Blame - tests/test_ssl.py - platform/external/python/pyopenssl

2008-03-21 17:04:05 -0400

[diff] [blame]

4

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

5

Unit tests for :mod:`OpenSSL.SSL`.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

6

"""

7

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

8

import datetime

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

9

import sys

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

10

import uuid

11

Jean-Paul Calderone

4c1aacd

2014-01-11 08:15:17 -0500

[diff] [blame]

12

from gc import collect, get_referrers

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

13

from errno import ECONNREFUSED, EINPROGRESS, EWOULDBLOCK, EPIPE, ESHUTDOWN

Jeremy Lainé

1ae7cb6

2018-03-21 14:49:42 +0100

[diff] [blame]

14

from sys import platform, getfilesystemencoding

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

15

from socket import MSG_PEEK, SHUT_RDWR, error, socket

Jean-Paul Calderone

a65cf6c

2009-07-19 10:26:52 -0400

[diff] [blame]

16

from os import makedirs

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

17

from os.path import join

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

18

from weakref import ref

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

19

from warnings import simplefilter

Jean-Paul Calderone

460cc1f

2009-03-07 11:31:12 -0500

[diff] [blame]

20

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

21

import pytest

22

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

23

from pretend import raiser

24

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

25

from six import PY3, text_type

Jean-Paul Calderone

c76c61c

2014-01-18 13:21:52 -0500

[diff] [blame]

26

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

27

from cryptography import x509

28

from cryptography.hazmat.backends import default_backend

29

from cryptography.hazmat.primitives import hashes

30

from cryptography.hazmat.primitives import serialization

31

from cryptography.hazmat.primitives.asymmetric import rsa

32

from cryptography.x509.oid import NameOID

33

34

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

35

from OpenSSL.crypto import TYPE_RSA, FILETYPE_PEM

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

36

from OpenSSL.crypto import PKey, X509, X509Extension, X509Store

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

37

from OpenSSL.crypto import dump_privatekey, load_privatekey

38

from OpenSSL.crypto import dump_certificate, load_certificate

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

39

from OpenSSL.crypto import get_elliptic_curves

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

40

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

41

from OpenSSL.SSL import OPENSSL_VERSION_NUMBER, SSLEAY_VERSION, SSLEAY_CFLAGS

42

from OpenSSL.SSL import SSLEAY_PLATFORM, SSLEAY_DIR, SSLEAY_BUILT_ON

Jean-Paul Calderone

e4f6b47

2010-07-29 22:50:58 -0400

[diff] [blame]

43

from OpenSSL.SSL import SENT_SHUTDOWN, RECEIVED_SHUTDOWN

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

44

from OpenSSL.SSL import (

45

SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD,

46

TLSv1_1_METHOD, TLSv1_2_METHOD)

47

from OpenSSL.SSL import OP_SINGLE_DH_USE, OP_NO_SSLv2, OP_NO_SSLv3

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

48

from OpenSSL.SSL import (

49

VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT, VERIFY_CLIENT_ONCE, VERIFY_NONE)

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

50

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

51

from OpenSSL import SSL

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

52

from OpenSSL.SSL import (

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

53

SESS_CACHE_OFF, SESS_CACHE_CLIENT, SESS_CACHE_SERVER, SESS_CACHE_BOTH,

54

SESS_CACHE_NO_AUTO_CLEAR, SESS_CACHE_NO_INTERNAL_LOOKUP,

55

SESS_CACHE_NO_INTERNAL_STORE, SESS_CACHE_NO_INTERNAL)

56

57

from OpenSSL.SSL import (

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

58

Error, SysCallError, WantReadError, WantWriteError, ZeroReturnError)

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

59

from OpenSSL.SSL import (

Alex Gaynor

01f90a1

2019-02-07 09:14:48 -0500

[diff] [blame]

60

Context, Session, Connection, SSLeay_version)

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

61

from OpenSSL.SSL import _make_requires

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

62

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

63

from OpenSSL._util import ffi as _ffi, lib as _lib

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

64

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

65

from OpenSSL.SSL import (

66

OP_NO_QUERY_MTU, OP_COOKIE_EXCHANGE, OP_NO_TICKET, OP_NO_COMPRESSION,

67

MODE_RELEASE_BUFFERS)

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

68

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

69

from OpenSSL.SSL import (

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

70

SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK,

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

71

SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT,

72

SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP,

73

SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT,

74

SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE)

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

75

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

76

try:

77

from OpenSSL.SSL import (

78

SSL_ST_INIT, SSL_ST_BEFORE, SSL_ST_OK, SSL_ST_RENEGOTIATE

79

)

80

except ImportError:

81

SSL_ST_INIT = SSL_ST_BEFORE = SSL_ST_OK = SSL_ST_RENEGOTIATE = None

82

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

83

from .util import WARNING_TYPE_EXPECTED, NON_ASCII, is_consistent_type

Hynek Schlawack

f0e6685

2015-10-16 20:18:38 +0200

[diff] [blame]

84

from .test_crypto import (

85

cleartextCertificatePEM, cleartextPrivateKeyPEM,

86

client_cert_pem, client_key_pem, server_cert_pem, server_key_pem,

87

root_cert_pem)

88

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

89

Alex Gaynor

d0bdd2d

2016-09-10 14:23:46 -0400

[diff] [blame]

90

# openssl dhparam 1024 -out dh-1024.pem (note that 1024 is a small number of

91

# bits to use)

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

92

dhparam = """\

93

-----BEGIN DH PARAMETERS-----

Alex Gaynor

d0bdd2d

2016-09-10 14:23:46 -0400

[diff] [blame]

94

MIGHAoGBALdUMvn+C9MM+y5BWZs11mSeH6HHoEq0UVbzVq7UojC1hbsZUuGukQ3a

95

Qh2/pwqb18BZFykrWB0zv/OkLa0kx4cuUgNrUVq1EFheBiX6YqryJ7t2sO09NQiO

96

V7H54LmltOT/hEh6QWsJqb6BQgH65bswvV/XkYGja8/T0GzvbaVzAgEC

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

97

-----END DH PARAMETERS-----

"""

Hynek Schlawack

2015-09-05 20:48:34 +0200

[diff] [blame]

101

skip_if_py3 = pytest.mark.skipif(PY3, reason="Python 2 only")

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

102

103

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

104

def join_bytes_or_unicode(prefix, suffix):

105

"""

106

Join two path components of either ``bytes`` or ``unicode``.

107

108

The return type is the same as the type of ``prefix``.

109

"""

110

# If the types are the same, nothing special is necessary.

111

if type(prefix) == type(suffix):

112

return join(prefix, suffix)

113

114

# Otherwise, coerce suffix to the type of prefix.

115

if isinstance(prefix, text_type):

116

return join(prefix, suffix.decode(getfilesystemencoding()))

117

else:

118

return join(prefix, suffix.encode(getfilesystemencoding()))

119

120

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

121

def verify_cb(conn, cert, errnum, depth, ok):

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

122

return ok

123

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

124

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

125

def socket_pair():

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

126

"""

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

127

Establish and return a pair of network sockets connected to each other.

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

128

"""

129

# Connect a pair of sockets

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

port = socket()

port.bind(('', 0))

port.listen(1)

client = socket()

client.setblocking(False)

Jean-Paul Calderone

f23c5d9

2009-07-23 17:58:15 -0400

[diff] [blame]

135

client.connect_ex(("127.0.0.1", port.getsockname()[1]))

Jean-Paul Calderone

94b24a8

2009-07-16 19:11:38 -0400

[diff] [blame]

136

client.setblocking(True)

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

137

server = port.accept()[0]

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

138

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

139

# Let's pass some unencrypted data to make sure our socket connection is

140

# fine. Just one byte, so we don't have to worry about buffers getting

141

# filled up or fragmentation.

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

142

server.send(b"x")

143

assert client.recv(1024) == b"x"

144

client.send(b"y")

145

assert server.recv(1024) == b"y"

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

146

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

147

# Most of our callers want non-blocking sockets, make it easy for them.

Jean-Paul Calderone

94b24a8

2009-07-16 19:11:38 -0400

[diff] [blame]

148

server.setblocking(False)

149

client.setblocking(False)

Jim Shaver

46f2891

2015-05-29 19:32:16 -0400

[diff] [blame]

150

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

151

return (server, client)

152

153

Jean-Paul Calderone

f874203

2010-09-25 00:00:32 -0400

[diff] [blame]

154

def handshake(client, server):

155

conns = [client, server]

while conns:

for conn in conns:

try:

conn.do_handshake()

except WantReadError:

pass

else:

conns.remove(conn)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

166

def _create_certificate_chain():

167

"""

168

Construct and return a chain of certificates.

169

170

1. A new self-signed certificate authority certificate (cacert)

171

2. A new intermediate certificate signed by cacert (icert)

172

3. A new server certificate signed by icert (scert)

173

"""

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

174

caext = X509Extension(b'basicConstraints', False, b'CA:true')

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

175

176

# Step 1

177

cakey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

178

cakey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

179

cacert = X509()

180

cacert.get_subject().commonName = "Authority Certificate"

181

cacert.set_issuer(cacert.get_subject())

182

cacert.set_pubkey(cakey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

183

cacert.set_notBefore(b"20000101000000Z")

184

cacert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

185

cacert.add_extensions([caext])

186

cacert.set_serial_number(0)

187

cacert.sign(cakey, "sha1")

188

189

# Step 2

190

ikey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

191

ikey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

192

icert = X509()

193

icert.get_subject().commonName = "Intermediate Certificate"

194

icert.set_issuer(cacert.get_subject())

195

icert.set_pubkey(ikey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

196

icert.set_notBefore(b"20000101000000Z")

197

icert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

198

icert.add_extensions([caext])

199

icert.set_serial_number(0)

200

icert.sign(cakey, "sha1")

201

202

# Step 3

203

skey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

204

skey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

205

scert = X509()

206

scert.get_subject().commonName = "Server Certificate"

207

scert.set_issuer(icert.get_subject())

208

scert.set_pubkey(skey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

209

scert.set_notBefore(b"20000101000000Z")

210

scert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

211

scert.add_extensions([

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

212

X509Extension(b'basicConstraints', True, b'CA:false')])

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

213

scert.set_serial_number(0)

214

scert.sign(ikey, "sha1")

215

216

return [(cakey, cacert), (ikey, icert), (skey, scert)]

217

218

Paul Kehrer

2019-01-21 12:24:02 -0600

[diff] [blame]

219

def loopback_client_factory(socket, version=SSLv23_METHOD):

220

client = Connection(Context(version), socket)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

221

client.set_connect_state()

return client

Paul Kehrer

2019-01-21 12:24:02 -0600

[diff] [blame]

225

def loopback_server_factory(socket, version=SSLv23_METHOD):

226

ctx = Context(version)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

227

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

228

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

229

server = Connection(ctx, socket)

230

server.set_accept_state()

return server

def loopback(server_factory=None, client_factory=None):

235

"""

236

Create a connected socket pair and force two connected SSL sockets

237

to talk to each other via memory BIOs.

238

"""

239

if server_factory is None:

240

server_factory = loopback_server_factory

241

if client_factory is None:

242

client_factory = loopback_client_factory

243

244

(server, client) = socket_pair()

245

server = server_factory(server)

246

client = client_factory(client)

247

248

handshake(client, server)

249

250

server.setblocking(True)

251

client.setblocking(True)

252

return server, client

253

254

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

255

def interact_in_memory(client_conn, server_conn):

256

"""

257

Try to read application bytes from each of the two `Connection` objects.

258

Copy bytes back and forth between their send/receive buffers for as long

259

as there is anything to copy. When there is nothing more to copy,

260

return `None`. If one of them actually manages to deliver some application

261

bytes, return a two-tuple of the connection from which the bytes were read

262

and the bytes themselves.

"""

wrote = True

while wrote:

# Loop until neither side has anything to say

267

wrote = False

268

269

# Copy stuff from each side's send buffer to the other side's

270

# receive buffer.

271

for (read, write) in [(client_conn, server_conn),

272

(server_conn, client_conn)]:

273

274

# Give the side a chance to generate some more bytes, or succeed.

275

try:

276

data = read.recv(2 ** 16)

277

except WantReadError:

278

# It didn't succeed, so we'll hope it generated some output.

279

pass

280

else:

281

# It did succeed, so we'll stop now and let the caller deal

# with it.

return (read, data)

while True:

# Keep copying as long as there's more stuff there.

287

try:

288

dirty = read.bio_read(4096)

289

except WantReadError:

290

# Okay, nothing more waiting to be sent. Stop

291

# processing this send buffer.

292

break

293

else:

294

# Keep track of the fact that someone generated some

295

# output.

296

wrote = True

297

write.bio_write(dirty)

298

299

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

300

def handshake_in_memory(client_conn, server_conn):

301

"""

302

Perform the TLS handshake between two `Connection` instances connected to

303

each other via memory BIOs.

304

"""

305

client_conn.set_connect_state()

306

server_conn.set_accept_state()

307

308

for conn in [client_conn, server_conn]:

309

try:

310

conn.do_handshake()

311

except WantReadError:

312

pass

313

314

interact_in_memory(client_conn, server_conn)

315

316

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

317

class TestVersion(object):

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

318

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

319

Tests for version information exposed by `OpenSSL.SSL.SSLeay_version` and

320

`OpenSSL.SSL.OPENSSL_VERSION_NUMBER`.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

321

"""

322

def test_OPENSSL_VERSION_NUMBER(self):

323

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

324

`OPENSSL_VERSION_NUMBER` is an integer with status in the low byte and

325

the patch, fix, minor, and major versions in the nibbles above that.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

326

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

327

assert isinstance(OPENSSL_VERSION_NUMBER, int)

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

328

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

329

def test_SSLeay_version(self):

330

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

331

`SSLeay_version` takes a version type indicator and returns one of a

332

number of version strings based on that indicator.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

333

"""

334

versions = {}

335

for t in [SSLEAY_VERSION, SSLEAY_CFLAGS, SSLEAY_BUILT_ON,

336

SSLEAY_PLATFORM, SSLEAY_DIR]:

337

version = SSLeay_version(t)

338

versions[version] = t

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

339

assert isinstance(version, bytes)

340

assert len(versions) == 5

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

341

342

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

343

@pytest.fixture

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

344

def ca_file(tmpdir):

345

"""

346

Create a valid PEM file with CA certificates and return the path.

347

"""

348

key = rsa.generate_private_key(

349

public_exponent=65537,

350

key_size=2048,

351

backend=default_backend()

352

)

353

public_key = key.public_key()

354

355

builder = x509.CertificateBuilder()

356

builder = builder.subject_name(x509.Name([

357

x509.NameAttribute(NameOID.COMMON_NAME, u"pyopenssl.org"),

358

]))

359

builder = builder.issuer_name(x509.Name([

360

x509.NameAttribute(NameOID.COMMON_NAME, u"pyopenssl.org"),

361

]))

362

one_day = datetime.timedelta(1, 0, 0)

363

builder = builder.not_valid_before(datetime.datetime.today() - one_day)

364

builder = builder.not_valid_after(datetime.datetime.today() + one_day)

365

builder = builder.serial_number(int(uuid.uuid4()))

366

builder = builder.public_key(public_key)

367

builder = builder.add_extension(

368

x509.BasicConstraints(ca=True, path_length=None), critical=True,

369

)

370

371

certificate = builder.sign(

372

private_key=key, algorithm=hashes.SHA256(),

373

backend=default_backend()

374

)

375

376

ca_file = tmpdir.join("test.pem")

377

ca_file.write_binary(

378

certificate.public_bytes(

379

encoding=serialization.Encoding.PEM,

)

)

return str(ca_file).encode("ascii")

384

385

386

@pytest.fixture

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

387

def context():

388

"""

389

A simple TLS 1.0 context.

390

"""

391

return Context(TLSv1_METHOD)

392

393

394

class TestContext(object):

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

395

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

396

Unit tests for `OpenSSL.SSL.Context`.

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

397

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

398

@pytest.mark.parametrize("cipher_string", [

399

b"hello world:AES128-SHA",

400

u"hello world:AES128-SHA",

401

])

402

def test_set_cipher_list(self, context, cipher_string):

403

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

404

`Context.set_cipher_list` accepts both byte and unicode strings

Hynek Schlawack

a7a63af

2016-03-11 12:05:26 +0100

[diff] [blame]

405

for naming the ciphers which connections created with the context

406

object will be able to choose from.

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

407

"""

408

context.set_cipher_list(cipher_string)

409

conn = Connection(context, None)

410

411

assert "AES128-SHA" in conn.get_cipher_list()

412

Mark Williams

df2480d

2019-02-14 19:30:07 -0800

[diff] [blame]

413

def test_set_cipher_list_wrong_type(self, context):

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

414

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

415

`Context.set_cipher_list` raises `TypeError` when passed a non-string

Mark Williams

df2480d

2019-02-14 19:30:07 -0800

[diff] [blame]

416

argument.

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

417

"""

Mark Williams

df2480d

2019-02-14 19:30:07 -0800

[diff] [blame]

418

with pytest.raises(TypeError):

419

context.set_cipher_list(object())

420

421

def test_set_cipher_list_no_cipher_match(self, context):

422

"""

423

`Context.set_cipher_list` raises `OpenSSL.SSL.Error` with a

424

`"no cipher match"` reason string regardless of the TLS

425

version.

426

"""

427

with pytest.raises(Error) as excinfo:

428

context.set_cipher_list(b"imaginary-cipher")

429

assert excinfo.value.args == (

[

(

'SSL routines',

'SSL_CTX_set_cipher_list',

'no cipher match',

),

],

)

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

438

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

439

def test_load_client_ca(self, context, ca_file):

440

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

441

`Context.load_client_ca` works as far as we can tell.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

442

"""

443

context.load_client_ca(ca_file)

444

445

def test_load_client_ca_invalid(self, context, tmpdir):

446

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

447

`Context.load_client_ca` raises an Error if the ca file is invalid.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

448

"""

449

ca_file = tmpdir.join("test.pem")

450

ca_file.write("")

451

452

with pytest.raises(Error) as e:

453

context.load_client_ca(str(ca_file).encode("ascii"))

454

455

assert "PEM routines" == e.value.args[0][0][0]

456

457

def test_load_client_ca_unicode(self, context, ca_file):

458

"""

459

Passing the path as unicode raises a warning but works.

460

"""

461

pytest.deprecated_call(

462

context.load_client_ca, ca_file.decode("ascii")

463

)

464

465

def test_set_session_id(self, context):

466

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

467

`Context.set_session_id` works as far as we can tell.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

468

"""

469

context.set_session_id(b"abc")

470

471

def test_set_session_id_fail(self, context):

472

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

473

`Context.set_session_id` errors are propagated.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

474

"""

475

with pytest.raises(Error) as e:

476

context.set_session_id(b"abc" * 1000)

assert [

("SSL routines",

"SSL_CTX_set_session_id_context",

481

"ssl session id context too long")

482

] == e.value.args[0]

483

484

def test_set_session_id_unicode(self, context):

485

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

486

`Context.set_session_id` raises a warning if a unicode string is

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

487

passed.

