Blame - tests/test_ssl.py - platform/external/python/pyopenssl

2008-03-21 17:04:05 -0400

[diff] [blame]

4

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

5

Unit tests for :mod:`OpenSSL.SSL`.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

6

"""

7

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

8

import datetime

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

9

import sys

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

10

import uuid

11

Jean-Paul Calderone

4c1aacd

2014-01-11 08:15:17 -0500

[diff] [blame]

12

from gc import collect, get_referrers

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

13

from errno import ECONNREFUSED, EINPROGRESS, EWOULDBLOCK, EPIPE, ESHUTDOWN

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

14

from sys import platform, getfilesystemencoding, version_info

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

15

from socket import MSG_PEEK, SHUT_RDWR, error, socket

Jean-Paul Calderone

a65cf6c

2009-07-19 10:26:52 -0400

[diff] [blame]

16

from os import makedirs

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

17

from os.path import join

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

18

from weakref import ref

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

19

from warnings import simplefilter

Jean-Paul Calderone

460cc1f

2009-03-07 11:31:12 -0500

[diff] [blame]

20

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

21

import pytest

22

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

23

from pretend import raiser

24

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

25

from six import PY3, text_type

Jean-Paul Calderone

c76c61c

2014-01-18 13:21:52 -0500

[diff] [blame]

26

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

27

from cryptography import x509

28

from cryptography.hazmat.backends import default_backend

29

from cryptography.hazmat.primitives import hashes

30

from cryptography.hazmat.primitives import serialization

31

from cryptography.hazmat.primitives.asymmetric import rsa

32

from cryptography.x509.oid import NameOID

33

34

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

35

from OpenSSL.crypto import TYPE_RSA, FILETYPE_PEM

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

36

from OpenSSL.crypto import PKey, X509, X509Extension, X509Store

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

37

from OpenSSL.crypto import dump_privatekey, load_privatekey

38

from OpenSSL.crypto import dump_certificate, load_certificate

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

39

from OpenSSL.crypto import get_elliptic_curves

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

40

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

41

from OpenSSL.SSL import OPENSSL_VERSION_NUMBER, SSLEAY_VERSION, SSLEAY_CFLAGS

42

from OpenSSL.SSL import SSLEAY_PLATFORM, SSLEAY_DIR, SSLEAY_BUILT_ON

Jean-Paul Calderone

e4f6b47

2010-07-29 22:50:58 -0400

[diff] [blame]

43

from OpenSSL.SSL import SENT_SHUTDOWN, RECEIVED_SHUTDOWN

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

44

from OpenSSL.SSL import (

45

SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD,

46

TLSv1_1_METHOD, TLSv1_2_METHOD)

47

from OpenSSL.SSL import OP_SINGLE_DH_USE, OP_NO_SSLv2, OP_NO_SSLv3

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

48

from OpenSSL.SSL import (

49

VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT, VERIFY_CLIENT_ONCE, VERIFY_NONE)

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

50

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

51

from OpenSSL import SSL

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

52

from OpenSSL.SSL import (

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

53

SESS_CACHE_OFF, SESS_CACHE_CLIENT, SESS_CACHE_SERVER, SESS_CACHE_BOTH,

54

SESS_CACHE_NO_AUTO_CLEAR, SESS_CACHE_NO_INTERNAL_LOOKUP,

55

SESS_CACHE_NO_INTERNAL_STORE, SESS_CACHE_NO_INTERNAL)

56

57

from OpenSSL.SSL import (

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

58

Error, SysCallError, WantReadError, WantWriteError, ZeroReturnError)

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

59

from OpenSSL.SSL import (

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

60

Context, ContextType, Session, Connection, ConnectionType, SSLeay_version)

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

61

from OpenSSL.SSL import _make_requires

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

62

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

63

from OpenSSL._util import ffi as _ffi, lib as _lib

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

64

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

65

from OpenSSL.SSL import (

66

OP_NO_QUERY_MTU, OP_COOKIE_EXCHANGE, OP_NO_TICKET, OP_NO_COMPRESSION,

67

MODE_RELEASE_BUFFERS)

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

68

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

69

try:

70

from OpenSSL.SSL import OP_NO_TLSv1, OP_NO_TLSv1_1, OP_NO_TLSv1_2

71

except ImportError:

72

OP_NO_TLSv1 = OP_NO_TLSv1_1 = OP_NO_TLSv1_2 = None

73

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

74

from OpenSSL.SSL import (

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

75

SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK,

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

76

SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT,

77

SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP,

78

SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT,

79

SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE)

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

80

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

81

try:

82

from OpenSSL.SSL import (

83

SSL_ST_INIT, SSL_ST_BEFORE, SSL_ST_OK, SSL_ST_RENEGOTIATE

84

)

85

except ImportError:

86

SSL_ST_INIT = SSL_ST_BEFORE = SSL_ST_OK = SSL_ST_RENEGOTIATE = None

87

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

88

from .util import WARNING_TYPE_EXPECTED, NON_ASCII, is_consistent_type

Hynek Schlawack

f0e6685

2015-10-16 20:18:38 +0200

[diff] [blame]

89

from .test_crypto import (

90

cleartextCertificatePEM, cleartextPrivateKeyPEM,

91

client_cert_pem, client_key_pem, server_cert_pem, server_key_pem,

92

root_cert_pem)

93

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

94

Alex Gaynor

d0bdd2d

2016-09-10 14:23:46 -0400

[diff] [blame]

95

# openssl dhparam 1024 -out dh-1024.pem (note that 1024 is a small number of

96

# bits to use)

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

97

dhparam = """\

98

-----BEGIN DH PARAMETERS-----

Alex Gaynor

d0bdd2d

2016-09-10 14:23:46 -0400

[diff] [blame]

99

MIGHAoGBALdUMvn+C9MM+y5BWZs11mSeH6HHoEq0UVbzVq7UojC1hbsZUuGukQ3a

100

Qh2/pwqb18BZFykrWB0zv/OkLa0kx4cuUgNrUVq1EFheBiX6YqryJ7t2sO09NQiO

101

V7H54LmltOT/hEh6QWsJqb6BQgH65bswvV/XkYGja8/T0GzvbaVzAgEC

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

102

-----END DH PARAMETERS-----

"""

Hynek Schlawack

2015-09-05 20:48:34 +0200

[diff] [blame]

106

skip_if_py3 = pytest.mark.skipif(PY3, reason="Python 2 only")

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

107

skip_if_py26 = pytest.mark.skipif(

108

version_info[0:2] == (2, 6),

109

reason="Python 2.7 and later only"

110

)

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

111

112

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

113

def join_bytes_or_unicode(prefix, suffix):

114

"""

115

Join two path components of either ``bytes`` or ``unicode``.

116

117

The return type is the same as the type of ``prefix``.

118

"""

119

# If the types are the same, nothing special is necessary.

120

if type(prefix) == type(suffix):

121

return join(prefix, suffix)

122

123

# Otherwise, coerce suffix to the type of prefix.

124

if isinstance(prefix, text_type):

125

return join(prefix, suffix.decode(getfilesystemencoding()))

126

else:

127

return join(prefix, suffix.encode(getfilesystemencoding()))

128

129

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

130

def verify_cb(conn, cert, errnum, depth, ok):

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

131

return ok

132

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

133

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

134

def socket_pair():

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

135

"""

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

136

Establish and return a pair of network sockets connected to each other.

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

137

"""

138

# Connect a pair of sockets

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

port = socket()

port.bind(('', 0))

port.listen(1)

client = socket()

client.setblocking(False)

Jean-Paul Calderone

f23c5d9

2009-07-23 17:58:15 -0400

[diff] [blame]

144

client.connect_ex(("127.0.0.1", port.getsockname()[1]))

Jean-Paul Calderone

94b24a8

2009-07-16 19:11:38 -0400

[diff] [blame]

145

client.setblocking(True)

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

146

server = port.accept()[0]

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

147

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

148

# Let's pass some unencrypted data to make sure our socket connection is

149

# fine. Just one byte, so we don't have to worry about buffers getting

150

# filled up or fragmentation.

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

151

server.send(b"x")

152

assert client.recv(1024) == b"x"

153

client.send(b"y")

154

assert server.recv(1024) == b"y"

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

155

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

156

# Most of our callers want non-blocking sockets, make it easy for them.

Jean-Paul Calderone

94b24a8

2009-07-16 19:11:38 -0400

[diff] [blame]

157

server.setblocking(False)

158

client.setblocking(False)

Jim Shaver

46f2891

2015-05-29 19:32:16 -0400

[diff] [blame]

159

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

160

return (server, client)

161

162

Jean-Paul Calderone

f874203

2010-09-25 00:00:32 -0400

[diff] [blame]

163

def handshake(client, server):

164

conns = [client, server]

while conns:

for conn in conns:

try:

conn.do_handshake()

except WantReadError:

pass

else:

conns.remove(conn)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

175

def _create_certificate_chain():

176

"""

177

Construct and return a chain of certificates.

178

179

1. A new self-signed certificate authority certificate (cacert)

180

2. A new intermediate certificate signed by cacert (icert)

181

3. A new server certificate signed by icert (scert)

182

"""

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

183

caext = X509Extension(b'basicConstraints', False, b'CA:true')

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

184

185

# Step 1

186

cakey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

187

cakey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

188

cacert = X509()

189

cacert.get_subject().commonName = "Authority Certificate"

190

cacert.set_issuer(cacert.get_subject())

191

cacert.set_pubkey(cakey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

192

cacert.set_notBefore(b"20000101000000Z")

193

cacert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

194

cacert.add_extensions([caext])

195

cacert.set_serial_number(0)

196

cacert.sign(cakey, "sha1")

197

198

# Step 2

199

ikey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

200

ikey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

201

icert = X509()

202

icert.get_subject().commonName = "Intermediate Certificate"

203

icert.set_issuer(cacert.get_subject())

204

icert.set_pubkey(ikey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

205

icert.set_notBefore(b"20000101000000Z")

206

icert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

207

icert.add_extensions([caext])

208

icert.set_serial_number(0)

209

icert.sign(cakey, "sha1")

210

211

# Step 3

212

skey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

213

skey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

214

scert = X509()

215

scert.get_subject().commonName = "Server Certificate"

216

scert.set_issuer(icert.get_subject())

217

scert.set_pubkey(skey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

218

scert.set_notBefore(b"20000101000000Z")

219

scert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

220

scert.add_extensions([

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

221

X509Extension(b'basicConstraints', True, b'CA:false')])

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

222

scert.set_serial_number(0)

223

scert.sign(ikey, "sha1")

224

225

return [(cakey, cacert), (ikey, icert), (skey, scert)]

226

227

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

228

def loopback_client_factory(socket):

229

client = Connection(Context(TLSv1_METHOD), socket)

230

client.set_connect_state()

return client

def loopback_server_factory(socket):

235

ctx = Context(TLSv1_METHOD)

236

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

237

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

238

server = Connection(ctx, socket)

239

server.set_accept_state()

return server

def loopback(server_factory=None, client_factory=None):

244

"""

245

Create a connected socket pair and force two connected SSL sockets

246

to talk to each other via memory BIOs.

247

"""

248

if server_factory is None:

249

server_factory = loopback_server_factory

250

if client_factory is None:

251

client_factory = loopback_client_factory

252

253

(server, client) = socket_pair()

254

server = server_factory(server)

255

client = client_factory(client)

256

257

handshake(client, server)

258

259

server.setblocking(True)

260

client.setblocking(True)

261

return server, client

262

263

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

264

def interact_in_memory(client_conn, server_conn):

265

"""

266

Try to read application bytes from each of the two `Connection` objects.

267

Copy bytes back and forth between their send/receive buffers for as long

268

as there is anything to copy. When there is nothing more to copy,

269

return `None`. If one of them actually manages to deliver some application

270

bytes, return a two-tuple of the connection from which the bytes were read

271

and the bytes themselves.

"""

wrote = True

while wrote:

# Loop until neither side has anything to say

276

wrote = False

277

278

# Copy stuff from each side's send buffer to the other side's

279

# receive buffer.

280

for (read, write) in [(client_conn, server_conn),

281

(server_conn, client_conn)]:

282

283

# Give the side a chance to generate some more bytes, or succeed.

284

try:

285

data = read.recv(2 ** 16)

286

except WantReadError:

287

# It didn't succeed, so we'll hope it generated some output.

288

pass

289

else:

290

# It did succeed, so we'll stop now and let the caller deal

# with it.

return (read, data)

while True:

# Keep copying as long as there's more stuff there.

296

try:

297

dirty = read.bio_read(4096)

298

except WantReadError:

299

# Okay, nothing more waiting to be sent. Stop

300

# processing this send buffer.

301

break

302

else:

303

# Keep track of the fact that someone generated some

304

# output.

305

wrote = True

306

write.bio_write(dirty)

307

308

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

309

def handshake_in_memory(client_conn, server_conn):

310

"""

311

Perform the TLS handshake between two `Connection` instances connected to

312

each other via memory BIOs.

313

"""

314

client_conn.set_connect_state()

315

server_conn.set_accept_state()

316

317

for conn in [client_conn, server_conn]:

318

try:

319

conn.do_handshake()

320

except WantReadError:

321

pass

322

323

interact_in_memory(client_conn, server_conn)

324

325

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

326

class TestVersion(object):

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

327

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

328

Tests for version information exposed by `OpenSSL.SSL.SSLeay_version` and

329

`OpenSSL.SSL.OPENSSL_VERSION_NUMBER`.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

330

"""

331

def test_OPENSSL_VERSION_NUMBER(self):

332

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

333

`OPENSSL_VERSION_NUMBER` is an integer with status in the low byte and

334

the patch, fix, minor, and major versions in the nibbles above that.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

335

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

336

assert isinstance(OPENSSL_VERSION_NUMBER, int)

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

337

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

338

def test_SSLeay_version(self):

339

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

340

`SSLeay_version` takes a version type indicator and returns one of a

341

number of version strings based on that indicator.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

342

"""

343

versions = {}

344

for t in [SSLEAY_VERSION, SSLEAY_CFLAGS, SSLEAY_BUILT_ON,

345

SSLEAY_PLATFORM, SSLEAY_DIR]:

346

version = SSLeay_version(t)

347

versions[version] = t

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

348

assert isinstance(version, bytes)

349

assert len(versions) == 5

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

350

351

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

352

@pytest.fixture

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

353

def ca_file(tmpdir):

354

"""

355

Create a valid PEM file with CA certificates and return the path.

356

"""

357

key = rsa.generate_private_key(

358

public_exponent=65537,

359

key_size=2048,

360

backend=default_backend()

361

)

362

public_key = key.public_key()

363

364

builder = x509.CertificateBuilder()

365

builder = builder.subject_name(x509.Name([

366

x509.NameAttribute(NameOID.COMMON_NAME, u"pyopenssl.org"),

367

]))

368

builder = builder.issuer_name(x509.Name([

369

x509.NameAttribute(NameOID.COMMON_NAME, u"pyopenssl.org"),

370

]))

371

one_day = datetime.timedelta(1, 0, 0)

372

builder = builder.not_valid_before(datetime.datetime.today() - one_day)

373

builder = builder.not_valid_after(datetime.datetime.today() + one_day)

374

builder = builder.serial_number(int(uuid.uuid4()))

375

builder = builder.public_key(public_key)

376

builder = builder.add_extension(

377

x509.BasicConstraints(ca=True, path_length=None), critical=True,

378

)

379

380

certificate = builder.sign(

381

private_key=key, algorithm=hashes.SHA256(),

382

backend=default_backend()

383

)

384

385

ca_file = tmpdir.join("test.pem")

386

ca_file.write_binary(

387

certificate.public_bytes(

388

encoding=serialization.Encoding.PEM,

)

)

return str(ca_file).encode("ascii")

393

394

395

@pytest.fixture

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

396

def context():

397

"""

398

A simple TLS 1.0 context.

399

"""

400

return Context(TLSv1_METHOD)

401

402

403

class TestContext(object):

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

404

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

405

Unit tests for `OpenSSL.SSL.Context`.

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

406

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

407

@pytest.mark.parametrize("cipher_string", [

408

b"hello world:AES128-SHA",

409

u"hello world:AES128-SHA",

410

])

411

def test_set_cipher_list(self, context, cipher_string):

412

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

413

`Context.set_cipher_list` accepts both byte and unicode strings

Hynek Schlawack

a7a63af

2016-03-11 12:05:26 +0100

[diff] [blame]

414

for naming the ciphers which connections created with the context

415

object will be able to choose from.

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

416

"""

417

context.set_cipher_list(cipher_string)

418

conn = Connection(context, None)

419

420

assert "AES128-SHA" in conn.get_cipher_list()

421

422

@pytest.mark.parametrize("cipher_list,error", [

423

(object(), TypeError),

424

("imaginary-cipher", Error),

425

])

426

def test_set_cipher_list_wrong_args(self, context, cipher_list, error):

427

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

428

`Context.set_cipher_list` raises `TypeError` when passed a non-string

429

argument and raises `OpenSSL.SSL.Error` when passed an incorrect cipher

430

list string.

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

431

"""

432

with pytest.raises(error):

433

context.set_cipher_list(cipher_list)

434

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

435

def test_load_client_ca(self, context, ca_file):

436

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

437

`Context.load_client_ca` works as far as we can tell.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

438

"""

439

context.load_client_ca(ca_file)

440

441

def test_load_client_ca_invalid(self, context, tmpdir):

442

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

443

`Context.load_client_ca` raises an Error if the ca file is invalid.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

444

"""

445

ca_file = tmpdir.join("test.pem")

446

ca_file.write("")

447

448

with pytest.raises(Error) as e:

449

context.load_client_ca(str(ca_file).encode("ascii"))

450

451

assert "PEM routines" == e.value.args[0][0][0]

452

453

def test_load_client_ca_unicode(self, context, ca_file):

454

"""

455

Passing the path as unicode raises a warning but works.

