

332

number of version strings based on that indicator.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

333

"""

334

versions = {}

335

for t in [SSLEAY_VERSION, SSLEAY_CFLAGS, SSLEAY_BUILT_ON,

336

SSLEAY_PLATFORM, SSLEAY_DIR]:

337

version = SSLeay_version(t)

338

versions[version] = t

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

339

assert isinstance(version, bytes)

340

assert len(versions) == 5

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

341

342

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

343

@pytest.fixture

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

344

def ca_file(tmpdir):

345

"""

346

Create a valid PEM file with CA certificates and return the path.

347

"""

348

key = rsa.generate_private_key(

349

public_exponent=65537,

350

key_size=2048,

351

backend=default_backend()

352

)

353

public_key = key.public_key()

354

355

builder = x509.CertificateBuilder()

356

builder = builder.subject_name(x509.Name([

357

x509.NameAttribute(NameOID.COMMON_NAME, u"pyopenssl.org"),

358

]))

359

builder = builder.issuer_name(x509.Name([

360

x509.NameAttribute(NameOID.COMMON_NAME, u"pyopenssl.org"),

361

]))

362

one_day = datetime.timedelta(1, 0, 0)

363

builder = builder.not_valid_before(datetime.datetime.today() - one_day)

364

builder = builder.not_valid_after(datetime.datetime.today() + one_day)

365

builder = builder.serial_number(int(uuid.uuid4()))

366

builder = builder.public_key(public_key)

367

builder = builder.add_extension(

368

x509.BasicConstraints(ca=True, path_length=None), critical=True,

369

)

370

371

certificate = builder.sign(

372

private_key=key, algorithm=hashes.SHA256(),

373

backend=default_backend()

374

)

375

376

ca_file = tmpdir.join("test.pem")

377

ca_file.write_binary(

378

certificate.public_bytes(

379

encoding=serialization.Encoding.PEM,

)

)

return str(ca_file).encode("ascii")

384

385

386

@pytest.fixture

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

387

def context():

388

"""

389

A simple TLS 1.0 context.

390

"""

391

return Context(TLSv1_METHOD)

392

393

394

class TestContext(object):

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

395

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

396

Unit tests for `OpenSSL.SSL.Context`.

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

397

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

398

@pytest.mark.parametrize("cipher_string", [

399

b"hello world:AES128-SHA",

400

u"hello world:AES128-SHA",

401

])

402

def test_set_cipher_list(self, context, cipher_string):

403

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

404

`Context.set_cipher_list` accepts both byte and unicode strings

Hynek Schlawack

a7a63af

2016-03-11 12:05:26 +0100

[diff] [blame]

405

for naming the ciphers which connections created with the context

406

object will be able to choose from.

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

407

"""

408

context.set_cipher_list(cipher_string)

409

conn = Connection(context, None)

410

411

assert "AES128-SHA" in conn.get_cipher_list()

412

Mark Williams

df2480d

2019-02-14 19:30:07 -0800

[diff] [blame]

413

def test_set_cipher_list_wrong_type(self, context):

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

414

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

415

`Context.set_cipher_list` raises `TypeError` when passed a non-string

Mark Williams

df2480d

2019-02-14 19:30:07 -0800

[diff] [blame]

416

argument.

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

417

"""

Mark Williams

df2480d

2019-02-14 19:30:07 -0800

[diff] [blame]

418

with pytest.raises(TypeError):

419

context.set_cipher_list(object())

420

421

def test_set_cipher_list_no_cipher_match(self, context):

422

"""

423

`Context.set_cipher_list` raises `OpenSSL.SSL.Error` with a

424

`"no cipher match"` reason string regardless of the TLS

425

version.

426

"""

427

with pytest.raises(Error) as excinfo:

428

context.set_cipher_list(b"imaginary-cipher")

429

assert excinfo.value.args == (

[

(

'SSL routines',

'SSL_CTX_set_cipher_list',

'no cipher match',

),

],

)

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

438

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

439

def test_load_client_ca(self, context, ca_file):

440

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

441

`Context.load_client_ca` works as far as we can tell.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

442

"""

443

context.load_client_ca(ca_file)

444

445

def test_load_client_ca_invalid(self, context, tmpdir):

446

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

447

`Context.load_client_ca` raises an Error if the ca file is invalid.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

448

"""

449

ca_file = tmpdir.join("test.pem")

450

ca_file.write("")

451

452

with pytest.raises(Error) as e:

453

context.load_client_ca(str(ca_file).encode("ascii"))

454

455

assert "PEM routines" == e.value.args[0][0][0]

456

457

def test_load_client_ca_unicode(self, context, ca_file):

458

"""

459

Passing the path as unicode raises a warning but works.

460

"""

461

pytest.deprecated_call(

462

context.load_client_ca, ca_file.decode("ascii")

463

)

464

465

def test_set_session_id(self, context):

466

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

467

`Context.set_session_id` works as far as we can tell.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

468

"""

469

context.set_session_id(b"abc")

470

471

def test_set_session_id_fail(self, context):

472

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

473

`Context.set_session_id` errors are propagated.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

474

"""

475

with pytest.raises(Error) as e:

476

context.set_session_id(b"abc" * 1000)

assert [

("SSL routines",

"SSL_CTX_set_session_id_context",

481

"ssl session id context too long")

482

] == e.value.args[0]

483

484

def test_set_session_id_unicode(self, context):

485

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

486

`Context.set_session_id` raises a warning if a unicode string is

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

487

passed.

488

"""

489

pytest.deprecated_call(context.set_session_id, u"abc")

490

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

491

def test_method(self):

492

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

493

`Context` can be instantiated with one of `SSLv2_METHOD`,

494

`SSLv3_METHOD`, `SSLv23_METHOD`, `TLSv1_METHOD`, `TLSv1_1_METHOD`,

495

or `TLSv1_2_METHOD`.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

496

"""

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

497

methods = [SSLv23_METHOD, TLSv1_METHOD]

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

498

for meth in methods:

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

499

Context(meth)

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

500

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

501

maybe = [SSLv2_METHOD, SSLv3_METHOD, TLSv1_1_METHOD, TLSv1_2_METHOD]

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

for meth in maybe:

try:

Context(meth)

except (Error, ValueError):

506

# Some versions of OpenSSL have SSLv2 / TLSv1.1 / TLSv1.2, some

507

# don't. Difficult to say in advance.

508

pass

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

509

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

510

with pytest.raises(TypeError):

511

Context("")

512

with pytest.raises(ValueError):

513

Context(10)

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

514

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

515

@skip_if_py3

516

def test_method_long(self):

517

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

518

On Python 2 `Context` accepts values of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

519

"""

520

Context(long(TLSv1_METHOD))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

521

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

522

def test_type(self):

523

"""

Alex Gaynor

01f90a1

2019-02-07 09:14:48 -0500

[diff] [blame]

524

`Context` can be used to create instances of that type.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

525

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

526

assert is_consistent_type(Context, 'Context', TLSv1_METHOD)

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

527

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

528

def test_use_privatekey(self):

529

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

530

`Context.use_privatekey` takes an `OpenSSL.crypto.PKey` instance.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

531

"""

532

key = PKey()

Alex Gaynor

6e9f976

2018-05-12 07:44:37 -0400

[diff] [blame]

533

key.generate_key(TYPE_RSA, 512)

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

534

ctx = Context(TLSv1_METHOD)

535

ctx.use_privatekey(key)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

536

with pytest.raises(TypeError):

537

ctx.use_privatekey("")

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

538

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

539

def test_use_privatekey_file_missing(self, tmpfile):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

540

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

541

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` when passed

542

the name of a file which does not exist.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

543

"""

544

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

545

with pytest.raises(Error):

546

ctx.use_privatekey_file(tmpfile)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

547

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

548

def _use_privatekey_file_test(self, pemfile, filetype):

549

"""

550

Verify that calling ``Context.use_privatekey_file`` with the given

551

arguments does not raise an exception.

552

"""

553

key = PKey()

Alex Gaynor

6e9f976

2018-05-12 07:44:37 -0400

[diff] [blame]

554

key.generate_key(TYPE_RSA, 512)

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

555

556

with open(pemfile, "wt") as pem:

557

pem.write(

558

dump_privatekey(FILETYPE_PEM, key).decode("ascii")

559

)

560

561

ctx = Context(TLSv1_METHOD)

562

ctx.use_privatekey_file(pemfile, filetype)

563

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

564

@pytest.mark.parametrize('filetype', [object(), "", None, 1.0])

565

def test_wrong_privatekey_file_wrong_args(self, tmpfile, filetype):

566

"""

567

`Context.use_privatekey_file` raises `TypeError` when called with

568

a `filetype` which is not a valid file encoding.

569

"""

570

ctx = Context(TLSv1_METHOD)

571

with pytest.raises(TypeError):

572

ctx.use_privatekey_file(tmpfile, filetype)

573

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

574

def test_use_privatekey_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

575

"""

576

A private key can be specified from a file by passing a ``bytes``

577

instance giving the file name to ``Context.use_privatekey_file``.

578

"""

579

self._use_privatekey_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

580

tmpfile + NON_ASCII.encode(getfilesystemencoding()),

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

FILETYPE_PEM,

)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

584

def test_use_privatekey_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

585

"""

586

A private key can be specified from a file by passing a ``unicode``

587

instance giving the file name to ``Context.use_privatekey_file``.

588

"""

589

self._use_privatekey_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

590

tmpfile.decode(getfilesystemencoding()) + NON_ASCII,

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

FILETYPE_PEM,

)

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

594

@skip_if_py3

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

595

def test_use_privatekey_file_long(self, tmpfile):

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

596

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

597

On Python 2 `Context.use_privatekey_file` accepts a filetype of

598

type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

599

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

600

self._use_privatekey_file_test(tmpfile, long(FILETYPE_PEM))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

601

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

602

def test_use_certificate_wrong_args(self):

603

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

604

`Context.use_certificate_wrong_args` raises `TypeError` when not passed

605

exactly one `OpenSSL.crypto.X509` instance as an argument.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

606

"""

607

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

608

with pytest.raises(TypeError):

609

ctx.use_certificate("hello, world")

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

610

611

def test_use_certificate_uninitialized(self):

612

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

613

`Context.use_certificate` raises `OpenSSL.SSL.Error` when passed a

614

`OpenSSL.crypto.X509` instance which has not been initialized

615

(ie, which does not actually have any certificate data).

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

616

"""

617

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

618

with pytest.raises(Error):

619

ctx.use_certificate(X509())

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

620

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

621

def test_use_certificate(self):

622

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

623

`Context.use_certificate` sets the certificate which will be

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

624

used to identify connections created using the context.

625

"""

626

# TODO

627

# Hard to assert anything. But we could set a privatekey then ask

628

# OpenSSL if the cert and key agree using check_privatekey. Then as

629

# long as check_privatekey works right we're good...

630

ctx = Context(TLSv1_METHOD)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

631

ctx.use_certificate(

632

load_certificate(FILETYPE_PEM, cleartextCertificatePEM)

633

)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

634

635

def test_use_certificate_file_wrong_args(self):

636

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

637

`Context.use_certificate_file` raises `TypeError` if the first

638

argument is not a byte string or the second argument is not an integer.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

639

"""

640

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

641

with pytest.raises(TypeError):

642

ctx.use_certificate_file(object(), FILETYPE_PEM)

643

with pytest.raises(TypeError):

644

ctx.use_certificate_file(b"somefile", object())

645

with pytest.raises(TypeError):

646

ctx.use_certificate_file(object(), FILETYPE_PEM)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

647

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

648

def test_use_certificate_file_missing(self, tmpfile):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

649

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

650

`Context.use_certificate_file` raises `OpenSSL.SSL.Error` if passed

651

the name of a file which does not exist.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

652

"""

653

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

654

with pytest.raises(Error):

655

ctx.use_certificate_file(tmpfile)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

656

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

657

def _use_certificate_file_test(self, certificate_file):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

658

"""

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

659

Verify that calling ``Context.use_certificate_file`` with the given

660

filename doesn't raise an exception.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

661

"""

662

# TODO

663

# Hard to assert anything. But we could set a privatekey then ask

664

# OpenSSL if the cert and key agree using check_privatekey. Then as

665

# long as check_privatekey works right we're good...

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

666

with open(certificate_file, "wb") as pem_file:

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

667

pem_file.write(cleartextCertificatePEM)

668

669

ctx = Context(TLSv1_METHOD)

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

670

ctx.use_certificate_file(certificate_file)

671

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

672

def test_use_certificate_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

673

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

674

`Context.use_certificate_file` sets the certificate (given as a

675

`bytes` filename) which will be used to identify connections created

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

676

using the context.

677

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

678

filename = tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

679

self._use_certificate_file_test(filename)

680

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

681

def test_use_certificate_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

682

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

683

`Context.use_certificate_file` sets the certificate (given as a

684

`bytes` filename) which will be used to identify connections created

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

685

using the context.

686

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

687

filename = tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

688

self._use_certificate_file_test(filename)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

689

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

690

@skip_if_py3

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

691

def test_use_certificate_file_long(self, tmpfile):

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

692

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

693

On Python 2 `Context.use_certificate_file` accepts a

694

filetype of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

695

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

696

pem_filename = tmpfile

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

697

with open(pem_filename, "wb") as pem_file:

698

pem_file.write(cleartextCertificatePEM)

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

699

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

700

ctx = Context(TLSv1_METHOD)

701

ctx.use_certificate_file(pem_filename, long(FILETYPE_PEM))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

702

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

703

def test_check_privatekey_valid(self):

704

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

705

`Context.check_privatekey` returns `None` if the `Context` instance

706

has been configured to use a matched key and certificate pair.

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

707

"""

708

key = load_privatekey(FILETYPE_PEM, client_key_pem)

709

cert = load_certificate(FILETYPE_PEM, client_cert_pem)

710

context = Context(TLSv1_METHOD)

711

context.use_privatekey(key)

712

context.use_certificate(cert)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

713

assert None is context.check_privatekey()

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

714

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

715

def test_check_privatekey_invalid(self):

716

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

717

`Context.check_privatekey` raises `Error` if the `Context` instance

718

has been configured to use a key and certificate pair which don't

719

relate to each other.

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

720

"""

721

key = load_privatekey(FILETYPE_PEM, client_key_pem)

722

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

723

context = Context(TLSv1_METHOD)

724

context.use_privatekey(key)

725

context.use_certificate(cert)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

726

with pytest.raises(Error):

727

context.check_privatekey()

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

728

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

729

def test_app_data(self):

730

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

731

`Context.set_app_data` stores an object for later retrieval

732

using `Context.get_app_data`.

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

733

"""

734

app_data = object()

735

context = Context(TLSv1_METHOD)

736

context.set_app_data(app_data)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

737

assert context.get_app_data() is app_data

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

738

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

739

def test_set_options_wrong_args(self):

740

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

741

`Context.set_options` raises `TypeError` if called with

742

a non-`int` argument.

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

743

"""

744

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

745

with pytest.raises(TypeError):

746

context.set_options(None)

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

747

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

748

def test_set_options(self):

749

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

750

`Context.set_options` returns the new options value.

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

751

"""

752

context = Context(TLSv1_METHOD)

753

options = context.set_options(OP_NO_SSLv2)

Alex Gaynor

2310f8b

2016-09-10 14:39:32 -0400

[diff] [blame]

754

assert options & OP_NO_SSLv2 == OP_NO_SSLv2

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

755

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

756

@skip_if_py3

757

def test_set_options_long(self):

758

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

759

On Python 2 `Context.set_options` accepts values of type

760

`long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

761

"""

762

context = Context(TLSv1_METHOD)

763

options = context.set_options(long(OP_NO_SSLv2))

Alex Gaynor

2310f8b

2016-09-10 14:39:32 -0400

[diff] [blame]

764

assert options & OP_NO_SSLv2 == OP_NO_SSLv2

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

765

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

766

def test_set_mode_wrong_args(self):

767

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

768

`Context.set_mode` raises `TypeError` if called with

769

a non-`int` argument.

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

770

"""

771

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

772

with pytest.raises(TypeError):

773

context.set_mode(None)

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

774

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

775

def test_set_mode(self):

776

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

777

`Context.set_mode` accepts a mode bitvector and returns the

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

778

newly set mode.

779

"""

780

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

781

assert MODE_RELEASE_BUFFERS & context.set_mode(MODE_RELEASE_BUFFERS)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

782

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

783

@skip_if_py3

784

def test_set_mode_long(self):

785

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

786

On Python 2 `Context.set_mode` accepts values of type `long` as well

787

as `int`.

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

788

"""

789

context = Context(TLSv1_METHOD)

790

mode = context.set_mode(long(MODE_RELEASE_BUFFERS))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

791

assert MODE_RELEASE_BUFFERS & mode

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

792

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

793

def test_set_timeout_wrong_args(self):

794

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

795

`Context.set_timeout` raises `TypeError` if called with

796

a non-`int` argument.

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

797

"""

798

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

799

with pytest.raises(TypeError):

800

context.set_timeout(None)

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

801

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

802

def test_timeout(self):

803

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

804

`Context.set_timeout` sets the session timeout for all connections

805

created using the context object. `Context.get_timeout` retrieves

806

this value.

