Blame - tests/test_ssl.py - platform/external/python/pyopenssl

2008-03-21 17:04:05 -0400

[diff] [blame]

4

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

5

Unit tests for :mod:`OpenSSL.SSL`.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

6

"""

7

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

8

import datetime

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

9

import sys

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

10

import uuid

11

Jean-Paul Calderone

4c1aacd

2014-01-11 08:15:17 -0500

[diff] [blame]

12

from gc import collect, get_referrers

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

13

from errno import ECONNREFUSED, EINPROGRESS, EWOULDBLOCK, EPIPE, ESHUTDOWN

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

14

from sys import platform, getfilesystemencoding, version_info

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

15

from socket import MSG_PEEK, SHUT_RDWR, error, socket

Jean-Paul Calderone

a65cf6c

2009-07-19 10:26:52 -0400

[diff] [blame]

16

from os import makedirs

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

17

from os.path import join

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

18

from weakref import ref

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

19

from warnings import simplefilter

Jean-Paul Calderone

460cc1f

2009-03-07 11:31:12 -0500

[diff] [blame]

20

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

21

import pytest

22

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

23

from pretend import raiser

24

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

25

from six import PY3, text_type

Jean-Paul Calderone

c76c61c

2014-01-18 13:21:52 -0500

[diff] [blame]

26

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

27

from cryptography import x509

28

from cryptography.hazmat.backends import default_backend

29

from cryptography.hazmat.primitives import hashes

30

from cryptography.hazmat.primitives import serialization

31

from cryptography.hazmat.primitives.asymmetric import rsa

32

from cryptography.x509.oid import NameOID

33

34

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

35

from OpenSSL.crypto import TYPE_RSA, FILETYPE_PEM

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

36

from OpenSSL.crypto import PKey, X509, X509Extension, X509Store

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

37

from OpenSSL.crypto import dump_privatekey, load_privatekey

38

from OpenSSL.crypto import dump_certificate, load_certificate

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

39

from OpenSSL.crypto import get_elliptic_curves

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

40

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

41

from OpenSSL.SSL import OPENSSL_VERSION_NUMBER, SSLEAY_VERSION, SSLEAY_CFLAGS

42

from OpenSSL.SSL import SSLEAY_PLATFORM, SSLEAY_DIR, SSLEAY_BUILT_ON

Jean-Paul Calderone

e4f6b47

2010-07-29 22:50:58 -0400

[diff] [blame]

43

from OpenSSL.SSL import SENT_SHUTDOWN, RECEIVED_SHUTDOWN

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

44

from OpenSSL.SSL import (

45

SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD,

46

TLSv1_1_METHOD, TLSv1_2_METHOD)

47

from OpenSSL.SSL import OP_SINGLE_DH_USE, OP_NO_SSLv2, OP_NO_SSLv3

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

48

from OpenSSL.SSL import (

49

VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT, VERIFY_CLIENT_ONCE, VERIFY_NONE)

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

50

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

51

from OpenSSL import SSL

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

52

from OpenSSL.SSL import (

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

53

SESS_CACHE_OFF, SESS_CACHE_CLIENT, SESS_CACHE_SERVER, SESS_CACHE_BOTH,

54

SESS_CACHE_NO_AUTO_CLEAR, SESS_CACHE_NO_INTERNAL_LOOKUP,

55

SESS_CACHE_NO_INTERNAL_STORE, SESS_CACHE_NO_INTERNAL)

56

57

from OpenSSL.SSL import (

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

58

Error, SysCallError, WantReadError, WantWriteError, ZeroReturnError)

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

59

from OpenSSL.SSL import (

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

60

Context, ContextType, Session, Connection, ConnectionType, SSLeay_version)

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

61

from OpenSSL.SSL import _make_requires

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

62

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

63

from OpenSSL._util import ffi as _ffi, lib as _lib

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

64

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

65

from OpenSSL.SSL import (

66

OP_NO_QUERY_MTU, OP_COOKIE_EXCHANGE, OP_NO_TICKET, OP_NO_COMPRESSION,

67

MODE_RELEASE_BUFFERS)

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

68

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

69

from OpenSSL.SSL import (

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

70

SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK,

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

71

SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT,

72

SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP,

73

SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT,

74

SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE)

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

75

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

76

try:

77

from OpenSSL.SSL import (

78

SSL_ST_INIT, SSL_ST_BEFORE, SSL_ST_OK, SSL_ST_RENEGOTIATE

79

)

80

except ImportError:

81

SSL_ST_INIT = SSL_ST_BEFORE = SSL_ST_OK = SSL_ST_RENEGOTIATE = None

82

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

83

from .util import WARNING_TYPE_EXPECTED, NON_ASCII, is_consistent_type

Hynek Schlawack

f0e6685

2015-10-16 20:18:38 +0200

[diff] [blame]

84

from .test_crypto import (

85

cleartextCertificatePEM, cleartextPrivateKeyPEM,

86

client_cert_pem, client_key_pem, server_cert_pem, server_key_pem,

87

root_cert_pem)

88

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

89

Alex Gaynor

d0bdd2d

2016-09-10 14:23:46 -0400

[diff] [blame]

90

# openssl dhparam 1024 -out dh-1024.pem (note that 1024 is a small number of

91

# bits to use)

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

92

dhparam = """\

93

-----BEGIN DH PARAMETERS-----

Alex Gaynor

d0bdd2d

2016-09-10 14:23:46 -0400

[diff] [blame]

94

MIGHAoGBALdUMvn+C9MM+y5BWZs11mSeH6HHoEq0UVbzVq7UojC1hbsZUuGukQ3a

95

Qh2/pwqb18BZFykrWB0zv/OkLa0kx4cuUgNrUVq1EFheBiX6YqryJ7t2sO09NQiO

96

V7H54LmltOT/hEh6QWsJqb6BQgH65bswvV/XkYGja8/T0GzvbaVzAgEC

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

97

-----END DH PARAMETERS-----

"""

Hynek Schlawack

2015-09-05 20:48:34 +0200

[diff] [blame]

101

skip_if_py3 = pytest.mark.skipif(PY3, reason="Python 2 only")

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

102

skip_if_py26 = pytest.mark.skipif(

103

version_info[0:2] == (2, 6),

104

reason="Python 2.7 and later only"

105

)

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

106

107

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

108

def join_bytes_or_unicode(prefix, suffix):

109

"""

110

Join two path components of either ``bytes`` or ``unicode``.

111

112

The return type is the same as the type of ``prefix``.

113

"""

114

# If the types are the same, nothing special is necessary.

115

if type(prefix) == type(suffix):

116

return join(prefix, suffix)

117

118

# Otherwise, coerce suffix to the type of prefix.

119

if isinstance(prefix, text_type):

120

return join(prefix, suffix.decode(getfilesystemencoding()))

121

else:

122

return join(prefix, suffix.encode(getfilesystemencoding()))

123

124

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

125

def verify_cb(conn, cert, errnum, depth, ok):

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

126

return ok

127

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

128

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

129

def socket_pair():

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

130

"""

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

131

Establish and return a pair of network sockets connected to each other.

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

132

"""

133

# Connect a pair of sockets

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

port = socket()

port.bind(('', 0))

port.listen(1)

client = socket()

client.setblocking(False)

Jean-Paul Calderone

f23c5d9

2009-07-23 17:58:15 -0400

[diff] [blame]

139

client.connect_ex(("127.0.0.1", port.getsockname()[1]))

Jean-Paul Calderone

94b24a8

2009-07-16 19:11:38 -0400

[diff] [blame]

140

client.setblocking(True)

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

141

server = port.accept()[0]

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

142

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

143

# Let's pass some unencrypted data to make sure our socket connection is

144

# fine. Just one byte, so we don't have to worry about buffers getting

145

# filled up or fragmentation.

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

146

server.send(b"x")

147

assert client.recv(1024) == b"x"

148

client.send(b"y")

149

assert server.recv(1024) == b"y"

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

150

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

151

# Most of our callers want non-blocking sockets, make it easy for them.

Jean-Paul Calderone

94b24a8

2009-07-16 19:11:38 -0400

[diff] [blame]

152

server.setblocking(False)

153

client.setblocking(False)

Jim Shaver

46f2891

2015-05-29 19:32:16 -0400

[diff] [blame]

154

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

155

return (server, client)

156

157

Jean-Paul Calderone

f874203

2010-09-25 00:00:32 -0400

[diff] [blame]

158

def handshake(client, server):

159

conns = [client, server]

while conns:

for conn in conns:

try:

conn.do_handshake()

except WantReadError:

pass

else:

conns.remove(conn)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

170

def _create_certificate_chain():

171

"""

172

Construct and return a chain of certificates.

173

174

1. A new self-signed certificate authority certificate (cacert)

175

2. A new intermediate certificate signed by cacert (icert)

176

3. A new server certificate signed by icert (scert)

177

"""

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

178

caext = X509Extension(b'basicConstraints', False, b'CA:true')

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

179

180

# Step 1

181

cakey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

182

cakey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

183

cacert = X509()

184

cacert.get_subject().commonName = "Authority Certificate"

185

cacert.set_issuer(cacert.get_subject())

186

cacert.set_pubkey(cakey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

187

cacert.set_notBefore(b"20000101000000Z")

188

cacert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

189

cacert.add_extensions([caext])

190

cacert.set_serial_number(0)

191

cacert.sign(cakey, "sha1")

192

193

# Step 2

194

ikey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

195

ikey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

196

icert = X509()

197

icert.get_subject().commonName = "Intermediate Certificate"

198

icert.set_issuer(cacert.get_subject())

199

icert.set_pubkey(ikey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

200

icert.set_notBefore(b"20000101000000Z")

201

icert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

202

icert.add_extensions([caext])

203

icert.set_serial_number(0)

204

icert.sign(cakey, "sha1")

205

206

# Step 3

207

skey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

208

skey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

209

scert = X509()

210

scert.get_subject().commonName = "Server Certificate"

211

scert.set_issuer(icert.get_subject())

212

scert.set_pubkey(skey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

213

scert.set_notBefore(b"20000101000000Z")

214

scert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

215

scert.add_extensions([

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

216

X509Extension(b'basicConstraints', True, b'CA:false')])

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

217

scert.set_serial_number(0)

218

scert.sign(ikey, "sha1")

219

220

return [(cakey, cacert), (ikey, icert), (skey, scert)]

221

222

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

223

def loopback_client_factory(socket):

Alex Gaynor

85b1758

2017-08-07 11:52:08 -0400

[diff] [blame]

224

client = Connection(Context(SSLv23_METHOD), socket)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

225

client.set_connect_state()

return client

def loopback_server_factory(socket):

Alex Gaynor

85b1758

2017-08-07 11:52:08 -0400

[diff] [blame]

230

ctx = Context(SSLv23_METHOD)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

231

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

232

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

233

server = Connection(ctx, socket)

234

server.set_accept_state()

return server

def loopback(server_factory=None, client_factory=None):

239

"""

240

Create a connected socket pair and force two connected SSL sockets

241

to talk to each other via memory BIOs.

242

"""

243

if server_factory is None:

244

server_factory = loopback_server_factory

245

if client_factory is None:

246

client_factory = loopback_client_factory

247

248

(server, client) = socket_pair()

249

server = server_factory(server)

250

client = client_factory(client)

251

252

handshake(client, server)

253

254

server.setblocking(True)

255

client.setblocking(True)

256

return server, client

257

258

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

259

def interact_in_memory(client_conn, server_conn):

260

"""

261

Try to read application bytes from each of the two `Connection` objects.

262

Copy bytes back and forth between their send/receive buffers for as long

263

as there is anything to copy. When there is nothing more to copy,

264

return `None`. If one of them actually manages to deliver some application

265

bytes, return a two-tuple of the connection from which the bytes were read

266

and the bytes themselves.

"""

wrote = True

while wrote:

# Loop until neither side has anything to say

271

wrote = False

272

273

# Copy stuff from each side's send buffer to the other side's

274

# receive buffer.

275

for (read, write) in [(client_conn, server_conn),

276

(server_conn, client_conn)]:

277

278

# Give the side a chance to generate some more bytes, or succeed.

279

try:

280

data = read.recv(2 ** 16)

281

except WantReadError:

282

# It didn't succeed, so we'll hope it generated some output.

283

pass

284

else:

285

# It did succeed, so we'll stop now and let the caller deal

# with it.

return (read, data)

while True:

# Keep copying as long as there's more stuff there.

291

try:

292

dirty = read.bio_read(4096)

293

except WantReadError:

294

# Okay, nothing more waiting to be sent. Stop

295

# processing this send buffer.

296

break

297

else:

298

# Keep track of the fact that someone generated some

299

# output.

300

wrote = True

301

write.bio_write(dirty)

302

303

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

304

def handshake_in_memory(client_conn, server_conn):

305

"""

306

Perform the TLS handshake between two `Connection` instances connected to

307

each other via memory BIOs.

308

"""

309

client_conn.set_connect_state()

310

server_conn.set_accept_state()

311

312

for conn in [client_conn, server_conn]:

313

try:

314

conn.do_handshake()

315

except WantReadError:

316

pass

317

318

interact_in_memory(client_conn, server_conn)

319

320

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

321

class TestVersion(object):

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

322

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

323

Tests for version information exposed by `OpenSSL.SSL.SSLeay_version` and

324

`OpenSSL.SSL.OPENSSL_VERSION_NUMBER`.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

325

"""

326

def test_OPENSSL_VERSION_NUMBER(self):

327

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

328

`OPENSSL_VERSION_NUMBER` is an integer with status in the low byte and

329

the patch, fix, minor, and major versions in the nibbles above that.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

330

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

331

assert isinstance(OPENSSL_VERSION_NUMBER, int)

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

332

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

333

def test_SSLeay_version(self):

334

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

335

`SSLeay_version` takes a version type indicator and returns one of a

336

number of version strings based on that indicator.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

337

"""

338

versions = {}

339

for t in [SSLEAY_VERSION, SSLEAY_CFLAGS, SSLEAY_BUILT_ON,

340

SSLEAY_PLATFORM, SSLEAY_DIR]:

341

version = SSLeay_version(t)

342

versions[version] = t

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

343

assert isinstance(version, bytes)

344

assert len(versions) == 5

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

345

346

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

347

@pytest.fixture

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

348

def ca_file(tmpdir):

349

"""

350

Create a valid PEM file with CA certificates and return the path.

351

"""

352

key = rsa.generate_private_key(

353

public_exponent=65537,

354

key_size=2048,

355

backend=default_backend()

356

)

357

public_key = key.public_key()

358

359

builder = x509.CertificateBuilder()

360

builder = builder.subject_name(x509.Name([

361

x509.NameAttribute(NameOID.COMMON_NAME, u"pyopenssl.org"),

362

]))

363

builder = builder.issuer_name(x509.Name([

364

x509.NameAttribute(NameOID.COMMON_NAME, u"pyopenssl.org"),

365

]))

366

one_day = datetime.timedelta(1, 0, 0)

367

builder = builder.not_valid_before(datetime.datetime.today() - one_day)

368

builder = builder.not_valid_after(datetime.datetime.today() + one_day)

369

builder = builder.serial_number(int(uuid.uuid4()))

370

builder = builder.public_key(public_key)

371

builder = builder.add_extension(

372

x509.BasicConstraints(ca=True, path_length=None), critical=True,

373

)

374

375

certificate = builder.sign(

376

private_key=key, algorithm=hashes.SHA256(),

377

backend=default_backend()

378

)

379

380

ca_file = tmpdir.join("test.pem")

381

ca_file.write_binary(

382

certificate.public_bytes(

383

encoding=serialization.Encoding.PEM,

)

)

return str(ca_file).encode("ascii")

388

389

390

@pytest.fixture

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

391

def context():

392

"""

393

A simple TLS 1.0 context.

394

"""

395

return Context(TLSv1_METHOD)

396

397

398

class TestContext(object):

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

399

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

400

Unit tests for `OpenSSL.SSL.Context`.

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

401

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

402

@pytest.mark.parametrize("cipher_string", [

403

b"hello world:AES128-SHA",

404

u"hello world:AES128-SHA",

405

])

406

def test_set_cipher_list(self, context, cipher_string):

407

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

408

`Context.set_cipher_list` accepts both byte and unicode strings

Hynek Schlawack

a7a63af

2016-03-11 12:05:26 +0100

[diff] [blame]

409

for naming the ciphers which connections created with the context

410

object will be able to choose from.

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

411

"""

412

context.set_cipher_list(cipher_string)

413

conn = Connection(context, None)

414

415

assert "AES128-SHA" in conn.get_cipher_list()

416

417

@pytest.mark.parametrize("cipher_list,error", [

418

(object(), TypeError),

419

("imaginary-cipher", Error),

420

])

421

def test_set_cipher_list_wrong_args(self, context, cipher_list, error):

422

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

423

`Context.set_cipher_list` raises `TypeError` when passed a non-string

424

argument and raises `OpenSSL.SSL.Error` when passed an incorrect cipher

425

list string.

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

426

"""

427

with pytest.raises(error):

428

context.set_cipher_list(cipher_list)

429

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

430

def test_load_client_ca(self, context, ca_file):

431

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

432

`Context.load_client_ca` works as far as we can tell.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

433

"""

434

context.load_client_ca(ca_file)

435

436

def test_load_client_ca_invalid(self, context, tmpdir):

437

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

438

`Context.load_client_ca` raises an Error if the ca file is invalid.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

439

"""

440

ca_file = tmpdir.join("test.pem")

441

ca_file.write("")

442

443

with pytest.raises(Error) as e:

444

context.load_client_ca(str(ca_file).encode("ascii"))

445

446

assert "PEM routines" == e.value.args[0][0][0]

447

448

def test_load_client_ca_unicode(self, context, ca_file):

449

"""

450

Passing the path as unicode raises a warning but works.

451

"""

452

pytest.deprecated_call(

453

context.load_client_ca, ca_file.decode("ascii")

454

)

455

456

def test_set_session_id(self, context):

457

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

458

`Context.set_session_id` works as far as we can tell.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

459

"""

460

context.set_session_id(b"abc")

461

462

def test_set_session_id_fail(self, context):

463

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

464

`Context.set_session_id` errors are propagated.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

465

"""

466

with pytest.raises(Error) as e:

467

context.set_session_id(b"abc" * 1000)

assert [

("SSL routines",

"SSL_CTX_set_session_id_context",

472

"ssl session id context too long")

473

] == e.value.args[0]

474

475

def test_set_session_id_unicode(self, context):

476

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

477

`Context.set_session_id` raises a warning if a unicode string is

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

478

passed.

