Jean-Paul Calderone | 8671c85 | 2011-03-02 19:26:20 -0500 | [diff] [blame] | 1 | # Copyright (C) Jean-Paul Calderone |
| 2 | # See LICENSE for details. |
Jean-Paul Calderone | 8b63d45 | 2008-03-21 18:31:12 -0400 | [diff] [blame] | 3 | |
Jean-Paul Calderone | 30c09ea | 2008-03-21 17:04:05 -0400 | [diff] [blame] | 4 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 5 | Unit tests for :py:obj:`OpenSSL.SSL`. |
Jean-Paul Calderone | 30c09ea | 2008-03-21 17:04:05 -0400 | [diff] [blame] | 6 | """ |
| 7 | |
Jean-Paul Calderone | 4c1aacd | 2014-01-11 08:15:17 -0500 | [diff] [blame] | 8 | from gc import collect, get_referrers |
Konstantinos Koukopoulos | 541150d | 2014-01-31 01:00:19 +0200 | [diff] [blame] | 9 | from errno import ECONNREFUSED, EINPROGRESS, EWOULDBLOCK, EPIPE, ESHUTDOWN |
Jean-Paul Calderone | 516c12c | 2015-04-13 20:34:57 -0400 | [diff] [blame] | 10 | from sys import platform, getfilesystemencoding |
Maximilian Hils | 1d95dea | 2015-08-17 19:27:20 +0200 | [diff] [blame] | 11 | from socket import MSG_PEEK, SHUT_RDWR, error, socket |
Jean-Paul Calderone | a65cf6c | 2009-07-19 10:26:52 -0400 | [diff] [blame] | 12 | from os import makedirs |
Jean-Paul Calderone | 1461c49 | 2013-10-03 16:05:00 -0400 | [diff] [blame] | 13 | from os.path import join |
Jean-Paul Calderone | 0b88b6a | 2009-07-05 12:44:41 -0400 | [diff] [blame] | 14 | from unittest import main |
Jean-Paul Calderone | c4cb658 | 2011-05-26 18:47:00 -0400 | [diff] [blame] | 15 | from weakref import ref |
Abraham Martin | ef06348 | 2015-03-25 14:06:24 +0000 | [diff] [blame] | 16 | from warnings import catch_warnings, simplefilter |
Jean-Paul Calderone | 460cc1f | 2009-03-07 11:31:12 -0500 | [diff] [blame] | 17 | |
Hynek Schlawack | 734d302 | 2015-09-05 19:19:32 +0200 | [diff] [blame] | 18 | import pytest |
| 19 | |
Jean-Paul Calderone | 4e0c43f | 2015-04-13 10:15:17 -0400 | [diff] [blame] | 20 | from six import PY3, text_type, u |
Jean-Paul Calderone | c76c61c | 2014-01-18 13:21:52 -0500 | [diff] [blame] | 21 | |
Jean-Paul Calderone | 20222ae | 2011-05-19 21:43:46 -0400 | [diff] [blame] | 22 | from OpenSSL.crypto import TYPE_RSA, FILETYPE_PEM |
Jean-Paul Calderone | a63714c | 2013-03-05 17:02:26 -0800 | [diff] [blame] | 23 | from OpenSSL.crypto import PKey, X509, X509Extension, X509Store |
Jean-Paul Calderone | 7526d17 | 2010-09-09 17:55:31 -0400 | [diff] [blame] | 24 | from OpenSSL.crypto import dump_privatekey, load_privatekey |
| 25 | from OpenSSL.crypto import dump_certificate, load_certificate |
Jean-Paul Calderone | c09fd58 | 2014-04-18 22:00:10 -0400 | [diff] [blame] | 26 | from OpenSSL.crypto import get_elliptic_curves |
Jean-Paul Calderone | 7526d17 | 2010-09-09 17:55:31 -0400 | [diff] [blame] | 27 | |
Jean-Paul Calderone | 9f2e38e | 2011-04-14 09:36:55 -0400 | [diff] [blame] | 28 | from OpenSSL.SSL import OPENSSL_VERSION_NUMBER, SSLEAY_VERSION, SSLEAY_CFLAGS |
| 29 | from OpenSSL.SSL import SSLEAY_PLATFORM, SSLEAY_DIR, SSLEAY_BUILT_ON |
Jean-Paul Calderone | e4f6b47 | 2010-07-29 22:50:58 -0400 | [diff] [blame] | 30 | from OpenSSL.SSL import SENT_SHUTDOWN, RECEIVED_SHUTDOWN |
Jean-Paul Calderone | 1461c49 | 2013-10-03 16:05:00 -0400 | [diff] [blame] | 31 | from OpenSSL.SSL import ( |
| 32 | SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD, |
| 33 | TLSv1_1_METHOD, TLSv1_2_METHOD) |
| 34 | from OpenSSL.SSL import OP_SINGLE_DH_USE, OP_NO_SSLv2, OP_NO_SSLv3 |
Jean-Paul Calderone | 20222ae | 2011-05-19 21:43:46 -0400 | [diff] [blame] | 35 | from OpenSSL.SSL import ( |
| 36 | VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT, VERIFY_CLIENT_ONCE, VERIFY_NONE) |
Jean-Paul Calderone | 0222a49 | 2011-09-08 18:26:03 -0400 | [diff] [blame] | 37 | |
Jean-Paul Calderone | 20222ae | 2011-05-19 21:43:46 -0400 | [diff] [blame] | 38 | from OpenSSL.SSL import ( |
Jean-Paul Calderone | 313bf01 | 2012-02-08 13:02:49 -0500 | [diff] [blame] | 39 | SESS_CACHE_OFF, SESS_CACHE_CLIENT, SESS_CACHE_SERVER, SESS_CACHE_BOTH, |
| 40 | SESS_CACHE_NO_AUTO_CLEAR, SESS_CACHE_NO_INTERNAL_LOOKUP, |
| 41 | SESS_CACHE_NO_INTERNAL_STORE, SESS_CACHE_NO_INTERNAL) |
| 42 | |
| 43 | from OpenSSL.SSL import ( |
Jean-Paul Calderone | d899af0 | 2013-03-19 22:10:37 -0700 | [diff] [blame] | 44 | Error, SysCallError, WantReadError, WantWriteError, ZeroReturnError) |
Jean-Paul Calderone | e0fcf51 | 2012-02-13 09:10:15 -0500 | [diff] [blame] | 45 | from OpenSSL.SSL import ( |
Jean-Paul Calderone | d899af0 | 2013-03-19 22:10:37 -0700 | [diff] [blame] | 46 | Context, ContextType, Session, Connection, ConnectionType, SSLeay_version) |
Jean-Paul Calderone | 7526d17 | 2010-09-09 17:55:31 -0400 | [diff] [blame] | 47 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 48 | from OpenSSL._util import lib as _lib |
| 49 | |
Jean-Paul Calderone | 17eca48 | 2015-04-13 20:31:07 -0400 | [diff] [blame] | 50 | from OpenSSL.test.util import WARNING_TYPE_EXPECTED, NON_ASCII, TestCase, b |
Jean-Paul Calderone | 20222ae | 2011-05-19 21:43:46 -0400 | [diff] [blame] | 51 | from OpenSSL.test.test_crypto import ( |
Jean-Paul Calderone | da6399a | 2015-04-13 20:52:29 -0400 | [diff] [blame] | 52 | cleartextCertificatePEM, cleartextPrivateKeyPEM, |
Jean-Paul Calderone | 20222ae | 2011-05-19 21:43:46 -0400 | [diff] [blame] | 53 | client_cert_pem, client_key_pem, server_cert_pem, server_key_pem, |
| 54 | root_cert_pem) |
| 55 | |
Jean-Paul Calderone | 4bccf5e | 2008-12-28 22:50:42 -0500 | [diff] [blame] | 56 | try: |
| 57 | from OpenSSL.SSL import OP_NO_QUERY_MTU |
| 58 | except ImportError: |
| 59 | OP_NO_QUERY_MTU = None |
| 60 | try: |
| 61 | from OpenSSL.SSL import OP_COOKIE_EXCHANGE |
| 62 | except ImportError: |
| 63 | OP_COOKIE_EXCHANGE = None |
| 64 | try: |
| 65 | from OpenSSL.SSL import OP_NO_TICKET |
| 66 | except ImportError: |
| 67 | OP_NO_TICKET = None |
Jean-Paul Calderone | 5ef8651 | 2008-04-26 19:06:28 -0400 | [diff] [blame] | 68 | |
Jean-Paul Calderone | 0222a49 | 2011-09-08 18:26:03 -0400 | [diff] [blame] | 69 | try: |
Jean-Paul Calderone | c62d4c1 | 2011-09-08 18:29:32 -0400 | [diff] [blame] | 70 | from OpenSSL.SSL import OP_NO_COMPRESSION |
| 71 | except ImportError: |
| 72 | OP_NO_COMPRESSION = None |
| 73 | |
| 74 | try: |
Jean-Paul Calderone | 0222a49 | 2011-09-08 18:26:03 -0400 | [diff] [blame] | 75 | from OpenSSL.SSL import MODE_RELEASE_BUFFERS |
| 76 | except ImportError: |
| 77 | MODE_RELEASE_BUFFERS = None |
| 78 | |
Jean-Paul Calderone | 1461c49 | 2013-10-03 16:05:00 -0400 | [diff] [blame] | 79 | try: |
| 80 | from OpenSSL.SSL import OP_NO_TLSv1, OP_NO_TLSv1_1, OP_NO_TLSv1_2 |
| 81 | except ImportError: |
| 82 | OP_NO_TLSv1 = OP_NO_TLSv1_1 = OP_NO_TLSv1_2 = None |
| 83 | |
Jean-Paul Calderone | 31e85a8 | 2011-03-21 19:13:35 -0400 | [diff] [blame] | 84 | from OpenSSL.SSL import ( |
| 85 | SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK, SSL_ST_INIT, SSL_ST_BEFORE, |
| 86 | SSL_ST_OK, SSL_ST_RENEGOTIATE, |
| 87 | SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT, |
| 88 | SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP, |
| 89 | SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT, |
| 90 | SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE) |
Jean-Paul Calderone | 30c09ea | 2008-03-21 17:04:05 -0400 | [diff] [blame] | 91 | |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 92 | |
Jean-Paul Calderone | 6ace478 | 2010-09-09 18:43:40 -0400 | [diff] [blame] | 93 | # openssl dhparam 128 -out dh-128.pem (note that 128 is a small number of bits |
| 94 | # to use) |
| 95 | dhparam = """\ |
| 96 | -----BEGIN DH PARAMETERS----- |
| 97 | MBYCEQCobsg29c9WZP/54oAPcwiDAgEC |
| 98 | -----END DH PARAMETERS----- |
| 99 | """ |
| 100 | |
| 101 | |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 102 | skip_if_py3 = pytest.mark.skipif(not PY3, reason="Python 2 only") |
| 103 | |
| 104 | |
Jean-Paul Calderone | 0582673 | 2015-04-12 11:38:49 -0400 | [diff] [blame] | 105 | def join_bytes_or_unicode(prefix, suffix): |
| 106 | """ |
| 107 | Join two path components of either ``bytes`` or ``unicode``. |
| 108 | |
| 109 | The return type is the same as the type of ``prefix``. |
| 110 | """ |
| 111 | # If the types are the same, nothing special is necessary. |
| 112 | if type(prefix) == type(suffix): |
| 113 | return join(prefix, suffix) |
| 114 | |
| 115 | # Otherwise, coerce suffix to the type of prefix. |
| 116 | if isinstance(prefix, text_type): |
| 117 | return join(prefix, suffix.decode(getfilesystemencoding())) |
| 118 | else: |
| 119 | return join(prefix, suffix.encode(getfilesystemencoding())) |
| 120 | |
| 121 | |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 122 | def verify_cb(conn, cert, errnum, depth, ok): |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 123 | return ok |
| 124 | |
Jean-Paul Calderone | 20222ae | 2011-05-19 21:43:46 -0400 | [diff] [blame] | 125 | |
Rick Dean | b1ccd56 | 2009-07-09 23:52:39 -0500 | [diff] [blame] | 126 | def socket_pair(): |
Jean-Paul Calderone | 1a9613b | 2009-07-16 12:13:36 -0400 | [diff] [blame] | 127 | """ |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 128 | Establish and return a pair of network sockets connected to each other. |
Jean-Paul Calderone | 1a9613b | 2009-07-16 12:13:36 -0400 | [diff] [blame] | 129 | """ |
| 130 | # Connect a pair of sockets |
Rick Dean | b1ccd56 | 2009-07-09 23:52:39 -0500 | [diff] [blame] | 131 | port = socket() |
| 132 | port.bind(('', 0)) |
| 133 | port.listen(1) |
| 134 | client = socket() |
| 135 | client.setblocking(False) |
Jean-Paul Calderone | f23c5d9 | 2009-07-23 17:58:15 -0400 | [diff] [blame] | 136 | client.connect_ex(("127.0.0.1", port.getsockname()[1])) |
Jean-Paul Calderone | 94b24a8 | 2009-07-16 19:11:38 -0400 | [diff] [blame] | 137 | client.setblocking(True) |
Rick Dean | b1ccd56 | 2009-07-09 23:52:39 -0500 | [diff] [blame] | 138 | server = port.accept()[0] |
Rick Dean | b1ccd56 | 2009-07-09 23:52:39 -0500 | [diff] [blame] | 139 | |
Jean-Paul Calderone | 1a9613b | 2009-07-16 12:13:36 -0400 | [diff] [blame] | 140 | # Let's pass some unencrypted data to make sure our socket connection is |
| 141 | # fine. Just one byte, so we don't have to worry about buffers getting |
| 142 | # filled up or fragmentation. |
Jean-Paul Calderone | 9e4eeae | 2010-08-22 21:32:52 -0400 | [diff] [blame] | 143 | server.send(b("x")) |
| 144 | assert client.recv(1024) == b("x") |
| 145 | client.send(b("y")) |
| 146 | assert server.recv(1024) == b("y") |
Rick Dean | b1ccd56 | 2009-07-09 23:52:39 -0500 | [diff] [blame] | 147 | |
Jean-Paul Calderone | 7ca48b5 | 2010-07-28 18:57:21 -0400 | [diff] [blame] | 148 | # Most of our callers want non-blocking sockets, make it easy for them. |
Jean-Paul Calderone | 94b24a8 | 2009-07-16 19:11:38 -0400 | [diff] [blame] | 149 | server.setblocking(False) |
| 150 | client.setblocking(False) |
Jim Shaver | 46f2891 | 2015-05-29 19:32:16 -0400 | [diff] [blame] | 151 | |
Rick Dean | b1ccd56 | 2009-07-09 23:52:39 -0500 | [diff] [blame] | 152 | return (server, client) |
| 153 | |
| 154 | |
Jean-Paul Calderone | f874203 | 2010-09-25 00:00:32 -0400 | [diff] [blame] | 155 | def handshake(client, server): |
| 156 | conns = [client, server] |
| 157 | while conns: |
| 158 | for conn in conns: |
| 159 | try: |
| 160 | conn.do_handshake() |
| 161 | except WantReadError: |
| 162 | pass |
| 163 | else: |
| 164 | conns.remove(conn) |
| 165 | |
| 166 | |
Jean-Paul Calderone | 20222ae | 2011-05-19 21:43:46 -0400 | [diff] [blame] | 167 | def _create_certificate_chain(): |
| 168 | """ |
| 169 | Construct and return a chain of certificates. |
| 170 | |
| 171 | 1. A new self-signed certificate authority certificate (cacert) |
| 172 | 2. A new intermediate certificate signed by cacert (icert) |
| 173 | 3. A new server certificate signed by icert (scert) |
| 174 | """ |
| 175 | caext = X509Extension(b('basicConstraints'), False, b('CA:true')) |
| 176 | |
| 177 | # Step 1 |
| 178 | cakey = PKey() |
| 179 | cakey.generate_key(TYPE_RSA, 512) |
| 180 | cacert = X509() |
| 181 | cacert.get_subject().commonName = "Authority Certificate" |
| 182 | cacert.set_issuer(cacert.get_subject()) |
| 183 | cacert.set_pubkey(cakey) |
| 184 | cacert.set_notBefore(b("20000101000000Z")) |
| 185 | cacert.set_notAfter(b("20200101000000Z")) |
| 186 | cacert.add_extensions([caext]) |
| 187 | cacert.set_serial_number(0) |
| 188 | cacert.sign(cakey, "sha1") |
| 189 | |
| 190 | # Step 2 |
| 191 | ikey = PKey() |
| 192 | ikey.generate_key(TYPE_RSA, 512) |
| 193 | icert = X509() |
| 194 | icert.get_subject().commonName = "Intermediate Certificate" |
| 195 | icert.set_issuer(cacert.get_subject()) |
| 196 | icert.set_pubkey(ikey) |
| 197 | icert.set_notBefore(b("20000101000000Z")) |
| 198 | icert.set_notAfter(b("20200101000000Z")) |
| 199 | icert.add_extensions([caext]) |
| 200 | icert.set_serial_number(0) |
| 201 | icert.sign(cakey, "sha1") |
| 202 | |
| 203 | # Step 3 |
| 204 | skey = PKey() |
| 205 | skey.generate_key(TYPE_RSA, 512) |
| 206 | scert = X509() |
| 207 | scert.get_subject().commonName = "Server Certificate" |
| 208 | scert.set_issuer(icert.get_subject()) |
| 209 | scert.set_pubkey(skey) |
| 210 | scert.set_notBefore(b("20000101000000Z")) |
| 211 | scert.set_notAfter(b("20200101000000Z")) |
| 212 | scert.add_extensions([ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 213 | X509Extension(b('basicConstraints'), True, b('CA:false'))]) |
Jean-Paul Calderone | 20222ae | 2011-05-19 21:43:46 -0400 | [diff] [blame] | 214 | scert.set_serial_number(0) |
| 215 | scert.sign(ikey, "sha1") |
| 216 | |
| 217 | return [(cakey, cacert), (ikey, icert), (skey, scert)] |
| 218 | |
| 219 | |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 220 | class _LoopbackMixin: |
Jean-Paul Calderone | a8fb0c8 | 2010-09-09 18:04:56 -0400 | [diff] [blame] | 221 | """ |
| 222 | Helper mixin which defines methods for creating a connected socket pair and |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 223 | for forcing two connected SSL sockets to talk to each other via memory |
| 224 | BIOs. |
Jean-Paul Calderone | a8fb0c8 | 2010-09-09 18:04:56 -0400 | [diff] [blame] | 225 | """ |
Jean-Paul Calderone | fef5c4b | 2012-02-14 16:31:52 -0500 | [diff] [blame] | 226 | def _loopbackClientFactory(self, socket): |
| 227 | client = Connection(Context(TLSv1_METHOD), socket) |
| 228 | client.set_connect_state() |
| 229 | return client |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 230 | |
Jean-Paul Calderone | fef5c4b | 2012-02-14 16:31:52 -0500 | [diff] [blame] | 231 | def _loopbackServerFactory(self, socket): |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 232 | ctx = Context(TLSv1_METHOD) |
| 233 | ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem)) |
| 234 | ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem)) |
Jean-Paul Calderone | fef5c4b | 2012-02-14 16:31:52 -0500 | [diff] [blame] | 235 | server = Connection(ctx, socket) |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 236 | server.set_accept_state() |
Jean-Paul Calderone | fef5c4b | 2012-02-14 16:31:52 -0500 | [diff] [blame] | 237 | return server |
| 238 | |
Jean-Paul Calderone | fef5c4b | 2012-02-14 16:31:52 -0500 | [diff] [blame] | 239 | def _loopback(self, serverFactory=None, clientFactory=None): |
| 240 | if serverFactory is None: |
| 241 | serverFactory = self._loopbackServerFactory |
| 242 | if clientFactory is None: |
| 243 | clientFactory = self._loopbackClientFactory |
| 244 | |
| 245 | (server, client) = socket_pair() |
| 246 | server = serverFactory(server) |
| 247 | client = clientFactory(client) |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 248 | |
Jean-Paul Calderone | f874203 | 2010-09-25 00:00:32 -0400 | [diff] [blame] | 249 | handshake(client, server) |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 250 | |
| 251 | server.setblocking(True) |
| 252 | client.setblocking(True) |
| 253 | return server, client |
| 254 | |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 255 | def _interactInMemory(self, client_conn, server_conn): |
| 256 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 257 | Try to read application bytes from each of the two :py:obj:`Connection` |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 258 | objects. Copy bytes back and forth between their send/receive buffers |
| 259 | for as long as there is anything to copy. When there is nothing more |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 260 | to copy, return :py:obj:`None`. If one of them actually manages to |
| 261 | deliver some application bytes, return a two-tuple of the connection |
| 262 | from which the bytes were read and the bytes themselves. |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 263 | """ |
| 264 | wrote = True |
| 265 | while wrote: |
| 266 | # Loop until neither side has anything to say |
| 267 | wrote = False |
| 268 | |
| 269 | # Copy stuff from each side's send buffer to the other side's |
| 270 | # receive buffer. |
| 271 | for (read, write) in [(client_conn, server_conn), |
| 272 | (server_conn, client_conn)]: |
| 273 | |
| 274 | # Give the side a chance to generate some more bytes, or |
| 275 | # succeed. |
| 276 | try: |
Jean-Paul Calderone | 20222ae | 2011-05-19 21:43:46 -0400 | [diff] [blame] | 277 | data = read.recv(2 ** 16) |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 278 | except WantReadError: |
| 279 | # It didn't succeed, so we'll hope it generated some |
| 280 | # output. |
| 281 | pass |
| 282 | else: |
| 283 | # It did succeed, so we'll stop now and let the caller deal |
| 284 | # with it. |
Jean-Paul Calderone | 20222ae | 2011-05-19 21:43:46 -0400 | [diff] [blame] | 285 | return (read, data) |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 286 | |
| 287 | while True: |
| 288 | # Keep copying as long as there's more stuff there. |
| 289 | try: |
| 290 | dirty = read.bio_read(4096) |
| 291 | except WantReadError: |
| 292 | # Okay, nothing more waiting to be sent. Stop |
| 293 | # processing this send buffer. |
| 294 | break |
| 295 | else: |
| 296 | # Keep track of the fact that someone generated some |
| 297 | # output. |
| 298 | wrote = True |
| 299 | write.bio_write(dirty) |
| 300 | |
Jean-Paul Calderone | 6a8cd11 | 2014-04-02 21:09:08 -0400 | [diff] [blame] | 301 | def _handshakeInMemory(self, client_conn, server_conn): |
Jean-Paul Calderone | b2b4078 | 2014-05-06 08:47:40 -0400 | [diff] [blame] | 302 | """ |
| 303 | Perform the TLS handshake between two :py:class:`Connection` instances |
| 304 | connected to each other via memory BIOs. |
| 305 | """ |
Jean-Paul Calderone | 6a8cd11 | 2014-04-02 21:09:08 -0400 | [diff] [blame] | 306 | client_conn.set_connect_state() |
| 307 | server_conn.set_accept_state() |
| 308 | |
| 309 | for conn in [client_conn, server_conn]: |
| 310 | try: |
| 311 | conn.do_handshake() |
| 312 | except WantReadError: |
| 313 | pass |
| 314 | |
| 315 | self._interactInMemory(client_conn, server_conn) |
| 316 | |
| 317 | |
Jean-Paul Calderone | 9f2e38e | 2011-04-14 09:36:55 -0400 | [diff] [blame] | 318 | class VersionTests(TestCase): |
| 319 | """ |
| 320 | Tests for version information exposed by |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 321 | :py:obj:`OpenSSL.SSL.SSLeay_version` and |
| 322 | :py:obj:`OpenSSL.SSL.OPENSSL_VERSION_NUMBER`. |
Jean-Paul Calderone | 9f2e38e | 2011-04-14 09:36:55 -0400 | [diff] [blame] | 323 | """ |
| 324 | def test_OPENSSL_VERSION_NUMBER(self): |
| 325 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 326 | :py:obj:`OPENSSL_VERSION_NUMBER` is an integer with status in the low |
Jean-Paul Calderone | 9f2e38e | 2011-04-14 09:36:55 -0400 | [diff] [blame] | 327 | byte and the patch, fix, minor, and major versions in the |
| 328 | nibbles above that. |
| 329 | """ |
| 330 | self.assertTrue(isinstance(OPENSSL_VERSION_NUMBER, int)) |
| 331 | |
Jean-Paul Calderone | 9f2e38e | 2011-04-14 09:36:55 -0400 | [diff] [blame] | 332 | def test_SSLeay_version(self): |
| 333 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 334 | :py:obj:`SSLeay_version` takes a version type indicator and returns |
Jean-Paul Calderone | 9f2e38e | 2011-04-14 09:36:55 -0400 | [diff] [blame] | 335 | one of a number of version strings based on that indicator. |
| 336 | """ |
| 337 | versions = {} |
| 338 | for t in [SSLEAY_VERSION, SSLEAY_CFLAGS, SSLEAY_BUILT_ON, |
| 339 | SSLEAY_PLATFORM, SSLEAY_DIR]: |
| 340 | version = SSLeay_version(t) |
| 341 | versions[version] = t |
| 342 | self.assertTrue(isinstance(version, bytes)) |
| 343 | self.assertEqual(len(versions), 5) |
| 344 | |
| 345 | |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 346 | class ContextTests(TestCase, _LoopbackMixin): |
Jean-Paul Calderone | 30c09ea | 2008-03-21 17:04:05 -0400 | [diff] [blame] | 347 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 348 | Unit tests for :py:obj:`OpenSSL.SSL.Context`. |
Jean-Paul Calderone | 30c09ea | 2008-03-21 17:04:05 -0400 | [diff] [blame] | 349 | """ |
| 350 | def test_method(self): |
| 351 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 352 | :py:obj:`Context` can be instantiated with one of |
| 353 | :py:obj:`SSLv2_METHOD`, :py:obj:`SSLv3_METHOD`, |
| 354 | :py:obj:`SSLv23_METHOD`, :py:obj:`TLSv1_METHOD`, |
Jean-Paul Calderone | 1461c49 | 2013-10-03 16:05:00 -0400 | [diff] [blame] | 355 | :py:obj:`TLSv1_1_METHOD`, or :py:obj:`TLSv1_2_METHOD`. |
Jean-Paul Calderone | 30c09ea | 2008-03-21 17:04:05 -0400 | [diff] [blame] | 356 | """ |
Jean-Paul Calderone | 1461c49 | 2013-10-03 16:05:00 -0400 | [diff] [blame] | 357 | methods = [ |
| 358 | SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD] |
| 359 | for meth in methods: |
Jean-Paul Calderone | 30c09ea | 2008-03-21 17:04:05 -0400 | [diff] [blame] | 360 | Context(meth) |
Jean-Paul Calderone | 9f2e38e | 2011-04-14 09:36:55 -0400 | [diff] [blame] | 361 | |
Jean-Paul Calderone | 1461c49 | 2013-10-03 16:05:00 -0400 | [diff] [blame] | 362 | maybe = [SSLv2_METHOD, TLSv1_1_METHOD, TLSv1_2_METHOD] |
| 363 | for meth in maybe: |
| 364 | try: |
| 365 | Context(meth) |
| 366 | except (Error, ValueError): |
| 367 | # Some versions of OpenSSL have SSLv2 / TLSv1.1 / TLSv1.2, some |
| 368 | # don't. Difficult to say in advance. |
| 369 | pass |
Jean-Paul Calderone | 9f2e38e | 2011-04-14 09:36:55 -0400 | [diff] [blame] | 370 | |
Jean-Paul Calderone | 30c09ea | 2008-03-21 17:04:05 -0400 | [diff] [blame] | 371 | self.assertRaises(TypeError, Context, "") |
| 372 | self.assertRaises(ValueError, Context, 10) |
| 373 | |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 374 | @skip_if_py3 |
| 375 | def test_method_long(self): |
| 376 | """ |
| 377 | On Python 2 :py:class:`Context` accepts values of type |
| 378 | :py:obj:`long` as well as :py:obj:`int`. |
| 379 | """ |
| 380 | Context(long(TLSv1_METHOD)) |
Jean-Paul Calderone | f73a3cb | 2014-02-09 08:49:06 -0500 | [diff] [blame] | 381 | |
Rick Dean | e15b147 | 2009-07-09 15:53:42 -0500 | [diff] [blame] | 382 | def test_type(self): |
| 383 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 384 | :py:obj:`Context` and :py:obj:`ContextType` refer to the same type |
| 385 | object and can be used to create instances of that type. |
Rick Dean | e15b147 | 2009-07-09 15:53:42 -0500 | [diff] [blame] | 386 | """ |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 387 | self.assertIdentical(Context, ContextType) |
| 388 | self.assertConsistentType(Context, 'Context', TLSv1_METHOD) |
Rick Dean | e15b147 | 2009-07-09 15:53:42 -0500 | [diff] [blame] | 389 | |
Jean-Paul Calderone | 30c09ea | 2008-03-21 17:04:05 -0400 | [diff] [blame] | 390 | def test_use_privatekey(self): |
| 391 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 392 | :py:obj:`Context.use_privatekey` takes an :py:obj:`OpenSSL.crypto.PKey` |
| 393 | instance. |
Jean-Paul Calderone | 30c09ea | 2008-03-21 17:04:05 -0400 | [diff] [blame] | 394 | """ |
| 395 | key = PKey() |
| 396 | key.generate_key(TYPE_RSA, 128) |
| 397 | ctx = Context(TLSv1_METHOD) |
| 398 | ctx.use_privatekey(key) |
| 399 | self.assertRaises(TypeError, ctx.use_privatekey, "") |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 400 | |
Jean-Paul Calderone | 173cff9 | 2013-03-06 10:29:21 -0800 | [diff] [blame] | 401 | def test_use_privatekey_file_missing(self): |
| 402 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 403 | :py:obj:`Context.use_privatekey_file` raises |
| 404 | :py:obj:`OpenSSL.SSL.Error` when passed the name of a file which does |
| 405 | not exist. |
Jean-Paul Calderone | 173cff9 | 2013-03-06 10:29:21 -0800 | [diff] [blame] | 406 | """ |
| 407 | ctx = Context(TLSv1_METHOD) |
| 408 | self.assertRaises(Error, ctx.use_privatekey_file, self.mktemp()) |
| 409 | |
Jean-Paul Calderone | 69a4e5b | 2015-04-12 10:04:28 -0400 | [diff] [blame] | 410 | def _use_privatekey_file_test(self, pemfile, filetype): |
| 411 | """ |
| 412 | Verify that calling ``Context.use_privatekey_file`` with the given |
| 413 | arguments does not raise an exception. |
| 414 | """ |
| 415 | key = PKey() |
| 416 | key.generate_key(TYPE_RSA, 128) |
| 417 | |
| 418 | with open(pemfile, "wt") as pem: |
| 419 | pem.write( |
| 420 | dump_privatekey(FILETYPE_PEM, key).decode("ascii") |
| 421 | ) |
| 422 | |
| 423 | ctx = Context(TLSv1_METHOD) |
| 424 | ctx.use_privatekey_file(pemfile, filetype) |
| 425 | |
Jean-Paul Calderone | 69a4e5b | 2015-04-12 10:04:28 -0400 | [diff] [blame] | 426 | def test_use_privatekey_file_bytes(self): |
| 427 | """ |
| 428 | A private key can be specified from a file by passing a ``bytes`` |
| 429 | instance giving the file name to ``Context.use_privatekey_file``. |
| 430 | """ |
| 431 | self._use_privatekey_file_test( |
Hynek Schlawack | 4813c0e | 2015-04-16 13:38:01 -0400 | [diff] [blame] | 432 | self.mktemp() + NON_ASCII.encode(getfilesystemencoding()), |
Jean-Paul Calderone | 69a4e5b | 2015-04-12 10:04:28 -0400 | [diff] [blame] | 433 | FILETYPE_PEM, |
| 434 | ) |
| 435 | |
Jean-Paul Calderone | 69a4e5b | 2015-04-12 10:04:28 -0400 | [diff] [blame] | 436 | def test_use_privatekey_file_unicode(self): |
| 437 | """ |
| 438 | A private key can be specified from a file by passing a ``unicode`` |
| 439 | instance giving the file name to ``Context.use_privatekey_file``. |
| 440 | """ |
| 441 | self._use_privatekey_file_test( |
Hynek Schlawack | 4813c0e | 2015-04-16 13:38:01 -0400 | [diff] [blame] | 442 | self.mktemp().decode(getfilesystemencoding()) + NON_ASCII, |
Jean-Paul Calderone | 69a4e5b | 2015-04-12 10:04:28 -0400 | [diff] [blame] | 443 | FILETYPE_PEM, |
| 444 | ) |
| 445 | |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 446 | @skip_if_py3 |
| 447 | def test_use_privatekey_file_long(self): |
| 448 | """ |
| 449 | On Python 2 :py:obj:`Context.use_privatekey_file` accepts a |
| 450 | filetype of type :py:obj:`long` as well as :py:obj:`int`. |
| 451 | """ |
| 452 | self._use_privatekey_file_test(self.mktemp(), long(FILETYPE_PEM)) |
Jean-Paul Calderone | f73a3cb | 2014-02-09 08:49:06 -0500 | [diff] [blame] | 453 | |
Jean-Paul Calderone | 173cff9 | 2013-03-06 10:29:21 -0800 | [diff] [blame] | 454 | def test_use_certificate_wrong_args(self): |
| 455 | """ |
| 456 | :py:obj:`Context.use_certificate_wrong_args` raises :py:obj:`TypeError` |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 457 | when not passed exactly one :py:obj:`OpenSSL.crypto.X509` instance as |
| 458 | an argument. |
Jean-Paul Calderone | 173cff9 | 2013-03-06 10:29:21 -0800 | [diff] [blame] | 459 | """ |
| 460 | ctx = Context(TLSv1_METHOD) |
| 461 | self.assertRaises(TypeError, ctx.use_certificate) |
| 462 | self.assertRaises(TypeError, ctx.use_certificate, "hello, world") |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 463 | self.assertRaises( |
| 464 | TypeError, ctx.use_certificate, X509(), "hello, world" |
| 465 | ) |
Jean-Paul Calderone | 173cff9 | 2013-03-06 10:29:21 -0800 | [diff] [blame] | 466 | |
| 467 | def test_use_certificate_uninitialized(self): |
| 468 | """ |
| 469 | :py:obj:`Context.use_certificate` raises :py:obj:`OpenSSL.SSL.Error` |
| 470 | when passed a :py:obj:`OpenSSL.crypto.X509` instance which has not been |
| 471 | initialized (ie, which does not actually have any certificate data). |
| 472 | """ |
| 473 | ctx = Context(TLSv1_METHOD) |
| 474 | self.assertRaises(Error, ctx.use_certificate, X509()) |
| 475 | |
Jean-Paul Calderone | 173cff9 | 2013-03-06 10:29:21 -0800 | [diff] [blame] | 476 | def test_use_certificate(self): |
| 477 | """ |
| 478 | :py:obj:`Context.use_certificate` sets the certificate which will be |
| 479 | used to identify connections created using the context. |
| 480 | """ |
| 481 | # TODO |
| 482 | # Hard to assert anything. But we could set a privatekey then ask |
| 483 | # OpenSSL if the cert and key agree using check_privatekey. Then as |
| 484 | # long as check_privatekey works right we're good... |
| 485 | ctx = Context(TLSv1_METHOD) |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 486 | ctx.use_certificate( |
| 487 | load_certificate(FILETYPE_PEM, cleartextCertificatePEM) |
| 488 | ) |
Jean-Paul Calderone | 173cff9 | 2013-03-06 10:29:21 -0800 | [diff] [blame] | 489 | |
| 490 | def test_use_certificate_file_wrong_args(self): |
| 491 | """ |
| 492 | :py:obj:`Context.use_certificate_file` raises :py:obj:`TypeError` if |
| 493 | called with zero arguments or more than two arguments, or if the first |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 494 | argument is not a byte string or the second argumnent is not an |
| 495 | integer. |
Jean-Paul Calderone | 173cff9 | 2013-03-06 10:29:21 -0800 | [diff] [blame] | 496 | """ |
| 497 | ctx = Context(TLSv1_METHOD) |
| 498 | self.assertRaises(TypeError, ctx.use_certificate_file) |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 499 | self.assertRaises(TypeError, ctx.use_certificate_file, b"somefile", |
| 500 | object()) |
Jean-Paul Calderone | 173cff9 | 2013-03-06 10:29:21 -0800 | [diff] [blame] | 501 | self.assertRaises( |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 502 | TypeError, ctx.use_certificate_file, b"somefile", FILETYPE_PEM, |
| 503 | object()) |
Jean-Paul Calderone | 173cff9 | 2013-03-06 10:29:21 -0800 | [diff] [blame] | 504 | self.assertRaises( |
| 505 | TypeError, ctx.use_certificate_file, object(), FILETYPE_PEM) |
| 506 | self.assertRaises( |
| 507 | TypeError, ctx.use_certificate_file, b"somefile", object()) |
| 508 | |
Jean-Paul Calderone | 173cff9 | 2013-03-06 10:29:21 -0800 | [diff] [blame] | 509 | def test_use_certificate_file_missing(self): |
| 510 | """ |
