Blame - tests/test_ssl.py - platform/external/python/pyopenssl

2008-03-21 17:04:05 -0400

[diff] [blame]

4

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

5

Unit tests for :mod:`OpenSSL.SSL`.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

6

"""

7

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

8

import datetime

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

9

import sys

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

10

import uuid

11

Jean-Paul Calderone

4c1aacd

2014-01-11 08:15:17 -0500

[diff] [blame]

12

from gc import collect, get_referrers

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

13

from errno import ECONNREFUSED, EINPROGRESS, EWOULDBLOCK, EPIPE, ESHUTDOWN

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

14

from sys import platform, getfilesystemencoding, version_info

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

15

from socket import MSG_PEEK, SHUT_RDWR, error, socket

Jean-Paul Calderone

a65cf6c

2009-07-19 10:26:52 -0400

[diff] [blame]

16

from os import makedirs

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

17

from os.path import join

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

18

from weakref import ref

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

19

from warnings import simplefilter

Jean-Paul Calderone

460cc1f

2009-03-07 11:31:12 -0500

[diff] [blame]

20

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

21

import pytest

22

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

23

from pretend import raiser

24

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

25

from six import PY3, text_type

Jean-Paul Calderone

c76c61c

2014-01-18 13:21:52 -0500

[diff] [blame]

26

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

27

from cryptography import x509

28

from cryptography.hazmat.backends import default_backend

29

from cryptography.hazmat.primitives import hashes

30

from cryptography.hazmat.primitives import serialization

31

from cryptography.hazmat.primitives.asymmetric import rsa

32

from cryptography.x509.oid import NameOID

33

34

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

35

from OpenSSL.crypto import TYPE_RSA, FILETYPE_PEM

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

36

from OpenSSL.crypto import PKey, X509, X509Extension, X509Store

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

37

from OpenSSL.crypto import dump_privatekey, load_privatekey

38

from OpenSSL.crypto import dump_certificate, load_certificate

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

39

from OpenSSL.crypto import get_elliptic_curves

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

40

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

41

from OpenSSL.SSL import OPENSSL_VERSION_NUMBER, SSLEAY_VERSION, SSLEAY_CFLAGS

42

from OpenSSL.SSL import SSLEAY_PLATFORM, SSLEAY_DIR, SSLEAY_BUILT_ON

Jean-Paul Calderone

e4f6b47

2010-07-29 22:50:58 -0400

[diff] [blame]

43

from OpenSSL.SSL import SENT_SHUTDOWN, RECEIVED_SHUTDOWN

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

44

from OpenSSL.SSL import (

45

SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD,

46

TLSv1_1_METHOD, TLSv1_2_METHOD)

47

from OpenSSL.SSL import OP_SINGLE_DH_USE, OP_NO_SSLv2, OP_NO_SSLv3

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

48

from OpenSSL.SSL import (

49

VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT, VERIFY_CLIENT_ONCE, VERIFY_NONE)

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

50

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

51

from OpenSSL import SSL

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

52

from OpenSSL.SSL import (

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

53

SESS_CACHE_OFF, SESS_CACHE_CLIENT, SESS_CACHE_SERVER, SESS_CACHE_BOTH,

54

SESS_CACHE_NO_AUTO_CLEAR, SESS_CACHE_NO_INTERNAL_LOOKUP,

55

SESS_CACHE_NO_INTERNAL_STORE, SESS_CACHE_NO_INTERNAL)

56

57

from OpenSSL.SSL import (

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

58

Error, SysCallError, WantReadError, WantWriteError, ZeroReturnError)

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

59

from OpenSSL.SSL import (

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

60

Context, ContextType, Session, Connection, ConnectionType, SSLeay_version)

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

61

from OpenSSL.SSL import _make_requires

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

62

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

63

from OpenSSL._util import ffi as _ffi, lib as _lib

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

64

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

65

from OpenSSL.SSL import (

66

OP_NO_QUERY_MTU, OP_COOKIE_EXCHANGE, OP_NO_TICKET, OP_NO_COMPRESSION,

67

MODE_RELEASE_BUFFERS)

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

68

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

69

from OpenSSL.SSL import (

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

70

SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK,

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

71

SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT,

72

SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP,

73

SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT,

74

SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE)

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

75

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

76

try:

77

from OpenSSL.SSL import (

78

SSL_ST_INIT, SSL_ST_BEFORE, SSL_ST_OK, SSL_ST_RENEGOTIATE

79

)

80

except ImportError:

81

SSL_ST_INIT = SSL_ST_BEFORE = SSL_ST_OK = SSL_ST_RENEGOTIATE = None

82

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

83

from .util import WARNING_TYPE_EXPECTED, NON_ASCII, is_consistent_type

Hynek Schlawack

f0e6685

2015-10-16 20:18:38 +0200

[diff] [blame]

84

from .test_crypto import (

85

cleartextCertificatePEM, cleartextPrivateKeyPEM,

86

client_cert_pem, client_key_pem, server_cert_pem, server_key_pem,

87

root_cert_pem)

88

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

89

Alex Gaynor

d0bdd2d

2016-09-10 14:23:46 -0400

[diff] [blame]

90

# openssl dhparam 1024 -out dh-1024.pem (note that 1024 is a small number of

91

# bits to use)

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

92

dhparam = """\

93

-----BEGIN DH PARAMETERS-----

Alex Gaynor

d0bdd2d

2016-09-10 14:23:46 -0400

[diff] [blame]

94

MIGHAoGBALdUMvn+C9MM+y5BWZs11mSeH6HHoEq0UVbzVq7UojC1hbsZUuGukQ3a

95

Qh2/pwqb18BZFykrWB0zv/OkLa0kx4cuUgNrUVq1EFheBiX6YqryJ7t2sO09NQiO

96

V7H54LmltOT/hEh6QWsJqb6BQgH65bswvV/XkYGja8/T0GzvbaVzAgEC

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

97

-----END DH PARAMETERS-----

"""

Hynek Schlawack

2015-09-05 20:48:34 +0200

[diff] [blame]

101

skip_if_py3 = pytest.mark.skipif(PY3, reason="Python 2 only")

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

102

skip_if_py26 = pytest.mark.skipif(

103

version_info[0:2] == (2, 6),

104

reason="Python 2.7 and later only"

105

)

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

106

107

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

108

def join_bytes_or_unicode(prefix, suffix):

109

"""

110

Join two path components of either ``bytes`` or ``unicode``.

111

112

The return type is the same as the type of ``prefix``.

113

"""

114

# If the types are the same, nothing special is necessary.

115

if type(prefix) == type(suffix):

116

return join(prefix, suffix)

117

118

# Otherwise, coerce suffix to the type of prefix.

119

if isinstance(prefix, text_type):

120

return join(prefix, suffix.decode(getfilesystemencoding()))

121

else:

122

return join(prefix, suffix.encode(getfilesystemencoding()))

123

124

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

125

def verify_cb(conn, cert, errnum, depth, ok):

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

126

return ok

127

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

128

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

129

def socket_pair():

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

130

"""

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

131

Establish and return a pair of network sockets connected to each other.

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

132

"""

133

# Connect a pair of sockets

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

port = socket()

port.bind(('', 0))

port.listen(1)

client = socket()

client.setblocking(False)

Jean-Paul Calderone

f23c5d9

2009-07-23 17:58:15 -0400

[diff] [blame]

139

client.connect_ex(("127.0.0.1", port.getsockname()[1]))

Jean-Paul Calderone

94b24a8

2009-07-16 19:11:38 -0400

[diff] [blame]

140

client.setblocking(True)

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

141

server = port.accept()[0]

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

142

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

143

# Let's pass some unencrypted data to make sure our socket connection is

144

# fine. Just one byte, so we don't have to worry about buffers getting

145

# filled up or fragmentation.

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

146

server.send(b"x")

147

assert client.recv(1024) == b"x"

148

client.send(b"y")

149

assert server.recv(1024) == b"y"

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

150

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

151

# Most of our callers want non-blocking sockets, make it easy for them.

Jean-Paul Calderone

94b24a8

2009-07-16 19:11:38 -0400

[diff] [blame]

152

server.setblocking(False)

153

client.setblocking(False)

Jim Shaver

46f2891

2015-05-29 19:32:16 -0400

[diff] [blame]

154

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

155

return (server, client)

156

157

Jean-Paul Calderone

f874203

2010-09-25 00:00:32 -0400

[diff] [blame]

158

def handshake(client, server):

159

conns = [client, server]

while conns:

for conn in conns:

try:

conn.do_handshake()

except WantReadError:

pass

else:

conns.remove(conn)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

170

def _create_certificate_chain():

171

"""

172

Construct and return a chain of certificates.

173

174

1. A new self-signed certificate authority certificate (cacert)

175

2. A new intermediate certificate signed by cacert (icert)

176

3. A new server certificate signed by icert (scert)

177

"""

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

178

caext = X509Extension(b'basicConstraints', False, b'CA:true')

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

179

180

# Step 1

181

cakey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

182

cakey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

183

cacert = X509()

184

cacert.get_subject().commonName = "Authority Certificate"

185

cacert.set_issuer(cacert.get_subject())

186

cacert.set_pubkey(cakey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

187

cacert.set_notBefore(b"20000101000000Z")

188

cacert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

189

cacert.add_extensions([caext])

190

cacert.set_serial_number(0)

191

cacert.sign(cakey, "sha1")

192

193

# Step 2

194

ikey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

195

ikey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

196

icert = X509()

197

icert.get_subject().commonName = "Intermediate Certificate"

198

icert.set_issuer(cacert.get_subject())

199

icert.set_pubkey(ikey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

200

icert.set_notBefore(b"20000101000000Z")

201

icert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

202

icert.add_extensions([caext])

203

icert.set_serial_number(0)

204

icert.sign(cakey, "sha1")

205

206

# Step 3

207

skey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

208

skey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

209

scert = X509()

210

scert.get_subject().commonName = "Server Certificate"

211

scert.set_issuer(icert.get_subject())

212

scert.set_pubkey(skey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

213

scert.set_notBefore(b"20000101000000Z")

214

scert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

215

scert.add_extensions([

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

216

X509Extension(b'basicConstraints', True, b'CA:false')])

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

217

scert.set_serial_number(0)

218

scert.sign(ikey, "sha1")

219

220

return [(cakey, cacert), (ikey, icert), (skey, scert)]

221

222

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

223

def loopback_client_factory(socket):

224

client = Connection(Context(TLSv1_METHOD), socket)

225

client.set_connect_state()

return client

def loopback_server_factory(socket):

230

ctx = Context(TLSv1_METHOD)

231

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

232

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

233

server = Connection(ctx, socket)

234

server.set_accept_state()

return server

def loopback(server_factory=None, client_factory=None):

239

"""

240

Create a connected socket pair and force two connected SSL sockets

241

to talk to each other via memory BIOs.

242

"""

243

if server_factory is None:

244

server_factory = loopback_server_factory

245

if client_factory is None:

246

client_factory = loopback_client_factory

247

248

(server, client) = socket_pair()

249

server = server_factory(server)

250

client = client_factory(client)

251

252

handshake(client, server)

253

254

server.setblocking(True)

255

client.setblocking(True)

256

return server, client

257

258

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

259

def interact_in_memory(client_conn, server_conn):

260

"""

261

Try to read application bytes from each of the two `Connection` objects.

262

Copy bytes back and forth between their send/receive buffers for as long

263

as there is anything to copy. When there is nothing more to copy,

264

return `None`. If one of them actually manages to deliver some application

265

bytes, return a two-tuple of the connection from which the bytes were read

266

and the bytes themselves.

"""

wrote = True

while wrote:

# Loop until neither side has anything to say

271

wrote = False

272

273

# Copy stuff from each side's send buffer to the other side's

274

# receive buffer.

275

for (read, write) in [(client_conn, server_conn),

276

(server_conn, client_conn)]:

277

278

# Give the side a chance to generate some more bytes, or succeed.

279

try:

280

data = read.recv(2 ** 16)

281

except WantReadError:

282

# It didn't succeed, so we'll hope it generated some output.

283

pass

284

else:

285

# It did succeed, so we'll stop now and let the caller deal

# with it.

return (read, data)

while True:

# Keep copying as long as there's more stuff there.

291

try:

292

dirty = read.bio_read(4096)

293

except WantReadError:

294

# Okay, nothing more waiting to be sent. Stop

295

# processing this send buffer.

296

break

297

else:

298

# Keep track of the fact that someone generated some

299

# output.

300

wrote = True

301

write.bio_write(dirty)

302

303

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

304

def handshake_in_memory(client_conn, server_conn):

305

"""

306

Perform the TLS handshake between two `Connection` instances connected to

307

each other via memory BIOs.

308

"""

309

client_conn.set_connect_state()

310

server_conn.set_accept_state()

311

312

for conn in [client_conn, server_conn]:

313

try:

314

conn.do_handshake()

315

except WantReadError:

316

pass

317

318

interact_in_memory(client_conn, server_conn)

319

320

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

321

class TestVersion(object):

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

322

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

323

Tests for version information exposed by `OpenSSL.SSL.SSLeay_version` and

324

`OpenSSL.SSL.OPENSSL_VERSION_NUMBER`.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

325

"""

326

def test_OPENSSL_VERSION_NUMBER(self):

327

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

328

`OPENSSL_VERSION_NUMBER` is an integer with status in the low byte and

329

the patch, fix, minor, and major versions in the nibbles above that.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

330

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

331

assert isinstance(OPENSSL_VERSION_NUMBER, int)

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

332

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

333

def test_SSLeay_version(self):

334

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

335

`SSLeay_version` takes a version type indicator and returns one of a

336

number of version strings based on that indicator.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

337

"""

338

versions = {}

339

for t in [SSLEAY_VERSION, SSLEAY_CFLAGS, SSLEAY_BUILT_ON,

340

SSLEAY_PLATFORM, SSLEAY_DIR]:

341

version = SSLeay_version(t)

342

versions[version] = t

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

343

assert isinstance(version, bytes)

344

assert len(versions) == 5

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

345

346

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

347

@pytest.fixture

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

348

def ca_file(tmpdir):

349

"""

350

Create a valid PEM file with CA certificates and return the path.

351

"""

352

key = rsa.generate_private_key(

353

public_exponent=65537,

354

key_size=2048,

355

backend=default_backend()

356

)

357

public_key = key.public_key()

358

359

builder = x509.CertificateBuilder()

360

builder = builder.subject_name(x509.Name([

361

x509.NameAttribute(NameOID.COMMON_NAME, u"pyopenssl.org"),

362

]))

363

builder = builder.issuer_name(x509.Name([

364

x509.NameAttribute(NameOID.COMMON_NAME, u"pyopenssl.org"),

365

]))

366

one_day = datetime.timedelta(1, 0, 0)

367

builder = builder.not_valid_before(datetime.datetime.today() - one_day)

368

builder = builder.not_valid_after(datetime.datetime.today() + one_day)

369

builder = builder.serial_number(int(uuid.uuid4()))

370

builder = builder.public_key(public_key)

371

builder = builder.add_extension(

372

x509.BasicConstraints(ca=True, path_length=None), critical=True,

373

)

374

375

certificate = builder.sign(

376

private_key=key, algorithm=hashes.SHA256(),

377

backend=default_backend()

378

)

379

380

ca_file = tmpdir.join("test.pem")

381

ca_file.write_binary(

382

certificate.public_bytes(

383

encoding=serialization.Encoding.PEM,

)

)

return str(ca_file).encode("ascii")

388

389

390

@pytest.fixture

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

391

def context():

392

"""

393

A simple TLS 1.0 context.

394

"""

395

return Context(TLSv1_METHOD)

396

397

398

class TestContext(object):

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

399

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

400

Unit tests for `OpenSSL.SSL.Context`.

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

401

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

402

@pytest.mark.parametrize("cipher_string", [

403

b"hello world:AES128-SHA",

404

u"hello world:AES128-SHA",

405

])

406

def test_set_cipher_list(self, context, cipher_string):

407

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

408

`Context.set_cipher_list` accepts both byte and unicode strings

Hynek Schlawack

a7a63af

2016-03-11 12:05:26 +0100

[diff] [blame]

409

for naming the ciphers which connections created with the context

410

object will be able to choose from.

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

411

"""

412

context.set_cipher_list(cipher_string)

413

conn = Connection(context, None)

414

415

assert "AES128-SHA" in conn.get_cipher_list()

416

417

@pytest.mark.parametrize("cipher_list,error", [

418

(object(), TypeError),

419

("imaginary-cipher", Error),

420

])

421

def test_set_cipher_list_wrong_args(self, context, cipher_list, error):

422

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

423

`Context.set_cipher_list` raises `TypeError` when passed a non-string

424

argument and raises `OpenSSL.SSL.Error` when passed an incorrect cipher

425

list string.

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

426

"""

427

with pytest.raises(error):

428

context.set_cipher_list(cipher_list)

429

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

430

def test_load_client_ca(self, context, ca_file):

431

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

432

`Context.load_client_ca` works as far as we can tell.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

433

"""

434

context.load_client_ca(ca_file)

435

436

def test_load_client_ca_invalid(self, context, tmpdir):

437

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

438

`Context.load_client_ca` raises an Error if the ca file is invalid.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

439

"""

440

ca_file = tmpdir.join("test.pem")

441

ca_file.write("")

442

443

with pytest.raises(Error) as e:

444

context.load_client_ca(str(ca_file).encode("ascii"))

445

446

assert "PEM routines" == e.value.args[0][0][0]

447

448

def test_load_client_ca_unicode(self, context, ca_file):

449

"""

450

Passing the path as unicode raises a warning but works.

451

"""

452

pytest.deprecated_call(

453

context.load_client_ca, ca_file.decode("ascii")

454

)

455

456

def test_set_session_id(self, context):

457

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

458

`Context.set_session_id` works as far as we can tell.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

459

"""

460

context.set_session_id(b"abc")

461

462

def test_set_session_id_fail(self, context):

463

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

464

`Context.set_session_id` errors are propagated.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

465

"""

466

with pytest.raises(Error) as e:

467

context.set_session_id(b"abc" * 1000)

assert [

("SSL routines",

"SSL_CTX_set_session_id_context",

472

"ssl session id context too long")

473

] == e.value.args[0]

474

475

def test_set_session_id_unicode(self, context):

476

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

477

`Context.set_session_id` raises a warning if a unicode string is

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

478

passed.