479

"""

480

pytest.deprecated_call(context.set_session_id, u"abc")

481

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

482

def test_method(self):

483

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

484

`Context` can be instantiated with one of `SSLv2_METHOD`,

485

`SSLv3_METHOD`, `SSLv23_METHOD`, `TLSv1_METHOD`, `TLSv1_1_METHOD`,

486

or `TLSv1_2_METHOD`.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

487

"""

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

488

methods = [SSLv23_METHOD, TLSv1_METHOD]

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

489

for meth in methods:

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

490

Context(meth)

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

491

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

492

maybe = [SSLv2_METHOD, SSLv3_METHOD, TLSv1_1_METHOD, TLSv1_2_METHOD]

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

for meth in maybe:

try:

Context(meth)

except (Error, ValueError):

497

# Some versions of OpenSSL have SSLv2 / TLSv1.1 / TLSv1.2, some

498

# don't. Difficult to say in advance.

499

pass

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

500

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

501

with pytest.raises(TypeError):

502

Context("")

503

with pytest.raises(ValueError):

504

Context(10)

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

505

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

506

@skip_if_py3

507

def test_method_long(self):

508

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

509

On Python 2 `Context` accepts values of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

510

"""

511

Context(long(TLSv1_METHOD))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

512

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

513

def test_type(self):

514

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

515

`Context` and `ContextType` refer to the same type object and can

516

be used to create instances of that type.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

517

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

518

assert Context is ContextType

519

assert is_consistent_type(Context, 'Context', TLSv1_METHOD)

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

520

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

521

def test_use_privatekey(self):

522

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

523

`Context.use_privatekey` takes an `OpenSSL.crypto.PKey` instance.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

524

"""

525

key = PKey()

526

key.generate_key(TYPE_RSA, 128)

527

ctx = Context(TLSv1_METHOD)

528

ctx.use_privatekey(key)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

529

with pytest.raises(TypeError):

530

ctx.use_privatekey("")

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

531

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

532

def test_use_privatekey_file_missing(self, tmpfile):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

533

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

534

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` when passed

535

the name of a file which does not exist.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

536

"""

537

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

538

with pytest.raises(Error):

539

ctx.use_privatekey_file(tmpfile)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

540

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

541

def _use_privatekey_file_test(self, pemfile, filetype):

542

"""

543

Verify that calling ``Context.use_privatekey_file`` with the given

544

arguments does not raise an exception.

545

"""

546

key = PKey()

547

key.generate_key(TYPE_RSA, 128)

548

549

with open(pemfile, "wt") as pem:

550

pem.write(

551

dump_privatekey(FILETYPE_PEM, key).decode("ascii")

552

)

553

554

ctx = Context(TLSv1_METHOD)

555

ctx.use_privatekey_file(pemfile, filetype)

556

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

557

@pytest.mark.parametrize('filetype', [object(), "", None, 1.0])

558

def test_wrong_privatekey_file_wrong_args(self, tmpfile, filetype):

559

"""

560

`Context.use_privatekey_file` raises `TypeError` when called with

561

a `filetype` which is not a valid file encoding.

562

"""

563

ctx = Context(TLSv1_METHOD)

564

with pytest.raises(TypeError):

565

ctx.use_privatekey_file(tmpfile, filetype)

566

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

567

def test_use_privatekey_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

568

"""

569

A private key can be specified from a file by passing a ``bytes``

570

instance giving the file name to ``Context.use_privatekey_file``.

571

"""

572

self._use_privatekey_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

573

tmpfile + NON_ASCII.encode(getfilesystemencoding()),

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

FILETYPE_PEM,

)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

577

def test_use_privatekey_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

578

"""

579

A private key can be specified from a file by passing a ``unicode``

580

instance giving the file name to ``Context.use_privatekey_file``.

581

"""

582

self._use_privatekey_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

583

tmpfile.decode(getfilesystemencoding()) + NON_ASCII,

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

FILETYPE_PEM,

)

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

587

@skip_if_py3

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

588

def test_use_privatekey_file_long(self, tmpfile):

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

589

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

590

On Python 2 `Context.use_privatekey_file` accepts a filetype of

591

type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

592

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

593

self._use_privatekey_file_test(tmpfile, long(FILETYPE_PEM))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

594

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

595

def test_use_certificate_wrong_args(self):

596

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

597

`Context.use_certificate_wrong_args` raises `TypeError` when not passed

598

exactly one `OpenSSL.crypto.X509` instance as an argument.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

599

"""

600

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

601

with pytest.raises(TypeError):

602

ctx.use_certificate("hello, world")

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

603

604

def test_use_certificate_uninitialized(self):

605

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

606

`Context.use_certificate` raises `OpenSSL.SSL.Error` when passed a

607

`OpenSSL.crypto.X509` instance which has not been initialized

608

(ie, which does not actually have any certificate data).

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

609

"""

610

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

611

with pytest.raises(Error):

612

ctx.use_certificate(X509())

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

613

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

614

def test_use_certificate(self):

615

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

616

`Context.use_certificate` sets the certificate which will be

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

617

used to identify connections created using the context.

618

"""

619

# TODO

620

# Hard to assert anything. But we could set a privatekey then ask

621

# OpenSSL if the cert and key agree using check_privatekey. Then as

622

# long as check_privatekey works right we're good...

623

ctx = Context(TLSv1_METHOD)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

624

ctx.use_certificate(

625

load_certificate(FILETYPE_PEM, cleartextCertificatePEM)

626

)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

627

628

def test_use_certificate_file_wrong_args(self):

629

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

630

`Context.use_certificate_file` raises `TypeError` if the first

631

argument is not a byte string or the second argument is not an integer.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

632

"""

633

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

634

with pytest.raises(TypeError):

635

ctx.use_certificate_file(object(), FILETYPE_PEM)

636

with pytest.raises(TypeError):

637

ctx.use_certificate_file(b"somefile", object())

638

with pytest.raises(TypeError):

639

ctx.use_certificate_file(object(), FILETYPE_PEM)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

640

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

641

def test_use_certificate_file_missing(self, tmpfile):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

642

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

643

`Context.use_certificate_file` raises `OpenSSL.SSL.Error` if passed

644

the name of a file which does not exist.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

645

"""

646

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

647

with pytest.raises(Error):

648

ctx.use_certificate_file(tmpfile)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

649

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

650

def _use_certificate_file_test(self, certificate_file):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

651

"""

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

652

Verify that calling ``Context.use_certificate_file`` with the given

653

filename doesn't raise an exception.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

654

"""

655

# TODO

656

# Hard to assert anything. But we could set a privatekey then ask

657

# OpenSSL if the cert and key agree using check_privatekey. Then as

658

# long as check_privatekey works right we're good...

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

659

with open(certificate_file, "wb") as pem_file:

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

660

pem_file.write(cleartextCertificatePEM)

661

662

ctx = Context(TLSv1_METHOD)

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

663

ctx.use_certificate_file(certificate_file)

664

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

665

def test_use_certificate_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

666

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

667

`Context.use_certificate_file` sets the certificate (given as a

668

`bytes` filename) which will be used to identify connections created

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

669

using the context.

670

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

671

filename = tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

672

self._use_certificate_file_test(filename)

673

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

674

def test_use_certificate_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

675

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

676

`Context.use_certificate_file` sets the certificate (given as a

677

`bytes` filename) which will be used to identify connections created

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

678

using the context.

679

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

680

filename = tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

681

self._use_certificate_file_test(filename)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

682

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

683

@skip_if_py3

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

684

def test_use_certificate_file_long(self, tmpfile):

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

685

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

686

On Python 2 `Context.use_certificate_file` accepts a

687

filetype of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

688

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

689

pem_filename = tmpfile

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

690

with open(pem_filename, "wb") as pem_file:

691

pem_file.write(cleartextCertificatePEM)

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

692

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

693

ctx = Context(TLSv1_METHOD)

694

ctx.use_certificate_file(pem_filename, long(FILETYPE_PEM))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

695

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

696

def test_check_privatekey_valid(self):

697

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

698

`Context.check_privatekey` returns `None` if the `Context` instance

699

has been configured to use a matched key and certificate pair.

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

700

"""

701

key = load_privatekey(FILETYPE_PEM, client_key_pem)

702

cert = load_certificate(FILETYPE_PEM, client_cert_pem)

703

context = Context(TLSv1_METHOD)

704

context.use_privatekey(key)

705

context.use_certificate(cert)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

706

assert None is context.check_privatekey()

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

707

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

708

def test_check_privatekey_invalid(self):

709

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

710

`Context.check_privatekey` raises `Error` if the `Context` instance

711

has been configured to use a key and certificate pair which don't

712

relate to each other.

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

713

"""

714

key = load_privatekey(FILETYPE_PEM, client_key_pem)

715

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

716

context = Context(TLSv1_METHOD)

717

context.use_privatekey(key)

718

context.use_certificate(cert)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

719

with pytest.raises(Error):

720

context.check_privatekey()

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

721

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

722

def test_app_data(self):

723

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

724

`Context.set_app_data` stores an object for later retrieval

725

using `Context.get_app_data`.

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

726

"""

727

app_data = object()

728

context = Context(TLSv1_METHOD)

729

context.set_app_data(app_data)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

730

assert context.get_app_data() is app_data

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

731

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

732

def test_set_options_wrong_args(self):

733

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

734

`Context.set_options` raises `TypeError` if called with

735

a non-`int` argument.

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

736

"""

737

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

738

with pytest.raises(TypeError):

739

context.set_options(None)

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

740

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

741

def test_set_options(self):

742

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

743

`Context.set_options` returns the new options value.

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

744

"""

745

context = Context(TLSv1_METHOD)

746

options = context.set_options(OP_NO_SSLv2)

Alex Gaynor

2310f8b

2016-09-10 14:39:32 -0400

[diff] [blame]

747

assert options & OP_NO_SSLv2 == OP_NO_SSLv2

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

748

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

749

@skip_if_py3

750

def test_set_options_long(self):

751

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

752

On Python 2 `Context.set_options` accepts values of type

753

`long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

754

"""

755

context = Context(TLSv1_METHOD)

756

options = context.set_options(long(OP_NO_SSLv2))

Alex Gaynor

2310f8b

2016-09-10 14:39:32 -0400

[diff] [blame]

757

assert options & OP_NO_SSLv2 == OP_NO_SSLv2

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

758

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

759

def test_set_mode_wrong_args(self):

760

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

761

`Context.set_mode` raises `TypeError` if called with

762

a non-`int` argument.

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

763

"""

764

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

765

with pytest.raises(TypeError):

766

context.set_mode(None)

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

767

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

768

def test_set_mode(self):

769

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

770

`Context.set_mode` accepts a mode bitvector and returns the

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

771

newly set mode.

772

"""

773

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

774

assert MODE_RELEASE_BUFFERS & context.set_mode(MODE_RELEASE_BUFFERS)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

775

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

776

@skip_if_py3

777

def test_set_mode_long(self):

778

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

779

On Python 2 `Context.set_mode` accepts values of type `long` as well

780

as `int`.

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

781

"""

782

context = Context(TLSv1_METHOD)

783

mode = context.set_mode(long(MODE_RELEASE_BUFFERS))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

784

assert MODE_RELEASE_BUFFERS & mode

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

785

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

786

def test_set_timeout_wrong_args(self):

787

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

788

`Context.set_timeout` raises `TypeError` if called with

789

a non-`int` argument.

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

790

"""

791

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

792

with pytest.raises(TypeError):

793

context.set_timeout(None)

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

794

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

795

def test_timeout(self):

796

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

797

`Context.set_timeout` sets the session timeout for all connections

798

created using the context object. `Context.get_timeout` retrieves

799

this value.

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

800

"""

801

context = Context(TLSv1_METHOD)

802

context.set_timeout(1234)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

803

assert context.get_timeout() == 1234

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

804

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

805

@skip_if_py3

806

def test_timeout_long(self):

807

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

808

On Python 2 `Context.set_timeout` accepts values of type `long` as

809

well as int.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

810

"""

811

context = Context(TLSv1_METHOD)

812

context.set_timeout(long(1234))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

813

assert context.get_timeout() == 1234

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

814

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

815

def test_set_verify_depth_wrong_args(self):

816

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

817

`Context.set_verify_depth` raises `TypeError` if called with a

818

non-`int` argument.

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

819

"""

820

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

821

with pytest.raises(TypeError):

822

context.set_verify_depth(None)

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

823

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

824

def test_verify_depth(self):

825

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

826

`Context.set_verify_depth` sets the number of certificates in

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

827

a chain to follow before giving up. The value can be retrieved with

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

828

`Context.get_verify_depth`.

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

829

"""

830

context = Context(TLSv1_METHOD)

831

context.set_verify_depth(11)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

832

assert context.get_verify_depth() == 11

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

833

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

834

@skip_if_py3

835

def test_verify_depth_long(self):

836

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

837

On Python 2 `Context.set_verify_depth` accepts values of type `long`

838

as well as int.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

839

"""

840

context = Context(TLSv1_METHOD)

841

context.set_verify_depth(long(11))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

842

assert context.get_verify_depth() == 11

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

843

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

844

def _write_encrypted_pem(self, passphrase, tmpfile):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

845

"""

846

Write a new private key out to a new file, encrypted using the given

847

passphrase. Return the path to the new file.

848

"""

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

849

key = PKey()

850

key.generate_key(TYPE_RSA, 128)

Jean-Paul Calderone

a986883

2010-08-22 21:38:34 -0400

[diff] [blame]

851

pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

852

with open(tmpfile, 'w') as fObj:

853

fObj.write(pem.decode('ascii'))

854

return tmpfile

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

855

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

856

def test_set_passwd_cb_wrong_args(self):

857

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

858

`Context.set_passwd_cb` raises `TypeError` if called with a

859

non-callable first argument.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

860

"""

861

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

862

with pytest.raises(TypeError):

863

context.set_passwd_cb(None)

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

864

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

865

def test_set_passwd_cb(self, tmpfile):

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

866

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

867

`Context.set_passwd_cb` accepts a callable which will be invoked when

868

a private key is loaded from an encrypted PEM.

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

869

"""

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

870

passphrase = b"foobar"

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

871

pemFile = self._write_encrypted_pem(passphrase, tmpfile)

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

872

calledWith = []

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

873

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

874

def passphraseCallback(maxlen, verify, extra):

875

calledWith.append((maxlen, verify, extra))

876

return passphrase

877

context = Context(TLSv1_METHOD)

878

context.set_passwd_cb(passphraseCallback)

879

context.use_privatekey_file(pemFile)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

880

assert len(calledWith) == 1

881

assert isinstance(calledWith[0][0], int)

882

assert isinstance(calledWith[0][1], int)

883

assert calledWith[0][2] is None

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

884

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

885

def test_passwd_callback_exception(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

886

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

887

`Context.use_privatekey_file` propagates any exception raised

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

888

by the passphrase callback.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

889

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

890

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

891

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

892

def passphraseCallback(maxlen, verify, extra):

893

raise RuntimeError("Sorry, I am a fail.")

894

895

context = Context(TLSv1_METHOD)

896

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

897

with pytest.raises(RuntimeError):

898

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

899

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

900

def test_passwd_callback_false(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

901

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

902

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` if the

903

passphrase callback returns a false value.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

904

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

905

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

906

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

907

def passphraseCallback(maxlen, verify, extra):

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

908

return b""

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

909

910

context = Context(TLSv1_METHOD)

911

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

912

with pytest.raises(Error):

913

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

914

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

915

def test_passwd_callback_non_string(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

916

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

917

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` if the

918

passphrase callback returns a true non-string value.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

919

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

920

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

921

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

922

def passphraseCallback(maxlen, verify, extra):

923

return 10

924

925

context = Context(TLSv1_METHOD)

926

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

927

# TODO: Surely this is the wrong error?

928

with pytest.raises(ValueError):

929

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

930

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

931

def test_passwd_callback_too_long(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

932

"""

933

If the passphrase returned by the passphrase callback returns a string

934

longer than the indicated maximum length, it is truncated.

935

"""

936

# A priori knowledge!

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

937

passphrase = b"x" * 1024

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

938

pemFile = self._write_encrypted_pem(passphrase, tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

939

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

940

def passphraseCallback(maxlen, verify, extra):

941

assert maxlen == 1024

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

942

return passphrase + b"y"

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

943

944

context = Context(TLSv1_METHOD)

945

context.set_passwd_cb(passphraseCallback)

946

# This shall succeed because the truncated result is the correct

947

# passphrase.

948

context.use_privatekey_file(pemFile)

949

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

950

def test_set_info_callback(self):

951

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

952

`Context.set_info_callback` accepts a callable which will be

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

953

invoked when certain information about an SSL connection is available.

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

954

"""

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

955

(server, client) = socket_pair()

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

956

957

clientSSL = Connection(Context(TLSv1_METHOD), client)

958

clientSSL.set_connect_state()

959

960

called = []

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

961

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

962

def info(conn, where, ret):

963

called.append((conn, where, ret))

964

context = Context(TLSv1_METHOD)

965

context.set_info_callback(info)

966

context.use_certificate(

967

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

968

context.use_privatekey(

969

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

970

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

971

serverSSL = Connection(context, server)

972

serverSSL.set_accept_state()

973

Jean-Paul Calderone

f2bbc9c

2014-02-02 10:59:14 -0500

[diff] [blame]

974

handshake(clientSSL, serverSSL)

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

975

Jean-Paul Calderone

3835e52

2014-02-02 11:12:30 -0500

[diff] [blame]

976

# The callback must always be called with a Connection instance as the

977

# first argument. It would probably be better to split this into

978

# separate tests for client and server side info callbacks so we could

979

# assert it is called with the right Connection instance. It would

980

# also be good to assert *something* about `where` and `ret`.

Jean-Paul Calderone

f2bbc9c

2014-02-02 10:59:14 -0500

[diff] [blame]

981

notConnections = [

982

conn for (conn, where, ret) in called

983

if not isinstance(conn, Connection)]

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

984

assert [] == notConnections, (

985

"Some info callback arguments were not Connection instances.")

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

986

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

987

def _load_verify_locations_test(self, *args):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

988

"""

989

Create a client context which will verify the peer certificate and call

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

990

its `load_verify_locations` method with the given arguments.

