blob: a2dfb8aac0c9d631ae060af42a1a4898a2d20074 [file] [log] [blame]
Jean-Paul Calderone8671c852011-03-02 19:26:20 -05001# Copyright (C) Jean-Paul Calderone
2# See LICENSE for details.
Jean-Paul Calderone8b63d452008-03-21 18:31:12 -04003
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -04004"""
Jonathan Ballet648875f2011-07-16 14:14:58 +09005Unit tests for :py:obj:`OpenSSL.SSL`.
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -04006"""
7
Jean-Paul Calderone4c1aacd2014-01-11 08:15:17 -05008from gc import collect, get_referrers
Konstantinos Koukopoulos541150d2014-01-31 01:00:19 +02009from errno import ECONNREFUSED, EINPROGRESS, EWOULDBLOCK, EPIPE, ESHUTDOWN
Jean-Paul Calderone210c0f32015-04-12 09:20:31 -040010from sys import platform, version_info, getfilesystemencoding
Jean-Paul Calderoned899af02013-03-19 22:10:37 -070011from socket import SHUT_RDWR, error, socket
Jean-Paul Calderonea65cf6c2009-07-19 10:26:52 -040012from os import makedirs
Jean-Paul Calderone1461c492013-10-03 16:05:00 -040013from os.path import join
Jean-Paul Calderone0b88b6a2009-07-05 12:44:41 -040014from unittest import main
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -040015from weakref import ref
Jean-Paul Calderone460cc1f2009-03-07 11:31:12 -050016
Jean-Paul Calderoneaac43a32015-04-12 09:51:21 -040017from six import PY3, binary_type, text_type, u
Jean-Paul Calderonec76c61c2014-01-18 13:21:52 -050018
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -040019from OpenSSL.crypto import TYPE_RSA, FILETYPE_PEM
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -080020from OpenSSL.crypto import PKey, X509, X509Extension, X509Store
Jean-Paul Calderone7526d172010-09-09 17:55:31 -040021from OpenSSL.crypto import dump_privatekey, load_privatekey
22from OpenSSL.crypto import dump_certificate, load_certificate
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -040023from OpenSSL.crypto import get_elliptic_curves
Jean-Paul Calderone7526d172010-09-09 17:55:31 -040024
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -040025from OpenSSL.SSL import OPENSSL_VERSION_NUMBER, SSLEAY_VERSION, SSLEAY_CFLAGS
26from OpenSSL.SSL import SSLEAY_PLATFORM, SSLEAY_DIR, SSLEAY_BUILT_ON
Jean-Paul Calderonee4f6b472010-07-29 22:50:58 -040027from OpenSSL.SSL import SENT_SHUTDOWN, RECEIVED_SHUTDOWN
Jean-Paul Calderone1461c492013-10-03 16:05:00 -040028from OpenSSL.SSL import (
29 SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD,
30 TLSv1_1_METHOD, TLSv1_2_METHOD)
31from OpenSSL.SSL import OP_SINGLE_DH_USE, OP_NO_SSLv2, OP_NO_SSLv3
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -040032from OpenSSL.SSL import (
33 VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT, VERIFY_CLIENT_ONCE, VERIFY_NONE)
Jean-Paul Calderone0222a492011-09-08 18:26:03 -040034
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -040035from OpenSSL.SSL import (
Jean-Paul Calderone313bf012012-02-08 13:02:49 -050036 SESS_CACHE_OFF, SESS_CACHE_CLIENT, SESS_CACHE_SERVER, SESS_CACHE_BOTH,
37 SESS_CACHE_NO_AUTO_CLEAR, SESS_CACHE_NO_INTERNAL_LOOKUP,
38 SESS_CACHE_NO_INTERNAL_STORE, SESS_CACHE_NO_INTERNAL)
39
40from OpenSSL.SSL import (
Jean-Paul Calderoned899af02013-03-19 22:10:37 -070041 Error, SysCallError, WantReadError, WantWriteError, ZeroReturnError)
Jean-Paul Calderonee0fcf512012-02-13 09:10:15 -050042from OpenSSL.SSL import (
Jean-Paul Calderoned899af02013-03-19 22:10:37 -070043 Context, ContextType, Session, Connection, ConnectionType, SSLeay_version)
Jean-Paul Calderone7526d172010-09-09 17:55:31 -040044
Jean-Paul Calderone210c0f32015-04-12 09:20:31 -040045from OpenSSL.test.util import NON_ASCII, TestCase, b
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -040046from OpenSSL.test.test_crypto import (
47 cleartextCertificatePEM, cleartextPrivateKeyPEM)
48from OpenSSL.test.test_crypto import (
49 client_cert_pem, client_key_pem, server_cert_pem, server_key_pem,
50 root_cert_pem)
51
Jean-Paul Calderone4bccf5e2008-12-28 22:50:42 -050052try:
53 from OpenSSL.SSL import OP_NO_QUERY_MTU
54except ImportError:
55 OP_NO_QUERY_MTU = None
56try:
57 from OpenSSL.SSL import OP_COOKIE_EXCHANGE
58except ImportError:
59 OP_COOKIE_EXCHANGE = None
60try:
61 from OpenSSL.SSL import OP_NO_TICKET
62except ImportError:
63 OP_NO_TICKET = None
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -040064
Jean-Paul Calderone0222a492011-09-08 18:26:03 -040065try:
Jean-Paul Calderonec62d4c12011-09-08 18:29:32 -040066 from OpenSSL.SSL import OP_NO_COMPRESSION
67except ImportError:
68 OP_NO_COMPRESSION = None
69
70try:
Jean-Paul Calderone0222a492011-09-08 18:26:03 -040071 from OpenSSL.SSL import MODE_RELEASE_BUFFERS
72except ImportError:
73 MODE_RELEASE_BUFFERS = None
74
Jean-Paul Calderone1461c492013-10-03 16:05:00 -040075try:
76 from OpenSSL.SSL import OP_NO_TLSv1, OP_NO_TLSv1_1, OP_NO_TLSv1_2
77except ImportError:
78 OP_NO_TLSv1 = OP_NO_TLSv1_1 = OP_NO_TLSv1_2 = None
79
Jean-Paul Calderone31e85a82011-03-21 19:13:35 -040080from OpenSSL.SSL import (
81 SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK, SSL_ST_INIT, SSL_ST_BEFORE,
82 SSL_ST_OK, SSL_ST_RENEGOTIATE,
83 SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT,
84 SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP,
85 SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT,
86 SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE)
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -040087
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -040088# openssl dhparam 128 -out dh-128.pem (note that 128 is a small number of bits
89# to use)
90dhparam = """\
91-----BEGIN DH PARAMETERS-----
92MBYCEQCobsg29c9WZP/54oAPcwiDAgEC
93-----END DH PARAMETERS-----
94"""
95
96
Jean-Paul Calderone05826732015-04-12 11:38:49 -040097def join_bytes_or_unicode(prefix, suffix):
98 """
99 Join two path components of either ``bytes`` or ``unicode``.
100
101 The return type is the same as the type of ``prefix``.
102 """
103 # If the types are the same, nothing special is necessary.
104 if type(prefix) == type(suffix):
105 return join(prefix, suffix)
106
107 # Otherwise, coerce suffix to the type of prefix.
108 if isinstance(prefix, text_type):
109 return join(prefix, suffix.decode(getfilesystemencoding()))
110 else:
111 return join(prefix, suffix.encode(getfilesystemencoding()))
112
113
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400114def verify_cb(conn, cert, errnum, depth, ok):
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400115 return ok
116
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -0400117
Rick Deanb1ccd562009-07-09 23:52:39 -0500118def socket_pair():
Jean-Paul Calderone1a9613b2009-07-16 12:13:36 -0400119 """
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400120 Establish and return a pair of network sockets connected to each other.
Jean-Paul Calderone1a9613b2009-07-16 12:13:36 -0400121 """
122 # Connect a pair of sockets
Rick Deanb1ccd562009-07-09 23:52:39 -0500123 port = socket()
124 port.bind(('', 0))
125 port.listen(1)
126 client = socket()
127 client.setblocking(False)
Jean-Paul Calderonef23c5d92009-07-23 17:58:15 -0400128 client.connect_ex(("127.0.0.1", port.getsockname()[1]))
Jean-Paul Calderone94b24a82009-07-16 19:11:38 -0400129 client.setblocking(True)
Rick Deanb1ccd562009-07-09 23:52:39 -0500130 server = port.accept()[0]
Rick Deanb1ccd562009-07-09 23:52:39 -0500131
Jean-Paul Calderone1a9613b2009-07-16 12:13:36 -0400132 # Let's pass some unencrypted data to make sure our socket connection is
133 # fine. Just one byte, so we don't have to worry about buffers getting
134 # filled up or fragmentation.
Jean-Paul Calderone9e4eeae2010-08-22 21:32:52 -0400135 server.send(b("x"))
136 assert client.recv(1024) == b("x")
137 client.send(b("y"))
138 assert server.recv(1024) == b("y")
Rick Deanb1ccd562009-07-09 23:52:39 -0500139
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -0400140 # Most of our callers want non-blocking sockets, make it easy for them.
Jean-Paul Calderone94b24a82009-07-16 19:11:38 -0400141 server.setblocking(False)
142 client.setblocking(False)
143
Rick Deanb1ccd562009-07-09 23:52:39 -0500144 return (server, client)
145
146
Jean-Paul Calderone94b24a82009-07-16 19:11:38 -0400147
Jean-Paul Calderonef8742032010-09-25 00:00:32 -0400148def handshake(client, server):
149 conns = [client, server]
150 while conns:
151 for conn in conns:
152 try:
153 conn.do_handshake()
154 except WantReadError:
155 pass
156 else:
157 conns.remove(conn)
158
159
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -0400160def _create_certificate_chain():
161 """
162 Construct and return a chain of certificates.
163
164 1. A new self-signed certificate authority certificate (cacert)
165 2. A new intermediate certificate signed by cacert (icert)
166 3. A new server certificate signed by icert (scert)
167 """
168 caext = X509Extension(b('basicConstraints'), False, b('CA:true'))
169
170 # Step 1
171 cakey = PKey()
172 cakey.generate_key(TYPE_RSA, 512)
173 cacert = X509()
174 cacert.get_subject().commonName = "Authority Certificate"
175 cacert.set_issuer(cacert.get_subject())
176 cacert.set_pubkey(cakey)
177 cacert.set_notBefore(b("20000101000000Z"))
178 cacert.set_notAfter(b("20200101000000Z"))
179 cacert.add_extensions([caext])
180 cacert.set_serial_number(0)
181 cacert.sign(cakey, "sha1")
182
183 # Step 2
184 ikey = PKey()
185 ikey.generate_key(TYPE_RSA, 512)
186 icert = X509()
187 icert.get_subject().commonName = "Intermediate Certificate"
188 icert.set_issuer(cacert.get_subject())
189 icert.set_pubkey(ikey)
190 icert.set_notBefore(b("20000101000000Z"))
191 icert.set_notAfter(b("20200101000000Z"))
192 icert.add_extensions([caext])
193 icert.set_serial_number(0)
194 icert.sign(cakey, "sha1")
195
196 # Step 3
197 skey = PKey()
198 skey.generate_key(TYPE_RSA, 512)
199 scert = X509()
200 scert.get_subject().commonName = "Server Certificate"
201 scert.set_issuer(icert.get_subject())
202 scert.set_pubkey(skey)
203 scert.set_notBefore(b("20000101000000Z"))
204 scert.set_notAfter(b("20200101000000Z"))
205 scert.add_extensions([
206 X509Extension(b('basicConstraints'), True, b('CA:false'))])
207 scert.set_serial_number(0)
208 scert.sign(ikey, "sha1")
209
210 return [(cakey, cacert), (ikey, icert), (skey, scert)]
211
212
213
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400214class _LoopbackMixin:
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -0400215 """
216 Helper mixin which defines methods for creating a connected socket pair and
217 for forcing two connected SSL sockets to talk to each other via memory BIOs.
218 """
Jean-Paul Calderonefef5c4b2012-02-14 16:31:52 -0500219 def _loopbackClientFactory(self, socket):
220 client = Connection(Context(TLSv1_METHOD), socket)
221 client.set_connect_state()
222 return client
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400223
Jean-Paul Calderonefef5c4b2012-02-14 16:31:52 -0500224
225 def _loopbackServerFactory(self, socket):
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400226 ctx = Context(TLSv1_METHOD)
227 ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
228 ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
Jean-Paul Calderonefef5c4b2012-02-14 16:31:52 -0500229 server = Connection(ctx, socket)
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400230 server.set_accept_state()
Jean-Paul Calderonefef5c4b2012-02-14 16:31:52 -0500231 return server
232
233
234 def _loopback(self, serverFactory=None, clientFactory=None):
235 if serverFactory is None:
236 serverFactory = self._loopbackServerFactory
237 if clientFactory is None:
238 clientFactory = self._loopbackClientFactory
239
240 (server, client) = socket_pair()
241 server = serverFactory(server)
242 client = clientFactory(client)
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400243
Jean-Paul Calderonef8742032010-09-25 00:00:32 -0400244 handshake(client, server)
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400245
246 server.setblocking(True)
247 client.setblocking(True)
248 return server, client
249
250
251 def _interactInMemory(self, client_conn, server_conn):
252 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900253 Try to read application bytes from each of the two :py:obj:`Connection`
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400254 objects. Copy bytes back and forth between their send/receive buffers
255 for as long as there is anything to copy. When there is nothing more
Jonathan Ballet648875f2011-07-16 14:14:58 +0900256 to copy, return :py:obj:`None`. If one of them actually manages to deliver
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400257 some application bytes, return a two-tuple of the connection from which
258 the bytes were read and the bytes themselves.
259 """
260 wrote = True
261 while wrote:
262 # Loop until neither side has anything to say
263 wrote = False
264
265 # Copy stuff from each side's send buffer to the other side's
266 # receive buffer.
267 for (read, write) in [(client_conn, server_conn),
268 (server_conn, client_conn)]:
269
270 # Give the side a chance to generate some more bytes, or
271 # succeed.
272 try:
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -0400273 data = read.recv(2 ** 16)
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400274 except WantReadError:
275 # It didn't succeed, so we'll hope it generated some
276 # output.
277 pass
278 else:
279 # It did succeed, so we'll stop now and let the caller deal
280 # with it.
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -0400281 return (read, data)
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400282
283 while True:
284 # Keep copying as long as there's more stuff there.
285 try:
286 dirty = read.bio_read(4096)
287 except WantReadError:
288 # Okay, nothing more waiting to be sent. Stop
289 # processing this send buffer.
290 break
291 else:
292 # Keep track of the fact that someone generated some
293 # output.
294 wrote = True
295 write.bio_write(dirty)
296
297
Jean-Paul Calderone6a8cd112014-04-02 21:09:08 -0400298 def _handshakeInMemory(self, client_conn, server_conn):
Jean-Paul Calderoneb2b40782014-05-06 08:47:40 -0400299 """
300 Perform the TLS handshake between two :py:class:`Connection` instances
301 connected to each other via memory BIOs.
302 """
Jean-Paul Calderone6a8cd112014-04-02 21:09:08 -0400303 client_conn.set_connect_state()
304 server_conn.set_accept_state()
305
306 for conn in [client_conn, server_conn]:
307 try:
308 conn.do_handshake()
309 except WantReadError:
310 pass
311
312 self._interactInMemory(client_conn, server_conn)
313
314
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -0400315
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400316class VersionTests(TestCase):
317 """
318 Tests for version information exposed by
Jonathan Ballet648875f2011-07-16 14:14:58 +0900319 :py:obj:`OpenSSL.SSL.SSLeay_version` and
320 :py:obj:`OpenSSL.SSL.OPENSSL_VERSION_NUMBER`.
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400321 """
322 def test_OPENSSL_VERSION_NUMBER(self):
323 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900324 :py:obj:`OPENSSL_VERSION_NUMBER` is an integer with status in the low
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400325 byte and the patch, fix, minor, and major versions in the
326 nibbles above that.
327 """
328 self.assertTrue(isinstance(OPENSSL_VERSION_NUMBER, int))
329
330
331 def test_SSLeay_version(self):
332 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900333 :py:obj:`SSLeay_version` takes a version type indicator and returns
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400334 one of a number of version strings based on that indicator.
335 """
336 versions = {}
337 for t in [SSLEAY_VERSION, SSLEAY_CFLAGS, SSLEAY_BUILT_ON,
338 SSLEAY_PLATFORM, SSLEAY_DIR]:
339 version = SSLeay_version(t)
340 versions[version] = t
341 self.assertTrue(isinstance(version, bytes))
342 self.assertEqual(len(versions), 5)
343
344
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400345
346class ContextTests(TestCase, _LoopbackMixin):
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -0400347 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900348 Unit tests for :py:obj:`OpenSSL.SSL.Context`.
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -0400349 """
350 def test_method(self):
351 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900352 :py:obj:`Context` can be instantiated with one of :py:obj:`SSLv2_METHOD`,
Jean-Paul Calderone1461c492013-10-03 16:05:00 -0400353 :py:obj:`SSLv3_METHOD`, :py:obj:`SSLv23_METHOD`, :py:obj:`TLSv1_METHOD`,
354 :py:obj:`TLSv1_1_METHOD`, or :py:obj:`TLSv1_2_METHOD`.
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -0400355 """
Jean-Paul Calderone1461c492013-10-03 16:05:00 -0400356 methods = [
357 SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD]
358 for meth in methods:
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -0400359 Context(meth)
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400360
Jean-Paul Calderone1461c492013-10-03 16:05:00 -0400361
362 maybe = [SSLv2_METHOD, TLSv1_1_METHOD, TLSv1_2_METHOD]
363 for meth in maybe:
364 try:
365 Context(meth)
366 except (Error, ValueError):
367 # Some versions of OpenSSL have SSLv2 / TLSv1.1 / TLSv1.2, some
368 # don't. Difficult to say in advance.
369 pass
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400370
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -0400371 self.assertRaises(TypeError, Context, "")
372 self.assertRaises(ValueError, Context, 10)
373
374
Jean-Paul Calderonef73a3cb2014-02-09 08:49:06 -0500375 if not PY3:
376 def test_method_long(self):
377 """
378 On Python 2 :py:class:`Context` accepts values of type
379 :py:obj:`long` as well as :py:obj:`int`.
380 """
381 Context(long(TLSv1_METHOD))
382
383
384
Rick Deane15b1472009-07-09 15:53:42 -0500385 def test_type(self):
386 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900387 :py:obj:`Context` and :py:obj:`ContextType` refer to the same type object and can be
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400388 used to create instances of that type.
Rick Deane15b1472009-07-09 15:53:42 -0500389 """
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400390 self.assertIdentical(Context, ContextType)
391 self.assertConsistentType(Context, 'Context', TLSv1_METHOD)
Rick Deane15b1472009-07-09 15:53:42 -0500392
393
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -0400394 def test_use_privatekey(self):
395 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900396 :py:obj:`Context.use_privatekey` takes an :py:obj:`OpenSSL.crypto.PKey` instance.
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -0400397 """
398 key = PKey()
399 key.generate_key(TYPE_RSA, 128)
400 ctx = Context(TLSv1_METHOD)
401 ctx.use_privatekey(key)
402 self.assertRaises(TypeError, ctx.use_privatekey, "")
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400403
404
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800405 def test_use_privatekey_file_missing(self):
406 """
407 :py:obj:`Context.use_privatekey_file` raises :py:obj:`OpenSSL.SSL.Error`
408 when passed the name of a file which does not exist.
409 """
410 ctx = Context(TLSv1_METHOD)
411 self.assertRaises(Error, ctx.use_privatekey_file, self.mktemp())
412
413
Jean-Paul Calderone69a4e5b2015-04-12 10:04:28 -0400414 def _use_privatekey_file_test(self, pemfile, filetype):
415 """
416 Verify that calling ``Context.use_privatekey_file`` with the given
417 arguments does not raise an exception.
418 """
419 key = PKey()
420 key.generate_key(TYPE_RSA, 128)
421
422 with open(pemfile, "wt") as pem:
423 pem.write(
424 dump_privatekey(FILETYPE_PEM, key).decode("ascii")
425 )
426
427 ctx = Context(TLSv1_METHOD)
428 ctx.use_privatekey_file(pemfile, filetype)
429
430
431 def test_use_privatekey_file_bytes(self):
432 """
433 A private key can be specified from a file by passing a ``bytes``
434 instance giving the file name to ``Context.use_privatekey_file``.
435 """
436 self._use_privatekey_file_test(
437 self.mktemp() + NON_ASCII.encode(getfilesystemencoding()),
438 FILETYPE_PEM,
439 )
440
441
442 def test_use_privatekey_file_unicode(self):
443 """
444 A private key can be specified from a file by passing a ``unicode``
445 instance giving the file name to ``Context.use_privatekey_file``.
