Blame - tests/test_ssl.py - platform/external/python/pyopenssl

2008-03-21 17:04:05 -0400

[diff] [blame]

4

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

5

Unit tests for :mod:`OpenSSL.SSL`.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

6

"""

7

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

8

import datetime

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

9

import sys

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

10

import uuid

11

Jean-Paul Calderone

4c1aacd

2014-01-11 08:15:17 -0500

[diff] [blame]

12

from gc import collect, get_referrers

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

13

from errno import ECONNREFUSED, EINPROGRESS, EWOULDBLOCK, EPIPE, ESHUTDOWN

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

14

from sys import platform, getfilesystemencoding, version_info

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

15

from socket import MSG_PEEK, SHUT_RDWR, error, socket

Jean-Paul Calderone

a65cf6c

2009-07-19 10:26:52 -0400

[diff] [blame]

16

from os import makedirs

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

17

from os.path import join

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

18

from weakref import ref

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

19

from warnings import simplefilter

Jean-Paul Calderone

460cc1f

2009-03-07 11:31:12 -0500

[diff] [blame]

20

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

21

import pytest

22

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

23

from six import PY3, text_type

Jean-Paul Calderone

c76c61c

2014-01-18 13:21:52 -0500

[diff] [blame]

24

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

25

from cryptography import x509

26

from cryptography.hazmat.backends import default_backend

27

from cryptography.hazmat.primitives import hashes

28

from cryptography.hazmat.primitives import serialization

29

from cryptography.hazmat.primitives.asymmetric import rsa

30

from cryptography.x509.oid import NameOID

31

32

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

33

from OpenSSL.crypto import TYPE_RSA, FILETYPE_PEM

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

34

from OpenSSL.crypto import PKey, X509, X509Extension, X509Store

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

35

from OpenSSL.crypto import dump_privatekey, load_privatekey

36

from OpenSSL.crypto import dump_certificate, load_certificate

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

37

from OpenSSL.crypto import get_elliptic_curves

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

38

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

39

from OpenSSL.SSL import OPENSSL_VERSION_NUMBER, SSLEAY_VERSION, SSLEAY_CFLAGS

40

from OpenSSL.SSL import SSLEAY_PLATFORM, SSLEAY_DIR, SSLEAY_BUILT_ON

Jean-Paul Calderone

e4f6b47

2010-07-29 22:50:58 -0400

[diff] [blame]

41

from OpenSSL.SSL import SENT_SHUTDOWN, RECEIVED_SHUTDOWN

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

42

from OpenSSL.SSL import (

43

SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD,

44

TLSv1_1_METHOD, TLSv1_2_METHOD)

45

from OpenSSL.SSL import OP_SINGLE_DH_USE, OP_NO_SSLv2, OP_NO_SSLv3

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

46

from OpenSSL.SSL import (

47

VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT, VERIFY_CLIENT_ONCE, VERIFY_NONE)

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

48

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

49

from OpenSSL.SSL import (

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

50

SESS_CACHE_OFF, SESS_CACHE_CLIENT, SESS_CACHE_SERVER, SESS_CACHE_BOTH,

51

SESS_CACHE_NO_AUTO_CLEAR, SESS_CACHE_NO_INTERNAL_LOOKUP,

52

SESS_CACHE_NO_INTERNAL_STORE, SESS_CACHE_NO_INTERNAL)

53

54

from OpenSSL.SSL import (

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

55

Error, SysCallError, WantReadError, WantWriteError, ZeroReturnError)

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

56

from OpenSSL.SSL import (

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

57

Context, ContextType, Session, Connection, ConnectionType, SSLeay_version)

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

58

from OpenSSL.SSL import _make_requires

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

59

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

60

from OpenSSL._util import lib as _lib

61

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

62

from OpenSSL.SSL import (

63

OP_NO_QUERY_MTU, OP_COOKIE_EXCHANGE, OP_NO_TICKET, OP_NO_COMPRESSION,

64

MODE_RELEASE_BUFFERS)

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

65

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

66

try:

67

from OpenSSL.SSL import OP_NO_TLSv1, OP_NO_TLSv1_1, OP_NO_TLSv1_2

68

except ImportError:

69

OP_NO_TLSv1 = OP_NO_TLSv1_1 = OP_NO_TLSv1_2 = None

70

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

71

from OpenSSL.SSL import (

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

72

SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK,

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

73

SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT,

74

SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP,

75

SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT,

76

SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE)

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

77

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

78

try:

79

from OpenSSL.SSL import (

80

SSL_ST_INIT, SSL_ST_BEFORE, SSL_ST_OK, SSL_ST_RENEGOTIATE

81

)

82

except ImportError:

83

SSL_ST_INIT = SSL_ST_BEFORE = SSL_ST_OK = SSL_ST_RENEGOTIATE = None

84

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

85

from .util import WARNING_TYPE_EXPECTED, NON_ASCII, is_consistent_type

Hynek Schlawack

f0e6685

2015-10-16 20:18:38 +0200

[diff] [blame]

86

from .test_crypto import (

87

cleartextCertificatePEM, cleartextPrivateKeyPEM,

88

client_cert_pem, client_key_pem, server_cert_pem, server_key_pem,

89

root_cert_pem)

90

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

91

Alex Gaynor

d0bdd2d

2016-09-10 14:23:46 -0400

[diff] [blame]

92

# openssl dhparam 1024 -out dh-1024.pem (note that 1024 is a small number of

93

# bits to use)

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

94

dhparam = """\

95

-----BEGIN DH PARAMETERS-----

Alex Gaynor

d0bdd2d

2016-09-10 14:23:46 -0400

[diff] [blame]

96

MIGHAoGBALdUMvn+C9MM+y5BWZs11mSeH6HHoEq0UVbzVq7UojC1hbsZUuGukQ3a

97

Qh2/pwqb18BZFykrWB0zv/OkLa0kx4cuUgNrUVq1EFheBiX6YqryJ7t2sO09NQiO

98

V7H54LmltOT/hEh6QWsJqb6BQgH65bswvV/XkYGja8/T0GzvbaVzAgEC

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

99

-----END DH PARAMETERS-----

"""

Hynek Schlawack

2015-09-05 20:48:34 +0200

[diff] [blame]

103

skip_if_py3 = pytest.mark.skipif(PY3, reason="Python 2 only")

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

104

skip_if_py26 = pytest.mark.skipif(

105

version_info[0:2] == (2, 6),

106

reason="Python 2.7 and later only"

107

)

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

108

109

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

110

def join_bytes_or_unicode(prefix, suffix):

111

"""

112

Join two path components of either ``bytes`` or ``unicode``.

113

114

The return type is the same as the type of ``prefix``.

115

"""

116

# If the types are the same, nothing special is necessary.

117

if type(prefix) == type(suffix):

118

return join(prefix, suffix)

119

120

# Otherwise, coerce suffix to the type of prefix.

121

if isinstance(prefix, text_type):

122

return join(prefix, suffix.decode(getfilesystemencoding()))

123

else:

124

return join(prefix, suffix.encode(getfilesystemencoding()))

125

126

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

127

def verify_cb(conn, cert, errnum, depth, ok):

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

128

return ok

129

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

130

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

131

def socket_pair():

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

132

"""

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

133

Establish and return a pair of network sockets connected to each other.

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

134

"""

135

# Connect a pair of sockets

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

port = socket()

port.bind(('', 0))

port.listen(1)

client = socket()

client.setblocking(False)

Jean-Paul Calderone

f23c5d9

2009-07-23 17:58:15 -0400

[diff] [blame]

141

client.connect_ex(("127.0.0.1", port.getsockname()[1]))

Jean-Paul Calderone

94b24a8

2009-07-16 19:11:38 -0400

[diff] [blame]

142

client.setblocking(True)

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

143

server = port.accept()[0]

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

144

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

145

# Let's pass some unencrypted data to make sure our socket connection is

146

# fine. Just one byte, so we don't have to worry about buffers getting

147

# filled up or fragmentation.

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

148

server.send(b"x")

149

assert client.recv(1024) == b"x"

150

client.send(b"y")

151

assert server.recv(1024) == b"y"

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

152

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

153

# Most of our callers want non-blocking sockets, make it easy for them.

Jean-Paul Calderone

94b24a8

2009-07-16 19:11:38 -0400

[diff] [blame]

154

server.setblocking(False)

155

client.setblocking(False)

Jim Shaver

46f2891

2015-05-29 19:32:16 -0400

[diff] [blame]

156

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

157

return (server, client)

158

159

Jean-Paul Calderone

f874203

2010-09-25 00:00:32 -0400

[diff] [blame]

160

def handshake(client, server):

161

conns = [client, server]

while conns:

for conn in conns:

try:

conn.do_handshake()

except WantReadError:

pass

else:

conns.remove(conn)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

172

def _create_certificate_chain():

173

"""

174

Construct and return a chain of certificates.

175

176

1. A new self-signed certificate authority certificate (cacert)

177

2. A new intermediate certificate signed by cacert (icert)

178

3. A new server certificate signed by icert (scert)

179

"""

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

180

caext = X509Extension(b'basicConstraints', False, b'CA:true')

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

181

182

# Step 1

183

cakey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

184

cakey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

185

cacert = X509()

186

cacert.get_subject().commonName = "Authority Certificate"

187

cacert.set_issuer(cacert.get_subject())

188

cacert.set_pubkey(cakey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

189

cacert.set_notBefore(b"20000101000000Z")

190

cacert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

191

cacert.add_extensions([caext])

192

cacert.set_serial_number(0)

193

cacert.sign(cakey, "sha1")

194

195

# Step 2

196

ikey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

197

ikey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

198

icert = X509()

199

icert.get_subject().commonName = "Intermediate Certificate"

200

icert.set_issuer(cacert.get_subject())

201

icert.set_pubkey(ikey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

202

icert.set_notBefore(b"20000101000000Z")

203

icert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

204

icert.add_extensions([caext])

205

icert.set_serial_number(0)

206

icert.sign(cakey, "sha1")

207

208

# Step 3

209

skey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

210

skey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

211

scert = X509()

212

scert.get_subject().commonName = "Server Certificate"

213

scert.set_issuer(icert.get_subject())

214

scert.set_pubkey(skey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

215

scert.set_notBefore(b"20000101000000Z")

216

scert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

217

scert.add_extensions([

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

218

X509Extension(b'basicConstraints', True, b'CA:false')])

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

219

scert.set_serial_number(0)

220

scert.sign(ikey, "sha1")

221

222

return [(cakey, cacert), (ikey, icert), (skey, scert)]

223

224

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

225

def loopback_client_factory(socket):

226

client = Connection(Context(TLSv1_METHOD), socket)

227

client.set_connect_state()

return client

def loopback_server_factory(socket):

232

ctx = Context(TLSv1_METHOD)

233

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

234

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

235

server = Connection(ctx, socket)

236

server.set_accept_state()

return server

def loopback(server_factory=None, client_factory=None):

241

"""

242

Create a connected socket pair and force two connected SSL sockets

243

to talk to each other via memory BIOs.

244

"""

245

if server_factory is None:

246

server_factory = loopback_server_factory

247

if client_factory is None:

248

client_factory = loopback_client_factory

249

250

(server, client) = socket_pair()

251

server = server_factory(server)

252

client = client_factory(client)

253

254

handshake(client, server)

255

256

server.setblocking(True)

257

client.setblocking(True)

258

return server, client

259

260

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

261

def interact_in_memory(client_conn, server_conn):

262

"""

263

Try to read application bytes from each of the two `Connection` objects.

264

Copy bytes back and forth between their send/receive buffers for as long

265

as there is anything to copy. When there is nothing more to copy,

266

return `None`. If one of them actually manages to deliver some application

267

bytes, return a two-tuple of the connection from which the bytes were read

268

and the bytes themselves.

"""

wrote = True

while wrote:

# Loop until neither side has anything to say

273

wrote = False

274

275

# Copy stuff from each side's send buffer to the other side's

276

# receive buffer.

277

for (read, write) in [(client_conn, server_conn),

278

(server_conn, client_conn)]:

279

280

# Give the side a chance to generate some more bytes, or succeed.

281

try:

282

data = read.recv(2 ** 16)

283

except WantReadError:

284

# It didn't succeed, so we'll hope it generated some output.

285

pass

286

else:

287

# It did succeed, so we'll stop now and let the caller deal

# with it.

return (read, data)

while True:

# Keep copying as long as there's more stuff there.

293

try:

294

dirty = read.bio_read(4096)

295

except WantReadError:

296

# Okay, nothing more waiting to be sent. Stop

297

# processing this send buffer.

298

break

299

else:

300

# Keep track of the fact that someone generated some

301

# output.

302

wrote = True

303

write.bio_write(dirty)

304

305

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

306

def handshake_in_memory(client_conn, server_conn):

307

"""

308

Perform the TLS handshake between two `Connection` instances connected to

309

each other via memory BIOs.

310

"""

311

client_conn.set_connect_state()

312

server_conn.set_accept_state()

313

314

for conn in [client_conn, server_conn]:

315

try:

316

conn.do_handshake()

317

except WantReadError:

318

pass

319

320

interact_in_memory(client_conn, server_conn)

321

322

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

323

class TestVersion(object):

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

324

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

325

Tests for version information exposed by `OpenSSL.SSL.SSLeay_version` and

326

`OpenSSL.SSL.OPENSSL_VERSION_NUMBER`.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

327

"""

328

def test_OPENSSL_VERSION_NUMBER(self):

329

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

330

`OPENSSL_VERSION_NUMBER` is an integer with status in the low byte and

331

the patch, fix, minor, and major versions in the nibbles above that.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

332

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

333

assert isinstance(OPENSSL_VERSION_NUMBER, int)

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

334

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

335

def test_SSLeay_version(self):

336

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

337

`SSLeay_version` takes a version type indicator and returns one of a

338

number of version strings based on that indicator.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

339

"""

340

versions = {}

341

for t in [SSLEAY_VERSION, SSLEAY_CFLAGS, SSLEAY_BUILT_ON,

342

SSLEAY_PLATFORM, SSLEAY_DIR]:

343

version = SSLeay_version(t)

344

versions[version] = t

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

345

assert isinstance(version, bytes)

346

assert len(versions) == 5

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

347

348

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

349

@pytest.fixture

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

350

def ca_file(tmpdir):

351

"""

352

Create a valid PEM file with CA certificates and return the path.

353

"""

354

key = rsa.generate_private_key(

355

public_exponent=65537,

356

key_size=2048,

357

backend=default_backend()

358

)

359

public_key = key.public_key()

360

361

builder = x509.CertificateBuilder()

362

builder = builder.subject_name(x509.Name([

363

x509.NameAttribute(NameOID.COMMON_NAME, u"pyopenssl.org"),

364

]))

365

builder = builder.issuer_name(x509.Name([

366

x509.NameAttribute(NameOID.COMMON_NAME, u"pyopenssl.org"),

367

]))

368

one_day = datetime.timedelta(1, 0, 0)

369

builder = builder.not_valid_before(datetime.datetime.today() - one_day)

370

builder = builder.not_valid_after(datetime.datetime.today() + one_day)

371

builder = builder.serial_number(int(uuid.uuid4()))

372

builder = builder.public_key(public_key)

373

builder = builder.add_extension(

374

x509.BasicConstraints(ca=True, path_length=None), critical=True,

375

)

376

377

certificate = builder.sign(

378

private_key=key, algorithm=hashes.SHA256(),

379

backend=default_backend()

380

)

381

382

ca_file = tmpdir.join("test.pem")

383

ca_file.write_binary(

384

certificate.public_bytes(

385

encoding=serialization.Encoding.PEM,

)

)

return str(ca_file).encode("ascii")

390

391

392

@pytest.fixture

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

393

def context():

394

"""

395

A simple TLS 1.0 context.

396

"""

397

return Context(TLSv1_METHOD)

398

399

400

class TestContext(object):

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

401

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

402

Unit tests for `OpenSSL.SSL.Context`.

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

403

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

404

@pytest.mark.parametrize("cipher_string", [

405

b"hello world:AES128-SHA",

406

u"hello world:AES128-SHA",

407

])

408

def test_set_cipher_list(self, context, cipher_string):

409

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

410

`Context.set_cipher_list` accepts both byte and unicode strings

Hynek Schlawack

a7a63af

2016-03-11 12:05:26 +0100

[diff] [blame]

411

for naming the ciphers which connections created with the context

412

object will be able to choose from.

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

413

"""

414

context.set_cipher_list(cipher_string)

415

conn = Connection(context, None)

416

417

assert "AES128-SHA" in conn.get_cipher_list()

418

419

@pytest.mark.parametrize("cipher_list,error", [

420

(object(), TypeError),

421

("imaginary-cipher", Error),

422

])

423

def test_set_cipher_list_wrong_args(self, context, cipher_list, error):

424

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

425

`Context.set_cipher_list` raises `TypeError` when passed a non-string

426

argument and raises `OpenSSL.SSL.Error` when passed an incorrect cipher

427

list string.

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

428

"""

429

with pytest.raises(error):

430

context.set_cipher_list(cipher_list)

431

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

432

def test_load_client_ca(self, context, ca_file):

433

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

434

`Context.load_client_ca` works as far as we can tell.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

435

"""

436

context.load_client_ca(ca_file)

437

438

def test_load_client_ca_invalid(self, context, tmpdir):

439

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

440

`Context.load_client_ca` raises an Error if the ca file is invalid.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

441

"""

442

ca_file = tmpdir.join("test.pem")

443

ca_file.write("")

444

445

with pytest.raises(Error) as e:

446

context.load_client_ca(str(ca_file).encode("ascii"))

447

448

assert "PEM routines" == e.value.args[0][0][0]

449

450

def test_load_client_ca_unicode(self, context, ca_file):

451

"""

452

Passing the path as unicode raises a warning but works.