| 511 | :py:obj:`Context.use_certificate_file` raises |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 512 | `:py:obj:`OpenSSL.SSL.Error` if passed the name of a file which does |
| 513 | not exist. |
Jean-Paul Calderone | 173cff9 | 2013-03-06 10:29:21 -0800 | [diff] [blame] | 514 | """ |
| 515 | ctx = Context(TLSv1_METHOD) |
| 516 | self.assertRaises(Error, ctx.use_certificate_file, self.mktemp()) |
| 517 | |
Jean-Paul Calderone | d57a7b6 | 2015-04-12 09:57:36 -0400 | [diff] [blame] | 518 | def _use_certificate_file_test(self, certificate_file): |
Jean-Paul Calderone | 173cff9 | 2013-03-06 10:29:21 -0800 | [diff] [blame] | 519 | """ |
Jean-Paul Calderone | d57a7b6 | 2015-04-12 09:57:36 -0400 | [diff] [blame] | 520 | Verify that calling ``Context.use_certificate_file`` with the given |
| 521 | filename doesn't raise an exception. |
Jean-Paul Calderone | 173cff9 | 2013-03-06 10:29:21 -0800 | [diff] [blame] | 522 | """ |
| 523 | # TODO |
| 524 | # Hard to assert anything. But we could set a privatekey then ask |
| 525 | # OpenSSL if the cert and key agree using check_privatekey. Then as |
| 526 | # long as check_privatekey works right we're good... |
Jean-Paul Calderone | d57a7b6 | 2015-04-12 09:57:36 -0400 | [diff] [blame] | 527 | with open(certificate_file, "wb") as pem_file: |
Jean-Paul Calderone | 173cff9 | 2013-03-06 10:29:21 -0800 | [diff] [blame] | 528 | pem_file.write(cleartextCertificatePEM) |
| 529 | |
| 530 | ctx = Context(TLSv1_METHOD) |
Jean-Paul Calderone | d57a7b6 | 2015-04-12 09:57:36 -0400 | [diff] [blame] | 531 | ctx.use_certificate_file(certificate_file) |
| 532 | |
Jean-Paul Calderone | d57a7b6 | 2015-04-12 09:57:36 -0400 | [diff] [blame] | 533 | def test_use_certificate_file_bytes(self): |
| 534 | """ |
| 535 | :py:obj:`Context.use_certificate_file` sets the certificate (given as a |
| 536 | ``bytes`` filename) which will be used to identify connections created |
| 537 | using the context. |
| 538 | """ |
Hynek Schlawack | 4813c0e | 2015-04-16 13:38:01 -0400 | [diff] [blame] | 539 | filename = self.mktemp() + NON_ASCII.encode(getfilesystemencoding()) |
Jean-Paul Calderone | d57a7b6 | 2015-04-12 09:57:36 -0400 | [diff] [blame] | 540 | self._use_certificate_file_test(filename) |
| 541 | |
Jean-Paul Calderone | d57a7b6 | 2015-04-12 09:57:36 -0400 | [diff] [blame] | 542 | def test_use_certificate_file_unicode(self): |
| 543 | """ |
| 544 | :py:obj:`Context.use_certificate_file` sets the certificate (given as a |
| 545 | ``bytes`` filename) which will be used to identify connections created |
| 546 | using the context. |
| 547 | """ |
Hynek Schlawack | 4813c0e | 2015-04-16 13:38:01 -0400 | [diff] [blame] | 548 | filename = self.mktemp().decode(getfilesystemencoding()) + NON_ASCII |
Jean-Paul Calderone | d57a7b6 | 2015-04-12 09:57:36 -0400 | [diff] [blame] | 549 | self._use_certificate_file_test(filename) |
Jean-Paul Calderone | 173cff9 | 2013-03-06 10:29:21 -0800 | [diff] [blame] | 550 | |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 551 | @skip_if_py3 |
| 552 | def test_use_certificate_file_long(self): |
| 553 | """ |
| 554 | On Python 2 :py:obj:`Context.use_certificate_file` accepts a |
| 555 | filetype of type :py:obj:`long` as well as :py:obj:`int`. |
| 556 | """ |
| 557 | pem_filename = self.mktemp() |
| 558 | with open(pem_filename, "wb") as pem_file: |
| 559 | pem_file.write(cleartextCertificatePEM) |
Jean-Paul Calderone | f73a3cb | 2014-02-09 08:49:06 -0500 | [diff] [blame] | 560 | |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 561 | ctx = Context(TLSv1_METHOD) |
| 562 | ctx.use_certificate_file(pem_filename, long(FILETYPE_PEM)) |
Jean-Paul Calderone | f73a3cb | 2014-02-09 08:49:06 -0500 | [diff] [blame] | 563 | |
Jean-Paul Calderone | 932f5cc | 2014-12-11 13:58:00 -0500 | [diff] [blame] | 564 | def test_check_privatekey_valid(self): |
| 565 | """ |
| 566 | :py:obj:`Context.check_privatekey` returns :py:obj:`None` if the |
| 567 | :py:obj:`Context` instance has been configured to use a matched key and |
| 568 | certificate pair. |
| 569 | """ |
| 570 | key = load_privatekey(FILETYPE_PEM, client_key_pem) |
| 571 | cert = load_certificate(FILETYPE_PEM, client_cert_pem) |
| 572 | context = Context(TLSv1_METHOD) |
| 573 | context.use_privatekey(key) |
| 574 | context.use_certificate(cert) |
| 575 | self.assertIs(None, context.check_privatekey()) |
| 576 | |
Jean-Paul Calderone | 932f5cc | 2014-12-11 13:58:00 -0500 | [diff] [blame] | 577 | def test_check_privatekey_invalid(self): |
| 578 | """ |
| 579 | :py:obj:`Context.check_privatekey` raises :py:obj:`Error` if the |
| 580 | :py:obj:`Context` instance has been configured to use a key and |
| 581 | certificate pair which don't relate to each other. |
| 582 | """ |
| 583 | key = load_privatekey(FILETYPE_PEM, client_key_pem) |
| 584 | cert = load_certificate(FILETYPE_PEM, server_cert_pem) |
| 585 | context = Context(TLSv1_METHOD) |
| 586 | context.use_privatekey(key) |
| 587 | context.use_certificate(cert) |
| 588 | self.assertRaises(Error, context.check_privatekey) |
| 589 | |
Jean-Paul Calderone | 932f5cc | 2014-12-11 13:58:00 -0500 | [diff] [blame] | 590 | def test_check_privatekey_wrong_args(self): |
| 591 | """ |
| 592 | :py:obj:`Context.check_privatekey` raises :py:obj:`TypeError` if called |
| 593 | with other than no arguments. |
| 594 | """ |
| 595 | context = Context(TLSv1_METHOD) |
| 596 | self.assertRaises(TypeError, context.check_privatekey, object()) |
| 597 | |
Jean-Paul Calderone | bd47916 | 2010-07-30 18:03:25 -0400 | [diff] [blame] | 598 | def test_set_app_data_wrong_args(self): |
| 599 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 600 | :py:obj:`Context.set_app_data` raises :py:obj:`TypeError` if called |
| 601 | with other than one argument. |
Jean-Paul Calderone | bd47916 | 2010-07-30 18:03:25 -0400 | [diff] [blame] | 602 | """ |
| 603 | context = Context(TLSv1_METHOD) |
| 604 | self.assertRaises(TypeError, context.set_app_data) |
| 605 | self.assertRaises(TypeError, context.set_app_data, None, None) |
| 606 | |
Jean-Paul Calderone | bd47916 | 2010-07-30 18:03:25 -0400 | [diff] [blame] | 607 | def test_get_app_data_wrong_args(self): |
| 608 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 609 | :py:obj:`Context.get_app_data` raises :py:obj:`TypeError` if called |
| 610 | with any arguments. |
Jean-Paul Calderone | bd47916 | 2010-07-30 18:03:25 -0400 | [diff] [blame] | 611 | """ |
| 612 | context = Context(TLSv1_METHOD) |
| 613 | self.assertRaises(TypeError, context.get_app_data, None) |
| 614 | |
Jean-Paul Calderone | bd47916 | 2010-07-30 18:03:25 -0400 | [diff] [blame] | 615 | def test_app_data(self): |
| 616 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 617 | :py:obj:`Context.set_app_data` stores an object for later retrieval |
| 618 | using :py:obj:`Context.get_app_data`. |
Jean-Paul Calderone | bd47916 | 2010-07-30 18:03:25 -0400 | [diff] [blame] | 619 | """ |
| 620 | app_data = object() |
| 621 | context = Context(TLSv1_METHOD) |
| 622 | context.set_app_data(app_data) |
| 623 | self.assertIdentical(context.get_app_data(), app_data) |
| 624 | |
Jean-Paul Calderone | 40569ca | 2010-07-30 18:04:58 -0400 | [diff] [blame] | 625 | def test_set_options_wrong_args(self): |
| 626 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 627 | :py:obj:`Context.set_options` raises :py:obj:`TypeError` if called with |
| 628 | the wrong number of arguments or a non-:py:obj:`int` argument. |
Jean-Paul Calderone | 40569ca | 2010-07-30 18:04:58 -0400 | [diff] [blame] | 629 | """ |
| 630 | context = Context(TLSv1_METHOD) |
| 631 | self.assertRaises(TypeError, context.set_options) |
| 632 | self.assertRaises(TypeError, context.set_options, None) |
| 633 | self.assertRaises(TypeError, context.set_options, 1, None) |
| 634 | |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 635 | def test_set_options(self): |
| 636 | """ |
| 637 | :py:obj:`Context.set_options` returns the new options value. |
| 638 | """ |
| 639 | context = Context(TLSv1_METHOD) |
| 640 | options = context.set_options(OP_NO_SSLv2) |
| 641 | self.assertTrue(OP_NO_SSLv2 & options) |
| 642 | |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 643 | @skip_if_py3 |
| 644 | def test_set_options_long(self): |
| 645 | """ |
| 646 | On Python 2 :py:obj:`Context.set_options` accepts values of type |
| 647 | :py:obj:`long` as well as :py:obj:`int`. |
| 648 | """ |
| 649 | context = Context(TLSv1_METHOD) |
| 650 | options = context.set_options(long(OP_NO_SSLv2)) |
| 651 | self.assertTrue(OP_NO_SSLv2 & options) |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 652 | |
Guillermo Gonzalez | 74a2c29 | 2011-08-29 16:16:58 -0300 | [diff] [blame] | 653 | def test_set_mode_wrong_args(self): |
| 654 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 655 | :py:obj:`Context.set`mode} raises :py:obj:`TypeError` if called with |
| 656 | the wrong number of arguments or a non-:py:obj:`int` argument. |
Guillermo Gonzalez | 74a2c29 | 2011-08-29 16:16:58 -0300 | [diff] [blame] | 657 | """ |
| 658 | context = Context(TLSv1_METHOD) |
| 659 | self.assertRaises(TypeError, context.set_mode) |
| 660 | self.assertRaises(TypeError, context.set_mode, None) |
| 661 | self.assertRaises(TypeError, context.set_mode, 1, None) |
| 662 | |
Jean-Paul Calderone | 0222a49 | 2011-09-08 18:26:03 -0400 | [diff] [blame] | 663 | if MODE_RELEASE_BUFFERS is not None: |
| 664 | def test_set_mode(self): |
| 665 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 666 | :py:obj:`Context.set_mode` accepts a mode bitvector and returns the |
| 667 | newly set mode. |
Jean-Paul Calderone | 0222a49 | 2011-09-08 18:26:03 -0400 | [diff] [blame] | 668 | """ |
| 669 | context = Context(TLSv1_METHOD) |
| 670 | self.assertTrue( |
| 671 | MODE_RELEASE_BUFFERS & context.set_mode(MODE_RELEASE_BUFFERS)) |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 672 | |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 673 | @skip_if_py3 |
| 674 | def test_set_mode_long(self): |
| 675 | """ |
| 676 | On Python 2 :py:obj:`Context.set_mode` accepts values of type |
| 677 | :py:obj:`long` as well as :py:obj:`int`. |
| 678 | """ |
| 679 | context = Context(TLSv1_METHOD) |
| 680 | mode = context.set_mode(long(MODE_RELEASE_BUFFERS)) |
| 681 | self.assertTrue(MODE_RELEASE_BUFFERS & mode) |
Jean-Paul Calderone | 0222a49 | 2011-09-08 18:26:03 -0400 | [diff] [blame] | 682 | else: |
| 683 | "MODE_RELEASE_BUFFERS unavailable - OpenSSL version may be too old" |
| 684 | |
Jean-Paul Calderone | 5ebb44a | 2010-07-30 18:09:41 -0400 | [diff] [blame] | 685 | def test_set_timeout_wrong_args(self): |
| 686 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 687 | :py:obj:`Context.set_timeout` raises :py:obj:`TypeError` if called with |
| 688 | the wrong number of arguments or a non-:py:obj:`int` argument. |
Jean-Paul Calderone | 5ebb44a | 2010-07-30 18:09:41 -0400 | [diff] [blame] | 689 | """ |
| 690 | context = Context(TLSv1_METHOD) |
| 691 | self.assertRaises(TypeError, context.set_timeout) |
| 692 | self.assertRaises(TypeError, context.set_timeout, None) |
| 693 | self.assertRaises(TypeError, context.set_timeout, 1, None) |
| 694 | |
Jean-Paul Calderone | 5ebb44a | 2010-07-30 18:09:41 -0400 | [diff] [blame] | 695 | def test_get_timeout_wrong_args(self): |
| 696 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 697 | :py:obj:`Context.get_timeout` raises :py:obj:`TypeError` if called with |
| 698 | any arguments. |
Jean-Paul Calderone | 5ebb44a | 2010-07-30 18:09:41 -0400 | [diff] [blame] | 699 | """ |
| 700 | context = Context(TLSv1_METHOD) |
| 701 | self.assertRaises(TypeError, context.get_timeout, None) |
| 702 | |
Jean-Paul Calderone | 5ebb44a | 2010-07-30 18:09:41 -0400 | [diff] [blame] | 703 | def test_timeout(self): |
| 704 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 705 | :py:obj:`Context.set_timeout` sets the session timeout for all |
| 706 | connections created using the context object. |
| 707 | :py:obj:`Context.get_timeout` retrieves this value. |
Jean-Paul Calderone | 5ebb44a | 2010-07-30 18:09:41 -0400 | [diff] [blame] | 708 | """ |
| 709 | context = Context(TLSv1_METHOD) |
| 710 | context.set_timeout(1234) |
| 711 | self.assertEquals(context.get_timeout(), 1234) |
| 712 | |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 713 | @skip_if_py3 |
| 714 | def test_timeout_long(self): |
| 715 | """ |
| 716 | On Python 2 :py:obj:`Context.set_timeout` accepts values of type |
| 717 | `long` as well as int. |
| 718 | """ |
| 719 | context = Context(TLSv1_METHOD) |
| 720 | context.set_timeout(long(1234)) |
| 721 | self.assertEquals(context.get_timeout(), 1234) |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 722 | |
Jean-Paul Calderone | e2b6951 | 2010-07-30 18:22:06 -0400 | [diff] [blame] | 723 | def test_set_verify_depth_wrong_args(self): |
| 724 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 725 | :py:obj:`Context.set_verify_depth` raises :py:obj:`TypeError` if called |
| 726 | with the wrong number of arguments or a non-:py:obj:`int` argument. |
Jean-Paul Calderone | e2b6951 | 2010-07-30 18:22:06 -0400 | [diff] [blame] | 727 | """ |
| 728 | context = Context(TLSv1_METHOD) |
| 729 | self.assertRaises(TypeError, context.set_verify_depth) |
| 730 | self.assertRaises(TypeError, context.set_verify_depth, None) |
| 731 | self.assertRaises(TypeError, context.set_verify_depth, 1, None) |
| 732 | |
Jean-Paul Calderone | e2b6951 | 2010-07-30 18:22:06 -0400 | [diff] [blame] | 733 | def test_get_verify_depth_wrong_args(self): |
| 734 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 735 | :py:obj:`Context.get_verify_depth` raises :py:obj:`TypeError` if called |
| 736 | with any arguments. |
Jean-Paul Calderone | e2b6951 | 2010-07-30 18:22:06 -0400 | [diff] [blame] | 737 | """ |
| 738 | context = Context(TLSv1_METHOD) |
| 739 | self.assertRaises(TypeError, context.get_verify_depth, None) |
| 740 | |
Jean-Paul Calderone | e2b6951 | 2010-07-30 18:22:06 -0400 | [diff] [blame] | 741 | def test_verify_depth(self): |
| 742 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 743 | :py:obj:`Context.set_verify_depth` sets the number of certificates in |
| 744 | a chain to follow before giving up. The value can be retrieved with |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 745 | :py:obj:`Context.get_verify_depth`. |
Jean-Paul Calderone | e2b6951 | 2010-07-30 18:22:06 -0400 | [diff] [blame] | 746 | """ |
| 747 | context = Context(TLSv1_METHOD) |
| 748 | context.set_verify_depth(11) |
| 749 | self.assertEquals(context.get_verify_depth(), 11) |
| 750 | |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 751 | @skip_if_py3 |
| 752 | def test_verify_depth_long(self): |
| 753 | """ |
| 754 | On Python 2 :py:obj:`Context.set_verify_depth` accepts values of |
| 755 | type `long` as well as int. |
| 756 | """ |
| 757 | context = Context(TLSv1_METHOD) |
| 758 | context.set_verify_depth(long(11)) |
| 759 | self.assertEquals(context.get_verify_depth(), 11) |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 760 | |
Jean-Paul Calderone | 389d76d | 2010-07-30 17:57:53 -0400 | [diff] [blame] | 761 | def _write_encrypted_pem(self, passphrase): |
Jean-Paul Calderone | a8fb0c8 | 2010-09-09 18:04:56 -0400 | [diff] [blame] | 762 | """ |
| 763 | Write a new private key out to a new file, encrypted using the given |
| 764 | passphrase. Return the path to the new file. |
| 765 | """ |
Jean-Paul Calderone | 389d76d | 2010-07-30 17:57:53 -0400 | [diff] [blame] | 766 | key = PKey() |
| 767 | key.generate_key(TYPE_RSA, 128) |
| 768 | pemFile = self.mktemp() |
Jean-Paul Calderone | a986883 | 2010-08-22 21:38:34 -0400 | [diff] [blame] | 769 | fObj = open(pemFile, 'w') |
| 770 | pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase) |
| 771 | fObj.write(pem.decode('ascii')) |
Jean-Paul Calderone | 389d76d | 2010-07-30 17:57:53 -0400 | [diff] [blame] | 772 | fObj.close() |
| 773 | return pemFile |
| 774 | |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 775 | def test_set_passwd_cb_wrong_args(self): |
| 776 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 777 | :py:obj:`Context.set_passwd_cb` raises :py:obj:`TypeError` if called |
| 778 | with the wrong arguments or with a non-callable first argument. |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 779 | """ |
| 780 | context = Context(TLSv1_METHOD) |
| 781 | self.assertRaises(TypeError, context.set_passwd_cb) |
| 782 | self.assertRaises(TypeError, context.set_passwd_cb, None) |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 783 | self.assertRaises( |
| 784 | TypeError, context.set_passwd_cb, lambda: None, None, None |
Hynek Schlawack | 2c013a9 | 2015-09-05 19:33:05 +0200 | [diff] [blame] | 785 | ) # pragma: nocover |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 786 | |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 787 | def test_set_passwd_cb(self): |
| 788 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 789 | :py:obj:`Context.set_passwd_cb` accepts a callable which will be |
| 790 | invoked when a private key is loaded from an encrypted PEM. |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 791 | """ |
Jean-Paul Calderone | a986883 | 2010-08-22 21:38:34 -0400 | [diff] [blame] | 792 | passphrase = b("foobar") |
Jean-Paul Calderone | 389d76d | 2010-07-30 17:57:53 -0400 | [diff] [blame] | 793 | pemFile = self._write_encrypted_pem(passphrase) |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 794 | calledWith = [] |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 795 | |
Jean-Paul Calderone | 828c9cb | 2008-04-26 18:06:54 -0400 | [diff] [blame] | 796 | def passphraseCallback(maxlen, verify, extra): |
| 797 | calledWith.append((maxlen, verify, extra)) |
| 798 | return passphrase |
| 799 | context = Context(TLSv1_METHOD) |
| 800 | context.set_passwd_cb(passphraseCallback) |
| 801 | context.use_privatekey_file(pemFile) |
| 802 | self.assertTrue(len(calledWith), 1) |
| 803 | self.assertTrue(isinstance(calledWith[0][0], int)) |
| 804 | self.assertTrue(isinstance(calledWith[0][1], int)) |
| 805 | self.assertEqual(calledWith[0][2], None) |
Jean-Paul Calderone | 5ef8651 | 2008-04-26 19:06:28 -0400 | [diff] [blame] | 806 | |
Jean-Paul Calderone | 389d76d | 2010-07-30 17:57:53 -0400 | [diff] [blame] | 807 | def test_passwd_callback_exception(self): |
| 808 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 809 | :py:obj:`Context.use_privatekey_file` propagates any exception raised |
| 810 | by the passphrase callback. |
Jean-Paul Calderone | 389d76d | 2010-07-30 17:57:53 -0400 | [diff] [blame] | 811 | """ |
Jean-Paul Calderone | a986883 | 2010-08-22 21:38:34 -0400 | [diff] [blame] | 812 | pemFile = self._write_encrypted_pem(b("monkeys are nice")) |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 813 | |
Jean-Paul Calderone | 389d76d | 2010-07-30 17:57:53 -0400 | [diff] [blame] | 814 | def passphraseCallback(maxlen, verify, extra): |
| 815 | raise RuntimeError("Sorry, I am a fail.") |
| 816 | |
| 817 | context = Context(TLSv1_METHOD) |
| 818 | context.set_passwd_cb(passphraseCallback) |
| 819 | self.assertRaises(RuntimeError, context.use_privatekey_file, pemFile) |
| 820 | |
Jean-Paul Calderone | 389d76d | 2010-07-30 17:57:53 -0400 | [diff] [blame] | 821 | def test_passwd_callback_false(self): |
| 822 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 823 | :py:obj:`Context.use_privatekey_file` raises |
| 824 | :py:obj:`OpenSSL.SSL.Error` if the passphrase callback returns a false |
| 825 | value. |
Jean-Paul Calderone | 389d76d | 2010-07-30 17:57:53 -0400 | [diff] [blame] | 826 | """ |
Jean-Paul Calderone | a986883 | 2010-08-22 21:38:34 -0400 | [diff] [blame] | 827 | pemFile = self._write_encrypted_pem(b("monkeys are nice")) |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 828 | |
Jean-Paul Calderone | 389d76d | 2010-07-30 17:57:53 -0400 | [diff] [blame] | 829 | def passphraseCallback(maxlen, verify, extra): |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 830 | return b"" |
Jean-Paul Calderone | 389d76d | 2010-07-30 17:57:53 -0400 | [diff] [blame] | 831 | |
| 832 | context = Context(TLSv1_METHOD) |
| 833 | context.set_passwd_cb(passphraseCallback) |
| 834 | self.assertRaises(Error, context.use_privatekey_file, pemFile) |
| 835 | |
Jean-Paul Calderone | 389d76d | 2010-07-30 17:57:53 -0400 | [diff] [blame] | 836 | def test_passwd_callback_non_string(self): |
| 837 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 838 | :py:obj:`Context.use_privatekey_file` raises |
| 839 | :py:obj:`OpenSSL.SSL.Error` if the passphrase callback returns a true |
| 840 | non-string value. |
Jean-Paul Calderone | 389d76d | 2010-07-30 17:57:53 -0400 | [diff] [blame] | 841 | """ |
Jean-Paul Calderone | a986883 | 2010-08-22 21:38:34 -0400 | [diff] [blame] | 842 | pemFile = self._write_encrypted_pem(b("monkeys are nice")) |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 843 | |
Jean-Paul Calderone | 389d76d | 2010-07-30 17:57:53 -0400 | [diff] [blame] | 844 | def passphraseCallback(maxlen, verify, extra): |
| 845 | return 10 |
| 846 | |
| 847 | context = Context(TLSv1_METHOD) |
| 848 | context.set_passwd_cb(passphraseCallback) |
Jean-Paul Calderone | 8a1bea5 | 2013-03-05 07:57:57 -0800 | [diff] [blame] | 849 | self.assertRaises(ValueError, context.use_privatekey_file, pemFile) |
Jean-Paul Calderone | 389d76d | 2010-07-30 17:57:53 -0400 | [diff] [blame] | 850 | |
Jean-Paul Calderone | 389d76d | 2010-07-30 17:57:53 -0400 | [diff] [blame] | 851 | def test_passwd_callback_too_long(self): |
| 852 | """ |
| 853 | If the passphrase returned by the passphrase callback returns a string |
| 854 | longer than the indicated maximum length, it is truncated. |
| 855 | """ |
| 856 | # A priori knowledge! |
Jean-Paul Calderone | a986883 | 2010-08-22 21:38:34 -0400 | [diff] [blame] | 857 | passphrase = b("x") * 1024 |
Jean-Paul Calderone | 389d76d | 2010-07-30 17:57:53 -0400 | [diff] [blame] | 858 | pemFile = self._write_encrypted_pem(passphrase) |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 859 | |
Jean-Paul Calderone | 389d76d | 2010-07-30 17:57:53 -0400 | [diff] [blame] | 860 | def passphraseCallback(maxlen, verify, extra): |
| 861 | assert maxlen == 1024 |
Jean-Paul Calderone | b1f7f5f | 2010-08-22 21:40:52 -0400 | [diff] [blame] | 862 | return passphrase + b("y") |
Jean-Paul Calderone | 389d76d | 2010-07-30 17:57:53 -0400 | [diff] [blame] | 863 | |
| 864 | context = Context(TLSv1_METHOD) |
| 865 | context.set_passwd_cb(passphraseCallback) |
| 866 | # This shall succeed because the truncated result is the correct |
| 867 | # passphrase. |
| 868 | context.use_privatekey_file(pemFile) |
| 869 | |
Jean-Paul Calderone | 5ef8651 | 2008-04-26 19:06:28 -0400 | [diff] [blame] | 870 | def test_set_info_callback(self): |
| 871 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 872 | :py:obj:`Context.set_info_callback` accepts a callable which will be |
| 873 | invoked when certain information about an SSL connection is available. |
Jean-Paul Calderone | 5ef8651 | 2008-04-26 19:06:28 -0400 | [diff] [blame] | 874 | """ |
Rick Dean | b1ccd56 | 2009-07-09 23:52:39 -0500 | [diff] [blame] | 875 | (server, client) = socket_pair() |
Jean-Paul Calderone | 5ef8651 | 2008-04-26 19:06:28 -0400 | [diff] [blame] | 876 | |
| 877 | clientSSL = Connection(Context(TLSv1_METHOD), client) |
| 878 | clientSSL.set_connect_state() |
| 879 | |
| 880 | called = [] |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 881 | |
Jean-Paul Calderone | 5ef8651 | 2008-04-26 19:06:28 -0400 | [diff] [blame] | 882 | def info(conn, where, ret): |
| 883 | called.append((conn, where, ret)) |
| 884 | context = Context(TLSv1_METHOD) |
| 885 | context.set_info_callback(info) |
| 886 | context.use_certificate( |
| 887 | load_certificate(FILETYPE_PEM, cleartextCertificatePEM)) |
| 888 | context.use_privatekey( |
| 889 | load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)) |
| 890 | |
Jean-Paul Calderone | 5ef8651 | 2008-04-26 19:06:28 -0400 | [diff] [blame] | 891 | serverSSL = Connection(context, server) |
| 892 | serverSSL.set_accept_state() |
| 893 | |
Jean-Paul Calderone | f2bbc9c | 2014-02-02 10:59:14 -0500 | [diff] [blame] | 894 | handshake(clientSSL, serverSSL) |
Jean-Paul Calderone | 5ef8651 | 2008-04-26 19:06:28 -0400 | [diff] [blame] | 895 | |
Jean-Paul Calderone | 3835e52 | 2014-02-02 11:12:30 -0500 | [diff] [blame] | 896 | # The callback must always be called with a Connection instance as the |
| 897 | # first argument. It would probably be better to split this into |
| 898 | # separate tests for client and server side info callbacks so we could |
| 899 | # assert it is called with the right Connection instance. It would |
| 900 | # also be good to assert *something* about `where` and `ret`. |
Jean-Paul Calderone | f2bbc9c | 2014-02-02 10:59:14 -0500 | [diff] [blame] | 901 | notConnections = [ |
| 902 | conn for (conn, where, ret) in called |
| 903 | if not isinstance(conn, Connection)] |
| 904 | self.assertEqual( |
| 905 | [], notConnections, |
| 906 | "Some info callback arguments were not Connection instaces.") |
Jean-Paul Calderone | e1bd432 | 2008-09-07 20:17:17 -0400 | [diff] [blame] | 907 | |
Jean-Paul Calderone | 1cb5d02 | 2008-09-07 20:58:50 -0400 | [diff] [blame] | 908 | def _load_verify_locations_test(self, *args): |
Jean-Paul Calderone | a8fb0c8 | 2010-09-09 18:04:56 -0400 | [diff] [blame] | 909 | """ |
| 910 | Create a client context which will verify the peer certificate and call |
Jean-Paul Calderone | 64efa2c | 2011-09-11 10:00:09 -0400 | [diff] [blame] | 911 | its :py:obj:`load_verify_locations` method with the given arguments. |
| 912 | Then connect it to a server and ensure that the handshake succeeds. |
Jean-Paul Calderone | a8fb0c8 | 2010-09-09 18:04:56 -0400 | [diff] [blame] | 913 | """ |
Rick Dean | b1ccd56 | 2009-07-09 23:52:39 -0500 | [diff] [blame] | 914 | (server, client) = socket_pair() |
Jean-Paul Calderone | e1bd432 | 2008-09-07 20:17:17 -0400 | [diff] [blame] | 915 | |
Jean-Paul Calderone | e1bd432 | 2008-09-07 20:17:17 -0400 | [diff] [blame] | 916 | clientContext = Context(TLSv1_METHOD) |
Jean-Paul Calderone | 1cb5d02 | 2008-09-07 20:58:50 -0400 | [diff] [blame] | 917 | clientContext.load_verify_locations(*args) |
Jean-Paul Calderone | e1bd432 | 2008-09-07 20:17:17 -0400 | [diff] [blame] | 918 | # Require that the server certificate verify properly or the |
| 919 | # connection will fail. |
| 920 | clientContext.set_verify( |
| 921 | VERIFY_PEER, |
| 922 | lambda conn, cert, errno, depth, preverify_ok: preverify_ok) |
| 923 | |
| 924 | clientSSL = Connection(clientContext, client) |
| 925 | clientSSL.set_connect_state() |
| 926 | |
Jean-Paul Calderone | e1bd432 | 2008-09-07 20:17:17 -0400 | [diff] [blame] | 927 | serverContext = Context(TLSv1_METHOD) |
| 928 | serverContext.use_certificate( |
| 929 | load_certificate(FILETYPE_PEM, cleartextCertificatePEM)) |
| 930 | serverContext.use_privatekey( |
| 931 | load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)) |
| 932 | |
| 933 | serverSSL = Connection(serverContext, server) |
| 934 | serverSSL.set_accept_state() |
| 935 | |
Jean-Paul Calderone | f874203 | 2010-09-25 00:00:32 -0400 | [diff] [blame] | 936 | # Without load_verify_locations above, the handshake |
| 937 | # will fail: |
| 938 | # Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', |
| 939 | # 'certificate verify failed')] |
| 940 | handshake(clientSSL, serverSSL) |
Jean-Paul Calderone | e1bd432 | 2008-09-07 20:17:17 -0400 | [diff] [blame] | 941 | |
| 942 | cert = clientSSL.get_peer_certificate() |
Jean-Paul Calderone | 20131f5 | 2009-04-01 12:05:45 -0400 | [diff] [blame] | 943 | self.assertEqual(cert.get_subject().CN, 'Testing Root CA') |
Jean-Paul Calderone | 5075fce | 2008-09-07 20:18:55 -0400 | [diff] [blame] | 944 | |
Jean-Paul Calderone | 210c0f3 | 2015-04-12 09:20:31 -0400 | [diff] [blame] | 945 | def _load_verify_cafile(self, cafile): |
Jean-Paul Calderone | 1cb5d02 | 2008-09-07 20:58:50 -0400 | [diff] [blame] | 946 | """ |
Jean-Paul Calderone | 210c0f3 | 2015-04-12 09:20:31 -0400 | [diff] [blame] | 947 | Verify that if path to a file containing a certificate is passed to |
| 948 | ``Context.load_verify_locations`` for the ``cafile`` parameter, that |
| 949 | certificate is used as a trust root for the purposes of verifying |
| 950 | connections created using that ``Context``. |
Jean-Paul Calderone | 1cb5d02 | 2008-09-07 20:58:50 -0400 | [diff] [blame] | 951 | """ |
Jean-Paul Calderone | a986883 | 2010-08-22 21:38:34 -0400 | [diff] [blame] | 952 | fObj = open(cafile, 'w') |
Jean-Paul Calderone | b1f7f5f | 2010-08-22 21:40:52 -0400 | [diff] [blame] | 953 | fObj.write(cleartextCertificatePEM.decode('ascii')) |
Jean-Paul Calderone | 1cb5d02 | 2008-09-07 20:58:50 -0400 | [diff] [blame] | 954 | fObj.close() |
| 955 | |
| 956 | self._load_verify_locations_test(cafile) |
| 957 | |
Jean-Paul Calderone | 210c0f3 | 2015-04-12 09:20:31 -0400 | [diff] [blame] | 958 | def test_load_verify_bytes_cafile(self): |
| 959 | """ |
| 960 | :py:obj:`Context.load_verify_locations` accepts a file name as a |
| 961 | ``bytes`` instance and uses the certificates within for verification |
| 962 | purposes. |
| 963 | """ |
Hynek Schlawack | 4813c0e | 2015-04-16 13:38:01 -0400 | [diff] [blame] | 964 | cafile = self.mktemp() + NON_ASCII.encode(getfilesystemencoding()) |
Jean-Paul Calderone | 210c0f3 | 2015-04-12 09:20:31 -0400 | [diff] [blame] | 965 | self._load_verify_cafile(cafile) |
| 966 | |
Jean-Paul Calderone | 210c0f3 | 2015-04-12 09:20:31 -0400 | [diff] [blame] | 967 | def test_load_verify_unicode_cafile(self): |
| 968 | """ |
| 969 | :py:obj:`Context.load_verify_locations` accepts a file name as a |
| 970 | ``unicode`` instance and uses the certificates within for verification |
| 971 | purposes. |
| 972 | """ |
Jean-Paul Calderone | 4f70c80 | 2015-04-12 11:26:47 -0400 | [diff] [blame] | 973 | self._load_verify_cafile( |
Hynek Schlawack | 4813c0e | 2015-04-16 13:38:01 -0400 | [diff] [blame] | 974 | self.mktemp().decode(getfilesystemencoding()) + NON_ASCII |
Jean-Paul Calderone | 4f70c80 | 2015-04-12 11:26:47 -0400 | [diff] [blame] | 975 | ) |
Jean-Paul Calderone | 210c0f3 | 2015-04-12 09:20:31 -0400 | [diff] [blame] | 976 | |
Jean-Paul Calderone | 5075fce | 2008-09-07 20:18:55 -0400 | [diff] [blame] | 977 | def test_load_verify_invalid_file(self): |
| 978 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 979 | :py:obj:`Context.load_verify_locations` raises :py:obj:`Error` when |
| 980 | passed a non-existent cafile. |