446 """
447 self._use_privatekey_file_test(
448 self.mktemp().decode(getfilesystemencoding()) + NON_ASCII,
449 FILETYPE_PEM,
450 )
451
452
Jean-Paul Calderonef73a3cb2014-02-09 08:49:06 -0500453 if not PY3:
454 def test_use_privatekey_file_long(self):
455 """
456 On Python 2 :py:obj:`Context.use_privatekey_file` accepts a
457 filetype of type :py:obj:`long` as well as :py:obj:`int`.
458 """
Jean-Paul Calderone69a4e5b2015-04-12 10:04:28 -0400459 self._use_privatekey_file_test(self.mktemp(), long(FILETYPE_PEM))
Jean-Paul Calderonef73a3cb2014-02-09 08:49:06 -0500460
461
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800462 def test_use_certificate_wrong_args(self):
463 """
464 :py:obj:`Context.use_certificate_wrong_args` raises :py:obj:`TypeError`
465 when not passed exactly one :py:obj:`OpenSSL.crypto.X509` instance as an
466 argument.
467 """
468 ctx = Context(TLSv1_METHOD)
469 self.assertRaises(TypeError, ctx.use_certificate)
470 self.assertRaises(TypeError, ctx.use_certificate, "hello, world")
471 self.assertRaises(TypeError, ctx.use_certificate, X509(), "hello, world")
472
473
474 def test_use_certificate_uninitialized(self):
475 """
476 :py:obj:`Context.use_certificate` raises :py:obj:`OpenSSL.SSL.Error`
477 when passed a :py:obj:`OpenSSL.crypto.X509` instance which has not been
478 initialized (ie, which does not actually have any certificate data).
479 """
480 ctx = Context(TLSv1_METHOD)
481 self.assertRaises(Error, ctx.use_certificate, X509())
482
483
484 def test_use_certificate(self):
485 """
486 :py:obj:`Context.use_certificate` sets the certificate which will be
487 used to identify connections created using the context.
488 """
489 # TODO
490 # Hard to assert anything. But we could set a privatekey then ask
491 # OpenSSL if the cert and key agree using check_privatekey. Then as
492 # long as check_privatekey works right we're good...
493 ctx = Context(TLSv1_METHOD)
494 ctx.use_certificate(load_certificate(FILETYPE_PEM, cleartextCertificatePEM))
495
496
497 def test_use_certificate_file_wrong_args(self):
498 """
499 :py:obj:`Context.use_certificate_file` raises :py:obj:`TypeError` if
500 called with zero arguments or more than two arguments, or if the first
501 argument is not a byte string or the second argumnent is not an integer.
502 """
503 ctx = Context(TLSv1_METHOD)
504 self.assertRaises(TypeError, ctx.use_certificate_file)
505 self.assertRaises(TypeError, ctx.use_certificate_file, b"somefile", object())
506 self.assertRaises(
507 TypeError, ctx.use_certificate_file, b"somefile", FILETYPE_PEM, object())
508 self.assertRaises(
509 TypeError, ctx.use_certificate_file, object(), FILETYPE_PEM)
510 self.assertRaises(
511 TypeError, ctx.use_certificate_file, b"somefile", object())
512
513
514 def test_use_certificate_file_missing(self):
515 """
516 :py:obj:`Context.use_certificate_file` raises
517 `:py:obj:`OpenSSL.SSL.Error` if passed the name of a file which does not
518 exist.
519 """
520 ctx = Context(TLSv1_METHOD)
521 self.assertRaises(Error, ctx.use_certificate_file, self.mktemp())
522
523
Jean-Paul Calderoned57a7b62015-04-12 09:57:36 -0400524 def _use_certificate_file_test(self, certificate_file):
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800525 """
Jean-Paul Calderoned57a7b62015-04-12 09:57:36 -0400526 Verify that calling ``Context.use_certificate_file`` with the given
527 filename doesn't raise an exception.
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800528 """
529 # TODO
530 # Hard to assert anything. But we could set a privatekey then ask
531 # OpenSSL if the cert and key agree using check_privatekey. Then as
532 # long as check_privatekey works right we're good...
Jean-Paul Calderoned57a7b62015-04-12 09:57:36 -0400533 with open(certificate_file, "wb") as pem_file:
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800534 pem_file.write(cleartextCertificatePEM)
535
536 ctx = Context(TLSv1_METHOD)
Jean-Paul Calderoned57a7b62015-04-12 09:57:36 -0400537 ctx.use_certificate_file(certificate_file)
538
539
540 def test_use_certificate_file_bytes(self):
541 """
542 :py:obj:`Context.use_certificate_file` sets the certificate (given as a
543 ``bytes`` filename) which will be used to identify connections created
544 using the context.
545 """
546 filename = self.mktemp() + NON_ASCII.encode(getfilesystemencoding())
547 self._use_certificate_file_test(filename)
548
549
550 def test_use_certificate_file_unicode(self):
551 """
552 :py:obj:`Context.use_certificate_file` sets the certificate (given as a
553 ``bytes`` filename) which will be used to identify connections created
554 using the context.
555 """
556 filename = self.mktemp().decode(getfilesystemencoding()) + NON_ASCII
557 self._use_certificate_file_test(filename)
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800558
559
Jean-Paul Calderonef73a3cb2014-02-09 08:49:06 -0500560 if not PY3:
561 def test_use_certificate_file_long(self):
562 """
563 On Python 2 :py:obj:`Context.use_certificate_file` accepts a
564 filetype of type :py:obj:`long` as well as :py:obj:`int`.
565 """
566 pem_filename = self.mktemp()
567 with open(pem_filename, "wb") as pem_file:
568 pem_file.write(cleartextCertificatePEM)
569
570 ctx = Context(TLSv1_METHOD)
571 ctx.use_certificate_file(pem_filename, long(FILETYPE_PEM))
572
573
Jean-Paul Calderone932f5cc2014-12-11 13:58:00 -0500574 def test_check_privatekey_valid(self):
575 """
576 :py:obj:`Context.check_privatekey` returns :py:obj:`None` if the
577 :py:obj:`Context` instance has been configured to use a matched key and
578 certificate pair.
579 """
580 key = load_privatekey(FILETYPE_PEM, client_key_pem)
581 cert = load_certificate(FILETYPE_PEM, client_cert_pem)
582 context = Context(TLSv1_METHOD)
583 context.use_privatekey(key)
584 context.use_certificate(cert)
585 self.assertIs(None, context.check_privatekey())
586
587
588 def test_check_privatekey_invalid(self):
589 """
590 :py:obj:`Context.check_privatekey` raises :py:obj:`Error` if the
591 :py:obj:`Context` instance has been configured to use a key and
592 certificate pair which don't relate to each other.
593 """
594 key = load_privatekey(FILETYPE_PEM, client_key_pem)
595 cert = load_certificate(FILETYPE_PEM, server_cert_pem)
596 context = Context(TLSv1_METHOD)
597 context.use_privatekey(key)
598 context.use_certificate(cert)
599 self.assertRaises(Error, context.check_privatekey)
600
601
602 def test_check_privatekey_wrong_args(self):
603 """
604 :py:obj:`Context.check_privatekey` raises :py:obj:`TypeError` if called
605 with other than no arguments.
606 """
607 context = Context(TLSv1_METHOD)
608 self.assertRaises(TypeError, context.check_privatekey, object())
609
610
Jean-Paul Calderonebd479162010-07-30 18:03:25 -0400611 def test_set_app_data_wrong_args(self):
612 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900613 :py:obj:`Context.set_app_data` raises :py:obj:`TypeError` if called with other than
Jean-Paul Calderonebd479162010-07-30 18:03:25 -0400614 one argument.
615 """
616 context = Context(TLSv1_METHOD)
617 self.assertRaises(TypeError, context.set_app_data)
618 self.assertRaises(TypeError, context.set_app_data, None, None)
619
620
621 def test_get_app_data_wrong_args(self):
622 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900623 :py:obj:`Context.get_app_data` raises :py:obj:`TypeError` if called with any
Jean-Paul Calderonebd479162010-07-30 18:03:25 -0400624 arguments.
625 """
626 context = Context(TLSv1_METHOD)
627 self.assertRaises(TypeError, context.get_app_data, None)
628
629
630 def test_app_data(self):
631 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900632 :py:obj:`Context.set_app_data` stores an object for later retrieval using
633 :py:obj:`Context.get_app_data`.
Jean-Paul Calderonebd479162010-07-30 18:03:25 -0400634 """
635 app_data = object()
636 context = Context(TLSv1_METHOD)
637 context.set_app_data(app_data)
638 self.assertIdentical(context.get_app_data(), app_data)
639
640
Jean-Paul Calderone40569ca2010-07-30 18:04:58 -0400641 def test_set_options_wrong_args(self):
642 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900643 :py:obj:`Context.set_options` raises :py:obj:`TypeError` if called with the wrong
644 number of arguments or a non-:py:obj:`int` argument.
Jean-Paul Calderone40569ca2010-07-30 18:04:58 -0400645 """
646 context = Context(TLSv1_METHOD)
647 self.assertRaises(TypeError, context.set_options)
648 self.assertRaises(TypeError, context.set_options, None)
649 self.assertRaises(TypeError, context.set_options, 1, None)
650
651
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -0500652 def test_set_options(self):
653 """
654 :py:obj:`Context.set_options` returns the new options value.
655 """
656 context = Context(TLSv1_METHOD)
657 options = context.set_options(OP_NO_SSLv2)
658 self.assertTrue(OP_NO_SSLv2 & options)
659
660
661 if not PY3:
662 def test_set_options_long(self):
663 """
664 On Python 2 :py:obj:`Context.set_options` accepts values of type
665 :py:obj:`long` as well as :py:obj:`int`.
666 """
667 context = Context(TLSv1_METHOD)
668 options = context.set_options(long(OP_NO_SSLv2))
669 self.assertTrue(OP_NO_SSLv2 & options)
670
671
Guillermo Gonzalez74a2c292011-08-29 16:16:58 -0300672 def test_set_mode_wrong_args(self):
673 """
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -0400674 :py:obj:`Context.set`mode} raises :py:obj:`TypeError` if called with the wrong
675 number of arguments or a non-:py:obj:`int` argument.
Guillermo Gonzalez74a2c292011-08-29 16:16:58 -0300676 """
677 context = Context(TLSv1_METHOD)
678 self.assertRaises(TypeError, context.set_mode)
679 self.assertRaises(TypeError, context.set_mode, None)
680 self.assertRaises(TypeError, context.set_mode, 1, None)
681
682
Jean-Paul Calderone0222a492011-09-08 18:26:03 -0400683 if MODE_RELEASE_BUFFERS is not None:
684 def test_set_mode(self):
685 """
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -0400686 :py:obj:`Context.set_mode` accepts a mode bitvector and returns the newly
Jean-Paul Calderone0222a492011-09-08 18:26:03 -0400687 set mode.
688 """
689 context = Context(TLSv1_METHOD)
690 self.assertTrue(
691 MODE_RELEASE_BUFFERS & context.set_mode(MODE_RELEASE_BUFFERS))
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -0500692
693 if not PY3:
694 def test_set_mode_long(self):
695 """
696 On Python 2 :py:obj:`Context.set_mode` accepts values of type
697 :py:obj:`long` as well as :py:obj:`int`.
698 """
699 context = Context(TLSv1_METHOD)
700 mode = context.set_mode(long(MODE_RELEASE_BUFFERS))
701 self.assertTrue(MODE_RELEASE_BUFFERS & mode)
Jean-Paul Calderone0222a492011-09-08 18:26:03 -0400702 else:
703 "MODE_RELEASE_BUFFERS unavailable - OpenSSL version may be too old"
704
705
Jean-Paul Calderone5ebb44a2010-07-30 18:09:41 -0400706 def test_set_timeout_wrong_args(self):
707 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900708 :py:obj:`Context.set_timeout` raises :py:obj:`TypeError` if called with the wrong
709 number of arguments or a non-:py:obj:`int` argument.
Jean-Paul Calderone5ebb44a2010-07-30 18:09:41 -0400710 """
711 context = Context(TLSv1_METHOD)
712 self.assertRaises(TypeError, context.set_timeout)
713 self.assertRaises(TypeError, context.set_timeout, None)
714 self.assertRaises(TypeError, context.set_timeout, 1, None)
715
716
717 def test_get_timeout_wrong_args(self):
718 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900719 :py:obj:`Context.get_timeout` raises :py:obj:`TypeError` if called with any arguments.
Jean-Paul Calderone5ebb44a2010-07-30 18:09:41 -0400720 """
721 context = Context(TLSv1_METHOD)
722 self.assertRaises(TypeError, context.get_timeout, None)
723
724
725 def test_timeout(self):
726 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900727 :py:obj:`Context.set_timeout` sets the session timeout for all connections
728 created using the context object. :py:obj:`Context.get_timeout` retrieves this
Jean-Paul Calderone5ebb44a2010-07-30 18:09:41 -0400729 value.
730 """
731 context = Context(TLSv1_METHOD)
732 context.set_timeout(1234)
733 self.assertEquals(context.get_timeout(), 1234)
734
735
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -0500736 if not PY3:
737 def test_timeout_long(self):
738 """
739 On Python 2 :py:obj:`Context.set_timeout` accepts values of type
740 `long` as well as int.
741 """
742 context = Context(TLSv1_METHOD)
743 context.set_timeout(long(1234))
744 self.assertEquals(context.get_timeout(), 1234)
745
746
Jean-Paul Calderonee2b69512010-07-30 18:22:06 -0400747 def test_set_verify_depth_wrong_args(self):
748 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900749 :py:obj:`Context.set_verify_depth` raises :py:obj:`TypeError` if called with the wrong
750 number of arguments or a non-:py:obj:`int` argument.
Jean-Paul Calderonee2b69512010-07-30 18:22:06 -0400751 """
752 context = Context(TLSv1_METHOD)
753 self.assertRaises(TypeError, context.set_verify_depth)
754 self.assertRaises(TypeError, context.set_verify_depth, None)
755 self.assertRaises(TypeError, context.set_verify_depth, 1, None)
756
757
758 def test_get_verify_depth_wrong_args(self):
759 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900760 :py:obj:`Context.get_verify_depth` raises :py:obj:`TypeError` if called with any arguments.
Jean-Paul Calderonee2b69512010-07-30 18:22:06 -0400761 """
762 context = Context(TLSv1_METHOD)
763 self.assertRaises(TypeError, context.get_verify_depth, None)
764
765
766 def test_verify_depth(self):
767 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900768 :py:obj:`Context.set_verify_depth` sets the number of certificates in a chain
Jean-Paul Calderonee2b69512010-07-30 18:22:06 -0400769 to follow before giving up. The value can be retrieved with
Jonathan Ballet648875f2011-07-16 14:14:58 +0900770 :py:obj:`Context.get_verify_depth`.
Jean-Paul Calderonee2b69512010-07-30 18:22:06 -0400771 """
772 context = Context(TLSv1_METHOD)
773 context.set_verify_depth(11)
774 self.assertEquals(context.get_verify_depth(), 11)
775
776
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -0500777 if not PY3:
778 def test_verify_depth_long(self):
779 """
780 On Python 2 :py:obj:`Context.set_verify_depth` accepts values of
781 type `long` as well as int.
782 """
783 context = Context(TLSv1_METHOD)
784 context.set_verify_depth(long(11))
785 self.assertEquals(context.get_verify_depth(), 11)
786
787
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400788 def _write_encrypted_pem(self, passphrase):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -0400789 """
790 Write a new private key out to a new file, encrypted using the given
791 passphrase. Return the path to the new file.
792 """
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400793 key = PKey()
794 key.generate_key(TYPE_RSA, 128)
795 pemFile = self.mktemp()
Jean-Paul Calderonea9868832010-08-22 21:38:34 -0400796 fObj = open(pemFile, 'w')
797 pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase)
798 fObj.write(pem.decode('ascii'))
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400799 fObj.close()
800 return pemFile
801
802
Jean-Paul Calderonef4480622010-08-02 18:25:03 -0400803 def test_set_passwd_cb_wrong_args(self):
804 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900805 :py:obj:`Context.set_passwd_cb` raises :py:obj:`TypeError` if called with the
Jean-Paul Calderonef4480622010-08-02 18:25:03 -0400806 wrong arguments or with a non-callable first argument.
807 """
808 context = Context(TLSv1_METHOD)
809 self.assertRaises(TypeError, context.set_passwd_cb)
810 self.assertRaises(TypeError, context.set_passwd_cb, None)
811 self.assertRaises(TypeError, context.set_passwd_cb, lambda: None, None, None)
812
813
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400814 def test_set_passwd_cb(self):
815 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900816 :py:obj:`Context.set_passwd_cb` accepts a callable which will be invoked when
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400817 a private key is loaded from an encrypted PEM.
818 """
Jean-Paul Calderonea9868832010-08-22 21:38:34 -0400819 passphrase = b("foobar")
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400820 pemFile = self._write_encrypted_pem(passphrase)
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400821 calledWith = []
822 def passphraseCallback(maxlen, verify, extra):
823 calledWith.append((maxlen, verify, extra))
824 return passphrase
825 context = Context(TLSv1_METHOD)
826 context.set_passwd_cb(passphraseCallback)
827 context.use_privatekey_file(pemFile)
828 self.assertTrue(len(calledWith), 1)
829 self.assertTrue(isinstance(calledWith[0][0], int))
830 self.assertTrue(isinstance(calledWith[0][1], int))
831 self.assertEqual(calledWith[0][2], None)
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400832
833
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400834 def test_passwd_callback_exception(self):
835 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900836 :py:obj:`Context.use_privatekey_file` propagates any exception raised by the
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400837 passphrase callback.
838 """
Jean-Paul Calderonea9868832010-08-22 21:38:34 -0400839 pemFile = self._write_encrypted_pem(b("monkeys are nice"))
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400840 def passphraseCallback(maxlen, verify, extra):
841 raise RuntimeError("Sorry, I am a fail.")
842
843 context = Context(TLSv1_METHOD)
844 context.set_passwd_cb(passphraseCallback)
845 self.assertRaises(RuntimeError, context.use_privatekey_file, pemFile)
846
847
848 def test_passwd_callback_false(self):
849 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900850 :py:obj:`Context.use_privatekey_file` raises :py:obj:`OpenSSL.SSL.Error` if the
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400851 passphrase callback returns a false value.
852 """
Jean-Paul Calderonea9868832010-08-22 21:38:34 -0400853 pemFile = self._write_encrypted_pem(b("monkeys are nice"))
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400854 def passphraseCallback(maxlen, verify, extra):
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500855 return b""
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400856
857 context = Context(TLSv1_METHOD)
858 context.set_passwd_cb(passphraseCallback)
859 self.assertRaises(Error, context.use_privatekey_file, pemFile)
860
861
862 def test_passwd_callback_non_string(self):
863 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900864 :py:obj:`Context.use_privatekey_file` raises :py:obj:`OpenSSL.SSL.Error` if the
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400865 passphrase callback returns a true non-string value.
866 """
Jean-Paul Calderonea9868832010-08-22 21:38:34 -0400867 pemFile = self._write_encrypted_pem(b("monkeys are nice"))
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400868 def passphraseCallback(maxlen, verify, extra):
869 return 10
870
871 context = Context(TLSv1_METHOD)
872 context.set_passwd_cb(passphraseCallback)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800873 self.assertRaises(ValueError, context.use_privatekey_file, pemFile)
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400874
875
876 def test_passwd_callback_too_long(self):
877 """
878 If the passphrase returned by the passphrase callback returns a string
879 longer than the indicated maximum length, it is truncated.
880 """
881 # A priori knowledge!
Jean-Paul Calderonea9868832010-08-22 21:38:34 -0400882 passphrase = b("x") * 1024
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400883 pemFile = self._write_encrypted_pem(passphrase)
884 def passphraseCallback(maxlen, verify, extra):
885 assert maxlen == 1024
Jean-Paul Calderoneb1f7f5f2010-08-22 21:40:52 -0400886 return passphrase + b("y")
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400887
888 context = Context(TLSv1_METHOD)
889 context.set_passwd_cb(passphraseCallback)
890 # This shall succeed because the truncated result is the correct
891 # passphrase.
892 context.use_privatekey_file(pemFile)
893
894
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400895 def test_set_info_callback(self):
896 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900897 :py:obj:`Context.set_info_callback` accepts a callable which will be invoked
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400898 when certain information about an SSL connection is available.
