blob: 5a95876c2307ed95a4faa9004c7ea87ba0ec8faa [file] [log] [blame]
Jean-Paul Calderone8671c852011-03-02 19:26:20 -05001# Copyright (C) Jean-Paul Calderone
2# See LICENSE for details.
Jean-Paul Calderone8b63d452008-03-21 18:31:12 -04003
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -04004"""
Jonathan Ballet648875f2011-07-16 14:14:58 +09005Unit tests for :py:obj:`OpenSSL.SSL`.
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -04006"""
7
Jean-Paul Calderone4c1aacd2014-01-11 08:15:17 -05008from gc import collect, get_referrers
Konstantinos Koukopoulos541150d2014-01-31 01:00:19 +02009from errno import ECONNREFUSED, EINPROGRESS, EWOULDBLOCK, EPIPE, ESHUTDOWN
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -040010from sys import platform, version_info
Jean-Paul Calderoned899af02013-03-19 22:10:37 -070011from socket import SHUT_RDWR, error, socket
Jean-Paul Calderonea65cf6c2009-07-19 10:26:52 -040012from os import makedirs
Jean-Paul Calderone1461c492013-10-03 16:05:00 -040013from os.path import join
Jean-Paul Calderone0b88b6a2009-07-05 12:44:41 -040014from unittest import main
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -040015from weakref import ref
Jean-Paul Calderone460cc1f2009-03-07 11:31:12 -050016
Jean-Paul Calderone7f0ded42014-03-30 10:34:17 -040017from six import PY3, text_type, u
Jean-Paul Calderonec76c61c2014-01-18 13:21:52 -050018
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -040019from OpenSSL.crypto import TYPE_RSA, FILETYPE_PEM
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -080020from OpenSSL.crypto import PKey, X509, X509Extension, X509Store
Jean-Paul Calderone7526d172010-09-09 17:55:31 -040021from OpenSSL.crypto import dump_privatekey, load_privatekey
22from OpenSSL.crypto import dump_certificate, load_certificate
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -040023from OpenSSL.crypto import get_elliptic_curves
Jean-Paul Calderone7526d172010-09-09 17:55:31 -040024
Jean-Paul Calderoneb41d1f42014-04-17 16:02:04 -040025from OpenSSL.SSL import _lib
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -040026from OpenSSL.SSL import OPENSSL_VERSION_NUMBER, SSLEAY_VERSION, SSLEAY_CFLAGS
27from OpenSSL.SSL import SSLEAY_PLATFORM, SSLEAY_DIR, SSLEAY_BUILT_ON
Jean-Paul Calderonee4f6b472010-07-29 22:50:58 -040028from OpenSSL.SSL import SENT_SHUTDOWN, RECEIVED_SHUTDOWN
Jean-Paul Calderone1461c492013-10-03 16:05:00 -040029from OpenSSL.SSL import (
30 SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD,
31 TLSv1_1_METHOD, TLSv1_2_METHOD)
32from OpenSSL.SSL import OP_SINGLE_DH_USE, OP_NO_SSLv2, OP_NO_SSLv3
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -040033from OpenSSL.SSL import (
34 VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT, VERIFY_CLIENT_ONCE, VERIFY_NONE)
Jean-Paul Calderone0222a492011-09-08 18:26:03 -040035
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -040036from OpenSSL.SSL import (
Jean-Paul Calderone313bf012012-02-08 13:02:49 -050037 SESS_CACHE_OFF, SESS_CACHE_CLIENT, SESS_CACHE_SERVER, SESS_CACHE_BOTH,
38 SESS_CACHE_NO_AUTO_CLEAR, SESS_CACHE_NO_INTERNAL_LOOKUP,
39 SESS_CACHE_NO_INTERNAL_STORE, SESS_CACHE_NO_INTERNAL)
40
41from OpenSSL.SSL import (
Jean-Paul Calderoned899af02013-03-19 22:10:37 -070042 Error, SysCallError, WantReadError, WantWriteError, ZeroReturnError)
Jean-Paul Calderonee0fcf512012-02-13 09:10:15 -050043from OpenSSL.SSL import (
Jean-Paul Calderoned899af02013-03-19 22:10:37 -070044 Context, ContextType, Session, Connection, ConnectionType, SSLeay_version)
Jean-Paul Calderone7526d172010-09-09 17:55:31 -040045
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -050046from OpenSSL.test.util import TestCase, b
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -040047from OpenSSL.test.test_crypto import (
48 cleartextCertificatePEM, cleartextPrivateKeyPEM)
49from OpenSSL.test.test_crypto import (
50 client_cert_pem, client_key_pem, server_cert_pem, server_key_pem,
51 root_cert_pem)
52
Jean-Paul Calderone4bccf5e2008-12-28 22:50:42 -050053try:
54 from OpenSSL.SSL import OP_NO_QUERY_MTU
55except ImportError:
56 OP_NO_QUERY_MTU = None
57try:
58 from OpenSSL.SSL import OP_COOKIE_EXCHANGE
59except ImportError:
60 OP_COOKIE_EXCHANGE = None
61try:
62 from OpenSSL.SSL import OP_NO_TICKET
63except ImportError:
64 OP_NO_TICKET = None
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -040065
Jean-Paul Calderone0222a492011-09-08 18:26:03 -040066try:
Jean-Paul Calderonec62d4c12011-09-08 18:29:32 -040067 from OpenSSL.SSL import OP_NO_COMPRESSION
68except ImportError:
69 OP_NO_COMPRESSION = None
70
71try:
Jean-Paul Calderone0222a492011-09-08 18:26:03 -040072 from OpenSSL.SSL import MODE_RELEASE_BUFFERS
73except ImportError:
74 MODE_RELEASE_BUFFERS = None
75
Jean-Paul Calderone1461c492013-10-03 16:05:00 -040076try:
77 from OpenSSL.SSL import OP_NO_TLSv1, OP_NO_TLSv1_1, OP_NO_TLSv1_2
78except ImportError:
79 OP_NO_TLSv1 = OP_NO_TLSv1_1 = OP_NO_TLSv1_2 = None
80
Jean-Paul Calderone31e85a82011-03-21 19:13:35 -040081from OpenSSL.SSL import (
82 SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK, SSL_ST_INIT, SSL_ST_BEFORE,
83 SSL_ST_OK, SSL_ST_RENEGOTIATE,
84 SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT,
85 SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP,
86 SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT,
87 SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE)
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -040088
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -040089# openssl dhparam 128 -out dh-128.pem (note that 128 is a small number of bits
90# to use)
91dhparam = """\
92-----BEGIN DH PARAMETERS-----
93MBYCEQCobsg29c9WZP/54oAPcwiDAgEC
94-----END DH PARAMETERS-----
95"""
96
97
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -040098def verify_cb(conn, cert, errnum, depth, ok):
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -040099 return ok
100
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -0400101
Rick Deanb1ccd562009-07-09 23:52:39 -0500102def socket_pair():
Jean-Paul Calderone1a9613b2009-07-16 12:13:36 -0400103 """
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400104 Establish and return a pair of network sockets connected to each other.
Jean-Paul Calderone1a9613b2009-07-16 12:13:36 -0400105 """
106 # Connect a pair of sockets
Rick Deanb1ccd562009-07-09 23:52:39 -0500107 port = socket()
108 port.bind(('', 0))
109 port.listen(1)
110 client = socket()
111 client.setblocking(False)
Jean-Paul Calderonef23c5d92009-07-23 17:58:15 -0400112 client.connect_ex(("127.0.0.1", port.getsockname()[1]))
Jean-Paul Calderone94b24a82009-07-16 19:11:38 -0400113 client.setblocking(True)
Rick Deanb1ccd562009-07-09 23:52:39 -0500114 server = port.accept()[0]
Rick Deanb1ccd562009-07-09 23:52:39 -0500115
Jean-Paul Calderone1a9613b2009-07-16 12:13:36 -0400116 # Let's pass some unencrypted data to make sure our socket connection is
117 # fine. Just one byte, so we don't have to worry about buffers getting
118 # filled up or fragmentation.
Jean-Paul Calderone9e4eeae2010-08-22 21:32:52 -0400119 server.send(b("x"))
120 assert client.recv(1024) == b("x")
121 client.send(b("y"))
122 assert server.recv(1024) == b("y")
Rick Deanb1ccd562009-07-09 23:52:39 -0500123
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -0400124 # Most of our callers want non-blocking sockets, make it easy for them.
Jean-Paul Calderone94b24a82009-07-16 19:11:38 -0400125 server.setblocking(False)
126 client.setblocking(False)
127
Rick Deanb1ccd562009-07-09 23:52:39 -0500128 return (server, client)
129
130
Jean-Paul Calderone94b24a82009-07-16 19:11:38 -0400131
Jean-Paul Calderonef8742032010-09-25 00:00:32 -0400132def handshake(client, server):
133 conns = [client, server]
134 while conns:
135 for conn in conns:
136 try:
137 conn.do_handshake()
138 except WantReadError:
139 pass
140 else:
141 conns.remove(conn)
142
143
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -0400144def _create_certificate_chain():
145 """
146 Construct and return a chain of certificates.
147
148 1. A new self-signed certificate authority certificate (cacert)
149 2. A new intermediate certificate signed by cacert (icert)
150 3. A new server certificate signed by icert (scert)
151 """
152 caext = X509Extension(b('basicConstraints'), False, b('CA:true'))
153
154 # Step 1
155 cakey = PKey()
156 cakey.generate_key(TYPE_RSA, 512)
157 cacert = X509()
158 cacert.get_subject().commonName = "Authority Certificate"
159 cacert.set_issuer(cacert.get_subject())
160 cacert.set_pubkey(cakey)
161 cacert.set_notBefore(b("20000101000000Z"))
162 cacert.set_notAfter(b("20200101000000Z"))
163 cacert.add_extensions([caext])
164 cacert.set_serial_number(0)
165 cacert.sign(cakey, "sha1")
166
167 # Step 2
168 ikey = PKey()
169 ikey.generate_key(TYPE_RSA, 512)
170 icert = X509()
171 icert.get_subject().commonName = "Intermediate Certificate"
172 icert.set_issuer(cacert.get_subject())
173 icert.set_pubkey(ikey)
174 icert.set_notBefore(b("20000101000000Z"))
175 icert.set_notAfter(b("20200101000000Z"))
176 icert.add_extensions([caext])
177 icert.set_serial_number(0)
178 icert.sign(cakey, "sha1")
179
180 # Step 3
181 skey = PKey()
182 skey.generate_key(TYPE_RSA, 512)
183 scert = X509()
184 scert.get_subject().commonName = "Server Certificate"
185 scert.set_issuer(icert.get_subject())
186 scert.set_pubkey(skey)
187 scert.set_notBefore(b("20000101000000Z"))
188 scert.set_notAfter(b("20200101000000Z"))
189 scert.add_extensions([
190 X509Extension(b('basicConstraints'), True, b('CA:false'))])
191 scert.set_serial_number(0)
192 scert.sign(ikey, "sha1")
193
194 return [(cakey, cacert), (ikey, icert), (skey, scert)]
195
196
197
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400198class _LoopbackMixin:
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -0400199 """
200 Helper mixin which defines methods for creating a connected socket pair and
201 for forcing two connected SSL sockets to talk to each other via memory BIOs.
202 """
Jean-Paul Calderonefef5c4b2012-02-14 16:31:52 -0500203 def _loopbackClientFactory(self, socket):
204 client = Connection(Context(TLSv1_METHOD), socket)
205 client.set_connect_state()
206 return client
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400207
Jean-Paul Calderonefef5c4b2012-02-14 16:31:52 -0500208
209 def _loopbackServerFactory(self, socket):
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400210 ctx = Context(TLSv1_METHOD)
211 ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
212 ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
Jean-Paul Calderonefef5c4b2012-02-14 16:31:52 -0500213 server = Connection(ctx, socket)
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400214 server.set_accept_state()
Jean-Paul Calderonefef5c4b2012-02-14 16:31:52 -0500215 return server
216
217
218 def _loopback(self, serverFactory=None, clientFactory=None):
219 if serverFactory is None:
220 serverFactory = self._loopbackServerFactory
221 if clientFactory is None:
222 clientFactory = self._loopbackClientFactory
223
224 (server, client) = socket_pair()
225 server = serverFactory(server)
226 client = clientFactory(client)
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400227
Jean-Paul Calderonef8742032010-09-25 00:00:32 -0400228 handshake(client, server)
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400229
230 server.setblocking(True)
231 client.setblocking(True)
232 return server, client
233
234
235 def _interactInMemory(self, client_conn, server_conn):
236 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900237 Try to read application bytes from each of the two :py:obj:`Connection`
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400238 objects. Copy bytes back and forth between their send/receive buffers
239 for as long as there is anything to copy. When there is nothing more
Jonathan Ballet648875f2011-07-16 14:14:58 +0900240 to copy, return :py:obj:`None`. If one of them actually manages to deliver
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400241 some application bytes, return a two-tuple of the connection from which
242 the bytes were read and the bytes themselves.
243 """
244 wrote = True
245 while wrote:
246 # Loop until neither side has anything to say
247 wrote = False
248
249 # Copy stuff from each side's send buffer to the other side's
250 # receive buffer.
251 for (read, write) in [(client_conn, server_conn),
252 (server_conn, client_conn)]:
253
254 # Give the side a chance to generate some more bytes, or
255 # succeed.
256 try:
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -0400257 data = read.recv(2 ** 16)
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400258 except WantReadError:
259 # It didn't succeed, so we'll hope it generated some
260 # output.
261 pass
262 else:
263 # It did succeed, so we'll stop now and let the caller deal
264 # with it.
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -0400265 return (read, data)
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400266
267 while True:
268 # Keep copying as long as there's more stuff there.
269 try:
270 dirty = read.bio_read(4096)
271 except WantReadError:
272 # Okay, nothing more waiting to be sent. Stop
273 # processing this send buffer.
274 break
275 else:
276 # Keep track of the fact that someone generated some
277 # output.
278 wrote = True
279 write.bio_write(dirty)
280
281
Jean-Paul Calderone6a8cd112014-04-02 21:09:08 -0400282 def _handshakeInMemory(self, client_conn, server_conn):
Jean-Paul Calderoneb2b40782014-05-06 08:47:40 -0400283 """
284 Perform the TLS handshake between two :py:class:`Connection` instances
285 connected to each other via memory BIOs.
286 """
Jean-Paul Calderone6a8cd112014-04-02 21:09:08 -0400287 client_conn.set_connect_state()
288 server_conn.set_accept_state()
289
290 for conn in [client_conn, server_conn]:
291 try:
292 conn.do_handshake()
293 except WantReadError:
294 pass
295
296 self._interactInMemory(client_conn, server_conn)
297
298
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -0400299
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400300class VersionTests(TestCase):
301 """
302 Tests for version information exposed by
Jonathan Ballet648875f2011-07-16 14:14:58 +0900303 :py:obj:`OpenSSL.SSL.SSLeay_version` and
304 :py:obj:`OpenSSL.SSL.OPENSSL_VERSION_NUMBER`.
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400305 """
306 def test_OPENSSL_VERSION_NUMBER(self):
307 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900308 :py:obj:`OPENSSL_VERSION_NUMBER` is an integer with status in the low
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400309 byte and the patch, fix, minor, and major versions in the
310 nibbles above that.
311 """
312 self.assertTrue(isinstance(OPENSSL_VERSION_NUMBER, int))
313
314
315 def test_SSLeay_version(self):
316 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900317 :py:obj:`SSLeay_version` takes a version type indicator and returns
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400318 one of a number of version strings based on that indicator.
319 """
320 versions = {}
321 for t in [SSLEAY_VERSION, SSLEAY_CFLAGS, SSLEAY_BUILT_ON,
322 SSLEAY_PLATFORM, SSLEAY_DIR]:
323 version = SSLeay_version(t)
324 versions[version] = t
325 self.assertTrue(isinstance(version, bytes))
326 self.assertEqual(len(versions), 5)
327
328
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400329
330class ContextTests(TestCase, _LoopbackMixin):
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -0400331 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900332 Unit tests for :py:obj:`OpenSSL.SSL.Context`.
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -0400333 """
334 def test_method(self):
335 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900336 :py:obj:`Context` can be instantiated with one of :py:obj:`SSLv2_METHOD`,
Jean-Paul Calderone1461c492013-10-03 16:05:00 -0400337 :py:obj:`SSLv3_METHOD`, :py:obj:`SSLv23_METHOD`, :py:obj:`TLSv1_METHOD`,
338 :py:obj:`TLSv1_1_METHOD`, or :py:obj:`TLSv1_2_METHOD`.
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -0400339 """
Jean-Paul Calderone1461c492013-10-03 16:05:00 -0400340 methods = [
341 SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD]
342 for meth in methods:
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -0400343 Context(meth)
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400344
Jean-Paul Calderone1461c492013-10-03 16:05:00 -0400345
346 maybe = [SSLv2_METHOD, TLSv1_1_METHOD, TLSv1_2_METHOD]
347 for meth in maybe:
348 try:
349 Context(meth)
350 except (Error, ValueError):
351 # Some versions of OpenSSL have SSLv2 / TLSv1.1 / TLSv1.2, some
352 # don't. Difficult to say in advance.
353 pass
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400354
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -0400355 self.assertRaises(TypeError, Context, "")
356 self.assertRaises(ValueError, Context, 10)
357
358
Jean-Paul Calderonef73a3cb2014-02-09 08:49:06 -0500359 if not PY3:
360 def test_method_long(self):
361 """
362 On Python 2 :py:class:`Context` accepts values of type
363 :py:obj:`long` as well as :py:obj:`int`.
364 """
365 Context(long(TLSv1_METHOD))
366
367
368
Rick Deane15b1472009-07-09 15:53:42 -0500369 def test_type(self):
370 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900371 :py:obj:`Context` and :py:obj:`ContextType` refer to the same type object and can be
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400372 used to create instances of that type.
Rick Deane15b1472009-07-09 15:53:42 -0500373 """
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400374 self.assertIdentical(Context, ContextType)
375 self.assertConsistentType(Context, 'Context', TLSv1_METHOD)
Rick Deane15b1472009-07-09 15:53:42 -0500376
377
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -0400378 def test_use_privatekey(self):
379 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900380 :py:obj:`Context.use_privatekey` takes an :py:obj:`OpenSSL.crypto.PKey` instance.
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -0400381 """
382 key = PKey()
383 key.generate_key(TYPE_RSA, 128)
384 ctx = Context(TLSv1_METHOD)
385 ctx.use_privatekey(key)
386 self.assertRaises(TypeError, ctx.use_privatekey, "")
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400387
388
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800389 def test_use_privatekey_file_missing(self):
390 """
391 :py:obj:`Context.use_privatekey_file` raises :py:obj:`OpenSSL.SSL.Error`
392 when passed the name of a file which does not exist.