Jean-Paul Calderone

64efa2c

2011-09-11 10:00:09 -0400

[diff] [blame]

991

Then connect it to a server and ensure that the handshake succeeds.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

992

"""

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

993

(server, client) = socket_pair()

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

994

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

995

clientContext = Context(TLSv1_METHOD)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

996

clientContext.load_verify_locations(*args)

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

997

# Require that the server certificate verify properly or the

998

# connection will fail.

999

clientContext.set_verify(

1000

VERIFY_PEER,

1001

lambda conn, cert, errno, depth, preverify_ok: preverify_ok)

1002

1003

clientSSL = Connection(clientContext, client)

1004

clientSSL.set_connect_state()

1005

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1006

serverContext = Context(TLSv1_METHOD)

1007

serverContext.use_certificate(

1008

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1009

serverContext.use_privatekey(

1010

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1011

1012

serverSSL = Connection(serverContext, server)

1013

serverSSL.set_accept_state()

1014

Jean-Paul Calderone

f874203

2010-09-25 00:00:32 -0400

[diff] [blame]

1015

# Without load_verify_locations above, the handshake

1016

# will fail:

1017

# Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE',

1018

# 'certificate verify failed')]

1019

handshake(clientSSL, serverSSL)

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1020

1021

cert = clientSSL.get_peer_certificate()

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1022

assert cert.get_subject().CN == 'Testing Root CA'

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1023

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1024

def _load_verify_cafile(self, cafile):

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1025

"""

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1026

Verify that if path to a file containing a certificate is passed to

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1027

`Context.load_verify_locations` for the ``cafile`` parameter, that

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1028

certificate is used as a trust root for the purposes of verifying

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1029

connections created using that `Context`.

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1030

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1031

with open(cafile, 'w') as fObj:

1032

fObj.write(cleartextCertificatePEM.decode('ascii'))

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1033

1034

self._load_verify_locations_test(cafile)

1035

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1036

def test_load_verify_bytes_cafile(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1037

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1038

`Context.load_verify_locations` accepts a file name as a `bytes`

1039

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1040

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1041

cafile = tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1042

self._load_verify_cafile(cafile)

1043

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1044

def test_load_verify_unicode_cafile(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1045

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1046

`Context.load_verify_locations` accepts a file name as a `unicode`

1047

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1048

"""

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1049

self._load_verify_cafile(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1050

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1051

)

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1052

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1053

def test_load_verify_invalid_file(self, tmpfile):

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1054

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1055

`Context.load_verify_locations` raises `Error` when passed a

1056

non-existent cafile.

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1057

"""

1058

clientContext = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1059

with pytest.raises(Error):

1060

clientContext.load_verify_locations(tmpfile)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1061

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1062

def _load_verify_directory_locations_capath(self, capath):

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1063

"""

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1064

Verify that if path to a directory containing certificate files is

1065

passed to ``Context.load_verify_locations`` for the ``capath``

1066

parameter, those certificates are used as trust roots for the purposes

1067

of verifying connections created using that ``Context``.

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1068

"""

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1069

makedirs(capath)

Jean-Paul Calderone

24dfb33

2011-05-04 18:10:26 -0400

[diff] [blame]

1070

# Hash values computed manually with c_rehash to avoid depending on

1071

# c_rehash in the test suite. One is from OpenSSL 0.9.8, the other

1072

# from OpenSSL 1.0.0.

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

1073

for name in [b'c7adac82.0', b'c3705638.0']:

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

1074

cafile = join_bytes_or_unicode(capath, name)

1075

with open(cafile, 'w') as fObj:

1076

fObj.write(cleartextCertificatePEM.decode('ascii'))

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1077

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1078

self._load_verify_locations_test(None, capath)

1079

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1080

def test_load_verify_directory_bytes_capath(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1081

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1082

`Context.load_verify_locations` accepts a directory name as a `bytes`

1083

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1084

"""

1085

self._load_verify_directory_locations_capath(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1086

tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1087

)

1088

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1089

def test_load_verify_directory_unicode_capath(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1090

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1091

`Context.load_verify_locations` accepts a directory name as a `unicode`

1092

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1093

"""

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1094

self._load_verify_directory_locations_capath(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1095

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1096

)

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1097

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1098

def test_load_verify_locations_wrong_args(self):

1099

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1100

`Context.load_verify_locations` raises `TypeError` if with non-`str`

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1101

arguments.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1102

"""

1103

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1104

with pytest.raises(TypeError):

1105

context.load_verify_locations(object())

1106

with pytest.raises(TypeError):

1107

context.load_verify_locations(object(), object())

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1108

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1109

@pytest.mark.skipif(

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

1110

not platform.startswith("linux"),

1111

reason="Loading fallback paths is a linux-specific behavior to "

1112

"accommodate pyca/cryptography manylinux1 wheels"

1113

)

1114

def test_fallback_default_verify_paths(self, monkeypatch):

1115

"""

1116

Test that we load certificates successfully on linux from the fallback

1117

path. To do this we set the _CRYPTOGRAPHY_MANYLINUX1_CA_FILE and

1118

_CRYPTOGRAPHY_MANYLINUX1_CA_DIR vars to be equal to whatever the

1119

current OpenSSL default is and we disable

1120

SSL_CTX_SET_default_verify_paths so that it can't find certs unless

1121

it loads via fallback.

1122

"""

1123

context = Context(TLSv1_METHOD)

1124

monkeypatch.setattr(

1125

_lib, "SSL_CTX_set_default_verify_paths", lambda x: 1

)

monkeypatch.setattr(

SSL,

"_CRYPTOGRAPHY_MANYLINUX1_CA_FILE",

1130

_ffi.string(_lib.X509_get_default_cert_file())

)

monkeypatch.setattr(

SSL,

"_CRYPTOGRAPHY_MANYLINUX1_CA_DIR",

1135

_ffi.string(_lib.X509_get_default_cert_dir())

1136

)

1137

context.set_default_verify_paths()

1138

store = context.get_cert_store()

1139

sk_obj = _lib.X509_STORE_get0_objects(store._store)

1140

assert sk_obj != _ffi.NULL

1141

num = _lib.sk_X509_OBJECT_num(sk_obj)

1142

assert num != 0

1143

1144

def test_check_env_vars(self, monkeypatch):

1145

"""

1146

Test that we return True/False appropriately if the env vars are set.

1147

"""

1148

context = Context(TLSv1_METHOD)

1149

dir_var = "CUSTOM_DIR_VAR"

1150

file_var = "CUSTOM_FILE_VAR"

1151

assert context._check_env_vars_set(dir_var, file_var) is False

1152

monkeypatch.setenv(dir_var, "value")

1153

monkeypatch.setenv(file_var, "value")

1154

assert context._check_env_vars_set(dir_var, file_var) is True

1155

assert context._check_env_vars_set(dir_var, file_var) is True

1156

1157

def test_verify_no_fallback_if_env_vars_set(self, monkeypatch):

1158

"""

1159

Test that we don't use the fallback path if env vars are set.

1160

"""

1161

context = Context(TLSv1_METHOD)

1162

monkeypatch.setattr(

1163

_lib, "SSL_CTX_set_default_verify_paths", lambda x: 1

1164

)

1165

dir_env_var = _ffi.string(

1166

_lib.X509_get_default_cert_dir_env()

1167

).decode("ascii")

1168

file_env_var = _ffi.string(

1169

_lib.X509_get_default_cert_file_env()

1170

).decode("ascii")

1171

monkeypatch.setenv(dir_env_var, "value")

1172

monkeypatch.setenv(file_env_var, "value")

1173

context.set_default_verify_paths()

monkeypatch.setattr(

context,

"_fallback_default_verify_paths",

1178

raiser(SystemError)

1179

)

1180

context.set_default_verify_paths()

1181

1182

@pytest.mark.skipif(

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1183

platform == "win32",

1184

reason="set_default_verify_paths appears not to work on Windows. "

Jean-Paul Calderone

28fb8f0

2009-07-24 18:01:31 -0400

[diff] [blame]

1185

"See LP#404343 and LP#404344."

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1186

)

1187

def test_set_default_verify_paths(self):

1188

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1189

`Context.set_default_verify_paths` causes the platform-specific CA

1190

certificate locations to be used for verification purposes.

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1191

"""

1192

# Testing this requires a server with a certificate signed by one

1193

# of the CAs in the platform CA location. Getting one of those

1194

# costs money. Fortunately (or unfortunately, depending on your

1195

# perspective), it's easy to think of a public server on the

1196

# internet which has such a certificate. Connecting to the network

1197

# in a unit test is bad, but it's the only way I can think of to

1198

# really test this. -exarkun

Hynek Schlawack

bf88793

2015-10-21 17:13:47 +0200

[diff] [blame]

1199

context = Context(SSLv23_METHOD)

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1200

context.set_default_verify_paths()

1201

context.set_verify(

1202

VERIFY_PEER,

1203

lambda conn, cert, errno, depth, preverify_ok: preverify_ok)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1204

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1205

client = socket()

Hynek Schlawack

bf88793

2015-10-21 17:13:47 +0200

[diff] [blame]

1206

client.connect(("encrypted.google.com", 443))

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1207

clientSSL = Connection(context, client)

1208

clientSSL.set_connect_state()

1209

clientSSL.do_handshake()

1210

clientSSL.send(b"GET / HTTP/1.0\r\n\r\n")

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1211

assert clientSSL.recv(1024)

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

1212

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

1213

def test_fallback_path_is_not_file_or_dir(self):

1214

"""

1215

Test that when passed empty arrays or paths that do not exist no

1216

errors are raised.

1217

"""

1218

context = Context(TLSv1_METHOD)

1219

context._fallback_default_verify_paths([], [])

1220

context._fallback_default_verify_paths(

1221

["/not/a/file"], ["/not/a/dir"]

1222

)

1223

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1224

def test_add_extra_chain_cert_invalid_cert(self):

1225

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1226

`Context.add_extra_chain_cert` raises `TypeError` if called with an

1227

object which is not an instance of `X509`.

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1228

"""

1229

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1230

with pytest.raises(TypeError):

1231

context.add_extra_chain_cert(object())

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1232

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1233

def _handshake_test(self, serverContext, clientContext):

1234

"""

1235

Verify that a client and server created with the given contexts can

1236

successfully handshake and communicate.

1237

"""

1238

serverSocket, clientSocket = socket_pair()

1239

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1240

server = Connection(serverContext, serverSocket)

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

1241

server.set_accept_state()

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1242

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1243

client = Connection(clientContext, clientSocket)

1244

client.set_connect_state()

1245

1246

# Make them talk to each other.

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1247

# interact_in_memory(client, server)

1248

for _ in range(3):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1249

for s in [client, server]:

1250

try:

1251

s.do_handshake()

1252

except WantReadError:

1253

pass

1254

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1255

def test_set_verify_callback_connection_argument(self):

1256

"""

1257

The first argument passed to the verify callback is the

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1258

`Connection` instance for which verification is taking place.

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1259

"""

1260

serverContext = Context(TLSv1_METHOD)

1261

serverContext.use_privatekey(

1262

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1263

serverContext.use_certificate(

1264

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1265

serverConnection = Connection(serverContext, None)

1266

1267

class VerifyCallback(object):

1268

def callback(self, connection, *args):

1269

self.connection = connection

1270

return 1

1271

1272

verify = VerifyCallback()

1273

clientContext = Context(TLSv1_METHOD)

1274

clientContext.set_verify(VERIFY_PEER, verify.callback)

1275

clientConnection = Connection(clientContext, None)

1276

clientConnection.set_connect_state()

1277

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1278

handshake_in_memory(clientConnection, serverConnection)

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1279

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1280

assert verify.connection is clientConnection

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1281

Paul Kehrer

e738186

2017-11-30 20:55:25 +0800

[diff] [blame]

1282

def test_x509_in_verify_works(self):

1283

"""

1284

We had a bug where the X509 cert instantiated in the callback wrapper

1285

didn't __init__ so it was missing objects needed when calling

1286

get_subject. This test sets up a handshake where we call get_subject

1287

on the cert provided to the verify callback.

1288

"""

1289

serverContext = Context(TLSv1_METHOD)

1290

serverContext.use_privatekey(

1291

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1292

serverContext.use_certificate(

1293

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1294

serverConnection = Connection(serverContext, None)

1295

1296

def verify_cb_get_subject(conn, cert, errnum, depth, ok):

1297

assert cert.get_subject()

1298

return 1

1299

1300

clientContext = Context(TLSv1_METHOD)

1301

clientContext.set_verify(VERIFY_PEER, verify_cb_get_subject)

1302

clientConnection = Connection(clientContext, None)

1303

clientConnection.set_connect_state()

1304

1305

handshake_in_memory(clientConnection, serverConnection)

1306

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1307

def test_set_verify_callback_exception(self):

1308

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1309

If the verify callback passed to `Context.set_verify` raises an

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1310

exception, verification fails and the exception is propagated to the

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1311

caller of `Connection.do_handshake`.

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1312

"""

1313

serverContext = Context(TLSv1_METHOD)

1314

serverContext.use_privatekey(

1315

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1316

serverContext.use_certificate(

1317

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1318

1319

clientContext = Context(TLSv1_METHOD)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1320

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1321

def verify_callback(*args):

1322

raise Exception("silly verify failure")

1323

clientContext.set_verify(VERIFY_PEER, verify_callback)

1324

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1325

with pytest.raises(Exception) as exc:

1326

self._handshake_test(serverContext, clientContext)

1327

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1328

assert "silly verify failure" == str(exc.value)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1329

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1330

def test_add_extra_chain_cert(self, tmpdir):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1331

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1332

`Context.add_extra_chain_cert` accepts an `X509`

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1333

instance to add to the certificate chain.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1334

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1335

See `_create_certificate_chain` for the details of the

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1336

certificate chain tested.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1337

1338

The chain is tested by starting a server with scert and connecting

1339

to it with a client which trusts cacert and requires verification to

1340

succeed.

1341

"""

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

1342

chain = _create_certificate_chain()

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1343

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

1344

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1345

# Dump the CA certificate to a file because that's the only way to load

1346

# it as a trusted CA in the client context.

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1347

for cert, name in [(cacert, 'ca.pem'),

1348

(icert, 'i.pem'),

1349

(scert, 's.pem')]:

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1350

with tmpdir.join(name).open('w') as f:

Hynek Schlawack

e90680f

2015-04-16 15:09:27 -0400

[diff] [blame]

1351

f.write(dump_certificate(FILETYPE_PEM, cert).decode('ascii'))

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1352

Hynek Schlawack

1902c01

2015-04-16 15:06:41 -0400

[diff] [blame]

1353

for key, name in [(cakey, 'ca.key'),

1354

(ikey, 'i.key'),

1355

(skey, 's.key')]:

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1356

with tmpdir.join(name).open('w') as f:

Hynek Schlawack

e90680f

2015-04-16 15:09:27 -0400

[diff] [blame]

1357

f.write(dump_privatekey(FILETYPE_PEM, key).decode('ascii'))

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1358

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1359

# Create the server context

1360

serverContext = Context(TLSv1_METHOD)

1361

serverContext.use_privatekey(skey)

1362

serverContext.use_certificate(scert)

Jean-Paul Calderone

16cf03d

2010-09-08 18:53:39 -0400

[diff] [blame]

1363

# The client already has cacert, we only need to give them icert.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1364

serverContext.add_extra_chain_cert(icert)

1365

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1366

# Create the client

1367

clientContext = Context(TLSv1_METHOD)

1368

clientContext.set_verify(

1369

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1370

clientContext.load_verify_locations(str(tmpdir.join("ca.pem")))

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

1371

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1372

# Try it out.

1373

self._handshake_test(serverContext, clientContext)

1374

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1375

def _use_certificate_chain_file_test(self, certdir):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1376

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1377

Verify that `Context.use_certificate_chain_file` reads a

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1378

certificate chain from a specified file.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1379

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1380

The chain is tested by starting a server with scert and connecting to

1381

it with a client which trusts cacert and requires verification to

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1382

succeed.

1383

"""

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

1384

chain = _create_certificate_chain()

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1385

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

1386

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1387

makedirs(certdir)

1388

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

1389

chainFile = join_bytes_or_unicode(certdir, "chain.pem")

1390

caFile = join_bytes_or_unicode(certdir, "ca.pem")

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1391

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1392

# Write out the chain file.

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1393

with open(chainFile, 'wb') as fObj:

1394

# Most specific to least general.

1395

fObj.write(dump_certificate(FILETYPE_PEM, scert))

1396

fObj.write(dump_certificate(FILETYPE_PEM, icert))

1397

fObj.write(dump_certificate(FILETYPE_PEM, cacert))

1398

1399

with open(caFile, 'w') as fObj:

1400

fObj.write(dump_certificate(FILETYPE_PEM, cacert).decode('ascii'))

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1401

1402

serverContext = Context(TLSv1_METHOD)

1403

serverContext.use_certificate_chain_file(chainFile)

1404

serverContext.use_privatekey(skey)

1405

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1406

clientContext = Context(TLSv1_METHOD)

1407

clientContext.set_verify(

1408

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1409

clientContext.load_verify_locations(caFile)

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1410

1411

self._handshake_test(serverContext, clientContext)

1412

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1413

def test_use_certificate_chain_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1414

"""

1415

``Context.use_certificate_chain_file`` accepts the name of a file (as

1416

an instance of ``bytes``) to specify additional certificates to use to

1417

construct and verify a trust chain.

1418

"""

1419

self._use_certificate_chain_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1420

tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1421

)

1422

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1423

def test_use_certificate_chain_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1424

"""

1425

``Context.use_certificate_chain_file`` accepts the name of a file (as

1426

an instance of ``unicode``) to specify additional certificates to use

1427

to construct and verify a trust chain.

1428

"""

1429

self._use_certificate_chain_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1430

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1431

)

1432

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1433

def test_use_certificate_chain_file_wrong_args(self):

1434

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1435

`Context.use_certificate_chain_file` raises `TypeError` if passed a

1436

non-byte string single argument.

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1437

"""

1438

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1439

with pytest.raises(TypeError):

1440

context.use_certificate_chain_file(object())

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1441

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1442

def test_use_certificate_chain_file_missing_file(self, tmpfile):

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1443

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1444

`Context.use_certificate_chain_file` raises `OpenSSL.SSL.Error` when

1445

passed a bad chain file name (for example, the name of a file which

1446

does not exist).

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1447

"""

1448

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1449

with pytest.raises(Error):

1450

context.use_certificate_chain_file(tmpfile)

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1451

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1452

def test_set_verify_mode(self):

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1453

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1454

`Context.get_verify_mode` returns the verify mode flags previously

1455

passed to `Context.set_verify`.