899 """
Rick Deanb1ccd562009-07-09 23:52:39 -0500900 (server, client) = socket_pair()
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400901
902 clientSSL = Connection(Context(TLSv1_METHOD), client)
903 clientSSL.set_connect_state()
904
905 called = []
906 def info(conn, where, ret):
907 called.append((conn, where, ret))
908 context = Context(TLSv1_METHOD)
909 context.set_info_callback(info)
910 context.use_certificate(
911 load_certificate(FILETYPE_PEM, cleartextCertificatePEM))
912 context.use_privatekey(
913 load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))
914
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400915 serverSSL = Connection(context, server)
916 serverSSL.set_accept_state()
917
Jean-Paul Calderonef2bbc9c2014-02-02 10:59:14 -0500918 handshake(clientSSL, serverSSL)
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400919
Jean-Paul Calderone3835e522014-02-02 11:12:30 -0500920 # The callback must always be called with a Connection instance as the
921 # first argument. It would probably be better to split this into
922 # separate tests for client and server side info callbacks so we could
923 # assert it is called with the right Connection instance. It would
924 # also be good to assert *something* about `where` and `ret`.
Jean-Paul Calderonef2bbc9c2014-02-02 10:59:14 -0500925 notConnections = [
926 conn for (conn, where, ret) in called
927 if not isinstance(conn, Connection)]
928 self.assertEqual(
929 [], notConnections,
930 "Some info callback arguments were not Connection instaces.")
Jean-Paul Calderonee1bd4322008-09-07 20:17:17 -0400931
932
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400933 def _load_verify_locations_test(self, *args):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -0400934 """
935 Create a client context which will verify the peer certificate and call
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -0400936 its :py:obj:`load_verify_locations` method with the given arguments.
937 Then connect it to a server and ensure that the handshake succeeds.
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -0400938 """
Rick Deanb1ccd562009-07-09 23:52:39 -0500939 (server, client) = socket_pair()
Jean-Paul Calderonee1bd4322008-09-07 20:17:17 -0400940
Jean-Paul Calderonee1bd4322008-09-07 20:17:17 -0400941 clientContext = Context(TLSv1_METHOD)
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400942 clientContext.load_verify_locations(*args)
Jean-Paul Calderonee1bd4322008-09-07 20:17:17 -0400943 # Require that the server certificate verify properly or the
944 # connection will fail.
945 clientContext.set_verify(
946 VERIFY_PEER,
947 lambda conn, cert, errno, depth, preverify_ok: preverify_ok)
948
949 clientSSL = Connection(clientContext, client)
950 clientSSL.set_connect_state()
951
Jean-Paul Calderonee1bd4322008-09-07 20:17:17 -0400952 serverContext = Context(TLSv1_METHOD)
953 serverContext.use_certificate(
954 load_certificate(FILETYPE_PEM, cleartextCertificatePEM))
955 serverContext.use_privatekey(
956 load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))
957
958 serverSSL = Connection(serverContext, server)
959 serverSSL.set_accept_state()
960
Jean-Paul Calderonef8742032010-09-25 00:00:32 -0400961 # Without load_verify_locations above, the handshake
962 # will fail:
963 # Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE',
964 # 'certificate verify failed')]
965 handshake(clientSSL, serverSSL)
Jean-Paul Calderonee1bd4322008-09-07 20:17:17 -0400966
967 cert = clientSSL.get_peer_certificate()
Jean-Paul Calderone20131f52009-04-01 12:05:45 -0400968 self.assertEqual(cert.get_subject().CN, 'Testing Root CA')
Jean-Paul Calderone5075fce2008-09-07 20:18:55 -0400969
Jean-Paul Calderone12608a82009-11-07 10:35:15 -0500970
Jean-Paul Calderone210c0f32015-04-12 09:20:31 -0400971 def _load_verify_cafile(self, cafile):
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400972 """
Jean-Paul Calderone210c0f32015-04-12 09:20:31 -0400973 Verify that if path to a file containing a certificate is passed to
974 ``Context.load_verify_locations`` for the ``cafile`` parameter, that
975 certificate is used as a trust root for the purposes of verifying
976 connections created using that ``Context``.
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400977 """
Jean-Paul Calderonea9868832010-08-22 21:38:34 -0400978 fObj = open(cafile, 'w')
Jean-Paul Calderoneb1f7f5f2010-08-22 21:40:52 -0400979 fObj.write(cleartextCertificatePEM.decode('ascii'))
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400980 fObj.close()
981
982 self._load_verify_locations_test(cafile)
983
Jean-Paul Calderone5075fce2008-09-07 20:18:55 -0400984
Jean-Paul Calderone210c0f32015-04-12 09:20:31 -0400985 def test_load_verify_bytes_cafile(self):
986 """
987 :py:obj:`Context.load_verify_locations` accepts a file name as a
988 ``bytes`` instance and uses the certificates within for verification
989 purposes.
990 """
991 cafile = self.mktemp() + NON_ASCII.encode(getfilesystemencoding())
992 self._load_verify_cafile(cafile)
993
994
995 def test_load_verify_unicode_cafile(self):
996 """
997 :py:obj:`Context.load_verify_locations` accepts a file name as a
998 ``unicode`` instance and uses the certificates within for verification
999 purposes.
1000 """
Jean-Paul Calderone4f70c802015-04-12 11:26:47 -04001001 self._load_verify_cafile(
1002 self.mktemp().decode(getfilesystemencoding()) + NON_ASCII
1003 )
Jean-Paul Calderone210c0f32015-04-12 09:20:31 -04001004
1005
Jean-Paul Calderone5075fce2008-09-07 20:18:55 -04001006 def test_load_verify_invalid_file(self):
1007 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001008 :py:obj:`Context.load_verify_locations` raises :py:obj:`Error` when passed a
Jean-Paul Calderone5075fce2008-09-07 20:18:55 -04001009 non-existent cafile.
1010 """
1011 clientContext = Context(TLSv1_METHOD)
1012 self.assertRaises(
1013 Error, clientContext.load_verify_locations, self.mktemp())
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -04001014
1015
Jean-Paul Calderone210c0f32015-04-12 09:20:31 -04001016 def _load_verify_directory_locations_capath(self, capath):
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -04001017 """
Jean-Paul Calderone210c0f32015-04-12 09:20:31 -04001018 Verify that if path to a directory containing certificate files is
1019 passed to ``Context.load_verify_locations`` for the ``capath``
1020 parameter, those certificates are used as trust roots for the purposes
1021 of verifying connections created using that ``Context``.
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -04001022 """
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -04001023 makedirs(capath)
Jean-Paul Calderone24dfb332011-05-04 18:10:26 -04001024 # Hash values computed manually with c_rehash to avoid depending on
1025 # c_rehash in the test suite. One is from OpenSSL 0.9.8, the other
1026 # from OpenSSL 1.0.0.
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05001027 for name in [b'c7adac82.0', b'c3705638.0']:
Jean-Paul Calderone05826732015-04-12 11:38:49 -04001028 cafile = join_bytes_or_unicode(capath, name)
1029 with open(cafile, 'w') as fObj:
1030 fObj.write(cleartextCertificatePEM.decode('ascii'))
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -04001031
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -04001032 self._load_verify_locations_test(None, capath)
1033
1034
Jean-Paul Calderone210c0f32015-04-12 09:20:31 -04001035 def test_load_verify_directory_bytes_capath(self):
1036 """
1037 :py:obj:`Context.load_verify_locations` accepts a directory name as a
1038 ``bytes`` instance and uses the certificates within for verification
1039 purposes.
1040 """
1041 self._load_verify_directory_locations_capath(
1042 self.mktemp() + NON_ASCII.encode(getfilesystemencoding())
1043 )
1044
1045
1046 def test_load_verify_directory_unicode_capath(self):
1047 """
1048 :py:obj:`Context.load_verify_locations` accepts a directory name as a
1049 ``unicode`` instance and uses the certificates within for verification
1050 purposes.
1051 """
Jean-Paul Calderone4f70c802015-04-12 11:26:47 -04001052 self._load_verify_directory_locations_capath(
1053 self.mktemp().decode(getfilesystemencoding()) + NON_ASCII
1054 )
Jean-Paul Calderone210c0f32015-04-12 09:20:31 -04001055
1056
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001057 def test_load_verify_locations_wrong_args(self):
1058 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001059 :py:obj:`Context.load_verify_locations` raises :py:obj:`TypeError` if called with
1060 the wrong number of arguments or with non-:py:obj:`str` arguments.
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001061 """
1062 context = Context(TLSv1_METHOD)
1063 self.assertRaises(TypeError, context.load_verify_locations)
1064 self.assertRaises(TypeError, context.load_verify_locations, object())
1065 self.assertRaises(TypeError, context.load_verify_locations, object(), object())
1066 self.assertRaises(TypeError, context.load_verify_locations, None, None, None)
1067
1068
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04001069 if platform == "win32":
1070 "set_default_verify_paths appears not to work on Windows. "
Jean-Paul Calderone28fb8f02009-07-24 18:01:31 -04001071 "See LP#404343 and LP#404344."
1072 else:
1073 def test_set_default_verify_paths(self):
1074 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001075 :py:obj:`Context.set_default_verify_paths` causes the platform-specific CA
Jean-Paul Calderone28fb8f02009-07-24 18:01:31 -04001076 certificate locations to be used for verification purposes.
1077 """
1078 # Testing this requires a server with a certificate signed by one of
1079 # the CAs in the platform CA location. Getting one of those costs
1080 # money. Fortunately (or unfortunately, depending on your
1081 # perspective), it's easy to think of a public server on the
1082 # internet which has such a certificate. Connecting to the network
1083 # in a unit test is bad, but it's the only way I can think of to
1084 # really test this. -exarkun
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -04001085
Alex Gaynorb586da32014-11-15 09:22:21 -08001086 # Arg, verisign.com doesn't speak anything newer than TLS 1.0
1087 context = Context(TLSv1_METHOD)
Jean-Paul Calderone28fb8f02009-07-24 18:01:31 -04001088 context.set_default_verify_paths()
1089 context.set_verify(
Ziga Seilnacht44611bf2009-08-31 20:49:30 +02001090 VERIFY_PEER,
Jean-Paul Calderone28fb8f02009-07-24 18:01:31 -04001091 lambda conn, cert, errno, depth, preverify_ok: preverify_ok)
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -04001092
Jean-Paul Calderone28fb8f02009-07-24 18:01:31 -04001093 client = socket()
1094 client.connect(('verisign.com', 443))
1095 clientSSL = Connection(context, client)
1096 clientSSL.set_connect_state()
1097 clientSSL.do_handshake()
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05001098 clientSSL.send(b"GET / HTTP/1.0\r\n\r\n")
Jean-Paul Calderone28fb8f02009-07-24 18:01:31 -04001099 self.assertTrue(clientSSL.recv(1024))
Jean-Paul Calderone9eadb962008-09-07 21:20:44 -04001100
1101
1102 def test_set_default_verify_paths_signature(self):
1103 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001104 :py:obj:`Context.set_default_verify_paths` takes no arguments and raises
1105 :py:obj:`TypeError` if given any.
Jean-Paul Calderone9eadb962008-09-07 21:20:44 -04001106 """
1107 context = Context(TLSv1_METHOD)
1108 self.assertRaises(TypeError, context.set_default_verify_paths, None)
1109 self.assertRaises(TypeError, context.set_default_verify_paths, 1)
1110 self.assertRaises(TypeError, context.set_default_verify_paths, "")
Jean-Paul Calderone327d8f92008-12-28 21:55:56 -05001111
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001112
Jean-Paul Calderone12608a82009-11-07 10:35:15 -05001113 def test_add_extra_chain_cert_invalid_cert(self):
1114 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001115 :py:obj:`Context.add_extra_chain_cert` raises :py:obj:`TypeError` if called with
Jean-Paul Calderone12608a82009-11-07 10:35:15 -05001116 other than one argument or if called with an object which is not an
Jonathan Ballet648875f2011-07-16 14:14:58 +09001117 instance of :py:obj:`X509`.
Jean-Paul Calderone12608a82009-11-07 10:35:15 -05001118 """
1119 context = Context(TLSv1_METHOD)
1120 self.assertRaises(TypeError, context.add_extra_chain_cert)
1121 self.assertRaises(TypeError, context.add_extra_chain_cert, object())
1122 self.assertRaises(TypeError, context.add_extra_chain_cert, object(), object())
1123
1124
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001125 def _handshake_test(self, serverContext, clientContext):
1126 """
1127 Verify that a client and server created with the given contexts can
1128 successfully handshake and communicate.
1129 """
1130 serverSocket, clientSocket = socket_pair()
1131
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04001132 server = Connection(serverContext, serverSocket)
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04001133 server.set_accept_state()
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04001134
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001135 client = Connection(clientContext, clientSocket)
1136 client.set_connect_state()
1137
1138 # Make them talk to each other.
1139 # self._interactInMemory(client, server)
1140 for i in range(3):
1141 for s in [client, server]:
1142 try:
1143 s.do_handshake()
1144 except WantReadError:
1145 pass
1146
1147
Jean-Paul Calderone6a8cd112014-04-02 21:09:08 -04001148 def test_set_verify_callback_connection_argument(self):
1149 """
1150 The first argument passed to the verify callback is the
1151 :py:class:`Connection` instance for which verification is taking place.
1152 """
1153 serverContext = Context(TLSv1_METHOD)
1154 serverContext.use_privatekey(
1155 load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))
1156 serverContext.use_certificate(
1157 load_certificate(FILETYPE_PEM, cleartextCertificatePEM))
1158 serverConnection = Connection(serverContext, None)
1159
1160 class VerifyCallback(object):
1161 def callback(self, connection, *args):
1162 self.connection = connection
1163 return 1
1164
1165 verify = VerifyCallback()
1166 clientContext = Context(TLSv1_METHOD)
1167 clientContext.set_verify(VERIFY_PEER, verify.callback)
1168 clientConnection = Connection(clientContext, None)
1169 clientConnection.set_connect_state()
1170
1171 self._handshakeInMemory(clientConnection, serverConnection)
1172
1173 self.assertIdentical(verify.connection, clientConnection)
1174
1175
Jean-Paul Calderone7e166fe2013-03-06 20:54:38 -08001176 def test_set_verify_callback_exception(self):
1177 """
1178 If the verify callback passed to :py:obj:`Context.set_verify` raises an
1179 exception, verification fails and the exception is propagated to the
1180 caller of :py:obj:`Connection.do_handshake`.
1181 """
1182 serverContext = Context(TLSv1_METHOD)
1183 serverContext.use_privatekey(
1184 load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))
1185 serverContext.use_certificate(
1186 load_certificate(FILETYPE_PEM, cleartextCertificatePEM))
1187
1188 clientContext = Context(TLSv1_METHOD)
1189 def verify_callback(*args):
1190 raise Exception("silly verify failure")
1191 clientContext.set_verify(VERIFY_PEER, verify_callback)
1192
1193 exc = self.assertRaises(
1194 Exception, self._handshake_test, serverContext, clientContext)
1195 self.assertEqual("silly verify failure", str(exc))
1196
1197
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001198 def test_add_extra_chain_cert(self):
1199 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001200 :py:obj:`Context.add_extra_chain_cert` accepts an :py:obj:`X509` instance to add to
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001201 the certificate chain.
1202
Jonathan Ballet648875f2011-07-16 14:14:58 +09001203 See :py:obj:`_create_certificate_chain` for the details of the certificate
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001204 chain tested.
1205
1206 The chain is tested by starting a server with scert and connecting
1207 to it with a client which trusts cacert and requires verification to
1208 succeed.
1209 """
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -04001210 chain = _create_certificate_chain()
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001211 [(cakey, cacert), (ikey, icert), (skey, scert)] = chain
1212
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04001213 # Dump the CA certificate to a file because that's the only way to load
1214 # it as a trusted CA in the client context.
1215 for cert, name in [(cacert, 'ca.pem'), (icert, 'i.pem'), (scert, 's.pem')]:
Jean-Paul Calderonea9868832010-08-22 21:38:34 -04001216 fObj = open(name, 'w')
Jean-Paul Calderoneb1f7f5f2010-08-22 21:40:52 -04001217 fObj.write(dump_certificate(FILETYPE_PEM, cert).decode('ascii'))
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04001218 fObj.close()
1219
1220 for key, name in [(cakey, 'ca.key'), (ikey, 'i.key'), (skey, 's.key')]:
Jean-Paul Calderonea9868832010-08-22 21:38:34 -04001221 fObj = open(name, 'w')
Jean-Paul Calderoneb1f7f5f2010-08-22 21:40:52 -04001222 fObj.write(dump_privatekey(FILETYPE_PEM, key).decode('ascii'))
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04001223 fObj.close()
1224
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001225 # Create the server context
1226 serverContext = Context(TLSv1_METHOD)
1227 serverContext.use_privatekey(skey)
1228 serverContext.use_certificate(scert)
Jean-Paul Calderone16cf03d2010-09-08 18:53:39 -04001229 # The client already has cacert, we only need to give them icert.
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001230 serverContext.add_extra_chain_cert(icert)
1231
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04001232 # Create the client
1233 clientContext = Context(TLSv1_METHOD)
1234 clientContext.set_verify(
1235 VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05001236 clientContext.load_verify_locations(b"ca.pem")
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04001237
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001238 # Try it out.
1239 self._handshake_test(serverContext, clientContext)
1240
1241
Jean-Paul Calderoneaac43a32015-04-12 09:51:21 -04001242 def _use_certificate_chain_file_test(self, certdir):
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001243 """
Jean-Paul Calderoneaac43a32015-04-12 09:51:21 -04001244 Verify that :py:obj:`Context.use_certificate_chain_file` reads a
1245 certificate chain from a specified file.
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001246
Jean-Paul Calderoneaac43a32015-04-12 09:51:21 -04001247 The chain is tested by starting a server with scert and connecting to
1248 it with a client which trusts cacert and requires verification to
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001249 succeed.
1250 """
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -04001251 chain = _create_certificate_chain()
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001252 [(cakey, cacert), (ikey, icert), (skey, scert)] = chain
1253
Jean-Paul Calderoneaac43a32015-04-12 09:51:21 -04001254 makedirs(certdir)
1255
Jean-Paul Calderone05826732015-04-12 11:38:49 -04001256 chainFile = join_bytes_or_unicode(certdir, "chain.pem")
1257 caFile = join_bytes_or_unicode(certdir, "ca.pem")
Jean-Paul Calderoneaac43a32015-04-12 09:51:21 -04001258
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001259 # Write out the chain file.
Jean-Paul Calderoneaac43a32015-04-12 09:51:21 -04001260 with open(chainFile, 'wb') as fObj:
1261 # Most specific to least general.
1262 fObj.write(dump_certificate(FILETYPE_PEM, scert))
1263 fObj.write(dump_certificate(FILETYPE_PEM, icert))
1264 fObj.write(dump_certificate(FILETYPE_PEM, cacert))
1265
1266 with open(caFile, 'w') as fObj:
1267 fObj.write(dump_certificate(FILETYPE_PEM, cacert).decode('ascii'))
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001268
1269 serverContext = Context(TLSv1_METHOD)
1270 serverContext.use_certificate_chain_file(chainFile)
1271 serverContext.use_privatekey(skey)
1272
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001273 clientContext = Context(TLSv1_METHOD)
1274 clientContext.set_verify(
1275 VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)
Jean-Paul Calderoneaac43a32015-04-12 09:51:21 -04001276 clientContext.load_verify_locations(caFile)
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001277
1278 self._handshake_test(serverContext, clientContext)
1279
Jean-Paul Calderone131052e2013-03-05 11:56:19 -08001280
Jean-Paul Calderoneaac43a32015-04-12 09:51:21 -04001281 def test_use_certificate_chain_file_bytes(self):
1282 """
1283 ``Context.use_certificate_chain_file`` accepts the name of a file (as
1284 an instance of ``bytes``) to specify additional certificates to use to
1285 construct and verify a trust chain.
1286 """
1287 self._use_certificate_chain_file_test(
1288 self.mktemp() + NON_ASCII.encode(getfilesystemencoding())
1289 )
1290
1291
1292 def test_use_certificate_chain_file_unicode(self):
1293 """
1294 ``Context.use_certificate_chain_file`` accepts the name of a file (as
1295 an instance of ``unicode``) to specify additional certificates to use
1296 to construct and verify a trust chain.
1297 """
1298 self._use_certificate_chain_file_test(
1299 self.mktemp().decode(getfilesystemencoding()) + NON_ASCII
1300 )
1301
1302
Jean-Paul Calderone131052e2013-03-05 11:56:19 -08001303 def test_use_certificate_chain_file_wrong_args(self):
1304 """
1305 :py:obj:`Context.use_certificate_chain_file` raises :py:obj:`TypeError`
1306 if passed zero or more than one argument or when passed a non-byte
1307 string single argument. It also raises :py:obj:`OpenSSL.SSL.Error` when
1308 passed a bad chain file name (for example, the name of a file which does
1309 not exist).