393 """
394 ctx = Context(TLSv1_METHOD)
395 self.assertRaises(Error, ctx.use_privatekey_file, self.mktemp())
396
397
Jean-Paul Calderonef73a3cb2014-02-09 08:49:06 -0500398 if not PY3:
399 def test_use_privatekey_file_long(self):
400 """
401 On Python 2 :py:obj:`Context.use_privatekey_file` accepts a
402 filetype of type :py:obj:`long` as well as :py:obj:`int`.
403 """
404 pemfile = self.mktemp()
405
406 key = PKey()
407 key.generate_key(TYPE_RSA, 128)
408
409 with open(pemfile, "wt") as pem:
410 pem.write(
411 dump_privatekey(FILETYPE_PEM, key).decode("ascii"))
412
413 ctx = Context(TLSv1_METHOD)
414 ctx.use_privatekey_file(pemfile, long(FILETYPE_PEM))
415
416
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800417 def test_use_certificate_wrong_args(self):
418 """
419 :py:obj:`Context.use_certificate_wrong_args` raises :py:obj:`TypeError`
420 when not passed exactly one :py:obj:`OpenSSL.crypto.X509` instance as an
421 argument.
422 """
423 ctx = Context(TLSv1_METHOD)
424 self.assertRaises(TypeError, ctx.use_certificate)
425 self.assertRaises(TypeError, ctx.use_certificate, "hello, world")
426 self.assertRaises(TypeError, ctx.use_certificate, X509(), "hello, world")
427
428
429 def test_use_certificate_uninitialized(self):
430 """
431 :py:obj:`Context.use_certificate` raises :py:obj:`OpenSSL.SSL.Error`
432 when passed a :py:obj:`OpenSSL.crypto.X509` instance which has not been
433 initialized (ie, which does not actually have any certificate data).
434 """
435 ctx = Context(TLSv1_METHOD)
436 self.assertRaises(Error, ctx.use_certificate, X509())
437
438
439 def test_use_certificate(self):
440 """
441 :py:obj:`Context.use_certificate` sets the certificate which will be
442 used to identify connections created using the context.
443 """
444 # TODO
445 # Hard to assert anything. But we could set a privatekey then ask
446 # OpenSSL if the cert and key agree using check_privatekey. Then as
447 # long as check_privatekey works right we're good...
448 ctx = Context(TLSv1_METHOD)
449 ctx.use_certificate(load_certificate(FILETYPE_PEM, cleartextCertificatePEM))
450
451
452 def test_use_certificate_file_wrong_args(self):
453 """
454 :py:obj:`Context.use_certificate_file` raises :py:obj:`TypeError` if
455 called with zero arguments or more than two arguments, or if the first
456 argument is not a byte string or the second argumnent is not an integer.
457 """
458 ctx = Context(TLSv1_METHOD)
459 self.assertRaises(TypeError, ctx.use_certificate_file)
460 self.assertRaises(TypeError, ctx.use_certificate_file, b"somefile", object())
461 self.assertRaises(
462 TypeError, ctx.use_certificate_file, b"somefile", FILETYPE_PEM, object())
463 self.assertRaises(
464 TypeError, ctx.use_certificate_file, object(), FILETYPE_PEM)
465 self.assertRaises(
466 TypeError, ctx.use_certificate_file, b"somefile", object())
467
468
469 def test_use_certificate_file_missing(self):
470 """
471 :py:obj:`Context.use_certificate_file` raises
472 `:py:obj:`OpenSSL.SSL.Error` if passed the name of a file which does not
473 exist.
474 """
475 ctx = Context(TLSv1_METHOD)
476 self.assertRaises(Error, ctx.use_certificate_file, self.mktemp())
477
478
479 def test_use_certificate_file(self):
480 """
481 :py:obj:`Context.use_certificate` sets the certificate which will be
482 used to identify connections created using the context.
483 """
484 # TODO
485 # Hard to assert anything. But we could set a privatekey then ask
486 # OpenSSL if the cert and key agree using check_privatekey. Then as
487 # long as check_privatekey works right we're good...
488 pem_filename = self.mktemp()
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500489 with open(pem_filename, "wb") as pem_file:
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800490 pem_file.write(cleartextCertificatePEM)
491
492 ctx = Context(TLSv1_METHOD)
493 ctx.use_certificate_file(pem_filename)
494
495
Jean-Paul Calderonef73a3cb2014-02-09 08:49:06 -0500496 if not PY3:
497 def test_use_certificate_file_long(self):
498 """
499 On Python 2 :py:obj:`Context.use_certificate_file` accepts a
500 filetype of type :py:obj:`long` as well as :py:obj:`int`.
501 """
502 pem_filename = self.mktemp()
503 with open(pem_filename, "wb") as pem_file:
504 pem_file.write(cleartextCertificatePEM)
505
506 ctx = Context(TLSv1_METHOD)
507 ctx.use_certificate_file(pem_filename, long(FILETYPE_PEM))
508
509
Jean-Paul Calderonebd479162010-07-30 18:03:25 -0400510 def test_set_app_data_wrong_args(self):
511 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900512 :py:obj:`Context.set_app_data` raises :py:obj:`TypeError` if called with other than
Jean-Paul Calderonebd479162010-07-30 18:03:25 -0400513 one argument.
514 """
515 context = Context(TLSv1_METHOD)
516 self.assertRaises(TypeError, context.set_app_data)
517 self.assertRaises(TypeError, context.set_app_data, None, None)
518
519
520 def test_get_app_data_wrong_args(self):
521 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900522 :py:obj:`Context.get_app_data` raises :py:obj:`TypeError` if called with any
Jean-Paul Calderonebd479162010-07-30 18:03:25 -0400523 arguments.
524 """
525 context = Context(TLSv1_METHOD)
526 self.assertRaises(TypeError, context.get_app_data, None)
527
528
529 def test_app_data(self):
530 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900531 :py:obj:`Context.set_app_data` stores an object for later retrieval using
532 :py:obj:`Context.get_app_data`.
Jean-Paul Calderonebd479162010-07-30 18:03:25 -0400533 """
534 app_data = object()
535 context = Context(TLSv1_METHOD)
536 context.set_app_data(app_data)
537 self.assertIdentical(context.get_app_data(), app_data)
538
539
Jean-Paul Calderone40569ca2010-07-30 18:04:58 -0400540 def test_set_options_wrong_args(self):
541 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900542 :py:obj:`Context.set_options` raises :py:obj:`TypeError` if called with the wrong
543 number of arguments or a non-:py:obj:`int` argument.
Jean-Paul Calderone40569ca2010-07-30 18:04:58 -0400544 """
545 context = Context(TLSv1_METHOD)
546 self.assertRaises(TypeError, context.set_options)
547 self.assertRaises(TypeError, context.set_options, None)
548 self.assertRaises(TypeError, context.set_options, 1, None)
549
550
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -0500551 def test_set_options(self):
552 """
553 :py:obj:`Context.set_options` returns the new options value.
554 """
555 context = Context(TLSv1_METHOD)
556 options = context.set_options(OP_NO_SSLv2)
557 self.assertTrue(OP_NO_SSLv2 & options)
558
559
560 if not PY3:
561 def test_set_options_long(self):
562 """
563 On Python 2 :py:obj:`Context.set_options` accepts values of type
564 :py:obj:`long` as well as :py:obj:`int`.
565 """
566 context = Context(TLSv1_METHOD)
567 options = context.set_options(long(OP_NO_SSLv2))
568 self.assertTrue(OP_NO_SSLv2 & options)
569
570
Guillermo Gonzalez74a2c292011-08-29 16:16:58 -0300571 def test_set_mode_wrong_args(self):
572 """
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -0400573 :py:obj:`Context.set`mode} raises :py:obj:`TypeError` if called with the wrong
574 number of arguments or a non-:py:obj:`int` argument.
Guillermo Gonzalez74a2c292011-08-29 16:16:58 -0300575 """
576 context = Context(TLSv1_METHOD)
577 self.assertRaises(TypeError, context.set_mode)
578 self.assertRaises(TypeError, context.set_mode, None)
579 self.assertRaises(TypeError, context.set_mode, 1, None)
580
581
Jean-Paul Calderone0222a492011-09-08 18:26:03 -0400582 if MODE_RELEASE_BUFFERS is not None:
583 def test_set_mode(self):
584 """
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -0400585 :py:obj:`Context.set_mode` accepts a mode bitvector and returns the newly
Jean-Paul Calderone0222a492011-09-08 18:26:03 -0400586 set mode.
587 """
588 context = Context(TLSv1_METHOD)
589 self.assertTrue(
590 MODE_RELEASE_BUFFERS & context.set_mode(MODE_RELEASE_BUFFERS))
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -0500591
592 if not PY3:
593 def test_set_mode_long(self):
594 """
595 On Python 2 :py:obj:`Context.set_mode` accepts values of type
596 :py:obj:`long` as well as :py:obj:`int`.
597 """
598 context = Context(TLSv1_METHOD)
599 mode = context.set_mode(long(MODE_RELEASE_BUFFERS))
600 self.assertTrue(MODE_RELEASE_BUFFERS & mode)
Jean-Paul Calderone0222a492011-09-08 18:26:03 -0400601 else:
602 "MODE_RELEASE_BUFFERS unavailable - OpenSSL version may be too old"
603
604
Jean-Paul Calderone5ebb44a2010-07-30 18:09:41 -0400605 def test_set_timeout_wrong_args(self):
606 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900607 :py:obj:`Context.set_timeout` raises :py:obj:`TypeError` if called with the wrong
608 number of arguments or a non-:py:obj:`int` argument.
Jean-Paul Calderone5ebb44a2010-07-30 18:09:41 -0400609 """
610 context = Context(TLSv1_METHOD)
611 self.assertRaises(TypeError, context.set_timeout)
612 self.assertRaises(TypeError, context.set_timeout, None)
613 self.assertRaises(TypeError, context.set_timeout, 1, None)
614
615
616 def test_get_timeout_wrong_args(self):
617 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900618 :py:obj:`Context.get_timeout` raises :py:obj:`TypeError` if called with any arguments.
Jean-Paul Calderone5ebb44a2010-07-30 18:09:41 -0400619 """
620 context = Context(TLSv1_METHOD)
621 self.assertRaises(TypeError, context.get_timeout, None)
622
623
624 def test_timeout(self):
625 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900626 :py:obj:`Context.set_timeout` sets the session timeout for all connections
627 created using the context object. :py:obj:`Context.get_timeout` retrieves this
Jean-Paul Calderone5ebb44a2010-07-30 18:09:41 -0400628 value.
629 """
630 context = Context(TLSv1_METHOD)
631 context.set_timeout(1234)
632 self.assertEquals(context.get_timeout(), 1234)
633
634
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -0500635 if not PY3:
636 def test_timeout_long(self):
637 """
638 On Python 2 :py:obj:`Context.set_timeout` accepts values of type
639 `long` as well as int.
640 """
641 context = Context(TLSv1_METHOD)
642 context.set_timeout(long(1234))
643 self.assertEquals(context.get_timeout(), 1234)
644
645
Jean-Paul Calderonee2b69512010-07-30 18:22:06 -0400646 def test_set_verify_depth_wrong_args(self):
647 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900648 :py:obj:`Context.set_verify_depth` raises :py:obj:`TypeError` if called with the wrong
649 number of arguments or a non-:py:obj:`int` argument.
Jean-Paul Calderonee2b69512010-07-30 18:22:06 -0400650 """
651 context = Context(TLSv1_METHOD)
652 self.assertRaises(TypeError, context.set_verify_depth)
653 self.assertRaises(TypeError, context.set_verify_depth, None)
654 self.assertRaises(TypeError, context.set_verify_depth, 1, None)
655
656
657 def test_get_verify_depth_wrong_args(self):
658 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900659 :py:obj:`Context.get_verify_depth` raises :py:obj:`TypeError` if called with any arguments.
Jean-Paul Calderonee2b69512010-07-30 18:22:06 -0400660 """
661 context = Context(TLSv1_METHOD)
662 self.assertRaises(TypeError, context.get_verify_depth, None)
663
664
665 def test_verify_depth(self):
666 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900667 :py:obj:`Context.set_verify_depth` sets the number of certificates in a chain
Jean-Paul Calderonee2b69512010-07-30 18:22:06 -0400668 to follow before giving up. The value can be retrieved with
Jonathan Ballet648875f2011-07-16 14:14:58 +0900669 :py:obj:`Context.get_verify_depth`.
Jean-Paul Calderonee2b69512010-07-30 18:22:06 -0400670 """
671 context = Context(TLSv1_METHOD)
672 context.set_verify_depth(11)
673 self.assertEquals(context.get_verify_depth(), 11)
674
675
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -0500676 if not PY3:
677 def test_verify_depth_long(self):
678 """
679 On Python 2 :py:obj:`Context.set_verify_depth` accepts values of
680 type `long` as well as int.
681 """
682 context = Context(TLSv1_METHOD)
683 context.set_verify_depth(long(11))
684 self.assertEquals(context.get_verify_depth(), 11)
685
686
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400687 def _write_encrypted_pem(self, passphrase):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -0400688 """
689 Write a new private key out to a new file, encrypted using the given
690 passphrase. Return the path to the new file.
691 """
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400692 key = PKey()
693 key.generate_key(TYPE_RSA, 128)
694 pemFile = self.mktemp()
Jean-Paul Calderonea9868832010-08-22 21:38:34 -0400695 fObj = open(pemFile, 'w')
696 pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase)
697 fObj.write(pem.decode('ascii'))
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400698 fObj.close()
699 return pemFile
700
701
Jean-Paul Calderonef4480622010-08-02 18:25:03 -0400702 def test_set_passwd_cb_wrong_args(self):
703 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900704 :py:obj:`Context.set_passwd_cb` raises :py:obj:`TypeError` if called with the
Jean-Paul Calderonef4480622010-08-02 18:25:03 -0400705 wrong arguments or with a non-callable first argument.
706 """
707 context = Context(TLSv1_METHOD)
708 self.assertRaises(TypeError, context.set_passwd_cb)
709 self.assertRaises(TypeError, context.set_passwd_cb, None)
710 self.assertRaises(TypeError, context.set_passwd_cb, lambda: None, None, None)
711
712
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400713 def test_set_passwd_cb(self):
714 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900715 :py:obj:`Context.set_passwd_cb` accepts a callable which will be invoked when
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400716 a private key is loaded from an encrypted PEM.
717 """
Jean-Paul Calderonea9868832010-08-22 21:38:34 -0400718 passphrase = b("foobar")
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400719 pemFile = self._write_encrypted_pem(passphrase)
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400720 calledWith = []
721 def passphraseCallback(maxlen, verify, extra):
722 calledWith.append((maxlen, verify, extra))
723 return passphrase
724 context = Context(TLSv1_METHOD)
725 context.set_passwd_cb(passphraseCallback)
726 context.use_privatekey_file(pemFile)
727 self.assertTrue(len(calledWith), 1)
728 self.assertTrue(isinstance(calledWith[0][0], int))
729 self.assertTrue(isinstance(calledWith[0][1], int))
730 self.assertEqual(calledWith[0][2], None)
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400731
732
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400733 def test_passwd_callback_exception(self):
734 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900735 :py:obj:`Context.use_privatekey_file` propagates any exception raised by the
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400736 passphrase callback.
737 """
Jean-Paul Calderonea9868832010-08-22 21:38:34 -0400738 pemFile = self._write_encrypted_pem(b("monkeys are nice"))
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400739 def passphraseCallback(maxlen, verify, extra):
740 raise RuntimeError("Sorry, I am a fail.")
741
742 context = Context(TLSv1_METHOD)
743 context.set_passwd_cb(passphraseCallback)
744 self.assertRaises(RuntimeError, context.use_privatekey_file, pemFile)
745
746
747 def test_passwd_callback_false(self):
748 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900749 :py:obj:`Context.use_privatekey_file` raises :py:obj:`OpenSSL.SSL.Error` if the
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400750 passphrase callback returns a false value.
751 """
Jean-Paul Calderonea9868832010-08-22 21:38:34 -0400752 pemFile = self._write_encrypted_pem(b("monkeys are nice"))
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400753 def passphraseCallback(maxlen, verify, extra):
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500754 return b""
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400755
756 context = Context(TLSv1_METHOD)
757 context.set_passwd_cb(passphraseCallback)
758 self.assertRaises(Error, context.use_privatekey_file, pemFile)
759
760
761 def test_passwd_callback_non_string(self):
762 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900763 :py:obj:`Context.use_privatekey_file` raises :py:obj:`OpenSSL.SSL.Error` if the
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400764 passphrase callback returns a true non-string value.
765 """
Jean-Paul Calderonea9868832010-08-22 21:38:34 -0400766 pemFile = self._write_encrypted_pem(b("monkeys are nice"))
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400767 def passphraseCallback(maxlen, verify, extra):
768 return 10
769
770 context = Context(TLSv1_METHOD)
771 context.set_passwd_cb(passphraseCallback)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800772 self.assertRaises(ValueError, context.use_privatekey_file, pemFile)
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400773
774
775 def test_passwd_callback_too_long(self):
776 """
777 If the passphrase returned by the passphrase callback returns a string
778 longer than the indicated maximum length, it is truncated.
779 """
780 # A priori knowledge!
Jean-Paul Calderonea9868832010-08-22 21:38:34 -0400781 passphrase = b("x") * 1024
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400782 pemFile = self._write_encrypted_pem(passphrase)
783 def passphraseCallback(maxlen, verify, extra):
784 assert maxlen == 1024
Jean-Paul Calderoneb1f7f5f2010-08-22 21:40:52 -0400785 return passphrase + b("y")
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400786
787 context = Context(TLSv1_METHOD)
788 context.set_passwd_cb(passphraseCallback)
789 # This shall succeed because the truncated result is the correct
790 # passphrase.
791 context.use_privatekey_file(pemFile)
792
793
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400794 def test_set_info_callback(self):
795 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900796 :py:obj:`Context.set_info_callback` accepts a callable which will be invoked
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400797 when certain information about an SSL connection is available.