479

"""

480

pytest.deprecated_call(context.set_session_id, u"abc")

481

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

482

def test_method(self):

483

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

484

`Context` can be instantiated with one of `SSLv2_METHOD`,

485

`SSLv3_METHOD`, `SSLv23_METHOD`, `TLSv1_METHOD`, `TLSv1_1_METHOD`,

486

or `TLSv1_2_METHOD`.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

487

"""

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

488

methods = [SSLv23_METHOD, TLSv1_METHOD]

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

489

for meth in methods:

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

490

Context(meth)

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

491

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

492

maybe = [SSLv2_METHOD, SSLv3_METHOD, TLSv1_1_METHOD, TLSv1_2_METHOD]

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

for meth in maybe:

try:

Context(meth)

except (Error, ValueError):

497

# Some versions of OpenSSL have SSLv2 / TLSv1.1 / TLSv1.2, some

498

# don't. Difficult to say in advance.

499

pass

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

500

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

501

with pytest.raises(TypeError):

502

Context("")

503

with pytest.raises(ValueError):

504

Context(10)

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

505

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

506

@skip_if_py3

507

def test_method_long(self):

508

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

509

On Python 2 `Context` accepts values of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

510

"""

511

Context(long(TLSv1_METHOD))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

512

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

513

def test_type(self):

514

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

515

`Context` and `ContextType` refer to the same type object and can

516

be used to create instances of that type.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

517

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

518

assert Context is ContextType

519

assert is_consistent_type(Context, 'Context', TLSv1_METHOD)

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

520

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

521

def test_use_privatekey(self):

522

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

523

`Context.use_privatekey` takes an `OpenSSL.crypto.PKey` instance.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

524

"""

525

key = PKey()

526

key.generate_key(TYPE_RSA, 128)

527

ctx = Context(TLSv1_METHOD)

528

ctx.use_privatekey(key)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

529

with pytest.raises(TypeError):

530

ctx.use_privatekey("")

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

531

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

532

def test_use_privatekey_file_missing(self, tmpfile):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

533

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

534

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` when passed

535

the name of a file which does not exist.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

536

"""

537

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

538

with pytest.raises(Error):

539

ctx.use_privatekey_file(tmpfile)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

540

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

541

def _use_privatekey_file_test(self, pemfile, filetype):

542

"""

543

Verify that calling ``Context.use_privatekey_file`` with the given

544

arguments does not raise an exception.

545

"""

546

key = PKey()

547

key.generate_key(TYPE_RSA, 128)

548

549

with open(pemfile, "wt") as pem:

550

pem.write(

551

dump_privatekey(FILETYPE_PEM, key).decode("ascii")

552

)

553

554

ctx = Context(TLSv1_METHOD)

555

ctx.use_privatekey_file(pemfile, filetype)

556

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

557

@pytest.mark.parametrize('filetype', [object(), "", None, 1.0])

558

def test_wrong_privatekey_file_wrong_args(self, tmpfile, filetype):

559

"""

560

`Context.use_privatekey_file` raises `TypeError` when called with

561

a `filetype` which is not a valid file encoding.

562

"""

563

ctx = Context(TLSv1_METHOD)

564

with pytest.raises(TypeError):

565

ctx.use_privatekey_file(tmpfile, filetype)

566

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

567

def test_use_privatekey_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

568

"""

569

A private key can be specified from a file by passing a ``bytes``

570

instance giving the file name to ``Context.use_privatekey_file``.

571

"""

572

self._use_privatekey_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

573

tmpfile + NON_ASCII.encode(getfilesystemencoding()),

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

FILETYPE_PEM,

)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

577

def test_use_privatekey_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

578

"""

579

A private key can be specified from a file by passing a ``unicode``

580

instance giving the file name to ``Context.use_privatekey_file``.

581

"""

582

self._use_privatekey_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

583

tmpfile.decode(getfilesystemencoding()) + NON_ASCII,

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

FILETYPE_PEM,

)

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

587

@skip_if_py3

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

588

def test_use_privatekey_file_long(self, tmpfile):

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

589

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

590

On Python 2 `Context.use_privatekey_file` accepts a filetype of

591

type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

592

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

593

self._use_privatekey_file_test(tmpfile, long(FILETYPE_PEM))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

594

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

595

def test_use_certificate_wrong_args(self):

596

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

597

`Context.use_certificate_wrong_args` raises `TypeError` when not passed

598

exactly one `OpenSSL.crypto.X509` instance as an argument.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

599

"""

600

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

601

with pytest.raises(TypeError):

602

ctx.use_certificate("hello, world")

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

603

604

def test_use_certificate_uninitialized(self):

605

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

606

`Context.use_certificate` raises `OpenSSL.SSL.Error` when passed a

607

`OpenSSL.crypto.X509` instance which has not been initialized

608

(ie, which does not actually have any certificate data).

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

609

"""

610

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

611

with pytest.raises(Error):

612

ctx.use_certificate(X509())

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

613

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

614

def test_use_certificate(self):

615

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

616

`Context.use_certificate` sets the certificate which will be

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

617

used to identify connections created using the context.

618

"""

619

# TODO

620

# Hard to assert anything. But we could set a privatekey then ask

621

# OpenSSL if the cert and key agree using check_privatekey. Then as

622

# long as check_privatekey works right we're good...

623

ctx = Context(TLSv1_METHOD)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

624

ctx.use_certificate(

625

load_certificate(FILETYPE_PEM, cleartextCertificatePEM)

626

)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

627

628

def test_use_certificate_file_wrong_args(self):

629

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

630

`Context.use_certificate_file` raises `TypeError` if the first

631

argument is not a byte string or the second argument is not an integer.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

632

"""

633

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

634

with pytest.raises(TypeError):

635

ctx.use_certificate_file(object(), FILETYPE_PEM)

636

with pytest.raises(TypeError):

637

ctx.use_certificate_file(b"somefile", object())

638

with pytest.raises(TypeError):

639

ctx.use_certificate_file(object(), FILETYPE_PEM)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

640

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

641

def test_use_certificate_file_missing(self, tmpfile):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

642

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

643

`Context.use_certificate_file` raises `OpenSSL.SSL.Error` if passed

644

the name of a file which does not exist.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

645

"""

646

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

647

with pytest.raises(Error):

648

ctx.use_certificate_file(tmpfile)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

649

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

650

def _use_certificate_file_test(self, certificate_file):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

651

"""

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

652

Verify that calling ``Context.use_certificate_file`` with the given

653

filename doesn't raise an exception.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

654

"""

655

# TODO

656

# Hard to assert anything. But we could set a privatekey then ask

657

# OpenSSL if the cert and key agree using check_privatekey. Then as

658

# long as check_privatekey works right we're good...

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

659

with open(certificate_file, "wb") as pem_file:

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

660

pem_file.write(cleartextCertificatePEM)

661

662

ctx = Context(TLSv1_METHOD)

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

663

ctx.use_certificate_file(certificate_file)

664

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

665

def test_use_certificate_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

666

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

667

`Context.use_certificate_file` sets the certificate (given as a

668

`bytes` filename) which will be used to identify connections created

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

669

using the context.

670

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

671

filename = tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

672

self._use_certificate_file_test(filename)

673

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

674

def test_use_certificate_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

675

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

676

`Context.use_certificate_file` sets the certificate (given as a

677

`bytes` filename) which will be used to identify connections created

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

678

using the context.

679

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

680

filename = tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

681

self._use_certificate_file_test(filename)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

682

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

683

@skip_if_py3

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

684

def test_use_certificate_file_long(self, tmpfile):

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

685

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

686

On Python 2 `Context.use_certificate_file` accepts a

687

filetype of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

688

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

689

pem_filename = tmpfile

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

690

with open(pem_filename, "wb") as pem_file:

691

pem_file.write(cleartextCertificatePEM)

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

692

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

693

ctx = Context(TLSv1_METHOD)

694

ctx.use_certificate_file(pem_filename, long(FILETYPE_PEM))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

695

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

696

def test_check_privatekey_valid(self):

697

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

698

`Context.check_privatekey` returns `None` if the `Context` instance

699

has been configured to use a matched key and certificate pair.

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

700

"""

701

key = load_privatekey(FILETYPE_PEM, client_key_pem)

702

cert = load_certificate(FILETYPE_PEM, client_cert_pem)

703

context = Context(TLSv1_METHOD)

704

context.use_privatekey(key)

705

context.use_certificate(cert)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

706

assert None is context.check_privatekey()

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

707

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

708

def test_check_privatekey_invalid(self):

709

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

710

`Context.check_privatekey` raises `Error` if the `Context` instance

711

has been configured to use a key and certificate pair which don't

712

relate to each other.

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

713

"""

714

key = load_privatekey(FILETYPE_PEM, client_key_pem)

715

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

716

context = Context(TLSv1_METHOD)

717

context.use_privatekey(key)

718

context.use_certificate(cert)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

719

with pytest.raises(Error):

720

context.check_privatekey()

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

721

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

722

def test_app_data(self):

723

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

724

`Context.set_app_data` stores an object for later retrieval

725

using `Context.get_app_data`.

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

726

"""

727

app_data = object()

728

context = Context(TLSv1_METHOD)

729

context.set_app_data(app_data)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

730

assert context.get_app_data() is app_data

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

731

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

732

def test_set_options_wrong_args(self):

733

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

734

`Context.set_options` raises `TypeError` if called with

735

a non-`int` argument.

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

736

"""

737

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

738

with pytest.raises(TypeError):

739

context.set_options(None)

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

740

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

741

def test_set_options(self):

742

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

743

`Context.set_options` returns the new options value.

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

744

"""

745

context = Context(TLSv1_METHOD)

746

options = context.set_options(OP_NO_SSLv2)

Alex Gaynor

2310f8b

2016-09-10 14:39:32 -0400

[diff] [blame]

747

assert options & OP_NO_SSLv2 == OP_NO_SSLv2

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

748

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

749

@skip_if_py3

750

def test_set_options_long(self):

751

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

752

On Python 2 `Context.set_options` accepts values of type

753

`long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

754

"""

755

context = Context(TLSv1_METHOD)

756

options = context.set_options(long(OP_NO_SSLv2))

Alex Gaynor

2310f8b

2016-09-10 14:39:32 -0400

[diff] [blame]

757

assert options & OP_NO_SSLv2 == OP_NO_SSLv2

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

758

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

759

def test_set_mode_wrong_args(self):

760

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

761

`Context.set_mode` raises `TypeError` if called with

762

a non-`int` argument.

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

763

"""

764

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

765

with pytest.raises(TypeError):

766

context.set_mode(None)

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

767

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

768

def test_set_mode(self):

769

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

770

`Context.set_mode` accepts a mode bitvector and returns the

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

771

newly set mode.

772

"""

773

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

774

assert MODE_RELEASE_BUFFERS & context.set_mode(MODE_RELEASE_BUFFERS)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

775

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

776

@skip_if_py3

777

def test_set_mode_long(self):

778

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

779

On Python 2 `Context.set_mode` accepts values of type `long` as well

780

as `int`.

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

781

"""

782

context = Context(TLSv1_METHOD)

783

mode = context.set_mode(long(MODE_RELEASE_BUFFERS))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

784

assert MODE_RELEASE_BUFFERS & mode

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

785

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

786

def test_set_timeout_wrong_args(self):

787

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

788

`Context.set_timeout` raises `TypeError` if called with

789

a non-`int` argument.

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

790

"""

791

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

792

with pytest.raises(TypeError):

793

context.set_timeout(None)

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

794

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

795

def test_timeout(self):

796

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

797

`Context.set_timeout` sets the session timeout for all connections

798

created using the context object. `Context.get_timeout` retrieves

799

this value.

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

800

"""

801

context = Context(TLSv1_METHOD)

802

context.set_timeout(1234)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

803

assert context.get_timeout() == 1234

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

804

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

805

@skip_if_py3

806

def test_timeout_long(self):

807

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

808

On Python 2 `Context.set_timeout` accepts values of type `long` as

809

well as int.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

810

"""

811

context = Context(TLSv1_METHOD)

812

context.set_timeout(long(1234))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

813

assert context.get_timeout() == 1234

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

814

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

815

def test_set_verify_depth_wrong_args(self):

816

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

817

`Context.set_verify_depth` raises `TypeError` if called with a

818

non-`int` argument.

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

819

"""

820

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

821

with pytest.raises(TypeError):

822

context.set_verify_depth(None)

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

823

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

824

def test_verify_depth(self):

825

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

826

`Context.set_verify_depth` sets the number of certificates in

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

827

a chain to follow before giving up. The value can be retrieved with

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

828

`Context.get_verify_depth`.

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

829

"""

830

context = Context(TLSv1_METHOD)

831

context.set_verify_depth(11)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

832

assert context.get_verify_depth() == 11

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

833

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

834

@skip_if_py3

835

def test_verify_depth_long(self):

836

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

837

On Python 2 `Context.set_verify_depth` accepts values of type `long`

838

as well as int.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

839

"""

840

context = Context(TLSv1_METHOD)

841

context.set_verify_depth(long(11))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

842

assert context.get_verify_depth() == 11

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

843

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

844

def _write_encrypted_pem(self, passphrase, tmpfile):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

845

"""

846

Write a new private key out to a new file, encrypted using the given

847

passphrase. Return the path to the new file.

848

"""

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

849

key = PKey()

850

key.generate_key(TYPE_RSA, 128)

Jean-Paul Calderone

a986883

2010-08-22 21:38:34 -0400

[diff] [blame]

851

pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

852

with open(tmpfile, 'w') as fObj:

853

fObj.write(pem.decode('ascii'))

854

return tmpfile

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

855

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

856

def test_set_passwd_cb_wrong_args(self):

857

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

858

`Context.set_passwd_cb` raises `TypeError` if called with a

859

non-callable first argument.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

860

"""

861

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

862

with pytest.raises(TypeError):

863

context.set_passwd_cb(None)

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

864

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

865

def test_set_passwd_cb(self, tmpfile):

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

866

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

867

`Context.set_passwd_cb` accepts a callable which will be invoked when

868

a private key is loaded from an encrypted PEM.

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

869

"""

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

870

passphrase = b"foobar"

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

871

pemFile = self._write_encrypted_pem(passphrase, tmpfile)

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

872

calledWith = []

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

873

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

874

def passphraseCallback(maxlen, verify, extra):

875

calledWith.append((maxlen, verify, extra))

876

return passphrase

877

context = Context(TLSv1_METHOD)

878

context.set_passwd_cb(passphraseCallback)

879

context.use_privatekey_file(pemFile)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

880

assert len(calledWith) == 1

881

assert isinstance(calledWith[0][0], int)

882

assert isinstance(calledWith[0][1], int)

883

assert calledWith[0][2] is None

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

884

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

885

def test_passwd_callback_exception(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

886

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

887

`Context.use_privatekey_file` propagates any exception raised

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

888

by the passphrase callback.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

889

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

890

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

891

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

892

def passphraseCallback(maxlen, verify, extra):

893

raise RuntimeError("Sorry, I am a fail.")

894

895

context = Context(TLSv1_METHOD)

896

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

897

with pytest.raises(RuntimeError):

898

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

899

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

900

def test_passwd_callback_false(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

901

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

902

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` if the

903

passphrase callback returns a false value.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

904

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

905

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

906

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

907

def passphraseCallback(maxlen, verify, extra):

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

908

return b""

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

909

910

context = Context(TLSv1_METHOD)

911

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

912

with pytest.raises(Error):

913

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

914

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

915

def test_passwd_callback_non_string(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

916

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

917

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` if the

918

passphrase callback returns a true non-string value.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

919

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

920

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

921

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

922

def passphraseCallback(maxlen, verify, extra):

923

return 10

924

925

context = Context(TLSv1_METHOD)

926

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

927

# TODO: Surely this is the wrong error?

928

with pytest.raises(ValueError):

929

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

930

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

931

def test_passwd_callback_too_long(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

932

"""

933

If the passphrase returned by the passphrase callback returns a string

934

longer than the indicated maximum length, it is truncated.

935

"""

936

# A priori knowledge!

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

937

passphrase = b"x" * 1024

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

938

pemFile = self._write_encrypted_pem(passphrase, tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

939

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

940

def passphraseCallback(maxlen, verify, extra):

941

assert maxlen == 1024

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

942

return passphrase + b"y"

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

943

944

context = Context(TLSv1_METHOD)

945

context.set_passwd_cb(passphraseCallback)

946

# This shall succeed because the truncated result is the correct

947

# passphrase.

948

context.use_privatekey_file(pemFile)

949

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

950

def test_set_info_callback(self):

951

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

952

`Context.set_info_callback` accepts a callable which will be

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

953

invoked when certain information about an SSL connection is available.

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

954

"""

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

955

(server, client) = socket_pair()

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

956

957

clientSSL = Connection(Context(TLSv1_METHOD), client)

958

clientSSL.set_connect_state()

959

960

called = []

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

961

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

962

def info(conn, where, ret):

963

called.append((conn, where, ret))

964

context = Context(TLSv1_METHOD)

965

context.set_info_callback(info)

966

context.use_certificate(

967

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

968

context.use_privatekey(

969

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

970

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

971

serverSSL = Connection(context, server)

972

serverSSL.set_accept_state()

973

Jean-Paul Calderone

f2bbc9c

2014-02-02 10:59:14 -0500

[diff] [blame]

974

handshake(clientSSL, serverSSL)

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

975

Jean-Paul Calderone

3835e52

2014-02-02 11:12:30 -0500

[diff] [blame]

976

# The callback must always be called with a Connection instance as the

977

# first argument. It would probably be better to split this into

978

# separate tests for client and server side info callbacks so we could

979

# assert it is called with the right Connection instance. It would

980

# also be good to assert *something* about `where` and `ret`.

Jean-Paul Calderone

f2bbc9c

2014-02-02 10:59:14 -0500

[diff] [blame]

981

notConnections = [

982

conn for (conn, where, ret) in called

983

if not isinstance(conn, Connection)]

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

984

assert [] == notConnections, (

985

"Some info callback arguments were not Connection instances.")