1310 """
1311 context = Context(TLSv1_METHOD)
1312 self.assertRaises(TypeError, context.use_certificate_chain_file)
1313 self.assertRaises(TypeError, context.use_certificate_chain_file, object())
1314 self.assertRaises(TypeError, context.use_certificate_chain_file, b"foo", object())
1315
1316 self.assertRaises(Error, context.use_certificate_chain_file, self.mktemp())
1317
Jean-Paul Calderonee0d79362010-08-03 18:46:46 -04001318 # XXX load_client_ca
1319 # XXX set_session_id
Jean-Paul Calderone0294e3d2010-09-09 18:17:48 -04001320
1321 def test_get_verify_mode_wrong_args(self):
1322 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001323 :py:obj:`Context.get_verify_mode` raises :py:obj:`TypeError` if called with any
Jean-Paul Calderone0294e3d2010-09-09 18:17:48 -04001324 arguments.
1325 """
1326 context = Context(TLSv1_METHOD)
1327 self.assertRaises(TypeError, context.get_verify_mode, None)
1328
1329
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05001330 def test_set_verify_mode(self):
Jean-Paul Calderone0294e3d2010-09-09 18:17:48 -04001331 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001332 :py:obj:`Context.get_verify_mode` returns the verify mode flags previously
1333 passed to :py:obj:`Context.set_verify`.
Jean-Paul Calderone0294e3d2010-09-09 18:17:48 -04001334 """
1335 context = Context(TLSv1_METHOD)
1336 self.assertEquals(context.get_verify_mode(), 0)
1337 context.set_verify(
1338 VERIFY_PEER | VERIFY_CLIENT_ONCE, lambda *args: None)
1339 self.assertEquals(
1340 context.get_verify_mode(), VERIFY_PEER | VERIFY_CLIENT_ONCE)
1341
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001342
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05001343 if not PY3:
1344 def test_set_verify_mode_long(self):
1345 """
1346 On Python 2 :py:obj:`Context.set_verify_mode` accepts values of
1347 type :py:obj:`long` as well as :py:obj:`int`.
1348 """
1349 context = Context(TLSv1_METHOD)
1350 self.assertEquals(context.get_verify_mode(), 0)
1351 context.set_verify(
1352 long(VERIFY_PEER | VERIFY_CLIENT_ONCE), lambda *args: None)
1353 self.assertEquals(
1354 context.get_verify_mode(), VERIFY_PEER | VERIFY_CLIENT_ONCE)
1355
1356
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001357 def test_load_tmp_dh_wrong_args(self):
1358 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001359 :py:obj:`Context.load_tmp_dh` raises :py:obj:`TypeError` if called with the wrong
1360 number of arguments or with a non-:py:obj:`str` argument.
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001361 """
1362 context = Context(TLSv1_METHOD)
1363 self.assertRaises(TypeError, context.load_tmp_dh)
1364 self.assertRaises(TypeError, context.load_tmp_dh, "foo", None)
1365 self.assertRaises(TypeError, context.load_tmp_dh, object())
1366
1367
1368 def test_load_tmp_dh_missing_file(self):
1369 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001370 :py:obj:`Context.load_tmp_dh` raises :py:obj:`OpenSSL.SSL.Error` if the specified file
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001371 does not exist.
1372 """
1373 context = Context(TLSv1_METHOD)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05001374 self.assertRaises(Error, context.load_tmp_dh, b"hello")
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001375
1376
Jean-Paul Calderone9e1c1dd2015-04-12 10:13:13 -04001377 def _load_tmp_dh_test(self, dhfilename):
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001378 context = Context(TLSv1_METHOD)
Jean-Paul Calderone9e1c1dd2015-04-12 10:13:13 -04001379 with open(dhfilename, "w") as dhfile:
1380 dhfile.write(dhparam)
1381
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001382 context.load_tmp_dh(dhfilename)
1383 # XXX What should I assert here? -exarkun
1384
1385
Jean-Paul Calderone9e1c1dd2015-04-12 10:13:13 -04001386 def test_load_tmp_dh_bytes(self):
1387 """
1388 :py:obj:`Context.load_tmp_dh` loads Diffie-Hellman parameters from the
1389 specified file (given as ``bytes``).
1390 """
1391 self._load_tmp_dh_test(
1392 self.mktemp() + NON_ASCII.encode(getfilesystemencoding()),
1393 )
1394
1395
1396 def test_load_tmp_dh_unicode(self):
1397 """
1398 :py:obj:`Context.load_tmp_dh` loads Diffie-Hellman parameters from the
1399 specified file (given as ``unicode``).
1400 """
1401 self._load_tmp_dh_test(
1402 self.mktemp().decode(getfilesystemencoding()) + NON_ASCII,
1403 )
1404
1405
Jean-Paul Calderone3e4e3352014-04-19 09:28:28 -04001406 def test_set_tmp_ecdh(self):
Andy Lutomirskif05a2732014-03-13 17:22:25 -07001407 """
Jean-Paul Calderone3e4e3352014-04-19 09:28:28 -04001408 :py:obj:`Context.set_tmp_ecdh` sets the elliptic curve for
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -04001409 Diffie-Hellman to the specified curve.
Andy Lutomirskif05a2732014-03-13 17:22:25 -07001410 """
1411 context = Context(TLSv1_METHOD)
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -04001412 for curve in get_elliptic_curves():
1413 # The only easily "assertable" thing is that it does not raise an
1414 # exception.
Jean-Paul Calderone3e4e3352014-04-19 09:28:28 -04001415 context.set_tmp_ecdh(curve)
Alex Gaynor12dc0842014-01-17 12:51:31 -06001416
1417
Jean-Paul Calderone63eab692014-01-18 10:19:56 -05001418 def test_set_cipher_list_bytes(self):
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001419 """
Jean-Paul Calderone63eab692014-01-18 10:19:56 -05001420 :py:obj:`Context.set_cipher_list` accepts a :py:obj:`bytes` naming the
1421 ciphers which connections created with the context object will be able
1422 to choose from.
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001423 """
1424 context = Context(TLSv1_METHOD)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05001425 context.set_cipher_list(b"hello world:EXP-RC4-MD5")
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001426 conn = Connection(context, None)
1427 self.assertEquals(conn.get_cipher_list(), ["EXP-RC4-MD5"])
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04001428
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04001429
Jean-Paul Calderone63eab692014-01-18 10:19:56 -05001430 def test_set_cipher_list_text(self):
1431 """
1432 :py:obj:`Context.set_cipher_list` accepts a :py:obj:`unicode` naming
1433 the ciphers which connections created with the context object will be
1434 able to choose from.
1435 """
1436 context = Context(TLSv1_METHOD)
Jean-Paul Calderonec76c61c2014-01-18 13:21:52 -05001437 context.set_cipher_list(u("hello world:EXP-RC4-MD5"))
Jean-Paul Calderone63eab692014-01-18 10:19:56 -05001438 conn = Connection(context, None)
1439 self.assertEquals(conn.get_cipher_list(), ["EXP-RC4-MD5"])
1440
1441
Jean-Paul Calderone131052e2013-03-05 11:56:19 -08001442 def test_set_cipher_list_wrong_args(self):
1443 """
Jean-Paul Calderone17044832014-01-18 10:20:11 -05001444 :py:obj:`Context.set_cipher_list` raises :py:obj:`TypeError` when
1445 passed zero arguments or more than one argument or when passed a
1446 non-string single argument and raises :py:obj:`OpenSSL.SSL.Error` when
Jean-Paul Calderone131052e2013-03-05 11:56:19 -08001447 passed an incorrect cipher list string.
1448 """
1449 context = Context(TLSv1_METHOD)
1450 self.assertRaises(TypeError, context.set_cipher_list)
1451 self.assertRaises(TypeError, context.set_cipher_list, object())
1452 self.assertRaises(TypeError, context.set_cipher_list, b"EXP-RC4-MD5", object())
1453
Jean-Paul Calderone63eab692014-01-18 10:19:56 -05001454 self.assertRaises(Error, context.set_cipher_list, "imaginary-cipher")
Jean-Paul Calderone131052e2013-03-05 11:56:19 -08001455
1456
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05001457 def test_set_session_cache_mode_wrong_args(self):
1458 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05001459 :py:obj:`Context.set_session_cache_mode` raises :py:obj:`TypeError` if
1460 called with other than one integer argument.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05001461 """
1462 context = Context(TLSv1_METHOD)
1463 self.assertRaises(TypeError, context.set_session_cache_mode)
1464 self.assertRaises(TypeError, context.set_session_cache_mode, object())
1465
1466
1467 def test_get_session_cache_mode_wrong_args(self):
1468 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05001469 :py:obj:`Context.get_session_cache_mode` raises :py:obj:`TypeError` if
1470 called with any arguments.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05001471 """
1472 context = Context(TLSv1_METHOD)
1473 self.assertRaises(TypeError, context.get_session_cache_mode, 1)
1474
1475
1476 def test_session_cache_mode(self):
1477 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05001478 :py:obj:`Context.set_session_cache_mode` specifies how sessions are
1479 cached. The setting can be retrieved via
1480 :py:obj:`Context.get_session_cache_mode`.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05001481 """
1482 context = Context(TLSv1_METHOD)
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05001483 context.set_session_cache_mode(SESS_CACHE_OFF)
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05001484 off = context.set_session_cache_mode(SESS_CACHE_BOTH)
1485 self.assertEqual(SESS_CACHE_OFF, off)
1486 self.assertEqual(SESS_CACHE_BOTH, context.get_session_cache_mode())
1487
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05001488 if not PY3:
1489 def test_session_cache_mode_long(self):
1490 """
1491 On Python 2 :py:obj:`Context.set_session_cache_mode` accepts values
1492 of type :py:obj:`long` as well as :py:obj:`int`.
1493 """
1494 context = Context(TLSv1_METHOD)
1495 context.set_session_cache_mode(long(SESS_CACHE_BOTH))
1496 self.assertEqual(
1497 SESS_CACHE_BOTH, context.get_session_cache_mode())
1498
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05001499
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -08001500 def test_get_cert_store(self):
1501 """
1502 :py:obj:`Context.get_cert_store` returns a :py:obj:`X509Store` instance.
1503 """
1504 context = Context(TLSv1_METHOD)
1505 store = context.get_cert_store()
1506 self.assertIsInstance(store, X509Store)
1507
1508
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04001509
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001510class ServerNameCallbackTests(TestCase, _LoopbackMixin):
1511 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001512 Tests for :py:obj:`Context.set_tlsext_servername_callback` and its interaction with
1513 :py:obj:`Connection`.
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001514 """
1515 def test_wrong_args(self):
1516 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001517 :py:obj:`Context.set_tlsext_servername_callback` raises :py:obj:`TypeError` if called
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001518 with other than one argument.
1519 """
1520 context = Context(TLSv1_METHOD)
1521 self.assertRaises(TypeError, context.set_tlsext_servername_callback)
1522 self.assertRaises(
1523 TypeError, context.set_tlsext_servername_callback, 1, 2)
1524
Jean-Paul Calderone4c1aacd2014-01-11 08:15:17 -05001525
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001526 def test_old_callback_forgotten(self):
1527 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001528 If :py:obj:`Context.set_tlsext_servername_callback` is used to specify a new
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001529 callback, the one it replaces is dereferenced.
1530 """
1531 def callback(connection):
1532 pass
1533
1534 def replacement(connection):
1535 pass
1536
1537 context = Context(TLSv1_METHOD)
1538 context.set_tlsext_servername_callback(callback)
1539
1540 tracker = ref(callback)
1541 del callback
1542
1543 context.set_tlsext_servername_callback(replacement)
Jean-Paul Calderoned4033eb2014-01-11 08:21:46 -05001544
1545 # One run of the garbage collector happens to work on CPython. PyPy
1546 # doesn't collect the underlying object until a second run for whatever
1547 # reason. That's fine, it still demonstrates our code has properly
1548 # dropped the reference.
1549 collect()
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001550 collect()
Jean-Paul Calderone4c1aacd2014-01-11 08:15:17 -05001551
1552 callback = tracker()
1553 if callback is not None:
1554 referrers = get_referrers(callback)
Jean-Paul Calderone7de39562014-01-11 08:17:59 -05001555 if len(referrers) > 1:
Jean-Paul Calderone4c1aacd2014-01-11 08:15:17 -05001556 self.fail("Some references remain: %r" % (referrers,))
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001557
1558
1559 def test_no_servername(self):
1560 """
1561 When a client specifies no server name, the callback passed to
Jonathan Ballet648875f2011-07-16 14:14:58 +09001562 :py:obj:`Context.set_tlsext_servername_callback` is invoked and the result of
1563 :py:obj:`Connection.get_servername` is :py:obj:`None`.
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001564 """
1565 args = []
1566 def servername(conn):
1567 args.append((conn, conn.get_servername()))
1568 context = Context(TLSv1_METHOD)
1569 context.set_tlsext_servername_callback(servername)
1570
1571 # Lose our reference to it. The Context is responsible for keeping it
1572 # alive now.
1573 del servername
1574 collect()
1575
1576 # Necessary to actually accept the connection
1577 context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
1578 context.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
1579
1580 # Do a little connection to trigger the logic
1581 server = Connection(context, None)
1582 server.set_accept_state()
1583
1584 client = Connection(Context(TLSv1_METHOD), None)
1585 client.set_connect_state()
1586
1587 self._interactInMemory(server, client)
1588
1589 self.assertEqual([(server, None)], args)
1590
1591
1592 def test_servername(self):
1593 """
1594 When a client specifies a server name in its hello message, the callback
Jonathan Ballet648875f2011-07-16 14:14:58 +09001595 passed to :py:obj:`Contexts.set_tlsext_servername_callback` is invoked and the
1596 result of :py:obj:`Connection.get_servername` is that server name.
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001597 """
1598 args = []
1599 def servername(conn):
1600 args.append((conn, conn.get_servername()))
1601 context = Context(TLSv1_METHOD)
1602 context.set_tlsext_servername_callback(servername)
1603
1604 # Necessary to actually accept the connection
1605 context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
1606 context.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
1607
1608 # Do a little connection to trigger the logic
1609 server = Connection(context, None)
1610 server.set_accept_state()
1611
1612 client = Connection(Context(TLSv1_METHOD), None)
1613 client.set_connect_state()
1614 client.set_tlsext_host_name(b("foo1.example.com"))
1615
1616 self._interactInMemory(server, client)
1617
1618 self.assertEqual([(server, b("foo1.example.com"))], args)
1619
1620
Cory Benfield84a121e2014-03-31 20:30:25 +01001621class NextProtoNegotiationTests(TestCase, _LoopbackMixin):
1622 """
1623 Test for Next Protocol Negotiation in PyOpenSSL.
1624 """
1625 def test_npn_success(self):
Cory Benfieldbe3e7b82014-05-10 09:48:55 +01001626 """
1627 Tests that clients and servers that agree on the negotiated next
1628 protocol can correct establish a connection, and that the agreed
1629 protocol is reported by the connections.
1630 """
1631 advertise_args = []
Cory Benfield84a121e2014-03-31 20:30:25 +01001632 select_args = []
1633 def advertise(conn):
1634 advertise_args.append((conn,))
Cory Benfieldbe3e7b82014-05-10 09:48:55 +01001635 return [b'http/1.1', b'spdy/2']
Cory Benfield84a121e2014-03-31 20:30:25 +01001636 def select(conn, options):
1637 select_args.append((conn, options))
Cory Benfieldbe3e7b82014-05-10 09:48:55 +01001638 return b'spdy/2'
Cory Benfield84a121e2014-03-31 20:30:25 +01001639
1640 server_context = Context(TLSv1_METHOD)
1641 server_context.set_npn_advertise_callback(advertise)
1642
1643 client_context = Context(TLSv1_METHOD)
1644 client_context.set_npn_select_callback(select)
1645
1646 # Necessary to actually accept the connection
1647 server_context.use_privatekey(
1648 load_privatekey(FILETYPE_PEM, server_key_pem))
1649 server_context.use_certificate(
1650 load_certificate(FILETYPE_PEM, server_cert_pem))
1651
1652 # Do a little connection to trigger the logic
1653 server = Connection(server_context, None)
1654 server.set_accept_state()
1655
1656 client = Connection(client_context, None)
1657 client.set_connect_state()
1658
1659 self._interactInMemory(server, client)
1660
1661 self.assertEqual([(server,)], advertise_args)
Cory Benfieldbe3e7b82014-05-10 09:48:55 +01001662 self.assertEqual([(client, [b'http/1.1', b'spdy/2'])], select_args)
Cory Benfield84a121e2014-03-31 20:30:25 +01001663
Cory Benfieldbe3e7b82014-05-10 09:48:55 +01001664 self.assertEqual(server.get_next_proto_negotiated(), b'spdy/2')
1665 self.assertEqual(client.get_next_proto_negotiated(), b'spdy/2')
Cory Benfield84a121e2014-03-31 20:30:25 +01001666
1667
1668 def test_npn_client_fail(self):
Cory Benfieldbe3e7b82014-05-10 09:48:55 +01001669 """
1670 Tests that when clients and servers cannot agree on what protocol to
1671 use next that the TLS connection does not get established.
1672 """
1673 advertise_args = []
Cory Benfield84a121e2014-03-31 20:30:25 +01001674 select_args = []
1675 def advertise(conn):
1676 advertise_args.append((conn,))
Cory Benfieldbe3e7b82014-05-10 09:48:55 +01001677 return [b'http/1.1', b'spdy/2']
Cory Benfield84a121e2014-03-31 20:30:25 +01001678 def select(conn, options):
1679 select_args.append((conn, options))
Cory Benfieldbe3e7b82014-05-10 09:48:55 +01001680 return b''
Cory Benfield84a121e2014-03-31 20:30:25 +01001681
1682 server_context = Context(TLSv1_METHOD)
1683 server_context.set_npn_advertise_callback(advertise)
1684
1685 client_context = Context(TLSv1_METHOD)
1686 client_context.set_npn_select_callback(select)
1687
1688 # Necessary to actually accept the connection
1689 server_context.use_privatekey(
1690 load_privatekey(FILETYPE_PEM, server_key_pem))
1691 server_context.use_certificate(
1692 load_certificate(FILETYPE_PEM, server_cert_pem))
1693
1694 # Do a little connection to trigger the logic
1695 server = Connection(server_context, None)
1696 server.set_accept_state()
1697
1698 client = Connection(client_context, None)
1699 client.set_connect_state()
1700
1701 # If the client doesn't return anything, the connection will fail.
1702 self.assertRaises(Error, self._interactInMemory, server, client)
1703
1704 self.assertEqual([(server,)], advertise_args)
Cory Benfieldbe3e7b82014-05-10 09:48:55 +01001705 self.assertEqual([(client, [b'http/1.1', b'spdy/2'])], select_args)
Cory Benfield84a121e2014-03-31 20:30:25 +01001706
1707
Cory Benfield0ea76e72015-03-22 09:05:28 +00001708 def test_npn_select_error(self):
1709 """
1710 Test that we can handle exceptions in the select callback. If select
1711 fails it should be fatal to the connection.
1712 """
1713 advertise_args = []
1714 def advertise(conn):
1715 advertise_args.append((conn,))
1716 return [b'http/1.1', b'spdy/2']
1717 def select(conn, options):
1718 raise TypeError
1719
1720 server_context = Context(TLSv1_METHOD)
1721 server_context.set_npn_advertise_callback(advertise)
1722
1723 client_context = Context(TLSv1_METHOD)
1724 client_context.set_npn_select_callback(select)
1725
1726 # Necessary to actually accept the connection
1727 server_context.use_privatekey(
1728 load_privatekey(FILETYPE_PEM, server_key_pem))
1729 server_context.use_certificate(
1730 load_certificate(FILETYPE_PEM, server_cert_pem))
1731
1732 # Do a little connection to trigger the logic
1733 server = Connection(server_context, None)
1734 server.set_accept_state()
1735
1736 client = Connection(client_context, None)
1737 client.set_connect_state()
1738
1739 # If the callback throws an exception it should be raised here.
1740 self.assertRaises(TypeError, self._interactInMemory, server, client)
1741 self.assertEqual([(server,)], advertise_args)
1742
1743
1744 def test_npn_advertise_error(self):
1745 """
1746 Test that we can handle exceptions in the advertise callback. If
1747 advertise fails no NPN is advertised to the client.
1748 """
1749 select_args = []
1750 def advertise(conn):
1751 raise TypeError
1752 def select(conn, options):
1753 select_args.append((conn, options))
1754 return b''
1755
1756 server_context = Context(TLSv1_METHOD)
1757 server_context.set_npn_advertise_callback(advertise)
1758
1759 client_context = Context(TLSv1_METHOD)
1760 client_context.set_npn_select_callback(select)
1761
1762 # Necessary to actually accept the connection
1763 server_context.use_privatekey(
1764 load_privatekey(FILETYPE_PEM, server_key_pem))
1765 server_context.use_certificate(
1766 load_certificate(FILETYPE_PEM, server_cert_pem))
1767
1768 # Do a little connection to trigger the logic
1769 server = Connection(server_context, None)
1770 server.set_accept_state()
1771
1772 client = Connection(client_context, None)
1773 client.set_connect_state()
1774
1775 # If the client doesn't return anything, the connection will fail.