488

"""

489

pytest.deprecated_call(context.set_session_id, u"abc")

490

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

491

def test_method(self):

492

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

493

`Context` can be instantiated with one of `SSLv2_METHOD`,

494

`SSLv3_METHOD`, `SSLv23_METHOD`, `TLSv1_METHOD`, `TLSv1_1_METHOD`,

495

or `TLSv1_2_METHOD`.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

496

"""

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

497

methods = [SSLv23_METHOD, TLSv1_METHOD]

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

498

for meth in methods:

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

499

Context(meth)

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

500

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

501

maybe = [SSLv2_METHOD, SSLv3_METHOD, TLSv1_1_METHOD, TLSv1_2_METHOD]

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

for meth in maybe:

try:

Context(meth)

except (Error, ValueError):

506

# Some versions of OpenSSL have SSLv2 / TLSv1.1 / TLSv1.2, some

507

# don't. Difficult to say in advance.

508

pass

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

509

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

510

with pytest.raises(TypeError):

511

Context("")

512

with pytest.raises(ValueError):

513

Context(10)

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

514

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

515

@skip_if_py3

516

def test_method_long(self):

517

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

518

On Python 2 `Context` accepts values of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

519

"""

520

Context(long(TLSv1_METHOD))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

521

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

522

def test_type(self):

523

"""

Alex Gaynor

01f90a1

2019-02-07 09:14:48 -0500

[diff] [blame]

524

`Context` can be used to create instances of that type.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

525

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

526

assert is_consistent_type(Context, 'Context', TLSv1_METHOD)

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

527

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

528

def test_use_privatekey(self):

529

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

530

`Context.use_privatekey` takes an `OpenSSL.crypto.PKey` instance.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

531

"""

532

key = PKey()

Alex Gaynor

6e9f976

2018-05-12 07:44:37 -0400

[diff] [blame]

533

key.generate_key(TYPE_RSA, 512)

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

534

ctx = Context(TLSv1_METHOD)

535

ctx.use_privatekey(key)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

536

with pytest.raises(TypeError):

537

ctx.use_privatekey("")

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

538

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

539

def test_use_privatekey_file_missing(self, tmpfile):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

540

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

541

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` when passed

542

the name of a file which does not exist.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

543

"""

544

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

545

with pytest.raises(Error):

546

ctx.use_privatekey_file(tmpfile)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

547

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

548

def _use_privatekey_file_test(self, pemfile, filetype):

549

"""

550

Verify that calling ``Context.use_privatekey_file`` with the given

551

arguments does not raise an exception.

552

"""

553

key = PKey()

Alex Gaynor

6e9f976

2018-05-12 07:44:37 -0400

[diff] [blame]

554

key.generate_key(TYPE_RSA, 512)

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

555

556

with open(pemfile, "wt") as pem:

557

pem.write(

558

dump_privatekey(FILETYPE_PEM, key).decode("ascii")

559

)

560

561

ctx = Context(TLSv1_METHOD)

562

ctx.use_privatekey_file(pemfile, filetype)

563

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

564

@pytest.mark.parametrize('filetype', [object(), "", None, 1.0])

565

def test_wrong_privatekey_file_wrong_args(self, tmpfile, filetype):

566

"""

567

`Context.use_privatekey_file` raises `TypeError` when called with

568

a `filetype` which is not a valid file encoding.

569

"""

570

ctx = Context(TLSv1_METHOD)

571

with pytest.raises(TypeError):

572

ctx.use_privatekey_file(tmpfile, filetype)

573

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

574

def test_use_privatekey_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

575

"""

576

A private key can be specified from a file by passing a ``bytes``

577

instance giving the file name to ``Context.use_privatekey_file``.

578

"""

579

self._use_privatekey_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

580

tmpfile + NON_ASCII.encode(getfilesystemencoding()),

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

FILETYPE_PEM,

)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

584

def test_use_privatekey_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

585

"""

586

A private key can be specified from a file by passing a ``unicode``

587

instance giving the file name to ``Context.use_privatekey_file``.

588

"""

589

self._use_privatekey_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

590

tmpfile.decode(getfilesystemencoding()) + NON_ASCII,

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

FILETYPE_PEM,

)

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

594

@skip_if_py3

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

595

def test_use_privatekey_file_long(self, tmpfile):

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

596

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

597

On Python 2 `Context.use_privatekey_file` accepts a filetype of

598

type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

599

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

600

self._use_privatekey_file_test(tmpfile, long(FILETYPE_PEM))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

601

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

602

def test_use_certificate_wrong_args(self):

603

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

604

`Context.use_certificate_wrong_args` raises `TypeError` when not passed

605

exactly one `OpenSSL.crypto.X509` instance as an argument.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

606

"""

607

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

608

with pytest.raises(TypeError):

609

ctx.use_certificate("hello, world")

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

610

611

def test_use_certificate_uninitialized(self):

612

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

613

`Context.use_certificate` raises `OpenSSL.SSL.Error` when passed a

614

`OpenSSL.crypto.X509` instance which has not been initialized

615

(ie, which does not actually have any certificate data).

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

616

"""

617

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

618

with pytest.raises(Error):

619

ctx.use_certificate(X509())

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

620

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

621

def test_use_certificate(self):

622

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

623

`Context.use_certificate` sets the certificate which will be

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

624

used to identify connections created using the context.

625

"""

626

# TODO

627

# Hard to assert anything. But we could set a privatekey then ask

628

# OpenSSL if the cert and key agree using check_privatekey. Then as

629

# long as check_privatekey works right we're good...

630

ctx = Context(TLSv1_METHOD)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

631

ctx.use_certificate(

632

load_certificate(FILETYPE_PEM, cleartextCertificatePEM)

633

)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

634

635

def test_use_certificate_file_wrong_args(self):

636

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

637

`Context.use_certificate_file` raises `TypeError` if the first

638

argument is not a byte string or the second argument is not an integer.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

639

"""

640

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

641

with pytest.raises(TypeError):

642

ctx.use_certificate_file(object(), FILETYPE_PEM)

643

with pytest.raises(TypeError):

644

ctx.use_certificate_file(b"somefile", object())

645

with pytest.raises(TypeError):

646

ctx.use_certificate_file(object(), FILETYPE_PEM)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

647

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

648

def test_use_certificate_file_missing(self, tmpfile):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

649

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

650

`Context.use_certificate_file` raises `OpenSSL.SSL.Error` if passed

651

the name of a file which does not exist.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

652

"""

653

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

654

with pytest.raises(Error):

655

ctx.use_certificate_file(tmpfile)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

656

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

657

def _use_certificate_file_test(self, certificate_file):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

658

"""

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

659

Verify that calling ``Context.use_certificate_file`` with the given

660

filename doesn't raise an exception.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

661

"""

662

# TODO

663

# Hard to assert anything. But we could set a privatekey then ask

664

# OpenSSL if the cert and key agree using check_privatekey. Then as

665

# long as check_privatekey works right we're good...

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

666

with open(certificate_file, "wb") as pem_file:

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

667

pem_file.write(cleartextCertificatePEM)

668

669

ctx = Context(TLSv1_METHOD)

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

670

ctx.use_certificate_file(certificate_file)

671

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

672

def test_use_certificate_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

673

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

674

`Context.use_certificate_file` sets the certificate (given as a

675

`bytes` filename) which will be used to identify connections created

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

676

using the context.

677

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

678

filename = tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

679

self._use_certificate_file_test(filename)

680

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

681

def test_use_certificate_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

682

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

683

`Context.use_certificate_file` sets the certificate (given as a

684

`bytes` filename) which will be used to identify connections created

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

685

using the context.

686

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

687

filename = tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

688

self._use_certificate_file_test(filename)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

689

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

690

@skip_if_py3

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

691

def test_use_certificate_file_long(self, tmpfile):

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

692

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

693

On Python 2 `Context.use_certificate_file` accepts a

694

filetype of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

695

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

696

pem_filename = tmpfile

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

697

with open(pem_filename, "wb") as pem_file:

698

pem_file.write(cleartextCertificatePEM)

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

699

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

700

ctx = Context(TLSv1_METHOD)

701

ctx.use_certificate_file(pem_filename, long(FILETYPE_PEM))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

702

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

703

def test_check_privatekey_valid(self):

704

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

705

`Context.check_privatekey` returns `None` if the `Context` instance

706

has been configured to use a matched key and certificate pair.

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

707

"""

708

key = load_privatekey(FILETYPE_PEM, client_key_pem)

709

cert = load_certificate(FILETYPE_PEM, client_cert_pem)

710

context = Context(TLSv1_METHOD)

711

context.use_privatekey(key)

712

context.use_certificate(cert)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

713

assert None is context.check_privatekey()

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

714

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

715

def test_check_privatekey_invalid(self):

716

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

717

`Context.check_privatekey` raises `Error` if the `Context` instance

718

has been configured to use a key and certificate pair which don't

719

relate to each other.

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

720

"""

721

key = load_privatekey(FILETYPE_PEM, client_key_pem)

722

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

723

context = Context(TLSv1_METHOD)

724

context.use_privatekey(key)

725

context.use_certificate(cert)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

726

with pytest.raises(Error):

727

context.check_privatekey()

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

728

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

729

def test_app_data(self):

730

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

731

`Context.set_app_data` stores an object for later retrieval

732

using `Context.get_app_data`.

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

733

"""

734

app_data = object()

735

context = Context(TLSv1_METHOD)

736

context.set_app_data(app_data)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

737

assert context.get_app_data() is app_data

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

738

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

739

def test_set_options_wrong_args(self):

740

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

741

`Context.set_options` raises `TypeError` if called with

742

a non-`int` argument.

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

743

"""

744

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

745

with pytest.raises(TypeError):

746

context.set_options(None)

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

747

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

748

def test_set_options(self):

749

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

750

`Context.set_options` returns the new options value.

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

751

"""

752

context = Context(TLSv1_METHOD)

753

options = context.set_options(OP_NO_SSLv2)

Alex Gaynor

2310f8b

2016-09-10 14:39:32 -0400

[diff] [blame]

754

assert options & OP_NO_SSLv2 == OP_NO_SSLv2

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

755

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

756

@skip_if_py3

757

def test_set_options_long(self):

758

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

759

On Python 2 `Context.set_options` accepts values of type

760

`long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

761

"""

762

context = Context(TLSv1_METHOD)

763

options = context.set_options(long(OP_NO_SSLv2))

Alex Gaynor

2310f8b

2016-09-10 14:39:32 -0400

[diff] [blame]

764

assert options & OP_NO_SSLv2 == OP_NO_SSLv2

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

765

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

766

def test_set_mode_wrong_args(self):

767

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

768

`Context.set_mode` raises `TypeError` if called with

769

a non-`int` argument.

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

770

"""

771

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

772

with pytest.raises(TypeError):

773

context.set_mode(None)

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

774

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

775

def test_set_mode(self):

776

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

777

`Context.set_mode` accepts a mode bitvector and returns the

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

778

newly set mode.

779

"""

780

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

781

assert MODE_RELEASE_BUFFERS & context.set_mode(MODE_RELEASE_BUFFERS)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

782

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

783

@skip_if_py3

784

def test_set_mode_long(self):

785

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

786

On Python 2 `Context.set_mode` accepts values of type `long` as well

787

as `int`.

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

788

"""

789

context = Context(TLSv1_METHOD)

790

mode = context.set_mode(long(MODE_RELEASE_BUFFERS))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

791

assert MODE_RELEASE_BUFFERS & mode

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

792

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

793

def test_set_timeout_wrong_args(self):

794

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

795

`Context.set_timeout` raises `TypeError` if called with

796

a non-`int` argument.

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

797

"""

798

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

799

with pytest.raises(TypeError):

800

context.set_timeout(None)

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

801

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

802

def test_timeout(self):

803

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

804

`Context.set_timeout` sets the session timeout for all connections

805

created using the context object. `Context.get_timeout` retrieves

806

this value.

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

807

"""

808

context = Context(TLSv1_METHOD)

809

context.set_timeout(1234)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

810

assert context.get_timeout() == 1234

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

811

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

812

@skip_if_py3

813

def test_timeout_long(self):

814

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

815

On Python 2 `Context.set_timeout` accepts values of type `long` as

816

well as int.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

817

"""

818

context = Context(TLSv1_METHOD)

819

context.set_timeout(long(1234))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

820

assert context.get_timeout() == 1234

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

821

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

822

def test_set_verify_depth_wrong_args(self):

823

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

824

`Context.set_verify_depth` raises `TypeError` if called with a

825

non-`int` argument.

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

826

"""

827

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

828

with pytest.raises(TypeError):

829

context.set_verify_depth(None)

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

830

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

831

def test_verify_depth(self):

832

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

833

`Context.set_verify_depth` sets the number of certificates in

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

834

a chain to follow before giving up. The value can be retrieved with

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

835

`Context.get_verify_depth`.

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

836

"""

837

context = Context(TLSv1_METHOD)

838

context.set_verify_depth(11)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

839

assert context.get_verify_depth() == 11

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

840

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

841

@skip_if_py3

842

def test_verify_depth_long(self):

843

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

844

On Python 2 `Context.set_verify_depth` accepts values of type `long`

845

as well as int.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

846

"""

847

context = Context(TLSv1_METHOD)

848

context.set_verify_depth(long(11))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

849

assert context.get_verify_depth() == 11

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

850

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

851

def _write_encrypted_pem(self, passphrase, tmpfile):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

852

"""

853

Write a new private key out to a new file, encrypted using the given

854

passphrase. Return the path to the new file.

855

"""

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

856

key = PKey()

Alex Gaynor

6e9f976

2018-05-12 07:44:37 -0400

[diff] [blame]

857

key.generate_key(TYPE_RSA, 512)

Jean-Paul Calderone

a986883

2010-08-22 21:38:34 -0400

[diff] [blame]

858

pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

859

with open(tmpfile, 'w') as fObj:

860

fObj.write(pem.decode('ascii'))

861

return tmpfile

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

862

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

863

def test_set_passwd_cb_wrong_args(self):

864

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

865

`Context.set_passwd_cb` raises `TypeError` if called with a

866

non-callable first argument.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

867

"""

868

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

869

with pytest.raises(TypeError):

870

context.set_passwd_cb(None)

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

871

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

872

def test_set_passwd_cb(self, tmpfile):

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

873

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

874

`Context.set_passwd_cb` accepts a callable which will be invoked when

875

a private key is loaded from an encrypted PEM.

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

876

"""

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

877

passphrase = b"foobar"

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

878

pemFile = self._write_encrypted_pem(passphrase, tmpfile)

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

879

calledWith = []

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

880

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

881

def passphraseCallback(maxlen, verify, extra):

882

calledWith.append((maxlen, verify, extra))

883

return passphrase

884

context = Context(TLSv1_METHOD)

885

context.set_passwd_cb(passphraseCallback)

886

context.use_privatekey_file(pemFile)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

887

assert len(calledWith) == 1

888

assert isinstance(calledWith[0][0], int)

889

assert isinstance(calledWith[0][1], int)

890

assert calledWith[0][2] is None

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

891

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

892

def test_passwd_callback_exception(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

893

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

894

`Context.use_privatekey_file` propagates any exception raised

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

895

by the passphrase callback.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

896

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

897

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

898

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

899

def passphraseCallback(maxlen, verify, extra):

900

raise RuntimeError("Sorry, I am a fail.")

901

902

context = Context(TLSv1_METHOD)

903

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

904

with pytest.raises(RuntimeError):

905

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

906

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

907

def test_passwd_callback_false(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

908

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

909

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` if the

910

passphrase callback returns a false value.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

911

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

912

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

913

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

914

def passphraseCallback(maxlen, verify, extra):

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

915

return b""

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

916

917

context = Context(TLSv1_METHOD)

918

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

919

with pytest.raises(Error):

920

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

921

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

922

def test_passwd_callback_non_string(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

923

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

924

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` if the

925

passphrase callback returns a true non-string value.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

926

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

927

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

928

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

929

def passphraseCallback(maxlen, verify, extra):

930

return 10

931

932

context = Context(TLSv1_METHOD)

933

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

934

# TODO: Surely this is the wrong error?

935

with pytest.raises(ValueError):

936

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

937

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

938

def test_passwd_callback_too_long(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

939

"""

940

If the passphrase returned by the passphrase callback returns a string

941

longer than the indicated maximum length, it is truncated.

942

"""

943

# A priori knowledge!

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

944

passphrase = b"x" * 1024

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

945

pemFile = self._write_encrypted_pem(passphrase, tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

946

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

947

def passphraseCallback(maxlen, verify, extra):

948

assert maxlen == 1024

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

949

return passphrase + b"y"

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

950

951

context = Context(TLSv1_METHOD)

952

context.set_passwd_cb(passphraseCallback)

953

# This shall succeed because the truncated result is the correct

954

# passphrase.

955

context.use_privatekey_file(pemFile)

956

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

957

def test_set_info_callback(self):

958

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

959

`Context.set_info_callback` accepts a callable which will be

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

960

invoked when certain information about an SSL connection is available.

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

961

"""

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

962

(server, client) = socket_pair()

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

963

964

clientSSL = Connection(Context(TLSv1_METHOD), client)

965

clientSSL.set_connect_state()

966

967

called = []

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

968

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

969

def info(conn, where, ret):

970

called.append((conn, where, ret))

971

context = Context(TLSv1_METHOD)

972

context.set_info_callback(info)

973

context.use_certificate(

974

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

975

context.use_privatekey(

976

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

977

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

978

serverSSL = Connection(context, server)

979

serverSSL.set_accept_state()

980

Jean-Paul Calderone

f2bbc9c

2014-02-02 10:59:14 -0500

[diff] [blame]

981

handshake(clientSSL, serverSSL)

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

982

Jean-Paul Calderone

3835e52

2014-02-02 11:12:30 -0500

[diff] [blame]

983

# The callback must always be called with a Connection instance as the

984

# first argument. It would probably be better to split this into

985

# separate tests for client and server side info callbacks so we could

986

# assert it is called with the right Connection instance. It would

987

# also be good to assert *something* about `where` and `ret`.

Jean-Paul Calderone

f2bbc9c

2014-02-02 10:59:14 -0500

[diff] [blame]

988

notConnections = [

989

conn for (conn, where, ret) in called

990

if not isinstance(conn, Connection)]

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

991

assert [] == notConnections, (

992

"Some info callback arguments were not Connection instances.")

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

993

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

994

def _load_verify_locations_test(self, *args):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

995

"""

996

Create a client context which will verify the peer certificate and call

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

997

its `load_verify_locations` method with the given arguments.