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

986

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

987

def _load_verify_locations_test(self, *args):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

988

"""

989

Create a client context which will verify the peer certificate and call

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

990

its `load_verify_locations` method with the given arguments.

Jean-Paul Calderone

64efa2c

2011-09-11 10:00:09 -0400

[diff] [blame]

991

Then connect it to a server and ensure that the handshake succeeds.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

992

"""

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

993

(server, client) = socket_pair()

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

994

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

995

clientContext = Context(TLSv1_METHOD)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

996

clientContext.load_verify_locations(*args)

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

997

# Require that the server certificate verify properly or the

998

# connection will fail.

999

clientContext.set_verify(

1000

VERIFY_PEER,

1001

lambda conn, cert, errno, depth, preverify_ok: preverify_ok)

1002

1003

clientSSL = Connection(clientContext, client)

1004

clientSSL.set_connect_state()

1005

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1006

serverContext = Context(TLSv1_METHOD)

1007

serverContext.use_certificate(

1008

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1009

serverContext.use_privatekey(

1010

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1011

1012

serverSSL = Connection(serverContext, server)

1013

serverSSL.set_accept_state()

1014

Jean-Paul Calderone

f874203

2010-09-25 00:00:32 -0400

[diff] [blame]

1015

# Without load_verify_locations above, the handshake

1016

# will fail:

1017

# Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE',

1018

# 'certificate verify failed')]

1019

handshake(clientSSL, serverSSL)

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1020

1021

cert = clientSSL.get_peer_certificate()

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1022

assert cert.get_subject().CN == 'Testing Root CA'

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1023

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1024

def _load_verify_cafile(self, cafile):

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1025

"""

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1026

Verify that if path to a file containing a certificate is passed to

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1027

`Context.load_verify_locations` for the ``cafile`` parameter, that

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1028

certificate is used as a trust root for the purposes of verifying

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1029

connections created using that `Context`.

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1030

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1031

with open(cafile, 'w') as fObj:

1032

fObj.write(cleartextCertificatePEM.decode('ascii'))

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1033

1034

self._load_verify_locations_test(cafile)

1035

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1036

def test_load_verify_bytes_cafile(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1037

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1038

`Context.load_verify_locations` accepts a file name as a `bytes`

1039

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1040

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1041

cafile = tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1042

self._load_verify_cafile(cafile)

1043

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1044

def test_load_verify_unicode_cafile(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1045

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1046

`Context.load_verify_locations` accepts a file name as a `unicode`

1047

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1048

"""

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1049

self._load_verify_cafile(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1050

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1051

)

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1052

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1053

def test_load_verify_invalid_file(self, tmpfile):

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1054

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1055

`Context.load_verify_locations` raises `Error` when passed a

1056

non-existent cafile.

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1057

"""

1058

clientContext = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1059

with pytest.raises(Error):

1060

clientContext.load_verify_locations(tmpfile)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1061

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1062

def _load_verify_directory_locations_capath(self, capath):

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1063

"""

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1064

Verify that if path to a directory containing certificate files is

1065

passed to ``Context.load_verify_locations`` for the ``capath``

1066

parameter, those certificates are used as trust roots for the purposes

1067

of verifying connections created using that ``Context``.

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1068

"""

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1069

makedirs(capath)

Jean-Paul Calderone

24dfb33

2011-05-04 18:10:26 -0400

[diff] [blame]

1070

# Hash values computed manually with c_rehash to avoid depending on

1071

# c_rehash in the test suite. One is from OpenSSL 0.9.8, the other

1072

# from OpenSSL 1.0.0.

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

1073

for name in [b'c7adac82.0', b'c3705638.0']:

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

1074

cafile = join_bytes_or_unicode(capath, name)

1075

with open(cafile, 'w') as fObj:

1076

fObj.write(cleartextCertificatePEM.decode('ascii'))

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1077

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1078

self._load_verify_locations_test(None, capath)

1079

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1080

def test_load_verify_directory_bytes_capath(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1081

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1082

`Context.load_verify_locations` accepts a directory name as a `bytes`

1083

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1084

"""

1085

self._load_verify_directory_locations_capath(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1086

tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1087

)

1088

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1089

def test_load_verify_directory_unicode_capath(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1090

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1091

`Context.load_verify_locations` accepts a directory name as a `unicode`

1092

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1093

"""

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1094

self._load_verify_directory_locations_capath(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1095

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1096

)

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1097

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1098

def test_load_verify_locations_wrong_args(self):

1099

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1100

`Context.load_verify_locations` raises `TypeError` if with non-`str`

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1101

arguments.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1102

"""

1103

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1104

with pytest.raises(TypeError):

1105

context.load_verify_locations(object())

1106

with pytest.raises(TypeError):

1107

context.load_verify_locations(object(), object())

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1108

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1109

@pytest.mark.skipif(

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

1110

not platform.startswith("linux"),

1111

reason="Loading fallback paths is a linux-specific behavior to "

1112

"accommodate pyca/cryptography manylinux1 wheels"

1113

)

1114

def test_fallback_default_verify_paths(self, monkeypatch):

1115

"""

1116

Test that we load certificates successfully on linux from the fallback

1117

path. To do this we set the _CRYPTOGRAPHY_MANYLINUX1_CA_FILE and

1118

_CRYPTOGRAPHY_MANYLINUX1_CA_DIR vars to be equal to whatever the

1119

current OpenSSL default is and we disable

1120

SSL_CTX_SET_default_verify_paths so that it can't find certs unless

1121

it loads via fallback.

1122

"""

1123

context = Context(TLSv1_METHOD)

1124

monkeypatch.setattr(

1125

_lib, "SSL_CTX_set_default_verify_paths", lambda x: 1

)

monkeypatch.setattr(

SSL,

"_CRYPTOGRAPHY_MANYLINUX1_CA_FILE",

1130

_ffi.string(_lib.X509_get_default_cert_file())

)

monkeypatch.setattr(

SSL,

"_CRYPTOGRAPHY_MANYLINUX1_CA_DIR",

1135

_ffi.string(_lib.X509_get_default_cert_dir())

1136

)

1137

context.set_default_verify_paths()

1138

store = context.get_cert_store()

1139

sk_obj = _lib.X509_STORE_get0_objects(store._store)

1140

assert sk_obj != _ffi.NULL

1141

num = _lib.sk_X509_OBJECT_num(sk_obj)

1142

assert num != 0

1143

1144

def test_check_env_vars(self, monkeypatch):

1145

"""

1146

Test that we return True/False appropriately if the env vars are set.

1147

"""

1148

context = Context(TLSv1_METHOD)

1149

dir_var = "CUSTOM_DIR_VAR"

1150

file_var = "CUSTOM_FILE_VAR"

1151

assert context._check_env_vars_set(dir_var, file_var) is False

1152

monkeypatch.setenv(dir_var, "value")

1153

monkeypatch.setenv(file_var, "value")

1154

assert context._check_env_vars_set(dir_var, file_var) is True

1155

assert context._check_env_vars_set(dir_var, file_var) is True

1156

1157

def test_verify_no_fallback_if_env_vars_set(self, monkeypatch):

1158

"""

1159

Test that we don't use the fallback path if env vars are set.

1160

"""

1161

context = Context(TLSv1_METHOD)

1162

monkeypatch.setattr(

1163

_lib, "SSL_CTX_set_default_verify_paths", lambda x: 1

1164

)

1165

dir_env_var = _ffi.string(

1166

_lib.X509_get_default_cert_dir_env()

1167

).decode("ascii")

1168

file_env_var = _ffi.string(

1169

_lib.X509_get_default_cert_file_env()

1170

).decode("ascii")

1171

monkeypatch.setenv(dir_env_var, "value")

1172

monkeypatch.setenv(file_env_var, "value")

1173

context.set_default_verify_paths()

monkeypatch.setattr(

context,

"_fallback_default_verify_paths",

1178

raiser(SystemError)

1179

)

1180

context.set_default_verify_paths()

1181

1182

@pytest.mark.skipif(

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1183

platform == "win32",

1184

reason="set_default_verify_paths appears not to work on Windows. "

Jean-Paul Calderone

28fb8f0

2009-07-24 18:01:31 -0400

[diff] [blame]

1185

"See LP#404343 and LP#404344."

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1186

)

1187

def test_set_default_verify_paths(self):

1188

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1189

`Context.set_default_verify_paths` causes the platform-specific CA

1190

certificate locations to be used for verification purposes.

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1191

"""

1192

# Testing this requires a server with a certificate signed by one

1193

# of the CAs in the platform CA location. Getting one of those

1194

# costs money. Fortunately (or unfortunately, depending on your

1195

# perspective), it's easy to think of a public server on the

1196

# internet which has such a certificate. Connecting to the network

1197

# in a unit test is bad, but it's the only way I can think of to

1198

# really test this. -exarkun

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1199

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1200

# Arg, verisign.com doesn't speak anything newer than TLS 1.0

Hynek Schlawack

bf88793

2015-10-21 17:13:47 +0200

[diff] [blame]

1201

context = Context(SSLv23_METHOD)

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1202

context.set_default_verify_paths()

1203

context.set_verify(

1204

VERIFY_PEER,

1205

lambda conn, cert, errno, depth, preverify_ok: preverify_ok)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1206

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1207

client = socket()

Hynek Schlawack

bf88793

2015-10-21 17:13:47 +0200

[diff] [blame]

1208

client.connect(("encrypted.google.com", 443))

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1209

clientSSL = Connection(context, client)

1210

clientSSL.set_connect_state()

1211

clientSSL.do_handshake()

1212

clientSSL.send(b"GET / HTTP/1.0\r\n\r\n")

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1213

assert clientSSL.recv(1024)

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

1214

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

1215

def test_fallback_path_is_not_file_or_dir(self):

1216

"""

1217

Test that when passed empty arrays or paths that do not exist no

1218

errors are raised.

1219

"""

1220

context = Context(TLSv1_METHOD)

1221

context._fallback_default_verify_paths([], [])

1222

context._fallback_default_verify_paths(

1223

["/not/a/file"], ["/not/a/dir"]

1224

)

1225

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1226

def test_add_extra_chain_cert_invalid_cert(self):

1227

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1228

`Context.add_extra_chain_cert` raises `TypeError` if called with an

1229

object which is not an instance of `X509`.

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1230

"""

1231

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1232

with pytest.raises(TypeError):

1233

context.add_extra_chain_cert(object())

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1234

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1235

def _handshake_test(self, serverContext, clientContext):

1236

"""

1237

Verify that a client and server created with the given contexts can

1238

successfully handshake and communicate.

1239

"""

1240

serverSocket, clientSocket = socket_pair()

1241

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1242

server = Connection(serverContext, serverSocket)

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

1243

server.set_accept_state()

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1244

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1245

client = Connection(clientContext, clientSocket)

1246

client.set_connect_state()

1247

1248

# Make them talk to each other.

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1249

# interact_in_memory(client, server)

1250

for _ in range(3):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1251

for s in [client, server]:

1252

try:

1253

s.do_handshake()

1254

except WantReadError:

1255

pass

1256

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1257

def test_set_verify_callback_connection_argument(self):

1258

"""

1259

The first argument passed to the verify callback is the

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1260

`Connection` instance for which verification is taking place.

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1261

"""

1262

serverContext = Context(TLSv1_METHOD)

1263

serverContext.use_privatekey(

1264

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1265

serverContext.use_certificate(

1266

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1267

serverConnection = Connection(serverContext, None)

1268

1269

class VerifyCallback(object):

1270

def callback(self, connection, *args):

1271

self.connection = connection

1272

return 1

1273

1274

verify = VerifyCallback()

1275

clientContext = Context(TLSv1_METHOD)

1276

clientContext.set_verify(VERIFY_PEER, verify.callback)

1277

clientConnection = Connection(clientContext, None)

1278

clientConnection.set_connect_state()

1279

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1280

handshake_in_memory(clientConnection, serverConnection)

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1281

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1282

assert verify.connection is clientConnection

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1283

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1284

def test_set_verify_callback_exception(self):

1285

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1286

If the verify callback passed to `Context.set_verify` raises an

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1287

exception, verification fails and the exception is propagated to the

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1288

caller of `Connection.do_handshake`.

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1289

"""

1290

serverContext = Context(TLSv1_METHOD)

1291

serverContext.use_privatekey(

1292

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1293

serverContext.use_certificate(

1294

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1295

1296

clientContext = Context(TLSv1_METHOD)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1297

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1298

def verify_callback(*args):

1299

raise Exception("silly verify failure")

1300

clientContext.set_verify(VERIFY_PEER, verify_callback)

1301

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1302

with pytest.raises(Exception) as exc:

1303

self._handshake_test(serverContext, clientContext)

1304

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1305

assert "silly verify failure" == str(exc.value)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1306

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1307

def test_add_extra_chain_cert(self, tmpdir):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1308

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1309

`Context.add_extra_chain_cert` accepts an `X509`

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1310

instance to add to the certificate chain.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1311

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1312

See `_create_certificate_chain` for the details of the

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1313

certificate chain tested.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1314

1315

The chain is tested by starting a server with scert and connecting

1316

to it with a client which trusts cacert and requires verification to

1317

succeed.

1318

"""

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

1319

chain = _create_certificate_chain()

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1320

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

1321

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1322

# Dump the CA certificate to a file because that's the only way to load

1323

# it as a trusted CA in the client context.

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1324

for cert, name in [(cacert, 'ca.pem'),

1325

(icert, 'i.pem'),

1326

(scert, 's.pem')]:

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1327

with tmpdir.join(name).open('w') as f:

Hynek Schlawack

e90680f

2015-04-16 15:09:27 -0400

[diff] [blame]

1328

f.write(dump_certificate(FILETYPE_PEM, cert).decode('ascii'))

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1329

Hynek Schlawack

1902c01

2015-04-16 15:06:41 -0400

[diff] [blame]

1330

for key, name in [(cakey, 'ca.key'),

1331

(ikey, 'i.key'),

1332

(skey, 's.key')]:

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1333

with tmpdir.join(name).open('w') as f:

Hynek Schlawack

e90680f

2015-04-16 15:09:27 -0400

[diff] [blame]

1334

f.write(dump_privatekey(FILETYPE_PEM, key).decode('ascii'))

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1335

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1336

# Create the server context

1337

serverContext = Context(TLSv1_METHOD)

1338

serverContext.use_privatekey(skey)

1339

serverContext.use_certificate(scert)

Jean-Paul Calderone

16cf03d

2010-09-08 18:53:39 -0400

[diff] [blame]

1340

# The client already has cacert, we only need to give them icert.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1341

serverContext.add_extra_chain_cert(icert)

1342

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1343

# Create the client

1344

clientContext = Context(TLSv1_METHOD)

1345

clientContext.set_verify(

1346

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1347

clientContext.load_verify_locations(str(tmpdir.join("ca.pem")))

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

1348

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1349

# Try it out.

1350

self._handshake_test(serverContext, clientContext)

1351

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1352

def _use_certificate_chain_file_test(self, certdir):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1353

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1354

Verify that `Context.use_certificate_chain_file` reads a

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1355

certificate chain from a specified file.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1356

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1357

The chain is tested by starting a server with scert and connecting to

1358

it with a client which trusts cacert and requires verification to

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1359

succeed.

1360

"""

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

1361

chain = _create_certificate_chain()

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1362

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

1363

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1364

makedirs(certdir)

1365

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

1366

chainFile = join_bytes_or_unicode(certdir, "chain.pem")

1367

caFile = join_bytes_or_unicode(certdir, "ca.pem")

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1368

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1369

# Write out the chain file.

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1370

with open(chainFile, 'wb') as fObj:

1371

# Most specific to least general.

1372

fObj.write(dump_certificate(FILETYPE_PEM, scert))

1373

fObj.write(dump_certificate(FILETYPE_PEM, icert))

1374

fObj.write(dump_certificate(FILETYPE_PEM, cacert))

1375

1376

with open(caFile, 'w') as fObj:

1377

fObj.write(dump_certificate(FILETYPE_PEM, cacert).decode('ascii'))

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1378

1379

serverContext = Context(TLSv1_METHOD)

1380

serverContext.use_certificate_chain_file(chainFile)

1381

serverContext.use_privatekey(skey)

1382

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1383

clientContext = Context(TLSv1_METHOD)

1384

clientContext.set_verify(

1385

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1386

clientContext.load_verify_locations(caFile)

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1387

1388

self._handshake_test(serverContext, clientContext)

1389

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1390

def test_use_certificate_chain_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1391

"""

1392

``Context.use_certificate_chain_file`` accepts the name of a file (as

1393

an instance of ``bytes``) to specify additional certificates to use to

1394

construct and verify a trust chain.

1395

"""

1396

self._use_certificate_chain_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1397

tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1398

)

1399

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1400

def test_use_certificate_chain_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1401

"""

1402

``Context.use_certificate_chain_file`` accepts the name of a file (as

1403

an instance of ``unicode``) to specify additional certificates to use

1404

to construct and verify a trust chain.

1405

"""

1406

self._use_certificate_chain_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1407

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1408

)

1409

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1410

def test_use_certificate_chain_file_wrong_args(self):

1411

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1412

`Context.use_certificate_chain_file` raises `TypeError` if passed a

1413

non-byte string single argument.

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1414

"""

1415

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1416

with pytest.raises(TypeError):

1417

context.use_certificate_chain_file(object())

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1418

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1419

def test_use_certificate_chain_file_missing_file(self, tmpfile):

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1420

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1421

`Context.use_certificate_chain_file` raises `OpenSSL.SSL.Error` when

1422

passed a bad chain file name (for example, the name of a file which

1423

does not exist).

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1424

"""

1425

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1426

with pytest.raises(Error):

1427

context.use_certificate_chain_file(tmpfile)

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1428

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1429

def test_set_verify_mode(self):

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1430

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1431

`Context.get_verify_mode` returns the verify mode flags previously

1432

passed to `Context.set_verify`.