1776 self.assertRaises(TypeError, self._interactInMemory, server, client)
1777 self.assertEqual([], select_args)
1778
1779
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001780
Jean-Paul Calderonee0fcf512012-02-13 09:10:15 -05001781class SessionTests(TestCase):
1782 """
1783 Unit tests for :py:obj:`OpenSSL.SSL.Session`.
1784 """
1785 def test_construction(self):
1786 """
1787 :py:class:`Session` can be constructed with no arguments, creating a new
1788 instance of that type.
1789 """
1790 new_session = Session()
1791 self.assertTrue(isinstance(new_session, Session))
1792
1793
1794 def test_construction_wrong_args(self):
1795 """
1796 If any arguments are passed to :py:class:`Session`, :py:obj:`TypeError`
1797 is raised.
1798 """
1799 self.assertRaises(TypeError, Session, 123)
1800 self.assertRaises(TypeError, Session, "hello")
1801 self.assertRaises(TypeError, Session, object())
1802
1803
1804
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04001805class ConnectionTests(TestCase, _LoopbackMixin):
Rick Deane15b1472009-07-09 15:53:42 -05001806 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001807 Unit tests for :py:obj:`OpenSSL.SSL.Connection`.
Rick Deane15b1472009-07-09 15:53:42 -05001808 """
Jean-Paul Calderone541eaf22010-09-09 18:55:08 -04001809 # XXX get_peer_certificate -> None
1810 # XXX sock_shutdown
1811 # XXX master_key -> TypeError
1812 # XXX server_random -> TypeError
1813 # XXX state_string
1814 # XXX connect -> TypeError
1815 # XXX connect_ex -> TypeError
1816 # XXX set_connect_state -> TypeError
1817 # XXX set_accept_state -> TypeError
1818 # XXX renegotiate_pending
1819 # XXX do_handshake -> TypeError
1820 # XXX bio_read -> TypeError
1821 # XXX recv -> TypeError
1822 # XXX send -> TypeError
1823 # XXX bio_write -> TypeError
1824
Rick Deane15b1472009-07-09 15:53:42 -05001825 def test_type(self):
1826 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001827 :py:obj:`Connection` and :py:obj:`ConnectionType` refer to the same type object and
Jean-Paul Calderone68649052009-07-17 21:14:27 -04001828 can be used to create instances of that type.
Rick Deane15b1472009-07-09 15:53:42 -05001829 """
Jean-Paul Calderone68649052009-07-17 21:14:27 -04001830 self.assertIdentical(Connection, ConnectionType)
Rick Deane15b1472009-07-09 15:53:42 -05001831 ctx = Context(TLSv1_METHOD)
Jean-Paul Calderone68649052009-07-17 21:14:27 -04001832 self.assertConsistentType(Connection, 'Connection', ctx, None)
Rick Deane15b1472009-07-09 15:53:42 -05001833
Jean-Paul Calderone68649052009-07-17 21:14:27 -04001834
Jean-Paul Calderone4fd058a2009-11-22 11:46:42 -05001835 def test_get_context(self):
1836 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001837 :py:obj:`Connection.get_context` returns the :py:obj:`Context` instance used to
1838 construct the :py:obj:`Connection` instance.
Jean-Paul Calderone4fd058a2009-11-22 11:46:42 -05001839 """
1840 context = Context(TLSv1_METHOD)
1841 connection = Connection(context, None)
1842 self.assertIdentical(connection.get_context(), context)
1843
1844
1845 def test_get_context_wrong_args(self):
1846 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001847 :py:obj:`Connection.get_context` raises :py:obj:`TypeError` if called with any
Jean-Paul Calderone4fd058a2009-11-22 11:46:42 -05001848 arguments.
1849 """
1850 connection = Connection(Context(TLSv1_METHOD), None)
1851 self.assertRaises(TypeError, connection.get_context, None)
1852
1853
Jean-Paul Calderone95613b72011-05-25 22:30:21 -04001854 def test_set_context_wrong_args(self):
1855 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001856 :py:obj:`Connection.set_context` raises :py:obj:`TypeError` if called with a
1857 non-:py:obj:`Context` instance argument or with any number of arguments other
Jean-Paul Calderone95613b72011-05-25 22:30:21 -04001858 than 1.
1859 """
1860 ctx = Context(TLSv1_METHOD)
1861 connection = Connection(ctx, None)
1862 self.assertRaises(TypeError, connection.set_context)
1863 self.assertRaises(TypeError, connection.set_context, object())
1864 self.assertRaises(TypeError, connection.set_context, "hello")
1865 self.assertRaises(TypeError, connection.set_context, 1)
1866 self.assertRaises(TypeError, connection.set_context, 1, 2)
1867 self.assertRaises(
1868 TypeError, connection.set_context, Context(TLSv1_METHOD), 2)
1869 self.assertIdentical(ctx, connection.get_context())
1870
1871
1872 def test_set_context(self):
1873 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001874 :py:obj:`Connection.set_context` specifies a new :py:obj:`Context` instance to be used
Jean-Paul Calderone95613b72011-05-25 22:30:21 -04001875 for the connection.
1876 """
1877 original = Context(SSLv23_METHOD)
1878 replacement = Context(TLSv1_METHOD)
1879 connection = Connection(original, None)
1880 connection.set_context(replacement)
1881 self.assertIdentical(replacement, connection.get_context())
1882 # Lose our references to the contexts, just in case the Connection isn't
1883 # properly managing its own contributions to their reference counts.
1884 del original, replacement
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001885 collect()
1886
1887
1888 def test_set_tlsext_host_name_wrong_args(self):
1889 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001890 If :py:obj:`Connection.set_tlsext_host_name` is called with a non-byte string
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001891 argument or a byte string with an embedded NUL or other than one
Jonathan Ballet648875f2011-07-16 14:14:58 +09001892 argument, :py:obj:`TypeError` is raised.
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001893 """
1894 conn = Connection(Context(TLSv1_METHOD), None)
1895 self.assertRaises(TypeError, conn.set_tlsext_host_name)
1896 self.assertRaises(TypeError, conn.set_tlsext_host_name, object())
1897 self.assertRaises(TypeError, conn.set_tlsext_host_name, 123, 456)
1898 self.assertRaises(
1899 TypeError, conn.set_tlsext_host_name, b("with\0null"))
1900
1901 if version_info >= (3,):
1902 # On Python 3.x, don't accidentally implicitly convert from text.
1903 self.assertRaises(
1904 TypeError,
1905 conn.set_tlsext_host_name, b("example.com").decode("ascii"))
Jean-Paul Calderone95613b72011-05-25 22:30:21 -04001906
1907
Jean-Paul Calderone871a4d82011-05-26 19:24:02 -04001908 def test_get_servername_wrong_args(self):
1909 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001910 :py:obj:`Connection.get_servername` raises :py:obj:`TypeError` if called with any
Jean-Paul Calderone871a4d82011-05-26 19:24:02 -04001911 arguments.
1912 """
1913 connection = Connection(Context(TLSv1_METHOD), None)
1914 self.assertRaises(TypeError, connection.get_servername, object())
1915 self.assertRaises(TypeError, connection.get_servername, 1)
1916 self.assertRaises(TypeError, connection.get_servername, "hello")
1917
1918
Jean-Paul Calderone1d69a722010-07-29 09:05:53 -04001919 def test_pending(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001920 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001921 :py:obj:`Connection.pending` returns the number of bytes available for
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001922 immediate read.
1923 """
Jean-Paul Calderone1d69a722010-07-29 09:05:53 -04001924 connection = Connection(Context(TLSv1_METHOD), None)
1925 self.assertEquals(connection.pending(), 0)
1926
1927
1928 def test_pending_wrong_args(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001929 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001930 :py:obj:`Connection.pending` raises :py:obj:`TypeError` if called with any arguments.
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001931 """
Jean-Paul Calderone1d69a722010-07-29 09:05:53 -04001932 connection = Connection(Context(TLSv1_METHOD), None)
1933 self.assertRaises(TypeError, connection.pending, None)
1934
1935
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04001936 def test_connect_wrong_args(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001937 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001938 :py:obj:`Connection.connect` raises :py:obj:`TypeError` if called with a non-address
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001939 argument or with the wrong number of arguments.
1940 """
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04001941 connection = Connection(Context(TLSv1_METHOD), socket())
1942 self.assertRaises(TypeError, connection.connect, None)
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001943 self.assertRaises(TypeError, connection.connect)
1944 self.assertRaises(TypeError, connection.connect, ("127.0.0.1", 1), None)
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04001945
1946
Jean-Paul Calderone8bdeba22010-07-29 09:45:07 -04001947 def test_connect_refused(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001948 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001949 :py:obj:`Connection.connect` raises :py:obj:`socket.error` if the underlying socket
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001950 connect method raises it.
1951 """
Jean-Paul Calderone8bdeba22010-07-29 09:45:07 -04001952 client = socket()
1953 context = Context(TLSv1_METHOD)
1954 clientSSL = Connection(context, client)
1955 exc = self.assertRaises(error, clientSSL.connect, ("127.0.0.1", 1))
Jean-Paul Calderone35adf9d2010-07-29 18:40:44 -04001956 self.assertEquals(exc.args[0], ECONNREFUSED)
Jean-Paul Calderone8bdeba22010-07-29 09:45:07 -04001957
1958
1959 def test_connect(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001960 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001961 :py:obj:`Connection.connect` establishes a connection to the specified address.
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001962 """
Jean-Paul Calderone0bcb0e02010-07-29 09:49:59 -04001963 port = socket()
1964 port.bind(('', 0))
1965 port.listen(3)
1966
1967 clientSSL = Connection(Context(TLSv1_METHOD), socket())
Jean-Paul Calderoneb6e0fd92010-09-19 09:22:13 -04001968 clientSSL.connect(('127.0.0.1', port.getsockname()[1]))
1969 # XXX An assertion? Or something?
Jean-Paul Calderone0bcb0e02010-07-29 09:49:59 -04001970
1971
Jean-Paul Calderone7b614872010-09-24 17:43:44 -04001972 if platform == "darwin":
1973 "connect_ex sometimes causes a kernel panic on OS X 10.6.4"
1974 else:
1975 def test_connect_ex(self):
1976 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001977 If there is a connection error, :py:obj:`Connection.connect_ex` returns the
Jean-Paul Calderone7b614872010-09-24 17:43:44 -04001978 errno instead of raising an exception.
1979 """
1980 port = socket()
1981 port.bind(('', 0))
1982 port.listen(3)
Jean-Paul Calderone55d91f42010-07-29 19:22:17 -04001983
Jean-Paul Calderone7b614872010-09-24 17:43:44 -04001984 clientSSL = Connection(Context(TLSv1_METHOD), socket())
1985 clientSSL.setblocking(False)
1986 result = clientSSL.connect_ex(port.getsockname())
1987 expected = (EINPROGRESS, EWOULDBLOCK)
1988 self.assertTrue(
1989 result in expected, "%r not in %r" % (result, expected))
Jean-Paul Calderone55d91f42010-07-29 19:22:17 -04001990
1991
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04001992 def test_accept_wrong_args(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001993 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001994 :py:obj:`Connection.accept` raises :py:obj:`TypeError` if called with any arguments.
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04001995 """
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04001996 connection = Connection(Context(TLSv1_METHOD), socket())
1997 self.assertRaises(TypeError, connection.accept, None)
1998
1999
Jean-Paul Calderone0bcb0e02010-07-29 09:49:59 -04002000 def test_accept(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002001 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002002 :py:obj:`Connection.accept` accepts a pending connection attempt and returns a
2003 tuple of a new :py:obj:`Connection` (the accepted client) and the address the
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002004 connection originated from.
2005 """
Jean-Paul Calderone8bdeba22010-07-29 09:45:07 -04002006 ctx = Context(TLSv1_METHOD)
2007 ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
2008 ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
Jean-Paul Calderone0bcb0e02010-07-29 09:49:59 -04002009 port = socket()
2010 portSSL = Connection(ctx, port)
2011 portSSL.bind(('', 0))
2012 portSSL.listen(3)
Jean-Paul Calderone8bdeba22010-07-29 09:45:07 -04002013
Jean-Paul Calderone0bcb0e02010-07-29 09:49:59 -04002014 clientSSL = Connection(Context(TLSv1_METHOD), socket())
Jean-Paul Calderoneb6e0fd92010-09-19 09:22:13 -04002015
2016 # Calling portSSL.getsockname() here to get the server IP address sounds
2017 # great, but frequently fails on Windows.
2018 clientSSL.connect(('127.0.0.1', portSSL.getsockname()[1]))
Jean-Paul Calderone8bdeba22010-07-29 09:45:07 -04002019
Jean-Paul Calderone0bcb0e02010-07-29 09:49:59 -04002020 serverSSL, address = portSSL.accept()
2021
2022 self.assertTrue(isinstance(serverSSL, Connection))
2023 self.assertIdentical(serverSSL.get_context(), ctx)
2024 self.assertEquals(address, clientSSL.getsockname())
Jean-Paul Calderone8bdeba22010-07-29 09:45:07 -04002025
2026
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002027 def test_shutdown_wrong_args(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002028 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002029 :py:obj:`Connection.shutdown` raises :py:obj:`TypeError` if called with the wrong
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002030 number of arguments or with arguments other than integers.
2031 """
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002032 connection = Connection(Context(TLSv1_METHOD), None)
2033 self.assertRaises(TypeError, connection.shutdown, None)
Jean-Paul Calderone1d3e0222010-07-29 22:52:45 -04002034 self.assertRaises(TypeError, connection.get_shutdown, None)
2035 self.assertRaises(TypeError, connection.set_shutdown)
2036 self.assertRaises(TypeError, connection.set_shutdown, None)
2037 self.assertRaises(TypeError, connection.set_shutdown, 0, 1)
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002038
2039
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04002040 def test_shutdown(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002041 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002042 :py:obj:`Connection.shutdown` performs an SSL-level connection shutdown.
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002043 """
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04002044 server, client = self._loopback()
Jean-Paul Calderonee4f6b472010-07-29 22:50:58 -04002045 self.assertFalse(server.shutdown())
2046 self.assertEquals(server.get_shutdown(), SENT_SHUTDOWN)
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04002047 self.assertRaises(ZeroReturnError, client.recv, 1024)
Jean-Paul Calderonee4f6b472010-07-29 22:50:58 -04002048 self.assertEquals(client.get_shutdown(), RECEIVED_SHUTDOWN)
2049 client.shutdown()
2050 self.assertEquals(client.get_shutdown(), SENT_SHUTDOWN|RECEIVED_SHUTDOWN)
2051 self.assertRaises(ZeroReturnError, server.recv, 1024)
2052 self.assertEquals(server.get_shutdown(), SENT_SHUTDOWN|RECEIVED_SHUTDOWN)
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04002053
2054
Paul Aurichc85e0862015-01-08 08:34:33 -08002055 def test_shutdown_closed(self):
2056 """
2057 If the underlying socket is closed, :py:obj:`Connection.shutdown` propagates the
2058 write error from the low level write call.
2059 """
2060 server, client = self._loopback()
2061 server.sock_shutdown(2)
2062 exc = self.assertRaises(SysCallError, server.shutdown)
2063 if platform == "win32":
2064 self.assertEqual(exc.args[0], ESHUTDOWN)
2065 else:
2066 self.assertEqual(exc.args[0], EPIPE)
2067
2068
Jean-Paul Calderonec89eef22010-07-29 22:51:58 -04002069 def test_set_shutdown(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002070 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002071 :py:obj:`Connection.set_shutdown` sets the state of the SSL connection shutdown
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002072 process.
2073 """
Jean-Paul Calderonec89eef22010-07-29 22:51:58 -04002074 connection = Connection(Context(TLSv1_METHOD), socket())
2075 connection.set_shutdown(RECEIVED_SHUTDOWN)
2076 self.assertEquals(connection.get_shutdown(), RECEIVED_SHUTDOWN)
2077
2078
Jean-Paul Calderonef73a3cb2014-02-09 08:49:06 -05002079 if not PY3:
2080 def test_set_shutdown_long(self):
2081 """
2082 On Python 2 :py:obj:`Connection.set_shutdown` accepts an argument
2083 of type :py:obj:`long` as well as :py:obj:`int`.
2084 """
2085 connection = Connection(Context(TLSv1_METHOD), socket())
2086 connection.set_shutdown(long(RECEIVED_SHUTDOWN))
2087 self.assertEquals(connection.get_shutdown(), RECEIVED_SHUTDOWN)
2088
2089
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002090 def test_app_data_wrong_args(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002091 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002092 :py:obj:`Connection.set_app_data` raises :py:obj:`TypeError` if called with other than
2093 one argument. :py:obj:`Connection.get_app_data` raises :py:obj:`TypeError` if called
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002094 with any arguments.
2095 """
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002096 conn = Connection(Context(TLSv1_METHOD), None)
2097 self.assertRaises(TypeError, conn.get_app_data, None)
2098 self.assertRaises(TypeError, conn.set_app_data)
2099 self.assertRaises(TypeError, conn.set_app_data, None, None)
2100
2101
Jean-Paul Calderone1bd8c792010-07-29 09:51:06 -04002102 def test_app_data(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002103 """
2104 Any object can be set as app data by passing it to
Jonathan Ballet648875f2011-07-16 14:14:58 +09002105 :py:obj:`Connection.set_app_data` and later retrieved with
2106 :py:obj:`Connection.get_app_data`.
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002107 """
Jean-Paul Calderone1bd8c792010-07-29 09:51:06 -04002108 conn = Connection(Context(TLSv1_METHOD), None)
2109 app_data = object()
2110 conn.set_app_data(app_data)
2111 self.assertIdentical(conn.get_app_data(), app_data)
2112
2113
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002114 def test_makefile(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002115 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002116 :py:obj:`Connection.makefile` is not implemented and calling that method raises
2117 :py:obj:`NotImplementedError`.
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002118 """
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002119 conn = Connection(Context(TLSv1_METHOD), None)
2120 self.assertRaises(NotImplementedError, conn.makefile)
2121
2122
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -04002123 def test_get_peer_cert_chain_wrong_args(self):
2124 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002125 :py:obj:`Connection.get_peer_cert_chain` raises :py:obj:`TypeError` if called with any
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -04002126 arguments.
2127 """
2128 conn = Connection(Context(TLSv1_METHOD), None)
2129 self.assertRaises(TypeError, conn.get_peer_cert_chain, 1)
2130 self.assertRaises(TypeError, conn.get_peer_cert_chain, "foo")
2131 self.assertRaises(TypeError, conn.get_peer_cert_chain, object())
2132 self.assertRaises(TypeError, conn.get_peer_cert_chain, [])
2133
2134
2135 def test_get_peer_cert_chain(self):
2136 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002137 :py:obj:`Connection.get_peer_cert_chain` returns a list of certificates which
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -04002138 the connected server returned for the certification verification.
2139 """
2140 chain = _create_certificate_chain()
2141 [(cakey, cacert), (ikey, icert), (skey, scert)] = chain
2142
2143 serverContext = Context(TLSv1_METHOD)
2144 serverContext.use_privatekey(skey)
2145 serverContext.use_certificate(scert)
2146 serverContext.add_extra_chain_cert(icert)
2147 serverContext.add_extra_chain_cert(cacert)
2148 server = Connection(serverContext, None)
2149 server.set_accept_state()
2150
2151 # Create the client
2152 clientContext = Context(TLSv1_METHOD)
2153 clientContext.set_verify(VERIFY_NONE, verify_cb)
2154 client = Connection(clientContext, None)
2155 client.set_connect_state()
2156
2157 self._interactInMemory(client, server)
2158
2159 chain = client.get_peer_cert_chain()
2160 self.assertEqual(len(chain), 3)
Jean-Paul Calderonee33300c2011-05-19 21:44:38 -04002161 self.assertEqual(
Jean-Paul Calderone24a42432011-05-19 22:21:18 -04002162 "Server Certificate", chain[0].get_subject().CN)
Jean-Paul Calderonee33300c2011-05-19 21:44:38 -04002163 self.assertEqual(
Jean-Paul Calderone24a42432011-05-19 22:21:18 -04002164 "Intermediate Certificate", chain[1].get_subject().CN)
Jean-Paul Calderonee33300c2011-05-19 21:44:38 -04002165 self.assertEqual(
Jean-Paul Calderone24a42432011-05-19 22:21:18 -04002166 "Authority Certificate", chain[2].get_subject().CN)
2167
2168
2169 def test_get_peer_cert_chain_none(self):
2170 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002171 :py:obj:`Connection.get_peer_cert_chain` returns :py:obj:`None` if the peer sends no
Jean-Paul Calderone24a42432011-05-19 22:21:18 -04002172 certificate chain.