798 """
Rick Deanb1ccd562009-07-09 23:52:39 -0500799 (server, client) = socket_pair()
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400800
801 clientSSL = Connection(Context(TLSv1_METHOD), client)
802 clientSSL.set_connect_state()
803
804 called = []
805 def info(conn, where, ret):
806 called.append((conn, where, ret))
807 context = Context(TLSv1_METHOD)
808 context.set_info_callback(info)
809 context.use_certificate(
810 load_certificate(FILETYPE_PEM, cleartextCertificatePEM))
811 context.use_privatekey(
812 load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))
813
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400814 serverSSL = Connection(context, server)
815 serverSSL.set_accept_state()
816
Jean-Paul Calderonef2bbc9c2014-02-02 10:59:14 -0500817 handshake(clientSSL, serverSSL)
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400818
Jean-Paul Calderone3835e522014-02-02 11:12:30 -0500819 # The callback must always be called with a Connection instance as the
820 # first argument. It would probably be better to split this into
821 # separate tests for client and server side info callbacks so we could
822 # assert it is called with the right Connection instance. It would
823 # also be good to assert *something* about `where` and `ret`.
Jean-Paul Calderonef2bbc9c2014-02-02 10:59:14 -0500824 notConnections = [
825 conn for (conn, where, ret) in called
826 if not isinstance(conn, Connection)]
827 self.assertEqual(
828 [], notConnections,
829 "Some info callback arguments were not Connection instaces.")
Jean-Paul Calderonee1bd4322008-09-07 20:17:17 -0400830
831
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400832 def _load_verify_locations_test(self, *args):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -0400833 """
834 Create a client context which will verify the peer certificate and call
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -0400835 its :py:obj:`load_verify_locations` method with the given arguments.
836 Then connect it to a server and ensure that the handshake succeeds.
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -0400837 """
Rick Deanb1ccd562009-07-09 23:52:39 -0500838 (server, client) = socket_pair()
Jean-Paul Calderonee1bd4322008-09-07 20:17:17 -0400839
Jean-Paul Calderonee1bd4322008-09-07 20:17:17 -0400840 clientContext = Context(TLSv1_METHOD)
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400841 clientContext.load_verify_locations(*args)
Jean-Paul Calderonee1bd4322008-09-07 20:17:17 -0400842 # Require that the server certificate verify properly or the
843 # connection will fail.
844 clientContext.set_verify(
845 VERIFY_PEER,
846 lambda conn, cert, errno, depth, preverify_ok: preverify_ok)
847
848 clientSSL = Connection(clientContext, client)
849 clientSSL.set_connect_state()
850
Jean-Paul Calderonee1bd4322008-09-07 20:17:17 -0400851 serverContext = Context(TLSv1_METHOD)
852 serverContext.use_certificate(
853 load_certificate(FILETYPE_PEM, cleartextCertificatePEM))
854 serverContext.use_privatekey(
855 load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))
856
857 serverSSL = Connection(serverContext, server)
858 serverSSL.set_accept_state()
859
Jean-Paul Calderonef8742032010-09-25 00:00:32 -0400860 # Without load_verify_locations above, the handshake
861 # will fail:
862 # Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE',
863 # 'certificate verify failed')]
864 handshake(clientSSL, serverSSL)
Jean-Paul Calderonee1bd4322008-09-07 20:17:17 -0400865
866 cert = clientSSL.get_peer_certificate()
Jean-Paul Calderone20131f52009-04-01 12:05:45 -0400867 self.assertEqual(cert.get_subject().CN, 'Testing Root CA')
Jean-Paul Calderone5075fce2008-09-07 20:18:55 -0400868
Jean-Paul Calderone12608a82009-11-07 10:35:15 -0500869
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400870 def test_load_verify_file(self):
871 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900872 :py:obj:`Context.load_verify_locations` accepts a file name and uses the
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400873 certificates within for verification purposes.
874 """
875 cafile = self.mktemp()
Jean-Paul Calderonea9868832010-08-22 21:38:34 -0400876 fObj = open(cafile, 'w')
Jean-Paul Calderoneb1f7f5f2010-08-22 21:40:52 -0400877 fObj.write(cleartextCertificatePEM.decode('ascii'))
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400878 fObj.close()
879
880 self._load_verify_locations_test(cafile)
881
Jean-Paul Calderone5075fce2008-09-07 20:18:55 -0400882
883 def test_load_verify_invalid_file(self):
884 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900885 :py:obj:`Context.load_verify_locations` raises :py:obj:`Error` when passed a
Jean-Paul Calderone5075fce2008-09-07 20:18:55 -0400886 non-existent cafile.
887 """
888 clientContext = Context(TLSv1_METHOD)
889 self.assertRaises(
890 Error, clientContext.load_verify_locations, self.mktemp())
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400891
892
893 def test_load_verify_directory(self):
894 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900895 :py:obj:`Context.load_verify_locations` accepts a directory name and uses
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400896 the certificates within for verification purposes.
897 """
898 capath = self.mktemp()
899 makedirs(capath)
Jean-Paul Calderone24dfb332011-05-04 18:10:26 -0400900 # Hash values computed manually with c_rehash to avoid depending on
901 # c_rehash in the test suite. One is from OpenSSL 0.9.8, the other
902 # from OpenSSL 1.0.0.
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500903 for name in [b'c7adac82.0', b'c3705638.0']:
Jean-Paul Calderone24dfb332011-05-04 18:10:26 -0400904 cafile = join(capath, name)
905 fObj = open(cafile, 'w')
906 fObj.write(cleartextCertificatePEM.decode('ascii'))
907 fObj.close()
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400908
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400909 self._load_verify_locations_test(None, capath)
910
911
Jean-Paul Calderonef4480622010-08-02 18:25:03 -0400912 def test_load_verify_locations_wrong_args(self):
913 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900914 :py:obj:`Context.load_verify_locations` raises :py:obj:`TypeError` if called with
915 the wrong number of arguments or with non-:py:obj:`str` arguments.
Jean-Paul Calderonef4480622010-08-02 18:25:03 -0400916 """
917 context = Context(TLSv1_METHOD)
918 self.assertRaises(TypeError, context.load_verify_locations)
919 self.assertRaises(TypeError, context.load_verify_locations, object())
920 self.assertRaises(TypeError, context.load_verify_locations, object(), object())
921 self.assertRaises(TypeError, context.load_verify_locations, None, None, None)
922
923
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -0400924 if platform == "win32":
925 "set_default_verify_paths appears not to work on Windows. "
Jean-Paul Calderone28fb8f02009-07-24 18:01:31 -0400926 "See LP#404343 and LP#404344."
927 else:
928 def test_set_default_verify_paths(self):
929 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900930 :py:obj:`Context.set_default_verify_paths` causes the platform-specific CA
Jean-Paul Calderone28fb8f02009-07-24 18:01:31 -0400931 certificate locations to be used for verification purposes.
932 """
933 # Testing this requires a server with a certificate signed by one of
934 # the CAs in the platform CA location. Getting one of those costs
935 # money. Fortunately (or unfortunately, depending on your
936 # perspective), it's easy to think of a public server on the
937 # internet which has such a certificate. Connecting to the network
938 # in a unit test is bad, but it's the only way I can think of to
939 # really test this. -exarkun
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400940
Jean-Paul Calderone28fb8f02009-07-24 18:01:31 -0400941 # Arg, verisign.com doesn't speak TLSv1
942 context = Context(SSLv3_METHOD)
943 context.set_default_verify_paths()
944 context.set_verify(
Ziga Seilnacht44611bf2009-08-31 20:49:30 +0200945 VERIFY_PEER,
Jean-Paul Calderone28fb8f02009-07-24 18:01:31 -0400946 lambda conn, cert, errno, depth, preverify_ok: preverify_ok)
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400947
Jean-Paul Calderone28fb8f02009-07-24 18:01:31 -0400948 client = socket()
949 client.connect(('verisign.com', 443))
950 clientSSL = Connection(context, client)
951 clientSSL.set_connect_state()
952 clientSSL.do_handshake()
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500953 clientSSL.send(b"GET / HTTP/1.0\r\n\r\n")
Jean-Paul Calderone28fb8f02009-07-24 18:01:31 -0400954 self.assertTrue(clientSSL.recv(1024))
Jean-Paul Calderone9eadb962008-09-07 21:20:44 -0400955
956
957 def test_set_default_verify_paths_signature(self):
958 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900959 :py:obj:`Context.set_default_verify_paths` takes no arguments and raises
960 :py:obj:`TypeError` if given any.
Jean-Paul Calderone9eadb962008-09-07 21:20:44 -0400961 """
962 context = Context(TLSv1_METHOD)
963 self.assertRaises(TypeError, context.set_default_verify_paths, None)
964 self.assertRaises(TypeError, context.set_default_verify_paths, 1)
965 self.assertRaises(TypeError, context.set_default_verify_paths, "")
Jean-Paul Calderone327d8f92008-12-28 21:55:56 -0500966
Jean-Paul Calderonef4480622010-08-02 18:25:03 -0400967
Jean-Paul Calderone12608a82009-11-07 10:35:15 -0500968 def test_add_extra_chain_cert_invalid_cert(self):
969 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900970 :py:obj:`Context.add_extra_chain_cert` raises :py:obj:`TypeError` if called with
Jean-Paul Calderone12608a82009-11-07 10:35:15 -0500971 other than one argument or if called with an object which is not an
Jonathan Ballet648875f2011-07-16 14:14:58 +0900972 instance of :py:obj:`X509`.
Jean-Paul Calderone12608a82009-11-07 10:35:15 -0500973 """
974 context = Context(TLSv1_METHOD)
975 self.assertRaises(TypeError, context.add_extra_chain_cert)
976 self.assertRaises(TypeError, context.add_extra_chain_cert, object())
977 self.assertRaises(TypeError, context.add_extra_chain_cert, object(), object())
978
979
Jean-Paul Calderonef4480622010-08-02 18:25:03 -0400980 def _handshake_test(self, serverContext, clientContext):
981 """
982 Verify that a client and server created with the given contexts can
983 successfully handshake and communicate.
984 """
985 serverSocket, clientSocket = socket_pair()
986
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400987 server = Connection(serverContext, serverSocket)
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -0400988 server.set_accept_state()
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400989
Jean-Paul Calderonef4480622010-08-02 18:25:03 -0400990 client = Connection(clientContext, clientSocket)
991 client.set_connect_state()
992
993 # Make them talk to each other.
994 # self._interactInMemory(client, server)
995 for i in range(3):
996 for s in [client, server]:
997 try:
998 s.do_handshake()
999 except WantReadError:
1000 pass
1001
1002
Jean-Paul Calderone6a8cd112014-04-02 21:09:08 -04001003 def test_set_verify_callback_connection_argument(self):
1004 """
1005 The first argument passed to the verify callback is the
1006 :py:class:`Connection` instance for which verification is taking place.
1007 """
1008 serverContext = Context(TLSv1_METHOD)
1009 serverContext.use_privatekey(
1010 load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))
1011 serverContext.use_certificate(
1012 load_certificate(FILETYPE_PEM, cleartextCertificatePEM))
1013 serverConnection = Connection(serverContext, None)
1014
1015 class VerifyCallback(object):
1016 def callback(self, connection, *args):
1017 self.connection = connection
1018 return 1
1019
1020 verify = VerifyCallback()
1021 clientContext = Context(TLSv1_METHOD)
1022 clientContext.set_verify(VERIFY_PEER, verify.callback)
1023 clientConnection = Connection(clientContext, None)
1024 clientConnection.set_connect_state()
1025
1026 self._handshakeInMemory(clientConnection, serverConnection)
1027
1028 self.assertIdentical(verify.connection, clientConnection)
1029
1030
Jean-Paul Calderone7e166fe2013-03-06 20:54:38 -08001031 def test_set_verify_callback_exception(self):
1032 """
1033 If the verify callback passed to :py:obj:`Context.set_verify` raises an
1034 exception, verification fails and the exception is propagated to the
1035 caller of :py:obj:`Connection.do_handshake`.
1036 """
1037 serverContext = Context(TLSv1_METHOD)
1038 serverContext.use_privatekey(
1039 load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))
1040 serverContext.use_certificate(
1041 load_certificate(FILETYPE_PEM, cleartextCertificatePEM))
1042
1043 clientContext = Context(TLSv1_METHOD)
1044 def verify_callback(*args):
1045 raise Exception("silly verify failure")
1046 clientContext.set_verify(VERIFY_PEER, verify_callback)
1047
1048 exc = self.assertRaises(
1049 Exception, self._handshake_test, serverContext, clientContext)
1050 self.assertEqual("silly verify failure", str(exc))
1051
1052
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001053 def test_add_extra_chain_cert(self):
1054 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001055 :py:obj:`Context.add_extra_chain_cert` accepts an :py:obj:`X509` instance to add to
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001056 the certificate chain.
1057
Jonathan Ballet648875f2011-07-16 14:14:58 +09001058 See :py:obj:`_create_certificate_chain` for the details of the certificate
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001059 chain tested.
1060
1061 The chain is tested by starting a server with scert and connecting
1062 to it with a client which trusts cacert and requires verification to
1063 succeed.
1064 """
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -04001065 chain = _create_certificate_chain()
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001066 [(cakey, cacert), (ikey, icert), (skey, scert)] = chain
1067
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04001068 # Dump the CA certificate to a file because that's the only way to load
1069 # it as a trusted CA in the client context.
1070 for cert, name in [(cacert, 'ca.pem'), (icert, 'i.pem'), (scert, 's.pem')]:
Jean-Paul Calderonea9868832010-08-22 21:38:34 -04001071 fObj = open(name, 'w')
Jean-Paul Calderoneb1f7f5f2010-08-22 21:40:52 -04001072 fObj.write(dump_certificate(FILETYPE_PEM, cert).decode('ascii'))
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04001073 fObj.close()
1074
1075 for key, name in [(cakey, 'ca.key'), (ikey, 'i.key'), (skey, 's.key')]:
Jean-Paul Calderonea9868832010-08-22 21:38:34 -04001076 fObj = open(name, 'w')
Jean-Paul Calderoneb1f7f5f2010-08-22 21:40:52 -04001077 fObj.write(dump_privatekey(FILETYPE_PEM, key).decode('ascii'))
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04001078 fObj.close()
1079
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001080 # Create the server context
1081 serverContext = Context(TLSv1_METHOD)
1082 serverContext.use_privatekey(skey)
1083 serverContext.use_certificate(scert)
Jean-Paul Calderone16cf03d2010-09-08 18:53:39 -04001084 # The client already has cacert, we only need to give them icert.
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001085 serverContext.add_extra_chain_cert(icert)
1086
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04001087 # Create the client
1088 clientContext = Context(TLSv1_METHOD)
1089 clientContext.set_verify(
1090 VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05001091 clientContext.load_verify_locations(b"ca.pem")
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04001092
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001093 # Try it out.
1094 self._handshake_test(serverContext, clientContext)
1095
1096
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001097 def test_use_certificate_chain_file(self):
1098 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001099 :py:obj:`Context.use_certificate_chain_file` reads a certificate chain from
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001100 the specified file.
1101
1102 The chain is tested by starting a server with scert and connecting
1103 to it with a client which trusts cacert and requires verification to
1104 succeed.
1105 """
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -04001106 chain = _create_certificate_chain()
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001107 [(cakey, cacert), (ikey, icert), (skey, scert)] = chain
1108
1109 # Write out the chain file.
1110 chainFile = self.mktemp()
Jean-Paul Calderoned8607982014-01-18 10:30:55 -05001111 fObj = open(chainFile, 'wb')
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001112 # Most specific to least general.
Jean-Paul Calderoned8607982014-01-18 10:30:55 -05001113 fObj.write(dump_certificate(FILETYPE_PEM, scert))
1114 fObj.write(dump_certificate(FILETYPE_PEM, icert))
1115 fObj.write(dump_certificate(FILETYPE_PEM, cacert))
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001116 fObj.close()
1117
1118 serverContext = Context(TLSv1_METHOD)
1119 serverContext.use_certificate_chain_file(chainFile)
1120 serverContext.use_privatekey(skey)
1121
Jean-Paul Calderonea9868832010-08-22 21:38:34 -04001122 fObj = open('ca.pem', 'w')
1123 fObj.write(dump_certificate(FILETYPE_PEM, cacert).decode('ascii'))
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001124 fObj.close()
1125
1126 clientContext = Context(TLSv1_METHOD)
1127 clientContext.set_verify(
1128 VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05001129 clientContext.load_verify_locations(b"ca.pem")
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001130
1131 self._handshake_test(serverContext, clientContext)
1132
Jean-Paul Calderone131052e2013-03-05 11:56:19 -08001133
1134 def test_use_certificate_chain_file_wrong_args(self):
1135 """
1136 :py:obj:`Context.use_certificate_chain_file` raises :py:obj:`TypeError`
1137 if passed zero or more than one argument or when passed a non-byte
1138 string single argument. It also raises :py:obj:`OpenSSL.SSL.Error` when
1139 passed a bad chain file name (for example, the name of a file which does
1140 not exist).
1141 """
1142 context = Context(TLSv1_METHOD)
1143 self.assertRaises(TypeError, context.use_certificate_chain_file)
1144 self.assertRaises(TypeError, context.use_certificate_chain_file, object())
1145 self.assertRaises(TypeError, context.use_certificate_chain_file, b"foo", object())
1146
1147 self.assertRaises(Error, context.use_certificate_chain_file, self.mktemp())
1148
Jean-Paul Calderonee0d79362010-08-03 18:46:46 -04001149 # XXX load_client_ca
1150 # XXX set_session_id
Jean-Paul Calderone0294e3d2010-09-09 18:17:48 -04001151
1152 def test_get_verify_mode_wrong_args(self):
1153 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001154 :py:obj:`Context.get_verify_mode` raises :py:obj:`TypeError` if called with any
Jean-Paul Calderone0294e3d2010-09-09 18:17:48 -04001155 arguments.
1156 """
1157 context = Context(TLSv1_METHOD)
1158 self.assertRaises(TypeError, context.get_verify_mode, None)
1159
1160
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05001161 def test_set_verify_mode(self):
Jean-Paul Calderone0294e3d2010-09-09 18:17:48 -04001162 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001163 :py:obj:`Context.get_verify_mode` returns the verify mode flags previously
1164 passed to :py:obj:`Context.set_verify`.
Jean-Paul Calderone0294e3d2010-09-09 18:17:48 -04001165 """
1166 context = Context(TLSv1_METHOD)
1167 self.assertEquals(context.get_verify_mode(), 0)
1168 context.set_verify(
1169 VERIFY_PEER | VERIFY_CLIENT_ONCE, lambda *args: None)
1170 self.assertEquals(
1171 context.get_verify_mode(), VERIFY_PEER | VERIFY_CLIENT_ONCE)
1172
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001173
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05001174 if not PY3:
1175 def test_set_verify_mode_long(self):
1176 """
1177 On Python 2 :py:obj:`Context.set_verify_mode` accepts values of
1178 type :py:obj:`long` as well as :py:obj:`int`.