456

"""

457

pytest.deprecated_call(

458

context.load_client_ca, ca_file.decode("ascii")

459

)

460

461

def test_set_session_id(self, context):

462

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

463

`Context.set_session_id` works as far as we can tell.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

464

"""

465

context.set_session_id(b"abc")

466

467

def test_set_session_id_fail(self, context):

468

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

469

`Context.set_session_id` errors are propagated.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

470

"""

471

with pytest.raises(Error) as e:

472

context.set_session_id(b"abc" * 1000)

assert [

("SSL routines",

"SSL_CTX_set_session_id_context",

477

"ssl session id context too long")

478

] == e.value.args[0]

479

480

def test_set_session_id_unicode(self, context):

481

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

482

`Context.set_session_id` raises a warning if a unicode string is

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

483

passed.

484

"""

485

pytest.deprecated_call(context.set_session_id, u"abc")

486

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

487

def test_method(self):

488

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

489

`Context` can be instantiated with one of `SSLv2_METHOD`,

490

`SSLv3_METHOD`, `SSLv23_METHOD`, `TLSv1_METHOD`, `TLSv1_1_METHOD`,

491

or `TLSv1_2_METHOD`.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

492

"""

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

493

methods = [SSLv23_METHOD, TLSv1_METHOD]

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

494

for meth in methods:

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

495

Context(meth)

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

496

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

497

maybe = [SSLv2_METHOD, SSLv3_METHOD, TLSv1_1_METHOD, TLSv1_2_METHOD]

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

for meth in maybe:

try:

Context(meth)

except (Error, ValueError):

502

# Some versions of OpenSSL have SSLv2 / TLSv1.1 / TLSv1.2, some

503

# don't. Difficult to say in advance.

504

pass

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

505

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

506

with pytest.raises(TypeError):

507

Context("")

508

with pytest.raises(ValueError):

509

Context(10)

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

510

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

511

@skip_if_py3

512

def test_method_long(self):

513

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

514

On Python 2 `Context` accepts values of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

515

"""

516

Context(long(TLSv1_METHOD))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

517

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

518

def test_type(self):

519

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

520

`Context` and `ContextType` refer to the same type object and can

521

be used to create instances of that type.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

522

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

523

assert Context is ContextType

524

assert is_consistent_type(Context, 'Context', TLSv1_METHOD)

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

525

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

526

def test_use_privatekey(self):

527

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

528

`Context.use_privatekey` takes an `OpenSSL.crypto.PKey` instance.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

529

"""

530

key = PKey()

531

key.generate_key(TYPE_RSA, 128)

532

ctx = Context(TLSv1_METHOD)

533

ctx.use_privatekey(key)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

534

with pytest.raises(TypeError):

535

ctx.use_privatekey("")

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

536

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

537

def test_use_privatekey_file_missing(self, tmpfile):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

538

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

539

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` when passed

540

the name of a file which does not exist.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

541

"""

542

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

543

with pytest.raises(Error):

544

ctx.use_privatekey_file(tmpfile)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

545

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

546

def _use_privatekey_file_test(self, pemfile, filetype):

547

"""

548

Verify that calling ``Context.use_privatekey_file`` with the given

549

arguments does not raise an exception.

550

"""

551

key = PKey()

552

key.generate_key(TYPE_RSA, 128)

553

554

with open(pemfile, "wt") as pem:

555

pem.write(

556

dump_privatekey(FILETYPE_PEM, key).decode("ascii")

557

)

558

559

ctx = Context(TLSv1_METHOD)

560

ctx.use_privatekey_file(pemfile, filetype)

561

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

562

@pytest.mark.parametrize('filetype', [object(), "", None, 1.0])

563

def test_wrong_privatekey_file_wrong_args(self, tmpfile, filetype):

564

"""

565

`Context.use_privatekey_file` raises `TypeError` when called with

566

a `filetype` which is not a valid file encoding.

567

"""

568

ctx = Context(TLSv1_METHOD)

569

with pytest.raises(TypeError):

570

ctx.use_privatekey_file(tmpfile, filetype)

571

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

572

def test_use_privatekey_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

573

"""

574

A private key can be specified from a file by passing a ``bytes``

575

instance giving the file name to ``Context.use_privatekey_file``.

576

"""

577

self._use_privatekey_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

578

tmpfile + NON_ASCII.encode(getfilesystemencoding()),

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

FILETYPE_PEM,

)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

582

def test_use_privatekey_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

583

"""

584

A private key can be specified from a file by passing a ``unicode``

585

instance giving the file name to ``Context.use_privatekey_file``.

586

"""

587

self._use_privatekey_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

588

tmpfile.decode(getfilesystemencoding()) + NON_ASCII,

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

FILETYPE_PEM,

)

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

592

@skip_if_py3

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

593

def test_use_privatekey_file_long(self, tmpfile):

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

594

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

595

On Python 2 `Context.use_privatekey_file` accepts a filetype of

596

type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

597

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

598

self._use_privatekey_file_test(tmpfile, long(FILETYPE_PEM))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

599

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

600

def test_use_certificate_wrong_args(self):

601

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

602

`Context.use_certificate_wrong_args` raises `TypeError` when not passed

603

exactly one `OpenSSL.crypto.X509` instance as an argument.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

604

"""

605

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

606

with pytest.raises(TypeError):

607

ctx.use_certificate("hello, world")

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

608

609

def test_use_certificate_uninitialized(self):

610

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

611

`Context.use_certificate` raises `OpenSSL.SSL.Error` when passed a

612

`OpenSSL.crypto.X509` instance which has not been initialized

613

(ie, which does not actually have any certificate data).

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

614

"""

615

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

616

with pytest.raises(Error):

617

ctx.use_certificate(X509())

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

618

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

619

def test_use_certificate(self):

620

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

621

`Context.use_certificate` sets the certificate which will be

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

622

used to identify connections created using the context.

623

"""

624

# TODO

625

# Hard to assert anything. But we could set a privatekey then ask

626

# OpenSSL if the cert and key agree using check_privatekey. Then as

627

# long as check_privatekey works right we're good...

628

ctx = Context(TLSv1_METHOD)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

629

ctx.use_certificate(

630

load_certificate(FILETYPE_PEM, cleartextCertificatePEM)

631

)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

632

633

def test_use_certificate_file_wrong_args(self):

634

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

635

`Context.use_certificate_file` raises `TypeError` if the first

636

argument is not a byte string or the second argument is not an integer.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

637

"""

638

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

639

with pytest.raises(TypeError):

640

ctx.use_certificate_file(object(), FILETYPE_PEM)

641

with pytest.raises(TypeError):

642

ctx.use_certificate_file(b"somefile", object())

643

with pytest.raises(TypeError):

644

ctx.use_certificate_file(object(), FILETYPE_PEM)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

645

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

646

def test_use_certificate_file_missing(self, tmpfile):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

647

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

648

`Context.use_certificate_file` raises `OpenSSL.SSL.Error` if passed

649

the name of a file which does not exist.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

650

"""

651

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

652

with pytest.raises(Error):

653

ctx.use_certificate_file(tmpfile)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

654

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

655

def _use_certificate_file_test(self, certificate_file):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

656

"""

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

657

Verify that calling ``Context.use_certificate_file`` with the given

658

filename doesn't raise an exception.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

659

"""

660

# TODO

661

# Hard to assert anything. But we could set a privatekey then ask

662

# OpenSSL if the cert and key agree using check_privatekey. Then as

663

# long as check_privatekey works right we're good...

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

664

with open(certificate_file, "wb") as pem_file:

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

665

pem_file.write(cleartextCertificatePEM)

666

667

ctx = Context(TLSv1_METHOD)

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

668

ctx.use_certificate_file(certificate_file)

669

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

670

def test_use_certificate_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

671

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

672

`Context.use_certificate_file` sets the certificate (given as a

673

`bytes` filename) which will be used to identify connections created

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

674

using the context.

675

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

676

filename = tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

677

self._use_certificate_file_test(filename)

678

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

679

def test_use_certificate_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

680

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

681

`Context.use_certificate_file` sets the certificate (given as a

682

`bytes` filename) which will be used to identify connections created

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

683

using the context.

684

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

685

filename = tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

686

self._use_certificate_file_test(filename)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

687

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

688

@skip_if_py3

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

689

def test_use_certificate_file_long(self, tmpfile):

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

690

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

691

On Python 2 `Context.use_certificate_file` accepts a

692

filetype of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

693

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

694

pem_filename = tmpfile

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

695

with open(pem_filename, "wb") as pem_file:

696

pem_file.write(cleartextCertificatePEM)

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

697

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

698

ctx = Context(TLSv1_METHOD)

699

ctx.use_certificate_file(pem_filename, long(FILETYPE_PEM))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

700

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

701

def test_check_privatekey_valid(self):

702

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

703

`Context.check_privatekey` returns `None` if the `Context` instance

704

has been configured to use a matched key and certificate pair.

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

705

"""

706

key = load_privatekey(FILETYPE_PEM, client_key_pem)

707

cert = load_certificate(FILETYPE_PEM, client_cert_pem)

708

context = Context(TLSv1_METHOD)

709

context.use_privatekey(key)

710

context.use_certificate(cert)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

711

assert None is context.check_privatekey()

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

712

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

713

def test_check_privatekey_invalid(self):

714

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

715

`Context.check_privatekey` raises `Error` if the `Context` instance

716

has been configured to use a key and certificate pair which don't

717

relate to each other.

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

718

"""

719

key = load_privatekey(FILETYPE_PEM, client_key_pem)

720

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

721

context = Context(TLSv1_METHOD)

722

context.use_privatekey(key)

723

context.use_certificate(cert)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

724

with pytest.raises(Error):

725

context.check_privatekey()

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

726

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

727

def test_app_data(self):

728

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

729

`Context.set_app_data` stores an object for later retrieval

730

using `Context.get_app_data`.

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

731

"""

732

app_data = object()

733

context = Context(TLSv1_METHOD)

734

context.set_app_data(app_data)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

735

assert context.get_app_data() is app_data

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

736

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

737

def test_set_options_wrong_args(self):

738

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

739

`Context.set_options` raises `TypeError` if called with

740

a non-`int` argument.

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

741

"""

742

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

743

with pytest.raises(TypeError):

744

context.set_options(None)

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

745

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

746

def test_set_options(self):

747

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

748

`Context.set_options` returns the new options value.

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

749

"""

750

context = Context(TLSv1_METHOD)

751

options = context.set_options(OP_NO_SSLv2)

Alex Gaynor

2310f8b

2016-09-10 14:39:32 -0400

[diff] [blame]

752

assert options & OP_NO_SSLv2 == OP_NO_SSLv2

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

753

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

754

@skip_if_py3

755

def test_set_options_long(self):

756

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

757

On Python 2 `Context.set_options` accepts values of type

758

`long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

759

"""

760

context = Context(TLSv1_METHOD)

761

options = context.set_options(long(OP_NO_SSLv2))

Alex Gaynor

2310f8b

2016-09-10 14:39:32 -0400

[diff] [blame]

762

assert options & OP_NO_SSLv2 == OP_NO_SSLv2

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

763

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

764

def test_set_mode_wrong_args(self):

765

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

766

`Context.set_mode` raises `TypeError` if called with

767

a non-`int` argument.

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

768

"""

769

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

770

with pytest.raises(TypeError):

771

context.set_mode(None)

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

772

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

773

def test_set_mode(self):

774

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

775

`Context.set_mode` accepts a mode bitvector and returns the

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

776

newly set mode.

777

"""

778

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

779

assert MODE_RELEASE_BUFFERS & context.set_mode(MODE_RELEASE_BUFFERS)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

780

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

781

@skip_if_py3

782

def test_set_mode_long(self):

783

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

784

On Python 2 `Context.set_mode` accepts values of type `long` as well

785

as `int`.

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

786

"""

787

context = Context(TLSv1_METHOD)

788

mode = context.set_mode(long(MODE_RELEASE_BUFFERS))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

789

assert MODE_RELEASE_BUFFERS & mode

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

790

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

791

def test_set_timeout_wrong_args(self):

792

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

793

`Context.set_timeout` raises `TypeError` if called with

794

a non-`int` argument.

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

795

"""

796

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

797

with pytest.raises(TypeError):

798

context.set_timeout(None)

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

799

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

800

def test_timeout(self):

801

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

802

`Context.set_timeout` sets the session timeout for all connections

803

created using the context object. `Context.get_timeout` retrieves

804

this value.

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

805

"""

806

context = Context(TLSv1_METHOD)

807

context.set_timeout(1234)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

808

assert context.get_timeout() == 1234

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

809

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

810

@skip_if_py3

811

def test_timeout_long(self):

812

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

813

On Python 2 `Context.set_timeout` accepts values of type `long` as

814

well as int.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

815

"""

816

context = Context(TLSv1_METHOD)

817

context.set_timeout(long(1234))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

818

assert context.get_timeout() == 1234

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

819

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

820

def test_set_verify_depth_wrong_args(self):

821

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

822

`Context.set_verify_depth` raises `TypeError` if called with a

823

non-`int` argument.

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

824

"""

825

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

826

with pytest.raises(TypeError):

827

context.set_verify_depth(None)

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

828

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

829

def test_verify_depth(self):

830

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

831

`Context.set_verify_depth` sets the number of certificates in

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

832

a chain to follow before giving up. The value can be retrieved with

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

833

`Context.get_verify_depth`.

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

834

"""

835

context = Context(TLSv1_METHOD)

836

context.set_verify_depth(11)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

837

assert context.get_verify_depth() == 11

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

838

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

839

@skip_if_py3

840

def test_verify_depth_long(self):

841

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

842

On Python 2 `Context.set_verify_depth` accepts values of type `long`

843

as well as int.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

844

"""

845

context = Context(TLSv1_METHOD)

846

context.set_verify_depth(long(11))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

847

assert context.get_verify_depth() == 11

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

848

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

849

def _write_encrypted_pem(self, passphrase, tmpfile):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

850

"""

851

Write a new private key out to a new file, encrypted using the given

852

passphrase. Return the path to the new file.

853

"""

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

854

key = PKey()

855

key.generate_key(TYPE_RSA, 128)

Jean-Paul Calderone

a986883

2010-08-22 21:38:34 -0400

[diff] [blame]

856

pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

857

with open(tmpfile, 'w') as fObj:

858

fObj.write(pem.decode('ascii'))

859

return tmpfile

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

860

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

861

def test_set_passwd_cb_wrong_args(self):

862

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

863

`Context.set_passwd_cb` raises `TypeError` if called with a

864

non-callable first argument.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

865

"""

866

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

867

with pytest.raises(TypeError):

868

context.set_passwd_cb(None)

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

869

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

870

def test_set_passwd_cb(self, tmpfile):

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

871

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

872

`Context.set_passwd_cb` accepts a callable which will be invoked when

873

a private key is loaded from an encrypted PEM.

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

874

"""

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

875

passphrase = b"foobar"

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

876

pemFile = self._write_encrypted_pem(passphrase, tmpfile)

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

877

calledWith = []

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

878

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

879

def passphraseCallback(maxlen, verify, extra):

880

calledWith.append((maxlen, verify, extra))

881

return passphrase

882

context = Context(TLSv1_METHOD)

883

context.set_passwd_cb(passphraseCallback)

884

context.use_privatekey_file(pemFile)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

885

assert len(calledWith) == 1

886

assert isinstance(calledWith[0][0], int)

887

assert isinstance(calledWith[0][1], int)

888

assert calledWith[0][2] is None

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

889

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

890

def test_passwd_callback_exception(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

891

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

892

`Context.use_privatekey_file` propagates any exception raised

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

893

by the passphrase callback.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

894

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

895

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

896

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

897

def passphraseCallback(maxlen, verify, extra):

898

raise RuntimeError("Sorry, I am a fail.")

899

900

context = Context(TLSv1_METHOD)

901

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

902

with pytest.raises(RuntimeError):

903

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

904

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

905

def test_passwd_callback_false(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

906

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

907

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` if the

908

passphrase callback returns a false value.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

909

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

910

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

911

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

912

def passphraseCallback(maxlen, verify, extra):

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

913

return b""

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

914

915

context = Context(TLSv1_METHOD)

916

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

917

with pytest.raises(Error):

918

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

919

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

920

def test_passwd_callback_non_string(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

921

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

922

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` if the

923

passphrase callback returns a true non-string value.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

924

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

925

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

926

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

927

def passphraseCallback(maxlen, verify, extra):

928

return 10

929

930

context = Context(TLSv1_METHOD)

931

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

932

# TODO: Surely this is the wrong error?

933

with pytest.raises(ValueError):

934

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

935

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

936

def test_passwd_callback_too_long(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

937

"""

938

If the passphrase returned by the passphrase callback returns a string

939

longer than the indicated maximum length, it is truncated.

940

"""

941

# A priori knowledge!

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

942

passphrase = b"x" * 1024

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

943

pemFile = self._write_encrypted_pem(passphrase, tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

944

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

945

def passphraseCallback(maxlen, verify, extra):

946

assert maxlen == 1024

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

947

return passphrase + b"y"

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

948

949

context = Context(TLSv1_METHOD)

950

context.set_passwd_cb(passphraseCallback)

951

# This shall succeed because the truncated result is the correct

952

# passphrase.

953

context.use_privatekey_file(pemFile)

954

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

955

def test_set_info_callback(self):

956

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

957

`Context.set_info_callback` accepts a callable which will be

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

958

invoked when certain information about an SSL connection is available.

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

959

"""

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

960

(server, client) = socket_pair()

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

961

962

clientSSL = Connection(Context(TLSv1_METHOD), client)

963

clientSSL.set_connect_state()

964

965

called = []

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

966

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

967

def info(conn, where, ret):

968

called.append((conn, where, ret))

969

context = Context(TLSv1_METHOD)

970

context.set_info_callback(info)

971

context.use_certificate(

972

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

973

context.use_privatekey(

974

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

975

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

976

serverSSL = Connection(context, server)

977

serverSSL.set_accept_state()

978

Jean-Paul Calderone

f2bbc9c

2014-02-02 10:59:14 -0500

[diff] [blame]

979

handshake(clientSSL, serverSSL)

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

980

Jean-Paul Calderone

3835e52

2014-02-02 11:12:30 -0500

[diff] [blame]

981

# The callback must always be called with a Connection instance as the

982

# first argument. It would probably be better to split this into

983

# separate tests for client and server side info callbacks so we could

984

# assert it is called with the right Connection instance. It would

985

# also be good to assert *something* about `where` and `ret`.

Jean-Paul Calderone

f2bbc9c

2014-02-02 10:59:14 -0500

[diff] [blame]

986

notConnections = [

987

conn for (conn, where, ret) in called

988

if not isinstance(conn, Connection)]

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

989

assert [] == notConnections, (

990

"Some info callback arguments were not Connection instances.")