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1456

"""

1457

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1458

assert context.get_verify_mode() == 0

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1459

context.set_verify(

1460

VERIFY_PEER | VERIFY_CLIENT_ONCE, lambda *args: None)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1461

assert context.get_verify_mode() == (VERIFY_PEER | VERIFY_CLIENT_ONCE)

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1462

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1463

@skip_if_py3

1464

def test_set_verify_mode_long(self):

1465

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1466

On Python 2 `Context.set_verify_mode` accepts values of type `long`

1467

as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1468

"""

1469

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1470

assert context.get_verify_mode() == 0

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1471

context.set_verify(

Hynek Schlawack

b4ceed3

2015-09-05 20:55:19 +0200

[diff] [blame]

1472

long(VERIFY_PEER | VERIFY_CLIENT_ONCE), lambda *args: None

1473

) # pragma: nocover

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1474

assert context.get_verify_mode() == (VERIFY_PEER | VERIFY_CLIENT_ONCE)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1475

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1476

@pytest.mark.parametrize('mode', [None, 1.0, object(), 'mode'])

1477

def test_set_verify_wrong_mode_arg(self, mode):

1478

"""

1479

`Context.set_verify` raises `TypeError` if the first argument is

1480

not an integer.

1481

"""

1482

context = Context(TLSv1_METHOD)

1483

with pytest.raises(TypeError):

1484

context.set_verify(mode=mode, callback=lambda *args: None)

1485

1486

@pytest.mark.parametrize('callback', [None, 1.0, 'mode', ('foo', 'bar')])

1487

def test_set_verify_wrong_callable_arg(self, callback):

1488

"""

1489

`Context.set_verify` raises `TypeError` if the the second argument

1490

is not callable.

1491

"""

1492

context = Context(TLSv1_METHOD)

1493

with pytest.raises(TypeError):

1494

context.set_verify(mode=VERIFY_PEER, callback=callback)

1495

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1496

def test_load_tmp_dh_wrong_args(self):

1497

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1498

`Context.load_tmp_dh` raises `TypeError` if called with a

1499

non-`str` argument.

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1500

"""

1501

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1502

with pytest.raises(TypeError):

1503

context.load_tmp_dh(object())

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1504

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1505

def test_load_tmp_dh_missing_file(self):

1506

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1507

`Context.load_tmp_dh` raises `OpenSSL.SSL.Error` if the

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1508

specified file does not exist.

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1509

"""

1510

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1511

with pytest.raises(Error):

1512

context.load_tmp_dh(b"hello")

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1513

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1514

def _load_tmp_dh_test(self, dhfilename):

Jean-Paul Calderone

4e0c43f

2015-04-13 10:15:17 -0400

[diff] [blame]

1515

"""

1516

Verify that calling ``Context.load_tmp_dh`` with the given filename

1517

does not raise an exception.

1518

"""

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1519

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1520

with open(dhfilename, "w") as dhfile:

1521

dhfile.write(dhparam)

1522

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1523

context.load_tmp_dh(dhfilename)

1524

# XXX What should I assert here? -exarkun

1525

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1526

def test_load_tmp_dh_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1527

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1528

`Context.load_tmp_dh` loads Diffie-Hellman parameters from the

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1529

specified file (given as ``bytes``).

1530

"""

1531

self._load_tmp_dh_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1532

tmpfile + NON_ASCII.encode(getfilesystemencoding()),

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1533

)

1534

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1535

def test_load_tmp_dh_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1536

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1537

`Context.load_tmp_dh` loads Diffie-Hellman parameters from the

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1538

specified file (given as ``unicode``).

1539

"""

1540

self._load_tmp_dh_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1541

tmpfile.decode(getfilesystemencoding()) + NON_ASCII,

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1542

)

1543

Jean-Paul Calderone

3e4e335

2014-04-19 09:28:28 -0400

[diff] [blame]

1544

def test_set_tmp_ecdh(self):

Andy Lutomirski

f05a273

2014-03-13 17:22:25 -0700

[diff] [blame]

1545

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1546

`Context.set_tmp_ecdh` sets the elliptic curve for Diffie-Hellman to

1547

the specified curve.

Andy Lutomirski

f05a273

2014-03-13 17:22:25 -0700

[diff] [blame]

1548

"""

1549

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

1550

for curve in get_elliptic_curves():

Hynek Schlawack

a07fa8c

2015-10-17 10:15:28 +0200

[diff] [blame]

1551

if curve.name.startswith(u"Oakley-"):

Hynek Schlawack

7408aff

2015-10-17 09:51:16 +0200

[diff] [blame]

1552

# Setting Oakley-EC2N-4 and Oakley-EC2N-3 adds

1553

# ('bignum routines', 'BN_mod_inverse', 'no inverse') to the

1554

# error queue on OpenSSL 1.0.2.

1555

continue

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

1556

# The only easily "assertable" thing is that it does not raise an

1557

# exception.

Jean-Paul Calderone

3e4e335

2014-04-19 09:28:28 -0400

[diff] [blame]

1558

context.set_tmp_ecdh(curve)

Alex Gaynor

12dc084

2014-01-17 12:51:31 -0600

[diff] [blame]

1559

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1560

def test_set_session_cache_mode_wrong_args(self):

1561

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1562

`Context.set_session_cache_mode` raises `TypeError` if called with

1563

a non-integer argument.

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1564

called with other than one integer argument.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1565

"""

1566

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1567

with pytest.raises(TypeError):

1568

context.set_session_cache_mode(object())

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1569

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1570

def test_session_cache_mode(self):

1571

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1572

`Context.set_session_cache_mode` specifies how sessions are cached.

1573

The setting can be retrieved via `Context.get_session_cache_mode`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1574

"""

1575

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1576

context.set_session_cache_mode(SESS_CACHE_OFF)

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1577

off = context.set_session_cache_mode(SESS_CACHE_BOTH)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1578

assert SESS_CACHE_OFF == off

1579

assert SESS_CACHE_BOTH == context.get_session_cache_mode()

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1580

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1581

@skip_if_py3

1582

def test_session_cache_mode_long(self):

1583

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1584

On Python 2 `Context.set_session_cache_mode` accepts values

1585

of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1586

"""

1587

context = Context(TLSv1_METHOD)

1588

context.set_session_cache_mode(long(SESS_CACHE_BOTH))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1589

assert SESS_CACHE_BOTH == context.get_session_cache_mode()

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1590

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1591

def test_get_cert_store(self):

1592

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1593

`Context.get_cert_store` returns a `X509Store` instance.

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1594

"""

1595

context = Context(TLSv1_METHOD)

1596

store = context.get_cert_store()

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1597

assert isinstance(store, X509Store)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1598

1599

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1600

class TestServerNameCallback(object):

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1601

"""

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1602

Tests for `Context.set_tlsext_servername_callback` and its

1603

interaction with `Connection`.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1604

"""

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1605

def test_old_callback_forgotten(self):

1606

"""

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1607

If `Context.set_tlsext_servername_callback` is used to specify

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1608

a new callback, the one it replaces is dereferenced.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1609

"""

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1610

def callback(connection): # pragma: no cover

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1611

pass

1612

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1613

def replacement(connection): # pragma: no cover

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1614

pass

1615

1616

context = Context(TLSv1_METHOD)

1617

context.set_tlsext_servername_callback(callback)

1618

1619

tracker = ref(callback)

1620

del callback

1621

1622

context.set_tlsext_servername_callback(replacement)

Jean-Paul Calderone

d4033eb

2014-01-11 08:21:46 -0500

[diff] [blame]

1623

1624

# One run of the garbage collector happens to work on CPython. PyPy

1625

# doesn't collect the underlying object until a second run for whatever

1626

# reason. That's fine, it still demonstrates our code has properly

1627

# dropped the reference.

1628

collect()

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1629

collect()

Jean-Paul Calderone

4c1aacd

2014-01-11 08:15:17 -0500

[diff] [blame]

1630

1631

callback = tracker()

1632

if callback is not None:

1633

referrers = get_referrers(callback)

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1634

if len(referrers) > 1: # pragma: nocover

1635

pytest.fail("Some references remain: %r" % (referrers,))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1636

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1637

def test_no_servername(self):

1638

"""

1639

When a client specifies no server name, the callback passed to

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1640

`Context.set_tlsext_servername_callback` is invoked and the

1641

result of `Connection.get_servername` is `None`.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1642

"""

1643

args = []

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1644

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1645

def servername(conn):

1646

args.append((conn, conn.get_servername()))

1647

context = Context(TLSv1_METHOD)

1648

context.set_tlsext_servername_callback(servername)

1649

1650

# Lose our reference to it. The Context is responsible for keeping it

# alive now.

del servername

collect()

# Necessary to actually accept the connection

1656

context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1657

context.use_certificate(

1658

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1659

1660

# Do a little connection to trigger the logic

1661

server = Connection(context, None)

1662

server.set_accept_state()

1663

1664

client = Connection(Context(TLSv1_METHOD), None)

1665

client.set_connect_state()

1666

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1667

interact_in_memory(server, client)

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1668

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1669

assert args == [(server, None)]

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1670

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1671

def test_servername(self):

1672

"""

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1673

When a client specifies a server name in its hello message, the

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1674

callback passed to `Contexts.set_tlsext_servername_callback` is

1675

invoked and the result of `Connection.get_servername` is that

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1676

server name.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1677

"""

1678

args = []

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1679

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1680

def servername(conn):

1681

args.append((conn, conn.get_servername()))

1682

context = Context(TLSv1_METHOD)

1683

context.set_tlsext_servername_callback(servername)

1684

1685

# Necessary to actually accept the connection

1686

context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1687

context.use_certificate(

1688

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1689

1690

# Do a little connection to trigger the logic

1691

server = Connection(context, None)

1692

server.set_accept_state()

1693

1694

client = Connection(Context(TLSv1_METHOD), None)

1695

client.set_connect_state()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

1696

client.set_tlsext_host_name(b"foo1.example.com")

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1697

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1698

interact_in_memory(server, client)

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1699

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1700

assert args == [(server, b"foo1.example.com")]

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1701

1702

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1703

class TestNextProtoNegotiation(object):

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1704

"""

1705

Test for Next Protocol Negotiation in PyOpenSSL.

1706

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1707

def test_npn_success(self):

1708

"""

1709

Tests that clients and servers that agree on the negotiated next

1710

protocol can correct establish a connection, and that the agreed

1711

protocol is reported by the connections.

"""

advertise_args = []

select_args = []

def advertise(conn):

advertise_args.append((conn,))

1718

return [b'http/1.1', b'spdy/2']

1719

1720

def select(conn, options):

1721

select_args.append((conn, options))

1722

return b'spdy/2'

1723

1724

server_context = Context(TLSv1_METHOD)

1725

server_context.set_npn_advertise_callback(advertise)

1726

1727

client_context = Context(TLSv1_METHOD)

1728

client_context.set_npn_select_callback(select)

1729

1730

# Necessary to actually accept the connection

1731

server_context.use_privatekey(

1732

load_privatekey(FILETYPE_PEM, server_key_pem))

1733

server_context.use_certificate(

1734

load_certificate(FILETYPE_PEM, server_cert_pem))

1735

1736

# Do a little connection to trigger the logic

1737

server = Connection(server_context, None)

1738

server.set_accept_state()

1739

1740

client = Connection(client_context, None)

1741

client.set_connect_state()

1742

1743

interact_in_memory(server, client)

1744

1745

assert advertise_args == [(server,)]

1746

assert select_args == [(client, [b'http/1.1', b'spdy/2'])]

1747

1748

assert server.get_next_proto_negotiated() == b'spdy/2'

1749

assert client.get_next_proto_negotiated() == b'spdy/2'

1750

1751

def test_npn_client_fail(self):

1752

"""

1753

Tests that when clients and servers cannot agree on what protocol

1754

to use next that the TLS connection does not get established.

"""

advertise_args = []

select_args = []

def advertise(conn):

advertise_args.append((conn,))

1761

return [b'http/1.1', b'spdy/2']

1762

1763

def select(conn, options):

1764

select_args.append((conn, options))

1765

return b''

1766

1767

server_context = Context(TLSv1_METHOD)

1768

server_context.set_npn_advertise_callback(advertise)

1769

1770

client_context = Context(TLSv1_METHOD)

1771

client_context.set_npn_select_callback(select)

1772

1773

# Necessary to actually accept the connection

1774

server_context.use_privatekey(

1775

load_privatekey(FILETYPE_PEM, server_key_pem))

1776

server_context.use_certificate(

1777

load_certificate(FILETYPE_PEM, server_cert_pem))

1778

1779

# Do a little connection to trigger the logic

1780

server = Connection(server_context, None)

1781

server.set_accept_state()

1782

1783

client = Connection(client_context, None)

1784

client.set_connect_state()

1785

1786

# If the client doesn't return anything, the connection will fail.

1787

with pytest.raises(Error):

1788

interact_in_memory(server, client)

1789

1790

assert advertise_args == [(server,)]

1791

assert select_args == [(client, [b'http/1.1', b'spdy/2'])]

1792

1793

def test_npn_select_error(self):

1794

"""

1795

Test that we can handle exceptions in the select callback. If

1796

select fails it should be fatal to the connection.

"""

advertise_args = []

def advertise(conn):

advertise_args.append((conn,))

1802

return [b'http/1.1', b'spdy/2']

1803

1804

def select(conn, options):

1805

raise TypeError

1806

1807

server_context = Context(TLSv1_METHOD)

1808

server_context.set_npn_advertise_callback(advertise)

1809

1810

client_context = Context(TLSv1_METHOD)

1811

client_context.set_npn_select_callback(select)

1812

1813

# Necessary to actually accept the connection

1814

server_context.use_privatekey(

1815

load_privatekey(FILETYPE_PEM, server_key_pem))

1816

server_context.use_certificate(

1817

load_certificate(FILETYPE_PEM, server_cert_pem))

1818

1819

# Do a little connection to trigger the logic

1820

server = Connection(server_context, None)

1821

server.set_accept_state()

1822

1823

client = Connection(client_context, None)

1824

client.set_connect_state()

1825

1826

# If the callback throws an exception it should be raised here.

1827

with pytest.raises(TypeError):

1828

interact_in_memory(server, client)

1829

assert advertise_args == [(server,), ]

1830

1831

def test_npn_advertise_error(self):

1832

"""

1833

Test that we can handle exceptions in the advertise callback. If

1834

advertise fails no NPN is advertised to the client.

"""

select_args = []

def advertise(conn):

raise TypeError

def select(conn, options): # pragma: nocover

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

1842

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1843

Assert later that no args are actually appended.

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

1844

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1845

select_args.append((conn, options))

1846

return b''

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1847

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1848

server_context = Context(TLSv1_METHOD)

1849

server_context.set_npn_advertise_callback(advertise)

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1850

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1851

client_context = Context(TLSv1_METHOD)

1852

client_context.set_npn_select_callback(select)

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1853

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1854

# Necessary to actually accept the connection

1855

server_context.use_privatekey(

1856

load_privatekey(FILETYPE_PEM, server_key_pem))

1857

server_context.use_certificate(

1858

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1859

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1860

# Do a little connection to trigger the logic

1861

server = Connection(server_context, None)

1862

server.set_accept_state()

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1863

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1864

client = Connection(client_context, None)

1865

client.set_connect_state()

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1866

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1867

# If the client doesn't return anything, the connection will fail.

1868

with pytest.raises(TypeError):

1869

interact_in_memory(server, client)

1870

assert select_args == []

Cory Benfield

0ea76e7

2015-03-22 09:05:28 +0000

[diff] [blame]

1871

1872

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1873

class TestApplicationLayerProtoNegotiation(object):

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1874

"""

1875

Tests for ALPN in PyOpenSSL.

1876

"""

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1877

# Skip tests on versions that don't support ALPN.

1878

if _lib.Cryptography_HAS_ALPN:

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1879

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1880

def test_alpn_success(self):

1881

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1882

Clients and servers that agree on the negotiated ALPN protocol can

1883

correct establish a connection, and the agreed protocol is reported

1884

by the connections.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1885

"""

1886

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1887

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1888

def select(conn, options):

1889

select_args.append((conn, options))

1890

return b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1891

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1892

client_context = Context(TLSv1_METHOD)

1893

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1894

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1895

server_context = Context(TLSv1_METHOD)

1896

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1897

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1898

# Necessary to actually accept the connection

1899

server_context.use_privatekey(

1900

load_privatekey(FILETYPE_PEM, server_key_pem))

1901

server_context.use_certificate(

1902

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1903

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1904

# Do a little connection to trigger the logic

1905

server = Connection(server_context, None)

1906

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1907

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1908

client = Connection(client_context, None)

1909

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1910

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1911

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1912

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1913

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1914

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1915

assert server.get_alpn_proto_negotiated() == b'spdy/2'

1916

assert client.get_alpn_proto_negotiated() == b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1917

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1918

def test_alpn_set_on_connection(self):

1919

"""

1920

The same as test_alpn_success, but setting the ALPN protocols on

1921

the connection rather than the context.