1179 """
1180 context = Context(TLSv1_METHOD)
1181 self.assertEquals(context.get_verify_mode(), 0)
1182 context.set_verify(
1183 long(VERIFY_PEER | VERIFY_CLIENT_ONCE), lambda *args: None)
1184 self.assertEquals(
1185 context.get_verify_mode(), VERIFY_PEER | VERIFY_CLIENT_ONCE)
1186
1187
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001188 def test_load_tmp_dh_wrong_args(self):
1189 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001190 :py:obj:`Context.load_tmp_dh` raises :py:obj:`TypeError` if called with the wrong
1191 number of arguments or with a non-:py:obj:`str` argument.
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001192 """
1193 context = Context(TLSv1_METHOD)
1194 self.assertRaises(TypeError, context.load_tmp_dh)
1195 self.assertRaises(TypeError, context.load_tmp_dh, "foo", None)
1196 self.assertRaises(TypeError, context.load_tmp_dh, object())
1197
1198
1199 def test_load_tmp_dh_missing_file(self):
1200 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001201 :py:obj:`Context.load_tmp_dh` raises :py:obj:`OpenSSL.SSL.Error` if the specified file
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001202 does not exist.
1203 """
1204 context = Context(TLSv1_METHOD)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05001205 self.assertRaises(Error, context.load_tmp_dh, b"hello")
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001206
1207
1208 def test_load_tmp_dh(self):
1209 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001210 :py:obj:`Context.load_tmp_dh` loads Diffie-Hellman parameters from the
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001211 specified file.
1212 """
1213 context = Context(TLSv1_METHOD)
1214 dhfilename = self.mktemp()
1215 dhfile = open(dhfilename, "w")
1216 dhfile.write(dhparam)
1217 dhfile.close()
1218 context.load_tmp_dh(dhfilename)
1219 # XXX What should I assert here? -exarkun
1220
1221
Jean-Paul Calderone3e4e3352014-04-19 09:28:28 -04001222 def test_set_tmp_ecdh(self):
Andy Lutomirskif05a2732014-03-13 17:22:25 -07001223 """
Jean-Paul Calderone3e4e3352014-04-19 09:28:28 -04001224 :py:obj:`Context.set_tmp_ecdh` sets the elliptic curve for
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -04001225 Diffie-Hellman to the specified curve.
Andy Lutomirskif05a2732014-03-13 17:22:25 -07001226 """
1227 context = Context(TLSv1_METHOD)
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -04001228 for curve in get_elliptic_curves():
1229 # The only easily "assertable" thing is that it does not raise an
1230 # exception.
Jean-Paul Calderone3e4e3352014-04-19 09:28:28 -04001231 context.set_tmp_ecdh(curve)
Alex Gaynor12dc0842014-01-17 12:51:31 -06001232
1233
Jean-Paul Calderone63eab692014-01-18 10:19:56 -05001234 def test_set_cipher_list_bytes(self):
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001235 """
Jean-Paul Calderone63eab692014-01-18 10:19:56 -05001236 :py:obj:`Context.set_cipher_list` accepts a :py:obj:`bytes` naming the
1237 ciphers which connections created with the context object will be able
1238 to choose from.
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001239 """
1240 context = Context(TLSv1_METHOD)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05001241 context.set_cipher_list(b"hello world:EXP-RC4-MD5")
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001242 conn = Connection(context, None)
1243 self.assertEquals(conn.get_cipher_list(), ["EXP-RC4-MD5"])
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04001244
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04001245
Jean-Paul Calderone63eab692014-01-18 10:19:56 -05001246 def test_set_cipher_list_text(self):
1247 """
1248 :py:obj:`Context.set_cipher_list` accepts a :py:obj:`unicode` naming
1249 the ciphers which connections created with the context object will be
1250 able to choose from.
1251 """
1252 context = Context(TLSv1_METHOD)
Jean-Paul Calderonec76c61c2014-01-18 13:21:52 -05001253 context.set_cipher_list(u("hello world:EXP-RC4-MD5"))
Jean-Paul Calderone63eab692014-01-18 10:19:56 -05001254 conn = Connection(context, None)
1255 self.assertEquals(conn.get_cipher_list(), ["EXP-RC4-MD5"])
1256
1257
Jean-Paul Calderone131052e2013-03-05 11:56:19 -08001258 def test_set_cipher_list_wrong_args(self):
1259 """
Jean-Paul Calderone17044832014-01-18 10:20:11 -05001260 :py:obj:`Context.set_cipher_list` raises :py:obj:`TypeError` when
1261 passed zero arguments or more than one argument or when passed a
1262 non-string single argument and raises :py:obj:`OpenSSL.SSL.Error` when
Jean-Paul Calderone131052e2013-03-05 11:56:19 -08001263 passed an incorrect cipher list string.
1264 """
1265 context = Context(TLSv1_METHOD)
1266 self.assertRaises(TypeError, context.set_cipher_list)
1267 self.assertRaises(TypeError, context.set_cipher_list, object())
1268 self.assertRaises(TypeError, context.set_cipher_list, b"EXP-RC4-MD5", object())
1269
Jean-Paul Calderone63eab692014-01-18 10:19:56 -05001270 self.assertRaises(Error, context.set_cipher_list, "imaginary-cipher")
Jean-Paul Calderone131052e2013-03-05 11:56:19 -08001271
1272
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05001273 def test_set_session_cache_mode_wrong_args(self):
1274 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05001275 :py:obj:`Context.set_session_cache_mode` raises :py:obj:`TypeError` if
1276 called with other than one integer argument.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05001277 """
1278 context = Context(TLSv1_METHOD)
1279 self.assertRaises(TypeError, context.set_session_cache_mode)
1280 self.assertRaises(TypeError, context.set_session_cache_mode, object())
1281
1282
1283 def test_get_session_cache_mode_wrong_args(self):
1284 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05001285 :py:obj:`Context.get_session_cache_mode` raises :py:obj:`TypeError` if
1286 called with any arguments.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05001287 """
1288 context = Context(TLSv1_METHOD)
1289 self.assertRaises(TypeError, context.get_session_cache_mode, 1)
1290
1291
1292 def test_session_cache_mode(self):
1293 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05001294 :py:obj:`Context.set_session_cache_mode` specifies how sessions are
1295 cached. The setting can be retrieved via
1296 :py:obj:`Context.get_session_cache_mode`.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05001297 """
1298 context = Context(TLSv1_METHOD)
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05001299 context.set_session_cache_mode(SESS_CACHE_OFF)
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05001300 off = context.set_session_cache_mode(SESS_CACHE_BOTH)
1301 self.assertEqual(SESS_CACHE_OFF, off)
1302 self.assertEqual(SESS_CACHE_BOTH, context.get_session_cache_mode())
1303
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05001304 if not PY3:
1305 def test_session_cache_mode_long(self):
1306 """
1307 On Python 2 :py:obj:`Context.set_session_cache_mode` accepts values
1308 of type :py:obj:`long` as well as :py:obj:`int`.
1309 """
1310 context = Context(TLSv1_METHOD)
1311 context.set_session_cache_mode(long(SESS_CACHE_BOTH))
1312 self.assertEqual(
1313 SESS_CACHE_BOTH, context.get_session_cache_mode())
1314
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05001315
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -08001316 def test_get_cert_store(self):
1317 """
1318 :py:obj:`Context.get_cert_store` returns a :py:obj:`X509Store` instance.
1319 """
1320 context = Context(TLSv1_METHOD)
1321 store = context.get_cert_store()
1322 self.assertIsInstance(store, X509Store)
1323
1324
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04001325
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001326class ServerNameCallbackTests(TestCase, _LoopbackMixin):
1327 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001328 Tests for :py:obj:`Context.set_tlsext_servername_callback` and its interaction with
1329 :py:obj:`Connection`.
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001330 """
1331 def test_wrong_args(self):
1332 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001333 :py:obj:`Context.set_tlsext_servername_callback` raises :py:obj:`TypeError` if called
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001334 with other than one argument.
1335 """
1336 context = Context(TLSv1_METHOD)
1337 self.assertRaises(TypeError, context.set_tlsext_servername_callback)
1338 self.assertRaises(
1339 TypeError, context.set_tlsext_servername_callback, 1, 2)
1340
Jean-Paul Calderone4c1aacd2014-01-11 08:15:17 -05001341
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001342 def test_old_callback_forgotten(self):
1343 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001344 If :py:obj:`Context.set_tlsext_servername_callback` is used to specify a new
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001345 callback, the one it replaces is dereferenced.
1346 """
1347 def callback(connection):
1348 pass
1349
1350 def replacement(connection):
1351 pass
1352
1353 context = Context(TLSv1_METHOD)
1354 context.set_tlsext_servername_callback(callback)
1355
1356 tracker = ref(callback)
1357 del callback
1358
1359 context.set_tlsext_servername_callback(replacement)
Jean-Paul Calderoned4033eb2014-01-11 08:21:46 -05001360
1361 # One run of the garbage collector happens to work on CPython. PyPy
1362 # doesn't collect the underlying object until a second run for whatever
1363 # reason. That's fine, it still demonstrates our code has properly
1364 # dropped the reference.
1365 collect()
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001366 collect()
Jean-Paul Calderone4c1aacd2014-01-11 08:15:17 -05001367
1368 callback = tracker()
1369 if callback is not None:
1370 referrers = get_referrers(callback)
Jean-Paul Calderone7de39562014-01-11 08:17:59 -05001371 if len(referrers) > 1:
Jean-Paul Calderone4c1aacd2014-01-11 08:15:17 -05001372 self.fail("Some references remain: %r" % (referrers,))
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001373
1374
1375 def test_no_servername(self):
1376 """
1377 When a client specifies no server name, the callback passed to
Jonathan Ballet648875f2011-07-16 14:14:58 +09001378 :py:obj:`Context.set_tlsext_servername_callback` is invoked and the result of
1379 :py:obj:`Connection.get_servername` is :py:obj:`None`.
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001380 """
1381 args = []
1382 def servername(conn):
1383 args.append((conn, conn.get_servername()))
1384 context = Context(TLSv1_METHOD)
1385 context.set_tlsext_servername_callback(servername)
1386
1387 # Lose our reference to it. The Context is responsible for keeping it
1388 # alive now.
1389 del servername
1390 collect()
1391
1392 # Necessary to actually accept the connection
1393 context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
1394 context.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
1395
1396 # Do a little connection to trigger the logic
1397 server = Connection(context, None)
1398 server.set_accept_state()
1399
1400 client = Connection(Context(TLSv1_METHOD), None)
1401 client.set_connect_state()
1402
1403 self._interactInMemory(server, client)
1404
1405 self.assertEqual([(server, None)], args)
1406
1407
1408 def test_servername(self):
1409 """
1410 When a client specifies a server name in its hello message, the callback
Jonathan Ballet648875f2011-07-16 14:14:58 +09001411 passed to :py:obj:`Contexts.set_tlsext_servername_callback` is invoked and the
1412 result of :py:obj:`Connection.get_servername` is that server name.
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001413 """
1414 args = []
1415 def servername(conn):
1416 args.append((conn, conn.get_servername()))
1417 context = Context(TLSv1_METHOD)
1418 context.set_tlsext_servername_callback(servername)
1419
1420 # Necessary to actually accept the connection
1421 context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
1422 context.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
1423
1424 # Do a little connection to trigger the logic
1425 server = Connection(context, None)
1426 server.set_accept_state()
1427
1428 client = Connection(Context(TLSv1_METHOD), None)
1429 client.set_connect_state()
1430 client.set_tlsext_host_name(b("foo1.example.com"))
1431
1432 self._interactInMemory(server, client)
1433
1434 self.assertEqual([(server, b("foo1.example.com"))], args)
1435
1436
1437
Jean-Paul Calderonee0fcf512012-02-13 09:10:15 -05001438class SessionTests(TestCase):
1439 """
1440 Unit tests for :py:obj:`OpenSSL.SSL.Session`.
1441 """
1442 def test_construction(self):
1443 """
1444 :py:class:`Session` can be constructed with no arguments, creating a new
1445 instance of that type.
1446 """
1447 new_session = Session()
1448 self.assertTrue(isinstance(new_session, Session))
1449
1450
1451 def test_construction_wrong_args(self):
1452 """
1453 If any arguments are passed to :py:class:`Session`, :py:obj:`TypeError`
1454 is raised.
1455 """
1456 self.assertRaises(TypeError, Session, 123)
1457 self.assertRaises(TypeError, Session, "hello")
1458 self.assertRaises(TypeError, Session, object())
1459
1460
1461
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04001462class ConnectionTests(TestCase, _LoopbackMixin):
Rick Deane15b1472009-07-09 15:53:42 -05001463 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001464 Unit tests for :py:obj:`OpenSSL.SSL.Connection`.
Rick Deane15b1472009-07-09 15:53:42 -05001465 """
Jean-Paul Calderone541eaf22010-09-09 18:55:08 -04001466 # XXX get_peer_certificate -> None
1467 # XXX sock_shutdown
1468 # XXX master_key -> TypeError
1469 # XXX server_random -> TypeError
1470 # XXX state_string
1471 # XXX connect -> TypeError
1472 # XXX connect_ex -> TypeError
1473 # XXX set_connect_state -> TypeError
1474 # XXX set_accept_state -> TypeError
1475 # XXX renegotiate_pending
1476 # XXX do_handshake -> TypeError
1477 # XXX bio_read -> TypeError
1478 # XXX recv -> TypeError
1479 # XXX send -> TypeError
1480 # XXX bio_write -> TypeError
1481
Rick Deane15b1472009-07-09 15:53:42 -05001482 def test_type(self):
1483 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001484 :py:obj:`Connection` and :py:obj:`ConnectionType` refer to the same type object and
Jean-Paul Calderone68649052009-07-17 21:14:27 -04001485 can be used to create instances of that type.
Rick Deane15b1472009-07-09 15:53:42 -05001486 """
Jean-Paul Calderone68649052009-07-17 21:14:27 -04001487 self.assertIdentical(Connection, ConnectionType)
Rick Deane15b1472009-07-09 15:53:42 -05001488 ctx = Context(TLSv1_METHOD)
Jean-Paul Calderone68649052009-07-17 21:14:27 -04001489 self.assertConsistentType(Connection, 'Connection', ctx, None)
Rick Deane15b1472009-07-09 15:53:42 -05001490
Jean-Paul Calderone68649052009-07-17 21:14:27 -04001491
Jean-Paul Calderone4fd058a2009-11-22 11:46:42 -05001492 def test_get_context(self):
1493 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001494 :py:obj:`Connection.get_context` returns the :py:obj:`Context` instance used to
1495 construct the :py:obj:`Connection` instance.
Jean-Paul Calderone4fd058a2009-11-22 11:46:42 -05001496 """
1497 context = Context(TLSv1_METHOD)
1498 connection = Connection(context, None)
1499 self.assertIdentical(connection.get_context(), context)
1500
1501
1502 def test_get_context_wrong_args(self):
1503 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001504 :py:obj:`Connection.get_context` raises :py:obj:`TypeError` if called with any
Jean-Paul Calderone4fd058a2009-11-22 11:46:42 -05001505 arguments.
1506 """
1507 connection = Connection(Context(TLSv1_METHOD), None)
1508 self.assertRaises(TypeError, connection.get_context, None)
1509
1510
Jean-Paul Calderone95613b72011-05-25 22:30:21 -04001511 def test_set_context_wrong_args(self):
1512 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001513 :py:obj:`Connection.set_context` raises :py:obj:`TypeError` if called with a
1514 non-:py:obj:`Context` instance argument or with any number of arguments other
Jean-Paul Calderone95613b72011-05-25 22:30:21 -04001515 than 1.
1516 """
1517 ctx = Context(TLSv1_METHOD)
1518 connection = Connection(ctx, None)
1519 self.assertRaises(TypeError, connection.set_context)
1520 self.assertRaises(TypeError, connection.set_context, object())
1521 self.assertRaises(TypeError, connection.set_context, "hello")
1522 self.assertRaises(TypeError, connection.set_context, 1)
1523 self.assertRaises(TypeError, connection.set_context, 1, 2)
1524 self.assertRaises(
1525 TypeError, connection.set_context, Context(TLSv1_METHOD), 2)
1526 self.assertIdentical(ctx, connection.get_context())
1527
1528
1529 def test_set_context(self):
1530 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001531 :py:obj:`Connection.set_context` specifies a new :py:obj:`Context` instance to be used
Jean-Paul Calderone95613b72011-05-25 22:30:21 -04001532 for the connection.
1533 """
1534 original = Context(SSLv23_METHOD)
1535 replacement = Context(TLSv1_METHOD)
1536 connection = Connection(original, None)
1537 connection.set_context(replacement)
1538 self.assertIdentical(replacement, connection.get_context())
1539 # Lose our references to the contexts, just in case the Connection isn't
1540 # properly managing its own contributions to their reference counts.
1541 del original, replacement
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001542 collect()
1543
1544
1545 def test_set_tlsext_host_name_wrong_args(self):
1546 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001547 If :py:obj:`Connection.set_tlsext_host_name` is called with a non-byte string
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001548 argument or a byte string with an embedded NUL or other than one
Jonathan Ballet648875f2011-07-16 14:14:58 +09001549 argument, :py:obj:`TypeError` is raised.
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001550 """
1551 conn = Connection(Context(TLSv1_METHOD), None)
1552 self.assertRaises(TypeError, conn.set_tlsext_host_name)
1553 self.assertRaises(TypeError, conn.set_tlsext_host_name, object())
1554 self.assertRaises(TypeError, conn.set_tlsext_host_name, 123, 456)
1555 self.assertRaises(
1556 TypeError, conn.set_tlsext_host_name, b("with\0null"))
1557
1558 if version_info >= (3,):
1559 # On Python 3.x, don't accidentally implicitly convert from text.
1560 self.assertRaises(
1561 TypeError,
1562 conn.set_tlsext_host_name, b("example.com").decode("ascii"))
Jean-Paul Calderone95613b72011-05-25 22:30:21 -04001563
1564
Jean-Paul Calderone871a4d82011-05-26 19:24:02 -04001565 def test_get_servername_wrong_args(self):
1566 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001567 :py:obj:`Connection.get_servername` raises :py:obj:`TypeError` if called with any
Jean-Paul Calderone871a4d82011-05-26 19:24:02 -04001568 arguments.