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

991

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

992

def _load_verify_locations_test(self, *args):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

993

"""

994

Create a client context which will verify the peer certificate and call

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

995

its `load_verify_locations` method with the given arguments.

Jean-Paul Calderone

64efa2c

2011-09-11 10:00:09 -0400

[diff] [blame]

996

Then connect it to a server and ensure that the handshake succeeds.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

997

"""

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

998

(server, client) = socket_pair()

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

999

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1000

clientContext = Context(TLSv1_METHOD)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1001

clientContext.load_verify_locations(*args)

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1002

# Require that the server certificate verify properly or the

1003

# connection will fail.

1004

clientContext.set_verify(

1005

VERIFY_PEER,

1006

lambda conn, cert, errno, depth, preverify_ok: preverify_ok)

1007

1008

clientSSL = Connection(clientContext, client)

1009

clientSSL.set_connect_state()

1010

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1011

serverContext = Context(TLSv1_METHOD)

1012

serverContext.use_certificate(

1013

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1014

serverContext.use_privatekey(

1015

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1016

1017

serverSSL = Connection(serverContext, server)

1018

serverSSL.set_accept_state()

1019

Jean-Paul Calderone

f874203

2010-09-25 00:00:32 -0400

[diff] [blame]

1020

# Without load_verify_locations above, the handshake

1021

# will fail:

1022

# Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE',

1023

# 'certificate verify failed')]

1024

handshake(clientSSL, serverSSL)

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1025

1026

cert = clientSSL.get_peer_certificate()

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1027

assert cert.get_subject().CN == 'Testing Root CA'

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1028

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1029

def _load_verify_cafile(self, cafile):

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1030

"""

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1031

Verify that if path to a file containing a certificate is passed to

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1032

`Context.load_verify_locations` for the ``cafile`` parameter, that

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1033

certificate is used as a trust root for the purposes of verifying

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1034

connections created using that `Context`.

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1035

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1036

with open(cafile, 'w') as fObj:

1037

fObj.write(cleartextCertificatePEM.decode('ascii'))

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1038

1039

self._load_verify_locations_test(cafile)

1040

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1041

def test_load_verify_bytes_cafile(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1042

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1043

`Context.load_verify_locations` accepts a file name as a `bytes`

1044

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1045

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1046

cafile = tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1047

self._load_verify_cafile(cafile)

1048

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1049

def test_load_verify_unicode_cafile(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1050

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1051

`Context.load_verify_locations` accepts a file name as a `unicode`

1052

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1053

"""

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1054

self._load_verify_cafile(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1055

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1056

)

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1057

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1058

def test_load_verify_invalid_file(self, tmpfile):

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1059

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1060

`Context.load_verify_locations` raises `Error` when passed a

1061

non-existent cafile.

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1062

"""

1063

clientContext = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1064

with pytest.raises(Error):

1065

clientContext.load_verify_locations(tmpfile)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1066

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1067

def _load_verify_directory_locations_capath(self, capath):

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1068

"""

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1069

Verify that if path to a directory containing certificate files is

1070

passed to ``Context.load_verify_locations`` for the ``capath``

1071

parameter, those certificates are used as trust roots for the purposes

1072

of verifying connections created using that ``Context``.

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1073

"""

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1074

makedirs(capath)

Jean-Paul Calderone

24dfb33

2011-05-04 18:10:26 -0400

[diff] [blame]

1075

# Hash values computed manually with c_rehash to avoid depending on

1076

# c_rehash in the test suite. One is from OpenSSL 0.9.8, the other

1077

# from OpenSSL 1.0.0.

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

1078

for name in [b'c7adac82.0', b'c3705638.0']:

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

1079

cafile = join_bytes_or_unicode(capath, name)

1080

with open(cafile, 'w') as fObj:

1081

fObj.write(cleartextCertificatePEM.decode('ascii'))

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1082

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1083

self._load_verify_locations_test(None, capath)

1084

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1085

def test_load_verify_directory_bytes_capath(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1086

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1087

`Context.load_verify_locations` accepts a directory name as a `bytes`

1088

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1089

"""

1090

self._load_verify_directory_locations_capath(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1091

tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1092

)

1093

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1094

def test_load_verify_directory_unicode_capath(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1095

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1096

`Context.load_verify_locations` accepts a directory name as a `unicode`

1097

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1098

"""

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1099

self._load_verify_directory_locations_capath(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1100

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1101

)

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1102

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1103

def test_load_verify_locations_wrong_args(self):

1104

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1105

`Context.load_verify_locations` raises `TypeError` if with non-`str`

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1106

arguments.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1107

"""

1108

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1109

with pytest.raises(TypeError):

1110

context.load_verify_locations(object())

1111

with pytest.raises(TypeError):

1112

context.load_verify_locations(object(), object())

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1113

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1114

@pytest.mark.skipif(

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

1115

not platform.startswith("linux"),

1116

reason="Loading fallback paths is a linux-specific behavior to "

1117

"accommodate pyca/cryptography manylinux1 wheels"

1118

)

1119

def test_fallback_default_verify_paths(self, monkeypatch):

1120

"""

1121

Test that we load certificates successfully on linux from the fallback

1122

path. To do this we set the _CRYPTOGRAPHY_MANYLINUX1_CA_FILE and

1123

_CRYPTOGRAPHY_MANYLINUX1_CA_DIR vars to be equal to whatever the

1124

current OpenSSL default is and we disable

1125

SSL_CTX_SET_default_verify_paths so that it can't find certs unless

1126

it loads via fallback.

1127

"""

1128

context = Context(TLSv1_METHOD)

1129

monkeypatch.setattr(

1130

_lib, "SSL_CTX_set_default_verify_paths", lambda x: 1

)

monkeypatch.setattr(

SSL,

"_CRYPTOGRAPHY_MANYLINUX1_CA_FILE",

1135

_ffi.string(_lib.X509_get_default_cert_file())

)

monkeypatch.setattr(

SSL,

"_CRYPTOGRAPHY_MANYLINUX1_CA_DIR",

1140

_ffi.string(_lib.X509_get_default_cert_dir())

1141

)

1142

context.set_default_verify_paths()

1143

store = context.get_cert_store()

1144

sk_obj = _lib.X509_STORE_get0_objects(store._store)

1145

assert sk_obj != _ffi.NULL

1146

num = _lib.sk_X509_OBJECT_num(sk_obj)

1147

assert num != 0

1148

1149

def test_check_env_vars(self, monkeypatch):

1150

"""

1151

Test that we return True/False appropriately if the env vars are set.

1152

"""

1153

context = Context(TLSv1_METHOD)

1154

dir_var = "CUSTOM_DIR_VAR"

1155

file_var = "CUSTOM_FILE_VAR"

1156

assert context._check_env_vars_set(dir_var, file_var) is False

1157

monkeypatch.setenv(dir_var, "value")

1158

monkeypatch.setenv(file_var, "value")

1159

assert context._check_env_vars_set(dir_var, file_var) is True

1160

assert context._check_env_vars_set(dir_var, file_var) is True

1161

1162

def test_verify_no_fallback_if_env_vars_set(self, monkeypatch):

1163

"""

1164

Test that we don't use the fallback path if env vars are set.

1165

"""

1166

context = Context(TLSv1_METHOD)

1167

monkeypatch.setattr(

1168

_lib, "SSL_CTX_set_default_verify_paths", lambda x: 1

1169

)

1170

dir_env_var = _ffi.string(

1171

_lib.X509_get_default_cert_dir_env()

1172

).decode("ascii")

1173

file_env_var = _ffi.string(

1174

_lib.X509_get_default_cert_file_env()

1175

).decode("ascii")

1176

monkeypatch.setenv(dir_env_var, "value")

1177

monkeypatch.setenv(file_env_var, "value")

1178

context.set_default_verify_paths()

monkeypatch.setattr(

context,

"_fallback_default_verify_paths",

1183

raiser(SystemError)

1184

)

1185

context.set_default_verify_paths()

1186

1187

@pytest.mark.skipif(

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1188

platform == "win32",

1189

reason="set_default_verify_paths appears not to work on Windows. "

Jean-Paul Calderone

28fb8f0

2009-07-24 18:01:31 -0400

[diff] [blame]

1190

"See LP#404343 and LP#404344."

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1191

)

1192

def test_set_default_verify_paths(self):

1193

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1194

`Context.set_default_verify_paths` causes the platform-specific CA

1195

certificate locations to be used for verification purposes.

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1196

"""

1197

# Testing this requires a server with a certificate signed by one

1198

# of the CAs in the platform CA location. Getting one of those

1199

# costs money. Fortunately (or unfortunately, depending on your

1200

# perspective), it's easy to think of a public server on the

1201

# internet which has such a certificate. Connecting to the network

1202

# in a unit test is bad, but it's the only way I can think of to

1203

# really test this. -exarkun

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1204

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1205

# Arg, verisign.com doesn't speak anything newer than TLS 1.0

Hynek Schlawack

bf88793

2015-10-21 17:13:47 +0200

[diff] [blame]

1206

context = Context(SSLv23_METHOD)

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1207

context.set_default_verify_paths()

1208

context.set_verify(

1209

VERIFY_PEER,

1210

lambda conn, cert, errno, depth, preverify_ok: preverify_ok)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1211

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1212

client = socket()

Hynek Schlawack

bf88793

2015-10-21 17:13:47 +0200

[diff] [blame]

1213

client.connect(("encrypted.google.com", 443))

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1214

clientSSL = Connection(context, client)

1215

clientSSL.set_connect_state()

1216

clientSSL.do_handshake()

1217

clientSSL.send(b"GET / HTTP/1.0\r\n\r\n")

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1218

assert clientSSL.recv(1024)

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

1219

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

1220

def test_fallback_path_is_not_file_or_dir(self):

1221

"""

1222

Test that when passed empty arrays or paths that do not exist no

1223

errors are raised.

1224

"""

1225

context = Context(TLSv1_METHOD)

1226

context._fallback_default_verify_paths([], [])

1227

context._fallback_default_verify_paths(

1228

["/not/a/file"], ["/not/a/dir"]

1229

)

1230

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1231

def test_add_extra_chain_cert_invalid_cert(self):

1232

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1233

`Context.add_extra_chain_cert` raises `TypeError` if called with an

1234

object which is not an instance of `X509`.

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1235

"""

1236

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1237

with pytest.raises(TypeError):

1238

context.add_extra_chain_cert(object())

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1239

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1240

def _handshake_test(self, serverContext, clientContext):

1241

"""

1242

Verify that a client and server created with the given contexts can

1243

successfully handshake and communicate.

1244

"""

1245

serverSocket, clientSocket = socket_pair()

1246

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1247

server = Connection(serverContext, serverSocket)

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

1248

server.set_accept_state()

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1249

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1250

client = Connection(clientContext, clientSocket)

1251

client.set_connect_state()

1252

1253

# Make them talk to each other.

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1254

# interact_in_memory(client, server)

1255

for _ in range(3):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1256

for s in [client, server]:

1257

try:

1258

s.do_handshake()

1259

except WantReadError:

1260

pass

1261

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1262

def test_set_verify_callback_connection_argument(self):

1263

"""

1264

The first argument passed to the verify callback is the

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1265

`Connection` instance for which verification is taking place.

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1266

"""

1267

serverContext = Context(TLSv1_METHOD)

1268

serverContext.use_privatekey(

1269

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1270

serverContext.use_certificate(

1271

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1272

serverConnection = Connection(serverContext, None)

1273

1274

class VerifyCallback(object):

1275

def callback(self, connection, *args):

1276

self.connection = connection

1277

return 1

1278

1279

verify = VerifyCallback()

1280

clientContext = Context(TLSv1_METHOD)

1281

clientContext.set_verify(VERIFY_PEER, verify.callback)

1282

clientConnection = Connection(clientContext, None)

1283

clientConnection.set_connect_state()

1284

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1285

handshake_in_memory(clientConnection, serverConnection)

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1286

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1287

assert verify.connection is clientConnection

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1288

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1289

def test_set_verify_callback_exception(self):

1290

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1291

If the verify callback passed to `Context.set_verify` raises an

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1292

exception, verification fails and the exception is propagated to the

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1293

caller of `Connection.do_handshake`.

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1294

"""

1295

serverContext = Context(TLSv1_METHOD)

1296

serverContext.use_privatekey(

1297

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1298

serverContext.use_certificate(

1299

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1300

1301

clientContext = Context(TLSv1_METHOD)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1302

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1303

def verify_callback(*args):

1304

raise Exception("silly verify failure")

1305

clientContext.set_verify(VERIFY_PEER, verify_callback)

1306

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1307

with pytest.raises(Exception) as exc:

1308

self._handshake_test(serverContext, clientContext)

1309

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1310

assert "silly verify failure" == str(exc.value)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1311

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1312

def test_add_extra_chain_cert(self, tmpdir):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1313

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1314

`Context.add_extra_chain_cert` accepts an `X509`

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1315

instance to add to the certificate chain.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1316

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1317

See `_create_certificate_chain` for the details of the

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1318

certificate chain tested.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1319

1320

The chain is tested by starting a server with scert and connecting

1321

to it with a client which trusts cacert and requires verification to

1322

succeed.

1323

"""

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

1324

chain = _create_certificate_chain()

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1325

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

1326

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1327

# Dump the CA certificate to a file because that's the only way to load

1328

# it as a trusted CA in the client context.

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1329

for cert, name in [(cacert, 'ca.pem'),

1330

(icert, 'i.pem'),

1331

(scert, 's.pem')]:

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1332

with tmpdir.join(name).open('w') as f:

Hynek Schlawack

e90680f

2015-04-16 15:09:27 -0400

[diff] [blame]

1333

f.write(dump_certificate(FILETYPE_PEM, cert).decode('ascii'))

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1334

Hynek Schlawack

1902c01

2015-04-16 15:06:41 -0400

[diff] [blame]

1335

for key, name in [(cakey, 'ca.key'),

1336

(ikey, 'i.key'),

1337

(skey, 's.key')]:

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1338

with tmpdir.join(name).open('w') as f:

Hynek Schlawack

e90680f

2015-04-16 15:09:27 -0400

[diff] [blame]

1339

f.write(dump_privatekey(FILETYPE_PEM, key).decode('ascii'))

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1340

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1341

# Create the server context

1342

serverContext = Context(TLSv1_METHOD)

1343

serverContext.use_privatekey(skey)

1344

serverContext.use_certificate(scert)

Jean-Paul Calderone

16cf03d

2010-09-08 18:53:39 -0400

[diff] [blame]

1345

# The client already has cacert, we only need to give them icert.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1346

serverContext.add_extra_chain_cert(icert)

1347

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1348

# Create the client

1349

clientContext = Context(TLSv1_METHOD)

1350

clientContext.set_verify(

1351

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1352

clientContext.load_verify_locations(str(tmpdir.join("ca.pem")))

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

1353

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1354

# Try it out.

1355

self._handshake_test(serverContext, clientContext)

1356

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1357

def _use_certificate_chain_file_test(self, certdir):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1358

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1359

Verify that `Context.use_certificate_chain_file` reads a

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1360

certificate chain from a specified file.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1361

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1362

The chain is tested by starting a server with scert and connecting to

1363

it with a client which trusts cacert and requires verification to

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1364

succeed.

1365

"""

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

1366

chain = _create_certificate_chain()

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1367

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

1368

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1369

makedirs(certdir)

1370

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

1371

chainFile = join_bytes_or_unicode(certdir, "chain.pem")

1372

caFile = join_bytes_or_unicode(certdir, "ca.pem")

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1373

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1374

# Write out the chain file.

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1375

with open(chainFile, 'wb') as fObj:

1376

# Most specific to least general.

1377

fObj.write(dump_certificate(FILETYPE_PEM, scert))

1378

fObj.write(dump_certificate(FILETYPE_PEM, icert))

1379

fObj.write(dump_certificate(FILETYPE_PEM, cacert))

1380

1381

with open(caFile, 'w') as fObj:

1382

fObj.write(dump_certificate(FILETYPE_PEM, cacert).decode('ascii'))

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1383

1384

serverContext = Context(TLSv1_METHOD)

1385

serverContext.use_certificate_chain_file(chainFile)

1386

serverContext.use_privatekey(skey)

1387

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1388

clientContext = Context(TLSv1_METHOD)

1389

clientContext.set_verify(

1390

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1391

clientContext.load_verify_locations(caFile)

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1392

1393

self._handshake_test(serverContext, clientContext)

1394

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1395

def test_use_certificate_chain_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1396

"""

1397

``Context.use_certificate_chain_file`` accepts the name of a file (as

1398

an instance of ``bytes``) to specify additional certificates to use to

1399

construct and verify a trust chain.

1400

"""

1401

self._use_certificate_chain_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1402

tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1403

)

1404

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1405

def test_use_certificate_chain_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1406

"""

1407

``Context.use_certificate_chain_file`` accepts the name of a file (as

1408

an instance of ``unicode``) to specify additional certificates to use

1409

to construct and verify a trust chain.

1410

"""

1411

self._use_certificate_chain_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1412

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1413

)

1414

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1415

def test_use_certificate_chain_file_wrong_args(self):

1416

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1417

`Context.use_certificate_chain_file` raises `TypeError` if passed a

1418

non-byte string single argument.

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1419

"""

1420

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1421

with pytest.raises(TypeError):

1422

context.use_certificate_chain_file(object())

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1423

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1424

def test_use_certificate_chain_file_missing_file(self, tmpfile):

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1425

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1426

`Context.use_certificate_chain_file` raises `OpenSSL.SSL.Error` when

1427

passed a bad chain file name (for example, the name of a file which

1428

does not exist).

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1429

"""

1430

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1431

with pytest.raises(Error):

1432

context.use_certificate_chain_file(tmpfile)

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1433

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1434

def test_set_verify_mode(self):

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1435

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1436

`Context.get_verify_mode` returns the verify mode flags previously

1437

passed to `Context.set_verify`.

