Blame - tests/test_ssl.py - platform/external/python/pyopenssl

2008-03-21 17:04:05 -0400

[diff] [blame]

4

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

5

Unit tests for :mod:`OpenSSL.SSL`.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

6

"""

7

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

8

import datetime

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

9

import sys

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

10

import uuid

11

Jean-Paul Calderone

4c1aacd

2014-01-11 08:15:17 -0500

[diff] [blame]

12

from gc import collect, get_referrers

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

13

from errno import ECONNREFUSED, EINPROGRESS, EWOULDBLOCK, EPIPE, ESHUTDOWN

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

14

from sys import platform, getfilesystemencoding, version_info

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

15

from socket import MSG_PEEK, SHUT_RDWR, error, socket

Jean-Paul Calderone

a65cf6c

2009-07-19 10:26:52 -0400

[diff] [blame]

16

from os import makedirs

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

17

from os.path import join

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

18

from weakref import ref

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

19

from warnings import simplefilter

Jean-Paul Calderone

460cc1f

2009-03-07 11:31:12 -0500

[diff] [blame]

20

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

21

import pytest

22

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

23

from six import PY3, text_type

Jean-Paul Calderone

c76c61c

2014-01-18 13:21:52 -0500

[diff] [blame]

24

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

25

from cryptography import x509

26

from cryptography.hazmat.backends import default_backend

27

from cryptography.hazmat.primitives import hashes

28

from cryptography.hazmat.primitives import serialization

29

from cryptography.hazmat.primitives.asymmetric import rsa

30

from cryptography.x509.oid import NameOID

31

32

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

33

from OpenSSL.crypto import TYPE_RSA, FILETYPE_PEM

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

34

from OpenSSL.crypto import PKey, X509, X509Extension, X509Store

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

35

from OpenSSL.crypto import dump_privatekey, load_privatekey

36

from OpenSSL.crypto import dump_certificate, load_certificate

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

37

from OpenSSL.crypto import get_elliptic_curves

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

38

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

39

from OpenSSL.SSL import OPENSSL_VERSION_NUMBER, SSLEAY_VERSION, SSLEAY_CFLAGS

40

from OpenSSL.SSL import SSLEAY_PLATFORM, SSLEAY_DIR, SSLEAY_BUILT_ON

Jean-Paul Calderone

e4f6b47

2010-07-29 22:50:58 -0400

[diff] [blame]

41

from OpenSSL.SSL import SENT_SHUTDOWN, RECEIVED_SHUTDOWN

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

42

from OpenSSL.SSL import (

43

SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD,

44

TLSv1_1_METHOD, TLSv1_2_METHOD)

45

from OpenSSL.SSL import OP_SINGLE_DH_USE, OP_NO_SSLv2, OP_NO_SSLv3

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

46

from OpenSSL.SSL import (

47

VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT, VERIFY_CLIENT_ONCE, VERIFY_NONE)

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

48

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

49

from OpenSSL.SSL import (

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

50

SESS_CACHE_OFF, SESS_CACHE_CLIENT, SESS_CACHE_SERVER, SESS_CACHE_BOTH,

51

SESS_CACHE_NO_AUTO_CLEAR, SESS_CACHE_NO_INTERNAL_LOOKUP,

52

SESS_CACHE_NO_INTERNAL_STORE, SESS_CACHE_NO_INTERNAL)

53

54

from OpenSSL.SSL import (

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

55

Error, SysCallError, WantReadError, WantWriteError, ZeroReturnError)

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

56

from OpenSSL.SSL import (

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

57

Context, ContextType, Session, Connection, ConnectionType, SSLeay_version)

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

58

from OpenSSL.SSL import _make_requires

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

59

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

60

from OpenSSL._util import lib as _lib

61

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

62

from OpenSSL.SSL import (

63

OP_NO_QUERY_MTU, OP_COOKIE_EXCHANGE, OP_NO_TICKET, OP_NO_COMPRESSION,

64

MODE_RELEASE_BUFFERS)

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

65

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

66

try:

67

from OpenSSL.SSL import OP_NO_TLSv1, OP_NO_TLSv1_1, OP_NO_TLSv1_2

68

except ImportError:

69

OP_NO_TLSv1 = OP_NO_TLSv1_1 = OP_NO_TLSv1_2 = None

70

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

71

from OpenSSL.SSL import (

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

72

SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK,

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

73

SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT,

74

SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP,

75

SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT,

76

SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE)

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

77

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

78

try:

79

from OpenSSL.SSL import (

80

SSL_ST_INIT, SSL_ST_BEFORE, SSL_ST_OK, SSL_ST_RENEGOTIATE

81

)

82

except ImportError:

83

SSL_ST_INIT = SSL_ST_BEFORE = SSL_ST_OK = SSL_ST_RENEGOTIATE = None

84

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

85

from .util import WARNING_TYPE_EXPECTED, NON_ASCII, is_consistent_type

Hynek Schlawack

f0e6685

2015-10-16 20:18:38 +0200

[diff] [blame]

86

from .test_crypto import (

87

cleartextCertificatePEM, cleartextPrivateKeyPEM,

88

client_cert_pem, client_key_pem, server_cert_pem, server_key_pem,

89

root_cert_pem)

90

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

91

Alex Gaynor

d0bdd2d

2016-09-10 14:23:46 -0400

[diff] [blame]

92

# openssl dhparam 1024 -out dh-1024.pem (note that 1024 is a small number of

93

# bits to use)

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

94

dhparam = """\

95

-----BEGIN DH PARAMETERS-----

Alex Gaynor

d0bdd2d

2016-09-10 14:23:46 -0400

[diff] [blame]

96

MIGHAoGBALdUMvn+C9MM+y5BWZs11mSeH6HHoEq0UVbzVq7UojC1hbsZUuGukQ3a

97

Qh2/pwqb18BZFykrWB0zv/OkLa0kx4cuUgNrUVq1EFheBiX6YqryJ7t2sO09NQiO

98

V7H54LmltOT/hEh6QWsJqb6BQgH65bswvV/XkYGja8/T0GzvbaVzAgEC

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

99

-----END DH PARAMETERS-----

"""

Hynek Schlawack

2015-09-05 20:48:34 +0200

[diff] [blame]

103

skip_if_py3 = pytest.mark.skipif(PY3, reason="Python 2 only")

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

104

skip_if_py26 = pytest.mark.skipif(

105

version_info[0:2] == (2, 6),

106

reason="Python 2.7 and later only"

107

)

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

108

109

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

110

def join_bytes_or_unicode(prefix, suffix):

111

"""

112

Join two path components of either ``bytes`` or ``unicode``.

113

114

The return type is the same as the type of ``prefix``.

115

"""

116

# If the types are the same, nothing special is necessary.

117

if type(prefix) == type(suffix):

118

return join(prefix, suffix)

119

120

# Otherwise, coerce suffix to the type of prefix.

121

if isinstance(prefix, text_type):

122

return join(prefix, suffix.decode(getfilesystemencoding()))

123

else:

124

return join(prefix, suffix.encode(getfilesystemencoding()))

125

126

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

127

def verify_cb(conn, cert, errnum, depth, ok):

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

128

return ok

129

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

130

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

131

def socket_pair():

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

132

"""

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

133

Establish and return a pair of network sockets connected to each other.

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

134

"""

135

# Connect a pair of sockets

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

port = socket()

port.bind(('', 0))

port.listen(1)

client = socket()

client.setblocking(False)

Jean-Paul Calderone

f23c5d9

2009-07-23 17:58:15 -0400

[diff] [blame]

141

client.connect_ex(("127.0.0.1", port.getsockname()[1]))

Jean-Paul Calderone

94b24a8

2009-07-16 19:11:38 -0400

[diff] [blame]

142

client.setblocking(True)

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

143

server = port.accept()[0]

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

144

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

145

# Let's pass some unencrypted data to make sure our socket connection is

146

# fine. Just one byte, so we don't have to worry about buffers getting

147

# filled up or fragmentation.

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

148

server.send(b"x")

149

assert client.recv(1024) == b"x"

150

client.send(b"y")

151

assert server.recv(1024) == b"y"

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

152

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

153

# Most of our callers want non-blocking sockets, make it easy for them.

Jean-Paul Calderone

94b24a8

2009-07-16 19:11:38 -0400

[diff] [blame]

154

server.setblocking(False)

155

client.setblocking(False)

Jim Shaver

46f2891

2015-05-29 19:32:16 -0400

[diff] [blame]

156

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

157

return (server, client)

158

159

Jean-Paul Calderone

f874203

2010-09-25 00:00:32 -0400

[diff] [blame]

160

def handshake(client, server):

161

conns = [client, server]

while conns:

for conn in conns:

try:

conn.do_handshake()

except WantReadError:

pass

else:

conns.remove(conn)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

172

def _create_certificate_chain():

173

"""

174

Construct and return a chain of certificates.

175

176

1. A new self-signed certificate authority certificate (cacert)

177

2. A new intermediate certificate signed by cacert (icert)

178

3. A new server certificate signed by icert (scert)

179

"""

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

180

caext = X509Extension(b'basicConstraints', False, b'CA:true')

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

181

182

# Step 1

183

cakey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

184

cakey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

185

cacert = X509()

186

cacert.get_subject().commonName = "Authority Certificate"

187

cacert.set_issuer(cacert.get_subject())

188

cacert.set_pubkey(cakey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

189

cacert.set_notBefore(b"20000101000000Z")

190

cacert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

191

cacert.add_extensions([caext])

192

cacert.set_serial_number(0)

193

cacert.sign(cakey, "sha1")

194

195

# Step 2

196

ikey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

197

ikey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

198

icert = X509()

199

icert.get_subject().commonName = "Intermediate Certificate"

200

icert.set_issuer(cacert.get_subject())

201

icert.set_pubkey(ikey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

202

icert.set_notBefore(b"20000101000000Z")

203

icert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

204

icert.add_extensions([caext])

205

icert.set_serial_number(0)

206

icert.sign(cakey, "sha1")

207

208

# Step 3

209

skey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

210

skey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

211

scert = X509()

212

scert.get_subject().commonName = "Server Certificate"

213

scert.set_issuer(icert.get_subject())

214

scert.set_pubkey(skey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

215

scert.set_notBefore(b"20000101000000Z")

216

scert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

217

scert.add_extensions([

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

218

X509Extension(b'basicConstraints', True, b'CA:false')])

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

219

scert.set_serial_number(0)

220

scert.sign(ikey, "sha1")

221

222

return [(cakey, cacert), (ikey, icert), (skey, scert)]

223

224

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

225

def loopback_client_factory(socket):

226

client = Connection(Context(TLSv1_METHOD), socket)

227

client.set_connect_state()

return client

def loopback_server_factory(socket):

232

ctx = Context(TLSv1_METHOD)

233

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

234

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

235

server = Connection(ctx, socket)

236

server.set_accept_state()

return server

def loopback(server_factory=None, client_factory=None):

241

"""

242

Create a connected socket pair and force two connected SSL sockets

243

to talk to each other via memory BIOs.