1569 """
1570 connection = Connection(Context(TLSv1_METHOD), None)
1571 self.assertRaises(TypeError, connection.get_servername, object())
1572 self.assertRaises(TypeError, connection.get_servername, 1)
1573 self.assertRaises(TypeError, connection.get_servername, "hello")
1574
1575
Jean-Paul Calderone1d69a722010-07-29 09:05:53 -04001576 def test_pending(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001577 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001578 :py:obj:`Connection.pending` returns the number of bytes available for
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001579 immediate read.
1580 """
Jean-Paul Calderone1d69a722010-07-29 09:05:53 -04001581 connection = Connection(Context(TLSv1_METHOD), None)
1582 self.assertEquals(connection.pending(), 0)
1583
1584
1585 def test_pending_wrong_args(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001586 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001587 :py:obj:`Connection.pending` raises :py:obj:`TypeError` if called with any arguments.
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001588 """
Jean-Paul Calderone1d69a722010-07-29 09:05:53 -04001589 connection = Connection(Context(TLSv1_METHOD), None)
1590 self.assertRaises(TypeError, connection.pending, None)
1591
1592
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04001593 def test_connect_wrong_args(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001594 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001595 :py:obj:`Connection.connect` raises :py:obj:`TypeError` if called with a non-address
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001596 argument or with the wrong number of arguments.
1597 """
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04001598 connection = Connection(Context(TLSv1_METHOD), socket())
1599 self.assertRaises(TypeError, connection.connect, None)
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001600 self.assertRaises(TypeError, connection.connect)
1601 self.assertRaises(TypeError, connection.connect, ("127.0.0.1", 1), None)
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04001602
1603
Jean-Paul Calderone8bdeba22010-07-29 09:45:07 -04001604 def test_connect_refused(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001605 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001606 :py:obj:`Connection.connect` raises :py:obj:`socket.error` if the underlying socket
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001607 connect method raises it.
1608 """
Jean-Paul Calderone8bdeba22010-07-29 09:45:07 -04001609 client = socket()
1610 context = Context(TLSv1_METHOD)
1611 clientSSL = Connection(context, client)
1612 exc = self.assertRaises(error, clientSSL.connect, ("127.0.0.1", 1))
Jean-Paul Calderone35adf9d2010-07-29 18:40:44 -04001613 self.assertEquals(exc.args[0], ECONNREFUSED)
Jean-Paul Calderone8bdeba22010-07-29 09:45:07 -04001614
1615
1616 def test_connect(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001617 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001618 :py:obj:`Connection.connect` establishes a connection to the specified address.
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001619 """
Jean-Paul Calderone0bcb0e02010-07-29 09:49:59 -04001620 port = socket()
1621 port.bind(('', 0))
1622 port.listen(3)
1623
1624 clientSSL = Connection(Context(TLSv1_METHOD), socket())
Jean-Paul Calderoneb6e0fd92010-09-19 09:22:13 -04001625 clientSSL.connect(('127.0.0.1', port.getsockname()[1]))
1626 # XXX An assertion? Or something?
Jean-Paul Calderone0bcb0e02010-07-29 09:49:59 -04001627
1628
Jean-Paul Calderone7b614872010-09-24 17:43:44 -04001629 if platform == "darwin":
1630 "connect_ex sometimes causes a kernel panic on OS X 10.6.4"
1631 else:
1632 def test_connect_ex(self):
1633 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001634 If there is a connection error, :py:obj:`Connection.connect_ex` returns the
Jean-Paul Calderone7b614872010-09-24 17:43:44 -04001635 errno instead of raising an exception.
1636 """
1637 port = socket()
1638 port.bind(('', 0))
1639 port.listen(3)
Jean-Paul Calderone55d91f42010-07-29 19:22:17 -04001640
Jean-Paul Calderone7b614872010-09-24 17:43:44 -04001641 clientSSL = Connection(Context(TLSv1_METHOD), socket())
1642 clientSSL.setblocking(False)
1643 result = clientSSL.connect_ex(port.getsockname())
1644 expected = (EINPROGRESS, EWOULDBLOCK)
1645 self.assertTrue(
1646 result in expected, "%r not in %r" % (result, expected))
Jean-Paul Calderone55d91f42010-07-29 19:22:17 -04001647
1648
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04001649 def test_accept_wrong_args(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001650 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001651 :py:obj:`Connection.accept` raises :py:obj:`TypeError` if called with any arguments.
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001652 """
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04001653 connection = Connection(Context(TLSv1_METHOD), socket())
1654 self.assertRaises(TypeError, connection.accept, None)
1655
1656
Jean-Paul Calderone0bcb0e02010-07-29 09:49:59 -04001657 def test_accept(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001658 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001659 :py:obj:`Connection.accept` accepts a pending connection attempt and returns a
1660 tuple of a new :py:obj:`Connection` (the accepted client) and the address the
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001661 connection originated from.
1662 """
Jean-Paul Calderone8bdeba22010-07-29 09:45:07 -04001663 ctx = Context(TLSv1_METHOD)
1664 ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
1665 ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
Jean-Paul Calderone0bcb0e02010-07-29 09:49:59 -04001666 port = socket()
1667 portSSL = Connection(ctx, port)
1668 portSSL.bind(('', 0))
1669 portSSL.listen(3)
Jean-Paul Calderone8bdeba22010-07-29 09:45:07 -04001670
Jean-Paul Calderone0bcb0e02010-07-29 09:49:59 -04001671 clientSSL = Connection(Context(TLSv1_METHOD), socket())
Jean-Paul Calderoneb6e0fd92010-09-19 09:22:13 -04001672
1673 # Calling portSSL.getsockname() here to get the server IP address sounds
1674 # great, but frequently fails on Windows.
1675 clientSSL.connect(('127.0.0.1', portSSL.getsockname()[1]))
Jean-Paul Calderone8bdeba22010-07-29 09:45:07 -04001676
Jean-Paul Calderone0bcb0e02010-07-29 09:49:59 -04001677 serverSSL, address = portSSL.accept()
1678
1679 self.assertTrue(isinstance(serverSSL, Connection))
1680 self.assertIdentical(serverSSL.get_context(), ctx)
1681 self.assertEquals(address, clientSSL.getsockname())
Jean-Paul Calderone8bdeba22010-07-29 09:45:07 -04001682
1683
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04001684 def test_shutdown_wrong_args(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001685 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001686 :py:obj:`Connection.shutdown` raises :py:obj:`TypeError` if called with the wrong
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001687 number of arguments or with arguments other than integers.
1688 """
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04001689 connection = Connection(Context(TLSv1_METHOD), None)
1690 self.assertRaises(TypeError, connection.shutdown, None)
Jean-Paul Calderone1d3e0222010-07-29 22:52:45 -04001691 self.assertRaises(TypeError, connection.get_shutdown, None)
1692 self.assertRaises(TypeError, connection.set_shutdown)
1693 self.assertRaises(TypeError, connection.set_shutdown, None)
1694 self.assertRaises(TypeError, connection.set_shutdown, 0, 1)
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04001695
1696
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04001697 def test_shutdown(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001698 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001699 :py:obj:`Connection.shutdown` performs an SSL-level connection shutdown.
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001700 """
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04001701 server, client = self._loopback()
Jean-Paul Calderonee4f6b472010-07-29 22:50:58 -04001702 self.assertFalse(server.shutdown())
1703 self.assertEquals(server.get_shutdown(), SENT_SHUTDOWN)
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04001704 self.assertRaises(ZeroReturnError, client.recv, 1024)
Jean-Paul Calderonee4f6b472010-07-29 22:50:58 -04001705 self.assertEquals(client.get_shutdown(), RECEIVED_SHUTDOWN)
1706 client.shutdown()
1707 self.assertEquals(client.get_shutdown(), SENT_SHUTDOWN|RECEIVED_SHUTDOWN)
1708 self.assertRaises(ZeroReturnError, server.recv, 1024)
1709 self.assertEquals(server.get_shutdown(), SENT_SHUTDOWN|RECEIVED_SHUTDOWN)
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04001710
1711
Jean-Paul Calderonec89eef22010-07-29 22:51:58 -04001712 def test_set_shutdown(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001713 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001714 :py:obj:`Connection.set_shutdown` sets the state of the SSL connection shutdown
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001715 process.
1716 """
Jean-Paul Calderonec89eef22010-07-29 22:51:58 -04001717 connection = Connection(Context(TLSv1_METHOD), socket())
1718 connection.set_shutdown(RECEIVED_SHUTDOWN)
1719 self.assertEquals(connection.get_shutdown(), RECEIVED_SHUTDOWN)
1720
1721
Jean-Paul Calderonef73a3cb2014-02-09 08:49:06 -05001722 if not PY3:
1723 def test_set_shutdown_long(self):
1724 """
1725 On Python 2 :py:obj:`Connection.set_shutdown` accepts an argument
1726 of type :py:obj:`long` as well as :py:obj:`int`.
1727 """
1728 connection = Connection(Context(TLSv1_METHOD), socket())
1729 connection.set_shutdown(long(RECEIVED_SHUTDOWN))
1730 self.assertEquals(connection.get_shutdown(), RECEIVED_SHUTDOWN)
1731
1732
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04001733 def test_app_data_wrong_args(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001734 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001735 :py:obj:`Connection.set_app_data` raises :py:obj:`TypeError` if called with other than
1736 one argument. :py:obj:`Connection.get_app_data` raises :py:obj:`TypeError` if called
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001737 with any arguments.
1738 """
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04001739 conn = Connection(Context(TLSv1_METHOD), None)
1740 self.assertRaises(TypeError, conn.get_app_data, None)
1741 self.assertRaises(TypeError, conn.set_app_data)
1742 self.assertRaises(TypeError, conn.set_app_data, None, None)
1743
1744
Jean-Paul Calderone1bd8c792010-07-29 09:51:06 -04001745 def test_app_data(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001746 """
1747 Any object can be set as app data by passing it to
Jonathan Ballet648875f2011-07-16 14:14:58 +09001748 :py:obj:`Connection.set_app_data` and later retrieved with
1749 :py:obj:`Connection.get_app_data`.
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001750 """
Jean-Paul Calderone1bd8c792010-07-29 09:51:06 -04001751 conn = Connection(Context(TLSv1_METHOD), None)
1752 app_data = object()
1753 conn.set_app_data(app_data)
1754 self.assertIdentical(conn.get_app_data(), app_data)
1755
1756
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04001757 def test_makefile(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001758 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001759 :py:obj:`Connection.makefile` is not implemented and calling that method raises
1760 :py:obj:`NotImplementedError`.
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001761 """
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04001762 conn = Connection(Context(TLSv1_METHOD), None)
1763 self.assertRaises(NotImplementedError, conn.makefile)
1764
1765
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -04001766 def test_get_peer_cert_chain_wrong_args(self):
1767 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001768 :py:obj:`Connection.get_peer_cert_chain` raises :py:obj:`TypeError` if called with any
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -04001769 arguments.
1770 """
1771 conn = Connection(Context(TLSv1_METHOD), None)
1772 self.assertRaises(TypeError, conn.get_peer_cert_chain, 1)
1773 self.assertRaises(TypeError, conn.get_peer_cert_chain, "foo")
1774 self.assertRaises(TypeError, conn.get_peer_cert_chain, object())
1775 self.assertRaises(TypeError, conn.get_peer_cert_chain, [])
1776
1777
1778 def test_get_peer_cert_chain(self):
1779 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001780 :py:obj:`Connection.get_peer_cert_chain` returns a list of certificates which
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -04001781 the connected server returned for the certification verification.
1782 """
1783 chain = _create_certificate_chain()
1784 [(cakey, cacert), (ikey, icert), (skey, scert)] = chain
1785
1786 serverContext = Context(TLSv1_METHOD)
1787 serverContext.use_privatekey(skey)
1788 serverContext.use_certificate(scert)
1789 serverContext.add_extra_chain_cert(icert)
1790 serverContext.add_extra_chain_cert(cacert)
1791 server = Connection(serverContext, None)
1792 server.set_accept_state()
1793
1794 # Create the client
1795 clientContext = Context(TLSv1_METHOD)
1796 clientContext.set_verify(VERIFY_NONE, verify_cb)
1797 client = Connection(clientContext, None)
1798 client.set_connect_state()
1799
1800 self._interactInMemory(client, server)
1801
1802 chain = client.get_peer_cert_chain()
1803 self.assertEqual(len(chain), 3)
Jean-Paul Calderonee33300c2011-05-19 21:44:38 -04001804 self.assertEqual(
Jean-Paul Calderone24a42432011-05-19 22:21:18 -04001805 "Server Certificate", chain[0].get_subject().CN)
Jean-Paul Calderonee33300c2011-05-19 21:44:38 -04001806 self.assertEqual(
Jean-Paul Calderone24a42432011-05-19 22:21:18 -04001807 "Intermediate Certificate", chain[1].get_subject().CN)
Jean-Paul Calderonee33300c2011-05-19 21:44:38 -04001808 self.assertEqual(
Jean-Paul Calderone24a42432011-05-19 22:21:18 -04001809 "Authority Certificate", chain[2].get_subject().CN)
1810
1811
1812 def test_get_peer_cert_chain_none(self):
1813 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001814 :py:obj:`Connection.get_peer_cert_chain` returns :py:obj:`None` if the peer sends no
Jean-Paul Calderone24a42432011-05-19 22:21:18 -04001815 certificate chain.
1816 """
1817 ctx = Context(TLSv1_METHOD)
1818 ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
1819 ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
1820 server = Connection(ctx, None)
1821 server.set_accept_state()
1822 client = Connection(Context(TLSv1_METHOD), None)
1823 client.set_connect_state()
1824 self._interactInMemory(client, server)
1825 self.assertIdentical(None, server.get_peer_cert_chain())
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -04001826
1827
Jean-Paul Calderone64eaffc2012-02-13 11:53:49 -05001828 def test_get_session_wrong_args(self):
1829 """
1830 :py:obj:`Connection.get_session` raises :py:obj:`TypeError` if called
1831 with any arguments.
1832 """
1833 ctx = Context(TLSv1_METHOD)
1834 server = Connection(ctx, None)
1835 self.assertRaises(TypeError, server.get_session, 123)
1836 self.assertRaises(TypeError, server.get_session, "hello")
1837 self.assertRaises(TypeError, server.get_session, object())
1838
1839
1840 def test_get_session_unconnected(self):
1841 """
1842 :py:obj:`Connection.get_session` returns :py:obj:`None` when used with
1843 an object which has not been connected.
1844 """
1845 ctx = Context(TLSv1_METHOD)
1846 server = Connection(ctx, None)
1847 session = server.get_session()
1848 self.assertIdentical(None, session)
1849
1850
1851 def test_server_get_session(self):
1852 """
1853 On the server side of a connection, :py:obj:`Connection.get_session`
1854 returns a :py:class:`Session` instance representing the SSL session for
1855 that connection.
1856 """
1857 server, client = self._loopback()
1858 session = server.get_session()
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -08001859 self.assertIsInstance(session, Session)
Jean-Paul Calderone64eaffc2012-02-13 11:53:49 -05001860
1861
1862 def test_client_get_session(self):
1863 """
1864 On the client side of a connection, :py:obj:`Connection.get_session`
1865 returns a :py:class:`Session` instance representing the SSL session for
1866 that connection.
1867 """
1868 server, client = self._loopback()
1869 session = client.get_session()
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -08001870 self.assertIsInstance(session, Session)
Jean-Paul Calderone64eaffc2012-02-13 11:53:49 -05001871
1872
Jean-Paul Calderonefef5c4b2012-02-14 16:31:52 -05001873 def test_set_session_wrong_args(self):
1874 """
1875 If called with an object that is not an instance of :py:class:`Session`,
1876 or with other than one argument, :py:obj:`Connection.set_session` raises
1877 :py:obj:`TypeError`.
1878 """
1879 ctx = Context(TLSv1_METHOD)
1880 connection = Connection(ctx, None)
1881 self.assertRaises(TypeError, connection.set_session)
1882 self.assertRaises(TypeError, connection.set_session, 123)
1883 self.assertRaises(TypeError, connection.set_session, "hello")
1884 self.assertRaises(TypeError, connection.set_session, object())
1885 self.assertRaises(
1886 TypeError, connection.set_session, Session(), Session())
1887
1888
1889 def test_client_set_session(self):
1890 """
1891 :py:obj:`Connection.set_session`, when used prior to a connection being
1892 established, accepts a :py:class:`Session` instance and causes an
1893 attempt to re-use the session it represents when the SSL handshake is
1894 performed.
1895 """
1896 key = load_privatekey(FILETYPE_PEM, server_key_pem)
1897 cert = load_certificate(FILETYPE_PEM, server_cert_pem)
1898 ctx = Context(TLSv1_METHOD)
1899 ctx.use_privatekey(key)
1900 ctx.use_certificate(cert)
1901 ctx.set_session_id("unity-test")
1902
1903 def makeServer(socket):
1904 server = Connection(ctx, socket)
1905 server.set_accept_state()
1906 return server
1907
1908 originalServer, originalClient = self._loopback(
1909 serverFactory=makeServer)
1910 originalSession = originalClient.get_session()
1911
1912 def makeClient(socket):
1913 client = self._loopbackClientFactory(socket)
1914 client.set_session(originalSession)
1915 return client
1916 resumedServer, resumedClient = self._loopback(
1917 serverFactory=makeServer,
1918 clientFactory=makeClient)
1919
1920 # This is a proxy: in general, we have no access to any unique
1921 # identifier for the session (new enough versions of OpenSSL expose a
1922 # hash which could be usable, but "new enough" is very, very new).
1923 # Instead, exploit the fact that the master key is re-used if the
1924 # session is re-used. As long as the master key for the two connections
1925 # is the same, the session was re-used!
1926 self.assertEqual(
1927 originalServer.master_key(), resumedServer.master_key())
1928
1929
Jean-Paul Calderone5ea41492012-02-14 16:51:35 -05001930 def test_set_session_wrong_method(self):
1931 """
Jean-Paul Calderone068cb592012-02-14 16:52:43 -05001932 If :py:obj:`Connection.set_session` is passed a :py:class:`Session`
1933 instance associated with a context using a different SSL method than the
1934 :py:obj:`Connection` is using, a :py:class:`OpenSSL.SSL.Error` is
1935 raised.
Jean-Paul Calderone5ea41492012-02-14 16:51:35 -05001936 """
1937 key = load_privatekey(FILETYPE_PEM, server_key_pem)
1938 cert = load_certificate(FILETYPE_PEM, server_cert_pem)
1939 ctx = Context(TLSv1_METHOD)
1940 ctx.use_privatekey(key)
1941 ctx.use_certificate(cert)
1942 ctx.set_session_id("unity-test")
1943
1944 def makeServer(socket):
1945 server = Connection(ctx, socket)
1946 server.set_accept_state()
1947 return server
1948
1949 originalServer, originalClient = self._loopback(
1950 serverFactory=makeServer)
1951 originalSession = originalClient.get_session()
1952
1953 def makeClient(socket):
1954 # Intentionally use a different, incompatible method here.