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1433

"""

1434

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1435

assert context.get_verify_mode() == 0

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1436

context.set_verify(

1437

VERIFY_PEER | VERIFY_CLIENT_ONCE, lambda *args: None)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1438

assert context.get_verify_mode() == (VERIFY_PEER | VERIFY_CLIENT_ONCE)

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1439

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1440

@skip_if_py3

1441

def test_set_verify_mode_long(self):

1442

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1443

On Python 2 `Context.set_verify_mode` accepts values of type `long`

1444

as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1445

"""

1446

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1447

assert context.get_verify_mode() == 0

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1448

context.set_verify(

Hynek Schlawack

b4ceed3

2015-09-05 20:55:19 +0200

[diff] [blame]

1449

long(VERIFY_PEER | VERIFY_CLIENT_ONCE), lambda *args: None

1450

) # pragma: nocover

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1451

assert context.get_verify_mode() == (VERIFY_PEER | VERIFY_CLIENT_ONCE)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1452

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1453

@pytest.mark.parametrize('mode', [None, 1.0, object(), 'mode'])

1454

def test_set_verify_wrong_mode_arg(self, mode):

1455

"""

1456

`Context.set_verify` raises `TypeError` if the first argument is

1457

not an integer.

1458

"""

1459

context = Context(TLSv1_METHOD)

1460

with pytest.raises(TypeError):

1461

context.set_verify(mode=mode, callback=lambda *args: None)

1462

1463

@pytest.mark.parametrize('callback', [None, 1.0, 'mode', ('foo', 'bar')])

1464

def test_set_verify_wrong_callable_arg(self, callback):

1465

"""

1466

`Context.set_verify` raises `TypeError` if the the second argument

1467

is not callable.

1468

"""

1469

context = Context(TLSv1_METHOD)

1470

with pytest.raises(TypeError):

1471

context.set_verify(mode=VERIFY_PEER, callback=callback)

1472

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1473

def test_load_tmp_dh_wrong_args(self):

1474

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1475

`Context.load_tmp_dh` raises `TypeError` if called with a

1476

non-`str` argument.

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1477

"""

1478

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1479

with pytest.raises(TypeError):

1480

context.load_tmp_dh(object())

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1481

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1482

def test_load_tmp_dh_missing_file(self):

1483

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1484

`Context.load_tmp_dh` raises `OpenSSL.SSL.Error` if the

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1485

specified file does not exist.

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1486

"""

1487

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1488

with pytest.raises(Error):

1489

context.load_tmp_dh(b"hello")

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1490

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1491

def _load_tmp_dh_test(self, dhfilename):

Jean-Paul Calderone

4e0c43f

2015-04-13 10:15:17 -0400

[diff] [blame]

1492

"""

1493

Verify that calling ``Context.load_tmp_dh`` with the given filename

1494

does not raise an exception.

1495

"""

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1496

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1497

with open(dhfilename, "w") as dhfile:

1498

dhfile.write(dhparam)

1499

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1500

context.load_tmp_dh(dhfilename)

1501

# XXX What should I assert here? -exarkun

1502

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1503

def test_load_tmp_dh_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1504

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1505

`Context.load_tmp_dh` loads Diffie-Hellman parameters from the

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1506

specified file (given as ``bytes``).

1507

"""

1508

self._load_tmp_dh_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1509

tmpfile + NON_ASCII.encode(getfilesystemencoding()),

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1510

)

1511

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1512

def test_load_tmp_dh_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1513

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1514

`Context.load_tmp_dh` loads Diffie-Hellman parameters from the

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1515

specified file (given as ``unicode``).

1516

"""

1517

self._load_tmp_dh_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1518

tmpfile.decode(getfilesystemencoding()) + NON_ASCII,

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1519

)

1520

Jean-Paul Calderone

3e4e335

2014-04-19 09:28:28 -0400

[diff] [blame]

1521

def test_set_tmp_ecdh(self):

Andy Lutomirski

f05a273

2014-03-13 17:22:25 -0700

[diff] [blame]

1522

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1523

`Context.set_tmp_ecdh` sets the elliptic curve for Diffie-Hellman to

1524

the specified curve.

Andy Lutomirski

f05a273

2014-03-13 17:22:25 -0700

[diff] [blame]

1525

"""

1526

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

1527

for curve in get_elliptic_curves():

Hynek Schlawack

a07fa8c

2015-10-17 10:15:28 +0200

[diff] [blame]

1528

if curve.name.startswith(u"Oakley-"):

Hynek Schlawack

7408aff

2015-10-17 09:51:16 +0200

[diff] [blame]

1529

# Setting Oakley-EC2N-4 and Oakley-EC2N-3 adds

1530

# ('bignum routines', 'BN_mod_inverse', 'no inverse') to the

1531

# error queue on OpenSSL 1.0.2.

1532

continue

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

1533

# The only easily "assertable" thing is that it does not raise an

1534

# exception.

Jean-Paul Calderone

3e4e335

2014-04-19 09:28:28 -0400

[diff] [blame]

1535

context.set_tmp_ecdh(curve)

Alex Gaynor

12dc084

2014-01-17 12:51:31 -0600

[diff] [blame]

1536

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1537

def test_set_session_cache_mode_wrong_args(self):

1538

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1539

`Context.set_session_cache_mode` raises `TypeError` if called with

1540

a non-integer argument.

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1541

called with other than one integer argument.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1542

"""

1543

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1544

with pytest.raises(TypeError):

1545

context.set_session_cache_mode(object())

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1546

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1547

def test_session_cache_mode(self):

1548

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1549

`Context.set_session_cache_mode` specifies how sessions are cached.

1550

The setting can be retrieved via `Context.get_session_cache_mode`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1551

"""

1552

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1553

context.set_session_cache_mode(SESS_CACHE_OFF)

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1554

off = context.set_session_cache_mode(SESS_CACHE_BOTH)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1555

assert SESS_CACHE_OFF == off

1556

assert SESS_CACHE_BOTH == context.get_session_cache_mode()

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1557

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1558

@skip_if_py3

1559

def test_session_cache_mode_long(self):

1560

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1561

On Python 2 `Context.set_session_cache_mode` accepts values

1562

of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1563

"""

1564

context = Context(TLSv1_METHOD)

1565

context.set_session_cache_mode(long(SESS_CACHE_BOTH))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1566

assert SESS_CACHE_BOTH == context.get_session_cache_mode()

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1567

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1568

def test_get_cert_store(self):

1569

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1570

`Context.get_cert_store` returns a `X509Store` instance.

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1571

"""

1572

context = Context(TLSv1_METHOD)

1573

store = context.get_cert_store()

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1574

assert isinstance(store, X509Store)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1575

1576

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1577

class TestServerNameCallback(object):

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1578

"""

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1579

Tests for `Context.set_tlsext_servername_callback` and its

1580

interaction with `Connection`.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1581

"""

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1582

def test_old_callback_forgotten(self):

1583

"""

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1584

If `Context.set_tlsext_servername_callback` is used to specify

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1585

a new callback, the one it replaces is dereferenced.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1586

"""

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1587

def callback(connection): # pragma: no cover

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1588

pass

1589

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1590

def replacement(connection): # pragma: no cover

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1591

pass

1592

1593

context = Context(TLSv1_METHOD)

1594

context.set_tlsext_servername_callback(callback)

1595

1596

tracker = ref(callback)

1597

del callback

1598

1599

context.set_tlsext_servername_callback(replacement)

Jean-Paul Calderone

d4033eb

2014-01-11 08:21:46 -0500

[diff] [blame]

1600

1601

# One run of the garbage collector happens to work on CPython. PyPy

1602

# doesn't collect the underlying object until a second run for whatever

1603

# reason. That's fine, it still demonstrates our code has properly

1604

# dropped the reference.

1605

collect()

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1606

collect()

Jean-Paul Calderone

4c1aacd

2014-01-11 08:15:17 -0500

[diff] [blame]

1607

1608

callback = tracker()

1609

if callback is not None:

1610

referrers = get_referrers(callback)

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1611

if len(referrers) > 1: # pragma: nocover

1612

pytest.fail("Some references remain: %r" % (referrers,))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1613

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1614

def test_no_servername(self):

1615

"""

1616

When a client specifies no server name, the callback passed to

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1617

`Context.set_tlsext_servername_callback` is invoked and the

1618

result of `Connection.get_servername` is `None`.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1619

"""

1620

args = []

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1621

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1622

def servername(conn):

1623

args.append((conn, conn.get_servername()))

1624

context = Context(TLSv1_METHOD)

1625

context.set_tlsext_servername_callback(servername)

1626

1627

# Lose our reference to it. The Context is responsible for keeping it

# alive now.

del servername

collect()

# Necessary to actually accept the connection

1633

context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1634

context.use_certificate(

1635

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1636

1637

# Do a little connection to trigger the logic

1638

server = Connection(context, None)

1639

server.set_accept_state()

1640

1641

client = Connection(Context(TLSv1_METHOD), None)

1642

client.set_connect_state()

1643

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1644

interact_in_memory(server, client)

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1645

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1646

assert args == [(server, None)]

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1647

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1648

def test_servername(self):

1649

"""

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1650

When a client specifies a server name in its hello message, the

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1651

callback passed to `Contexts.set_tlsext_servername_callback` is

1652

invoked and the result of `Connection.get_servername` is that

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1653

server name.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1654

"""

1655

args = []

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1656

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1657

def servername(conn):

1658

args.append((conn, conn.get_servername()))

1659

context = Context(TLSv1_METHOD)

1660

context.set_tlsext_servername_callback(servername)

1661

1662

# Necessary to actually accept the connection

1663

context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1664

context.use_certificate(

1665

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1666

1667

# Do a little connection to trigger the logic

1668

server = Connection(context, None)

1669

server.set_accept_state()

1670

1671

client = Connection(Context(TLSv1_METHOD), None)

1672

client.set_connect_state()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

1673

client.set_tlsext_host_name(b"foo1.example.com")

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1674

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1675

interact_in_memory(server, client)

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1676

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1677

assert args == [(server, b"foo1.example.com")]

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1678

1679

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1680

class TestNextProtoNegotiation(object):

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1681

"""

1682

Test for Next Protocol Negotiation in PyOpenSSL.

1683

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1684

def test_npn_success(self):

1685

"""

1686

Tests that clients and servers that agree on the negotiated next

1687

protocol can correct establish a connection, and that the agreed

1688

protocol is reported by the connections.

"""

advertise_args = []

select_args = []

def advertise(conn):

advertise_args.append((conn,))

1695

return [b'http/1.1', b'spdy/2']

1696

1697

def select(conn, options):

1698

select_args.append((conn, options))

1699

return b'spdy/2'

1700

1701

server_context = Context(TLSv1_METHOD)

1702

server_context.set_npn_advertise_callback(advertise)

1703

1704

client_context = Context(TLSv1_METHOD)

1705

client_context.set_npn_select_callback(select)

1706

1707

# Necessary to actually accept the connection

1708

server_context.use_privatekey(

1709

load_privatekey(FILETYPE_PEM, server_key_pem))

1710

server_context.use_certificate(

1711

load_certificate(FILETYPE_PEM, server_cert_pem))

1712

1713

# Do a little connection to trigger the logic

1714

server = Connection(server_context, None)

1715

server.set_accept_state()

1716

1717

client = Connection(client_context, None)

1718

client.set_connect_state()

1719

1720

interact_in_memory(server, client)

1721

1722

assert advertise_args == [(server,)]

1723

assert select_args == [(client, [b'http/1.1', b'spdy/2'])]

1724

1725

assert server.get_next_proto_negotiated() == b'spdy/2'

1726

assert client.get_next_proto_negotiated() == b'spdy/2'

1727

1728

def test_npn_client_fail(self):

1729

"""

1730

Tests that when clients and servers cannot agree on what protocol

1731

to use next that the TLS connection does not get established.

"""

advertise_args = []

select_args = []

def advertise(conn):

advertise_args.append((conn,))

1738

return [b'http/1.1', b'spdy/2']

1739

1740

def select(conn, options):

1741

select_args.append((conn, options))

1742

return b''

1743

1744

server_context = Context(TLSv1_METHOD)

1745

server_context.set_npn_advertise_callback(advertise)

1746

1747

client_context = Context(TLSv1_METHOD)

1748

client_context.set_npn_select_callback(select)

1749

1750

# Necessary to actually accept the connection

1751

server_context.use_privatekey(

1752

load_privatekey(FILETYPE_PEM, server_key_pem))

1753

server_context.use_certificate(

1754

load_certificate(FILETYPE_PEM, server_cert_pem))

1755

1756

# Do a little connection to trigger the logic

1757

server = Connection(server_context, None)

1758

server.set_accept_state()

1759

1760

client = Connection(client_context, None)

1761

client.set_connect_state()

1762

1763

# If the client doesn't return anything, the connection will fail.

1764

with pytest.raises(Error):

1765

interact_in_memory(server, client)

1766

1767

assert advertise_args == [(server,)]

1768

assert select_args == [(client, [b'http/1.1', b'spdy/2'])]

1769

1770

def test_npn_select_error(self):

1771

"""

1772

Test that we can handle exceptions in the select callback. If

1773

select fails it should be fatal to the connection.

"""

advertise_args = []

def advertise(conn):

advertise_args.append((conn,))

1779

return [b'http/1.1', b'spdy/2']

1780

1781

def select(conn, options):

1782

raise TypeError

1783

1784

server_context = Context(TLSv1_METHOD)

1785

server_context.set_npn_advertise_callback(advertise)

1786

1787

client_context = Context(TLSv1_METHOD)

1788

client_context.set_npn_select_callback(select)

1789

1790

# Necessary to actually accept the connection

1791

server_context.use_privatekey(

1792

load_privatekey(FILETYPE_PEM, server_key_pem))

1793

server_context.use_certificate(

1794

load_certificate(FILETYPE_PEM, server_cert_pem))

1795

1796

# Do a little connection to trigger the logic

1797

server = Connection(server_context, None)

1798

server.set_accept_state()

1799

1800

client = Connection(client_context, None)

1801

client.set_connect_state()

1802

1803

# If the callback throws an exception it should be raised here.

1804

with pytest.raises(TypeError):

1805

interact_in_memory(server, client)

1806

assert advertise_args == [(server,), ]

1807

1808

def test_npn_advertise_error(self):

1809

"""

1810

Test that we can handle exceptions in the advertise callback. If

1811

advertise fails no NPN is advertised to the client.

"""

select_args = []

def advertise(conn):

raise TypeError

def select(conn, options): # pragma: nocover

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

1819

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1820

Assert later that no args are actually appended.

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

1821

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1822

select_args.append((conn, options))

1823

return b''

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1824

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1825

server_context = Context(TLSv1_METHOD)

1826

server_context.set_npn_advertise_callback(advertise)

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1827

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1828

client_context = Context(TLSv1_METHOD)

1829

client_context.set_npn_select_callback(select)

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1830

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1831

# Necessary to actually accept the connection

1832

server_context.use_privatekey(

1833

load_privatekey(FILETYPE_PEM, server_key_pem))

1834

server_context.use_certificate(

1835

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1836

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1837

# Do a little connection to trigger the logic

1838

server = Connection(server_context, None)

1839

server.set_accept_state()

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1840

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1841

client = Connection(client_context, None)

1842

client.set_connect_state()

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1843

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1844

# If the client doesn't return anything, the connection will fail.

1845

with pytest.raises(TypeError):

1846

interact_in_memory(server, client)

1847

assert select_args == []

Cory Benfield

0ea76e7

2015-03-22 09:05:28 +0000

[diff] [blame]

1848

1849

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1850

class TestApplicationLayerProtoNegotiation(object):

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1851

"""

1852

Tests for ALPN in PyOpenSSL.

1853

"""

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1854

# Skip tests on versions that don't support ALPN.

1855

if _lib.Cryptography_HAS_ALPN:

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1856

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1857

def test_alpn_success(self):

1858

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1859

Clients and servers that agree on the negotiated ALPN protocol can

1860

correct establish a connection, and the agreed protocol is reported

1861

by the connections.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1862

"""

1863

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1864

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1865

def select(conn, options):

1866

select_args.append((conn, options))

1867

return b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1868

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1869

client_context = Context(TLSv1_METHOD)

1870

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1871

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1872

server_context = Context(TLSv1_METHOD)

1873

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1874

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1875

# Necessary to actually accept the connection

1876

server_context.use_privatekey(

1877

load_privatekey(FILETYPE_PEM, server_key_pem))

1878

server_context.use_certificate(

1879

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1880

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1881

# Do a little connection to trigger the logic

1882

server = Connection(server_context, None)

1883

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1884

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1885

client = Connection(client_context, None)

1886

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1887

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1888

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1889

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1890

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1891

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1892

assert server.get_alpn_proto_negotiated() == b'spdy/2'

1893

assert client.get_alpn_proto_negotiated() == b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1894

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1895

def test_alpn_set_on_connection(self):

1896

"""

1897

The same as test_alpn_success, but setting the ALPN protocols on

1898

the connection rather than the context.