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1438

"""

1439

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1440

assert context.get_verify_mode() == 0

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1441

context.set_verify(

1442

VERIFY_PEER | VERIFY_CLIENT_ONCE, lambda *args: None)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1443

assert context.get_verify_mode() == (VERIFY_PEER | VERIFY_CLIENT_ONCE)

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1444

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1445

@skip_if_py3

1446

def test_set_verify_mode_long(self):

1447

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1448

On Python 2 `Context.set_verify_mode` accepts values of type `long`

1449

as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1450

"""

1451

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1452

assert context.get_verify_mode() == 0

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1453

context.set_verify(

Hynek Schlawack

b4ceed3

2015-09-05 20:55:19 +0200

[diff] [blame]

1454

long(VERIFY_PEER | VERIFY_CLIENT_ONCE), lambda *args: None

1455

) # pragma: nocover

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1456

assert context.get_verify_mode() == (VERIFY_PEER | VERIFY_CLIENT_ONCE)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1457

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1458

@pytest.mark.parametrize('mode', [None, 1.0, object(), 'mode'])

1459

def test_set_verify_wrong_mode_arg(self, mode):

1460

"""

1461

`Context.set_verify` raises `TypeError` if the first argument is

1462

not an integer.

1463

"""

1464

context = Context(TLSv1_METHOD)

1465

with pytest.raises(TypeError):

1466

context.set_verify(mode=mode, callback=lambda *args: None)

1467

1468

@pytest.mark.parametrize('callback', [None, 1.0, 'mode', ('foo', 'bar')])

1469

def test_set_verify_wrong_callable_arg(self, callback):

1470

"""

1471

`Context.set_verify` raises `TypeError` if the the second argument

1472

is not callable.

1473

"""

1474

context = Context(TLSv1_METHOD)

1475

with pytest.raises(TypeError):

1476

context.set_verify(mode=VERIFY_PEER, callback=callback)

1477

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1478

def test_load_tmp_dh_wrong_args(self):

1479

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1480

`Context.load_tmp_dh` raises `TypeError` if called with a

1481

non-`str` argument.

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1482

"""

1483

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1484

with pytest.raises(TypeError):

1485

context.load_tmp_dh(object())

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1486

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1487

def test_load_tmp_dh_missing_file(self):

1488

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1489

`Context.load_tmp_dh` raises `OpenSSL.SSL.Error` if the

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1490

specified file does not exist.

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1491

"""

1492

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1493

with pytest.raises(Error):

1494

context.load_tmp_dh(b"hello")

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1495

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1496

def _load_tmp_dh_test(self, dhfilename):

Jean-Paul Calderone

4e0c43f

2015-04-13 10:15:17 -0400

[diff] [blame]

1497

"""

1498

Verify that calling ``Context.load_tmp_dh`` with the given filename

1499

does not raise an exception.

1500

"""

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1501

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1502

with open(dhfilename, "w") as dhfile:

1503

dhfile.write(dhparam)

1504

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1505

context.load_tmp_dh(dhfilename)

1506

# XXX What should I assert here? -exarkun

1507

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1508

def test_load_tmp_dh_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1509

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1510

`Context.load_tmp_dh` loads Diffie-Hellman parameters from the

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1511

specified file (given as ``bytes``).

1512

"""

1513

self._load_tmp_dh_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1514

tmpfile + NON_ASCII.encode(getfilesystemencoding()),

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1515

)

1516

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1517

def test_load_tmp_dh_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1518

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1519

`Context.load_tmp_dh` loads Diffie-Hellman parameters from the

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1520

specified file (given as ``unicode``).

1521

"""

1522

self._load_tmp_dh_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1523

tmpfile.decode(getfilesystemencoding()) + NON_ASCII,

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1524

)

1525

Jean-Paul Calderone

3e4e335

2014-04-19 09:28:28 -0400

[diff] [blame]

1526

def test_set_tmp_ecdh(self):

Andy Lutomirski

f05a273

2014-03-13 17:22:25 -0700

[diff] [blame]

1527

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1528

`Context.set_tmp_ecdh` sets the elliptic curve for Diffie-Hellman to

1529

the specified curve.

Andy Lutomirski

f05a273

2014-03-13 17:22:25 -0700

[diff] [blame]

1530

"""

1531

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

1532

for curve in get_elliptic_curves():

Hynek Schlawack

a07fa8c

2015-10-17 10:15:28 +0200

[diff] [blame]

1533

if curve.name.startswith(u"Oakley-"):

Hynek Schlawack

7408aff

2015-10-17 09:51:16 +0200

[diff] [blame]

1534

# Setting Oakley-EC2N-4 and Oakley-EC2N-3 adds

1535

# ('bignum routines', 'BN_mod_inverse', 'no inverse') to the

1536

# error queue on OpenSSL 1.0.2.

1537

continue

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

1538

# The only easily "assertable" thing is that it does not raise an

1539

# exception.

Jean-Paul Calderone

3e4e335

2014-04-19 09:28:28 -0400

[diff] [blame]

1540

context.set_tmp_ecdh(curve)

Alex Gaynor

12dc084

2014-01-17 12:51:31 -0600

[diff] [blame]

1541

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1542

def test_set_session_cache_mode_wrong_args(self):

1543

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1544

`Context.set_session_cache_mode` raises `TypeError` if called with

1545

a non-integer argument.

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1546

called with other than one integer argument.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1547

"""

1548

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1549

with pytest.raises(TypeError):

1550

context.set_session_cache_mode(object())

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1551

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1552

def test_session_cache_mode(self):

1553

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1554

`Context.set_session_cache_mode` specifies how sessions are cached.

1555

The setting can be retrieved via `Context.get_session_cache_mode`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1556

"""

1557

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1558

context.set_session_cache_mode(SESS_CACHE_OFF)

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1559

off = context.set_session_cache_mode(SESS_CACHE_BOTH)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1560

assert SESS_CACHE_OFF == off

1561

assert SESS_CACHE_BOTH == context.get_session_cache_mode()

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1562

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1563

@skip_if_py3

1564

def test_session_cache_mode_long(self):

1565

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1566

On Python 2 `Context.set_session_cache_mode` accepts values

1567

of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1568

"""

1569

context = Context(TLSv1_METHOD)

1570

context.set_session_cache_mode(long(SESS_CACHE_BOTH))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1571

assert SESS_CACHE_BOTH == context.get_session_cache_mode()

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1572

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1573

def test_get_cert_store(self):

1574

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1575

`Context.get_cert_store` returns a `X509Store` instance.

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1576

"""

1577

context = Context(TLSv1_METHOD)

1578

store = context.get_cert_store()

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1579

assert isinstance(store, X509Store)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1580

1581

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1582

class TestServerNameCallback(object):

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1583

"""

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1584

Tests for `Context.set_tlsext_servername_callback` and its

1585

interaction with `Connection`.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1586

"""

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1587

def test_old_callback_forgotten(self):

1588

"""

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1589

If `Context.set_tlsext_servername_callback` is used to specify

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1590

a new callback, the one it replaces is dereferenced.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1591

"""

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1592

def callback(connection): # pragma: no cover

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1593

pass

1594

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1595

def replacement(connection): # pragma: no cover

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1596

pass

1597

1598

context = Context(TLSv1_METHOD)

1599

context.set_tlsext_servername_callback(callback)

1600

1601

tracker = ref(callback)

1602

del callback

1603

1604

context.set_tlsext_servername_callback(replacement)

Jean-Paul Calderone

d4033eb

2014-01-11 08:21:46 -0500

[diff] [blame]

1605

1606

# One run of the garbage collector happens to work on CPython. PyPy

1607

# doesn't collect the underlying object until a second run for whatever

1608

# reason. That's fine, it still demonstrates our code has properly

1609

# dropped the reference.

1610

collect()

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1611

collect()

Jean-Paul Calderone

4c1aacd

2014-01-11 08:15:17 -0500

[diff] [blame]

1612

1613

callback = tracker()

1614

if callback is not None:

1615

referrers = get_referrers(callback)

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1616

if len(referrers) > 1: # pragma: nocover

1617

pytest.fail("Some references remain: %r" % (referrers,))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1618

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1619

def test_no_servername(self):

1620

"""

1621

When a client specifies no server name, the callback passed to

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1622

`Context.set_tlsext_servername_callback` is invoked and the

1623

result of `Connection.get_servername` is `None`.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1624

"""

1625

args = []

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1626

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1627

def servername(conn):

1628

args.append((conn, conn.get_servername()))

1629

context = Context(TLSv1_METHOD)

1630

context.set_tlsext_servername_callback(servername)

1631

1632

# Lose our reference to it. The Context is responsible for keeping it

# alive now.

del servername

collect()

# Necessary to actually accept the connection

1638

context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1639

context.use_certificate(

1640

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1641

1642

# Do a little connection to trigger the logic

1643

server = Connection(context, None)

1644

server.set_accept_state()

1645

1646

client = Connection(Context(TLSv1_METHOD), None)

1647

client.set_connect_state()

1648

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1649

interact_in_memory(server, client)

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1650

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1651

assert args == [(server, None)]

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1652

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1653

def test_servername(self):

1654

"""

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1655

When a client specifies a server name in its hello message, the

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1656

callback passed to `Contexts.set_tlsext_servername_callback` is

1657

invoked and the result of `Connection.get_servername` is that

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1658

server name.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1659

"""

1660

args = []

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1661

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1662

def servername(conn):

1663

args.append((conn, conn.get_servername()))

1664

context = Context(TLSv1_METHOD)

1665

context.set_tlsext_servername_callback(servername)

1666

1667

# Necessary to actually accept the connection

1668

context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1669

context.use_certificate(

1670

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1671

1672

# Do a little connection to trigger the logic

1673

server = Connection(context, None)

1674

server.set_accept_state()

1675

1676

client = Connection(Context(TLSv1_METHOD), None)

1677

client.set_connect_state()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

1678

client.set_tlsext_host_name(b"foo1.example.com")

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1679

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1680

interact_in_memory(server, client)

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1681

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1682

assert args == [(server, b"foo1.example.com")]

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1683

1684

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1685

class TestNextProtoNegotiation(object):

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1686

"""

1687

Test for Next Protocol Negotiation in PyOpenSSL.

1688

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1689

def test_npn_success(self):

1690

"""

1691

Tests that clients and servers that agree on the negotiated next

1692

protocol can correct establish a connection, and that the agreed

1693

protocol is reported by the connections.

"""

advertise_args = []

select_args = []

def advertise(conn):

advertise_args.append((conn,))

1700

return [b'http/1.1', b'spdy/2']

1701

1702

def select(conn, options):

1703

select_args.append((conn, options))

1704

return b'spdy/2'

1705

1706

server_context = Context(TLSv1_METHOD)

1707

server_context.set_npn_advertise_callback(advertise)

1708

1709

client_context = Context(TLSv1_METHOD)

1710

client_context.set_npn_select_callback(select)

1711

1712

# Necessary to actually accept the connection

1713

server_context.use_privatekey(

1714

load_privatekey(FILETYPE_PEM, server_key_pem))

1715

server_context.use_certificate(

1716

load_certificate(FILETYPE_PEM, server_cert_pem))

1717

1718

# Do a little connection to trigger the logic

1719

server = Connection(server_context, None)

1720

server.set_accept_state()

1721

1722

client = Connection(client_context, None)

1723

client.set_connect_state()

1724

1725

interact_in_memory(server, client)

1726

1727

assert advertise_args == [(server,)]

1728

assert select_args == [(client, [b'http/1.1', b'spdy/2'])]

1729

1730

assert server.get_next_proto_negotiated() == b'spdy/2'

1731

assert client.get_next_proto_negotiated() == b'spdy/2'

1732

1733

def test_npn_client_fail(self):

1734

"""

1735

Tests that when clients and servers cannot agree on what protocol

1736

to use next that the TLS connection does not get established.

"""

advertise_args = []

select_args = []

def advertise(conn):

advertise_args.append((conn,))

1743

return [b'http/1.1', b'spdy/2']

1744

1745

def select(conn, options):

1746

select_args.append((conn, options))

1747

return b''

1748

1749

server_context = Context(TLSv1_METHOD)

1750

server_context.set_npn_advertise_callback(advertise)

1751

1752

client_context = Context(TLSv1_METHOD)

1753

client_context.set_npn_select_callback(select)

1754

1755

# Necessary to actually accept the connection

1756

server_context.use_privatekey(

1757

load_privatekey(FILETYPE_PEM, server_key_pem))

1758

server_context.use_certificate(

1759

load_certificate(FILETYPE_PEM, server_cert_pem))

1760

1761

# Do a little connection to trigger the logic

1762

server = Connection(server_context, None)

1763

server.set_accept_state()

1764

1765

client = Connection(client_context, None)

1766

client.set_connect_state()

1767

1768

# If the client doesn't return anything, the connection will fail.

1769

with pytest.raises(Error):

1770

interact_in_memory(server, client)

1771

1772

assert advertise_args == [(server,)]

1773

assert select_args == [(client, [b'http/1.1', b'spdy/2'])]

1774

1775

def test_npn_select_error(self):

1776

"""

1777

Test that we can handle exceptions in the select callback. If

1778

select fails it should be fatal to the connection.

"""

advertise_args = []

def advertise(conn):

advertise_args.append((conn,))

1784

return [b'http/1.1', b'spdy/2']

1785

1786

def select(conn, options):

1787

raise TypeError

1788

1789

server_context = Context(TLSv1_METHOD)

1790

server_context.set_npn_advertise_callback(advertise)

1791

1792

client_context = Context(TLSv1_METHOD)

1793

client_context.set_npn_select_callback(select)

1794

1795

# Necessary to actually accept the connection

1796

server_context.use_privatekey(

1797

load_privatekey(FILETYPE_PEM, server_key_pem))

1798

server_context.use_certificate(

1799

load_certificate(FILETYPE_PEM, server_cert_pem))

1800

1801

# Do a little connection to trigger the logic

1802

server = Connection(server_context, None)

1803

server.set_accept_state()

1804

1805

client = Connection(client_context, None)

1806

client.set_connect_state()

1807

1808

# If the callback throws an exception it should be raised here.

1809

with pytest.raises(TypeError):

1810

interact_in_memory(server, client)

1811

assert advertise_args == [(server,), ]

1812

1813

def test_npn_advertise_error(self):

1814

"""

1815

Test that we can handle exceptions in the advertise callback. If

1816

advertise fails no NPN is advertised to the client.

"""

select_args = []

def advertise(conn):

raise TypeError

def select(conn, options): # pragma: nocover

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

1824

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1825

Assert later that no args are actually appended.

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

1826

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1827

select_args.append((conn, options))

1828

return b''

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1829

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1830

server_context = Context(TLSv1_METHOD)

1831

server_context.set_npn_advertise_callback(advertise)

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1832

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1833

client_context = Context(TLSv1_METHOD)

1834

client_context.set_npn_select_callback(select)

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1835

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1836

# Necessary to actually accept the connection

1837

server_context.use_privatekey(

1838

load_privatekey(FILETYPE_PEM, server_key_pem))

1839

server_context.use_certificate(

1840

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1841

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1842

# Do a little connection to trigger the logic

1843

server = Connection(server_context, None)

1844

server.set_accept_state()

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1845

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1846

client = Connection(client_context, None)

1847

client.set_connect_state()

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1848

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1849

# If the client doesn't return anything, the connection will fail.

1850

with pytest.raises(TypeError):

1851

interact_in_memory(server, client)

1852

assert select_args == []

Cory Benfield

0ea76e7

2015-03-22 09:05:28 +0000

[diff] [blame]

1853

1854

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1855

class TestApplicationLayerProtoNegotiation(object):

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1856

"""

1857

Tests for ALPN in PyOpenSSL.

1858

"""

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1859

# Skip tests on versions that don't support ALPN.

1860

if _lib.Cryptography_HAS_ALPN:

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1861

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1862

def test_alpn_success(self):

1863

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1864

Clients and servers that agree on the negotiated ALPN protocol can

1865

correct establish a connection, and the agreed protocol is reported

1866

by the connections.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1867

"""

1868

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1869

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1870

def select(conn, options):

1871

select_args.append((conn, options))

1872

return b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1873

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1874

client_context = Context(TLSv1_METHOD)

1875

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1876

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1877

server_context = Context(TLSv1_METHOD)

1878

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1879

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1880

# Necessary to actually accept the connection

1881

server_context.use_privatekey(

1882

load_privatekey(FILETYPE_PEM, server_key_pem))

1883

server_context.use_certificate(

1884

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1885

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1886

# Do a little connection to trigger the logic

1887

server = Connection(server_context, None)

1888

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1889

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1890

client = Connection(client_context, None)

1891

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1892

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1893

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1894

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1895

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1896

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1897

assert server.get_alpn_proto_negotiated() == b'spdy/2'

1898

assert client.get_alpn_proto_negotiated() == b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1899

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1900

def test_alpn_set_on_connection(self):

1901

"""

1902

The same as test_alpn_success, but setting the ALPN protocols on

1903

the connection rather than the context.