1955 client = Connection(Context(SSLv3_METHOD), socket)
1956 client.set_connect_state()
1957 client.set_session(originalSession)
1958 return client
1959
1960 self.assertRaises(
1961 Error,
1962 self._loopback, clientFactory=makeClient, serverFactory=makeServer)
1963
1964
Jean-Paul Calderoned899af02013-03-19 22:10:37 -07001965 def test_wantWriteError(self):
1966 """
1967 :py:obj:`Connection` methods which generate output raise
1968 :py:obj:`OpenSSL.SSL.WantWriteError` if writing to the connection's BIO
1969 fail indicating a should-write state.
1970 """
1971 client_socket, server_socket = socket_pair()
1972 # Fill up the client's send buffer so Connection won't be able to write
Jean-Paul Calderonebbff8b92014-03-22 14:20:30 -04001973 # anything. Only write a single byte at a time so we can be sure we
1974 # completely fill the buffer. Even though the socket API is allowed to
1975 # signal a short write via its return value it seems this doesn't
1976 # always happen on all platforms (FreeBSD and OS X particular) for the
1977 # very last bit of available buffer space.
1978 msg = b"x"
1979 for i in range(1024 * 1024 * 4):
Jean-Paul Calderoned899af02013-03-19 22:10:37 -07001980 try:
1981 client_socket.send(msg)
1982 except error as e:
1983 if e.errno == EWOULDBLOCK:
1984 break
1985 raise
1986 else:
1987 self.fail(
1988 "Failed to fill socket buffer, cannot test BIO want write")
1989
1990 ctx = Context(TLSv1_METHOD)
1991 conn = Connection(ctx, client_socket)
1992 # Client's speak first, so make it an SSL client
1993 conn.set_connect_state()
1994 self.assertRaises(WantWriteError, conn.do_handshake)
1995
1996 # XXX want_read
1997
Fedor Brunner416f4a12014-03-28 13:18:38 +01001998 def test_get_finished_before_connect(self):
Fedor Brunner5747b932014-03-05 14:22:34 +01001999 """
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002000 :py:obj:`Connection.get_finished` returns :py:obj:`None` before TLS
2001 handshake is completed.
Fedor Brunner5747b932014-03-05 14:22:34 +01002002 """
Fedor Brunner5747b932014-03-05 14:22:34 +01002003 ctx = Context(TLSv1_METHOD)
2004 connection = Connection(ctx, None)
2005 self.assertEqual(connection.get_finished(), None)
Fedor Brunner416f4a12014-03-28 13:18:38 +01002006
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002007
Fedor Brunner416f4a12014-03-28 13:18:38 +01002008 def test_get_peer_finished_before_connect(self):
2009 """
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002010 :py:obj:`Connection.get_peer_finished` returns :py:obj:`None` before
2011 TLS handshake is completed.
Fedor Brunner416f4a12014-03-28 13:18:38 +01002012 """
Fedor Brunner416f4a12014-03-28 13:18:38 +01002013 ctx = Context(TLSv1_METHOD)
2014 connection = Connection(ctx, None)
Fedor Brunner5747b932014-03-05 14:22:34 +01002015 self.assertEqual(connection.get_peer_finished(), None)
2016
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002017
Fedor Brunner416f4a12014-03-28 13:18:38 +01002018 def test_get_finished(self):
2019 """
2020 :py:obj:`Connection.get_finished` method returns the TLS Finished
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002021 message send from client, or server. Finished messages are send during
2022 TLS handshake.
Fedor Brunner416f4a12014-03-28 13:18:38 +01002023 """
2024
Fedor Brunner5747b932014-03-05 14:22:34 +01002025 server, client = self._loopback()
2026
2027 self.assertNotEqual(server.get_finished(), None)
2028 self.assertTrue(len(server.get_finished()) > 0)
Fedor Brunner416f4a12014-03-28 13:18:38 +01002029
Jean-Paul Calderoned979f232014-03-30 11:58:00 -04002030
Fedor Brunner416f4a12014-03-28 13:18:38 +01002031 def test_get_peer_finished(self):
2032 """
2033 :py:obj:`Connection.get_peer_finished` method returns the TLS Finished
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002034 message received from client, or server. Finished messages are send
2035 during TLS handshake.
Fedor Brunner416f4a12014-03-28 13:18:38 +01002036 """
Fedor Brunner416f4a12014-03-28 13:18:38 +01002037 server, client = self._loopback()
2038
2039 self.assertNotEqual(server.get_peer_finished(), None)
Fedor Brunner5747b932014-03-05 14:22:34 +01002040 self.assertTrue(len(server.get_peer_finished()) > 0)
2041
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002042
Fedor Brunner416f4a12014-03-28 13:18:38 +01002043 def test_tls_finished_message_symmetry(self):
2044 """
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002045 The TLS Finished message send by server must be the TLS Finished message
Fedor Brunner416f4a12014-03-28 13:18:38 +01002046 received by client.
2047
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002048 The TLS Finished message send by client must be the TLS Finished message
Fedor Brunner416f4a12014-03-28 13:18:38 +01002049 received by server.
2050 """
Fedor Brunner416f4a12014-03-28 13:18:38 +01002051 server, client = self._loopback()
2052
Fedor Brunner5747b932014-03-05 14:22:34 +01002053 self.assertEqual(server.get_finished(), client.get_peer_finished())
2054 self.assertEqual(client.get_finished(), server.get_peer_finished())
Jean-Paul Calderone68649052009-07-17 21:14:27 -04002055
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002056
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002057 def test_get_cipher_name_before_connect(self):
2058 """
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002059 :py:obj:`Connection.get_cipher_name` returns :py:obj:`None` if no
2060 connection has been established.
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002061 """
2062 ctx = Context(TLSv1_METHOD)
2063 conn = Connection(ctx, None)
Jean-Paul Calderone069e2bf2014-03-29 18:21:58 -04002064 self.assertIdentical(conn.get_cipher_name(), None)
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002065
Jean-Paul Calderonedbd76272014-03-29 18:09:40 -04002066
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002067 def test_get_cipher_name(self):
2068 """
Jean-Paul Calderone7f0ded42014-03-30 10:34:17 -04002069 :py:obj:`Connection.get_cipher_name` returns a :py:class:`unicode`
2070 string giving the name of the currently used cipher.
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002071 """
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002072 server, client = self._loopback()
2073 server_cipher_name, client_cipher_name = \
2074 server.get_cipher_name(), client.get_cipher_name()
2075
Jean-Paul Calderone7f0ded42014-03-30 10:34:17 -04002076 self.assertIsInstance(server_cipher_name, text_type)
2077 self.assertIsInstance(client_cipher_name, text_type)
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002078
2079 self.assertEqual(server_cipher_name, client_cipher_name)
2080
Jean-Paul Calderonedbd76272014-03-29 18:09:40 -04002081
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002082 def test_get_cipher_version_before_connect(self):
2083 """
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002084 :py:obj:`Connection.get_cipher_version` returns :py:obj:`None` if no
2085 connection has been established.
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002086 """
2087 ctx = Context(TLSv1_METHOD)
2088 conn = Connection(ctx, None)
Jean-Paul Calderone069e2bf2014-03-29 18:21:58 -04002089 self.assertIdentical(conn.get_cipher_version(), None)
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002090
Jean-Paul Calderonedbd76272014-03-29 18:09:40 -04002091
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002092 def test_get_cipher_version(self):
2093 """
Jean-Paul Calderone7f0ded42014-03-30 10:34:17 -04002094 :py:obj:`Connection.get_cipher_version` returns a :py:class:`unicode`
2095 string giving the protocol name of the currently used cipher.
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002096 """
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002097 server, client = self._loopback()
2098 server_cipher_version, client_cipher_version = \
2099 server.get_cipher_version(), client.get_cipher_version()
2100
Jean-Paul Calderone7f0ded42014-03-30 10:34:17 -04002101 self.assertIsInstance(server_cipher_version, text_type)
2102 self.assertIsInstance(client_cipher_version, text_type)
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002103
2104 self.assertEqual(server_cipher_version, client_cipher_version)
2105
Jean-Paul Calderonedbd76272014-03-29 18:09:40 -04002106
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002107 def test_get_cipher_bits_before_connect(self):
2108 """
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002109 :py:obj:`Connection.get_cipher_bits` returns :py:obj:`None` if no
2110 connection has been established.
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002111 """
2112 ctx = Context(TLSv1_METHOD)
2113 conn = Connection(ctx, None)
Jean-Paul Calderone069e2bf2014-03-29 18:21:58 -04002114 self.assertIdentical(conn.get_cipher_bits(), None)
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002115
Jean-Paul Calderonedbd76272014-03-29 18:09:40 -04002116
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002117 def test_get_cipher_bits(self):
2118 """
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002119 :py:obj:`Connection.get_cipher_bits` returns the number of secret bits
2120 of the currently used cipher.
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002121 """
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002122 server, client = self._loopback()
2123 server_cipher_bits, client_cipher_bits = \
2124 server.get_cipher_bits(), client.get_cipher_bits()
2125
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002126 self.assertIsInstance(server_cipher_bits, int)
2127 self.assertIsInstance(client_cipher_bits, int)
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002128
2129 self.assertEqual(server_cipher_bits, client_cipher_bits)
Jean-Paul Calderone68649052009-07-17 21:14:27 -04002130
Jean-Paul Calderonedbd76272014-03-29 18:09:40 -04002131
2132
Jean-Paul Calderonef135e622010-07-28 19:14:16 -04002133class ConnectionGetCipherListTests(TestCase):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002134 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002135 Tests for :py:obj:`Connection.get_cipher_list`.
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002136 """
Jean-Paul Calderone54a2bc02010-09-09 17:52:38 -04002137 def test_wrong_args(self):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002138 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002139 :py:obj:`Connection.get_cipher_list` raises :py:obj:`TypeError` if called with any
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002140 arguments.
2141 """
Jean-Paul Calderonef135e622010-07-28 19:14:16 -04002142 connection = Connection(Context(TLSv1_METHOD), None)
2143 self.assertRaises(TypeError, connection.get_cipher_list, None)
2144
2145
2146 def test_result(self):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002147 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05002148 :py:obj:`Connection.get_cipher_list` returns a :py:obj:`list` of
2149 :py:obj:`bytes` giving the names of the ciphers which might be used.
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002150 """
Jean-Paul Calderonef135e622010-07-28 19:14:16 -04002151 connection = Connection(Context(TLSv1_METHOD), None)
2152 ciphers = connection.get_cipher_list()
2153 self.assertTrue(isinstance(ciphers, list))
2154 for cipher in ciphers:
2155 self.assertTrue(isinstance(cipher, str))
2156
2157
2158
Jean-Paul Calderone9cbbe262011-01-05 14:53:43 -05002159class ConnectionSendTests(TestCase, _LoopbackMixin):
2160 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002161 Tests for :py:obj:`Connection.send`
Jean-Paul Calderone9cbbe262011-01-05 14:53:43 -05002162 """
2163 def test_wrong_args(self):
2164 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002165 When called with arguments other than string argument for its first
2166 parameter or more than two arguments, :py:obj:`Connection.send` raises
2167 :py:obj:`TypeError`.
Jean-Paul Calderone9cbbe262011-01-05 14:53:43 -05002168 """
2169 connection = Connection(Context(TLSv1_METHOD), None)
Jean-Paul Calderone77fa2602011-01-05 18:23:39 -05002170 self.assertRaises(TypeError, connection.send)
2171 self.assertRaises(TypeError, connection.send, object())
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002172 self.assertRaises(TypeError, connection.send, "foo", object(), "bar")
Jean-Paul Calderone9cbbe262011-01-05 14:53:43 -05002173
2174
2175 def test_short_bytes(self):
2176 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002177 When passed a short byte string, :py:obj:`Connection.send` transmits all of it
Jean-Paul Calderone9cbbe262011-01-05 14:53:43 -05002178 and returns the number of bytes sent.
2179 """
2180 server, client = self._loopback()
2181 count = server.send(b('xy'))
2182 self.assertEquals(count, 2)
2183 self.assertEquals(client.recv(2), b('xy'))
2184
2185 try:
2186 memoryview
2187 except NameError:
2188 "cannot test sending memoryview without memoryview"
2189 else:
2190 def test_short_memoryview(self):
2191 """
2192 When passed a memoryview onto a small number of bytes,
Jonathan Ballet648875f2011-07-16 14:14:58 +09002193 :py:obj:`Connection.send` transmits all of them and returns the number of
Jean-Paul Calderone9cbbe262011-01-05 14:53:43 -05002194 bytes sent.
2195 """
2196 server, client = self._loopback()
2197 count = server.send(memoryview(b('xy')))
2198 self.assertEquals(count, 2)
2199 self.assertEquals(client.recv(2), b('xy'))
2200
2201
Markus Unterwaditzer8e41d022014-04-19 12:27:11 +02002202 try:
2203 buffer
2204 except NameError:
2205 "cannot test sending buffer without buffer"
2206 else:
2207 def test_short_buffer(self):
2208 """
2209 When passed a buffer containing a small number of bytes,
2210 :py:obj:`Connection.send` transmits all of them and returns the number of
2211 bytes sent.
2212 """
2213 server, client = self._loopback()
2214 count = server.send(buffer(b('xy')))
2215 self.assertEquals(count, 2)
2216 self.assertEquals(client.recv(2), b('xy'))
2217
2218
Jean-Paul Calderone691e6c92011-01-21 22:04:35 -05002219
Cory Benfield62d10332014-06-15 10:03:41 +01002220class ConnectionRecvIntoTests(TestCase, _LoopbackMixin):
2221 """
2222 Tests for :py:obj:`Connection.recv_into`
2223 """
Jean-Paul Calderone332a85e2015-03-15 17:02:40 -04002224 def _no_length_test(self, output_buffer):
Jean-Paul Calderone61559d82015-03-15 17:04:50 -04002225 """
2226 Assert that when the given buffer is passed to
2227 ``Connection.recv_into``, whatever bytes are available to be received
2228 that fit into that buffer are written into that buffer.
2229 """
Jean-Paul Calderone332a85e2015-03-15 17:02:40 -04002230 server, client = self._loopback()
2231 server.send(b('xy'))
2232
Jean-Paul Calderone320af1e2015-03-15 17:20:13 -04002233 self.assertEqual(client.recv_into(output_buffer), 2)
2234 self.assertEqual(output_buffer, bytearray(b('xy\x00\x00\x00')))
Jean-Paul Calderone332a85e2015-03-15 17:02:40 -04002235
2236
2237 def test_buffer_no_length(self):
Cory Benfield62d10332014-06-15 10:03:41 +01002238 """
Jean-Paul Calderone61559d82015-03-15 17:04:50 -04002239 :py:obj:`Connection.recv_into` can be passed a ``bytearray`` instance
2240 and data in the receive buffer is written to it.
Cory Benfield62d10332014-06-15 10:03:41 +01002241 """
Jean-Paul Calderone332a85e2015-03-15 17:02:40 -04002242 self._no_length_test(bytearray(5))
Cory Benfield62d10332014-06-15 10:03:41 +01002243
2244
Jean-Paul Calderonec295a2f2015-03-15 17:11:18 -04002245 def _respects_length_test(self, output_buffer):
Cory Benfield62d10332014-06-15 10:03:41 +01002246 """
Jean-Paul Calderonec295a2f2015-03-15 17:11:18 -04002247 Assert that when the given buffer is passed to ``Connection.recv_into``
2248 along with a value for ``nbytes`` that is less than the size of that
2249 buffer, only ``nbytes`` bytes are written into the buffer.
Cory Benfield62d10332014-06-15 10:03:41 +01002250 """
2251 server, client = self._loopback()
2252 server.send(b('abcdefghij'))
Cory Benfield62d10332014-06-15 10:03:41 +01002253
Jean-Paul Calderone320af1e2015-03-15 17:20:13 -04002254 self.assertEqual(client.recv_into(output_buffer, 5), 5)
2255 self.assertEqual(
Jean-Paul Calderonec295a2f2015-03-15 17:11:18 -04002256 output_buffer, bytearray(b('abcde\x00\x00\x00\x00\x00'))
2257 )
2258
2259
2260 def test_buffer_respects_length(self):
2261 """
2262 When called with a ``bytearray`` instance,
2263 :py:obj:`Connection.recv_into` respects the ``nbytes`` parameter and
2264 doesn't copy in more than that number of bytes.
2265 """
2266 self._respects_length_test(bytearray(10))
Cory Benfield62d10332014-06-15 10:03:41 +01002267
2268
Jean-Paul Calderone2b41ad32015-03-15 17:19:39 -04002269 def _doesnt_overfill_test(self, output_buffer):
Cory Benfield62d10332014-06-15 10:03:41 +01002270 """
Jean-Paul Calderone2b41ad32015-03-15 17:19:39 -04002271 Assert that if there are more bytes available to be read from the
2272 receive buffer than would fit into the buffer passed to
2273 :py:obj:`Connection.recv_into`, only as many as fit are written into
2274 it.
Cory Benfield62d10332014-06-15 10:03:41 +01002275 """
2276 server, client = self._loopback()
2277 server.send(b('abcdefghij'))
Cory Benfield62d10332014-06-15 10:03:41 +01002278
Jean-Paul Calderone320af1e2015-03-15 17:20:13 -04002279 self.assertEqual(client.recv_into(output_buffer), 5)
2280 self.assertEqual(output_buffer, bytearray(b('abcde')))
Jean-Paul Calderone2b41ad32015-03-15 17:19:39 -04002281 rest = client.recv(5)
2282 self.assertEqual(b('fghij'), rest)
2283
2284
2285 def test_buffer_doesnt_overfill(self):
2286 """
2287 When called with a ``bytearray`` instance,
2288 :py:obj:`Connection.recv_into` respects the size of the array and
2289 doesn't write more bytes into it than will fit.
2290 """
2291 self._doesnt_overfill_test(bytearray(5))
Cory Benfield62d10332014-06-15 10:03:41 +01002292
2293
2294 try:
2295 memoryview
2296 except NameError:
2297 "cannot test recv_into memoryview without memoryview"
2298 else:
Jean-Paul Calderone332a85e2015-03-15 17:02:40 -04002299 def test_memoryview_no_length(self):
Cory Benfield62d10332014-06-15 10:03:41 +01002300 """
Jean-Paul Calderone61559d82015-03-15 17:04:50 -04002301 :py:obj:`Connection.recv_into` can be passed a ``memoryview``
2302 instance and data in the receive buffer is written to it.