453

"""

454

pytest.deprecated_call(

455

context.load_client_ca, ca_file.decode("ascii")

456

)

457

458

def test_set_session_id(self, context):

459

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

460

`Context.set_session_id` works as far as we can tell.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

461

"""

462

context.set_session_id(b"abc")

463

464

def test_set_session_id_fail(self, context):

465

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

466

`Context.set_session_id` errors are propagated.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

467

"""

468

with pytest.raises(Error) as e:

469

context.set_session_id(b"abc" * 1000)

assert [

("SSL routines",

"SSL_CTX_set_session_id_context",

474

"ssl session id context too long")

475

] == e.value.args[0]

476

477

def test_set_session_id_unicode(self, context):

478

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

479

`Context.set_session_id` raises a warning if a unicode string is

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

480

passed.

481

"""

482

pytest.deprecated_call(context.set_session_id, u"abc")

483

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

484

def test_method(self):

485

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

486

`Context` can be instantiated with one of `SSLv2_METHOD`,

487

`SSLv3_METHOD`, `SSLv23_METHOD`, `TLSv1_METHOD`, `TLSv1_1_METHOD`,

488

or `TLSv1_2_METHOD`.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

489

"""

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

490

methods = [SSLv23_METHOD, TLSv1_METHOD]

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

491

for meth in methods:

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

492

Context(meth)

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

493

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

494

maybe = [SSLv2_METHOD, SSLv3_METHOD, TLSv1_1_METHOD, TLSv1_2_METHOD]

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

for meth in maybe:

try:

Context(meth)

except (Error, ValueError):

499

# Some versions of OpenSSL have SSLv2 / TLSv1.1 / TLSv1.2, some

500

# don't. Difficult to say in advance.

501

pass

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

502

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

503

with pytest.raises(TypeError):

504

Context("")

505

with pytest.raises(ValueError):

506

Context(10)

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

507

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

508

@skip_if_py3

509

def test_method_long(self):

510

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

511

On Python 2 `Context` accepts values of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

512

"""

513

Context(long(TLSv1_METHOD))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

514

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

515

def test_type(self):

516

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

517

`Context` and `ContextType` refer to the same type object and can

518

be used to create instances of that type.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

519

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

520

assert Context is ContextType

521

assert is_consistent_type(Context, 'Context', TLSv1_METHOD)

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

522

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

523

def test_use_privatekey(self):

524

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

525

`Context.use_privatekey` takes an `OpenSSL.crypto.PKey` instance.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

526

"""

527

key = PKey()

528

key.generate_key(TYPE_RSA, 128)

529

ctx = Context(TLSv1_METHOD)

530

ctx.use_privatekey(key)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

531

with pytest.raises(TypeError):

532

ctx.use_privatekey("")

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

533

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

534

def test_use_privatekey_file_missing(self, tmpfile):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

535

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

536

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` when passed

537

the name of a file which does not exist.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

538

"""

539

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

540

with pytest.raises(Error):

541

ctx.use_privatekey_file(tmpfile)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

542

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

543

def _use_privatekey_file_test(self, pemfile, filetype):

544

"""

545

Verify that calling ``Context.use_privatekey_file`` with the given

546

arguments does not raise an exception.

547

"""

548

key = PKey()

549

key.generate_key(TYPE_RSA, 128)

550

551

with open(pemfile, "wt") as pem:

552

pem.write(

553

dump_privatekey(FILETYPE_PEM, key).decode("ascii")

554

)

555

556

ctx = Context(TLSv1_METHOD)

557

ctx.use_privatekey_file(pemfile, filetype)

558

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

559

def test_use_privatekey_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

560

"""

561

A private key can be specified from a file by passing a ``bytes``

562

instance giving the file name to ``Context.use_privatekey_file``.

563

"""

564

self._use_privatekey_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

565

tmpfile + NON_ASCII.encode(getfilesystemencoding()),

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

FILETYPE_PEM,

)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

569

def test_use_privatekey_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

570

"""

571

A private key can be specified from a file by passing a ``unicode``

572

instance giving the file name to ``Context.use_privatekey_file``.

573

"""

574

self._use_privatekey_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

575

tmpfile.decode(getfilesystemencoding()) + NON_ASCII,

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

FILETYPE_PEM,

)

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

579

@skip_if_py3

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

580

def test_use_privatekey_file_long(self, tmpfile):

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

581

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

582

On Python 2 `Context.use_privatekey_file` accepts a filetype of

583

type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

584

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

585

self._use_privatekey_file_test(tmpfile, long(FILETYPE_PEM))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

586

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

587

def test_use_certificate_wrong_args(self):

588

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

589

`Context.use_certificate_wrong_args` raises `TypeError` when not passed

590

exactly one `OpenSSL.crypto.X509` instance as an argument.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

591

"""

592

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

593

with pytest.raises(TypeError):

594

ctx.use_certificate("hello, world")

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

595

596

def test_use_certificate_uninitialized(self):

597

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

598

`Context.use_certificate` raises `OpenSSL.SSL.Error` when passed a

599

`OpenSSL.crypto.X509` instance which has not been initialized

600

(ie, which does not actually have any certificate data).

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

601

"""

602

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

603

with pytest.raises(Error):

604

ctx.use_certificate(X509())

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

605

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

606

def test_use_certificate(self):

607

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

608

`Context.use_certificate` sets the certificate which will be

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

609

used to identify connections created using the context.

610

"""

611

# TODO

612

# Hard to assert anything. But we could set a privatekey then ask

613

# OpenSSL if the cert and key agree using check_privatekey. Then as

614

# long as check_privatekey works right we're good...

615

ctx = Context(TLSv1_METHOD)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

616

ctx.use_certificate(

617

load_certificate(FILETYPE_PEM, cleartextCertificatePEM)

618

)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

619

620

def test_use_certificate_file_wrong_args(self):

621

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

622

`Context.use_certificate_file` raises `TypeError` if the first

623

argument is not a byte string or the second argument is not an integer.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

624

"""

625

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

626

with pytest.raises(TypeError):

627

ctx.use_certificate_file(object(), FILETYPE_PEM)

628

with pytest.raises(TypeError):

629

ctx.use_certificate_file(b"somefile", object())

630

with pytest.raises(TypeError):

631

ctx.use_certificate_file(object(), FILETYPE_PEM)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

632

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

633

def test_use_certificate_file_missing(self, tmpfile):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

634

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

635

`Context.use_certificate_file` raises `OpenSSL.SSL.Error` if passed

636

the name of a file which does not exist.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

637

"""

638

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

639

with pytest.raises(Error):

640

ctx.use_certificate_file(tmpfile)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

641

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

642

def _use_certificate_file_test(self, certificate_file):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

643

"""

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

644

Verify that calling ``Context.use_certificate_file`` with the given

645

filename doesn't raise an exception.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

646

"""

647

# TODO

648

# Hard to assert anything. But we could set a privatekey then ask

649

# OpenSSL if the cert and key agree using check_privatekey. Then as

650

# long as check_privatekey works right we're good...

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

651

with open(certificate_file, "wb") as pem_file:

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

652

pem_file.write(cleartextCertificatePEM)

653

654

ctx = Context(TLSv1_METHOD)

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

655

ctx.use_certificate_file(certificate_file)

656

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

657

def test_use_certificate_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

658

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

659

`Context.use_certificate_file` sets the certificate (given as a

660

`bytes` filename) which will be used to identify connections created

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

661

using the context.

662

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

663

filename = tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

664

self._use_certificate_file_test(filename)

665

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

666

def test_use_certificate_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

667

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

668

`Context.use_certificate_file` sets the certificate (given as a

669

`bytes` filename) which will be used to identify connections created

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

670

using the context.

671

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

672

filename = tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

673

self._use_certificate_file_test(filename)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

674

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

675

@skip_if_py3

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

676

def test_use_certificate_file_long(self, tmpfile):

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

677

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

678

On Python 2 `Context.use_certificate_file` accepts a

679

filetype of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

680

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

681

pem_filename = tmpfile

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

682

with open(pem_filename, "wb") as pem_file:

683

pem_file.write(cleartextCertificatePEM)

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

684

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

685

ctx = Context(TLSv1_METHOD)

686

ctx.use_certificate_file(pem_filename, long(FILETYPE_PEM))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

687

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

688

def test_check_privatekey_valid(self):

689

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

690

`Context.check_privatekey` returns `None` if the `Context` instance

691

has been configured to use a matched key and certificate pair.

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

692

"""

693

key = load_privatekey(FILETYPE_PEM, client_key_pem)

694

cert = load_certificate(FILETYPE_PEM, client_cert_pem)

695

context = Context(TLSv1_METHOD)

696

context.use_privatekey(key)

697

context.use_certificate(cert)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

698

assert None is context.check_privatekey()

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

699

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

700

def test_check_privatekey_invalid(self):

701

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

702

`Context.check_privatekey` raises `Error` if the `Context` instance

703

has been configured to use a key and certificate pair which don't

704

relate to each other.

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

705

"""

706

key = load_privatekey(FILETYPE_PEM, client_key_pem)

707

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

708

context = Context(TLSv1_METHOD)

709

context.use_privatekey(key)

710

context.use_certificate(cert)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

711

with pytest.raises(Error):

712

context.check_privatekey()

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

713

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

714

def test_app_data(self):

715

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

716

`Context.set_app_data` stores an object for later retrieval

717

using `Context.get_app_data`.

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

718

"""

719

app_data = object()

720

context = Context(TLSv1_METHOD)

721

context.set_app_data(app_data)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

722

assert context.get_app_data() is app_data

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

723

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

724

def test_set_options_wrong_args(self):

725

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

726

`Context.set_options` raises `TypeError` if called with

727

a non-`int` argument.

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

728

"""

729

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

730

with pytest.raises(TypeError):

731

context.set_options(None)

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

732

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

733

def test_set_options(self):

734

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

735

`Context.set_options` returns the new options value.

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

736

"""

737

context = Context(TLSv1_METHOD)

738

options = context.set_options(OP_NO_SSLv2)

Alex Gaynor

2310f8b

2016-09-10 14:39:32 -0400

[diff] [blame]

739

assert options & OP_NO_SSLv2 == OP_NO_SSLv2

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

740

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

741

@skip_if_py3

742

def test_set_options_long(self):

743

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

744

On Python 2 `Context.set_options` accepts values of type

745

`long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

746

"""

747

context = Context(TLSv1_METHOD)

748

options = context.set_options(long(OP_NO_SSLv2))

Alex Gaynor

2310f8b

2016-09-10 14:39:32 -0400

[diff] [blame]

749

assert options & OP_NO_SSLv2 == OP_NO_SSLv2

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

750

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

751

def test_set_mode_wrong_args(self):

752

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

753

`Context.set_mode` raises `TypeError` if called with

754

a non-`int` argument.

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

755

"""

756

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

757

with pytest.raises(TypeError):

758

context.set_mode(None)

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

759

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

760

def test_set_mode(self):

761

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

762

`Context.set_mode` accepts a mode bitvector and returns the

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

763

newly set mode.

764

"""

765

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

766

assert MODE_RELEASE_BUFFERS & context.set_mode(MODE_RELEASE_BUFFERS)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

767

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

768

@skip_if_py3

769

def test_set_mode_long(self):

770

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

771

On Python 2 `Context.set_mode` accepts values of type `long` as well

772

as `int`.

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

773

"""

774

context = Context(TLSv1_METHOD)

775

mode = context.set_mode(long(MODE_RELEASE_BUFFERS))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

776

assert MODE_RELEASE_BUFFERS & mode

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

777

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

778

def test_set_timeout_wrong_args(self):

779

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

780

`Context.set_timeout` raises `TypeError` if called with

781

a non-`int` argument.

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

782

"""

783

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

784

with pytest.raises(TypeError):

785

context.set_timeout(None)

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

786

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

787

def test_timeout(self):

788

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

789

`Context.set_timeout` sets the session timeout for all connections

790

created using the context object. `Context.get_timeout` retrieves

791

this value.

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

792

"""

793

context = Context(TLSv1_METHOD)

794

context.set_timeout(1234)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

795

assert context.get_timeout() == 1234

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

796

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

797

@skip_if_py3

798

def test_timeout_long(self):

799

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

800

On Python 2 `Context.set_timeout` accepts values of type `long` as

801

well as int.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

802

"""

803

context = Context(TLSv1_METHOD)

804

context.set_timeout(long(1234))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

805

assert context.get_timeout() == 1234

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

806

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

807

def test_set_verify_depth_wrong_args(self):

808

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

809

`Context.set_verify_depth` raises `TypeError` if called with a

810

non-`int` argument.

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

811

"""

812

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

813

with pytest.raises(TypeError):

814

context.set_verify_depth(None)

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

815

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

816

def test_verify_depth(self):

817

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

818

`Context.set_verify_depth` sets the number of certificates in

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

819

a chain to follow before giving up. The value can be retrieved with

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

820

`Context.get_verify_depth`.

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

821

"""

822

context = Context(TLSv1_METHOD)

823

context.set_verify_depth(11)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

824

assert context.get_verify_depth() == 11

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

825

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

826

@skip_if_py3

827

def test_verify_depth_long(self):

828

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

829

On Python 2 `Context.set_verify_depth` accepts values of type `long`

830

as well as int.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

831

"""

832

context = Context(TLSv1_METHOD)

833

context.set_verify_depth(long(11))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

834

assert context.get_verify_depth() == 11

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

835

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

836

def _write_encrypted_pem(self, passphrase, tmpfile):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

837

"""

838

Write a new private key out to a new file, encrypted using the given

839

passphrase. Return the path to the new file.

840

"""

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

841

key = PKey()

842

key.generate_key(TYPE_RSA, 128)

Jean-Paul Calderone

a986883

2010-08-22 21:38:34 -0400

[diff] [blame]

843

pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

844

with open(tmpfile, 'w') as fObj:

845

fObj.write(pem.decode('ascii'))

846

return tmpfile

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

847

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

848

def test_set_passwd_cb_wrong_args(self):

849

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

850

`Context.set_passwd_cb` raises `TypeError` if called with a

851

non-callable first argument.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

852

"""

853

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

854

with pytest.raises(TypeError):

855

context.set_passwd_cb(None)

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

856

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

857

def test_set_passwd_cb(self, tmpfile):

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

858

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

859

`Context.set_passwd_cb` accepts a callable which will be invoked when

860

a private key is loaded from an encrypted PEM.

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

861

"""

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

862

passphrase = b"foobar"

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

863

pemFile = self._write_encrypted_pem(passphrase, tmpfile)

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

864

calledWith = []

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

865

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

866

def passphraseCallback(maxlen, verify, extra):

867

calledWith.append((maxlen, verify, extra))

868

return passphrase

869

context = Context(TLSv1_METHOD)

870

context.set_passwd_cb(passphraseCallback)

871

context.use_privatekey_file(pemFile)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

872

assert len(calledWith) == 1

873

assert isinstance(calledWith[0][0], int)

874

assert isinstance(calledWith[0][1], int)

875

assert calledWith[0][2] is None

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

876

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

877

def test_passwd_callback_exception(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

878

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

879

`Context.use_privatekey_file` propagates any exception raised

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

880

by the passphrase callback.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

881

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

882

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

883

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

884

def passphraseCallback(maxlen, verify, extra):

885

raise RuntimeError("Sorry, I am a fail.")

886

887

context = Context(TLSv1_METHOD)

888

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

889

with pytest.raises(RuntimeError):

890

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

891

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

892

def test_passwd_callback_false(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

893

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

894

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` if the

895

passphrase callback returns a false value.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

896

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

897

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

898

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

899

def passphraseCallback(maxlen, verify, extra):

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

900

return b""

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

901

902

context = Context(TLSv1_METHOD)

903

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

904

with pytest.raises(Error):

905

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

906

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

907

def test_passwd_callback_non_string(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

908

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

909

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` if the

910

passphrase callback returns a true non-string value.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

911

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

912

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

913

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

914

def passphraseCallback(maxlen, verify, extra):

915

return 10

916

917

context = Context(TLSv1_METHOD)

918

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

919

# TODO: Surely this is the wrong error?

920

with pytest.raises(ValueError):

921

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

922

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

923

def test_passwd_callback_too_long(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

924

"""

925

If the passphrase returned by the passphrase callback returns a string

926

longer than the indicated maximum length, it is truncated.

927

"""

928

# A priori knowledge!

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

929

passphrase = b"x" * 1024

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

930

pemFile = self._write_encrypted_pem(passphrase, tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

931

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

932

def passphraseCallback(maxlen, verify, extra):

933

assert maxlen == 1024

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

934

return passphrase + b"y"

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

935

936

context = Context(TLSv1_METHOD)

937

context.set_passwd_cb(passphraseCallback)

938

# This shall succeed because the truncated result is the correct

939

# passphrase.

940

context.use_privatekey_file(pemFile)

941

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

942

def test_set_info_callback(self):

943

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

944

`Context.set_info_callback` accepts a callable which will be

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

945

invoked when certain information about an SSL connection is available.