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

807

"""

808

context = Context(TLSv1_METHOD)

809

context.set_timeout(1234)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

810

assert context.get_timeout() == 1234

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

811

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

812

@skip_if_py3

813

def test_timeout_long(self):

814

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

815

On Python 2 `Context.set_timeout` accepts values of type `long` as

816

well as int.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

817

"""

818

context = Context(TLSv1_METHOD)

819

context.set_timeout(long(1234))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

820

assert context.get_timeout() == 1234

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

821

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

822

def test_set_verify_depth_wrong_args(self):

823

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

824

`Context.set_verify_depth` raises `TypeError` if called with a

825

non-`int` argument.

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

826

"""

827

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

828

with pytest.raises(TypeError):

829

context.set_verify_depth(None)

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

830

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

831

def test_verify_depth(self):

832

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

833

`Context.set_verify_depth` sets the number of certificates in

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

834

a chain to follow before giving up. The value can be retrieved with

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

835

`Context.get_verify_depth`.

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

836

"""

837

context = Context(TLSv1_METHOD)

838

context.set_verify_depth(11)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

839

assert context.get_verify_depth() == 11

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

840

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

841

@skip_if_py3

842

def test_verify_depth_long(self):

843

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

844

On Python 2 `Context.set_verify_depth` accepts values of type `long`

845

as well as int.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

846

"""

847

context = Context(TLSv1_METHOD)

848

context.set_verify_depth(long(11))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

849

assert context.get_verify_depth() == 11

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

850

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

851

def _write_encrypted_pem(self, passphrase, tmpfile):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

852

"""

853

Write a new private key out to a new file, encrypted using the given

854

passphrase. Return the path to the new file.

855

"""

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

856

key = PKey()

Alex Gaynor

6e9f976

2018-05-12 07:44:37 -0400

[diff] [blame]

857

key.generate_key(TYPE_RSA, 512)

Jean-Paul Calderone

a986883

2010-08-22 21:38:34 -0400

[diff] [blame]

858

pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

859

with open(tmpfile, 'w') as fObj:

860

fObj.write(pem.decode('ascii'))

861

return tmpfile

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

862

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

863

def test_set_passwd_cb_wrong_args(self):

864

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

865

`Context.set_passwd_cb` raises `TypeError` if called with a

866

non-callable first argument.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

867

"""

868

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

869

with pytest.raises(TypeError):

870

context.set_passwd_cb(None)

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

871

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

872

def test_set_passwd_cb(self, tmpfile):

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

873

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

874

`Context.set_passwd_cb` accepts a callable which will be invoked when

875

a private key is loaded from an encrypted PEM.

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

876

"""

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

877

passphrase = b"foobar"

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

878

pemFile = self._write_encrypted_pem(passphrase, tmpfile)

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

879

calledWith = []

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

880

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

881

def passphraseCallback(maxlen, verify, extra):

882

calledWith.append((maxlen, verify, extra))

883

return passphrase

884

context = Context(TLSv1_METHOD)

885

context.set_passwd_cb(passphraseCallback)

886

context.use_privatekey_file(pemFile)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

887

assert len(calledWith) == 1

888

assert isinstance(calledWith[0][0], int)

889

assert isinstance(calledWith[0][1], int)

890

assert calledWith[0][2] is None

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

891

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

892

def test_passwd_callback_exception(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

893

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

894

`Context.use_privatekey_file` propagates any exception raised

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

895

by the passphrase callback.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

896

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

897

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

898

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

899

def passphraseCallback(maxlen, verify, extra):

900

raise RuntimeError("Sorry, I am a fail.")

901

902

context = Context(TLSv1_METHOD)

903

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

904

with pytest.raises(RuntimeError):

905

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

906

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

907

def test_passwd_callback_false(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

908

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

909

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` if the

910

passphrase callback returns a false value.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

911

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

912

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

913

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

914

def passphraseCallback(maxlen, verify, extra):

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

915

return b""

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

916

917

context = Context(TLSv1_METHOD)

918

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

919

with pytest.raises(Error):

920

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

921

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

922

def test_passwd_callback_non_string(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

923

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

924

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` if the

925

passphrase callback returns a true non-string value.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

926

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

927

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

928

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

929

def passphraseCallback(maxlen, verify, extra):

930

return 10

931

932

context = Context(TLSv1_METHOD)

933

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

934

# TODO: Surely this is the wrong error?

935

with pytest.raises(ValueError):

936

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

937

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

938

def test_passwd_callback_too_long(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

939

"""

940

If the passphrase returned by the passphrase callback returns a string

941

longer than the indicated maximum length, it is truncated.

942

"""

943

# A priori knowledge!

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

944

passphrase = b"x" * 1024

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

945

pemFile = self._write_encrypted_pem(passphrase, tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

946

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

947

def passphraseCallback(maxlen, verify, extra):

948

assert maxlen == 1024

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

949

return passphrase + b"y"

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

950

951

context = Context(TLSv1_METHOD)

952

context.set_passwd_cb(passphraseCallback)

953

# This shall succeed because the truncated result is the correct

954

# passphrase.

955

context.use_privatekey_file(pemFile)

956

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

957

def test_set_info_callback(self):

958

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

959

`Context.set_info_callback` accepts a callable which will be

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

960

invoked when certain information about an SSL connection is available.

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

961

"""

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

962

(server, client) = socket_pair()

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

963

964

clientSSL = Connection(Context(TLSv1_METHOD), client)

965

clientSSL.set_connect_state()

966

967

called = []

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

968

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

969

def info(conn, where, ret):

970

called.append((conn, where, ret))

971

context = Context(TLSv1_METHOD)

972

context.set_info_callback(info)

973

context.use_certificate(

974

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

975

context.use_privatekey(

976

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

977

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

978

serverSSL = Connection(context, server)

979

serverSSL.set_accept_state()

980

Jean-Paul Calderone

f2bbc9c

2014-02-02 10:59:14 -0500

[diff] [blame]

981

handshake(clientSSL, serverSSL)

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

982

Jean-Paul Calderone

3835e52

2014-02-02 11:12:30 -0500

[diff] [blame]

983

# The callback must always be called with a Connection instance as the

984

# first argument. It would probably be better to split this into

985

# separate tests for client and server side info callbacks so we could

986

# assert it is called with the right Connection instance. It would

987

# also be good to assert *something* about `where` and `ret`.

Jean-Paul Calderone

f2bbc9c

2014-02-02 10:59:14 -0500

[diff] [blame]

988

notConnections = [

989

conn for (conn, where, ret) in called

990

if not isinstance(conn, Connection)]

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

991

assert [] == notConnections, (

992

"Some info callback arguments were not Connection instances.")

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

993

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

994

def _load_verify_locations_test(self, *args):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

995

"""

996

Create a client context which will verify the peer certificate and call

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

997

its `load_verify_locations` method with the given arguments.

Jean-Paul Calderone

64efa2c

2011-09-11 10:00:09 -0400

[diff] [blame]

998

Then connect it to a server and ensure that the handshake succeeds.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

999

"""

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

1000

(server, client) = socket_pair()

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1001

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1002

clientContext = Context(TLSv1_METHOD)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1003

clientContext.load_verify_locations(*args)

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1004

# Require that the server certificate verify properly or the

1005

# connection will fail.

1006

clientContext.set_verify(

1007

VERIFY_PEER,

1008

lambda conn, cert, errno, depth, preverify_ok: preverify_ok)

1009

1010

clientSSL = Connection(clientContext, client)

1011

clientSSL.set_connect_state()

1012

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1013

serverContext = Context(TLSv1_METHOD)

1014

serverContext.use_certificate(

1015

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1016

serverContext.use_privatekey(

1017

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1018

1019

serverSSL = Connection(serverContext, server)

1020

serverSSL.set_accept_state()

1021

Jean-Paul Calderone

f874203

2010-09-25 00:00:32 -0400

[diff] [blame]

1022

# Without load_verify_locations above, the handshake

1023

# will fail:

1024

# Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE',

1025

# 'certificate verify failed')]

1026

handshake(clientSSL, serverSSL)

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1027

1028

cert = clientSSL.get_peer_certificate()

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1029

assert cert.get_subject().CN == 'Testing Root CA'

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1030

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1031

def _load_verify_cafile(self, cafile):

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1032

"""

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1033

Verify that if path to a file containing a certificate is passed to

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1034

`Context.load_verify_locations` for the ``cafile`` parameter, that

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1035

certificate is used as a trust root for the purposes of verifying

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1036

connections created using that `Context`.

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1037

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1038

with open(cafile, 'w') as fObj:

1039

fObj.write(cleartextCertificatePEM.decode('ascii'))

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1040

1041

self._load_verify_locations_test(cafile)

1042

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1043

def test_load_verify_bytes_cafile(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1044

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1045

`Context.load_verify_locations` accepts a file name as a `bytes`

1046

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1047

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1048

cafile = tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1049

self._load_verify_cafile(cafile)

1050

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1051

def test_load_verify_unicode_cafile(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1052

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1053

`Context.load_verify_locations` accepts a file name as a `unicode`

1054

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1055

"""

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1056

self._load_verify_cafile(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1057

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1058

)

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1059

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1060

def test_load_verify_invalid_file(self, tmpfile):

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1061

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1062

`Context.load_verify_locations` raises `Error` when passed a

1063

non-existent cafile.

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1064

"""

1065

clientContext = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1066

with pytest.raises(Error):

1067

clientContext.load_verify_locations(tmpfile)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1068

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1069

def _load_verify_directory_locations_capath(self, capath):

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1070

"""

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1071

Verify that if path to a directory containing certificate files is

1072

passed to ``Context.load_verify_locations`` for the ``capath``

1073

parameter, those certificates are used as trust roots for the purposes

1074

of verifying connections created using that ``Context``.

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1075

"""

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1076

makedirs(capath)

Jean-Paul Calderone

24dfb33

2011-05-04 18:10:26 -0400

[diff] [blame]

1077

# Hash values computed manually with c_rehash to avoid depending on

1078

# c_rehash in the test suite. One is from OpenSSL 0.9.8, the other

1079

# from OpenSSL 1.0.0.

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

1080

for name in [b'c7adac82.0', b'c3705638.0']:

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

1081

cafile = join_bytes_or_unicode(capath, name)

1082

with open(cafile, 'w') as fObj:

1083

fObj.write(cleartextCertificatePEM.decode('ascii'))

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1084

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1085

self._load_verify_locations_test(None, capath)

1086

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1087

def test_load_verify_directory_bytes_capath(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1088

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1089

`Context.load_verify_locations` accepts a directory name as a `bytes`

1090

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1091

"""

1092

self._load_verify_directory_locations_capath(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1093

tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1094

)

1095

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1096

def test_load_verify_directory_unicode_capath(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1097

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1098

`Context.load_verify_locations` accepts a directory name as a `unicode`

1099

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1100

"""

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1101

self._load_verify_directory_locations_capath(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1102

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1103

)

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1104

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1105

def test_load_verify_locations_wrong_args(self):

1106

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1107

`Context.load_verify_locations` raises `TypeError` if with non-`str`

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1108

arguments.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1109

"""

1110

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1111

with pytest.raises(TypeError):

1112

context.load_verify_locations(object())

1113

with pytest.raises(TypeError):

1114

context.load_verify_locations(object(), object())

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1115

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1116

@pytest.mark.skipif(

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

1117

not platform.startswith("linux"),

1118

reason="Loading fallback paths is a linux-specific behavior to "

1119

"accommodate pyca/cryptography manylinux1 wheels"

1120

)

1121

def test_fallback_default_verify_paths(self, monkeypatch):

1122

"""

1123

Test that we load certificates successfully on linux from the fallback

1124

path. To do this we set the _CRYPTOGRAPHY_MANYLINUX1_CA_FILE and

1125

_CRYPTOGRAPHY_MANYLINUX1_CA_DIR vars to be equal to whatever the

1126

current OpenSSL default is and we disable

1127

SSL_CTX_SET_default_verify_paths so that it can't find certs unless

1128

it loads via fallback.

1129

"""

1130

context = Context(TLSv1_METHOD)

1131

monkeypatch.setattr(

1132

_lib, "SSL_CTX_set_default_verify_paths", lambda x: 1

)

monkeypatch.setattr(

SSL,

"_CRYPTOGRAPHY_MANYLINUX1_CA_FILE",

1137

_ffi.string(_lib.X509_get_default_cert_file())

)

monkeypatch.setattr(

SSL,

"_CRYPTOGRAPHY_MANYLINUX1_CA_DIR",

1142

_ffi.string(_lib.X509_get_default_cert_dir())

1143

)

1144

context.set_default_verify_paths()

1145

store = context.get_cert_store()

1146

sk_obj = _lib.X509_STORE_get0_objects(store._store)

1147

assert sk_obj != _ffi.NULL

1148

num = _lib.sk_X509_OBJECT_num(sk_obj)

1149

assert num != 0

1150

1151

def test_check_env_vars(self, monkeypatch):

1152

"""

1153

Test that we return True/False appropriately if the env vars are set.

1154

"""

1155

context = Context(TLSv1_METHOD)

1156

dir_var = "CUSTOM_DIR_VAR"

1157

file_var = "CUSTOM_FILE_VAR"

1158

assert context._check_env_vars_set(dir_var, file_var) is False

1159

monkeypatch.setenv(dir_var, "value")

1160

monkeypatch.setenv(file_var, "value")

1161

assert context._check_env_vars_set(dir_var, file_var) is True

1162

assert context._check_env_vars_set(dir_var, file_var) is True

1163

1164

def test_verify_no_fallback_if_env_vars_set(self, monkeypatch):

1165

"""

1166

Test that we don't use the fallback path if env vars are set.

1167

"""

1168

context = Context(TLSv1_METHOD)

1169

monkeypatch.setattr(

1170

_lib, "SSL_CTX_set_default_verify_paths", lambda x: 1

1171

)

1172

dir_env_var = _ffi.string(

1173

_lib.X509_get_default_cert_dir_env()

1174

).decode("ascii")

1175

file_env_var = _ffi.string(

1176

_lib.X509_get_default_cert_file_env()

1177

).decode("ascii")

1178

monkeypatch.setenv(dir_env_var, "value")

1179

monkeypatch.setenv(file_env_var, "value")

1180

context.set_default_verify_paths()

monkeypatch.setattr(

context,

"_fallback_default_verify_paths",

1185

raiser(SystemError)

1186

)

1187

context.set_default_verify_paths()

1188

1189

@pytest.mark.skipif(

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1190

platform == "win32",

1191

reason="set_default_verify_paths appears not to work on Windows. "

Jean-Paul Calderone

28fb8f0

2009-07-24 18:01:31 -0400

[diff] [blame]

1192

"See LP#404343 and LP#404344."

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1193

)

1194

def test_set_default_verify_paths(self):

1195

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1196

`Context.set_default_verify_paths` causes the platform-specific CA

1197

certificate locations to be used for verification purposes.

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1198

"""

1199

# Testing this requires a server with a certificate signed by one

1200

# of the CAs in the platform CA location. Getting one of those

1201

# costs money. Fortunately (or unfortunately, depending on your

1202

# perspective), it's easy to think of a public server on the

1203

# internet which has such a certificate. Connecting to the network

1204

# in a unit test is bad, but it's the only way I can think of to

1205

# really test this. -exarkun

Hynek Schlawack

bf88793

2015-10-21 17:13:47 +0200

[diff] [blame]

1206

context = Context(SSLv23_METHOD)

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1207

context.set_default_verify_paths()

1208

context.set_verify(

1209

VERIFY_PEER,

1210

lambda conn, cert, errno, depth, preverify_ok: preverify_ok)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1211

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1212

client = socket()

Hynek Schlawack

bf88793

2015-10-21 17:13:47 +0200

[diff] [blame]

1213

client.connect(("encrypted.google.com", 443))

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1214

clientSSL = Connection(context, client)

1215

clientSSL.set_connect_state()

Alex Gaynor

373926c

2018-05-12 07:43:07 -0400

[diff] [blame]

1216

clientSSL.set_tlsext_host_name(b"encrypted.google.com")

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1217

clientSSL.do_handshake()

1218

clientSSL.send(b"GET / HTTP/1.0\r\n\r\n")

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1219

assert clientSSL.recv(1024)

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

1220

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

1221

def test_fallback_path_is_not_file_or_dir(self):

1222

"""

1223

Test that when passed empty arrays or paths that do not exist no

1224

errors are raised.

1225

"""

1226

context = Context(TLSv1_METHOD)

1227

context._fallback_default_verify_paths([], [])

1228

context._fallback_default_verify_paths(

1229

["/not/a/file"], ["/not/a/dir"]

1230

)

1231

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1232

def test_add_extra_chain_cert_invalid_cert(self):

1233

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1234

`Context.add_extra_chain_cert` raises `TypeError` if called with an

1235

object which is not an instance of `X509`.

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1236

"""

1237

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1238

with pytest.raises(TypeError):

1239

context.add_extra_chain_cert(object())

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1240

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1241

def _handshake_test(self, serverContext, clientContext):

1242

"""

1243

Verify that a client and server created with the given contexts can

1244

successfully handshake and communicate.