244

"""

245

if server_factory is None:

246

server_factory = loopback_server_factory

247

if client_factory is None:

248

client_factory = loopback_client_factory

249

250

(server, client) = socket_pair()

251

server = server_factory(server)

252

client = client_factory(client)

253

254

handshake(client, server)

255

256

server.setblocking(True)

257

client.setblocking(True)

258

return server, client

259

260

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

261

def interact_in_memory(client_conn, server_conn):

262

"""

263

Try to read application bytes from each of the two `Connection` objects.

264

Copy bytes back and forth between their send/receive buffers for as long

265

as there is anything to copy. When there is nothing more to copy,

266

return `None`. If one of them actually manages to deliver some application

267

bytes, return a two-tuple of the connection from which the bytes were read

268

and the bytes themselves.

"""

wrote = True

while wrote:

# Loop until neither side has anything to say

273

wrote = False

274

275

# Copy stuff from each side's send buffer to the other side's

276

# receive buffer.

277

for (read, write) in [(client_conn, server_conn),

278

(server_conn, client_conn)]:

279

280

# Give the side a chance to generate some more bytes, or succeed.

281

try:

282

data = read.recv(2 ** 16)

283

except WantReadError:

284

# It didn't succeed, so we'll hope it generated some output.

285

pass

286

else:

287

# It did succeed, so we'll stop now and let the caller deal

# with it.

return (read, data)

while True:

# Keep copying as long as there's more stuff there.

293

try:

294

dirty = read.bio_read(4096)

295

except WantReadError:

296

# Okay, nothing more waiting to be sent. Stop

297

# processing this send buffer.

298

break

299

else:

300

# Keep track of the fact that someone generated some

301

# output.

302

wrote = True

303

write.bio_write(dirty)

304

305

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

306

def handshake_in_memory(client_conn, server_conn):

307

"""

308

Perform the TLS handshake between two `Connection` instances connected to

309

each other via memory BIOs.

310

"""

311

client_conn.set_connect_state()

312

server_conn.set_accept_state()

313

314

for conn in [client_conn, server_conn]:

315

try:

316

conn.do_handshake()

317

except WantReadError:

318

pass

319

320

interact_in_memory(client_conn, server_conn)

321

322

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

323

class TestVersion(object):

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

324

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

325

Tests for version information exposed by `OpenSSL.SSL.SSLeay_version` and

326

`OpenSSL.SSL.OPENSSL_VERSION_NUMBER`.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

327

"""

328

def test_OPENSSL_VERSION_NUMBER(self):

329

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

330

`OPENSSL_VERSION_NUMBER` is an integer with status in the low byte and

331

the patch, fix, minor, and major versions in the nibbles above that.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

332

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

333

assert isinstance(OPENSSL_VERSION_NUMBER, int)

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

334

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

335

def test_SSLeay_version(self):

336

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

337

`SSLeay_version` takes a version type indicator and returns one of a

338

number of version strings based on that indicator.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

339

"""

340

versions = {}

341

for t in [SSLEAY_VERSION, SSLEAY_CFLAGS, SSLEAY_BUILT_ON,

342

SSLEAY_PLATFORM, SSLEAY_DIR]:

343

version = SSLeay_version(t)

344

versions[version] = t

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

345

assert isinstance(version, bytes)

346

assert len(versions) == 5

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

347

348

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

349

@pytest.fixture

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

350

def ca_file(tmpdir):

351

"""

352

Create a valid PEM file with CA certificates and return the path.

353

"""

354

key = rsa.generate_private_key(

355

public_exponent=65537,

356

key_size=2048,

357

backend=default_backend()

358

)

359

public_key = key.public_key()

360

361

builder = x509.CertificateBuilder()

362

builder = builder.subject_name(x509.Name([

363

x509.NameAttribute(NameOID.COMMON_NAME, u"pyopenssl.org"),

364

]))

365

builder = builder.issuer_name(x509.Name([

366

x509.NameAttribute(NameOID.COMMON_NAME, u"pyopenssl.org"),

367

]))

368

one_day = datetime.timedelta(1, 0, 0)

369

builder = builder.not_valid_before(datetime.datetime.today() - one_day)

370

builder = builder.not_valid_after(datetime.datetime.today() + one_day)

371

builder = builder.serial_number(int(uuid.uuid4()))

372

builder = builder.public_key(public_key)

373

builder = builder.add_extension(

374

x509.BasicConstraints(ca=True, path_length=None), critical=True,

375

)

376

377

certificate = builder.sign(

378

private_key=key, algorithm=hashes.SHA256(),

379

backend=default_backend()

380

)

381

382

ca_file = tmpdir.join("test.pem")

383

ca_file.write_binary(

384

certificate.public_bytes(

385

encoding=serialization.Encoding.PEM,

)

)

return str(ca_file).encode("ascii")

390

391

392

@pytest.fixture

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

393

def context():

394

"""

395

A simple TLS 1.0 context.

396

"""

397

return Context(TLSv1_METHOD)

398

399

400

class TestContext(object):

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

401

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

402

Unit tests for `OpenSSL.SSL.Context`.

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

403

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

404

@pytest.mark.parametrize("cipher_string", [

405

b"hello world:AES128-SHA",

406

u"hello world:AES128-SHA",

407

])

408

def test_set_cipher_list(self, context, cipher_string):

409

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

410

`Context.set_cipher_list` accepts both byte and unicode strings

Hynek Schlawack

a7a63af

2016-03-11 12:05:26 +0100

[diff] [blame]

411

for naming the ciphers which connections created with the context

412

object will be able to choose from.

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

413

"""

414

context.set_cipher_list(cipher_string)

415

conn = Connection(context, None)

416

417

assert "AES128-SHA" in conn.get_cipher_list()

418

419

@pytest.mark.parametrize("cipher_list,error", [

420

(object(), TypeError),

421

("imaginary-cipher", Error),

422

])

423

def test_set_cipher_list_wrong_args(self, context, cipher_list, error):

424

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

425

`Context.set_cipher_list` raises `TypeError` when passed a non-string

426

argument and raises `OpenSSL.SSL.Error` when passed an incorrect cipher

427

list string.

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

428

"""

429

with pytest.raises(error):

430

context.set_cipher_list(cipher_list)

431

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

432

def test_load_client_ca(self, context, ca_file):

433

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

434

`Context.load_client_ca` works as far as we can tell.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

435

"""

436

context.load_client_ca(ca_file)

437

438

def test_load_client_ca_invalid(self, context, tmpdir):

439

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

440

`Context.load_client_ca` raises an Error if the ca file is invalid.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

441

"""

442

ca_file = tmpdir.join("test.pem")

443

ca_file.write("")

444

445

with pytest.raises(Error) as e:

446

context.load_client_ca(str(ca_file).encode("ascii"))

447

448

assert "PEM routines" == e.value.args[0][0][0]

449

450

def test_load_client_ca_unicode(self, context, ca_file):

451

"""

452

Passing the path as unicode raises a warning but works.

453

"""

454

pytest.deprecated_call(

455

context.load_client_ca, ca_file.decode("ascii")

456

)

457

458

def test_set_session_id(self, context):

459

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

460

`Context.set_session_id` works as far as we can tell.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

461

"""

462

context.set_session_id(b"abc")

463

464

def test_set_session_id_fail(self, context):

465

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

466

`Context.set_session_id` errors are propagated.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

467

"""

468

with pytest.raises(Error) as e:

469

context.set_session_id(b"abc" * 1000)

assert [

("SSL routines",

"SSL_CTX_set_session_id_context",

474

"ssl session id context too long")

475

] == e.value.args[0]

476

477

def test_set_session_id_unicode(self, context):

478

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

479

`Context.set_session_id` raises a warning if a unicode string is

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

480

passed.

481

"""

482

pytest.deprecated_call(context.set_session_id, u"abc")

483

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

484

def test_method(self):

485

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

486

`Context` can be instantiated with one of `SSLv2_METHOD`,

487

`SSLv3_METHOD`, `SSLv23_METHOD`, `TLSv1_METHOD`, `TLSv1_1_METHOD`,

488

or `TLSv1_2_METHOD`.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

489

"""

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

490

methods = [SSLv23_METHOD, TLSv1_METHOD]

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

491

for meth in methods:

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

492

Context(meth)

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

493

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

494

maybe = [SSLv2_METHOD, SSLv3_METHOD, TLSv1_1_METHOD, TLSv1_2_METHOD]

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

for meth in maybe:

try:

Context(meth)

except (Error, ValueError):

499

# Some versions of OpenSSL have SSLv2 / TLSv1.1 / TLSv1.2, some

500

# don't. Difficult to say in advance.

501

pass

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

502

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

503

with pytest.raises(TypeError):

504

Context("")

505

with pytest.raises(ValueError):

506

Context(10)

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

507

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

508

@skip_if_py3

509

def test_method_long(self):

510

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

511

On Python 2 `Context` accepts values of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

512

"""

513

Context(long(TLSv1_METHOD))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

514

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

515

def test_type(self):

516

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

517

`Context` and `ContextType` refer to the same type object and can

518

be used to create instances of that type.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

519

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

520

assert Context is ContextType

521

assert is_consistent_type(Context, 'Context', TLSv1_METHOD)

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

522

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

523

def test_use_privatekey(self):

524

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

525

`Context.use_privatekey` takes an `OpenSSL.crypto.PKey` instance.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

526

"""

527

key = PKey()

528

key.generate_key(TYPE_RSA, 128)

529

ctx = Context(TLSv1_METHOD)

530

ctx.use_privatekey(key)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

531

with pytest.raises(TypeError):

532

ctx.use_privatekey("")

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

533

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

534

def test_use_privatekey_file_missing(self, tmpfile):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

535

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

536

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` when passed

537

the name of a file which does not exist.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

538

"""

539

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

540

with pytest.raises(Error):

541

ctx.use_privatekey_file(tmpfile)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

542

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

543

def _use_privatekey_file_test(self, pemfile, filetype):

544

"""

545

Verify that calling ``Context.use_privatekey_file`` with the given

546

arguments does not raise an exception.