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

946

"""

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

947

(server, client) = socket_pair()

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

948

949

clientSSL = Connection(Context(TLSv1_METHOD), client)

950

clientSSL.set_connect_state()

951

952

called = []

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

953

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

954

def info(conn, where, ret):

955

called.append((conn, where, ret))

956

context = Context(TLSv1_METHOD)

957

context.set_info_callback(info)

958

context.use_certificate(

959

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

960

context.use_privatekey(

961

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

962

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

963

serverSSL = Connection(context, server)

964

serverSSL.set_accept_state()

965

Jean-Paul Calderone

f2bbc9c

2014-02-02 10:59:14 -0500

[diff] [blame]

966

handshake(clientSSL, serverSSL)

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

967

Jean-Paul Calderone

3835e52

2014-02-02 11:12:30 -0500

[diff] [blame]

968

# The callback must always be called with a Connection instance as the

969

# first argument. It would probably be better to split this into

970

# separate tests for client and server side info callbacks so we could

971

# assert it is called with the right Connection instance. It would

972

# also be good to assert *something* about `where` and `ret`.

Jean-Paul Calderone

f2bbc9c

2014-02-02 10:59:14 -0500

[diff] [blame]

973

notConnections = [

974

conn for (conn, where, ret) in called

975

if not isinstance(conn, Connection)]

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

976

assert [] == notConnections, (

977

"Some info callback arguments were not Connection instances.")

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

978

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

979

def _load_verify_locations_test(self, *args):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

980

"""

981

Create a client context which will verify the peer certificate and call

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

982

its `load_verify_locations` method with the given arguments.

Jean-Paul Calderone

64efa2c

2011-09-11 10:00:09 -0400

[diff] [blame]

983

Then connect it to a server and ensure that the handshake succeeds.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

984

"""

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

985

(server, client) = socket_pair()

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

986

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

987

clientContext = Context(TLSv1_METHOD)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

988

clientContext.load_verify_locations(*args)

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

989

# Require that the server certificate verify properly or the

990

# connection will fail.

991

clientContext.set_verify(

992

VERIFY_PEER,

993

lambda conn, cert, errno, depth, preverify_ok: preverify_ok)

994

995

clientSSL = Connection(clientContext, client)

996

clientSSL.set_connect_state()

997

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

998

serverContext = Context(TLSv1_METHOD)

999

serverContext.use_certificate(

1000

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1001

serverContext.use_privatekey(

1002

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1003

1004

serverSSL = Connection(serverContext, server)

1005

serverSSL.set_accept_state()

1006

Jean-Paul Calderone

f874203

2010-09-25 00:00:32 -0400

[diff] [blame]

1007

# Without load_verify_locations above, the handshake

1008

# will fail:

1009

# Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE',

1010

# 'certificate verify failed')]

1011

handshake(clientSSL, serverSSL)

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1012

1013

cert = clientSSL.get_peer_certificate()

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1014

assert cert.get_subject().CN == 'Testing Root CA'

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1015

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1016

def _load_verify_cafile(self, cafile):

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1017

"""

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1018

Verify that if path to a file containing a certificate is passed to

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1019

`Context.load_verify_locations` for the ``cafile`` parameter, that

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1020

certificate is used as a trust root for the purposes of verifying

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1021

connections created using that `Context`.

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1022

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1023

with open(cafile, 'w') as fObj:

1024

fObj.write(cleartextCertificatePEM.decode('ascii'))

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1025

1026

self._load_verify_locations_test(cafile)

1027

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1028

def test_load_verify_bytes_cafile(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1029

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1030

`Context.load_verify_locations` accepts a file name as a `bytes`

1031

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1032

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1033

cafile = tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1034

self._load_verify_cafile(cafile)

1035

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1036

def test_load_verify_unicode_cafile(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1037

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1038

`Context.load_verify_locations` accepts a file name as a `unicode`

1039

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1040

"""

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1041

self._load_verify_cafile(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1042

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1043

)

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1044

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1045

def test_load_verify_invalid_file(self, tmpfile):

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1046

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1047

`Context.load_verify_locations` raises `Error` when passed a

1048

non-existent cafile.

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1049

"""

1050

clientContext = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1051

with pytest.raises(Error):

1052

clientContext.load_verify_locations(tmpfile)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1053

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1054

def _load_verify_directory_locations_capath(self, capath):

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1055

"""

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1056

Verify that if path to a directory containing certificate files is

1057

passed to ``Context.load_verify_locations`` for the ``capath``

1058

parameter, those certificates are used as trust roots for the purposes

1059

of verifying connections created using that ``Context``.

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1060

"""

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1061

makedirs(capath)

Jean-Paul Calderone

24dfb33

2011-05-04 18:10:26 -0400

[diff] [blame]

1062

# Hash values computed manually with c_rehash to avoid depending on

1063

# c_rehash in the test suite. One is from OpenSSL 0.9.8, the other

1064

# from OpenSSL 1.0.0.

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

1065

for name in [b'c7adac82.0', b'c3705638.0']:

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

1066

cafile = join_bytes_or_unicode(capath, name)

1067

with open(cafile, 'w') as fObj:

1068

fObj.write(cleartextCertificatePEM.decode('ascii'))

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1069

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1070

self._load_verify_locations_test(None, capath)

1071

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1072

def test_load_verify_directory_bytes_capath(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1073

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1074

`Context.load_verify_locations` accepts a directory name as a `bytes`

1075

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1076

"""

1077

self._load_verify_directory_locations_capath(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1078

tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1079

)

1080

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1081

def test_load_verify_directory_unicode_capath(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1082

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1083

`Context.load_verify_locations` accepts a directory name as a `unicode`

1084

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1085

"""

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1086

self._load_verify_directory_locations_capath(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1087

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1088

)

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1089

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1090

def test_load_verify_locations_wrong_args(self):

1091

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1092

`Context.load_verify_locations` raises `TypeError` if with non-`str`

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1093

arguments.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1094

"""

1095

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1096

with pytest.raises(TypeError):

1097

context.load_verify_locations(object())

1098

with pytest.raises(TypeError):

1099

context.load_verify_locations(object(), object())

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1100

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1101

@pytest.mark.skipif(

1102

platform == "win32",

1103

reason="set_default_verify_paths appears not to work on Windows. "

Jean-Paul Calderone

28fb8f0

2009-07-24 18:01:31 -0400

[diff] [blame]

1104

"See LP#404343 and LP#404344."

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1105

)

1106

def test_set_default_verify_paths(self):

1107

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1108

`Context.set_default_verify_paths` causes the platform-specific CA

1109

certificate locations to be used for verification purposes.

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1110

"""

1111

# Testing this requires a server with a certificate signed by one

1112

# of the CAs in the platform CA location. Getting one of those

1113

# costs money. Fortunately (or unfortunately, depending on your

1114

# perspective), it's easy to think of a public server on the

1115

# internet which has such a certificate. Connecting to the network

1116

# in a unit test is bad, but it's the only way I can think of to

1117

# really test this. -exarkun

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1118

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1119

# Arg, verisign.com doesn't speak anything newer than TLS 1.0

Hynek Schlawack

bf88793

2015-10-21 17:13:47 +0200

[diff] [blame]

1120

context = Context(SSLv23_METHOD)

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1121

context.set_default_verify_paths()

1122

context.set_verify(

1123

VERIFY_PEER,

1124

lambda conn, cert, errno, depth, preverify_ok: preverify_ok)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1125

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1126

client = socket()

Hynek Schlawack

bf88793

2015-10-21 17:13:47 +0200

[diff] [blame]

1127

client.connect(("encrypted.google.com", 443))

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1128

clientSSL = Connection(context, client)

1129

clientSSL.set_connect_state()

1130

clientSSL.do_handshake()

1131

clientSSL.send(b"GET / HTTP/1.0\r\n\r\n")

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1132

assert clientSSL.recv(1024)

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

1133

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1134

def test_add_extra_chain_cert_invalid_cert(self):

1135

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1136

`Context.add_extra_chain_cert` raises `TypeError` if called with an

1137

object which is not an instance of `X509`.

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1138

"""

1139

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1140

with pytest.raises(TypeError):

1141

context.add_extra_chain_cert(object())

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1142

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1143

def _handshake_test(self, serverContext, clientContext):

1144

"""

1145

Verify that a client and server created with the given contexts can

1146

successfully handshake and communicate.

1147

"""

1148

serverSocket, clientSocket = socket_pair()

1149

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1150

server = Connection(serverContext, serverSocket)

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

1151

server.set_accept_state()

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1152

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1153

client = Connection(clientContext, clientSocket)

1154

client.set_connect_state()

1155

1156

# Make them talk to each other.

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1157

# interact_in_memory(client, server)

1158

for _ in range(3):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1159

for s in [client, server]:

1160

try:

1161

s.do_handshake()

1162

except WantReadError:

1163

pass

1164

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1165

def test_set_verify_callback_connection_argument(self):

1166

"""

1167

The first argument passed to the verify callback is the

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1168

`Connection` instance for which verification is taking place.

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1169

"""

1170

serverContext = Context(TLSv1_METHOD)

1171

serverContext.use_privatekey(

1172

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1173

serverContext.use_certificate(

1174

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1175

serverConnection = Connection(serverContext, None)

1176

1177

class VerifyCallback(object):

1178

def callback(self, connection, *args):

1179

self.connection = connection

1180

return 1

1181

1182

verify = VerifyCallback()

1183

clientContext = Context(TLSv1_METHOD)

1184

clientContext.set_verify(VERIFY_PEER, verify.callback)

1185

clientConnection = Connection(clientContext, None)

1186

clientConnection.set_connect_state()

1187

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1188

handshake_in_memory(clientConnection, serverConnection)

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1189

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1190

assert verify.connection is clientConnection

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1191

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1192

def test_set_verify_callback_exception(self):

1193

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1194

If the verify callback passed to `Context.set_verify` raises an

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1195

exception, verification fails and the exception is propagated to the

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1196

caller of `Connection.do_handshake`.

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1197

"""

1198

serverContext = Context(TLSv1_METHOD)

1199

serverContext.use_privatekey(

1200

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1201

serverContext.use_certificate(

1202

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1203

1204

clientContext = Context(TLSv1_METHOD)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1205

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1206

def verify_callback(*args):

1207

raise Exception("silly verify failure")

1208

clientContext.set_verify(VERIFY_PEER, verify_callback)

1209

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1210

with pytest.raises(Exception) as exc:

1211

self._handshake_test(serverContext, clientContext)

1212

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1213

assert "silly verify failure" == str(exc.value)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1214

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1215

def test_add_extra_chain_cert(self, tmpdir):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1216

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1217

`Context.add_extra_chain_cert` accepts an `X509`

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1218

instance to add to the certificate chain.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1219

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1220

See `_create_certificate_chain` for the details of the

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1221

certificate chain tested.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1222

1223

The chain is tested by starting a server with scert and connecting

1224

to it with a client which trusts cacert and requires verification to

1225

succeed.

1226

"""

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

1227

chain = _create_certificate_chain()

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1228

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

1229

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1230

# Dump the CA certificate to a file because that's the only way to load

1231

# it as a trusted CA in the client context.

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1232

for cert, name in [(cacert, 'ca.pem'),

1233

(icert, 'i.pem'),

1234

(scert, 's.pem')]:

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1235

with tmpdir.join(name).open('w') as f:

Hynek Schlawack

e90680f

2015-04-16 15:09:27 -0400

[diff] [blame]

1236

f.write(dump_certificate(FILETYPE_PEM, cert).decode('ascii'))

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1237

Hynek Schlawack

1902c01

2015-04-16 15:06:41 -0400

[diff] [blame]

1238

for key, name in [(cakey, 'ca.key'),

1239

(ikey, 'i.key'),

1240

(skey, 's.key')]:

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1241

with tmpdir.join(name).open('w') as f:

Hynek Schlawack

e90680f

2015-04-16 15:09:27 -0400

[diff] [blame]

1242

f.write(dump_privatekey(FILETYPE_PEM, key).decode('ascii'))

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1243

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1244

# Create the server context

1245

serverContext = Context(TLSv1_METHOD)

1246

serverContext.use_privatekey(skey)

1247

serverContext.use_certificate(scert)

Jean-Paul Calderone

16cf03d

2010-09-08 18:53:39 -0400

[diff] [blame]

1248

# The client already has cacert, we only need to give them icert.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1249

serverContext.add_extra_chain_cert(icert)

1250

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1251

# Create the client

1252

clientContext = Context(TLSv1_METHOD)

1253

clientContext.set_verify(

1254

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1255

clientContext.load_verify_locations(str(tmpdir.join("ca.pem")))

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

1256

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1257

# Try it out.

1258

self._handshake_test(serverContext, clientContext)

1259

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1260

def _use_certificate_chain_file_test(self, certdir):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1261

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1262

Verify that `Context.use_certificate_chain_file` reads a

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1263

certificate chain from a specified file.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1264

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1265

The chain is tested by starting a server with scert and connecting to

1266

it with a client which trusts cacert and requires verification to

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1267

succeed.

1268

"""

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

1269

chain = _create_certificate_chain()

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1270

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

1271

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1272

makedirs(certdir)

1273

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

1274

chainFile = join_bytes_or_unicode(certdir, "chain.pem")

1275

caFile = join_bytes_or_unicode(certdir, "ca.pem")

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1276

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1277

# Write out the chain file.

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1278

with open(chainFile, 'wb') as fObj:

1279

# Most specific to least general.

1280

fObj.write(dump_certificate(FILETYPE_PEM, scert))

1281

fObj.write(dump_certificate(FILETYPE_PEM, icert))

1282

fObj.write(dump_certificate(FILETYPE_PEM, cacert))

1283

1284

with open(caFile, 'w') as fObj:

1285

fObj.write(dump_certificate(FILETYPE_PEM, cacert).decode('ascii'))

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1286

1287

serverContext = Context(TLSv1_METHOD)

1288

serverContext.use_certificate_chain_file(chainFile)

1289

serverContext.use_privatekey(skey)

1290

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1291

clientContext = Context(TLSv1_METHOD)

1292

clientContext.set_verify(

1293

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1294

clientContext.load_verify_locations(caFile)

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1295

1296

self._handshake_test(serverContext, clientContext)

1297

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1298

def test_use_certificate_chain_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1299

"""

1300

``Context.use_certificate_chain_file`` accepts the name of a file (as

1301

an instance of ``bytes``) to specify additional certificates to use to

1302

construct and verify a trust chain.

1303

"""

1304

self._use_certificate_chain_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1305

tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1306

)

1307

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1308

def test_use_certificate_chain_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1309

"""

1310

``Context.use_certificate_chain_file`` accepts the name of a file (as

1311

an instance of ``unicode``) to specify additional certificates to use

1312

to construct and verify a trust chain.

1313

"""

1314

self._use_certificate_chain_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1315

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1316

)

1317

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1318

def test_use_certificate_chain_file_wrong_args(self):

1319

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1320

`Context.use_certificate_chain_file` raises `TypeError` if passed a

1321

non-byte string single argument.

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1322

"""

1323

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1324

with pytest.raises(TypeError):

1325

context.use_certificate_chain_file(object())

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1326

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1327

def test_use_certificate_chain_file_missing_file(self, tmpfile):

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1328

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1329

`Context.use_certificate_chain_file` raises `OpenSSL.SSL.Error` when

1330

passed a bad chain file name (for example, the name of a file which

1331

does not exist).

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1332

"""

1333

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1334

with pytest.raises(Error):

1335

context.use_certificate_chain_file(tmpfile)

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1336

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1337

def test_set_verify_mode(self):

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1338

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1339

`Context.get_verify_mode` returns the verify mode flags previously

1340

passed to `Context.set_verify`.

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1341

"""

1342

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1343

assert context.get_verify_mode() == 0

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1344

context.set_verify(

1345

VERIFY_PEER | VERIFY_CLIENT_ONCE, lambda *args: None)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1346

assert context.get_verify_mode() == (VERIFY_PEER | VERIFY_CLIENT_ONCE)

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1347

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1348

@skip_if_py3

1349

def test_set_verify_mode_long(self):

1350

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1351

On Python 2 `Context.set_verify_mode` accepts values of type `long`

1352

as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1353

"""

1354

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1355

assert context.get_verify_mode() == 0

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1356

context.set_verify(

Hynek Schlawack

b4ceed3

2015-09-05 20:55:19 +0200

[diff] [blame]

1357

long(VERIFY_PEER | VERIFY_CLIENT_ONCE), lambda *args: None

1358

) # pragma: nocover

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1359

assert context.get_verify_mode() == (VERIFY_PEER | VERIFY_CLIENT_ONCE)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1360

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1361

def test_load_tmp_dh_wrong_args(self):

1362

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1363

`Context.load_tmp_dh` raises `TypeError` if called with a

1364

non-`str` argument.

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1365

"""

1366

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1367

with pytest.raises(TypeError):

1368

context.load_tmp_dh(object())

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1369

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1370

def test_load_tmp_dh_missing_file(self):

1371

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1372

`Context.load_tmp_dh` raises `OpenSSL.SSL.Error` if the

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1373

specified file does not exist.

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1374

"""

1375

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1376

with pytest.raises(Error):

1377

context.load_tmp_dh(b"hello")

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1378

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1379

def _load_tmp_dh_test(self, dhfilename):

Jean-Paul Calderone

4e0c43f

2015-04-13 10:15:17 -0400

[diff] [blame]

1380

"""

1381

Verify that calling ``Context.load_tmp_dh`` with the given filename

1382

does not raise an exception.