1899

"""

1900

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1901

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1902

def select(conn, options):

1903

select_args.append((conn, options))

1904

return b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1905

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1906

# Setup the client context but don't set any ALPN protocols.

1907

client_context = Context(TLSv1_METHOD)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1908

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1909

server_context = Context(TLSv1_METHOD)

1910

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1911

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1912

# Necessary to actually accept the connection

1913

server_context.use_privatekey(

1914

load_privatekey(FILETYPE_PEM, server_key_pem))

1915

server_context.use_certificate(

1916

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1917

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1918

# Do a little connection to trigger the logic

1919

server = Connection(server_context, None)

1920

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1921

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1922

# Set the ALPN protocols on the client connection.

1923

client = Connection(client_context, None)

1924

client.set_alpn_protos([b'http/1.1', b'spdy/2'])

1925

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1926

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1927

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1928

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1929

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1930

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1931

assert server.get_alpn_proto_negotiated() == b'spdy/2'

1932

assert client.get_alpn_proto_negotiated() == b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1933

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1934

def test_alpn_server_fail(self):

1935

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1936

When clients and servers cannot agree on what protocol to use next

1937

the TLS connection does not get established.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1938

"""

1939

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1940

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1941

def select(conn, options):

1942

select_args.append((conn, options))

1943

return b''

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1944

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1945

client_context = Context(TLSv1_METHOD)

1946

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1947

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1948

server_context = Context(TLSv1_METHOD)

1949

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1950

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1951

# Necessary to actually accept the connection

1952

server_context.use_privatekey(

1953

load_privatekey(FILETYPE_PEM, server_key_pem))

1954

server_context.use_certificate(

1955

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1956

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1957

# Do a little connection to trigger the logic

1958

server = Connection(server_context, None)

1959

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1960

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1961

client = Connection(client_context, None)

1962

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1963

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1964

# If the client doesn't return anything, the connection will fail.

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1965

with pytest.raises(Error):

1966

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1967

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1968

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1969

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1970

def test_alpn_no_server(self):

1971

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1972

When clients and servers cannot agree on what protocol to use next

1973

because the server doesn't offer ALPN, no protocol is negotiated.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1974

"""

1975

client_context = Context(TLSv1_METHOD)

1976

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1977

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1978

server_context = Context(TLSv1_METHOD)

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1979

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1980

# Necessary to actually accept the connection

1981

server_context.use_privatekey(

1982

load_privatekey(FILETYPE_PEM, server_key_pem))

1983

server_context.use_certificate(

1984

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1985

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1986

# Do a little connection to trigger the logic

1987

server = Connection(server_context, None)

1988

server.set_accept_state()

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1989

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1990

client = Connection(client_context, None)

1991

client.set_connect_state()

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1992

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1993

# Do the dance.

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1994

interact_in_memory(server, client)

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1995

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1996

assert client.get_alpn_proto_negotiated() == b''

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1997

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1998

def test_alpn_callback_exception(self):

1999

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

2000

We can handle exceptions in the ALPN select callback.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2001

"""

2002

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2003

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2004

def select(conn, options):

2005

select_args.append((conn, options))

Cory Benfield

ef40145

2015-04-13 18:17:36 -0400

[diff] [blame]

2006

raise TypeError()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2007

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2008

client_context = Context(TLSv1_METHOD)

2009

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2010

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2011

server_context = Context(TLSv1_METHOD)

2012

server_context.set_alpn_select_callback(select)

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2013

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2014

# Necessary to actually accept the connection

2015

server_context.use_privatekey(

2016

load_privatekey(FILETYPE_PEM, server_key_pem))

2017

server_context.use_certificate(

2018

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2019

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2020

# Do a little connection to trigger the logic

2021

server = Connection(server_context, None)

2022

server.set_accept_state()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2023

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2024

client = Connection(client_context, None)

2025

client.set_connect_state()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2026

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2027

with pytest.raises(TypeError):

2028

interact_in_memory(server, client)

2029

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2030

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2031

else:

2032

# No ALPN.

2033

def test_alpn_not_implemented(self):

Cory Benfield

ef40145

2015-04-13 18:17:36 -0400

[diff] [blame]

2034

"""

2035

If ALPN is not in OpenSSL, we should raise NotImplementedError.

2036

"""

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2037

# Test the context methods first.

2038

context = Context(TLSv1_METHOD)

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2039

with pytest.raises(NotImplementedError):

2040

context.set_alpn_protos(None)

2041

with pytest.raises(NotImplementedError):

2042

context.set_alpn_select_callback(None)

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2043

2044

# Now test a connection.

2045

conn = Connection(context)

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2046

with pytest.raises(NotImplementedError):

2047

conn.set_alpn_protos(None)

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2048

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2049

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2050

class TestSession(object):

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

2051

"""

2052

Unit tests for :py:obj:`OpenSSL.SSL.Session`.

2053

"""

2054

def test_construction(self):

2055

"""

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2056

:py:class:`Session` can be constructed with no arguments, creating

2057

a new instance of that type.

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

2058

"""

2059

new_session = Session()

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2060

assert isinstance(new_session, Session)

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

2061

2062

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2063

class TestConnection(object):

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2064

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2065

Unit tests for `OpenSSL.SSL.Connection`.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2066

"""

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

2067

# XXX get_peer_certificate -> None

2068

# XXX sock_shutdown

2069

# XXX master_key -> TypeError

2070

# XXX server_random -> TypeError

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

2071

# XXX connect -> TypeError

2072

# XXX connect_ex -> TypeError

2073

# XXX set_connect_state -> TypeError

2074

# XXX set_accept_state -> TypeError

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

2075

# XXX do_handshake -> TypeError

2076

# XXX bio_read -> TypeError

2077

# XXX recv -> TypeError

2078

# XXX send -> TypeError

2079

# XXX bio_write -> TypeError

2080

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2081

def test_type(self):

2082

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2083

`Connection` and `ConnectionType` refer to the same type object and

2084

can be used to create instances of that type.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2085

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2086

assert Connection is ConnectionType

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2087

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2088

assert is_consistent_type(Connection, 'Connection', ctx, None)

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2089

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2090

@pytest.mark.parametrize('bad_context', [object(), 'context', None, 1])

2091

def test_wrong_args(self, bad_context):

2092

"""

2093

`Connection.__init__` raises `TypeError` if called with a non-`Context`

2094

instance argument.

2095

"""

2096

with pytest.raises(TypeError):

2097

Connection(bad_context)

2098

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

2099

def test_get_context(self):

2100

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2101

`Connection.get_context` returns the `Context` instance used to

2102

construct the `Connection` instance.

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

2103

"""

2104

context = Context(TLSv1_METHOD)

2105

connection = Connection(context, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2106

assert connection.get_context() is context

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

2107

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2108

def test_set_context_wrong_args(self):

2109

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2110

`Connection.set_context` raises `TypeError` if called with a

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2111

non-`Context` instance argument.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2112

"""

2113

ctx = Context(TLSv1_METHOD)

2114

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2115

with pytest.raises(TypeError):

2116

connection.set_context(object())

2117

with pytest.raises(TypeError):

2118

connection.set_context("hello")

2119

with pytest.raises(TypeError):

2120

connection.set_context(1)

2121

assert ctx is connection.get_context()

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2122

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2123

def test_set_context(self):

2124

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2125

`Connection.set_context` specifies a new `Context` instance to be

2126

used for the connection.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2127

"""

2128

original = Context(SSLv23_METHOD)

2129

replacement = Context(TLSv1_METHOD)

2130

connection = Connection(original, None)

2131

connection.set_context(replacement)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2132

assert replacement is connection.get_context()

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2133

# Lose our references to the contexts, just in case the Connection

2134

# isn't properly managing its own contributions to their reference

2135

# counts.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2136

del original, replacement

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2137

collect()

2138

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2139

def test_set_tlsext_host_name_wrong_args(self):

2140

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2141

If `Connection.set_tlsext_host_name` is called with a non-byte string

2142

argument or a byte string with an embedded NUL, `TypeError` is raised.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2143

"""

2144

conn = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2145

with pytest.raises(TypeError):

2146

conn.set_tlsext_host_name(object())

2147

with pytest.raises(TypeError):

2148

conn.set_tlsext_host_name(b"with\0null")

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2149

Abraham Martin

c5484ba

2015-03-25 15:33:05 +0000

[diff] [blame]

2150

if PY3:

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2151

# On Python 3.x, don't accidentally implicitly convert from text.

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2152

with pytest.raises(TypeError):

2153

conn.set_tlsext_host_name(b"example.com".decode("ascii"))

Jean-Paul Calderone

871a4d8

2011-05-26 19:24:02 -0400

[diff] [blame]

2154

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2155

def test_pending(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2156

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2157

`Connection.pending` returns the number of bytes available for

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2158

immediate read.

2159

"""

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2160

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2161

assert connection.pending() == 0

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2162

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2163

def test_peek(self):

2164

"""

Hynek Schlawack

3bcf315

2017-02-18 08:25:34 +0100

[diff] [blame]

2165

`Connection.recv` peeks into the connection if `socket.MSG_PEEK` is

2166

passed.

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2167

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2168

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2169

server.send(b'xy')

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2170

assert client.recv(2, MSG_PEEK) == b'xy'

2171

assert client.recv(2, MSG_PEEK) == b'xy'

2172

assert client.recv(2) == b'xy'

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2173

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2174

def test_connect_wrong_args(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2175

"""

Hynek Schlawack

3bcf315

2017-02-18 08:25:34 +0100

[diff] [blame]

2176

`Connection.connect` raises `TypeError` if called with a non-address

2177

argument.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2178

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2179

connection = Connection(Context(TLSv1_METHOD), socket())

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2180

with pytest.raises(TypeError):

2181

connection.connect(None)

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2182

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2183

def test_connect_refused(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2184

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2185

`Connection.connect` raises `socket.error` if the underlying socket

2186

connect method raises it.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2187

"""

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2188

client = socket()

2189

context = Context(TLSv1_METHOD)

2190

clientSSL = Connection(context, client)

Alex Gaynor

122717b

2015-09-05 14:14:18 -0400

[diff] [blame]

2191

# pytest.raises here doesn't work because of a bug in py.test on Python

2192

# 2.6: https://github.com/pytest-dev/pytest/issues/988

Alex Gaynor

e69c278

2015-09-05 14:07:48 -0400

[diff] [blame]

2193

try:

Alex Gaynor

1aabb2e

2015-09-05 13:35:18 -0400

[diff] [blame]

2194

clientSSL.connect(("127.0.0.1", 1))

Alex Gaynor

e69c278

2015-09-05 14:07:48 -0400

[diff] [blame]

2195

except error as e:

Alex Gaynor

20a4c08

2015-09-05 14:24:15 -0400

[diff] [blame]

2196

exc = e

2197

assert exc.args[0] == ECONNREFUSED

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2198

2199

def test_connect(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2200

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2201

`Connection.connect` establishes a connection to the specified address.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2202

"""

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

port = socket()

port.bind(('', 0))

port.listen(3)

clientSSL = Connection(Context(TLSv1_METHOD), socket())

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2208

clientSSL.connect(('127.0.0.1', port.getsockname()[1]))

2209

# XXX An assertion? Or something?

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2210

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2211

@pytest.mark.skipif(

2212

platform == "darwin",

2213

reason="connect_ex sometimes causes a kernel panic on OS X 10.6.4"

2214

)

2215

def test_connect_ex(self):

2216

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2217

If there is a connection error, `Connection.connect_ex` returns the

2218

errno instead of raising an exception.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

"""

port = socket()

port.bind(('', 0))

port.listen(3)

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2223

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2224

clientSSL = Connection(Context(TLSv1_METHOD), socket())

2225

clientSSL.setblocking(False)

2226

result = clientSSL.connect_ex(port.getsockname())

2227

expected = (EINPROGRESS, EWOULDBLOCK)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2228

assert result in expected

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2229

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2230

def test_accept(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2231

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2232

`Connection.accept` accepts a pending connection attempt and returns a

2233

tuple of a new `Connection` (the accepted client) and the address the

2234

connection originated from.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2235

"""

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2236

ctx = Context(TLSv1_METHOD)

2237

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

2238

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2239

port = socket()

2240

portSSL = Connection(ctx, port)

2241

portSSL.bind(('', 0))

2242

portSSL.listen(3)

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2243

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2244

clientSSL = Connection(Context(TLSv1_METHOD), socket())

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2245

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2246

# Calling portSSL.getsockname() here to get the server IP address

2247

# sounds great, but frequently fails on Windows.

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2248

clientSSL.connect(('127.0.0.1', portSSL.getsockname()[1]))

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2249

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2250

serverSSL, address = portSSL.accept()

2251

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2252

assert isinstance(serverSSL, Connection)

2253

assert serverSSL.get_context() is ctx

2254

assert address == clientSSL.getsockname()

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2255

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2256

def test_shutdown_wrong_args(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2257

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2258

`Connection.set_shutdown` raises `TypeError` if called with arguments

2259

other than integers.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2260

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2261

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2262

with pytest.raises(TypeError):

2263

connection.set_shutdown(None)

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2264

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

2265

def test_shutdown(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2266

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2267

`Connection.shutdown` performs an SSL-level connection shutdown.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2268

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2269

server, client = loopback()

2270

assert not server.shutdown()

2271

assert server.get_shutdown() == SENT_SHUTDOWN

2272

with pytest.raises(ZeroReturnError):

2273

client.recv(1024)

2274

assert client.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

e4f6b47

2010-07-29 22:50:58 -0400

[diff] [blame]

2275

client.shutdown()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2276

assert client.get_shutdown() == (SENT_SHUTDOWN | RECEIVED_SHUTDOWN)

2277

with pytest.raises(ZeroReturnError):

2278

server.recv(1024)

2279

assert server.get_shutdown() == (SENT_SHUTDOWN | RECEIVED_SHUTDOWN)

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

2280

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2281

def test_shutdown_closed(self):

2282

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2283

If the underlying socket is closed, `Connection.shutdown` propagates

2284

the write error from the low level write call.

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2285

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2286

server, client = loopback()

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2287

server.sock_shutdown(2)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2288

with pytest.raises(SysCallError) as exc:

2289

server.shutdown()

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2290

if platform == "win32":

2291

assert exc.value.args[0] == ESHUTDOWN

2292

else:

2293

assert exc.value.args[0] == EPIPE

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2294

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2295

def test_shutdown_truncated(self):

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2296

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2297

If the underlying connection is truncated, `Connection.shutdown`

2298

raises an `Error`.

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2299

"""

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2300

server_ctx = Context(TLSv1_METHOD)

2301

client_ctx = Context(TLSv1_METHOD)

2302

server_ctx.use_privatekey(

2303

load_privatekey(FILETYPE_PEM, server_key_pem))

2304

server_ctx.use_certificate(

2305

load_certificate(FILETYPE_PEM, server_cert_pem))

2306

server = Connection(server_ctx, None)

2307

client = Connection(client_ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2308

handshake_in_memory(client, server)

2309

assert not server.shutdown()

2310

with pytest.raises(WantReadError):

2311

server.shutdown()

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2312

server.bio_shutdown()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2313

with pytest.raises(Error):

2314

server.shutdown()

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2315

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2316

def test_set_shutdown(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2317

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2318

`Connection.set_shutdown` sets the state of the SSL connection

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2319

shutdown process.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2320

"""

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2321

connection = Connection(Context(TLSv1_METHOD), socket())

2322

connection.set_shutdown(RECEIVED_SHUTDOWN)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2323

assert connection.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2324

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2325

@skip_if_py3

2326

def test_set_shutdown_long(self):

2327

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2328

On Python 2 `Connection.set_shutdown` accepts an argument

2329

of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2330

"""

2331

connection = Connection(Context(TLSv1_METHOD), socket())

2332

connection.set_shutdown(long(RECEIVED_SHUTDOWN))

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2333

assert connection.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

2334

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2335

def test_state_string(self):

2336

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2337

`Connection.state_string` verbosely describes the current state of

2338

the `Connection`.

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2339

"""

Hynek Schlawack

b0274ce

2015-10-16 19:56:26 +0200

[diff] [blame]

2340

server, client = socket_pair()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2341

server = loopback_server_factory(server)

2342

client = loopback_client_factory(client)

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2343

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2344

assert server.get_state_string() in [

2345

b"before/accept initialization", b"before SSL initialization"

2346

]

2347

assert client.get_state_string() in [

2348

b"before/connect initialization", b"before SSL initialization"

2349

]

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2350

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2351

def test_app_data(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2352

"""

2353

Any object can be set as app data by passing it to

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2354

`Connection.set_app_data` and later retrieved with

2355

`Connection.get_app_data`.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2356

"""

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2357

conn = Connection(Context(TLSv1_METHOD), None)

Todd Chapman

4f73e4f

2015-08-27 11:26:43 -0400

[diff] [blame]

2358

assert None is conn.get_app_data()

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2359

app_data = object()

2360

conn.set_app_data(app_data)

Todd Chapman

4f73e4f

2015-08-27 11:26:43 -0400

[diff] [blame]

2361

assert conn.get_app_data() is app_data

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2362

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2363

def test_makefile(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2364

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2365

`Connection.makefile` is not implemented and calling that

2366

method raises `NotImplementedError`.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2367

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2368

conn = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2369

with pytest.raises(NotImplementedError):

2370

conn.makefile()

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2371

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2372

def test_get_peer_cert_chain(self):

2373

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2374

`Connection.get_peer_cert_chain` returns a list of certificates

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2375

which the connected server returned for the certification verification.

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2376

"""

2377

chain = _create_certificate_chain()

2378

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

2379

2380

serverContext = Context(TLSv1_METHOD)

2381

serverContext.use_privatekey(skey)

2382

serverContext.use_certificate(scert)

2383

serverContext.add_extra_chain_cert(icert)

2384

serverContext.add_extra_chain_cert(cacert)

2385

server = Connection(serverContext, None)

2386

server.set_accept_state()

2387

2388

# Create the client

2389

clientContext = Context(TLSv1_METHOD)

2390

clientContext.set_verify(VERIFY_NONE, verify_cb)

2391

client = Connection(clientContext, None)

2392

client.set_connect_state()

2393

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2394

interact_in_memory(client, server)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2395

2396

chain = client.get_peer_cert_chain()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2397

assert len(chain) == 3

2398

assert "Server Certificate" == chain[0].get_subject().CN

2399

assert "Intermediate Certificate" == chain[1].get_subject().CN

2400

assert "Authority Certificate" == chain[2].get_subject().CN

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2401

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2402

def test_get_peer_cert_chain_none(self):

2403

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2404

`Connection.get_peer_cert_chain` returns `None` if the peer sends

2405

no certificate chain.

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2406

"""

2407

ctx = Context(TLSv1_METHOD)

2408

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

2409

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

2410

server = Connection(ctx, None)

2411

server.set_accept_state()

2412

client = Connection(Context(TLSv1_METHOD), None)

2413

client.set_connect_state()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2414

interact_in_memory(client, server)

2415

assert None is server.get_peer_cert_chain()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2416

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2417

def test_get_session_unconnected(self):

2418

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2419

`Connection.get_session` returns `None` when used with an object

2420

which has not been connected.

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2421

"""

2422

ctx = Context(TLSv1_METHOD)

2423

server = Connection(ctx, None)

2424

session = server.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2425

assert None is session

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2426

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2427

def test_server_get_session(self):

2428

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2429

On the server side of a connection, `Connection.get_session` returns a

2430

`Session` instance representing the SSL session for that connection.

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2431

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2432

server, client = loopback()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2433

session = server.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2434

assert isinstance(session, Session)

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2435

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2436

def test_client_get_session(self):

2437

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2438

On the client side of a connection, `Connection.get_session`

2439

returns a `Session` instance representing the SSL session for

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2440

that connection.