1904

"""

1905

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1906

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1907

def select(conn, options):

1908

select_args.append((conn, options))

1909

return b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1910

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1911

# Setup the client context but don't set any ALPN protocols.

1912

client_context = Context(TLSv1_METHOD)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1913

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1914

server_context = Context(TLSv1_METHOD)

1915

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1916

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1917

# Necessary to actually accept the connection

1918

server_context.use_privatekey(

1919

load_privatekey(FILETYPE_PEM, server_key_pem))

1920

server_context.use_certificate(

1921

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1922

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1923

# Do a little connection to trigger the logic

1924

server = Connection(server_context, None)

1925

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1926

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1927

# Set the ALPN protocols on the client connection.

1928

client = Connection(client_context, None)

1929

client.set_alpn_protos([b'http/1.1', b'spdy/2'])

1930

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1931

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1932

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1933

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1934

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1935

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1936

assert server.get_alpn_proto_negotiated() == b'spdy/2'

1937

assert client.get_alpn_proto_negotiated() == b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1938

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1939

def test_alpn_server_fail(self):

1940

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1941

When clients and servers cannot agree on what protocol to use next

1942

the TLS connection does not get established.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1943

"""

1944

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1945

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1946

def select(conn, options):

1947

select_args.append((conn, options))

1948

return b''

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1949

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1950

client_context = Context(TLSv1_METHOD)

1951

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1952

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1953

server_context = Context(TLSv1_METHOD)

1954

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1955

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1956

# Necessary to actually accept the connection

1957

server_context.use_privatekey(

1958

load_privatekey(FILETYPE_PEM, server_key_pem))

1959

server_context.use_certificate(

1960

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1961

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1962

# Do a little connection to trigger the logic

1963

server = Connection(server_context, None)

1964

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1965

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1966

client = Connection(client_context, None)

1967

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1968

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1969

# If the client doesn't return anything, the connection will fail.

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1970

with pytest.raises(Error):

1971

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1972

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1973

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1974

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1975

def test_alpn_no_server(self):

1976

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1977

When clients and servers cannot agree on what protocol to use next

1978

because the server doesn't offer ALPN, no protocol is negotiated.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1979

"""

1980

client_context = Context(TLSv1_METHOD)

1981

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1982

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1983

server_context = Context(TLSv1_METHOD)

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1984

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1985

# Necessary to actually accept the connection

1986

server_context.use_privatekey(

1987

load_privatekey(FILETYPE_PEM, server_key_pem))

1988

server_context.use_certificate(

1989

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1990

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1991

# Do a little connection to trigger the logic

1992

server = Connection(server_context, None)

1993

server.set_accept_state()

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1994

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1995

client = Connection(client_context, None)

1996

client.set_connect_state()

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1997

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1998

# Do the dance.

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1999

interact_in_memory(server, client)

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2000

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2001

assert client.get_alpn_proto_negotiated() == b''

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2002

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2003

def test_alpn_callback_exception(self):

2004

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

2005

We can handle exceptions in the ALPN select callback.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2006

"""

2007

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2008

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2009

def select(conn, options):

2010

select_args.append((conn, options))

Cory Benfield

ef40145

2015-04-13 18:17:36 -0400

[diff] [blame]

2011

raise TypeError()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2012

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2013

client_context = Context(TLSv1_METHOD)

2014

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2015

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2016

server_context = Context(TLSv1_METHOD)

2017

server_context.set_alpn_select_callback(select)

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2018

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2019

# Necessary to actually accept the connection

2020

server_context.use_privatekey(

2021

load_privatekey(FILETYPE_PEM, server_key_pem))

2022

server_context.use_certificate(

2023

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2024

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2025

# Do a little connection to trigger the logic

2026

server = Connection(server_context, None)

2027

server.set_accept_state()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2028

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2029

client = Connection(client_context, None)

2030

client.set_connect_state()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2031

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2032

with pytest.raises(TypeError):

2033

interact_in_memory(server, client)

2034

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2035

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2036

else:

2037

# No ALPN.

2038

def test_alpn_not_implemented(self):

Cory Benfield

ef40145

2015-04-13 18:17:36 -0400

[diff] [blame]

2039

"""

2040

If ALPN is not in OpenSSL, we should raise NotImplementedError.

2041

"""

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2042

# Test the context methods first.

2043

context = Context(TLSv1_METHOD)

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2044

with pytest.raises(NotImplementedError):

2045

context.set_alpn_protos(None)

2046

with pytest.raises(NotImplementedError):

2047

context.set_alpn_select_callback(None)

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2048

2049

# Now test a connection.

2050

conn = Connection(context)

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2051

with pytest.raises(NotImplementedError):

2052

conn.set_alpn_protos(None)

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2053

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2054

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2055

class TestSession(object):

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

2056

"""

2057

Unit tests for :py:obj:`OpenSSL.SSL.Session`.

2058

"""

2059

def test_construction(self):

2060

"""

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2061

:py:class:`Session` can be constructed with no arguments, creating

2062

a new instance of that type.

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

2063

"""

2064

new_session = Session()

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2065

assert isinstance(new_session, Session)

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

2066

2067

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2068

class TestConnection(object):

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2069

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2070

Unit tests for `OpenSSL.SSL.Connection`.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2071

"""

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

2072

# XXX get_peer_certificate -> None

2073

# XXX sock_shutdown

2074

# XXX master_key -> TypeError

2075

# XXX server_random -> TypeError

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

2076

# XXX connect -> TypeError

2077

# XXX connect_ex -> TypeError

2078

# XXX set_connect_state -> TypeError

2079

# XXX set_accept_state -> TypeError

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

2080

# XXX do_handshake -> TypeError

2081

# XXX bio_read -> TypeError

2082

# XXX recv -> TypeError

2083

# XXX send -> TypeError

2084

# XXX bio_write -> TypeError

2085

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2086

def test_type(self):

2087

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2088

`Connection` and `ConnectionType` refer to the same type object and

2089

can be used to create instances of that type.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2090

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2091

assert Connection is ConnectionType

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2092

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2093

assert is_consistent_type(Connection, 'Connection', ctx, None)

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2094

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2095

@pytest.mark.parametrize('bad_context', [object(), 'context', None, 1])

2096

def test_wrong_args(self, bad_context):

2097

"""

2098

`Connection.__init__` raises `TypeError` if called with a non-`Context`

2099

instance argument.

2100

"""

2101

with pytest.raises(TypeError):

2102

Connection(bad_context)

2103

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

2104

def test_get_context(self):

2105

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2106

`Connection.get_context` returns the `Context` instance used to

2107

construct the `Connection` instance.

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

2108

"""

2109

context = Context(TLSv1_METHOD)

2110

connection = Connection(context, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2111

assert connection.get_context() is context

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

2112

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2113

def test_set_context_wrong_args(self):

2114

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2115

`Connection.set_context` raises `TypeError` if called with a

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2116

non-`Context` instance argument.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2117

"""

2118

ctx = Context(TLSv1_METHOD)

2119

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2120

with pytest.raises(TypeError):

2121

connection.set_context(object())

2122

with pytest.raises(TypeError):

2123

connection.set_context("hello")

2124

with pytest.raises(TypeError):

2125

connection.set_context(1)

2126

assert ctx is connection.get_context()

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2127

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2128

def test_set_context(self):

2129

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2130

`Connection.set_context` specifies a new `Context` instance to be

2131

used for the connection.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2132

"""

2133

original = Context(SSLv23_METHOD)

2134

replacement = Context(TLSv1_METHOD)

2135

connection = Connection(original, None)

2136

connection.set_context(replacement)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2137

assert replacement is connection.get_context()

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2138

# Lose our references to the contexts, just in case the Connection

2139

# isn't properly managing its own contributions to their reference

2140

# counts.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2141

del original, replacement

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2142

collect()

2143

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2144

def test_set_tlsext_host_name_wrong_args(self):

2145

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2146

If `Connection.set_tlsext_host_name` is called with a non-byte string

2147

argument or a byte string with an embedded NUL, `TypeError` is raised.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2148

"""

2149

conn = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2150

with pytest.raises(TypeError):

2151

conn.set_tlsext_host_name(object())

2152

with pytest.raises(TypeError):

2153

conn.set_tlsext_host_name(b"with\0null")

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2154

Abraham Martin

c5484ba

2015-03-25 15:33:05 +0000

[diff] [blame]

2155

if PY3:

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2156

# On Python 3.x, don't accidentally implicitly convert from text.

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2157

with pytest.raises(TypeError):

2158

conn.set_tlsext_host_name(b"example.com".decode("ascii"))

Jean-Paul Calderone

871a4d8

2011-05-26 19:24:02 -0400

[diff] [blame]

2159

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2160

def test_pending(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2161

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2162

`Connection.pending` returns the number of bytes available for

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2163

immediate read.

2164

"""

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2165

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2166

assert connection.pending() == 0

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2167

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2168

def test_peek(self):

2169

"""

Hynek Schlawack

3bcf315

2017-02-18 08:25:34 +0100

[diff] [blame]

2170

`Connection.recv` peeks into the connection if `socket.MSG_PEEK` is

2171

passed.

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2172

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2173

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2174

server.send(b'xy')

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2175

assert client.recv(2, MSG_PEEK) == b'xy'

2176

assert client.recv(2, MSG_PEEK) == b'xy'

2177

assert client.recv(2) == b'xy'

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2178

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2179

def test_connect_wrong_args(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2180

"""

Hynek Schlawack

3bcf315

2017-02-18 08:25:34 +0100

[diff] [blame]

2181

`Connection.connect` raises `TypeError` if called with a non-address

2182

argument.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2183

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2184

connection = Connection(Context(TLSv1_METHOD), socket())

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2185

with pytest.raises(TypeError):

2186

connection.connect(None)

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2187

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2188

def test_connect_refused(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2189

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2190

`Connection.connect` raises `socket.error` if the underlying socket

2191

connect method raises it.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2192

"""

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2193

client = socket()

2194

context = Context(TLSv1_METHOD)

2195

clientSSL = Connection(context, client)

Alex Gaynor

122717b

2015-09-05 14:14:18 -0400

[diff] [blame]

2196

# pytest.raises here doesn't work because of a bug in py.test on Python

2197

# 2.6: https://github.com/pytest-dev/pytest/issues/988

Alex Gaynor

e69c278

2015-09-05 14:07:48 -0400

[diff] [blame]

2198

try:

Alex Gaynor

1aabb2e

2015-09-05 13:35:18 -0400

[diff] [blame]

2199

clientSSL.connect(("127.0.0.1", 1))

Alex Gaynor

e69c278

2015-09-05 14:07:48 -0400

[diff] [blame]

2200

except error as e:

Alex Gaynor

20a4c08

2015-09-05 14:24:15 -0400

[diff] [blame]

2201

exc = e

2202

assert exc.args[0] == ECONNREFUSED

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2203

2204

def test_connect(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2205

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2206

`Connection.connect` establishes a connection to the specified address.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2207

"""

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

port = socket()

port.bind(('', 0))

port.listen(3)

clientSSL = Connection(Context(TLSv1_METHOD), socket())

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2213

clientSSL.connect(('127.0.0.1', port.getsockname()[1]))

2214

# XXX An assertion? Or something?

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2215

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2216

@pytest.mark.skipif(

2217

platform == "darwin",

2218

reason="connect_ex sometimes causes a kernel panic on OS X 10.6.4"

2219

)

2220

def test_connect_ex(self):

2221

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2222

If there is a connection error, `Connection.connect_ex` returns the

2223

errno instead of raising an exception.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

"""

port = socket()

port.bind(('', 0))

port.listen(3)

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2228

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2229

clientSSL = Connection(Context(TLSv1_METHOD), socket())

2230

clientSSL.setblocking(False)

2231

result = clientSSL.connect_ex(port.getsockname())

2232

expected = (EINPROGRESS, EWOULDBLOCK)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2233

assert result in expected

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2234

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2235

def test_accept(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2236

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2237

`Connection.accept` accepts a pending connection attempt and returns a

2238

tuple of a new `Connection` (the accepted client) and the address the

2239

connection originated from.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2240

"""

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2241

ctx = Context(TLSv1_METHOD)

2242

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

2243

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2244

port = socket()

2245

portSSL = Connection(ctx, port)

2246

portSSL.bind(('', 0))

2247

portSSL.listen(3)

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2248

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2249

clientSSL = Connection(Context(TLSv1_METHOD), socket())

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2250

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2251

# Calling portSSL.getsockname() here to get the server IP address

2252

# sounds great, but frequently fails on Windows.

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2253

clientSSL.connect(('127.0.0.1', portSSL.getsockname()[1]))

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2254

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2255

serverSSL, address = portSSL.accept()

2256

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2257

assert isinstance(serverSSL, Connection)

2258

assert serverSSL.get_context() is ctx

2259

assert address == clientSSL.getsockname()

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2260

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2261

def test_shutdown_wrong_args(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2262

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2263

`Connection.set_shutdown` raises `TypeError` if called with arguments

2264

other than integers.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2265

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2266

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2267

with pytest.raises(TypeError):

2268

connection.set_shutdown(None)

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2269

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

2270

def test_shutdown(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2271

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2272

`Connection.shutdown` performs an SSL-level connection shutdown.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2273

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2274

server, client = loopback()

2275

assert not server.shutdown()

2276

assert server.get_shutdown() == SENT_SHUTDOWN

2277

with pytest.raises(ZeroReturnError):

2278

client.recv(1024)

2279

assert client.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

e4f6b47

2010-07-29 22:50:58 -0400

[diff] [blame]

2280

client.shutdown()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2281

assert client.get_shutdown() == (SENT_SHUTDOWN | RECEIVED_SHUTDOWN)

2282

with pytest.raises(ZeroReturnError):

2283

server.recv(1024)

2284

assert server.get_shutdown() == (SENT_SHUTDOWN | RECEIVED_SHUTDOWN)

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

2285

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2286

def test_shutdown_closed(self):

2287

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2288

If the underlying socket is closed, `Connection.shutdown` propagates

2289

the write error from the low level write call.

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2290

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2291

server, client = loopback()

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2292

server.sock_shutdown(2)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2293

with pytest.raises(SysCallError) as exc:

2294

server.shutdown()

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2295

if platform == "win32":

2296

assert exc.value.args[0] == ESHUTDOWN

2297

else:

2298

assert exc.value.args[0] == EPIPE

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2299

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2300

def test_shutdown_truncated(self):

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2301

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2302

If the underlying connection is truncated, `Connection.shutdown`

2303

raises an `Error`.

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2304

"""

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2305

server_ctx = Context(TLSv1_METHOD)

2306

client_ctx = Context(TLSv1_METHOD)

2307

server_ctx.use_privatekey(

2308

load_privatekey(FILETYPE_PEM, server_key_pem))

2309

server_ctx.use_certificate(

2310

load_certificate(FILETYPE_PEM, server_cert_pem))

2311

server = Connection(server_ctx, None)

2312

client = Connection(client_ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2313

handshake_in_memory(client, server)

2314

assert not server.shutdown()

2315

with pytest.raises(WantReadError):

2316

server.shutdown()

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2317

server.bio_shutdown()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2318

with pytest.raises(Error):

2319

server.shutdown()

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2320

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2321

def test_set_shutdown(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2322

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2323

`Connection.set_shutdown` sets the state of the SSL connection

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2324

shutdown process.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2325

"""

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2326

connection = Connection(Context(TLSv1_METHOD), socket())

2327

connection.set_shutdown(RECEIVED_SHUTDOWN)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2328

assert connection.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2329

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2330

@skip_if_py3

2331

def test_set_shutdown_long(self):

2332

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2333

On Python 2 `Connection.set_shutdown` accepts an argument

2334

of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2335

"""

2336

connection = Connection(Context(TLSv1_METHOD), socket())

2337

connection.set_shutdown(long(RECEIVED_SHUTDOWN))

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2338

assert connection.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

2339

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2340

def test_state_string(self):

2341

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2342

`Connection.state_string` verbosely describes the current state of

2343

the `Connection`.

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2344

"""

Hynek Schlawack

b0274ce

2015-10-16 19:56:26 +0200

[diff] [blame]

2345

server, client = socket_pair()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2346

server = loopback_server_factory(server)

2347

client = loopback_client_factory(client)

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2348

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2349

assert server.get_state_string() in [

2350

b"before/accept initialization", b"before SSL initialization"

2351

]

2352

assert client.get_state_string() in [

2353

b"before/connect initialization", b"before SSL initialization"

2354

]

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2355

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2356

def test_app_data(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2357

"""

2358

Any object can be set as app data by passing it to

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2359

`Connection.set_app_data` and later retrieved with

2360

`Connection.get_app_data`.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2361

"""

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2362

conn = Connection(Context(TLSv1_METHOD), None)

Todd Chapman

4f73e4f

2015-08-27 11:26:43 -0400

[diff] [blame]

2363

assert None is conn.get_app_data()

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2364

app_data = object()

2365

conn.set_app_data(app_data)

Todd Chapman

4f73e4f

2015-08-27 11:26:43 -0400

[diff] [blame]

2366

assert conn.get_app_data() is app_data

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2367

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2368

def test_makefile(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2369

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2370

`Connection.makefile` is not implemented and calling that

2371

method raises `NotImplementedError`.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2372

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2373

conn = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2374

with pytest.raises(NotImplementedError):

2375

conn.makefile()

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2376

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2377

def test_get_peer_cert_chain(self):

2378

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2379

`Connection.get_peer_cert_chain` returns a list of certificates

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2380

which the connected server returned for the certification verification.

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2381

"""

2382

chain = _create_certificate_chain()

2383

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

2384

2385

serverContext = Context(TLSv1_METHOD)

2386

serverContext.use_privatekey(skey)

2387

serverContext.use_certificate(scert)

2388

serverContext.add_extra_chain_cert(icert)

2389

serverContext.add_extra_chain_cert(cacert)

2390

server = Connection(serverContext, None)

2391

server.set_accept_state()

2392

2393

# Create the client

2394

clientContext = Context(TLSv1_METHOD)

2395

clientContext.set_verify(VERIFY_NONE, verify_cb)

2396

client = Connection(clientContext, None)

2397

client.set_connect_state()

2398

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2399

interact_in_memory(client, server)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2400

2401

chain = client.get_peer_cert_chain()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2402

assert len(chain) == 3

2403

assert "Server Certificate" == chain[0].get_subject().CN

2404

assert "Intermediate Certificate" == chain[1].get_subject().CN

2405

assert "Authority Certificate" == chain[2].get_subject().CN

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2406

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2407

def test_get_peer_cert_chain_none(self):

2408

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2409

`Connection.get_peer_cert_chain` returns `None` if the peer sends

2410

no certificate chain.

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2411

"""

2412

ctx = Context(TLSv1_METHOD)

2413

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

2414

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

2415

server = Connection(ctx, None)

2416

server.set_accept_state()

2417

client = Connection(Context(TLSv1_METHOD), None)

2418

client.set_connect_state()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2419

interact_in_memory(client, server)

2420

assert None is server.get_peer_cert_chain()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2421

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2422

def test_get_session_unconnected(self):

2423

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2424

`Connection.get_session` returns `None` when used with an object

2425

which has not been connected.

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2426

"""

2427

ctx = Context(TLSv1_METHOD)

2428

server = Connection(ctx, None)

2429

session = server.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2430

assert None is session

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2431

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2432

def test_server_get_session(self):

2433

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2434

On the server side of a connection, `Connection.get_session` returns a

2435

`Session` instance representing the SSL session for that connection.