547

"""

548

key = PKey()

549

key.generate_key(TYPE_RSA, 128)

550

551

with open(pemfile, "wt") as pem:

552

pem.write(

553

dump_privatekey(FILETYPE_PEM, key).decode("ascii")

554

)

555

556

ctx = Context(TLSv1_METHOD)

557

ctx.use_privatekey_file(pemfile, filetype)

558

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

559

@pytest.mark.parametrize('filetype', [object(), "", None, 1.0])

560

def test_wrong_privatekey_file_wrong_args(self, tmpfile, filetype):

561

"""

562

`Context.use_privatekey_file` raises `TypeError` when called with

563

a `filetype` which is not a valid file encoding.

564

"""

565

ctx = Context(TLSv1_METHOD)

566

with pytest.raises(TypeError):

567

ctx.use_privatekey_file(tmpfile, filetype)

568

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

569

def test_use_privatekey_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

570

"""

571

A private key can be specified from a file by passing a ``bytes``

572

instance giving the file name to ``Context.use_privatekey_file``.

573

"""

574

self._use_privatekey_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

575

tmpfile + NON_ASCII.encode(getfilesystemencoding()),

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

FILETYPE_PEM,

)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

579

def test_use_privatekey_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

580

"""

581

A private key can be specified from a file by passing a ``unicode``

582

instance giving the file name to ``Context.use_privatekey_file``.

583

"""

584

self._use_privatekey_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

585

tmpfile.decode(getfilesystemencoding()) + NON_ASCII,

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

FILETYPE_PEM,

)

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

589

@skip_if_py3

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

590

def test_use_privatekey_file_long(self, tmpfile):

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

591

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

592

On Python 2 `Context.use_privatekey_file` accepts a filetype of

593

type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

594

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

595

self._use_privatekey_file_test(tmpfile, long(FILETYPE_PEM))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

596

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

597

def test_use_certificate_wrong_args(self):

598

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

599

`Context.use_certificate_wrong_args` raises `TypeError` when not passed

600

exactly one `OpenSSL.crypto.X509` instance as an argument.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

601

"""

602

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

603

with pytest.raises(TypeError):

604

ctx.use_certificate("hello, world")

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

605

606

def test_use_certificate_uninitialized(self):

607

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

608

`Context.use_certificate` raises `OpenSSL.SSL.Error` when passed a

609

`OpenSSL.crypto.X509` instance which has not been initialized

610

(ie, which does not actually have any certificate data).

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

611

"""

612

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

613

with pytest.raises(Error):

614

ctx.use_certificate(X509())

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

615

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

616

def test_use_certificate(self):

617

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

618

`Context.use_certificate` sets the certificate which will be

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

619

used to identify connections created using the context.

620

"""

621

# TODO

622

# Hard to assert anything. But we could set a privatekey then ask

623

# OpenSSL if the cert and key agree using check_privatekey. Then as

624

# long as check_privatekey works right we're good...

625

ctx = Context(TLSv1_METHOD)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

626

ctx.use_certificate(

627

load_certificate(FILETYPE_PEM, cleartextCertificatePEM)

628

)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

629

630

def test_use_certificate_file_wrong_args(self):

631

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

632

`Context.use_certificate_file` raises `TypeError` if the first

633

argument is not a byte string or the second argument is not an integer.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

634

"""

635

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

636

with pytest.raises(TypeError):

637

ctx.use_certificate_file(object(), FILETYPE_PEM)

638

with pytest.raises(TypeError):

639

ctx.use_certificate_file(b"somefile", object())

640

with pytest.raises(TypeError):

641

ctx.use_certificate_file(object(), FILETYPE_PEM)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

642

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

643

def test_use_certificate_file_missing(self, tmpfile):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

644

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

645

`Context.use_certificate_file` raises `OpenSSL.SSL.Error` if passed

646

the name of a file which does not exist.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

647

"""

648

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

649

with pytest.raises(Error):

650

ctx.use_certificate_file(tmpfile)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

651

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

652

def _use_certificate_file_test(self, certificate_file):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

653

"""

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

654

Verify that calling ``Context.use_certificate_file`` with the given

655

filename doesn't raise an exception.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

656

"""

657

# TODO

658

# Hard to assert anything. But we could set a privatekey then ask

659

# OpenSSL if the cert and key agree using check_privatekey. Then as

660

# long as check_privatekey works right we're good...

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

661

with open(certificate_file, "wb") as pem_file:

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

662

pem_file.write(cleartextCertificatePEM)

663

664

ctx = Context(TLSv1_METHOD)

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

665

ctx.use_certificate_file(certificate_file)

666

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

667

def test_use_certificate_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

668

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

669

`Context.use_certificate_file` sets the certificate (given as a

670

`bytes` filename) which will be used to identify connections created

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

671

using the context.

672

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

673

filename = tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

674

self._use_certificate_file_test(filename)

675

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

676

def test_use_certificate_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

677

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

678

`Context.use_certificate_file` sets the certificate (given as a

679

`bytes` filename) which will be used to identify connections created

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

680

using the context.

681

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

682

filename = tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

683

self._use_certificate_file_test(filename)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

684

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

685

@skip_if_py3

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

686

def test_use_certificate_file_long(self, tmpfile):

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

687

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

688

On Python 2 `Context.use_certificate_file` accepts a

689

filetype of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

690

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

691

pem_filename = tmpfile

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

692

with open(pem_filename, "wb") as pem_file:

693

pem_file.write(cleartextCertificatePEM)

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

694

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

695

ctx = Context(TLSv1_METHOD)

696

ctx.use_certificate_file(pem_filename, long(FILETYPE_PEM))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

697

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

698

def test_check_privatekey_valid(self):

699

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

700

`Context.check_privatekey` returns `None` if the `Context` instance

701

has been configured to use a matched key and certificate pair.

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

702

"""

703

key = load_privatekey(FILETYPE_PEM, client_key_pem)

704

cert = load_certificate(FILETYPE_PEM, client_cert_pem)

705

context = Context(TLSv1_METHOD)

706

context.use_privatekey(key)

707

context.use_certificate(cert)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

708

assert None is context.check_privatekey()

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

709

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

710

def test_check_privatekey_invalid(self):

711

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

712

`Context.check_privatekey` raises `Error` if the `Context` instance

713

has been configured to use a key and certificate pair which don't

714

relate to each other.

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

715

"""

716

key = load_privatekey(FILETYPE_PEM, client_key_pem)

717

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

718

context = Context(TLSv1_METHOD)

719

context.use_privatekey(key)

720

context.use_certificate(cert)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

721

with pytest.raises(Error):

722

context.check_privatekey()

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

723

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

724

def test_app_data(self):

725

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

726

`Context.set_app_data` stores an object for later retrieval

727

using `Context.get_app_data`.

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

728

"""

729

app_data = object()

730

context = Context(TLSv1_METHOD)

731

context.set_app_data(app_data)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

732

assert context.get_app_data() is app_data

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

733

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

734

def test_set_options_wrong_args(self):

735

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

736

`Context.set_options` raises `TypeError` if called with

737

a non-`int` argument.

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

738

"""

739

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

740

with pytest.raises(TypeError):

741

context.set_options(None)

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

742

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

743

def test_set_options(self):

744

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

745

`Context.set_options` returns the new options value.

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

746

"""

747

context = Context(TLSv1_METHOD)

748

options = context.set_options(OP_NO_SSLv2)

Alex Gaynor

2310f8b

2016-09-10 14:39:32 -0400

[diff] [blame]

749

assert options & OP_NO_SSLv2 == OP_NO_SSLv2

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

750

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

751

@skip_if_py3

752

def test_set_options_long(self):

753

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

754

On Python 2 `Context.set_options` accepts values of type

755

`long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

756

"""

757

context = Context(TLSv1_METHOD)

758

options = context.set_options(long(OP_NO_SSLv2))

Alex Gaynor

2310f8b

2016-09-10 14:39:32 -0400

[diff] [blame]

759

assert options & OP_NO_SSLv2 == OP_NO_SSLv2

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

760

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

761

def test_set_mode_wrong_args(self):

762

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

763

`Context.set_mode` raises `TypeError` if called with

764

a non-`int` argument.

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

765

"""

766

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

767

with pytest.raises(TypeError):

768

context.set_mode(None)

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

769

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

770

def test_set_mode(self):

771

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

772

`Context.set_mode` accepts a mode bitvector and returns the

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

773

newly set mode.

774

"""

775

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

776

assert MODE_RELEASE_BUFFERS & context.set_mode(MODE_RELEASE_BUFFERS)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

777

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

778

@skip_if_py3

779

def test_set_mode_long(self):

780

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

781

On Python 2 `Context.set_mode` accepts values of type `long` as well

782

as `int`.

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

783

"""

784

context = Context(TLSv1_METHOD)

785

mode = context.set_mode(long(MODE_RELEASE_BUFFERS))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

786

assert MODE_RELEASE_BUFFERS & mode

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

787

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

788

def test_set_timeout_wrong_args(self):

789

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

790

`Context.set_timeout` raises `TypeError` if called with

791

a non-`int` argument.

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

792

"""

793

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

794

with pytest.raises(TypeError):

795

context.set_timeout(None)

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

796

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

797

def test_timeout(self):

798

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

799

`Context.set_timeout` sets the session timeout for all connections

800

created using the context object. `Context.get_timeout` retrieves

801

this value.

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

802

"""

803

context = Context(TLSv1_METHOD)

804

context.set_timeout(1234)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

805

assert context.get_timeout() == 1234

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

806

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

807

@skip_if_py3

808

def test_timeout_long(self):

809

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

810

On Python 2 `Context.set_timeout` accepts values of type `long` as

811

well as int.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

812

"""

813

context = Context(TLSv1_METHOD)

814

context.set_timeout(long(1234))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

815

assert context.get_timeout() == 1234

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

816

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

817

def test_set_verify_depth_wrong_args(self):

818

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

819

`Context.set_verify_depth` raises `TypeError` if called with a

820

non-`int` argument.

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

821

"""

822

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

823

with pytest.raises(TypeError):

824

context.set_verify_depth(None)

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

825

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

826

def test_verify_depth(self):

827

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

828

`Context.set_verify_depth` sets the number of certificates in

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

829

a chain to follow before giving up. The value can be retrieved with

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

830

`Context.get_verify_depth`.