Jean-Paul Calderone

64efa2c

2011-09-11 10:00:09 -0400

[diff] [blame]

998

Then connect it to a server and ensure that the handshake succeeds.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

999

"""

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

1000

(server, client) = socket_pair()

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1001

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1002

clientContext = Context(TLSv1_METHOD)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1003

clientContext.load_verify_locations(*args)

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1004

# Require that the server certificate verify properly or the

1005

# connection will fail.

1006

clientContext.set_verify(

1007

VERIFY_PEER,

1008

lambda conn, cert, errno, depth, preverify_ok: preverify_ok)

1009

1010

clientSSL = Connection(clientContext, client)

1011

clientSSL.set_connect_state()

1012

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1013

serverContext = Context(TLSv1_METHOD)

1014

serverContext.use_certificate(

1015

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1016

serverContext.use_privatekey(

1017

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1018

1019

serverSSL = Connection(serverContext, server)

1020

serverSSL.set_accept_state()

1021

Jean-Paul Calderone

f874203

2010-09-25 00:00:32 -0400

[diff] [blame]

1022

# Without load_verify_locations above, the handshake

1023

# will fail:

1024

# Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE',

1025

# 'certificate verify failed')]

1026

handshake(clientSSL, serverSSL)

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1027

1028

cert = clientSSL.get_peer_certificate()

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1029

assert cert.get_subject().CN == 'Testing Root CA'

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1030

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1031

def _load_verify_cafile(self, cafile):

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1032

"""

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1033

Verify that if path to a file containing a certificate is passed to

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1034

`Context.load_verify_locations` for the ``cafile`` parameter, that

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1035

certificate is used as a trust root for the purposes of verifying

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1036

connections created using that `Context`.

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1037

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1038

with open(cafile, 'w') as fObj:

1039

fObj.write(cleartextCertificatePEM.decode('ascii'))

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1040

1041

self._load_verify_locations_test(cafile)

1042

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1043

def test_load_verify_bytes_cafile(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1044

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1045

`Context.load_verify_locations` accepts a file name as a `bytes`

1046

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1047

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1048

cafile = tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1049

self._load_verify_cafile(cafile)

1050

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1051

def test_load_verify_unicode_cafile(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1052

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1053

`Context.load_verify_locations` accepts a file name as a `unicode`

1054

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1055

"""

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1056

self._load_verify_cafile(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1057

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1058

)

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1059

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1060

def test_load_verify_invalid_file(self, tmpfile):

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1061

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1062

`Context.load_verify_locations` raises `Error` when passed a

1063

non-existent cafile.

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1064

"""

1065

clientContext = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1066

with pytest.raises(Error):

1067

clientContext.load_verify_locations(tmpfile)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1068

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1069

def _load_verify_directory_locations_capath(self, capath):

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1070

"""

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1071

Verify that if path to a directory containing certificate files is

1072

passed to ``Context.load_verify_locations`` for the ``capath``

1073

parameter, those certificates are used as trust roots for the purposes

1074

of verifying connections created using that ``Context``.

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1075

"""

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1076

makedirs(capath)

Jean-Paul Calderone

24dfb33

2011-05-04 18:10:26 -0400

[diff] [blame]

1077

# Hash values computed manually with c_rehash to avoid depending on

1078

# c_rehash in the test suite. One is from OpenSSL 0.9.8, the other

1079

# from OpenSSL 1.0.0.

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

1080

for name in [b'c7adac82.0', b'c3705638.0']:

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

1081

cafile = join_bytes_or_unicode(capath, name)

1082

with open(cafile, 'w') as fObj:

1083

fObj.write(cleartextCertificatePEM.decode('ascii'))

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1084

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1085

self._load_verify_locations_test(None, capath)

1086

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1087

def test_load_verify_directory_bytes_capath(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1088

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1089

`Context.load_verify_locations` accepts a directory name as a `bytes`

1090

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1091

"""

1092

self._load_verify_directory_locations_capath(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1093

tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1094

)

1095

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1096

def test_load_verify_directory_unicode_capath(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1097

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1098

`Context.load_verify_locations` accepts a directory name as a `unicode`

1099

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1100

"""

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1101

self._load_verify_directory_locations_capath(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1102

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1103

)

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1104

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1105

def test_load_verify_locations_wrong_args(self):

1106

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1107

`Context.load_verify_locations` raises `TypeError` if with non-`str`

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1108

arguments.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1109

"""

1110

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1111

with pytest.raises(TypeError):

1112

context.load_verify_locations(object())

1113

with pytest.raises(TypeError):

1114

context.load_verify_locations(object(), object())

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1115

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1116

@pytest.mark.skipif(

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

1117

not platform.startswith("linux"),

1118

reason="Loading fallback paths is a linux-specific behavior to "

1119

"accommodate pyca/cryptography manylinux1 wheels"

1120

)

1121

def test_fallback_default_verify_paths(self, monkeypatch):

1122

"""

1123

Test that we load certificates successfully on linux from the fallback

1124

path. To do this we set the _CRYPTOGRAPHY_MANYLINUX1_CA_FILE and

1125

_CRYPTOGRAPHY_MANYLINUX1_CA_DIR vars to be equal to whatever the

1126

current OpenSSL default is and we disable

1127

SSL_CTX_SET_default_verify_paths so that it can't find certs unless

1128

it loads via fallback.

1129

"""

1130

context = Context(TLSv1_METHOD)

1131

monkeypatch.setattr(

1132

_lib, "SSL_CTX_set_default_verify_paths", lambda x: 1

)

monkeypatch.setattr(

SSL,

"_CRYPTOGRAPHY_MANYLINUX1_CA_FILE",

1137

_ffi.string(_lib.X509_get_default_cert_file())

)

monkeypatch.setattr(

SSL,

"_CRYPTOGRAPHY_MANYLINUX1_CA_DIR",

1142

_ffi.string(_lib.X509_get_default_cert_dir())

1143

)

1144

context.set_default_verify_paths()

1145

store = context.get_cert_store()

1146

sk_obj = _lib.X509_STORE_get0_objects(store._store)

1147

assert sk_obj != _ffi.NULL

1148

num = _lib.sk_X509_OBJECT_num(sk_obj)

1149

assert num != 0

1150

1151

def test_check_env_vars(self, monkeypatch):

1152

"""

1153

Test that we return True/False appropriately if the env vars are set.

1154

"""

1155

context = Context(TLSv1_METHOD)

1156

dir_var = "CUSTOM_DIR_VAR"

1157

file_var = "CUSTOM_FILE_VAR"

1158

assert context._check_env_vars_set(dir_var, file_var) is False

1159

monkeypatch.setenv(dir_var, "value")

1160

monkeypatch.setenv(file_var, "value")

1161

assert context._check_env_vars_set(dir_var, file_var) is True

1162

assert context._check_env_vars_set(dir_var, file_var) is True

1163

1164

def test_verify_no_fallback_if_env_vars_set(self, monkeypatch):

1165

"""

1166

Test that we don't use the fallback path if env vars are set.

1167

"""

1168

context = Context(TLSv1_METHOD)

1169

monkeypatch.setattr(

1170

_lib, "SSL_CTX_set_default_verify_paths", lambda x: 1

1171

)

1172

dir_env_var = _ffi.string(

1173

_lib.X509_get_default_cert_dir_env()

1174

).decode("ascii")

1175

file_env_var = _ffi.string(

1176

_lib.X509_get_default_cert_file_env()

1177

).decode("ascii")

1178

monkeypatch.setenv(dir_env_var, "value")

1179

monkeypatch.setenv(file_env_var, "value")

1180

context.set_default_verify_paths()

monkeypatch.setattr(

context,

"_fallback_default_verify_paths",

1185

raiser(SystemError)

1186

)

1187

context.set_default_verify_paths()

1188

1189

@pytest.mark.skipif(

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1190

platform == "win32",

1191

reason="set_default_verify_paths appears not to work on Windows. "

Jean-Paul Calderone

28fb8f0

2009-07-24 18:01:31 -0400

[diff] [blame]

1192

"See LP#404343 and LP#404344."

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1193

)

1194

def test_set_default_verify_paths(self):

1195

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1196

`Context.set_default_verify_paths` causes the platform-specific CA

1197

certificate locations to be used for verification purposes.

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1198

"""

1199

# Testing this requires a server with a certificate signed by one

1200

# of the CAs in the platform CA location. Getting one of those

1201

# costs money. Fortunately (or unfortunately, depending on your

1202

# perspective), it's easy to think of a public server on the

1203

# internet which has such a certificate. Connecting to the network

1204

# in a unit test is bad, but it's the only way I can think of to

1205

# really test this. -exarkun

Hynek Schlawack

bf88793

2015-10-21 17:13:47 +0200

[diff] [blame]

1206

context = Context(SSLv23_METHOD)

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1207

context.set_default_verify_paths()

1208

context.set_verify(

1209

VERIFY_PEER,

1210

lambda conn, cert, errno, depth, preverify_ok: preverify_ok)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1211

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1212

client = socket()

Hynek Schlawack

bf88793

2015-10-21 17:13:47 +0200

[diff] [blame]

1213

client.connect(("encrypted.google.com", 443))

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1214

clientSSL = Connection(context, client)

1215

clientSSL.set_connect_state()

Alex Gaynor

373926c

2018-05-12 07:43:07 -0400

[diff] [blame]

1216

clientSSL.set_tlsext_host_name(b"encrypted.google.com")

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1217

clientSSL.do_handshake()

1218

clientSSL.send(b"GET / HTTP/1.0\r\n\r\n")

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1219

assert clientSSL.recv(1024)

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

1220

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

1221

def test_fallback_path_is_not_file_or_dir(self):

1222

"""

1223

Test that when passed empty arrays or paths that do not exist no

1224

errors are raised.

1225

"""

1226

context = Context(TLSv1_METHOD)

1227

context._fallback_default_verify_paths([], [])

1228

context._fallback_default_verify_paths(

1229

["/not/a/file"], ["/not/a/dir"]

1230

)

1231

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1232

def test_add_extra_chain_cert_invalid_cert(self):

1233

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1234

`Context.add_extra_chain_cert` raises `TypeError` if called with an

1235

object which is not an instance of `X509`.

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1236

"""

1237

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1238

with pytest.raises(TypeError):

1239

context.add_extra_chain_cert(object())

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1240

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1241

def _handshake_test(self, serverContext, clientContext):

1242

"""

1243

Verify that a client and server created with the given contexts can

1244

successfully handshake and communicate.

1245

"""

1246

serverSocket, clientSocket = socket_pair()

1247

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1248

server = Connection(serverContext, serverSocket)

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

1249

server.set_accept_state()

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1250

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1251

client = Connection(clientContext, clientSocket)

1252

client.set_connect_state()

1253

1254

# Make them talk to each other.

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1255

# interact_in_memory(client, server)

1256

for _ in range(3):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1257

for s in [client, server]:

1258

try:

1259

s.do_handshake()

1260

except WantReadError:

1261

pass

1262

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1263

def test_set_verify_callback_connection_argument(self):

1264

"""

1265

The first argument passed to the verify callback is the

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1266

`Connection` instance for which verification is taking place.

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1267

"""

1268

serverContext = Context(TLSv1_METHOD)

1269

serverContext.use_privatekey(

1270

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1271

serverContext.use_certificate(

1272

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1273

serverConnection = Connection(serverContext, None)

1274

1275

class VerifyCallback(object):

1276

def callback(self, connection, *args):

1277

self.connection = connection

1278

return 1

1279

1280

verify = VerifyCallback()

1281

clientContext = Context(TLSv1_METHOD)

1282

clientContext.set_verify(VERIFY_PEER, verify.callback)

1283

clientConnection = Connection(clientContext, None)

1284

clientConnection.set_connect_state()

1285

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1286

handshake_in_memory(clientConnection, serverConnection)

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1287

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1288

assert verify.connection is clientConnection

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1289

Paul Kehrer

e738186

2017-11-30 20:55:25 +0800

[diff] [blame]

1290

def test_x509_in_verify_works(self):

1291

"""

1292

We had a bug where the X509 cert instantiated in the callback wrapper

1293

didn't __init__ so it was missing objects needed when calling

1294

get_subject. This test sets up a handshake where we call get_subject

1295

on the cert provided to the verify callback.

1296

"""

1297

serverContext = Context(TLSv1_METHOD)

1298

serverContext.use_privatekey(

1299

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1300

serverContext.use_certificate(

1301

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1302

serverConnection = Connection(serverContext, None)

1303

1304

def verify_cb_get_subject(conn, cert, errnum, depth, ok):

1305

assert cert.get_subject()

1306

return 1

1307

1308

clientContext = Context(TLSv1_METHOD)

1309

clientContext.set_verify(VERIFY_PEER, verify_cb_get_subject)

1310

clientConnection = Connection(clientContext, None)

1311

clientConnection.set_connect_state()

1312

1313

handshake_in_memory(clientConnection, serverConnection)

1314

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1315

def test_set_verify_callback_exception(self):

1316

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1317

If the verify callback passed to `Context.set_verify` raises an

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1318

exception, verification fails and the exception is propagated to the

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1319

caller of `Connection.do_handshake`.

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1320

"""

Paul Kehrer

2019-01-21 12:24:02 -0600

[diff] [blame]

1321

serverContext = Context(TLSv1_2_METHOD)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1322

serverContext.use_privatekey(

1323

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1324

serverContext.use_certificate(

1325

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1326

Paul Kehrer

2019-01-21 12:24:02 -0600

[diff] [blame]

1327

clientContext = Context(TLSv1_2_METHOD)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1328

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1329

def verify_callback(*args):

1330

raise Exception("silly verify failure")

1331

clientContext.set_verify(VERIFY_PEER, verify_callback)

1332

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1333

with pytest.raises(Exception) as exc:

1334

self._handshake_test(serverContext, clientContext)

1335

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1336

assert "silly verify failure" == str(exc.value)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1337

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1338

def test_add_extra_chain_cert(self, tmpdir):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1339

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1340

`Context.add_extra_chain_cert` accepts an `X509`

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1341

instance to add to the certificate chain.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1342

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1343

See `_create_certificate_chain` for the details of the

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1344

certificate chain tested.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1345

1346

The chain is tested by starting a server with scert and connecting

1347

to it with a client which trusts cacert and requires verification to

1348

succeed.

1349

"""

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

1350

chain = _create_certificate_chain()

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1351

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

1352

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1353

# Dump the CA certificate to a file because that's the only way to load

1354

# it as a trusted CA in the client context.

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1355

for cert, name in [(cacert, 'ca.pem'),

1356

(icert, 'i.pem'),

1357

(scert, 's.pem')]:

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1358

with tmpdir.join(name).open('w') as f:

Hynek Schlawack

e90680f

2015-04-16 15:09:27 -0400

[diff] [blame]

1359

f.write(dump_certificate(FILETYPE_PEM, cert).decode('ascii'))

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1360

Hynek Schlawack

1902c01

2015-04-16 15:06:41 -0400

[diff] [blame]

1361

for key, name in [(cakey, 'ca.key'),

1362

(ikey, 'i.key'),

1363

(skey, 's.key')]:

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1364

with tmpdir.join(name).open('w') as f:

Hynek Schlawack

e90680f

2015-04-16 15:09:27 -0400

[diff] [blame]

1365

f.write(dump_privatekey(FILETYPE_PEM, key).decode('ascii'))

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1366

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1367

# Create the server context

1368

serverContext = Context(TLSv1_METHOD)

1369

serverContext.use_privatekey(skey)

1370

serverContext.use_certificate(scert)

Jean-Paul Calderone

16cf03d

2010-09-08 18:53:39 -0400

[diff] [blame]

1371

# The client already has cacert, we only need to give them icert.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1372

serverContext.add_extra_chain_cert(icert)

1373

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1374

# Create the client

1375

clientContext = Context(TLSv1_METHOD)

1376

clientContext.set_verify(

1377

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1378

clientContext.load_verify_locations(str(tmpdir.join("ca.pem")))

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

1379

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1380

# Try it out.

1381

self._handshake_test(serverContext, clientContext)

1382

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1383

def _use_certificate_chain_file_test(self, certdir):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1384

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1385

Verify that `Context.use_certificate_chain_file` reads a

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1386

certificate chain from a specified file.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1387

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1388

The chain is tested by starting a server with scert and connecting to

1389

it with a client which trusts cacert and requires verification to

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1390

succeed.

1391

"""

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

1392

chain = _create_certificate_chain()

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1393

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

1394

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1395

makedirs(certdir)

1396

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

1397

chainFile = join_bytes_or_unicode(certdir, "chain.pem")

1398

caFile = join_bytes_or_unicode(certdir, "ca.pem")

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1399

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1400

# Write out the chain file.

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1401

with open(chainFile, 'wb') as fObj:

1402

# Most specific to least general.

1403

fObj.write(dump_certificate(FILETYPE_PEM, scert))

1404

fObj.write(dump_certificate(FILETYPE_PEM, icert))

1405

fObj.write(dump_certificate(FILETYPE_PEM, cacert))

1406

1407

with open(caFile, 'w') as fObj:

1408

fObj.write(dump_certificate(FILETYPE_PEM, cacert).decode('ascii'))

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1409

1410

serverContext = Context(TLSv1_METHOD)

1411

serverContext.use_certificate_chain_file(chainFile)

1412

serverContext.use_privatekey(skey)

1413

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1414

clientContext = Context(TLSv1_METHOD)

1415

clientContext.set_verify(

1416

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1417

clientContext.load_verify_locations(caFile)

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1418

1419

self._handshake_test(serverContext, clientContext)

1420

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1421

def test_use_certificate_chain_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1422

"""

1423

``Context.use_certificate_chain_file`` accepts the name of a file (as

1424

an instance of ``bytes``) to specify additional certificates to use to

1425

construct and verify a trust chain.

1426

"""

1427

self._use_certificate_chain_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1428

tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1429

)

1430

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1431

def test_use_certificate_chain_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1432

"""

1433

``Context.use_certificate_chain_file`` accepts the name of a file (as

1434

an instance of ``unicode``) to specify additional certificates to use

1435

to construct and verify a trust chain.

1436

"""

1437

self._use_certificate_chain_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1438

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1439

)

1440

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1441

def test_use_certificate_chain_file_wrong_args(self):

1442

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1443

`Context.use_certificate_chain_file` raises `TypeError` if passed a

1444

non-byte string single argument.

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1445

"""

1446

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1447

with pytest.raises(TypeError):

1448

context.use_certificate_chain_file(object())

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1449

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1450

def test_use_certificate_chain_file_missing_file(self, tmpfile):

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1451

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1452

`Context.use_certificate_chain_file` raises `OpenSSL.SSL.Error` when

1453

passed a bad chain file name (for example, the name of a file which

1454

does not exist).

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1455

"""

1456

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1457

with pytest.raises(Error):

1458

context.use_certificate_chain_file(tmpfile)

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1459

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1460

def test_set_verify_mode(self):

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1461

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1462

`Context.get_verify_mode` returns the verify mode flags previously

1463

passed to `Context.set_verify`.