1383

"""

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1384

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1385

with open(dhfilename, "w") as dhfile:

1386

dhfile.write(dhparam)

1387

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1388

context.load_tmp_dh(dhfilename)

1389

# XXX What should I assert here? -exarkun

1390

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1391

def test_load_tmp_dh_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1392

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1393

`Context.load_tmp_dh` loads Diffie-Hellman parameters from the

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1394

specified file (given as ``bytes``).

1395

"""

1396

self._load_tmp_dh_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1397

tmpfile + NON_ASCII.encode(getfilesystemencoding()),

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1398

)

1399

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1400

def test_load_tmp_dh_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1401

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1402

`Context.load_tmp_dh` loads Diffie-Hellman parameters from the

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1403

specified file (given as ``unicode``).

1404

"""

1405

self._load_tmp_dh_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1406

tmpfile.decode(getfilesystemencoding()) + NON_ASCII,

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1407

)

1408

Jean-Paul Calderone

3e4e335

2014-04-19 09:28:28 -0400

[diff] [blame]

1409

def test_set_tmp_ecdh(self):

Andy Lutomirski

f05a273

2014-03-13 17:22:25 -0700

[diff] [blame]

1410

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1411

`Context.set_tmp_ecdh` sets the elliptic curve for Diffie-Hellman to

1412

the specified curve.

Andy Lutomirski

f05a273

2014-03-13 17:22:25 -0700

[diff] [blame]

1413

"""

1414

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

1415

for curve in get_elliptic_curves():

Hynek Schlawack

a07fa8c

2015-10-17 10:15:28 +0200

[diff] [blame]

1416

if curve.name.startswith(u"Oakley-"):

Hynek Schlawack

7408aff

2015-10-17 09:51:16 +0200

[diff] [blame]

1417

# Setting Oakley-EC2N-4 and Oakley-EC2N-3 adds

1418

# ('bignum routines', 'BN_mod_inverse', 'no inverse') to the

1419

# error queue on OpenSSL 1.0.2.

1420

continue

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

1421

# The only easily "assertable" thing is that it does not raise an

1422

# exception.

Jean-Paul Calderone

3e4e335

2014-04-19 09:28:28 -0400

[diff] [blame]

1423

context.set_tmp_ecdh(curve)

Alex Gaynor

12dc084

2014-01-17 12:51:31 -0600

[diff] [blame]

1424

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1425

def test_set_session_cache_mode_wrong_args(self):

1426

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1427

`Context.set_session_cache_mode` raises `TypeError` if called with

1428

a non-integer argument.

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1429

called with other than one integer argument.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1430

"""

1431

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1432

with pytest.raises(TypeError):

1433

context.set_session_cache_mode(object())

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1434

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1435

def test_session_cache_mode(self):

1436

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1437

`Context.set_session_cache_mode` specifies how sessions are cached.

1438

The setting can be retrieved via `Context.get_session_cache_mode`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1439

"""

1440

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1441

context.set_session_cache_mode(SESS_CACHE_OFF)

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1442

off = context.set_session_cache_mode(SESS_CACHE_BOTH)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1443

assert SESS_CACHE_OFF == off

1444

assert SESS_CACHE_BOTH == context.get_session_cache_mode()

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1445

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1446

@skip_if_py3

1447

def test_session_cache_mode_long(self):

1448

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1449

On Python 2 `Context.set_session_cache_mode` accepts values

1450

of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1451

"""

1452

context = Context(TLSv1_METHOD)

1453

context.set_session_cache_mode(long(SESS_CACHE_BOTH))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1454

assert SESS_CACHE_BOTH == context.get_session_cache_mode()

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1455

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1456

def test_get_cert_store(self):

1457

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1458

`Context.get_cert_store` returns a `X509Store` instance.

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1459

"""

1460

context = Context(TLSv1_METHOD)

1461

store = context.get_cert_store()

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1462

assert isinstance(store, X509Store)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1463

1464

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1465

class TestServerNameCallback(object):

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1466

"""

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1467

Tests for `Context.set_tlsext_servername_callback` and its

1468

interaction with `Connection`.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1469

"""

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1470

def test_old_callback_forgotten(self):

1471

"""

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1472

If `Context.set_tlsext_servername_callback` is used to specify

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1473

a new callback, the one it replaces is dereferenced.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1474

"""

1475

def callback(connection):

1476

pass

1477

1478

def replacement(connection):

1479

pass

1480

1481

context = Context(TLSv1_METHOD)

1482

context.set_tlsext_servername_callback(callback)

1483

1484

tracker = ref(callback)

1485

del callback

1486

1487

context.set_tlsext_servername_callback(replacement)

Jean-Paul Calderone

d4033eb

2014-01-11 08:21:46 -0500

[diff] [blame]

1488

1489

# One run of the garbage collector happens to work on CPython. PyPy

1490

# doesn't collect the underlying object until a second run for whatever

1491

# reason. That's fine, it still demonstrates our code has properly

1492

# dropped the reference.

1493

collect()

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1494

collect()

Jean-Paul Calderone

4c1aacd

2014-01-11 08:15:17 -0500

[diff] [blame]

1495

1496

callback = tracker()

1497

if callback is not None:

1498

referrers = get_referrers(callback)

Jean-Paul Calderone

7de3956

2014-01-11 08:17:59 -0500

[diff] [blame]

1499

if len(referrers) > 1:

Jean-Paul Calderone

4c1aacd

2014-01-11 08:15:17 -0500

[diff] [blame]

1500

self.fail("Some references remain: %r" % (referrers,))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1501

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1502

def test_no_servername(self):

1503

"""

1504

When a client specifies no server name, the callback passed to

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1505

`Context.set_tlsext_servername_callback` is invoked and the

1506

result of `Connection.get_servername` is `None`.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1507

"""

1508

args = []

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1509

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1510

def servername(conn):

1511

args.append((conn, conn.get_servername()))

1512

context = Context(TLSv1_METHOD)

1513

context.set_tlsext_servername_callback(servername)

1514

1515

# Lose our reference to it. The Context is responsible for keeping it

# alive now.

del servername

collect()

# Necessary to actually accept the connection

1521

context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1522

context.use_certificate(

1523

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1524

1525

# Do a little connection to trigger the logic

1526

server = Connection(context, None)

1527

server.set_accept_state()

1528

1529

client = Connection(Context(TLSv1_METHOD), None)

1530

client.set_connect_state()

1531

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1532

interact_in_memory(server, client)

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1533

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1534

assert args == [(server, None)]

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1535

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1536

def test_servername(self):

1537

"""

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1538

When a client specifies a server name in its hello message, the

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1539

callback passed to `Contexts.set_tlsext_servername_callback` is

1540

invoked and the result of `Connection.get_servername` is that

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1541

server name.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1542

"""

1543

args = []

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1544

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1545

def servername(conn):

1546

args.append((conn, conn.get_servername()))

1547

context = Context(TLSv1_METHOD)

1548

context.set_tlsext_servername_callback(servername)

1549

1550

# Necessary to actually accept the connection

1551

context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1552

context.use_certificate(

1553

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1554

1555

# Do a little connection to trigger the logic

1556

server = Connection(context, None)

1557

server.set_accept_state()

1558

1559

client = Connection(Context(TLSv1_METHOD), None)

1560

client.set_connect_state()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

1561

client.set_tlsext_host_name(b"foo1.example.com")

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1562

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1563

interact_in_memory(server, client)

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1564

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1565

assert args == [(server, b"foo1.example.com")]

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1566

1567

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1568

class TestNextProtoNegotiation(object):

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1569

"""

1570

Test for Next Protocol Negotiation in PyOpenSSL.

1571

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1572

def test_npn_success(self):

1573

"""

1574

Tests that clients and servers that agree on the negotiated next

1575

protocol can correct establish a connection, and that the agreed

1576

protocol is reported by the connections.

"""

advertise_args = []

select_args = []

def advertise(conn):

advertise_args.append((conn,))

1583

return [b'http/1.1', b'spdy/2']

1584

1585

def select(conn, options):

1586

select_args.append((conn, options))

1587

return b'spdy/2'

1588

1589

server_context = Context(TLSv1_METHOD)

1590

server_context.set_npn_advertise_callback(advertise)

1591

1592

client_context = Context(TLSv1_METHOD)

1593

client_context.set_npn_select_callback(select)

1594

1595

# Necessary to actually accept the connection

1596

server_context.use_privatekey(

1597

load_privatekey(FILETYPE_PEM, server_key_pem))

1598

server_context.use_certificate(

1599

load_certificate(FILETYPE_PEM, server_cert_pem))

1600

1601

# Do a little connection to trigger the logic

1602

server = Connection(server_context, None)

1603

server.set_accept_state()

1604

1605

client = Connection(client_context, None)

1606

client.set_connect_state()

1607

1608

interact_in_memory(server, client)

1609

1610

assert advertise_args == [(server,)]

1611

assert select_args == [(client, [b'http/1.1', b'spdy/2'])]

1612

1613

assert server.get_next_proto_negotiated() == b'spdy/2'

1614

assert client.get_next_proto_negotiated() == b'spdy/2'

1615

1616

def test_npn_client_fail(self):

1617

"""

1618

Tests that when clients and servers cannot agree on what protocol

1619

to use next that the TLS connection does not get established.

"""

advertise_args = []

select_args = []

def advertise(conn):

advertise_args.append((conn,))

1626

return [b'http/1.1', b'spdy/2']

1627

1628

def select(conn, options):

1629

select_args.append((conn, options))

1630

return b''

1631

1632

server_context = Context(TLSv1_METHOD)

1633

server_context.set_npn_advertise_callback(advertise)

1634

1635

client_context = Context(TLSv1_METHOD)

1636

client_context.set_npn_select_callback(select)

1637

1638

# Necessary to actually accept the connection

1639

server_context.use_privatekey(

1640

load_privatekey(FILETYPE_PEM, server_key_pem))

1641

server_context.use_certificate(

1642

load_certificate(FILETYPE_PEM, server_cert_pem))

1643

1644

# Do a little connection to trigger the logic

1645

server = Connection(server_context, None)

1646

server.set_accept_state()

1647

1648

client = Connection(client_context, None)

1649

client.set_connect_state()

1650

1651

# If the client doesn't return anything, the connection will fail.

1652

with pytest.raises(Error):

1653

interact_in_memory(server, client)

1654

1655

assert advertise_args == [(server,)]

1656

assert select_args == [(client, [b'http/1.1', b'spdy/2'])]

1657

1658

def test_npn_select_error(self):

1659

"""

1660

Test that we can handle exceptions in the select callback. If

1661

select fails it should be fatal to the connection.

"""

advertise_args = []

def advertise(conn):

advertise_args.append((conn,))

1667

return [b'http/1.1', b'spdy/2']

1668

1669

def select(conn, options):

1670

raise TypeError

1671

1672

server_context = Context(TLSv1_METHOD)

1673

server_context.set_npn_advertise_callback(advertise)

1674

1675

client_context = Context(TLSv1_METHOD)

1676

client_context.set_npn_select_callback(select)

1677

1678

# Necessary to actually accept the connection

1679

server_context.use_privatekey(

1680

load_privatekey(FILETYPE_PEM, server_key_pem))

1681

server_context.use_certificate(

1682

load_certificate(FILETYPE_PEM, server_cert_pem))

1683

1684

# Do a little connection to trigger the logic

1685

server = Connection(server_context, None)

1686

server.set_accept_state()

1687

1688

client = Connection(client_context, None)

1689

client.set_connect_state()

1690

1691

# If the callback throws an exception it should be raised here.

1692

with pytest.raises(TypeError):

1693

interact_in_memory(server, client)

1694

assert advertise_args == [(server,), ]

1695

1696

def test_npn_advertise_error(self):

1697

"""

1698

Test that we can handle exceptions in the advertise callback. If

1699

advertise fails no NPN is advertised to the client.

"""

select_args = []

def advertise(conn):

raise TypeError

def select(conn, options): # pragma: nocover

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

1707

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1708

Assert later that no args are actually appended.

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

1709

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1710

select_args.append((conn, options))

1711

return b''

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1712

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1713

server_context = Context(TLSv1_METHOD)

1714

server_context.set_npn_advertise_callback(advertise)

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1715

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1716

client_context = Context(TLSv1_METHOD)

1717

client_context.set_npn_select_callback(select)

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1718

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1719

# Necessary to actually accept the connection

1720

server_context.use_privatekey(

1721

load_privatekey(FILETYPE_PEM, server_key_pem))

1722

server_context.use_certificate(

1723

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1724

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1725

# Do a little connection to trigger the logic

1726

server = Connection(server_context, None)

1727

server.set_accept_state()

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1728

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1729

client = Connection(client_context, None)

1730

client.set_connect_state()

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1731

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1732

# If the client doesn't return anything, the connection will fail.

1733

with pytest.raises(TypeError):

1734

interact_in_memory(server, client)

1735

assert select_args == []

Cory Benfield

0ea76e7

2015-03-22 09:05:28 +0000

[diff] [blame]

1736

1737

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1738

class TestApplicationLayerProtoNegotiation(object):

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1739

"""

1740

Tests for ALPN in PyOpenSSL.

1741

"""

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1742

# Skip tests on versions that don't support ALPN.

1743

if _lib.Cryptography_HAS_ALPN:

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1744

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1745

def test_alpn_success(self):

1746

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1747

Clients and servers that agree on the negotiated ALPN protocol can

1748

correct establish a connection, and the agreed protocol is reported

1749

by the connections.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1750

"""

1751

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1752

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1753

def select(conn, options):

1754

select_args.append((conn, options))

1755

return b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1756

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1757

client_context = Context(TLSv1_METHOD)

1758

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1759

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1760

server_context = Context(TLSv1_METHOD)

1761

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1762

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1763

# Necessary to actually accept the connection

1764

server_context.use_privatekey(

1765

load_privatekey(FILETYPE_PEM, server_key_pem))

1766

server_context.use_certificate(

1767

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1768

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1769

# Do a little connection to trigger the logic

1770

server = Connection(server_context, None)

1771

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1772

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1773

client = Connection(client_context, None)

1774

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1775

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1776

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1777

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1778

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1779

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1780

assert server.get_alpn_proto_negotiated() == b'spdy/2'

1781

assert client.get_alpn_proto_negotiated() == b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1782

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1783

def test_alpn_set_on_connection(self):

1784

"""

1785

The same as test_alpn_success, but setting the ALPN protocols on

1786

the connection rather than the context.

1787

"""

1788

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1789

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1790

def select(conn, options):

1791

select_args.append((conn, options))

1792

return b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1793

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1794

# Setup the client context but don't set any ALPN protocols.

1795

client_context = Context(TLSv1_METHOD)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1796

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1797

server_context = Context(TLSv1_METHOD)

1798

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1799

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1800

# Necessary to actually accept the connection

1801

server_context.use_privatekey(

1802

load_privatekey(FILETYPE_PEM, server_key_pem))

1803

server_context.use_certificate(

1804

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1805

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1806

# Do a little connection to trigger the logic

1807

server = Connection(server_context, None)

1808

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1809

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1810

# Set the ALPN protocols on the client connection.

1811

client = Connection(client_context, None)

1812

client.set_alpn_protos([b'http/1.1', b'spdy/2'])

1813

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1814

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1815

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1816

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1817

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1818

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1819

assert server.get_alpn_proto_negotiated() == b'spdy/2'

1820

assert client.get_alpn_proto_negotiated() == b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1821

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1822

def test_alpn_server_fail(self):

1823

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1824

When clients and servers cannot agree on what protocol to use next

1825

the TLS connection does not get established.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1826

"""

1827

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1828

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1829

def select(conn, options):

1830

select_args.append((conn, options))

1831

return b''

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1832

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1833

client_context = Context(TLSv1_METHOD)

1834

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1835

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1836

server_context = Context(TLSv1_METHOD)

1837

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1838

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1839

# Necessary to actually accept the connection

1840

server_context.use_privatekey(

1841

load_privatekey(FILETYPE_PEM, server_key_pem))

1842

server_context.use_certificate(

1843

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1844

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1845

# Do a little connection to trigger the logic

1846

server = Connection(server_context, None)

1847

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1848

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1849

client = Connection(client_context, None)

1850

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1851

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1852

# If the client doesn't return anything, the connection will fail.

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1853

with pytest.raises(Error):

1854

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1855

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1856

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1857

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1858

def test_alpn_no_server(self):

1859

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1860

When clients and servers cannot agree on what protocol to use next

1861

because the server doesn't offer ALPN, no protocol is negotiated.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1862

"""

1863

client_context = Context(TLSv1_METHOD)

1864

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1865

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1866

server_context = Context(TLSv1_METHOD)

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1867

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1868

# Necessary to actually accept the connection

1869

server_context.use_privatekey(

1870

load_privatekey(FILETYPE_PEM, server_key_pem))

1871

server_context.use_certificate(

1872

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1873

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1874

# Do a little connection to trigger the logic

1875

server = Connection(server_context, None)

1876

server.set_accept_state()

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1877

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1878

client = Connection(client_context, None)

1879

client.set_connect_state()

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1880

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1881

# Do the dance.

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1882

interact_in_memory(server, client)

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1883

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1884

assert client.get_alpn_proto_negotiated() == b''

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1885

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1886

def test_alpn_callback_exception(self):

1887

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1888

We can handle exceptions in the ALPN select callback.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1889

"""

1890

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1891

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1892

def select(conn, options):

1893

select_args.append((conn, options))

Cory Benfield

ef40145

2015-04-13 18:17:36 -0400

[diff] [blame]

1894

raise TypeError()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1895

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1896

client_context = Context(TLSv1_METHOD)

1897

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1898

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1899

server_context = Context(TLSv1_METHOD)

1900

server_context.set_alpn_select_callback(select)

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1901

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1902

# Necessary to actually accept the connection

1903

server_context.use_privatekey(

1904

load_privatekey(FILETYPE_PEM, server_key_pem))

1905

server_context.use_certificate(

1906

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1907

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1908

# Do a little connection to trigger the logic

1909

server = Connection(server_context, None)

1910

server.set_accept_state()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1911

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1912

client = Connection(client_context, None)

1913

client.set_connect_state()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1914

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1915

with pytest.raises(TypeError):

1916

interact_in_memory(server, client)

1917

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1918

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

1919

else:

1920

# No ALPN.

1921

def test_alpn_not_implemented(self):

Cory Benfield

ef40145

2015-04-13 18:17:36 -0400

[diff] [blame]

1922

"""

1923

If ALPN is not in OpenSSL, we should raise NotImplementedError.