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

831

"""

832

context = Context(TLSv1_METHOD)

833

context.set_verify_depth(11)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

834

assert context.get_verify_depth() == 11

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

835

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

836

@skip_if_py3

837

def test_verify_depth_long(self):

838

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

839

On Python 2 `Context.set_verify_depth` accepts values of type `long`

840

as well as int.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

841

"""

842

context = Context(TLSv1_METHOD)

843

context.set_verify_depth(long(11))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

844

assert context.get_verify_depth() == 11

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

845

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

846

def _write_encrypted_pem(self, passphrase, tmpfile):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

847

"""

848

Write a new private key out to a new file, encrypted using the given

849

passphrase. Return the path to the new file.

850

"""

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

851

key = PKey()

852

key.generate_key(TYPE_RSA, 128)

Jean-Paul Calderone

a986883

2010-08-22 21:38:34 -0400

[diff] [blame]

853

pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

854

with open(tmpfile, 'w') as fObj:

855

fObj.write(pem.decode('ascii'))

856

return tmpfile

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

857

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

858

def test_set_passwd_cb_wrong_args(self):

859

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

860

`Context.set_passwd_cb` raises `TypeError` if called with a

861

non-callable first argument.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

862

"""

863

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

864

with pytest.raises(TypeError):

865

context.set_passwd_cb(None)

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

866

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

867

def test_set_passwd_cb(self, tmpfile):

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

868

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

869

`Context.set_passwd_cb` accepts a callable which will be invoked when

870

a private key is loaded from an encrypted PEM.

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

871

"""

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

872

passphrase = b"foobar"

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

873

pemFile = self._write_encrypted_pem(passphrase, tmpfile)

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

874

calledWith = []

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

875

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

876

def passphraseCallback(maxlen, verify, extra):

877

calledWith.append((maxlen, verify, extra))

878

return passphrase

879

context = Context(TLSv1_METHOD)

880

context.set_passwd_cb(passphraseCallback)

881

context.use_privatekey_file(pemFile)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

882

assert len(calledWith) == 1

883

assert isinstance(calledWith[0][0], int)

884

assert isinstance(calledWith[0][1], int)

885

assert calledWith[0][2] is None

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

886

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

887

def test_passwd_callback_exception(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

888

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

889

`Context.use_privatekey_file` propagates any exception raised

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

890

by the passphrase callback.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

891

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

892

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

893

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

894

def passphraseCallback(maxlen, verify, extra):

895

raise RuntimeError("Sorry, I am a fail.")

896

897

context = Context(TLSv1_METHOD)

898

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

899

with pytest.raises(RuntimeError):

900

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

901

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

902

def test_passwd_callback_false(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

903

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

904

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` if the

905

passphrase callback returns a false value.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

906

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

907

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

908

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

909

def passphraseCallback(maxlen, verify, extra):

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

910

return b""

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

911

912

context = Context(TLSv1_METHOD)

913

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

914

with pytest.raises(Error):

915

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

916

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

917

def test_passwd_callback_non_string(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

918

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

919

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` if the

920

passphrase callback returns a true non-string value.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

921

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

922

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

923

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

924

def passphraseCallback(maxlen, verify, extra):

925

return 10

926

927

context = Context(TLSv1_METHOD)

928

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

929

# TODO: Surely this is the wrong error?

930

with pytest.raises(ValueError):

931

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

932

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

933

def test_passwd_callback_too_long(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

934

"""

935

If the passphrase returned by the passphrase callback returns a string

936

longer than the indicated maximum length, it is truncated.

937

"""

938

# A priori knowledge!

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

939

passphrase = b"x" * 1024

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

940

pemFile = self._write_encrypted_pem(passphrase, tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

941

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

942

def passphraseCallback(maxlen, verify, extra):

943

assert maxlen == 1024

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

944

return passphrase + b"y"

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

945

946

context = Context(TLSv1_METHOD)

947

context.set_passwd_cb(passphraseCallback)

948

# This shall succeed because the truncated result is the correct

949

# passphrase.

950

context.use_privatekey_file(pemFile)

951

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

952

def test_set_info_callback(self):

953

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

954

`Context.set_info_callback` accepts a callable which will be

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

955

invoked when certain information about an SSL connection is available.

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

956

"""

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

957

(server, client) = socket_pair()

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

958

959

clientSSL = Connection(Context(TLSv1_METHOD), client)

960

clientSSL.set_connect_state()

961

962

called = []

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

963

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

964

def info(conn, where, ret):

965

called.append((conn, where, ret))

966

context = Context(TLSv1_METHOD)

967

context.set_info_callback(info)

968

context.use_certificate(

969

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

970

context.use_privatekey(

971

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

972

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

973

serverSSL = Connection(context, server)

974

serverSSL.set_accept_state()

975

Jean-Paul Calderone

f2bbc9c

2014-02-02 10:59:14 -0500

[diff] [blame]

976

handshake(clientSSL, serverSSL)

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

977

Jean-Paul Calderone

3835e52

2014-02-02 11:12:30 -0500

[diff] [blame]

978

# The callback must always be called with a Connection instance as the

979

# first argument. It would probably be better to split this into

980

# separate tests for client and server side info callbacks so we could

981

# assert it is called with the right Connection instance. It would

982

# also be good to assert *something* about `where` and `ret`.

Jean-Paul Calderone

f2bbc9c

2014-02-02 10:59:14 -0500

[diff] [blame]

983

notConnections = [

984

conn for (conn, where, ret) in called

985

if not isinstance(conn, Connection)]

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

986

assert [] == notConnections, (

987

"Some info callback arguments were not Connection instances.")

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

988

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

989

def _load_verify_locations_test(self, *args):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

990

"""

991

Create a client context which will verify the peer certificate and call

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

992

its `load_verify_locations` method with the given arguments.

Jean-Paul Calderone

64efa2c

2011-09-11 10:00:09 -0400

[diff] [blame]

993

Then connect it to a server and ensure that the handshake succeeds.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

994

"""

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

995

(server, client) = socket_pair()

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

996

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

997

clientContext = Context(TLSv1_METHOD)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

998

clientContext.load_verify_locations(*args)

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

999

# Require that the server certificate verify properly or the

1000

# connection will fail.

1001

clientContext.set_verify(

1002

VERIFY_PEER,

1003

lambda conn, cert, errno, depth, preverify_ok: preverify_ok)

1004

1005

clientSSL = Connection(clientContext, client)

1006

clientSSL.set_connect_state()

1007

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1008

serverContext = Context(TLSv1_METHOD)

1009

serverContext.use_certificate(

1010

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1011

serverContext.use_privatekey(

1012

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1013

1014

serverSSL = Connection(serverContext, server)

1015

serverSSL.set_accept_state()

1016

Jean-Paul Calderone

f874203

2010-09-25 00:00:32 -0400

[diff] [blame]

1017

# Without load_verify_locations above, the handshake

1018

# will fail:

1019

# Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE',

1020

# 'certificate verify failed')]

1021

handshake(clientSSL, serverSSL)

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1022

1023

cert = clientSSL.get_peer_certificate()

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1024

assert cert.get_subject().CN == 'Testing Root CA'

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1025

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1026

def _load_verify_cafile(self, cafile):

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1027

"""

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1028

Verify that if path to a file containing a certificate is passed to

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1029

`Context.load_verify_locations` for the ``cafile`` parameter, that

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1030

certificate is used as a trust root for the purposes of verifying

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1031

connections created using that `Context`.

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1032

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1033

with open(cafile, 'w') as fObj:

1034

fObj.write(cleartextCertificatePEM.decode('ascii'))

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1035

1036

self._load_verify_locations_test(cafile)

1037

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1038

def test_load_verify_bytes_cafile(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1039

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1040

`Context.load_verify_locations` accepts a file name as a `bytes`

1041

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1042

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1043

cafile = tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1044

self._load_verify_cafile(cafile)

1045

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1046

def test_load_verify_unicode_cafile(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1047

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1048

`Context.load_verify_locations` accepts a file name as a `unicode`

1049

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1050

"""

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1051

self._load_verify_cafile(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1052

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1053

)

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1054

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1055

def test_load_verify_invalid_file(self, tmpfile):

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1056

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1057

`Context.load_verify_locations` raises `Error` when passed a

1058

non-existent cafile.

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1059

"""

1060

clientContext = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1061

with pytest.raises(Error):

1062

clientContext.load_verify_locations(tmpfile)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1063

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1064

def _load_verify_directory_locations_capath(self, capath):

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1065

"""

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1066

Verify that if path to a directory containing certificate files is

1067

passed to ``Context.load_verify_locations`` for the ``capath``

1068

parameter, those certificates are used as trust roots for the purposes

1069

of verifying connections created using that ``Context``.

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1070

"""

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1071

makedirs(capath)

Jean-Paul Calderone

24dfb33

2011-05-04 18:10:26 -0400

[diff] [blame]

1072

# Hash values computed manually with c_rehash to avoid depending on

1073

# c_rehash in the test suite. One is from OpenSSL 0.9.8, the other

1074

# from OpenSSL 1.0.0.

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

1075

for name in [b'c7adac82.0', b'c3705638.0']:

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

1076

cafile = join_bytes_or_unicode(capath, name)

1077

with open(cafile, 'w') as fObj:

1078

fObj.write(cleartextCertificatePEM.decode('ascii'))

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1079

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1080

self._load_verify_locations_test(None, capath)

1081

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1082

def test_load_verify_directory_bytes_capath(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1083

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1084

`Context.load_verify_locations` accepts a directory name as a `bytes`

1085

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1086

"""

1087

self._load_verify_directory_locations_capath(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1088

tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1089

)

1090

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1091

def test_load_verify_directory_unicode_capath(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1092

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1093

`Context.load_verify_locations` accepts a directory name as a `unicode`

1094

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1095

"""

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1096

self._load_verify_directory_locations_capath(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1097

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1098

)

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1099

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1100

def test_load_verify_locations_wrong_args(self):

1101

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1102

`Context.load_verify_locations` raises `TypeError` if with non-`str`

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1103

arguments.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1104

"""

1105

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1106

with pytest.raises(TypeError):

1107

context.load_verify_locations(object())

1108

with pytest.raises(TypeError):

1109

context.load_verify_locations(object(), object())

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1110

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1111

@pytest.mark.skipif(

1112

platform == "win32",

1113

reason="set_default_verify_paths appears not to work on Windows. "

Jean-Paul Calderone

28fb8f0

2009-07-24 18:01:31 -0400

[diff] [blame]

1114

"See LP#404343 and LP#404344."