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1464

"""

1465

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1466

assert context.get_verify_mode() == 0

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1467

context.set_verify(

1468

VERIFY_PEER | VERIFY_CLIENT_ONCE, lambda *args: None)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1469

assert context.get_verify_mode() == (VERIFY_PEER | VERIFY_CLIENT_ONCE)

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1470

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1471

@skip_if_py3

1472

def test_set_verify_mode_long(self):

1473

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1474

On Python 2 `Context.set_verify_mode` accepts values of type `long`

1475

as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1476

"""

1477

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1478

assert context.get_verify_mode() == 0

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1479

context.set_verify(

Hynek Schlawack

b4ceed3

2015-09-05 20:55:19 +0200

[diff] [blame]

1480

long(VERIFY_PEER | VERIFY_CLIENT_ONCE), lambda *args: None

1481

) # pragma: nocover

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1482

assert context.get_verify_mode() == (VERIFY_PEER | VERIFY_CLIENT_ONCE)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1483

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1484

@pytest.mark.parametrize('mode', [None, 1.0, object(), 'mode'])

1485

def test_set_verify_wrong_mode_arg(self, mode):

1486

"""

1487

`Context.set_verify` raises `TypeError` if the first argument is

1488

not an integer.

1489

"""

1490

context = Context(TLSv1_METHOD)

1491

with pytest.raises(TypeError):

1492

context.set_verify(mode=mode, callback=lambda *args: None)

1493

1494

@pytest.mark.parametrize('callback', [None, 1.0, 'mode', ('foo', 'bar')])

1495

def test_set_verify_wrong_callable_arg(self, callback):

1496

"""

Alex Gaynor

40bc0f1

2018-05-14 14:06:16 -0400

[diff] [blame]

1497

`Context.set_verify` raises `TypeError` if the second argument

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1498

is not callable.

1499

"""

1500

context = Context(TLSv1_METHOD)

1501

with pytest.raises(TypeError):

1502

context.set_verify(mode=VERIFY_PEER, callback=callback)

1503

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1504

def test_load_tmp_dh_wrong_args(self):

1505

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1506

`Context.load_tmp_dh` raises `TypeError` if called with a

1507

non-`str` argument.

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1508

"""

1509

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1510

with pytest.raises(TypeError):

1511

context.load_tmp_dh(object())

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1512

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1513

def test_load_tmp_dh_missing_file(self):

1514

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1515

`Context.load_tmp_dh` raises `OpenSSL.SSL.Error` if the

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1516

specified file does not exist.

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1517

"""

1518

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1519

with pytest.raises(Error):

1520

context.load_tmp_dh(b"hello")

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1521

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1522

def _load_tmp_dh_test(self, dhfilename):

Jean-Paul Calderone

4e0c43f

2015-04-13 10:15:17 -0400

[diff] [blame]

1523

"""

1524

Verify that calling ``Context.load_tmp_dh`` with the given filename

1525

does not raise an exception.

1526

"""

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1527

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1528

with open(dhfilename, "w") as dhfile:

1529

dhfile.write(dhparam)

1530

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1531

context.load_tmp_dh(dhfilename)

1532

# XXX What should I assert here? -exarkun

1533

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1534

def test_load_tmp_dh_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1535

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1536

`Context.load_tmp_dh` loads Diffie-Hellman parameters from the

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1537

specified file (given as ``bytes``).

1538

"""

1539

self._load_tmp_dh_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1540

tmpfile + NON_ASCII.encode(getfilesystemencoding()),

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1541

)

1542

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1543

def test_load_tmp_dh_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1544

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1545

`Context.load_tmp_dh` loads Diffie-Hellman parameters from the

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1546

specified file (given as ``unicode``).

1547

"""

1548

self._load_tmp_dh_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1549

tmpfile.decode(getfilesystemencoding()) + NON_ASCII,

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1550

)

1551

Jean-Paul Calderone

3e4e335

2014-04-19 09:28:28 -0400

[diff] [blame]

1552

def test_set_tmp_ecdh(self):

Andy Lutomirski

f05a273

2014-03-13 17:22:25 -0700

[diff] [blame]

1553

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1554

`Context.set_tmp_ecdh` sets the elliptic curve for Diffie-Hellman to

1555

the specified curve.

Andy Lutomirski

f05a273

2014-03-13 17:22:25 -0700

[diff] [blame]

1556

"""

1557

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

1558

for curve in get_elliptic_curves():

Hynek Schlawack

a07fa8c

2015-10-17 10:15:28 +0200

[diff] [blame]

1559

if curve.name.startswith(u"Oakley-"):

Hynek Schlawack

7408aff

2015-10-17 09:51:16 +0200

[diff] [blame]

1560

# Setting Oakley-EC2N-4 and Oakley-EC2N-3 adds

1561

# ('bignum routines', 'BN_mod_inverse', 'no inverse') to the

1562

# error queue on OpenSSL 1.0.2.

1563

continue

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

1564

# The only easily "assertable" thing is that it does not raise an

1565

# exception.

Jean-Paul Calderone

3e4e335

2014-04-19 09:28:28 -0400

[diff] [blame]

1566

context.set_tmp_ecdh(curve)

Alex Gaynor

12dc084

2014-01-17 12:51:31 -0600

[diff] [blame]

1567

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1568

def test_set_session_cache_mode_wrong_args(self):

1569

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1570

`Context.set_session_cache_mode` raises `TypeError` if called with

1571

a non-integer argument.

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1572

called with other than one integer argument.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1573

"""

1574

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1575

with pytest.raises(TypeError):

1576

context.set_session_cache_mode(object())

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1577

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1578

def test_session_cache_mode(self):

1579

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1580

`Context.set_session_cache_mode` specifies how sessions are cached.

1581

The setting can be retrieved via `Context.get_session_cache_mode`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1582

"""

1583

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1584

context.set_session_cache_mode(SESS_CACHE_OFF)

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1585

off = context.set_session_cache_mode(SESS_CACHE_BOTH)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1586

assert SESS_CACHE_OFF == off

1587

assert SESS_CACHE_BOTH == context.get_session_cache_mode()

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1588

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1589

@skip_if_py3

1590

def test_session_cache_mode_long(self):

1591

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1592

On Python 2 `Context.set_session_cache_mode` accepts values

1593

of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1594

"""

1595

context = Context(TLSv1_METHOD)

1596

context.set_session_cache_mode(long(SESS_CACHE_BOTH))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1597

assert SESS_CACHE_BOTH == context.get_session_cache_mode()

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1598

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1599

def test_get_cert_store(self):

1600

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1601

`Context.get_cert_store` returns a `X509Store` instance.

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1602

"""

1603

context = Context(TLSv1_METHOD)

1604

store = context.get_cert_store()

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1605

assert isinstance(store, X509Store)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1606

Jeremy Lainé

02261ad

2018-05-16 18:33:25 +0200

[diff] [blame]

1607

def test_set_tlsext_use_srtp_not_bytes(self):

1608

"""

1609

`Context.set_tlsext_use_srtp' enables negotiating SRTP keying material.

1610

1611

It raises a TypeError if the list of profiles is not a byte string.

1612

"""

1613

context = Context(TLSv1_METHOD)

1614

with pytest.raises(TypeError):

1615

context.set_tlsext_use_srtp(text_type('SRTP_AES128_CM_SHA1_80'))

1616

1617

def test_set_tlsext_use_srtp_invalid_profile(self):

1618

"""

1619

`Context.set_tlsext_use_srtp' enables negotiating SRTP keying material.

1620

1621

It raises an Error if the call to OpenSSL fails.

1622

"""

1623

context = Context(TLSv1_METHOD)

1624

with pytest.raises(Error):

1625

context.set_tlsext_use_srtp(b'SRTP_BOGUS')

1626

1627

def test_set_tlsext_use_srtp_valid(self):

1628

"""

1629

`Context.set_tlsext_use_srtp' enables negotiating SRTP keying material.

1630

1631

It does not return anything.

1632

"""

1633

context = Context(TLSv1_METHOD)

1634

assert context.set_tlsext_use_srtp(b'SRTP_AES128_CM_SHA1_80') is None

1635

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1636

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1637

class TestServerNameCallback(object):

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1638

"""

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1639

Tests for `Context.set_tlsext_servername_callback` and its

1640

interaction with `Connection`.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1641

"""

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1642

def test_old_callback_forgotten(self):

1643

"""

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1644

If `Context.set_tlsext_servername_callback` is used to specify

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1645

a new callback, the one it replaces is dereferenced.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1646

"""

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1647

def callback(connection): # pragma: no cover

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1648

pass

1649

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1650

def replacement(connection): # pragma: no cover

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1651

pass

1652

1653

context = Context(TLSv1_METHOD)

1654

context.set_tlsext_servername_callback(callback)

1655

1656

tracker = ref(callback)

1657

del callback

1658

1659

context.set_tlsext_servername_callback(replacement)

Jean-Paul Calderone

d4033eb

2014-01-11 08:21:46 -0500

[diff] [blame]

1660

1661

# One run of the garbage collector happens to work on CPython. PyPy

1662

# doesn't collect the underlying object until a second run for whatever

1663

# reason. That's fine, it still demonstrates our code has properly

1664

# dropped the reference.

1665

collect()

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1666

collect()

Jean-Paul Calderone

4c1aacd

2014-01-11 08:15:17 -0500

[diff] [blame]

1667

1668

callback = tracker()

1669

if callback is not None:

1670

referrers = get_referrers(callback)

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1671

if len(referrers) > 1: # pragma: nocover

1672

pytest.fail("Some references remain: %r" % (referrers,))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1673

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1674

def test_no_servername(self):

1675

"""

1676

When a client specifies no server name, the callback passed to

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1677

`Context.set_tlsext_servername_callback` is invoked and the

1678

result of `Connection.get_servername` is `None`.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1679

"""

1680

args = []

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1681

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1682

def servername(conn):

1683

args.append((conn, conn.get_servername()))

1684

context = Context(TLSv1_METHOD)

1685

context.set_tlsext_servername_callback(servername)

1686

1687

# Lose our reference to it. The Context is responsible for keeping it

# alive now.

del servername

collect()

# Necessary to actually accept the connection

1693

context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1694

context.use_certificate(

1695

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1696

1697

# Do a little connection to trigger the logic

1698

server = Connection(context, None)

1699

server.set_accept_state()

1700

1701

client = Connection(Context(TLSv1_METHOD), None)

1702

client.set_connect_state()

1703

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1704

interact_in_memory(server, client)

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1705

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1706

assert args == [(server, None)]

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1707

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1708

def test_servername(self):

1709

"""

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1710

When a client specifies a server name in its hello message, the

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1711

callback passed to `Contexts.set_tlsext_servername_callback` is

1712

invoked and the result of `Connection.get_servername` is that

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1713

server name.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1714

"""

1715

args = []

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1716

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1717

def servername(conn):

1718

args.append((conn, conn.get_servername()))

1719

context = Context(TLSv1_METHOD)

1720

context.set_tlsext_servername_callback(servername)

1721

1722

# Necessary to actually accept the connection

1723

context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1724

context.use_certificate(

1725

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1726

1727

# Do a little connection to trigger the logic

1728

server = Connection(context, None)

1729

server.set_accept_state()

1730

1731

client = Connection(Context(TLSv1_METHOD), None)

1732

client.set_connect_state()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

1733

client.set_tlsext_host_name(b"foo1.example.com")

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1734

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1735

interact_in_memory(server, client)

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1736

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1737

assert args == [(server, b"foo1.example.com")]

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1738

1739

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1740

class TestNextProtoNegotiation(object):

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1741

"""

1742

Test for Next Protocol Negotiation in PyOpenSSL.

1743

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1744

def test_npn_success(self):

1745

"""

1746

Tests that clients and servers that agree on the negotiated next

1747

protocol can correct establish a connection, and that the agreed

1748

protocol is reported by the connections.

"""

advertise_args = []

select_args = []

def advertise(conn):

advertise_args.append((conn,))

1755

return [b'http/1.1', b'spdy/2']

1756

1757

def select(conn, options):

1758

select_args.append((conn, options))

1759

return b'spdy/2'

1760

1761

server_context = Context(TLSv1_METHOD)

1762

server_context.set_npn_advertise_callback(advertise)

1763

1764

client_context = Context(TLSv1_METHOD)

1765

client_context.set_npn_select_callback(select)

1766

1767

# Necessary to actually accept the connection

1768

server_context.use_privatekey(

1769

load_privatekey(FILETYPE_PEM, server_key_pem))

1770

server_context.use_certificate(

1771

load_certificate(FILETYPE_PEM, server_cert_pem))

1772

1773

# Do a little connection to trigger the logic

1774

server = Connection(server_context, None)

1775

server.set_accept_state()

1776

1777

client = Connection(client_context, None)

1778

client.set_connect_state()

1779

1780

interact_in_memory(server, client)

1781

1782

assert advertise_args == [(server,)]

1783

assert select_args == [(client, [b'http/1.1', b'spdy/2'])]

1784

1785

assert server.get_next_proto_negotiated() == b'spdy/2'

1786

assert client.get_next_proto_negotiated() == b'spdy/2'

1787

1788

def test_npn_client_fail(self):

1789

"""

1790

Tests that when clients and servers cannot agree on what protocol

1791

to use next that the TLS connection does not get established.

"""

advertise_args = []

select_args = []

def advertise(conn):

advertise_args.append((conn,))

1798

return [b'http/1.1', b'spdy/2']

1799

1800

def select(conn, options):

1801

select_args.append((conn, options))

1802

return b''

1803

1804

server_context = Context(TLSv1_METHOD)

1805

server_context.set_npn_advertise_callback(advertise)

1806

1807

client_context = Context(TLSv1_METHOD)

1808

client_context.set_npn_select_callback(select)

1809

1810

# Necessary to actually accept the connection

1811

server_context.use_privatekey(

1812

load_privatekey(FILETYPE_PEM, server_key_pem))

1813

server_context.use_certificate(

1814

load_certificate(FILETYPE_PEM, server_cert_pem))

1815

1816

# Do a little connection to trigger the logic

1817

server = Connection(server_context, None)

1818

server.set_accept_state()

1819

1820

client = Connection(client_context, None)

1821

client.set_connect_state()

1822

1823

# If the client doesn't return anything, the connection will fail.

1824

with pytest.raises(Error):

1825

interact_in_memory(server, client)

1826

1827

assert advertise_args == [(server,)]

1828

assert select_args == [(client, [b'http/1.1', b'spdy/2'])]

1829

1830

def test_npn_select_error(self):

1831

"""

1832

Test that we can handle exceptions in the select callback. If

1833

select fails it should be fatal to the connection.

"""

advertise_args = []

def advertise(conn):

advertise_args.append((conn,))

1839

return [b'http/1.1', b'spdy/2']

1840

1841

def select(conn, options):

1842

raise TypeError

1843

1844

server_context = Context(TLSv1_METHOD)

1845

server_context.set_npn_advertise_callback(advertise)

1846

1847

client_context = Context(TLSv1_METHOD)

1848

client_context.set_npn_select_callback(select)

1849

1850

# Necessary to actually accept the connection

1851

server_context.use_privatekey(

1852

load_privatekey(FILETYPE_PEM, server_key_pem))

1853

server_context.use_certificate(

1854

load_certificate(FILETYPE_PEM, server_cert_pem))

1855

1856

# Do a little connection to trigger the logic

1857

server = Connection(server_context, None)

1858

server.set_accept_state()

1859

1860

client = Connection(client_context, None)

1861

client.set_connect_state()

1862

1863

# If the callback throws an exception it should be raised here.

1864

with pytest.raises(TypeError):

1865

interact_in_memory(server, client)

1866

assert advertise_args == [(server,), ]

1867

1868

def test_npn_advertise_error(self):

1869

"""

1870

Test that we can handle exceptions in the advertise callback. If

1871

advertise fails no NPN is advertised to the client.

"""

select_args = []

def advertise(conn):

raise TypeError

def select(conn, options): # pragma: nocover

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

1879

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1880

Assert later that no args are actually appended.

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

1881

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1882

select_args.append((conn, options))

1883

return b''

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1884

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1885

server_context = Context(TLSv1_METHOD)

1886

server_context.set_npn_advertise_callback(advertise)

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1887

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1888

client_context = Context(TLSv1_METHOD)

1889

client_context.set_npn_select_callback(select)

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1890

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1891

# Necessary to actually accept the connection

1892

server_context.use_privatekey(

1893

load_privatekey(FILETYPE_PEM, server_key_pem))

1894

server_context.use_certificate(

1895

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1896

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1897

# Do a little connection to trigger the logic

1898

server = Connection(server_context, None)

1899

server.set_accept_state()

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1900

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1901

client = Connection(client_context, None)

1902

client.set_connect_state()

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1903

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1904

# If the client doesn't return anything, the connection will fail.

1905

with pytest.raises(TypeError):

1906

interact_in_memory(server, client)

1907

assert select_args == []

Cory Benfield

0ea76e7

2015-03-22 09:05:28 +0000

[diff] [blame]

1908

1909

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1910

class TestApplicationLayerProtoNegotiation(object):

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1911

"""

1912

Tests for ALPN in PyOpenSSL.

1913

"""

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1914

# Skip tests on versions that don't support ALPN.

1915

if _lib.Cryptography_HAS_ALPN:

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1916

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1917

def test_alpn_success(self):

1918

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1919

Clients and servers that agree on the negotiated ALPN protocol can

1920

correct establish a connection, and the agreed protocol is reported

1921

by the connections.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1922

"""

1923

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1924

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1925

def select(conn, options):

1926

select_args.append((conn, options))

1927

return b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1928

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1929

client_context = Context(TLSv1_METHOD)

1930

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1931

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1932

server_context = Context(TLSv1_METHOD)

1933

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1934

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1935

# Necessary to actually accept the connection

1936

server_context.use_privatekey(

1937

load_privatekey(FILETYPE_PEM, server_key_pem))

1938

server_context.use_certificate(

1939

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1940

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1941

# Do a little connection to trigger the logic

1942

server = Connection(server_context, None)

1943

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1944

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1945

client = Connection(client_context, None)

1946

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1947

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1948

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1949

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1950

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1951

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1952

assert server.get_alpn_proto_negotiated() == b'spdy/2'

1953

assert client.get_alpn_proto_negotiated() == b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1954

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1955

def test_alpn_set_on_connection(self):

1956

"""

1957

The same as test_alpn_success, but setting the ALPN protocols on

1958

the connection rather than the context.