1922

"""

1923

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1924

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1925

def select(conn, options):

1926

select_args.append((conn, options))

1927

return b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1928

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1929

# Setup the client context but don't set any ALPN protocols.

1930

client_context = Context(TLSv1_METHOD)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1931

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1932

server_context = Context(TLSv1_METHOD)

1933

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1934

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1935

# Necessary to actually accept the connection

1936

server_context.use_privatekey(

1937

load_privatekey(FILETYPE_PEM, server_key_pem))

1938

server_context.use_certificate(

1939

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1940

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1941

# Do a little connection to trigger the logic

1942

server = Connection(server_context, None)

1943

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1944

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1945

# Set the ALPN protocols on the client connection.

1946

client = Connection(client_context, None)

1947

client.set_alpn_protos([b'http/1.1', b'spdy/2'])

1948

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1949

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1950

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1951

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1952

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1953

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1954

assert server.get_alpn_proto_negotiated() == b'spdy/2'

1955

assert client.get_alpn_proto_negotiated() == b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1956

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1957

def test_alpn_server_fail(self):

1958

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1959

When clients and servers cannot agree on what protocol to use next

1960

the TLS connection does not get established.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1961

"""

1962

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1963

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1964

def select(conn, options):

1965

select_args.append((conn, options))

1966

return b''

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1967

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1968

client_context = Context(TLSv1_METHOD)

1969

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1970

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1971

server_context = Context(TLSv1_METHOD)

1972

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1973

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1974

# Necessary to actually accept the connection

1975

server_context.use_privatekey(

1976

load_privatekey(FILETYPE_PEM, server_key_pem))

1977

server_context.use_certificate(

1978

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1979

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1980

# Do a little connection to trigger the logic

1981

server = Connection(server_context, None)

1982

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1983

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1984

client = Connection(client_context, None)

1985

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1986

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1987

# If the client doesn't return anything, the connection will fail.

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1988

with pytest.raises(Error):

1989

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1990

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1991

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1992

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1993

def test_alpn_no_server(self):

1994

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1995

When clients and servers cannot agree on what protocol to use next

1996

because the server doesn't offer ALPN, no protocol is negotiated.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1997

"""

1998

client_context = Context(TLSv1_METHOD)

1999

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2000

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2001

server_context = Context(TLSv1_METHOD)

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2002

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2003

# Necessary to actually accept the connection

2004

server_context.use_privatekey(

2005

load_privatekey(FILETYPE_PEM, server_key_pem))

2006

server_context.use_certificate(

2007

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2008

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2009

# Do a little connection to trigger the logic

2010

server = Connection(server_context, None)

2011

server.set_accept_state()

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2012

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2013

client = Connection(client_context, None)

2014

client.set_connect_state()

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2015

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2016

# Do the dance.

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2017

interact_in_memory(server, client)

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2018

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2019

assert client.get_alpn_proto_negotiated() == b''

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

2020

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2021

def test_alpn_callback_exception(self):

2022

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

2023

We can handle exceptions in the ALPN select callback.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2024

"""

2025

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2026

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2027

def select(conn, options):

2028

select_args.append((conn, options))

Cory Benfield

ef40145

2015-04-13 18:17:36 -0400

[diff] [blame]

2029

raise TypeError()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2030

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2031

client_context = Context(TLSv1_METHOD)

2032

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2033

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2034

server_context = Context(TLSv1_METHOD)

2035

server_context.set_alpn_select_callback(select)

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2036

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2037

# Necessary to actually accept the connection

2038

server_context.use_privatekey(

2039

load_privatekey(FILETYPE_PEM, server_key_pem))

2040

server_context.use_certificate(

2041

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2042

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2043

# Do a little connection to trigger the logic

2044

server = Connection(server_context, None)

2045

server.set_accept_state()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2046

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2047

client = Connection(client_context, None)

2048

client.set_connect_state()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2049

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2050

with pytest.raises(TypeError):

2051

interact_in_memory(server, client)

2052

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2053

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2054

else:

2055

# No ALPN.

2056

def test_alpn_not_implemented(self):

Cory Benfield

ef40145

2015-04-13 18:17:36 -0400

[diff] [blame]

2057

"""

2058

If ALPN is not in OpenSSL, we should raise NotImplementedError.

2059

"""

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2060

# Test the context methods first.

2061

context = Context(TLSv1_METHOD)

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2062

with pytest.raises(NotImplementedError):

2063

context.set_alpn_protos(None)

2064

with pytest.raises(NotImplementedError):

2065

context.set_alpn_select_callback(None)

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2066

2067

# Now test a connection.

2068

conn = Connection(context)

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2069

with pytest.raises(NotImplementedError):

2070

conn.set_alpn_protos(None)

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2071

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2072

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2073

class TestSession(object):

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

2074

"""

2075

Unit tests for :py:obj:`OpenSSL.SSL.Session`.

2076

"""

2077

def test_construction(self):

2078

"""

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2079

:py:class:`Session` can be constructed with no arguments, creating

2080

a new instance of that type.

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

2081

"""

2082

new_session = Session()

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2083

assert isinstance(new_session, Session)

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

2084

2085

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2086

class TestConnection(object):

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2087

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2088

Unit tests for `OpenSSL.SSL.Connection`.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2089

"""

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

2090

# XXX get_peer_certificate -> None

2091

# XXX sock_shutdown

2092

# XXX master_key -> TypeError

2093

# XXX server_random -> TypeError

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

2094

# XXX connect -> TypeError

2095

# XXX connect_ex -> TypeError

2096

# XXX set_connect_state -> TypeError

2097

# XXX set_accept_state -> TypeError

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

2098

# XXX do_handshake -> TypeError

2099

# XXX bio_read -> TypeError

2100

# XXX recv -> TypeError

2101

# XXX send -> TypeError

2102

# XXX bio_write -> TypeError

2103

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2104

def test_type(self):

2105

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2106

`Connection` and `ConnectionType` refer to the same type object and

2107

can be used to create instances of that type.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2108

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2109

assert Connection is ConnectionType

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2110

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2111

assert is_consistent_type(Connection, 'Connection', ctx, None)

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2112

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2113

@pytest.mark.parametrize('bad_context', [object(), 'context', None, 1])

2114

def test_wrong_args(self, bad_context):

2115

"""

2116

`Connection.__init__` raises `TypeError` if called with a non-`Context`

2117

instance argument.

2118

"""

2119

with pytest.raises(TypeError):

2120

Connection(bad_context)

2121

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

2122

def test_get_context(self):

2123

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2124

`Connection.get_context` returns the `Context` instance used to

2125

construct the `Connection` instance.

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

2126

"""

2127

context = Context(TLSv1_METHOD)

2128

connection = Connection(context, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2129

assert connection.get_context() is context

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

2130

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2131

def test_set_context_wrong_args(self):

2132

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2133

`Connection.set_context` raises `TypeError` if called with a

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2134

non-`Context` instance argument.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2135

"""

2136

ctx = Context(TLSv1_METHOD)

2137

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2138

with pytest.raises(TypeError):

2139

connection.set_context(object())

2140

with pytest.raises(TypeError):

2141

connection.set_context("hello")

2142

with pytest.raises(TypeError):

2143

connection.set_context(1)

2144

assert ctx is connection.get_context()

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2145

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2146

def test_set_context(self):

2147

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2148

`Connection.set_context` specifies a new `Context` instance to be

2149

used for the connection.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2150

"""

2151

original = Context(SSLv23_METHOD)

2152

replacement = Context(TLSv1_METHOD)

2153

connection = Connection(original, None)

2154

connection.set_context(replacement)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2155

assert replacement is connection.get_context()

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2156

# Lose our references to the contexts, just in case the Connection

2157

# isn't properly managing its own contributions to their reference

2158

# counts.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2159

del original, replacement

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2160

collect()

2161

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2162

def test_set_tlsext_host_name_wrong_args(self):

2163

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2164

If `Connection.set_tlsext_host_name` is called with a non-byte string

2165

argument or a byte string with an embedded NUL, `TypeError` is raised.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2166

"""

2167

conn = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2168

with pytest.raises(TypeError):

2169

conn.set_tlsext_host_name(object())

2170

with pytest.raises(TypeError):

2171

conn.set_tlsext_host_name(b"with\0null")

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2172

Abraham Martin

c5484ba

2015-03-25 15:33:05 +0000

[diff] [blame]

2173

if PY3:

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2174

# On Python 3.x, don't accidentally implicitly convert from text.

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2175

with pytest.raises(TypeError):

2176

conn.set_tlsext_host_name(b"example.com".decode("ascii"))

Jean-Paul Calderone

871a4d8

2011-05-26 19:24:02 -0400

[diff] [blame]

2177

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2178

def test_pending(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2179

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2180

`Connection.pending` returns the number of bytes available for

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2181

immediate read.

2182

"""

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2183

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2184

assert connection.pending() == 0

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2185

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2186

def test_peek(self):

2187

"""

Hynek Schlawack

3bcf315

2017-02-18 08:25:34 +0100

[diff] [blame]

2188

`Connection.recv` peeks into the connection if `socket.MSG_PEEK` is

2189

passed.

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2190

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2191

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2192

server.send(b'xy')

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2193

assert client.recv(2, MSG_PEEK) == b'xy'

2194

assert client.recv(2, MSG_PEEK) == b'xy'

2195

assert client.recv(2) == b'xy'

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2196

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2197

def test_connect_wrong_args(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2198

"""

Hynek Schlawack

3bcf315

2017-02-18 08:25:34 +0100

[diff] [blame]

2199

`Connection.connect` raises `TypeError` if called with a non-address

2200

argument.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2201

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2202

connection = Connection(Context(TLSv1_METHOD), socket())

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2203

with pytest.raises(TypeError):

2204

connection.connect(None)

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2205

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2206

def test_connect_refused(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2207

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2208

`Connection.connect` raises `socket.error` if the underlying socket

2209

connect method raises it.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2210

"""

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2211

client = socket()

2212

context = Context(TLSv1_METHOD)

2213

clientSSL = Connection(context, client)

Alex Gaynor

122717b

2015-09-05 14:14:18 -0400

[diff] [blame]

2214

# pytest.raises here doesn't work because of a bug in py.test on Python

2215

# 2.6: https://github.com/pytest-dev/pytest/issues/988

Alex Gaynor

e69c278

2015-09-05 14:07:48 -0400

[diff] [blame]

2216

try:

Alex Gaynor

1aabb2e

2015-09-05 13:35:18 -0400

[diff] [blame]

2217

clientSSL.connect(("127.0.0.1", 1))

Alex Gaynor

e69c278

2015-09-05 14:07:48 -0400

[diff] [blame]

2218

except error as e:

Alex Gaynor

20a4c08

2015-09-05 14:24:15 -0400

[diff] [blame]

2219

exc = e

2220

assert exc.args[0] == ECONNREFUSED

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2221

2222

def test_connect(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2223

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2224

`Connection.connect` establishes a connection to the specified address.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2225

"""

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

port = socket()

port.bind(('', 0))

port.listen(3)

clientSSL = Connection(Context(TLSv1_METHOD), socket())

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2231

clientSSL.connect(('127.0.0.1', port.getsockname()[1]))

2232

# XXX An assertion? Or something?

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2233

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2234

@pytest.mark.skipif(

2235

platform == "darwin",

2236

reason="connect_ex sometimes causes a kernel panic on OS X 10.6.4"

2237

)

2238

def test_connect_ex(self):

2239

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2240

If there is a connection error, `Connection.connect_ex` returns the

2241

errno instead of raising an exception.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

"""

port = socket()

port.bind(('', 0))

port.listen(3)

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2246

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2247

clientSSL = Connection(Context(TLSv1_METHOD), socket())

2248

clientSSL.setblocking(False)

2249

result = clientSSL.connect_ex(port.getsockname())

2250

expected = (EINPROGRESS, EWOULDBLOCK)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2251

assert result in expected

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2252

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2253

def test_accept(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2254

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2255

`Connection.accept` accepts a pending connection attempt and returns a

2256

tuple of a new `Connection` (the accepted client) and the address the

2257

connection originated from.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2258

"""

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2259

ctx = Context(TLSv1_METHOD)

2260

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

2261

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2262

port = socket()

2263

portSSL = Connection(ctx, port)

2264

portSSL.bind(('', 0))

2265

portSSL.listen(3)

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2266

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2267

clientSSL = Connection(Context(TLSv1_METHOD), socket())

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2268

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2269

# Calling portSSL.getsockname() here to get the server IP address

2270

# sounds great, but frequently fails on Windows.

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2271

clientSSL.connect(('127.0.0.1', portSSL.getsockname()[1]))

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2272

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2273

serverSSL, address = portSSL.accept()

2274

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2275

assert isinstance(serverSSL, Connection)

2276

assert serverSSL.get_context() is ctx

2277

assert address == clientSSL.getsockname()

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2278

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2279

def test_shutdown_wrong_args(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2280

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2281

`Connection.set_shutdown` raises `TypeError` if called with arguments

2282

other than integers.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2283

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2284

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2285

with pytest.raises(TypeError):

2286

connection.set_shutdown(None)

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2287

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

2288

def test_shutdown(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2289

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2290

`Connection.shutdown` performs an SSL-level connection shutdown.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2291

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2292

server, client = loopback()

2293

assert not server.shutdown()

2294

assert server.get_shutdown() == SENT_SHUTDOWN

2295

with pytest.raises(ZeroReturnError):

2296

client.recv(1024)

2297

assert client.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

e4f6b47

2010-07-29 22:50:58 -0400

[diff] [blame]

2298

client.shutdown()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2299

assert client.get_shutdown() == (SENT_SHUTDOWN | RECEIVED_SHUTDOWN)

2300

with pytest.raises(ZeroReturnError):

2301

server.recv(1024)

2302

assert server.get_shutdown() == (SENT_SHUTDOWN | RECEIVED_SHUTDOWN)

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

2303

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2304

def test_shutdown_closed(self):

2305

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2306

If the underlying socket is closed, `Connection.shutdown` propagates

2307

the write error from the low level write call.

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2308

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2309

server, client = loopback()

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2310

server.sock_shutdown(2)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2311

with pytest.raises(SysCallError) as exc:

2312

server.shutdown()

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2313

if platform == "win32":

2314

assert exc.value.args[0] == ESHUTDOWN

2315

else:

2316

assert exc.value.args[0] == EPIPE

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2317

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2318

def test_shutdown_truncated(self):

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2319

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2320

If the underlying connection is truncated, `Connection.shutdown`

2321

raises an `Error`.

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2322

"""

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2323

server_ctx = Context(TLSv1_METHOD)

2324

client_ctx = Context(TLSv1_METHOD)

2325

server_ctx.use_privatekey(

2326

load_privatekey(FILETYPE_PEM, server_key_pem))

2327

server_ctx.use_certificate(

2328

load_certificate(FILETYPE_PEM, server_cert_pem))

2329

server = Connection(server_ctx, None)

2330

client = Connection(client_ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2331

handshake_in_memory(client, server)

2332

assert not server.shutdown()

2333

with pytest.raises(WantReadError):

2334

server.shutdown()

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2335

server.bio_shutdown()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2336

with pytest.raises(Error):

2337

server.shutdown()

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2338

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2339

def test_set_shutdown(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2340

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2341

`Connection.set_shutdown` sets the state of the SSL connection

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2342

shutdown process.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2343

"""

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2344

connection = Connection(Context(TLSv1_METHOD), socket())

2345

connection.set_shutdown(RECEIVED_SHUTDOWN)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2346

assert connection.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2347

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2348

@skip_if_py3

2349

def test_set_shutdown_long(self):

2350

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2351

On Python 2 `Connection.set_shutdown` accepts an argument

2352

of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2353

"""

2354

connection = Connection(Context(TLSv1_METHOD), socket())

2355

connection.set_shutdown(long(RECEIVED_SHUTDOWN))

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2356

assert connection.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

2357

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2358

def test_state_string(self):

2359

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2360

`Connection.state_string` verbosely describes the current state of

2361

the `Connection`.

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2362

"""

Hynek Schlawack

b0274ce

2015-10-16 19:56:26 +0200

[diff] [blame]

2363

server, client = socket_pair()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2364

server = loopback_server_factory(server)

2365

client = loopback_client_factory(client)

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2366

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2367

assert server.get_state_string() in [

2368

b"before/accept initialization", b"before SSL initialization"

2369

]

2370

assert client.get_state_string() in [

2371

b"before/connect initialization", b"before SSL initialization"

2372

]

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2373

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2374

def test_app_data(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2375

"""

2376

Any object can be set as app data by passing it to

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2377

`Connection.set_app_data` and later retrieved with

2378

`Connection.get_app_data`.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2379

"""

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2380

conn = Connection(Context(TLSv1_METHOD), None)

Todd Chapman

4f73e4f

2015-08-27 11:26:43 -0400

[diff] [blame]

2381

assert None is conn.get_app_data()

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2382

app_data = object()

2383

conn.set_app_data(app_data)

Todd Chapman

4f73e4f

2015-08-27 11:26:43 -0400

[diff] [blame]

2384

assert conn.get_app_data() is app_data

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2385

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2386

def test_makefile(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2387

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2388

`Connection.makefile` is not implemented and calling that

2389

method raises `NotImplementedError`.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2390

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2391

conn = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2392

with pytest.raises(NotImplementedError):

2393

conn.makefile()

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2394

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2395

def test_get_peer_cert_chain(self):

2396

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2397

`Connection.get_peer_cert_chain` returns a list of certificates

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2398

which the connected server returned for the certification verification.

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2399

"""

2400

chain = _create_certificate_chain()

2401

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

2402

2403

serverContext = Context(TLSv1_METHOD)

2404

serverContext.use_privatekey(skey)

2405

serverContext.use_certificate(scert)

2406

serverContext.add_extra_chain_cert(icert)

2407

serverContext.add_extra_chain_cert(cacert)

2408

server = Connection(serverContext, None)

2409

server.set_accept_state()

2410

2411

# Create the client

2412

clientContext = Context(TLSv1_METHOD)

2413

clientContext.set_verify(VERIFY_NONE, verify_cb)

2414

client = Connection(clientContext, None)

2415

client.set_connect_state()

2416

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2417

interact_in_memory(client, server)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2418

2419

chain = client.get_peer_cert_chain()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2420

assert len(chain) == 3

2421

assert "Server Certificate" == chain[0].get_subject().CN

2422

assert "Intermediate Certificate" == chain[1].get_subject().CN

2423

assert "Authority Certificate" == chain[2].get_subject().CN

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2424

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2425

def test_get_peer_cert_chain_none(self):

2426

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2427

`Connection.get_peer_cert_chain` returns `None` if the peer sends

2428

no certificate chain.

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2429

"""

2430

ctx = Context(TLSv1_METHOD)

2431

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

2432

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

2433

server = Connection(ctx, None)

2434

server.set_accept_state()

2435

client = Connection(Context(TLSv1_METHOD), None)

2436

client.set_connect_state()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2437

interact_in_memory(client, server)

2438

assert None is server.get_peer_cert_chain()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2439

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2440

def test_get_session_unconnected(self):

2441

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2442

`Connection.get_session` returns `None` when used with an object

2443

which has not been connected.

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2444

"""

2445

ctx = Context(TLSv1_METHOD)

2446

server = Connection(ctx, None)

2447

session = server.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2448

assert None is session

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2449

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2450

def test_server_get_session(self):

2451

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2452

On the server side of a connection, `Connection.get_session` returns a

2453

`Session` instance representing the SSL session for that connection.

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2454

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2455

server, client = loopback()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2456

session = server.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2457

assert isinstance(session, Session)

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2458

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2459

def test_client_get_session(self):

2460

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2461

On the client side of a connection, `Connection.get_session`

2462

returns a `Session` instance representing the SSL session for

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2463

that connection.

2464

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2465

server, client = loopback()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2466

session = client.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2467

assert isinstance(session, Session)

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2468

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2469

def test_set_session_wrong_args(self):

2470

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2471

`Connection.set_session` raises `TypeError` if called with an object

2472

that is not an instance of `Session`.