1924

"""

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

1925

# Test the context methods first.

1926

context = Context(TLSv1_METHOD)

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1927

with pytest.raises(NotImplementedError):

1928

context.set_alpn_protos(None)

1929

with pytest.raises(NotImplementedError):

1930

context.set_alpn_select_callback(None)

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

1931

1932

# Now test a connection.

1933

conn = Connection(context)

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1934

with pytest.raises(NotImplementedError):

1935

conn.set_alpn_protos(None)

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

1936

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1937

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1938

class TestSession(object):

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

1939

"""

1940

Unit tests for :py:obj:`OpenSSL.SSL.Session`.

1941

"""

1942

def test_construction(self):

1943

"""

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1944

:py:class:`Session` can be constructed with no arguments, creating

1945

a new instance of that type.

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

1946

"""

1947

new_session = Session()

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1948

assert isinstance(new_session, Session)

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

1949

1950

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

1951

class TestConnection(object):

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

1952

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

1953

Unit tests for `OpenSSL.SSL.Connection`.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

1954

"""

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

1955

# XXX get_peer_certificate -> None

1956

# XXX sock_shutdown

1957

# XXX master_key -> TypeError

1958

# XXX server_random -> TypeError

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

1959

# XXX connect -> TypeError

1960

# XXX connect_ex -> TypeError

1961

# XXX set_connect_state -> TypeError

1962

# XXX set_accept_state -> TypeError

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

1963

# XXX do_handshake -> TypeError

1964

# XXX bio_read -> TypeError

1965

# XXX recv -> TypeError

1966

# XXX send -> TypeError

1967

# XXX bio_write -> TypeError

1968

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

1969

def test_type(self):

1970

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

1971

`Connection` and `ConnectionType` refer to the same type object and

1972

can be used to create instances of that type.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

1973

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

1974

assert Connection is ConnectionType

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

1975

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

1976

assert is_consistent_type(Connection, 'Connection', ctx, None)

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

1977

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

1978

def test_get_context(self):

1979

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

1980

`Connection.get_context` returns the `Context` instance used to

1981

construct the `Connection` instance.

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

1982

"""

1983

context = Context(TLSv1_METHOD)

1984

connection = Connection(context, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

1985

assert connection.get_context() is context

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

1986

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

1987

def test_set_context_wrong_args(self):

1988

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

1989

`Connection.set_context` raises `TypeError` if called with a

1990

non-`Context` instance argument,

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

1991

"""

1992

ctx = Context(TLSv1_METHOD)

1993

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

1994

with pytest.raises(TypeError):

1995

connection.set_context(object())

1996

with pytest.raises(TypeError):

1997

connection.set_context("hello")

1998

with pytest.raises(TypeError):

1999

connection.set_context(1)

2000

assert ctx is connection.get_context()

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2001

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2002

def test_set_context(self):

2003

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2004

`Connection.set_context` specifies a new `Context` instance to be

2005

used for the connection.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2006

"""

2007

original = Context(SSLv23_METHOD)

2008

replacement = Context(TLSv1_METHOD)

2009

connection = Connection(original, None)

2010

connection.set_context(replacement)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2011

assert replacement is connection.get_context()

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2012

# Lose our references to the contexts, just in case the Connection

2013

# isn't properly managing its own contributions to their reference

2014

# counts.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2015

del original, replacement

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2016

collect()

2017

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2018

def test_set_tlsext_host_name_wrong_args(self):

2019

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2020

If `Connection.set_tlsext_host_name` is called with a non-byte string

2021

argument or a byte string with an embedded NUL, `TypeError` is raised.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2022

"""

2023

conn = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2024

with pytest.raises(TypeError):

2025

conn.set_tlsext_host_name(object())

2026

with pytest.raises(TypeError):

2027

conn.set_tlsext_host_name(b"with\0null")

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2028

Abraham Martin

c5484ba

2015-03-25 15:33:05 +0000

[diff] [blame]

2029

if PY3:

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2030

# On Python 3.x, don't accidentally implicitly convert from text.

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2031

with pytest.raises(TypeError):

2032

conn.set_tlsext_host_name(b"example.com".decode("ascii"))

Jean-Paul Calderone

871a4d8

2011-05-26 19:24:02 -0400

[diff] [blame]

2033

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2034

def test_pending(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2035

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2036

`Connection.pending` returns the number of bytes available for

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2037

immediate read.

2038

"""

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2039

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2040

assert connection.pending() == 0

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2041

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2042

def test_peek(self):

2043

"""

Hynek Schlawack

3bcf315

2017-02-18 08:25:34 +0100

[diff] [blame^]

2044

`Connection.recv` peeks into the connection if `socket.MSG_PEEK` is

2045

passed.

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2046

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2047

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2048

server.send(b'xy')

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2049

assert client.recv(2, MSG_PEEK) == b'xy'

2050

assert client.recv(2, MSG_PEEK) == b'xy'

2051

assert client.recv(2) == b'xy'

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2052

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2053

def test_connect_wrong_args(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2054

"""

Hynek Schlawack

3bcf315

2017-02-18 08:25:34 +0100

[diff] [blame^]

2055

`Connection.connect` raises `TypeError` if called with a non-address

2056

argument.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2057

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2058

connection = Connection(Context(TLSv1_METHOD), socket())

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2059

with pytest.raises(TypeError):

2060

connection.connect(None)

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2061

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2062

def test_connect_refused(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2063

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2064

`Connection.connect` raises `socket.error` if the underlying socket

2065

connect method raises it.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2066

"""

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2067

client = socket()

2068

context = Context(TLSv1_METHOD)

2069

clientSSL = Connection(context, client)

Alex Gaynor

122717b

2015-09-05 14:14:18 -0400

[diff] [blame]

2070

# pytest.raises here doesn't work because of a bug in py.test on Python

2071

# 2.6: https://github.com/pytest-dev/pytest/issues/988

Alex Gaynor

e69c278

2015-09-05 14:07:48 -0400

[diff] [blame]

2072

try:

Alex Gaynor

1aabb2e

2015-09-05 13:35:18 -0400

[diff] [blame]

2073

clientSSL.connect(("127.0.0.1", 1))

Alex Gaynor

e69c278

2015-09-05 14:07:48 -0400

[diff] [blame]

2074

except error as e:

Alex Gaynor

20a4c08

2015-09-05 14:24:15 -0400

[diff] [blame]

2075

exc = e

2076

assert exc.args[0] == ECONNREFUSED

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2077

2078

def test_connect(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2079

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2080

`Connection.connect` establishes a connection to the specified address.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2081

"""

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

port = socket()

port.bind(('', 0))

port.listen(3)

clientSSL = Connection(Context(TLSv1_METHOD), socket())

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2087

clientSSL.connect(('127.0.0.1', port.getsockname()[1]))

2088

# XXX An assertion? Or something?

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2089

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2090

@pytest.mark.skipif(

2091

platform == "darwin",

2092

reason="connect_ex sometimes causes a kernel panic on OS X 10.6.4"

2093

)

2094

def test_connect_ex(self):

2095

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2096

If there is a connection error, `Connection.connect_ex` returns the

2097

errno instead of raising an exception.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

"""

port = socket()

port.bind(('', 0))

port.listen(3)

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2102

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2103

clientSSL = Connection(Context(TLSv1_METHOD), socket())

2104

clientSSL.setblocking(False)

2105

result = clientSSL.connect_ex(port.getsockname())

2106

expected = (EINPROGRESS, EWOULDBLOCK)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2107

assert result in expected

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2108

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2109

def test_accept(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2110

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2111

`Connection.accept` accepts a pending connection attempt and returns a

2112

tuple of a new `Connection` (the accepted client) and the address the

2113

connection originated from.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2114

"""

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2115

ctx = Context(TLSv1_METHOD)

2116

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

2117

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2118

port = socket()

2119

portSSL = Connection(ctx, port)

2120

portSSL.bind(('', 0))

2121

portSSL.listen(3)

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2122

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2123

clientSSL = Connection(Context(TLSv1_METHOD), socket())

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2124

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2125

# Calling portSSL.getsockname() here to get the server IP address

2126

# sounds great, but frequently fails on Windows.

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2127

clientSSL.connect(('127.0.0.1', portSSL.getsockname()[1]))

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2128

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2129

serverSSL, address = portSSL.accept()

2130

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2131

assert isinstance(serverSSL, Connection)

2132

assert serverSSL.get_context() is ctx

2133

assert address == clientSSL.getsockname()

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2134

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2135

def test_shutdown_wrong_args(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2136

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2137

`Connection.set_shutdown` raises `TypeError` if called with arguments

2138

other than integers.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2139

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2140

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2141

with pytest.raises(TypeError):

2142

connection.set_shutdown(None)

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2143

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

2144

def test_shutdown(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2145

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2146

`Connection.shutdown` performs an SSL-level connection shutdown.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2147

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2148

server, client = loopback()

2149

assert not server.shutdown()

2150

assert server.get_shutdown() == SENT_SHUTDOWN

2151

with pytest.raises(ZeroReturnError):

2152

client.recv(1024)

2153

assert client.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

e4f6b47

2010-07-29 22:50:58 -0400

[diff] [blame]

2154

client.shutdown()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2155

assert client.get_shutdown() == (SENT_SHUTDOWN | RECEIVED_SHUTDOWN)

2156

with pytest.raises(ZeroReturnError):

2157

server.recv(1024)

2158

assert server.get_shutdown() == (SENT_SHUTDOWN | RECEIVED_SHUTDOWN)

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

2159

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2160

def test_shutdown_closed(self):

2161

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2162

If the underlying socket is closed, `Connection.shutdown` propagates

2163

the write error from the low level write call.

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2164

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2165

server, client = loopback()

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2166

server.sock_shutdown(2)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2167

with pytest.raises(SysCallError) as exc:

2168

server.shutdown()

2169

if platform == "win32":

2170

assert exc.value.args[0] == ESHUTDOWN

2171

else:

2172

assert exc.value.args[0] == EPIPE

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2173

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2174

def test_shutdown_truncated(self):

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2175

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2176

If the underlying connection is truncated, `Connection.shutdown`

2177

raises an `Error`.

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2178

"""

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2179

server_ctx = Context(TLSv1_METHOD)

2180

client_ctx = Context(TLSv1_METHOD)

2181

server_ctx.use_privatekey(

2182

load_privatekey(FILETYPE_PEM, server_key_pem))

2183

server_ctx.use_certificate(

2184

load_certificate(FILETYPE_PEM, server_cert_pem))

2185

server = Connection(server_ctx, None)

2186

client = Connection(client_ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2187

handshake_in_memory(client, server)

2188

assert not server.shutdown()

2189

with pytest.raises(WantReadError):

2190

server.shutdown()

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2191

server.bio_shutdown()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2192

with pytest.raises(Error):

2193

server.shutdown()

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2194

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2195

def test_set_shutdown(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2196

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2197

`Connection.set_shutdown` sets the state of the SSL connection

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2198

shutdown process.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2199

"""

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2200

connection = Connection(Context(TLSv1_METHOD), socket())

2201

connection.set_shutdown(RECEIVED_SHUTDOWN)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2202

assert connection.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2203

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2204

@skip_if_py3

2205

def test_set_shutdown_long(self):

2206

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2207

On Python 2 `Connection.set_shutdown` accepts an argument

2208

of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2209

"""

2210

connection = Connection(Context(TLSv1_METHOD), socket())

2211

connection.set_shutdown(long(RECEIVED_SHUTDOWN))

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2212

assert connection.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

2213

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2214

def test_state_string(self):

2215

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2216

`Connection.state_string` verbosely describes the current state of

2217

the `Connection`.

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2218

"""

Hynek Schlawack

b0274ce

2015-10-16 19:56:26 +0200

[diff] [blame]

2219

server, client = socket_pair()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2220

server = loopback_server_factory(server)

2221

client = loopback_client_factory(client)

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2222

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2223

assert server.get_state_string() in [

2224

b"before/accept initialization", b"before SSL initialization"

2225

]

2226

assert client.get_state_string() in [

2227

b"before/connect initialization", b"before SSL initialization"

2228

]

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2229

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2230

def test_app_data(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2231

"""

2232

Any object can be set as app data by passing it to

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2233

`Connection.set_app_data` and later retrieved with

2234

`Connection.get_app_data`.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2235

"""

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2236

conn = Connection(Context(TLSv1_METHOD), None)

Todd Chapman

4f73e4f

2015-08-27 11:26:43 -0400

[diff] [blame]

2237

assert None is conn.get_app_data()

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2238

app_data = object()

2239

conn.set_app_data(app_data)

Todd Chapman

4f73e4f

2015-08-27 11:26:43 -0400

[diff] [blame]

2240

assert conn.get_app_data() is app_data

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2241

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2242

def test_makefile(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2243

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2244

`Connection.makefile` is not implemented and calling that

2245

method raises `NotImplementedError`.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2246

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2247

conn = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2248

with pytest.raises(NotImplementedError):

2249

conn.makefile()

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2250

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2251

def test_get_peer_cert_chain(self):

2252

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2253

`Connection.get_peer_cert_chain` returns a list of certificates

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2254

which the connected server returned for the certification verification.

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2255

"""

2256

chain = _create_certificate_chain()

2257

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

2258

2259

serverContext = Context(TLSv1_METHOD)

2260

serverContext.use_privatekey(skey)

2261

serverContext.use_certificate(scert)

2262

serverContext.add_extra_chain_cert(icert)

2263

serverContext.add_extra_chain_cert(cacert)

2264

server = Connection(serverContext, None)

2265

server.set_accept_state()

2266

2267

# Create the client

2268

clientContext = Context(TLSv1_METHOD)

2269

clientContext.set_verify(VERIFY_NONE, verify_cb)

2270

client = Connection(clientContext, None)

2271

client.set_connect_state()

2272

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2273

interact_in_memory(client, server)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2274

2275

chain = client.get_peer_cert_chain()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2276

assert len(chain) == 3

2277

assert "Server Certificate" == chain[0].get_subject().CN

2278

assert "Intermediate Certificate" == chain[1].get_subject().CN

2279

assert "Authority Certificate" == chain[2].get_subject().CN

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2280

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2281

def test_get_peer_cert_chain_none(self):

2282

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2283

`Connection.get_peer_cert_chain` returns `None` if the peer sends

2284

no certificate chain.

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2285

"""

2286

ctx = Context(TLSv1_METHOD)

2287

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

2288

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

2289

server = Connection(ctx, None)

2290

server.set_accept_state()

2291

client = Connection(Context(TLSv1_METHOD), None)

2292

client.set_connect_state()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2293

interact_in_memory(client, server)

2294

assert None is server.get_peer_cert_chain()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2295

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2296

def test_get_session_unconnected(self):

2297

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2298

`Connection.get_session` returns `None` when used with an object

2299

which has not been connected.

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2300

"""

2301

ctx = Context(TLSv1_METHOD)

2302

server = Connection(ctx, None)

2303

session = server.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2304

assert None is session

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2305

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2306

def test_server_get_session(self):

2307

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2308

On the server side of a connection, `Connection.get_session` returns a

2309

`Session` instance representing the SSL session for that connection.

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2310

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2311

server, client = loopback()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2312

session = server.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2313

assert isinstance(session, Session)

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2314

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2315

def test_client_get_session(self):

2316

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2317

On the client side of a connection, `Connection.get_session`

2318

returns a `Session` instance representing the SSL session for

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2319

that connection.

2320

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2321

server, client = loopback()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2322

session = client.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2323

assert isinstance(session, Session)

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2324

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2325

def test_set_session_wrong_args(self):

2326

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2327

`Connection.set_session` raises `TypeError` if called with an object

2328

that is not an instance of `Session`.

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2329

"""

2330

ctx = Context(TLSv1_METHOD)

2331

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2332

with pytest.raises(TypeError):

2333

connection.set_session(123)

2334

with pytest.raises(TypeError):

2335

connection.set_session("hello")

2336

with pytest.raises(TypeError):

2337

connection.set_session(object())

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2338

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2339

def test_client_set_session(self):

2340

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2341

`Connection.set_session`, when used prior to a connection being

2342

established, accepts a `Session` instance and causes an attempt to

2343

re-use the session it represents when the SSL handshake is performed.