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1115

)

1116

def test_set_default_verify_paths(self):

1117

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1118

`Context.set_default_verify_paths` causes the platform-specific CA

1119

certificate locations to be used for verification purposes.

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1120

"""

1121

# Testing this requires a server with a certificate signed by one

1122

# of the CAs in the platform CA location. Getting one of those

1123

# costs money. Fortunately (or unfortunately, depending on your

1124

# perspective), it's easy to think of a public server on the

1125

# internet which has such a certificate. Connecting to the network

1126

# in a unit test is bad, but it's the only way I can think of to

1127

# really test this. -exarkun

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1128

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1129

# Arg, verisign.com doesn't speak anything newer than TLS 1.0

Hynek Schlawack

bf88793

2015-10-21 17:13:47 +0200

[diff] [blame]

1130

context = Context(SSLv23_METHOD)

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1131

context.set_default_verify_paths()

1132

context.set_verify(

1133

VERIFY_PEER,

1134

lambda conn, cert, errno, depth, preverify_ok: preverify_ok)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1135

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1136

client = socket()

Hynek Schlawack

bf88793

2015-10-21 17:13:47 +0200

[diff] [blame]

1137

client.connect(("encrypted.google.com", 443))

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1138

clientSSL = Connection(context, client)

1139

clientSSL.set_connect_state()

1140

clientSSL.do_handshake()

1141

clientSSL.send(b"GET / HTTP/1.0\r\n\r\n")

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1142

assert clientSSL.recv(1024)

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

1143

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1144

def test_add_extra_chain_cert_invalid_cert(self):

1145

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1146

`Context.add_extra_chain_cert` raises `TypeError` if called with an

1147

object which is not an instance of `X509`.

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1148

"""

1149

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1150

with pytest.raises(TypeError):

1151

context.add_extra_chain_cert(object())

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1152

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1153

def _handshake_test(self, serverContext, clientContext):

1154

"""

1155

Verify that a client and server created with the given contexts can

1156

successfully handshake and communicate.

1157

"""

1158

serverSocket, clientSocket = socket_pair()

1159

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1160

server = Connection(serverContext, serverSocket)

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

1161

server.set_accept_state()

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1162

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1163

client = Connection(clientContext, clientSocket)

1164

client.set_connect_state()

1165

1166

# Make them talk to each other.

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1167

# interact_in_memory(client, server)

1168

for _ in range(3):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1169

for s in [client, server]:

1170

try:

1171

s.do_handshake()

1172

except WantReadError:

1173

pass

1174

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1175

def test_set_verify_callback_connection_argument(self):

1176

"""

1177

The first argument passed to the verify callback is the

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1178

`Connection` instance for which verification is taking place.

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1179

"""

1180

serverContext = Context(TLSv1_METHOD)

1181

serverContext.use_privatekey(

1182

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1183

serverContext.use_certificate(

1184

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1185

serverConnection = Connection(serverContext, None)

1186

1187

class VerifyCallback(object):

1188

def callback(self, connection, *args):

1189

self.connection = connection

1190

return 1

1191

1192

verify = VerifyCallback()

1193

clientContext = Context(TLSv1_METHOD)

1194

clientContext.set_verify(VERIFY_PEER, verify.callback)

1195

clientConnection = Connection(clientContext, None)

1196

clientConnection.set_connect_state()

1197

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1198

handshake_in_memory(clientConnection, serverConnection)

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1199

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1200

assert verify.connection is clientConnection

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1201

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1202

def test_set_verify_callback_exception(self):

1203

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1204

If the verify callback passed to `Context.set_verify` raises an

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1205

exception, verification fails and the exception is propagated to the

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1206

caller of `Connection.do_handshake`.

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1207

"""

1208

serverContext = Context(TLSv1_METHOD)

1209

serverContext.use_privatekey(

1210

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1211

serverContext.use_certificate(

1212

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1213

1214

clientContext = Context(TLSv1_METHOD)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1215

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1216

def verify_callback(*args):

1217

raise Exception("silly verify failure")

1218

clientContext.set_verify(VERIFY_PEER, verify_callback)

1219

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1220

with pytest.raises(Exception) as exc:

1221

self._handshake_test(serverContext, clientContext)

1222

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1223

assert "silly verify failure" == str(exc.value)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1224

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1225

def test_add_extra_chain_cert(self, tmpdir):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1226

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1227

`Context.add_extra_chain_cert` accepts an `X509`

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1228

instance to add to the certificate chain.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1229

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1230

See `_create_certificate_chain` for the details of the

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1231

certificate chain tested.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1232

1233

The chain is tested by starting a server with scert and connecting

1234

to it with a client which trusts cacert and requires verification to

1235

succeed.

1236

"""

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

1237

chain = _create_certificate_chain()

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1238

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

1239

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1240

# Dump the CA certificate to a file because that's the only way to load

1241

# it as a trusted CA in the client context.

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1242

for cert, name in [(cacert, 'ca.pem'),

1243

(icert, 'i.pem'),

1244

(scert, 's.pem')]:

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1245

with tmpdir.join(name).open('w') as f:

Hynek Schlawack

e90680f

2015-04-16 15:09:27 -0400

[diff] [blame]

1246

f.write(dump_certificate(FILETYPE_PEM, cert).decode('ascii'))

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1247

Hynek Schlawack

1902c01

2015-04-16 15:06:41 -0400

[diff] [blame]

1248

for key, name in [(cakey, 'ca.key'),

1249

(ikey, 'i.key'),

1250

(skey, 's.key')]:

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1251

with tmpdir.join(name).open('w') as f:

Hynek Schlawack

e90680f

2015-04-16 15:09:27 -0400

[diff] [blame]

1252

f.write(dump_privatekey(FILETYPE_PEM, key).decode('ascii'))

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1253

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1254

# Create the server context

1255

serverContext = Context(TLSv1_METHOD)

1256

serverContext.use_privatekey(skey)

1257

serverContext.use_certificate(scert)

Jean-Paul Calderone

16cf03d

2010-09-08 18:53:39 -0400

[diff] [blame]

1258

# The client already has cacert, we only need to give them icert.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1259

serverContext.add_extra_chain_cert(icert)

1260

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1261

# Create the client

1262

clientContext = Context(TLSv1_METHOD)

1263

clientContext.set_verify(

1264

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1265

clientContext.load_verify_locations(str(tmpdir.join("ca.pem")))

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

1266

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1267

# Try it out.

1268

self._handshake_test(serverContext, clientContext)

1269

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1270

def _use_certificate_chain_file_test(self, certdir):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1271

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1272

Verify that `Context.use_certificate_chain_file` reads a

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1273

certificate chain from a specified file.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1274

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1275

The chain is tested by starting a server with scert and connecting to

1276

it with a client which trusts cacert and requires verification to

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1277

succeed.

1278

"""

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

1279

chain = _create_certificate_chain()

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1280

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

1281

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1282

makedirs(certdir)

1283

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

1284

chainFile = join_bytes_or_unicode(certdir, "chain.pem")

1285

caFile = join_bytes_or_unicode(certdir, "ca.pem")

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1286

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1287

# Write out the chain file.

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1288

with open(chainFile, 'wb') as fObj:

1289

# Most specific to least general.

1290

fObj.write(dump_certificate(FILETYPE_PEM, scert))

1291

fObj.write(dump_certificate(FILETYPE_PEM, icert))

1292

fObj.write(dump_certificate(FILETYPE_PEM, cacert))

1293

1294

with open(caFile, 'w') as fObj:

1295

fObj.write(dump_certificate(FILETYPE_PEM, cacert).decode('ascii'))

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1296

1297

serverContext = Context(TLSv1_METHOD)

1298

serverContext.use_certificate_chain_file(chainFile)

1299

serverContext.use_privatekey(skey)

1300

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1301

clientContext = Context(TLSv1_METHOD)

1302

clientContext.set_verify(

1303

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1304

clientContext.load_verify_locations(caFile)

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1305

1306

self._handshake_test(serverContext, clientContext)

1307

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1308

def test_use_certificate_chain_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1309

"""

1310

``Context.use_certificate_chain_file`` accepts the name of a file (as

1311

an instance of ``bytes``) to specify additional certificates to use to

1312

construct and verify a trust chain.

1313

"""

1314

self._use_certificate_chain_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1315

tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1316

)

1317

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1318

def test_use_certificate_chain_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1319

"""

1320

``Context.use_certificate_chain_file`` accepts the name of a file (as

1321

an instance of ``unicode``) to specify additional certificates to use

1322

to construct and verify a trust chain.

1323

"""

1324

self._use_certificate_chain_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1325

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1326

)

1327

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1328

def test_use_certificate_chain_file_wrong_args(self):

1329

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1330

`Context.use_certificate_chain_file` raises `TypeError` if passed a

1331

non-byte string single argument.

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1332

"""

1333

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1334

with pytest.raises(TypeError):

1335

context.use_certificate_chain_file(object())

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1336

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1337

def test_use_certificate_chain_file_missing_file(self, tmpfile):

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1338

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1339

`Context.use_certificate_chain_file` raises `OpenSSL.SSL.Error` when

1340

passed a bad chain file name (for example, the name of a file which

1341

does not exist).

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1342

"""

1343

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1344

with pytest.raises(Error):

1345

context.use_certificate_chain_file(tmpfile)

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1346

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1347

def test_set_verify_mode(self):

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1348

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1349

`Context.get_verify_mode` returns the verify mode flags previously

1350

passed to `Context.set_verify`.

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1351

"""

1352

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1353

assert context.get_verify_mode() == 0

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1354

context.set_verify(

1355

VERIFY_PEER | VERIFY_CLIENT_ONCE, lambda *args: None)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1356

assert context.get_verify_mode() == (VERIFY_PEER | VERIFY_CLIENT_ONCE)

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1357

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1358

@skip_if_py3

1359

def test_set_verify_mode_long(self):

1360

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1361

On Python 2 `Context.set_verify_mode` accepts values of type `long`

1362

as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1363

"""

1364

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1365

assert context.get_verify_mode() == 0

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1366

context.set_verify(

Hynek Schlawack

b4ceed3

2015-09-05 20:55:19 +0200

[diff] [blame]

1367

long(VERIFY_PEER | VERIFY_CLIENT_ONCE), lambda *args: None

1368

) # pragma: nocover

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1369

assert context.get_verify_mode() == (VERIFY_PEER | VERIFY_CLIENT_ONCE)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1370

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1371

@pytest.mark.parametrize('mode', [None, 1.0, object(), 'mode'])

1372

def test_set_verify_wrong_mode_arg(self, mode):

1373

"""

1374

`Context.set_verify` raises `TypeError` if the first argument is

1375

not an integer.