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2473

"""

2474

ctx = Context(TLSv1_METHOD)

2475

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2476

with pytest.raises(TypeError):

2477

connection.set_session(123)

2478

with pytest.raises(TypeError):

2479

connection.set_session("hello")

2480

with pytest.raises(TypeError):

2481

connection.set_session(object())

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2482

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2483

def test_client_set_session(self):

2484

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2485

`Connection.set_session`, when used prior to a connection being

2486

established, accepts a `Session` instance and causes an attempt to

2487

re-use the session it represents when the SSL handshake is performed.

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2488

"""

2489

key = load_privatekey(FILETYPE_PEM, server_key_pem)

2490

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

Alex Gaynor

332848f

2017-08-07 12:40:09 -0400

[diff] [blame]

2491

ctx = Context(SSLv23_METHOD)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2492

ctx.use_privatekey(key)

2493

ctx.use_certificate(cert)

2494

ctx.set_session_id("unity-test")

2495

2496

def makeServer(socket):

2497

server = Connection(ctx, socket)

2498

server.set_accept_state()

2499

return server

2500

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2501

originalServer, originalClient = loopback(

2502

server_factory=makeServer)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2503

originalSession = originalClient.get_session()

2504

2505

def makeClient(socket):

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2506

client = loopback_client_factory(socket)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2507

client.set_session(originalSession)

2508

return client

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2509

resumedServer, resumedClient = loopback(

2510

server_factory=makeServer,

2511

client_factory=makeClient)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2512

2513

# This is a proxy: in general, we have no access to any unique

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2514

# identifier for the session (new enough versions of OpenSSL expose

2515

# a hash which could be usable, but "new enough" is very, very new).

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2516

# Instead, exploit the fact that the master key is re-used if the

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2517

# session is re-used. As long as the master key for the two

2518

# connections is the same, the session was re-used!

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2519

assert originalServer.master_key() == resumedServer.master_key()

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2520

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2521

def test_set_session_wrong_method(self):

2522

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2523

If `Connection.set_session` is passed a `Session` instance associated

2524

with a context using a different SSL method than the `Connection`

2525

is using, a `OpenSSL.SSL.Error` is raised.

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2526

"""

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2527

# Make this work on both OpenSSL 1.0.0, which doesn't support TLSv1.2

2528

# and also on OpenSSL 1.1.0 which doesn't support SSLv3. (SSL_ST_INIT

2529

# is a way to check for 1.1.0)

Alex Gaynor

aa32e71

2017-06-29 20:56:12 -0700

[diff] [blame]

2530

if SSL_ST_INIT is None:

2531

v1 = TLSv1_2_METHOD

2532

v2 = TLSv1_METHOD

2533

elif hasattr(_lib, "SSLv3_method"):

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2534

v1 = TLSv1_METHOD

2535

v2 = SSLv3_METHOD

2536

else:

Alex Gaynor

aa32e71

2017-06-29 20:56:12 -0700

[diff] [blame]

2537

pytest.skip("Test requires either OpenSSL 1.1.0 or SSLv3")

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2538

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2539

key = load_privatekey(FILETYPE_PEM, server_key_pem)

2540

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2541

ctx = Context(v1)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2542

ctx.use_privatekey(key)

2543

ctx.use_certificate(cert)

2544

ctx.set_session_id("unity-test")

2545

2546

def makeServer(socket):

2547

server = Connection(ctx, socket)

2548

server.set_accept_state()

2549

return server

2550

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2551

def makeOriginalClient(socket):

2552

client = Connection(Context(v1), socket)

2553

client.set_connect_state()

2554

return client

2555

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2556

originalServer, originalClient = loopback(

2557

server_factory=makeServer, client_factory=makeOriginalClient)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2558

originalSession = originalClient.get_session()

2559

2560

def makeClient(socket):

2561

# Intentionally use a different, incompatible method here.

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2562

client = Connection(Context(v2), socket)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2563

client.set_connect_state()

2564

client.set_session(originalSession)

2565

return client

2566

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2567

with pytest.raises(Error):

2568

loopback(client_factory=makeClient, server_factory=makeServer)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2569

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2570

def test_wantWriteError(self):

2571

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2572

`Connection` methods which generate output raise

2573

`OpenSSL.SSL.WantWriteError` if writing to the connection's BIO

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2574

fail indicating a should-write state.

2575

"""

2576

client_socket, server_socket = socket_pair()

2577

# Fill up the client's send buffer so Connection won't be able to write

Jean-Paul Calderone

bbff8b9

2014-03-22 14:20:30 -0400

[diff] [blame]

2578

# anything. Only write a single byte at a time so we can be sure we

2579

# completely fill the buffer. Even though the socket API is allowed to

2580

# signal a short write via its return value it seems this doesn't

2581

# always happen on all platforms (FreeBSD and OS X particular) for the

2582

# very last bit of available buffer space.

2583

msg = b"x"

2584

for i in range(1024 * 1024 * 4):

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2585

try:

2586

client_socket.send(msg)

2587

except error as e:

2588

if e.errno == EWOULDBLOCK:

2589

break

2590

raise

2591

else:

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2592

pytest.fail(

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2593

"Failed to fill socket buffer, cannot test BIO want write")

2594

2595

ctx = Context(TLSv1_METHOD)

2596

conn = Connection(ctx, client_socket)

2597

# Client's speak first, so make it an SSL client

2598

conn.set_connect_state()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2599

with pytest.raises(WantWriteError):

2600

conn.do_handshake()

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

# XXX want_read

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2604

def test_get_finished_before_connect(self):

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2605

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2606

`Connection.get_finished` returns `None` before TLS handshake

2607

is completed.

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2608

"""

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2609

ctx = Context(TLSv1_METHOD)

2610

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2611

assert connection.get_finished() is None

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2612

2613

def test_get_peer_finished_before_connect(self):

2614

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2615

`Connection.get_peer_finished` returns `None` before TLS handshake

2616

is completed.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2617

"""

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2618

ctx = Context(TLSv1_METHOD)

2619

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2620

assert connection.get_peer_finished() is None

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2621

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2622

def test_get_finished(self):

2623

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2624

`Connection.get_finished` method returns the TLS Finished message send

2625

from client, or server. Finished messages are send during

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2626

TLS handshake.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2627

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2628

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2629

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2630

assert server.get_finished() is not None

2631

assert len(server.get_finished()) > 0

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2632

2633

def test_get_peer_finished(self):

2634

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2635

`Connection.get_peer_finished` method returns the TLS Finished

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2636

message received from client, or server. Finished messages are send

2637

during TLS handshake.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2638

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2639

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2640

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2641

assert server.get_peer_finished() is not None

2642

assert len(server.get_peer_finished()) > 0

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2643

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2644

def test_tls_finished_message_symmetry(self):

2645

"""

Hynek Schlawack

dddd111

2015-09-05 21:12:30 +0200

[diff] [blame]

2646

The TLS Finished message send by server must be the TLS Finished

2647

message received by client.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2648

Hynek Schlawack

dddd111

2015-09-05 21:12:30 +0200

[diff] [blame]

2649

The TLS Finished message send by client must be the TLS Finished

2650

message received by server.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2651

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2652

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2653

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2654

assert server.get_finished() == client.get_peer_finished()

2655

assert client.get_finished() == server.get_peer_finished()

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

2656

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2657

def test_get_cipher_name_before_connect(self):

2658

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2659

`Connection.get_cipher_name` returns `None` if no connection

2660

has been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2661

"""

2662

ctx = Context(TLSv1_METHOD)

2663

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2664

assert conn.get_cipher_name() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2665

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2666

def test_get_cipher_name(self):

2667

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2668

`Connection.get_cipher_name` returns a `unicode` string giving the

2669

name of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2670

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2671

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2672

server_cipher_name, client_cipher_name = \

2673

server.get_cipher_name(), client.get_cipher_name()

2674

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2675

assert isinstance(server_cipher_name, text_type)

2676

assert isinstance(client_cipher_name, text_type)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2677

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2678

assert server_cipher_name == client_cipher_name

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2679

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2680

def test_get_cipher_version_before_connect(self):

2681

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2682

`Connection.get_cipher_version` returns `None` if no connection

2683

has been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2684

"""

2685

ctx = Context(TLSv1_METHOD)

2686

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2687

assert conn.get_cipher_version() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2688

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2689

def test_get_cipher_version(self):

2690

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2691

`Connection.get_cipher_version` returns a `unicode` string giving

2692

the protocol name of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2693

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2694

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2695

server_cipher_version, client_cipher_version = \

2696

server.get_cipher_version(), client.get_cipher_version()

2697

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2698

assert isinstance(server_cipher_version, text_type)

2699

assert isinstance(client_cipher_version, text_type)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2700

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2701

assert server_cipher_version == client_cipher_version

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2702

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2703

def test_get_cipher_bits_before_connect(self):

2704

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2705

`Connection.get_cipher_bits` returns `None` if no connection has

2706

been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2707

"""

2708

ctx = Context(TLSv1_METHOD)

2709

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2710

assert conn.get_cipher_bits() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2711

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2712

def test_get_cipher_bits(self):

2713

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2714

`Connection.get_cipher_bits` returns the number of secret bits

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2715

of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2716

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2717

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2718

server_cipher_bits, client_cipher_bits = \

2719

server.get_cipher_bits(), client.get_cipher_bits()

2720

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2721

assert isinstance(server_cipher_bits, int)

2722

assert isinstance(client_cipher_bits, int)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2723

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2724

assert server_cipher_bits == client_cipher_bits

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

2725

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2726

def test_get_protocol_version_name(self):

2727

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2728

`Connection.get_protocol_version_name()` returns a string giving the

2729

protocol version of the current connection.

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2730

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2731

server, client = loopback()

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2732

client_protocol_version_name = client.get_protocol_version_name()

2733

server_protocol_version_name = server.get_protocol_version_name()

2734

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2735

assert isinstance(server_protocol_version_name, text_type)

2736

assert isinstance(client_protocol_version_name, text_type)

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2737

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2738

assert server_protocol_version_name == client_protocol_version_name

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2739

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2740

def test_get_protocol_version(self):

2741

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2742

`Connection.get_protocol_version()` returns an integer

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2743

giving the protocol version of the current connection.

2744

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2745

server, client = loopback()

Jim Shaver

85a4dff

2015-04-27 17:42:46 -0400

[diff] [blame]

2746

client_protocol_version = client.get_protocol_version()

2747

server_protocol_version = server.get_protocol_version()

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2748

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2749

assert isinstance(server_protocol_version, int)

2750

assert isinstance(client_protocol_version, int)

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2751

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2752

assert server_protocol_version == client_protocol_version

2753

2754

def test_wantReadError(self):

2755

"""

2756

`Connection.bio_read` raises `OpenSSL.SSL.WantReadError` if there are

2757

no bytes available to be read from the BIO.

2758

"""

2759

ctx = Context(TLSv1_METHOD)

2760

conn = Connection(ctx, None)

2761

with pytest.raises(WantReadError):

2762

conn.bio_read(1024)

2763

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2764

@pytest.mark.parametrize('bufsize', [1.0, None, object(), 'bufsize'])

2765

def test_bio_read_wrong_args(self, bufsize):

2766

"""

2767

`Connection.bio_read` raises `TypeError` if passed a non-integer

2768

argument.

2769

"""

2770

ctx = Context(TLSv1_METHOD)

2771

conn = Connection(ctx, None)

2772

with pytest.raises(TypeError):

2773

conn.bio_read(bufsize)

2774

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2775

def test_buffer_size(self):

2776

"""

2777

`Connection.bio_read` accepts an integer giving the maximum number

2778

of bytes to read and return.

2779

"""

2780

ctx = Context(TLSv1_METHOD)

2781

conn = Connection(ctx, None)

2782

conn.set_connect_state()

2783

try:

2784

conn.do_handshake()

2785

except WantReadError:

2786

pass

2787

data = conn.bio_read(2)

2788

assert 2 == len(data)

2789

2790

@skip_if_py3

2791

def test_buffer_size_long(self):

2792

"""

2793

On Python 2 `Connection.bio_read` accepts values of type `long` as

2794

well as `int`.

2795

"""

2796

ctx = Context(TLSv1_METHOD)

2797

conn = Connection(ctx, None)

2798

conn.set_connect_state()

2799

try:

2800

conn.do_handshake()

2801

except WantReadError:

2802

pass

2803

data = conn.bio_read(long(2))

2804

assert 2 == len(data)

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2805

Jean-Paul Calderone

dbd7627

2014-03-29 18:09:40 -0400

[diff] [blame]

2806

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2807

class TestConnectionGetCipherList(object):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2808

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2809

Tests for `Connection.get_cipher_list`.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2810

"""

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2811

def test_result(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2812

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2813

`Connection.get_cipher_list` returns a list of `bytes` giving the

2814

names of the ciphers which might be used.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2815

"""

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2816

connection = Connection(Context(TLSv1_METHOD), None)

2817

ciphers = connection.get_cipher_list()

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2818

assert isinstance(ciphers, list)

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2819

for cipher in ciphers:

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2820

assert isinstance(cipher, str)

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2821

2822

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

2823

class VeryLarge(bytes):

2824

"""

2825

Mock object so that we don't have to allocate 2**31 bytes

"""

def __len__(self):

return 2**31

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2831

class TestConnectionSend(object):

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2832

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2833

Tests for `Connection.send`.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2834

"""

2835

def test_wrong_args(self):

2836

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

2837

When called with arguments other than string argument for its first

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2838

parameter, `Connection.send` raises `TypeError`.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2839

"""

2840

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2841

with pytest.raises(TypeError):

2842

connection.send(object())

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2843

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2844

def test_short_bytes(self):

2845

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2846

When passed a short byte string, `Connection.send` transmits all of it

2847

and returns the number of bytes sent.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2848

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2849

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2850

count = server.send(b'xy')

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2851

assert count == 2

2852

assert client.recv(2) == b'xy'

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2853

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2854

def test_text(self):

2855

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2856

When passed a text, `Connection.send` transmits all of it and

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

2857

returns the number of bytes sent. It also raises a DeprecationWarning.

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2858

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2859

server, client = loopback()

2860

with pytest.warns(DeprecationWarning) as w:

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2861

simplefilter("always")

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

2862

count = server.send(b"xy".decode("ascii"))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2863

assert (

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

2864

"{0} for buf is no longer accepted, use bytes".format(

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

2865

WARNING_TYPE_EXPECTED

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2866

) == str(w[-1].message))

2867

assert count == 2

2868

assert client.recv(2) == b'xy'

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2869

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2870

@skip_if_py26

2871

def test_short_memoryview(self):

2872

"""

2873

When passed a memoryview onto a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2874

`Connection.send` transmits all of them and returns the number

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2875

of bytes sent.

2876

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2877

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2878

count = server.send(memoryview(b'xy'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2879

assert count == 2

2880

assert client.recv(2) == b'xy'

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2881

Hynek Schlawack

8e94f1b

2015-09-05 21:31:00 +0200

[diff] [blame]

2882

@skip_if_py3

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2883

def test_short_buffer(self):

2884

"""

2885

When passed a buffer containing a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2886

`Connection.send` transmits all of them and returns the number

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2887

of bytes sent.

2888

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2889

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2890

count = server.send(buffer(b'xy'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2891

assert count == 2

2892

assert client.recv(2) == b'xy'

Markus Unterwaditzer

8e41d02

2014-04-19 12:27:11 +0200

[diff] [blame]

2893

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

2894

@pytest.mark.skipif(

2895

sys.maxsize < 2**31,

2896

reason="sys.maxsize < 2**31 - test requires 64 bit"

2897

)

2898

def test_buf_too_large(self):

2899

"""

2900

When passed a buffer containing >= 2**31 bytes,

2901

`Connection.send` bails out as SSL_write only

2902

accepts an int for the buffer length.

2903

"""

2904

connection = Connection(Context(TLSv1_METHOD), None)

2905

with pytest.raises(ValueError) as exc_info:

2906

connection.send(VeryLarge())

2907

exc_info.match(r"Cannot send more than .+ bytes at once")

2908

Jean-Paul Calderone

691e6c9

2011-01-21 22:04:35 -0500

[diff] [blame]

2909

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2910

def _make_memoryview(size):

2911

"""

2912

Create a new ``memoryview`` wrapped around a ``bytearray`` of the given

2913

size.

2914

"""

2915

return memoryview(bytearray(size))

2916

2917

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2918

class TestConnectionRecvInto(object):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2919

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2920

Tests for `Connection.recv_into`.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2921

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2922

def _no_length_test(self, factory):

Jean-Paul Calderone

61559d8

2015-03-15 17:04:50 -0400

[diff] [blame]

2923

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2924

Assert that when the given buffer is passed to `Connection.recv_into`,

2925

whatever bytes are available to be received that fit into that buffer

2926

are written into that buffer.

Jean-Paul Calderone

61559d8

2015-03-15 17:04:50 -0400

[diff] [blame]

2927

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2928

output_buffer = factory(5)

2929

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2930

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2931

server.send(b'xy')

Jean-Paul Calderone

332a85e

2015-03-15 17:02:40 -0400

[diff] [blame]

2932

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2933

assert client.recv_into(output_buffer) == 2

2934

assert output_buffer == bytearray(b'xy\x00\x00\x00')

Jean-Paul Calderone

332a85e

2015-03-15 17:02:40 -0400

[diff] [blame]

2935

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2936

def test_bytearray_no_length(self):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2937

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2938

`Connection.recv_into` can be passed a `bytearray` instance and data

2939

in the receive buffer is written to it.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2940

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2941

self._no_length_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2942

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2943

def _respects_length_test(self, factory):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2944

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2945

Assert that when the given buffer is passed to `Connection.recv_into`

2946

along with a value for `nbytes` that is less than the size of that

2947

buffer, only `nbytes` bytes are written into the buffer.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2948

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2949

output_buffer = factory(10)

2950

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2951

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2952

server.send(b'abcdefghij')

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2953

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2954

assert client.recv_into(output_buffer, 5) == 5

2955

assert output_buffer == bytearray(b'abcde\x00\x00\x00\x00\x00')

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

2956

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2957

def test_bytearray_respects_length(self):

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

2958

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2959

When called with a `bytearray` instance, `Connection.recv_into`

2960

respects the `nbytes` parameter and doesn't copy in more than that

2961

number of bytes.