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2344

"""

2345

key = load_privatekey(FILETYPE_PEM, server_key_pem)

2346

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

2347

ctx = Context(TLSv1_METHOD)

2348

ctx.use_privatekey(key)

2349

ctx.use_certificate(cert)

2350

ctx.set_session_id("unity-test")

2351

2352

def makeServer(socket):

2353

server = Connection(ctx, socket)

2354

server.set_accept_state()

2355

return server

2356

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2357

originalServer, originalClient = loopback(

2358

server_factory=makeServer)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2359

originalSession = originalClient.get_session()

2360

2361

def makeClient(socket):

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2362

client = loopback_client_factory(socket)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2363

client.set_session(originalSession)

2364

return client

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2365

resumedServer, resumedClient = loopback(

2366

server_factory=makeServer,

2367

client_factory=makeClient)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2368

2369

# This is a proxy: in general, we have no access to any unique

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2370

# identifier for the session (new enough versions of OpenSSL expose

2371

# a hash which could be usable, but "new enough" is very, very new).

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2372

# Instead, exploit the fact that the master key is re-used if the

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2373

# session is re-used. As long as the master key for the two

2374

# connections is the same, the session was re-used!

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2375

assert originalServer.master_key() == resumedServer.master_key()

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2376

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2377

def test_set_session_wrong_method(self):

2378

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2379

If `Connection.set_session` is passed a `Session` instance associated

2380

with a context using a different SSL method than the `Connection`

2381

is using, a `OpenSSL.SSL.Error` is raised.

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2382

"""

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2383

# Make this work on both OpenSSL 1.0.0, which doesn't support TLSv1.2

2384

# and also on OpenSSL 1.1.0 which doesn't support SSLv3. (SSL_ST_INIT

2385

# is a way to check for 1.1.0)

2386

if SSL_ST_INIT is not None:

v1 = TLSv1_METHOD

v2 = SSLv3_METHOD

else:

v1 = TLSv1_2_METHOD

v2 = TLSv1_METHOD

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2393

key = load_privatekey(FILETYPE_PEM, server_key_pem)

2394

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2395

ctx = Context(v1)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2396

ctx.use_privatekey(key)

2397

ctx.use_certificate(cert)

2398

ctx.set_session_id("unity-test")

2399

2400

def makeServer(socket):

2401

server = Connection(ctx, socket)

2402

server.set_accept_state()

2403

return server

2404

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2405

def makeOriginalClient(socket):

2406

client = Connection(Context(v1), socket)

2407

client.set_connect_state()

2408

return client

2409

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2410

originalServer, originalClient = loopback(

2411

server_factory=makeServer, client_factory=makeOriginalClient)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2412

originalSession = originalClient.get_session()

2413

2414

def makeClient(socket):

2415

# Intentionally use a different, incompatible method here.

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2416

client = Connection(Context(v2), socket)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2417

client.set_connect_state()

2418

client.set_session(originalSession)

2419

return client

2420

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2421

with pytest.raises(Error):

2422

loopback(client_factory=makeClient, server_factory=makeServer)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2423

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2424

def test_wantWriteError(self):

2425

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2426

`Connection` methods which generate output raise

2427

`OpenSSL.SSL.WantWriteError` if writing to the connection's BIO

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2428

fail indicating a should-write state.

2429

"""

2430

client_socket, server_socket = socket_pair()

2431

# Fill up the client's send buffer so Connection won't be able to write

Jean-Paul Calderone

bbff8b9

2014-03-22 14:20:30 -0400

[diff] [blame]

2432

# anything. Only write a single byte at a time so we can be sure we

2433

# completely fill the buffer. Even though the socket API is allowed to

2434

# signal a short write via its return value it seems this doesn't

2435

# always happen on all platforms (FreeBSD and OS X particular) for the

2436

# very last bit of available buffer space.

2437

msg = b"x"

2438

for i in range(1024 * 1024 * 4):

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2439

try:

2440

client_socket.send(msg)

2441

except error as e:

2442

if e.errno == EWOULDBLOCK:

2443

break

2444

raise

2445

else:

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2446

pytest.fail(

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2447

"Failed to fill socket buffer, cannot test BIO want write")

2448

2449

ctx = Context(TLSv1_METHOD)

2450

conn = Connection(ctx, client_socket)

2451

# Client's speak first, so make it an SSL client

2452

conn.set_connect_state()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2453

with pytest.raises(WantWriteError):

2454

conn.do_handshake()

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

# XXX want_read

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2458

def test_get_finished_before_connect(self):

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2459

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2460

`Connection.get_finished` returns `None` before TLS handshake

2461

is completed.

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2462

"""

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2463

ctx = Context(TLSv1_METHOD)

2464

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2465

assert connection.get_finished() is None

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2466

2467

def test_get_peer_finished_before_connect(self):

2468

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2469

`Connection.get_peer_finished` returns `None` before TLS handshake

2470

is completed.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2471

"""

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2472

ctx = Context(TLSv1_METHOD)

2473

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2474

assert connection.get_peer_finished() is None

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2475

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2476

def test_get_finished(self):

2477

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2478

`Connection.get_finished` method returns the TLS Finished message send

2479

from client, or server. Finished messages are send during

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2480

TLS handshake.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2481

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2482

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2483

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2484

assert server.get_finished() is not None

2485

assert len(server.get_finished()) > 0

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2486

2487

def test_get_peer_finished(self):

2488

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2489

`Connection.get_peer_finished` method returns the TLS Finished

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2490

message received from client, or server. Finished messages are send

2491

during TLS handshake.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2492

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2493

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2494

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2495

assert server.get_peer_finished() is not None

2496

assert len(server.get_peer_finished()) > 0

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2497

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2498

def test_tls_finished_message_symmetry(self):

2499

"""

Hynek Schlawack

dddd111

2015-09-05 21:12:30 +0200

[diff] [blame]

2500

The TLS Finished message send by server must be the TLS Finished

2501

message received by client.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2502

Hynek Schlawack

dddd111

2015-09-05 21:12:30 +0200

[diff] [blame]

2503

The TLS Finished message send by client must be the TLS Finished

2504

message received by server.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2505

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2506

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2507

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2508

assert server.get_finished() == client.get_peer_finished()

2509

assert client.get_finished() == server.get_peer_finished()

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

2510

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2511

def test_get_cipher_name_before_connect(self):

2512

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2513

`Connection.get_cipher_name` returns `None` if no connection

2514

has been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2515

"""

2516

ctx = Context(TLSv1_METHOD)

2517

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2518

assert conn.get_cipher_name() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2519

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2520

def test_get_cipher_name(self):

2521

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2522

`Connection.get_cipher_name` returns a `unicode` string giving the

2523

name of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2524

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2525

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2526

server_cipher_name, client_cipher_name = \

2527

server.get_cipher_name(), client.get_cipher_name()

2528

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2529

assert isinstance(server_cipher_name, text_type)

2530

assert isinstance(client_cipher_name, text_type)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2531

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2532

assert server_cipher_name == client_cipher_name

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2533

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2534

def test_get_cipher_version_before_connect(self):

2535

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2536

`Connection.get_cipher_version` returns `None` if no connection

2537

has been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2538

"""

2539

ctx = Context(TLSv1_METHOD)

2540

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2541

assert conn.get_cipher_version() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2542

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2543

def test_get_cipher_version(self):

2544

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2545

`Connection.get_cipher_version` returns a `unicode` string giving

2546

the protocol name of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2547

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2548

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2549

server_cipher_version, client_cipher_version = \

2550

server.get_cipher_version(), client.get_cipher_version()

2551

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2552

assert isinstance(server_cipher_version, text_type)

2553

assert isinstance(client_cipher_version, text_type)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2554

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2555

assert server_cipher_version == client_cipher_version

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2556

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2557

def test_get_cipher_bits_before_connect(self):

2558

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2559

`Connection.get_cipher_bits` returns `None` if no connection has

2560

been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2561

"""

2562

ctx = Context(TLSv1_METHOD)

2563

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2564

assert conn.get_cipher_bits() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2565

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2566

def test_get_cipher_bits(self):

2567

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2568

`Connection.get_cipher_bits` returns the number of secret bits

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2569

of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2570

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2571

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2572

server_cipher_bits, client_cipher_bits = \

2573

server.get_cipher_bits(), client.get_cipher_bits()

2574

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2575

assert isinstance(server_cipher_bits, int)

2576

assert isinstance(client_cipher_bits, int)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2577

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2578

assert server_cipher_bits == client_cipher_bits

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

2579

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2580

def test_get_protocol_version_name(self):

2581

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2582

`Connection.get_protocol_version_name()` returns a string giving the

2583

protocol version of the current connection.

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2584

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2585

server, client = loopback()

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2586

client_protocol_version_name = client.get_protocol_version_name()

2587

server_protocol_version_name = server.get_protocol_version_name()

2588

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2589

assert isinstance(server_protocol_version_name, text_type)

2590

assert isinstance(client_protocol_version_name, text_type)

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2591

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2592

assert server_protocol_version_name == client_protocol_version_name

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2593

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2594

def test_get_protocol_version(self):

2595

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2596

`Connection.get_protocol_version()` returns an integer

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2597

giving the protocol version of the current connection.

2598

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2599

server, client = loopback()

Jim Shaver

85a4dff

2015-04-27 17:42:46 -0400

[diff] [blame]

2600

client_protocol_version = client.get_protocol_version()

2601

server_protocol_version = server.get_protocol_version()

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2602

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2603

assert isinstance(server_protocol_version, int)

2604

assert isinstance(client_protocol_version, int)

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2605

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2606

assert server_protocol_version == client_protocol_version

2607

2608

def test_wantReadError(self):

2609

"""

2610

`Connection.bio_read` raises `OpenSSL.SSL.WantReadError` if there are

2611

no bytes available to be read from the BIO.

2612

"""

2613

ctx = Context(TLSv1_METHOD)

2614

conn = Connection(ctx, None)

2615

with pytest.raises(WantReadError):

2616

conn.bio_read(1024)

2617

2618

def test_buffer_size(self):

2619

"""

2620

`Connection.bio_read` accepts an integer giving the maximum number

2621

of bytes to read and return.

2622

"""

2623

ctx = Context(TLSv1_METHOD)

2624

conn = Connection(ctx, None)

2625

conn.set_connect_state()

2626

try:

2627

conn.do_handshake()

2628

except WantReadError:

2629

pass

2630

data = conn.bio_read(2)

2631

assert 2 == len(data)

2632

2633

@skip_if_py3

2634

def test_buffer_size_long(self):

2635

"""

2636

On Python 2 `Connection.bio_read` accepts values of type `long` as

2637

well as `int`.

2638

"""

2639

ctx = Context(TLSv1_METHOD)

2640

conn = Connection(ctx, None)

2641

conn.set_connect_state()

2642

try:

2643

conn.do_handshake()

2644

except WantReadError:

2645

pass

2646

data = conn.bio_read(long(2))

2647

assert 2 == len(data)

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2648

Jean-Paul Calderone

dbd7627

2014-03-29 18:09:40 -0400

[diff] [blame]

2649

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2650

class TestConnectionGetCipherList(object):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2651

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2652

Tests for `Connection.get_cipher_list`.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2653

"""

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2654

def test_result(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2655

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2656

`Connection.get_cipher_list` returns a list of `bytes` giving the

2657

names of the ciphers which might be used.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2658

"""

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2659

connection = Connection(Context(TLSv1_METHOD), None)

2660

ciphers = connection.get_cipher_list()

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2661

assert isinstance(ciphers, list)

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2662

for cipher in ciphers:

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2663

assert isinstance(cipher, str)

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2664

2665

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

2666

class VeryLarge(bytes):

2667

"""

2668

Mock object so that we don't have to allocate 2**31 bytes

"""

def __len__(self):

return 2**31

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2674

class TestConnectionSend(object):

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2675

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2676

Tests for `Connection.send`.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2677

"""

2678

def test_wrong_args(self):

2679

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

2680

When called with arguments other than string argument for its first

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2681

parameter, `Connection.send` raises `TypeError`.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2682

"""

2683

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2684

with pytest.raises(TypeError):

2685

connection.send(object())

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2686

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2687

def test_short_bytes(self):

2688

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2689

When passed a short byte string, `Connection.send` transmits all of it

2690

and returns the number of bytes sent.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2691

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2692

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2693

count = server.send(b'xy')

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2694

assert count == 2

2695

assert client.recv(2) == b'xy'

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2696

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2697

def test_text(self):

2698

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2699

When passed a text, `Connection.send` transmits all of it and

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

2700

returns the number of bytes sent. It also raises a DeprecationWarning.

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2701

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2702

server, client = loopback()

2703

with pytest.warns(DeprecationWarning) as w:

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2704

simplefilter("always")

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

2705

count = server.send(b"xy".decode("ascii"))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2706

assert (

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

2707

"{0} for buf is no longer accepted, use bytes".format(

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

2708

WARNING_TYPE_EXPECTED

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2709

) == str(w[-1].message))

2710

assert count == 2

2711

assert client.recv(2) == b'xy'

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2712

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2713

@skip_if_py26

2714

def test_short_memoryview(self):

2715

"""

2716

When passed a memoryview onto a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2717

`Connection.send` transmits all of them and returns the number

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2718

of bytes sent.

2719

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2720

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2721

count = server.send(memoryview(b'xy'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2722

assert count == 2

2723

assert client.recv(2) == b'xy'

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2724

Hynek Schlawack

8e94f1b

2015-09-05 21:31:00 +0200

[diff] [blame]

2725

@skip_if_py3

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2726

def test_short_buffer(self):

2727

"""

2728

When passed a buffer containing a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2729

`Connection.send` transmits all of them and returns the number

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2730

of bytes sent.

2731

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2732

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2733

count = server.send(buffer(b'xy'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2734

assert count == 2

2735

assert client.recv(2) == b'xy'

Markus Unterwaditzer

8e41d02

2014-04-19 12:27:11 +0200

[diff] [blame]

2736

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

2737

@pytest.mark.skipif(

2738

sys.maxsize < 2**31,

2739

reason="sys.maxsize < 2**31 - test requires 64 bit"

2740

)

2741

def test_buf_too_large(self):

2742

"""

2743

When passed a buffer containing >= 2**31 bytes,

2744

`Connection.send` bails out as SSL_write only

2745

accepts an int for the buffer length.

2746

"""

2747

connection = Connection(Context(TLSv1_METHOD), None)

2748

with pytest.raises(ValueError) as exc_info:

2749

connection.send(VeryLarge())

2750

exc_info.match(r"Cannot send more than .+ bytes at once")

2751

Jean-Paul Calderone

691e6c9

2011-01-21 22:04:35 -0500

[diff] [blame]

2752

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2753

def _make_memoryview(size):

2754

"""

2755

Create a new ``memoryview`` wrapped around a ``bytearray`` of the given

2756

size.

2757

"""

2758

return memoryview(bytearray(size))

2759

2760

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2761

class TestConnectionRecvInto(object):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2762

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2763

Tests for `Connection.recv_into`.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2764

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2765

def _no_length_test(self, factory):

Jean-Paul Calderone

61559d8

2015-03-15 17:04:50 -0400

[diff] [blame]

2766

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2767

Assert that when the given buffer is passed to `Connection.recv_into`,

2768

whatever bytes are available to be received that fit into that buffer

2769

are written into that buffer.

Jean-Paul Calderone

61559d8

2015-03-15 17:04:50 -0400

[diff] [blame]

2770

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2771

output_buffer = factory(5)

2772

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2773

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2774

server.send(b'xy')

Jean-Paul Calderone

332a85e

2015-03-15 17:02:40 -0400

[diff] [blame]

2775

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2776

assert client.recv_into(output_buffer) == 2

2777

assert output_buffer == bytearray(b'xy\x00\x00\x00')

Jean-Paul Calderone

332a85e

2015-03-15 17:02:40 -0400

[diff] [blame]

2778

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2779

def test_bytearray_no_length(self):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2780

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2781

`Connection.recv_into` can be passed a `bytearray` instance and data

2782

in the receive buffer is written to it.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2783

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2784

self._no_length_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2785

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2786

def _respects_length_test(self, factory):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2787

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2788

Assert that when the given buffer is passed to `Connection.recv_into`

2789

along with a value for `nbytes` that is less than the size of that

2790

buffer, only `nbytes` bytes are written into the buffer.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2791

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2792

output_buffer = factory(10)

2793

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2794

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2795

server.send(b'abcdefghij')

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2796

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2797

assert client.recv_into(output_buffer, 5) == 5

2798

assert output_buffer == bytearray(b'abcde\x00\x00\x00\x00\x00')

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

2799

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2800

def test_bytearray_respects_length(self):

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

2801

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2802

When called with a `bytearray` instance, `Connection.recv_into`

2803

respects the `nbytes` parameter and doesn't copy in more than that

2804

number of bytes.

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

2805

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2806

self._respects_length_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2807

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2808

def _doesnt_overfill_test(self, factory):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2809

"""

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2810

Assert that if there are more bytes available to be read from the

2811

receive buffer than would fit into the buffer passed to

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2812

`Connection.recv_into`, only as many as fit are written into it.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2813

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2814

output_buffer = factory(5)

2815

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2816

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2817

server.send(b'abcdefghij')

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2818

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2819

assert client.recv_into(output_buffer) == 5

2820

assert output_buffer == bytearray(b'abcde')

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2821

rest = client.recv(5)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2822

assert b'fghij' == rest

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2823

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2824

def test_bytearray_doesnt_overfill(self):

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2825

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2826

When called with a `bytearray` instance, `Connection.recv_into`

2827

respects the size of the array and doesn't write more bytes into it

2828

than will fit.

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2829

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2830

self._doesnt_overfill_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2831

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2832

def test_bytearray_really_doesnt_overfill(self):

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

2833

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2834

When called with a `bytearray` instance and an `nbytes` value that is

2835

too large, `Connection.recv_into` respects the size of the array and

2836

not the `nbytes` value and doesn't write more bytes into the buffer

2837

than will fit.