1245

"""

1246

serverSocket, clientSocket = socket_pair()

1247

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1248

server = Connection(serverContext, serverSocket)

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

1249

server.set_accept_state()

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1250

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1251

client = Connection(clientContext, clientSocket)

1252

client.set_connect_state()

1253

1254

# Make them talk to each other.

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1255

# interact_in_memory(client, server)

1256

for _ in range(3):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1257

for s in [client, server]:

1258

try:

1259

s.do_handshake()

1260

except WantReadError:

1261

pass

1262

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1263

def test_set_verify_callback_connection_argument(self):

1264

"""

1265

The first argument passed to the verify callback is the

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1266

`Connection` instance for which verification is taking place.

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1267

"""

1268

serverContext = Context(TLSv1_METHOD)

1269

serverContext.use_privatekey(

1270

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1271

serverContext.use_certificate(

1272

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1273

serverConnection = Connection(serverContext, None)

1274

1275

class VerifyCallback(object):

1276

def callback(self, connection, *args):

1277

self.connection = connection

1278

return 1

1279

1280

verify = VerifyCallback()

1281

clientContext = Context(TLSv1_METHOD)

1282

clientContext.set_verify(VERIFY_PEER, verify.callback)

1283

clientConnection = Connection(clientContext, None)

1284

clientConnection.set_connect_state()

1285

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1286

handshake_in_memory(clientConnection, serverConnection)

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1287

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1288

assert verify.connection is clientConnection

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1289

Paul Kehrer

e738186

2017-11-30 20:55:25 +0800

[diff] [blame]

1290

def test_x509_in_verify_works(self):

1291

"""

1292

We had a bug where the X509 cert instantiated in the callback wrapper

1293

didn't __init__ so it was missing objects needed when calling

1294

get_subject. This test sets up a handshake where we call get_subject

1295

on the cert provided to the verify callback.

1296

"""

1297

serverContext = Context(TLSv1_METHOD)

1298

serverContext.use_privatekey(

1299

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1300

serverContext.use_certificate(

1301

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1302

serverConnection = Connection(serverContext, None)

1303

1304

def verify_cb_get_subject(conn, cert, errnum, depth, ok):

1305

assert cert.get_subject()

1306

return 1

1307

1308

clientContext = Context(TLSv1_METHOD)

1309

clientContext.set_verify(VERIFY_PEER, verify_cb_get_subject)

1310

clientConnection = Connection(clientContext, None)

1311

clientConnection.set_connect_state()

1312

1313

handshake_in_memory(clientConnection, serverConnection)

1314

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1315

def test_set_verify_callback_exception(self):

1316

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1317

If the verify callback passed to `Context.set_verify` raises an

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1318

exception, verification fails and the exception is propagated to the

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1319

caller of `Connection.do_handshake`.

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1320

"""

Paul Kehrer

2019-01-21 12:24:02 -0600

[diff] [blame]

1321

serverContext = Context(TLSv1_2_METHOD)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1322

serverContext.use_privatekey(

1323

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1324

serverContext.use_certificate(

1325

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1326

Paul Kehrer

2019-01-21 12:24:02 -0600

[diff] [blame]

1327

clientContext = Context(TLSv1_2_METHOD)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1328

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1329

def verify_callback(*args):

1330

raise Exception("silly verify failure")

1331

clientContext.set_verify(VERIFY_PEER, verify_callback)

1332

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1333

with pytest.raises(Exception) as exc:

1334

self._handshake_test(serverContext, clientContext)

1335

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1336

assert "silly verify failure" == str(exc.value)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1337

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1338

def test_add_extra_chain_cert(self, tmpdir):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1339

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1340

`Context.add_extra_chain_cert` accepts an `X509`

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1341

instance to add to the certificate chain.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1342

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1343

See `_create_certificate_chain` for the details of the

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1344

certificate chain tested.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1345

1346

The chain is tested by starting a server with scert and connecting

1347

to it with a client which trusts cacert and requires verification to

1348

succeed.

1349

"""

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

1350

chain = _create_certificate_chain()

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1351

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

1352

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1353

# Dump the CA certificate to a file because that's the only way to load

1354

# it as a trusted CA in the client context.

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1355

for cert, name in [(cacert, 'ca.pem'),

1356

(icert, 'i.pem'),

1357

(scert, 's.pem')]:

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1358

with tmpdir.join(name).open('w') as f:

Hynek Schlawack

e90680f

2015-04-16 15:09:27 -0400

[diff] [blame]

1359

f.write(dump_certificate(FILETYPE_PEM, cert).decode('ascii'))

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1360

Hynek Schlawack

1902c01

2015-04-16 15:06:41 -0400

[diff] [blame]

1361

for key, name in [(cakey, 'ca.key'),

1362

(ikey, 'i.key'),

1363

(skey, 's.key')]:

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1364

with tmpdir.join(name).open('w') as f:

Hynek Schlawack

e90680f

2015-04-16 15:09:27 -0400

[diff] [blame]

1365

f.write(dump_privatekey(FILETYPE_PEM, key).decode('ascii'))

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1366

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1367

# Create the server context

1368

serverContext = Context(TLSv1_METHOD)

1369

serverContext.use_privatekey(skey)

1370

serverContext.use_certificate(scert)

Jean-Paul Calderone

16cf03d

2010-09-08 18:53:39 -0400

[diff] [blame]

1371

# The client already has cacert, we only need to give them icert.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1372

serverContext.add_extra_chain_cert(icert)

1373

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1374

# Create the client

1375

clientContext = Context(TLSv1_METHOD)

1376

clientContext.set_verify(

1377

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1378

clientContext.load_verify_locations(str(tmpdir.join("ca.pem")))

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

1379

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1380

# Try it out.

1381

self._handshake_test(serverContext, clientContext)

1382

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1383

def _use_certificate_chain_file_test(self, certdir):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1384

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1385

Verify that `Context.use_certificate_chain_file` reads a

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1386

certificate chain from a specified file.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1387

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1388

The chain is tested by starting a server with scert and connecting to

1389

it with a client which trusts cacert and requires verification to

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1390

succeed.

1391

"""

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

1392

chain = _create_certificate_chain()

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1393

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

1394

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1395

makedirs(certdir)

1396

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

1397

chainFile = join_bytes_or_unicode(certdir, "chain.pem")

1398

caFile = join_bytes_or_unicode(certdir, "ca.pem")

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1399

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1400

# Write out the chain file.

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1401

with open(chainFile, 'wb') as fObj:

1402

# Most specific to least general.

1403

fObj.write(dump_certificate(FILETYPE_PEM, scert))

1404

fObj.write(dump_certificate(FILETYPE_PEM, icert))

1405

fObj.write(dump_certificate(FILETYPE_PEM, cacert))

1406

1407

with open(caFile, 'w') as fObj:

1408

fObj.write(dump_certificate(FILETYPE_PEM, cacert).decode('ascii'))

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1409

1410

serverContext = Context(TLSv1_METHOD)

1411

serverContext.use_certificate_chain_file(chainFile)

1412

serverContext.use_privatekey(skey)

1413

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1414

clientContext = Context(TLSv1_METHOD)

1415

clientContext.set_verify(

1416

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1417

clientContext.load_verify_locations(caFile)

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1418

1419

self._handshake_test(serverContext, clientContext)

1420

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1421

def test_use_certificate_chain_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1422

"""

1423

``Context.use_certificate_chain_file`` accepts the name of a file (as

1424

an instance of ``bytes``) to specify additional certificates to use to

1425

construct and verify a trust chain.

1426

"""

1427

self._use_certificate_chain_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1428

tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1429

)

1430

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1431

def test_use_certificate_chain_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1432

"""

1433

``Context.use_certificate_chain_file`` accepts the name of a file (as

1434

an instance of ``unicode``) to specify additional certificates to use

1435

to construct and verify a trust chain.

1436

"""

1437

self._use_certificate_chain_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1438

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1439

)

1440

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1441

def test_use_certificate_chain_file_wrong_args(self):

1442

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1443

`Context.use_certificate_chain_file` raises `TypeError` if passed a

1444

non-byte string single argument.

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1445

"""

1446

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1447

with pytest.raises(TypeError):

1448

context.use_certificate_chain_file(object())

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1449

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1450

def test_use_certificate_chain_file_missing_file(self, tmpfile):

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1451

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1452

`Context.use_certificate_chain_file` raises `OpenSSL.SSL.Error` when

1453

passed a bad chain file name (for example, the name of a file which

1454

does not exist).

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1455

"""

1456

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1457

with pytest.raises(Error):

1458

context.use_certificate_chain_file(tmpfile)

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1459

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1460

def test_set_verify_mode(self):

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1461

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1462

`Context.get_verify_mode` returns the verify mode flags previously

1463

passed to `Context.set_verify`.

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1464

"""

1465

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1466

assert context.get_verify_mode() == 0

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1467

context.set_verify(

1468

VERIFY_PEER | VERIFY_CLIENT_ONCE, lambda *args: None)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1469

assert context.get_verify_mode() == (VERIFY_PEER | VERIFY_CLIENT_ONCE)

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1470

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1471

@skip_if_py3

1472

def test_set_verify_mode_long(self):

1473

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1474

On Python 2 `Context.set_verify_mode` accepts values of type `long`

1475

as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1476

"""

1477

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1478

assert context.get_verify_mode() == 0

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1479

context.set_verify(

Hynek Schlawack

b4ceed3

2015-09-05 20:55:19 +0200

[diff] [blame]

1480

long(VERIFY_PEER | VERIFY_CLIENT_ONCE), lambda *args: None

1481

) # pragma: nocover

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1482

assert context.get_verify_mode() == (VERIFY_PEER | VERIFY_CLIENT_ONCE)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1483

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1484

@pytest.mark.parametrize('mode', [None, 1.0, object(), 'mode'])

1485

def test_set_verify_wrong_mode_arg(self, mode):

1486

"""

1487

`Context.set_verify` raises `TypeError` if the first argument is

1488

not an integer.

1489

"""

1490

context = Context(TLSv1_METHOD)

1491

with pytest.raises(TypeError):

1492

context.set_verify(mode=mode, callback=lambda *args: None)

1493

1494

@pytest.mark.parametrize('callback', [None, 1.0, 'mode', ('foo', 'bar')])

1495

def test_set_verify_wrong_callable_arg(self, callback):

1496

"""

Alex Gaynor

40bc0f1

2018-05-14 14:06:16 -0400

[diff] [blame]

1497

`Context.set_verify` raises `TypeError` if the second argument

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1498

is not callable.

1499

"""

1500

context = Context(TLSv1_METHOD)

1501

with pytest.raises(TypeError):

1502

context.set_verify(mode=VERIFY_PEER, callback=callback)

1503

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1504

def test_load_tmp_dh_wrong_args(self):

1505

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1506

`Context.load_tmp_dh` raises `TypeError` if called with a

1507

non-`str` argument.

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1508

"""

1509

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1510

with pytest.raises(TypeError):

1511

context.load_tmp_dh(object())

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1512

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1513

def test_load_tmp_dh_missing_file(self):

1514

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1515

`Context.load_tmp_dh` raises `OpenSSL.SSL.Error` if the

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1516

specified file does not exist.

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1517

"""

1518

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1519

with pytest.raises(Error):

1520

context.load_tmp_dh(b"hello")

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1521

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1522

def _load_tmp_dh_test(self, dhfilename):

Jean-Paul Calderone

4e0c43f

2015-04-13 10:15:17 -0400

[diff] [blame]

1523

"""

1524

Verify that calling ``Context.load_tmp_dh`` with the given filename

1525

does not raise an exception.

1526

"""

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1527

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1528

with open(dhfilename, "w") as dhfile:

1529

dhfile.write(dhparam)

1530

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1531

context.load_tmp_dh(dhfilename)

1532

# XXX What should I assert here? -exarkun

1533

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1534

def test_load_tmp_dh_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1535

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1536

`Context.load_tmp_dh` loads Diffie-Hellman parameters from the

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1537

specified file (given as ``bytes``).

1538

"""

1539

self._load_tmp_dh_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1540

tmpfile + NON_ASCII.encode(getfilesystemencoding()),

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1541

)

1542

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1543

def test_load_tmp_dh_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1544

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1545

`Context.load_tmp_dh` loads Diffie-Hellman parameters from the

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1546

specified file (given as ``unicode``).

1547

"""

1548

self._load_tmp_dh_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1549

tmpfile.decode(getfilesystemencoding()) + NON_ASCII,

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1550

)

1551

Jean-Paul Calderone

3e4e335

2014-04-19 09:28:28 -0400

[diff] [blame]

1552

def test_set_tmp_ecdh(self):

Andy Lutomirski

f05a273

2014-03-13 17:22:25 -0700

[diff] [blame]

1553

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1554

`Context.set_tmp_ecdh` sets the elliptic curve for Diffie-Hellman to

1555

the specified curve.

Andy Lutomirski

f05a273

2014-03-13 17:22:25 -0700

[diff] [blame]

1556

"""

1557

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

1558

for curve in get_elliptic_curves():

Hynek Schlawack

a07fa8c

2015-10-17 10:15:28 +0200

[diff] [blame]

1559

if curve.name.startswith(u"Oakley-"):

Hynek Schlawack

7408aff

2015-10-17 09:51:16 +0200

[diff] [blame]

1560

# Setting Oakley-EC2N-4 and Oakley-EC2N-3 adds

1561

# ('bignum routines', 'BN_mod_inverse', 'no inverse') to the

1562

# error queue on OpenSSL 1.0.2.

1563

continue

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

1564

# The only easily "assertable" thing is that it does not raise an

1565

# exception.

Jean-Paul Calderone

3e4e335

2014-04-19 09:28:28 -0400

[diff] [blame]

1566

context.set_tmp_ecdh(curve)

Alex Gaynor

12dc084

2014-01-17 12:51:31 -0600

[diff] [blame]

1567

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1568

def test_set_session_cache_mode_wrong_args(self):

1569

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1570

`Context.set_session_cache_mode` raises `TypeError` if called with

1571

a non-integer argument.

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1572

called with other than one integer argument.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1573

"""

1574

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1575

with pytest.raises(TypeError):

1576

context.set_session_cache_mode(object())

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1577

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1578

def test_session_cache_mode(self):

1579

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1580

`Context.set_session_cache_mode` specifies how sessions are cached.

1581

The setting can be retrieved via `Context.get_session_cache_mode`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1582

"""

1583

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1584

context.set_session_cache_mode(SESS_CACHE_OFF)

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1585

off = context.set_session_cache_mode(SESS_CACHE_BOTH)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1586

assert SESS_CACHE_OFF == off

1587

assert SESS_CACHE_BOTH == context.get_session_cache_mode()

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1588

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1589

@skip_if_py3

1590

def test_session_cache_mode_long(self):

1591

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1592

On Python 2 `Context.set_session_cache_mode` accepts values

1593

of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1594

"""

1595

context = Context(TLSv1_METHOD)

1596

context.set_session_cache_mode(long(SESS_CACHE_BOTH))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1597

assert SESS_CACHE_BOTH == context.get_session_cache_mode()

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1598

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1599

def test_get_cert_store(self):

1600

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1601

`Context.get_cert_store` returns a `X509Store` instance.

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1602

"""

1603

context = Context(TLSv1_METHOD)

1604

store = context.get_cert_store()

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1605

assert isinstance(store, X509Store)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1606

Jeremy Lainé

02261ad

2018-05-16 18:33:25 +0200

[diff] [blame]

1607

def test_set_tlsext_use_srtp_not_bytes(self):

1608

"""

1609

`Context.set_tlsext_use_srtp' enables negotiating SRTP keying material.

1610

1611

It raises a TypeError if the list of profiles is not a byte string.

1612

"""

1613

context = Context(TLSv1_METHOD)

1614

with pytest.raises(TypeError):

1615

context.set_tlsext_use_srtp(text_type('SRTP_AES128_CM_SHA1_80'))

1616

1617

def test_set_tlsext_use_srtp_invalid_profile(self):

1618

"""

1619

`Context.set_tlsext_use_srtp' enables negotiating SRTP keying material.

1620

1621

It raises an Error if the call to OpenSSL fails.

1622

"""

1623

context = Context(TLSv1_METHOD)

1624

with pytest.raises(Error):

1625

context.set_tlsext_use_srtp(b'SRTP_BOGUS')

1626

1627

def test_set_tlsext_use_srtp_valid(self):

1628

"""

1629

`Context.set_tlsext_use_srtp' enables negotiating SRTP keying material.

1630

1631

It does not return anything.