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2436

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2437

server, client = loopback()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2438

session = server.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2439

assert isinstance(session, Session)

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2440

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2441

def test_client_get_session(self):

2442

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2443

On the client side of a connection, `Connection.get_session`

2444

returns a `Session` instance representing the SSL session for

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2445

that connection.

2446

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2447

server, client = loopback()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2448

session = client.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2449

assert isinstance(session, Session)

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2450

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2451

def test_set_session_wrong_args(self):

2452

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2453

`Connection.set_session` raises `TypeError` if called with an object

2454

that is not an instance of `Session`.

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2455

"""

2456

ctx = Context(TLSv1_METHOD)

2457

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2458

with pytest.raises(TypeError):

2459

connection.set_session(123)

2460

with pytest.raises(TypeError):

2461

connection.set_session("hello")

2462

with pytest.raises(TypeError):

2463

connection.set_session(object())

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2464

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2465

def test_client_set_session(self):

2466

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2467

`Connection.set_session`, when used prior to a connection being

2468

established, accepts a `Session` instance and causes an attempt to

2469

re-use the session it represents when the SSL handshake is performed.

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2470

"""

2471

key = load_privatekey(FILETYPE_PEM, server_key_pem)

2472

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

2473

ctx = Context(TLSv1_METHOD)

2474

ctx.use_privatekey(key)

2475

ctx.use_certificate(cert)

2476

ctx.set_session_id("unity-test")

2477

2478

def makeServer(socket):

2479

server = Connection(ctx, socket)

2480

server.set_accept_state()

2481

return server

2482

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2483

originalServer, originalClient = loopback(

2484

server_factory=makeServer)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2485

originalSession = originalClient.get_session()

2486

2487

def makeClient(socket):

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2488

client = loopback_client_factory(socket)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2489

client.set_session(originalSession)

2490

return client

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2491

resumedServer, resumedClient = loopback(

2492

server_factory=makeServer,

2493

client_factory=makeClient)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2494

2495

# This is a proxy: in general, we have no access to any unique

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2496

# identifier for the session (new enough versions of OpenSSL expose

2497

# a hash which could be usable, but "new enough" is very, very new).

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2498

# Instead, exploit the fact that the master key is re-used if the

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2499

# session is re-used. As long as the master key for the two

2500

# connections is the same, the session was re-used!

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2501

assert originalServer.master_key() == resumedServer.master_key()

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2502

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2503

def test_set_session_wrong_method(self):

2504

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2505

If `Connection.set_session` is passed a `Session` instance associated

2506

with a context using a different SSL method than the `Connection`

2507

is using, a `OpenSSL.SSL.Error` is raised.

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2508

"""

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2509

# Make this work on both OpenSSL 1.0.0, which doesn't support TLSv1.2

2510

# and also on OpenSSL 1.1.0 which doesn't support SSLv3. (SSL_ST_INIT

2511

# is a way to check for 1.1.0)

Alex Gaynor

aa32e71

2017-06-29 20:56:12 -0700

[diff] [blame^]

2512

if SSL_ST_INIT is None:

2513

v1 = TLSv1_2_METHOD

2514

v2 = TLSv1_METHOD

2515

elif hasattr(_lib, "SSLv3_method"):

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2516

v1 = TLSv1_METHOD

2517

v2 = SSLv3_METHOD

2518

else:

Alex Gaynor

aa32e71

2017-06-29 20:56:12 -0700

[diff] [blame^]

2519

pytest.skip("Test requires either OpenSSL 1.1.0 or SSLv3")

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2520

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2521

key = load_privatekey(FILETYPE_PEM, server_key_pem)

2522

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2523

ctx = Context(v1)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2524

ctx.use_privatekey(key)

2525

ctx.use_certificate(cert)

2526

ctx.set_session_id("unity-test")

2527

2528

def makeServer(socket):

2529

server = Connection(ctx, socket)

2530

server.set_accept_state()

2531

return server

2532

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2533

def makeOriginalClient(socket):

2534

client = Connection(Context(v1), socket)

2535

client.set_connect_state()

2536

return client

2537

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2538

originalServer, originalClient = loopback(

2539

server_factory=makeServer, client_factory=makeOriginalClient)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2540

originalSession = originalClient.get_session()

2541

2542

def makeClient(socket):

2543

# Intentionally use a different, incompatible method here.

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2544

client = Connection(Context(v2), socket)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2545

client.set_connect_state()

2546

client.set_session(originalSession)

2547

return client

2548

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2549

with pytest.raises(Error):

2550

loopback(client_factory=makeClient, server_factory=makeServer)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2551

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2552

def test_wantWriteError(self):

2553

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2554

`Connection` methods which generate output raise

2555

`OpenSSL.SSL.WantWriteError` if writing to the connection's BIO

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2556

fail indicating a should-write state.

2557

"""

2558

client_socket, server_socket = socket_pair()

2559

# Fill up the client's send buffer so Connection won't be able to write

Jean-Paul Calderone

bbff8b9

2014-03-22 14:20:30 -0400

[diff] [blame]

2560

# anything. Only write a single byte at a time so we can be sure we

2561

# completely fill the buffer. Even though the socket API is allowed to

2562

# signal a short write via its return value it seems this doesn't

2563

# always happen on all platforms (FreeBSD and OS X particular) for the

2564

# very last bit of available buffer space.

2565

msg = b"x"

2566

for i in range(1024 * 1024 * 4):

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2567

try:

2568

client_socket.send(msg)

2569

except error as e:

2570

if e.errno == EWOULDBLOCK:

2571

break

2572

raise

2573

else:

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2574

pytest.fail(

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2575

"Failed to fill socket buffer, cannot test BIO want write")

2576

2577

ctx = Context(TLSv1_METHOD)

2578

conn = Connection(ctx, client_socket)

2579

# Client's speak first, so make it an SSL client

2580

conn.set_connect_state()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2581

with pytest.raises(WantWriteError):

2582

conn.do_handshake()

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

# XXX want_read

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2586

def test_get_finished_before_connect(self):

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2587

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2588

`Connection.get_finished` returns `None` before TLS handshake

2589

is completed.

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2590

"""

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2591

ctx = Context(TLSv1_METHOD)

2592

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2593

assert connection.get_finished() is None

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2594

2595

def test_get_peer_finished_before_connect(self):

2596

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2597

`Connection.get_peer_finished` returns `None` before TLS handshake

2598

is completed.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2599

"""

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2600

ctx = Context(TLSv1_METHOD)

2601

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2602

assert connection.get_peer_finished() is None

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2603

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2604

def test_get_finished(self):

2605

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2606

`Connection.get_finished` method returns the TLS Finished message send

2607

from client, or server. Finished messages are send during

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2608

TLS handshake.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2609

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2610

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2611

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2612

assert server.get_finished() is not None

2613

assert len(server.get_finished()) > 0

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2614

2615

def test_get_peer_finished(self):

2616

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2617

`Connection.get_peer_finished` method returns the TLS Finished

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2618

message received from client, or server. Finished messages are send

2619

during TLS handshake.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2620

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2621

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2622

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2623

assert server.get_peer_finished() is not None

2624

assert len(server.get_peer_finished()) > 0

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2625

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2626

def test_tls_finished_message_symmetry(self):

2627

"""

Hynek Schlawack

dddd111

2015-09-05 21:12:30 +0200

[diff] [blame]

2628

The TLS Finished message send by server must be the TLS Finished

2629

message received by client.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2630

Hynek Schlawack

dddd111

2015-09-05 21:12:30 +0200

[diff] [blame]

2631

The TLS Finished message send by client must be the TLS Finished

2632

message received by server.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2633

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2634

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2635

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2636

assert server.get_finished() == client.get_peer_finished()

2637

assert client.get_finished() == server.get_peer_finished()

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

2638

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2639

def test_get_cipher_name_before_connect(self):

2640

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2641

`Connection.get_cipher_name` returns `None` if no connection

2642

has been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2643

"""

2644

ctx = Context(TLSv1_METHOD)

2645

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2646

assert conn.get_cipher_name() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2647

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2648

def test_get_cipher_name(self):

2649

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2650

`Connection.get_cipher_name` returns a `unicode` string giving the

2651

name of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2652

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2653

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2654

server_cipher_name, client_cipher_name = \

2655

server.get_cipher_name(), client.get_cipher_name()

2656

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2657

assert isinstance(server_cipher_name, text_type)

2658

assert isinstance(client_cipher_name, text_type)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2659

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2660

assert server_cipher_name == client_cipher_name

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2661

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2662

def test_get_cipher_version_before_connect(self):

2663

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2664

`Connection.get_cipher_version` returns `None` if no connection

2665

has been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2666

"""

2667

ctx = Context(TLSv1_METHOD)

2668

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2669

assert conn.get_cipher_version() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2670

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2671

def test_get_cipher_version(self):

2672

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2673

`Connection.get_cipher_version` returns a `unicode` string giving

2674

the protocol name of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2675

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2676

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2677

server_cipher_version, client_cipher_version = \

2678

server.get_cipher_version(), client.get_cipher_version()

2679

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2680

assert isinstance(server_cipher_version, text_type)

2681

assert isinstance(client_cipher_version, text_type)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2682

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2683

assert server_cipher_version == client_cipher_version

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2684

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2685

def test_get_cipher_bits_before_connect(self):

2686

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2687

`Connection.get_cipher_bits` returns `None` if no connection has

2688

been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2689

"""

2690

ctx = Context(TLSv1_METHOD)

2691

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2692

assert conn.get_cipher_bits() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2693

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2694

def test_get_cipher_bits(self):

2695

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2696

`Connection.get_cipher_bits` returns the number of secret bits

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2697

of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2698

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2699

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2700

server_cipher_bits, client_cipher_bits = \

2701

server.get_cipher_bits(), client.get_cipher_bits()

2702

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2703

assert isinstance(server_cipher_bits, int)

2704

assert isinstance(client_cipher_bits, int)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2705

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2706

assert server_cipher_bits == client_cipher_bits

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

2707

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2708

def test_get_protocol_version_name(self):

2709

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2710

`Connection.get_protocol_version_name()` returns a string giving the

2711

protocol version of the current connection.

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2712

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2713

server, client = loopback()

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2714

client_protocol_version_name = client.get_protocol_version_name()

2715

server_protocol_version_name = server.get_protocol_version_name()

2716

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2717

assert isinstance(server_protocol_version_name, text_type)

2718

assert isinstance(client_protocol_version_name, text_type)

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2719

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2720

assert server_protocol_version_name == client_protocol_version_name

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2721

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2722

def test_get_protocol_version(self):

2723

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2724

`Connection.get_protocol_version()` returns an integer

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2725

giving the protocol version of the current connection.

2726

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2727

server, client = loopback()

Jim Shaver

85a4dff

2015-04-27 17:42:46 -0400

[diff] [blame]

2728

client_protocol_version = client.get_protocol_version()

2729

server_protocol_version = server.get_protocol_version()

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2730

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2731

assert isinstance(server_protocol_version, int)

2732

assert isinstance(client_protocol_version, int)

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2733

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2734

assert server_protocol_version == client_protocol_version

2735

2736

def test_wantReadError(self):

2737

"""

2738

`Connection.bio_read` raises `OpenSSL.SSL.WantReadError` if there are

2739

no bytes available to be read from the BIO.

2740

"""

2741

ctx = Context(TLSv1_METHOD)

2742

conn = Connection(ctx, None)

2743

with pytest.raises(WantReadError):

2744

conn.bio_read(1024)

2745

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2746

@pytest.mark.parametrize('bufsize', [1.0, None, object(), 'bufsize'])

2747

def test_bio_read_wrong_args(self, bufsize):

2748

"""

2749

`Connection.bio_read` raises `TypeError` if passed a non-integer

2750

argument.

2751

"""

2752

ctx = Context(TLSv1_METHOD)

2753

conn = Connection(ctx, None)

2754

with pytest.raises(TypeError):

2755

conn.bio_read(bufsize)

2756

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2757

def test_buffer_size(self):

2758

"""

2759

`Connection.bio_read` accepts an integer giving the maximum number

2760

of bytes to read and return.

2761

"""

2762

ctx = Context(TLSv1_METHOD)

2763

conn = Connection(ctx, None)

2764

conn.set_connect_state()

2765

try:

2766

conn.do_handshake()

2767

except WantReadError:

2768

pass

2769

data = conn.bio_read(2)

2770

assert 2 == len(data)

2771

2772

@skip_if_py3

2773

def test_buffer_size_long(self):

2774

"""

2775

On Python 2 `Connection.bio_read` accepts values of type `long` as

2776

well as `int`.

2777

"""

2778

ctx = Context(TLSv1_METHOD)

2779

conn = Connection(ctx, None)

2780

conn.set_connect_state()

2781

try:

2782

conn.do_handshake()

2783

except WantReadError:

2784

pass

2785

data = conn.bio_read(long(2))

2786

assert 2 == len(data)

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2787

Jean-Paul Calderone

dbd7627

2014-03-29 18:09:40 -0400

[diff] [blame]

2788

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2789

class TestConnectionGetCipherList(object):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2790

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2791

Tests for `Connection.get_cipher_list`.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2792

"""

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2793

def test_result(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2794

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2795

`Connection.get_cipher_list` returns a list of `bytes` giving the

2796

names of the ciphers which might be used.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2797

"""

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2798

connection = Connection(Context(TLSv1_METHOD), None)

2799

ciphers = connection.get_cipher_list()

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2800

assert isinstance(ciphers, list)

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2801

for cipher in ciphers:

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2802

assert isinstance(cipher, str)

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2803

2804

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

2805

class VeryLarge(bytes):

2806

"""

2807

Mock object so that we don't have to allocate 2**31 bytes

"""

def __len__(self):

return 2**31

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2813

class TestConnectionSend(object):

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2814

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2815

Tests for `Connection.send`.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2816

"""

2817

def test_wrong_args(self):

2818

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

2819

When called with arguments other than string argument for its first

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2820

parameter, `Connection.send` raises `TypeError`.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2821

"""

2822

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2823

with pytest.raises(TypeError):

2824

connection.send(object())

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2825

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2826

def test_short_bytes(self):

2827

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2828

When passed a short byte string, `Connection.send` transmits all of it

2829

and returns the number of bytes sent.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2830

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2831

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2832

count = server.send(b'xy')

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2833

assert count == 2

2834

assert client.recv(2) == b'xy'

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2835

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2836

def test_text(self):

2837

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2838

When passed a text, `Connection.send` transmits all of it and

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

2839

returns the number of bytes sent. It also raises a DeprecationWarning.

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2840

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2841

server, client = loopback()

2842

with pytest.warns(DeprecationWarning) as w:

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2843

simplefilter("always")

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

2844

count = server.send(b"xy".decode("ascii"))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2845

assert (

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

2846

"{0} for buf is no longer accepted, use bytes".format(

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

2847

WARNING_TYPE_EXPECTED

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2848

) == str(w[-1].message))

2849

assert count == 2

2850

assert client.recv(2) == b'xy'

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2851

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2852

@skip_if_py26

2853

def test_short_memoryview(self):

2854

"""

2855

When passed a memoryview onto a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2856

`Connection.send` transmits all of them and returns the number

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2857

of bytes sent.

2858

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2859

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2860

count = server.send(memoryview(b'xy'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2861

assert count == 2

2862

assert client.recv(2) == b'xy'

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2863

Hynek Schlawack

8e94f1b

2015-09-05 21:31:00 +0200

[diff] [blame]

2864

@skip_if_py3

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2865

def test_short_buffer(self):

2866

"""

2867

When passed a buffer containing a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2868

`Connection.send` transmits all of them and returns the number

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2869

of bytes sent.

2870

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2871

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2872

count = server.send(buffer(b'xy'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2873

assert count == 2

2874

assert client.recv(2) == b'xy'

Markus Unterwaditzer

8e41d02

2014-04-19 12:27:11 +0200

[diff] [blame]

2875

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

2876

@pytest.mark.skipif(

2877

sys.maxsize < 2**31,

2878

reason="sys.maxsize < 2**31 - test requires 64 bit"

2879

)

2880

def test_buf_too_large(self):

2881

"""

2882

When passed a buffer containing >= 2**31 bytes,

2883

`Connection.send` bails out as SSL_write only

2884

accepts an int for the buffer length.

2885

"""

2886

connection = Connection(Context(TLSv1_METHOD), None)

2887

with pytest.raises(ValueError) as exc_info:

2888

connection.send(VeryLarge())

2889

exc_info.match(r"Cannot send more than .+ bytes at once")

2890

Jean-Paul Calderone

691e6c9

2011-01-21 22:04:35 -0500

[diff] [blame]

2891

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2892

def _make_memoryview(size):

2893

"""

2894

Create a new ``memoryview`` wrapped around a ``bytearray`` of the given

2895

size.

2896

"""

2897

return memoryview(bytearray(size))

2898

2899

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2900

class TestConnectionRecvInto(object):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2901

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2902

Tests for `Connection.recv_into`.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2903

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2904

def _no_length_test(self, factory):

Jean-Paul Calderone

61559d8

2015-03-15 17:04:50 -0400

[diff] [blame]

2905

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2906

Assert that when the given buffer is passed to `Connection.recv_into`,

2907

whatever bytes are available to be received that fit into that buffer

2908

are written into that buffer.

Jean-Paul Calderone

61559d8

2015-03-15 17:04:50 -0400

[diff] [blame]

2909

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2910

output_buffer = factory(5)

2911

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2912

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2913

server.send(b'xy')

Jean-Paul Calderone

332a85e

2015-03-15 17:02:40 -0400

[diff] [blame]

2914

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2915

assert client.recv_into(output_buffer) == 2

2916

assert output_buffer == bytearray(b'xy\x00\x00\x00')

Jean-Paul Calderone

332a85e

2015-03-15 17:02:40 -0400

[diff] [blame]

2917

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2918

def test_bytearray_no_length(self):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2919

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2920

`Connection.recv_into` can be passed a `bytearray` instance and data

2921

in the receive buffer is written to it.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2922

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2923

self._no_length_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2924

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2925

def _respects_length_test(self, factory):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2926

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2927

Assert that when the given buffer is passed to `Connection.recv_into`

2928

along with a value for `nbytes` that is less than the size of that

2929

buffer, only `nbytes` bytes are written into the buffer.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2930

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2931

output_buffer = factory(10)

2932

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2933

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2934

server.send(b'abcdefghij')

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2935

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2936

assert client.recv_into(output_buffer, 5) == 5

2937

assert output_buffer == bytearray(b'abcde\x00\x00\x00\x00\x00')

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

2938

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2939

def test_bytearray_respects_length(self):

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

2940

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2941

When called with a `bytearray` instance, `Connection.recv_into`

2942

respects the `nbytes` parameter and doesn't copy in more than that

2943

number of bytes.