2173 """
2174 ctx = Context(TLSv1_METHOD)
2175 ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
2176 ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
2177 server = Connection(ctx, None)
2178 server.set_accept_state()
2179 client = Connection(Context(TLSv1_METHOD), None)
2180 client.set_connect_state()
2181 self._interactInMemory(client, server)
2182 self.assertIdentical(None, server.get_peer_cert_chain())
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -04002183
2184
Jean-Paul Calderone64eaffc2012-02-13 11:53:49 -05002185 def test_get_session_wrong_args(self):
2186 """
2187 :py:obj:`Connection.get_session` raises :py:obj:`TypeError` if called
2188 with any arguments.
2189 """
2190 ctx = Context(TLSv1_METHOD)
2191 server = Connection(ctx, None)
2192 self.assertRaises(TypeError, server.get_session, 123)
2193 self.assertRaises(TypeError, server.get_session, "hello")
2194 self.assertRaises(TypeError, server.get_session, object())
2195
2196
2197 def test_get_session_unconnected(self):
2198 """
2199 :py:obj:`Connection.get_session` returns :py:obj:`None` when used with
2200 an object which has not been connected.
2201 """
2202 ctx = Context(TLSv1_METHOD)
2203 server = Connection(ctx, None)
2204 session = server.get_session()
2205 self.assertIdentical(None, session)
2206
2207
2208 def test_server_get_session(self):
2209 """
2210 On the server side of a connection, :py:obj:`Connection.get_session`
2211 returns a :py:class:`Session` instance representing the SSL session for
2212 that connection.
2213 """
2214 server, client = self._loopback()
2215 session = server.get_session()
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -08002216 self.assertIsInstance(session, Session)
Jean-Paul Calderone64eaffc2012-02-13 11:53:49 -05002217
2218
2219 def test_client_get_session(self):
2220 """
2221 On the client side of a connection, :py:obj:`Connection.get_session`
2222 returns a :py:class:`Session` instance representing the SSL session for
2223 that connection.
2224 """
2225 server, client = self._loopback()
2226 session = client.get_session()
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -08002227 self.assertIsInstance(session, Session)
Jean-Paul Calderone64eaffc2012-02-13 11:53:49 -05002228
2229
Jean-Paul Calderonefef5c4b2012-02-14 16:31:52 -05002230 def test_set_session_wrong_args(self):
2231 """
2232 If called with an object that is not an instance of :py:class:`Session`,
2233 or with other than one argument, :py:obj:`Connection.set_session` raises
2234 :py:obj:`TypeError`.
2235 """
2236 ctx = Context(TLSv1_METHOD)
2237 connection = Connection(ctx, None)
2238 self.assertRaises(TypeError, connection.set_session)
2239 self.assertRaises(TypeError, connection.set_session, 123)
2240 self.assertRaises(TypeError, connection.set_session, "hello")
2241 self.assertRaises(TypeError, connection.set_session, object())
2242 self.assertRaises(
2243 TypeError, connection.set_session, Session(), Session())
2244
2245
2246 def test_client_set_session(self):
2247 """
2248 :py:obj:`Connection.set_session`, when used prior to a connection being
2249 established, accepts a :py:class:`Session` instance and causes an
2250 attempt to re-use the session it represents when the SSL handshake is
2251 performed.
2252 """
2253 key = load_privatekey(FILETYPE_PEM, server_key_pem)
2254 cert = load_certificate(FILETYPE_PEM, server_cert_pem)
2255 ctx = Context(TLSv1_METHOD)
2256 ctx.use_privatekey(key)
2257 ctx.use_certificate(cert)
2258 ctx.set_session_id("unity-test")
2259
2260 def makeServer(socket):
2261 server = Connection(ctx, socket)
2262 server.set_accept_state()
2263 return server
2264
2265 originalServer, originalClient = self._loopback(
2266 serverFactory=makeServer)
2267 originalSession = originalClient.get_session()
2268
2269 def makeClient(socket):
2270 client = self._loopbackClientFactory(socket)
2271 client.set_session(originalSession)
2272 return client
2273 resumedServer, resumedClient = self._loopback(
2274 serverFactory=makeServer,
2275 clientFactory=makeClient)
2276
2277 # This is a proxy: in general, we have no access to any unique
2278 # identifier for the session (new enough versions of OpenSSL expose a
2279 # hash which could be usable, but "new enough" is very, very new).
2280 # Instead, exploit the fact that the master key is re-used if the
2281 # session is re-used. As long as the master key for the two connections
2282 # is the same, the session was re-used!
2283 self.assertEqual(
2284 originalServer.master_key(), resumedServer.master_key())
2285
2286
Jean-Paul Calderone5ea41492012-02-14 16:51:35 -05002287 def test_set_session_wrong_method(self):
2288 """
Jean-Paul Calderone068cb592012-02-14 16:52:43 -05002289 If :py:obj:`Connection.set_session` is passed a :py:class:`Session`
2290 instance associated with a context using a different SSL method than the
2291 :py:obj:`Connection` is using, a :py:class:`OpenSSL.SSL.Error` is
2292 raised.
Jean-Paul Calderone5ea41492012-02-14 16:51:35 -05002293 """
2294 key = load_privatekey(FILETYPE_PEM, server_key_pem)
2295 cert = load_certificate(FILETYPE_PEM, server_cert_pem)
2296 ctx = Context(TLSv1_METHOD)
2297 ctx.use_privatekey(key)
2298 ctx.use_certificate(cert)
2299 ctx.set_session_id("unity-test")
2300
2301 def makeServer(socket):
2302 server = Connection(ctx, socket)
2303 server.set_accept_state()
2304 return server
2305
2306 originalServer, originalClient = self._loopback(
2307 serverFactory=makeServer)
2308 originalSession = originalClient.get_session()
2309
2310 def makeClient(socket):
2311 # Intentionally use a different, incompatible method here.
2312 client = Connection(Context(SSLv3_METHOD), socket)
2313 client.set_connect_state()
2314 client.set_session(originalSession)
2315 return client
2316
2317 self.assertRaises(
2318 Error,
2319 self._loopback, clientFactory=makeClient, serverFactory=makeServer)
2320
2321
Jean-Paul Calderoned899af02013-03-19 22:10:37 -07002322 def test_wantWriteError(self):
2323 """
2324 :py:obj:`Connection` methods which generate output raise
2325 :py:obj:`OpenSSL.SSL.WantWriteError` if writing to the connection's BIO
2326 fail indicating a should-write state.
2327 """
2328 client_socket, server_socket = socket_pair()
2329 # Fill up the client's send buffer so Connection won't be able to write
Jean-Paul Calderonebbff8b92014-03-22 14:20:30 -04002330 # anything. Only write a single byte at a time so we can be sure we
2331 # completely fill the buffer. Even though the socket API is allowed to
2332 # signal a short write via its return value it seems this doesn't
2333 # always happen on all platforms (FreeBSD and OS X particular) for the
2334 # very last bit of available buffer space.
2335 msg = b"x"
2336 for i in range(1024 * 1024 * 4):
Jean-Paul Calderoned899af02013-03-19 22:10:37 -07002337 try:
2338 client_socket.send(msg)
2339 except error as e:
2340 if e.errno == EWOULDBLOCK:
2341 break
2342 raise
2343 else:
2344 self.fail(
2345 "Failed to fill socket buffer, cannot test BIO want write")
2346
2347 ctx = Context(TLSv1_METHOD)
2348 conn = Connection(ctx, client_socket)
2349 # Client's speak first, so make it an SSL client
2350 conn.set_connect_state()
2351 self.assertRaises(WantWriteError, conn.do_handshake)
2352
2353 # XXX want_read
2354
Fedor Brunner416f4a12014-03-28 13:18:38 +01002355 def test_get_finished_before_connect(self):
Fedor Brunner5747b932014-03-05 14:22:34 +01002356 """
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002357 :py:obj:`Connection.get_finished` returns :py:obj:`None` before TLS
2358 handshake is completed.
Fedor Brunner5747b932014-03-05 14:22:34 +01002359 """
Fedor Brunner5747b932014-03-05 14:22:34 +01002360 ctx = Context(TLSv1_METHOD)
2361 connection = Connection(ctx, None)
2362 self.assertEqual(connection.get_finished(), None)
Fedor Brunner416f4a12014-03-28 13:18:38 +01002363
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002364
Fedor Brunner416f4a12014-03-28 13:18:38 +01002365 def test_get_peer_finished_before_connect(self):
2366 """
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002367 :py:obj:`Connection.get_peer_finished` returns :py:obj:`None` before
2368 TLS handshake is completed.
Fedor Brunner416f4a12014-03-28 13:18:38 +01002369 """
Fedor Brunner416f4a12014-03-28 13:18:38 +01002370 ctx = Context(TLSv1_METHOD)
2371 connection = Connection(ctx, None)
Fedor Brunner5747b932014-03-05 14:22:34 +01002372 self.assertEqual(connection.get_peer_finished(), None)
2373
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002374
Fedor Brunner416f4a12014-03-28 13:18:38 +01002375 def test_get_finished(self):
2376 """
2377 :py:obj:`Connection.get_finished` method returns the TLS Finished
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002378 message send from client, or server. Finished messages are send during
2379 TLS handshake.
Fedor Brunner416f4a12014-03-28 13:18:38 +01002380 """
2381
Fedor Brunner5747b932014-03-05 14:22:34 +01002382 server, client = self._loopback()
2383
2384 self.assertNotEqual(server.get_finished(), None)
2385 self.assertTrue(len(server.get_finished()) > 0)
Fedor Brunner416f4a12014-03-28 13:18:38 +01002386
Jean-Paul Calderoned979f232014-03-30 11:58:00 -04002387
Fedor Brunner416f4a12014-03-28 13:18:38 +01002388 def test_get_peer_finished(self):
2389 """
2390 :py:obj:`Connection.get_peer_finished` method returns the TLS Finished
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002391 message received from client, or server. Finished messages are send
2392 during TLS handshake.
Fedor Brunner416f4a12014-03-28 13:18:38 +01002393 """
Fedor Brunner416f4a12014-03-28 13:18:38 +01002394 server, client = self._loopback()
2395
2396 self.assertNotEqual(server.get_peer_finished(), None)
Fedor Brunner5747b932014-03-05 14:22:34 +01002397 self.assertTrue(len(server.get_peer_finished()) > 0)
2398
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002399
Fedor Brunner416f4a12014-03-28 13:18:38 +01002400 def test_tls_finished_message_symmetry(self):
2401 """
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002402 The TLS Finished message send by server must be the TLS Finished message
Fedor Brunner416f4a12014-03-28 13:18:38 +01002403 received by client.
2404
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002405 The TLS Finished message send by client must be the TLS Finished message
Fedor Brunner416f4a12014-03-28 13:18:38 +01002406 received by server.
2407 """
Fedor Brunner416f4a12014-03-28 13:18:38 +01002408 server, client = self._loopback()
2409
Fedor Brunner5747b932014-03-05 14:22:34 +01002410 self.assertEqual(server.get_finished(), client.get_peer_finished())
2411 self.assertEqual(client.get_finished(), server.get_peer_finished())
Jean-Paul Calderone68649052009-07-17 21:14:27 -04002412
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002413
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002414 def test_get_cipher_name_before_connect(self):
2415 """
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002416 :py:obj:`Connection.get_cipher_name` returns :py:obj:`None` if no
2417 connection has been established.
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002418 """
2419 ctx = Context(TLSv1_METHOD)
2420 conn = Connection(ctx, None)
Jean-Paul Calderone069e2bf2014-03-29 18:21:58 -04002421 self.assertIdentical(conn.get_cipher_name(), None)
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002422
Jean-Paul Calderonedbd76272014-03-29 18:09:40 -04002423
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002424 def test_get_cipher_name(self):
2425 """
Jean-Paul Calderone7f0ded42014-03-30 10:34:17 -04002426 :py:obj:`Connection.get_cipher_name` returns a :py:class:`unicode`
2427 string giving the name of the currently used cipher.
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002428 """
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002429 server, client = self._loopback()
2430 server_cipher_name, client_cipher_name = \
2431 server.get_cipher_name(), client.get_cipher_name()
2432
Jean-Paul Calderone7f0ded42014-03-30 10:34:17 -04002433 self.assertIsInstance(server_cipher_name, text_type)
2434 self.assertIsInstance(client_cipher_name, text_type)
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002435
2436 self.assertEqual(server_cipher_name, client_cipher_name)
2437
Jean-Paul Calderonedbd76272014-03-29 18:09:40 -04002438
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002439 def test_get_cipher_version_before_connect(self):
2440 """
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002441 :py:obj:`Connection.get_cipher_version` returns :py:obj:`None` if no
2442 connection has been established.
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002443 """
2444 ctx = Context(TLSv1_METHOD)
2445 conn = Connection(ctx, None)
Jean-Paul Calderone069e2bf2014-03-29 18:21:58 -04002446 self.assertIdentical(conn.get_cipher_version(), None)
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002447
Jean-Paul Calderonedbd76272014-03-29 18:09:40 -04002448
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002449 def test_get_cipher_version(self):
2450 """
Jean-Paul Calderone7f0ded42014-03-30 10:34:17 -04002451 :py:obj:`Connection.get_cipher_version` returns a :py:class:`unicode`
2452 string giving the protocol name of the currently used cipher.
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002453 """
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002454 server, client = self._loopback()
2455 server_cipher_version, client_cipher_version = \
2456 server.get_cipher_version(), client.get_cipher_version()
2457
Jean-Paul Calderone7f0ded42014-03-30 10:34:17 -04002458 self.assertIsInstance(server_cipher_version, text_type)
2459 self.assertIsInstance(client_cipher_version, text_type)
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002460
2461 self.assertEqual(server_cipher_version, client_cipher_version)
2462
Jean-Paul Calderonedbd76272014-03-29 18:09:40 -04002463
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002464 def test_get_cipher_bits_before_connect(self):
2465 """
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002466 :py:obj:`Connection.get_cipher_bits` returns :py:obj:`None` if no
2467 connection has been established.
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002468 """
2469 ctx = Context(TLSv1_METHOD)
2470 conn = Connection(ctx, None)
Jean-Paul Calderone069e2bf2014-03-29 18:21:58 -04002471 self.assertIdentical(conn.get_cipher_bits(), None)
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002472
Jean-Paul Calderonedbd76272014-03-29 18:09:40 -04002473
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002474 def test_get_cipher_bits(self):
2475 """
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002476 :py:obj:`Connection.get_cipher_bits` returns the number of secret bits
2477 of the currently used cipher.
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002478 """
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002479 server, client = self._loopback()
2480 server_cipher_bits, client_cipher_bits = \
2481 server.get_cipher_bits(), client.get_cipher_bits()
2482
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002483 self.assertIsInstance(server_cipher_bits, int)
2484 self.assertIsInstance(client_cipher_bits, int)
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002485
2486 self.assertEqual(server_cipher_bits, client_cipher_bits)
Jean-Paul Calderone68649052009-07-17 21:14:27 -04002487
Jean-Paul Calderonedbd76272014-03-29 18:09:40 -04002488
2489
Jean-Paul Calderonef135e622010-07-28 19:14:16 -04002490class ConnectionGetCipherListTests(TestCase):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002491 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002492 Tests for :py:obj:`Connection.get_cipher_list`.
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002493 """
Jean-Paul Calderone54a2bc02010-09-09 17:52:38 -04002494 def test_wrong_args(self):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002495 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002496 :py:obj:`Connection.get_cipher_list` raises :py:obj:`TypeError` if called with any
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002497 arguments.
2498 """
Jean-Paul Calderonef135e622010-07-28 19:14:16 -04002499 connection = Connection(Context(TLSv1_METHOD), None)
2500 self.assertRaises(TypeError, connection.get_cipher_list, None)
2501
2502
2503 def test_result(self):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002504 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05002505 :py:obj:`Connection.get_cipher_list` returns a :py:obj:`list` of
2506 :py:obj:`bytes` giving the names of the ciphers which might be used.
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002507 """
Jean-Paul Calderonef135e622010-07-28 19:14:16 -04002508 connection = Connection(Context(TLSv1_METHOD), None)
2509 ciphers = connection.get_cipher_list()
2510 self.assertTrue(isinstance(ciphers, list))
2511 for cipher in ciphers:
2512 self.assertTrue(isinstance(cipher, str))
2513
2514
2515
Jean-Paul Calderone9cbbe262011-01-05 14:53:43 -05002516class ConnectionSendTests(TestCase, _LoopbackMixin):
2517 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002518 Tests for :py:obj:`Connection.send`
Jean-Paul Calderone9cbbe262011-01-05 14:53:43 -05002519 """
2520 def test_wrong_args(self):
2521 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002522 When called with arguments other than string argument for its first
2523 parameter or more than two arguments, :py:obj:`Connection.send` raises
2524 :py:obj:`TypeError`.
Jean-Paul Calderone9cbbe262011-01-05 14:53:43 -05002525 """
2526 connection = Connection(Context(TLSv1_METHOD), None)
Jean-Paul Calderone77fa2602011-01-05 18:23:39 -05002527 self.assertRaises(TypeError, connection.send)
2528 self.assertRaises(TypeError, connection.send, object())
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002529 self.assertRaises(TypeError, connection.send, "foo", object(), "bar")
Jean-Paul Calderone9cbbe262011-01-05 14:53:43 -05002530
2531
2532 def test_short_bytes(self):
2533 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002534 When passed a short byte string, :py:obj:`Connection.send` transmits all of it
Jean-Paul Calderone9cbbe262011-01-05 14:53:43 -05002535 and returns the number of bytes sent.
2536 """
2537 server, client = self._loopback()
2538 count = server.send(b('xy'))
2539 self.assertEquals(count, 2)
2540 self.assertEquals(client.recv(2), b('xy'))
2541
2542 try:
2543 memoryview
2544 except NameError:
2545 "cannot test sending memoryview without memoryview"
2546 else:
2547 def test_short_memoryview(self):
2548 """
2549 When passed a memoryview onto a small number of bytes,
Jonathan Ballet648875f2011-07-16 14:14:58 +09002550 :py:obj:`Connection.send` transmits all of them and returns the number of
Jean-Paul Calderone9cbbe262011-01-05 14:53:43 -05002551 bytes sent.
2552 """
2553 server, client = self._loopback()
2554 count = server.send(memoryview(b('xy')))
2555 self.assertEquals(count, 2)
2556 self.assertEquals(client.recv(2), b('xy'))
2557
2558
Markus Unterwaditzer8e41d022014-04-19 12:27:11 +02002559 try:
2560 buffer
2561 except NameError:
2562 "cannot test sending buffer without buffer"
2563 else:
2564 def test_short_buffer(self):
2565 """
2566 When passed a buffer containing a small number of bytes,
2567 :py:obj:`Connection.send` transmits all of them and returns the number of
2568 bytes sent.
2569 """
2570 server, client = self._loopback()
2571 count = server.send(buffer(b('xy')))
2572 self.assertEquals(count, 2)
2573 self.assertEquals(client.recv(2), b('xy'))
2574
2575
Jean-Paul Calderone691e6c92011-01-21 22:04:35 -05002576
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002577def _make_memoryview(size):
2578 """
2579 Create a new ``memoryview`` wrapped around a ``bytearray`` of the given
2580 size.
2581 """
2582 return memoryview(bytearray(size))
2583
2584
2585
Cory Benfield62d10332014-06-15 10:03:41 +01002586class ConnectionRecvIntoTests(TestCase, _LoopbackMixin):
2587 """
2588 Tests for :py:obj:`Connection.recv_into`
2589 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002590 def _no_length_test(self, factory):
Jean-Paul Calderone61559d82015-03-15 17:04:50 -04002591 """
2592 Assert that when the given buffer is passed to
2593 ``Connection.recv_into``, whatever bytes are available to be received
2594 that fit into that buffer are written into that buffer.
2595 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002596 output_buffer = factory(5)
2597
Jean-Paul Calderone332a85e2015-03-15 17:02:40 -04002598 server, client = self._loopback()
2599 server.send(b('xy'))
2600
Jean-Paul Calderone320af1e2015-03-15 17:20:13 -04002601 self.assertEqual(client.recv_into(output_buffer), 2)
2602 self.assertEqual(output_buffer, bytearray(b('xy\x00\x00\x00')))
Jean-Paul Calderone332a85e2015-03-15 17:02:40 -04002603
2604
Jean-Paul Calderoned335b272015-03-15 17:26:38 -04002605 def test_bytearray_no_length(self):
Cory Benfield62d10332014-06-15 10:03:41 +01002606 """
Jean-Paul Calderone61559d82015-03-15 17:04:50 -04002607 :py:obj:`Connection.recv_into` can be passed a ``bytearray`` instance
2608 and data in the receive buffer is written to it.