Jean-Paul Calderone | 5075fce | 2008-09-07 20:18:55 -0400 | [diff] [blame] | 981 | """ |
| 982 | clientContext = Context(TLSv1_METHOD) |
| 983 | self.assertRaises( |
| 984 | Error, clientContext.load_verify_locations, self.mktemp()) |
Jean-Paul Calderone | 1cb5d02 | 2008-09-07 20:58:50 -0400 | [diff] [blame] | 985 | |
Jean-Paul Calderone | 210c0f3 | 2015-04-12 09:20:31 -0400 | [diff] [blame] | 986 | def _load_verify_directory_locations_capath(self, capath): |
Jean-Paul Calderone | 1cb5d02 | 2008-09-07 20:58:50 -0400 | [diff] [blame] | 987 | """ |
Jean-Paul Calderone | 210c0f3 | 2015-04-12 09:20:31 -0400 | [diff] [blame] | 988 | Verify that if path to a directory containing certificate files is |
| 989 | passed to ``Context.load_verify_locations`` for the ``capath`` |
| 990 | parameter, those certificates are used as trust roots for the purposes |
| 991 | of verifying connections created using that ``Context``. |
Jean-Paul Calderone | 1cb5d02 | 2008-09-07 20:58:50 -0400 | [diff] [blame] | 992 | """ |
Jean-Paul Calderone | 1cb5d02 | 2008-09-07 20:58:50 -0400 | [diff] [blame] | 993 | makedirs(capath) |
Jean-Paul Calderone | 24dfb33 | 2011-05-04 18:10:26 -0400 | [diff] [blame] | 994 | # Hash values computed manually with c_rehash to avoid depending on |
| 995 | # c_rehash in the test suite. One is from OpenSSL 0.9.8, the other |
| 996 | # from OpenSSL 1.0.0. |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 997 | for name in [b'c7adac82.0', b'c3705638.0']: |
Jean-Paul Calderone | 0582673 | 2015-04-12 11:38:49 -0400 | [diff] [blame] | 998 | cafile = join_bytes_or_unicode(capath, name) |
| 999 | with open(cafile, 'w') as fObj: |
| 1000 | fObj.write(cleartextCertificatePEM.decode('ascii')) |
Jean-Paul Calderone | 1cb5d02 | 2008-09-07 20:58:50 -0400 | [diff] [blame] | 1001 | |
Jean-Paul Calderone | 1cb5d02 | 2008-09-07 20:58:50 -0400 | [diff] [blame] | 1002 | self._load_verify_locations_test(None, capath) |
| 1003 | |
Jean-Paul Calderone | 210c0f3 | 2015-04-12 09:20:31 -0400 | [diff] [blame] | 1004 | def test_load_verify_directory_bytes_capath(self): |
| 1005 | """ |
| 1006 | :py:obj:`Context.load_verify_locations` accepts a directory name as a |
| 1007 | ``bytes`` instance and uses the certificates within for verification |
| 1008 | purposes. |
| 1009 | """ |
| 1010 | self._load_verify_directory_locations_capath( |
Hynek Schlawack | 4813c0e | 2015-04-16 13:38:01 -0400 | [diff] [blame] | 1011 | self.mktemp() + NON_ASCII.encode(getfilesystemencoding()) |
Jean-Paul Calderone | 210c0f3 | 2015-04-12 09:20:31 -0400 | [diff] [blame] | 1012 | ) |
| 1013 | |
Jean-Paul Calderone | 210c0f3 | 2015-04-12 09:20:31 -0400 | [diff] [blame] | 1014 | def test_load_verify_directory_unicode_capath(self): |
| 1015 | """ |
| 1016 | :py:obj:`Context.load_verify_locations` accepts a directory name as a |
| 1017 | ``unicode`` instance and uses the certificates within for verification |
| 1018 | purposes. |
| 1019 | """ |
Jean-Paul Calderone | 4f70c80 | 2015-04-12 11:26:47 -0400 | [diff] [blame] | 1020 | self._load_verify_directory_locations_capath( |
Hynek Schlawack | 4813c0e | 2015-04-16 13:38:01 -0400 | [diff] [blame] | 1021 | self.mktemp().decode(getfilesystemencoding()) + NON_ASCII |
Jean-Paul Calderone | 4f70c80 | 2015-04-12 11:26:47 -0400 | [diff] [blame] | 1022 | ) |
Jean-Paul Calderone | 210c0f3 | 2015-04-12 09:20:31 -0400 | [diff] [blame] | 1023 | |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 1024 | def test_load_verify_locations_wrong_args(self): |
| 1025 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 1026 | :py:obj:`Context.load_verify_locations` raises :py:obj:`TypeError` if |
| 1027 | called with the wrong number of arguments or with non-:py:obj:`str` |
| 1028 | arguments. |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 1029 | """ |
| 1030 | context = Context(TLSv1_METHOD) |
| 1031 | self.assertRaises(TypeError, context.load_verify_locations) |
| 1032 | self.assertRaises(TypeError, context.load_verify_locations, object()) |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 1033 | self.assertRaises( |
| 1034 | TypeError, context.load_verify_locations, object(), object() |
| 1035 | ) |
| 1036 | self.assertRaises( |
| 1037 | TypeError, context.load_verify_locations, None, None, None |
| 1038 | ) |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 1039 | |
Hynek Schlawack | 734d302 | 2015-09-05 19:19:32 +0200 | [diff] [blame] | 1040 | @pytest.mark.skipif( |
| 1041 | platform == "win32", |
| 1042 | reason="set_default_verify_paths appears not to work on Windows. " |
Jean-Paul Calderone | 28fb8f0 | 2009-07-24 18:01:31 -0400 | [diff] [blame] | 1043 | "See LP#404343 and LP#404344." |
Hynek Schlawack | 734d302 | 2015-09-05 19:19:32 +0200 | [diff] [blame] | 1044 | ) |
| 1045 | def test_set_default_verify_paths(self): |
| 1046 | """ |
| 1047 | :py:obj:`Context.set_default_verify_paths` causes the |
| 1048 | platform-specific CA certificate locations to be used for |
| 1049 | verification purposes. |
| 1050 | """ |
| 1051 | # Testing this requires a server with a certificate signed by one |
| 1052 | # of the CAs in the platform CA location. Getting one of those |
| 1053 | # costs money. Fortunately (or unfortunately, depending on your |
| 1054 | # perspective), it's easy to think of a public server on the |
| 1055 | # internet which has such a certificate. Connecting to the network |
| 1056 | # in a unit test is bad, but it's the only way I can think of to |
| 1057 | # really test this. -exarkun |
Jean-Paul Calderone | 1cb5d02 | 2008-09-07 20:58:50 -0400 | [diff] [blame] | 1058 | |
Hynek Schlawack | 734d302 | 2015-09-05 19:19:32 +0200 | [diff] [blame] | 1059 | # Arg, verisign.com doesn't speak anything newer than TLS 1.0 |
| 1060 | context = Context(TLSv1_METHOD) |
| 1061 | context.set_default_verify_paths() |
| 1062 | context.set_verify( |
| 1063 | VERIFY_PEER, |
| 1064 | lambda conn, cert, errno, depth, preverify_ok: preverify_ok) |
Jean-Paul Calderone | 1cb5d02 | 2008-09-07 20:58:50 -0400 | [diff] [blame] | 1065 | |
Hynek Schlawack | 734d302 | 2015-09-05 19:19:32 +0200 | [diff] [blame] | 1066 | client = socket() |
| 1067 | client.connect(('verisign.com', 443)) |
| 1068 | clientSSL = Connection(context, client) |
| 1069 | clientSSL.set_connect_state() |
| 1070 | clientSSL.do_handshake() |
| 1071 | clientSSL.send(b"GET / HTTP/1.0\r\n\r\n") |
| 1072 | self.assertTrue(clientSSL.recv(1024)) |
Jean-Paul Calderone | 9eadb96 | 2008-09-07 21:20:44 -0400 | [diff] [blame] | 1073 | |
| 1074 | def test_set_default_verify_paths_signature(self): |
| 1075 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 1076 | :py:obj:`Context.set_default_verify_paths` takes no arguments and |
| 1077 | raises :py:obj:`TypeError` if given any. |
Jean-Paul Calderone | 9eadb96 | 2008-09-07 21:20:44 -0400 | [diff] [blame] | 1078 | """ |
| 1079 | context = Context(TLSv1_METHOD) |
| 1080 | self.assertRaises(TypeError, context.set_default_verify_paths, None) |
| 1081 | self.assertRaises(TypeError, context.set_default_verify_paths, 1) |
| 1082 | self.assertRaises(TypeError, context.set_default_verify_paths, "") |
Jean-Paul Calderone | 327d8f9 | 2008-12-28 21:55:56 -0500 | [diff] [blame] | 1083 | |
Jean-Paul Calderone | 12608a8 | 2009-11-07 10:35:15 -0500 | [diff] [blame] | 1084 | def test_add_extra_chain_cert_invalid_cert(self): |
| 1085 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 1086 | :py:obj:`Context.add_extra_chain_cert` raises :py:obj:`TypeError` if |
| 1087 | called with other than one argument or if called with an object which |
| 1088 | is not an instance of :py:obj:`X509`. |
Jean-Paul Calderone | 12608a8 | 2009-11-07 10:35:15 -0500 | [diff] [blame] | 1089 | """ |
| 1090 | context = Context(TLSv1_METHOD) |
| 1091 | self.assertRaises(TypeError, context.add_extra_chain_cert) |
| 1092 | self.assertRaises(TypeError, context.add_extra_chain_cert, object()) |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 1093 | self.assertRaises( |
| 1094 | TypeError, context.add_extra_chain_cert, object(), object() |
| 1095 | ) |
Jean-Paul Calderone | 12608a8 | 2009-11-07 10:35:15 -0500 | [diff] [blame] | 1096 | |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 1097 | def _handshake_test(self, serverContext, clientContext): |
| 1098 | """ |
| 1099 | Verify that a client and server created with the given contexts can |
| 1100 | successfully handshake and communicate. |
| 1101 | """ |
| 1102 | serverSocket, clientSocket = socket_pair() |
| 1103 | |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 1104 | server = Connection(serverContext, serverSocket) |
Jean-Paul Calderone | 9485f2c | 2010-07-29 22:38:42 -0400 | [diff] [blame] | 1105 | server.set_accept_state() |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 1106 | |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 1107 | client = Connection(clientContext, clientSocket) |
| 1108 | client.set_connect_state() |
| 1109 | |
| 1110 | # Make them talk to each other. |
| 1111 | # self._interactInMemory(client, server) |
| 1112 | for i in range(3): |
| 1113 | for s in [client, server]: |
| 1114 | try: |
| 1115 | s.do_handshake() |
| 1116 | except WantReadError: |
| 1117 | pass |
| 1118 | |
Jean-Paul Calderone | 6a8cd11 | 2014-04-02 21:09:08 -0400 | [diff] [blame] | 1119 | def test_set_verify_callback_connection_argument(self): |
| 1120 | """ |
| 1121 | The first argument passed to the verify callback is the |
| 1122 | :py:class:`Connection` instance for which verification is taking place. |
| 1123 | """ |
| 1124 | serverContext = Context(TLSv1_METHOD) |
| 1125 | serverContext.use_privatekey( |
| 1126 | load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)) |
| 1127 | serverContext.use_certificate( |
| 1128 | load_certificate(FILETYPE_PEM, cleartextCertificatePEM)) |
| 1129 | serverConnection = Connection(serverContext, None) |
| 1130 | |
| 1131 | class VerifyCallback(object): |
| 1132 | def callback(self, connection, *args): |
| 1133 | self.connection = connection |
| 1134 | return 1 |
| 1135 | |
| 1136 | verify = VerifyCallback() |
| 1137 | clientContext = Context(TLSv1_METHOD) |
| 1138 | clientContext.set_verify(VERIFY_PEER, verify.callback) |
| 1139 | clientConnection = Connection(clientContext, None) |
| 1140 | clientConnection.set_connect_state() |
| 1141 | |
| 1142 | self._handshakeInMemory(clientConnection, serverConnection) |
| 1143 | |
| 1144 | self.assertIdentical(verify.connection, clientConnection) |
| 1145 | |
Jean-Paul Calderone | 7e166fe | 2013-03-06 20:54:38 -0800 | [diff] [blame] | 1146 | def test_set_verify_callback_exception(self): |
| 1147 | """ |
| 1148 | If the verify callback passed to :py:obj:`Context.set_verify` raises an |
| 1149 | exception, verification fails and the exception is propagated to the |
| 1150 | caller of :py:obj:`Connection.do_handshake`. |
| 1151 | """ |
| 1152 | serverContext = Context(TLSv1_METHOD) |
| 1153 | serverContext.use_privatekey( |
| 1154 | load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM)) |
| 1155 | serverContext.use_certificate( |
| 1156 | load_certificate(FILETYPE_PEM, cleartextCertificatePEM)) |
| 1157 | |
| 1158 | clientContext = Context(TLSv1_METHOD) |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 1159 | |
Jean-Paul Calderone | 7e166fe | 2013-03-06 20:54:38 -0800 | [diff] [blame] | 1160 | def verify_callback(*args): |
| 1161 | raise Exception("silly verify failure") |
| 1162 | clientContext.set_verify(VERIFY_PEER, verify_callback) |
| 1163 | |
| 1164 | exc = self.assertRaises( |
| 1165 | Exception, self._handshake_test, serverContext, clientContext) |
| 1166 | self.assertEqual("silly verify failure", str(exc)) |
| 1167 | |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 1168 | def test_add_extra_chain_cert(self): |
| 1169 | """ |
Hynek Schlawack | 4813c0e | 2015-04-16 13:38:01 -0400 | [diff] [blame] | 1170 | :py:obj:`Context.add_extra_chain_cert` accepts an :py:obj:`X509` |
| 1171 | instance to add to the certificate chain. |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 1172 | |
Hynek Schlawack | 4813c0e | 2015-04-16 13:38:01 -0400 | [diff] [blame] | 1173 | See :py:obj:`_create_certificate_chain` for the details of the |
| 1174 | certificate chain tested. |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 1175 | |
| 1176 | The chain is tested by starting a server with scert and connecting |
| 1177 | to it with a client which trusts cacert and requires verification to |
| 1178 | succeed. |
| 1179 | """ |
Jean-Paul Calderone | 20222ae | 2011-05-19 21:43:46 -0400 | [diff] [blame] | 1180 | chain = _create_certificate_chain() |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 1181 | [(cakey, cacert), (ikey, icert), (skey, scert)] = chain |
| 1182 | |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 1183 | # Dump the CA certificate to a file because that's the only way to load |
| 1184 | # it as a trusted CA in the client context. |
Hynek Schlawack | 4813c0e | 2015-04-16 13:38:01 -0400 | [diff] [blame] | 1185 | for cert, name in [(cacert, 'ca.pem'), |
| 1186 | (icert, 'i.pem'), |
| 1187 | (scert, 's.pem')]: |
Hynek Schlawack | e90680f | 2015-04-16 15:09:27 -0400 | [diff] [blame] | 1188 | with open(join(self.tmpdir, name), 'w') as f: |
| 1189 | f.write(dump_certificate(FILETYPE_PEM, cert).decode('ascii')) |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 1190 | |
Hynek Schlawack | 1902c01 | 2015-04-16 15:06:41 -0400 | [diff] [blame] | 1191 | for key, name in [(cakey, 'ca.key'), |
| 1192 | (ikey, 'i.key'), |
| 1193 | (skey, 's.key')]: |
Hynek Schlawack | e90680f | 2015-04-16 15:09:27 -0400 | [diff] [blame] | 1194 | with open(join(self.tmpdir, name), 'w') as f: |
| 1195 | f.write(dump_privatekey(FILETYPE_PEM, key).decode('ascii')) |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 1196 | |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 1197 | # Create the server context |
| 1198 | serverContext = Context(TLSv1_METHOD) |
| 1199 | serverContext.use_privatekey(skey) |
| 1200 | serverContext.use_certificate(scert) |
Jean-Paul Calderone | 16cf03d | 2010-09-08 18:53:39 -0400 | [diff] [blame] | 1201 | # The client already has cacert, we only need to give them icert. |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 1202 | serverContext.add_extra_chain_cert(icert) |
| 1203 | |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 1204 | # Create the client |
| 1205 | clientContext = Context(TLSv1_METHOD) |
| 1206 | clientContext.set_verify( |
| 1207 | VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb) |
Hynek Schlawack | 4813c0e | 2015-04-16 13:38:01 -0400 | [diff] [blame] | 1208 | clientContext.load_verify_locations(join(self.tmpdir, "ca.pem")) |
Jean-Paul Calderone | 9485f2c | 2010-07-29 22:38:42 -0400 | [diff] [blame] | 1209 | |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 1210 | # Try it out. |
| 1211 | self._handshake_test(serverContext, clientContext) |
| 1212 | |
Jean-Paul Calderone | aac43a3 | 2015-04-12 09:51:21 -0400 | [diff] [blame] | 1213 | def _use_certificate_chain_file_test(self, certdir): |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 1214 | """ |
Jean-Paul Calderone | aac43a3 | 2015-04-12 09:51:21 -0400 | [diff] [blame] | 1215 | Verify that :py:obj:`Context.use_certificate_chain_file` reads a |
| 1216 | certificate chain from a specified file. |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 1217 | |
Jean-Paul Calderone | aac43a3 | 2015-04-12 09:51:21 -0400 | [diff] [blame] | 1218 | The chain is tested by starting a server with scert and connecting to |
| 1219 | it with a client which trusts cacert and requires verification to |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 1220 | succeed. |
| 1221 | """ |
Jean-Paul Calderone | 20222ae | 2011-05-19 21:43:46 -0400 | [diff] [blame] | 1222 | chain = _create_certificate_chain() |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 1223 | [(cakey, cacert), (ikey, icert), (skey, scert)] = chain |
| 1224 | |
Jean-Paul Calderone | aac43a3 | 2015-04-12 09:51:21 -0400 | [diff] [blame] | 1225 | makedirs(certdir) |
| 1226 | |
Jean-Paul Calderone | 0582673 | 2015-04-12 11:38:49 -0400 | [diff] [blame] | 1227 | chainFile = join_bytes_or_unicode(certdir, "chain.pem") |
| 1228 | caFile = join_bytes_or_unicode(certdir, "ca.pem") |
Jean-Paul Calderone | aac43a3 | 2015-04-12 09:51:21 -0400 | [diff] [blame] | 1229 | |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 1230 | # Write out the chain file. |
Jean-Paul Calderone | aac43a3 | 2015-04-12 09:51:21 -0400 | [diff] [blame] | 1231 | with open(chainFile, 'wb') as fObj: |
| 1232 | # Most specific to least general. |
| 1233 | fObj.write(dump_certificate(FILETYPE_PEM, scert)) |
| 1234 | fObj.write(dump_certificate(FILETYPE_PEM, icert)) |
| 1235 | fObj.write(dump_certificate(FILETYPE_PEM, cacert)) |
| 1236 | |
| 1237 | with open(caFile, 'w') as fObj: |
| 1238 | fObj.write(dump_certificate(FILETYPE_PEM, cacert).decode('ascii')) |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 1239 | |
| 1240 | serverContext = Context(TLSv1_METHOD) |
| 1241 | serverContext.use_certificate_chain_file(chainFile) |
| 1242 | serverContext.use_privatekey(skey) |
| 1243 | |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 1244 | clientContext = Context(TLSv1_METHOD) |
| 1245 | clientContext.set_verify( |
| 1246 | VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb) |
Jean-Paul Calderone | aac43a3 | 2015-04-12 09:51:21 -0400 | [diff] [blame] | 1247 | clientContext.load_verify_locations(caFile) |
Jean-Paul Calderone | f448062 | 2010-08-02 18:25:03 -0400 | [diff] [blame] | 1248 | |
| 1249 | self._handshake_test(serverContext, clientContext) |
| 1250 | |
Jean-Paul Calderone | aac43a3 | 2015-04-12 09:51:21 -0400 | [diff] [blame] | 1251 | def test_use_certificate_chain_file_bytes(self): |
| 1252 | """ |
| 1253 | ``Context.use_certificate_chain_file`` accepts the name of a file (as |
| 1254 | an instance of ``bytes``) to specify additional certificates to use to |
| 1255 | construct and verify a trust chain. |
| 1256 | """ |
| 1257 | self._use_certificate_chain_file_test( |
Hynek Schlawack | 4813c0e | 2015-04-16 13:38:01 -0400 | [diff] [blame] | 1258 | self.mktemp() + NON_ASCII.encode(getfilesystemencoding()) |
Jean-Paul Calderone | aac43a3 | 2015-04-12 09:51:21 -0400 | [diff] [blame] | 1259 | ) |
| 1260 | |
Jean-Paul Calderone | aac43a3 | 2015-04-12 09:51:21 -0400 | [diff] [blame] | 1261 | def test_use_certificate_chain_file_unicode(self): |
| 1262 | """ |
| 1263 | ``Context.use_certificate_chain_file`` accepts the name of a file (as |
| 1264 | an instance of ``unicode``) to specify additional certificates to use |
| 1265 | to construct and verify a trust chain. |
| 1266 | """ |
| 1267 | self._use_certificate_chain_file_test( |
Hynek Schlawack | 4813c0e | 2015-04-16 13:38:01 -0400 | [diff] [blame] | 1268 | self.mktemp().decode(getfilesystemencoding()) + NON_ASCII |
Jean-Paul Calderone | aac43a3 | 2015-04-12 09:51:21 -0400 | [diff] [blame] | 1269 | ) |
| 1270 | |
Jean-Paul Calderone | 131052e | 2013-03-05 11:56:19 -0800 | [diff] [blame] | 1271 | def test_use_certificate_chain_file_wrong_args(self): |
| 1272 | """ |
| 1273 | :py:obj:`Context.use_certificate_chain_file` raises :py:obj:`TypeError` |
| 1274 | if passed zero or more than one argument or when passed a non-byte |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 1275 | string single argument. It also raises :py:obj:`OpenSSL.SSL.Error` |
| 1276 | when passed a bad chain file name (for example, the name of a file |
| 1277 | which does not exist). |
Jean-Paul Calderone | 131052e | 2013-03-05 11:56:19 -0800 | [diff] [blame] | 1278 | """ |
| 1279 | context = Context(TLSv1_METHOD) |
| 1280 | self.assertRaises(TypeError, context.use_certificate_chain_file) |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 1281 | self.assertRaises( |
| 1282 | TypeError, context.use_certificate_chain_file, object() |
| 1283 | ) |
| 1284 | self.assertRaises( |
| 1285 | TypeError, context.use_certificate_chain_file, b"foo", object() |
| 1286 | ) |
Jean-Paul Calderone | 131052e | 2013-03-05 11:56:19 -0800 | [diff] [blame] | 1287 | |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 1288 | self.assertRaises( |
| 1289 | Error, context.use_certificate_chain_file, self.mktemp() |
| 1290 | ) |
Jean-Paul Calderone | 131052e | 2013-03-05 11:56:19 -0800 | [diff] [blame] | 1291 | |
Jean-Paul Calderone | e0d7936 | 2010-08-03 18:46:46 -0400 | [diff] [blame] | 1292 | # XXX load_client_ca |
| 1293 | # XXX set_session_id |
Jean-Paul Calderone | 0294e3d | 2010-09-09 18:17:48 -0400 | [diff] [blame] | 1294 | |
| 1295 | def test_get_verify_mode_wrong_args(self): |
| 1296 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 1297 | :py:obj:`Context.get_verify_mode` raises :py:obj:`TypeError` if called |
| 1298 | with any arguments. |
Jean-Paul Calderone | 0294e3d | 2010-09-09 18:17:48 -0400 | [diff] [blame] | 1299 | """ |
| 1300 | context = Context(TLSv1_METHOD) |
| 1301 | self.assertRaises(TypeError, context.get_verify_mode, None) |
| 1302 | |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 1303 | def test_set_verify_mode(self): |
Jean-Paul Calderone | 0294e3d | 2010-09-09 18:17:48 -0400 | [diff] [blame] | 1304 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 1305 | :py:obj:`Context.get_verify_mode` returns the verify mode flags |
| 1306 | previously passed to :py:obj:`Context.set_verify`. |
Jean-Paul Calderone | 0294e3d | 2010-09-09 18:17:48 -0400 | [diff] [blame] | 1307 | """ |
| 1308 | context = Context(TLSv1_METHOD) |
| 1309 | self.assertEquals(context.get_verify_mode(), 0) |
| 1310 | context.set_verify( |
| 1311 | VERIFY_PEER | VERIFY_CLIENT_ONCE, lambda *args: None) |
| 1312 | self.assertEquals( |
| 1313 | context.get_verify_mode(), VERIFY_PEER | VERIFY_CLIENT_ONCE) |
| 1314 | |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 1315 | @skip_if_py3 |
| 1316 | def test_set_verify_mode_long(self): |
| 1317 | """ |
| 1318 | On Python 2 :py:obj:`Context.set_verify_mode` accepts values of |
| 1319 | type :py:obj:`long` as well as :py:obj:`int`. |
| 1320 | """ |
| 1321 | context = Context(TLSv1_METHOD) |
| 1322 | self.assertEquals(context.get_verify_mode(), 0) |
| 1323 | context.set_verify( |
| 1324 | long(VERIFY_PEER | VERIFY_CLIENT_ONCE), lambda *args: None) |
| 1325 | self.assertEquals( |
| 1326 | context.get_verify_mode(), VERIFY_PEER | VERIFY_CLIENT_ONCE) |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 1327 | |
Jean-Paul Calderone | 6ace478 | 2010-09-09 18:43:40 -0400 | [diff] [blame] | 1328 | def test_load_tmp_dh_wrong_args(self): |
| 1329 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 1330 | :py:obj:`Context.load_tmp_dh` raises :py:obj:`TypeError` if called with |
| 1331 | the wrong number of arguments or with a non-:py:obj:`str` argument. |
Jean-Paul Calderone | 6ace478 | 2010-09-09 18:43:40 -0400 | [diff] [blame] | 1332 | """ |
| 1333 | context = Context(TLSv1_METHOD) |
| 1334 | self.assertRaises(TypeError, context.load_tmp_dh) |
| 1335 | self.assertRaises(TypeError, context.load_tmp_dh, "foo", None) |
| 1336 | self.assertRaises(TypeError, context.load_tmp_dh, object()) |
| 1337 | |
Jean-Paul Calderone | 6ace478 | 2010-09-09 18:43:40 -0400 | [diff] [blame] | 1338 | def test_load_tmp_dh_missing_file(self): |
| 1339 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 1340 | :py:obj:`Context.load_tmp_dh` raises :py:obj:`OpenSSL.SSL.Error` if the |
| 1341 | specified file does not exist. |
Jean-Paul Calderone | 6ace478 | 2010-09-09 18:43:40 -0400 | [diff] [blame] | 1342 | """ |
| 1343 | context = Context(TLSv1_METHOD) |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 1344 | self.assertRaises(Error, context.load_tmp_dh, b"hello") |
Jean-Paul Calderone | 6ace478 | 2010-09-09 18:43:40 -0400 | [diff] [blame] | 1345 | |
Jean-Paul Calderone | 9e1c1dd | 2015-04-12 10:13:13 -0400 | [diff] [blame] | 1346 | def _load_tmp_dh_test(self, dhfilename): |
Jean-Paul Calderone | 4e0c43f | 2015-04-13 10:15:17 -0400 | [diff] [blame] | 1347 | """ |
| 1348 | Verify that calling ``Context.load_tmp_dh`` with the given filename |
| 1349 | does not raise an exception. |
| 1350 | """ |
Jean-Paul Calderone | 6ace478 | 2010-09-09 18:43:40 -0400 | [diff] [blame] | 1351 | context = Context(TLSv1_METHOD) |
Jean-Paul Calderone | 9e1c1dd | 2015-04-12 10:13:13 -0400 | [diff] [blame] | 1352 | with open(dhfilename, "w") as dhfile: |
| 1353 | dhfile.write(dhparam) |
| 1354 | |
Jean-Paul Calderone | 6ace478 | 2010-09-09 18:43:40 -0400 | [diff] [blame] | 1355 | context.load_tmp_dh(dhfilename) |
| 1356 | # XXX What should I assert here? -exarkun |
| 1357 | |
Jean-Paul Calderone | 9e1c1dd | 2015-04-12 10:13:13 -0400 | [diff] [blame] | 1358 | def test_load_tmp_dh_bytes(self): |
| 1359 | """ |
| 1360 | :py:obj:`Context.load_tmp_dh` loads Diffie-Hellman parameters from the |
| 1361 | specified file (given as ``bytes``). |
| 1362 | """ |
| 1363 | self._load_tmp_dh_test( |
Hynek Schlawack | 4813c0e | 2015-04-16 13:38:01 -0400 | [diff] [blame] | 1364 | self.mktemp() + NON_ASCII.encode(getfilesystemencoding()), |
Jean-Paul Calderone | 9e1c1dd | 2015-04-12 10:13:13 -0400 | [diff] [blame] | 1365 | ) |
| 1366 | |
Jean-Paul Calderone | 9e1c1dd | 2015-04-12 10:13:13 -0400 | [diff] [blame] | 1367 | def test_load_tmp_dh_unicode(self): |
| 1368 | """ |
| 1369 | :py:obj:`Context.load_tmp_dh` loads Diffie-Hellman parameters from the |
| 1370 | specified file (given as ``unicode``). |
| 1371 | """ |
| 1372 | self._load_tmp_dh_test( |
Hynek Schlawack | 4813c0e | 2015-04-16 13:38:01 -0400 | [diff] [blame] | 1373 | self.mktemp().decode(getfilesystemencoding()) + NON_ASCII, |
Jean-Paul Calderone | 9e1c1dd | 2015-04-12 10:13:13 -0400 | [diff] [blame] | 1374 | ) |
| 1375 | |
Jean-Paul Calderone | 3e4e335 | 2014-04-19 09:28:28 -0400 | [diff] [blame] | 1376 | def test_set_tmp_ecdh(self): |
Andy Lutomirski | f05a273 | 2014-03-13 17:22:25 -0700 | [diff] [blame] | 1377 | """ |
Jean-Paul Calderone | 3e4e335 | 2014-04-19 09:28:28 -0400 | [diff] [blame] | 1378 | :py:obj:`Context.set_tmp_ecdh` sets the elliptic curve for |
Jean-Paul Calderone | c09fd58 | 2014-04-18 22:00:10 -0400 | [diff] [blame] | 1379 | Diffie-Hellman to the specified curve. |
Andy Lutomirski | f05a273 | 2014-03-13 17:22:25 -0700 | [diff] [blame] | 1380 | """ |
| 1381 | context = Context(TLSv1_METHOD) |
Jean-Paul Calderone | c09fd58 | 2014-04-18 22:00:10 -0400 | [diff] [blame] | 1382 | for curve in get_elliptic_curves(): |
| 1383 | # The only easily "assertable" thing is that it does not raise an |
| 1384 | # exception. |
Jean-Paul Calderone | 3e4e335 | 2014-04-19 09:28:28 -0400 | [diff] [blame] | 1385 | context.set_tmp_ecdh(curve) |
Alex Gaynor | 12dc084 | 2014-01-17 12:51:31 -0600 | [diff] [blame] | 1386 | |
Jean-Paul Calderone | 63eab69 | 2014-01-18 10:19:56 -0500 | [diff] [blame] | 1387 | def test_set_cipher_list_bytes(self): |
Jean-Paul Calderone | 6ace478 | 2010-09-09 18:43:40 -0400 | [diff] [blame] | 1388 | """ |
Jean-Paul Calderone | 63eab69 | 2014-01-18 10:19:56 -0500 | [diff] [blame] | 1389 | :py:obj:`Context.set_cipher_list` accepts a :py:obj:`bytes` naming the |
| 1390 | ciphers which connections created with the context object will be able |
| 1391 | to choose from. |
Jean-Paul Calderone | 6ace478 | 2010-09-09 18:43:40 -0400 | [diff] [blame] | 1392 | """ |
| 1393 | context = Context(TLSv1_METHOD) |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 1394 | context.set_cipher_list(b"hello world:EXP-RC4-MD5") |
Jean-Paul Calderone | 6ace478 | 2010-09-09 18:43:40 -0400 | [diff] [blame] | 1395 | conn = Connection(context, None) |
| 1396 | self.assertEquals(conn.get_cipher_list(), ["EXP-RC4-MD5"]) |
Jean-Paul Calderone | 9485f2c | 2010-07-29 22:38:42 -0400 | [diff] [blame] | 1397 | |
Jean-Paul Calderone | 63eab69 | 2014-01-18 10:19:56 -0500 | [diff] [blame] | 1398 | def test_set_cipher_list_text(self): |
| 1399 | """ |
| 1400 | :py:obj:`Context.set_cipher_list` accepts a :py:obj:`unicode` naming |
| 1401 | the ciphers which connections created with the context object will be |
| 1402 | able to choose from. |
| 1403 | """ |
| 1404 | context = Context(TLSv1_METHOD) |
Jean-Paul Calderone | c76c61c | 2014-01-18 13:21:52 -0500 | [diff] [blame] | 1405 | context.set_cipher_list(u("hello world:EXP-RC4-MD5")) |
Jean-Paul Calderone | 63eab69 | 2014-01-18 10:19:56 -0500 | [diff] [blame] | 1406 | conn = Connection(context, None) |
| 1407 | self.assertEquals(conn.get_cipher_list(), ["EXP-RC4-MD5"]) |
| 1408 | |
Jean-Paul Calderone | 131052e | 2013-03-05 11:56:19 -0800 | [diff] [blame] | 1409 | def test_set_cipher_list_wrong_args(self): |
| 1410 | """ |
Jean-Paul Calderone | 1704483 | 2014-01-18 10:20:11 -0500 | [diff] [blame] | 1411 | :py:obj:`Context.set_cipher_list` raises :py:obj:`TypeError` when |
| 1412 | passed zero arguments or more than one argument or when passed a |
| 1413 | non-string single argument and raises :py:obj:`OpenSSL.SSL.Error` when |
Jean-Paul Calderone | 131052e | 2013-03-05 11:56:19 -0800 | [diff] [blame] | 1414 | passed an incorrect cipher list string. |
| 1415 | """ |
| 1416 | context = Context(TLSv1_METHOD) |
| 1417 | self.assertRaises(TypeError, context.set_cipher_list) |
| 1418 | self.assertRaises(TypeError, context.set_cipher_list, object()) |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 1419 | self.assertRaises( |
| 1420 | TypeError, context.set_cipher_list, b"EXP-RC4-MD5", object() |
| 1421 | ) |
Jean-Paul Calderone | 131052e | 2013-03-05 11:56:19 -0800 | [diff] [blame] | 1422 | |
Jean-Paul Calderone | 63eab69 | 2014-01-18 10:19:56 -0500 | [diff] [blame] | 1423 | self.assertRaises(Error, context.set_cipher_list, "imaginary-cipher") |
Jean-Paul Calderone | 131052e | 2013-03-05 11:56:19 -0800 | [diff] [blame] | 1424 | |
Jean-Paul Calderone | 313bf01 | 2012-02-08 13:02:49 -0500 | [diff] [blame] | 1425 | def test_set_session_cache_mode_wrong_args(self): |
| 1426 | """ |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 1427 | :py:obj:`Context.set_session_cache_mode` raises :py:obj:`TypeError` if |
| 1428 | called with other than one integer argument. |
Jean-Paul Calderone | 313bf01 | 2012-02-08 13:02:49 -0500 | [diff] [blame] | 1429 | """ |
| 1430 | context = Context(TLSv1_METHOD) |
| 1431 | self.assertRaises(TypeError, context.set_session_cache_mode) |
| 1432 | self.assertRaises(TypeError, context.set_session_cache_mode, object()) |
| 1433 | |
Jean-Paul Calderone | 313bf01 | 2012-02-08 13:02:49 -0500 | [diff] [blame] | 1434 | def test_get_session_cache_mode_wrong_args(self): |