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

2944

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2945

self._respects_length_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2946

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2947

def _doesnt_overfill_test(self, factory):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2948

"""

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2949

Assert that if there are more bytes available to be read from the

2950

receive buffer than would fit into the buffer passed to

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2951

`Connection.recv_into`, only as many as fit are written into it.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2952

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2953

output_buffer = factory(5)

2954

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2955

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2956

server.send(b'abcdefghij')

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2957

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2958

assert client.recv_into(output_buffer) == 5

2959

assert output_buffer == bytearray(b'abcde')

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2960

rest = client.recv(5)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2961

assert b'fghij' == rest

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2962

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2963

def test_bytearray_doesnt_overfill(self):

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2964

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2965

When called with a `bytearray` instance, `Connection.recv_into`

2966

respects the size of the array and doesn't write more bytes into it

2967

than will fit.

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2968

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2969

self._doesnt_overfill_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2970

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2971

def test_bytearray_really_doesnt_overfill(self):

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

2972

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2973

When called with a `bytearray` instance and an `nbytes` value that is

2974

too large, `Connection.recv_into` respects the size of the array and

2975

not the `nbytes` value and doesn't write more bytes into the buffer

2976

than will fit.

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

2977

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2978

self._doesnt_overfill_test(bytearray)

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

2979

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2980

def test_peek(self):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2981

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2982

server.send(b'xy')

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2983

2984

for _ in range(2):

2985

output_buffer = bytearray(5)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2986

assert client.recv_into(output_buffer, flags=MSG_PEEK) == 2

2987

assert output_buffer == bytearray(b'xy\x00\x00\x00')

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2988

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2989

@skip_if_py26

2990

def test_memoryview_no_length(self):

2991

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2992

`Connection.recv_into` can be passed a `memoryview` instance and data

2993

in the receive buffer is written to it.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2994

"""

2995

self._no_length_test(_make_memoryview)

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2996

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2997

@skip_if_py26

2998

def test_memoryview_respects_length(self):

2999

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3000

When called with a `memoryview` instance, `Connection.recv_into`

3001

respects the ``nbytes`` parameter and doesn't copy more than that

3002

number of bytes in.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3003

"""

3004

self._respects_length_test(_make_memoryview)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3005

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3006

@skip_if_py26

3007

def test_memoryview_doesnt_overfill(self):

3008

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3009

When called with a `memoryview` instance, `Connection.recv_into`

3010

respects the size of the array and doesn't write more bytes into it

3011

than will fit.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3012

"""

3013

self._doesnt_overfill_test(_make_memoryview)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3014

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3015

@skip_if_py26

3016

def test_memoryview_really_doesnt_overfill(self):

3017

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3018

When called with a `memoryview` instance and an `nbytes` value that is

3019

too large, `Connection.recv_into` respects the size of the array and

3020

not the `nbytes` value and doesn't write more bytes into the buffer

3021

than will fit.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3022

"""

3023

self._doesnt_overfill_test(_make_memoryview)

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

3024

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3025

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3026

class TestConnectionSendall(object):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3027

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3028

Tests for `Connection.sendall`.

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3029

"""

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3030

def test_wrong_args(self):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3031

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

3032

When called with arguments other than a string argument for its first

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3033

parameter, `Connection.sendall` raises `TypeError`.

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3034

"""

3035

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3036

with pytest.raises(TypeError):

3037

connection.sendall(object())

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3038

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3039

def test_short(self):

3040

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3041

`Connection.sendall` transmits all of the bytes in the string

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3042

passed to it.

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3043

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3044

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3045

server.sendall(b'x')

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3046

assert client.recv(1) == b'x'

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3047

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3048

def test_text(self):

3049

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3050

`Connection.sendall` transmits all the content in the string passed

3051

to it, raising a DeprecationWarning in case of this being a text.

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3052

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3053

server, client = loopback()

3054

with pytest.warns(DeprecationWarning) as w:

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3055

simplefilter("always")

Jean-Paul Calderone

8dc37a1

2015-03-29 08:16:52 -0400

[diff] [blame]

3056

server.sendall(b"x".decode("ascii"))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3057

assert (

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

3058

"{0} for buf is no longer accepted, use bytes".format(

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

3059

WARNING_TYPE_EXPECTED

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3060

) == str(w[-1].message))

3061

assert client.recv(1) == b"x"

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3062

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3063

@skip_if_py26

3064

def test_short_memoryview(self):

3065

"""

3066

When passed a memoryview onto a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3067

`Connection.sendall` transmits all of them.

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3068

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3069

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3070

server.sendall(memoryview(b'x'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3071

assert client.recv(1) == b'x'

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3072

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3073

@skip_if_py3

3074

def test_short_buffers(self):

3075

"""

3076

When passed a buffer containing a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3077

`Connection.sendall` transmits all of them.

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3078

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3079

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3080

server.sendall(buffer(b'x'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3081

assert client.recv(1) == b'x'

Markus Unterwaditzer

8e41d02

2014-04-19 12:27:11 +0200

[diff] [blame]

3082

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3083

def test_long(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3084

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3085

`Connection.sendall` transmits all the bytes in the string passed to it

3086

even if this requires multiple calls of an underlying write function.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3087

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3088

server, client = loopback()

Jean-Paul Calderone

6241c70

2010-09-16 19:59:24 -0400

[diff] [blame]

3089

# Should be enough, underlying SSL_write should only do 16k at a time.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3090

# On Windows, after 32k of bytes the write will block (forever

3091

# - because no one is yet reading).

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3092

message = b'x' * (1024 * 32 - 1) + b'y'

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3093

server.sendall(message)

3094

accum = []

3095

received = 0

3096

while received < len(message):

Jean-Paul Calderone

b1f7f5f

2010-08-22 21:40:52 -0400

[diff] [blame]

3097

data = client.recv(1024)

3098

accum.append(data)

3099

received += len(data)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3100

assert message == b''.join(accum)

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3101

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

3102

def test_closed(self):

3103

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3104

If the underlying socket is closed, `Connection.sendall` propagates the

3105

write error from the low level write call.

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

3106

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3107

server, client = loopback()

Jean-Paul Calderone

05d43e8

2010-09-24 18:01:36 -0400

[diff] [blame]

3108

server.sock_shutdown(2)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3109

with pytest.raises(SysCallError) as err:

3110

server.sendall(b"hello, world")

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

3111

if platform == "win32":

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3112

assert err.value.args[0] == ESHUTDOWN

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

3113

else:

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3114

assert err.value.args[0] == EPIPE

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

3115

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3116

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3117

class TestConnectionRenegotiate(object):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3118

"""

3119

Tests for SSL renegotiation APIs.

3120

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

3121

def test_total_renegotiations(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3122

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3123

`Connection.total_renegotiations` returns `0` before any renegotiations

3124

have happened.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3125

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

3126

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3127

assert connection.total_renegotiations() == 0

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

3128

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3129

def test_renegotiate(self):

3130

"""

3131

Go through a complete renegotiation cycle.

3132

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3133

server, client = loopback()

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3134

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3135

server.send(b"hello world")

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3136

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3137

assert b"hello world" == client.recv(len(b"hello world"))

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3138

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3139

assert 0 == server.total_renegotiations()

3140

assert False is server.renegotiate_pending()

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3141

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3142

assert True is server.renegotiate()

3143

3144

assert True is server.renegotiate_pending()

3145

3146

server.setblocking(False)

3147

client.setblocking(False)

3148

3149

client.do_handshake()

3150

server.do_handshake()

3151

3152

assert 1 == server.total_renegotiations()

3153

while False is server.renegotiate_pending():

3154

pass

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3155

3156

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3157

class TestError(object):

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3158

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3159

Unit tests for `OpenSSL.SSL.Error`.

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3160

"""

3161

def test_type(self):

3162

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3163

`Error` is an exception type.

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3164

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3165

assert issubclass(Error, Exception)

3166

assert Error.__name__ == 'Error'

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

3167

3168

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3169

class TestConstants(object):

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3170

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3171

Tests for the values of constants exposed in `OpenSSL.SSL`.

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3172

3173

These are values defined by OpenSSL intended only to be used as flags to

3174

OpenSSL APIs. The only assertions it seems can be made about them is

3175

their values.

3176

"""

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3177

@pytest.mark.skipif(

3178

OP_NO_QUERY_MTU is None,

3179

reason="OP_NO_QUERY_MTU unavailable - OpenSSL version may be too old"

3180

)

3181

def test_op_no_query_mtu(self):

3182

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3183

The value of `OpenSSL.SSL.OP_NO_QUERY_MTU` is 0x1000, the value

3184

of `SSL_OP_NO_QUERY_MTU` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3185

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3186

assert OP_NO_QUERY_MTU == 0x1000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3187

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3188

@pytest.mark.skipif(

3189

OP_COOKIE_EXCHANGE is None,

3190

reason="OP_COOKIE_EXCHANGE unavailable - "

3191

"OpenSSL version may be too old"

3192

)

3193

def test_op_cookie_exchange(self):

3194

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3195

The value of `OpenSSL.SSL.OP_COOKIE_EXCHANGE` is 0x2000, the

3196

value of `SSL_OP_COOKIE_EXCHANGE` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3197

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3198

assert OP_COOKIE_EXCHANGE == 0x2000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3199

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3200

@pytest.mark.skipif(

3201

OP_NO_TICKET is None,

3202

reason="OP_NO_TICKET unavailable - OpenSSL version may be too old"

3203

)

3204

def test_op_no_ticket(self):

3205

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3206

The value of `OpenSSL.SSL.OP_NO_TICKET` is 0x4000, the value of

3207

`SSL_OP_NO_TICKET` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3208

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3209

assert OP_NO_TICKET == 0x4000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3210

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3211

@pytest.mark.skipif(

3212

OP_NO_COMPRESSION is None,

3213

reason="OP_NO_COMPRESSION unavailable - OpenSSL version may be too old"

3214

)

3215

def test_op_no_compression(self):

3216

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3217

The value of `OpenSSL.SSL.OP_NO_COMPRESSION` is 0x20000, the

3218

value of `SSL_OP_NO_COMPRESSION` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3219

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3220

assert OP_NO_COMPRESSION == 0x20000

Jean-Paul Calderone

c62d4c1

2011-09-08 18:29:32 -0400

[diff] [blame]

3221

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3222

def test_sess_cache_off(self):

3223

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3224

The value of `OpenSSL.SSL.SESS_CACHE_OFF` 0x0, the value of

3225

`SSL_SESS_CACHE_OFF` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3226

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3227

assert 0x0 == SESS_CACHE_OFF

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3228

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3229

def test_sess_cache_client(self):

3230

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3231

The value of `OpenSSL.SSL.SESS_CACHE_CLIENT` 0x1, the value of

3232

`SSL_SESS_CACHE_CLIENT` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3233

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3234

assert 0x1 == SESS_CACHE_CLIENT

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3235

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3236

def test_sess_cache_server(self):

3237

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3238

The value of `OpenSSL.SSL.SESS_CACHE_SERVER` 0x2, the value of

3239

`SSL_SESS_CACHE_SERVER` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3240

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3241

assert 0x2 == SESS_CACHE_SERVER

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3242

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3243

def test_sess_cache_both(self):

3244

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3245

The value of `OpenSSL.SSL.SESS_CACHE_BOTH` 0x3, the value of

3246

`SSL_SESS_CACHE_BOTH` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3247

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3248

assert 0x3 == SESS_CACHE_BOTH

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3249

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3250

def test_sess_cache_no_auto_clear(self):

3251

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3252

The value of `OpenSSL.SSL.SESS_CACHE_NO_AUTO_CLEAR` 0x80, the

3253

value of `SSL_SESS_CACHE_NO_AUTO_CLEAR` defined by

3254

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3255

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3256

assert 0x80 == SESS_CACHE_NO_AUTO_CLEAR

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3257

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3258

def test_sess_cache_no_internal_lookup(self):

3259

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3260

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_LOOKUP` 0x100,

3261

the value of `SSL_SESS_CACHE_NO_INTERNAL_LOOKUP` defined by

3262

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3263

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3264

assert 0x100 == SESS_CACHE_NO_INTERNAL_LOOKUP

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3265

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3266

def test_sess_cache_no_internal_store(self):

3267

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3268

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_STORE` 0x200,

3269

the value of `SSL_SESS_CACHE_NO_INTERNAL_STORE` defined by

3270

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3271

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3272

assert 0x200 == SESS_CACHE_NO_INTERNAL_STORE

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3273

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3274

def test_sess_cache_no_internal(self):

3275

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3276

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL` 0x300, the

3277

value of `SSL_SESS_CACHE_NO_INTERNAL` defined by

3278

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3279

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3280

assert 0x300 == SESS_CACHE_NO_INTERNAL

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3281

3282

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3283

class TestMemoryBIO(object):

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3284

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3285

Tests for `OpenSSL.SSL.Connection` using a memory BIO.

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3286

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3287

def _server(self, sock):

3288

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3289

Create a new server-side SSL `Connection` object wrapped around `sock`.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3290

"""

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3291

# Create the server side Connection. This is mostly setup boilerplate

3292

# - use TLSv1, use a particular certificate, etc.

3293

server_ctx = Context(TLSv1_METHOD)

Alex Gaynor

4330778

2015-09-04 09:05:45 -0400

[diff] [blame]

3294

server_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE)

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3295

server_ctx.set_verify(

3296

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE,

3297

verify_cb

3298

)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3299

server_store = server_ctx.get_cert_store()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3300

server_ctx.use_privatekey(

3301

load_privatekey(FILETYPE_PEM, server_key_pem))

3302

server_ctx.use_certificate(

3303

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3304

server_ctx.check_privatekey()

3305

server_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3306

# Here the Connection is actually created. If None is passed as the

3307

# 2nd parameter, it indicates a memory BIO should be created.

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3308

server_conn = Connection(server_ctx, sock)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3309

server_conn.set_accept_state()

3310

return server_conn

3311

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3312

def _client(self, sock):

3313

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3314

Create a new client-side SSL `Connection` object wrapped around `sock`.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3315

"""

3316

# Now create the client side Connection. Similar boilerplate to the

3317

# above.

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3318

client_ctx = Context(TLSv1_METHOD)

Alex Gaynor

4330778

2015-09-04 09:05:45 -0400

[diff] [blame]

3319

client_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE)

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3320

client_ctx.set_verify(

3321

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE,

3322

verify_cb

3323

)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3324

client_store = client_ctx.get_cert_store()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3325

client_ctx.use_privatekey(

3326

load_privatekey(FILETYPE_PEM, client_key_pem))

3327

client_ctx.use_certificate(

3328

load_certificate(FILETYPE_PEM, client_cert_pem))

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3329

client_ctx.check_privatekey()

3330

client_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3331

client_conn = Connection(client_ctx, sock)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3332

client_conn.set_connect_state()

3333

return client_conn

3334

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3335

def test_memory_connect(self):

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3336

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3337

Two `Connection`s which use memory BIOs can be manually connected by

3338

reading from the output of each and writing those bytes to the input of

3339

the other and in this way establish a connection and exchange

3340

application-level bytes with each other.

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3341

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3342

server_conn = self._server(None)

3343

client_conn = self._client(None)

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3344

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3345

# There should be no key or nonces yet.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3346

assert server_conn.master_key() is None

3347

assert server_conn.client_random() is None

3348

assert server_conn.server_random() is None

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3349

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3350

# First, the handshake needs to happen. We'll deliver bytes back and

3351

# forth between the client and server until neither of them feels like

3352

# speaking any more.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3353

assert interact_in_memory(client_conn, server_conn) is None

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3354

3355

# Now that the handshake is done, there should be a key and nonces.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3356

assert server_conn.master_key() is not None

3357

assert server_conn.client_random() is not None

3358

assert server_conn.server_random() is not None

3359

assert server_conn.client_random() == client_conn.client_random()

3360

assert server_conn.server_random() == client_conn.server_random()

3361

assert server_conn.client_random() != server_conn.server_random()

3362

assert client_conn.client_random() != client_conn.server_random()

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3363

3364

# Here are the bytes we'll try to send.

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3365

important_message = b'One if by land, two if by sea.'

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3366

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3367

server_conn.write(important_message)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3368

assert (

3369

interact_in_memory(client_conn, server_conn) ==

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3370

(client_conn, important_message))

3371

3372

client_conn.write(important_message[::-1])

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3373

assert (

3374

interact_in_memory(client_conn, server_conn) ==

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3375

(server_conn, important_message[::-1]))

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3376

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3377

def test_socket_connect(self):

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3378

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3379

Just like `test_memory_connect` but with an actual socket.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3380

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3381

This is primarily to rule out the memory BIO code as the source of any

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3382

problems encountered while passing data over a `Connection` (if

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3383

this test fails, there must be a problem outside the memory BIO code,

3384

as no memory BIO is involved here). Even though this isn't a memory

3385

BIO test, it's convenient to have it here.

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3386

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3387

server_conn, client_conn = loopback()

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3388

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3389

important_message = b"Help me Obi Wan Kenobi, you're my only hope."

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3390

client_conn.send(important_message)

3391

msg = server_conn.recv(1024)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3392

assert msg == important_message

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3393

3394

# Again in the other direction, just for fun.

3395

important_message = important_message[::-1]

3396

server_conn.send(important_message)

3397

msg = client_conn.recv(1024)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3398

assert msg == important_message

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3399

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3400

def test_socket_overrides_memory(self):

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3401

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3402

Test that `OpenSSL.SSL.bio_read` and `OpenSSL.SSL.bio_write` don't

3403

work on `OpenSSL.SSL.Connection`() that use sockets.