2441

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2442

server, client = loopback()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2443

session = client.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2444

assert isinstance(session, Session)

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2445

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2446

def test_set_session_wrong_args(self):

2447

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2448

`Connection.set_session` raises `TypeError` if called with an object

2449

that is not an instance of `Session`.

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2450

"""

2451

ctx = Context(TLSv1_METHOD)

2452

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2453

with pytest.raises(TypeError):

2454

connection.set_session(123)

2455

with pytest.raises(TypeError):

2456

connection.set_session("hello")

2457

with pytest.raises(TypeError):

2458

connection.set_session(object())

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2459

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2460

def test_client_set_session(self):

2461

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2462

`Connection.set_session`, when used prior to a connection being

2463

established, accepts a `Session` instance and causes an attempt to

2464

re-use the session it represents when the SSL handshake is performed.

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2465

"""

2466

key = load_privatekey(FILETYPE_PEM, server_key_pem)

2467

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

2468

ctx = Context(TLSv1_METHOD)

2469

ctx.use_privatekey(key)

2470

ctx.use_certificate(cert)

2471

ctx.set_session_id("unity-test")

2472

2473

def makeServer(socket):

2474

server = Connection(ctx, socket)

2475

server.set_accept_state()

2476

return server

2477

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2478

originalServer, originalClient = loopback(

2479

server_factory=makeServer)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2480

originalSession = originalClient.get_session()

2481

2482

def makeClient(socket):

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2483

client = loopback_client_factory(socket)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2484

client.set_session(originalSession)

2485

return client

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2486

resumedServer, resumedClient = loopback(

2487

server_factory=makeServer,

2488

client_factory=makeClient)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2489

2490

# This is a proxy: in general, we have no access to any unique

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2491

# identifier for the session (new enough versions of OpenSSL expose

2492

# a hash which could be usable, but "new enough" is very, very new).

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2493

# Instead, exploit the fact that the master key is re-used if the

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2494

# session is re-used. As long as the master key for the two

2495

# connections is the same, the session was re-used!

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2496

assert originalServer.master_key() == resumedServer.master_key()

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2497

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2498

def test_set_session_wrong_method(self):

2499

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2500

If `Connection.set_session` is passed a `Session` instance associated

2501

with a context using a different SSL method than the `Connection`

2502

is using, a `OpenSSL.SSL.Error` is raised.

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2503

"""

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2504

# Make this work on both OpenSSL 1.0.0, which doesn't support TLSv1.2

2505

# and also on OpenSSL 1.1.0 which doesn't support SSLv3. (SSL_ST_INIT

2506

# is a way to check for 1.1.0)

Alex Gaynor

aa32e71

2017-06-29 20:56:12 -0700

[diff] [blame]

2507

if SSL_ST_INIT is None:

2508

v1 = TLSv1_2_METHOD

2509

v2 = TLSv1_METHOD

2510

elif hasattr(_lib, "SSLv3_method"):

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2511

v1 = TLSv1_METHOD

2512

v2 = SSLv3_METHOD

2513

else:

Alex Gaynor

aa32e71

2017-06-29 20:56:12 -0700

[diff] [blame]

2514

pytest.skip("Test requires either OpenSSL 1.1.0 or SSLv3")

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2515

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2516

key = load_privatekey(FILETYPE_PEM, server_key_pem)

2517

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2518

ctx = Context(v1)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2519

ctx.use_privatekey(key)

2520

ctx.use_certificate(cert)

2521

ctx.set_session_id("unity-test")

2522

2523

def makeServer(socket):

2524

server = Connection(ctx, socket)

2525

server.set_accept_state()

2526

return server

2527

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2528

def makeOriginalClient(socket):

2529

client = Connection(Context(v1), socket)

2530

client.set_connect_state()

2531

return client

2532

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2533

originalServer, originalClient = loopback(

2534

server_factory=makeServer, client_factory=makeOriginalClient)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2535

originalSession = originalClient.get_session()

2536

2537

def makeClient(socket):

2538

# Intentionally use a different, incompatible method here.

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2539

client = Connection(Context(v2), socket)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2540

client.set_connect_state()

2541

client.set_session(originalSession)

2542

return client

2543

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2544

with pytest.raises(Error):

2545

loopback(client_factory=makeClient, server_factory=makeServer)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2546

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2547

def test_wantWriteError(self):

2548

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2549

`Connection` methods which generate output raise

2550

`OpenSSL.SSL.WantWriteError` if writing to the connection's BIO

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2551

fail indicating a should-write state.

2552

"""

2553

client_socket, server_socket = socket_pair()

2554

# Fill up the client's send buffer so Connection won't be able to write

Jean-Paul Calderone

bbff8b9

2014-03-22 14:20:30 -0400

[diff] [blame]

2555

# anything. Only write a single byte at a time so we can be sure we

2556

# completely fill the buffer. Even though the socket API is allowed to

2557

# signal a short write via its return value it seems this doesn't

2558

# always happen on all platforms (FreeBSD and OS X particular) for the

2559

# very last bit of available buffer space.

2560

msg = b"x"

2561

for i in range(1024 * 1024 * 4):

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2562

try:

2563

client_socket.send(msg)

2564

except error as e:

2565

if e.errno == EWOULDBLOCK:

2566

break

2567

raise

2568

else:

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2569

pytest.fail(

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2570

"Failed to fill socket buffer, cannot test BIO want write")

2571

2572

ctx = Context(TLSv1_METHOD)

2573

conn = Connection(ctx, client_socket)

2574

# Client's speak first, so make it an SSL client

2575

conn.set_connect_state()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2576

with pytest.raises(WantWriteError):

2577

conn.do_handshake()

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

# XXX want_read

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2581

def test_get_finished_before_connect(self):

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2582

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2583

`Connection.get_finished` returns `None` before TLS handshake

2584

is completed.

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2585

"""

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2586

ctx = Context(TLSv1_METHOD)

2587

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2588

assert connection.get_finished() is None

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2589

2590

def test_get_peer_finished_before_connect(self):

2591

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2592

`Connection.get_peer_finished` returns `None` before TLS handshake

2593

is completed.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2594

"""

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2595

ctx = Context(TLSv1_METHOD)

2596

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2597

assert connection.get_peer_finished() is None

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2598

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2599

def test_get_finished(self):

2600

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2601

`Connection.get_finished` method returns the TLS Finished message send

2602

from client, or server. Finished messages are send during

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2603

TLS handshake.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2604

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2605

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2606

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2607

assert server.get_finished() is not None

2608

assert len(server.get_finished()) > 0

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2609

2610

def test_get_peer_finished(self):

2611

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2612

`Connection.get_peer_finished` method returns the TLS Finished

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2613

message received from client, or server. Finished messages are send

2614

during TLS handshake.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2615

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2616

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2617

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2618

assert server.get_peer_finished() is not None

2619

assert len(server.get_peer_finished()) > 0

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2620

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2621

def test_tls_finished_message_symmetry(self):

2622

"""

Hynek Schlawack

dddd111

2015-09-05 21:12:30 +0200

[diff] [blame]

2623

The TLS Finished message send by server must be the TLS Finished

2624

message received by client.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2625

Hynek Schlawack

dddd111

2015-09-05 21:12:30 +0200

[diff] [blame]

2626

The TLS Finished message send by client must be the TLS Finished

2627

message received by server.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2628

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2629

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2630

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2631

assert server.get_finished() == client.get_peer_finished()

2632

assert client.get_finished() == server.get_peer_finished()

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

2633

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2634

def test_get_cipher_name_before_connect(self):

2635

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2636

`Connection.get_cipher_name` returns `None` if no connection

2637

has been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2638

"""

2639

ctx = Context(TLSv1_METHOD)

2640

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2641

assert conn.get_cipher_name() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2642

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2643

def test_get_cipher_name(self):

2644

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2645

`Connection.get_cipher_name` returns a `unicode` string giving the

2646

name of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2647

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2648

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2649

server_cipher_name, client_cipher_name = \

2650

server.get_cipher_name(), client.get_cipher_name()

2651

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2652

assert isinstance(server_cipher_name, text_type)

2653

assert isinstance(client_cipher_name, text_type)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2654

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2655

assert server_cipher_name == client_cipher_name

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2656

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2657

def test_get_cipher_version_before_connect(self):

2658

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2659

`Connection.get_cipher_version` returns `None` if no connection

2660

has been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2661

"""

2662

ctx = Context(TLSv1_METHOD)

2663

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2664

assert conn.get_cipher_version() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2665

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2666

def test_get_cipher_version(self):

2667

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2668

`Connection.get_cipher_version` returns a `unicode` string giving

2669

the protocol name of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2670

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2671

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2672

server_cipher_version, client_cipher_version = \

2673

server.get_cipher_version(), client.get_cipher_version()

2674

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2675

assert isinstance(server_cipher_version, text_type)

2676

assert isinstance(client_cipher_version, text_type)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2677

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2678

assert server_cipher_version == client_cipher_version

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2679

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2680

def test_get_cipher_bits_before_connect(self):

2681

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2682

`Connection.get_cipher_bits` returns `None` if no connection has

2683

been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2684

"""

2685

ctx = Context(TLSv1_METHOD)

2686

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2687

assert conn.get_cipher_bits() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2688

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2689

def test_get_cipher_bits(self):

2690

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2691

`Connection.get_cipher_bits` returns the number of secret bits

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2692

of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2693

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2694

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2695

server_cipher_bits, client_cipher_bits = \

2696

server.get_cipher_bits(), client.get_cipher_bits()

2697

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2698

assert isinstance(server_cipher_bits, int)

2699

assert isinstance(client_cipher_bits, int)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2700

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2701

assert server_cipher_bits == client_cipher_bits

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

2702

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2703

def test_get_protocol_version_name(self):

2704

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2705

`Connection.get_protocol_version_name()` returns a string giving the

2706

protocol version of the current connection.

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2707

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2708

server, client = loopback()

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2709

client_protocol_version_name = client.get_protocol_version_name()

2710

server_protocol_version_name = server.get_protocol_version_name()

2711

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2712

assert isinstance(server_protocol_version_name, text_type)

2713

assert isinstance(client_protocol_version_name, text_type)

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2714

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2715

assert server_protocol_version_name == client_protocol_version_name

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2716

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2717

def test_get_protocol_version(self):

2718

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2719

`Connection.get_protocol_version()` returns an integer

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2720

giving the protocol version of the current connection.

2721

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2722

server, client = loopback()

Jim Shaver

85a4dff

2015-04-27 17:42:46 -0400

[diff] [blame]

2723

client_protocol_version = client.get_protocol_version()

2724

server_protocol_version = server.get_protocol_version()

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2725

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2726

assert isinstance(server_protocol_version, int)

2727

assert isinstance(client_protocol_version, int)

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2728

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2729

assert server_protocol_version == client_protocol_version

2730

2731

def test_wantReadError(self):

2732

"""

2733

`Connection.bio_read` raises `OpenSSL.SSL.WantReadError` if there are

2734

no bytes available to be read from the BIO.

2735

"""

2736

ctx = Context(TLSv1_METHOD)

2737

conn = Connection(ctx, None)

2738

with pytest.raises(WantReadError):

2739

conn.bio_read(1024)

2740

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2741

@pytest.mark.parametrize('bufsize', [1.0, None, object(), 'bufsize'])

2742

def test_bio_read_wrong_args(self, bufsize):

2743

"""

2744

`Connection.bio_read` raises `TypeError` if passed a non-integer

2745

argument.

2746

"""

2747

ctx = Context(TLSv1_METHOD)

2748

conn = Connection(ctx, None)

2749

with pytest.raises(TypeError):

2750

conn.bio_read(bufsize)

2751

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2752

def test_buffer_size(self):

2753

"""

2754

`Connection.bio_read` accepts an integer giving the maximum number

2755

of bytes to read and return.

2756

"""

2757

ctx = Context(TLSv1_METHOD)

2758

conn = Connection(ctx, None)

2759

conn.set_connect_state()

2760

try:

2761

conn.do_handshake()

2762

except WantReadError:

2763

pass

2764

data = conn.bio_read(2)

2765

assert 2 == len(data)

2766

2767

@skip_if_py3

2768

def test_buffer_size_long(self):

2769

"""

2770

On Python 2 `Connection.bio_read` accepts values of type `long` as

2771

well as `int`.

2772

"""

2773

ctx = Context(TLSv1_METHOD)

2774

conn = Connection(ctx, None)

2775

conn.set_connect_state()

2776

try:

2777

conn.do_handshake()

2778

except WantReadError:

2779

pass

2780

data = conn.bio_read(long(2))

2781

assert 2 == len(data)

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2782

Jean-Paul Calderone

dbd7627

2014-03-29 18:09:40 -0400

[diff] [blame]

2783

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2784

class TestConnectionGetCipherList(object):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2785

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2786

Tests for `Connection.get_cipher_list`.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2787

"""

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2788

def test_result(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2789

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2790

`Connection.get_cipher_list` returns a list of `bytes` giving the

2791

names of the ciphers which might be used.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2792

"""

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2793

connection = Connection(Context(TLSv1_METHOD), None)

2794

ciphers = connection.get_cipher_list()

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2795

assert isinstance(ciphers, list)

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2796

for cipher in ciphers:

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2797

assert isinstance(cipher, str)

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2798

2799

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

2800

class VeryLarge(bytes):

2801

"""

2802

Mock object so that we don't have to allocate 2**31 bytes

"""

def __len__(self):

return 2**31

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2808

class TestConnectionSend(object):

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2809

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2810

Tests for `Connection.send`.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2811

"""

2812

def test_wrong_args(self):

2813

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

2814

When called with arguments other than string argument for its first

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2815

parameter, `Connection.send` raises `TypeError`.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2816

"""

2817

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2818

with pytest.raises(TypeError):

2819

connection.send(object())

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2820

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2821

def test_short_bytes(self):

2822

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2823

When passed a short byte string, `Connection.send` transmits all of it

2824

and returns the number of bytes sent.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2825

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2826

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2827

count = server.send(b'xy')

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2828

assert count == 2

2829

assert client.recv(2) == b'xy'

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2830

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2831

def test_text(self):

2832

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2833

When passed a text, `Connection.send` transmits all of it and

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

2834

returns the number of bytes sent. It also raises a DeprecationWarning.

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2835

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2836

server, client = loopback()

2837

with pytest.warns(DeprecationWarning) as w:

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2838

simplefilter("always")

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

2839

count = server.send(b"xy".decode("ascii"))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2840

assert (

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

2841

"{0} for buf is no longer accepted, use bytes".format(

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

2842

WARNING_TYPE_EXPECTED

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2843

) == str(w[-1].message))

2844

assert count == 2

2845

assert client.recv(2) == b'xy'

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2846

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2847

@skip_if_py26

2848

def test_short_memoryview(self):

2849

"""

2850

When passed a memoryview onto a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2851

`Connection.send` transmits all of them and returns the number

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2852

of bytes sent.

2853

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2854

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2855

count = server.send(memoryview(b'xy'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2856

assert count == 2

2857

assert client.recv(2) == b'xy'

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2858

Hynek Schlawack

8e94f1b

2015-09-05 21:31:00 +0200

[diff] [blame]

2859

@skip_if_py3

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2860

def test_short_buffer(self):

2861

"""

2862

When passed a buffer containing a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2863

`Connection.send` transmits all of them and returns the number

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2864

of bytes sent.

2865

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2866

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2867

count = server.send(buffer(b'xy'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2868

assert count == 2

2869

assert client.recv(2) == b'xy'

Markus Unterwaditzer

8e41d02

2014-04-19 12:27:11 +0200

[diff] [blame]

2870

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

2871

@pytest.mark.skipif(

2872

sys.maxsize < 2**31,

2873

reason="sys.maxsize < 2**31 - test requires 64 bit"

2874

)

2875

def test_buf_too_large(self):

2876

"""

2877

When passed a buffer containing >= 2**31 bytes,

2878

`Connection.send` bails out as SSL_write only

2879

accepts an int for the buffer length.

2880

"""

2881

connection = Connection(Context(TLSv1_METHOD), None)

2882

with pytest.raises(ValueError) as exc_info:

2883

connection.send(VeryLarge())

2884

exc_info.match(r"Cannot send more than .+ bytes at once")

2885

Jean-Paul Calderone

691e6c9

2011-01-21 22:04:35 -0500

[diff] [blame]

2886

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2887

def _make_memoryview(size):

2888

"""

2889

Create a new ``memoryview`` wrapped around a ``bytearray`` of the given

2890

size.

2891

"""

2892

return memoryview(bytearray(size))

2893

2894

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2895

class TestConnectionRecvInto(object):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2896

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2897

Tests for `Connection.recv_into`.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2898

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2899

def _no_length_test(self, factory):

Jean-Paul Calderone

61559d8

2015-03-15 17:04:50 -0400

[diff] [blame]

2900

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2901

Assert that when the given buffer is passed to `Connection.recv_into`,

2902

whatever bytes are available to be received that fit into that buffer

2903

are written into that buffer.

Jean-Paul Calderone

61559d8

2015-03-15 17:04:50 -0400

[diff] [blame]

2904

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2905

output_buffer = factory(5)

2906

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2907

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2908

server.send(b'xy')

Jean-Paul Calderone

332a85e

2015-03-15 17:02:40 -0400

[diff] [blame]

2909

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2910

assert client.recv_into(output_buffer) == 2

2911

assert output_buffer == bytearray(b'xy\x00\x00\x00')

Jean-Paul Calderone

332a85e

2015-03-15 17:02:40 -0400

[diff] [blame]

2912

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2913

def test_bytearray_no_length(self):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2914

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2915

`Connection.recv_into` can be passed a `bytearray` instance and data

2916

in the receive buffer is written to it.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2917

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2918

self._no_length_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2919

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2920

def _respects_length_test(self, factory):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2921

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2922

Assert that when the given buffer is passed to `Connection.recv_into`

2923

along with a value for `nbytes` that is less than the size of that

2924

buffer, only `nbytes` bytes are written into the buffer.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2925

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2926

output_buffer = factory(10)

2927

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2928

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2929

server.send(b'abcdefghij')

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2930

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2931

assert client.recv_into(output_buffer, 5) == 5

2932

assert output_buffer == bytearray(b'abcde\x00\x00\x00\x00\x00')

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

2933

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2934

def test_bytearray_respects_length(self):

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

2935

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2936

When called with a `bytearray` instance, `Connection.recv_into`

2937

respects the `nbytes` parameter and doesn't copy in more than that

2938

number of bytes.