1632

"""

1633

context = Context(TLSv1_METHOD)

1634

assert context.set_tlsext_use_srtp(b'SRTP_AES128_CM_SHA1_80') is None

1635

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1636

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1637

class TestServerNameCallback(object):

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1638

"""

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1639

Tests for `Context.set_tlsext_servername_callback` and its

1640

interaction with `Connection`.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1641

"""

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1642

def test_old_callback_forgotten(self):

1643

"""

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1644

If `Context.set_tlsext_servername_callback` is used to specify

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1645

a new callback, the one it replaces is dereferenced.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1646

"""

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1647

def callback(connection): # pragma: no cover

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1648

pass

1649

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1650

def replacement(connection): # pragma: no cover

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1651

pass

1652

1653

context = Context(TLSv1_METHOD)

1654

context.set_tlsext_servername_callback(callback)

1655

1656

tracker = ref(callback)

1657

del callback

1658

1659

context.set_tlsext_servername_callback(replacement)

Jean-Paul Calderone

d4033eb

2014-01-11 08:21:46 -0500

[diff] [blame]

1660

1661

# One run of the garbage collector happens to work on CPython. PyPy

1662

# doesn't collect the underlying object until a second run for whatever

1663

# reason. That's fine, it still demonstrates our code has properly

1664

# dropped the reference.

1665

collect()

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1666

collect()

Jean-Paul Calderone

4c1aacd

2014-01-11 08:15:17 -0500

[diff] [blame]

1667

1668

callback = tracker()

1669

if callback is not None:

1670

referrers = get_referrers(callback)

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1671

if len(referrers) > 1: # pragma: nocover

1672

pytest.fail("Some references remain: %r" % (referrers,))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1673

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1674

def test_no_servername(self):

1675

"""

1676

When a client specifies no server name, the callback passed to

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1677

`Context.set_tlsext_servername_callback` is invoked and the

1678

result of `Connection.get_servername` is `None`.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1679

"""

1680

args = []

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1681

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1682

def servername(conn):

1683

args.append((conn, conn.get_servername()))

1684

context = Context(TLSv1_METHOD)

1685

context.set_tlsext_servername_callback(servername)

1686

1687

# Lose our reference to it. The Context is responsible for keeping it

# alive now.

del servername

collect()

# Necessary to actually accept the connection

1693

context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1694

context.use_certificate(

1695

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1696

1697

# Do a little connection to trigger the logic

1698

server = Connection(context, None)

1699

server.set_accept_state()

1700

1701

client = Connection(Context(TLSv1_METHOD), None)

1702

client.set_connect_state()

1703

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1704

interact_in_memory(server, client)

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1705

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1706

assert args == [(server, None)]

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1707

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1708

def test_servername(self):

1709

"""

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1710

When a client specifies a server name in its hello message, the

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1711

callback passed to `Contexts.set_tlsext_servername_callback` is

1712

invoked and the result of `Connection.get_servername` is that

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1713

server name.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1714

"""

1715

args = []

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1716

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1717

def servername(conn):

1718

args.append((conn, conn.get_servername()))

1719

context = Context(TLSv1_METHOD)

1720

context.set_tlsext_servername_callback(servername)

1721

1722

# Necessary to actually accept the connection

1723

context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1724

context.use_certificate(

1725

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1726

1727

# Do a little connection to trigger the logic

1728

server = Connection(context, None)

1729

server.set_accept_state()

1730

1731

client = Connection(Context(TLSv1_METHOD), None)

1732

client.set_connect_state()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

1733

client.set_tlsext_host_name(b"foo1.example.com")

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1734

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1735

interact_in_memory(server, client)

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1736

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1737

assert args == [(server, b"foo1.example.com")]

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1738

1739

Paul Kehrer

4d57590

2019-02-26 21:42:12 +0800

[diff] [blame^]

1740

@pytest.mark.skipif(

1741

not _lib.Cryptography_HAS_NEXTPROTONEG, reason="NPN is not available"

1742

)

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1743

class TestNextProtoNegotiation(object):

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1744

"""

1745

Test for Next Protocol Negotiation in PyOpenSSL.

1746

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1747

def test_npn_success(self):

1748

"""

1749

Tests that clients and servers that agree on the negotiated next

1750

protocol can correct establish a connection, and that the agreed

1751

protocol is reported by the connections.

"""

advertise_args = []

select_args = []

def advertise(conn):

advertise_args.append((conn,))

1758

return [b'http/1.1', b'spdy/2']

1759

1760

def select(conn, options):

1761

select_args.append((conn, options))

1762

return b'spdy/2'

1763

1764

server_context = Context(TLSv1_METHOD)

1765

server_context.set_npn_advertise_callback(advertise)

1766

1767

client_context = Context(TLSv1_METHOD)

1768

client_context.set_npn_select_callback(select)

1769

1770

# Necessary to actually accept the connection

1771

server_context.use_privatekey(

1772

load_privatekey(FILETYPE_PEM, server_key_pem))

1773

server_context.use_certificate(

1774

load_certificate(FILETYPE_PEM, server_cert_pem))

1775

1776

# Do a little connection to trigger the logic

1777

server = Connection(server_context, None)

1778

server.set_accept_state()

1779

1780

client = Connection(client_context, None)

1781

client.set_connect_state()

1782

1783

interact_in_memory(server, client)

1784

1785

assert advertise_args == [(server,)]

1786

assert select_args == [(client, [b'http/1.1', b'spdy/2'])]

1787

1788

assert server.get_next_proto_negotiated() == b'spdy/2'

1789

assert client.get_next_proto_negotiated() == b'spdy/2'

1790

1791

def test_npn_client_fail(self):

1792

"""

1793

Tests that when clients and servers cannot agree on what protocol

1794

to use next that the TLS connection does not get established.

"""

advertise_args = []

select_args = []

def advertise(conn):

advertise_args.append((conn,))

1801

return [b'http/1.1', b'spdy/2']

1802

1803

def select(conn, options):

1804

select_args.append((conn, options))

1805

return b''

1806

1807

server_context = Context(TLSv1_METHOD)

1808

server_context.set_npn_advertise_callback(advertise)

1809

1810

client_context = Context(TLSv1_METHOD)

1811

client_context.set_npn_select_callback(select)

1812

1813

# Necessary to actually accept the connection

1814

server_context.use_privatekey(

1815

load_privatekey(FILETYPE_PEM, server_key_pem))

1816

server_context.use_certificate(

1817

load_certificate(FILETYPE_PEM, server_cert_pem))

1818

1819

# Do a little connection to trigger the logic

1820

server = Connection(server_context, None)

1821

server.set_accept_state()

1822

1823

client = Connection(client_context, None)

1824

client.set_connect_state()

1825

1826

# If the client doesn't return anything, the connection will fail.

1827

with pytest.raises(Error):

1828

interact_in_memory(server, client)

1829

1830

assert advertise_args == [(server,)]

1831

assert select_args == [(client, [b'http/1.1', b'spdy/2'])]

1832

1833

def test_npn_select_error(self):

1834

"""

1835

Test that we can handle exceptions in the select callback. If

1836

select fails it should be fatal to the connection.

"""

advertise_args = []

def advertise(conn):

advertise_args.append((conn,))

1842

return [b'http/1.1', b'spdy/2']

1843

1844

def select(conn, options):

1845

raise TypeError

1846

1847

server_context = Context(TLSv1_METHOD)

1848

server_context.set_npn_advertise_callback(advertise)

1849

1850

client_context = Context(TLSv1_METHOD)

1851

client_context.set_npn_select_callback(select)

1852

1853

# Necessary to actually accept the connection

1854

server_context.use_privatekey(

1855

load_privatekey(FILETYPE_PEM, server_key_pem))

1856

server_context.use_certificate(

1857

load_certificate(FILETYPE_PEM, server_cert_pem))

1858

1859

# Do a little connection to trigger the logic

1860

server = Connection(server_context, None)

1861

server.set_accept_state()

1862

1863

client = Connection(client_context, None)

1864

client.set_connect_state()

1865

1866

# If the callback throws an exception it should be raised here.

1867

with pytest.raises(TypeError):

1868

interact_in_memory(server, client)

1869

assert advertise_args == [(server,), ]

1870

1871

def test_npn_advertise_error(self):

1872

"""

1873

Test that we can handle exceptions in the advertise callback. If

1874

advertise fails no NPN is advertised to the client.

"""

select_args = []

def advertise(conn):

raise TypeError

def select(conn, options): # pragma: nocover

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

1882

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1883

Assert later that no args are actually appended.

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

1884

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1885

select_args.append((conn, options))

1886

return b''

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1887

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1888

server_context = Context(TLSv1_METHOD)

1889

server_context.set_npn_advertise_callback(advertise)

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1890

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1891

client_context = Context(TLSv1_METHOD)

1892

client_context.set_npn_select_callback(select)

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1893

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1894

# Necessary to actually accept the connection

1895

server_context.use_privatekey(

1896

load_privatekey(FILETYPE_PEM, server_key_pem))

1897

server_context.use_certificate(

1898

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1899

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1900

# Do a little connection to trigger the logic

1901

server = Connection(server_context, None)

1902

server.set_accept_state()

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1903

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1904

client = Connection(client_context, None)

1905

client.set_connect_state()

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1906

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1907

# If the client doesn't return anything, the connection will fail.

1908

with pytest.raises(TypeError):

1909

interact_in_memory(server, client)

1910

assert select_args == []

Cory Benfield

0ea76e7

2015-03-22 09:05:28 +0000

[diff] [blame]

1911

1912

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1913

class TestApplicationLayerProtoNegotiation(object):

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1914

"""

1915

Tests for ALPN in PyOpenSSL.

1916

"""

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1917

# Skip tests on versions that don't support ALPN.

1918

if _lib.Cryptography_HAS_ALPN:

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1919

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1920

def test_alpn_success(self):

1921

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1922

Clients and servers that agree on the negotiated ALPN protocol can

1923

correct establish a connection, and the agreed protocol is reported

1924

by the connections.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1925

"""

1926

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1927

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1928

def select(conn, options):

1929

select_args.append((conn, options))

1930

return b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1931

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1932

client_context = Context(TLSv1_METHOD)

1933

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1934

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1935

server_context = Context(TLSv1_METHOD)

1936

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1937

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1938

# Necessary to actually accept the connection

1939

server_context.use_privatekey(

1940

load_privatekey(FILETYPE_PEM, server_key_pem))

1941

server_context.use_certificate(

1942

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1943

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1944

# Do a little connection to trigger the logic

1945

server = Connection(server_context, None)

1946

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1947

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1948

client = Connection(client_context, None)

1949

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1950

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1951

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1952

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1953

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1954

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1955

assert server.get_alpn_proto_negotiated() == b'spdy/2'

1956

assert client.get_alpn_proto_negotiated() == b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1957

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1958

def test_alpn_set_on_connection(self):

1959

"""

1960

The same as test_alpn_success, but setting the ALPN protocols on

1961

the connection rather than the context.

1962

"""

1963

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1964

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1965

def select(conn, options):

1966

select_args.append((conn, options))

1967

return b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1968

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1969

# Setup the client context but don't set any ALPN protocols.

1970

client_context = Context(TLSv1_METHOD)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1971

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1972

server_context = Context(TLSv1_METHOD)

1973

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1974

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1975

# Necessary to actually accept the connection

1976

server_context.use_privatekey(

1977

load_privatekey(FILETYPE_PEM, server_key_pem))

1978

server_context.use_certificate(

1979

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1980

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1981

# Do a little connection to trigger the logic

1982

server = Connection(server_context, None)

1983

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1984

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1985

# Set the ALPN protocols on the client connection.

1986

client = Connection(client_context, None)

1987

client.set_alpn_protos([b'http/1.1', b'spdy/2'])

1988

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1989

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1990

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1991

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1992

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1993

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1994

assert server.get_alpn_proto_negotiated() == b'spdy/2'

1995

assert client.get_alpn_proto_negotiated() == b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1996

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1997

def test_alpn_server_fail(self):

1998

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1999

When clients and servers cannot agree on what protocol to use next

2000

the TLS connection does not get established.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2001

"""

2002

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2003

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2004

def select(conn, options):

2005

select_args.append((conn, options))

2006

return b''

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

2007

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2008

client_context = Context(TLSv1_METHOD)

2009

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

2010

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2011

server_context = Context(TLSv1_METHOD)

2012

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

2013

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2014

# Necessary to actually accept the connection

2015

server_context.use_privatekey(

2016

load_privatekey(FILETYPE_PEM, server_key_pem))

2017

server_context.use_certificate(

2018

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

2019

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2020

# Do a little connection to trigger the logic

2021

server = Connection(server_context, None)

2022

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

2023

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2024

client = Connection(client_context, None)

2025

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

2026

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2027

# If the client doesn't return anything, the connection will fail.

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2028

with pytest.raises(Error):

2029

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

2030

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2031

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

2032

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2033

def test_alpn_no_server(self):

2034

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

2035

When clients and servers cannot agree on what protocol to use next

2036

because the server doesn't offer ALPN, no protocol is negotiated.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2037

"""

2038

client_context = Context(TLSv1_METHOD)

2039

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2040

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2041

server_context = Context(TLSv1_METHOD)

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2042

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2043

# Necessary to actually accept the connection

2044

server_context.use_privatekey(

2045

load_privatekey(FILETYPE_PEM, server_key_pem))

2046

server_context.use_certificate(

2047

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2048

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2049

# Do a little connection to trigger the logic

2050

server = Connection(server_context, None)

2051

server.set_accept_state()

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2052

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2053

client = Connection(client_context, None)

2054

client.set_connect_state()

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2055

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2056

# Do the dance.

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2057

interact_in_memory(server, client)

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2058

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2059

assert client.get_alpn_proto_negotiated() == b''

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2060

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2061

def test_alpn_callback_exception(self):

2062

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

2063

We can handle exceptions in the ALPN select callback.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2064

"""

2065

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2066

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2067

def select(conn, options):

2068

select_args.append((conn, options))

Cory Benfield

ef40145

2015-04-13 18:17:36 -0400

[diff] [blame]

2069

raise TypeError()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2070

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2071

client_context = Context(TLSv1_METHOD)

2072

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2073

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2074

server_context = Context(TLSv1_METHOD)

2075

server_context.set_alpn_select_callback(select)

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2076

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2077

# Necessary to actually accept the connection

2078

server_context.use_privatekey(

2079

load_privatekey(FILETYPE_PEM, server_key_pem))

2080

server_context.use_certificate(

2081

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2082

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2083

# Do a little connection to trigger the logic

2084

server = Connection(server_context, None)

2085

server.set_accept_state()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2086

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2087

client = Connection(client_context, None)

2088

client.set_connect_state()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2089

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2090

with pytest.raises(TypeError):

2091

interact_in_memory(server, client)

2092

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2093

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2094

else:

2095

# No ALPN.

2096

def test_alpn_not_implemented(self):

Cory Benfield

ef40145

2015-04-13 18:17:36 -0400

[diff] [blame]

2097

"""

2098

If ALPN is not in OpenSSL, we should raise NotImplementedError.

2099

"""

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2100

# Test the context methods first.

2101

context = Context(TLSv1_METHOD)

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2102

with pytest.raises(NotImplementedError):

2103

context.set_alpn_protos(None)

2104

with pytest.raises(NotImplementedError):

2105

context.set_alpn_select_callback(None)

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2106

2107

# Now test a connection.

2108

conn = Connection(context)

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2109

with pytest.raises(NotImplementedError):

2110

conn.set_alpn_protos(None)

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2111

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2112

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2113

class TestSession(object):

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

2114

"""

2115

Unit tests for :py:obj:`OpenSSL.SSL.Session`.

2116

"""

2117

def test_construction(self):

2118

"""

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2119

:py:class:`Session` can be constructed with no arguments, creating

2120

a new instance of that type.

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

2121

"""

2122

new_session = Session()

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2123

assert isinstance(new_session, Session)

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

2124

2125

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2126

class TestConnection(object):

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2127

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2128

Unit tests for `OpenSSL.SSL.Connection`.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2129

"""

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

2130

# XXX get_peer_certificate -> None

2131

# XXX sock_shutdown

2132

# XXX master_key -> TypeError

2133

# XXX server_random -> TypeError

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

2134

# XXX connect -> TypeError

2135

# XXX connect_ex -> TypeError

2136

# XXX set_connect_state -> TypeError

2137

# XXX set_accept_state -> TypeError

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

2138

# XXX do_handshake -> TypeError

2139

# XXX bio_read -> TypeError

2140

# XXX recv -> TypeError

2141

# XXX send -> TypeError

2142

# XXX bio_write -> TypeError

2143

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2144

def test_type(self):

2145

"""

Alex Gaynor

01f90a1

2019-02-07 09:14:48 -0500

[diff] [blame]

2146

`Connection` can be used to create instances of that type.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2147

"""

2148

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2149

assert is_consistent_type(Connection, 'Connection', ctx, None)

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2150

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2151

@pytest.mark.parametrize('bad_context', [object(), 'context', None, 1])

2152

def test_wrong_args(self, bad_context):

2153

"""

2154

`Connection.__init__` raises `TypeError` if called with a non-`Context`

2155

instance argument.

2156

"""

2157

with pytest.raises(TypeError):

2158

Connection(bad_context)

2159

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

2160

def test_get_context(self):

2161

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2162

`Connection.get_context` returns the `Context` instance used to

2163

construct the `Connection` instance.