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3404

"""

Alex Gaynor

51d424c

2016-09-10 14:50:11 -0400

[diff] [blame]

3405

context = Context(TLSv1_METHOD)

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3406

client = socket()

3407

clientSSL = Connection(context, client)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3408

with pytest.raises(TypeError):

3409

clientSSL.bio_read(100)

3410

with pytest.raises(TypeError):

3411

clientSSL.bio_write("foo")

3412

with pytest.raises(TypeError):

3413

clientSSL.bio_shutdown()

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3414

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3415

def test_outgoing_overflow(self):

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3416

"""

3417

If more bytes than can be written to the memory BIO are passed to

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3418

`Connection.send` at once, the number of bytes which were written is

3419

returned and that many bytes from the beginning of the input can be

3420

read from the other end of the connection.

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3421

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3422

server = self._server(None)

3423

client = self._client(None)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3424

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3425

interact_in_memory(client, server)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3426

3427

size = 2 ** 15

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

3428

sent = client.send(b"x" * size)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3429

# Sanity check. We're trying to test what happens when the entire

3430

# input can't be sent. If the entire input was sent, this test is

3431

# meaningless.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3432

assert sent < size

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3433

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3434

receiver, received = interact_in_memory(client, server)

3435

assert receiver is server

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3436

3437

# We can rely on all of these bytes being received at once because

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3438

# loopback passes 2 ** 16 to recv - more than 2 ** 15.

3439

assert len(received) == sent

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3440

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3441

def test_shutdown(self):

3442

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3443

`Connection.bio_shutdown` signals the end of the data stream

3444

from which the `Connection` reads.

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3445

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3446

server = self._server(None)

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3447

server.bio_shutdown()

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3448

with pytest.raises(Error) as err:

3449

server.recv(1024)

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3450

# We don't want WantReadError or ZeroReturnError or anything - it's a

3451

# handshake failure.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3452

assert type(err.value) in [Error, SysCallError]

Jean-Paul Calderone

0b88b6a

2009-07-05 12:44:41 -0400

[diff] [blame]

3453

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3454

def test_unexpected_EOF(self):

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3455

"""

3456

If the connection is lost before an orderly SSL shutdown occurs,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3457

`OpenSSL.SSL.SysCallError` is raised with a message of

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3458

"Unexpected EOF".

3459

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3460

server_conn, client_conn = loopback()

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3461

client_conn.sock_shutdown(SHUT_RDWR)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3462

with pytest.raises(SysCallError) as err:

3463

server_conn.recv(1024)

3464

assert err.value.args == (-1, "Unexpected EOF")

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3465

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3466

def _check_client_ca_list(self, func):

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3467

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3468

Verify the return value of the `get_client_ca_list` method for

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3469

server and client connections.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3470

Jonathan Ballet

78b92a2

2011-07-16 08:07:26 +0900

[diff] [blame]

3471

:param func: A function which will be called with the server context

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3472

before the client and server are connected to each other. This

3473

function should specify a list of CAs for the server to send to the

3474

client and return that same list. The list will be used to verify

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3475

that `get_client_ca_list` returns the proper value at

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3476

various times.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3477

"""

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3478

server = self._server(None)

3479

client = self._client(None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3480

assert client.get_client_ca_list() == []

3481

assert server.get_client_ca_list() == []

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3482

ctx = server.get_context()

3483

expected = func(ctx)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3484

assert client.get_client_ca_list() == []

3485

assert server.get_client_ca_list() == expected

3486

interact_in_memory(client, server)

3487

assert client.get_client_ca_list() == expected

3488

assert server.get_client_ca_list() == expected

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3489

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3490

def test_set_client_ca_list_errors(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3491

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3492

`Context.set_client_ca_list` raises a `TypeError` if called with a

3493

non-list or a list that contains objects other than X509Names.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3494

"""

3495

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3496

with pytest.raises(TypeError):

3497

ctx.set_client_ca_list("spam")

3498

with pytest.raises(TypeError):

3499

ctx.set_client_ca_list(["spam"])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3500

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3501

def test_set_empty_ca_list(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3502

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3503

If passed an empty list, `Context.set_client_ca_list` configures the

3504

context to send no CA names to the client and, on both the server and

3505

client sides, `Connection.get_client_ca_list` returns an empty list

3506

after the connection is set up.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3507

"""

3508

def no_ca(ctx):

3509

ctx.set_client_ca_list([])

3510

return []

3511

self._check_client_ca_list(no_ca)

3512

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3513

def test_set_one_ca_list(self):

3514

"""

3515

If passed a list containing a single X509Name,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3516

`Context.set_client_ca_list` configures the context to send

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3517

that CA name to the client and, on both the server and client sides,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3518

`Connection.get_client_ca_list` returns a list containing that

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3519

X509Name after the connection is set up.

3520

"""

3521

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3522

cadesc = cacert.get_subject()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3523

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3524

def single_ca(ctx):

3525

ctx.set_client_ca_list([cadesc])

3526

return [cadesc]

3527

self._check_client_ca_list(single_ca)

3528

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3529

def test_set_multiple_ca_list(self):

3530

"""

3531

If passed a list containing multiple X509Name objects,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3532

`Context.set_client_ca_list` configures the context to send

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3533

those CA names to the client and, on both the server and client sides,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3534

`Connection.get_client_ca_list` returns a list containing those

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3535

X509Names after the connection is set up.

3536

"""

3537

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3538

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3539

3540

sedesc = secert.get_subject()

3541

cldesc = clcert.get_subject()

3542

3543

def multiple_ca(ctx):

3544

L = [sedesc, cldesc]

3545

ctx.set_client_ca_list(L)

3546

return L

3547

self._check_client_ca_list(multiple_ca)

3548

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3549

def test_reset_ca_list(self):

3550

"""

3551

If called multiple times, only the X509Names passed to the final call

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3552

of `Context.set_client_ca_list` are used to configure the CA

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3553

names sent to the client.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3554

"""

3555

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3556

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3557

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3558

3559

cadesc = cacert.get_subject()

3560

sedesc = secert.get_subject()

3561

cldesc = clcert.get_subject()

3562

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3563

def changed_ca(ctx):

3564

ctx.set_client_ca_list([sedesc, cldesc])

3565

ctx.set_client_ca_list([cadesc])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3566

return [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3567

self._check_client_ca_list(changed_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3568

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3569

def test_mutated_ca_list(self):

3570

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3571

If the list passed to `Context.set_client_ca_list` is mutated

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3572

afterwards, this does not affect the list of CA names sent to the

3573

client.

3574

"""

3575

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3576

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3577

3578

cadesc = cacert.get_subject()

3579

sedesc = secert.get_subject()

3580

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3581

def mutated_ca(ctx):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3582

L = [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3583

ctx.set_client_ca_list([cadesc])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3584

L.append(sedesc)

3585

return [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3586

self._check_client_ca_list(mutated_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3587

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3588

def test_add_client_ca_wrong_args(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3589

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3590

`Context.add_client_ca` raises `TypeError` if called with

3591

a non-X509 object.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3592

"""

3593

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3594

with pytest.raises(TypeError):

3595

ctx.add_client_ca("spam")

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3596

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3597

def test_one_add_client_ca(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3598

"""

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3599

A certificate's subject can be added as a CA to be sent to the client

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3600

with `Context.add_client_ca`.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3601

"""

3602

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3603

cadesc = cacert.get_subject()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3604

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3605

def single_ca(ctx):

3606

ctx.add_client_ca(cacert)

3607

return [cadesc]

3608

self._check_client_ca_list(single_ca)

3609

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3610

def test_multiple_add_client_ca(self):

3611

"""

3612

Multiple CA names can be sent to the client by calling

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3613

`Context.add_client_ca` with multiple X509 objects.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3614

"""

3615

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3616

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3617

3618

cadesc = cacert.get_subject()

3619

sedesc = secert.get_subject()

3620

3621

def multiple_ca(ctx):

3622

ctx.add_client_ca(cacert)

3623

ctx.add_client_ca(secert)

3624

return [cadesc, sedesc]

3625

self._check_client_ca_list(multiple_ca)

3626

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3627

def test_set_and_add_client_ca(self):

3628

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3629

A call to `Context.set_client_ca_list` followed by a call to

3630

`Context.add_client_ca` results in using the CA names from the

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3631

first call and the CA name from the second call.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3632

"""

3633

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3634

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3635

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3636

3637

cadesc = cacert.get_subject()

3638

sedesc = secert.get_subject()

3639

cldesc = clcert.get_subject()

3640

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3641

def mixed_set_add_ca(ctx):

3642

ctx.set_client_ca_list([cadesc, sedesc])

3643

ctx.add_client_ca(clcert)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3644

return [cadesc, sedesc, cldesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3645

self._check_client_ca_list(mixed_set_add_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3646

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3647

def test_set_after_add_client_ca(self):

3648

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3649

A call to `Context.set_client_ca_list` after a call to

3650

`Context.add_client_ca` replaces the CA name specified by the

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3651

former call with the names specified by the latter call.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3652

"""

3653

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3654

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3655

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3656

3657

cadesc = cacert.get_subject()

3658

sedesc = secert.get_subject()

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3659

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3660

def set_replaces_add_ca(ctx):

3661

ctx.add_client_ca(clcert)

3662

ctx.set_client_ca_list([cadesc])

3663

ctx.add_client_ca(secert)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3664

return [cadesc, sedesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3665

self._check_client_ca_list(set_replaces_add_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3666

Jean-Paul Calderone

0b88b6a

2009-07-05 12:44:41 -0400

[diff] [blame]

3667

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3668

class TestInfoConstants(object):

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3669

"""

3670

Tests for assorted constants exposed for use in info callbacks.

3671

"""

3672

def test_integers(self):

3673

"""

3674

All of the info constants are integers.

3675

3676

This is a very weak test. It would be nice to have one that actually

3677

verifies that as certain info events happen, the value passed to the

3678

info callback matches up with the constant exposed by OpenSSL.SSL.

3679

"""

3680

for const in [

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

3681

SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK,

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3682

SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT,

3683

SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP,

3684

SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT,

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3685

SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE

3686

]:

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

3687

assert isinstance(const, int)

3688

3689

# These constants don't exist on OpenSSL 1.1.0

3690

for const in [

3691

SSL_ST_INIT, SSL_ST_BEFORE, SSL_ST_OK, SSL_ST_RENEGOTIATE

3692

]:

3693

assert const is None or isinstance(const, int)

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3694

Ziga Seilnacht

44611bf

2009-08-31 20:49:30 +0200

[diff] [blame]

3695

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3696

class TestRequires(object):

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3697

"""

3698

Tests for the decorator factory used to conditionally raise

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3699

NotImplementedError when older OpenSSLs are used.

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3700

"""

3701

def test_available(self):

3702

"""

3703

When the OpenSSL functionality is available the decorated functions

3704

work appropriately.

3705

"""

3706

feature_guard = _make_requires(True, "Error text")

results = []

@feature_guard

def inner():

results.append(True)

return True

Cory Benfield

2016-03-30 14:24:16 +0100

[diff] [blame]

3714

assert inner() is True

3715

assert [True] == results

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3716

3717

def test_unavailable(self):

3718

"""

3719

When the OpenSSL functionality is not available the decorated function

3720

does not execute and NotImplementedError is raised.

3721

"""

3722

feature_guard = _make_requires(False, "Error text")

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3723

3724

@feature_guard

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3725

def inner(): # pragma: nocover

3726

pytest.fail("Should not be called")

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3727

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3728

with pytest.raises(NotImplementedError) as e:

3729

inner()

3730

3731

assert "Error text" in str(e.value)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3732

3733

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3734

class TestOCSP(object):

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3735

"""

3736

Tests for PyOpenSSL's OCSP stapling support.

3737

"""

3738

sample_ocsp_data = b"this is totally ocsp data"

3739

3740

def _client_connection(self, callback, data, request_ocsp=True):

3741

"""

3742

Builds a client connection suitable for using OCSP.

3743

3744

:param callback: The callback to register for OCSP.

3745

:param data: The opaque data object that will be handed to the

3746

OCSP callback.

3747

:param request_ocsp: Whether the client will actually ask for OCSP

3748

stapling. Useful for testing only.

3749

"""

3750

ctx = Context(SSLv23_METHOD)

3751

ctx.set_ocsp_client_callback(callback, data)

3752

client = Connection(ctx)

3753

3754

if request_ocsp:

3755

client.request_ocsp()

3756

3757

client.set_connect_state()

3758

return client

3759

3760

def _server_connection(self, callback, data):

3761

"""

3762

Builds a server connection suitable for using OCSP.

3763

3764

:param callback: The callback to register for OCSP.

3765

:param data: The opaque data object that will be handed to the

3766

OCSP callback.

3767

"""

3768

ctx = Context(SSLv23_METHOD)

3769

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

3770

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

3771

ctx.set_ocsp_server_callback(callback, data)

3772

server = Connection(ctx)

3773

server.set_accept_state()

3774

return server

3775

3776

def test_callbacks_arent_called_by_default(self):

3777

"""

3778

If both the client and the server have registered OCSP callbacks, but

3779

the client does not send the OCSP request, neither callback gets

3780

called.

3781

"""

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3782

def ocsp_callback(*args, **kwargs): # pragma: nocover

3783

pytest.fail("Should not be called")

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3784

3785

client = self._client_connection(

3786

callback=ocsp_callback, data=None, request_ocsp=False

3787

)

3788

server = self._server_connection(callback=ocsp_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3789

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3790

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3791

def test_client_negotiates_without_server(self):

3792

"""

3793

If the client wants to do OCSP but the server does not, the handshake

3794

succeeds, and the client callback fires with an empty byte string.

"""

called = []

def ocsp_callback(conn, ocsp_data, ignored):

3799

called.append(ocsp_data)

3800

return True

3801

3802

client = self._client_connection(callback=ocsp_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3803

server = loopback_server_factory(socket=None)

3804

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3805

3806

assert len(called) == 1

3807

assert called[0] == b''

3808

3809

def test_client_receives_servers_data(self):

3810

"""

3811

The data the server sends in its callback is received by the client.

"""

calls = []

def server_callback(*args, **kwargs):

3816

return self.sample_ocsp_data

3817

3818

def client_callback(conn, ocsp_data, ignored):

3819

calls.append(ocsp_data)

3820

return True

3821

3822

client = self._client_connection(callback=client_callback, data=None)

3823

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3824

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3825

3826

assert len(calls) == 1

3827

assert calls[0] == self.sample_ocsp_data

3828

3829

def test_callbacks_are_invoked_with_connections(self):

3830

"""

3831

The first arguments to both callbacks are their respective connections.

"""

client_calls = []

server_calls = []

def client_callback(conn, *args, **kwargs):

3837

client_calls.append(conn)

3838

return True

3839

3840

def server_callback(conn, *args, **kwargs):

3841

server_calls.append(conn)

3842

return self.sample_ocsp_data

3843

3844

client = self._client_connection(callback=client_callback, data=None)

3845

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3846

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3847

3848

assert len(client_calls) == 1

3849

assert len(server_calls) == 1

3850

assert client_calls[0] is client

3851

assert server_calls[0] is server

3852

3853

def test_opaque_data_is_passed_through(self):

3854

"""

3855

Both callbacks receive an opaque, user-provided piece of data in their

3856

callbacks as the final argument.

"""

calls = []

def server_callback(*args):

3861

calls.append(args)

3862

return self.sample_ocsp_data

3863

3864

def client_callback(*args):

calls.append(args)

return True

sentinel = object()

client = self._client_connection(

3871

callback=client_callback, data=sentinel

3872

)

3873

server = self._server_connection(

3874

callback=server_callback, data=sentinel

3875

)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3876

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3877

3878

assert len(calls) == 2

3879

assert calls[0][-1] is sentinel

3880

assert calls[1][-1] is sentinel

3881

3882

def test_server_returns_empty_string(self):

3883

"""

3884

If the server returns an empty bytestring from its callback, the

3885

client callback is called with the empty bytestring.

"""

client_calls = []

def server_callback(*args):

3890

return b''

3891

3892

def client_callback(conn, ocsp_data, ignored):

3893

client_calls.append(ocsp_data)

3894

return True

3895

3896

client = self._client_connection(callback=client_callback, data=None)

3897

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3898

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3899

3900

assert len(client_calls) == 1

3901

assert client_calls[0] == b''

3902

3903

def test_client_returns_false_terminates_handshake(self):

3904

"""

3905

If the client returns False from its callback, the handshake fails.

3906

"""

3907

def server_callback(*args):

3908

return self.sample_ocsp_data

3909

3910

def client_callback(*args):

3911

return False

3912

3913

client = self._client_connection(callback=client_callback, data=None)

3914

server = self._server_connection(callback=server_callback, data=None)

3915

3916

with pytest.raises(Error):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3917

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3918

3919

def test_exceptions_in_client_bubble_up(self):

3920

"""

3921

The callbacks thrown in the client callback bubble up to the caller.

3922

"""

3923

class SentinelException(Exception):

3924

pass

3925

3926

def server_callback(*args):

3927

return self.sample_ocsp_data

3928

3929

def client_callback(*args):

3930

raise SentinelException()

3931

3932

client = self._client_connection(callback=client_callback, data=None)

3933

server = self._server_connection(callback=server_callback, data=None)

3934

3935

with pytest.raises(SentinelException):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3936

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3937

3938

def test_exceptions_in_server_bubble_up(self):

3939

"""

3940

The callbacks thrown in the server callback bubble up to the caller.

3941

"""

3942

class SentinelException(Exception):

3943

pass

3944

3945

def server_callback(*args):

3946

raise SentinelException()

3947

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3948

def client_callback(*args): # pragma: nocover

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3949

pytest.fail("Should not be called")

3950

3951

client = self._client_connection(callback=client_callback, data=None)

3952

server = self._server_connection(callback=server_callback, data=None)

3953

3954

with pytest.raises(SentinelException):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3955

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3956

3957

def test_server_must_return_bytes(self):

3958

"""

3959

The server callback must return a bytestring, or a TypeError is thrown.

3960

"""

3961

def server_callback(*args):

3962

return self.sample_ocsp_data.decode('ascii')

3963

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3964

def client_callback(*args): # pragma: nocover

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3965

pytest.fail("Should not be called")

3966

3967

client = self._client_connection(callback=client_callback, data=None)

3968

server = self._server_connection(callback=server_callback, data=None)

3969

3970

with pytest.raises(TypeError):

Alex Chan