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

2939

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2940

self._respects_length_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2941

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2942

def _doesnt_overfill_test(self, factory):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2943

"""

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2944

Assert that if there are more bytes available to be read from the

2945

receive buffer than would fit into the buffer passed to

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2946

`Connection.recv_into`, only as many as fit are written into it.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2947

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2948

output_buffer = factory(5)

2949

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2950

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2951

server.send(b'abcdefghij')

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2952

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2953

assert client.recv_into(output_buffer) == 5

2954

assert output_buffer == bytearray(b'abcde')

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2955

rest = client.recv(5)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2956

assert b'fghij' == rest

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2957

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2958

def test_bytearray_doesnt_overfill(self):

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2959

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2960

When called with a `bytearray` instance, `Connection.recv_into`

2961

respects the size of the array and doesn't write more bytes into it

2962

than will fit.

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2963

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2964

self._doesnt_overfill_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2965

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2966

def test_bytearray_really_doesnt_overfill(self):

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

2967

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2968

When called with a `bytearray` instance and an `nbytes` value that is

2969

too large, `Connection.recv_into` respects the size of the array and

2970

not the `nbytes` value and doesn't write more bytes into the buffer

2971

than will fit.

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

2972

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2973

self._doesnt_overfill_test(bytearray)

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

2974

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2975

def test_peek(self):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2976

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2977

server.send(b'xy')

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2978

2979

for _ in range(2):

2980

output_buffer = bytearray(5)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2981

assert client.recv_into(output_buffer, flags=MSG_PEEK) == 2

2982

assert output_buffer == bytearray(b'xy\x00\x00\x00')

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2983

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2984

@skip_if_py26

2985

def test_memoryview_no_length(self):

2986

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2987

`Connection.recv_into` can be passed a `memoryview` instance and data

2988

in the receive buffer is written to it.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2989

"""

2990

self._no_length_test(_make_memoryview)

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2991

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2992

@skip_if_py26

2993

def test_memoryview_respects_length(self):

2994

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2995

When called with a `memoryview` instance, `Connection.recv_into`

2996

respects the ``nbytes`` parameter and doesn't copy more than that

2997

number of bytes in.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2998

"""

2999

self._respects_length_test(_make_memoryview)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3000

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3001

@skip_if_py26

3002

def test_memoryview_doesnt_overfill(self):

3003

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3004

When called with a `memoryview` instance, `Connection.recv_into`

3005

respects the size of the array and doesn't write more bytes into it

3006

than will fit.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3007

"""

3008

self._doesnt_overfill_test(_make_memoryview)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3009

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3010

@skip_if_py26

3011

def test_memoryview_really_doesnt_overfill(self):

3012

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3013

When called with a `memoryview` instance and an `nbytes` value that is

3014

too large, `Connection.recv_into` respects the size of the array and

3015

not the `nbytes` value and doesn't write more bytes into the buffer

3016

than will fit.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3017

"""

3018

self._doesnt_overfill_test(_make_memoryview)

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

3019

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3020

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3021

class TestConnectionSendall(object):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3022

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3023

Tests for `Connection.sendall`.

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3024

"""

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3025

def test_wrong_args(self):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3026

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

3027

When called with arguments other than a string argument for its first

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3028

parameter, `Connection.sendall` raises `TypeError`.

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3029

"""

3030

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3031

with pytest.raises(TypeError):

3032

connection.sendall(object())

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3033

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3034

def test_short(self):

3035

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3036

`Connection.sendall` transmits all of the bytes in the string

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3037

passed to it.

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3038

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3039

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3040

server.sendall(b'x')

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3041

assert client.recv(1) == b'x'

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3042

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3043

def test_text(self):

3044

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3045

`Connection.sendall` transmits all the content in the string passed

3046

to it, raising a DeprecationWarning in case of this being a text.

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3047

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3048

server, client = loopback()

3049

with pytest.warns(DeprecationWarning) as w:

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3050

simplefilter("always")

Jean-Paul Calderone

8dc37a1

2015-03-29 08:16:52 -0400

[diff] [blame]

3051

server.sendall(b"x".decode("ascii"))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3052

assert (

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

3053

"{0} for buf is no longer accepted, use bytes".format(

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

3054

WARNING_TYPE_EXPECTED

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3055

) == str(w[-1].message))

3056

assert client.recv(1) == b"x"

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3057

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3058

@skip_if_py26

3059

def test_short_memoryview(self):

3060

"""

3061

When passed a memoryview onto a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3062

`Connection.sendall` transmits all of them.

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3063

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3064

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3065

server.sendall(memoryview(b'x'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3066

assert client.recv(1) == b'x'

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3067

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3068

@skip_if_py3

3069

def test_short_buffers(self):

3070

"""

3071

When passed a buffer containing a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3072

`Connection.sendall` transmits all of them.

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3073

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3074

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3075

server.sendall(buffer(b'x'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3076

assert client.recv(1) == b'x'

Markus Unterwaditzer

8e41d02

2014-04-19 12:27:11 +0200

[diff] [blame]

3077

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3078

def test_long(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3079

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3080

`Connection.sendall` transmits all the bytes in the string passed to it

3081

even if this requires multiple calls of an underlying write function.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3082

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3083

server, client = loopback()

Jean-Paul Calderone

6241c70

2010-09-16 19:59:24 -0400

[diff] [blame]

3084

# Should be enough, underlying SSL_write should only do 16k at a time.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3085

# On Windows, after 32k of bytes the write will block (forever

3086

# - because no one is yet reading).

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3087

message = b'x' * (1024 * 32 - 1) + b'y'

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3088

server.sendall(message)

3089

accum = []

3090

received = 0

3091

while received < len(message):

Jean-Paul Calderone

b1f7f5f

2010-08-22 21:40:52 -0400

[diff] [blame]

3092

data = client.recv(1024)

3093

accum.append(data)

3094

received += len(data)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3095

assert message == b''.join(accum)

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3096

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

3097

def test_closed(self):

3098

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3099

If the underlying socket is closed, `Connection.sendall` propagates the

3100

write error from the low level write call.

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

3101

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3102

server, client = loopback()

Jean-Paul Calderone

05d43e8

2010-09-24 18:01:36 -0400

[diff] [blame]

3103

server.sock_shutdown(2)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3104

with pytest.raises(SysCallError) as err:

3105

server.sendall(b"hello, world")

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

3106

if platform == "win32":

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3107

assert err.value.args[0] == ESHUTDOWN

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

3108

else:

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3109

assert err.value.args[0] == EPIPE

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

3110

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3111

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3112

class TestConnectionRenegotiate(object):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3113

"""

3114

Tests for SSL renegotiation APIs.

3115

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

3116

def test_total_renegotiations(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3117

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3118

`Connection.total_renegotiations` returns `0` before any renegotiations

3119

have happened.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3120

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

3121

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3122

assert connection.total_renegotiations() == 0

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

3123

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3124

def test_renegotiate(self):

3125

"""

3126

Go through a complete renegotiation cycle.

3127

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3128

server, client = loopback()

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3129

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3130

server.send(b"hello world")

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3131

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3132

assert b"hello world" == client.recv(len(b"hello world"))

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3133

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3134

assert 0 == server.total_renegotiations()

3135

assert False is server.renegotiate_pending()

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3136

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3137

assert True is server.renegotiate()

3138

3139

assert True is server.renegotiate_pending()

3140

3141

server.setblocking(False)

3142

client.setblocking(False)

3143

3144

client.do_handshake()

3145

server.do_handshake()

3146

3147

assert 1 == server.total_renegotiations()

3148

while False is server.renegotiate_pending():

3149

pass

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3150

3151

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3152

class TestError(object):

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3153

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3154

Unit tests for `OpenSSL.SSL.Error`.

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3155

"""

3156

def test_type(self):

3157

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3158

`Error` is an exception type.

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3159

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3160

assert issubclass(Error, Exception)

3161

assert Error.__name__ == 'Error'

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

3162

3163

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3164

class TestConstants(object):

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3165

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3166

Tests for the values of constants exposed in `OpenSSL.SSL`.

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3167

3168

These are values defined by OpenSSL intended only to be used as flags to

3169

OpenSSL APIs. The only assertions it seems can be made about them is

3170

their values.

3171

"""

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3172

@pytest.mark.skipif(

3173

OP_NO_QUERY_MTU is None,

3174

reason="OP_NO_QUERY_MTU unavailable - OpenSSL version may be too old"

3175

)

3176

def test_op_no_query_mtu(self):

3177

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3178

The value of `OpenSSL.SSL.OP_NO_QUERY_MTU` is 0x1000, the value

3179

of `SSL_OP_NO_QUERY_MTU` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3180

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3181

assert OP_NO_QUERY_MTU == 0x1000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3182

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3183

@pytest.mark.skipif(

3184

OP_COOKIE_EXCHANGE is None,

3185

reason="OP_COOKIE_EXCHANGE unavailable - "

3186

"OpenSSL version may be too old"

3187

)

3188

def test_op_cookie_exchange(self):

3189

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3190

The value of `OpenSSL.SSL.OP_COOKIE_EXCHANGE` is 0x2000, the

3191

value of `SSL_OP_COOKIE_EXCHANGE` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3192

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3193

assert OP_COOKIE_EXCHANGE == 0x2000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3194

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3195

@pytest.mark.skipif(

3196

OP_NO_TICKET is None,

3197

reason="OP_NO_TICKET unavailable - OpenSSL version may be too old"

3198

)

3199

def test_op_no_ticket(self):

3200

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3201

The value of `OpenSSL.SSL.OP_NO_TICKET` is 0x4000, the value of

3202

`SSL_OP_NO_TICKET` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3203

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3204

assert OP_NO_TICKET == 0x4000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3205

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3206

@pytest.mark.skipif(

3207

OP_NO_COMPRESSION is None,

3208

reason="OP_NO_COMPRESSION unavailable - OpenSSL version may be too old"

3209

)

3210

def test_op_no_compression(self):

3211

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3212

The value of `OpenSSL.SSL.OP_NO_COMPRESSION` is 0x20000, the

3213

value of `SSL_OP_NO_COMPRESSION` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3214

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3215

assert OP_NO_COMPRESSION == 0x20000

Jean-Paul Calderone

c62d4c1

2011-09-08 18:29:32 -0400

[diff] [blame]

3216

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3217

def test_sess_cache_off(self):

3218

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3219

The value of `OpenSSL.SSL.SESS_CACHE_OFF` 0x0, the value of

3220

`SSL_SESS_CACHE_OFF` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3221

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3222

assert 0x0 == SESS_CACHE_OFF

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3223

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3224

def test_sess_cache_client(self):

3225

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3226

The value of `OpenSSL.SSL.SESS_CACHE_CLIENT` 0x1, the value of

3227

`SSL_SESS_CACHE_CLIENT` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3228

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3229

assert 0x1 == SESS_CACHE_CLIENT

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3230

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3231

def test_sess_cache_server(self):

3232

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3233

The value of `OpenSSL.SSL.SESS_CACHE_SERVER` 0x2, the value of

3234

`SSL_SESS_CACHE_SERVER` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3235

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3236

assert 0x2 == SESS_CACHE_SERVER

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3237

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3238

def test_sess_cache_both(self):

3239

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3240

The value of `OpenSSL.SSL.SESS_CACHE_BOTH` 0x3, the value of

3241

`SSL_SESS_CACHE_BOTH` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3242

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3243

assert 0x3 == SESS_CACHE_BOTH

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3244

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3245

def test_sess_cache_no_auto_clear(self):

3246

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3247

The value of `OpenSSL.SSL.SESS_CACHE_NO_AUTO_CLEAR` 0x80, the

3248

value of `SSL_SESS_CACHE_NO_AUTO_CLEAR` defined by

3249

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3250

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3251

assert 0x80 == SESS_CACHE_NO_AUTO_CLEAR

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3252

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3253

def test_sess_cache_no_internal_lookup(self):

3254

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3255

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_LOOKUP` 0x100,

3256

the value of `SSL_SESS_CACHE_NO_INTERNAL_LOOKUP` defined by

3257

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3258

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3259

assert 0x100 == SESS_CACHE_NO_INTERNAL_LOOKUP

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3260

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3261

def test_sess_cache_no_internal_store(self):

3262

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3263

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_STORE` 0x200,

3264

the value of `SSL_SESS_CACHE_NO_INTERNAL_STORE` defined by

3265

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3266

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3267

assert 0x200 == SESS_CACHE_NO_INTERNAL_STORE

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3268

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3269

def test_sess_cache_no_internal(self):

3270

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3271

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL` 0x300, the

3272

value of `SSL_SESS_CACHE_NO_INTERNAL` defined by

3273

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3274

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3275

assert 0x300 == SESS_CACHE_NO_INTERNAL

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3276

3277

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3278

class TestMemoryBIO(object):

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3279

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3280

Tests for `OpenSSL.SSL.Connection` using a memory BIO.

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3281

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3282

def _server(self, sock):

3283

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3284

Create a new server-side SSL `Connection` object wrapped around `sock`.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3285

"""

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3286

# Create the server side Connection. This is mostly setup boilerplate

3287

# - use TLSv1, use a particular certificate, etc.

3288

server_ctx = Context(TLSv1_METHOD)

Alex Gaynor

4330778

2015-09-04 09:05:45 -0400

[diff] [blame]

3289

server_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE)

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3290

server_ctx.set_verify(

3291

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE,

3292

verify_cb

3293

)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3294

server_store = server_ctx.get_cert_store()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3295

server_ctx.use_privatekey(

3296

load_privatekey(FILETYPE_PEM, server_key_pem))

3297

server_ctx.use_certificate(

3298

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3299

server_ctx.check_privatekey()

3300

server_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3301

# Here the Connection is actually created. If None is passed as the

3302

# 2nd parameter, it indicates a memory BIO should be created.

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3303

server_conn = Connection(server_ctx, sock)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3304

server_conn.set_accept_state()

3305

return server_conn

3306

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3307

def _client(self, sock):

3308

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3309

Create a new client-side SSL `Connection` object wrapped around `sock`.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3310

"""

3311

# Now create the client side Connection. Similar boilerplate to the

3312

# above.

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3313

client_ctx = Context(TLSv1_METHOD)

Alex Gaynor

4330778

2015-09-04 09:05:45 -0400

[diff] [blame]

3314

client_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE)

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3315

client_ctx.set_verify(

3316

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE,

3317

verify_cb

3318

)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3319

client_store = client_ctx.get_cert_store()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3320

client_ctx.use_privatekey(

3321

load_privatekey(FILETYPE_PEM, client_key_pem))

3322

client_ctx.use_certificate(

3323

load_certificate(FILETYPE_PEM, client_cert_pem))

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3324

client_ctx.check_privatekey()

3325

client_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3326

client_conn = Connection(client_ctx, sock)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3327

client_conn.set_connect_state()

3328

return client_conn

3329

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3330

def test_memory_connect(self):

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3331

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3332

Two `Connection`s which use memory BIOs can be manually connected by

3333

reading from the output of each and writing those bytes to the input of

3334

the other and in this way establish a connection and exchange

3335

application-level bytes with each other.

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3336

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3337

server_conn = self._server(None)

3338

client_conn = self._client(None)

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3339

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3340

# There should be no key or nonces yet.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3341

assert server_conn.master_key() is None

3342

assert server_conn.client_random() is None

3343

assert server_conn.server_random() is None

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3344

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3345

# First, the handshake needs to happen. We'll deliver bytes back and

3346

# forth between the client and server until neither of them feels like

3347

# speaking any more.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3348

assert interact_in_memory(client_conn, server_conn) is None

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3349

3350

# Now that the handshake is done, there should be a key and nonces.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3351

assert server_conn.master_key() is not None

3352

assert server_conn.client_random() is not None

3353

assert server_conn.server_random() is not None

3354

assert server_conn.client_random() == client_conn.client_random()

3355

assert server_conn.server_random() == client_conn.server_random()

3356

assert server_conn.client_random() != server_conn.server_random()

3357

assert client_conn.client_random() != client_conn.server_random()

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3358

3359

# Here are the bytes we'll try to send.

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3360

important_message = b'One if by land, two if by sea.'

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3361

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3362

server_conn.write(important_message)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3363

assert (

3364

interact_in_memory(client_conn, server_conn) ==

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3365

(client_conn, important_message))

3366

3367

client_conn.write(important_message[::-1])

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3368

assert (

3369

interact_in_memory(client_conn, server_conn) ==

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3370

(server_conn, important_message[::-1]))

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3371

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3372

def test_socket_connect(self):

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3373

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3374

Just like `test_memory_connect` but with an actual socket.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3375

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3376

This is primarily to rule out the memory BIO code as the source of any

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3377

problems encountered while passing data over a `Connection` (if

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3378

this test fails, there must be a problem outside the memory BIO code,

3379

as no memory BIO is involved here). Even though this isn't a memory

3380

BIO test, it's convenient to have it here.

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3381

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3382

server_conn, client_conn = loopback()

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3383

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3384

important_message = b"Help me Obi Wan Kenobi, you're my only hope."

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3385

client_conn.send(important_message)

3386

msg = server_conn.recv(1024)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3387

assert msg == important_message

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3388

3389

# Again in the other direction, just for fun.

3390

important_message = important_message[::-1]

3391

server_conn.send(important_message)

3392

msg = client_conn.recv(1024)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3393

assert msg == important_message

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3394

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3395

def test_socket_overrides_memory(self):

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3396

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3397

Test that `OpenSSL.SSL.bio_read` and `OpenSSL.SSL.bio_write` don't

3398

work on `OpenSSL.SSL.Connection`() that use sockets.