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

2164

"""

2165

context = Context(TLSv1_METHOD)

2166

connection = Connection(context, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2167

assert connection.get_context() is context

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

2168

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2169

def test_set_context_wrong_args(self):

2170

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2171

`Connection.set_context` raises `TypeError` if called with a

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2172

non-`Context` instance argument.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2173

"""

2174

ctx = Context(TLSv1_METHOD)

2175

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2176

with pytest.raises(TypeError):

2177

connection.set_context(object())

2178

with pytest.raises(TypeError):

2179

connection.set_context("hello")

2180

with pytest.raises(TypeError):

2181

connection.set_context(1)

2182

assert ctx is connection.get_context()

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2183

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2184

def test_set_context(self):

2185

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2186

`Connection.set_context` specifies a new `Context` instance to be

2187

used for the connection.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2188

"""

2189

original = Context(SSLv23_METHOD)

2190

replacement = Context(TLSv1_METHOD)

2191

connection = Connection(original, None)

2192

connection.set_context(replacement)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2193

assert replacement is connection.get_context()

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2194

# Lose our references to the contexts, just in case the Connection

2195

# isn't properly managing its own contributions to their reference

2196

# counts.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2197

del original, replacement

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2198

collect()

2199

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2200

def test_set_tlsext_host_name_wrong_args(self):

2201

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2202

If `Connection.set_tlsext_host_name` is called with a non-byte string

2203

argument or a byte string with an embedded NUL, `TypeError` is raised.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2204

"""

2205

conn = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2206

with pytest.raises(TypeError):

2207

conn.set_tlsext_host_name(object())

2208

with pytest.raises(TypeError):

2209

conn.set_tlsext_host_name(b"with\0null")

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2210

Abraham Martin

c5484ba

2015-03-25 15:33:05 +0000

[diff] [blame]

2211

if PY3:

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2212

# On Python 3.x, don't accidentally implicitly convert from text.

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2213

with pytest.raises(TypeError):

2214

conn.set_tlsext_host_name(b"example.com".decode("ascii"))

Jean-Paul Calderone

871a4d8

2011-05-26 19:24:02 -0400

[diff] [blame]

2215

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2216

def test_pending(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2217

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2218

`Connection.pending` returns the number of bytes available for

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2219

immediate read.

2220

"""

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2221

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2222

assert connection.pending() == 0

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2223

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2224

def test_peek(self):

2225

"""

Hynek Schlawack

3bcf315

2017-02-18 08:25:34 +0100

[diff] [blame]

2226

`Connection.recv` peeks into the connection if `socket.MSG_PEEK` is

2227

passed.

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2228

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2229

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2230

server.send(b'xy')

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2231

assert client.recv(2, MSG_PEEK) == b'xy'

2232

assert client.recv(2, MSG_PEEK) == b'xy'

2233

assert client.recv(2) == b'xy'

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2234

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2235

def test_connect_wrong_args(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2236

"""

Hynek Schlawack

3bcf315

2017-02-18 08:25:34 +0100

[diff] [blame]

2237

`Connection.connect` raises `TypeError` if called with a non-address

2238

argument.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2239

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2240

connection = Connection(Context(TLSv1_METHOD), socket())

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2241

with pytest.raises(TypeError):

2242

connection.connect(None)

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2243

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2244

def test_connect_refused(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2245

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2246

`Connection.connect` raises `socket.error` if the underlying socket

2247

connect method raises it.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2248

"""

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2249

client = socket()

2250

context = Context(TLSv1_METHOD)

2251

clientSSL = Connection(context, client)

Alex Gaynor

122717b

2015-09-05 14:14:18 -0400

[diff] [blame]

2252

# pytest.raises here doesn't work because of a bug in py.test on Python

2253

# 2.6: https://github.com/pytest-dev/pytest/issues/988

Alex Gaynor

e69c278

2015-09-05 14:07:48 -0400

[diff] [blame]

2254

try:

Alex Gaynor

1aabb2e

2015-09-05 13:35:18 -0400

[diff] [blame]

2255

clientSSL.connect(("127.0.0.1", 1))

Alex Gaynor

e69c278

2015-09-05 14:07:48 -0400

[diff] [blame]

2256

except error as e:

Alex Gaynor

20a4c08

2015-09-05 14:24:15 -0400

[diff] [blame]

2257

exc = e

2258

assert exc.args[0] == ECONNREFUSED

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2259

2260

def test_connect(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2261

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2262

`Connection.connect` establishes a connection to the specified address.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2263

"""

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

port = socket()

port.bind(('', 0))

port.listen(3)

clientSSL = Connection(Context(TLSv1_METHOD), socket())

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2269

clientSSL.connect(('127.0.0.1', port.getsockname()[1]))

2270

# XXX An assertion? Or something?

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2271

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2272

@pytest.mark.skipif(

2273

platform == "darwin",

2274

reason="connect_ex sometimes causes a kernel panic on OS X 10.6.4"

2275

)

2276

def test_connect_ex(self):

2277

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2278

If there is a connection error, `Connection.connect_ex` returns the

2279

errno instead of raising an exception.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

"""

port = socket()

port.bind(('', 0))

port.listen(3)

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2284

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2285

clientSSL = Connection(Context(TLSv1_METHOD), socket())

2286

clientSSL.setblocking(False)

2287

result = clientSSL.connect_ex(port.getsockname())

2288

expected = (EINPROGRESS, EWOULDBLOCK)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2289

assert result in expected

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2290

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2291

def test_accept(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2292

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2293

`Connection.accept` accepts a pending connection attempt and returns a

2294

tuple of a new `Connection` (the accepted client) and the address the

2295

connection originated from.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2296

"""

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2297

ctx = Context(TLSv1_METHOD)

2298

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

2299

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2300

port = socket()

2301

portSSL = Connection(ctx, port)

2302

portSSL.bind(('', 0))

2303

portSSL.listen(3)

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2304

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2305

clientSSL = Connection(Context(TLSv1_METHOD), socket())

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2306

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2307

# Calling portSSL.getsockname() here to get the server IP address

2308

# sounds great, but frequently fails on Windows.

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2309

clientSSL.connect(('127.0.0.1', portSSL.getsockname()[1]))

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2310

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2311

serverSSL, address = portSSL.accept()

2312

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2313

assert isinstance(serverSSL, Connection)

2314

assert serverSSL.get_context() is ctx

2315

assert address == clientSSL.getsockname()

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2316

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2317

def test_shutdown_wrong_args(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2318

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2319

`Connection.set_shutdown` raises `TypeError` if called with arguments

2320

other than integers.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2321

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2322

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2323

with pytest.raises(TypeError):

2324

connection.set_shutdown(None)

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2325

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

2326

def test_shutdown(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2327

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2328

`Connection.shutdown` performs an SSL-level connection shutdown.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2329

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2330

server, client = loopback()

2331

assert not server.shutdown()

2332

assert server.get_shutdown() == SENT_SHUTDOWN

2333

with pytest.raises(ZeroReturnError):

2334

client.recv(1024)

2335

assert client.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

e4f6b47

2010-07-29 22:50:58 -0400

[diff] [blame]

2336

client.shutdown()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2337

assert client.get_shutdown() == (SENT_SHUTDOWN | RECEIVED_SHUTDOWN)

2338

with pytest.raises(ZeroReturnError):

2339

server.recv(1024)

2340

assert server.get_shutdown() == (SENT_SHUTDOWN | RECEIVED_SHUTDOWN)

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

2341

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2342

def test_shutdown_closed(self):

2343

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2344

If the underlying socket is closed, `Connection.shutdown` propagates

2345

the write error from the low level write call.

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2346

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2347

server, client = loopback()

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2348

server.sock_shutdown(2)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2349

with pytest.raises(SysCallError) as exc:

2350

server.shutdown()

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2351

if platform == "win32":

2352

assert exc.value.args[0] == ESHUTDOWN

2353

else:

2354

assert exc.value.args[0] == EPIPE

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2355

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2356

def test_shutdown_truncated(self):

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2357

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2358

If the underlying connection is truncated, `Connection.shutdown`

2359

raises an `Error`.

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2360

"""

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2361

server_ctx = Context(TLSv1_METHOD)

2362

client_ctx = Context(TLSv1_METHOD)

2363

server_ctx.use_privatekey(

2364

load_privatekey(FILETYPE_PEM, server_key_pem))

2365

server_ctx.use_certificate(

2366

load_certificate(FILETYPE_PEM, server_cert_pem))

2367

server = Connection(server_ctx, None)

2368

client = Connection(client_ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2369

handshake_in_memory(client, server)

2370

assert not server.shutdown()

2371

with pytest.raises(WantReadError):

2372

server.shutdown()

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2373

server.bio_shutdown()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2374

with pytest.raises(Error):

2375

server.shutdown()

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2376

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2377

def test_set_shutdown(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2378

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2379

`Connection.set_shutdown` sets the state of the SSL connection

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2380

shutdown process.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2381

"""

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2382

connection = Connection(Context(TLSv1_METHOD), socket())

2383

connection.set_shutdown(RECEIVED_SHUTDOWN)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2384

assert connection.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2385

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2386

@skip_if_py3

2387

def test_set_shutdown_long(self):

2388

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2389

On Python 2 `Connection.set_shutdown` accepts an argument

2390

of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2391

"""

2392

connection = Connection(Context(TLSv1_METHOD), socket())

2393

connection.set_shutdown(long(RECEIVED_SHUTDOWN))

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2394

assert connection.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

2395

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2396

def test_state_string(self):

2397

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2398

`Connection.state_string` verbosely describes the current state of

2399

the `Connection`.

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2400

"""

Hynek Schlawack

b0274ce

2015-10-16 19:56:26 +0200

[diff] [blame]

2401

server, client = socket_pair()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2402

server = loopback_server_factory(server)

2403

client = loopback_client_factory(client)

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2404

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2405

assert server.get_state_string() in [

2406

b"before/accept initialization", b"before SSL initialization"

2407

]

2408

assert client.get_state_string() in [

2409

b"before/connect initialization", b"before SSL initialization"

2410

]

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2411

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2412

def test_app_data(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2413

"""

2414

Any object can be set as app data by passing it to

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2415

`Connection.set_app_data` and later retrieved with

2416

`Connection.get_app_data`.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2417

"""

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2418

conn = Connection(Context(TLSv1_METHOD), None)

Todd Chapman

4f73e4f

2015-08-27 11:26:43 -0400

[diff] [blame]

2419

assert None is conn.get_app_data()

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2420

app_data = object()

2421

conn.set_app_data(app_data)

Todd Chapman

4f73e4f

2015-08-27 11:26:43 -0400

[diff] [blame]

2422

assert conn.get_app_data() is app_data

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2423

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2424

def test_makefile(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2425

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2426

`Connection.makefile` is not implemented and calling that

2427

method raises `NotImplementedError`.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2428

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2429

conn = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2430

with pytest.raises(NotImplementedError):

2431

conn.makefile()

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2432

Jeremy Lainé

460a19d

2018-05-16 19:44:19 +0200

[diff] [blame]

2433

def test_get_certificate(self):

2434

"""

2435

`Connection.get_certificate` returns the local certificate.

2436

"""

2437

chain = _create_certificate_chain()

2438

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

2439

2440

context = Context(TLSv1_METHOD)

2441

context.use_certificate(scert)

2442

client = Connection(context, None)

2443

cert = client.get_certificate()

2444

assert cert is not None

2445

assert "Server Certificate" == cert.get_subject().CN

2446

2447

def test_get_certificate_none(self):

2448

"""

2449

`Connection.get_certificate` returns the local certificate.

2450

2451

If there is no certificate, it returns None.

2452

"""

2453

context = Context(TLSv1_METHOD)

2454

client = Connection(context, None)

2455

cert = client.get_certificate()

2456

assert cert is None

2457

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2458

def test_get_peer_cert_chain(self):

2459

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2460

`Connection.get_peer_cert_chain` returns a list of certificates

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2461

which the connected server returned for the certification verification.

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2462

"""

2463

chain = _create_certificate_chain()

2464

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

2465

2466

serverContext = Context(TLSv1_METHOD)

2467

serverContext.use_privatekey(skey)

2468

serverContext.use_certificate(scert)

2469

serverContext.add_extra_chain_cert(icert)

2470

serverContext.add_extra_chain_cert(cacert)

2471

server = Connection(serverContext, None)

2472

server.set_accept_state()

2473

2474

# Create the client

2475

clientContext = Context(TLSv1_METHOD)

2476

clientContext.set_verify(VERIFY_NONE, verify_cb)

2477

client = Connection(clientContext, None)

2478

client.set_connect_state()

2479

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2480

interact_in_memory(client, server)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2481

2482

chain = client.get_peer_cert_chain()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2483

assert len(chain) == 3

2484

assert "Server Certificate" == chain[0].get_subject().CN

2485

assert "Intermediate Certificate" == chain[1].get_subject().CN

2486

assert "Authority Certificate" == chain[2].get_subject().CN

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2487

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2488

def test_get_peer_cert_chain_none(self):

2489

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2490

`Connection.get_peer_cert_chain` returns `None` if the peer sends

2491

no certificate chain.

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2492

"""

2493

ctx = Context(TLSv1_METHOD)

2494

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

2495

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

2496

server = Connection(ctx, None)

2497

server.set_accept_state()

2498

client = Connection(Context(TLSv1_METHOD), None)

2499

client.set_connect_state()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2500

interact_in_memory(client, server)

2501

assert None is server.get_peer_cert_chain()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2502

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2503

def test_get_session_unconnected(self):

2504

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2505

`Connection.get_session` returns `None` when used with an object

2506

which has not been connected.

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2507

"""

2508

ctx = Context(TLSv1_METHOD)

2509

server = Connection(ctx, None)

2510

session = server.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2511

assert None is session

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2512

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2513

def test_server_get_session(self):

2514

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2515

On the server side of a connection, `Connection.get_session` returns a

2516

`Session` instance representing the SSL session for that connection.

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2517

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2518

server, client = loopback()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2519

session = server.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2520

assert isinstance(session, Session)

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2521

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2522

def test_client_get_session(self):

2523

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2524

On the client side of a connection, `Connection.get_session`

2525

returns a `Session` instance representing the SSL session for

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2526

that connection.

2527

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2528

server, client = loopback()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2529

session = client.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2530

assert isinstance(session, Session)

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2531

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2532

def test_set_session_wrong_args(self):

2533

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2534

`Connection.set_session` raises `TypeError` if called with an object

2535

that is not an instance of `Session`.

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2536

"""

2537

ctx = Context(TLSv1_METHOD)

2538

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2539

with pytest.raises(TypeError):

2540

connection.set_session(123)

2541

with pytest.raises(TypeError):

2542

connection.set_session("hello")

2543

with pytest.raises(TypeError):

2544

connection.set_session(object())

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2545

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2546

def test_client_set_session(self):

2547

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2548

`Connection.set_session`, when used prior to a connection being

2549

established, accepts a `Session` instance and causes an attempt to

2550

re-use the session it represents when the SSL handshake is performed.

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2551

"""

2552

key = load_privatekey(FILETYPE_PEM, server_key_pem)

2553

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

Paul Kehrer

2019-01-21 12:24:02 -0600

[diff] [blame]

2554

ctx = Context(TLSv1_2_METHOD)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2555

ctx.use_privatekey(key)

2556

ctx.use_certificate(cert)

2557

ctx.set_session_id("unity-test")

2558

2559

def makeServer(socket):

2560

server = Connection(ctx, socket)

2561

server.set_accept_state()

2562

return server

2563

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2564

originalServer, originalClient = loopback(

2565

server_factory=makeServer)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2566

originalSession = originalClient.get_session()

2567

2568

def makeClient(socket):

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2569

client = loopback_client_factory(socket)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2570

client.set_session(originalSession)

2571

return client

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2572

resumedServer, resumedClient = loopback(

2573

server_factory=makeServer,

2574

client_factory=makeClient)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2575

2576

# This is a proxy: in general, we have no access to any unique

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2577

# identifier for the session (new enough versions of OpenSSL expose

2578

# a hash which could be usable, but "new enough" is very, very new).

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2579

# Instead, exploit the fact that the master key is re-used if the

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2580

# session is re-used. As long as the master key for the two

2581

# connections is the same, the session was re-used!

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2582

assert originalServer.master_key() == resumedServer.master_key()

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2583

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2584

def test_set_session_wrong_method(self):

2585

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2586

If `Connection.set_session` is passed a `Session` instance associated

2587

with a context using a different SSL method than the `Connection`

2588

is using, a `OpenSSL.SSL.Error` is raised.

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2589

"""

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2590

# Make this work on both OpenSSL 1.0.0, which doesn't support TLSv1.2

2591

# and also on OpenSSL 1.1.0 which doesn't support SSLv3. (SSL_ST_INIT

2592

# is a way to check for 1.1.0)

Alex Gaynor

aa32e71

2017-06-29 20:56:12 -0700

[diff] [blame]

2593

if SSL_ST_INIT is None:

2594

v1 = TLSv1_2_METHOD

2595

v2 = TLSv1_METHOD

2596

elif hasattr(_lib, "SSLv3_method"):

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2597

v1 = TLSv1_METHOD

2598

v2 = SSLv3_METHOD

2599

else:

Alex Gaynor

aa32e71

2017-06-29 20:56:12 -0700

[diff] [blame]

2600

pytest.skip("Test requires either OpenSSL 1.1.0 or SSLv3")

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2601

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2602

key = load_privatekey(FILETYPE_PEM, server_key_pem)

2603

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2604

ctx = Context(v1)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2605

ctx.use_privatekey(key)

2606

ctx.use_certificate(cert)

2607

ctx.set_session_id("unity-test")

2608

2609

def makeServer(socket):

2610

server = Connection(ctx, socket)

2611

server.set_accept_state()

2612

return server

2613

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2614

def makeOriginalClient(socket):

2615

client = Connection(Context(v1), socket)

2616

client.set_connect_state()

2617

return client

2618

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2619

originalServer, originalClient = loopback(

2620

server_factory=makeServer, client_factory=makeOriginalClient)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2621

originalSession = originalClient.get_session()

2622

2623

def makeClient(socket):

2624

# Intentionally use a different, incompatible method here.

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2625

client = Connection(Context(v2), socket)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2626

client.set_connect_state()

2627

client.set_session(originalSession)

2628

return client

2629

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2630

with pytest.raises(Error):

2631

loopback(client_factory=makeClient, server_factory=makeServer)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2632

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2633

def test_wantWriteError(self):

2634

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2635

`Connection` methods which generate output raise

2636

`OpenSSL.SSL.WantWriteError` if writing to the connection's BIO

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2637

fail indicating a should-write state.