Cory Benfield62d10332014-06-15 10:03:41 +01002609 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002610 self._no_length_test(bytearray)
Cory Benfield62d10332014-06-15 10:03:41 +01002611
2612
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002613 def _respects_length_test(self, factory):
Cory Benfield62d10332014-06-15 10:03:41 +01002614 """
Jean-Paul Calderonec295a2f2015-03-15 17:11:18 -04002615 Assert that when the given buffer is passed to ``Connection.recv_into``
2616 along with a value for ``nbytes`` that is less than the size of that
2617 buffer, only ``nbytes`` bytes are written into the buffer.
Cory Benfield62d10332014-06-15 10:03:41 +01002618 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002619 output_buffer = factory(10)
2620
Cory Benfield62d10332014-06-15 10:03:41 +01002621 server, client = self._loopback()
2622 server.send(b('abcdefghij'))
Cory Benfield62d10332014-06-15 10:03:41 +01002623
Jean-Paul Calderone320af1e2015-03-15 17:20:13 -04002624 self.assertEqual(client.recv_into(output_buffer, 5), 5)
2625 self.assertEqual(
Jean-Paul Calderonec295a2f2015-03-15 17:11:18 -04002626 output_buffer, bytearray(b('abcde\x00\x00\x00\x00\x00'))
2627 )
2628
2629
Jean-Paul Calderoned335b272015-03-15 17:26:38 -04002630 def test_bytearray_respects_length(self):
Jean-Paul Calderonec295a2f2015-03-15 17:11:18 -04002631 """
2632 When called with a ``bytearray`` instance,
2633 :py:obj:`Connection.recv_into` respects the ``nbytes`` parameter and
2634 doesn't copy in more than that number of bytes.
2635 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002636 self._respects_length_test(bytearray)
Cory Benfield62d10332014-06-15 10:03:41 +01002637
2638
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002639 def _doesnt_overfill_test(self, factory):
Cory Benfield62d10332014-06-15 10:03:41 +01002640 """
Jean-Paul Calderone2b41ad32015-03-15 17:19:39 -04002641 Assert that if there are more bytes available to be read from the
2642 receive buffer than would fit into the buffer passed to
2643 :py:obj:`Connection.recv_into`, only as many as fit are written into
2644 it.
Cory Benfield62d10332014-06-15 10:03:41 +01002645 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002646 output_buffer = factory(5)
2647
Cory Benfield62d10332014-06-15 10:03:41 +01002648 server, client = self._loopback()
2649 server.send(b('abcdefghij'))
Cory Benfield62d10332014-06-15 10:03:41 +01002650
Jean-Paul Calderone320af1e2015-03-15 17:20:13 -04002651 self.assertEqual(client.recv_into(output_buffer), 5)
2652 self.assertEqual(output_buffer, bytearray(b('abcde')))
Jean-Paul Calderone2b41ad32015-03-15 17:19:39 -04002653 rest = client.recv(5)
2654 self.assertEqual(b('fghij'), rest)
2655
2656
Jean-Paul Calderoned335b272015-03-15 17:26:38 -04002657 def test_bytearray_doesnt_overfill(self):
Jean-Paul Calderone2b41ad32015-03-15 17:19:39 -04002658 """
2659 When called with a ``bytearray`` instance,
2660 :py:obj:`Connection.recv_into` respects the size of the array and
2661 doesn't write more bytes into it than will fit.
2662 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002663 self._doesnt_overfill_test(bytearray)
Cory Benfield62d10332014-06-15 10:03:41 +01002664
2665
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002666 def _really_doesnt_overfill_test(self, factory):
Jean-Paul Calderone4bec59a2015-03-15 17:25:57 -04002667 """
2668 Assert that if the value given by ``nbytes`` is greater than the actual
2669 size of the output buffer passed to :py:obj:`Connection.recv_into`, the
2670 behavior is as if no value was given for ``nbytes`` at all.
2671 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002672 output_buffer = factory(5)
2673
Jean-Paul Calderone4bec59a2015-03-15 17:25:57 -04002674 server, client = self._loopback()
2675 server.send(b('abcdefghij'))
2676
2677 self.assertEqual(client.recv_into(output_buffer, 50), 5)
2678 self.assertEqual(output_buffer, bytearray(b('abcde')))
2679 rest = client.recv(5)
2680 self.assertEqual(b('fghij'), rest)
2681
2682
Jean-Paul Calderoned335b272015-03-15 17:26:38 -04002683 def test_bytearray_really_doesnt_overfill(self):
Jean-Paul Calderone4bec59a2015-03-15 17:25:57 -04002684 """
2685 When called with a ``bytearray`` instance and an ``nbytes`` value that
2686 is too large, :py:obj:`Connection.recv_into` respects the size of the
2687 array and not the ``nbytes`` value and doesn't write more bytes into
2688 the buffer than will fit.
2689 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002690 self._doesnt_overfill_test(bytearray)
Jean-Paul Calderone4bec59a2015-03-15 17:25:57 -04002691
2692
Cory Benfield62d10332014-06-15 10:03:41 +01002693 try:
2694 memoryview
2695 except NameError:
2696 "cannot test recv_into memoryview without memoryview"
2697 else:
Jean-Paul Calderone332a85e2015-03-15 17:02:40 -04002698 def test_memoryview_no_length(self):
Cory Benfield62d10332014-06-15 10:03:41 +01002699 """
Jean-Paul Calderone61559d82015-03-15 17:04:50 -04002700 :py:obj:`Connection.recv_into` can be passed a ``memoryview``
2701 instance and data in the receive buffer is written to it.
Cory Benfield62d10332014-06-15 10:03:41 +01002702 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002703 self._no_length_test(_make_memoryview)
Cory Benfield62d10332014-06-15 10:03:41 +01002704
2705
Jean-Paul Calderonec295a2f2015-03-15 17:11:18 -04002706 def test_memoryview_respects_length(self):
Cory Benfield62d10332014-06-15 10:03:41 +01002707 """
Jean-Paul Calderonec295a2f2015-03-15 17:11:18 -04002708 When called with a ``memoryview`` instance,
2709 :py:obj:`Connection.recv_into` respects the ``nbytes`` parameter
2710 and doesn't copy more than that number of bytes in.
Cory Benfield62d10332014-06-15 10:03:41 +01002711 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002712 self._respects_length_test(_make_memoryview)
Cory Benfield62d10332014-06-15 10:03:41 +01002713
2714
Jean-Paul Calderone2b41ad32015-03-15 17:19:39 -04002715 def test_memoryview_doesnt_overfill(self):
Cory Benfield62d10332014-06-15 10:03:41 +01002716 """
Jean-Paul Calderone8fd82552015-03-15 17:21:07 -04002717 When called with a ``memoryview`` instance,
2718 :py:obj:`Connection.recv_into` respects the size of the array and
2719 doesn't write more bytes into it than will fit.
Cory Benfield62d10332014-06-15 10:03:41 +01002720 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002721 self._doesnt_overfill_test(_make_memoryview)
Cory Benfield62d10332014-06-15 10:03:41 +01002722
2723
Jean-Paul Calderone4bec59a2015-03-15 17:25:57 -04002724 def test_memoryview_really_doesnt_overfill(self):
2725 """
2726 When called with a ``memoryview`` instance and an ``nbytes`` value
2727 that is too large, :py:obj:`Connection.recv_into` respects the size
2728 of the array and not the ``nbytes`` value and doesn't write more
2729 bytes into the buffer than will fit.
2730 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002731 self._doesnt_overfill_test(_make_memoryview)
Jean-Paul Calderone4bec59a2015-03-15 17:25:57 -04002732
2733
Cory Benfield62d10332014-06-15 10:03:41 +01002734
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002735class ConnectionSendallTests(TestCase, _LoopbackMixin):
2736 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002737 Tests for :py:obj:`Connection.sendall`.
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002738 """
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002739 def test_wrong_args(self):
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002740 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002741 When called with arguments other than a string argument for its first
2742 parameter or with more than two arguments, :py:obj:`Connection.sendall`
2743 raises :py:obj:`TypeError`.
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002744 """
2745 connection = Connection(Context(TLSv1_METHOD), None)
2746 self.assertRaises(TypeError, connection.sendall)
2747 self.assertRaises(TypeError, connection.sendall, object())
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002748 self.assertRaises(
2749 TypeError, connection.sendall, "foo", object(), "bar")
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002750
2751
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002752 def test_short(self):
2753 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002754 :py:obj:`Connection.sendall` transmits all of the bytes in the string passed to
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002755 it.
2756 """
2757 server, client = self._loopback()
Jean-Paul Calderonea9868832010-08-22 21:38:34 -04002758 server.sendall(b('x'))
2759 self.assertEquals(client.recv(1), b('x'))
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002760
2761
Jean-Paul Calderone691e6c92011-01-21 22:04:35 -05002762 try:
2763 memoryview
2764 except NameError:
2765 "cannot test sending memoryview without memoryview"
2766 else:
2767 def test_short_memoryview(self):
2768 """
2769 When passed a memoryview onto a small number of bytes,
Jonathan Ballet648875f2011-07-16 14:14:58 +09002770 :py:obj:`Connection.sendall` transmits all of them.
Jean-Paul Calderone691e6c92011-01-21 22:04:35 -05002771 """
2772 server, client = self._loopback()
2773 server.sendall(memoryview(b('x')))
2774 self.assertEquals(client.recv(1), b('x'))
2775
2776
Markus Unterwaditzer8e41d022014-04-19 12:27:11 +02002777 try:
2778 buffer
2779 except NameError:
2780 "cannot test sending buffers without buffers"
2781 else:
2782 def test_short_buffers(self):
2783 """
2784 When passed a buffer containing a small number of bytes,
2785 :py:obj:`Connection.sendall` transmits all of them.
2786 """
2787 server, client = self._loopback()
2788 server.sendall(buffer(b('x')))
2789 self.assertEquals(client.recv(1), b('x'))
2790
2791
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002792 def test_long(self):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002793 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002794 :py:obj:`Connection.sendall` transmits all of the bytes in the string passed to
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002795 it even if this requires multiple calls of an underlying write function.
2796 """
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002797 server, client = self._loopback()
Jean-Paul Calderone6241c702010-09-16 19:59:24 -04002798 # Should be enough, underlying SSL_write should only do 16k at a time.
2799 # On Windows, after 32k of bytes the write will block (forever - because
2800 # no one is yet reading).
Jean-Paul Calderone9e4c1352010-09-19 09:34:43 -04002801 message = b('x') * (1024 * 32 - 1) + b('y')
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002802 server.sendall(message)
2803 accum = []
2804 received = 0
2805 while received < len(message):
Jean-Paul Calderoneb1f7f5f2010-08-22 21:40:52 -04002806 data = client.recv(1024)
2807 accum.append(data)
2808 received += len(data)
Jean-Paul Calderonef4047852010-09-19 09:45:57 -04002809 self.assertEquals(message, b('').join(accum))
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002810
2811
Jean-Paul Calderone974bdc02010-07-28 19:06:10 -04002812 def test_closed(self):
2813 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002814 If the underlying socket is closed, :py:obj:`Connection.sendall` propagates the
Jean-Paul Calderone974bdc02010-07-28 19:06:10 -04002815 write error from the low level write call.
2816 """
2817 server, client = self._loopback()
Jean-Paul Calderone05d43e82010-09-24 18:01:36 -04002818 server.sock_shutdown(2)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05002819 exc = self.assertRaises(SysCallError, server.sendall, b"hello, world")
Konstantinos Koukopoulos541150d2014-01-31 01:00:19 +02002820 if platform == "win32":
2821 self.assertEqual(exc.args[0], ESHUTDOWN)
2822 else:
2823 self.assertEqual(exc.args[0], EPIPE)
Jean-Paul Calderone974bdc02010-07-28 19:06:10 -04002824
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002825
Jean-Paul Calderone1d69a722010-07-29 09:05:53 -04002826
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002827class ConnectionRenegotiateTests(TestCase, _LoopbackMixin):
2828 """
2829 Tests for SSL renegotiation APIs.
2830 """
2831 def test_renegotiate_wrong_args(self):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002832 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002833 :py:obj:`Connection.renegotiate` raises :py:obj:`TypeError` if called with any
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002834 arguments.
2835 """
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002836 connection = Connection(Context(TLSv1_METHOD), None)
2837 self.assertRaises(TypeError, connection.renegotiate, None)
2838
2839
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002840 def test_total_renegotiations_wrong_args(self):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002841 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002842 :py:obj:`Connection.total_renegotiations` raises :py:obj:`TypeError` if called with
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002843 any arguments.
2844 """
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002845 connection = Connection(Context(TLSv1_METHOD), None)
2846 self.assertRaises(TypeError, connection.total_renegotiations, None)
2847
2848
2849 def test_total_renegotiations(self):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002850 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002851 :py:obj:`Connection.total_renegotiations` returns :py:obj:`0` before any
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002852 renegotiations have happened.
2853 """
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002854 connection = Connection(Context(TLSv1_METHOD), None)
2855 self.assertEquals(connection.total_renegotiations(), 0)
2856
2857
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002858# def test_renegotiate(self):
2859# """
2860# """
2861# server, client = self._loopback()
2862
2863# server.send("hello world")
2864# self.assertEquals(client.recv(len("hello world")), "hello world")
2865
2866# self.assertEquals(server.total_renegotiations(), 0)
2867# self.assertTrue(server.renegotiate())
2868
2869# server.setblocking(False)
2870# client.setblocking(False)
2871# while server.renegotiate_pending():
2872# client.do_handshake()
2873# server.do_handshake()
2874
2875# self.assertEquals(server.total_renegotiations(), 1)
2876
2877
2878
2879
Jean-Paul Calderone68649052009-07-17 21:14:27 -04002880class ErrorTests(TestCase):
2881 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002882 Unit tests for :py:obj:`OpenSSL.SSL.Error`.
Jean-Paul Calderone68649052009-07-17 21:14:27 -04002883 """
2884 def test_type(self):
2885 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002886 :py:obj:`Error` is an exception type.
Jean-Paul Calderone68649052009-07-17 21:14:27 -04002887 """
2888 self.assertTrue(issubclass(Error, Exception))
Rick Deane15b1472009-07-09 15:53:42 -05002889 self.assertEqual(Error.__name__, 'Error')
Rick Deane15b1472009-07-09 15:53:42 -05002890
2891
2892
Jean-Paul Calderone327d8f92008-12-28 21:55:56 -05002893class ConstantsTests(TestCase):
2894 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002895 Tests for the values of constants exposed in :py:obj:`OpenSSL.SSL`.
Jean-Paul Calderone327d8f92008-12-28 21:55:56 -05002896
2897 These are values defined by OpenSSL intended only to be used as flags to
2898 OpenSSL APIs. The only assertions it seems can be made about them is
2899 their values.
2900 """
Jean-Paul Calderoned811b682008-12-28 22:59:15 -05002901 # unittest.TestCase has no skip mechanism
2902 if OP_NO_QUERY_MTU is not None:
2903 def test_op_no_query_mtu(self):
2904 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002905 The value of :py:obj:`OpenSSL.SSL.OP_NO_QUERY_MTU` is 0x1000, the value of
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -04002906 :py:const:`SSL_OP_NO_QUERY_MTU` defined by :file:`openssl/ssl.h`.
Jean-Paul Calderoned811b682008-12-28 22:59:15 -05002907 """
2908 self.assertEqual(OP_NO_QUERY_MTU, 0x1000)
2909 else:
2910 "OP_NO_QUERY_MTU unavailable - OpenSSL version may be too old"
Jean-Paul Calderone327d8f92008-12-28 21:55:56 -05002911
2912
Jean-Paul Calderoned811b682008-12-28 22:59:15 -05002913 if OP_COOKIE_EXCHANGE is not None:
2914 def test_op_cookie_exchange(self):
2915 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002916 The value of :py:obj:`OpenSSL.SSL.OP_COOKIE_EXCHANGE` is 0x2000, the value
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -04002917 of :py:const:`SSL_OP_COOKIE_EXCHANGE` defined by :file:`openssl/ssl.h`.
Jean-Paul Calderoned811b682008-12-28 22:59:15 -05002918 """
2919 self.assertEqual(OP_COOKIE_EXCHANGE, 0x2000)
2920 else:
2921 "OP_COOKIE_EXCHANGE unavailable - OpenSSL version may be too old"
Jean-Paul Calderone327d8f92008-12-28 21:55:56 -05002922
2923
Jean-Paul Calderoned811b682008-12-28 22:59:15 -05002924 if OP_NO_TICKET is not None:
2925 def test_op_no_ticket(self):
2926 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002927 The value of :py:obj:`OpenSSL.SSL.OP_NO_TICKET` is 0x4000, the value of
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -04002928 :py:const:`SSL_OP_NO_TICKET` defined by :file:`openssl/ssl.h`.
Jean-Paul Calderoned811b682008-12-28 22:59:15 -05002929 """
2930 self.assertEqual(OP_NO_TICKET, 0x4000)
Jean-Paul Calderonecebd1782011-09-11 10:01:31 -04002931 else:
Jean-Paul Calderoned811b682008-12-28 22:59:15 -05002932 "OP_NO_TICKET unavailable - OpenSSL version may be too old"
Rick Dean5b7b6372009-04-01 11:34:06 -05002933
2934
Jean-Paul Calderonec62d4c12011-09-08 18:29:32 -04002935 if OP_NO_COMPRESSION is not None:
2936 def test_op_no_compression(self):
2937 """
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -04002938 The value of :py:obj:`OpenSSL.SSL.OP_NO_COMPRESSION` is 0x20000, the value
2939 of :py:const:`SSL_OP_NO_COMPRESSION` defined by :file:`openssl/ssl.h`.
Jean-Paul Calderonec62d4c12011-09-08 18:29:32 -04002940 """
2941 self.assertEqual(OP_NO_COMPRESSION, 0x20000)
2942 else:
2943 "OP_NO_COMPRESSION unavailable - OpenSSL version may be too old"
2944
2945
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05002946 def test_sess_cache_off(self):
2947 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002948 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_OFF` 0x0, the value of
2949 :py:obj:`SSL_SESS_CACHE_OFF` defined by ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05002950 """
2951 self.assertEqual(0x0, SESS_CACHE_OFF)
2952
2953
2954 def test_sess_cache_client(self):
2955 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002956 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_CLIENT` 0x1, the value of
2957 :py:obj:`SSL_SESS_CACHE_CLIENT` defined by ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05002958 """
2959 self.assertEqual(0x1, SESS_CACHE_CLIENT)
2960
2961
2962 def test_sess_cache_server(self):
2963 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002964 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_SERVER` 0x2, the value of
2965 :py:obj:`SSL_SESS_CACHE_SERVER` defined by ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05002966 """
2967 self.assertEqual(0x2, SESS_CACHE_SERVER)
2968
2969
2970 def test_sess_cache_both(self):
2971 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002972 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_BOTH` 0x3, the value of
2973 :py:obj:`SSL_SESS_CACHE_BOTH` defined by ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05002974 """
2975 self.assertEqual(0x3, SESS_CACHE_BOTH)
2976
2977
2978 def test_sess_cache_no_auto_clear(self):
2979 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002980 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_NO_AUTO_CLEAR` 0x80, the
2981 value of :py:obj:`SSL_SESS_CACHE_NO_AUTO_CLEAR` defined by
2982 ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05002983 """
2984 self.assertEqual(0x80, SESS_CACHE_NO_AUTO_CLEAR)
2985
2986
2987 def test_sess_cache_no_internal_lookup(self):
2988 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002989 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_LOOKUP` 0x100,
2990 the value of :py:obj:`SSL_SESS_CACHE_NO_INTERNAL_LOOKUP` defined by
2991 ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05002992 """
2993 self.assertEqual(0x100, SESS_CACHE_NO_INTERNAL_LOOKUP)
2994
2995
2996 def test_sess_cache_no_internal_store(self):
2997 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002998 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_STORE` 0x200,
2999 the value of :py:obj:`SSL_SESS_CACHE_NO_INTERNAL_STORE` defined by
3000 ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05003001 """
3002 self.assertEqual(0x200, SESS_CACHE_NO_INTERNAL_STORE)
3003
3004
3005 def test_sess_cache_no_internal(self):
3006 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05003007 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_NO_INTERNAL` 0x300, the
3008 value of :py:obj:`SSL_SESS_CACHE_NO_INTERNAL` defined by
3009 ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05003010 """
3011 self.assertEqual(0x300, SESS_CACHE_NO_INTERNAL)
3012
3013
Jean-Paul Calderoneeeee26a2009-04-27 11:24:30 -04003014
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04003015class MemoryBIOTests(TestCase, _LoopbackMixin):
Rick Deanb71c0d22009-04-01 14:09:23 -05003016 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003017 Tests for :py:obj:`OpenSSL.SSL.Connection` using a memory BIO.