1376

"""

1377

context = Context(TLSv1_METHOD)

1378

with pytest.raises(TypeError):

1379

context.set_verify(mode=mode, callback=lambda *args: None)

1380

1381

@pytest.mark.parametrize('callback', [None, 1.0, 'mode', ('foo', 'bar')])

1382

def test_set_verify_wrong_callable_arg(self, callback):

1383

"""

1384

`Context.set_verify` raises `TypeError` if the the second argument

1385

is not callable.

1386

"""

1387

context = Context(TLSv1_METHOD)

1388

with pytest.raises(TypeError):

1389

context.set_verify(mode=VERIFY_PEER, callback=callback)

1390

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1391

def test_load_tmp_dh_wrong_args(self):

1392

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1393

`Context.load_tmp_dh` raises `TypeError` if called with a

1394

non-`str` argument.

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1395

"""

1396

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1397

with pytest.raises(TypeError):

1398

context.load_tmp_dh(object())

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1399

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1400

def test_load_tmp_dh_missing_file(self):

1401

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1402

`Context.load_tmp_dh` raises `OpenSSL.SSL.Error` if the

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1403

specified file does not exist.

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1404

"""

1405

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1406

with pytest.raises(Error):

1407

context.load_tmp_dh(b"hello")

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1408

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1409

def _load_tmp_dh_test(self, dhfilename):

Jean-Paul Calderone

4e0c43f

2015-04-13 10:15:17 -0400

[diff] [blame]

1410

"""

1411

Verify that calling ``Context.load_tmp_dh`` with the given filename

1412

does not raise an exception.

1413

"""

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1414

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1415

with open(dhfilename, "w") as dhfile:

1416

dhfile.write(dhparam)

1417

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1418

context.load_tmp_dh(dhfilename)

1419

# XXX What should I assert here? -exarkun

1420

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1421

def test_load_tmp_dh_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1422

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1423

`Context.load_tmp_dh` loads Diffie-Hellman parameters from the

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1424

specified file (given as ``bytes``).

1425

"""

1426

self._load_tmp_dh_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1427

tmpfile + NON_ASCII.encode(getfilesystemencoding()),

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1428

)

1429

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1430

def test_load_tmp_dh_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1431

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1432

`Context.load_tmp_dh` loads Diffie-Hellman parameters from the

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1433

specified file (given as ``unicode``).

1434

"""

1435

self._load_tmp_dh_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1436

tmpfile.decode(getfilesystemencoding()) + NON_ASCII,

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1437

)

1438

Jean-Paul Calderone

3e4e335

2014-04-19 09:28:28 -0400

[diff] [blame]

1439

def test_set_tmp_ecdh(self):

Andy Lutomirski

f05a273

2014-03-13 17:22:25 -0700

[diff] [blame]

1440

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1441

`Context.set_tmp_ecdh` sets the elliptic curve for Diffie-Hellman to

1442

the specified curve.

Andy Lutomirski

f05a273

2014-03-13 17:22:25 -0700

[diff] [blame]

1443

"""

1444

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

1445

for curve in get_elliptic_curves():

Hynek Schlawack

a07fa8c

2015-10-17 10:15:28 +0200

[diff] [blame]

1446

if curve.name.startswith(u"Oakley-"):

Hynek Schlawack

7408aff

2015-10-17 09:51:16 +0200

[diff] [blame]

1447

# Setting Oakley-EC2N-4 and Oakley-EC2N-3 adds

1448

# ('bignum routines', 'BN_mod_inverse', 'no inverse') to the

1449

# error queue on OpenSSL 1.0.2.

1450

continue

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

1451

# The only easily "assertable" thing is that it does not raise an

1452

# exception.

Jean-Paul Calderone

3e4e335

2014-04-19 09:28:28 -0400

[diff] [blame]

1453

context.set_tmp_ecdh(curve)

Alex Gaynor

12dc084

2014-01-17 12:51:31 -0600

[diff] [blame]

1454

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1455

def test_set_session_cache_mode_wrong_args(self):

1456

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1457

`Context.set_session_cache_mode` raises `TypeError` if called with

1458

a non-integer argument.

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1459

called with other than one integer argument.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1460

"""

1461

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1462

with pytest.raises(TypeError):

1463

context.set_session_cache_mode(object())

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1464

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1465

def test_session_cache_mode(self):

1466

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1467

`Context.set_session_cache_mode` specifies how sessions are cached.

1468

The setting can be retrieved via `Context.get_session_cache_mode`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1469

"""

1470

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1471

context.set_session_cache_mode(SESS_CACHE_OFF)

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1472

off = context.set_session_cache_mode(SESS_CACHE_BOTH)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1473

assert SESS_CACHE_OFF == off

1474

assert SESS_CACHE_BOTH == context.get_session_cache_mode()

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1475

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1476

@skip_if_py3

1477

def test_session_cache_mode_long(self):

1478

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1479

On Python 2 `Context.set_session_cache_mode` accepts values

1480

of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1481

"""

1482

context = Context(TLSv1_METHOD)

1483

context.set_session_cache_mode(long(SESS_CACHE_BOTH))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1484

assert SESS_CACHE_BOTH == context.get_session_cache_mode()

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1485

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1486

def test_get_cert_store(self):

1487

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1488

`Context.get_cert_store` returns a `X509Store` instance.

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1489

"""

1490

context = Context(TLSv1_METHOD)

1491

store = context.get_cert_store()

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1492

assert isinstance(store, X509Store)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1493

1494

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1495

class TestServerNameCallback(object):

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1496

"""

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1497

Tests for `Context.set_tlsext_servername_callback` and its

1498

interaction with `Connection`.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1499

"""

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1500

def test_old_callback_forgotten(self):

1501

"""

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1502

If `Context.set_tlsext_servername_callback` is used to specify

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1503

a new callback, the one it replaces is dereferenced.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1504

"""

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1505

def callback(connection): # pragma: no cover

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1506

pass

1507

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1508

def replacement(connection): # pragma: no cover

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1509

pass

1510

1511

context = Context(TLSv1_METHOD)

1512

context.set_tlsext_servername_callback(callback)

1513

1514

tracker = ref(callback)

1515

del callback

1516

1517

context.set_tlsext_servername_callback(replacement)

Jean-Paul Calderone

d4033eb

2014-01-11 08:21:46 -0500

[diff] [blame]

1518

1519

# One run of the garbage collector happens to work on CPython. PyPy

1520

# doesn't collect the underlying object until a second run for whatever

1521

# reason. That's fine, it still demonstrates our code has properly

1522

# dropped the reference.

1523

collect()

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1524

collect()

Jean-Paul Calderone

4c1aacd

2014-01-11 08:15:17 -0500

[diff] [blame]

1525

1526

callback = tracker()

1527

if callback is not None:

1528

referrers = get_referrers(callback)

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1529

if len(referrers) > 1: # pragma: nocover

1530

pytest.fail("Some references remain: %r" % (referrers,))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1531

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1532

def test_no_servername(self):

1533

"""

1534

When a client specifies no server name, the callback passed to

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1535

`Context.set_tlsext_servername_callback` is invoked and the

1536

result of `Connection.get_servername` is `None`.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1537

"""

1538

args = []

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1539

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1540

def servername(conn):

1541

args.append((conn, conn.get_servername()))

1542

context = Context(TLSv1_METHOD)

1543

context.set_tlsext_servername_callback(servername)

1544

1545

# Lose our reference to it. The Context is responsible for keeping it

# alive now.

del servername

collect()

# Necessary to actually accept the connection

1551

context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1552

context.use_certificate(

1553

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1554

1555

# Do a little connection to trigger the logic

1556

server = Connection(context, None)

1557

server.set_accept_state()

1558

1559

client = Connection(Context(TLSv1_METHOD), None)

1560

client.set_connect_state()

1561

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1562

interact_in_memory(server, client)

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1563

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1564

assert args == [(server, None)]

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1565

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1566

def test_servername(self):

1567

"""

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1568

When a client specifies a server name in its hello message, the

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1569

callback passed to `Contexts.set_tlsext_servername_callback` is

1570

invoked and the result of `Connection.get_servername` is that

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1571

server name.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1572

"""

1573

args = []

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1574

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1575

def servername(conn):

1576

args.append((conn, conn.get_servername()))

1577

context = Context(TLSv1_METHOD)

1578

context.set_tlsext_servername_callback(servername)

1579

1580

# Necessary to actually accept the connection

1581

context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1582

context.use_certificate(

1583

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1584

1585

# Do a little connection to trigger the logic

1586

server = Connection(context, None)

1587

server.set_accept_state()

1588

1589

client = Connection(Context(TLSv1_METHOD), None)

1590

client.set_connect_state()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

1591

client.set_tlsext_host_name(b"foo1.example.com")

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1592

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1593

interact_in_memory(server, client)

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1594

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1595

assert args == [(server, b"foo1.example.com")]

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1596

1597

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1598

class TestNextProtoNegotiation(object):

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1599

"""

1600

Test for Next Protocol Negotiation in PyOpenSSL.

1601

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1602

def test_npn_success(self):

1603

"""

1604

Tests that clients and servers that agree on the negotiated next

1605

protocol can correct establish a connection, and that the agreed

1606

protocol is reported by the connections.