Cory Benfield62d10332014-06-15 10:03:41 +01002303 """
Jean-Paul Calderone332a85e2015-03-15 17:02:40 -04002304 self._no_length_test(memoryview(bytearray(5)))
Cory Benfield62d10332014-06-15 10:03:41 +01002305
2306
Jean-Paul Calderonec295a2f2015-03-15 17:11:18 -04002307 def test_memoryview_respects_length(self):
Cory Benfield62d10332014-06-15 10:03:41 +01002308 """
Jean-Paul Calderonec295a2f2015-03-15 17:11:18 -04002309 When called with a ``memoryview`` instance,
2310 :py:obj:`Connection.recv_into` respects the ``nbytes`` parameter
2311 and doesn't copy more than that number of bytes in.
Cory Benfield62d10332014-06-15 10:03:41 +01002312 """
Jean-Paul Calderonec295a2f2015-03-15 17:11:18 -04002313 self._respects_length_test(memoryview(bytearray(10)))
Cory Benfield62d10332014-06-15 10:03:41 +01002314
2315
Jean-Paul Calderone2b41ad32015-03-15 17:19:39 -04002316 def test_memoryview_doesnt_overfill(self):
Cory Benfield62d10332014-06-15 10:03:41 +01002317 """
Jean-Paul Calderone8fd82552015-03-15 17:21:07 -04002318 When called with a ``memoryview`` instance,
2319 :py:obj:`Connection.recv_into` respects the size of the array and
2320 doesn't write more bytes into it than will fit.
Cory Benfield62d10332014-06-15 10:03:41 +01002321 """
Jean-Paul Calderone2b41ad32015-03-15 17:19:39 -04002322 self._doesnt_overfill_test(memoryview(bytearray(5)))
Cory Benfield62d10332014-06-15 10:03:41 +01002323
2324
2325
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002326class ConnectionSendallTests(TestCase, _LoopbackMixin):
2327 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002328 Tests for :py:obj:`Connection.sendall`.
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002329 """
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002330 def test_wrong_args(self):
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002331 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002332 When called with arguments other than a string argument for its first
2333 parameter or with more than two arguments, :py:obj:`Connection.sendall`
2334 raises :py:obj:`TypeError`.
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002335 """
2336 connection = Connection(Context(TLSv1_METHOD), None)
2337 self.assertRaises(TypeError, connection.sendall)
2338 self.assertRaises(TypeError, connection.sendall, object())
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002339 self.assertRaises(
2340 TypeError, connection.sendall, "foo", object(), "bar")
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002341
2342
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002343 def test_short(self):
2344 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002345 :py:obj:`Connection.sendall` transmits all of the bytes in the string passed to
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002346 it.
2347 """
2348 server, client = self._loopback()
Jean-Paul Calderonea9868832010-08-22 21:38:34 -04002349 server.sendall(b('x'))
2350 self.assertEquals(client.recv(1), b('x'))
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002351
2352
Jean-Paul Calderone691e6c92011-01-21 22:04:35 -05002353 try:
2354 memoryview
2355 except NameError:
2356 "cannot test sending memoryview without memoryview"
2357 else:
2358 def test_short_memoryview(self):
2359 """
2360 When passed a memoryview onto a small number of bytes,
Jonathan Ballet648875f2011-07-16 14:14:58 +09002361 :py:obj:`Connection.sendall` transmits all of them.
Jean-Paul Calderone691e6c92011-01-21 22:04:35 -05002362 """
2363 server, client = self._loopback()
2364 server.sendall(memoryview(b('x')))
2365 self.assertEquals(client.recv(1), b('x'))
2366
2367
Markus Unterwaditzer8e41d022014-04-19 12:27:11 +02002368 try:
2369 buffer
2370 except NameError:
2371 "cannot test sending buffers without buffers"
2372 else:
2373 def test_short_buffers(self):
2374 """
2375 When passed a buffer containing a small number of bytes,
2376 :py:obj:`Connection.sendall` transmits all of them.
2377 """
2378 server, client = self._loopback()
2379 server.sendall(buffer(b('x')))
2380 self.assertEquals(client.recv(1), b('x'))
2381
2382
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002383 def test_long(self):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002384 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002385 :py:obj:`Connection.sendall` transmits all of the bytes in the string passed to
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002386 it even if this requires multiple calls of an underlying write function.
2387 """
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002388 server, client = self._loopback()
Jean-Paul Calderone6241c702010-09-16 19:59:24 -04002389 # Should be enough, underlying SSL_write should only do 16k at a time.
2390 # On Windows, after 32k of bytes the write will block (forever - because
2391 # no one is yet reading).
Jean-Paul Calderone9e4c1352010-09-19 09:34:43 -04002392 message = b('x') * (1024 * 32 - 1) + b('y')
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002393 server.sendall(message)
2394 accum = []
2395 received = 0
2396 while received < len(message):
Jean-Paul Calderoneb1f7f5f2010-08-22 21:40:52 -04002397 data = client.recv(1024)
2398 accum.append(data)
2399 received += len(data)
Jean-Paul Calderonef4047852010-09-19 09:45:57 -04002400 self.assertEquals(message, b('').join(accum))
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002401
2402
Jean-Paul Calderone974bdc02010-07-28 19:06:10 -04002403 def test_closed(self):
2404 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002405 If the underlying socket is closed, :py:obj:`Connection.sendall` propagates the
Jean-Paul Calderone974bdc02010-07-28 19:06:10 -04002406 write error from the low level write call.
2407 """
2408 server, client = self._loopback()
Jean-Paul Calderone05d43e82010-09-24 18:01:36 -04002409 server.sock_shutdown(2)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05002410 exc = self.assertRaises(SysCallError, server.sendall, b"hello, world")
Konstantinos Koukopoulos541150d2014-01-31 01:00:19 +02002411 if platform == "win32":
2412 self.assertEqual(exc.args[0], ESHUTDOWN)
2413 else:
2414 self.assertEqual(exc.args[0], EPIPE)
Jean-Paul Calderone974bdc02010-07-28 19:06:10 -04002415
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002416
Jean-Paul Calderone1d69a722010-07-29 09:05:53 -04002417
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002418class ConnectionRenegotiateTests(TestCase, _LoopbackMixin):
2419 """
2420 Tests for SSL renegotiation APIs.
2421 """
2422 def test_renegotiate_wrong_args(self):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002423 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002424 :py:obj:`Connection.renegotiate` raises :py:obj:`TypeError` if called with any
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002425 arguments.
2426 """
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002427 connection = Connection(Context(TLSv1_METHOD), None)
2428 self.assertRaises(TypeError, connection.renegotiate, None)
2429
2430
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002431 def test_total_renegotiations_wrong_args(self):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002432 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002433 :py:obj:`Connection.total_renegotiations` raises :py:obj:`TypeError` if called with
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002434 any arguments.
2435 """
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002436 connection = Connection(Context(TLSv1_METHOD), None)
2437 self.assertRaises(TypeError, connection.total_renegotiations, None)
2438
2439
2440 def test_total_renegotiations(self):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002441 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002442 :py:obj:`Connection.total_renegotiations` returns :py:obj:`0` before any
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002443 renegotiations have happened.
2444 """
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002445 connection = Connection(Context(TLSv1_METHOD), None)
2446 self.assertEquals(connection.total_renegotiations(), 0)
2447
2448
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002449# def test_renegotiate(self):
2450# """
2451# """
2452# server, client = self._loopback()
2453
2454# server.send("hello world")
2455# self.assertEquals(client.recv(len("hello world")), "hello world")
2456
2457# self.assertEquals(server.total_renegotiations(), 0)
2458# self.assertTrue(server.renegotiate())
2459
2460# server.setblocking(False)
2461# client.setblocking(False)
2462# while server.renegotiate_pending():
2463# client.do_handshake()
2464# server.do_handshake()
2465
2466# self.assertEquals(server.total_renegotiations(), 1)
2467
2468
2469
2470
Jean-Paul Calderone68649052009-07-17 21:14:27 -04002471class ErrorTests(TestCase):
2472 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002473 Unit tests for :py:obj:`OpenSSL.SSL.Error`.
Jean-Paul Calderone68649052009-07-17 21:14:27 -04002474 """
2475 def test_type(self):
2476 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002477 :py:obj:`Error` is an exception type.
Jean-Paul Calderone68649052009-07-17 21:14:27 -04002478 """
2479 self.assertTrue(issubclass(Error, Exception))
Rick Deane15b1472009-07-09 15:53:42 -05002480 self.assertEqual(Error.__name__, 'Error')
Rick Deane15b1472009-07-09 15:53:42 -05002481
2482
2483
Jean-Paul Calderone327d8f92008-12-28 21:55:56 -05002484class ConstantsTests(TestCase):
2485 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002486 Tests for the values of constants exposed in :py:obj:`OpenSSL.SSL`.
Jean-Paul Calderone327d8f92008-12-28 21:55:56 -05002487
2488 These are values defined by OpenSSL intended only to be used as flags to
2489 OpenSSL APIs. The only assertions it seems can be made about them is
2490 their values.
2491 """
Jean-Paul Calderoned811b682008-12-28 22:59:15 -05002492 # unittest.TestCase has no skip mechanism
2493 if OP_NO_QUERY_MTU is not None:
2494 def test_op_no_query_mtu(self):
2495 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002496 The value of :py:obj:`OpenSSL.SSL.OP_NO_QUERY_MTU` is 0x1000, the value of
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -04002497 :py:const:`SSL_OP_NO_QUERY_MTU` defined by :file:`openssl/ssl.h`.
Jean-Paul Calderoned811b682008-12-28 22:59:15 -05002498 """
2499 self.assertEqual(OP_NO_QUERY_MTU, 0x1000)
2500 else:
2501 "OP_NO_QUERY_MTU unavailable - OpenSSL version may be too old"
Jean-Paul Calderone327d8f92008-12-28 21:55:56 -05002502
2503
Jean-Paul Calderoned811b682008-12-28 22:59:15 -05002504 if OP_COOKIE_EXCHANGE is not None:
2505 def test_op_cookie_exchange(self):
2506 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002507 The value of :py:obj:`OpenSSL.SSL.OP_COOKIE_EXCHANGE` is 0x2000, the value
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -04002508 of :py:const:`SSL_OP_COOKIE_EXCHANGE` defined by :file:`openssl/ssl.h`.
Jean-Paul Calderoned811b682008-12-28 22:59:15 -05002509 """
2510 self.assertEqual(OP_COOKIE_EXCHANGE, 0x2000)
2511 else:
2512 "OP_COOKIE_EXCHANGE unavailable - OpenSSL version may be too old"
Jean-Paul Calderone327d8f92008-12-28 21:55:56 -05002513
2514
Jean-Paul Calderoned811b682008-12-28 22:59:15 -05002515 if OP_NO_TICKET is not None:
2516 def test_op_no_ticket(self):
2517 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002518 The value of :py:obj:`OpenSSL.SSL.OP_NO_TICKET` is 0x4000, the value of
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -04002519 :py:const:`SSL_OP_NO_TICKET` defined by :file:`openssl/ssl.h`.
Jean-Paul Calderoned811b682008-12-28 22:59:15 -05002520 """
2521 self.assertEqual(OP_NO_TICKET, 0x4000)
Jean-Paul Calderonecebd1782011-09-11 10:01:31 -04002522 else:
Jean-Paul Calderoned811b682008-12-28 22:59:15 -05002523 "OP_NO_TICKET unavailable - OpenSSL version may be too old"
Rick Dean5b7b6372009-04-01 11:34:06 -05002524
2525
Jean-Paul Calderonec62d4c12011-09-08 18:29:32 -04002526 if OP_NO_COMPRESSION is not None:
2527 def test_op_no_compression(self):
2528 """
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -04002529 The value of :py:obj:`OpenSSL.SSL.OP_NO_COMPRESSION` is 0x20000, the value
2530 of :py:const:`SSL_OP_NO_COMPRESSION` defined by :file:`openssl/ssl.h`.
Jean-Paul Calderonec62d4c12011-09-08 18:29:32 -04002531 """
2532 self.assertEqual(OP_NO_COMPRESSION, 0x20000)
2533 else:
2534 "OP_NO_COMPRESSION unavailable - OpenSSL version may be too old"
2535
2536
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05002537 def test_sess_cache_off(self):
2538 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002539 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_OFF` 0x0, the value of
2540 :py:obj:`SSL_SESS_CACHE_OFF` defined by ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05002541 """
2542 self.assertEqual(0x0, SESS_CACHE_OFF)
2543
2544
2545 def test_sess_cache_client(self):
2546 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002547 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_CLIENT` 0x1, the value of
2548 :py:obj:`SSL_SESS_CACHE_CLIENT` defined by ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05002549 """
2550 self.assertEqual(0x1, SESS_CACHE_CLIENT)
2551
2552
2553 def test_sess_cache_server(self):
2554 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002555 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_SERVER` 0x2, the value of
2556 :py:obj:`SSL_SESS_CACHE_SERVER` defined by ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05002557 """
2558 self.assertEqual(0x2, SESS_CACHE_SERVER)
2559
2560
2561 def test_sess_cache_both(self):
2562 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002563 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_BOTH` 0x3, the value of
2564 :py:obj:`SSL_SESS_CACHE_BOTH` defined by ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05002565 """
2566 self.assertEqual(0x3, SESS_CACHE_BOTH)
2567
2568
2569 def test_sess_cache_no_auto_clear(self):
2570 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002571 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_NO_AUTO_CLEAR` 0x80, the
2572 value of :py:obj:`SSL_SESS_CACHE_NO_AUTO_CLEAR` defined by
2573 ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05002574 """
2575 self.assertEqual(0x80, SESS_CACHE_NO_AUTO_CLEAR)
2576
2577
2578 def test_sess_cache_no_internal_lookup(self):
2579 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002580 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_LOOKUP` 0x100,
2581 the value of :py:obj:`SSL_SESS_CACHE_NO_INTERNAL_LOOKUP` defined by
2582 ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05002583 """
2584 self.assertEqual(0x100, SESS_CACHE_NO_INTERNAL_LOOKUP)
2585
2586
2587 def test_sess_cache_no_internal_store(self):
2588 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002589 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_STORE` 0x200,
2590 the value of :py:obj:`SSL_SESS_CACHE_NO_INTERNAL_STORE` defined by
2591 ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05002592 """
2593 self.assertEqual(0x200, SESS_CACHE_NO_INTERNAL_STORE)
2594
2595
2596 def test_sess_cache_no_internal(self):
2597 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002598 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_NO_INTERNAL` 0x300, the
2599 value of :py:obj:`SSL_SESS_CACHE_NO_INTERNAL` defined by
2600 ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05002601 """
2602 self.assertEqual(0x300, SESS_CACHE_NO_INTERNAL)
2603
2604
Jean-Paul Calderoneeeee26a2009-04-27 11:24:30 -04002605
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04002606class MemoryBIOTests(TestCase, _LoopbackMixin):
Rick Deanb71c0d22009-04-01 14:09:23 -05002607 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002608 Tests for :py:obj:`OpenSSL.SSL.Connection` using a memory BIO.
Rick Deanb71c0d22009-04-01 14:09:23 -05002609 """
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04002610 def _server(self, sock):
2611 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002612 Create a new server-side SSL :py:obj:`Connection` object wrapped around
2613 :py:obj:`sock`.
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04002614 """
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04002615 # Create the server side Connection. This is mostly setup boilerplate
2616 # - use TLSv1, use a particular certificate, etc.
2617 server_ctx = Context(TLSv1_METHOD)
2618 server_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE )
2619 server_ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT|VERIFY_CLIENT_ONCE, verify_cb)
2620 server_store = server_ctx.get_cert_store()
2621 server_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
2622 server_ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
2623 server_ctx.check_privatekey()
2624 server_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))
Rick Deanb1ccd562009-07-09 23:52:39 -05002625 # Here the Connection is actually created. If None is passed as the 2nd
2626 # parameter, it indicates a memory BIO should be created.
2627 server_conn = Connection(server_ctx, sock)
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04002628 server_conn.set_accept_state()
2629 return server_conn
2630
2631
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04002632 def _client(self, sock):
2633 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002634 Create a new client-side SSL :py:obj:`Connection` object wrapped around
2635 :py:obj:`sock`.
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04002636 """
2637 # Now create the client side Connection. Similar boilerplate to the
2638 # above.
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04002639 client_ctx = Context(TLSv1_METHOD)
2640 client_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE )
2641 client_ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT|VERIFY_CLIENT_ONCE, verify_cb)
2642 client_store = client_ctx.get_cert_store()
2643 client_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, client_key_pem))
2644 client_ctx.use_certificate(load_certificate(FILETYPE_PEM, client_cert_pem))
2645 client_ctx.check_privatekey()
2646 client_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))
Rick Deanb1ccd562009-07-09 23:52:39 -05002647 client_conn = Connection(client_ctx, sock)
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04002648 client_conn.set_connect_state()
2649 return client_conn
2650
2651
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04002652 def test_memoryConnect(self):
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04002653 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002654 Two :py:obj:`Connection`s which use memory BIOs can be manually connected by
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04002655 reading from the output of each and writing those bytes to the input of
2656 the other and in this way establish a connection and exchange
2657 application-level bytes with each other.
2658 """
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04002659 server_conn = self._server(None)
2660 client_conn = self._client(None)
Rick Deanb71c0d22009-04-01 14:09:23 -05002661
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04002662 # There should be no key or nonces yet.
2663 self.assertIdentical(server_conn.master_key(), None)
2664 self.assertIdentical(server_conn.client_random(), None)
2665 self.assertIdentical(server_conn.server_random(), None)
Rick Deanb71c0d22009-04-01 14:09:23 -05002666
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04002667 # First, the handshake needs to happen. We'll deliver bytes back and
2668 # forth between the client and server until neither of them feels like
2669 # speaking any more.
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04002670 self.assertIdentical(
2671 self._interactInMemory(client_conn, server_conn), None)
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04002672
2673 # Now that the handshake is done, there should be a key and nonces.
2674 self.assertNotIdentical(server_conn.master_key(), None)
2675 self.assertNotIdentical(server_conn.client_random(), None)
2676 self.assertNotIdentical(server_conn.server_random(), None)
Jean-Paul Calderone6c051e62009-07-05 13:50:34 -04002677 self.assertEquals(server_conn.client_random(), client_conn.client_random())
2678 self.assertEquals(server_conn.server_random(), client_conn.server_random())
2679 self.assertNotEquals(server_conn.client_random(), server_conn.server_random())
2680 self.assertNotEquals(client_conn.client_random(), client_conn.server_random())
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04002681
2682 # Here are the bytes we'll try to send.