| 1435 | """ |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 1436 | :py:obj:`Context.get_session_cache_mode` raises :py:obj:`TypeError` if |
| 1437 | called with any arguments. |
Jean-Paul Calderone | 313bf01 | 2012-02-08 13:02:49 -0500 | [diff] [blame] | 1438 | """ |
| 1439 | context = Context(TLSv1_METHOD) |
| 1440 | self.assertRaises(TypeError, context.get_session_cache_mode, 1) |
| 1441 | |
Jean-Paul Calderone | 313bf01 | 2012-02-08 13:02:49 -0500 | [diff] [blame] | 1442 | def test_session_cache_mode(self): |
| 1443 | """ |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 1444 | :py:obj:`Context.set_session_cache_mode` specifies how sessions are |
| 1445 | cached. The setting can be retrieved via |
| 1446 | :py:obj:`Context.get_session_cache_mode`. |
Jean-Paul Calderone | 313bf01 | 2012-02-08 13:02:49 -0500 | [diff] [blame] | 1447 | """ |
| 1448 | context = Context(TLSv1_METHOD) |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 1449 | context.set_session_cache_mode(SESS_CACHE_OFF) |
Jean-Paul Calderone | 313bf01 | 2012-02-08 13:02:49 -0500 | [diff] [blame] | 1450 | off = context.set_session_cache_mode(SESS_CACHE_BOTH) |
| 1451 | self.assertEqual(SESS_CACHE_OFF, off) |
| 1452 | self.assertEqual(SESS_CACHE_BOTH, context.get_session_cache_mode()) |
| 1453 | |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 1454 | @skip_if_py3 |
| 1455 | def test_session_cache_mode_long(self): |
| 1456 | """ |
| 1457 | On Python 2 :py:obj:`Context.set_session_cache_mode` accepts values |
| 1458 | of type :py:obj:`long` as well as :py:obj:`int`. |
| 1459 | """ |
| 1460 | context = Context(TLSv1_METHOD) |
| 1461 | context.set_session_cache_mode(long(SESS_CACHE_BOTH)) |
| 1462 | self.assertEqual( |
| 1463 | SESS_CACHE_BOTH, context.get_session_cache_mode()) |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 1464 | |
Jean-Paul Calderone | a63714c | 2013-03-05 17:02:26 -0800 | [diff] [blame] | 1465 | def test_get_cert_store(self): |
| 1466 | """ |
Hynek Schlawack | de00dd5 | 2015-09-05 19:09:26 +0200 | [diff] [blame] | 1467 | :py:obj:`Context.get_cert_store` returns a :py:obj:`X509Store` |
| 1468 | instance. |
Jean-Paul Calderone | a63714c | 2013-03-05 17:02:26 -0800 | [diff] [blame] | 1469 | """ |
| 1470 | context = Context(TLSv1_METHOD) |
| 1471 | store = context.get_cert_store() |
| 1472 | self.assertIsInstance(store, X509Store) |
| 1473 | |
| 1474 | |
Jean-Paul Calderone | c4cb658 | 2011-05-26 18:47:00 -0400 | [diff] [blame] | 1475 | class ServerNameCallbackTests(TestCase, _LoopbackMixin): |
| 1476 | """ |
Hynek Schlawack | afeffd2 | 2015-09-05 20:08:16 +0200 | [diff] [blame] | 1477 | Tests for :py:obj:`Context.set_tlsext_servername_callback` and its |
| 1478 | interaction with :py:obj:`Connection`. |
Jean-Paul Calderone | c4cb658 | 2011-05-26 18:47:00 -0400 | [diff] [blame] | 1479 | """ |
| 1480 | def test_wrong_args(self): |
| 1481 | """ |
Hynek Schlawack | afeffd2 | 2015-09-05 20:08:16 +0200 | [diff] [blame] | 1482 | :py:obj:`Context.set_tlsext_servername_callback` raises |
| 1483 | :py:obj:`TypeError` if called with other than one argument. |
Jean-Paul Calderone | c4cb658 | 2011-05-26 18:47:00 -0400 | [diff] [blame] | 1484 | """ |
| 1485 | context = Context(TLSv1_METHOD) |
| 1486 | self.assertRaises(TypeError, context.set_tlsext_servername_callback) |
| 1487 | self.assertRaises( |
| 1488 | TypeError, context.set_tlsext_servername_callback, 1, 2) |
| 1489 | |
| 1490 | def test_old_callback_forgotten(self): |
| 1491 | """ |
Hynek Schlawack | afeffd2 | 2015-09-05 20:08:16 +0200 | [diff] [blame] | 1492 | If :py:obj:`Context.set_tlsext_servername_callback` is used to specify |
| 1493 | a new callback, the one it replaces is dereferenced. |
Jean-Paul Calderone | c4cb658 | 2011-05-26 18:47:00 -0400 | [diff] [blame] | 1494 | """ |
| 1495 | def callback(connection): |
| 1496 | pass |
| 1497 | |
| 1498 | def replacement(connection): |
| 1499 | pass |
| 1500 | |
| 1501 | context = Context(TLSv1_METHOD) |
| 1502 | context.set_tlsext_servername_callback(callback) |
| 1503 | |
| 1504 | tracker = ref(callback) |
| 1505 | del callback |
| 1506 | |
| 1507 | context.set_tlsext_servername_callback(replacement) |
Jean-Paul Calderone | d4033eb | 2014-01-11 08:21:46 -0500 | [diff] [blame] | 1508 | |
| 1509 | # One run of the garbage collector happens to work on CPython. PyPy |
| 1510 | # doesn't collect the underlying object until a second run for whatever |
| 1511 | # reason. That's fine, it still demonstrates our code has properly |
| 1512 | # dropped the reference. |
| 1513 | collect() |
Jean-Paul Calderone | c4cb658 | 2011-05-26 18:47:00 -0400 | [diff] [blame] | 1514 | collect() |
Jean-Paul Calderone | 4c1aacd | 2014-01-11 08:15:17 -0500 | [diff] [blame] | 1515 | |
| 1516 | callback = tracker() |
| 1517 | if callback is not None: |
| 1518 | referrers = get_referrers(callback) |
Jean-Paul Calderone | 7de3956 | 2014-01-11 08:17:59 -0500 | [diff] [blame] | 1519 | if len(referrers) > 1: |
Jean-Paul Calderone | 4c1aacd | 2014-01-11 08:15:17 -0500 | [diff] [blame] | 1520 | self.fail("Some references remain: %r" % (referrers,)) |
Jean-Paul Calderone | c4cb658 | 2011-05-26 18:47:00 -0400 | [diff] [blame] | 1521 | |
Jean-Paul Calderone | c4cb658 | 2011-05-26 18:47:00 -0400 | [diff] [blame] | 1522 | def test_no_servername(self): |
| 1523 | """ |
| 1524 | When a client specifies no server name, the callback passed to |
Hynek Schlawack | afeffd2 | 2015-09-05 20:08:16 +0200 | [diff] [blame] | 1525 | :py:obj:`Context.set_tlsext_servername_callback` is invoked and the |
| 1526 | result of :py:obj:`Connection.get_servername` is :py:obj:`None`. |
Jean-Paul Calderone | c4cb658 | 2011-05-26 18:47:00 -0400 | [diff] [blame] | 1527 | """ |
| 1528 | args = [] |
Hynek Schlawack | afeffd2 | 2015-09-05 20:08:16 +0200 | [diff] [blame] | 1529 | |
Jean-Paul Calderone | c4cb658 | 2011-05-26 18:47:00 -0400 | [diff] [blame] | 1530 | def servername(conn): |
| 1531 | args.append((conn, conn.get_servername())) |
| 1532 | context = Context(TLSv1_METHOD) |
| 1533 | context.set_tlsext_servername_callback(servername) |
| 1534 | |
| 1535 | # Lose our reference to it. The Context is responsible for keeping it |
| 1536 | # alive now. |
| 1537 | del servername |
| 1538 | collect() |
| 1539 | |
| 1540 | # Necessary to actually accept the connection |
| 1541 | context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem)) |
Hynek Schlawack | afeffd2 | 2015-09-05 20:08:16 +0200 | [diff] [blame] | 1542 | context.use_certificate( |
| 1543 | load_certificate(FILETYPE_PEM, server_cert_pem)) |
Jean-Paul Calderone | c4cb658 | 2011-05-26 18:47:00 -0400 | [diff] [blame] | 1544 | |
| 1545 | # Do a little connection to trigger the logic |
| 1546 | server = Connection(context, None) |
| 1547 | server.set_accept_state() |
| 1548 | |
| 1549 | client = Connection(Context(TLSv1_METHOD), None) |
| 1550 | client.set_connect_state() |
| 1551 | |
| 1552 | self._interactInMemory(server, client) |
| 1553 | |
| 1554 | self.assertEqual([(server, None)], args) |
| 1555 | |
Jean-Paul Calderone | c4cb658 | 2011-05-26 18:47:00 -0400 | [diff] [blame] | 1556 | def test_servername(self): |
| 1557 | """ |
Hynek Schlawack | afeffd2 | 2015-09-05 20:08:16 +0200 | [diff] [blame] | 1558 | When a client specifies a server name in its hello message, the |
| 1559 | callback passed to :py:obj:`Contexts.set_tlsext_servername_callback` is |
| 1560 | invoked and the result of :py:obj:`Connection.get_servername` is that |
| 1561 | server name. |
Jean-Paul Calderone | c4cb658 | 2011-05-26 18:47:00 -0400 | [diff] [blame] | 1562 | """ |
| 1563 | args = [] |
Hynek Schlawack | afeffd2 | 2015-09-05 20:08:16 +0200 | [diff] [blame] | 1564 | |
Jean-Paul Calderone | c4cb658 | 2011-05-26 18:47:00 -0400 | [diff] [blame] | 1565 | def servername(conn): |
| 1566 | args.append((conn, conn.get_servername())) |
| 1567 | context = Context(TLSv1_METHOD) |
| 1568 | context.set_tlsext_servername_callback(servername) |
| 1569 | |
| 1570 | # Necessary to actually accept the connection |
| 1571 | context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem)) |
Hynek Schlawack | afeffd2 | 2015-09-05 20:08:16 +0200 | [diff] [blame] | 1572 | context.use_certificate( |
| 1573 | load_certificate(FILETYPE_PEM, server_cert_pem)) |
Jean-Paul Calderone | c4cb658 | 2011-05-26 18:47:00 -0400 | [diff] [blame] | 1574 | |
| 1575 | # Do a little connection to trigger the logic |
| 1576 | server = Connection(context, None) |
| 1577 | server.set_accept_state() |
| 1578 | |
| 1579 | client = Connection(Context(TLSv1_METHOD), None) |
| 1580 | client.set_connect_state() |
| 1581 | client.set_tlsext_host_name(b("foo1.example.com")) |
| 1582 | |
| 1583 | self._interactInMemory(server, client) |
| 1584 | |
| 1585 | self.assertEqual([(server, b("foo1.example.com"))], args) |
| 1586 | |
| 1587 | |
Cory Benfield | 84a121e | 2014-03-31 20:30:25 +0100 | [diff] [blame] | 1588 | class NextProtoNegotiationTests(TestCase, _LoopbackMixin): |
| 1589 | """ |
| 1590 | Test for Next Protocol Negotiation in PyOpenSSL. |
| 1591 | """ |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1592 | if _lib.Cryptography_HAS_NEXTPROTONEG: |
| 1593 | def test_npn_success(self): |
| 1594 | """ |
| 1595 | Tests that clients and servers that agree on the negotiated next |
| 1596 | protocol can correct establish a connection, and that the agreed |
| 1597 | protocol is reported by the connections. |
| 1598 | """ |
| 1599 | advertise_args = [] |
| 1600 | select_args = [] |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 1601 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1602 | def advertise(conn): |
| 1603 | advertise_args.append((conn,)) |
| 1604 | return [b'http/1.1', b'spdy/2'] |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 1605 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1606 | def select(conn, options): |
| 1607 | select_args.append((conn, options)) |
| 1608 | return b'spdy/2' |
Cory Benfield | 84a121e | 2014-03-31 20:30:25 +0100 | [diff] [blame] | 1609 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1610 | server_context = Context(TLSv1_METHOD) |
| 1611 | server_context.set_npn_advertise_callback(advertise) |
Cory Benfield | 84a121e | 2014-03-31 20:30:25 +0100 | [diff] [blame] | 1612 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1613 | client_context = Context(TLSv1_METHOD) |
| 1614 | client_context.set_npn_select_callback(select) |
Cory Benfield | 84a121e | 2014-03-31 20:30:25 +0100 | [diff] [blame] | 1615 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1616 | # Necessary to actually accept the connection |
| 1617 | server_context.use_privatekey( |
| 1618 | load_privatekey(FILETYPE_PEM, server_key_pem)) |
| 1619 | server_context.use_certificate( |
| 1620 | load_certificate(FILETYPE_PEM, server_cert_pem)) |
Cory Benfield | 84a121e | 2014-03-31 20:30:25 +0100 | [diff] [blame] | 1621 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1622 | # Do a little connection to trigger the logic |
| 1623 | server = Connection(server_context, None) |
| 1624 | server.set_accept_state() |
Cory Benfield | 84a121e | 2014-03-31 20:30:25 +0100 | [diff] [blame] | 1625 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1626 | client = Connection(client_context, None) |
| 1627 | client.set_connect_state() |
Cory Benfield | 84a121e | 2014-03-31 20:30:25 +0100 | [diff] [blame] | 1628 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1629 | self._interactInMemory(server, client) |
Cory Benfield | 84a121e | 2014-03-31 20:30:25 +0100 | [diff] [blame] | 1630 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1631 | self.assertEqual([(server,)], advertise_args) |
| 1632 | self.assertEqual([(client, [b'http/1.1', b'spdy/2'])], select_args) |
Cory Benfield | 84a121e | 2014-03-31 20:30:25 +0100 | [diff] [blame] | 1633 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1634 | self.assertEqual(server.get_next_proto_negotiated(), b'spdy/2') |
| 1635 | self.assertEqual(client.get_next_proto_negotiated(), b'spdy/2') |
Cory Benfield | 84a121e | 2014-03-31 20:30:25 +0100 | [diff] [blame] | 1636 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1637 | def test_npn_client_fail(self): |
| 1638 | """ |
| 1639 | Tests that when clients and servers cannot agree on what protocol |
| 1640 | to use next that the TLS connection does not get established. |
| 1641 | """ |
| 1642 | advertise_args = [] |
| 1643 | select_args = [] |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 1644 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1645 | def advertise(conn): |
| 1646 | advertise_args.append((conn,)) |
| 1647 | return [b'http/1.1', b'spdy/2'] |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 1648 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1649 | def select(conn, options): |
| 1650 | select_args.append((conn, options)) |
| 1651 | return b'' |
Cory Benfield | 84a121e | 2014-03-31 20:30:25 +0100 | [diff] [blame] | 1652 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1653 | server_context = Context(TLSv1_METHOD) |
| 1654 | server_context.set_npn_advertise_callback(advertise) |
Cory Benfield | 84a121e | 2014-03-31 20:30:25 +0100 | [diff] [blame] | 1655 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1656 | client_context = Context(TLSv1_METHOD) |
| 1657 | client_context.set_npn_select_callback(select) |
Cory Benfield | 84a121e | 2014-03-31 20:30:25 +0100 | [diff] [blame] | 1658 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1659 | # Necessary to actually accept the connection |
| 1660 | server_context.use_privatekey( |
| 1661 | load_privatekey(FILETYPE_PEM, server_key_pem)) |
| 1662 | server_context.use_certificate( |
| 1663 | load_certificate(FILETYPE_PEM, server_cert_pem)) |
Cory Benfield | 84a121e | 2014-03-31 20:30:25 +0100 | [diff] [blame] | 1664 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1665 | # Do a little connection to trigger the logic |
| 1666 | server = Connection(server_context, None) |
| 1667 | server.set_accept_state() |
Cory Benfield | 84a121e | 2014-03-31 20:30:25 +0100 | [diff] [blame] | 1668 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1669 | client = Connection(client_context, None) |
| 1670 | client.set_connect_state() |
Cory Benfield | 84a121e | 2014-03-31 20:30:25 +0100 | [diff] [blame] | 1671 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1672 | # If the client doesn't return anything, the connection will fail. |
| 1673 | self.assertRaises(Error, self._interactInMemory, server, client) |
Cory Benfield | 84a121e | 2014-03-31 20:30:25 +0100 | [diff] [blame] | 1674 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1675 | self.assertEqual([(server,)], advertise_args) |
| 1676 | self.assertEqual([(client, [b'http/1.1', b'spdy/2'])], select_args) |
Cory Benfield | 84a121e | 2014-03-31 20:30:25 +0100 | [diff] [blame] | 1677 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1678 | def test_npn_select_error(self): |
| 1679 | """ |
| 1680 | Test that we can handle exceptions in the select callback. If |
| 1681 | select fails it should be fatal to the connection. |
| 1682 | """ |
| 1683 | advertise_args = [] |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 1684 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1685 | def advertise(conn): |
| 1686 | advertise_args.append((conn,)) |
| 1687 | return [b'http/1.1', b'spdy/2'] |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 1688 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1689 | def select(conn, options): |
| 1690 | raise TypeError |
Cory Benfield | 0ea76e7 | 2015-03-22 09:05:28 +0000 | [diff] [blame] | 1691 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1692 | server_context = Context(TLSv1_METHOD) |
| 1693 | server_context.set_npn_advertise_callback(advertise) |
Cory Benfield | 0ea76e7 | 2015-03-22 09:05:28 +0000 | [diff] [blame] | 1694 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1695 | client_context = Context(TLSv1_METHOD) |
| 1696 | client_context.set_npn_select_callback(select) |
Cory Benfield | 0ea76e7 | 2015-03-22 09:05:28 +0000 | [diff] [blame] | 1697 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1698 | # Necessary to actually accept the connection |
| 1699 | server_context.use_privatekey( |
| 1700 | load_privatekey(FILETYPE_PEM, server_key_pem)) |
| 1701 | server_context.use_certificate( |
| 1702 | load_certificate(FILETYPE_PEM, server_cert_pem)) |
Cory Benfield | 0ea76e7 | 2015-03-22 09:05:28 +0000 | [diff] [blame] | 1703 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1704 | # Do a little connection to trigger the logic |
| 1705 | server = Connection(server_context, None) |
| 1706 | server.set_accept_state() |
Cory Benfield | 0ea76e7 | 2015-03-22 09:05:28 +0000 | [diff] [blame] | 1707 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1708 | client = Connection(client_context, None) |
| 1709 | client.set_connect_state() |
Cory Benfield | 0ea76e7 | 2015-03-22 09:05:28 +0000 | [diff] [blame] | 1710 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1711 | # If the callback throws an exception it should be raised here. |
| 1712 | self.assertRaises( |
| 1713 | TypeError, self._interactInMemory, server, client |
| 1714 | ) |
| 1715 | self.assertEqual([(server,)], advertise_args) |
Cory Benfield | 0ea76e7 | 2015-03-22 09:05:28 +0000 | [diff] [blame] | 1716 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1717 | def test_npn_advertise_error(self): |
| 1718 | """ |
| 1719 | Test that we can handle exceptions in the advertise callback. If |
| 1720 | advertise fails no NPN is advertised to the client. |
| 1721 | """ |
| 1722 | select_args = [] |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 1723 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1724 | def advertise(conn): |
| 1725 | raise TypeError |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 1726 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1727 | def select(conn, options): |
| 1728 | select_args.append((conn, options)) |
| 1729 | return b'' |
Cory Benfield | 0ea76e7 | 2015-03-22 09:05:28 +0000 | [diff] [blame] | 1730 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1731 | server_context = Context(TLSv1_METHOD) |
| 1732 | server_context.set_npn_advertise_callback(advertise) |
Cory Benfield | 0ea76e7 | 2015-03-22 09:05:28 +0000 | [diff] [blame] | 1733 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1734 | client_context = Context(TLSv1_METHOD) |
| 1735 | client_context.set_npn_select_callback(select) |
Cory Benfield | 0ea76e7 | 2015-03-22 09:05:28 +0000 | [diff] [blame] | 1736 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1737 | # Necessary to actually accept the connection |
| 1738 | server_context.use_privatekey( |
| 1739 | load_privatekey(FILETYPE_PEM, server_key_pem)) |
| 1740 | server_context.use_certificate( |
| 1741 | load_certificate(FILETYPE_PEM, server_cert_pem)) |
Cory Benfield | 0ea76e7 | 2015-03-22 09:05:28 +0000 | [diff] [blame] | 1742 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1743 | # Do a little connection to trigger the logic |
| 1744 | server = Connection(server_context, None) |
| 1745 | server.set_accept_state() |
Cory Benfield | 0ea76e7 | 2015-03-22 09:05:28 +0000 | [diff] [blame] | 1746 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1747 | client = Connection(client_context, None) |
| 1748 | client.set_connect_state() |
Cory Benfield | 0ea76e7 | 2015-03-22 09:05:28 +0000 | [diff] [blame] | 1749 | |
Cory Benfield | ba1820d | 2015-04-13 17:39:12 -0400 | [diff] [blame] | 1750 | # If the client doesn't return anything, the connection will fail. |
| 1751 | self.assertRaises( |
| 1752 | TypeError, self._interactInMemory, server, client |
| 1753 | ) |
| 1754 | self.assertEqual([], select_args) |
| 1755 | |
| 1756 | else: |
| 1757 | # No NPN. |
| 1758 | def test_npn_not_implemented(self): |
| 1759 | # Test the context methods first. |
| 1760 | context = Context(TLSv1_METHOD) |
| 1761 | fail_methods = [ |
| 1762 | context.set_npn_advertise_callback, |
| 1763 | context.set_npn_select_callback, |
| 1764 | ] |
| 1765 | for method in fail_methods: |
| 1766 | self.assertRaises( |
| 1767 | NotImplementedError, method, None |
| 1768 | ) |
| 1769 | |
| 1770 | # Now test a connection. |
| 1771 | conn = Connection(context) |
| 1772 | fail_methods = [ |
| 1773 | conn.get_next_proto_negotiated, |
| 1774 | ] |
| 1775 | for method in fail_methods: |
| 1776 | self.assertRaises(NotImplementedError, method) |
Cory Benfield | 0ea76e7 | 2015-03-22 09:05:28 +0000 | [diff] [blame] | 1777 | |
| 1778 | |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1779 | class ApplicationLayerProtoNegotiationTests(TestCase, _LoopbackMixin): |
| 1780 | """ |
| 1781 | Tests for ALPN in PyOpenSSL. |
| 1782 | """ |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1783 | # Skip tests on versions that don't support ALPN. |
| 1784 | if _lib.Cryptography_HAS_ALPN: |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1785 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1786 | def test_alpn_success(self): |
| 1787 | """ |
Cory Benfield | bb8516b | 2015-04-13 18:12:53 -0400 | [diff] [blame] | 1788 | Clients and servers that agree on the negotiated ALPN protocol can |
| 1789 | correct establish a connection, and the agreed protocol is reported |
| 1790 | by the connections. |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1791 | """ |
| 1792 | select_args = [] |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 1793 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1794 | def select(conn, options): |
| 1795 | select_args.append((conn, options)) |
| 1796 | return b'spdy/2' |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1797 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1798 | client_context = Context(TLSv1_METHOD) |
| 1799 | client_context.set_alpn_protos([b'http/1.1', b'spdy/2']) |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1800 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1801 | server_context = Context(TLSv1_METHOD) |
| 1802 | server_context.set_alpn_select_callback(select) |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1803 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1804 | # Necessary to actually accept the connection |
| 1805 | server_context.use_privatekey( |
| 1806 | load_privatekey(FILETYPE_PEM, server_key_pem)) |
| 1807 | server_context.use_certificate( |
| 1808 | load_certificate(FILETYPE_PEM, server_cert_pem)) |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1809 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1810 | # Do a little connection to trigger the logic |
| 1811 | server = Connection(server_context, None) |
| 1812 | server.set_accept_state() |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1813 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1814 | client = Connection(client_context, None) |
| 1815 | client.set_connect_state() |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1816 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1817 | self._interactInMemory(server, client) |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1818 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1819 | self.assertEqual([(server, [b'http/1.1', b'spdy/2'])], select_args) |
| 1820 | |
| 1821 | self.assertEqual(server.get_alpn_proto_negotiated(), b'spdy/2') |
| 1822 | self.assertEqual(client.get_alpn_proto_negotiated(), b'spdy/2') |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1823 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1824 | def test_alpn_set_on_connection(self): |
| 1825 | """ |
| 1826 | The same as test_alpn_success, but setting the ALPN protocols on |
| 1827 | the connection rather than the context. |
| 1828 | """ |
| 1829 | select_args = [] |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 1830 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1831 | def select(conn, options): |
| 1832 | select_args.append((conn, options)) |
| 1833 | return b'spdy/2' |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1834 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1835 | # Setup the client context but don't set any ALPN protocols. |
| 1836 | client_context = Context(TLSv1_METHOD) |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1837 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1838 | server_context = Context(TLSv1_METHOD) |
| 1839 | server_context.set_alpn_select_callback(select) |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1840 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1841 | # Necessary to actually accept the connection |
| 1842 | server_context.use_privatekey( |
| 1843 | load_privatekey(FILETYPE_PEM, server_key_pem)) |
| 1844 | server_context.use_certificate( |
| 1845 | load_certificate(FILETYPE_PEM, server_cert_pem)) |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1846 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1847 | # Do a little connection to trigger the logic |
| 1848 | server = Connection(server_context, None) |
| 1849 | server.set_accept_state() |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1850 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1851 | # Set the ALPN protocols on the client connection. |
| 1852 | client = Connection(client_context, None) |
| 1853 | client.set_alpn_protos([b'http/1.1', b'spdy/2']) |
| 1854 | client.set_connect_state() |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1855 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1856 | self._interactInMemory(server, client) |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1857 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1858 | self.assertEqual([(server, [b'http/1.1', b'spdy/2'])], select_args) |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1859 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1860 | self.assertEqual(server.get_alpn_proto_negotiated(), b'spdy/2') |
| 1861 | self.assertEqual(client.get_alpn_proto_negotiated(), b'spdy/2') |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1862 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1863 | def test_alpn_server_fail(self): |
| 1864 | """ |
Cory Benfield | bb8516b | 2015-04-13 18:12:53 -0400 | [diff] [blame] | 1865 | When clients and servers cannot agree on what protocol to use next |
| 1866 | the TLS connection does not get established. |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1867 | """ |
| 1868 | select_args = [] |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 1869 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1870 | def select(conn, options): |
| 1871 | select_args.append((conn, options)) |
| 1872 | return b'' |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1873 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1874 | client_context = Context(TLSv1_METHOD) |
| 1875 | client_context.set_alpn_protos([b'http/1.1', b'spdy/2']) |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1876 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1877 | server_context = Context(TLSv1_METHOD) |
| 1878 | server_context.set_alpn_select_callback(select) |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1879 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1880 | # Necessary to actually accept the connection |
| 1881 | server_context.use_privatekey( |
| 1882 | load_privatekey(FILETYPE_PEM, server_key_pem)) |
| 1883 | server_context.use_certificate( |
| 1884 | load_certificate(FILETYPE_PEM, server_cert_pem)) |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1885 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1886 | # Do a little connection to trigger the logic |
| 1887 | server = Connection(server_context, None) |
| 1888 | server.set_accept_state() |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1889 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1890 | client = Connection(client_context, None) |
| 1891 | client.set_connect_state() |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1892 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1893 | # If the client doesn't return anything, the connection will fail. |
| 1894 | self.assertRaises(Error, self._interactInMemory, server, client) |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1895 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1896 | self.assertEqual([(server, [b'http/1.1', b'spdy/2'])], select_args) |
Cory Benfield | 12eae89 | 2014-06-07 15:42:56 +0100 | [diff] [blame] | 1897 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1898 | def test_alpn_no_server(self): |
| 1899 | """ |
Cory Benfield | bb8516b | 2015-04-13 18:12:53 -0400 | [diff] [blame] | 1900 | When clients and servers cannot agree on what protocol to use next |
| 1901 | because the server doesn't offer ALPN, no protocol is negotiated. |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1902 | """ |
| 1903 | client_context = Context(TLSv1_METHOD) |
| 1904 | client_context.set_alpn_protos([b'http/1.1', b'spdy/2']) |
Cory Benfield | e3d5715 | 2015-04-11 17:57:35 -0400 | [diff] [blame] | 1905 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1906 | server_context = Context(TLSv1_METHOD) |
Cory Benfield | e3d5715 | 2015-04-11 17:57:35 -0400 | [diff] [blame] | 1907 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1908 | # Necessary to actually accept the connection |
| 1909 | server_context.use_privatekey( |
| 1910 | load_privatekey(FILETYPE_PEM, server_key_pem)) |
| 1911 | server_context.use_certificate( |
| 1912 | load_certificate(FILETYPE_PEM, server_cert_pem)) |
Cory Benfield | e3d5715 | 2015-04-11 17:57:35 -0400 | [diff] [blame] | 1913 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1914 | # Do a little connection to trigger the logic |
| 1915 | server = Connection(server_context, None) |
| 1916 | server.set_accept_state() |
Cory Benfield | e3d5715 | 2015-04-11 17:57:35 -0400 | [diff] [blame] | 1917 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1918 | client = Connection(client_context, None) |
| 1919 | client.set_connect_state() |
Cory Benfield | e3d5715 | 2015-04-11 17:57:35 -0400 | [diff] [blame] | 1920 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1921 | # Do the dance. |
| 1922 | self._interactInMemory(server, client) |
Cory Benfield | e3d5715 | 2015-04-11 17:57:35 -0400 | [diff] [blame] | 1923 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1924 | self.assertEqual(client.get_alpn_proto_negotiated(), b'') |
Cory Benfield | e3d5715 | 2015-04-11 17:57:35 -0400 | [diff] [blame] | 1925 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1926 | def test_alpn_callback_exception(self): |