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

2962

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2963

self._respects_length_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2964

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2965

def _doesnt_overfill_test(self, factory):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2966

"""

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2967

Assert that if there are more bytes available to be read from the

2968

receive buffer than would fit into the buffer passed to

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2969

`Connection.recv_into`, only as many as fit are written into it.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2970

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2971

output_buffer = factory(5)

2972

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2973

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2974

server.send(b'abcdefghij')

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2975

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2976

assert client.recv_into(output_buffer) == 5

2977

assert output_buffer == bytearray(b'abcde')

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2978

rest = client.recv(5)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2979

assert b'fghij' == rest

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2980

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2981

def test_bytearray_doesnt_overfill(self):

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2982

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2983

When called with a `bytearray` instance, `Connection.recv_into`

2984

respects the size of the array and doesn't write more bytes into it

2985

than will fit.

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2986

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2987

self._doesnt_overfill_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2988

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2989

def test_bytearray_really_doesnt_overfill(self):

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

2990

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2991

When called with a `bytearray` instance and an `nbytes` value that is

2992

too large, `Connection.recv_into` respects the size of the array and

2993

not the `nbytes` value and doesn't write more bytes into the buffer

2994

than will fit.

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

2995

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2996

self._doesnt_overfill_test(bytearray)

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

2997

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2998

def test_peek(self):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2999

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3000

server.send(b'xy')

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

3001

3002

for _ in range(2):

3003

output_buffer = bytearray(5)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3004

assert client.recv_into(output_buffer, flags=MSG_PEEK) == 2

3005

assert output_buffer == bytearray(b'xy\x00\x00\x00')

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

3006

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3007

@skip_if_py26

3008

def test_memoryview_no_length(self):

3009

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3010

`Connection.recv_into` can be passed a `memoryview` instance and data

3011

in the receive buffer is written to it.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3012

"""

3013

self._no_length_test(_make_memoryview)

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

3014

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3015

@skip_if_py26

3016

def test_memoryview_respects_length(self):

3017

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3018

When called with a `memoryview` instance, `Connection.recv_into`

3019

respects the ``nbytes`` parameter and doesn't copy more than that

3020

number of bytes in.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3021

"""

3022

self._respects_length_test(_make_memoryview)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3023

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3024

@skip_if_py26

3025

def test_memoryview_doesnt_overfill(self):

3026

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3027

When called with a `memoryview` instance, `Connection.recv_into`

3028

respects the size of the array and doesn't write more bytes into it

3029

than will fit.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3030

"""

3031

self._doesnt_overfill_test(_make_memoryview)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3032

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3033

@skip_if_py26

3034

def test_memoryview_really_doesnt_overfill(self):

3035

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3036

When called with a `memoryview` instance and an `nbytes` value that is

3037

too large, `Connection.recv_into` respects the size of the array and

3038

not the `nbytes` value and doesn't write more bytes into the buffer

3039

than will fit.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3040

"""

3041

self._doesnt_overfill_test(_make_memoryview)

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

3042

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3043

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3044

class TestConnectionSendall(object):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3045

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3046

Tests for `Connection.sendall`.

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3047

"""

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3048

def test_wrong_args(self):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3049

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

3050

When called with arguments other than a string argument for its first

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3051

parameter, `Connection.sendall` raises `TypeError`.

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3052

"""

3053

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3054

with pytest.raises(TypeError):

3055

connection.sendall(object())

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3056

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3057

def test_short(self):

3058

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3059

`Connection.sendall` transmits all of the bytes in the string

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3060

passed to it.

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3061

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3062

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3063

server.sendall(b'x')

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3064

assert client.recv(1) == b'x'

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3065

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3066

def test_text(self):

3067

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3068

`Connection.sendall` transmits all the content in the string passed

3069

to it, raising a DeprecationWarning in case of this being a text.

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3070

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3071

server, client = loopback()

3072

with pytest.warns(DeprecationWarning) as w:

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3073

simplefilter("always")

Jean-Paul Calderone

8dc37a1

2015-03-29 08:16:52 -0400

[diff] [blame]

3074

server.sendall(b"x".decode("ascii"))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3075

assert (

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

3076

"{0} for buf is no longer accepted, use bytes".format(

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

3077

WARNING_TYPE_EXPECTED

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3078

) == str(w[-1].message))

3079

assert client.recv(1) == b"x"

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3080

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3081

@skip_if_py26

3082

def test_short_memoryview(self):

3083

"""

3084

When passed a memoryview onto a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3085

`Connection.sendall` transmits all of them.

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3086

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3087

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3088

server.sendall(memoryview(b'x'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3089

assert client.recv(1) == b'x'

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3090

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3091

@skip_if_py3

3092

def test_short_buffers(self):

3093

"""

3094

When passed a buffer containing a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3095

`Connection.sendall` transmits all of them.

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3096

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3097

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3098

server.sendall(buffer(b'x'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3099

assert client.recv(1) == b'x'

Markus Unterwaditzer

8e41d02

2014-04-19 12:27:11 +0200

[diff] [blame]

3100

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3101

def test_long(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3102

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3103

`Connection.sendall` transmits all the bytes in the string passed to it

3104

even if this requires multiple calls of an underlying write function.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3105

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3106

server, client = loopback()

Jean-Paul Calderone

6241c70

2010-09-16 19:59:24 -0400

[diff] [blame]

3107

# Should be enough, underlying SSL_write should only do 16k at a time.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3108

# On Windows, after 32k of bytes the write will block (forever

3109

# - because no one is yet reading).

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3110

message = b'x' * (1024 * 32 - 1) + b'y'

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3111

server.sendall(message)

3112

accum = []

3113

received = 0

3114

while received < len(message):

Jean-Paul Calderone

b1f7f5f

2010-08-22 21:40:52 -0400

[diff] [blame]

3115

data = client.recv(1024)

3116

accum.append(data)

3117

received += len(data)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3118

assert message == b''.join(accum)

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3119

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

3120

def test_closed(self):

3121

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3122

If the underlying socket is closed, `Connection.sendall` propagates the

3123

write error from the low level write call.

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

3124

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3125

server, client = loopback()

Jean-Paul Calderone

05d43e8

2010-09-24 18:01:36 -0400

[diff] [blame]

3126

server.sock_shutdown(2)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3127

with pytest.raises(SysCallError) as err:

3128

server.sendall(b"hello, world")

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

3129

if platform == "win32":

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3130

assert err.value.args[0] == ESHUTDOWN

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

3131

else:

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3132

assert err.value.args[0] == EPIPE

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

3133

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3134

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3135

class TestConnectionRenegotiate(object):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3136

"""

3137

Tests for SSL renegotiation APIs.

3138

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

3139

def test_total_renegotiations(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3140

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3141

`Connection.total_renegotiations` returns `0` before any renegotiations

3142

have happened.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3143

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

3144

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3145

assert connection.total_renegotiations() == 0

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

3146

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3147

def test_renegotiate(self):

3148

"""

3149

Go through a complete renegotiation cycle.

3150

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3151

server, client = loopback()

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3152

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3153

server.send(b"hello world")

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3154

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3155

assert b"hello world" == client.recv(len(b"hello world"))

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3156

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3157

assert 0 == server.total_renegotiations()

3158

assert False is server.renegotiate_pending()

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3159

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3160

assert True is server.renegotiate()

3161

3162

assert True is server.renegotiate_pending()

3163

3164

server.setblocking(False)

3165

client.setblocking(False)

3166

3167

client.do_handshake()

3168

server.do_handshake()

3169

3170

assert 1 == server.total_renegotiations()

3171

while False is server.renegotiate_pending():

3172

pass

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3173

3174

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3175

class TestError(object):

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3176

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3177

Unit tests for `OpenSSL.SSL.Error`.

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3178

"""

3179

def test_type(self):

3180

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3181

`Error` is an exception type.

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3182

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3183

assert issubclass(Error, Exception)

3184

assert Error.__name__ == 'Error'

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

3185

3186

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3187

class TestConstants(object):

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3188

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3189

Tests for the values of constants exposed in `OpenSSL.SSL`.

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3190

3191

These are values defined by OpenSSL intended only to be used as flags to

3192

OpenSSL APIs. The only assertions it seems can be made about them is

3193

their values.

3194

"""

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3195

@pytest.mark.skipif(

3196

OP_NO_QUERY_MTU is None,

3197

reason="OP_NO_QUERY_MTU unavailable - OpenSSL version may be too old"

3198

)

3199

def test_op_no_query_mtu(self):

3200

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3201

The value of `OpenSSL.SSL.OP_NO_QUERY_MTU` is 0x1000, the value

3202

of `SSL_OP_NO_QUERY_MTU` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3203

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3204

assert OP_NO_QUERY_MTU == 0x1000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3205

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3206

@pytest.mark.skipif(

3207

OP_COOKIE_EXCHANGE is None,

3208

reason="OP_COOKIE_EXCHANGE unavailable - "

3209

"OpenSSL version may be too old"

3210

)

3211

def test_op_cookie_exchange(self):

3212

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3213

The value of `OpenSSL.SSL.OP_COOKIE_EXCHANGE` is 0x2000, the

3214

value of `SSL_OP_COOKIE_EXCHANGE` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3215

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3216

assert OP_COOKIE_EXCHANGE == 0x2000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3217

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3218

@pytest.mark.skipif(

3219

OP_NO_TICKET is None,

3220

reason="OP_NO_TICKET unavailable - OpenSSL version may be too old"

3221

)

3222

def test_op_no_ticket(self):

3223

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3224

The value of `OpenSSL.SSL.OP_NO_TICKET` is 0x4000, the value of

3225

`SSL_OP_NO_TICKET` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3226

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3227

assert OP_NO_TICKET == 0x4000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3228

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3229

@pytest.mark.skipif(

3230

OP_NO_COMPRESSION is None,

3231

reason="OP_NO_COMPRESSION unavailable - OpenSSL version may be too old"

3232

)

3233

def test_op_no_compression(self):

3234

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3235

The value of `OpenSSL.SSL.OP_NO_COMPRESSION` is 0x20000, the

3236

value of `SSL_OP_NO_COMPRESSION` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3237

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3238

assert OP_NO_COMPRESSION == 0x20000

Jean-Paul Calderone

c62d4c1

2011-09-08 18:29:32 -0400

[diff] [blame]

3239

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3240

def test_sess_cache_off(self):

3241

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3242

The value of `OpenSSL.SSL.SESS_CACHE_OFF` 0x0, the value of

3243

`SSL_SESS_CACHE_OFF` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3244

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3245

assert 0x0 == SESS_CACHE_OFF

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3246

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3247

def test_sess_cache_client(self):

3248

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3249

The value of `OpenSSL.SSL.SESS_CACHE_CLIENT` 0x1, the value of

3250

`SSL_SESS_CACHE_CLIENT` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3251

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3252

assert 0x1 == SESS_CACHE_CLIENT

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3253

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3254

def test_sess_cache_server(self):

3255

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3256

The value of `OpenSSL.SSL.SESS_CACHE_SERVER` 0x2, the value of

3257

`SSL_SESS_CACHE_SERVER` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3258

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3259

assert 0x2 == SESS_CACHE_SERVER

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3260

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3261

def test_sess_cache_both(self):

3262

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3263

The value of `OpenSSL.SSL.SESS_CACHE_BOTH` 0x3, the value of

3264

`SSL_SESS_CACHE_BOTH` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3265

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3266

assert 0x3 == SESS_CACHE_BOTH

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3267

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3268

def test_sess_cache_no_auto_clear(self):

3269

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3270

The value of `OpenSSL.SSL.SESS_CACHE_NO_AUTO_CLEAR` 0x80, the

3271

value of `SSL_SESS_CACHE_NO_AUTO_CLEAR` defined by

3272

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3273

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3274

assert 0x80 == SESS_CACHE_NO_AUTO_CLEAR

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3275

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3276

def test_sess_cache_no_internal_lookup(self):

3277

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3278

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_LOOKUP` 0x100,

3279

the value of `SSL_SESS_CACHE_NO_INTERNAL_LOOKUP` defined by

3280

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3281

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3282

assert 0x100 == SESS_CACHE_NO_INTERNAL_LOOKUP

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3283

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3284

def test_sess_cache_no_internal_store(self):

3285

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3286

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_STORE` 0x200,

3287

the value of `SSL_SESS_CACHE_NO_INTERNAL_STORE` defined by

3288

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3289

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3290

assert 0x200 == SESS_CACHE_NO_INTERNAL_STORE

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3291

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3292

def test_sess_cache_no_internal(self):

3293

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3294

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL` 0x300, the

3295

value of `SSL_SESS_CACHE_NO_INTERNAL` defined by

3296

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3297

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3298

assert 0x300 == SESS_CACHE_NO_INTERNAL

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3299

3300

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3301

class TestMemoryBIO(object):

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3302

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3303

Tests for `OpenSSL.SSL.Connection` using a memory BIO.

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3304

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3305

def _server(self, sock):

3306

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3307

Create a new server-side SSL `Connection` object wrapped around `sock`.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3308

"""

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3309

# Create the server side Connection. This is mostly setup boilerplate

3310

# - use TLSv1, use a particular certificate, etc.

3311

server_ctx = Context(TLSv1_METHOD)

Alex Gaynor

4330778

2015-09-04 09:05:45 -0400

[diff] [blame]

3312

server_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE)

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3313

server_ctx.set_verify(

3314

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE,

3315

verify_cb

3316

)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3317

server_store = server_ctx.get_cert_store()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3318

server_ctx.use_privatekey(

3319

load_privatekey(FILETYPE_PEM, server_key_pem))

3320

server_ctx.use_certificate(

3321

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3322

server_ctx.check_privatekey()

3323

server_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3324

# Here the Connection is actually created. If None is passed as the

3325

# 2nd parameter, it indicates a memory BIO should be created.

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3326

server_conn = Connection(server_ctx, sock)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3327

server_conn.set_accept_state()

3328

return server_conn

3329

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3330

def _client(self, sock):

3331

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3332

Create a new client-side SSL `Connection` object wrapped around `sock`.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3333

"""

3334

# Now create the client side Connection. Similar boilerplate to the

3335

# above.

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3336

client_ctx = Context(TLSv1_METHOD)

Alex Gaynor

4330778

2015-09-04 09:05:45 -0400

[diff] [blame]

3337

client_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE)

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3338

client_ctx.set_verify(

3339

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE,

3340

verify_cb

3341

)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3342

client_store = client_ctx.get_cert_store()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3343

client_ctx.use_privatekey(

3344

load_privatekey(FILETYPE_PEM, client_key_pem))

3345

client_ctx.use_certificate(

3346

load_certificate(FILETYPE_PEM, client_cert_pem))

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3347

client_ctx.check_privatekey()

3348

client_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3349

client_conn = Connection(client_ctx, sock)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3350

client_conn.set_connect_state()

3351

return client_conn

3352

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3353

def test_memory_connect(self):

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3354

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3355

Two `Connection`s which use memory BIOs can be manually connected by

3356

reading from the output of each and writing those bytes to the input of

3357

the other and in this way establish a connection and exchange

3358

application-level bytes with each other.

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3359

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3360

server_conn = self._server(None)

3361

client_conn = self._client(None)

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3362

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3363

# There should be no key or nonces yet.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3364

assert server_conn.master_key() is None

3365

assert server_conn.client_random() is None

3366

assert server_conn.server_random() is None

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3367

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3368

# First, the handshake needs to happen. We'll deliver bytes back and

3369

# forth between the client and server until neither of them feels like

3370

# speaking any more.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3371

assert interact_in_memory(client_conn, server_conn) is None

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3372

3373

# Now that the handshake is done, there should be a key and nonces.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3374

assert server_conn.master_key() is not None

3375

assert server_conn.client_random() is not None

3376

assert server_conn.server_random() is not None

3377

assert server_conn.client_random() == client_conn.client_random()

3378

assert server_conn.server_random() == client_conn.server_random()

3379

assert server_conn.client_random() != server_conn.server_random()

3380

assert client_conn.client_random() != client_conn.server_random()

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3381

Paul Kehrer

bdb7639

2017-12-01 04:54:32 +0800

[diff] [blame^]

3382

# Export key material for other uses.

3383

cekm = client_conn.export_keying_material(b'LABEL', 32)

3384

sekm = server_conn.export_keying_material(b'LABEL', 32)

3385

assert cekm is not None

3386

assert sekm is not None

3387

assert cekm == sekm

3388

assert len(sekm) == 32

3389

3390

# Export key material for other uses with additional context.

3391

cekmc = client_conn.export_keying_material(b'LABEL', 32, b'CONTEXT')

3392

sekmc = server_conn.export_keying_material(b'LABEL', 32, b'CONTEXT')

3393

assert cekmc is not None

3394

assert sekmc is not None

3395

assert cekmc == sekmc

3396

assert cekmc != cekm

3397

assert sekmc != sekm

3398

# Export with alternate label

3399

cekmt = client_conn.export_keying_material(b'test', 32, b'CONTEXT')

3400

sekmt = server_conn.export_keying_material(b'test', 32, b'CONTEXT')

3401

assert cekmc != cekmt

3402

assert sekmc != sekmt

3403

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3404

# Here are the bytes we'll try to send.

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3405

important_message = b'One if by land, two if by sea.'

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3406

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3407

server_conn.write(important_message)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3408

assert (

3409

interact_in_memory(client_conn, server_conn) ==

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3410

(client_conn, important_message))

3411

3412

client_conn.write(important_message[::-1])

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3413

assert (

3414

interact_in_memory(client_conn, server_conn) ==

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3415

(server_conn, important_message[::-1]))

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3416

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3417

def test_socket_connect(self):

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3418

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3419

Just like `test_memory_connect` but with an actual socket.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3420

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3421

This is primarily to rule out the memory BIO code as the source of any

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3422

problems encountered while passing data over a `Connection` (if

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3423

this test fails, there must be a problem outside the memory BIO code,

3424

as no memory BIO is involved here). Even though this isn't a memory

3425

BIO test, it's convenient to have it here.

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3426

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3427

server_conn, client_conn = loopback()

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3428

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3429

important_message = b"Help me Obi Wan Kenobi, you're my only hope."

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3430

client_conn.send(important_message)

3431

msg = server_conn.recv(1024)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3432

assert msg == important_message

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3433

3434

# Again in the other direction, just for fun.

3435

important_message = important_message[::-1]

3436

server_conn.send(important_message)

3437

msg = client_conn.recv(1024)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3438

assert msg == important_message

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3439

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3440

def test_socket_overrides_memory(self):

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3441

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3442

Test that `OpenSSL.SSL.bio_read` and `OpenSSL.SSL.bio_write` don't

3443

work on `OpenSSL.SSL.Connection`() that use sockets.