"""

advertise_args = []

select_args = []

def advertise(conn):

advertise_args.append((conn,))

1613

return [b'http/1.1', b'spdy/2']

1614

1615

def select(conn, options):

1616

select_args.append((conn, options))

1617

return b'spdy/2'

1618

1619

server_context = Context(TLSv1_METHOD)

1620

server_context.set_npn_advertise_callback(advertise)

1621

1622

client_context = Context(TLSv1_METHOD)

1623

client_context.set_npn_select_callback(select)

1624

1625

# Necessary to actually accept the connection

1626

server_context.use_privatekey(

1627

load_privatekey(FILETYPE_PEM, server_key_pem))

1628

server_context.use_certificate(

1629

load_certificate(FILETYPE_PEM, server_cert_pem))

1630

1631

# Do a little connection to trigger the logic

1632

server = Connection(server_context, None)

1633

server.set_accept_state()

1634

1635

client = Connection(client_context, None)

1636

client.set_connect_state()

1637

1638

interact_in_memory(server, client)

1639

1640

assert advertise_args == [(server,)]

1641

assert select_args == [(client, [b'http/1.1', b'spdy/2'])]

1642

1643

assert server.get_next_proto_negotiated() == b'spdy/2'

1644

assert client.get_next_proto_negotiated() == b'spdy/2'

1645

1646

def test_npn_client_fail(self):

1647

"""

1648

Tests that when clients and servers cannot agree on what protocol

1649

to use next that the TLS connection does not get established.

"""

advertise_args = []

select_args = []

def advertise(conn):

advertise_args.append((conn,))

1656

return [b'http/1.1', b'spdy/2']

1657

1658

def select(conn, options):

1659

select_args.append((conn, options))

1660

return b''

1661

1662

server_context = Context(TLSv1_METHOD)

1663

server_context.set_npn_advertise_callback(advertise)

1664

1665

client_context = Context(TLSv1_METHOD)

1666

client_context.set_npn_select_callback(select)

1667

1668

# Necessary to actually accept the connection

1669

server_context.use_privatekey(

1670

load_privatekey(FILETYPE_PEM, server_key_pem))

1671

server_context.use_certificate(

1672

load_certificate(FILETYPE_PEM, server_cert_pem))

1673

1674

# Do a little connection to trigger the logic

1675

server = Connection(server_context, None)

1676

server.set_accept_state()

1677

1678

client = Connection(client_context, None)

1679

client.set_connect_state()

1680

1681

# If the client doesn't return anything, the connection will fail.

1682

with pytest.raises(Error):

1683

interact_in_memory(server, client)

1684

1685

assert advertise_args == [(server,)]

1686

assert select_args == [(client, [b'http/1.1', b'spdy/2'])]

1687

1688

def test_npn_select_error(self):

1689

"""

1690

Test that we can handle exceptions in the select callback. If

1691

select fails it should be fatal to the connection.

"""

advertise_args = []

def advertise(conn):

advertise_args.append((conn,))

1697

return [b'http/1.1', b'spdy/2']

1698

1699

def select(conn, options):

1700

raise TypeError

1701

1702

server_context = Context(TLSv1_METHOD)

1703

server_context.set_npn_advertise_callback(advertise)

1704

1705

client_context = Context(TLSv1_METHOD)

1706

client_context.set_npn_select_callback(select)

1707

1708

# Necessary to actually accept the connection

1709

server_context.use_privatekey(

1710

load_privatekey(FILETYPE_PEM, server_key_pem))

1711

server_context.use_certificate(

1712

load_certificate(FILETYPE_PEM, server_cert_pem))

1713

1714

# Do a little connection to trigger the logic

1715

server = Connection(server_context, None)

1716

server.set_accept_state()

1717

1718

client = Connection(client_context, None)

1719

client.set_connect_state()

1720

1721

# If the callback throws an exception it should be raised here.

1722

with pytest.raises(TypeError):

1723

interact_in_memory(server, client)

1724

assert advertise_args == [(server,), ]

1725

1726

def test_npn_advertise_error(self):

1727

"""

1728

Test that we can handle exceptions in the advertise callback. If

1729

advertise fails no NPN is advertised to the client.

"""

select_args = []

def advertise(conn):

raise TypeError

def select(conn, options): # pragma: nocover

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

1737

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1738

Assert later that no args are actually appended.

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

1739

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1740

select_args.append((conn, options))

1741

return b''

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1742

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1743

server_context = Context(TLSv1_METHOD)

1744

server_context.set_npn_advertise_callback(advertise)

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1745

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1746

client_context = Context(TLSv1_METHOD)

1747

client_context.set_npn_select_callback(select)

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1748

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1749

# Necessary to actually accept the connection

1750

server_context.use_privatekey(

1751

load_privatekey(FILETYPE_PEM, server_key_pem))

1752

server_context.use_certificate(

1753

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1754

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1755

# Do a little connection to trigger the logic

1756

server = Connection(server_context, None)

1757

server.set_accept_state()

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1758

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1759

client = Connection(client_context, None)

1760

client.set_connect_state()

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1761

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1762

# If the client doesn't return anything, the connection will fail.

1763

with pytest.raises(TypeError):

1764

interact_in_memory(server, client)

1765

assert select_args == []

Cory Benfield

0ea76e7

2015-03-22 09:05:28 +0000

[diff] [blame]

1766

1767

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1768

class TestApplicationLayerProtoNegotiation(object):

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1769

"""

1770

Tests for ALPN in PyOpenSSL.

1771

"""

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1772

# Skip tests on versions that don't support ALPN.

1773

if _lib.Cryptography_HAS_ALPN:

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1774

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1775

def test_alpn_success(self):

1776

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1777

Clients and servers that agree on the negotiated ALPN protocol can

1778

correct establish a connection, and the agreed protocol is reported

1779

by the connections.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1780

"""

1781

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1782

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1783

def select(conn, options):

1784

select_args.append((conn, options))

1785

return b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1786

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1787

client_context = Context(TLSv1_METHOD)

1788

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1789

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1790

server_context = Context(TLSv1_METHOD)

1791

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1792

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1793

# Necessary to actually accept the connection

1794

server_context.use_privatekey(

1795

load_privatekey(FILETYPE_PEM, server_key_pem))

1796

server_context.use_certificate(

1797

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1798

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1799

# Do a little connection to trigger the logic

1800

server = Connection(server_context, None)

1801

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1802

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1803

client = Connection(client_context, None)

1804

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1805

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1806

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1807

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1808

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1809

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1810

assert server.get_alpn_proto_negotiated() == b'spdy/2'

1811

assert client.get_alpn_proto_negotiated() == b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1812

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1813

def test_alpn_set_on_connection(self):

1814

"""

1815

The same as test_alpn_success, but setting the ALPN protocols on

1816

the connection rather than the context.

1817

"""

1818

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1819

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1820

def select(conn, options):

1821

select_args.append((conn, options))

1822

return b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1823

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1824

# Setup the client context but don't set any ALPN protocols.

1825

client_context = Context(TLSv1_METHOD)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1826

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1827

server_context = Context(TLSv1_METHOD)

1828

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1829

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1830

# Necessary to actually accept the connection

1831

server_context.use_privatekey(

1832

load_privatekey(FILETYPE_PEM, server_key_pem))

1833

server_context.use_certificate(

1834

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1835

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1836

# Do a little connection to trigger the logic

1837

server = Connection(server_context, None)

1838

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1839

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1840

# Set the ALPN protocols on the client connection.

1841

client = Connection(client_context, None)

1842

client.set_alpn_protos([b'http/1.1', b'spdy/2'])

1843

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1844

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1845

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1846

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1847

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1848

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1849

assert server.get_alpn_proto_negotiated() == b'spdy/2'

1850

assert client.get_alpn_proto_negotiated() == b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1851

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1852

def test_alpn_server_fail(self):

1853

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1854

When clients and servers cannot agree on what protocol to use next

1855

the TLS connection does not get established.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1856

"""

1857

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1858

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1859

def select(conn, options):

1860

select_args.append((conn, options))

1861

return b''

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1862

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1863

client_context = Context(TLSv1_METHOD)

1864

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1865

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1866

server_context = Context(TLSv1_METHOD)

1867

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1868

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1869

# Necessary to actually accept the connection

1870

server_context.use_privatekey(

1871

load_privatekey(FILETYPE_PEM, server_key_pem))

1872

server_context.use_certificate(

1873

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1874

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1875

# Do a little connection to trigger the logic

1876

server = Connection(server_context, None)

1877

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1878

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1879

client = Connection(client_context, None)

1880

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1881

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1882

# If the client doesn't return anything, the connection will fail.

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1883

with pytest.raises(Error):

1884

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1885

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1886

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1887

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1888

def test_alpn_no_server(self):

1889

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1890

When clients and servers cannot agree on what protocol to use next

1891

because the server doesn't offer ALPN, no protocol is negotiated.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1892

"""

1893

client_context = Context(TLSv1_METHOD)

1894

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1895

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1896

server_context = Context(TLSv1_METHOD)

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1897

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1898

# Necessary to actually accept the connection

1899

server_context.use_privatekey(

1900

load_privatekey(FILETYPE_PEM, server_key_pem))

1901

server_context.use_certificate(

1902

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1903

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1904

# Do a little connection to trigger the logic

1905

server = Connection(server_context, None)

1906

server.set_accept_state()

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1907

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1908

client = Connection(client_context, None)

1909

client.set_connect_state()

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1910

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1911

# Do the dance.

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1912

interact_in_memory(server, client)

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1913

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1914

assert client.get_alpn_proto_negotiated() == b''

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1915

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1916

def test_alpn_callback_exception(self):

1917

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1918

We can handle exceptions in the ALPN select callback.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1919

"""

1920

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1921

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1922

def select(conn, options):

1923

select_args.append((conn, options))

Cory Benfield

ef40145

2015-04-13 18:17:36 -0400

[diff] [blame]

1924

raise TypeError()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1925

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1926

client_context = Context(TLSv1_METHOD)

1927

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1928

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1929

server_context = Context(TLSv1_METHOD)

1930

server_context.set_alpn_select_callback(select)

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1931

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1932

# Necessary to actually accept the connection

1933

server_context.use_privatekey(

1934

load_privatekey(FILETYPE_PEM, server_key_pem))

1935

server_context.use_certificate(

1936

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1937

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1938

# Do a little connection to trigger the logic

1939

server = Connection(server_context, None)

1940

server.set_accept_state()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1941

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1942

client = Connection(client_context, None)

1943

client.set_connect_state()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1944

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1945

with pytest.raises(TypeError):

1946

interact_in_memory(server, client)

1947

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1948

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

1949

else:

1950

# No ALPN.

1951

def test_alpn_not_implemented(self):

Cory Benfield

ef40145

2015-04-13 18:17:36 -0400

[diff] [blame]

1952

"""

1953

If ALPN is not in OpenSSL, we should raise NotImplementedError.