| 1927 | """ |
Cory Benfield | bb8516b | 2015-04-13 18:12:53 -0400 | [diff] [blame] | 1928 | We can handle exceptions in the ALPN select callback. |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1929 | """ |
| 1930 | select_args = [] |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 1931 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1932 | def select(conn, options): |
| 1933 | select_args.append((conn, options)) |
Cory Benfield | ef40145 | 2015-04-13 18:17:36 -0400 | [diff] [blame] | 1934 | raise TypeError() |
Cory Benfield | f1177e7 | 2015-04-12 09:11:49 -0400 | [diff] [blame] | 1935 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1936 | client_context = Context(TLSv1_METHOD) |
| 1937 | client_context.set_alpn_protos([b'http/1.1', b'spdy/2']) |
Cory Benfield | f1177e7 | 2015-04-12 09:11:49 -0400 | [diff] [blame] | 1938 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1939 | server_context = Context(TLSv1_METHOD) |
| 1940 | server_context.set_alpn_select_callback(select) |
Cory Benfield | f1177e7 | 2015-04-12 09:11:49 -0400 | [diff] [blame] | 1941 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1942 | # Necessary to actually accept the connection |
| 1943 | server_context.use_privatekey( |
| 1944 | load_privatekey(FILETYPE_PEM, server_key_pem)) |
| 1945 | server_context.use_certificate( |
| 1946 | load_certificate(FILETYPE_PEM, server_cert_pem)) |
Cory Benfield | f1177e7 | 2015-04-12 09:11:49 -0400 | [diff] [blame] | 1947 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1948 | # Do a little connection to trigger the logic |
| 1949 | server = Connection(server_context, None) |
| 1950 | server.set_accept_state() |
Cory Benfield | f1177e7 | 2015-04-12 09:11:49 -0400 | [diff] [blame] | 1951 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1952 | client = Connection(client_context, None) |
| 1953 | client.set_connect_state() |
Cory Benfield | f1177e7 | 2015-04-12 09:11:49 -0400 | [diff] [blame] | 1954 | |
Cory Benfield | e46fa84 | 2015-04-13 16:50:49 -0400 | [diff] [blame] | 1955 | self.assertRaises( |
| 1956 | TypeError, self._interactInMemory, server, client |
| 1957 | ) |
| 1958 | self.assertEqual([(server, [b'http/1.1', b'spdy/2'])], select_args) |
Cory Benfield | f1177e7 | 2015-04-12 09:11:49 -0400 | [diff] [blame] | 1959 | |
Cory Benfield | 0f7b04c | 2015-04-13 17:51:12 -0400 | [diff] [blame] | 1960 | else: |
| 1961 | # No ALPN. |
| 1962 | def test_alpn_not_implemented(self): |
Cory Benfield | ef40145 | 2015-04-13 18:17:36 -0400 | [diff] [blame] | 1963 | """ |
| 1964 | If ALPN is not in OpenSSL, we should raise NotImplementedError. |
| 1965 | """ |
Cory Benfield | 0f7b04c | 2015-04-13 17:51:12 -0400 | [diff] [blame] | 1966 | # Test the context methods first. |
| 1967 | context = Context(TLSv1_METHOD) |
Cory Benfield | 307e9e6 | 2015-04-13 18:21:12 -0400 | [diff] [blame] | 1968 | self.assertRaises( |
| 1969 | NotImplementedError, context.set_alpn_protos, None |
| 1970 | ) |
| 1971 | self.assertRaises( |
| 1972 | NotImplementedError, context.set_alpn_select_callback, None |
| 1973 | ) |
Cory Benfield | 0f7b04c | 2015-04-13 17:51:12 -0400 | [diff] [blame] | 1974 | |
| 1975 | # Now test a connection. |
| 1976 | conn = Connection(context) |
Cory Benfield | 307e9e6 | 2015-04-13 18:21:12 -0400 | [diff] [blame] | 1977 | self.assertRaises( |
Alex Gaynor | 6841723 | 2015-09-04 07:56:29 -0400 | [diff] [blame] | 1978 | NotImplementedError, conn.set_alpn_protos, None |
Cory Benfield | 307e9e6 | 2015-04-13 18:21:12 -0400 | [diff] [blame] | 1979 | ) |
Cory Benfield | 0f7b04c | 2015-04-13 17:51:12 -0400 | [diff] [blame] | 1980 | |
Cory Benfield | f1177e7 | 2015-04-12 09:11:49 -0400 | [diff] [blame] | 1981 | |
Jean-Paul Calderone | e0fcf51 | 2012-02-13 09:10:15 -0500 | [diff] [blame] | 1982 | class SessionTests(TestCase): |
| 1983 | """ |
| 1984 | Unit tests for :py:obj:`OpenSSL.SSL.Session`. |
| 1985 | """ |
| 1986 | def test_construction(self): |
| 1987 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 1988 | :py:class:`Session` can be constructed with no arguments, creating |
| 1989 | a new instance of that type. |
Jean-Paul Calderone | e0fcf51 | 2012-02-13 09:10:15 -0500 | [diff] [blame] | 1990 | """ |
| 1991 | new_session = Session() |
| 1992 | self.assertTrue(isinstance(new_session, Session)) |
| 1993 | |
Jean-Paul Calderone | e0fcf51 | 2012-02-13 09:10:15 -0500 | [diff] [blame] | 1994 | def test_construction_wrong_args(self): |
| 1995 | """ |
| 1996 | If any arguments are passed to :py:class:`Session`, :py:obj:`TypeError` |
| 1997 | is raised. |
| 1998 | """ |
| 1999 | self.assertRaises(TypeError, Session, 123) |
| 2000 | self.assertRaises(TypeError, Session, "hello") |
| 2001 | self.assertRaises(TypeError, Session, object()) |
| 2002 | |
| 2003 | |
Jean-Paul Calderone | 9485f2c | 2010-07-29 22:38:42 -0400 | [diff] [blame] | 2004 | class ConnectionTests(TestCase, _LoopbackMixin): |
Rick Dean | e15b147 | 2009-07-09 15:53:42 -0500 | [diff] [blame] | 2005 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2006 | Unit tests for :py:obj:`OpenSSL.SSL.Connection`. |
Rick Dean | e15b147 | 2009-07-09 15:53:42 -0500 | [diff] [blame] | 2007 | """ |
Jean-Paul Calderone | 541eaf2 | 2010-09-09 18:55:08 -0400 | [diff] [blame] | 2008 | # XXX get_peer_certificate -> None |
| 2009 | # XXX sock_shutdown |
| 2010 | # XXX master_key -> TypeError |
| 2011 | # XXX server_random -> TypeError |
| 2012 | # XXX state_string |
| 2013 | # XXX connect -> TypeError |
| 2014 | # XXX connect_ex -> TypeError |
| 2015 | # XXX set_connect_state -> TypeError |
| 2016 | # XXX set_accept_state -> TypeError |
| 2017 | # XXX renegotiate_pending |
| 2018 | # XXX do_handshake -> TypeError |
| 2019 | # XXX bio_read -> TypeError |
| 2020 | # XXX recv -> TypeError |
| 2021 | # XXX send -> TypeError |
| 2022 | # XXX bio_write -> TypeError |
| 2023 | |
Rick Dean | e15b147 | 2009-07-09 15:53:42 -0500 | [diff] [blame] | 2024 | def test_type(self): |
| 2025 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2026 | :py:obj:`Connection` and :py:obj:`ConnectionType` refer to the same |
| 2027 | type object and can be used to create instances of that type. |
Rick Dean | e15b147 | 2009-07-09 15:53:42 -0500 | [diff] [blame] | 2028 | """ |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 2029 | self.assertIdentical(Connection, ConnectionType) |
Rick Dean | e15b147 | 2009-07-09 15:53:42 -0500 | [diff] [blame] | 2030 | ctx = Context(TLSv1_METHOD) |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 2031 | self.assertConsistentType(Connection, 'Connection', ctx, None) |
Rick Dean | e15b147 | 2009-07-09 15:53:42 -0500 | [diff] [blame] | 2032 | |
Jean-Paul Calderone | 4fd058a | 2009-11-22 11:46:42 -0500 | [diff] [blame] | 2033 | def test_get_context(self): |
| 2034 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2035 | :py:obj:`Connection.get_context` returns the :py:obj:`Context` instance |
| 2036 | used to construct the :py:obj:`Connection` instance. |
Jean-Paul Calderone | 4fd058a | 2009-11-22 11:46:42 -0500 | [diff] [blame] | 2037 | """ |
| 2038 | context = Context(TLSv1_METHOD) |
| 2039 | connection = Connection(context, None) |
| 2040 | self.assertIdentical(connection.get_context(), context) |
| 2041 | |
Jean-Paul Calderone | 4fd058a | 2009-11-22 11:46:42 -0500 | [diff] [blame] | 2042 | def test_get_context_wrong_args(self): |
| 2043 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2044 | :py:obj:`Connection.get_context` raises :py:obj:`TypeError` if called |
| 2045 | with any arguments. |
Jean-Paul Calderone | 4fd058a | 2009-11-22 11:46:42 -0500 | [diff] [blame] | 2046 | """ |
| 2047 | connection = Connection(Context(TLSv1_METHOD), None) |
| 2048 | self.assertRaises(TypeError, connection.get_context, None) |
| 2049 | |
Jean-Paul Calderone | 95613b7 | 2011-05-25 22:30:21 -0400 | [diff] [blame] | 2050 | def test_set_context_wrong_args(self): |
| 2051 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2052 | :py:obj:`Connection.set_context` raises :py:obj:`TypeError` if called |
| 2053 | with a non-:py:obj:`Context` instance argument or with any number of |
| 2054 | arguments other than 1. |
Jean-Paul Calderone | 95613b7 | 2011-05-25 22:30:21 -0400 | [diff] [blame] | 2055 | """ |
| 2056 | ctx = Context(TLSv1_METHOD) |
| 2057 | connection = Connection(ctx, None) |
| 2058 | self.assertRaises(TypeError, connection.set_context) |
| 2059 | self.assertRaises(TypeError, connection.set_context, object()) |
| 2060 | self.assertRaises(TypeError, connection.set_context, "hello") |
| 2061 | self.assertRaises(TypeError, connection.set_context, 1) |
| 2062 | self.assertRaises(TypeError, connection.set_context, 1, 2) |
| 2063 | self.assertRaises( |
| 2064 | TypeError, connection.set_context, Context(TLSv1_METHOD), 2) |
| 2065 | self.assertIdentical(ctx, connection.get_context()) |
| 2066 | |
Jean-Paul Calderone | 95613b7 | 2011-05-25 22:30:21 -0400 | [diff] [blame] | 2067 | def test_set_context(self): |
| 2068 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2069 | :py:obj:`Connection.set_context` specifies a new :py:obj:`Context` |
| 2070 | instance to be used for the connection. |
Jean-Paul Calderone | 95613b7 | 2011-05-25 22:30:21 -0400 | [diff] [blame] | 2071 | """ |
| 2072 | original = Context(SSLv23_METHOD) |
| 2073 | replacement = Context(TLSv1_METHOD) |
| 2074 | connection = Connection(original, None) |
| 2075 | connection.set_context(replacement) |
| 2076 | self.assertIdentical(replacement, connection.get_context()) |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2077 | # Lose our references to the contexts, just in case the Connection |
| 2078 | # isn't properly managing its own contributions to their reference |
| 2079 | # counts. |
Jean-Paul Calderone | 95613b7 | 2011-05-25 22:30:21 -0400 | [diff] [blame] | 2080 | del original, replacement |
Jean-Paul Calderone | c4cb658 | 2011-05-26 18:47:00 -0400 | [diff] [blame] | 2081 | collect() |
| 2082 | |
Jean-Paul Calderone | c4cb658 | 2011-05-26 18:47:00 -0400 | [diff] [blame] | 2083 | def test_set_tlsext_host_name_wrong_args(self): |
| 2084 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2085 | If :py:obj:`Connection.set_tlsext_host_name` is called with a non-byte |
| 2086 | string argument or a byte string with an embedded NUL or other than one |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2087 | argument, :py:obj:`TypeError` is raised. |
Jean-Paul Calderone | c4cb658 | 2011-05-26 18:47:00 -0400 | [diff] [blame] | 2088 | """ |
| 2089 | conn = Connection(Context(TLSv1_METHOD), None) |
| 2090 | self.assertRaises(TypeError, conn.set_tlsext_host_name) |
| 2091 | self.assertRaises(TypeError, conn.set_tlsext_host_name, object()) |
| 2092 | self.assertRaises(TypeError, conn.set_tlsext_host_name, 123, 456) |
| 2093 | self.assertRaises( |
| 2094 | TypeError, conn.set_tlsext_host_name, b("with\0null")) |
| 2095 | |
Abraham Martin | c5484ba | 2015-03-25 15:33:05 +0000 | [diff] [blame] | 2096 | if PY3: |
Jean-Paul Calderone | c4cb658 | 2011-05-26 18:47:00 -0400 | [diff] [blame] | 2097 | # On Python 3.x, don't accidentally implicitly convert from text. |
| 2098 | self.assertRaises( |
| 2099 | TypeError, |
| 2100 | conn.set_tlsext_host_name, b("example.com").decode("ascii")) |
Jean-Paul Calderone | 95613b7 | 2011-05-25 22:30:21 -0400 | [diff] [blame] | 2101 | |
Jean-Paul Calderone | 871a4d8 | 2011-05-26 19:24:02 -0400 | [diff] [blame] | 2102 | def test_get_servername_wrong_args(self): |
| 2103 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2104 | :py:obj:`Connection.get_servername` raises :py:obj:`TypeError` if |
| 2105 | called with any arguments. |
Jean-Paul Calderone | 871a4d8 | 2011-05-26 19:24:02 -0400 | [diff] [blame] | 2106 | """ |
| 2107 | connection = Connection(Context(TLSv1_METHOD), None) |
| 2108 | self.assertRaises(TypeError, connection.get_servername, object()) |
| 2109 | self.assertRaises(TypeError, connection.get_servername, 1) |
| 2110 | self.assertRaises(TypeError, connection.get_servername, "hello") |
| 2111 | |
Jean-Paul Calderone | 1d69a72 | 2010-07-29 09:05:53 -0400 | [diff] [blame] | 2112 | def test_pending(self): |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2113 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2114 | :py:obj:`Connection.pending` returns the number of bytes available for |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2115 | immediate read. |
| 2116 | """ |
Jean-Paul Calderone | 1d69a72 | 2010-07-29 09:05:53 -0400 | [diff] [blame] | 2117 | connection = Connection(Context(TLSv1_METHOD), None) |
| 2118 | self.assertEquals(connection.pending(), 0) |
| 2119 | |
Jean-Paul Calderone | 1d69a72 | 2010-07-29 09:05:53 -0400 | [diff] [blame] | 2120 | def test_pending_wrong_args(self): |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2121 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2122 | :py:obj:`Connection.pending` raises :py:obj:`TypeError` if called with |
| 2123 | any arguments. |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2124 | """ |
Jean-Paul Calderone | 1d69a72 | 2010-07-29 09:05:53 -0400 | [diff] [blame] | 2125 | connection = Connection(Context(TLSv1_METHOD), None) |
| 2126 | self.assertRaises(TypeError, connection.pending, None) |
| 2127 | |
Maximilian Hils | 1d95dea | 2015-08-17 19:27:20 +0200 | [diff] [blame] | 2128 | def test_peek(self): |
| 2129 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2130 | :py:obj:`Connection.recv` peeks into the connection if |
| 2131 | :py:obj:`socket.MSG_PEEK` is passed. |
Maximilian Hils | 1d95dea | 2015-08-17 19:27:20 +0200 | [diff] [blame] | 2132 | """ |
| 2133 | server, client = self._loopback() |
| 2134 | server.send(b('xy')) |
| 2135 | self.assertEqual(client.recv(2, MSG_PEEK), b('xy')) |
| 2136 | self.assertEqual(client.recv(2, MSG_PEEK), b('xy')) |
| 2137 | self.assertEqual(client.recv(2), b('xy')) |
| 2138 | |
Jean-Paul Calderone | cfecc24 | 2010-07-29 22:47:06 -0400 | [diff] [blame] | 2139 | def test_connect_wrong_args(self): |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2140 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2141 | :py:obj:`Connection.connect` raises :py:obj:`TypeError` if called with |
| 2142 | a non-address argument or with the wrong number of arguments. |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2143 | """ |
Jean-Paul Calderone | cfecc24 | 2010-07-29 22:47:06 -0400 | [diff] [blame] | 2144 | connection = Connection(Context(TLSv1_METHOD), socket()) |
| 2145 | self.assertRaises(TypeError, connection.connect, None) |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2146 | self.assertRaises(TypeError, connection.connect) |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2147 | self.assertRaises( |
| 2148 | TypeError, connection.connect, ("127.0.0.1", 1), None |
| 2149 | ) |
Jean-Paul Calderone | cfecc24 | 2010-07-29 22:47:06 -0400 | [diff] [blame] | 2150 | |
kjav | fe508d6 | 2015-09-02 12:20:35 +0100 | [diff] [blame] | 2151 | def test_connection_undefined_attr(self): |
| 2152 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2153 | :py:obj:`Connection.connect` raises :py:obj:`TypeError` if called with |
| 2154 | a non-address argument or with the wrong number of arguments. |
kjav | fe508d6 | 2015-09-02 12:20:35 +0100 | [diff] [blame] | 2155 | """ |
Alex Gaynor | 1aabb2e | 2015-09-05 13:35:18 -0400 | [diff] [blame] | 2156 | |
kjav | fe508d6 | 2015-09-02 12:20:35 +0100 | [diff] [blame] | 2157 | def attr_access_test(connection): |
| 2158 | return connection.an_attribute_which_is_not_defined |
Alex Gaynor | 1aabb2e | 2015-09-05 13:35:18 -0400 | [diff] [blame] | 2159 | |
kjav | fe508d6 | 2015-09-02 12:20:35 +0100 | [diff] [blame] | 2160 | connection = Connection(Context(TLSv1_METHOD), None) |
| 2161 | self.assertRaises(AttributeError, attr_access_test, connection) |
Jean-Paul Calderone | cfecc24 | 2010-07-29 22:47:06 -0400 | [diff] [blame] | 2162 | |
Jean-Paul Calderone | 8bdeba2 | 2010-07-29 09:45:07 -0400 | [diff] [blame] | 2163 | def test_connect_refused(self): |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2164 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2165 | :py:obj:`Connection.connect` raises :py:obj:`socket.error` if the |
| 2166 | underlying socket connect method raises it. |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2167 | """ |
Jean-Paul Calderone | 8bdeba2 | 2010-07-29 09:45:07 -0400 | [diff] [blame] | 2168 | client = socket() |
| 2169 | context = Context(TLSv1_METHOD) |
| 2170 | clientSSL = Connection(context, client) |
Alex Gaynor | 122717b | 2015-09-05 14:14:18 -0400 | [diff] [blame] | 2171 | # pytest.raises here doesn't work because of a bug in py.test on Python |
| 2172 | # 2.6: https://github.com/pytest-dev/pytest/issues/988 |
Alex Gaynor | e69c278 | 2015-09-05 14:07:48 -0400 | [diff] [blame] | 2173 | try: |
Alex Gaynor | 1aabb2e | 2015-09-05 13:35:18 -0400 | [diff] [blame] | 2174 | clientSSL.connect(("127.0.0.1", 1)) |
Alex Gaynor | e69c278 | 2015-09-05 14:07:48 -0400 | [diff] [blame] | 2175 | except error as e: |
Alex Gaynor | 20a4c08 | 2015-09-05 14:24:15 -0400 | [diff] [blame] | 2176 | exc = e |
| 2177 | assert exc.args[0] == ECONNREFUSED |
Jean-Paul Calderone | 8bdeba2 | 2010-07-29 09:45:07 -0400 | [diff] [blame] | 2178 | |
| 2179 | def test_connect(self): |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2180 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2181 | :py:obj:`Connection.connect` establishes a connection to the specified |
| 2182 | address. |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2183 | """ |
Jean-Paul Calderone | 0bcb0e0 | 2010-07-29 09:49:59 -0400 | [diff] [blame] | 2184 | port = socket() |
| 2185 | port.bind(('', 0)) |
| 2186 | port.listen(3) |
| 2187 | |
| 2188 | clientSSL = Connection(Context(TLSv1_METHOD), socket()) |
Jean-Paul Calderone | b6e0fd9 | 2010-09-19 09:22:13 -0400 | [diff] [blame] | 2189 | clientSSL.connect(('127.0.0.1', port.getsockname()[1])) |
| 2190 | # XXX An assertion? Or something? |
Jean-Paul Calderone | 0bcb0e0 | 2010-07-29 09:49:59 -0400 | [diff] [blame] | 2191 | |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2192 | @pytest.mark.skipif( |
| 2193 | platform == "darwin", |
| 2194 | reason="connect_ex sometimes causes a kernel panic on OS X 10.6.4" |
| 2195 | ) |
| 2196 | def test_connect_ex(self): |
| 2197 | """ |
| 2198 | If there is a connection error, :py:obj:`Connection.connect_ex` |
| 2199 | returns the errno instead of raising an exception. |
| 2200 | """ |
| 2201 | port = socket() |
| 2202 | port.bind(('', 0)) |
| 2203 | port.listen(3) |
Jean-Paul Calderone | 0bcb0e0 | 2010-07-29 09:49:59 -0400 | [diff] [blame] | 2204 | |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2205 | clientSSL = Connection(Context(TLSv1_METHOD), socket()) |
| 2206 | clientSSL.setblocking(False) |
| 2207 | result = clientSSL.connect_ex(port.getsockname()) |
| 2208 | expected = (EINPROGRESS, EWOULDBLOCK) |
| 2209 | self.assertTrue( |
| 2210 | result in expected, "%r not in %r" % (result, expected)) |
Jean-Paul Calderone | 55d91f4 | 2010-07-29 19:22:17 -0400 | [diff] [blame] | 2211 | |
Jean-Paul Calderone | cfecc24 | 2010-07-29 22:47:06 -0400 | [diff] [blame] | 2212 | def test_accept_wrong_args(self): |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2213 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2214 | :py:obj:`Connection.accept` raises :py:obj:`TypeError` if called with |
| 2215 | any arguments. |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2216 | """ |
Jean-Paul Calderone | cfecc24 | 2010-07-29 22:47:06 -0400 | [diff] [blame] | 2217 | connection = Connection(Context(TLSv1_METHOD), socket()) |
| 2218 | self.assertRaises(TypeError, connection.accept, None) |
| 2219 | |
Jean-Paul Calderone | 0bcb0e0 | 2010-07-29 09:49:59 -0400 | [diff] [blame] | 2220 | def test_accept(self): |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2221 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2222 | :py:obj:`Connection.accept` accepts a pending connection attempt and |
| 2223 | returns a tuple of a new :py:obj:`Connection` (the accepted client) and |
| 2224 | the address the connection originated from. |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2225 | """ |
Jean-Paul Calderone | 8bdeba2 | 2010-07-29 09:45:07 -0400 | [diff] [blame] | 2226 | ctx = Context(TLSv1_METHOD) |
| 2227 | ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem)) |
| 2228 | ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem)) |
Jean-Paul Calderone | 0bcb0e0 | 2010-07-29 09:49:59 -0400 | [diff] [blame] | 2229 | port = socket() |
| 2230 | portSSL = Connection(ctx, port) |
| 2231 | portSSL.bind(('', 0)) |
| 2232 | portSSL.listen(3) |
Jean-Paul Calderone | 8bdeba2 | 2010-07-29 09:45:07 -0400 | [diff] [blame] | 2233 | |
Jean-Paul Calderone | 0bcb0e0 | 2010-07-29 09:49:59 -0400 | [diff] [blame] | 2234 | clientSSL = Connection(Context(TLSv1_METHOD), socket()) |
Jean-Paul Calderone | b6e0fd9 | 2010-09-19 09:22:13 -0400 | [diff] [blame] | 2235 | |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2236 | # Calling portSSL.getsockname() here to get the server IP address |
| 2237 | # sounds great, but frequently fails on Windows. |
Jean-Paul Calderone | b6e0fd9 | 2010-09-19 09:22:13 -0400 | [diff] [blame] | 2238 | clientSSL.connect(('127.0.0.1', portSSL.getsockname()[1])) |
Jean-Paul Calderone | 8bdeba2 | 2010-07-29 09:45:07 -0400 | [diff] [blame] | 2239 | |
Jean-Paul Calderone | 0bcb0e0 | 2010-07-29 09:49:59 -0400 | [diff] [blame] | 2240 | serverSSL, address = portSSL.accept() |
| 2241 | |
| 2242 | self.assertTrue(isinstance(serverSSL, Connection)) |
| 2243 | self.assertIdentical(serverSSL.get_context(), ctx) |
| 2244 | self.assertEquals(address, clientSSL.getsockname()) |
Jean-Paul Calderone | 8bdeba2 | 2010-07-29 09:45:07 -0400 | [diff] [blame] | 2245 | |
Jean-Paul Calderone | cfecc24 | 2010-07-29 22:47:06 -0400 | [diff] [blame] | 2246 | def test_shutdown_wrong_args(self): |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2247 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2248 | :py:obj:`Connection.shutdown` raises :py:obj:`TypeError` if called with |
| 2249 | the wrong number of arguments or with arguments other than integers. |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2250 | """ |
Jean-Paul Calderone | cfecc24 | 2010-07-29 22:47:06 -0400 | [diff] [blame] | 2251 | connection = Connection(Context(TLSv1_METHOD), None) |
| 2252 | self.assertRaises(TypeError, connection.shutdown, None) |
Jean-Paul Calderone | 1d3e022 | 2010-07-29 22:52:45 -0400 | [diff] [blame] | 2253 | self.assertRaises(TypeError, connection.get_shutdown, None) |
| 2254 | self.assertRaises(TypeError, connection.set_shutdown) |
| 2255 | self.assertRaises(TypeError, connection.set_shutdown, None) |
| 2256 | self.assertRaises(TypeError, connection.set_shutdown, 0, 1) |
Jean-Paul Calderone | cfecc24 | 2010-07-29 22:47:06 -0400 | [diff] [blame] | 2257 | |
Jean-Paul Calderone | 9485f2c | 2010-07-29 22:38:42 -0400 | [diff] [blame] | 2258 | def test_shutdown(self): |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2259 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2260 | :py:obj:`Connection.shutdown` performs an SSL-level connection |
| 2261 | shutdown. |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2262 | """ |
Jean-Paul Calderone | 9485f2c | 2010-07-29 22:38:42 -0400 | [diff] [blame] | 2263 | server, client = self._loopback() |
Jean-Paul Calderone | e4f6b47 | 2010-07-29 22:50:58 -0400 | [diff] [blame] | 2264 | self.assertFalse(server.shutdown()) |
| 2265 | self.assertEquals(server.get_shutdown(), SENT_SHUTDOWN) |
Jean-Paul Calderone | 9485f2c | 2010-07-29 22:38:42 -0400 | [diff] [blame] | 2266 | self.assertRaises(ZeroReturnError, client.recv, 1024) |
Jean-Paul Calderone | e4f6b47 | 2010-07-29 22:50:58 -0400 | [diff] [blame] | 2267 | self.assertEquals(client.get_shutdown(), RECEIVED_SHUTDOWN) |
| 2268 | client.shutdown() |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2269 | self.assertEquals( |
| 2270 | client.get_shutdown(), SENT_SHUTDOWN | RECEIVED_SHUTDOWN |
| 2271 | ) |
Jean-Paul Calderone | e4f6b47 | 2010-07-29 22:50:58 -0400 | [diff] [blame] | 2272 | self.assertRaises(ZeroReturnError, server.recv, 1024) |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2273 | self.assertEquals( |
| 2274 | server.get_shutdown(), SENT_SHUTDOWN | RECEIVED_SHUTDOWN |
| 2275 | ) |
Jean-Paul Calderone | 9485f2c | 2010-07-29 22:38:42 -0400 | [diff] [blame] | 2276 | |
Paul Aurich | c85e086 | 2015-01-08 08:34:33 -0800 | [diff] [blame] | 2277 | def test_shutdown_closed(self): |
| 2278 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2279 | If the underlying socket is closed, :py:obj:`Connection.shutdown` |
| 2280 | propagates the write error from the low level write call. |
Paul Aurich | c85e086 | 2015-01-08 08:34:33 -0800 | [diff] [blame] | 2281 | """ |
| 2282 | server, client = self._loopback() |
| 2283 | server.sock_shutdown(2) |
| 2284 | exc = self.assertRaises(SysCallError, server.shutdown) |
| 2285 | if platform == "win32": |
| 2286 | self.assertEqual(exc.args[0], ESHUTDOWN) |
| 2287 | else: |
| 2288 | self.assertEqual(exc.args[0], EPIPE) |
| 2289 | |
Glyph | 8938947 | 2015-04-14 17:29:26 -0400 | [diff] [blame] | 2290 | def test_shutdown_truncated(self): |
Glyph | 6064ec3 | 2015-04-14 16:38:22 -0400 | [diff] [blame] | 2291 | """ |
Glyph | 8938947 | 2015-04-14 17:29:26 -0400 | [diff] [blame] | 2292 | If the underlying connection is truncated, :obj:`Connection.shutdown` |
| 2293 | raises an :obj:`Error`. |
Glyph | 6064ec3 | 2015-04-14 16:38:22 -0400 | [diff] [blame] | 2294 | """ |
Glyph | 8938947 | 2015-04-14 17:29:26 -0400 | [diff] [blame] | 2295 | server_ctx = Context(TLSv1_METHOD) |
| 2296 | client_ctx = Context(TLSv1_METHOD) |
| 2297 | server_ctx.use_privatekey( |
| 2298 | load_privatekey(FILETYPE_PEM, server_key_pem)) |
| 2299 | server_ctx.use_certificate( |
| 2300 | load_certificate(FILETYPE_PEM, server_cert_pem)) |
| 2301 | server = Connection(server_ctx, None) |
| 2302 | client = Connection(client_ctx, None) |
| 2303 | self._handshakeInMemory(client, server) |
| 2304 | self.assertEqual(server.shutdown(), False) |
| 2305 | self.assertRaises(WantReadError, server.shutdown) |
| 2306 | server.bio_shutdown() |
Glyph | 6064ec3 | 2015-04-14 16:38:22 -0400 | [diff] [blame] | 2307 | self.assertRaises(Error, server.shutdown) |
| 2308 | |
Jean-Paul Calderone | c89eef2 | 2010-07-29 22:51:58 -0400 | [diff] [blame] | 2309 | def test_set_shutdown(self): |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2310 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2311 | :py:obj:`Connection.set_shutdown` sets the state of the SSL connection |
| 2312 | shutdown process. |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2313 | """ |
Jean-Paul Calderone | c89eef2 | 2010-07-29 22:51:58 -0400 | [diff] [blame] | 2314 | connection = Connection(Context(TLSv1_METHOD), socket()) |
| 2315 | connection.set_shutdown(RECEIVED_SHUTDOWN) |
| 2316 | self.assertEquals(connection.get_shutdown(), RECEIVED_SHUTDOWN) |
| 2317 | |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2318 | @skip_if_py3 |
| 2319 | def test_set_shutdown_long(self): |
| 2320 | """ |
| 2321 | On Python 2 :py:obj:`Connection.set_shutdown` accepts an argument |
| 2322 | of type :py:obj:`long` as well as :py:obj:`int`. |
| 2323 | """ |
| 2324 | connection = Connection(Context(TLSv1_METHOD), socket()) |
| 2325 | connection.set_shutdown(long(RECEIVED_SHUTDOWN)) |
| 2326 | self.assertEquals(connection.get_shutdown(), RECEIVED_SHUTDOWN) |
Jean-Paul Calderone | f73a3cb | 2014-02-09 08:49:06 -0500 | [diff] [blame] | 2327 | |
Jean-Paul Calderone | cfecc24 | 2010-07-29 22:47:06 -0400 | [diff] [blame] | 2328 | def test_app_data_wrong_args(self): |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2329 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2330 | :py:obj:`Connection.set_app_data` raises :py:obj:`TypeError` if called |
| 2331 | with other than one argument. :py:obj:`Connection.get_app_data` raises |
| 2332 | :py:obj:`TypeError` if called with any arguments. |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2333 | """ |
Jean-Paul Calderone | cfecc24 | 2010-07-29 22:47:06 -0400 | [diff] [blame] | 2334 | conn = Connection(Context(TLSv1_METHOD), None) |
| 2335 | self.assertRaises(TypeError, conn.get_app_data, None) |
| 2336 | self.assertRaises(TypeError, conn.set_app_data) |
| 2337 | self.assertRaises(TypeError, conn.set_app_data, None, None) |
| 2338 | |
Jean-Paul Calderone | 1bd8c79 | 2010-07-29 09:51:06 -0400 | [diff] [blame] | 2339 | def test_app_data(self): |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2340 | """ |
| 2341 | Any object can be set as app data by passing it to |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2342 | :py:obj:`Connection.set_app_data` and later retrieved with |
| 2343 | :py:obj:`Connection.get_app_data`. |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2344 | """ |
Jean-Paul Calderone | 1bd8c79 | 2010-07-29 09:51:06 -0400 | [diff] [blame] | 2345 | conn = Connection(Context(TLSv1_METHOD), None) |
| 2346 | app_data = object() |
| 2347 | conn.set_app_data(app_data) |
| 2348 | self.assertIdentical(conn.get_app_data(), app_data) |
| 2349 | |
Jean-Paul Calderone | cfecc24 | 2010-07-29 22:47:06 -0400 | [diff] [blame] | 2350 | def test_makefile(self): |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2351 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2352 | :py:obj:`Connection.makefile` is not implemented and calling that |
| 2353 | method raises :py:obj:`NotImplementedError`. |
Jean-Paul Calderone | 93dba22 | 2010-09-08 22:59:37 -0400 | [diff] [blame] | 2354 | """ |
Jean-Paul Calderone | cfecc24 | 2010-07-29 22:47:06 -0400 | [diff] [blame] | 2355 | conn = Connection(Context(TLSv1_METHOD), None) |
| 2356 | self.assertRaises(NotImplementedError, conn.makefile) |
| 2357 | |
Jean-Paul Calderone | 20222ae | 2011-05-19 21:43:46 -0400 | [diff] [blame] | 2358 | def test_get_peer_cert_chain_wrong_args(self): |
| 2359 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2360 | :py:obj:`Connection.get_peer_cert_chain` raises :py:obj:`TypeError` if |
| 2361 | called with any arguments. |
Jean-Paul Calderone | 20222ae | 2011-05-19 21:43:46 -0400 | [diff] [blame] | 2362 | """ |
| 2363 | conn = Connection(Context(TLSv1_METHOD), None) |
| 2364 | self.assertRaises(TypeError, conn.get_peer_cert_chain, 1) |
| 2365 | self.assertRaises(TypeError, conn.get_peer_cert_chain, "foo") |