1959

"""

1960

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1961

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1962

def select(conn, options):

1963

select_args.append((conn, options))

1964

return b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1965

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1966

# Setup the client context but don't set any ALPN protocols.

1967

client_context = Context(TLSv1_METHOD)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1968

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1969

server_context = Context(TLSv1_METHOD)

1970

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1971

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1972

# Necessary to actually accept the connection

1973

server_context.use_privatekey(

1974

load_privatekey(FILETYPE_PEM, server_key_pem))

1975

server_context.use_certificate(

1976

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1977

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1978

# Do a little connection to trigger the logic

1979

server = Connection(server_context, None)

1980

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1981

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1982

# Set the ALPN protocols on the client connection.

1983

client = Connection(client_context, None)

1984

client.set_alpn_protos([b'http/1.1', b'spdy/2'])

1985

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1986

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1987

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1988

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1989

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1990

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1991

assert server.get_alpn_proto_negotiated() == b'spdy/2'

1992

assert client.get_alpn_proto_negotiated() == b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1993

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1994

def test_alpn_server_fail(self):

1995

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1996

When clients and servers cannot agree on what protocol to use next

1997

the TLS connection does not get established.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1998

"""

1999

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2000

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2001

def select(conn, options):

2002

select_args.append((conn, options))

2003

return b''

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

2004

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2005

client_context = Context(TLSv1_METHOD)

2006

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

2007

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2008

server_context = Context(TLSv1_METHOD)

2009

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

2010

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2011

# Necessary to actually accept the connection

2012

server_context.use_privatekey(

2013

load_privatekey(FILETYPE_PEM, server_key_pem))

2014

server_context.use_certificate(

2015

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

2016

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2017

# Do a little connection to trigger the logic

2018

server = Connection(server_context, None)

2019

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

2020

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2021

client = Connection(client_context, None)

2022

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

2023

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2024

# If the client doesn't return anything, the connection will fail.

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2025

with pytest.raises(Error):

2026

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

2027

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2028

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

2029

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2030

def test_alpn_no_server(self):

2031

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

2032

When clients and servers cannot agree on what protocol to use next

2033

because the server doesn't offer ALPN, no protocol is negotiated.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2034

"""

2035

client_context = Context(TLSv1_METHOD)

2036

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2037

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2038

server_context = Context(TLSv1_METHOD)

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2039

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2040

# Necessary to actually accept the connection

2041

server_context.use_privatekey(

2042

load_privatekey(FILETYPE_PEM, server_key_pem))

2043

server_context.use_certificate(

2044

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2045

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2046

# Do a little connection to trigger the logic

2047

server = Connection(server_context, None)

2048

server.set_accept_state()

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2049

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2050

client = Connection(client_context, None)

2051

client.set_connect_state()

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2052

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2053

# Do the dance.

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2054

interact_in_memory(server, client)

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2055

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2056

assert client.get_alpn_proto_negotiated() == b''

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2057

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2058

def test_alpn_callback_exception(self):

2059

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

2060

We can handle exceptions in the ALPN select callback.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2061

"""

2062

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2063

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2064

def select(conn, options):

2065

select_args.append((conn, options))

Cory Benfield

ef40145

2015-04-13 18:17:36 -0400

[diff] [blame]

2066

raise TypeError()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2067

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2068

client_context = Context(TLSv1_METHOD)

2069

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2070

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2071

server_context = Context(TLSv1_METHOD)

2072

server_context.set_alpn_select_callback(select)

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2073

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2074

# Necessary to actually accept the connection

2075

server_context.use_privatekey(

2076

load_privatekey(FILETYPE_PEM, server_key_pem))

2077

server_context.use_certificate(

2078

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2079

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2080

# Do a little connection to trigger the logic

2081

server = Connection(server_context, None)

2082

server.set_accept_state()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2083

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2084

client = Connection(client_context, None)

2085

client.set_connect_state()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2086

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2087

with pytest.raises(TypeError):

2088

interact_in_memory(server, client)

2089

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2090

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2091

else:

2092

# No ALPN.

2093

def test_alpn_not_implemented(self):

Cory Benfield

ef40145

2015-04-13 18:17:36 -0400

[diff] [blame]

2094

"""

2095

If ALPN is not in OpenSSL, we should raise NotImplementedError.

2096

"""

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2097

# Test the context methods first.

2098

context = Context(TLSv1_METHOD)

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2099

with pytest.raises(NotImplementedError):

2100

context.set_alpn_protos(None)

2101

with pytest.raises(NotImplementedError):

2102

context.set_alpn_select_callback(None)

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2103

2104

# Now test a connection.

2105

conn = Connection(context)

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2106

with pytest.raises(NotImplementedError):

2107

conn.set_alpn_protos(None)

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2108

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2109

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2110

class TestSession(object):

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

2111

"""

2112

Unit tests for :py:obj:`OpenSSL.SSL.Session`.

2113

"""

2114

def test_construction(self):

2115

"""

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2116

:py:class:`Session` can be constructed with no arguments, creating

2117

a new instance of that type.

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

2118

"""

2119

new_session = Session()

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2120

assert isinstance(new_session, Session)

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

2121

2122

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2123

class TestConnection(object):

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2124

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2125

Unit tests for `OpenSSL.SSL.Connection`.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2126

"""

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

2127

# XXX get_peer_certificate -> None

2128

# XXX sock_shutdown

2129

# XXX master_key -> TypeError

2130

# XXX server_random -> TypeError

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

2131

# XXX connect -> TypeError

2132

# XXX connect_ex -> TypeError

2133

# XXX set_connect_state -> TypeError

2134

# XXX set_accept_state -> TypeError

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

2135

# XXX do_handshake -> TypeError

2136

# XXX bio_read -> TypeError

2137

# XXX recv -> TypeError

2138

# XXX send -> TypeError

2139

# XXX bio_write -> TypeError

2140

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2141

def test_type(self):

2142

"""

Alex Gaynor

01f90a1

2019-02-07 09:14:48 -0500

[diff] [blame]

2143

`Connection` can be used to create instances of that type.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2144

"""

2145

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2146

assert is_consistent_type(Connection, 'Connection', ctx, None)

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2147

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2148

@pytest.mark.parametrize('bad_context', [object(), 'context', None, 1])

2149

def test_wrong_args(self, bad_context):

2150

"""

2151

`Connection.__init__` raises `TypeError` if called with a non-`Context`

2152

instance argument.

2153

"""

2154

with pytest.raises(TypeError):

2155

Connection(bad_context)

2156

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

2157

def test_get_context(self):

2158

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2159

`Connection.get_context` returns the `Context` instance used to

2160

construct the `Connection` instance.

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

2161

"""

2162

context = Context(TLSv1_METHOD)

2163

connection = Connection(context, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2164

assert connection.get_context() is context

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

2165

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2166

def test_set_context_wrong_args(self):

2167

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2168

`Connection.set_context` raises `TypeError` if called with a

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2169

non-`Context` instance argument.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2170

"""

2171

ctx = Context(TLSv1_METHOD)

2172

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2173

with pytest.raises(TypeError):

2174

connection.set_context(object())

2175

with pytest.raises(TypeError):

2176

connection.set_context("hello")

2177

with pytest.raises(TypeError):

2178

connection.set_context(1)

2179

assert ctx is connection.get_context()

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2180

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2181

def test_set_context(self):

2182

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2183

`Connection.set_context` specifies a new `Context` instance to be

2184

used for the connection.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2185

"""

2186

original = Context(SSLv23_METHOD)

2187

replacement = Context(TLSv1_METHOD)

2188

connection = Connection(original, None)

2189

connection.set_context(replacement)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2190

assert replacement is connection.get_context()

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2191

# Lose our references to the contexts, just in case the Connection

2192

# isn't properly managing its own contributions to their reference

2193

# counts.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2194

del original, replacement

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2195

collect()

2196

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2197

def test_set_tlsext_host_name_wrong_args(self):

2198

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2199

If `Connection.set_tlsext_host_name` is called with a non-byte string

2200

argument or a byte string with an embedded NUL, `TypeError` is raised.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2201

"""

2202

conn = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2203

with pytest.raises(TypeError):

2204

conn.set_tlsext_host_name(object())

2205

with pytest.raises(TypeError):

2206

conn.set_tlsext_host_name(b"with\0null")

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2207

Abraham Martin

c5484ba

2015-03-25 15:33:05 +0000

[diff] [blame]

2208

if PY3:

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2209

# On Python 3.x, don't accidentally implicitly convert from text.

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2210

with pytest.raises(TypeError):

2211

conn.set_tlsext_host_name(b"example.com".decode("ascii"))

Jean-Paul Calderone

871a4d8

2011-05-26 19:24:02 -0400

[diff] [blame]

2212

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2213

def test_pending(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2214

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2215

`Connection.pending` returns the number of bytes available for

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2216

immediate read.

2217

"""

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2218

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2219

assert connection.pending() == 0

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2220

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2221

def test_peek(self):

2222

"""

Hynek Schlawack

3bcf315

2017-02-18 08:25:34 +0100

[diff] [blame]

2223

`Connection.recv` peeks into the connection if `socket.MSG_PEEK` is

2224

passed.

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2225

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2226

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2227

server.send(b'xy')

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2228

assert client.recv(2, MSG_PEEK) == b'xy'

2229

assert client.recv(2, MSG_PEEK) == b'xy'

2230

assert client.recv(2) == b'xy'

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2231

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2232

def test_connect_wrong_args(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2233

"""

Hynek Schlawack

3bcf315

2017-02-18 08:25:34 +0100

[diff] [blame]

2234

`Connection.connect` raises `TypeError` if called with a non-address

2235

argument.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2236

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2237

connection = Connection(Context(TLSv1_METHOD), socket())

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2238

with pytest.raises(TypeError):

2239

connection.connect(None)

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2240

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2241

def test_connect_refused(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2242

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2243

`Connection.connect` raises `socket.error` if the underlying socket

2244

connect method raises it.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2245

"""

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2246

client = socket()

2247

context = Context(TLSv1_METHOD)

2248

clientSSL = Connection(context, client)

Alex Gaynor

122717b

2015-09-05 14:14:18 -0400

[diff] [blame]

2249

# pytest.raises here doesn't work because of a bug in py.test on Python

2250

# 2.6: https://github.com/pytest-dev/pytest/issues/988

Alex Gaynor

e69c278

2015-09-05 14:07:48 -0400

[diff] [blame]

2251

try:

Alex Gaynor

1aabb2e

2015-09-05 13:35:18 -0400

[diff] [blame]

2252

clientSSL.connect(("127.0.0.1", 1))

Alex Gaynor

e69c278

2015-09-05 14:07:48 -0400

[diff] [blame]

2253

except error as e:

Alex Gaynor

20a4c08

2015-09-05 14:24:15 -0400

[diff] [blame]

2254

exc = e

2255

assert exc.args[0] == ECONNREFUSED

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2256

2257

def test_connect(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2258

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2259

`Connection.connect` establishes a connection to the specified address.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2260

"""

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

port = socket()

port.bind(('', 0))

port.listen(3)

clientSSL = Connection(Context(TLSv1_METHOD), socket())

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2266

clientSSL.connect(('127.0.0.1', port.getsockname()[1]))

2267

# XXX An assertion? Or something?

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2268

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2269

@pytest.mark.skipif(

2270

platform == "darwin",

2271

reason="connect_ex sometimes causes a kernel panic on OS X 10.6.4"

2272

)

2273

def test_connect_ex(self):

2274

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2275

If there is a connection error, `Connection.connect_ex` returns the

2276

errno instead of raising an exception.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

"""

port = socket()

port.bind(('', 0))

port.listen(3)

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2281

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2282

clientSSL = Connection(Context(TLSv1_METHOD), socket())

2283

clientSSL.setblocking(False)

2284

result = clientSSL.connect_ex(port.getsockname())

2285

expected = (EINPROGRESS, EWOULDBLOCK)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2286

assert result in expected

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2287

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2288

def test_accept(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2289

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2290

`Connection.accept` accepts a pending connection attempt and returns a

2291

tuple of a new `Connection` (the accepted client) and the address the

2292

connection originated from.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2293

"""

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2294

ctx = Context(TLSv1_METHOD)

2295

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

2296

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2297

port = socket()

2298

portSSL = Connection(ctx, port)

2299

portSSL.bind(('', 0))

2300

portSSL.listen(3)

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2301

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2302

clientSSL = Connection(Context(TLSv1_METHOD), socket())

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2303

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2304

# Calling portSSL.getsockname() here to get the server IP address

2305

# sounds great, but frequently fails on Windows.

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2306

clientSSL.connect(('127.0.0.1', portSSL.getsockname()[1]))

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2307

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2308

serverSSL, address = portSSL.accept()

2309

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2310

assert isinstance(serverSSL, Connection)

2311

assert serverSSL.get_context() is ctx

2312

assert address == clientSSL.getsockname()

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2313

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2314

def test_shutdown_wrong_args(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2315

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2316

`Connection.set_shutdown` raises `TypeError` if called with arguments

2317

other than integers.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2318

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2319

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2320

with pytest.raises(TypeError):

2321

connection.set_shutdown(None)

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2322

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

2323

def test_shutdown(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2324

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2325

`Connection.shutdown` performs an SSL-level connection shutdown.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2326

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2327

server, client = loopback()

2328

assert not server.shutdown()

2329

assert server.get_shutdown() == SENT_SHUTDOWN

2330

with pytest.raises(ZeroReturnError):

2331

client.recv(1024)

2332

assert client.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

e4f6b47

2010-07-29 22:50:58 -0400

[diff] [blame]

2333

client.shutdown()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2334

assert client.get_shutdown() == (SENT_SHUTDOWN | RECEIVED_SHUTDOWN)

2335

with pytest.raises(ZeroReturnError):

2336

server.recv(1024)

2337

assert server.get_shutdown() == (SENT_SHUTDOWN | RECEIVED_SHUTDOWN)

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

2338

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2339

def test_shutdown_closed(self):

2340

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2341

If the underlying socket is closed, `Connection.shutdown` propagates

2342

the write error from the low level write call.

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2343

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2344

server, client = loopback()

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2345

server.sock_shutdown(2)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2346

with pytest.raises(SysCallError) as exc:

2347

server.shutdown()

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2348

if platform == "win32":

2349

assert exc.value.args[0] == ESHUTDOWN

2350

else:

2351

assert exc.value.args[0] == EPIPE

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2352

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2353

def test_shutdown_truncated(self):

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2354

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2355

If the underlying connection is truncated, `Connection.shutdown`

2356

raises an `Error`.

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2357

"""

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2358

server_ctx = Context(TLSv1_METHOD)

2359

client_ctx = Context(TLSv1_METHOD)

2360

server_ctx.use_privatekey(

2361

load_privatekey(FILETYPE_PEM, server_key_pem))

2362

server_ctx.use_certificate(

2363

load_certificate(FILETYPE_PEM, server_cert_pem))

2364

server = Connection(server_ctx, None)

2365

client = Connection(client_ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2366

handshake_in_memory(client, server)

2367

assert not server.shutdown()

2368

with pytest.raises(WantReadError):

2369

server.shutdown()

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2370

server.bio_shutdown()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2371

with pytest.raises(Error):

2372

server.shutdown()

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2373

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2374

def test_set_shutdown(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2375

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2376

`Connection.set_shutdown` sets the state of the SSL connection

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2377

shutdown process.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2378

"""

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2379

connection = Connection(Context(TLSv1_METHOD), socket())

2380

connection.set_shutdown(RECEIVED_SHUTDOWN)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2381

assert connection.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2382

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2383

@skip_if_py3

2384

def test_set_shutdown_long(self):

2385

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2386

On Python 2 `Connection.set_shutdown` accepts an argument

2387

of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2388

"""

2389

connection = Connection(Context(TLSv1_METHOD), socket())

2390

connection.set_shutdown(long(RECEIVED_SHUTDOWN))

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2391

assert connection.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

2392

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2393

def test_state_string(self):

2394

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2395

`Connection.state_string` verbosely describes the current state of

2396

the `Connection`.

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2397

"""

Hynek Schlawack

b0274ce

2015-10-16 19:56:26 +0200

[diff] [blame]

2398

server, client = socket_pair()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2399

server = loopback_server_factory(server)

2400

client = loopback_client_factory(client)

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2401

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2402

assert server.get_state_string() in [

2403

b"before/accept initialization", b"before SSL initialization"

2404

]

2405

assert client.get_state_string() in [

2406

b"before/connect initialization", b"before SSL initialization"

2407

]

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2408

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2409

def test_app_data(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2410

"""

2411

Any object can be set as app data by passing it to

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2412

`Connection.set_app_data` and later retrieved with

2413

`Connection.get_app_data`.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2414

"""

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2415

conn = Connection(Context(TLSv1_METHOD), None)

Todd Chapman

4f73e4f

2015-08-27 11:26:43 -0400

[diff] [blame]

2416

assert None is conn.get_app_data()

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2417

app_data = object()

2418

conn.set_app_data(app_data)

Todd Chapman

4f73e4f

2015-08-27 11:26:43 -0400

[diff] [blame]

2419

assert conn.get_app_data() is app_data

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2420

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2421

def test_makefile(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2422

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2423

`Connection.makefile` is not implemented and calling that

2424

method raises `NotImplementedError`.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2425

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2426

conn = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2427

with pytest.raises(NotImplementedError):

2428

conn.makefile()

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2429

Jeremy Lainé

460a19d

2018-05-16 19:44:19 +0200

[diff] [blame]

2430

def test_get_certificate(self):

2431

"""

2432

`Connection.get_certificate` returns the local certificate.

2433

"""

2434

chain = _create_certificate_chain()

2435

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

2436

2437

context = Context(TLSv1_METHOD)

2438

context.use_certificate(scert)

2439

client = Connection(context, None)

2440

cert = client.get_certificate()

2441

assert cert is not None

2442

assert "Server Certificate" == cert.get_subject().CN

2443

2444

def test_get_certificate_none(self):

2445

"""

2446

`Connection.get_certificate` returns the local certificate.

2447

2448

If there is no certificate, it returns None.

2449

"""

2450

context = Context(TLSv1_METHOD)

2451

client = Connection(context, None)

2452

cert = client.get_certificate()

2453

assert cert is None

2454

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2455

def test_get_peer_cert_chain(self):

2456

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2457

`Connection.get_peer_cert_chain` returns a list of certificates

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2458

which the connected server returned for the certification verification.

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2459

"""

2460

chain = _create_certificate_chain()

2461

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

2462

2463

serverContext = Context(TLSv1_METHOD)

2464

serverContext.use_privatekey(skey)

2465

serverContext.use_certificate(scert)

2466

serverContext.add_extra_chain_cert(icert)

2467

serverContext.add_extra_chain_cert(cacert)

2468

server = Connection(serverContext, None)

2469

server.set_accept_state()

2470

2471

# Create the client

2472

clientContext = Context(TLSv1_METHOD)

2473

clientContext.set_verify(VERIFY_NONE, verify_cb)

2474

client = Connection(clientContext, None)

2475

client.set_connect_state()

2476

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2477

interact_in_memory(client, server)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2478

2479

chain = client.get_peer_cert_chain()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2480

assert len(chain) == 3

2481

assert "Server Certificate" == chain[0].get_subject().CN

2482

assert "Intermediate Certificate" == chain[1].get_subject().CN

2483

assert "Authority Certificate" == chain[2].get_subject().CN

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2484

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2485

def test_get_peer_cert_chain_none(self):

2486

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2487

`Connection.get_peer_cert_chain` returns `None` if the peer sends

2488

no certificate chain.