2638

"""

2639

client_socket, server_socket = socket_pair()

2640

# Fill up the client's send buffer so Connection won't be able to write

Jean-Paul Calderone

bbff8b9

2014-03-22 14:20:30 -0400

[diff] [blame]

2641

# anything. Only write a single byte at a time so we can be sure we

2642

# completely fill the buffer. Even though the socket API is allowed to

2643

# signal a short write via its return value it seems this doesn't

2644

# always happen on all platforms (FreeBSD and OS X particular) for the

2645

# very last bit of available buffer space.

2646

msg = b"x"

catern

b2777a4

2018-08-09 15:38:13 -0400

[diff] [blame]

2647

for i in range(1024 * 1024 * 64):

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2648

try:

2649

client_socket.send(msg)

2650

except error as e:

2651

if e.errno == EWOULDBLOCK:

2652

break

2653

raise

2654

else:

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2655

pytest.fail(

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2656

"Failed to fill socket buffer, cannot test BIO want write")

2657

2658

ctx = Context(TLSv1_METHOD)

2659

conn = Connection(ctx, client_socket)

2660

# Client's speak first, so make it an SSL client

2661

conn.set_connect_state()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2662

with pytest.raises(WantWriteError):

2663

conn.do_handshake()

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

# XXX want_read

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2667

def test_get_finished_before_connect(self):

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2668

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2669

`Connection.get_finished` returns `None` before TLS handshake

2670

is completed.

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2671

"""

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2672

ctx = Context(TLSv1_METHOD)

2673

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2674

assert connection.get_finished() is None

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2675

2676

def test_get_peer_finished_before_connect(self):

2677

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2678

`Connection.get_peer_finished` returns `None` before TLS handshake

2679

is completed.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2680

"""

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2681

ctx = Context(TLSv1_METHOD)

2682

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2683

assert connection.get_peer_finished() is None

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2684

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2685

def test_get_finished(self):

2686

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2687

`Connection.get_finished` method returns the TLS Finished message send

2688

from client, or server. Finished messages are send during

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2689

TLS handshake.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2690

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2691

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2692

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2693

assert server.get_finished() is not None

2694

assert len(server.get_finished()) > 0

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2695

2696

def test_get_peer_finished(self):

2697

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2698

`Connection.get_peer_finished` method returns the TLS Finished

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2699

message received from client, or server. Finished messages are send

2700

during TLS handshake.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2701

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2702

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2703

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2704

assert server.get_peer_finished() is not None

2705

assert len(server.get_peer_finished()) > 0

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2706

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2707

def test_tls_finished_message_symmetry(self):

2708

"""

Hynek Schlawack

dddd111

2015-09-05 21:12:30 +0200

[diff] [blame]

2709

The TLS Finished message send by server must be the TLS Finished

2710

message received by client.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2711

Hynek Schlawack

dddd111

2015-09-05 21:12:30 +0200

[diff] [blame]

2712

The TLS Finished message send by client must be the TLS Finished

2713

message received by server.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2714

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2715

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2716

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2717

assert server.get_finished() == client.get_peer_finished()

2718

assert client.get_finished() == server.get_peer_finished()

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

2719

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2720

def test_get_cipher_name_before_connect(self):

2721

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2722

`Connection.get_cipher_name` returns `None` if no connection

2723

has been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2724

"""

2725

ctx = Context(TLSv1_METHOD)

2726

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2727

assert conn.get_cipher_name() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2728

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2729

def test_get_cipher_name(self):

2730

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2731

`Connection.get_cipher_name` returns a `unicode` string giving the

2732

name of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2733

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2734

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2735

server_cipher_name, client_cipher_name = \

2736

server.get_cipher_name(), client.get_cipher_name()

2737

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2738

assert isinstance(server_cipher_name, text_type)

2739

assert isinstance(client_cipher_name, text_type)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2740

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2741

assert server_cipher_name == client_cipher_name

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2742

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2743

def test_get_cipher_version_before_connect(self):

2744

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2745

`Connection.get_cipher_version` returns `None` if no connection

2746

has been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2747

"""

2748

ctx = Context(TLSv1_METHOD)

2749

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2750

assert conn.get_cipher_version() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2751

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2752

def test_get_cipher_version(self):

2753

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2754

`Connection.get_cipher_version` returns a `unicode` string giving

2755

the protocol name of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2756

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2757

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2758

server_cipher_version, client_cipher_version = \

2759

server.get_cipher_version(), client.get_cipher_version()

2760

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2761

assert isinstance(server_cipher_version, text_type)

2762

assert isinstance(client_cipher_version, text_type)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2763

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2764

assert server_cipher_version == client_cipher_version

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2765

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2766

def test_get_cipher_bits_before_connect(self):

2767

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2768

`Connection.get_cipher_bits` returns `None` if no connection has

2769

been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2770

"""

2771

ctx = Context(TLSv1_METHOD)

2772

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2773

assert conn.get_cipher_bits() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2774

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2775

def test_get_cipher_bits(self):

2776

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2777

`Connection.get_cipher_bits` returns the number of secret bits

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2778

of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2779

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2780

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2781

server_cipher_bits, client_cipher_bits = \

2782

server.get_cipher_bits(), client.get_cipher_bits()

2783

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2784

assert isinstance(server_cipher_bits, int)

2785

assert isinstance(client_cipher_bits, int)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2786

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2787

assert server_cipher_bits == client_cipher_bits

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

2788

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2789

def test_get_protocol_version_name(self):

2790

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2791

`Connection.get_protocol_version_name()` returns a string giving the

2792

protocol version of the current connection.

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2793

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2794

server, client = loopback()

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2795

client_protocol_version_name = client.get_protocol_version_name()

2796

server_protocol_version_name = server.get_protocol_version_name()

2797

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2798

assert isinstance(server_protocol_version_name, text_type)

2799

assert isinstance(client_protocol_version_name, text_type)

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2800

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2801

assert server_protocol_version_name == client_protocol_version_name

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2802

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2803

def test_get_protocol_version(self):

2804

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2805

`Connection.get_protocol_version()` returns an integer

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2806

giving the protocol version of the current connection.

2807

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2808

server, client = loopback()

Jim Shaver

85a4dff

2015-04-27 17:42:46 -0400

[diff] [blame]

2809

client_protocol_version = client.get_protocol_version()

2810

server_protocol_version = server.get_protocol_version()

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2811

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2812

assert isinstance(server_protocol_version, int)

2813

assert isinstance(client_protocol_version, int)

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2814

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2815

assert server_protocol_version == client_protocol_version

2816

2817

def test_wantReadError(self):

2818

"""

2819

`Connection.bio_read` raises `OpenSSL.SSL.WantReadError` if there are

2820

no bytes available to be read from the BIO.

2821

"""

2822

ctx = Context(TLSv1_METHOD)

2823

conn = Connection(ctx, None)

2824

with pytest.raises(WantReadError):

2825

conn.bio_read(1024)

2826

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2827

@pytest.mark.parametrize('bufsize', [1.0, None, object(), 'bufsize'])

2828

def test_bio_read_wrong_args(self, bufsize):

2829

"""

2830

`Connection.bio_read` raises `TypeError` if passed a non-integer

2831

argument.

2832

"""

2833

ctx = Context(TLSv1_METHOD)

2834

conn = Connection(ctx, None)

2835

with pytest.raises(TypeError):

2836

conn.bio_read(bufsize)

2837

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2838

def test_buffer_size(self):

2839

"""

2840

`Connection.bio_read` accepts an integer giving the maximum number

2841

of bytes to read and return.

2842

"""

2843

ctx = Context(TLSv1_METHOD)

2844

conn = Connection(ctx, None)

2845

conn.set_connect_state()

2846

try:

2847

conn.do_handshake()

2848

except WantReadError:

2849

pass

2850

data = conn.bio_read(2)

2851

assert 2 == len(data)

2852

2853

@skip_if_py3

2854

def test_buffer_size_long(self):

2855

"""

2856

On Python 2 `Connection.bio_read` accepts values of type `long` as

2857

well as `int`.

2858

"""

2859

ctx = Context(TLSv1_METHOD)

2860

conn = Connection(ctx, None)

2861

conn.set_connect_state()

2862

try:

2863

conn.do_handshake()

2864

except WantReadError:

2865

pass

2866

data = conn.bio_read(long(2))

2867

assert 2 == len(data)

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2868

Jean-Paul Calderone

dbd7627

2014-03-29 18:09:40 -0400

[diff] [blame]

2869

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2870

class TestConnectionGetCipherList(object):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2871

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2872

Tests for `Connection.get_cipher_list`.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2873

"""

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2874

def test_result(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2875

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2876

`Connection.get_cipher_list` returns a list of `bytes` giving the

2877

names of the ciphers which might be used.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2878

"""

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2879

connection = Connection(Context(TLSv1_METHOD), None)

2880

ciphers = connection.get_cipher_list()

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2881

assert isinstance(ciphers, list)

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2882

for cipher in ciphers:

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2883

assert isinstance(cipher, str)

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2884

2885

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

2886

class VeryLarge(bytes):

2887

"""

2888

Mock object so that we don't have to allocate 2**31 bytes

"""

def __len__(self):

return 2**31

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2894

class TestConnectionSend(object):

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2895

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2896

Tests for `Connection.send`.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2897

"""

2898

def test_wrong_args(self):

2899

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

2900

When called with arguments other than string argument for its first

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2901

parameter, `Connection.send` raises `TypeError`.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2902

"""

2903

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2904

with pytest.raises(TypeError):

2905

connection.send(object())

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2906

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2907

def test_short_bytes(self):

2908

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2909

When passed a short byte string, `Connection.send` transmits all of it

2910

and returns the number of bytes sent.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2911

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2912

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2913

count = server.send(b'xy')

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2914

assert count == 2

2915

assert client.recv(2) == b'xy'

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2916

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2917

def test_text(self):

2918

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2919

When passed a text, `Connection.send` transmits all of it and

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

2920

returns the number of bytes sent. It also raises a DeprecationWarning.

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2921

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2922

server, client = loopback()

2923

with pytest.warns(DeprecationWarning) as w:

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2924

simplefilter("always")

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

2925

count = server.send(b"xy".decode("ascii"))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2926

assert (

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

2927

"{0} for buf is no longer accepted, use bytes".format(

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

2928

WARNING_TYPE_EXPECTED

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2929

) == str(w[-1].message))

2930

assert count == 2

2931

assert client.recv(2) == b'xy'

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2932

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2933

def test_short_memoryview(self):

2934

"""

2935

When passed a memoryview onto a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2936

`Connection.send` transmits all of them and returns the number

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2937

of bytes sent.

2938

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2939

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2940

count = server.send(memoryview(b'xy'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2941

assert count == 2

2942

assert client.recv(2) == b'xy'

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2943

Hynek Schlawack

8e94f1b

2015-09-05 21:31:00 +0200

[diff] [blame]

2944

@skip_if_py3

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2945

def test_short_buffer(self):

2946

"""

2947

When passed a buffer containing a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2948

`Connection.send` transmits all of them and returns the number

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2949

of bytes sent.

2950

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2951

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2952

count = server.send(buffer(b'xy'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2953

assert count == 2

2954

assert client.recv(2) == b'xy'

Markus Unterwaditzer

8e41d02

2014-04-19 12:27:11 +0200

[diff] [blame]

2955

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

2956

@pytest.mark.skipif(

2957

sys.maxsize < 2**31,

2958

reason="sys.maxsize < 2**31 - test requires 64 bit"

2959

)

2960

def test_buf_too_large(self):

2961

"""

2962

When passed a buffer containing >= 2**31 bytes,

2963

`Connection.send` bails out as SSL_write only

2964

accepts an int for the buffer length.

2965

"""

2966

connection = Connection(Context(TLSv1_METHOD), None)

2967

with pytest.raises(ValueError) as exc_info:

2968

connection.send(VeryLarge())

2969

exc_info.match(r"Cannot send more than .+ bytes at once")

2970

Jean-Paul Calderone

691e6c9

2011-01-21 22:04:35 -0500

[diff] [blame]

2971

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2972

def _make_memoryview(size):

2973

"""

2974

Create a new ``memoryview`` wrapped around a ``bytearray`` of the given

2975

size.

2976

"""

2977

return memoryview(bytearray(size))

2978

2979

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2980

class TestConnectionRecvInto(object):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2981

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2982

Tests for `Connection.recv_into`.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2983

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2984

def _no_length_test(self, factory):

Jean-Paul Calderone

61559d8

2015-03-15 17:04:50 -0400

[diff] [blame]

2985

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2986

Assert that when the given buffer is passed to `Connection.recv_into`,

2987

whatever bytes are available to be received that fit into that buffer

2988

are written into that buffer.

Jean-Paul Calderone

61559d8

2015-03-15 17:04:50 -0400

[diff] [blame]

2989

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2990

output_buffer = factory(5)

2991

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2992

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2993

server.send(b'xy')

Jean-Paul Calderone

332a85e

2015-03-15 17:02:40 -0400

[diff] [blame]

2994

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2995

assert client.recv_into(output_buffer) == 2

2996

assert output_buffer == bytearray(b'xy\x00\x00\x00')

Jean-Paul Calderone

332a85e

2015-03-15 17:02:40 -0400

[diff] [blame]

2997

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2998

def test_bytearray_no_length(self):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2999

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3000

`Connection.recv_into` can be passed a `bytearray` instance and data

3001

in the receive buffer is written to it.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3002

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

3003

self._no_length_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3004

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

3005

def _respects_length_test(self, factory):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3006

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3007

Assert that when the given buffer is passed to `Connection.recv_into`

3008

along with a value for `nbytes` that is less than the size of that

3009

buffer, only `nbytes` bytes are written into the buffer.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3010

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

3011

output_buffer = factory(10)

3012

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3013

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3014

server.send(b'abcdefghij')

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3015

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3016

assert client.recv_into(output_buffer, 5) == 5

3017

assert output_buffer == bytearray(b'abcde\x00\x00\x00\x00\x00')

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

3018

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

3019

def test_bytearray_respects_length(self):

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

3020

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3021

When called with a `bytearray` instance, `Connection.recv_into`

3022

respects the `nbytes` parameter and doesn't copy in more than that

3023

number of bytes.

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

3024

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

3025

self._respects_length_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3026

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

3027

def _doesnt_overfill_test(self, factory):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3028

"""

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

3029

Assert that if there are more bytes available to be read from the

3030

receive buffer than would fit into the buffer passed to

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3031

`Connection.recv_into`, only as many as fit are written into it.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3032

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

3033

output_buffer = factory(5)

3034

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3035

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3036

server.send(b'abcdefghij')

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3037

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3038

assert client.recv_into(output_buffer) == 5

3039

assert output_buffer == bytearray(b'abcde')

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

3040

rest = client.recv(5)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3041

assert b'fghij' == rest

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

3042

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

3043

def test_bytearray_doesnt_overfill(self):

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

3044

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3045

When called with a `bytearray` instance, `Connection.recv_into`

3046

respects the size of the array and doesn't write more bytes into it

3047

than will fit.

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

3048

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

3049

self._doesnt_overfill_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3050

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

3051

def test_bytearray_really_doesnt_overfill(self):

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

3052

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3053

When called with a `bytearray` instance and an `nbytes` value that is

3054

too large, `Connection.recv_into` respects the size of the array and

3055

not the `nbytes` value and doesn't write more bytes into the buffer

3056

than will fit.

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

3057

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

3058

self._doesnt_overfill_test(bytearray)

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

3059

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

3060

def test_peek(self):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3061

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3062

server.send(b'xy')

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

3063

3064

for _ in range(2):

3065

output_buffer = bytearray(5)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3066

assert client.recv_into(output_buffer, flags=MSG_PEEK) == 2

3067

assert output_buffer == bytearray(b'xy\x00\x00\x00')

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

3068

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3069

def test_memoryview_no_length(self):

3070

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3071

`Connection.recv_into` can be passed a `memoryview` instance and data

3072

in the receive buffer is written to it.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3073

"""

3074

self._no_length_test(_make_memoryview)

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

3075

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3076

def test_memoryview_respects_length(self):

3077

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3078

When called with a `memoryview` instance, `Connection.recv_into`

3079

respects the ``nbytes`` parameter and doesn't copy more than that

3080

number of bytes in.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3081

"""

3082

self._respects_length_test(_make_memoryview)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3083

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3084

def test_memoryview_doesnt_overfill(self):

3085

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3086

When called with a `memoryview` instance, `Connection.recv_into`

3087

respects the size of the array and doesn't write more bytes into it

3088

than will fit.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3089

"""

3090

self._doesnt_overfill_test(_make_memoryview)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3091

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3092

def test_memoryview_really_doesnt_overfill(self):

3093

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3094

When called with a `memoryview` instance and an `nbytes` value that is

3095

too large, `Connection.recv_into` respects the size of the array and

3096

not the `nbytes` value and doesn't write more bytes into the buffer

3097

than will fit.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3098

"""

3099

self._doesnt_overfill_test(_make_memoryview)

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

3100

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3101

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3102

class TestConnectionSendall(object):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3103

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3104

Tests for `Connection.sendall`.