| 2366 | self.assertRaises(TypeError, conn.get_peer_cert_chain, object()) |
| 2367 | self.assertRaises(TypeError, conn.get_peer_cert_chain, []) |
| 2368 | |
Jean-Paul Calderone | 20222ae | 2011-05-19 21:43:46 -0400 | [diff] [blame] | 2369 | def test_get_peer_cert_chain(self): |
| 2370 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2371 | :py:obj:`Connection.get_peer_cert_chain` returns a list of certificates |
| 2372 | which the connected server returned for the certification verification. |
Jean-Paul Calderone | 20222ae | 2011-05-19 21:43:46 -0400 | [diff] [blame] | 2373 | """ |
| 2374 | chain = _create_certificate_chain() |
| 2375 | [(cakey, cacert), (ikey, icert), (skey, scert)] = chain |
| 2376 | |
| 2377 | serverContext = Context(TLSv1_METHOD) |
| 2378 | serverContext.use_privatekey(skey) |
| 2379 | serverContext.use_certificate(scert) |
| 2380 | serverContext.add_extra_chain_cert(icert) |
| 2381 | serverContext.add_extra_chain_cert(cacert) |
| 2382 | server = Connection(serverContext, None) |
| 2383 | server.set_accept_state() |
| 2384 | |
| 2385 | # Create the client |
| 2386 | clientContext = Context(TLSv1_METHOD) |
| 2387 | clientContext.set_verify(VERIFY_NONE, verify_cb) |
| 2388 | client = Connection(clientContext, None) |
| 2389 | client.set_connect_state() |
| 2390 | |
| 2391 | self._interactInMemory(client, server) |
| 2392 | |
| 2393 | chain = client.get_peer_cert_chain() |
| 2394 | self.assertEqual(len(chain), 3) |
Jean-Paul Calderone | e33300c | 2011-05-19 21:44:38 -0400 | [diff] [blame] | 2395 | self.assertEqual( |
Jean-Paul Calderone | 24a4243 | 2011-05-19 22:21:18 -0400 | [diff] [blame] | 2396 | "Server Certificate", chain[0].get_subject().CN) |
Jean-Paul Calderone | e33300c | 2011-05-19 21:44:38 -0400 | [diff] [blame] | 2397 | self.assertEqual( |
Jean-Paul Calderone | 24a4243 | 2011-05-19 22:21:18 -0400 | [diff] [blame] | 2398 | "Intermediate Certificate", chain[1].get_subject().CN) |
Jean-Paul Calderone | e33300c | 2011-05-19 21:44:38 -0400 | [diff] [blame] | 2399 | self.assertEqual( |
Jean-Paul Calderone | 24a4243 | 2011-05-19 22:21:18 -0400 | [diff] [blame] | 2400 | "Authority Certificate", chain[2].get_subject().CN) |
| 2401 | |
Jean-Paul Calderone | 24a4243 | 2011-05-19 22:21:18 -0400 | [diff] [blame] | 2402 | def test_get_peer_cert_chain_none(self): |
| 2403 | """ |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2404 | :py:obj:`Connection.get_peer_cert_chain` returns :py:obj:`None` if the |
| 2405 | peer sends no certificate chain. |
Jean-Paul Calderone | 24a4243 | 2011-05-19 22:21:18 -0400 | [diff] [blame] | 2406 | """ |
| 2407 | ctx = Context(TLSv1_METHOD) |
| 2408 | ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem)) |
| 2409 | ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem)) |
| 2410 | server = Connection(ctx, None) |
| 2411 | server.set_accept_state() |
| 2412 | client = Connection(Context(TLSv1_METHOD), None) |
| 2413 | client.set_connect_state() |
| 2414 | self._interactInMemory(client, server) |
| 2415 | self.assertIdentical(None, server.get_peer_cert_chain()) |
Jean-Paul Calderone | 20222ae | 2011-05-19 21:43:46 -0400 | [diff] [blame] | 2416 | |
Jean-Paul Calderone | 64eaffc | 2012-02-13 11:53:49 -0500 | [diff] [blame] | 2417 | def test_get_session_wrong_args(self): |
| 2418 | """ |
| 2419 | :py:obj:`Connection.get_session` raises :py:obj:`TypeError` if called |
| 2420 | with any arguments. |
| 2421 | """ |
| 2422 | ctx = Context(TLSv1_METHOD) |
| 2423 | server = Connection(ctx, None) |
| 2424 | self.assertRaises(TypeError, server.get_session, 123) |
| 2425 | self.assertRaises(TypeError, server.get_session, "hello") |
| 2426 | self.assertRaises(TypeError, server.get_session, object()) |
| 2427 | |
Jean-Paul Calderone | 64eaffc | 2012-02-13 11:53:49 -0500 | [diff] [blame] | 2428 | def test_get_session_unconnected(self): |
| 2429 | """ |
| 2430 | :py:obj:`Connection.get_session` returns :py:obj:`None` when used with |
| 2431 | an object which has not been connected. |
| 2432 | """ |
| 2433 | ctx = Context(TLSv1_METHOD) |
| 2434 | server = Connection(ctx, None) |
| 2435 | session = server.get_session() |
| 2436 | self.assertIdentical(None, session) |
| 2437 | |
Jean-Paul Calderone | 64eaffc | 2012-02-13 11:53:49 -0500 | [diff] [blame] | 2438 | def test_server_get_session(self): |
| 2439 | """ |
| 2440 | On the server side of a connection, :py:obj:`Connection.get_session` |
| 2441 | returns a :py:class:`Session` instance representing the SSL session for |
| 2442 | that connection. |
| 2443 | """ |
| 2444 | server, client = self._loopback() |
| 2445 | session = server.get_session() |
Jean-Paul Calderone | a63714c | 2013-03-05 17:02:26 -0800 | [diff] [blame] | 2446 | self.assertIsInstance(session, Session) |
Jean-Paul Calderone | 64eaffc | 2012-02-13 11:53:49 -0500 | [diff] [blame] | 2447 | |
Jean-Paul Calderone | 64eaffc | 2012-02-13 11:53:49 -0500 | [diff] [blame] | 2448 | def test_client_get_session(self): |
| 2449 | """ |
| 2450 | On the client side of a connection, :py:obj:`Connection.get_session` |
| 2451 | returns a :py:class:`Session` instance representing the SSL session for |
| 2452 | that connection. |
| 2453 | """ |
| 2454 | server, client = self._loopback() |
| 2455 | session = client.get_session() |
Jean-Paul Calderone | a63714c | 2013-03-05 17:02:26 -0800 | [diff] [blame] | 2456 | self.assertIsInstance(session, Session) |
Jean-Paul Calderone | 64eaffc | 2012-02-13 11:53:49 -0500 | [diff] [blame] | 2457 | |
Jean-Paul Calderone | fef5c4b | 2012-02-14 16:31:52 -0500 | [diff] [blame] | 2458 | def test_set_session_wrong_args(self): |
| 2459 | """ |
| 2460 | If called with an object that is not an instance of :py:class:`Session`, |
| 2461 | or with other than one argument, :py:obj:`Connection.set_session` raises |
| 2462 | :py:obj:`TypeError`. |
| 2463 | """ |
| 2464 | ctx = Context(TLSv1_METHOD) |
| 2465 | connection = Connection(ctx, None) |
| 2466 | self.assertRaises(TypeError, connection.set_session) |
| 2467 | self.assertRaises(TypeError, connection.set_session, 123) |
| 2468 | self.assertRaises(TypeError, connection.set_session, "hello") |
| 2469 | self.assertRaises(TypeError, connection.set_session, object()) |
| 2470 | self.assertRaises( |
| 2471 | TypeError, connection.set_session, Session(), Session()) |
| 2472 | |
Jean-Paul Calderone | fef5c4b | 2012-02-14 16:31:52 -0500 | [diff] [blame] | 2473 | def test_client_set_session(self): |
| 2474 | """ |
| 2475 | :py:obj:`Connection.set_session`, when used prior to a connection being |
| 2476 | established, accepts a :py:class:`Session` instance and causes an |
| 2477 | attempt to re-use the session it represents when the SSL handshake is |
| 2478 | performed. |
| 2479 | """ |
| 2480 | key = load_privatekey(FILETYPE_PEM, server_key_pem) |
| 2481 | cert = load_certificate(FILETYPE_PEM, server_cert_pem) |
| 2482 | ctx = Context(TLSv1_METHOD) |
| 2483 | ctx.use_privatekey(key) |
| 2484 | ctx.use_certificate(cert) |
| 2485 | ctx.set_session_id("unity-test") |
| 2486 | |
| 2487 | def makeServer(socket): |
| 2488 | server = Connection(ctx, socket) |
| 2489 | server.set_accept_state() |
| 2490 | return server |
| 2491 | |
| 2492 | originalServer, originalClient = self._loopback( |
| 2493 | serverFactory=makeServer) |
| 2494 | originalSession = originalClient.get_session() |
| 2495 | |
| 2496 | def makeClient(socket): |
| 2497 | client = self._loopbackClientFactory(socket) |
| 2498 | client.set_session(originalSession) |
| 2499 | return client |
| 2500 | resumedServer, resumedClient = self._loopback( |
| 2501 | serverFactory=makeServer, |
| 2502 | clientFactory=makeClient) |
| 2503 | |
| 2504 | # This is a proxy: in general, we have no access to any unique |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2505 | # identifier for the session (new enough versions of OpenSSL expose |
| 2506 | # a hash which could be usable, but "new enough" is very, very new). |
Jean-Paul Calderone | fef5c4b | 2012-02-14 16:31:52 -0500 | [diff] [blame] | 2507 | # Instead, exploit the fact that the master key is re-used if the |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2508 | # session is re-used. As long as the master key for the two |
| 2509 | # connections is the same, the session was re-used! |
Jean-Paul Calderone | fef5c4b | 2012-02-14 16:31:52 -0500 | [diff] [blame] | 2510 | self.assertEqual( |
| 2511 | originalServer.master_key(), resumedServer.master_key()) |
| 2512 | |
Jean-Paul Calderone | 5ea4149 | 2012-02-14 16:51:35 -0500 | [diff] [blame] | 2513 | def test_set_session_wrong_method(self): |
| 2514 | """ |
Jean-Paul Calderone | 068cb59 | 2012-02-14 16:52:43 -0500 | [diff] [blame] | 2515 | If :py:obj:`Connection.set_session` is passed a :py:class:`Session` |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2516 | instance associated with a context using a different SSL method than |
| 2517 | the :py:obj:`Connection` is using, a :py:class:`OpenSSL.SSL.Error` is |
Jean-Paul Calderone | 068cb59 | 2012-02-14 16:52:43 -0500 | [diff] [blame] | 2518 | raised. |
Jean-Paul Calderone | 5ea4149 | 2012-02-14 16:51:35 -0500 | [diff] [blame] | 2519 | """ |
| 2520 | key = load_privatekey(FILETYPE_PEM, server_key_pem) |
| 2521 | cert = load_certificate(FILETYPE_PEM, server_cert_pem) |
| 2522 | ctx = Context(TLSv1_METHOD) |
| 2523 | ctx.use_privatekey(key) |
| 2524 | ctx.use_certificate(cert) |
| 2525 | ctx.set_session_id("unity-test") |
| 2526 | |
| 2527 | def makeServer(socket): |
| 2528 | server = Connection(ctx, socket) |
| 2529 | server.set_accept_state() |
| 2530 | return server |
| 2531 | |
| 2532 | originalServer, originalClient = self._loopback( |
| 2533 | serverFactory=makeServer) |
| 2534 | originalSession = originalClient.get_session() |
| 2535 | |
| 2536 | def makeClient(socket): |
| 2537 | # Intentionally use a different, incompatible method here. |
| 2538 | client = Connection(Context(SSLv3_METHOD), socket) |
| 2539 | client.set_connect_state() |
| 2540 | client.set_session(originalSession) |
| 2541 | return client |
| 2542 | |
| 2543 | self.assertRaises( |
| 2544 | Error, |
| 2545 | self._loopback, clientFactory=makeClient, serverFactory=makeServer) |
| 2546 | |
Jean-Paul Calderone | d899af0 | 2013-03-19 22:10:37 -0700 | [diff] [blame] | 2547 | def test_wantWriteError(self): |
| 2548 | """ |
| 2549 | :py:obj:`Connection` methods which generate output raise |
| 2550 | :py:obj:`OpenSSL.SSL.WantWriteError` if writing to the connection's BIO |
| 2551 | fail indicating a should-write state. |
| 2552 | """ |
| 2553 | client_socket, server_socket = socket_pair() |
| 2554 | # Fill up the client's send buffer so Connection won't be able to write |
Jean-Paul Calderone | bbff8b9 | 2014-03-22 14:20:30 -0400 | [diff] [blame] | 2555 | # anything. Only write a single byte at a time so we can be sure we |
| 2556 | # completely fill the buffer. Even though the socket API is allowed to |
| 2557 | # signal a short write via its return value it seems this doesn't |
| 2558 | # always happen on all platforms (FreeBSD and OS X particular) for the |
| 2559 | # very last bit of available buffer space. |
| 2560 | msg = b"x" |
| 2561 | for i in range(1024 * 1024 * 4): |
Jean-Paul Calderone | d899af0 | 2013-03-19 22:10:37 -0700 | [diff] [blame] | 2562 | try: |
| 2563 | client_socket.send(msg) |
| 2564 | except error as e: |
| 2565 | if e.errno == EWOULDBLOCK: |
| 2566 | break |
| 2567 | raise |
| 2568 | else: |
| 2569 | self.fail( |
| 2570 | "Failed to fill socket buffer, cannot test BIO want write") |
| 2571 | |
| 2572 | ctx = Context(TLSv1_METHOD) |
| 2573 | conn = Connection(ctx, client_socket) |
| 2574 | # Client's speak first, so make it an SSL client |
| 2575 | conn.set_connect_state() |
| 2576 | self.assertRaises(WantWriteError, conn.do_handshake) |
| 2577 | |
| 2578 | # XXX want_read |
| 2579 | |
Fedor Brunner | 416f4a1 | 2014-03-28 13:18:38 +0100 | [diff] [blame] | 2580 | def test_get_finished_before_connect(self): |
Fedor Brunner | 5747b93 | 2014-03-05 14:22:34 +0100 | [diff] [blame] | 2581 | """ |
Jean-Paul Calderone | 5b05b48 | 2014-03-30 11:28:54 -0400 | [diff] [blame] | 2582 | :py:obj:`Connection.get_finished` returns :py:obj:`None` before TLS |
| 2583 | handshake is completed. |
Fedor Brunner | 5747b93 | 2014-03-05 14:22:34 +0100 | [diff] [blame] | 2584 | """ |
Fedor Brunner | 5747b93 | 2014-03-05 14:22:34 +0100 | [diff] [blame] | 2585 | ctx = Context(TLSv1_METHOD) |
| 2586 | connection = Connection(ctx, None) |
| 2587 | self.assertEqual(connection.get_finished(), None) |
Fedor Brunner | 416f4a1 | 2014-03-28 13:18:38 +0100 | [diff] [blame] | 2588 | |
| 2589 | def test_get_peer_finished_before_connect(self): |
| 2590 | """ |
Jean-Paul Calderone | 5b05b48 | 2014-03-30 11:28:54 -0400 | [diff] [blame] | 2591 | :py:obj:`Connection.get_peer_finished` returns :py:obj:`None` before |
| 2592 | TLS handshake is completed. |
Fedor Brunner | 416f4a1 | 2014-03-28 13:18:38 +0100 | [diff] [blame] | 2593 | """ |
Fedor Brunner | 416f4a1 | 2014-03-28 13:18:38 +0100 | [diff] [blame] | 2594 | ctx = Context(TLSv1_METHOD) |
| 2595 | connection = Connection(ctx, None) |
Fedor Brunner | 5747b93 | 2014-03-05 14:22:34 +0100 | [diff] [blame] | 2596 | self.assertEqual(connection.get_peer_finished(), None) |
| 2597 | |
Fedor Brunner | 416f4a1 | 2014-03-28 13:18:38 +0100 | [diff] [blame] | 2598 | def test_get_finished(self): |
| 2599 | """ |
| 2600 | :py:obj:`Connection.get_finished` method returns the TLS Finished |
Jean-Paul Calderone | 5b05b48 | 2014-03-30 11:28:54 -0400 | [diff] [blame] | 2601 | message send from client, or server. Finished messages are send during |
| 2602 | TLS handshake. |
Fedor Brunner | 416f4a1 | 2014-03-28 13:18:38 +0100 | [diff] [blame] | 2603 | """ |
| 2604 | |
Fedor Brunner | 5747b93 | 2014-03-05 14:22:34 +0100 | [diff] [blame] | 2605 | server, client = self._loopback() |
| 2606 | |
| 2607 | self.assertNotEqual(server.get_finished(), None) |
| 2608 | self.assertTrue(len(server.get_finished()) > 0) |
Fedor Brunner | 416f4a1 | 2014-03-28 13:18:38 +0100 | [diff] [blame] | 2609 | |
| 2610 | def test_get_peer_finished(self): |
| 2611 | """ |
| 2612 | :py:obj:`Connection.get_peer_finished` method returns the TLS Finished |
Jean-Paul Calderone | 5b05b48 | 2014-03-30 11:28:54 -0400 | [diff] [blame] | 2613 | message received from client, or server. Finished messages are send |
| 2614 | during TLS handshake. |
Fedor Brunner | 416f4a1 | 2014-03-28 13:18:38 +0100 | [diff] [blame] | 2615 | """ |
Fedor Brunner | 416f4a1 | 2014-03-28 13:18:38 +0100 | [diff] [blame] | 2616 | server, client = self._loopback() |
| 2617 | |
| 2618 | self.assertNotEqual(server.get_peer_finished(), None) |
Fedor Brunner | 5747b93 | 2014-03-05 14:22:34 +0100 | [diff] [blame] | 2619 | self.assertTrue(len(server.get_peer_finished()) > 0) |
| 2620 | |
Fedor Brunner | 416f4a1 | 2014-03-28 13:18:38 +0100 | [diff] [blame] | 2621 | def test_tls_finished_message_symmetry(self): |
| 2622 | """ |
Jean-Paul Calderone | 5b05b48 | 2014-03-30 11:28:54 -0400 | [diff] [blame] | 2623 | The TLS Finished message send by server must be the TLS Finished message |
Fedor Brunner | 416f4a1 | 2014-03-28 13:18:38 +0100 | [diff] [blame] | 2624 | received by client. |
| 2625 | |
Jean-Paul Calderone | 5b05b48 | 2014-03-30 11:28:54 -0400 | [diff] [blame] | 2626 | The TLS Finished message send by client must be the TLS Finished message |
Fedor Brunner | 416f4a1 | 2014-03-28 13:18:38 +0100 | [diff] [blame] | 2627 | received by server. |
| 2628 | """ |
Fedor Brunner | 416f4a1 | 2014-03-28 13:18:38 +0100 | [diff] [blame] | 2629 | server, client = self._loopback() |
| 2630 | |
Fedor Brunner | 5747b93 | 2014-03-05 14:22:34 +0100 | [diff] [blame] | 2631 | self.assertEqual(server.get_finished(), client.get_peer_finished()) |
| 2632 | self.assertEqual(client.get_finished(), server.get_peer_finished()) |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 2633 | |
Fedor Brunner | 2cffdbc | 2014-03-10 10:35:23 +0100 | [diff] [blame] | 2634 | def test_get_cipher_name_before_connect(self): |
| 2635 | """ |
Jean-Paul Calderone | 5b05b48 | 2014-03-30 11:28:54 -0400 | [diff] [blame] | 2636 | :py:obj:`Connection.get_cipher_name` returns :py:obj:`None` if no |
| 2637 | connection has been established. |
Fedor Brunner | 2cffdbc | 2014-03-10 10:35:23 +0100 | [diff] [blame] | 2638 | """ |
| 2639 | ctx = Context(TLSv1_METHOD) |
| 2640 | conn = Connection(ctx, None) |
Jean-Paul Calderone | 069e2bf | 2014-03-29 18:21:58 -0400 | [diff] [blame] | 2641 | self.assertIdentical(conn.get_cipher_name(), None) |
Fedor Brunner | 2cffdbc | 2014-03-10 10:35:23 +0100 | [diff] [blame] | 2642 | |
Fedor Brunner | d95014a | 2014-03-03 17:34:41 +0100 | [diff] [blame] | 2643 | def test_get_cipher_name(self): |
| 2644 | """ |
Jean-Paul Calderone | 7f0ded4 | 2014-03-30 10:34:17 -0400 | [diff] [blame] | 2645 | :py:obj:`Connection.get_cipher_name` returns a :py:class:`unicode` |
| 2646 | string giving the name of the currently used cipher. |
Fedor Brunner | d95014a | 2014-03-03 17:34:41 +0100 | [diff] [blame] | 2647 | """ |
Fedor Brunner | d95014a | 2014-03-03 17:34:41 +0100 | [diff] [blame] | 2648 | server, client = self._loopback() |
| 2649 | server_cipher_name, client_cipher_name = \ |
| 2650 | server.get_cipher_name(), client.get_cipher_name() |
| 2651 | |
Jean-Paul Calderone | 7f0ded4 | 2014-03-30 10:34:17 -0400 | [diff] [blame] | 2652 | self.assertIsInstance(server_cipher_name, text_type) |
| 2653 | self.assertIsInstance(client_cipher_name, text_type) |
Fedor Brunner | d95014a | 2014-03-03 17:34:41 +0100 | [diff] [blame] | 2654 | |
| 2655 | self.assertEqual(server_cipher_name, client_cipher_name) |
| 2656 | |
Fedor Brunner | 2cffdbc | 2014-03-10 10:35:23 +0100 | [diff] [blame] | 2657 | def test_get_cipher_version_before_connect(self): |
| 2658 | """ |
Jean-Paul Calderone | 5b05b48 | 2014-03-30 11:28:54 -0400 | [diff] [blame] | 2659 | :py:obj:`Connection.get_cipher_version` returns :py:obj:`None` if no |
| 2660 | connection has been established. |
Fedor Brunner | 2cffdbc | 2014-03-10 10:35:23 +0100 | [diff] [blame] | 2661 | """ |
| 2662 | ctx = Context(TLSv1_METHOD) |
| 2663 | conn = Connection(ctx, None) |
Jean-Paul Calderone | 069e2bf | 2014-03-29 18:21:58 -0400 | [diff] [blame] | 2664 | self.assertIdentical(conn.get_cipher_version(), None) |
Fedor Brunner | 2cffdbc | 2014-03-10 10:35:23 +0100 | [diff] [blame] | 2665 | |
Fedor Brunner | d95014a | 2014-03-03 17:34:41 +0100 | [diff] [blame] | 2666 | def test_get_cipher_version(self): |
| 2667 | """ |
Jean-Paul Calderone | 7f0ded4 | 2014-03-30 10:34:17 -0400 | [diff] [blame] | 2668 | :py:obj:`Connection.get_cipher_version` returns a :py:class:`unicode` |
| 2669 | string giving the protocol name of the currently used cipher. |
Fedor Brunner | d95014a | 2014-03-03 17:34:41 +0100 | [diff] [blame] | 2670 | """ |
Fedor Brunner | d95014a | 2014-03-03 17:34:41 +0100 | [diff] [blame] | 2671 | server, client = self._loopback() |
| 2672 | server_cipher_version, client_cipher_version = \ |
| 2673 | server.get_cipher_version(), client.get_cipher_version() |
| 2674 | |
Jean-Paul Calderone | 7f0ded4 | 2014-03-30 10:34:17 -0400 | [diff] [blame] | 2675 | self.assertIsInstance(server_cipher_version, text_type) |
| 2676 | self.assertIsInstance(client_cipher_version, text_type) |
Fedor Brunner | d95014a | 2014-03-03 17:34:41 +0100 | [diff] [blame] | 2677 | |
| 2678 | self.assertEqual(server_cipher_version, client_cipher_version) |
| 2679 | |
Fedor Brunner | 2cffdbc | 2014-03-10 10:35:23 +0100 | [diff] [blame] | 2680 | def test_get_cipher_bits_before_connect(self): |
| 2681 | """ |
Jean-Paul Calderone | 5b05b48 | 2014-03-30 11:28:54 -0400 | [diff] [blame] | 2682 | :py:obj:`Connection.get_cipher_bits` returns :py:obj:`None` if no |
| 2683 | connection has been established. |
Fedor Brunner | 2cffdbc | 2014-03-10 10:35:23 +0100 | [diff] [blame] | 2684 | """ |
| 2685 | ctx = Context(TLSv1_METHOD) |
| 2686 | conn = Connection(ctx, None) |
Jean-Paul Calderone | 069e2bf | 2014-03-29 18:21:58 -0400 | [diff] [blame] | 2687 | self.assertIdentical(conn.get_cipher_bits(), None) |
Fedor Brunner | 2cffdbc | 2014-03-10 10:35:23 +0100 | [diff] [blame] | 2688 | |
Fedor Brunner | d95014a | 2014-03-03 17:34:41 +0100 | [diff] [blame] | 2689 | def test_get_cipher_bits(self): |
| 2690 | """ |
Jean-Paul Calderone | 5b05b48 | 2014-03-30 11:28:54 -0400 | [diff] [blame] | 2691 | :py:obj:`Connection.get_cipher_bits` returns the number of secret bits |
| 2692 | of the currently used cipher. |
Fedor Brunner | d95014a | 2014-03-03 17:34:41 +0100 | [diff] [blame] | 2693 | """ |
Fedor Brunner | d95014a | 2014-03-03 17:34:41 +0100 | [diff] [blame] | 2694 | server, client = self._loopback() |
| 2695 | server_cipher_bits, client_cipher_bits = \ |
| 2696 | server.get_cipher_bits(), client.get_cipher_bits() |
| 2697 | |
Fedor Brunner | 2cffdbc | 2014-03-10 10:35:23 +0100 | [diff] [blame] | 2698 | self.assertIsInstance(server_cipher_bits, int) |
| 2699 | self.assertIsInstance(client_cipher_bits, int) |
Fedor Brunner | d95014a | 2014-03-03 17:34:41 +0100 | [diff] [blame] | 2700 | |
| 2701 | self.assertEqual(server_cipher_bits, client_cipher_bits) |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 2702 | |
Jim Shaver | abff188 | 2015-05-27 09:15:55 -0400 | [diff] [blame] | 2703 | def test_get_protocol_version_name(self): |
| 2704 | """ |
| 2705 | :py:obj:`Connection.get_protocol_version_name()` returns a string |
| 2706 | giving the protocol version of the current connection. |
| 2707 | """ |
| 2708 | server, client = self._loopback() |
| 2709 | client_protocol_version_name = client.get_protocol_version_name() |
| 2710 | server_protocol_version_name = server.get_protocol_version_name() |
| 2711 | |
Jim Shaver | 58d2573 | 2015-05-28 11:52:32 -0400 | [diff] [blame] | 2712 | self.assertIsInstance(server_protocol_version_name, text_type) |
| 2713 | self.assertIsInstance(client_protocol_version_name, text_type) |
Jim Shaver | abff188 | 2015-05-27 09:15:55 -0400 | [diff] [blame] | 2714 | |
Hynek Schlawack | 97cf1a8 | 2015-09-05 20:40:19 +0200 | [diff] [blame^] | 2715 | self.assertEqual( |
| 2716 | server_protocol_version_name, client_protocol_version_name |
| 2717 | ) |
Jim Shaver | abff188 | 2015-05-27 09:15:55 -0400 | [diff] [blame] | 2718 | |
Richard J. Moore | 5d85fca | 2015-01-11 17:04:43 +0000 | [diff] [blame] | 2719 | def test_get_protocol_version(self): |
| 2720 | """ |
Alex Gaynor | 4330778 | 2015-09-04 09:05:45 -0400 | [diff] [blame] | 2721 | :py:obj:`Connection.get_protocol_version()` returns an integer |
Richard J. Moore | 5d85fca | 2015-01-11 17:04:43 +0000 | [diff] [blame] | 2722 | giving the protocol version of the current connection. |
| 2723 | """ |
| 2724 | server, client = self._loopback() |
Jim Shaver | 85a4dff | 2015-04-27 17:42:46 -0400 | [diff] [blame] | 2725 | client_protocol_version = client.get_protocol_version() |
| 2726 | server_protocol_version = server.get_protocol_version() |
Richard J. Moore | 5d85fca | 2015-01-11 17:04:43 +0000 | [diff] [blame] | 2727 | |
Jim Shaver | abff188 | 2015-05-27 09:15:55 -0400 | [diff] [blame] | 2728 | self.assertIsInstance(server_protocol_version, int) |
| 2729 | self.assertIsInstance(client_protocol_version, int) |
Richard J. Moore | 5d85fca | 2015-01-11 17:04:43 +0000 | [diff] [blame] | 2730 | |
| 2731 | self.assertEqual(server_protocol_version, client_protocol_version) |
| 2732 | |
Jean-Paul Calderone | dbd7627 | 2014-03-29 18:09:40 -0400 | [diff] [blame] | 2733 | |
Jean-Paul Calderone | f135e62 | 2010-07-28 19:14:16 -0400 | [diff] [blame] | 2734 | class ConnectionGetCipherListTests(TestCase): |
Jean-Paul Calderone | a8fb0c8 | 2010-09-09 18:04:56 -0400 | [diff] [blame] | 2735 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2736 | Tests for :py:obj:`Connection.get_cipher_list`. |
Jean-Paul Calderone | a8fb0c8 | 2010-09-09 18:04:56 -0400 | [diff] [blame] | 2737 | """ |
Jean-Paul Calderone | 54a2bc0 | 2010-09-09 17:52:38 -0400 | [diff] [blame] | 2738 | def test_wrong_args(self): |
Jean-Paul Calderone | a8fb0c8 | 2010-09-09 18:04:56 -0400 | [diff] [blame] | 2739 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2740 | :py:obj:`Connection.get_cipher_list` raises :py:obj:`TypeError` if called with any |
Jean-Paul Calderone | a8fb0c8 | 2010-09-09 18:04:56 -0400 | [diff] [blame] | 2741 | arguments. |
| 2742 | """ |
Jean-Paul Calderone | f135e62 | 2010-07-28 19:14:16 -0400 | [diff] [blame] | 2743 | connection = Connection(Context(TLSv1_METHOD), None) |
| 2744 | self.assertRaises(TypeError, connection.get_cipher_list, None) |
| 2745 | |
| 2746 | |
| 2747 | def test_result(self): |
Jean-Paul Calderone | a8fb0c8 | 2010-09-09 18:04:56 -0400 | [diff] [blame] | 2748 | """ |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 2749 | :py:obj:`Connection.get_cipher_list` returns a :py:obj:`list` of |
| 2750 | :py:obj:`bytes` giving the names of the ciphers which might be used. |
Jean-Paul Calderone | a8fb0c8 | 2010-09-09 18:04:56 -0400 | [diff] [blame] | 2751 | """ |
Jean-Paul Calderone | f135e62 | 2010-07-28 19:14:16 -0400 | [diff] [blame] | 2752 | connection = Connection(Context(TLSv1_METHOD), None) |
| 2753 | ciphers = connection.get_cipher_list() |
| 2754 | self.assertTrue(isinstance(ciphers, list)) |
| 2755 | for cipher in ciphers: |
| 2756 | self.assertTrue(isinstance(cipher, str)) |
| 2757 | |
| 2758 | |
| 2759 | |
Jean-Paul Calderone | 9cbbe26 | 2011-01-05 14:53:43 -0500 | [diff] [blame] | 2760 | class ConnectionSendTests(TestCase, _LoopbackMixin): |
| 2761 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2762 | Tests for :py:obj:`Connection.send` |
Jean-Paul Calderone | 9cbbe26 | 2011-01-05 14:53:43 -0500 | [diff] [blame] | 2763 | """ |
| 2764 | def test_wrong_args(self): |
| 2765 | """ |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 2766 | When called with arguments other than string argument for its first |
| 2767 | parameter or more than two arguments, :py:obj:`Connection.send` raises |
| 2768 | :py:obj:`TypeError`. |
Jean-Paul Calderone | 9cbbe26 | 2011-01-05 14:53:43 -0500 | [diff] [blame] | 2769 | """ |
| 2770 | connection = Connection(Context(TLSv1_METHOD), None) |
Jean-Paul Calderone | 77fa260 | 2011-01-05 18:23:39 -0500 | [diff] [blame] | 2771 | self.assertRaises(TypeError, connection.send) |
| 2772 | self.assertRaises(TypeError, connection.send, object()) |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 2773 | self.assertRaises(TypeError, connection.send, "foo", object(), "bar") |
Jean-Paul Calderone | 9cbbe26 | 2011-01-05 14:53:43 -0500 | [diff] [blame] | 2774 | |
| 2775 | |
| 2776 | def test_short_bytes(self): |
| 2777 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2778 | When passed a short byte string, :py:obj:`Connection.send` transmits all of it |
Jean-Paul Calderone | 9cbbe26 | 2011-01-05 14:53:43 -0500 | [diff] [blame] | 2779 | and returns the number of bytes sent. |
| 2780 | """ |
| 2781 | server, client = self._loopback() |
| 2782 | count = server.send(b('xy')) |
| 2783 | self.assertEquals(count, 2) |
| 2784 | self.assertEquals(client.recv(2), b('xy')) |
| 2785 | |
Abraham Martin | ef06348 | 2015-03-25 14:06:24 +0000 | [diff] [blame] | 2786 | |
| 2787 | def test_text(self): |
| 2788 | """ |
Jean-Paul Calderone | 6462b07 | 2015-03-29 07:03:11 -0400 | [diff] [blame] | 2789 | When passed a text, :py:obj:`Connection.send` transmits all of it and |
| 2790 | returns the number of bytes sent. It also raises a DeprecationWarning. |
Abraham Martin | ef06348 | 2015-03-25 14:06:24 +0000 | [diff] [blame] | 2791 | """ |
| 2792 | server, client = self._loopback() |
| 2793 | with catch_warnings(record=True) as w: |
| 2794 | simplefilter("always") |
Jean-Paul Calderone | 13a0e65 | 2015-03-29 07:58:51 -0400 | [diff] [blame] | 2795 | count = server.send(b"xy".decode("ascii")) |
Jean-Paul Calderone | 6462b07 | 2015-03-29 07:03:11 -0400 | [diff] [blame] | 2796 | self.assertEqual( |
Jean-Paul Calderone | 13a0e65 | 2015-03-29 07:58:51 -0400 | [diff] [blame] | 2797 | "{0} for buf is no longer accepted, use bytes".format( |
Jean-Paul Calderone | 6462b07 | 2015-03-29 07:03:11 -0400 | [diff] [blame] | 2798 | WARNING_TYPE_EXPECTED |
| 2799 | ), |
| 2800 | str(w[-1].message) |
| 2801 | ) |
| 2802 | self.assertIs(w[-1].category, DeprecationWarning) |
Abraham Martin | ef06348 | 2015-03-25 14:06:24 +0000 | [diff] [blame] | 2803 | self.assertEquals(count, 2) |
Jean-Paul Calderone | 6462b07 | 2015-03-29 07:03:11 -0400 | [diff] [blame] | 2804 | self.assertEquals(client.recv(2), b"xy") |
Abraham Martin | ef06348 | 2015-03-25 14:06:24 +0000 | [diff] [blame] | 2805 | |
Jean-Paul Calderone | 9cbbe26 | 2011-01-05 14:53:43 -0500 | [diff] [blame] | 2806 | try: |
| 2807 | memoryview |
| 2808 | except NameError: |
| 2809 | "cannot test sending memoryview without memoryview" |
| 2810 | else: |
| 2811 | def test_short_memoryview(self): |
| 2812 | """ |
| 2813 | When passed a memoryview onto a small number of bytes, |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 2814 | :py:obj:`Connection.send` transmits all of them and returns the number of |
Jean-Paul Calderone | 9cbbe26 | 2011-01-05 14:53:43 -0500 | [diff] [blame] | 2815 | bytes sent. |
| 2816 | """ |
| 2817 | server, client = self._loopback() |
| 2818 | count = server.send(memoryview(b('xy'))) |
| 2819 | self.assertEquals(count, 2) |
| 2820 | self.assertEquals(client.recv(2), b('xy')) |
| 2821 | |
| 2822 | |
Markus Unterwaditzer | 8e41d02 | 2014-04-19 12:27:11 +0200 | [diff] [blame] | 2823 | try: |
| 2824 | buffer |
| 2825 | except NameError: |
| 2826 | "cannot test sending buffer without buffer" |
| 2827 | else: |
| 2828 | def test_short_buffer(self): |
| 2829 | """ |
| 2830 | When passed a buffer containing a small number of bytes, |
| 2831 | :py:obj:`Connection.send` transmits all of them and returns the number of |
| 2832 | bytes sent. |
| 2833 | """ |
| 2834 | server, client = self._loopback() |
| 2835 | count = server.send(buffer(b('xy'))) |
| 2836 | self.assertEquals(count, 2) |
| 2837 | self.assertEquals(client.recv(2), b('xy')) |
| 2838 | |
| 2839 | |
Jean-Paul Calderone | 691e6c9 | 2011-01-21 22:04:35 -0500 | [diff] [blame] | 2840 | |
Jean-Paul Calderone | 6c84010 | 2015-03-15 17:32:15 -0400 | [diff] [blame] | 2841 | def _make_memoryview(size): |
| 2842 | """ |
| 2843 | Create a new ``memoryview`` wrapped around a ``bytearray`` of the given |
| 2844 | size. |
| 2845 | """ |
| 2846 | return memoryview(bytearray(size)) |
| 2847 | |
| 2848 | |