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

2838

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2839

self._doesnt_overfill_test(bytearray)

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

2840

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2841

def test_peek(self):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2842

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2843

server.send(b'xy')

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2844

2845

for _ in range(2):

2846

output_buffer = bytearray(5)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2847

assert client.recv_into(output_buffer, flags=MSG_PEEK) == 2

2848

assert output_buffer == bytearray(b'xy\x00\x00\x00')

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2849

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2850

@skip_if_py26

2851

def test_memoryview_no_length(self):

2852

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2853

`Connection.recv_into` can be passed a `memoryview` instance and data

2854

in the receive buffer is written to it.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2855

"""

2856

self._no_length_test(_make_memoryview)

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2857

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2858

@skip_if_py26

2859

def test_memoryview_respects_length(self):

2860

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2861

When called with a `memoryview` instance, `Connection.recv_into`

2862

respects the ``nbytes`` parameter and doesn't copy more than that

2863

number of bytes in.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2864

"""

2865

self._respects_length_test(_make_memoryview)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2866

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2867

@skip_if_py26

2868

def test_memoryview_doesnt_overfill(self):

2869

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2870

When called with a `memoryview` instance, `Connection.recv_into`

2871

respects the size of the array and doesn't write more bytes into it

2872

than will fit.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2873

"""

2874

self._doesnt_overfill_test(_make_memoryview)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2875

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2876

@skip_if_py26

2877

def test_memoryview_really_doesnt_overfill(self):

2878

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2879

When called with a `memoryview` instance and an `nbytes` value that is

2880

too large, `Connection.recv_into` respects the size of the array and

2881

not the `nbytes` value and doesn't write more bytes into the buffer

2882

than will fit.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2883

"""

2884

self._doesnt_overfill_test(_make_memoryview)

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

2885

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2886

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2887

class TestConnectionSendall(object):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

2888

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2889

Tests for `Connection.sendall`.

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

2890

"""

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2891

def test_wrong_args(self):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

2892

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

2893

When called with arguments other than a string argument for its first

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2894

parameter, `Connection.sendall` raises `TypeError`.

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

2895

"""

2896

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2897

with pytest.raises(TypeError):

2898

connection.sendall(object())

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

2899

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

2900

def test_short(self):

2901

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2902

`Connection.sendall` transmits all of the bytes in the string

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

2903

passed to it.

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

2904

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2905

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2906

server.sendall(b'x')

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2907

assert client.recv(1) == b'x'

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

2908

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2909

def test_text(self):

2910

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2911

`Connection.sendall` transmits all the content in the string passed

2912

to it, raising a DeprecationWarning in case of this being a text.

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2913

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2914

server, client = loopback()

2915

with pytest.warns(DeprecationWarning) as w:

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2916

simplefilter("always")

Jean-Paul Calderone

8dc37a1

2015-03-29 08:16:52 -0400

[diff] [blame]

2917

server.sendall(b"x".decode("ascii"))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2918

assert (

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

2919

"{0} for buf is no longer accepted, use bytes".format(

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

2920

WARNING_TYPE_EXPECTED

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2921

) == str(w[-1].message))

2922

assert client.recv(1) == b"x"

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2923

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

2924

@skip_if_py26

2925

def test_short_memoryview(self):

2926

"""

2927

When passed a memoryview onto a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2928

`Connection.sendall` transmits all of them.

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

2929

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2930

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2931

server.sendall(memoryview(b'x'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2932

assert client.recv(1) == b'x'

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2933

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

2934

@skip_if_py3

2935

def test_short_buffers(self):

2936

"""

2937

When passed a buffer containing a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2938

`Connection.sendall` transmits all of them.

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

2939

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2940

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2941

server.sendall(buffer(b'x'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2942

assert client.recv(1) == b'x'

Markus Unterwaditzer

8e41d02

2014-04-19 12:27:11 +0200

[diff] [blame]

2943

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

2944

def test_long(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2945

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2946

`Connection.sendall` transmits all the bytes in the string passed to it

2947

even if this requires multiple calls of an underlying write function.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2948

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2949

server, client = loopback()

Jean-Paul Calderone

6241c70

2010-09-16 19:59:24 -0400

[diff] [blame]

2950

# Should be enough, underlying SSL_write should only do 16k at a time.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

2951

# On Windows, after 32k of bytes the write will block (forever

2952

# - because no one is yet reading).

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2953

message = b'x' * (1024 * 32 - 1) + b'y'

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

2954

server.sendall(message)

2955

accum = []

2956

received = 0

2957

while received < len(message):

Jean-Paul Calderone

b1f7f5f

2010-08-22 21:40:52 -0400

[diff] [blame]

2958

data = client.recv(1024)

2959

accum.append(data)

2960

received += len(data)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2961

assert message == b''.join(accum)

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

2962

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

2963

def test_closed(self):

2964

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2965

If the underlying socket is closed, `Connection.sendall` propagates the

2966

write error from the low level write call.

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

2967

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2968

server, client = loopback()

Jean-Paul Calderone

05d43e8

2010-09-24 18:01:36 -0400

[diff] [blame]

2969

server.sock_shutdown(2)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2970

with pytest.raises(SysCallError) as err:

2971

server.sendall(b"hello, world")

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

2972

if platform == "win32":

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2973

assert err.value.args[0] == ESHUTDOWN

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

2974

else:

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2975

assert err.value.args[0] == EPIPE

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

2976

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

2977

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2978

class TestConnectionRenegotiate(object):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

2979

"""

2980

Tests for SSL renegotiation APIs.

2981

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2982

def test_total_renegotiations(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2983

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2984

`Connection.total_renegotiations` returns `0` before any renegotiations

2985

have happened.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2986

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2987

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2988

assert connection.total_renegotiations() == 0

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2989

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

2990

def test_renegotiate(self):

2991

"""

2992

Go through a complete renegotiation cycle.

2993

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2994

server, client = loopback()

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

2995

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

2996

server.send(b"hello world")

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

2997

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

2998

assert b"hello world" == client.recv(len(b"hello world"))

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

2999

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3000

assert 0 == server.total_renegotiations()

3001

assert False is server.renegotiate_pending()

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3002

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3003

assert True is server.renegotiate()

3004

3005

assert True is server.renegotiate_pending()

3006

3007

server.setblocking(False)

3008

client.setblocking(False)

3009

3010

client.do_handshake()

3011

server.do_handshake()

3012

3013

assert 1 == server.total_renegotiations()

3014

while False is server.renegotiate_pending():

3015

pass

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3016

3017

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3018

class TestError(object):

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3019

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3020

Unit tests for `OpenSSL.SSL.Error`.

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3021

"""

3022

def test_type(self):

3023

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3024

`Error` is an exception type.

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3025

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3026

assert issubclass(Error, Exception)

3027

assert Error.__name__ == 'Error'

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

3028

3029

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3030

class TestConstants(object):

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3031

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3032

Tests for the values of constants exposed in `OpenSSL.SSL`.

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3033

3034

These are values defined by OpenSSL intended only to be used as flags to

3035

OpenSSL APIs. The only assertions it seems can be made about them is

3036

their values.

3037

"""

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3038

@pytest.mark.skipif(

3039

OP_NO_QUERY_MTU is None,

3040

reason="OP_NO_QUERY_MTU unavailable - OpenSSL version may be too old"

3041

)

3042

def test_op_no_query_mtu(self):

3043

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3044

The value of `OpenSSL.SSL.OP_NO_QUERY_MTU` is 0x1000, the value

3045

of `SSL_OP_NO_QUERY_MTU` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3046

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3047

assert OP_NO_QUERY_MTU == 0x1000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3048

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3049

@pytest.mark.skipif(

3050

OP_COOKIE_EXCHANGE is None,

3051

reason="OP_COOKIE_EXCHANGE unavailable - "

3052

"OpenSSL version may be too old"

3053

)

3054

def test_op_cookie_exchange(self):

3055

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3056

The value of `OpenSSL.SSL.OP_COOKIE_EXCHANGE` is 0x2000, the

3057

value of `SSL_OP_COOKIE_EXCHANGE` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3058

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3059

assert OP_COOKIE_EXCHANGE == 0x2000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3060

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3061

@pytest.mark.skipif(

3062

OP_NO_TICKET is None,

3063

reason="OP_NO_TICKET unavailable - OpenSSL version may be too old"

3064

)

3065

def test_op_no_ticket(self):

3066

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3067

The value of `OpenSSL.SSL.OP_NO_TICKET` is 0x4000, the value of

3068

`SSL_OP_NO_TICKET` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3069

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3070

assert OP_NO_TICKET == 0x4000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3071

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3072

@pytest.mark.skipif(

3073

OP_NO_COMPRESSION is None,

3074

reason="OP_NO_COMPRESSION unavailable - OpenSSL version may be too old"

3075

)

3076

def test_op_no_compression(self):

3077

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3078

The value of `OpenSSL.SSL.OP_NO_COMPRESSION` is 0x20000, the

3079

value of `SSL_OP_NO_COMPRESSION` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3080

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3081

assert OP_NO_COMPRESSION == 0x20000

Jean-Paul Calderone

c62d4c1

2011-09-08 18:29:32 -0400

[diff] [blame]

3082

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3083

def test_sess_cache_off(self):

3084

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3085

The value of `OpenSSL.SSL.SESS_CACHE_OFF` 0x0, the value of

3086

`SSL_SESS_CACHE_OFF` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3087

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3088

assert 0x0 == SESS_CACHE_OFF

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3089

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3090

def test_sess_cache_client(self):

3091

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3092

The value of `OpenSSL.SSL.SESS_CACHE_CLIENT` 0x1, the value of

3093

`SSL_SESS_CACHE_CLIENT` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3094

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3095

assert 0x1 == SESS_CACHE_CLIENT

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3096

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3097

def test_sess_cache_server(self):

3098

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3099

The value of `OpenSSL.SSL.SESS_CACHE_SERVER` 0x2, the value of

3100

`SSL_SESS_CACHE_SERVER` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3101

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3102

assert 0x2 == SESS_CACHE_SERVER

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3103

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3104

def test_sess_cache_both(self):

3105

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3106

The value of `OpenSSL.SSL.SESS_CACHE_BOTH` 0x3, the value of

3107

`SSL_SESS_CACHE_BOTH` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3108

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3109

assert 0x3 == SESS_CACHE_BOTH

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3110

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3111

def test_sess_cache_no_auto_clear(self):

3112

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3113

The value of `OpenSSL.SSL.SESS_CACHE_NO_AUTO_CLEAR` 0x80, the

3114

value of `SSL_SESS_CACHE_NO_AUTO_CLEAR` defined by

3115

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3116

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3117

assert 0x80 == SESS_CACHE_NO_AUTO_CLEAR

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3118

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3119

def test_sess_cache_no_internal_lookup(self):

3120

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3121

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_LOOKUP` 0x100,

3122

the value of `SSL_SESS_CACHE_NO_INTERNAL_LOOKUP` defined by

3123

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3124

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3125

assert 0x100 == SESS_CACHE_NO_INTERNAL_LOOKUP

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3126

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3127

def test_sess_cache_no_internal_store(self):

3128

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3129

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_STORE` 0x200,

3130

the value of `SSL_SESS_CACHE_NO_INTERNAL_STORE` defined by

3131

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3132

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3133

assert 0x200 == SESS_CACHE_NO_INTERNAL_STORE

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3134

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3135

def test_sess_cache_no_internal(self):

3136

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3137

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL` 0x300, the

3138

value of `SSL_SESS_CACHE_NO_INTERNAL` defined by

3139

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3140

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3141

assert 0x300 == SESS_CACHE_NO_INTERNAL

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3142

3143

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3144

class TestMemoryBIO(object):

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3145

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3146

Tests for `OpenSSL.SSL.Connection` using a memory BIO.

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3147

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3148

def _server(self, sock):

3149

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3150

Create a new server-side SSL `Connection` object wrapped around `sock`.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3151

"""

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3152

# Create the server side Connection. This is mostly setup boilerplate

3153

# - use TLSv1, use a particular certificate, etc.

3154

server_ctx = Context(TLSv1_METHOD)

Alex Gaynor

4330778

2015-09-04 09:05:45 -0400

[diff] [blame]

3155

server_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE)

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3156

server_ctx.set_verify(

3157

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE,

3158

verify_cb

3159

)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3160

server_store = server_ctx.get_cert_store()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3161

server_ctx.use_privatekey(

3162

load_privatekey(FILETYPE_PEM, server_key_pem))

3163

server_ctx.use_certificate(

3164

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3165

server_ctx.check_privatekey()

3166

server_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3167

# Here the Connection is actually created. If None is passed as the

3168

# 2nd parameter, it indicates a memory BIO should be created.

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3169

server_conn = Connection(server_ctx, sock)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3170

server_conn.set_accept_state()

3171

return server_conn

3172

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3173

def _client(self, sock):

3174

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3175

Create a new client-side SSL `Connection` object wrapped around `sock`.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3176

"""

3177

# Now create the client side Connection. Similar boilerplate to the

3178

# above.

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3179

client_ctx = Context(TLSv1_METHOD)

Alex Gaynor

4330778

2015-09-04 09:05:45 -0400

[diff] [blame]

3180

client_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE)

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3181

client_ctx.set_verify(

3182

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE,

3183

verify_cb

3184

)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3185

client_store = client_ctx.get_cert_store()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3186

client_ctx.use_privatekey(

3187

load_privatekey(FILETYPE_PEM, client_key_pem))

3188

client_ctx.use_certificate(

3189

load_certificate(FILETYPE_PEM, client_cert_pem))

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3190

client_ctx.check_privatekey()

3191

client_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3192

client_conn = Connection(client_ctx, sock)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3193

client_conn.set_connect_state()

3194

return client_conn

3195

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3196

def test_memory_connect(self):

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3197

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3198

Two `Connection`s which use memory BIOs can be manually connected by

3199

reading from the output of each and writing those bytes to the input of

3200

the other and in this way establish a connection and exchange

3201

application-level bytes with each other.

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3202

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3203

server_conn = self._server(None)

3204

client_conn = self._client(None)

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3205

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3206

# There should be no key or nonces yet.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3207

assert server_conn.master_key() is None

3208

assert server_conn.client_random() is None

3209

assert server_conn.server_random() is None

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3210

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3211

# First, the handshake needs to happen. We'll deliver bytes back and

3212

# forth between the client and server until neither of them feels like

3213

# speaking any more.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3214

assert interact_in_memory(client_conn, server_conn) is None

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3215

3216

# Now that the handshake is done, there should be a key and nonces.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3217

assert server_conn.master_key() is not None

3218

assert server_conn.client_random() is not None

3219

assert server_conn.server_random() is not None

3220

assert server_conn.client_random() == client_conn.client_random()

3221

assert server_conn.server_random() == client_conn.server_random()

3222

assert server_conn.client_random() != server_conn.server_random()

3223

assert client_conn.client_random() != client_conn.server_random()

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3224

3225

# Here are the bytes we'll try to send.

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3226

important_message = b'One if by land, two if by sea.'

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3227

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3228

server_conn.write(important_message)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3229

assert (

3230

interact_in_memory(client_conn, server_conn) ==

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3231

(client_conn, important_message))

3232

3233

client_conn.write(important_message[::-1])

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3234

assert (

3235

interact_in_memory(client_conn, server_conn) ==

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3236

(server_conn, important_message[::-1]))

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3237

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3238

def test_socket_connect(self):

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3239

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3240

Just like `test_memory_connect` but with an actual socket.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3241

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3242

This is primarily to rule out the memory BIO code as the source of any

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3243

problems encountered while passing data over a `Connection` (if

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3244

this test fails, there must be a problem outside the memory BIO code,

3245

as no memory BIO is involved here). Even though this isn't a memory

3246

BIO test, it's convenient to have it here.

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3247

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3248

server_conn, client_conn = loopback()

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3249

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3250

important_message = b"Help me Obi Wan Kenobi, you're my only hope."

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3251

client_conn.send(important_message)

3252

msg = server_conn.recv(1024)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3253

assert msg == important_message

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3254

3255

# Again in the other direction, just for fun.

3256

important_message = important_message[::-1]

3257

server_conn.send(important_message)

3258

msg = client_conn.recv(1024)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3259

assert msg == important_message

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3260

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3261

def test_socket_overrides_memory(self):

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3262

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3263

Test that `OpenSSL.SSL.bio_read` and `OpenSSL.SSL.bio_write` don't

3264

work on `OpenSSL.SSL.Connection`() that use sockets.

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3265

"""

Alex Gaynor

51d424c

2016-09-10 14:50:11 -0400

[diff] [blame]

3266

context = Context(TLSv1_METHOD)

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3267

client = socket()

3268

clientSSL = Connection(context, client)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3269

with pytest.raises(TypeError):

3270

clientSSL.bio_read(100)

3271

with pytest.raises(TypeError):

3272

clientSSL.bio_write("foo")

3273

with pytest.raises(TypeError):

3274

clientSSL.bio_shutdown()

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3275

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3276

def test_outgoing_overflow(self):

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3277

"""

3278

If more bytes than can be written to the memory BIO are passed to

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3279

`Connection.send` at once, the number of bytes which were written is

3280

returned and that many bytes from the beginning of the input can be

3281

read from the other end of the connection.