Jean-Paul Calderonea441fdc2010-08-22 21:33:57 -04002683 important_message = b('One if by land, two if by sea.')
Rick Deanb71c0d22009-04-01 14:09:23 -05002684
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04002685 server_conn.write(important_message)
2686 self.assertEquals(
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04002687 self._interactInMemory(client_conn, server_conn),
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04002688 (client_conn, important_message))
2689
2690 client_conn.write(important_message[::-1])
2691 self.assertEquals(
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04002692 self._interactInMemory(client_conn, server_conn),
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04002693 (server_conn, important_message[::-1]))
Rick Deanb71c0d22009-04-01 14:09:23 -05002694
2695
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04002696 def test_socketConnect(self):
Rick Deanb1ccd562009-07-09 23:52:39 -05002697 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002698 Just like :py:obj:`test_memoryConnect` but with an actual socket.
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04002699
2700 This is primarily to rule out the memory BIO code as the source of
Jonathan Ballet648875f2011-07-16 14:14:58 +09002701 any problems encountered while passing data over a :py:obj:`Connection` (if
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04002702 this test fails, there must be a problem outside the memory BIO
2703 code, as no memory BIO is involved here). Even though this isn't a
2704 memory BIO test, it's convenient to have it here.
Rick Deanb1ccd562009-07-09 23:52:39 -05002705 """
Jean-Paul Calderone06c7cc92010-09-24 23:52:00 -04002706 server_conn, client_conn = self._loopback()
Rick Deanb1ccd562009-07-09 23:52:39 -05002707
Jean-Paul Calderonea441fdc2010-08-22 21:33:57 -04002708 important_message = b("Help me Obi Wan Kenobi, you're my only hope.")
Rick Deanb1ccd562009-07-09 23:52:39 -05002709 client_conn.send(important_message)
2710 msg = server_conn.recv(1024)
2711 self.assertEqual(msg, important_message)
2712
2713 # Again in the other direction, just for fun.
2714 important_message = important_message[::-1]
2715 server_conn.send(important_message)
2716 msg = client_conn.recv(1024)
2717 self.assertEqual(msg, important_message)
2718
2719
Jean-Paul Calderonefc4ed0f2009-04-27 11:51:27 -04002720 def test_socketOverridesMemory(self):
Rick Deanb71c0d22009-04-01 14:09:23 -05002721 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002722 Test that :py:obj:`OpenSSL.SSL.bio_read` and :py:obj:`OpenSSL.SSL.bio_write` don't
2723 work on :py:obj:`OpenSSL.SSL.Connection`() that use sockets.
Rick Deanb71c0d22009-04-01 14:09:23 -05002724 """
2725 context = Context(SSLv3_METHOD)
2726 client = socket()
2727 clientSSL = Connection(context, client)
2728 self.assertRaises( TypeError, clientSSL.bio_read, 100)
2729 self.assertRaises( TypeError, clientSSL.bio_write, "foo")
Jean-Paul Calderone07acf3f2009-05-05 13:23:28 -04002730 self.assertRaises( TypeError, clientSSL.bio_shutdown )
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04002731
2732
2733 def test_outgoingOverflow(self):
2734 """
2735 If more bytes than can be written to the memory BIO are passed to
Jonathan Ballet648875f2011-07-16 14:14:58 +09002736 :py:obj:`Connection.send` at once, the number of bytes which were written is
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04002737 returned and that many bytes from the beginning of the input can be
2738 read from the other end of the connection.
2739 """
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04002740 server = self._server(None)
2741 client = self._client(None)
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04002742
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04002743 self._interactInMemory(client, server)
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04002744
2745 size = 2 ** 15
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05002746 sent = client.send(b"x" * size)
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04002747 # Sanity check. We're trying to test what happens when the entire
2748 # input can't be sent. If the entire input was sent, this test is
2749 # meaningless.
2750 self.assertTrue(sent < size)
2751
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04002752 receiver, received = self._interactInMemory(client, server)
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04002753 self.assertIdentical(receiver, server)
2754
2755 # We can rely on all of these bytes being received at once because
2756 # _loopback passes 2 ** 16 to recv - more than 2 ** 15.
2757 self.assertEquals(len(received), sent)
Jean-Paul Calderone3ad85d42009-04-30 20:24:35 -04002758
2759
2760 def test_shutdown(self):
2761 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002762 :py:obj:`Connection.bio_shutdown` signals the end of the data stream from
2763 which the :py:obj:`Connection` reads.
Jean-Paul Calderone3ad85d42009-04-30 20:24:35 -04002764 """
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04002765 server = self._server(None)
Jean-Paul Calderone3ad85d42009-04-30 20:24:35 -04002766 server.bio_shutdown()
2767 e = self.assertRaises(Error, server.recv, 1024)
2768 # We don't want WantReadError or ZeroReturnError or anything - it's a
2769 # handshake failure.
2770 self.assertEquals(e.__class__, Error)
Jean-Paul Calderone0b88b6a2009-07-05 12:44:41 -04002771
2772
Jean-Paul Calderoned899af02013-03-19 22:10:37 -07002773 def test_unexpectedEndOfFile(self):
2774 """
2775 If the connection is lost before an orderly SSL shutdown occurs,
2776 :py:obj:`OpenSSL.SSL.SysCallError` is raised with a message of
2777 "Unexpected EOF".
2778 """
2779 server_conn, client_conn = self._loopback()
2780 client_conn.sock_shutdown(SHUT_RDWR)
2781 exc = self.assertRaises(SysCallError, server_conn.recv, 1024)
2782 self.assertEqual(exc.args, (-1, "Unexpected EOF"))
2783
2784
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02002785 def _check_client_ca_list(self, func):
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04002786 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002787 Verify the return value of the :py:obj:`get_client_ca_list` method for server and client connections.
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04002788
Jonathan Ballet78b92a22011-07-16 08:07:26 +09002789 :param func: A function which will be called with the server context
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04002790 before the client and server are connected to each other. This
2791 function should specify a list of CAs for the server to send to the
2792 client and return that same list. The list will be used to verify
Jonathan Ballet648875f2011-07-16 14:14:58 +09002793 that :py:obj:`get_client_ca_list` returns the proper value at various
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04002794 times.
2795 """
Ziga Seilnacht679c4262009-09-01 01:32:29 +02002796 server = self._server(None)
2797 client = self._client(None)
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02002798 self.assertEqual(client.get_client_ca_list(), [])
2799 self.assertEqual(server.get_client_ca_list(), [])
Ziga Seilnacht679c4262009-09-01 01:32:29 +02002800 ctx = server.get_context()
2801 expected = func(ctx)
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02002802 self.assertEqual(client.get_client_ca_list(), [])
2803 self.assertEqual(server.get_client_ca_list(), expected)
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04002804 self._interactInMemory(client, server)
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02002805 self.assertEqual(client.get_client_ca_list(), expected)
2806 self.assertEqual(server.get_client_ca_list(), expected)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02002807
2808
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04002809 def test_set_client_ca_list_errors(self):
Ziga Seilnacht679c4262009-09-01 01:32:29 +02002810 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002811 :py:obj:`Context.set_client_ca_list` raises a :py:obj:`TypeError` if called with a
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04002812 non-list or a list that contains objects other than X509Names.
Ziga Seilnacht679c4262009-09-01 01:32:29 +02002813 """
2814 ctx = Context(TLSv1_METHOD)
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02002815 self.assertRaises(TypeError, ctx.set_client_ca_list, "spam")
2816 self.assertRaises(TypeError, ctx.set_client_ca_list, ["spam"])
2817 self.assertIdentical(ctx.set_client_ca_list([]), None)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02002818
2819
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04002820 def test_set_empty_ca_list(self):
Ziga Seilnacht679c4262009-09-01 01:32:29 +02002821 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002822 If passed an empty list, :py:obj:`Context.set_client_ca_list` configures the
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04002823 context to send no CA names to the client and, on both the server and
Jonathan Ballet648875f2011-07-16 14:14:58 +09002824 client sides, :py:obj:`Connection.get_client_ca_list` returns an empty list
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04002825 after the connection is set up.
2826 """
2827 def no_ca(ctx):
2828 ctx.set_client_ca_list([])
2829 return []
2830 self._check_client_ca_list(no_ca)
2831
2832
2833 def test_set_one_ca_list(self):
2834 """
2835 If passed a list containing a single X509Name,
Jonathan Ballet648875f2011-07-16 14:14:58 +09002836 :py:obj:`Context.set_client_ca_list` configures the context to send that CA
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04002837 name to the client and, on both the server and client sides,
Jonathan Ballet648875f2011-07-16 14:14:58 +09002838 :py:obj:`Connection.get_client_ca_list` returns a list containing that
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04002839 X509Name after the connection is set up.
2840 """
2841 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
2842 cadesc = cacert.get_subject()
2843 def single_ca(ctx):
2844 ctx.set_client_ca_list([cadesc])
2845 return [cadesc]
2846 self._check_client_ca_list(single_ca)
2847
2848
2849 def test_set_multiple_ca_list(self):
2850 """
2851 If passed a list containing multiple X509Name objects,
Jonathan Ballet648875f2011-07-16 14:14:58 +09002852 :py:obj:`Context.set_client_ca_list` configures the context to send those CA
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04002853 names to the client and, on both the server and client sides,
Jonathan Ballet648875f2011-07-16 14:14:58 +09002854 :py:obj:`Connection.get_client_ca_list` returns a list containing those
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04002855 X509Names after the connection is set up.
2856 """
2857 secert = load_certificate(FILETYPE_PEM, server_cert_pem)
2858 clcert = load_certificate(FILETYPE_PEM, server_cert_pem)
2859
2860 sedesc = secert.get_subject()
2861 cldesc = clcert.get_subject()
2862
2863 def multiple_ca(ctx):
2864 L = [sedesc, cldesc]
2865 ctx.set_client_ca_list(L)
2866 return L
2867 self._check_client_ca_list(multiple_ca)
2868
2869
2870 def test_reset_ca_list(self):
2871 """
2872 If called multiple times, only the X509Names passed to the final call
Jonathan Ballet648875f2011-07-16 14:14:58 +09002873 of :py:obj:`Context.set_client_ca_list` are used to configure the CA names
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04002874 sent to the client.
Ziga Seilnacht679c4262009-09-01 01:32:29 +02002875 """
2876 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
2877 secert = load_certificate(FILETYPE_PEM, server_cert_pem)
2878 clcert = load_certificate(FILETYPE_PEM, server_cert_pem)
2879
2880 cadesc = cacert.get_subject()
2881 sedesc = secert.get_subject()
2882 cldesc = clcert.get_subject()
2883
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02002884 def changed_ca(ctx):
2885 ctx.set_client_ca_list([sedesc, cldesc])
2886 ctx.set_client_ca_list([cadesc])
Ziga Seilnacht679c4262009-09-01 01:32:29 +02002887 return [cadesc]
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02002888 self._check_client_ca_list(changed_ca)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02002889
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04002890
2891 def test_mutated_ca_list(self):
2892 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002893 If the list passed to :py:obj:`Context.set_client_ca_list` is mutated
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04002894 afterwards, this does not affect the list of CA names sent to the
2895 client.
2896 """
2897 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
2898 secert = load_certificate(FILETYPE_PEM, server_cert_pem)
2899
2900 cadesc = cacert.get_subject()
2901 sedesc = secert.get_subject()
2902
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02002903 def mutated_ca(ctx):
Ziga Seilnacht679c4262009-09-01 01:32:29 +02002904 L = [cadesc]
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02002905 ctx.set_client_ca_list([cadesc])
Ziga Seilnacht679c4262009-09-01 01:32:29 +02002906 L.append(sedesc)
2907 return [cadesc]
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02002908 self._check_client_ca_list(mutated_ca)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02002909
2910
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04002911 def test_add_client_ca_errors(self):
Ziga Seilnacht679c4262009-09-01 01:32:29 +02002912 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002913 :py:obj:`Context.add_client_ca` raises :py:obj:`TypeError` if called with a non-X509
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04002914 object or with a number of arguments other than one.
Ziga Seilnacht679c4262009-09-01 01:32:29 +02002915 """
2916 ctx = Context(TLSv1_METHOD)
2917 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04002918 self.assertRaises(TypeError, ctx.add_client_ca)
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02002919 self.assertRaises(TypeError, ctx.add_client_ca, "spam")
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04002920 self.assertRaises(TypeError, ctx.add_client_ca, cacert, cacert)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02002921
2922
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04002923 def test_one_add_client_ca(self):
Ziga Seilnacht679c4262009-09-01 01:32:29 +02002924 """
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04002925 A certificate's subject can be added as a CA to be sent to the client
Jonathan Ballet648875f2011-07-16 14:14:58 +09002926 with :py:obj:`Context.add_client_ca`.
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04002927 """
2928 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
2929 cadesc = cacert.get_subject()
2930 def single_ca(ctx):
2931 ctx.add_client_ca(cacert)
2932 return [cadesc]
2933 self._check_client_ca_list(single_ca)
2934
2935
2936 def test_multiple_add_client_ca(self):
2937 """
2938 Multiple CA names can be sent to the client by calling
Jonathan Ballet648875f2011-07-16 14:14:58 +09002939 :py:obj:`Context.add_client_ca` with multiple X509 objects.
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04002940 """
2941 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
2942 secert = load_certificate(FILETYPE_PEM, server_cert_pem)
2943
2944 cadesc = cacert.get_subject()
2945 sedesc = secert.get_subject()
2946
2947 def multiple_ca(ctx):
2948 ctx.add_client_ca(cacert)
2949 ctx.add_client_ca(secert)
2950 return [cadesc, sedesc]
2951 self._check_client_ca_list(multiple_ca)
2952
2953
2954 def test_set_and_add_client_ca(self):
2955 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002956 A call to :py:obj:`Context.set_client_ca_list` followed by a call to
2957 :py:obj:`Context.add_client_ca` results in using the CA names from the first
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04002958 call and the CA name from the second call.
Ziga Seilnacht679c4262009-09-01 01:32:29 +02002959 """
2960 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
2961 secert = load_certificate(FILETYPE_PEM, server_cert_pem)
2962 clcert = load_certificate(FILETYPE_PEM, server_cert_pem)
2963
2964 cadesc = cacert.get_subject()
2965 sedesc = secert.get_subject()
2966 cldesc = clcert.get_subject()
2967
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02002968 def mixed_set_add_ca(ctx):
2969 ctx.set_client_ca_list([cadesc, sedesc])
2970 ctx.add_client_ca(clcert)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02002971 return [cadesc, sedesc, cldesc]
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02002972 self._check_client_ca_list(mixed_set_add_ca)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02002973
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04002974
2975 def test_set_after_add_client_ca(self):
2976 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002977 A call to :py:obj:`Context.set_client_ca_list` after a call to
2978 :py:obj:`Context.add_client_ca` replaces the CA name specified by the former
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04002979 call with the names specified by the latter cal.
2980 """
2981 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
2982 secert = load_certificate(FILETYPE_PEM, server_cert_pem)
2983 clcert = load_certificate(FILETYPE_PEM, server_cert_pem)
2984
2985 cadesc = cacert.get_subject()
2986 sedesc = secert.get_subject()
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04002987
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02002988 def set_replaces_add_ca(ctx):
2989 ctx.add_client_ca(clcert)
2990 ctx.set_client_ca_list([cadesc])
2991 ctx.add_client_ca(secert)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02002992 return [cadesc, sedesc]
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02002993 self._check_client_ca_list(set_replaces_add_ca)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02002994
Jean-Paul Calderone0b88b6a2009-07-05 12:44:41 -04002995
Jean-Paul Calderoned899af02013-03-19 22:10:37 -07002996
2997class ConnectionBIOTests(TestCase):
2998 """
2999 Tests for :py:obj:`Connection.bio_read` and :py:obj:`Connection.bio_write`.
3000 """
3001 def test_wantReadError(self):
3002 """
3003 :py:obj:`Connection.bio_read` raises :py:obj:`OpenSSL.SSL.WantReadError`
3004 if there are no bytes available to be read from the BIO.
3005 """
3006 ctx = Context(TLSv1_METHOD)
3007 conn = Connection(ctx, None)
3008 self.assertRaises(WantReadError, conn.bio_read, 1024)
3009
3010
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05003011 def test_buffer_size(self):
3012 """
3013 :py:obj:`Connection.bio_read` accepts an integer giving the maximum
3014 number of bytes to read and return.
3015 """
3016 ctx = Context(TLSv1_METHOD)
3017 conn = Connection(ctx, None)
3018 conn.set_connect_state()
3019 try:
3020 conn.do_handshake()
3021 except WantReadError:
3022 pass
3023 data = conn.bio_read(2)
3024 self.assertEqual(2, len(data))
3025
3026
3027 if not PY3:
3028 def test_buffer_size_long(self):
3029 """
3030 On Python 2 :py:obj:`Connection.bio_read` accepts values of type
3031 :py:obj:`long` as well as :py:obj:`int`.
3032 """
3033 ctx = Context(TLSv1_METHOD)
3034 conn = Connection(ctx, None)
3035 conn.set_connect_state()
3036 try:
3037 conn.do_handshake()
3038 except WantReadError:
3039 pass
3040 data = conn.bio_read(long(2))
3041 self.assertEqual(2, len(data))
3042
3043
3044
Jean-Paul Calderoned899af02013-03-19 22:10:37 -07003045
Jean-Paul Calderone31e85a82011-03-21 19:13:35 -04003046class InfoConstantTests(TestCase):
3047 """
3048 Tests for assorted constants exposed for use in info callbacks.
3049 """
3050 def test_integers(self):
3051 """
3052 All of the info constants are integers.
3053
3054 This is a very weak test. It would be nice to have one that actually
3055 verifies that as certain info events happen, the value passed to the
3056 info callback matches up with the constant exposed by OpenSSL.SSL.
3057 """
3058 for const in [
3059 SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK, SSL_ST_INIT,
3060 SSL_ST_BEFORE, SSL_ST_OK, SSL_ST_RENEGOTIATE,
3061 SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT,
3062 SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP,
3063 SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT,
3064 SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE]:
3065
3066 self.assertTrue(isinstance(const, int))
3067
Ziga Seilnacht44611bf2009-08-31 20:49:30 +02003068
Jean-Paul Calderone0b88b6a2009-07-05 12:44:41 -04003069if __name__ == '__main__':
3070 main()