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2489

"""

2490

ctx = Context(TLSv1_METHOD)

2491

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

2492

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

2493

server = Connection(ctx, None)

2494

server.set_accept_state()

2495

client = Connection(Context(TLSv1_METHOD), None)

2496

client.set_connect_state()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2497

interact_in_memory(client, server)

2498

assert None is server.get_peer_cert_chain()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2499

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2500

def test_get_session_unconnected(self):

2501

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2502

`Connection.get_session` returns `None` when used with an object

2503

which has not been connected.

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2504

"""

2505

ctx = Context(TLSv1_METHOD)

2506

server = Connection(ctx, None)

2507

session = server.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2508

assert None is session

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2509

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2510

def test_server_get_session(self):

2511

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2512

On the server side of a connection, `Connection.get_session` returns a

2513

`Session` instance representing the SSL session for that connection.

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2514

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2515

server, client = loopback()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2516

session = server.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2517

assert isinstance(session, Session)

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2518

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2519

def test_client_get_session(self):

2520

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2521

On the client side of a connection, `Connection.get_session`

2522

returns a `Session` instance representing the SSL session for

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2523

that connection.

2524

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2525

server, client = loopback()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2526

session = client.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2527

assert isinstance(session, Session)

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2528

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2529

def test_set_session_wrong_args(self):

2530

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2531

`Connection.set_session` raises `TypeError` if called with an object

2532

that is not an instance of `Session`.

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2533

"""

2534

ctx = Context(TLSv1_METHOD)

2535

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2536

with pytest.raises(TypeError):

2537

connection.set_session(123)

2538

with pytest.raises(TypeError):

2539

connection.set_session("hello")

2540

with pytest.raises(TypeError):

2541

connection.set_session(object())

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2542

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2543

def test_client_set_session(self):

2544

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2545

`Connection.set_session`, when used prior to a connection being

2546

established, accepts a `Session` instance and causes an attempt to

2547

re-use the session it represents when the SSL handshake is performed.

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2548

"""

2549

key = load_privatekey(FILETYPE_PEM, server_key_pem)

2550

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

Paul Kehrer

2019-01-21 12:24:02 -0600

[diff] [blame]

2551

ctx = Context(TLSv1_2_METHOD)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2552

ctx.use_privatekey(key)

2553

ctx.use_certificate(cert)

2554

ctx.set_session_id("unity-test")

2555

2556

def makeServer(socket):

2557

server = Connection(ctx, socket)

2558

server.set_accept_state()

2559

return server

2560

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2561

originalServer, originalClient = loopback(

2562

server_factory=makeServer)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2563

originalSession = originalClient.get_session()

2564

2565

def makeClient(socket):

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2566

client = loopback_client_factory(socket)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2567

client.set_session(originalSession)

2568

return client

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2569

resumedServer, resumedClient = loopback(

2570

server_factory=makeServer,

2571

client_factory=makeClient)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2572

2573

# This is a proxy: in general, we have no access to any unique

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2574

# identifier for the session (new enough versions of OpenSSL expose

2575

# a hash which could be usable, but "new enough" is very, very new).

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2576

# Instead, exploit the fact that the master key is re-used if the

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2577

# session is re-used. As long as the master key for the two

2578

# connections is the same, the session was re-used!

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2579

assert originalServer.master_key() == resumedServer.master_key()

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2580

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2581

def test_set_session_wrong_method(self):

2582

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2583

If `Connection.set_session` is passed a `Session` instance associated

2584

with a context using a different SSL method than the `Connection`

2585

is using, a `OpenSSL.SSL.Error` is raised.

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2586

"""

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2587

# Make this work on both OpenSSL 1.0.0, which doesn't support TLSv1.2

2588

# and also on OpenSSL 1.1.0 which doesn't support SSLv3. (SSL_ST_INIT

2589

# is a way to check for 1.1.0)

Alex Gaynor

aa32e71

2017-06-29 20:56:12 -0700

[diff] [blame]

2590

if SSL_ST_INIT is None:

2591

v1 = TLSv1_2_METHOD

2592

v2 = TLSv1_METHOD

2593

elif hasattr(_lib, "SSLv3_method"):

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2594

v1 = TLSv1_METHOD

2595

v2 = SSLv3_METHOD

2596

else:

Alex Gaynor

aa32e71

2017-06-29 20:56:12 -0700

[diff] [blame]

2597

pytest.skip("Test requires either OpenSSL 1.1.0 or SSLv3")

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2598

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2599

key = load_privatekey(FILETYPE_PEM, server_key_pem)

2600

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2601

ctx = Context(v1)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2602

ctx.use_privatekey(key)

2603

ctx.use_certificate(cert)

2604

ctx.set_session_id("unity-test")

2605

2606

def makeServer(socket):

2607

server = Connection(ctx, socket)

2608

server.set_accept_state()

2609

return server

2610

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2611

def makeOriginalClient(socket):

2612

client = Connection(Context(v1), socket)

2613

client.set_connect_state()

2614

return client

2615

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2616

originalServer, originalClient = loopback(

2617

server_factory=makeServer, client_factory=makeOriginalClient)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2618

originalSession = originalClient.get_session()

2619

2620

def makeClient(socket):

2621

# Intentionally use a different, incompatible method here.

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2622

client = Connection(Context(v2), socket)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2623

client.set_connect_state()

2624

client.set_session(originalSession)

2625

return client

2626

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2627

with pytest.raises(Error):

2628

loopback(client_factory=makeClient, server_factory=makeServer)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2629

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2630

def test_wantWriteError(self):

2631

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2632

`Connection` methods which generate output raise

2633

`OpenSSL.SSL.WantWriteError` if writing to the connection's BIO

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2634

fail indicating a should-write state.

2635

"""

2636

client_socket, server_socket = socket_pair()

2637

# Fill up the client's send buffer so Connection won't be able to write

Jean-Paul Calderone

bbff8b9

2014-03-22 14:20:30 -0400

[diff] [blame]

2638

# anything. Only write a single byte at a time so we can be sure we

2639

# completely fill the buffer. Even though the socket API is allowed to

2640

# signal a short write via its return value it seems this doesn't

2641

# always happen on all platforms (FreeBSD and OS X particular) for the

2642

# very last bit of available buffer space.

2643

msg = b"x"

catern

b2777a4

2018-08-09 15:38:13 -0400

[diff] [blame]

2644

for i in range(1024 * 1024 * 64):

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2645

try:

2646

client_socket.send(msg)

2647

except error as e:

2648

if e.errno == EWOULDBLOCK:

2649

break

2650

raise

2651

else:

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2652

pytest.fail(

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2653

"Failed to fill socket buffer, cannot test BIO want write")

2654

2655

ctx = Context(TLSv1_METHOD)

2656

conn = Connection(ctx, client_socket)

2657

# Client's speak first, so make it an SSL client

2658

conn.set_connect_state()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2659

with pytest.raises(WantWriteError):

2660

conn.do_handshake()

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

# XXX want_read

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2664

def test_get_finished_before_connect(self):

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2665

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2666

`Connection.get_finished` returns `None` before TLS handshake

2667

is completed.

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2668

"""

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2669

ctx = Context(TLSv1_METHOD)

2670

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2671

assert connection.get_finished() is None

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2672

2673

def test_get_peer_finished_before_connect(self):

2674

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2675

`Connection.get_peer_finished` returns `None` before TLS handshake

2676

is completed.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2677

"""

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2678

ctx = Context(TLSv1_METHOD)

2679

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2680

assert connection.get_peer_finished() is None

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2681

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2682

def test_get_finished(self):

2683

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2684

`Connection.get_finished` method returns the TLS Finished message send

2685

from client, or server. Finished messages are send during

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2686

TLS handshake.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2687

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2688

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2689

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2690

assert server.get_finished() is not None

2691

assert len(server.get_finished()) > 0

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2692

2693

def test_get_peer_finished(self):

2694

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2695

`Connection.get_peer_finished` method returns the TLS Finished

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2696

message received from client, or server. Finished messages are send

2697

during TLS handshake.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2698

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2699

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2700

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2701

assert server.get_peer_finished() is not None

2702

assert len(server.get_peer_finished()) > 0

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2703

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2704

def test_tls_finished_message_symmetry(self):

2705

"""

Hynek Schlawack

dddd111

2015-09-05 21:12:30 +0200

[diff] [blame]

2706

The TLS Finished message send by server must be the TLS Finished

2707

message received by client.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2708

Hynek Schlawack

dddd111

2015-09-05 21:12:30 +0200

[diff] [blame]

2709

The TLS Finished message send by client must be the TLS Finished

2710

message received by server.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2711

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2712

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2713

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2714

assert server.get_finished() == client.get_peer_finished()

2715

assert client.get_finished() == server.get_peer_finished()

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

2716

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2717

def test_get_cipher_name_before_connect(self):

2718

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2719

`Connection.get_cipher_name` returns `None` if no connection

2720

has been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2721

"""

2722

ctx = Context(TLSv1_METHOD)

2723

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2724

assert conn.get_cipher_name() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2725

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2726

def test_get_cipher_name(self):

2727

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2728

`Connection.get_cipher_name` returns a `unicode` string giving the

2729

name of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2730

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2731

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2732

server_cipher_name, client_cipher_name = \

2733

server.get_cipher_name(), client.get_cipher_name()

2734

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2735

assert isinstance(server_cipher_name, text_type)

2736

assert isinstance(client_cipher_name, text_type)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2737

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2738

assert server_cipher_name == client_cipher_name

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2739

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2740

def test_get_cipher_version_before_connect(self):

2741

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2742

`Connection.get_cipher_version` returns `None` if no connection

2743

has been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2744

"""

2745

ctx = Context(TLSv1_METHOD)

2746

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2747

assert conn.get_cipher_version() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2748

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2749

def test_get_cipher_version(self):

2750

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2751

`Connection.get_cipher_version` returns a `unicode` string giving

2752

the protocol name of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2753

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2754

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2755

server_cipher_version, client_cipher_version = \

2756

server.get_cipher_version(), client.get_cipher_version()

2757

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2758

assert isinstance(server_cipher_version, text_type)

2759

assert isinstance(client_cipher_version, text_type)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2760

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2761

assert server_cipher_version == client_cipher_version

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2762

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2763

def test_get_cipher_bits_before_connect(self):

2764

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2765

`Connection.get_cipher_bits` returns `None` if no connection has

2766

been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2767

"""

2768

ctx = Context(TLSv1_METHOD)

2769

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2770

assert conn.get_cipher_bits() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2771

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2772

def test_get_cipher_bits(self):

2773

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2774

`Connection.get_cipher_bits` returns the number of secret bits

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2775

of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2776

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2777

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2778

server_cipher_bits, client_cipher_bits = \

2779

server.get_cipher_bits(), client.get_cipher_bits()

2780

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2781

assert isinstance(server_cipher_bits, int)

2782

assert isinstance(client_cipher_bits, int)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2783

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2784

assert server_cipher_bits == client_cipher_bits

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

2785

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2786

def test_get_protocol_version_name(self):

2787

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2788

`Connection.get_protocol_version_name()` returns a string giving the

2789

protocol version of the current connection.

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2790

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2791

server, client = loopback()

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2792

client_protocol_version_name = client.get_protocol_version_name()

2793

server_protocol_version_name = server.get_protocol_version_name()

2794

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2795

assert isinstance(server_protocol_version_name, text_type)

2796

assert isinstance(client_protocol_version_name, text_type)

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2797

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2798

assert server_protocol_version_name == client_protocol_version_name

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2799

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2800

def test_get_protocol_version(self):

2801

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2802

`Connection.get_protocol_version()` returns an integer

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2803

giving the protocol version of the current connection.

2804

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2805

server, client = loopback()

Jim Shaver

85a4dff

2015-04-27 17:42:46 -0400

[diff] [blame]

2806

client_protocol_version = client.get_protocol_version()

2807

server_protocol_version = server.get_protocol_version()

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2808

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2809

assert isinstance(server_protocol_version, int)

2810

assert isinstance(client_protocol_version, int)

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2811

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2812

assert server_protocol_version == client_protocol_version

2813

2814

def test_wantReadError(self):

2815

"""

2816

`Connection.bio_read` raises `OpenSSL.SSL.WantReadError` if there are

2817

no bytes available to be read from the BIO.

2818

"""

2819

ctx = Context(TLSv1_METHOD)

2820

conn = Connection(ctx, None)

2821

with pytest.raises(WantReadError):

2822

conn.bio_read(1024)

2823

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2824

@pytest.mark.parametrize('bufsize', [1.0, None, object(), 'bufsize'])

2825

def test_bio_read_wrong_args(self, bufsize):

2826

"""

2827

`Connection.bio_read` raises `TypeError` if passed a non-integer

2828

argument.

2829

"""

2830

ctx = Context(TLSv1_METHOD)

2831

conn = Connection(ctx, None)

2832

with pytest.raises(TypeError):

2833

conn.bio_read(bufsize)

2834

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2835

def test_buffer_size(self):

2836

"""

2837

`Connection.bio_read` accepts an integer giving the maximum number

2838

of bytes to read and return.

2839

"""

2840

ctx = Context(TLSv1_METHOD)

2841

conn = Connection(ctx, None)

2842

conn.set_connect_state()

2843

try:

2844

conn.do_handshake()

2845

except WantReadError:

2846

pass

2847

data = conn.bio_read(2)

2848

assert 2 == len(data)

2849

2850

@skip_if_py3

2851

def test_buffer_size_long(self):

2852

"""

2853

On Python 2 `Connection.bio_read` accepts values of type `long` as

2854

well as `int`.

2855

"""

2856

ctx = Context(TLSv1_METHOD)

2857

conn = Connection(ctx, None)

2858

conn.set_connect_state()

2859

try:

2860

conn.do_handshake()

2861

except WantReadError:

2862

pass

2863

data = conn.bio_read(long(2))

2864

assert 2 == len(data)

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2865

Jean-Paul Calderone

dbd7627

2014-03-29 18:09:40 -0400

[diff] [blame]

2866

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2867

class TestConnectionGetCipherList(object):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2868

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2869

Tests for `Connection.get_cipher_list`.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2870

"""

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2871

def test_result(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2872

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2873

`Connection.get_cipher_list` returns a list of `bytes` giving the

2874

names of the ciphers which might be used.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2875

"""

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2876

connection = Connection(Context(TLSv1_METHOD), None)

2877

ciphers = connection.get_cipher_list()

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2878

assert isinstance(ciphers, list)

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2879

for cipher in ciphers:

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2880

assert isinstance(cipher, str)

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2881

2882

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

2883

class VeryLarge(bytes):

2884

"""

2885

Mock object so that we don't have to allocate 2**31 bytes

"""

def __len__(self):

return 2**31

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2891

class TestConnectionSend(object):

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2892

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2893

Tests for `Connection.send`.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2894

"""

2895

def test_wrong_args(self):

2896

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

2897

When called with arguments other than string argument for its first

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2898

parameter, `Connection.send` raises `TypeError`.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2899

"""

2900

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2901

with pytest.raises(TypeError):

2902

connection.send(object())

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2903

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2904

def test_short_bytes(self):

2905

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2906

When passed a short byte string, `Connection.send` transmits all of it

2907

and returns the number of bytes sent.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2908

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2909

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2910

count = server.send(b'xy')

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2911

assert count == 2

2912

assert client.recv(2) == b'xy'

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2913

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2914

def test_text(self):

2915

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2916

When passed a text, `Connection.send` transmits all of it and

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

2917

returns the number of bytes sent. It also raises a DeprecationWarning.

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2918

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2919

server, client = loopback()

2920

with pytest.warns(DeprecationWarning) as w:

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2921

simplefilter("always")

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

2922

count = server.send(b"xy".decode("ascii"))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2923

assert (

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

2924

"{0} for buf is no longer accepted, use bytes".format(

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

2925

WARNING_TYPE_EXPECTED

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2926

) == str(w[-1].message))

2927

assert count == 2

2928

assert client.recv(2) == b'xy'

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2929

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2930

def test_short_memoryview(self):

2931

"""

2932

When passed a memoryview onto a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2933

`Connection.send` transmits all of them and returns the number

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2934

of bytes sent.

2935

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2936

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2937

count = server.send(memoryview(b'xy'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2938

assert count == 2

2939

assert client.recv(2) == b'xy'

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2940

Hynek Schlawack

8e94f1b

2015-09-05 21:31:00 +0200

[diff] [blame]

2941

@skip_if_py3

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2942

def test_short_buffer(self):

2943

"""

2944

When passed a buffer containing a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2945

`Connection.send` transmits all of them and returns the number

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2946

of bytes sent.

2947

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2948

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2949

count = server.send(buffer(b'xy'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2950

assert count == 2

2951

assert client.recv(2) == b'xy'

Markus Unterwaditzer

8e41d02

2014-04-19 12:27:11 +0200

[diff] [blame]

2952

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

2953

@pytest.mark.skipif(

2954

sys.maxsize < 2**31,

2955

reason="sys.maxsize < 2**31 - test requires 64 bit"

2956

)

2957

def test_buf_too_large(self):

2958

"""

2959

When passed a buffer containing >= 2**31 bytes,

2960

`Connection.send` bails out as SSL_write only

2961

accepts an int for the buffer length.

2962

"""

2963

connection = Connection(Context(TLSv1_METHOD), None)

2964

with pytest.raises(ValueError) as exc_info:

2965

connection.send(VeryLarge())

2966

exc_info.match(r"Cannot send more than .+ bytes at once")

2967

Jean-Paul Calderone

691e6c9

2011-01-21 22:04:35 -0500

[diff] [blame]

2968

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2969

def _make_memoryview(size):

2970

"""

2971

Create a new ``memoryview`` wrapped around a ``bytearray`` of the given

2972

size.

2973

"""

2974

return memoryview(bytearray(size))

2975

2976

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2977

class TestConnectionRecvInto(object):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2978

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2979

Tests for `Connection.recv_into`.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2980

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2981

def _no_length_test(self, factory):

Jean-Paul Calderone

61559d8

2015-03-15 17:04:50 -0400

[diff] [blame]

2982

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2983

Assert that when the given buffer is passed to `Connection.recv_into`,

2984

whatever bytes are available to be received that fit into that buffer

2985

are written into that buffer.

Jean-Paul Calderone

61559d8

2015-03-15 17:04:50 -0400

[diff] [blame]

2986

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2987

output_buffer = factory(5)

2988

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2989

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2990

server.send(b'xy')

Jean-Paul Calderone

332a85e

2015-03-15 17:02:40 -0400

[diff] [blame]

2991

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2992

assert client.recv_into(output_buffer) == 2

2993

assert output_buffer == bytearray(b'xy\x00\x00\x00')

Jean-Paul Calderone

332a85e

2015-03-15 17:02:40 -0400

[diff] [blame]

2994

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2995

def test_bytearray_no_length(self):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2996

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2997

`Connection.recv_into` can be passed a `bytearray` instance and data

2998

in the receive buffer is written to it.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2999

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

3000

self._no_length_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3001

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

3002

def _respects_length_test(self, factory):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3003

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3004

Assert that when the given buffer is passed to `Connection.recv_into`

3005

along with a value for `nbytes` that is less than the size of that

3006

buffer, only `nbytes` bytes are written into the buffer.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3007

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

3008

output_buffer = factory(10)

3009

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3010

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3011

server.send(b'abcdefghij')

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3012

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3013

assert client.recv_into(output_buffer, 5) == 5

3014

assert output_buffer == bytearray(b'abcde\x00\x00\x00\x00\x00')

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

3015

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

3016

def test_bytearray_respects_length(self):

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

3017

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3018

When called with a `bytearray` instance, `Connection.recv_into`

3019

respects the `nbytes` parameter and doesn't copy in more than that

3020

number of bytes.