| 2849 | |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2850 | class ConnectionRecvIntoTests(TestCase, _LoopbackMixin): |
| 2851 | """ |
| 2852 | Tests for :py:obj:`Connection.recv_into` |
| 2853 | """ |
Jean-Paul Calderone | 6c84010 | 2015-03-15 17:32:15 -0400 | [diff] [blame] | 2854 | def _no_length_test(self, factory): |
Jean-Paul Calderone | 61559d8 | 2015-03-15 17:04:50 -0400 | [diff] [blame] | 2855 | """ |
| 2856 | Assert that when the given buffer is passed to |
| 2857 | ``Connection.recv_into``, whatever bytes are available to be received |
| 2858 | that fit into that buffer are written into that buffer. |
| 2859 | """ |
Jean-Paul Calderone | 6c84010 | 2015-03-15 17:32:15 -0400 | [diff] [blame] | 2860 | output_buffer = factory(5) |
| 2861 | |
Jean-Paul Calderone | 332a85e | 2015-03-15 17:02:40 -0400 | [diff] [blame] | 2862 | server, client = self._loopback() |
| 2863 | server.send(b('xy')) |
| 2864 | |
Jean-Paul Calderone | 320af1e | 2015-03-15 17:20:13 -0400 | [diff] [blame] | 2865 | self.assertEqual(client.recv_into(output_buffer), 2) |
| 2866 | self.assertEqual(output_buffer, bytearray(b('xy\x00\x00\x00'))) |
Jean-Paul Calderone | 332a85e | 2015-03-15 17:02:40 -0400 | [diff] [blame] | 2867 | |
| 2868 | |
Jean-Paul Calderone | d335b27 | 2015-03-15 17:26:38 -0400 | [diff] [blame] | 2869 | def test_bytearray_no_length(self): |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2870 | """ |
Jean-Paul Calderone | 61559d8 | 2015-03-15 17:04:50 -0400 | [diff] [blame] | 2871 | :py:obj:`Connection.recv_into` can be passed a ``bytearray`` instance |
| 2872 | and data in the receive buffer is written to it. |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2873 | """ |
Jean-Paul Calderone | 6c84010 | 2015-03-15 17:32:15 -0400 | [diff] [blame] | 2874 | self._no_length_test(bytearray) |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2875 | |
| 2876 | |
Jean-Paul Calderone | 6c84010 | 2015-03-15 17:32:15 -0400 | [diff] [blame] | 2877 | def _respects_length_test(self, factory): |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2878 | """ |
Jean-Paul Calderone | c295a2f | 2015-03-15 17:11:18 -0400 | [diff] [blame] | 2879 | Assert that when the given buffer is passed to ``Connection.recv_into`` |
| 2880 | along with a value for ``nbytes`` that is less than the size of that |
| 2881 | buffer, only ``nbytes`` bytes are written into the buffer. |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2882 | """ |
Jean-Paul Calderone | 6c84010 | 2015-03-15 17:32:15 -0400 | [diff] [blame] | 2883 | output_buffer = factory(10) |
| 2884 | |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2885 | server, client = self._loopback() |
| 2886 | server.send(b('abcdefghij')) |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2887 | |
Jean-Paul Calderone | 320af1e | 2015-03-15 17:20:13 -0400 | [diff] [blame] | 2888 | self.assertEqual(client.recv_into(output_buffer, 5), 5) |
| 2889 | self.assertEqual( |
Jean-Paul Calderone | c295a2f | 2015-03-15 17:11:18 -0400 | [diff] [blame] | 2890 | output_buffer, bytearray(b('abcde\x00\x00\x00\x00\x00')) |
| 2891 | ) |
| 2892 | |
| 2893 | |
Jean-Paul Calderone | d335b27 | 2015-03-15 17:26:38 -0400 | [diff] [blame] | 2894 | def test_bytearray_respects_length(self): |
Jean-Paul Calderone | c295a2f | 2015-03-15 17:11:18 -0400 | [diff] [blame] | 2895 | """ |
| 2896 | When called with a ``bytearray`` instance, |
| 2897 | :py:obj:`Connection.recv_into` respects the ``nbytes`` parameter and |
| 2898 | doesn't copy in more than that number of bytes. |
| 2899 | """ |
Jean-Paul Calderone | 6c84010 | 2015-03-15 17:32:15 -0400 | [diff] [blame] | 2900 | self._respects_length_test(bytearray) |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2901 | |
| 2902 | |
Jean-Paul Calderone | 6c84010 | 2015-03-15 17:32:15 -0400 | [diff] [blame] | 2903 | def _doesnt_overfill_test(self, factory): |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2904 | """ |
Jean-Paul Calderone | 2b41ad3 | 2015-03-15 17:19:39 -0400 | [diff] [blame] | 2905 | Assert that if there are more bytes available to be read from the |
| 2906 | receive buffer than would fit into the buffer passed to |
| 2907 | :py:obj:`Connection.recv_into`, only as many as fit are written into |
| 2908 | it. |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2909 | """ |
Jean-Paul Calderone | 6c84010 | 2015-03-15 17:32:15 -0400 | [diff] [blame] | 2910 | output_buffer = factory(5) |
| 2911 | |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2912 | server, client = self._loopback() |
| 2913 | server.send(b('abcdefghij')) |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2914 | |
Jean-Paul Calderone | 320af1e | 2015-03-15 17:20:13 -0400 | [diff] [blame] | 2915 | self.assertEqual(client.recv_into(output_buffer), 5) |
| 2916 | self.assertEqual(output_buffer, bytearray(b('abcde'))) |
Jean-Paul Calderone | 2b41ad3 | 2015-03-15 17:19:39 -0400 | [diff] [blame] | 2917 | rest = client.recv(5) |
| 2918 | self.assertEqual(b('fghij'), rest) |
| 2919 | |
| 2920 | |
Jean-Paul Calderone | d335b27 | 2015-03-15 17:26:38 -0400 | [diff] [blame] | 2921 | def test_bytearray_doesnt_overfill(self): |
Jean-Paul Calderone | 2b41ad3 | 2015-03-15 17:19:39 -0400 | [diff] [blame] | 2922 | """ |
| 2923 | When called with a ``bytearray`` instance, |
| 2924 | :py:obj:`Connection.recv_into` respects the size of the array and |
| 2925 | doesn't write more bytes into it than will fit. |
| 2926 | """ |
Jean-Paul Calderone | 6c84010 | 2015-03-15 17:32:15 -0400 | [diff] [blame] | 2927 | self._doesnt_overfill_test(bytearray) |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2928 | |
| 2929 | |
Jean-Paul Calderone | 6c84010 | 2015-03-15 17:32:15 -0400 | [diff] [blame] | 2930 | def _really_doesnt_overfill_test(self, factory): |
Jean-Paul Calderone | 4bec59a | 2015-03-15 17:25:57 -0400 | [diff] [blame] | 2931 | """ |
| 2932 | Assert that if the value given by ``nbytes`` is greater than the actual |
| 2933 | size of the output buffer passed to :py:obj:`Connection.recv_into`, the |
| 2934 | behavior is as if no value was given for ``nbytes`` at all. |
| 2935 | """ |
Jean-Paul Calderone | 6c84010 | 2015-03-15 17:32:15 -0400 | [diff] [blame] | 2936 | output_buffer = factory(5) |
| 2937 | |
Jean-Paul Calderone | 4bec59a | 2015-03-15 17:25:57 -0400 | [diff] [blame] | 2938 | server, client = self._loopback() |
| 2939 | server.send(b('abcdefghij')) |
| 2940 | |
| 2941 | self.assertEqual(client.recv_into(output_buffer, 50), 5) |
| 2942 | self.assertEqual(output_buffer, bytearray(b('abcde'))) |
| 2943 | rest = client.recv(5) |
| 2944 | self.assertEqual(b('fghij'), rest) |
| 2945 | |
| 2946 | |
Jean-Paul Calderone | d335b27 | 2015-03-15 17:26:38 -0400 | [diff] [blame] | 2947 | def test_bytearray_really_doesnt_overfill(self): |
Jean-Paul Calderone | 4bec59a | 2015-03-15 17:25:57 -0400 | [diff] [blame] | 2948 | """ |
| 2949 | When called with a ``bytearray`` instance and an ``nbytes`` value that |
| 2950 | is too large, :py:obj:`Connection.recv_into` respects the size of the |
| 2951 | array and not the ``nbytes`` value and doesn't write more bytes into |
| 2952 | the buffer than will fit. |
| 2953 | """ |
Jean-Paul Calderone | 6c84010 | 2015-03-15 17:32:15 -0400 | [diff] [blame] | 2954 | self._doesnt_overfill_test(bytearray) |
Jean-Paul Calderone | 4bec59a | 2015-03-15 17:25:57 -0400 | [diff] [blame] | 2955 | |
| 2956 | |
Maximilian Hils | 1d95dea | 2015-08-17 19:27:20 +0200 | [diff] [blame] | 2957 | def test_peek(self): |
| 2958 | |
| 2959 | server, client = self._loopback() |
| 2960 | server.send(b('xy')) |
| 2961 | |
| 2962 | for _ in range(2): |
| 2963 | output_buffer = bytearray(5) |
| 2964 | self.assertEqual(client.recv_into(output_buffer, flags=MSG_PEEK), 2) |
| 2965 | self.assertEqual(output_buffer, bytearray(b('xy\x00\x00\x00'))) |
| 2966 | |
| 2967 | |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2968 | try: |
| 2969 | memoryview |
| 2970 | except NameError: |
| 2971 | "cannot test recv_into memoryview without memoryview" |
| 2972 | else: |
Jean-Paul Calderone | 332a85e | 2015-03-15 17:02:40 -0400 | [diff] [blame] | 2973 | def test_memoryview_no_length(self): |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2974 | """ |
Jean-Paul Calderone | 61559d8 | 2015-03-15 17:04:50 -0400 | [diff] [blame] | 2975 | :py:obj:`Connection.recv_into` can be passed a ``memoryview`` |
| 2976 | instance and data in the receive buffer is written to it. |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2977 | """ |
Jean-Paul Calderone | 6c84010 | 2015-03-15 17:32:15 -0400 | [diff] [blame] | 2978 | self._no_length_test(_make_memoryview) |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2979 | |
| 2980 | |
Jean-Paul Calderone | c295a2f | 2015-03-15 17:11:18 -0400 | [diff] [blame] | 2981 | def test_memoryview_respects_length(self): |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2982 | """ |
Jean-Paul Calderone | c295a2f | 2015-03-15 17:11:18 -0400 | [diff] [blame] | 2983 | When called with a ``memoryview`` instance, |
| 2984 | :py:obj:`Connection.recv_into` respects the ``nbytes`` parameter |
| 2985 | and doesn't copy more than that number of bytes in. |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2986 | """ |
Jean-Paul Calderone | 6c84010 | 2015-03-15 17:32:15 -0400 | [diff] [blame] | 2987 | self._respects_length_test(_make_memoryview) |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2988 | |
| 2989 | |
Jean-Paul Calderone | 2b41ad3 | 2015-03-15 17:19:39 -0400 | [diff] [blame] | 2990 | def test_memoryview_doesnt_overfill(self): |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2991 | """ |
Jean-Paul Calderone | 8fd8255 | 2015-03-15 17:21:07 -0400 | [diff] [blame] | 2992 | When called with a ``memoryview`` instance, |
| 2993 | :py:obj:`Connection.recv_into` respects the size of the array and |
| 2994 | doesn't write more bytes into it than will fit. |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2995 | """ |
Jean-Paul Calderone | 6c84010 | 2015-03-15 17:32:15 -0400 | [diff] [blame] | 2996 | self._doesnt_overfill_test(_make_memoryview) |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 2997 | |
| 2998 | |
Jean-Paul Calderone | 4bec59a | 2015-03-15 17:25:57 -0400 | [diff] [blame] | 2999 | def test_memoryview_really_doesnt_overfill(self): |
| 3000 | """ |
| 3001 | When called with a ``memoryview`` instance and an ``nbytes`` value |
| 3002 | that is too large, :py:obj:`Connection.recv_into` respects the size |
| 3003 | of the array and not the ``nbytes`` value and doesn't write more |
| 3004 | bytes into the buffer than will fit. |
| 3005 | """ |
Jean-Paul Calderone | 6c84010 | 2015-03-15 17:32:15 -0400 | [diff] [blame] | 3006 | self._doesnt_overfill_test(_make_memoryview) |
Jean-Paul Calderone | 4bec59a | 2015-03-15 17:25:57 -0400 | [diff] [blame] | 3007 | |
| 3008 | |
Cory Benfield | 62d1033 | 2014-06-15 10:03:41 +0100 | [diff] [blame] | 3009 | |
Jean-Paul Calderone | 8ea2252 | 2010-07-29 09:39:39 -0400 | [diff] [blame] | 3010 | class ConnectionSendallTests(TestCase, _LoopbackMixin): |
| 3011 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3012 | Tests for :py:obj:`Connection.sendall`. |
Jean-Paul Calderone | 8ea2252 | 2010-07-29 09:39:39 -0400 | [diff] [blame] | 3013 | """ |
Jean-Paul Calderone | a8fb0c8 | 2010-09-09 18:04:56 -0400 | [diff] [blame] | 3014 | def test_wrong_args(self): |
Jean-Paul Calderone | 8ea2252 | 2010-07-29 09:39:39 -0400 | [diff] [blame] | 3015 | """ |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 3016 | When called with arguments other than a string argument for its first |
| 3017 | parameter or with more than two arguments, :py:obj:`Connection.sendall` |
| 3018 | raises :py:obj:`TypeError`. |
Jean-Paul Calderone | 8ea2252 | 2010-07-29 09:39:39 -0400 | [diff] [blame] | 3019 | """ |
| 3020 | connection = Connection(Context(TLSv1_METHOD), None) |
| 3021 | self.assertRaises(TypeError, connection.sendall) |
| 3022 | self.assertRaises(TypeError, connection.sendall, object()) |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 3023 | self.assertRaises( |
| 3024 | TypeError, connection.sendall, "foo", object(), "bar") |
Jean-Paul Calderone | 8ea2252 | 2010-07-29 09:39:39 -0400 | [diff] [blame] | 3025 | |
| 3026 | |
Jean-Paul Calderone | 7ca48b5 | 2010-07-28 18:57:21 -0400 | [diff] [blame] | 3027 | def test_short(self): |
| 3028 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3029 | :py:obj:`Connection.sendall` transmits all of the bytes in the string passed to |
Jean-Paul Calderone | 7ca48b5 | 2010-07-28 18:57:21 -0400 | [diff] [blame] | 3030 | it. |
| 3031 | """ |
| 3032 | server, client = self._loopback() |
Jean-Paul Calderone | a986883 | 2010-08-22 21:38:34 -0400 | [diff] [blame] | 3033 | server.sendall(b('x')) |
| 3034 | self.assertEquals(client.recv(1), b('x')) |
Jean-Paul Calderone | 7ca48b5 | 2010-07-28 18:57:21 -0400 | [diff] [blame] | 3035 | |
| 3036 | |
Abraham Martin | ef06348 | 2015-03-25 14:06:24 +0000 | [diff] [blame] | 3037 | def test_text(self): |
| 3038 | """ |
Jean-Paul Calderone | 9347742 | 2015-04-13 20:38:57 -0400 | [diff] [blame] | 3039 | :py:obj:`Connection.sendall` transmits all the content in the string |
| 3040 | passed to it raising a DeprecationWarning in case of this being a text. |
Abraham Martin | ef06348 | 2015-03-25 14:06:24 +0000 | [diff] [blame] | 3041 | """ |
| 3042 | server, client = self._loopback() |
| 3043 | with catch_warnings(record=True) as w: |
| 3044 | simplefilter("always") |
Jean-Paul Calderone | 8dc37a1 | 2015-03-29 08:16:52 -0400 | [diff] [blame] | 3045 | server.sendall(b"x".decode("ascii")) |
Jean-Paul Calderone | 6462b07 | 2015-03-29 07:03:11 -0400 | [diff] [blame] | 3046 | self.assertEqual( |
Jean-Paul Calderone | 13a0e65 | 2015-03-29 07:58:51 -0400 | [diff] [blame] | 3047 | "{0} for buf is no longer accepted, use bytes".format( |
Jean-Paul Calderone | 6462b07 | 2015-03-29 07:03:11 -0400 | [diff] [blame] | 3048 | WARNING_TYPE_EXPECTED |
| 3049 | ), |
| 3050 | str(w[-1].message) |
| 3051 | ) |
| 3052 | self.assertIs(w[-1].category, DeprecationWarning) |
| 3053 | self.assertEquals(client.recv(1), b"x") |
Abraham Martin | ef06348 | 2015-03-25 14:06:24 +0000 | [diff] [blame] | 3054 | |
| 3055 | |
Jean-Paul Calderone | 691e6c9 | 2011-01-21 22:04:35 -0500 | [diff] [blame] | 3056 | try: |
| 3057 | memoryview |
| 3058 | except NameError: |
| 3059 | "cannot test sending memoryview without memoryview" |
| 3060 | else: |
| 3061 | def test_short_memoryview(self): |
| 3062 | """ |
| 3063 | When passed a memoryview onto a small number of bytes, |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3064 | :py:obj:`Connection.sendall` transmits all of them. |
Jean-Paul Calderone | 691e6c9 | 2011-01-21 22:04:35 -0500 | [diff] [blame] | 3065 | """ |
| 3066 | server, client = self._loopback() |
| 3067 | server.sendall(memoryview(b('x'))) |
| 3068 | self.assertEquals(client.recv(1), b('x')) |
| 3069 | |
| 3070 | |
Markus Unterwaditzer | 8e41d02 | 2014-04-19 12:27:11 +0200 | [diff] [blame] | 3071 | try: |
| 3072 | buffer |
| 3073 | except NameError: |
| 3074 | "cannot test sending buffers without buffers" |
| 3075 | else: |
| 3076 | def test_short_buffers(self): |
| 3077 | """ |
| 3078 | When passed a buffer containing a small number of bytes, |
| 3079 | :py:obj:`Connection.sendall` transmits all of them. |
| 3080 | """ |
| 3081 | server, client = self._loopback() |
| 3082 | server.sendall(buffer(b('x'))) |
| 3083 | self.assertEquals(client.recv(1), b('x')) |
| 3084 | |
| 3085 | |
Jean-Paul Calderone | 7ca48b5 | 2010-07-28 18:57:21 -0400 | [diff] [blame] | 3086 | def test_long(self): |
Jean-Paul Calderone | a8fb0c8 | 2010-09-09 18:04:56 -0400 | [diff] [blame] | 3087 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3088 | :py:obj:`Connection.sendall` transmits all of the bytes in the string passed to |
Jean-Paul Calderone | a8fb0c8 | 2010-09-09 18:04:56 -0400 | [diff] [blame] | 3089 | it even if this requires multiple calls of an underlying write function. |
| 3090 | """ |
Jean-Paul Calderone | 7ca48b5 | 2010-07-28 18:57:21 -0400 | [diff] [blame] | 3091 | server, client = self._loopback() |
Jean-Paul Calderone | 6241c70 | 2010-09-16 19:59:24 -0400 | [diff] [blame] | 3092 | # Should be enough, underlying SSL_write should only do 16k at a time. |
| 3093 | # On Windows, after 32k of bytes the write will block (forever - because |
| 3094 | # no one is yet reading). |
Jean-Paul Calderone | 9e4c135 | 2010-09-19 09:34:43 -0400 | [diff] [blame] | 3095 | message = b('x') * (1024 * 32 - 1) + b('y') |
Jean-Paul Calderone | 7ca48b5 | 2010-07-28 18:57:21 -0400 | [diff] [blame] | 3096 | server.sendall(message) |
| 3097 | accum = [] |
| 3098 | received = 0 |
| 3099 | while received < len(message): |
Jean-Paul Calderone | b1f7f5f | 2010-08-22 21:40:52 -0400 | [diff] [blame] | 3100 | data = client.recv(1024) |
| 3101 | accum.append(data) |
| 3102 | received += len(data) |
Jean-Paul Calderone | f404785 | 2010-09-19 09:45:57 -0400 | [diff] [blame] | 3103 | self.assertEquals(message, b('').join(accum)) |
Jean-Paul Calderone | 7ca48b5 | 2010-07-28 18:57:21 -0400 | [diff] [blame] | 3104 | |
| 3105 | |
Jean-Paul Calderone | 974bdc0 | 2010-07-28 19:06:10 -0400 | [diff] [blame] | 3106 | def test_closed(self): |
| 3107 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3108 | If the underlying socket is closed, :py:obj:`Connection.sendall` propagates the |
Jean-Paul Calderone | 974bdc0 | 2010-07-28 19:06:10 -0400 | [diff] [blame] | 3109 | write error from the low level write call. |
| 3110 | """ |
| 3111 | server, client = self._loopback() |
Jean-Paul Calderone | 05d43e8 | 2010-09-24 18:01:36 -0400 | [diff] [blame] | 3112 | server.sock_shutdown(2) |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 3113 | exc = self.assertRaises(SysCallError, server.sendall, b"hello, world") |
Konstantinos Koukopoulos | 541150d | 2014-01-31 01:00:19 +0200 | [diff] [blame] | 3114 | if platform == "win32": |
| 3115 | self.assertEqual(exc.args[0], ESHUTDOWN) |
| 3116 | else: |
| 3117 | self.assertEqual(exc.args[0], EPIPE) |
Jean-Paul Calderone | 974bdc0 | 2010-07-28 19:06:10 -0400 | [diff] [blame] | 3118 | |
Jean-Paul Calderone | 7ca48b5 | 2010-07-28 18:57:21 -0400 | [diff] [blame] | 3119 | |
Jean-Paul Calderone | 1d69a72 | 2010-07-29 09:05:53 -0400 | [diff] [blame] | 3120 | |
Jean-Paul Calderone | 8ea2252 | 2010-07-29 09:39:39 -0400 | [diff] [blame] | 3121 | class ConnectionRenegotiateTests(TestCase, _LoopbackMixin): |
| 3122 | """ |
| 3123 | Tests for SSL renegotiation APIs. |
| 3124 | """ |
| 3125 | def test_renegotiate_wrong_args(self): |
Jean-Paul Calderone | a8fb0c8 | 2010-09-09 18:04:56 -0400 | [diff] [blame] | 3126 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3127 | :py:obj:`Connection.renegotiate` raises :py:obj:`TypeError` if called with any |
Jean-Paul Calderone | a8fb0c8 | 2010-09-09 18:04:56 -0400 | [diff] [blame] | 3128 | arguments. |
| 3129 | """ |
Jean-Paul Calderone | 8ea2252 | 2010-07-29 09:39:39 -0400 | [diff] [blame] | 3130 | connection = Connection(Context(TLSv1_METHOD), None) |
| 3131 | self.assertRaises(TypeError, connection.renegotiate, None) |
| 3132 | |
| 3133 | |
Jean-Paul Calderone | cfecc24 | 2010-07-29 22:47:06 -0400 | [diff] [blame] | 3134 | def test_total_renegotiations_wrong_args(self): |
Jean-Paul Calderone | a8fb0c8 | 2010-09-09 18:04:56 -0400 | [diff] [blame] | 3135 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3136 | :py:obj:`Connection.total_renegotiations` raises :py:obj:`TypeError` if called with |
Jean-Paul Calderone | a8fb0c8 | 2010-09-09 18:04:56 -0400 | [diff] [blame] | 3137 | any arguments. |
| 3138 | """ |
Jean-Paul Calderone | cfecc24 | 2010-07-29 22:47:06 -0400 | [diff] [blame] | 3139 | connection = Connection(Context(TLSv1_METHOD), None) |
| 3140 | self.assertRaises(TypeError, connection.total_renegotiations, None) |
| 3141 | |
| 3142 | |
| 3143 | def test_total_renegotiations(self): |
Jean-Paul Calderone | a8fb0c8 | 2010-09-09 18:04:56 -0400 | [diff] [blame] | 3144 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3145 | :py:obj:`Connection.total_renegotiations` returns :py:obj:`0` before any |
Jean-Paul Calderone | a8fb0c8 | 2010-09-09 18:04:56 -0400 | [diff] [blame] | 3146 | renegotiations have happened. |
| 3147 | """ |
Jean-Paul Calderone | cfecc24 | 2010-07-29 22:47:06 -0400 | [diff] [blame] | 3148 | connection = Connection(Context(TLSv1_METHOD), None) |
| 3149 | self.assertEquals(connection.total_renegotiations(), 0) |
| 3150 | |
| 3151 | |
Jean-Paul Calderone | 8ea2252 | 2010-07-29 09:39:39 -0400 | [diff] [blame] | 3152 | # def test_renegotiate(self): |
| 3153 | # """ |
| 3154 | # """ |
| 3155 | # server, client = self._loopback() |
| 3156 | |
| 3157 | # server.send("hello world") |
| 3158 | # self.assertEquals(client.recv(len("hello world")), "hello world") |
| 3159 | |
| 3160 | # self.assertEquals(server.total_renegotiations(), 0) |
| 3161 | # self.assertTrue(server.renegotiate()) |
| 3162 | |
| 3163 | # server.setblocking(False) |
| 3164 | # client.setblocking(False) |
| 3165 | # while server.renegotiate_pending(): |
| 3166 | # client.do_handshake() |
| 3167 | # server.do_handshake() |
| 3168 | |
| 3169 | # self.assertEquals(server.total_renegotiations(), 1) |
| 3170 | |
| 3171 | |
| 3172 | |
| 3173 | |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 3174 | class ErrorTests(TestCase): |
| 3175 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3176 | Unit tests for :py:obj:`OpenSSL.SSL.Error`. |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 3177 | """ |
| 3178 | def test_type(self): |
| 3179 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3180 | :py:obj:`Error` is an exception type. |
Jean-Paul Calderone | 6864905 | 2009-07-17 21:14:27 -0400 | [diff] [blame] | 3181 | """ |
| 3182 | self.assertTrue(issubclass(Error, Exception)) |
Rick Dean | e15b147 | 2009-07-09 15:53:42 -0500 | [diff] [blame] | 3183 | self.assertEqual(Error.__name__, 'Error') |
Rick Dean | e15b147 | 2009-07-09 15:53:42 -0500 | [diff] [blame] | 3184 | |
| 3185 | |
| 3186 | |
Jean-Paul Calderone | 327d8f9 | 2008-12-28 21:55:56 -0500 | [diff] [blame] | 3187 | class ConstantsTests(TestCase): |
| 3188 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3189 | Tests for the values of constants exposed in :py:obj:`OpenSSL.SSL`. |
Jean-Paul Calderone | 327d8f9 | 2008-12-28 21:55:56 -0500 | [diff] [blame] | 3190 | |
| 3191 | These are values defined by OpenSSL intended only to be used as flags to |
| 3192 | OpenSSL APIs. The only assertions it seems can be made about them is |
| 3193 | their values. |
| 3194 | """ |
Jean-Paul Calderone | d811b68 | 2008-12-28 22:59:15 -0500 | [diff] [blame] | 3195 | # unittest.TestCase has no skip mechanism |
| 3196 | if OP_NO_QUERY_MTU is not None: |
| 3197 | def test_op_no_query_mtu(self): |
| 3198 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3199 | The value of :py:obj:`OpenSSL.SSL.OP_NO_QUERY_MTU` is 0x1000, the value of |
Jean-Paul Calderone | 64efa2c | 2011-09-11 10:00:09 -0400 | [diff] [blame] | 3200 | :py:const:`SSL_OP_NO_QUERY_MTU` defined by :file:`openssl/ssl.h`. |
Jean-Paul Calderone | d811b68 | 2008-12-28 22:59:15 -0500 | [diff] [blame] | 3201 | """ |
| 3202 | self.assertEqual(OP_NO_QUERY_MTU, 0x1000) |
| 3203 | else: |
| 3204 | "OP_NO_QUERY_MTU unavailable - OpenSSL version may be too old" |
Jean-Paul Calderone | 327d8f9 | 2008-12-28 21:55:56 -0500 | [diff] [blame] | 3205 | |
| 3206 | |
Jean-Paul Calderone | d811b68 | 2008-12-28 22:59:15 -0500 | [diff] [blame] | 3207 | if OP_COOKIE_EXCHANGE is not None: |
| 3208 | def test_op_cookie_exchange(self): |
| 3209 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3210 | The value of :py:obj:`OpenSSL.SSL.OP_COOKIE_EXCHANGE` is 0x2000, the value |
Jean-Paul Calderone | 64efa2c | 2011-09-11 10:00:09 -0400 | [diff] [blame] | 3211 | of :py:const:`SSL_OP_COOKIE_EXCHANGE` defined by :file:`openssl/ssl.h`. |
Jean-Paul Calderone | d811b68 | 2008-12-28 22:59:15 -0500 | [diff] [blame] | 3212 | """ |
| 3213 | self.assertEqual(OP_COOKIE_EXCHANGE, 0x2000) |
| 3214 | else: |
| 3215 | "OP_COOKIE_EXCHANGE unavailable - OpenSSL version may be too old" |
Jean-Paul Calderone | 327d8f9 | 2008-12-28 21:55:56 -0500 | [diff] [blame] | 3216 | |
| 3217 | |
Jean-Paul Calderone | d811b68 | 2008-12-28 22:59:15 -0500 | [diff] [blame] | 3218 | if OP_NO_TICKET is not None: |
| 3219 | def test_op_no_ticket(self): |
| 3220 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3221 | The value of :py:obj:`OpenSSL.SSL.OP_NO_TICKET` is 0x4000, the value of |
Jean-Paul Calderone | 64efa2c | 2011-09-11 10:00:09 -0400 | [diff] [blame] | 3222 | :py:const:`SSL_OP_NO_TICKET` defined by :file:`openssl/ssl.h`. |
Jean-Paul Calderone | d811b68 | 2008-12-28 22:59:15 -0500 | [diff] [blame] | 3223 | """ |
| 3224 | self.assertEqual(OP_NO_TICKET, 0x4000) |
Jean-Paul Calderone | cebd178 | 2011-09-11 10:01:31 -0400 | [diff] [blame] | 3225 | else: |
Jean-Paul Calderone | d811b68 | 2008-12-28 22:59:15 -0500 | [diff] [blame] | 3226 | "OP_NO_TICKET unavailable - OpenSSL version may be too old" |
Rick Dean | 5b7b637 | 2009-04-01 11:34:06 -0500 | [diff] [blame] | 3227 | |
| 3228 | |
Jean-Paul Calderone | c62d4c1 | 2011-09-08 18:29:32 -0400 | [diff] [blame] | 3229 | if OP_NO_COMPRESSION is not None: |
| 3230 | def test_op_no_compression(self): |
| 3231 | """ |
Jean-Paul Calderone | 64efa2c | 2011-09-11 10:00:09 -0400 | [diff] [blame] | 3232 | The value of :py:obj:`OpenSSL.SSL.OP_NO_COMPRESSION` is 0x20000, the value |
| 3233 | of :py:const:`SSL_OP_NO_COMPRESSION` defined by :file:`openssl/ssl.h`. |
Jean-Paul Calderone | c62d4c1 | 2011-09-08 18:29:32 -0400 | [diff] [blame] | 3234 | """ |
| 3235 | self.assertEqual(OP_NO_COMPRESSION, 0x20000) |
| 3236 | else: |
| 3237 | "OP_NO_COMPRESSION unavailable - OpenSSL version may be too old" |
| 3238 | |
| 3239 | |
Jean-Paul Calderone | 313bf01 | 2012-02-08 13:02:49 -0500 | [diff] [blame] | 3240 | def test_sess_cache_off(self): |
| 3241 | """ |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 3242 | The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_OFF` 0x0, the value of |
| 3243 | :py:obj:`SSL_SESS_CACHE_OFF` defined by ``openssl/ssl.h``. |
Jean-Paul Calderone | 313bf01 | 2012-02-08 13:02:49 -0500 | [diff] [blame] | 3244 | """ |
| 3245 | self.assertEqual(0x0, SESS_CACHE_OFF) |
| 3246 | |
| 3247 | |
| 3248 | def test_sess_cache_client(self): |
| 3249 | """ |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 3250 | The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_CLIENT` 0x1, the value of |
| 3251 | :py:obj:`SSL_SESS_CACHE_CLIENT` defined by ``openssl/ssl.h``. |
Jean-Paul Calderone | 313bf01 | 2012-02-08 13:02:49 -0500 | [diff] [blame] | 3252 | """ |
| 3253 | self.assertEqual(0x1, SESS_CACHE_CLIENT) |
| 3254 | |
| 3255 | |
| 3256 | def test_sess_cache_server(self): |
| 3257 | """ |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 3258 | The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_SERVER` 0x2, the value of |
| 3259 | :py:obj:`SSL_SESS_CACHE_SERVER` defined by ``openssl/ssl.h``. |
Jean-Paul Calderone | 313bf01 | 2012-02-08 13:02:49 -0500 | [diff] [blame] | 3260 | """ |
| 3261 | self.assertEqual(0x2, SESS_CACHE_SERVER) |
| 3262 | |
| 3263 | |
| 3264 | def test_sess_cache_both(self): |
| 3265 | """ |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 3266 | The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_BOTH` 0x3, the value of |
| 3267 | :py:obj:`SSL_SESS_CACHE_BOTH` defined by ``openssl/ssl.h``. |
Jean-Paul Calderone | 313bf01 | 2012-02-08 13:02:49 -0500 | [diff] [blame] | 3268 | """ |
| 3269 | self.assertEqual(0x3, SESS_CACHE_BOTH) |
| 3270 | |
| 3271 | |
| 3272 | def test_sess_cache_no_auto_clear(self): |
| 3273 | """ |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 3274 | The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_NO_AUTO_CLEAR` 0x80, the |
| 3275 | value of :py:obj:`SSL_SESS_CACHE_NO_AUTO_CLEAR` defined by |
| 3276 | ``openssl/ssl.h``. |
Jean-Paul Calderone | 313bf01 | 2012-02-08 13:02:49 -0500 | [diff] [blame] | 3277 | """ |
| 3278 | self.assertEqual(0x80, SESS_CACHE_NO_AUTO_CLEAR) |
| 3279 | |
| 3280 | |
| 3281 | def test_sess_cache_no_internal_lookup(self): |
| 3282 | """ |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 3283 | The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_LOOKUP` 0x100, |
| 3284 | the value of :py:obj:`SSL_SESS_CACHE_NO_INTERNAL_LOOKUP` defined by |
| 3285 | ``openssl/ssl.h``. |
Jean-Paul Calderone | 313bf01 | 2012-02-08 13:02:49 -0500 | [diff] [blame] | 3286 | """ |
| 3287 | self.assertEqual(0x100, SESS_CACHE_NO_INTERNAL_LOOKUP) |
| 3288 | |
| 3289 | |
| 3290 | def test_sess_cache_no_internal_store(self): |
| 3291 | """ |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 3292 | The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_STORE` 0x200, |
| 3293 | the value of :py:obj:`SSL_SESS_CACHE_NO_INTERNAL_STORE` defined by |
| 3294 | ``openssl/ssl.h``. |
Jean-Paul Calderone | 313bf01 | 2012-02-08 13:02:49 -0500 | [diff] [blame] | 3295 | """ |
| 3296 | self.assertEqual(0x200, SESS_CACHE_NO_INTERNAL_STORE) |
| 3297 | |
| 3298 | |
| 3299 | def test_sess_cache_no_internal(self): |
| 3300 | """ |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 3301 | The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_NO_INTERNAL` 0x300, the |
| 3302 | value of :py:obj:`SSL_SESS_CACHE_NO_INTERNAL` defined by |
| 3303 | ``openssl/ssl.h``. |
Jean-Paul Calderone | 313bf01 | 2012-02-08 13:02:49 -0500 | [diff] [blame] | 3304 | """ |
| 3305 | self.assertEqual(0x300, SESS_CACHE_NO_INTERNAL) |
| 3306 | |
| 3307 | |
Jean-Paul Calderone | eeee26a | 2009-04-27 11:24:30 -0400 | [diff] [blame] | 3308 | |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 3309 | class MemoryBIOTests(TestCase, _LoopbackMixin): |
Rick Dean | b71c0d2 | 2009-04-01 14:09:23 -0500 | [diff] [blame] | 3310 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3311 | Tests for :py:obj:`OpenSSL.SSL.Connection` using a memory BIO. |
Rick Dean | b71c0d2 | 2009-04-01 14:09:23 -0500 | [diff] [blame] | 3312 | """ |
Jean-Paul Calderone | ce8324d | 2009-07-16 12:22:52 -0400 | [diff] [blame] | 3313 | def _server(self, sock): |
| 3314 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3315 | Create a new server-side SSL :py:obj:`Connection` object wrapped around |
| 3316 | :py:obj:`sock`. |
Jean-Paul Calderone | ce8324d | 2009-07-16 12:22:52 -0400 | [diff] [blame] | 3317 | """ |