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3399

"""

Alex Gaynor

51d424c

2016-09-10 14:50:11 -0400

[diff] [blame]

3400

context = Context(TLSv1_METHOD)

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3401

client = socket()

3402

clientSSL = Connection(context, client)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3403

with pytest.raises(TypeError):

3404

clientSSL.bio_read(100)

3405

with pytest.raises(TypeError):

3406

clientSSL.bio_write("foo")

3407

with pytest.raises(TypeError):

3408

clientSSL.bio_shutdown()

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3409

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3410

def test_outgoing_overflow(self):

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3411

"""

3412

If more bytes than can be written to the memory BIO are passed to

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3413

`Connection.send` at once, the number of bytes which were written is

3414

returned and that many bytes from the beginning of the input can be

3415

read from the other end of the connection.

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3416

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3417

server = self._server(None)

3418

client = self._client(None)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3419

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3420

interact_in_memory(client, server)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3421

3422

size = 2 ** 15

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

3423

sent = client.send(b"x" * size)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3424

# Sanity check. We're trying to test what happens when the entire

3425

# input can't be sent. If the entire input was sent, this test is

3426

# meaningless.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3427

assert sent < size

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3428

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3429

receiver, received = interact_in_memory(client, server)

3430

assert receiver is server

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3431

3432

# We can rely on all of these bytes being received at once because

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3433

# loopback passes 2 ** 16 to recv - more than 2 ** 15.

3434

assert len(received) == sent

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3435

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3436

def test_shutdown(self):

3437

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3438

`Connection.bio_shutdown` signals the end of the data stream

3439

from which the `Connection` reads.

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3440

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3441

server = self._server(None)

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3442

server.bio_shutdown()

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3443

with pytest.raises(Error) as err:

3444

server.recv(1024)

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3445

# We don't want WantReadError or ZeroReturnError or anything - it's a

3446

# handshake failure.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3447

assert type(err.value) in [Error, SysCallError]

Jean-Paul Calderone

0b88b6a

2009-07-05 12:44:41 -0400

[diff] [blame]

3448

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3449

def test_unexpected_EOF(self):

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3450

"""

3451

If the connection is lost before an orderly SSL shutdown occurs,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3452

`OpenSSL.SSL.SysCallError` is raised with a message of

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3453

"Unexpected EOF".

3454

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3455

server_conn, client_conn = loopback()

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3456

client_conn.sock_shutdown(SHUT_RDWR)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3457

with pytest.raises(SysCallError) as err:

3458

server_conn.recv(1024)

3459

assert err.value.args == (-1, "Unexpected EOF")

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3460

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3461

def _check_client_ca_list(self, func):

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3462

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3463

Verify the return value of the `get_client_ca_list` method for

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3464

server and client connections.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3465

Jonathan Ballet

78b92a2

2011-07-16 08:07:26 +0900

[diff] [blame]

3466

:param func: A function which will be called with the server context

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3467

before the client and server are connected to each other. This

3468

function should specify a list of CAs for the server to send to the

3469

client and return that same list. The list will be used to verify

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3470

that `get_client_ca_list` returns the proper value at

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3471

various times.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3472

"""

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3473

server = self._server(None)

3474

client = self._client(None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3475

assert client.get_client_ca_list() == []

3476

assert server.get_client_ca_list() == []

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3477

ctx = server.get_context()

3478

expected = func(ctx)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3479

assert client.get_client_ca_list() == []

3480

assert server.get_client_ca_list() == expected

3481

interact_in_memory(client, server)

3482

assert client.get_client_ca_list() == expected

3483

assert server.get_client_ca_list() == expected

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3484

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3485

def test_set_client_ca_list_errors(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3486

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3487

`Context.set_client_ca_list` raises a `TypeError` if called with a

3488

non-list or a list that contains objects other than X509Names.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3489

"""

3490

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3491

with pytest.raises(TypeError):

3492

ctx.set_client_ca_list("spam")

3493

with pytest.raises(TypeError):

3494

ctx.set_client_ca_list(["spam"])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3495

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3496

def test_set_empty_ca_list(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3497

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3498

If passed an empty list, `Context.set_client_ca_list` configures the

3499

context to send no CA names to the client and, on both the server and

3500

client sides, `Connection.get_client_ca_list` returns an empty list

3501

after the connection is set up.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3502

"""

3503

def no_ca(ctx):

3504

ctx.set_client_ca_list([])

3505

return []

3506

self._check_client_ca_list(no_ca)

3507

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3508

def test_set_one_ca_list(self):

3509

"""

3510

If passed a list containing a single X509Name,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3511

`Context.set_client_ca_list` configures the context to send

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3512

that CA name to the client and, on both the server and client sides,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3513

`Connection.get_client_ca_list` returns a list containing that

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3514

X509Name after the connection is set up.

3515

"""

3516

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3517

cadesc = cacert.get_subject()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3518

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3519

def single_ca(ctx):

3520

ctx.set_client_ca_list([cadesc])

3521

return [cadesc]

3522

self._check_client_ca_list(single_ca)

3523

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3524

def test_set_multiple_ca_list(self):

3525

"""

3526

If passed a list containing multiple X509Name objects,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3527

`Context.set_client_ca_list` configures the context to send

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3528

those CA names to the client and, on both the server and client sides,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3529

`Connection.get_client_ca_list` returns a list containing those

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3530

X509Names after the connection is set up.

3531

"""

3532

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3533

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3534

3535

sedesc = secert.get_subject()

3536

cldesc = clcert.get_subject()

3537

3538

def multiple_ca(ctx):

3539

L = [sedesc, cldesc]

3540

ctx.set_client_ca_list(L)

3541

return L

3542

self._check_client_ca_list(multiple_ca)

3543

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3544

def test_reset_ca_list(self):

3545

"""

3546

If called multiple times, only the X509Names passed to the final call

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3547

of `Context.set_client_ca_list` are used to configure the CA

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3548

names sent to the client.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3549

"""

3550

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3551

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3552

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3553

3554

cadesc = cacert.get_subject()

3555

sedesc = secert.get_subject()

3556

cldesc = clcert.get_subject()

3557

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3558

def changed_ca(ctx):

3559

ctx.set_client_ca_list([sedesc, cldesc])

3560

ctx.set_client_ca_list([cadesc])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3561

return [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3562

self._check_client_ca_list(changed_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3563

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3564

def test_mutated_ca_list(self):

3565

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3566

If the list passed to `Context.set_client_ca_list` is mutated

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3567

afterwards, this does not affect the list of CA names sent to the

3568

client.

3569

"""

3570

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3571

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3572

3573

cadesc = cacert.get_subject()

3574

sedesc = secert.get_subject()

3575

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3576

def mutated_ca(ctx):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3577

L = [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3578

ctx.set_client_ca_list([cadesc])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3579

L.append(sedesc)

3580

return [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3581

self._check_client_ca_list(mutated_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3582

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3583

def test_add_client_ca_wrong_args(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3584

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3585

`Context.add_client_ca` raises `TypeError` if called with

3586

a non-X509 object.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3587

"""

3588

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3589

with pytest.raises(TypeError):

3590

ctx.add_client_ca("spam")

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3591

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3592

def test_one_add_client_ca(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3593

"""

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3594

A certificate's subject can be added as a CA to be sent to the client

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3595

with `Context.add_client_ca`.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3596

"""

3597

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3598

cadesc = cacert.get_subject()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3599

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3600

def single_ca(ctx):

3601

ctx.add_client_ca(cacert)

3602

return [cadesc]

3603

self._check_client_ca_list(single_ca)

3604

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3605

def test_multiple_add_client_ca(self):

3606

"""

3607

Multiple CA names can be sent to the client by calling

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3608

`Context.add_client_ca` with multiple X509 objects.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3609

"""

3610

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3611

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3612

3613

cadesc = cacert.get_subject()

3614

sedesc = secert.get_subject()

3615

3616

def multiple_ca(ctx):

3617

ctx.add_client_ca(cacert)

3618

ctx.add_client_ca(secert)

3619

return [cadesc, sedesc]

3620

self._check_client_ca_list(multiple_ca)

3621

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3622

def test_set_and_add_client_ca(self):

3623

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3624

A call to `Context.set_client_ca_list` followed by a call to

3625

`Context.add_client_ca` results in using the CA names from the

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3626

first call and the CA name from the second call.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3627

"""

3628

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3629

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3630

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3631

3632

cadesc = cacert.get_subject()

3633

sedesc = secert.get_subject()

3634

cldesc = clcert.get_subject()

3635

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3636

def mixed_set_add_ca(ctx):

3637

ctx.set_client_ca_list([cadesc, sedesc])

3638

ctx.add_client_ca(clcert)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3639

return [cadesc, sedesc, cldesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3640

self._check_client_ca_list(mixed_set_add_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3641

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3642

def test_set_after_add_client_ca(self):

3643

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3644

A call to `Context.set_client_ca_list` after a call to

3645

`Context.add_client_ca` replaces the CA name specified by the

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3646

former call with the names specified by the latter call.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3647

"""

3648

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3649

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3650

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3651

3652

cadesc = cacert.get_subject()

3653

sedesc = secert.get_subject()

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3654

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3655

def set_replaces_add_ca(ctx):

3656

ctx.add_client_ca(clcert)

3657

ctx.set_client_ca_list([cadesc])

3658

ctx.add_client_ca(secert)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3659

return [cadesc, sedesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3660

self._check_client_ca_list(set_replaces_add_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3661

Jean-Paul Calderone

0b88b6a

2009-07-05 12:44:41 -0400

[diff] [blame]

3662

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3663

class TestInfoConstants(object):

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3664

"""

3665

Tests for assorted constants exposed for use in info callbacks.

3666

"""

3667

def test_integers(self):

3668

"""

3669

All of the info constants are integers.

3670

3671

This is a very weak test. It would be nice to have one that actually

3672

verifies that as certain info events happen, the value passed to the

3673

info callback matches up with the constant exposed by OpenSSL.SSL.

3674

"""

3675

for const in [

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

3676

SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK,

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3677

SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT,

3678

SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP,

3679

SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT,

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3680

SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE

3681

]:

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

3682

assert isinstance(const, int)

3683

3684

# These constants don't exist on OpenSSL 1.1.0

3685

for const in [

3686

SSL_ST_INIT, SSL_ST_BEFORE, SSL_ST_OK, SSL_ST_RENEGOTIATE

3687

]:

3688

assert const is None or isinstance(const, int)

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3689

Ziga Seilnacht

44611bf

2009-08-31 20:49:30 +0200

[diff] [blame]

3690

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3691

class TestRequires(object):

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3692

"""

3693

Tests for the decorator factory used to conditionally raise

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3694

NotImplementedError when older OpenSSLs are used.

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3695

"""

3696

def test_available(self):

3697

"""

3698

When the OpenSSL functionality is available the decorated functions

3699

work appropriately.

3700

"""

3701

feature_guard = _make_requires(True, "Error text")

results = []

@feature_guard

def inner():

results.append(True)

return True

Cory Benfield

2016-03-30 14:24:16 +0100

[diff] [blame]

3709

assert inner() is True

3710

assert [True] == results

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3711

3712

def test_unavailable(self):

3713

"""

3714

When the OpenSSL functionality is not available the decorated function

3715

does not execute and NotImplementedError is raised.

3716

"""

3717

feature_guard = _make_requires(False, "Error text")

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3718

3719

@feature_guard

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3720

def inner(): # pragma: nocover

3721

pytest.fail("Should not be called")

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3722

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3723

with pytest.raises(NotImplementedError) as e:

3724

inner()

3725

3726

assert "Error text" in str(e.value)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3727

3728

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3729

class TestOCSP(object):

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3730

"""

3731

Tests for PyOpenSSL's OCSP stapling support.

3732

"""

3733

sample_ocsp_data = b"this is totally ocsp data"

3734

3735

def _client_connection(self, callback, data, request_ocsp=True):

3736

"""

3737

Builds a client connection suitable for using OCSP.

3738

3739

:param callback: The callback to register for OCSP.

3740

:param data: The opaque data object that will be handed to the

3741

OCSP callback.

3742

:param request_ocsp: Whether the client will actually ask for OCSP

3743

stapling. Useful for testing only.

3744

"""

3745

ctx = Context(SSLv23_METHOD)

3746

ctx.set_ocsp_client_callback(callback, data)

3747

client = Connection(ctx)

3748

3749

if request_ocsp:

3750

client.request_ocsp()

3751

3752

client.set_connect_state()

3753

return client

3754

3755

def _server_connection(self, callback, data):

3756

"""

3757

Builds a server connection suitable for using OCSP.

3758

3759

:param callback: The callback to register for OCSP.

3760

:param data: The opaque data object that will be handed to the

3761

OCSP callback.

3762

"""

3763

ctx = Context(SSLv23_METHOD)

3764

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

3765

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

3766

ctx.set_ocsp_server_callback(callback, data)

3767

server = Connection(ctx)

3768

server.set_accept_state()

3769

return server

3770

3771

def test_callbacks_arent_called_by_default(self):

3772

"""

3773

If both the client and the server have registered OCSP callbacks, but

3774

the client does not send the OCSP request, neither callback gets

3775

called.

3776

"""

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3777

def ocsp_callback(*args, **kwargs): # pragma: nocover

3778

pytest.fail("Should not be called")

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3779

3780

client = self._client_connection(

3781

callback=ocsp_callback, data=None, request_ocsp=False

3782

)

3783

server = self._server_connection(callback=ocsp_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3784

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3785

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3786

def test_client_negotiates_without_server(self):

3787

"""

3788

If the client wants to do OCSP but the server does not, the handshake

3789

succeeds, and the client callback fires with an empty byte string.

"""

called = []

def ocsp_callback(conn, ocsp_data, ignored):

3794

called.append(ocsp_data)

3795

return True

3796

3797

client = self._client_connection(callback=ocsp_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3798

server = loopback_server_factory(socket=None)

3799

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3800

3801

assert len(called) == 1

3802

assert called[0] == b''

3803

3804

def test_client_receives_servers_data(self):

3805

"""

3806

The data the server sends in its callback is received by the client.

"""

calls = []

def server_callback(*args, **kwargs):

3811

return self.sample_ocsp_data

3812

3813

def client_callback(conn, ocsp_data, ignored):

3814

calls.append(ocsp_data)

3815

return True

3816

3817

client = self._client_connection(callback=client_callback, data=None)

3818

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3819

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3820

3821

assert len(calls) == 1

3822

assert calls[0] == self.sample_ocsp_data

3823

3824

def test_callbacks_are_invoked_with_connections(self):

3825

"""

3826

The first arguments to both callbacks are their respective connections.

"""

client_calls = []

server_calls = []

def client_callback(conn, *args, **kwargs):

3832

client_calls.append(conn)

3833

return True

3834

3835

def server_callback(conn, *args, **kwargs):

3836

server_calls.append(conn)

3837

return self.sample_ocsp_data

3838

3839

client = self._client_connection(callback=client_callback, data=None)

3840

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3841

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3842

3843

assert len(client_calls) == 1

3844

assert len(server_calls) == 1

3845

assert client_calls[0] is client

3846

assert server_calls[0] is server

3847

3848

def test_opaque_data_is_passed_through(self):

3849

"""

3850

Both callbacks receive an opaque, user-provided piece of data in their

3851

callbacks as the final argument.

"""

calls = []

def server_callback(*args):

3856

calls.append(args)

3857

return self.sample_ocsp_data

3858

3859

def client_callback(*args):

calls.append(args)

return True

sentinel = object()

client = self._client_connection(

3866

callback=client_callback, data=sentinel

3867

)

3868

server = self._server_connection(

3869

callback=server_callback, data=sentinel

3870

)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3871

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3872

3873

assert len(calls) == 2

3874

assert calls[0][-1] is sentinel

3875

assert calls[1][-1] is sentinel

3876

3877

def test_server_returns_empty_string(self):

3878

"""

3879

If the server returns an empty bytestring from its callback, the

3880

client callback is called with the empty bytestring.

"""

client_calls = []

def server_callback(*args):

3885

return b''

3886

3887

def client_callback(conn, ocsp_data, ignored):

3888

client_calls.append(ocsp_data)

3889

return True

3890

3891

client = self._client_connection(callback=client_callback, data=None)

3892

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3893

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3894

3895

assert len(client_calls) == 1

3896

assert client_calls[0] == b''

3897

3898

def test_client_returns_false_terminates_handshake(self):

3899

"""

3900

If the client returns False from its callback, the handshake fails.

3901

"""

3902

def server_callback(*args):

3903

return self.sample_ocsp_data

3904

3905

def client_callback(*args):

3906

return False

3907

3908

client = self._client_connection(callback=client_callback, data=None)

3909

server = self._server_connection(callback=server_callback, data=None)

3910

3911

with pytest.raises(Error):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3912

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3913

3914

def test_exceptions_in_client_bubble_up(self):

3915

"""

3916

The callbacks thrown in the client callback bubble up to the caller.

3917

"""

3918

class SentinelException(Exception):

3919

pass

3920

3921

def server_callback(*args):

3922

return self.sample_ocsp_data

3923

3924

def client_callback(*args):

3925

raise SentinelException()

3926

3927

client = self._client_connection(callback=client_callback, data=None)

3928

server = self._server_connection(callback=server_callback, data=None)

3929

3930

with pytest.raises(SentinelException):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3931

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3932

3933

def test_exceptions_in_server_bubble_up(self):

3934

"""

3935

The callbacks thrown in the server callback bubble up to the caller.

3936

"""

3937

class SentinelException(Exception):

3938

pass

3939

3940

def server_callback(*args):

3941

raise SentinelException()

3942

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3943

def client_callback(*args): # pragma: nocover

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3944

pytest.fail("Should not be called")

3945

3946

client = self._client_connection(callback=client_callback, data=None)

3947

server = self._server_connection(callback=server_callback, data=None)

3948

3949

with pytest.raises(SentinelException):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3950

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3951

3952

def test_server_must_return_bytes(self):

3953

"""

3954

The server callback must return a bytestring, or a TypeError is thrown.

3955

"""

3956

def server_callback(*args):

3957

return self.sample_ocsp_data.decode('ascii')

3958

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3959

def client_callback(*args): # pragma: nocover

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3960

pytest.fail("Should not be called")

3961

3962

client = self._client_connection(callback=client_callback, data=None)

3963

server = self._server_connection(callback=server_callback, data=None)

3964

3965

with pytest.raises(TypeError):

Alex Chan