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

3021

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

3022

self._respects_length_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3023

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

3024

def _doesnt_overfill_test(self, factory):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3025

"""

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

3026

Assert that if there are more bytes available to be read from the

3027

receive buffer than would fit into the buffer passed to

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3028

`Connection.recv_into`, only as many as fit are written into it.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3029

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

3030

output_buffer = factory(5)

3031

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3032

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3033

server.send(b'abcdefghij')

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3034

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3035

assert client.recv_into(output_buffer) == 5

3036

assert output_buffer == bytearray(b'abcde')

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

3037

rest = client.recv(5)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3038

assert b'fghij' == rest

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

3039

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

3040

def test_bytearray_doesnt_overfill(self):

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

3041

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3042

When called with a `bytearray` instance, `Connection.recv_into`

3043

respects the size of the array and doesn't write more bytes into it

3044

than will fit.

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

3045

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

3046

self._doesnt_overfill_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3047

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

3048

def test_bytearray_really_doesnt_overfill(self):

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

3049

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3050

When called with a `bytearray` instance and an `nbytes` value that is

3051

too large, `Connection.recv_into` respects the size of the array and

3052

not the `nbytes` value and doesn't write more bytes into the buffer

3053

than will fit.

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

3054

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

3055

self._doesnt_overfill_test(bytearray)

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

3056

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

3057

def test_peek(self):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3058

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3059

server.send(b'xy')

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

3060

3061

for _ in range(2):

3062

output_buffer = bytearray(5)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3063

assert client.recv_into(output_buffer, flags=MSG_PEEK) == 2

3064

assert output_buffer == bytearray(b'xy\x00\x00\x00')

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

3065

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3066

def test_memoryview_no_length(self):

3067

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3068

`Connection.recv_into` can be passed a `memoryview` instance and data

3069

in the receive buffer is written to it.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3070

"""

3071

self._no_length_test(_make_memoryview)

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

3072

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3073

def test_memoryview_respects_length(self):

3074

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3075

When called with a `memoryview` instance, `Connection.recv_into`

3076

respects the ``nbytes`` parameter and doesn't copy more than that

3077

number of bytes in.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3078

"""

3079

self._respects_length_test(_make_memoryview)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3080

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3081

def test_memoryview_doesnt_overfill(self):

3082

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3083

When called with a `memoryview` instance, `Connection.recv_into`

3084

respects the size of the array and doesn't write more bytes into it

3085

than will fit.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3086

"""

3087

self._doesnt_overfill_test(_make_memoryview)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3088

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3089

def test_memoryview_really_doesnt_overfill(self):

3090

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3091

When called with a `memoryview` instance and an `nbytes` value that is

3092

too large, `Connection.recv_into` respects the size of the array and

3093

not the `nbytes` value and doesn't write more bytes into the buffer

3094

than will fit.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3095

"""

3096

self._doesnt_overfill_test(_make_memoryview)

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

3097

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3098

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3099

class TestConnectionSendall(object):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3100

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3101

Tests for `Connection.sendall`.

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3102

"""

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3103

def test_wrong_args(self):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3104

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

3105

When called with arguments other than a string argument for its first

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3106

parameter, `Connection.sendall` raises `TypeError`.

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3107

"""

3108

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3109

with pytest.raises(TypeError):

3110

connection.sendall(object())

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3111

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3112

def test_short(self):

3113

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3114

`Connection.sendall` transmits all of the bytes in the string

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3115

passed to it.

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3116

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3117

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3118

server.sendall(b'x')

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3119

assert client.recv(1) == b'x'

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3120

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3121

def test_text(self):

3122

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3123

`Connection.sendall` transmits all the content in the string passed

3124

to it, raising a DeprecationWarning in case of this being a text.

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3125

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3126

server, client = loopback()

3127

with pytest.warns(DeprecationWarning) as w:

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3128

simplefilter("always")

Jean-Paul Calderone

8dc37a1

2015-03-29 08:16:52 -0400

[diff] [blame]

3129

server.sendall(b"x".decode("ascii"))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3130

assert (

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

3131

"{0} for buf is no longer accepted, use bytes".format(

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

3132

WARNING_TYPE_EXPECTED

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3133

) == str(w[-1].message))

3134

assert client.recv(1) == b"x"

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3135

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3136

def test_short_memoryview(self):

3137

"""

3138

When passed a memoryview onto a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3139

`Connection.sendall` transmits all of them.

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3140

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3141

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3142

server.sendall(memoryview(b'x'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3143

assert client.recv(1) == b'x'

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3144

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3145

@skip_if_py3

3146

def test_short_buffers(self):

3147

"""

3148

When passed a buffer containing a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3149

`Connection.sendall` transmits all of them.

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3150

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3151

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3152

server.sendall(buffer(b'x'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3153

assert client.recv(1) == b'x'

Markus Unterwaditzer

8e41d02

2014-04-19 12:27:11 +0200

[diff] [blame]

3154

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3155

def test_long(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3156

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3157

`Connection.sendall` transmits all the bytes in the string passed to it

3158

even if this requires multiple calls of an underlying write function.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3159

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3160

server, client = loopback()

Jean-Paul Calderone

6241c70

2010-09-16 19:59:24 -0400

[diff] [blame]

3161

# Should be enough, underlying SSL_write should only do 16k at a time.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3162

# On Windows, after 32k of bytes the write will block (forever

3163

# - because no one is yet reading).

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3164

message = b'x' * (1024 * 32 - 1) + b'y'

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3165

server.sendall(message)

3166

accum = []

3167

received = 0

3168

while received < len(message):

Jean-Paul Calderone

b1f7f5f

2010-08-22 21:40:52 -0400

[diff] [blame]

3169

data = client.recv(1024)

3170

accum.append(data)

3171

received += len(data)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3172

assert message == b''.join(accum)

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3173

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

3174

def test_closed(self):

3175

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3176

If the underlying socket is closed, `Connection.sendall` propagates the

3177

write error from the low level write call.

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

3178

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3179

server, client = loopback()

Jean-Paul Calderone

05d43e8

2010-09-24 18:01:36 -0400

[diff] [blame]

3180

server.sock_shutdown(2)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3181

with pytest.raises(SysCallError) as err:

3182

server.sendall(b"hello, world")

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

3183

if platform == "win32":

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3184

assert err.value.args[0] == ESHUTDOWN

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

3185

else:

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3186

assert err.value.args[0] == EPIPE

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

3187

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3188

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3189

class TestConnectionRenegotiate(object):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3190

"""

3191

Tests for SSL renegotiation APIs.

3192

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

3193

def test_total_renegotiations(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3194

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3195

`Connection.total_renegotiations` returns `0` before any renegotiations

3196

have happened.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3197

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

3198

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3199

assert connection.total_renegotiations() == 0

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

3200

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3201

def test_renegotiate(self):

3202

"""

3203

Go through a complete renegotiation cycle.

3204

"""

Paul Kehrer

2019-01-21 12:24:02 -0600

[diff] [blame]

3205

server, client = loopback(

3206

lambda s: loopback_server_factory(s, TLSv1_2_METHOD),

3207

lambda s: loopback_client_factory(s, TLSv1_2_METHOD),

3208

)

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3209

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3210

server.send(b"hello world")

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3211

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3212

assert b"hello world" == client.recv(len(b"hello world"))

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3213

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3214

assert 0 == server.total_renegotiations()

3215

assert False is server.renegotiate_pending()

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3216

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3217

assert True is server.renegotiate()

3218

3219

assert True is server.renegotiate_pending()

3220

3221

server.setblocking(False)

3222

client.setblocking(False)

3223

3224

client.do_handshake()

3225

server.do_handshake()

3226

3227

assert 1 == server.total_renegotiations()

3228

while False is server.renegotiate_pending():

3229

pass

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3230

3231

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3232

class TestError(object):

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3233

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3234

Unit tests for `OpenSSL.SSL.Error`.

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3235

"""

3236

def test_type(self):

3237

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3238

`Error` is an exception type.

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3239

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3240

assert issubclass(Error, Exception)

3241

assert Error.__name__ == 'Error'

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

3242

3243

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3244

class TestConstants(object):

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3245

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3246

Tests for the values of constants exposed in `OpenSSL.SSL`.

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3247

3248

These are values defined by OpenSSL intended only to be used as flags to

3249

OpenSSL APIs. The only assertions it seems can be made about them is

3250

their values.

3251

"""

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3252

@pytest.mark.skipif(

3253

OP_NO_QUERY_MTU is None,

3254

reason="OP_NO_QUERY_MTU unavailable - OpenSSL version may be too old"

3255

)

3256

def test_op_no_query_mtu(self):

3257

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3258

The value of `OpenSSL.SSL.OP_NO_QUERY_MTU` is 0x1000, the value

3259

of `SSL_OP_NO_QUERY_MTU` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3260

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3261

assert OP_NO_QUERY_MTU == 0x1000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3262

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3263

@pytest.mark.skipif(

3264

OP_COOKIE_EXCHANGE is None,

3265

reason="OP_COOKIE_EXCHANGE unavailable - "

3266

"OpenSSL version may be too old"

3267

)

3268

def test_op_cookie_exchange(self):

3269

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3270

The value of `OpenSSL.SSL.OP_COOKIE_EXCHANGE` is 0x2000, the

3271

value of `SSL_OP_COOKIE_EXCHANGE` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3272

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3273

assert OP_COOKIE_EXCHANGE == 0x2000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3274

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3275

@pytest.mark.skipif(

3276

OP_NO_TICKET is None,

3277

reason="OP_NO_TICKET unavailable - OpenSSL version may be too old"

3278

)

3279

def test_op_no_ticket(self):

3280

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3281

The value of `OpenSSL.SSL.OP_NO_TICKET` is 0x4000, the value of

3282

`SSL_OP_NO_TICKET` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3283

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3284

assert OP_NO_TICKET == 0x4000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3285

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3286

@pytest.mark.skipif(

3287

OP_NO_COMPRESSION is None,

3288

reason="OP_NO_COMPRESSION unavailable - OpenSSL version may be too old"

3289

)

3290

def test_op_no_compression(self):

3291

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3292

The value of `OpenSSL.SSL.OP_NO_COMPRESSION` is 0x20000, the

3293

value of `SSL_OP_NO_COMPRESSION` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3294

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3295

assert OP_NO_COMPRESSION == 0x20000

Jean-Paul Calderone

c62d4c1

2011-09-08 18:29:32 -0400

[diff] [blame]

3296

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3297

def test_sess_cache_off(self):

3298

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3299

The value of `OpenSSL.SSL.SESS_CACHE_OFF` 0x0, the value of

3300

`SSL_SESS_CACHE_OFF` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3301

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3302

assert 0x0 == SESS_CACHE_OFF

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3303

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3304

def test_sess_cache_client(self):

3305

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3306

The value of `OpenSSL.SSL.SESS_CACHE_CLIENT` 0x1, the value of

3307

`SSL_SESS_CACHE_CLIENT` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3308

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3309

assert 0x1 == SESS_CACHE_CLIENT

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3310

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3311

def test_sess_cache_server(self):

3312

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3313

The value of `OpenSSL.SSL.SESS_CACHE_SERVER` 0x2, the value of

3314

`SSL_SESS_CACHE_SERVER` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3315

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3316

assert 0x2 == SESS_CACHE_SERVER

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3317

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3318

def test_sess_cache_both(self):

3319

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3320

The value of `OpenSSL.SSL.SESS_CACHE_BOTH` 0x3, the value of

3321

`SSL_SESS_CACHE_BOTH` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3322

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3323

assert 0x3 == SESS_CACHE_BOTH

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3324

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3325

def test_sess_cache_no_auto_clear(self):

3326

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3327

The value of `OpenSSL.SSL.SESS_CACHE_NO_AUTO_CLEAR` 0x80, the

3328

value of `SSL_SESS_CACHE_NO_AUTO_CLEAR` defined by

3329

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3330

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3331

assert 0x80 == SESS_CACHE_NO_AUTO_CLEAR

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3332

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3333

def test_sess_cache_no_internal_lookup(self):

3334

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3335

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_LOOKUP` 0x100,

3336

the value of `SSL_SESS_CACHE_NO_INTERNAL_LOOKUP` defined by

3337

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3338

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3339

assert 0x100 == SESS_CACHE_NO_INTERNAL_LOOKUP

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3340

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3341

def test_sess_cache_no_internal_store(self):

3342

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3343

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_STORE` 0x200,

3344

the value of `SSL_SESS_CACHE_NO_INTERNAL_STORE` defined by

3345

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3346

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3347

assert 0x200 == SESS_CACHE_NO_INTERNAL_STORE

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3348

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3349

def test_sess_cache_no_internal(self):

3350

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3351

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL` 0x300, the

3352

value of `SSL_SESS_CACHE_NO_INTERNAL` defined by

3353

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3354

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3355

assert 0x300 == SESS_CACHE_NO_INTERNAL

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3356

3357

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3358

class TestMemoryBIO(object):

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3359

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3360

Tests for `OpenSSL.SSL.Connection` using a memory BIO.

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3361

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3362

def _server(self, sock):

3363

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3364

Create a new server-side SSL `Connection` object wrapped around `sock`.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3365

"""

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3366

# Create the server side Connection. This is mostly setup boilerplate

3367

# - use TLSv1, use a particular certificate, etc.

3368

server_ctx = Context(TLSv1_METHOD)

Alex Gaynor

4330778

2015-09-04 09:05:45 -0400

[diff] [blame]

3369

server_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE)

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3370

server_ctx.set_verify(

3371

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE,

3372

verify_cb

3373

)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3374

server_store = server_ctx.get_cert_store()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3375

server_ctx.use_privatekey(

3376

load_privatekey(FILETYPE_PEM, server_key_pem))

3377

server_ctx.use_certificate(

3378

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3379

server_ctx.check_privatekey()

3380

server_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3381

# Here the Connection is actually created. If None is passed as the

3382

# 2nd parameter, it indicates a memory BIO should be created.

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3383

server_conn = Connection(server_ctx, sock)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3384

server_conn.set_accept_state()

3385

return server_conn

3386

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3387

def _client(self, sock):

3388

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3389

Create a new client-side SSL `Connection` object wrapped around `sock`.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3390

"""

3391

# Now create the client side Connection. Similar boilerplate to the

3392

# above.

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3393

client_ctx = Context(TLSv1_METHOD)

Alex Gaynor

4330778

2015-09-04 09:05:45 -0400

[diff] [blame]

3394

client_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE)

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3395

client_ctx.set_verify(

3396

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE,

3397

verify_cb

3398

)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3399

client_store = client_ctx.get_cert_store()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3400

client_ctx.use_privatekey(

3401

load_privatekey(FILETYPE_PEM, client_key_pem))

3402

client_ctx.use_certificate(

3403

load_certificate(FILETYPE_PEM, client_cert_pem))

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3404

client_ctx.check_privatekey()

3405

client_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3406

client_conn = Connection(client_ctx, sock)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3407

client_conn.set_connect_state()

3408

return client_conn

3409

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3410

def test_memory_connect(self):

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3411

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3412

Two `Connection`s which use memory BIOs can be manually connected by

3413

reading from the output of each and writing those bytes to the input of

3414

the other and in this way establish a connection and exchange

3415

application-level bytes with each other.

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3416

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3417

server_conn = self._server(None)

3418

client_conn = self._client(None)

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3419

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3420

# There should be no key or nonces yet.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3421

assert server_conn.master_key() is None

3422

assert server_conn.client_random() is None

3423

assert server_conn.server_random() is None

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3424

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3425

# First, the handshake needs to happen. We'll deliver bytes back and

3426

# forth between the client and server until neither of them feels like

3427

# speaking any more.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3428

assert interact_in_memory(client_conn, server_conn) is None

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3429

3430

# Now that the handshake is done, there should be a key and nonces.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3431

assert server_conn.master_key() is not None

3432

assert server_conn.client_random() is not None

3433

assert server_conn.server_random() is not None

3434

assert server_conn.client_random() == client_conn.client_random()

3435

assert server_conn.server_random() == client_conn.server_random()

3436

assert server_conn.client_random() != server_conn.server_random()

3437

assert client_conn.client_random() != client_conn.server_random()

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3438

Paul Kehrer

bdb7639

2017-12-01 04:54:32 +0800

[diff] [blame]

3439

# Export key material for other uses.

3440

cekm = client_conn.export_keying_material(b'LABEL', 32)

3441

sekm = server_conn.export_keying_material(b'LABEL', 32)

3442

assert cekm is not None

3443

assert sekm is not None

3444

assert cekm == sekm

3445

assert len(sekm) == 32

3446

3447

# Export key material for other uses with additional context.

3448

cekmc = client_conn.export_keying_material(b'LABEL', 32, b'CONTEXT')

3449

sekmc = server_conn.export_keying_material(b'LABEL', 32, b'CONTEXT')

3450

assert cekmc is not None

3451

assert sekmc is not None

3452

assert cekmc == sekmc

3453

assert cekmc != cekm

3454

assert sekmc != sekm

3455

# Export with alternate label

3456

cekmt = client_conn.export_keying_material(b'test', 32, b'CONTEXT')

3457

sekmt = server_conn.export_keying_material(b'test', 32, b'CONTEXT')

3458

assert cekmc != cekmt

3459

assert sekmc != sekmt

3460

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3461

# Here are the bytes we'll try to send.

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3462

important_message = b'One if by land, two if by sea.'

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3463

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3464

server_conn.write(important_message)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3465

assert (

3466

interact_in_memory(client_conn, server_conn) ==

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3467

(client_conn, important_message))

3468

3469

client_conn.write(important_message[::-1])

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3470

assert (

3471

interact_in_memory(client_conn, server_conn) ==

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3472

(server_conn, important_message[::-1]))

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3473

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3474

def test_socket_connect(self):

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3475

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3476

Just like `test_memory_connect` but with an actual socket.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3477

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3478

This is primarily to rule out the memory BIO code as the source of any

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3479

problems encountered while passing data over a `Connection` (if

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3480

this test fails, there must be a problem outside the memory BIO code,

3481

as no memory BIO is involved here). Even though this isn't a memory

3482

BIO test, it's convenient to have it here.

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3483

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3484

server_conn, client_conn = loopback()

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3485

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3486

important_message = b"Help me Obi Wan Kenobi, you're my only hope."