Jean-Paul Calderone | aff0fc4 | 2009-04-27 17:13:34 -0400 | [diff] [blame] | 3318 | # Create the server side Connection. This is mostly setup boilerplate |
| 3319 | # - use TLSv1, use a particular certificate, etc. |
| 3320 | server_ctx = Context(TLSv1_METHOD) |
Alex Gaynor | 4330778 | 2015-09-04 09:05:45 -0400 | [diff] [blame] | 3321 | server_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE) |
| 3322 | server_ctx.set_verify(VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE, verify_cb) |
Jean-Paul Calderone | aff0fc4 | 2009-04-27 17:13:34 -0400 | [diff] [blame] | 3323 | server_store = server_ctx.get_cert_store() |
| 3324 | server_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem)) |
| 3325 | server_ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem)) |
| 3326 | server_ctx.check_privatekey() |
| 3327 | server_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem)) |
Rick Dean | b1ccd56 | 2009-07-09 23:52:39 -0500 | [diff] [blame] | 3328 | # Here the Connection is actually created. If None is passed as the 2nd |
| 3329 | # parameter, it indicates a memory BIO should be created. |
| 3330 | server_conn = Connection(server_ctx, sock) |
Jean-Paul Calderone | aff0fc4 | 2009-04-27 17:13:34 -0400 | [diff] [blame] | 3331 | server_conn.set_accept_state() |
| 3332 | return server_conn |
| 3333 | |
| 3334 | |
Jean-Paul Calderone | ce8324d | 2009-07-16 12:22:52 -0400 | [diff] [blame] | 3335 | def _client(self, sock): |
| 3336 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3337 | Create a new client-side SSL :py:obj:`Connection` object wrapped around |
| 3338 | :py:obj:`sock`. |
Jean-Paul Calderone | ce8324d | 2009-07-16 12:22:52 -0400 | [diff] [blame] | 3339 | """ |
| 3340 | # Now create the client side Connection. Similar boilerplate to the |
| 3341 | # above. |
Jean-Paul Calderone | aff0fc4 | 2009-04-27 17:13:34 -0400 | [diff] [blame] | 3342 | client_ctx = Context(TLSv1_METHOD) |
Alex Gaynor | 4330778 | 2015-09-04 09:05:45 -0400 | [diff] [blame] | 3343 | client_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE) |
| 3344 | client_ctx.set_verify(VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE, verify_cb) |
Jean-Paul Calderone | aff0fc4 | 2009-04-27 17:13:34 -0400 | [diff] [blame] | 3345 | client_store = client_ctx.get_cert_store() |
| 3346 | client_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, client_key_pem)) |
| 3347 | client_ctx.use_certificate(load_certificate(FILETYPE_PEM, client_cert_pem)) |
| 3348 | client_ctx.check_privatekey() |
| 3349 | client_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem)) |
Rick Dean | b1ccd56 | 2009-07-09 23:52:39 -0500 | [diff] [blame] | 3350 | client_conn = Connection(client_ctx, sock) |
Jean-Paul Calderone | aff0fc4 | 2009-04-27 17:13:34 -0400 | [diff] [blame] | 3351 | client_conn.set_connect_state() |
| 3352 | return client_conn |
| 3353 | |
| 3354 | |
Jean-Paul Calderone | ce8324d | 2009-07-16 12:22:52 -0400 | [diff] [blame] | 3355 | def test_memoryConnect(self): |
Jean-Paul Calderone | 958299e | 2009-04-27 12:59:12 -0400 | [diff] [blame] | 3356 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3357 | Two :py:obj:`Connection`s which use memory BIOs can be manually connected by |
Jean-Paul Calderone | 958299e | 2009-04-27 12:59:12 -0400 | [diff] [blame] | 3358 | reading from the output of each and writing those bytes to the input of |
| 3359 | the other and in this way establish a connection and exchange |
| 3360 | application-level bytes with each other. |
| 3361 | """ |
Jean-Paul Calderone | ce8324d | 2009-07-16 12:22:52 -0400 | [diff] [blame] | 3362 | server_conn = self._server(None) |
| 3363 | client_conn = self._client(None) |
Rick Dean | b71c0d2 | 2009-04-01 14:09:23 -0500 | [diff] [blame] | 3364 | |
Jean-Paul Calderone | 958299e | 2009-04-27 12:59:12 -0400 | [diff] [blame] | 3365 | # There should be no key or nonces yet. |
| 3366 | self.assertIdentical(server_conn.master_key(), None) |
| 3367 | self.assertIdentical(server_conn.client_random(), None) |
| 3368 | self.assertIdentical(server_conn.server_random(), None) |
Rick Dean | b71c0d2 | 2009-04-01 14:09:23 -0500 | [diff] [blame] | 3369 | |
Jean-Paul Calderone | 958299e | 2009-04-27 12:59:12 -0400 | [diff] [blame] | 3370 | # First, the handshake needs to happen. We'll deliver bytes back and |
| 3371 | # forth between the client and server until neither of them feels like |
| 3372 | # speaking any more. |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 3373 | self.assertIdentical( |
| 3374 | self._interactInMemory(client_conn, server_conn), None) |
Jean-Paul Calderone | 958299e | 2009-04-27 12:59:12 -0400 | [diff] [blame] | 3375 | |
| 3376 | # Now that the handshake is done, there should be a key and nonces. |
| 3377 | self.assertNotIdentical(server_conn.master_key(), None) |
| 3378 | self.assertNotIdentical(server_conn.client_random(), None) |
| 3379 | self.assertNotIdentical(server_conn.server_random(), None) |
Jean-Paul Calderone | 6c051e6 | 2009-07-05 13:50:34 -0400 | [diff] [blame] | 3380 | self.assertEquals(server_conn.client_random(), client_conn.client_random()) |
| 3381 | self.assertEquals(server_conn.server_random(), client_conn.server_random()) |
| 3382 | self.assertNotEquals(server_conn.client_random(), server_conn.server_random()) |
| 3383 | self.assertNotEquals(client_conn.client_random(), client_conn.server_random()) |
Jean-Paul Calderone | 958299e | 2009-04-27 12:59:12 -0400 | [diff] [blame] | 3384 | |
| 3385 | # Here are the bytes we'll try to send. |
Jean-Paul Calderone | a441fdc | 2010-08-22 21:33:57 -0400 | [diff] [blame] | 3386 | important_message = b('One if by land, two if by sea.') |
Rick Dean | b71c0d2 | 2009-04-01 14:09:23 -0500 | [diff] [blame] | 3387 | |
Jean-Paul Calderone | 958299e | 2009-04-27 12:59:12 -0400 | [diff] [blame] | 3388 | server_conn.write(important_message) |
| 3389 | self.assertEquals( |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 3390 | self._interactInMemory(client_conn, server_conn), |
Jean-Paul Calderone | 958299e | 2009-04-27 12:59:12 -0400 | [diff] [blame] | 3391 | (client_conn, important_message)) |
| 3392 | |
| 3393 | client_conn.write(important_message[::-1]) |
| 3394 | self.assertEquals( |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 3395 | self._interactInMemory(client_conn, server_conn), |
Jean-Paul Calderone | 958299e | 2009-04-27 12:59:12 -0400 | [diff] [blame] | 3396 | (server_conn, important_message[::-1])) |
Rick Dean | b71c0d2 | 2009-04-01 14:09:23 -0500 | [diff] [blame] | 3397 | |
| 3398 | |
Jean-Paul Calderone | ce8324d | 2009-07-16 12:22:52 -0400 | [diff] [blame] | 3399 | def test_socketConnect(self): |
Rick Dean | b1ccd56 | 2009-07-09 23:52:39 -0500 | [diff] [blame] | 3400 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3401 | Just like :py:obj:`test_memoryConnect` but with an actual socket. |
Jean-Paul Calderone | ce8324d | 2009-07-16 12:22:52 -0400 | [diff] [blame] | 3402 | |
| 3403 | This is primarily to rule out the memory BIO code as the source of |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3404 | any problems encountered while passing data over a :py:obj:`Connection` (if |
Jean-Paul Calderone | ce8324d | 2009-07-16 12:22:52 -0400 | [diff] [blame] | 3405 | this test fails, there must be a problem outside the memory BIO |
| 3406 | code, as no memory BIO is involved here). Even though this isn't a |
| 3407 | memory BIO test, it's convenient to have it here. |
Rick Dean | b1ccd56 | 2009-07-09 23:52:39 -0500 | [diff] [blame] | 3408 | """ |
Jean-Paul Calderone | 06c7cc9 | 2010-09-24 23:52:00 -0400 | [diff] [blame] | 3409 | server_conn, client_conn = self._loopback() |
Rick Dean | b1ccd56 | 2009-07-09 23:52:39 -0500 | [diff] [blame] | 3410 | |
Jean-Paul Calderone | a441fdc | 2010-08-22 21:33:57 -0400 | [diff] [blame] | 3411 | important_message = b("Help me Obi Wan Kenobi, you're my only hope.") |
Rick Dean | b1ccd56 | 2009-07-09 23:52:39 -0500 | [diff] [blame] | 3412 | client_conn.send(important_message) |
| 3413 | msg = server_conn.recv(1024) |
| 3414 | self.assertEqual(msg, important_message) |
| 3415 | |
| 3416 | # Again in the other direction, just for fun. |
| 3417 | important_message = important_message[::-1] |
| 3418 | server_conn.send(important_message) |
| 3419 | msg = client_conn.recv(1024) |
| 3420 | self.assertEqual(msg, important_message) |
| 3421 | |
| 3422 | |
Jean-Paul Calderone | fc4ed0f | 2009-04-27 11:51:27 -0400 | [diff] [blame] | 3423 | def test_socketOverridesMemory(self): |
Rick Dean | b71c0d2 | 2009-04-01 14:09:23 -0500 | [diff] [blame] | 3424 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3425 | Test that :py:obj:`OpenSSL.SSL.bio_read` and :py:obj:`OpenSSL.SSL.bio_write` don't |
| 3426 | work on :py:obj:`OpenSSL.SSL.Connection`() that use sockets. |
Rick Dean | b71c0d2 | 2009-04-01 14:09:23 -0500 | [diff] [blame] | 3427 | """ |
| 3428 | context = Context(SSLv3_METHOD) |
| 3429 | client = socket() |
| 3430 | clientSSL = Connection(context, client) |
Alex Gaynor | 4330778 | 2015-09-04 09:05:45 -0400 | [diff] [blame] | 3431 | self.assertRaises(TypeError, clientSSL.bio_read, 100) |
| 3432 | self.assertRaises(TypeError, clientSSL.bio_write, "foo") |
Alex Gaynor | 7e8b61e | 2015-09-04 13:13:05 -0400 | [diff] [blame] | 3433 | self.assertRaises(TypeError, clientSSL.bio_shutdown) |
Jean-Paul Calderone | aff0fc4 | 2009-04-27 17:13:34 -0400 | [diff] [blame] | 3434 | |
| 3435 | |
| 3436 | def test_outgoingOverflow(self): |
| 3437 | """ |
| 3438 | If more bytes than can be written to the memory BIO are passed to |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3439 | :py:obj:`Connection.send` at once, the number of bytes which were written is |
Jean-Paul Calderone | aff0fc4 | 2009-04-27 17:13:34 -0400 | [diff] [blame] | 3440 | returned and that many bytes from the beginning of the input can be |
| 3441 | read from the other end of the connection. |
| 3442 | """ |
Jean-Paul Calderone | ce8324d | 2009-07-16 12:22:52 -0400 | [diff] [blame] | 3443 | server = self._server(None) |
| 3444 | client = self._client(None) |
Jean-Paul Calderone | aff0fc4 | 2009-04-27 17:13:34 -0400 | [diff] [blame] | 3445 | |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 3446 | self._interactInMemory(client, server) |
Jean-Paul Calderone | aff0fc4 | 2009-04-27 17:13:34 -0400 | [diff] [blame] | 3447 | |
| 3448 | size = 2 ** 15 |
Jean-Paul Calderone | 4f0467a | 2014-01-11 11:58:41 -0500 | [diff] [blame] | 3449 | sent = client.send(b"x" * size) |
Jean-Paul Calderone | aff0fc4 | 2009-04-27 17:13:34 -0400 | [diff] [blame] | 3450 | # Sanity check. We're trying to test what happens when the entire |
| 3451 | # input can't be sent. If the entire input was sent, this test is |
| 3452 | # meaningless. |
| 3453 | self.assertTrue(sent < size) |
| 3454 | |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 3455 | receiver, received = self._interactInMemory(client, server) |
Jean-Paul Calderone | aff0fc4 | 2009-04-27 17:13:34 -0400 | [diff] [blame] | 3456 | self.assertIdentical(receiver, server) |
| 3457 | |
| 3458 | # We can rely on all of these bytes being received at once because |
| 3459 | # _loopback passes 2 ** 16 to recv - more than 2 ** 15. |
| 3460 | self.assertEquals(len(received), sent) |
Jean-Paul Calderone | 3ad85d4 | 2009-04-30 20:24:35 -0400 | [diff] [blame] | 3461 | |
| 3462 | |
| 3463 | def test_shutdown(self): |
| 3464 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3465 | :py:obj:`Connection.bio_shutdown` signals the end of the data stream from |
| 3466 | which the :py:obj:`Connection` reads. |
Jean-Paul Calderone | 3ad85d4 | 2009-04-30 20:24:35 -0400 | [diff] [blame] | 3467 | """ |
Jean-Paul Calderone | ce8324d | 2009-07-16 12:22:52 -0400 | [diff] [blame] | 3468 | server = self._server(None) |
Jean-Paul Calderone | 3ad85d4 | 2009-04-30 20:24:35 -0400 | [diff] [blame] | 3469 | server.bio_shutdown() |
| 3470 | e = self.assertRaises(Error, server.recv, 1024) |
| 3471 | # We don't want WantReadError or ZeroReturnError or anything - it's a |
| 3472 | # handshake failure. |
| 3473 | self.assertEquals(e.__class__, Error) |
Jean-Paul Calderone | 0b88b6a | 2009-07-05 12:44:41 -0400 | [diff] [blame] | 3474 | |
| 3475 | |
Jean-Paul Calderone | d899af0 | 2013-03-19 22:10:37 -0700 | [diff] [blame] | 3476 | def test_unexpectedEndOfFile(self): |
| 3477 | """ |
| 3478 | If the connection is lost before an orderly SSL shutdown occurs, |
| 3479 | :py:obj:`OpenSSL.SSL.SysCallError` is raised with a message of |
| 3480 | "Unexpected EOF". |
| 3481 | """ |
| 3482 | server_conn, client_conn = self._loopback() |
| 3483 | client_conn.sock_shutdown(SHUT_RDWR) |
| 3484 | exc = self.assertRaises(SysCallError, server_conn.recv, 1024) |
| 3485 | self.assertEqual(exc.args, (-1, "Unexpected EOF")) |
| 3486 | |
| 3487 | |
Ziga Seilnacht | f93bf10 | 2009-10-23 09:51:07 +0200 | [diff] [blame] | 3488 | def _check_client_ca_list(self, func): |
Jean-Paul Calderone | 911c911 | 2009-10-24 11:12:00 -0400 | [diff] [blame] | 3489 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3490 | Verify the return value of the :py:obj:`get_client_ca_list` method for server and client connections. |
Jean-Paul Calderone | 911c911 | 2009-10-24 11:12:00 -0400 | [diff] [blame] | 3491 | |
Jonathan Ballet | 78b92a2 | 2011-07-16 08:07:26 +0900 | [diff] [blame] | 3492 | :param func: A function which will be called with the server context |
Jean-Paul Calderone | 911c911 | 2009-10-24 11:12:00 -0400 | [diff] [blame] | 3493 | before the client and server are connected to each other. This |
| 3494 | function should specify a list of CAs for the server to send to the |
| 3495 | client and return that same list. The list will be used to verify |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3496 | that :py:obj:`get_client_ca_list` returns the proper value at various |
Jean-Paul Calderone | 911c911 | 2009-10-24 11:12:00 -0400 | [diff] [blame] | 3497 | times. |
| 3498 | """ |
Ziga Seilnacht | 679c426 | 2009-09-01 01:32:29 +0200 | [diff] [blame] | 3499 | server = self._server(None) |
| 3500 | client = self._client(None) |
Ziga Seilnacht | f93bf10 | 2009-10-23 09:51:07 +0200 | [diff] [blame] | 3501 | self.assertEqual(client.get_client_ca_list(), []) |
| 3502 | self.assertEqual(server.get_client_ca_list(), []) |
Ziga Seilnacht | 679c426 | 2009-09-01 01:32:29 +0200 | [diff] [blame] | 3503 | ctx = server.get_context() |
| 3504 | expected = func(ctx) |
Ziga Seilnacht | f93bf10 | 2009-10-23 09:51:07 +0200 | [diff] [blame] | 3505 | self.assertEqual(client.get_client_ca_list(), []) |
| 3506 | self.assertEqual(server.get_client_ca_list(), expected) |
Jean-Paul Calderone | bf37f0f | 2010-07-31 14:56:20 -0400 | [diff] [blame] | 3507 | self._interactInMemory(client, server) |
Ziga Seilnacht | f93bf10 | 2009-10-23 09:51:07 +0200 | [diff] [blame] | 3508 | self.assertEqual(client.get_client_ca_list(), expected) |
| 3509 | self.assertEqual(server.get_client_ca_list(), expected) |
Ziga Seilnacht | 679c426 | 2009-09-01 01:32:29 +0200 | [diff] [blame] | 3510 | |
| 3511 | |
Jean-Paul Calderone | 911c911 | 2009-10-24 11:12:00 -0400 | [diff] [blame] | 3512 | def test_set_client_ca_list_errors(self): |
Ziga Seilnacht | 679c426 | 2009-09-01 01:32:29 +0200 | [diff] [blame] | 3513 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3514 | :py:obj:`Context.set_client_ca_list` raises a :py:obj:`TypeError` if called with a |
Jean-Paul Calderone | 911c911 | 2009-10-24 11:12:00 -0400 | [diff] [blame] | 3515 | non-list or a list that contains objects other than X509Names. |
Ziga Seilnacht | 679c426 | 2009-09-01 01:32:29 +0200 | [diff] [blame] | 3516 | """ |
| 3517 | ctx = Context(TLSv1_METHOD) |
Ziga Seilnacht | f93bf10 | 2009-10-23 09:51:07 +0200 | [diff] [blame] | 3518 | self.assertRaises(TypeError, ctx.set_client_ca_list, "spam") |
| 3519 | self.assertRaises(TypeError, ctx.set_client_ca_list, ["spam"]) |
| 3520 | self.assertIdentical(ctx.set_client_ca_list([]), None) |
Ziga Seilnacht | 679c426 | 2009-09-01 01:32:29 +0200 | [diff] [blame] | 3521 | |
| 3522 | |
Jean-Paul Calderone | 911c911 | 2009-10-24 11:12:00 -0400 | [diff] [blame] | 3523 | def test_set_empty_ca_list(self): |
Ziga Seilnacht | 679c426 | 2009-09-01 01:32:29 +0200 | [diff] [blame] | 3524 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3525 | If passed an empty list, :py:obj:`Context.set_client_ca_list` configures the |
Jean-Paul Calderone | 911c911 | 2009-10-24 11:12:00 -0400 | [diff] [blame] | 3526 | context to send no CA names to the client and, on both the server and |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3527 | client sides, :py:obj:`Connection.get_client_ca_list` returns an empty list |
Jean-Paul Calderone | 911c911 | 2009-10-24 11:12:00 -0400 | [diff] [blame] | 3528 | after the connection is set up. |
| 3529 | """ |
| 3530 | def no_ca(ctx): |
| 3531 | ctx.set_client_ca_list([]) |
| 3532 | return [] |
| 3533 | self._check_client_ca_list(no_ca) |
| 3534 | |
| 3535 | |
| 3536 | def test_set_one_ca_list(self): |
| 3537 | """ |
| 3538 | If passed a list containing a single X509Name, |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3539 | :py:obj:`Context.set_client_ca_list` configures the context to send that CA |
Jean-Paul Calderone | 911c911 | 2009-10-24 11:12:00 -0400 | [diff] [blame] | 3540 | name to the client and, on both the server and client sides, |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3541 | :py:obj:`Connection.get_client_ca_list` returns a list containing that |
Jean-Paul Calderone | 911c911 | 2009-10-24 11:12:00 -0400 | [diff] [blame] | 3542 | X509Name after the connection is set up. |
| 3543 | """ |
| 3544 | cacert = load_certificate(FILETYPE_PEM, root_cert_pem) |
| 3545 | cadesc = cacert.get_subject() |
| 3546 | def single_ca(ctx): |
| 3547 | ctx.set_client_ca_list([cadesc]) |
| 3548 | return [cadesc] |
| 3549 | self._check_client_ca_list(single_ca) |
| 3550 | |
| 3551 | |
| 3552 | def test_set_multiple_ca_list(self): |
| 3553 | """ |
| 3554 | If passed a list containing multiple X509Name objects, |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3555 | :py:obj:`Context.set_client_ca_list` configures the context to send those CA |
Jean-Paul Calderone | 911c911 | 2009-10-24 11:12:00 -0400 | [diff] [blame] | 3556 | names to the client and, on both the server and client sides, |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3557 | :py:obj:`Connection.get_client_ca_list` returns a list containing those |
Jean-Paul Calderone | 911c911 | 2009-10-24 11:12:00 -0400 | [diff] [blame] | 3558 | X509Names after the connection is set up. |
| 3559 | """ |
| 3560 | secert = load_certificate(FILETYPE_PEM, server_cert_pem) |
| 3561 | clcert = load_certificate(FILETYPE_PEM, server_cert_pem) |
| 3562 | |
| 3563 | sedesc = secert.get_subject() |
| 3564 | cldesc = clcert.get_subject() |
| 3565 | |
| 3566 | def multiple_ca(ctx): |
| 3567 | L = [sedesc, cldesc] |
| 3568 | ctx.set_client_ca_list(L) |
| 3569 | return L |
| 3570 | self._check_client_ca_list(multiple_ca) |
| 3571 | |
| 3572 | |
| 3573 | def test_reset_ca_list(self): |
| 3574 | """ |
| 3575 | If called multiple times, only the X509Names passed to the final call |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3576 | of :py:obj:`Context.set_client_ca_list` are used to configure the CA names |
Jean-Paul Calderone | 911c911 | 2009-10-24 11:12:00 -0400 | [diff] [blame] | 3577 | sent to the client. |
Ziga Seilnacht | 679c426 | 2009-09-01 01:32:29 +0200 | [diff] [blame] | 3578 | """ |
| 3579 | cacert = load_certificate(FILETYPE_PEM, root_cert_pem) |
| 3580 | secert = load_certificate(FILETYPE_PEM, server_cert_pem) |
| 3581 | clcert = load_certificate(FILETYPE_PEM, server_cert_pem) |
| 3582 | |
| 3583 | cadesc = cacert.get_subject() |
| 3584 | sedesc = secert.get_subject() |
| 3585 | cldesc = clcert.get_subject() |
| 3586 | |
Ziga Seilnacht | f93bf10 | 2009-10-23 09:51:07 +0200 | [diff] [blame] | 3587 | def changed_ca(ctx): |
| 3588 | ctx.set_client_ca_list([sedesc, cldesc]) |
| 3589 | ctx.set_client_ca_list([cadesc]) |
Ziga Seilnacht | 679c426 | 2009-09-01 01:32:29 +0200 | [diff] [blame] | 3590 | return [cadesc] |
Ziga Seilnacht | f93bf10 | 2009-10-23 09:51:07 +0200 | [diff] [blame] | 3591 | self._check_client_ca_list(changed_ca) |
Ziga Seilnacht | 679c426 | 2009-09-01 01:32:29 +0200 | [diff] [blame] | 3592 | |
Jean-Paul Calderone | 911c911 | 2009-10-24 11:12:00 -0400 | [diff] [blame] | 3593 | |
| 3594 | def test_mutated_ca_list(self): |
| 3595 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3596 | If the list passed to :py:obj:`Context.set_client_ca_list` is mutated |
Jean-Paul Calderone | 911c911 | 2009-10-24 11:12:00 -0400 | [diff] [blame] | 3597 | afterwards, this does not affect the list of CA names sent to the |
| 3598 | client. |
| 3599 | """ |
| 3600 | cacert = load_certificate(FILETYPE_PEM, root_cert_pem) |
| 3601 | secert = load_certificate(FILETYPE_PEM, server_cert_pem) |
| 3602 | |
| 3603 | cadesc = cacert.get_subject() |
| 3604 | sedesc = secert.get_subject() |
| 3605 | |
Ziga Seilnacht | f93bf10 | 2009-10-23 09:51:07 +0200 | [diff] [blame] | 3606 | def mutated_ca(ctx): |
Ziga Seilnacht | 679c426 | 2009-09-01 01:32:29 +0200 | [diff] [blame] | 3607 | L = [cadesc] |
Ziga Seilnacht | f93bf10 | 2009-10-23 09:51:07 +0200 | [diff] [blame] | 3608 | ctx.set_client_ca_list([cadesc]) |
Ziga Seilnacht | 679c426 | 2009-09-01 01:32:29 +0200 | [diff] [blame] | 3609 | L.append(sedesc) |
| 3610 | return [cadesc] |
Ziga Seilnacht | f93bf10 | 2009-10-23 09:51:07 +0200 | [diff] [blame] | 3611 | self._check_client_ca_list(mutated_ca) |
Ziga Seilnacht | 679c426 | 2009-09-01 01:32:29 +0200 | [diff] [blame] | 3612 | |
| 3613 | |
Jean-Paul Calderone | 911c911 | 2009-10-24 11:12:00 -0400 | [diff] [blame] | 3614 | def test_add_client_ca_errors(self): |
Ziga Seilnacht | 679c426 | 2009-09-01 01:32:29 +0200 | [diff] [blame] | 3615 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3616 | :py:obj:`Context.add_client_ca` raises :py:obj:`TypeError` if called with a non-X509 |
Jean-Paul Calderone | 911c911 | 2009-10-24 11:12:00 -0400 | [diff] [blame] | 3617 | object or with a number of arguments other than one. |
Ziga Seilnacht | 679c426 | 2009-09-01 01:32:29 +0200 | [diff] [blame] | 3618 | """ |
| 3619 | ctx = Context(TLSv1_METHOD) |
| 3620 | cacert = load_certificate(FILETYPE_PEM, root_cert_pem) |
Jean-Paul Calderone | 911c911 | 2009-10-24 11:12:00 -0400 | [diff] [blame] | 3621 | self.assertRaises(TypeError, ctx.add_client_ca) |
Ziga Seilnacht | f93bf10 | 2009-10-23 09:51:07 +0200 | [diff] [blame] | 3622 | self.assertRaises(TypeError, ctx.add_client_ca, "spam") |
Jean-Paul Calderone | 911c911 | 2009-10-24 11:12:00 -0400 | [diff] [blame] | 3623 | self.assertRaises(TypeError, ctx.add_client_ca, cacert, cacert) |
Ziga Seilnacht | 679c426 | 2009-09-01 01:32:29 +0200 | [diff] [blame] | 3624 | |
| 3625 | |
Jean-Paul Calderone | 055a917 | 2009-10-24 13:45:11 -0400 | [diff] [blame] | 3626 | def test_one_add_client_ca(self): |
Ziga Seilnacht | 679c426 | 2009-09-01 01:32:29 +0200 | [diff] [blame] | 3627 | """ |
Jean-Paul Calderone | 055a917 | 2009-10-24 13:45:11 -0400 | [diff] [blame] | 3628 | A certificate's subject can be added as a CA to be sent to the client |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3629 | with :py:obj:`Context.add_client_ca`. |
Jean-Paul Calderone | 055a917 | 2009-10-24 13:45:11 -0400 | [diff] [blame] | 3630 | """ |
| 3631 | cacert = load_certificate(FILETYPE_PEM, root_cert_pem) |
| 3632 | cadesc = cacert.get_subject() |
| 3633 | def single_ca(ctx): |
| 3634 | ctx.add_client_ca(cacert) |
| 3635 | return [cadesc] |
| 3636 | self._check_client_ca_list(single_ca) |
| 3637 | |
| 3638 | |
| 3639 | def test_multiple_add_client_ca(self): |
| 3640 | """ |
| 3641 | Multiple CA names can be sent to the client by calling |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3642 | :py:obj:`Context.add_client_ca` with multiple X509 objects. |
Jean-Paul Calderone | 055a917 | 2009-10-24 13:45:11 -0400 | [diff] [blame] | 3643 | """ |
| 3644 | cacert = load_certificate(FILETYPE_PEM, root_cert_pem) |
| 3645 | secert = load_certificate(FILETYPE_PEM, server_cert_pem) |
| 3646 | |
| 3647 | cadesc = cacert.get_subject() |
| 3648 | sedesc = secert.get_subject() |
| 3649 | |
| 3650 | def multiple_ca(ctx): |
| 3651 | ctx.add_client_ca(cacert) |
| 3652 | ctx.add_client_ca(secert) |
| 3653 | return [cadesc, sedesc] |
| 3654 | self._check_client_ca_list(multiple_ca) |
| 3655 | |
| 3656 | |
| 3657 | def test_set_and_add_client_ca(self): |
| 3658 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3659 | A call to :py:obj:`Context.set_client_ca_list` followed by a call to |
| 3660 | :py:obj:`Context.add_client_ca` results in using the CA names from the first |
Jean-Paul Calderone | 055a917 | 2009-10-24 13:45:11 -0400 | [diff] [blame] | 3661 | call and the CA name from the second call. |
Ziga Seilnacht | 679c426 | 2009-09-01 01:32:29 +0200 | [diff] [blame] | 3662 | """ |
| 3663 | cacert = load_certificate(FILETYPE_PEM, root_cert_pem) |
| 3664 | secert = load_certificate(FILETYPE_PEM, server_cert_pem) |
| 3665 | clcert = load_certificate(FILETYPE_PEM, server_cert_pem) |
| 3666 | |
| 3667 | cadesc = cacert.get_subject() |
| 3668 | sedesc = secert.get_subject() |
| 3669 | cldesc = clcert.get_subject() |
| 3670 | |
Ziga Seilnacht | f93bf10 | 2009-10-23 09:51:07 +0200 | [diff] [blame] | 3671 | def mixed_set_add_ca(ctx): |
| 3672 | ctx.set_client_ca_list([cadesc, sedesc]) |
| 3673 | ctx.add_client_ca(clcert) |
Ziga Seilnacht | 679c426 | 2009-09-01 01:32:29 +0200 | [diff] [blame] | 3674 | return [cadesc, sedesc, cldesc] |
Ziga Seilnacht | f93bf10 | 2009-10-23 09:51:07 +0200 | [diff] [blame] | 3675 | self._check_client_ca_list(mixed_set_add_ca) |
Ziga Seilnacht | 679c426 | 2009-09-01 01:32:29 +0200 | [diff] [blame] | 3676 | |
Jean-Paul Calderone | 055a917 | 2009-10-24 13:45:11 -0400 | [diff] [blame] | 3677 | |
| 3678 | def test_set_after_add_client_ca(self): |
| 3679 | """ |
Jonathan Ballet | 648875f | 2011-07-16 14:14:58 +0900 | [diff] [blame] | 3680 | A call to :py:obj:`Context.set_client_ca_list` after a call to |
| 3681 | :py:obj:`Context.add_client_ca` replaces the CA name specified by the former |
Jean-Paul Calderone | 055a917 | 2009-10-24 13:45:11 -0400 | [diff] [blame] | 3682 | call with the names specified by the latter cal. |
| 3683 | """ |
| 3684 | cacert = load_certificate(FILETYPE_PEM, root_cert_pem) |
| 3685 | secert = load_certificate(FILETYPE_PEM, server_cert_pem) |
| 3686 | clcert = load_certificate(FILETYPE_PEM, server_cert_pem) |
| 3687 | |
| 3688 | cadesc = cacert.get_subject() |
| 3689 | sedesc = secert.get_subject() |
Jean-Paul Calderone | 055a917 | 2009-10-24 13:45:11 -0400 | [diff] [blame] | 3690 | |
Ziga Seilnacht | f93bf10 | 2009-10-23 09:51:07 +0200 | [diff] [blame] | 3691 | def set_replaces_add_ca(ctx): |
| 3692 | ctx.add_client_ca(clcert) |
| 3693 | ctx.set_client_ca_list([cadesc]) |
| 3694 | ctx.add_client_ca(secert) |
Ziga Seilnacht | 679c426 | 2009-09-01 01:32:29 +0200 | [diff] [blame] | 3695 | return [cadesc, sedesc] |
Ziga Seilnacht | f93bf10 | 2009-10-23 09:51:07 +0200 | [diff] [blame] | 3696 | self._check_client_ca_list(set_replaces_add_ca) |
Ziga Seilnacht | 679c426 | 2009-09-01 01:32:29 +0200 | [diff] [blame] | 3697 | |
Jean-Paul Calderone | 0b88b6a | 2009-07-05 12:44:41 -0400 | [diff] [blame] | 3698 | |
Jean-Paul Calderone | d899af0 | 2013-03-19 22:10:37 -0700 | [diff] [blame] | 3699 | |
| 3700 | class ConnectionBIOTests(TestCase): |
| 3701 | """ |
| 3702 | Tests for :py:obj:`Connection.bio_read` and :py:obj:`Connection.bio_write`. |
| 3703 | """ |
| 3704 | def test_wantReadError(self): |
| 3705 | """ |
| 3706 | :py:obj:`Connection.bio_read` raises :py:obj:`OpenSSL.SSL.WantReadError` |
| 3707 | if there are no bytes available to be read from the BIO. |
| 3708 | """ |
| 3709 | ctx = Context(TLSv1_METHOD) |
| 3710 | conn = Connection(ctx, None) |
| 3711 | self.assertRaises(WantReadError, conn.bio_read, 1024) |
| 3712 | |
| 3713 | |
Jean-Paul Calderone | bef4f4c | 2014-02-02 18:13:31 -0500 | [diff] [blame] | 3714 | def test_buffer_size(self): |
| 3715 | """ |
| 3716 | :py:obj:`Connection.bio_read` accepts an integer giving the maximum |
| 3717 | number of bytes to read and return. |
| 3718 | """ |
| 3719 | ctx = Context(TLSv1_METHOD) |
| 3720 | conn = Connection(ctx, None) |
| 3721 | conn.set_connect_state() |
| 3722 | try: |
| 3723 | conn.do_handshake() |
| 3724 | except WantReadError: |
| 3725 | pass |
| 3726 | data = conn.bio_read(2) |
| 3727 | self.assertEqual(2, len(data)) |
| 3728 | |
| 3729 | |
| 3730 | if not PY3: |
| 3731 | def test_buffer_size_long(self): |
| 3732 | """ |
| 3733 | On Python 2 :py:obj:`Connection.bio_read` accepts values of type |
| 3734 | :py:obj:`long` as well as :py:obj:`int`. |
| 3735 | """ |
| 3736 | ctx = Context(TLSv1_METHOD) |
| 3737 | conn = Connection(ctx, None) |
| 3738 | conn.set_connect_state() |
| 3739 | try: |
| 3740 | conn.do_handshake() |
| 3741 | except WantReadError: |
| 3742 | pass |
| 3743 | data = conn.bio_read(long(2)) |
| 3744 | self.assertEqual(2, len(data)) |
| 3745 | |
| 3746 | |
| 3747 | |
Jean-Paul Calderone | d899af0 | 2013-03-19 22:10:37 -0700 | [diff] [blame] | 3748 | |
Jean-Paul Calderone | 31e85a8 | 2011-03-21 19:13:35 -0400 | [diff] [blame] | 3749 | class InfoConstantTests(TestCase): |
| 3750 | """ |
| 3751 | Tests for assorted constants exposed for use in info callbacks. |
| 3752 | """ |
| 3753 | def test_integers(self): |
| 3754 | """ |
| 3755 | All of the info constants are integers. |
| 3756 | |
| 3757 | This is a very weak test. It would be nice to have one that actually |
| 3758 | verifies that as certain info events happen, the value passed to the |
| 3759 | info callback matches up with the constant exposed by OpenSSL.SSL. |
| 3760 | """ |
| 3761 | for const in [ |
| 3762 | SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK, SSL_ST_INIT, |
| 3763 | SSL_ST_BEFORE, SSL_ST_OK, SSL_ST_RENEGOTIATE, |
| 3764 | SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT, |
| 3765 | SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP, |
| 3766 | SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT, |
| 3767 | SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE]: |
| 3768 | |
| 3769 | self.assertTrue(isinstance(const, int)) |
| 3770 | |
Ziga Seilnacht | 44611bf | 2009-08-31 20:49:30 +0200 | [diff] [blame] | 3771 | |
Jean-Paul Calderone | 0b88b6a | 2009-07-05 12:44:41 -0400 | [diff] [blame] | 3772 | if __name__ == '__main__': |
| 3773 | main() |