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3444

"""

Alex Gaynor

51d424c

2016-09-10 14:50:11 -0400

[diff] [blame]

3445

context = Context(TLSv1_METHOD)

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3446

client = socket()

3447

clientSSL = Connection(context, client)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3448

with pytest.raises(TypeError):

3449

clientSSL.bio_read(100)

3450

with pytest.raises(TypeError):

3451

clientSSL.bio_write("foo")

3452

with pytest.raises(TypeError):

3453

clientSSL.bio_shutdown()

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3454

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3455

def test_outgoing_overflow(self):

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3456

"""

3457

If more bytes than can be written to the memory BIO are passed to

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3458

`Connection.send` at once, the number of bytes which were written is

3459

returned and that many bytes from the beginning of the input can be

3460

read from the other end of the connection.

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3461

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3462

server = self._server(None)

3463

client = self._client(None)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3464

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3465

interact_in_memory(client, server)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3466

3467

size = 2 ** 15

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

3468

sent = client.send(b"x" * size)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3469

# Sanity check. We're trying to test what happens when the entire

3470

# input can't be sent. If the entire input was sent, this test is

3471

# meaningless.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3472

assert sent < size

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3473

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3474

receiver, received = interact_in_memory(client, server)

3475

assert receiver is server

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3476

3477

# We can rely on all of these bytes being received at once because

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3478

# loopback passes 2 ** 16 to recv - more than 2 ** 15.

3479

assert len(received) == sent

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3480

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3481

def test_shutdown(self):

3482

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3483

`Connection.bio_shutdown` signals the end of the data stream

3484

from which the `Connection` reads.

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3485

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3486

server = self._server(None)

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3487

server.bio_shutdown()

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3488

with pytest.raises(Error) as err:

3489

server.recv(1024)

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3490

# We don't want WantReadError or ZeroReturnError or anything - it's a

3491

# handshake failure.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3492

assert type(err.value) in [Error, SysCallError]

Jean-Paul Calderone

0b88b6a

2009-07-05 12:44:41 -0400

[diff] [blame]

3493

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3494

def test_unexpected_EOF(self):

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3495

"""

3496

If the connection is lost before an orderly SSL shutdown occurs,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3497

`OpenSSL.SSL.SysCallError` is raised with a message of

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3498

"Unexpected EOF".

3499

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3500

server_conn, client_conn = loopback()

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3501

client_conn.sock_shutdown(SHUT_RDWR)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3502

with pytest.raises(SysCallError) as err:

3503

server_conn.recv(1024)

3504

assert err.value.args == (-1, "Unexpected EOF")

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3505

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3506

def _check_client_ca_list(self, func):

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3507

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3508

Verify the return value of the `get_client_ca_list` method for

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3509

server and client connections.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3510

Jonathan Ballet

78b92a2

2011-07-16 08:07:26 +0900

[diff] [blame]

3511

:param func: A function which will be called with the server context

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3512

before the client and server are connected to each other. This

3513

function should specify a list of CAs for the server to send to the

3514

client and return that same list. The list will be used to verify

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3515

that `get_client_ca_list` returns the proper value at

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3516

various times.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3517

"""

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3518

server = self._server(None)

3519

client = self._client(None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3520

assert client.get_client_ca_list() == []

3521

assert server.get_client_ca_list() == []

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3522

ctx = server.get_context()

3523

expected = func(ctx)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3524

assert client.get_client_ca_list() == []

3525

assert server.get_client_ca_list() == expected

3526

interact_in_memory(client, server)

3527

assert client.get_client_ca_list() == expected

3528

assert server.get_client_ca_list() == expected

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3529

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3530

def test_set_client_ca_list_errors(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3531

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3532

`Context.set_client_ca_list` raises a `TypeError` if called with a

3533

non-list or a list that contains objects other than X509Names.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3534

"""

3535

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3536

with pytest.raises(TypeError):

3537

ctx.set_client_ca_list("spam")

3538

with pytest.raises(TypeError):

3539

ctx.set_client_ca_list(["spam"])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3540

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3541

def test_set_empty_ca_list(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3542

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3543

If passed an empty list, `Context.set_client_ca_list` configures the

3544

context to send no CA names to the client and, on both the server and

3545

client sides, `Connection.get_client_ca_list` returns an empty list

3546

after the connection is set up.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3547

"""

3548

def no_ca(ctx):

3549

ctx.set_client_ca_list([])

3550

return []

3551

self._check_client_ca_list(no_ca)

3552

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3553

def test_set_one_ca_list(self):

3554

"""

3555

If passed a list containing a single X509Name,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3556

`Context.set_client_ca_list` configures the context to send

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3557

that CA name to the client and, on both the server and client sides,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3558

`Connection.get_client_ca_list` returns a list containing that

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3559

X509Name after the connection is set up.

3560

"""

3561

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3562

cadesc = cacert.get_subject()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3563

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3564

def single_ca(ctx):

3565

ctx.set_client_ca_list([cadesc])

3566

return [cadesc]

3567

self._check_client_ca_list(single_ca)

3568

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3569

def test_set_multiple_ca_list(self):

3570

"""

3571

If passed a list containing multiple X509Name objects,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3572

`Context.set_client_ca_list` configures the context to send

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3573

those CA names to the client and, on both the server and client sides,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3574

`Connection.get_client_ca_list` returns a list containing those

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3575

X509Names after the connection is set up.

3576

"""

3577

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3578

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3579

3580

sedesc = secert.get_subject()

3581

cldesc = clcert.get_subject()

3582

3583

def multiple_ca(ctx):

3584

L = [sedesc, cldesc]

3585

ctx.set_client_ca_list(L)

3586

return L

3587

self._check_client_ca_list(multiple_ca)

3588

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3589

def test_reset_ca_list(self):

3590

"""

3591

If called multiple times, only the X509Names passed to the final call

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3592

of `Context.set_client_ca_list` are used to configure the CA

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3593

names sent to the client.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3594

"""

3595

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3596

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3597

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3598

3599

cadesc = cacert.get_subject()

3600

sedesc = secert.get_subject()

3601

cldesc = clcert.get_subject()

3602

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3603

def changed_ca(ctx):

3604

ctx.set_client_ca_list([sedesc, cldesc])

3605

ctx.set_client_ca_list([cadesc])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3606

return [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3607

self._check_client_ca_list(changed_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3608

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3609

def test_mutated_ca_list(self):

3610

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3611

If the list passed to `Context.set_client_ca_list` is mutated

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3612

afterwards, this does not affect the list of CA names sent to the

3613

client.

3614

"""

3615

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3616

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3617

3618

cadesc = cacert.get_subject()

3619

sedesc = secert.get_subject()

3620

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3621

def mutated_ca(ctx):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3622

L = [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3623

ctx.set_client_ca_list([cadesc])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3624

L.append(sedesc)

3625

return [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3626

self._check_client_ca_list(mutated_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3627

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3628

def test_add_client_ca_wrong_args(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3629

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3630

`Context.add_client_ca` raises `TypeError` if called with

3631

a non-X509 object.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3632

"""

3633

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3634

with pytest.raises(TypeError):

3635

ctx.add_client_ca("spam")

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3636

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3637

def test_one_add_client_ca(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3638

"""

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3639

A certificate's subject can be added as a CA to be sent to the client

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3640

with `Context.add_client_ca`.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3641

"""

3642

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3643

cadesc = cacert.get_subject()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3644

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3645

def single_ca(ctx):

3646

ctx.add_client_ca(cacert)

3647

return [cadesc]

3648

self._check_client_ca_list(single_ca)

3649

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3650

def test_multiple_add_client_ca(self):

3651

"""

3652

Multiple CA names can be sent to the client by calling

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3653

`Context.add_client_ca` with multiple X509 objects.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3654

"""

3655

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3656

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3657

3658

cadesc = cacert.get_subject()

3659

sedesc = secert.get_subject()

3660

3661

def multiple_ca(ctx):

3662

ctx.add_client_ca(cacert)

3663

ctx.add_client_ca(secert)

3664

return [cadesc, sedesc]

3665

self._check_client_ca_list(multiple_ca)

3666

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3667

def test_set_and_add_client_ca(self):

3668

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3669

A call to `Context.set_client_ca_list` followed by a call to

3670

`Context.add_client_ca` results in using the CA names from the

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3671

first call and the CA name from the second call.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3672

"""

3673

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3674

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3675

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3676

3677

cadesc = cacert.get_subject()

3678

sedesc = secert.get_subject()

3679

cldesc = clcert.get_subject()

3680

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3681

def mixed_set_add_ca(ctx):

3682

ctx.set_client_ca_list([cadesc, sedesc])

3683

ctx.add_client_ca(clcert)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3684

return [cadesc, sedesc, cldesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3685

self._check_client_ca_list(mixed_set_add_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3686

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3687

def test_set_after_add_client_ca(self):

3688

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3689

A call to `Context.set_client_ca_list` after a call to

3690

`Context.add_client_ca` replaces the CA name specified by the

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3691

former call with the names specified by the latter call.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3692

"""

3693

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3694

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3695

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3696

3697

cadesc = cacert.get_subject()

3698

sedesc = secert.get_subject()

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3699

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3700

def set_replaces_add_ca(ctx):

3701

ctx.add_client_ca(clcert)

3702

ctx.set_client_ca_list([cadesc])

3703

ctx.add_client_ca(secert)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3704

return [cadesc, sedesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3705

self._check_client_ca_list(set_replaces_add_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3706

Jean-Paul Calderone

0b88b6a

2009-07-05 12:44:41 -0400

[diff] [blame]

3707

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3708

class TestInfoConstants(object):

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3709

"""

3710

Tests for assorted constants exposed for use in info callbacks.

3711

"""

3712

def test_integers(self):

3713

"""

3714

All of the info constants are integers.

3715

3716

This is a very weak test. It would be nice to have one that actually

3717

verifies that as certain info events happen, the value passed to the

3718

info callback matches up with the constant exposed by OpenSSL.SSL.

3719

"""

3720

for const in [

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

3721

SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK,

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3722

SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT,

3723

SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP,

3724

SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT,

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3725

SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE

3726

]:

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

3727

assert isinstance(const, int)

3728

3729

# These constants don't exist on OpenSSL 1.1.0

3730

for const in [

3731

SSL_ST_INIT, SSL_ST_BEFORE, SSL_ST_OK, SSL_ST_RENEGOTIATE

3732

]:

3733

assert const is None or isinstance(const, int)

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3734

Ziga Seilnacht

44611bf

2009-08-31 20:49:30 +0200

[diff] [blame]

3735

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3736

class TestRequires(object):

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3737

"""

3738

Tests for the decorator factory used to conditionally raise

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3739

NotImplementedError when older OpenSSLs are used.

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3740

"""

3741

def test_available(self):

3742

"""

3743

When the OpenSSL functionality is available the decorated functions

3744

work appropriately.

3745

"""

3746

feature_guard = _make_requires(True, "Error text")

results = []

@feature_guard

def inner():

results.append(True)

return True

Cory Benfield

2016-03-30 14:24:16 +0100

[diff] [blame]

3754

assert inner() is True

3755

assert [True] == results

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3756

3757

def test_unavailable(self):

3758

"""

3759

When the OpenSSL functionality is not available the decorated function

3760

does not execute and NotImplementedError is raised.

3761

"""

3762

feature_guard = _make_requires(False, "Error text")

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3763

3764

@feature_guard

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3765

def inner(): # pragma: nocover

3766

pytest.fail("Should not be called")

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3767

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3768

with pytest.raises(NotImplementedError) as e:

3769

inner()

3770

3771

assert "Error text" in str(e.value)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3772

3773

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3774

class TestOCSP(object):

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3775

"""

3776

Tests for PyOpenSSL's OCSP stapling support.

3777

"""

3778

sample_ocsp_data = b"this is totally ocsp data"

3779

3780

def _client_connection(self, callback, data, request_ocsp=True):

3781

"""

3782

Builds a client connection suitable for using OCSP.

3783

3784

:param callback: The callback to register for OCSP.

3785

:param data: The opaque data object that will be handed to the

3786

OCSP callback.

3787

:param request_ocsp: Whether the client will actually ask for OCSP

3788

stapling. Useful for testing only.

3789

"""

3790

ctx = Context(SSLv23_METHOD)

3791

ctx.set_ocsp_client_callback(callback, data)

3792

client = Connection(ctx)

3793

3794

if request_ocsp:

3795

client.request_ocsp()

3796

3797

client.set_connect_state()

3798

return client

3799

3800

def _server_connection(self, callback, data):

3801

"""

3802

Builds a server connection suitable for using OCSP.

3803

3804

:param callback: The callback to register for OCSP.

3805

:param data: The opaque data object that will be handed to the

3806

OCSP callback.

3807

"""

3808

ctx = Context(SSLv23_METHOD)

3809

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

3810

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

3811

ctx.set_ocsp_server_callback(callback, data)

3812

server = Connection(ctx)

3813

server.set_accept_state()

3814

return server

3815

3816

def test_callbacks_arent_called_by_default(self):

3817

"""

3818

If both the client and the server have registered OCSP callbacks, but

3819

the client does not send the OCSP request, neither callback gets

3820

called.

3821

"""

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3822

def ocsp_callback(*args, **kwargs): # pragma: nocover

3823

pytest.fail("Should not be called")

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3824

3825

client = self._client_connection(

3826

callback=ocsp_callback, data=None, request_ocsp=False

3827

)

3828

server = self._server_connection(callback=ocsp_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3829

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3830

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3831

def test_client_negotiates_without_server(self):

3832

"""

3833

If the client wants to do OCSP but the server does not, the handshake

3834

succeeds, and the client callback fires with an empty byte string.

"""

called = []

def ocsp_callback(conn, ocsp_data, ignored):

3839

called.append(ocsp_data)

3840

return True

3841

3842

client = self._client_connection(callback=ocsp_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3843

server = loopback_server_factory(socket=None)

3844

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3845

3846

assert len(called) == 1

3847

assert called[0] == b''

3848

3849

def test_client_receives_servers_data(self):

3850

"""

3851

The data the server sends in its callback is received by the client.

"""

calls = []

def server_callback(*args, **kwargs):

3856

return self.sample_ocsp_data

3857

3858

def client_callback(conn, ocsp_data, ignored):

3859

calls.append(ocsp_data)

3860

return True

3861

3862

client = self._client_connection(callback=client_callback, data=None)

3863

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3864

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3865

3866

assert len(calls) == 1

3867

assert calls[0] == self.sample_ocsp_data

3868

3869

def test_callbacks_are_invoked_with_connections(self):

3870

"""

3871

The first arguments to both callbacks are their respective connections.

"""

client_calls = []

server_calls = []

def client_callback(conn, *args, **kwargs):

3877

client_calls.append(conn)

3878

return True

3879

3880

def server_callback(conn, *args, **kwargs):

3881

server_calls.append(conn)

3882

return self.sample_ocsp_data

3883

3884

client = self._client_connection(callback=client_callback, data=None)

3885

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3886

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3887

3888

assert len(client_calls) == 1

3889

assert len(server_calls) == 1

3890

assert client_calls[0] is client

3891

assert server_calls[0] is server

3892

3893

def test_opaque_data_is_passed_through(self):

3894

"""

3895

Both callbacks receive an opaque, user-provided piece of data in their

3896

callbacks as the final argument.

"""

calls = []

def server_callback(*args):

3901

calls.append(args)

3902

return self.sample_ocsp_data

3903

3904

def client_callback(*args):

calls.append(args)

return True

sentinel = object()

client = self._client_connection(

3911

callback=client_callback, data=sentinel

3912

)

3913

server = self._server_connection(

3914

callback=server_callback, data=sentinel

3915

)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3916

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3917

3918

assert len(calls) == 2

3919

assert calls[0][-1] is sentinel

3920

assert calls[1][-1] is sentinel

3921

3922

def test_server_returns_empty_string(self):

3923

"""

3924

If the server returns an empty bytestring from its callback, the

3925

client callback is called with the empty bytestring.

"""

client_calls = []

def server_callback(*args):

3930

return b''

3931

3932

def client_callback(conn, ocsp_data, ignored):

3933

client_calls.append(ocsp_data)

3934

return True

3935

3936

client = self._client_connection(callback=client_callback, data=None)

3937

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3938

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3939

3940

assert len(client_calls) == 1

3941

assert client_calls[0] == b''

3942

3943

def test_client_returns_false_terminates_handshake(self):

3944

"""

3945

If the client returns False from its callback, the handshake fails.

3946

"""

3947

def server_callback(*args):

3948

return self.sample_ocsp_data

3949

3950

def client_callback(*args):

3951

return False

3952

3953

client = self._client_connection(callback=client_callback, data=None)

3954

server = self._server_connection(callback=server_callback, data=None)

3955

3956

with pytest.raises(Error):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3957

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3958

3959

def test_exceptions_in_client_bubble_up(self):

3960

"""

3961

The callbacks thrown in the client callback bubble up to the caller.

3962

"""

3963

class SentinelException(Exception):

3964

pass

3965

3966

def server_callback(*args):

3967

return self.sample_ocsp_data

3968

3969

def client_callback(*args):

3970

raise SentinelException()

3971

3972

client = self._client_connection(callback=client_callback, data=None)

3973

server = self._server_connection(callback=server_callback, data=None)

3974

3975

with pytest.raises(SentinelException):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3976

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3977

3978

def test_exceptions_in_server_bubble_up(self):

3979

"""

3980

The callbacks thrown in the server callback bubble up to the caller.

3981

"""

3982

class SentinelException(Exception):

3983

pass

3984

3985

def server_callback(*args):

3986

raise SentinelException()

3987

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3988

def client_callback(*args): # pragma: nocover

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3989

pytest.fail("Should not be called")

3990

3991

client = self._client_connection(callback=client_callback, data=None)

3992

server = self._server_connection(callback=server_callback, data=None)

3993

3994

with pytest.raises(SentinelException):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3995

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3996

3997

def test_server_must_return_bytes(self):

3998

"""

3999

The server callback must return a bytestring, or a TypeError is thrown.

4000

"""

4001

def server_callback(*args):

4002

return self.sample_ocsp_data.decode('ascii')

4003

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

4004

def client_callback(*args): # pragma: nocover

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

4005

pytest.fail("Should not be called")

4006

4007

client = self._client_connection(callback=client_callback, data=None)

4008

server = self._server_connection(callback=server_callback, data=None)

4009

4010

with pytest.raises(TypeError):

Alex Chan