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3487

client_conn.send(important_message)

3488

msg = server_conn.recv(1024)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3489

assert msg == important_message

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3490

3491

# Again in the other direction, just for fun.

3492

important_message = important_message[::-1]

3493

server_conn.send(important_message)

3494

msg = client_conn.recv(1024)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3495

assert msg == important_message

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3496

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3497

def test_socket_overrides_memory(self):

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3498

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3499

Test that `OpenSSL.SSL.bio_read` and `OpenSSL.SSL.bio_write` don't

3500

work on `OpenSSL.SSL.Connection`() that use sockets.

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3501

"""

Alex Gaynor

51d424c

2016-09-10 14:50:11 -0400

[diff] [blame]

3502

context = Context(TLSv1_METHOD)

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3503

client = socket()

3504

clientSSL = Connection(context, client)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3505

with pytest.raises(TypeError):

3506

clientSSL.bio_read(100)

3507

with pytest.raises(TypeError):

3508

clientSSL.bio_write("foo")

3509

with pytest.raises(TypeError):

3510

clientSSL.bio_shutdown()

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3511

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3512

def test_outgoing_overflow(self):

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3513

"""

3514

If more bytes than can be written to the memory BIO are passed to

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3515

`Connection.send` at once, the number of bytes which were written is

3516

returned and that many bytes from the beginning of the input can be

3517

read from the other end of the connection.

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3518

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3519

server = self._server(None)

3520

client = self._client(None)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3521

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3522

interact_in_memory(client, server)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3523

3524

size = 2 ** 15

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

3525

sent = client.send(b"x" * size)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3526

# Sanity check. We're trying to test what happens when the entire

3527

# input can't be sent. If the entire input was sent, this test is

3528

# meaningless.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3529

assert sent < size

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3530

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3531

receiver, received = interact_in_memory(client, server)

3532

assert receiver is server

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3533

3534

# We can rely on all of these bytes being received at once because

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3535

# loopback passes 2 ** 16 to recv - more than 2 ** 15.

3536

assert len(received) == sent

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3537

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3538

def test_shutdown(self):

3539

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3540

`Connection.bio_shutdown` signals the end of the data stream

3541

from which the `Connection` reads.

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3542

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3543

server = self._server(None)

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3544

server.bio_shutdown()

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3545

with pytest.raises(Error) as err:

3546

server.recv(1024)

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3547

# We don't want WantReadError or ZeroReturnError or anything - it's a

3548

# handshake failure.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3549

assert type(err.value) in [Error, SysCallError]

Jean-Paul Calderone

0b88b6a

2009-07-05 12:44:41 -0400

[diff] [blame]

3550

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3551

def test_unexpected_EOF(self):

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3552

"""

3553

If the connection is lost before an orderly SSL shutdown occurs,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3554

`OpenSSL.SSL.SysCallError` is raised with a message of

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3555

"Unexpected EOF".

3556

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3557

server_conn, client_conn = loopback()

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3558

client_conn.sock_shutdown(SHUT_RDWR)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3559

with pytest.raises(SysCallError) as err:

3560

server_conn.recv(1024)

3561

assert err.value.args == (-1, "Unexpected EOF")

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3562

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3563

def _check_client_ca_list(self, func):

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3564

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3565

Verify the return value of the `get_client_ca_list` method for

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3566

server and client connections.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3567

Jonathan Ballet

78b92a2

2011-07-16 08:07:26 +0900

[diff] [blame]

3568

:param func: A function which will be called with the server context

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3569

before the client and server are connected to each other. This

3570

function should specify a list of CAs for the server to send to the

3571

client and return that same list. The list will be used to verify

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3572

that `get_client_ca_list` returns the proper value at

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3573

various times.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3574

"""

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3575

server = self._server(None)

3576

client = self._client(None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3577

assert client.get_client_ca_list() == []

3578

assert server.get_client_ca_list() == []

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3579

ctx = server.get_context()

3580

expected = func(ctx)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3581

assert client.get_client_ca_list() == []

3582

assert server.get_client_ca_list() == expected

3583

interact_in_memory(client, server)

3584

assert client.get_client_ca_list() == expected

3585

assert server.get_client_ca_list() == expected

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3586

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3587

def test_set_client_ca_list_errors(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3588

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3589

`Context.set_client_ca_list` raises a `TypeError` if called with a

3590

non-list or a list that contains objects other than X509Names.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3591

"""

3592

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3593

with pytest.raises(TypeError):

3594

ctx.set_client_ca_list("spam")

3595

with pytest.raises(TypeError):

3596

ctx.set_client_ca_list(["spam"])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3597

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3598

def test_set_empty_ca_list(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3599

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3600

If passed an empty list, `Context.set_client_ca_list` configures the

3601

context to send no CA names to the client and, on both the server and

3602

client sides, `Connection.get_client_ca_list` returns an empty list

3603

after the connection is set up.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3604

"""

3605

def no_ca(ctx):

3606

ctx.set_client_ca_list([])

3607

return []

3608

self._check_client_ca_list(no_ca)

3609

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3610

def test_set_one_ca_list(self):

3611

"""

3612

If passed a list containing a single X509Name,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3613

`Context.set_client_ca_list` configures the context to send

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3614

that CA name to the client and, on both the server and client sides,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3615

`Connection.get_client_ca_list` returns a list containing that

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3616

X509Name after the connection is set up.

3617

"""

3618

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3619

cadesc = cacert.get_subject()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3620

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3621

def single_ca(ctx):

3622

ctx.set_client_ca_list([cadesc])

3623

return [cadesc]

3624

self._check_client_ca_list(single_ca)

3625

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3626

def test_set_multiple_ca_list(self):

3627

"""

3628

If passed a list containing multiple X509Name objects,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3629

`Context.set_client_ca_list` configures the context to send

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3630

those CA names to the client and, on both the server and client sides,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3631

`Connection.get_client_ca_list` returns a list containing those

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3632

X509Names after the connection is set up.

3633

"""

3634

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3635

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3636

3637

sedesc = secert.get_subject()

3638

cldesc = clcert.get_subject()

3639

3640

def multiple_ca(ctx):

3641

L = [sedesc, cldesc]

3642

ctx.set_client_ca_list(L)

3643

return L

3644

self._check_client_ca_list(multiple_ca)

3645

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3646

def test_reset_ca_list(self):

3647

"""

3648

If called multiple times, only the X509Names passed to the final call

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3649

of `Context.set_client_ca_list` are used to configure the CA

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3650

names sent to the client.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3651

"""

3652

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3653

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3654

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3655

3656

cadesc = cacert.get_subject()

3657

sedesc = secert.get_subject()

3658

cldesc = clcert.get_subject()

3659

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3660

def changed_ca(ctx):

3661

ctx.set_client_ca_list([sedesc, cldesc])

3662

ctx.set_client_ca_list([cadesc])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3663

return [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3664

self._check_client_ca_list(changed_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3665

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3666

def test_mutated_ca_list(self):

3667

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3668

If the list passed to `Context.set_client_ca_list` is mutated

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3669

afterwards, this does not affect the list of CA names sent to the

3670

client.

3671

"""

3672

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3673

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3674

3675

cadesc = cacert.get_subject()

3676

sedesc = secert.get_subject()

3677

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3678

def mutated_ca(ctx):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3679

L = [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3680

ctx.set_client_ca_list([cadesc])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3681

L.append(sedesc)

3682

return [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3683

self._check_client_ca_list(mutated_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3684

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3685

def test_add_client_ca_wrong_args(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3686

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3687

`Context.add_client_ca` raises `TypeError` if called with

3688

a non-X509 object.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3689

"""

3690

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3691

with pytest.raises(TypeError):

3692

ctx.add_client_ca("spam")

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3693

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3694

def test_one_add_client_ca(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3695

"""

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3696

A certificate's subject can be added as a CA to be sent to the client

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3697

with `Context.add_client_ca`.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3698

"""

3699

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3700

cadesc = cacert.get_subject()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3701

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3702

def single_ca(ctx):

3703

ctx.add_client_ca(cacert)

3704

return [cadesc]

3705

self._check_client_ca_list(single_ca)

3706

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3707

def test_multiple_add_client_ca(self):

3708

"""

3709

Multiple CA names can be sent to the client by calling

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3710

`Context.add_client_ca` with multiple X509 objects.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3711

"""

3712

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3713

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3714

3715

cadesc = cacert.get_subject()

3716

sedesc = secert.get_subject()

3717

3718

def multiple_ca(ctx):

3719

ctx.add_client_ca(cacert)

3720

ctx.add_client_ca(secert)

3721

return [cadesc, sedesc]

3722

self._check_client_ca_list(multiple_ca)

3723

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3724

def test_set_and_add_client_ca(self):

3725

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3726

A call to `Context.set_client_ca_list` followed by a call to

3727

`Context.add_client_ca` results in using the CA names from the

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3728

first call and the CA name from the second call.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3729

"""

3730

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3731

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3732

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3733

3734

cadesc = cacert.get_subject()

3735

sedesc = secert.get_subject()

3736

cldesc = clcert.get_subject()

3737

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3738

def mixed_set_add_ca(ctx):

3739

ctx.set_client_ca_list([cadesc, sedesc])

3740

ctx.add_client_ca(clcert)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3741

return [cadesc, sedesc, cldesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3742

self._check_client_ca_list(mixed_set_add_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3743

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3744

def test_set_after_add_client_ca(self):

3745

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3746

A call to `Context.set_client_ca_list` after a call to

3747

`Context.add_client_ca` replaces the CA name specified by the

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3748

former call with the names specified by the latter call.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3749

"""

3750

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3751

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3752

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3753

3754

cadesc = cacert.get_subject()

3755

sedesc = secert.get_subject()

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3756

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3757

def set_replaces_add_ca(ctx):

3758

ctx.add_client_ca(clcert)

3759

ctx.set_client_ca_list([cadesc])

3760

ctx.add_client_ca(secert)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3761

return [cadesc, sedesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3762

self._check_client_ca_list(set_replaces_add_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3763

Jean-Paul Calderone

0b88b6a

2009-07-05 12:44:41 -0400

[diff] [blame]

3764

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3765

class TestInfoConstants(object):

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3766

"""

3767

Tests for assorted constants exposed for use in info callbacks.

3768

"""

3769

def test_integers(self):

3770

"""

3771

All of the info constants are integers.

3772

3773

This is a very weak test. It would be nice to have one that actually

3774

verifies that as certain info events happen, the value passed to the

3775

info callback matches up with the constant exposed by OpenSSL.SSL.

3776

"""

3777

for const in [

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

3778

SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK,

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3779

SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT,

3780

SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP,

3781

SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT,

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3782

SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE

3783

]:

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

3784

assert isinstance(const, int)

3785

3786

# These constants don't exist on OpenSSL 1.1.0

3787

for const in [

3788

SSL_ST_INIT, SSL_ST_BEFORE, SSL_ST_OK, SSL_ST_RENEGOTIATE

3789

]:

3790

assert const is None or isinstance(const, int)

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3791

Ziga Seilnacht

44611bf

2009-08-31 20:49:30 +0200

[diff] [blame]

3792

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3793

class TestRequires(object):

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3794

"""

3795

Tests for the decorator factory used to conditionally raise

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3796

NotImplementedError when older OpenSSLs are used.

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3797

"""

3798

def test_available(self):

3799

"""

3800

When the OpenSSL functionality is available the decorated functions

3801

work appropriately.

3802

"""

3803

feature_guard = _make_requires(True, "Error text")

results = []

@feature_guard

def inner():

results.append(True)

return True

Cory Benfield

2016-03-30 14:24:16 +0100

[diff] [blame]

3811

assert inner() is True

3812

assert [True] == results

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3813

3814

def test_unavailable(self):

3815

"""

3816

When the OpenSSL functionality is not available the decorated function

3817

does not execute and NotImplementedError is raised.

3818

"""

3819

feature_guard = _make_requires(False, "Error text")

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3820

3821

@feature_guard

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3822

def inner(): # pragma: nocover

3823

pytest.fail("Should not be called")

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3824

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3825

with pytest.raises(NotImplementedError) as e:

3826

inner()

3827

3828

assert "Error text" in str(e.value)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3829

3830

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3831

class TestOCSP(object):

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3832

"""

3833

Tests for PyOpenSSL's OCSP stapling support.

3834

"""

3835

sample_ocsp_data = b"this is totally ocsp data"

3836

3837

def _client_connection(self, callback, data, request_ocsp=True):

3838

"""

3839

Builds a client connection suitable for using OCSP.

3840

3841

:param callback: The callback to register for OCSP.

3842

:param data: The opaque data object that will be handed to the

3843

OCSP callback.

3844

:param request_ocsp: Whether the client will actually ask for OCSP

3845

stapling. Useful for testing only.

3846

"""

3847

ctx = Context(SSLv23_METHOD)

3848

ctx.set_ocsp_client_callback(callback, data)

3849

client = Connection(ctx)

3850

3851

if request_ocsp:

3852

client.request_ocsp()

3853

3854

client.set_connect_state()

3855

return client

3856

3857

def _server_connection(self, callback, data):

3858

"""

3859

Builds a server connection suitable for using OCSP.

3860

3861

:param callback: The callback to register for OCSP.

3862

:param data: The opaque data object that will be handed to the

3863

OCSP callback.

3864

"""

3865

ctx = Context(SSLv23_METHOD)

3866

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

3867

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

3868

ctx.set_ocsp_server_callback(callback, data)

3869

server = Connection(ctx)

3870

server.set_accept_state()

3871

return server

3872

3873

def test_callbacks_arent_called_by_default(self):

3874

"""

3875

If both the client and the server have registered OCSP callbacks, but

3876

the client does not send the OCSP request, neither callback gets

3877

called.

3878

"""

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3879

def ocsp_callback(*args, **kwargs): # pragma: nocover

3880

pytest.fail("Should not be called")

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3881

3882

client = self._client_connection(

3883

callback=ocsp_callback, data=None, request_ocsp=False

3884

)

3885

server = self._server_connection(callback=ocsp_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3886

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3887

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3888

def test_client_negotiates_without_server(self):

3889

"""

3890

If the client wants to do OCSP but the server does not, the handshake

3891

succeeds, and the client callback fires with an empty byte string.

"""

called = []

def ocsp_callback(conn, ocsp_data, ignored):

3896

called.append(ocsp_data)

3897

return True

3898

3899

client = self._client_connection(callback=ocsp_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3900

server = loopback_server_factory(socket=None)

3901

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3902

3903

assert len(called) == 1

3904

assert called[0] == b''

3905

3906

def test_client_receives_servers_data(self):

3907

"""

3908

The data the server sends in its callback is received by the client.

"""

calls = []

def server_callback(*args, **kwargs):

3913

return self.sample_ocsp_data

3914

3915

def client_callback(conn, ocsp_data, ignored):

3916

calls.append(ocsp_data)

3917

return True

3918

3919

client = self._client_connection(callback=client_callback, data=None)

3920

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3921

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3922

3923

assert len(calls) == 1

3924

assert calls[0] == self.sample_ocsp_data

3925

3926

def test_callbacks_are_invoked_with_connections(self):

3927

"""

3928

The first arguments to both callbacks are their respective connections.

"""

client_calls = []

server_calls = []

def client_callback(conn, *args, **kwargs):

3934

client_calls.append(conn)

3935

return True

3936

3937

def server_callback(conn, *args, **kwargs):

3938

server_calls.append(conn)

3939

return self.sample_ocsp_data

3940

3941

client = self._client_connection(callback=client_callback, data=None)

3942

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3943

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3944

3945

assert len(client_calls) == 1

3946

assert len(server_calls) == 1

3947

assert client_calls[0] is client

3948

assert server_calls[0] is server

3949

3950

def test_opaque_data_is_passed_through(self):

3951

"""

3952

Both callbacks receive an opaque, user-provided piece of data in their

3953

callbacks as the final argument.

"""

calls = []

def server_callback(*args):

3958

calls.append(args)

3959

return self.sample_ocsp_data

3960

3961

def client_callback(*args):

calls.append(args)

return True

sentinel = object()

client = self._client_connection(

3968

callback=client_callback, data=sentinel

3969

)

3970

server = self._server_connection(

3971

callback=server_callback, data=sentinel

3972

)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3973

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3974

3975

assert len(calls) == 2

3976

assert calls[0][-1] is sentinel

3977

assert calls[1][-1] is sentinel

3978

3979

def test_server_returns_empty_string(self):

3980

"""

3981

If the server returns an empty bytestring from its callback, the

3982

client callback is called with the empty bytestring.

"""

client_calls = []

def server_callback(*args):

3987

return b''

3988

3989

def client_callback(conn, ocsp_data, ignored):

3990

client_calls.append(ocsp_data)

3991

return True

3992

3993

client = self._client_connection(callback=client_callback, data=None)

3994

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3995

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3996

3997

assert len(client_calls) == 1

3998

assert client_calls[0] == b''

3999

4000

def test_client_returns_false_terminates_handshake(self):

4001

"""

4002

If the client returns False from its callback, the handshake fails.

4003

"""

4004

def server_callback(*args):

4005

return self.sample_ocsp_data

4006

4007

def client_callback(*args):

4008

return False

4009

4010

client = self._client_connection(callback=client_callback, data=None)

4011

server = self._server_connection(callback=server_callback, data=None)

4012

4013

with pytest.raises(Error):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

4014

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

4015

4016

def test_exceptions_in_client_bubble_up(self):

4017

"""

4018

The callbacks thrown in the client callback bubble up to the caller.

4019

"""

4020

class SentinelException(Exception):

4021

pass

4022

4023

def server_callback(*args):

4024

return self.sample_ocsp_data

4025

4026

def client_callback(*args):

4027

raise SentinelException()

4028

4029

client = self._client_connection(callback=client_callback, data=None)

4030

server = self._server_connection(callback=server_callback, data=None)

4031

4032

with pytest.raises(SentinelException):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

4033

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

4034

4035

def test_exceptions_in_server_bubble_up(self):

4036

"""

4037

The callbacks thrown in the server callback bubble up to the caller.

4038

"""

4039

class SentinelException(Exception):

4040

pass

4041

4042

def server_callback(*args):

4043

raise SentinelException()

4044

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

4045

def client_callback(*args): # pragma: nocover

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

4046

pytest.fail("Should not be called")

4047

4048

client = self._client_connection(callback=client_callback, data=None)

4049

server = self._server_connection(callback=server_callback, data=None)

4050

4051

with pytest.raises(SentinelException):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

4052

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

4053

4054

def test_server_must_return_bytes(self):

4055

"""

4056

The server callback must return a bytestring, or a TypeError is thrown.

4057

"""

4058

def server_callback(*args):

4059

return self.sample_ocsp_data.decode('ascii')

4060

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

4061

def client_callback(*args): # pragma: nocover

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

4062

pytest.fail("Should not be called")

4063

4064

client = self._client_connection(callback=client_callback, data=None)

4065

server = self._server_connection(callback=server_callback, data=None)

4066

4067

with pytest.raises(TypeError):

Alex Chan