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3105

"""

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3106

def test_wrong_args(self):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3107

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

3108

When called with arguments other than a string argument for its first

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3109

parameter, `Connection.sendall` raises `TypeError`.

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3110

"""

3111

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3112

with pytest.raises(TypeError):

3113

connection.sendall(object())

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3114

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3115

def test_short(self):

3116

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3117

`Connection.sendall` transmits all of the bytes in the string

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3118

passed to it.

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3119

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3120

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3121

server.sendall(b'x')

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3122

assert client.recv(1) == b'x'

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3123

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3124

def test_text(self):

3125

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3126

`Connection.sendall` transmits all the content in the string passed

3127

to it, raising a DeprecationWarning in case of this being a text.

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3128

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3129

server, client = loopback()

3130

with pytest.warns(DeprecationWarning) as w:

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3131

simplefilter("always")

Jean-Paul Calderone

8dc37a1

2015-03-29 08:16:52 -0400

[diff] [blame]

3132

server.sendall(b"x".decode("ascii"))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3133

assert (

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

3134

"{0} for buf is no longer accepted, use bytes".format(

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

3135

WARNING_TYPE_EXPECTED

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3136

) == str(w[-1].message))

3137

assert client.recv(1) == b"x"

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3138

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3139

def test_short_memoryview(self):

3140

"""

3141

When passed a memoryview onto a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3142

`Connection.sendall` transmits all of them.

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3143

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3144

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3145

server.sendall(memoryview(b'x'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3146

assert client.recv(1) == b'x'

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3147

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3148

@skip_if_py3

3149

def test_short_buffers(self):

3150

"""

3151

When passed a buffer containing a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3152

`Connection.sendall` transmits all of them.

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3153

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3154

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3155

server.sendall(buffer(b'x'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3156

assert client.recv(1) == b'x'

Markus Unterwaditzer

8e41d02

2014-04-19 12:27:11 +0200

[diff] [blame]

3157

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3158

def test_long(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3159

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3160

`Connection.sendall` transmits all the bytes in the string passed to it

3161

even if this requires multiple calls of an underlying write function.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3162

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3163

server, client = loopback()

Jean-Paul Calderone

6241c70

2010-09-16 19:59:24 -0400

[diff] [blame]

3164

# Should be enough, underlying SSL_write should only do 16k at a time.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3165

# On Windows, after 32k of bytes the write will block (forever

3166

# - because no one is yet reading).

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3167

message = b'x' * (1024 * 32 - 1) + b'y'

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3168

server.sendall(message)

3169

accum = []

3170

received = 0

3171

while received < len(message):

Jean-Paul Calderone

b1f7f5f

2010-08-22 21:40:52 -0400

[diff] [blame]

3172

data = client.recv(1024)

3173

accum.append(data)

3174

received += len(data)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3175

assert message == b''.join(accum)

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3176

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

3177

def test_closed(self):

3178

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3179

If the underlying socket is closed, `Connection.sendall` propagates the

3180

write error from the low level write call.

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

3181

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3182

server, client = loopback()

Jean-Paul Calderone

05d43e8

2010-09-24 18:01:36 -0400

[diff] [blame]

3183

server.sock_shutdown(2)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3184

with pytest.raises(SysCallError) as err:

3185

server.sendall(b"hello, world")

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

3186

if platform == "win32":

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3187

assert err.value.args[0] == ESHUTDOWN

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

3188

else:

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3189

assert err.value.args[0] == EPIPE

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

3190

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3191

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3192

class TestConnectionRenegotiate(object):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3193

"""

3194

Tests for SSL renegotiation APIs.

3195

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

3196

def test_total_renegotiations(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3197

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3198

`Connection.total_renegotiations` returns `0` before any renegotiations

3199

have happened.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3200

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

3201

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3202

assert connection.total_renegotiations() == 0

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

3203

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3204

def test_renegotiate(self):

3205

"""

3206

Go through a complete renegotiation cycle.

3207

"""

Paul Kehrer

2019-01-21 12:24:02 -0600

[diff] [blame]

3208

server, client = loopback(

3209

lambda s: loopback_server_factory(s, TLSv1_2_METHOD),

3210

lambda s: loopback_client_factory(s, TLSv1_2_METHOD),

3211

)

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3212

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3213

server.send(b"hello world")

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3214

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3215

assert b"hello world" == client.recv(len(b"hello world"))

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3216

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3217

assert 0 == server.total_renegotiations()

3218

assert False is server.renegotiate_pending()

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3219

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3220

assert True is server.renegotiate()

3221

3222

assert True is server.renegotiate_pending()

3223

3224

server.setblocking(False)

3225

client.setblocking(False)

3226

3227

client.do_handshake()

3228

server.do_handshake()

3229

3230

assert 1 == server.total_renegotiations()

3231

while False is server.renegotiate_pending():

3232

pass

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3233

3234

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3235

class TestError(object):

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3236

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3237

Unit tests for `OpenSSL.SSL.Error`.

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3238

"""

3239

def test_type(self):

3240

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3241

`Error` is an exception type.

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3242

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3243

assert issubclass(Error, Exception)

3244

assert Error.__name__ == 'Error'

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

3245

3246

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3247

class TestConstants(object):

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3248

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3249

Tests for the values of constants exposed in `OpenSSL.SSL`.

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3250

3251

These are values defined by OpenSSL intended only to be used as flags to

3252

OpenSSL APIs. The only assertions it seems can be made about them is

3253

their values.

3254

"""

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3255

@pytest.mark.skipif(

3256

OP_NO_QUERY_MTU is None,

3257

reason="OP_NO_QUERY_MTU unavailable - OpenSSL version may be too old"

3258

)

3259

def test_op_no_query_mtu(self):

3260

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3261

The value of `OpenSSL.SSL.OP_NO_QUERY_MTU` is 0x1000, the value

3262

of `SSL_OP_NO_QUERY_MTU` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3263

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3264

assert OP_NO_QUERY_MTU == 0x1000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3265

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3266

@pytest.mark.skipif(

3267

OP_COOKIE_EXCHANGE is None,

3268

reason="OP_COOKIE_EXCHANGE unavailable - "

3269

"OpenSSL version may be too old"

3270

)

3271

def test_op_cookie_exchange(self):

3272

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3273

The value of `OpenSSL.SSL.OP_COOKIE_EXCHANGE` is 0x2000, the

3274

value of `SSL_OP_COOKIE_EXCHANGE` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3275

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3276

assert OP_COOKIE_EXCHANGE == 0x2000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3277

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3278

@pytest.mark.skipif(

3279

OP_NO_TICKET is None,

3280

reason="OP_NO_TICKET unavailable - OpenSSL version may be too old"

3281

)

3282

def test_op_no_ticket(self):

3283

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3284

The value of `OpenSSL.SSL.OP_NO_TICKET` is 0x4000, the value of

3285

`SSL_OP_NO_TICKET` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3286

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3287

assert OP_NO_TICKET == 0x4000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3288

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3289

@pytest.mark.skipif(

3290

OP_NO_COMPRESSION is None,

3291

reason="OP_NO_COMPRESSION unavailable - OpenSSL version may be too old"

3292

)

3293

def test_op_no_compression(self):

3294

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3295

The value of `OpenSSL.SSL.OP_NO_COMPRESSION` is 0x20000, the

3296

value of `SSL_OP_NO_COMPRESSION` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3297

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3298

assert OP_NO_COMPRESSION == 0x20000

Jean-Paul Calderone

c62d4c1

2011-09-08 18:29:32 -0400

[diff] [blame]

3299

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3300

def test_sess_cache_off(self):

3301

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3302

The value of `OpenSSL.SSL.SESS_CACHE_OFF` 0x0, the value of

3303

`SSL_SESS_CACHE_OFF` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3304

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3305

assert 0x0 == SESS_CACHE_OFF

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3306

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3307

def test_sess_cache_client(self):

3308

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3309

The value of `OpenSSL.SSL.SESS_CACHE_CLIENT` 0x1, the value of

3310

`SSL_SESS_CACHE_CLIENT` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3311

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3312

assert 0x1 == SESS_CACHE_CLIENT

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3313

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3314

def test_sess_cache_server(self):

3315

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3316

The value of `OpenSSL.SSL.SESS_CACHE_SERVER` 0x2, the value of

3317

`SSL_SESS_CACHE_SERVER` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3318

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3319

assert 0x2 == SESS_CACHE_SERVER

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3320

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3321

def test_sess_cache_both(self):

3322

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3323

The value of `OpenSSL.SSL.SESS_CACHE_BOTH` 0x3, the value of

3324

`SSL_SESS_CACHE_BOTH` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3325

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3326

assert 0x3 == SESS_CACHE_BOTH

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3327

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3328

def test_sess_cache_no_auto_clear(self):

3329

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3330

The value of `OpenSSL.SSL.SESS_CACHE_NO_AUTO_CLEAR` 0x80, the

3331

value of `SSL_SESS_CACHE_NO_AUTO_CLEAR` defined by

3332

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3333

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3334

assert 0x80 == SESS_CACHE_NO_AUTO_CLEAR

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3335

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3336

def test_sess_cache_no_internal_lookup(self):

3337

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3338

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_LOOKUP` 0x100,

3339

the value of `SSL_SESS_CACHE_NO_INTERNAL_LOOKUP` defined by

3340

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3341

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3342

assert 0x100 == SESS_CACHE_NO_INTERNAL_LOOKUP

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3343

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3344

def test_sess_cache_no_internal_store(self):

3345

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3346

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_STORE` 0x200,

3347

the value of `SSL_SESS_CACHE_NO_INTERNAL_STORE` defined by

3348

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3349

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3350

assert 0x200 == SESS_CACHE_NO_INTERNAL_STORE

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3351

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3352

def test_sess_cache_no_internal(self):

3353

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3354

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL` 0x300, the

3355

value of `SSL_SESS_CACHE_NO_INTERNAL` defined by

3356

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3357

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3358

assert 0x300 == SESS_CACHE_NO_INTERNAL

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3359

3360

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3361

class TestMemoryBIO(object):

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3362

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3363

Tests for `OpenSSL.SSL.Connection` using a memory BIO.

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3364

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3365

def _server(self, sock):

3366

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3367

Create a new server-side SSL `Connection` object wrapped around `sock`.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3368

"""

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3369

# Create the server side Connection. This is mostly setup boilerplate

3370

# - use TLSv1, use a particular certificate, etc.

3371

server_ctx = Context(TLSv1_METHOD)

Alex Gaynor

4330778

2015-09-04 09:05:45 -0400

[diff] [blame]

3372

server_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE)

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3373

server_ctx.set_verify(

3374

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE,

3375

verify_cb

3376

)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3377

server_store = server_ctx.get_cert_store()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3378

server_ctx.use_privatekey(

3379

load_privatekey(FILETYPE_PEM, server_key_pem))

3380

server_ctx.use_certificate(

3381

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3382

server_ctx.check_privatekey()

3383

server_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3384

# Here the Connection is actually created. If None is passed as the

3385

# 2nd parameter, it indicates a memory BIO should be created.

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3386

server_conn = Connection(server_ctx, sock)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3387

server_conn.set_accept_state()

3388

return server_conn

3389

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3390

def _client(self, sock):

3391

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3392

Create a new client-side SSL `Connection` object wrapped around `sock`.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3393

"""

3394

# Now create the client side Connection. Similar boilerplate to the

3395

# above.

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3396

client_ctx = Context(TLSv1_METHOD)

Alex Gaynor

4330778

2015-09-04 09:05:45 -0400

[diff] [blame]

3397

client_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE)

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3398

client_ctx.set_verify(

3399

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE,

3400

verify_cb

3401

)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3402

client_store = client_ctx.get_cert_store()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3403

client_ctx.use_privatekey(

3404

load_privatekey(FILETYPE_PEM, client_key_pem))

3405

client_ctx.use_certificate(

3406

load_certificate(FILETYPE_PEM, client_cert_pem))

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3407

client_ctx.check_privatekey()

3408

client_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3409

client_conn = Connection(client_ctx, sock)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3410

client_conn.set_connect_state()

3411

return client_conn

3412

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3413

def test_memory_connect(self):

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3414

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3415

Two `Connection`s which use memory BIOs can be manually connected by

3416

reading from the output of each and writing those bytes to the input of

3417

the other and in this way establish a connection and exchange

3418

application-level bytes with each other.

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3419

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3420

server_conn = self._server(None)

3421

client_conn = self._client(None)

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3422

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3423

# There should be no key or nonces yet.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3424

assert server_conn.master_key() is None

3425

assert server_conn.client_random() is None

3426

assert server_conn.server_random() is None

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3427

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3428

# First, the handshake needs to happen. We'll deliver bytes back and

3429

# forth between the client and server until neither of them feels like

3430

# speaking any more.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3431

assert interact_in_memory(client_conn, server_conn) is None

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3432

3433

# Now that the handshake is done, there should be a key and nonces.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3434

assert server_conn.master_key() is not None

3435

assert server_conn.client_random() is not None

3436

assert server_conn.server_random() is not None

3437

assert server_conn.client_random() == client_conn.client_random()

3438

assert server_conn.server_random() == client_conn.server_random()

3439

assert server_conn.client_random() != server_conn.server_random()

3440

assert client_conn.client_random() != client_conn.server_random()

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3441

Paul Kehrer

bdb7639

2017-12-01 04:54:32 +0800

[diff] [blame]

3442

# Export key material for other uses.

3443

cekm = client_conn.export_keying_material(b'LABEL', 32)

3444

sekm = server_conn.export_keying_material(b'LABEL', 32)

3445

assert cekm is not None

3446

assert sekm is not None

3447

assert cekm == sekm

3448

assert len(sekm) == 32

3449

3450

# Export key material for other uses with additional context.

3451

cekmc = client_conn.export_keying_material(b'LABEL', 32, b'CONTEXT')

3452

sekmc = server_conn.export_keying_material(b'LABEL', 32, b'CONTEXT')

3453

assert cekmc is not None

3454

assert sekmc is not None

3455

assert cekmc == sekmc

3456

assert cekmc != cekm

3457

assert sekmc != sekm

3458

# Export with alternate label

3459

cekmt = client_conn.export_keying_material(b'test', 32, b'CONTEXT')

3460

sekmt = server_conn.export_keying_material(b'test', 32, b'CONTEXT')

3461

assert cekmc != cekmt

3462

assert sekmc != sekmt

3463

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3464

# Here are the bytes we'll try to send.

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3465

important_message = b'One if by land, two if by sea.'

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3466

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3467

server_conn.write(important_message)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3468

assert (

3469

interact_in_memory(client_conn, server_conn) ==

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3470

(client_conn, important_message))

3471

3472

client_conn.write(important_message[::-1])

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3473

assert (

3474

interact_in_memory(client_conn, server_conn) ==

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3475

(server_conn, important_message[::-1]))

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3476

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3477

def test_socket_connect(self):

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3478

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3479

Just like `test_memory_connect` but with an actual socket.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3480

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3481

This is primarily to rule out the memory BIO code as the source of any

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3482

problems encountered while passing data over a `Connection` (if

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3483

this test fails, there must be a problem outside the memory BIO code,

3484

as no memory BIO is involved here). Even though this isn't a memory

3485

BIO test, it's convenient to have it here.

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3486

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3487

server_conn, client_conn = loopback()

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3488

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3489

important_message = b"Help me Obi Wan Kenobi, you're my only hope."

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3490

client_conn.send(important_message)

3491

msg = server_conn.recv(1024)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3492

assert msg == important_message

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3493

3494

# Again in the other direction, just for fun.

3495

important_message = important_message[::-1]

3496

server_conn.send(important_message)

3497

msg = client_conn.recv(1024)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3498

assert msg == important_message

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3499

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3500

def test_socket_overrides_memory(self):

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3501

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3502

Test that `OpenSSL.SSL.bio_read` and `OpenSSL.SSL.bio_write` don't

3503

work on `OpenSSL.SSL.Connection`() that use sockets.

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3504

"""

Alex Gaynor

51d424c

2016-09-10 14:50:11 -0400

[diff] [blame]

3505

context = Context(TLSv1_METHOD)

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3506

client = socket()

3507

clientSSL = Connection(context, client)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3508

with pytest.raises(TypeError):

3509

clientSSL.bio_read(100)

3510

with pytest.raises(TypeError):

3511

clientSSL.bio_write("foo")

3512

with pytest.raises(TypeError):

3513

clientSSL.bio_shutdown()

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3514

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3515

def test_outgoing_overflow(self):

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3516

"""

3517

If more bytes than can be written to the memory BIO are passed to

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3518

`Connection.send` at once, the number of bytes which were written is

3519

returned and that many bytes from the beginning of the input can be

3520

read from the other end of the connection.