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3282

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3283

server = self._server(None)

3284

client = self._client(None)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3285

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3286

interact_in_memory(client, server)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3287

3288

size = 2 ** 15

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

3289

sent = client.send(b"x" * size)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3290

# Sanity check. We're trying to test what happens when the entire

3291

# input can't be sent. If the entire input was sent, this test is

3292

# meaningless.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3293

assert sent < size

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3294

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3295

receiver, received = interact_in_memory(client, server)

3296

assert receiver is server

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3297

3298

# We can rely on all of these bytes being received at once because

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3299

# loopback passes 2 ** 16 to recv - more than 2 ** 15.

3300

assert len(received) == sent

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3301

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3302

def test_shutdown(self):

3303

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3304

`Connection.bio_shutdown` signals the end of the data stream

3305

from which the `Connection` reads.

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3306

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3307

server = self._server(None)

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3308

server.bio_shutdown()

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3309

with pytest.raises(Error) as err:

3310

server.recv(1024)

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3311

# We don't want WantReadError or ZeroReturnError or anything - it's a

3312

# handshake failure.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3313

assert type(err.value) in [Error, SysCallError]

Jean-Paul Calderone

0b88b6a

2009-07-05 12:44:41 -0400

[diff] [blame]

3314

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3315

def test_unexpected_EOF(self):

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3316

"""

3317

If the connection is lost before an orderly SSL shutdown occurs,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3318

`OpenSSL.SSL.SysCallError` is raised with a message of

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3319

"Unexpected EOF".

3320

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3321

server_conn, client_conn = loopback()

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3322

client_conn.sock_shutdown(SHUT_RDWR)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3323

with pytest.raises(SysCallError) as err:

3324

server_conn.recv(1024)

3325

assert err.value.args == (-1, "Unexpected EOF")

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3326

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3327

def _check_client_ca_list(self, func):

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3328

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3329

Verify the return value of the `get_client_ca_list` method for

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3330

server and client connections.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3331

Jonathan Ballet

78b92a2

2011-07-16 08:07:26 +0900

[diff] [blame]

3332

:param func: A function which will be called with the server context

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3333

before the client and server are connected to each other. This

3334

function should specify a list of CAs for the server to send to the

3335

client and return that same list. The list will be used to verify

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3336

that `get_client_ca_list` returns the proper value at

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3337

various times.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3338

"""

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3339

server = self._server(None)

3340

client = self._client(None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3341

assert client.get_client_ca_list() == []

3342

assert server.get_client_ca_list() == []

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3343

ctx = server.get_context()

3344

expected = func(ctx)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3345

assert client.get_client_ca_list() == []

3346

assert server.get_client_ca_list() == expected

3347

interact_in_memory(client, server)

3348

assert client.get_client_ca_list() == expected

3349

assert server.get_client_ca_list() == expected

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3350

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3351

def test_set_client_ca_list_errors(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3352

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3353

`Context.set_client_ca_list` raises a `TypeError` if called with a

3354

non-list or a list that contains objects other than X509Names.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3355

"""

3356

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3357

with pytest.raises(TypeError):

3358

ctx.set_client_ca_list("spam")

3359

with pytest.raises(TypeError):

3360

ctx.set_client_ca_list(["spam"])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3361

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3362

def test_set_empty_ca_list(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3363

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3364

If passed an empty list, `Context.set_client_ca_list` configures the

3365

context to send no CA names to the client and, on both the server and

3366

client sides, `Connection.get_client_ca_list` returns an empty list

3367

after the connection is set up.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3368

"""

3369

def no_ca(ctx):

3370

ctx.set_client_ca_list([])

3371

return []

3372

self._check_client_ca_list(no_ca)

3373

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3374

def test_set_one_ca_list(self):

3375

"""

3376

If passed a list containing a single X509Name,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3377

`Context.set_client_ca_list` configures the context to send

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3378

that CA name to the client and, on both the server and client sides,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3379

`Connection.get_client_ca_list` returns a list containing that

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3380

X509Name after the connection is set up.

3381

"""

3382

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3383

cadesc = cacert.get_subject()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3384

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3385

def single_ca(ctx):

3386

ctx.set_client_ca_list([cadesc])

3387

return [cadesc]

3388

self._check_client_ca_list(single_ca)

3389

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3390

def test_set_multiple_ca_list(self):

3391

"""

3392

If passed a list containing multiple X509Name objects,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3393

`Context.set_client_ca_list` configures the context to send

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3394

those CA names to the client and, on both the server and client sides,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3395

`Connection.get_client_ca_list` returns a list containing those

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3396

X509Names after the connection is set up.

3397

"""

3398

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3399

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3400

3401

sedesc = secert.get_subject()

3402

cldesc = clcert.get_subject()

3403

3404

def multiple_ca(ctx):

3405

L = [sedesc, cldesc]

3406

ctx.set_client_ca_list(L)

3407

return L

3408

self._check_client_ca_list(multiple_ca)

3409

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3410

def test_reset_ca_list(self):

3411

"""

3412

If called multiple times, only the X509Names passed to the final call

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3413

of `Context.set_client_ca_list` are used to configure the CA

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3414

names sent to the client.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3415

"""

3416

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3417

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3418

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3419

3420

cadesc = cacert.get_subject()

3421

sedesc = secert.get_subject()

3422

cldesc = clcert.get_subject()

3423

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3424

def changed_ca(ctx):

3425

ctx.set_client_ca_list([sedesc, cldesc])

3426

ctx.set_client_ca_list([cadesc])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3427

return [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3428

self._check_client_ca_list(changed_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3429

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3430

def test_mutated_ca_list(self):

3431

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3432

If the list passed to `Context.set_client_ca_list` is mutated

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3433

afterwards, this does not affect the list of CA names sent to the

3434

client.

3435

"""

3436

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3437

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3438

3439

cadesc = cacert.get_subject()

3440

sedesc = secert.get_subject()

3441

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3442

def mutated_ca(ctx):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3443

L = [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3444

ctx.set_client_ca_list([cadesc])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3445

L.append(sedesc)

3446

return [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3447

self._check_client_ca_list(mutated_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3448

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3449

def test_add_client_ca_wrong_args(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3450

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3451

`Context.add_client_ca` raises `TypeError` if called with

3452

a non-X509 object.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3453

"""

3454

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3455

with pytest.raises(TypeError):

3456

ctx.add_client_ca("spam")

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3457

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3458

def test_one_add_client_ca(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3459

"""

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3460

A certificate's subject can be added as a CA to be sent to the client

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3461

with `Context.add_client_ca`.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3462

"""

3463

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3464

cadesc = cacert.get_subject()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3465

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3466

def single_ca(ctx):

3467

ctx.add_client_ca(cacert)

3468

return [cadesc]

3469

self._check_client_ca_list(single_ca)

3470

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3471

def test_multiple_add_client_ca(self):

3472

"""

3473

Multiple CA names can be sent to the client by calling

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3474

`Context.add_client_ca` with multiple X509 objects.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3475

"""

3476

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3477

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3478

3479

cadesc = cacert.get_subject()

3480

sedesc = secert.get_subject()

3481

3482

def multiple_ca(ctx):

3483

ctx.add_client_ca(cacert)

3484

ctx.add_client_ca(secert)

3485

return [cadesc, sedesc]

3486

self._check_client_ca_list(multiple_ca)

3487

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3488

def test_set_and_add_client_ca(self):

3489

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3490

A call to `Context.set_client_ca_list` followed by a call to

3491

`Context.add_client_ca` results in using the CA names from the

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3492

first call and the CA name from the second call.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3493

"""

3494

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3495

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3496

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3497

3498

cadesc = cacert.get_subject()

3499

sedesc = secert.get_subject()

3500

cldesc = clcert.get_subject()

3501

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3502

def mixed_set_add_ca(ctx):

3503

ctx.set_client_ca_list([cadesc, sedesc])

3504

ctx.add_client_ca(clcert)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3505

return [cadesc, sedesc, cldesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3506

self._check_client_ca_list(mixed_set_add_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3507

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3508

def test_set_after_add_client_ca(self):

3509

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3510

A call to `Context.set_client_ca_list` after a call to

3511

`Context.add_client_ca` replaces the CA name specified by the

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3512

former call with the names specified by the latter call.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3513

"""

3514

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3515

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3516

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3517

3518

cadesc = cacert.get_subject()

3519

sedesc = secert.get_subject()

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3520

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3521

def set_replaces_add_ca(ctx):

3522

ctx.add_client_ca(clcert)

3523

ctx.set_client_ca_list([cadesc])

3524

ctx.add_client_ca(secert)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3525

return [cadesc, sedesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3526

self._check_client_ca_list(set_replaces_add_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3527

Jean-Paul Calderone

0b88b6a

2009-07-05 12:44:41 -0400

[diff] [blame]

3528

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3529

class TestInfoConstants(object):

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3530

"""

3531

Tests for assorted constants exposed for use in info callbacks.

3532

"""

3533

def test_integers(self):

3534

"""

3535

All of the info constants are integers.

3536

3537

This is a very weak test. It would be nice to have one that actually

3538

verifies that as certain info events happen, the value passed to the

3539

info callback matches up with the constant exposed by OpenSSL.SSL.

3540

"""

3541

for const in [

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

3542

SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK,

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3543

SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT,

3544

SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP,

3545

SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT,

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3546

SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE

3547

]:

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

3548

assert isinstance(const, int)

3549

3550

# These constants don't exist on OpenSSL 1.1.0

3551

for const in [

3552

SSL_ST_INIT, SSL_ST_BEFORE, SSL_ST_OK, SSL_ST_RENEGOTIATE

3553

]:

3554

assert const is None or isinstance(const, int)

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3555

Ziga Seilnacht

44611bf

2009-08-31 20:49:30 +0200

[diff] [blame]

3556

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3557

class TestRequires(object):

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3558

"""

3559

Tests for the decorator factory used to conditionally raise

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3560

NotImplementedError when older OpenSSLs are used.

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3561

"""

3562

def test_available(self):

3563

"""

3564

When the OpenSSL functionality is available the decorated functions

3565

work appropriately.

3566

"""

3567

feature_guard = _make_requires(True, "Error text")

results = []

@feature_guard

def inner():

results.append(True)

return True

Cory Benfield

2016-03-30 14:24:16 +0100

[diff] [blame]

3575

assert inner() is True

3576

assert [True] == results

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3577

3578

def test_unavailable(self):

3579

"""

3580

When the OpenSSL functionality is not available the decorated function

3581

does not execute and NotImplementedError is raised.

3582

"""

3583

feature_guard = _make_requires(False, "Error text")

results = []

@feature_guard

def inner():

results.append(True)

return True

Cory Benfield

2016-03-30 11:51:45 +0100

[diff] [blame]

3591

with pytest.raises(NotImplementedError) as e:

3592

inner()

3593

3594

assert "Error text" in str(e.value)

Cory Benfield

2333e5e

2016-03-30 14:24:16 +0100

[diff] [blame]

3595

assert results == []

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3596

3597

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3598

class TestOCSP(object):

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3599

"""

3600

Tests for PyOpenSSL's OCSP stapling support.

3601

"""

3602

sample_ocsp_data = b"this is totally ocsp data"

3603

3604

def _client_connection(self, callback, data, request_ocsp=True):

3605

"""

3606

Builds a client connection suitable for using OCSP.

3607

3608

:param callback: The callback to register for OCSP.

3609

:param data: The opaque data object that will be handed to the

3610

OCSP callback.

3611

:param request_ocsp: Whether the client will actually ask for OCSP

3612

stapling. Useful for testing only.

3613

"""

3614

ctx = Context(SSLv23_METHOD)

3615

ctx.set_ocsp_client_callback(callback, data)

3616

client = Connection(ctx)

3617

3618

if request_ocsp:

3619

client.request_ocsp()

3620

3621

client.set_connect_state()

3622

return client

3623

3624

def _server_connection(self, callback, data):

3625

"""

3626

Builds a server connection suitable for using OCSP.

3627

3628

:param callback: The callback to register for OCSP.

3629

:param data: The opaque data object that will be handed to the

3630

OCSP callback.

3631

"""

3632

ctx = Context(SSLv23_METHOD)

3633

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

3634

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

3635

ctx.set_ocsp_server_callback(callback, data)

3636

server = Connection(ctx)

3637

server.set_accept_state()

3638

return server

3639

3640

def test_callbacks_arent_called_by_default(self):

3641

"""

3642

If both the client and the server have registered OCSP callbacks, but

3643

the client does not send the OCSP request, neither callback gets

called.

"""

called = []

def ocsp_callback(*args, **kwargs):

3649

called.append((args, kwargs))

3650

3651

client = self._client_connection(

3652

callback=ocsp_callback, data=None, request_ocsp=False

3653

)

3654

server = self._server_connection(callback=ocsp_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3655

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

assert not called

def test_client_negotiates_without_server(self):

3660

"""

3661

If the client wants to do OCSP but the server does not, the handshake

3662

succeeds, and the client callback fires with an empty byte string.

"""

called = []

def ocsp_callback(conn, ocsp_data, ignored):

3667

called.append(ocsp_data)

3668

return True

3669

3670

client = self._client_connection(callback=ocsp_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3671

server = loopback_server_factory(socket=None)

3672

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3673

3674

assert len(called) == 1

3675

assert called[0] == b''

3676

3677

def test_client_receives_servers_data(self):

3678

"""

3679

The data the server sends in its callback is received by the client.

"""

calls = []

def server_callback(*args, **kwargs):

3684

return self.sample_ocsp_data

3685

3686

def client_callback(conn, ocsp_data, ignored):

3687

calls.append(ocsp_data)

3688

return True

3689

3690

client = self._client_connection(callback=client_callback, data=None)

3691

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3692

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3693

3694

assert len(calls) == 1

3695

assert calls[0] == self.sample_ocsp_data

3696

3697

def test_callbacks_are_invoked_with_connections(self):

3698

"""

3699

The first arguments to both callbacks are their respective connections.

"""

client_calls = []

server_calls = []

def client_callback(conn, *args, **kwargs):

3705

client_calls.append(conn)

3706

return True

3707

3708

def server_callback(conn, *args, **kwargs):

3709

server_calls.append(conn)

3710

return self.sample_ocsp_data

3711

3712

client = self._client_connection(callback=client_callback, data=None)

3713

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3714

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3715

3716

assert len(client_calls) == 1

3717

assert len(server_calls) == 1

3718

assert client_calls[0] is client

3719

assert server_calls[0] is server

3720

3721

def test_opaque_data_is_passed_through(self):

3722

"""

3723

Both callbacks receive an opaque, user-provided piece of data in their

3724

callbacks as the final argument.

"""

calls = []

def server_callback(*args):

3729

calls.append(args)

3730

return self.sample_ocsp_data

3731

3732

def client_callback(*args):

calls.append(args)

return True

sentinel = object()

client = self._client_connection(

3739

callback=client_callback, data=sentinel

3740

)

3741

server = self._server_connection(

3742

callback=server_callback, data=sentinel

3743

)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3744

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3745

3746

assert len(calls) == 2

3747

assert calls[0][-1] is sentinel

3748

assert calls[1][-1] is sentinel

3749

3750

def test_server_returns_empty_string(self):

3751

"""

3752

If the server returns an empty bytestring from its callback, the

3753

client callback is called with the empty bytestring.

"""

client_calls = []

def server_callback(*args):

3758

return b''

3759

3760

def client_callback(conn, ocsp_data, ignored):

3761

client_calls.append(ocsp_data)

3762

return True

3763

3764

client = self._client_connection(callback=client_callback, data=None)

3765

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3766

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3767

3768

assert len(client_calls) == 1

3769

assert client_calls[0] == b''

3770

3771

def test_client_returns_false_terminates_handshake(self):

3772

"""

3773

If the client returns False from its callback, the handshake fails.

3774

"""

3775

def server_callback(*args):

3776

return self.sample_ocsp_data

3777

3778

def client_callback(*args):

3779

return False

3780

3781

client = self._client_connection(callback=client_callback, data=None)

3782

server = self._server_connection(callback=server_callback, data=None)

3783

3784

with pytest.raises(Error):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3785

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3786

3787

def test_exceptions_in_client_bubble_up(self):

3788

"""

3789

The callbacks thrown in the client callback bubble up to the caller.

3790

"""

3791

class SentinelException(Exception):

3792

pass

3793

3794

def server_callback(*args):

3795

return self.sample_ocsp_data

3796

3797

def client_callback(*args):

3798

raise SentinelException()

3799

3800

client = self._client_connection(callback=client_callback, data=None)

3801

server = self._server_connection(callback=server_callback, data=None)

3802

3803

with pytest.raises(SentinelException):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3804

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3805

3806

def test_exceptions_in_server_bubble_up(self):

3807

"""

3808

The callbacks thrown in the server callback bubble up to the caller.

3809

"""

3810

class SentinelException(Exception):

3811

pass

3812

3813

def server_callback(*args):

3814

raise SentinelException()

3815

3816

def client_callback(*args):

3817

pytest.fail("Should not be called")

3818

3819

client = self._client_connection(callback=client_callback, data=None)

3820

server = self._server_connection(callback=server_callback, data=None)

3821

3822

with pytest.raises(SentinelException):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3823

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3824

3825

def test_server_must_return_bytes(self):

3826

"""

3827

The server callback must return a bytestring, or a TypeError is thrown.

3828

"""

3829

def server_callback(*args):

3830

return self.sample_ocsp_data.decode('ascii')

3831

3832

def client_callback(*args):

3833

pytest.fail("Should not be called")

3834

3835

client = self._client_connection(callback=client_callback, data=None)

3836

server = self._server_connection(callback=server_callback, data=None)

3837

3838

with pytest.raises(TypeError):

Alex Chan