Rick Deanb71c0d22009-04-01 14:09:23 -05003018 """
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04003019 def _server(self, sock):
3020 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003021 Create a new server-side SSL :py:obj:`Connection` object wrapped around
3022 :py:obj:`sock`.
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04003023 """
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04003024 # Create the server side Connection. This is mostly setup boilerplate
3025 # - use TLSv1, use a particular certificate, etc.
3026 server_ctx = Context(TLSv1_METHOD)
3027 server_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE )
3028 server_ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT|VERIFY_CLIENT_ONCE, verify_cb)
3029 server_store = server_ctx.get_cert_store()
3030 server_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
3031 server_ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
3032 server_ctx.check_privatekey()
3033 server_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))
Rick Deanb1ccd562009-07-09 23:52:39 -05003034 # Here the Connection is actually created. If None is passed as the 2nd
3035 # parameter, it indicates a memory BIO should be created.
3036 server_conn = Connection(server_ctx, sock)
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04003037 server_conn.set_accept_state()
3038 return server_conn
3039
3040
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04003041 def _client(self, sock):
3042 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003043 Create a new client-side SSL :py:obj:`Connection` object wrapped around
3044 :py:obj:`sock`.
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04003045 """
3046 # Now create the client side Connection. Similar boilerplate to the
3047 # above.
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04003048 client_ctx = Context(TLSv1_METHOD)
3049 client_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE )
3050 client_ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT|VERIFY_CLIENT_ONCE, verify_cb)
3051 client_store = client_ctx.get_cert_store()
3052 client_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, client_key_pem))
3053 client_ctx.use_certificate(load_certificate(FILETYPE_PEM, client_cert_pem))
3054 client_ctx.check_privatekey()
3055 client_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))
Rick Deanb1ccd562009-07-09 23:52:39 -05003056 client_conn = Connection(client_ctx, sock)
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04003057 client_conn.set_connect_state()
3058 return client_conn
3059
3060
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04003061 def test_memoryConnect(self):
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04003062 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003063 Two :py:obj:`Connection`s which use memory BIOs can be manually connected by
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04003064 reading from the output of each and writing those bytes to the input of
3065 the other and in this way establish a connection and exchange
3066 application-level bytes with each other.
3067 """
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04003068 server_conn = self._server(None)
3069 client_conn = self._client(None)
Rick Deanb71c0d22009-04-01 14:09:23 -05003070
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04003071 # There should be no key or nonces yet.
3072 self.assertIdentical(server_conn.master_key(), None)
3073 self.assertIdentical(server_conn.client_random(), None)
3074 self.assertIdentical(server_conn.server_random(), None)
Rick Deanb71c0d22009-04-01 14:09:23 -05003075
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04003076 # First, the handshake needs to happen. We'll deliver bytes back and
3077 # forth between the client and server until neither of them feels like
3078 # speaking any more.
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04003079 self.assertIdentical(
3080 self._interactInMemory(client_conn, server_conn), None)
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04003081
3082 # Now that the handshake is done, there should be a key and nonces.
3083 self.assertNotIdentical(server_conn.master_key(), None)
3084 self.assertNotIdentical(server_conn.client_random(), None)
3085 self.assertNotIdentical(server_conn.server_random(), None)
Jean-Paul Calderone6c051e62009-07-05 13:50:34 -04003086 self.assertEquals(server_conn.client_random(), client_conn.client_random())
3087 self.assertEquals(server_conn.server_random(), client_conn.server_random())
3088 self.assertNotEquals(server_conn.client_random(), server_conn.server_random())
3089 self.assertNotEquals(client_conn.client_random(), client_conn.server_random())
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04003090
3091 # Here are the bytes we'll try to send.
Jean-Paul Calderonea441fdc2010-08-22 21:33:57 -04003092 important_message = b('One if by land, two if by sea.')
Rick Deanb71c0d22009-04-01 14:09:23 -05003093
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04003094 server_conn.write(important_message)
3095 self.assertEquals(
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04003096 self._interactInMemory(client_conn, server_conn),
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04003097 (client_conn, important_message))
3098
3099 client_conn.write(important_message[::-1])
3100 self.assertEquals(
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04003101 self._interactInMemory(client_conn, server_conn),
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04003102 (server_conn, important_message[::-1]))
Rick Deanb71c0d22009-04-01 14:09:23 -05003103
3104
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04003105 def test_socketConnect(self):
Rick Deanb1ccd562009-07-09 23:52:39 -05003106 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003107 Just like :py:obj:`test_memoryConnect` but with an actual socket.
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04003108
3109 This is primarily to rule out the memory BIO code as the source of
Jonathan Ballet648875f2011-07-16 14:14:58 +09003110 any problems encountered while passing data over a :py:obj:`Connection` (if
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04003111 this test fails, there must be a problem outside the memory BIO
3112 code, as no memory BIO is involved here). Even though this isn't a
3113 memory BIO test, it's convenient to have it here.
Rick Deanb1ccd562009-07-09 23:52:39 -05003114 """
Jean-Paul Calderone06c7cc92010-09-24 23:52:00 -04003115 server_conn, client_conn = self._loopback()
Rick Deanb1ccd562009-07-09 23:52:39 -05003116
Jean-Paul Calderonea441fdc2010-08-22 21:33:57 -04003117 important_message = b("Help me Obi Wan Kenobi, you're my only hope.")
Rick Deanb1ccd562009-07-09 23:52:39 -05003118 client_conn.send(important_message)
3119 msg = server_conn.recv(1024)
3120 self.assertEqual(msg, important_message)
3121
3122 # Again in the other direction, just for fun.
3123 important_message = important_message[::-1]
3124 server_conn.send(important_message)
3125 msg = client_conn.recv(1024)
3126 self.assertEqual(msg, important_message)
3127
3128
Jean-Paul Calderonefc4ed0f2009-04-27 11:51:27 -04003129 def test_socketOverridesMemory(self):
Rick Deanb71c0d22009-04-01 14:09:23 -05003130 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003131 Test that :py:obj:`OpenSSL.SSL.bio_read` and :py:obj:`OpenSSL.SSL.bio_write` don't
3132 work on :py:obj:`OpenSSL.SSL.Connection`() that use sockets.
Rick Deanb71c0d22009-04-01 14:09:23 -05003133 """
3134 context = Context(SSLv3_METHOD)
3135 client = socket()
3136 clientSSL = Connection(context, client)
3137 self.assertRaises( TypeError, clientSSL.bio_read, 100)
3138 self.assertRaises( TypeError, clientSSL.bio_write, "foo")
Jean-Paul Calderone07acf3f2009-05-05 13:23:28 -04003139 self.assertRaises( TypeError, clientSSL.bio_shutdown )
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04003140
3141
3142 def test_outgoingOverflow(self):
3143 """
3144 If more bytes than can be written to the memory BIO are passed to
Jonathan Ballet648875f2011-07-16 14:14:58 +09003145 :py:obj:`Connection.send` at once, the number of bytes which were written is
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04003146 returned and that many bytes from the beginning of the input can be
3147 read from the other end of the connection.
3148 """
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04003149 server = self._server(None)
3150 client = self._client(None)
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04003151
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04003152 self._interactInMemory(client, server)
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04003153
3154 size = 2 ** 15
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05003155 sent = client.send(b"x" * size)
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04003156 # Sanity check. We're trying to test what happens when the entire
3157 # input can't be sent. If the entire input was sent, this test is
3158 # meaningless.
3159 self.assertTrue(sent < size)
3160
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04003161 receiver, received = self._interactInMemory(client, server)
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04003162 self.assertIdentical(receiver, server)
3163
3164 # We can rely on all of these bytes being received at once because
3165 # _loopback passes 2 ** 16 to recv - more than 2 ** 15.
3166 self.assertEquals(len(received), sent)
Jean-Paul Calderone3ad85d42009-04-30 20:24:35 -04003167
3168
3169 def test_shutdown(self):
3170 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003171 :py:obj:`Connection.bio_shutdown` signals the end of the data stream from
3172 which the :py:obj:`Connection` reads.
Jean-Paul Calderone3ad85d42009-04-30 20:24:35 -04003173 """
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04003174 server = self._server(None)
Jean-Paul Calderone3ad85d42009-04-30 20:24:35 -04003175 server.bio_shutdown()
3176 e = self.assertRaises(Error, server.recv, 1024)
3177 # We don't want WantReadError or ZeroReturnError or anything - it's a
3178 # handshake failure.
3179 self.assertEquals(e.__class__, Error)
Jean-Paul Calderone0b88b6a2009-07-05 12:44:41 -04003180
3181
Jean-Paul Calderoned899af02013-03-19 22:10:37 -07003182 def test_unexpectedEndOfFile(self):
3183 """
3184 If the connection is lost before an orderly SSL shutdown occurs,
3185 :py:obj:`OpenSSL.SSL.SysCallError` is raised with a message of
3186 "Unexpected EOF".
3187 """
3188 server_conn, client_conn = self._loopback()
3189 client_conn.sock_shutdown(SHUT_RDWR)
3190 exc = self.assertRaises(SysCallError, server_conn.recv, 1024)
3191 self.assertEqual(exc.args, (-1, "Unexpected EOF"))
3192
3193
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003194 def _check_client_ca_list(self, func):
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003195 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003196 Verify the return value of the :py:obj:`get_client_ca_list` method for server and client connections.
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003197
Jonathan Ballet78b92a22011-07-16 08:07:26 +09003198 :param func: A function which will be called with the server context
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003199 before the client and server are connected to each other. This
3200 function should specify a list of CAs for the server to send to the
3201 client and return that same list. The list will be used to verify
Jonathan Ballet648875f2011-07-16 14:14:58 +09003202 that :py:obj:`get_client_ca_list` returns the proper value at various
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003203 times.
3204 """
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003205 server = self._server(None)
3206 client = self._client(None)
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003207 self.assertEqual(client.get_client_ca_list(), [])
3208 self.assertEqual(server.get_client_ca_list(), [])
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003209 ctx = server.get_context()
3210 expected = func(ctx)
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003211 self.assertEqual(client.get_client_ca_list(), [])
3212 self.assertEqual(server.get_client_ca_list(), expected)
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04003213 self._interactInMemory(client, server)
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003214 self.assertEqual(client.get_client_ca_list(), expected)
3215 self.assertEqual(server.get_client_ca_list(), expected)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003216
3217
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003218 def test_set_client_ca_list_errors(self):
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003219 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003220 :py:obj:`Context.set_client_ca_list` raises a :py:obj:`TypeError` if called with a
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003221 non-list or a list that contains objects other than X509Names.
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003222 """
3223 ctx = Context(TLSv1_METHOD)
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003224 self.assertRaises(TypeError, ctx.set_client_ca_list, "spam")
3225 self.assertRaises(TypeError, ctx.set_client_ca_list, ["spam"])
3226 self.assertIdentical(ctx.set_client_ca_list([]), None)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003227
3228
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003229 def test_set_empty_ca_list(self):
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003230 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003231 If passed an empty list, :py:obj:`Context.set_client_ca_list` configures the
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003232 context to send no CA names to the client and, on both the server and
Jonathan Ballet648875f2011-07-16 14:14:58 +09003233 client sides, :py:obj:`Connection.get_client_ca_list` returns an empty list
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003234 after the connection is set up.
3235 """
3236 def no_ca(ctx):
3237 ctx.set_client_ca_list([])
3238 return []
3239 self._check_client_ca_list(no_ca)
3240
3241
3242 def test_set_one_ca_list(self):
3243 """
3244 If passed a list containing a single X509Name,
Jonathan Ballet648875f2011-07-16 14:14:58 +09003245 :py:obj:`Context.set_client_ca_list` configures the context to send that CA
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003246 name to the client and, on both the server and client sides,
Jonathan Ballet648875f2011-07-16 14:14:58 +09003247 :py:obj:`Connection.get_client_ca_list` returns a list containing that
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003248 X509Name after the connection is set up.
3249 """
3250 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
3251 cadesc = cacert.get_subject()
3252 def single_ca(ctx):
3253 ctx.set_client_ca_list([cadesc])
3254 return [cadesc]
3255 self._check_client_ca_list(single_ca)
3256
3257
3258 def test_set_multiple_ca_list(self):
3259 """
3260 If passed a list containing multiple X509Name objects,
Jonathan Ballet648875f2011-07-16 14:14:58 +09003261 :py:obj:`Context.set_client_ca_list` configures the context to send those CA
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003262 names to the client and, on both the server and client sides,
Jonathan Ballet648875f2011-07-16 14:14:58 +09003263 :py:obj:`Connection.get_client_ca_list` returns a list containing those
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003264 X509Names after the connection is set up.
3265 """
3266 secert = load_certificate(FILETYPE_PEM, server_cert_pem)
3267 clcert = load_certificate(FILETYPE_PEM, server_cert_pem)
3268
3269 sedesc = secert.get_subject()
3270 cldesc = clcert.get_subject()
3271
3272 def multiple_ca(ctx):
3273 L = [sedesc, cldesc]
3274 ctx.set_client_ca_list(L)
3275 return L
3276 self._check_client_ca_list(multiple_ca)
3277
3278
3279 def test_reset_ca_list(self):
3280 """
3281 If called multiple times, only the X509Names passed to the final call
Jonathan Ballet648875f2011-07-16 14:14:58 +09003282 of :py:obj:`Context.set_client_ca_list` are used to configure the CA names
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003283 sent to the client.
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003284 """
3285 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
3286 secert = load_certificate(FILETYPE_PEM, server_cert_pem)
3287 clcert = load_certificate(FILETYPE_PEM, server_cert_pem)
3288
3289 cadesc = cacert.get_subject()
3290 sedesc = secert.get_subject()
3291 cldesc = clcert.get_subject()
3292
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003293 def changed_ca(ctx):
3294 ctx.set_client_ca_list([sedesc, cldesc])
3295 ctx.set_client_ca_list([cadesc])
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003296 return [cadesc]
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003297 self._check_client_ca_list(changed_ca)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003298
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003299
3300 def test_mutated_ca_list(self):
3301 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003302 If the list passed to :py:obj:`Context.set_client_ca_list` is mutated
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003303 afterwards, this does not affect the list of CA names sent to the
3304 client.
3305 """
3306 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
3307 secert = load_certificate(FILETYPE_PEM, server_cert_pem)
3308
3309 cadesc = cacert.get_subject()
3310 sedesc = secert.get_subject()
3311
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003312 def mutated_ca(ctx):
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003313 L = [cadesc]
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003314 ctx.set_client_ca_list([cadesc])
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003315 L.append(sedesc)
3316 return [cadesc]
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003317 self._check_client_ca_list(mutated_ca)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003318
3319
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003320 def test_add_client_ca_errors(self):
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003321 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003322 :py:obj:`Context.add_client_ca` raises :py:obj:`TypeError` if called with a non-X509
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003323 object or with a number of arguments other than one.
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003324 """
3325 ctx = Context(TLSv1_METHOD)
3326 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003327 self.assertRaises(TypeError, ctx.add_client_ca)
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003328 self.assertRaises(TypeError, ctx.add_client_ca, "spam")
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003329 self.assertRaises(TypeError, ctx.add_client_ca, cacert, cacert)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003330
3331
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04003332 def test_one_add_client_ca(self):
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003333 """
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04003334 A certificate's subject can be added as a CA to be sent to the client
Jonathan Ballet648875f2011-07-16 14:14:58 +09003335 with :py:obj:`Context.add_client_ca`.
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04003336 """
3337 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
3338 cadesc = cacert.get_subject()
3339 def single_ca(ctx):
3340 ctx.add_client_ca(cacert)
3341 return [cadesc]
3342 self._check_client_ca_list(single_ca)
3343
3344
3345 def test_multiple_add_client_ca(self):
3346 """
3347 Multiple CA names can be sent to the client by calling
Jonathan Ballet648875f2011-07-16 14:14:58 +09003348 :py:obj:`Context.add_client_ca` with multiple X509 objects.
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04003349 """
3350 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
3351 secert = load_certificate(FILETYPE_PEM, server_cert_pem)
3352
3353 cadesc = cacert.get_subject()
3354 sedesc = secert.get_subject()
3355
3356 def multiple_ca(ctx):
3357 ctx.add_client_ca(cacert)
3358 ctx.add_client_ca(secert)
3359 return [cadesc, sedesc]
3360 self._check_client_ca_list(multiple_ca)
3361
3362
3363 def test_set_and_add_client_ca(self):
3364 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003365 A call to :py:obj:`Context.set_client_ca_list` followed by a call to
3366 :py:obj:`Context.add_client_ca` results in using the CA names from the first
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04003367 call and the CA name from the second call.
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003368 """
3369 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
3370 secert = load_certificate(FILETYPE_PEM, server_cert_pem)
3371 clcert = load_certificate(FILETYPE_PEM, server_cert_pem)
3372
3373 cadesc = cacert.get_subject()
3374 sedesc = secert.get_subject()
3375 cldesc = clcert.get_subject()
3376
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003377 def mixed_set_add_ca(ctx):
3378 ctx.set_client_ca_list([cadesc, sedesc])
3379 ctx.add_client_ca(clcert)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003380 return [cadesc, sedesc, cldesc]
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003381 self._check_client_ca_list(mixed_set_add_ca)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003382
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04003383
3384 def test_set_after_add_client_ca(self):
3385 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003386 A call to :py:obj:`Context.set_client_ca_list` after a call to
3387 :py:obj:`Context.add_client_ca` replaces the CA name specified by the former
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04003388 call with the names specified by the latter cal.
3389 """
3390 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
3391 secert = load_certificate(FILETYPE_PEM, server_cert_pem)
3392 clcert = load_certificate(FILETYPE_PEM, server_cert_pem)
3393
3394 cadesc = cacert.get_subject()
3395 sedesc = secert.get_subject()
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04003396
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003397 def set_replaces_add_ca(ctx):
3398 ctx.add_client_ca(clcert)
3399 ctx.set_client_ca_list([cadesc])
3400 ctx.add_client_ca(secert)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003401 return [cadesc, sedesc]
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003402 self._check_client_ca_list(set_replaces_add_ca)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003403
Jean-Paul Calderone0b88b6a2009-07-05 12:44:41 -04003404
Jean-Paul Calderoned899af02013-03-19 22:10:37 -07003405
3406class ConnectionBIOTests(TestCase):
3407 """
3408 Tests for :py:obj:`Connection.bio_read` and :py:obj:`Connection.bio_write`.
3409 """
3410 def test_wantReadError(self):
3411 """
3412 :py:obj:`Connection.bio_read` raises :py:obj:`OpenSSL.SSL.WantReadError`
3413 if there are no bytes available to be read from the BIO.
3414 """
3415 ctx = Context(TLSv1_METHOD)
3416 conn = Connection(ctx, None)
3417 self.assertRaises(WantReadError, conn.bio_read, 1024)
3418
3419
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05003420 def test_buffer_size(self):
3421 """
3422 :py:obj:`Connection.bio_read` accepts an integer giving the maximum
3423 number of bytes to read and return.
3424 """
3425 ctx = Context(TLSv1_METHOD)
3426 conn = Connection(ctx, None)
3427 conn.set_connect_state()
3428 try:
3429 conn.do_handshake()
3430 except WantReadError:
3431 pass
3432 data = conn.bio_read(2)
3433 self.assertEqual(2, len(data))
3434
3435
3436 if not PY3:
3437 def test_buffer_size_long(self):
3438 """
3439 On Python 2 :py:obj:`Connection.bio_read` accepts values of type
3440 :py:obj:`long` as well as :py:obj:`int`.
3441 """
3442 ctx = Context(TLSv1_METHOD)
3443 conn = Connection(ctx, None)
3444 conn.set_connect_state()
3445 try:
3446 conn.do_handshake()
3447 except WantReadError:
3448 pass
3449 data = conn.bio_read(long(2))
3450 self.assertEqual(2, len(data))
3451
3452
3453
Jean-Paul Calderoned899af02013-03-19 22:10:37 -07003454
Jean-Paul Calderone31e85a82011-03-21 19:13:35 -04003455class InfoConstantTests(TestCase):
3456 """
3457 Tests for assorted constants exposed for use in info callbacks.
3458 """
3459 def test_integers(self):
3460 """
3461 All of the info constants are integers.
3462
3463 This is a very weak test. It would be nice to have one that actually
3464 verifies that as certain info events happen, the value passed to the
3465 info callback matches up with the constant exposed by OpenSSL.SSL.
3466 """
3467 for const in [
3468 SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK, SSL_ST_INIT,
3469 SSL_ST_BEFORE, SSL_ST_OK, SSL_ST_RENEGOTIATE,
3470 SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT,
3471 SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP,
3472 SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT,
3473 SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE]:
3474
3475 self.assertTrue(isinstance(const, int))
3476
Ziga Seilnacht44611bf2009-08-31 20:49:30 +02003477
Jean-Paul Calderone0b88b6a2009-07-05 12:44:41 -04003478if __name__ == '__main__':
3479 main()