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3521

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3522

server = self._server(None)

3523

client = self._client(None)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3524

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3525

interact_in_memory(client, server)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3526

3527

size = 2 ** 15

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

3528

sent = client.send(b"x" * size)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3529

# Sanity check. We're trying to test what happens when the entire

3530

# input can't be sent. If the entire input was sent, this test is

3531

# meaningless.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3532

assert sent < size

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3533

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3534

receiver, received = interact_in_memory(client, server)

3535

assert receiver is server

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3536

3537

# We can rely on all of these bytes being received at once because

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3538

# loopback passes 2 ** 16 to recv - more than 2 ** 15.

3539

assert len(received) == sent

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3540

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3541

def test_shutdown(self):

3542

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3543

`Connection.bio_shutdown` signals the end of the data stream

3544

from which the `Connection` reads.

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3545

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3546

server = self._server(None)

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3547

server.bio_shutdown()

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3548

with pytest.raises(Error) as err:

3549

server.recv(1024)

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3550

# We don't want WantReadError or ZeroReturnError or anything - it's a

3551

# handshake failure.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3552

assert type(err.value) in [Error, SysCallError]

Jean-Paul Calderone

0b88b6a

2009-07-05 12:44:41 -0400

[diff] [blame]

3553

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3554

def test_unexpected_EOF(self):

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3555

"""

3556

If the connection is lost before an orderly SSL shutdown occurs,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3557

`OpenSSL.SSL.SysCallError` is raised with a message of

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3558

"Unexpected EOF".

3559

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3560

server_conn, client_conn = loopback()

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3561

client_conn.sock_shutdown(SHUT_RDWR)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3562

with pytest.raises(SysCallError) as err:

3563

server_conn.recv(1024)

3564

assert err.value.args == (-1, "Unexpected EOF")

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3565

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3566

def _check_client_ca_list(self, func):

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3567

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3568

Verify the return value of the `get_client_ca_list` method for

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3569

server and client connections.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3570

Jonathan Ballet

78b92a2

2011-07-16 08:07:26 +0900

[diff] [blame]

3571

:param func: A function which will be called with the server context

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3572

before the client and server are connected to each other. This

3573

function should specify a list of CAs for the server to send to the

3574

client and return that same list. The list will be used to verify

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3575

that `get_client_ca_list` returns the proper value at

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3576

various times.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3577

"""

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3578

server = self._server(None)

3579

client = self._client(None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3580

assert client.get_client_ca_list() == []

3581

assert server.get_client_ca_list() == []

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3582

ctx = server.get_context()

3583

expected = func(ctx)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3584

assert client.get_client_ca_list() == []

3585

assert server.get_client_ca_list() == expected

3586

interact_in_memory(client, server)

3587

assert client.get_client_ca_list() == expected

3588

assert server.get_client_ca_list() == expected

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3589

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3590

def test_set_client_ca_list_errors(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3591

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3592

`Context.set_client_ca_list` raises a `TypeError` if called with a

3593

non-list or a list that contains objects other than X509Names.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3594

"""

3595

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3596

with pytest.raises(TypeError):

3597

ctx.set_client_ca_list("spam")

3598

with pytest.raises(TypeError):

3599

ctx.set_client_ca_list(["spam"])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3600

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3601

def test_set_empty_ca_list(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3602

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3603

If passed an empty list, `Context.set_client_ca_list` configures the

3604

context to send no CA names to the client and, on both the server and

3605

client sides, `Connection.get_client_ca_list` returns an empty list

3606

after the connection is set up.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3607

"""

3608

def no_ca(ctx):

3609

ctx.set_client_ca_list([])

3610

return []

3611

self._check_client_ca_list(no_ca)

3612

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3613

def test_set_one_ca_list(self):

3614

"""

3615

If passed a list containing a single X509Name,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3616

`Context.set_client_ca_list` configures the context to send

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3617

that CA name to the client and, on both the server and client sides,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3618

`Connection.get_client_ca_list` returns a list containing that

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3619

X509Name after the connection is set up.

3620

"""

3621

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3622

cadesc = cacert.get_subject()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3623

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3624

def single_ca(ctx):

3625

ctx.set_client_ca_list([cadesc])

3626

return [cadesc]

3627

self._check_client_ca_list(single_ca)

3628

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3629

def test_set_multiple_ca_list(self):

3630

"""

3631

If passed a list containing multiple X509Name objects,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3632

`Context.set_client_ca_list` configures the context to send

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3633

those CA names to the client and, on both the server and client sides,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3634

`Connection.get_client_ca_list` returns a list containing those

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3635

X509Names after the connection is set up.

3636

"""

3637

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3638

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3639

3640

sedesc = secert.get_subject()

3641

cldesc = clcert.get_subject()

3642

3643

def multiple_ca(ctx):

3644

L = [sedesc, cldesc]

3645

ctx.set_client_ca_list(L)

3646

return L

3647

self._check_client_ca_list(multiple_ca)

3648

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3649

def test_reset_ca_list(self):

3650

"""

3651

If called multiple times, only the X509Names passed to the final call

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3652

of `Context.set_client_ca_list` are used to configure the CA

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3653

names sent to the client.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3654

"""

3655

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3656

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3657

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3658

3659

cadesc = cacert.get_subject()

3660

sedesc = secert.get_subject()

3661

cldesc = clcert.get_subject()

3662

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3663

def changed_ca(ctx):

3664

ctx.set_client_ca_list([sedesc, cldesc])

3665

ctx.set_client_ca_list([cadesc])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3666

return [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3667

self._check_client_ca_list(changed_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3668

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3669

def test_mutated_ca_list(self):

3670

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3671

If the list passed to `Context.set_client_ca_list` is mutated

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3672

afterwards, this does not affect the list of CA names sent to the

3673

client.

3674

"""

3675

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3676

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3677

3678

cadesc = cacert.get_subject()

3679

sedesc = secert.get_subject()

3680

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3681

def mutated_ca(ctx):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3682

L = [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3683

ctx.set_client_ca_list([cadesc])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3684

L.append(sedesc)

3685

return [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3686

self._check_client_ca_list(mutated_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3687

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3688

def test_add_client_ca_wrong_args(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3689

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3690

`Context.add_client_ca` raises `TypeError` if called with

3691

a non-X509 object.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3692

"""

3693

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3694

with pytest.raises(TypeError):

3695

ctx.add_client_ca("spam")

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3696

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3697

def test_one_add_client_ca(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3698

"""

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3699

A certificate's subject can be added as a CA to be sent to the client

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3700

with `Context.add_client_ca`.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3701

"""

3702

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3703

cadesc = cacert.get_subject()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3704

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3705

def single_ca(ctx):

3706

ctx.add_client_ca(cacert)

3707

return [cadesc]

3708

self._check_client_ca_list(single_ca)

3709

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3710

def test_multiple_add_client_ca(self):

3711

"""

3712

Multiple CA names can be sent to the client by calling

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3713

`Context.add_client_ca` with multiple X509 objects.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3714

"""

3715

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3716

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3717

3718

cadesc = cacert.get_subject()

3719

sedesc = secert.get_subject()

3720

3721

def multiple_ca(ctx):

3722

ctx.add_client_ca(cacert)

3723

ctx.add_client_ca(secert)

3724

return [cadesc, sedesc]

3725

self._check_client_ca_list(multiple_ca)

3726

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3727

def test_set_and_add_client_ca(self):

3728

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3729

A call to `Context.set_client_ca_list` followed by a call to

3730

`Context.add_client_ca` results in using the CA names from the

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3731

first call and the CA name from the second call.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3732

"""

3733

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3734

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3735

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3736

3737

cadesc = cacert.get_subject()

3738

sedesc = secert.get_subject()

3739

cldesc = clcert.get_subject()

3740

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3741

def mixed_set_add_ca(ctx):

3742

ctx.set_client_ca_list([cadesc, sedesc])

3743

ctx.add_client_ca(clcert)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3744

return [cadesc, sedesc, cldesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3745

self._check_client_ca_list(mixed_set_add_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3746

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3747

def test_set_after_add_client_ca(self):

3748

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3749

A call to `Context.set_client_ca_list` after a call to

3750

`Context.add_client_ca` replaces the CA name specified by the

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3751

former call with the names specified by the latter call.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3752

"""

3753

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3754

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3755

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3756

3757

cadesc = cacert.get_subject()

3758

sedesc = secert.get_subject()

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3759

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3760

def set_replaces_add_ca(ctx):

3761

ctx.add_client_ca(clcert)

3762

ctx.set_client_ca_list([cadesc])

3763

ctx.add_client_ca(secert)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3764

return [cadesc, sedesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3765

self._check_client_ca_list(set_replaces_add_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3766

Jean-Paul Calderone

0b88b6a

2009-07-05 12:44:41 -0400

[diff] [blame]

3767

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3768

class TestInfoConstants(object):

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3769

"""

3770

Tests for assorted constants exposed for use in info callbacks.

3771

"""

3772

def test_integers(self):

3773

"""

3774

All of the info constants are integers.

3775

3776

This is a very weak test. It would be nice to have one that actually

3777

verifies that as certain info events happen, the value passed to the

3778

info callback matches up with the constant exposed by OpenSSL.SSL.

3779

"""

3780

for const in [

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

3781

SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK,

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3782

SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT,

3783

SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP,

3784

SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT,

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3785

SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE

3786

]:

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

3787

assert isinstance(const, int)

3788

3789

# These constants don't exist on OpenSSL 1.1.0

3790

for const in [

3791

SSL_ST_INIT, SSL_ST_BEFORE, SSL_ST_OK, SSL_ST_RENEGOTIATE

3792

]:

3793

assert const is None or isinstance(const, int)

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3794

Ziga Seilnacht

44611bf

2009-08-31 20:49:30 +0200

[diff] [blame]

3795

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3796

class TestRequires(object):

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3797

"""

3798

Tests for the decorator factory used to conditionally raise

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3799

NotImplementedError when older OpenSSLs are used.

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3800

"""

3801

def test_available(self):

3802

"""

3803

When the OpenSSL functionality is available the decorated functions

3804

work appropriately.

3805

"""

3806

feature_guard = _make_requires(True, "Error text")

results = []

@feature_guard

def inner():

results.append(True)

return True

Cory Benfield

2016-03-30 14:24:16 +0100

[diff] [blame]

3814

assert inner() is True

3815

assert [True] == results

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3816

3817

def test_unavailable(self):

3818

"""

3819

When the OpenSSL functionality is not available the decorated function

3820

does not execute and NotImplementedError is raised.

3821

"""

3822

feature_guard = _make_requires(False, "Error text")

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3823

3824

@feature_guard

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3825

def inner(): # pragma: nocover

3826

pytest.fail("Should not be called")

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3827

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3828

with pytest.raises(NotImplementedError) as e:

3829

inner()

3830

3831

assert "Error text" in str(e.value)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3832

3833

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3834

class TestOCSP(object):

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3835

"""

3836

Tests for PyOpenSSL's OCSP stapling support.

3837

"""

3838

sample_ocsp_data = b"this is totally ocsp data"

3839

3840

def _client_connection(self, callback, data, request_ocsp=True):

3841

"""

3842

Builds a client connection suitable for using OCSP.

3843

3844

:param callback: The callback to register for OCSP.

3845

:param data: The opaque data object that will be handed to the

3846

OCSP callback.

3847

:param request_ocsp: Whether the client will actually ask for OCSP

3848

stapling. Useful for testing only.

3849

"""

3850

ctx = Context(SSLv23_METHOD)

3851

ctx.set_ocsp_client_callback(callback, data)

3852

client = Connection(ctx)

3853

3854

if request_ocsp:

3855

client.request_ocsp()

3856

3857

client.set_connect_state()

3858

return client

3859

3860

def _server_connection(self, callback, data):

3861

"""

3862

Builds a server connection suitable for using OCSP.

3863

3864

:param callback: The callback to register for OCSP.

3865

:param data: The opaque data object that will be handed to the

3866

OCSP callback.

3867

"""

3868

ctx = Context(SSLv23_METHOD)

3869

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

3870

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

3871

ctx.set_ocsp_server_callback(callback, data)

3872

server = Connection(ctx)

3873

server.set_accept_state()

3874

return server

3875

3876

def test_callbacks_arent_called_by_default(self):

3877

"""

3878

If both the client and the server have registered OCSP callbacks, but

3879

the client does not send the OCSP request, neither callback gets

3880

called.

3881

"""

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3882

def ocsp_callback(*args, **kwargs): # pragma: nocover

3883

pytest.fail("Should not be called")

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3884

3885

client = self._client_connection(

3886

callback=ocsp_callback, data=None, request_ocsp=False

3887

)

3888

server = self._server_connection(callback=ocsp_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3889

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3890

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3891

def test_client_negotiates_without_server(self):

3892

"""

3893

If the client wants to do OCSP but the server does not, the handshake

3894

succeeds, and the client callback fires with an empty byte string.

"""

called = []

def ocsp_callback(conn, ocsp_data, ignored):

3899

called.append(ocsp_data)

3900

return True

3901

3902

client = self._client_connection(callback=ocsp_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3903

server = loopback_server_factory(socket=None)

3904

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3905

3906

assert len(called) == 1

3907

assert called[0] == b''

3908

3909

def test_client_receives_servers_data(self):

3910

"""

3911

The data the server sends in its callback is received by the client.

"""

calls = []

def server_callback(*args, **kwargs):

3916

return self.sample_ocsp_data

3917

3918

def client_callback(conn, ocsp_data, ignored):

3919

calls.append(ocsp_data)

3920

return True

3921

3922

client = self._client_connection(callback=client_callback, data=None)

3923

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3924

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3925

3926

assert len(calls) == 1

3927

assert calls[0] == self.sample_ocsp_data

3928

3929

def test_callbacks_are_invoked_with_connections(self):

3930

"""

3931

The first arguments to both callbacks are their respective connections.

"""

client_calls = []

server_calls = []

def client_callback(conn, *args, **kwargs):

3937

client_calls.append(conn)

3938

return True

3939

3940

def server_callback(conn, *args, **kwargs):

3941

server_calls.append(conn)

3942

return self.sample_ocsp_data

3943

3944

client = self._client_connection(callback=client_callback, data=None)

3945

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3946

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3947

3948

assert len(client_calls) == 1

3949

assert len(server_calls) == 1

3950

assert client_calls[0] is client

3951

assert server_calls[0] is server

3952

3953

def test_opaque_data_is_passed_through(self):

3954

"""

3955

Both callbacks receive an opaque, user-provided piece of data in their

3956

callbacks as the final argument.

"""

calls = []

def server_callback(*args):

3961

calls.append(args)

3962

return self.sample_ocsp_data

3963

3964

def client_callback(*args):

calls.append(args)

return True

sentinel = object()

client = self._client_connection(

3971

callback=client_callback, data=sentinel

3972

)

3973

server = self._server_connection(

3974

callback=server_callback, data=sentinel

3975

)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3976

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3977

3978

assert len(calls) == 2

3979

assert calls[0][-1] is sentinel

3980

assert calls[1][-1] is sentinel

3981

3982

def test_server_returns_empty_string(self):

3983

"""

3984

If the server returns an empty bytestring from its callback, the

3985

client callback is called with the empty bytestring.

"""

client_calls = []

def server_callback(*args):

3990

return b''

3991

3992

def client_callback(conn, ocsp_data, ignored):

3993

client_calls.append(ocsp_data)

3994

return True

3995

3996

client = self._client_connection(callback=client_callback, data=None)

3997

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3998

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3999

4000

assert len(client_calls) == 1

4001

assert client_calls[0] == b''

4002

4003

def test_client_returns_false_terminates_handshake(self):

4004

"""

4005

If the client returns False from its callback, the handshake fails.

4006

"""

4007

def server_callback(*args):

4008

return self.sample_ocsp_data

4009

4010

def client_callback(*args):

4011

return False

4012

4013

client = self._client_connection(callback=client_callback, data=None)

4014

server = self._server_connection(callback=server_callback, data=None)

4015

4016

with pytest.raises(Error):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

4017

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

4018

4019

def test_exceptions_in_client_bubble_up(self):

4020

"""

4021

The callbacks thrown in the client callback bubble up to the caller.

4022

"""

4023

class SentinelException(Exception):

4024

pass

4025

4026

def server_callback(*args):

4027

return self.sample_ocsp_data

4028

4029

def client_callback(*args):

4030

raise SentinelException()

4031

4032

client = self._client_connection(callback=client_callback, data=None)

4033

server = self._server_connection(callback=server_callback, data=None)

4034

4035

with pytest.raises(SentinelException):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

4036

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

4037

4038

def test_exceptions_in_server_bubble_up(self):

4039

"""

4040

The callbacks thrown in the server callback bubble up to the caller.

4041

"""

4042

class SentinelException(Exception):

4043

pass

4044

4045

def server_callback(*args):

4046

raise SentinelException()

4047

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

4048

def client_callback(*args): # pragma: nocover

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

4049

pytest.fail("Should not be called")

4050

4051

client = self._client_connection(callback=client_callback, data=None)

4052

server = self._server_connection(callback=server_callback, data=None)

4053

4054

with pytest.raises(SentinelException):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

4055

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

4056

4057

def test_server_must_return_bytes(self):

4058

"""

4059

The server callback must return a bytestring, or a TypeError is thrown.

4060

"""

4061

def server_callback(*args):

4062

return self.sample_ocsp_data.decode('ascii')

4063

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

4064

def client_callback(*args): # pragma: nocover

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

4065

pytest.fail("Should not be called")

4066

4067

client = self._client_connection(callback=client_callback, data=None)

4068

server = self._server_connection(callback=server_callback, data=None)

4069

4070

with pytest.raises(TypeError):

Alex Chan