1954

"""

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

1955

# Test the context methods first.

1956

context = Context(TLSv1_METHOD)

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1957

with pytest.raises(NotImplementedError):

1958

context.set_alpn_protos(None)

1959

with pytest.raises(NotImplementedError):

1960

context.set_alpn_select_callback(None)

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

1961

1962

# Now test a connection.

1963

conn = Connection(context)

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1964

with pytest.raises(NotImplementedError):

1965

conn.set_alpn_protos(None)

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

1966

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

1967

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1968

class TestSession(object):

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

1969

"""

1970

Unit tests for :py:obj:`OpenSSL.SSL.Session`.

1971

"""

1972

def test_construction(self):

1973

"""

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1974

:py:class:`Session` can be constructed with no arguments, creating

1975

a new instance of that type.

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

1976

"""

1977

new_session = Session()

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1978

assert isinstance(new_session, Session)

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

1979

1980

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

1981

class TestConnection(object):

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

1982

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

1983

Unit tests for `OpenSSL.SSL.Connection`.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

1984

"""

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

1985

# XXX get_peer_certificate -> None

1986

# XXX sock_shutdown

1987

# XXX master_key -> TypeError

1988

# XXX server_random -> TypeError

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

1989

# XXX connect -> TypeError

1990

# XXX connect_ex -> TypeError

1991

# XXX set_connect_state -> TypeError

1992

# XXX set_accept_state -> TypeError

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

1993

# XXX do_handshake -> TypeError

1994

# XXX bio_read -> TypeError

1995

# XXX recv -> TypeError

1996

# XXX send -> TypeError

1997

# XXX bio_write -> TypeError

1998

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

1999

def test_type(self):

2000

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2001

`Connection` and `ConnectionType` refer to the same type object and

2002

can be used to create instances of that type.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2003

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2004

assert Connection is ConnectionType

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2005

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2006

assert is_consistent_type(Connection, 'Connection', ctx, None)

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2007

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2008

@pytest.mark.parametrize('bad_context', [object(), 'context', None, 1])

2009

def test_wrong_args(self, bad_context):

2010

"""

2011

`Connection.__init__` raises `TypeError` if called with a non-`Context`

2012

instance argument.

2013

"""

2014

with pytest.raises(TypeError):

2015

Connection(bad_context)

2016

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

2017

def test_get_context(self):

2018

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2019

`Connection.get_context` returns the `Context` instance used to

2020

construct the `Connection` instance.

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

2021

"""

2022

context = Context(TLSv1_METHOD)

2023

connection = Connection(context, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2024

assert connection.get_context() is context

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

2025

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2026

def test_set_context_wrong_args(self):

2027

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2028

`Connection.set_context` raises `TypeError` if called with a

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2029

non-`Context` instance argument.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2030

"""

2031

ctx = Context(TLSv1_METHOD)

2032

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2033

with pytest.raises(TypeError):

2034

connection.set_context(object())

2035

with pytest.raises(TypeError):

2036

connection.set_context("hello")

2037

with pytest.raises(TypeError):

2038

connection.set_context(1)

2039

assert ctx is connection.get_context()

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2040

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2041

def test_set_context(self):

2042

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2043

`Connection.set_context` specifies a new `Context` instance to be

2044

used for the connection.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2045

"""

2046

original = Context(SSLv23_METHOD)

2047

replacement = Context(TLSv1_METHOD)

2048

connection = Connection(original, None)

2049

connection.set_context(replacement)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2050

assert replacement is connection.get_context()

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2051

# Lose our references to the contexts, just in case the Connection

2052

# isn't properly managing its own contributions to their reference

2053

# counts.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2054

del original, replacement

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2055

collect()

2056

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2057

def test_set_tlsext_host_name_wrong_args(self):

2058

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2059

If `Connection.set_tlsext_host_name` is called with a non-byte string

2060

argument or a byte string with an embedded NUL, `TypeError` is raised.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2061

"""

2062

conn = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2063

with pytest.raises(TypeError):

2064

conn.set_tlsext_host_name(object())

2065

with pytest.raises(TypeError):

2066

conn.set_tlsext_host_name(b"with\0null")

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2067

Abraham Martin

c5484ba

2015-03-25 15:33:05 +0000

[diff] [blame]

2068

if PY3:

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2069

# On Python 3.x, don't accidentally implicitly convert from text.

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2070

with pytest.raises(TypeError):

2071

conn.set_tlsext_host_name(b"example.com".decode("ascii"))

Jean-Paul Calderone

871a4d8

2011-05-26 19:24:02 -0400

[diff] [blame]

2072

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2073

def test_pending(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2074

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2075

`Connection.pending` returns the number of bytes available for

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2076

immediate read.

2077

"""

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2078

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2079

assert connection.pending() == 0

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2080

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2081

def test_peek(self):

2082

"""

Hynek Schlawack

3bcf315

2017-02-18 08:25:34 +0100

[diff] [blame]

2083

`Connection.recv` peeks into the connection if `socket.MSG_PEEK` is

2084

passed.

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2085

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2086

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2087

server.send(b'xy')

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2088

assert client.recv(2, MSG_PEEK) == b'xy'

2089

assert client.recv(2, MSG_PEEK) == b'xy'

2090

assert client.recv(2) == b'xy'

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2091

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2092

def test_connect_wrong_args(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2093

"""

Hynek Schlawack

3bcf315

2017-02-18 08:25:34 +0100

[diff] [blame]

2094

`Connection.connect` raises `TypeError` if called with a non-address

2095

argument.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2096

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2097

connection = Connection(Context(TLSv1_METHOD), socket())

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2098

with pytest.raises(TypeError):

2099

connection.connect(None)

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2100

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2101

def test_connect_refused(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2102

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2103

`Connection.connect` raises `socket.error` if the underlying socket

2104

connect method raises it.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2105

"""

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2106

client = socket()

2107

context = Context(TLSv1_METHOD)

2108

clientSSL = Connection(context, client)

Alex Gaynor

122717b

2015-09-05 14:14:18 -0400

[diff] [blame]

2109

# pytest.raises here doesn't work because of a bug in py.test on Python

2110

# 2.6: https://github.com/pytest-dev/pytest/issues/988

Alex Gaynor

e69c278

2015-09-05 14:07:48 -0400

[diff] [blame]

2111

try:

Alex Gaynor

1aabb2e

2015-09-05 13:35:18 -0400

[diff] [blame]

2112

clientSSL.connect(("127.0.0.1", 1))

Alex Gaynor

e69c278

2015-09-05 14:07:48 -0400

[diff] [blame]

2113

except error as e:

Alex Gaynor

20a4c08

2015-09-05 14:24:15 -0400

[diff] [blame]

2114

exc = e

2115

assert exc.args[0] == ECONNREFUSED

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2116

2117

def test_connect(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2118

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2119

`Connection.connect` establishes a connection to the specified address.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2120

"""

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

port = socket()

port.bind(('', 0))

port.listen(3)

clientSSL = Connection(Context(TLSv1_METHOD), socket())

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2126

clientSSL.connect(('127.0.0.1', port.getsockname()[1]))

2127

# XXX An assertion? Or something?

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2128

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2129

@pytest.mark.skipif(

2130

platform == "darwin",

2131

reason="connect_ex sometimes causes a kernel panic on OS X 10.6.4"

2132

)

2133

def test_connect_ex(self):

2134

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2135

If there is a connection error, `Connection.connect_ex` returns the

2136

errno instead of raising an exception.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

"""

port = socket()

port.bind(('', 0))

port.listen(3)

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2141

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2142

clientSSL = Connection(Context(TLSv1_METHOD), socket())

2143

clientSSL.setblocking(False)

2144

result = clientSSL.connect_ex(port.getsockname())

2145

expected = (EINPROGRESS, EWOULDBLOCK)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2146

assert result in expected

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2147

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2148

def test_accept(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2149

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2150

`Connection.accept` accepts a pending connection attempt and returns a

2151

tuple of a new `Connection` (the accepted client) and the address the

2152

connection originated from.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2153

"""

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2154

ctx = Context(TLSv1_METHOD)

2155

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

2156

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2157

port = socket()

2158

portSSL = Connection(ctx, port)

2159

portSSL.bind(('', 0))

2160

portSSL.listen(3)

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2161

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2162

clientSSL = Connection(Context(TLSv1_METHOD), socket())

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2163

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2164

# Calling portSSL.getsockname() here to get the server IP address

2165

# sounds great, but frequently fails on Windows.

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2166

clientSSL.connect(('127.0.0.1', portSSL.getsockname()[1]))

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2167

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2168

serverSSL, address = portSSL.accept()

2169

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2170

assert isinstance(serverSSL, Connection)

2171

assert serverSSL.get_context() is ctx

2172

assert address == clientSSL.getsockname()

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2173

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2174

def test_shutdown_wrong_args(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2175

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2176

`Connection.set_shutdown` raises `TypeError` if called with arguments

2177

other than integers.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2178

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2179

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2180

with pytest.raises(TypeError):

2181

connection.set_shutdown(None)

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2182

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

2183

def test_shutdown(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2184

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2185

`Connection.shutdown` performs an SSL-level connection shutdown.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2186

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2187

server, client = loopback()

2188

assert not server.shutdown()

2189

assert server.get_shutdown() == SENT_SHUTDOWN

2190

with pytest.raises(ZeroReturnError):

2191

client.recv(1024)

2192

assert client.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

e4f6b47

2010-07-29 22:50:58 -0400

[diff] [blame]

2193

client.shutdown()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2194

assert client.get_shutdown() == (SENT_SHUTDOWN | RECEIVED_SHUTDOWN)

2195

with pytest.raises(ZeroReturnError):

2196

server.recv(1024)

2197

assert server.get_shutdown() == (SENT_SHUTDOWN | RECEIVED_SHUTDOWN)

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

2198

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2199

def test_shutdown_closed(self):

2200

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2201

If the underlying socket is closed, `Connection.shutdown` propagates

2202

the write error from the low level write call.

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2203

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2204

server, client = loopback()

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2205

server.sock_shutdown(2)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2206

with pytest.raises(SysCallError) as exc:

2207

server.shutdown()

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2208

if platform == "win32":

2209

assert exc.value.args[0] == ESHUTDOWN

2210

else:

2211

assert exc.value.args[0] == EPIPE

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2212

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2213

def test_shutdown_truncated(self):

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2214

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2215

If the underlying connection is truncated, `Connection.shutdown`

2216

raises an `Error`.

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2217

"""

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2218

server_ctx = Context(TLSv1_METHOD)

2219

client_ctx = Context(TLSv1_METHOD)

2220

server_ctx.use_privatekey(

2221

load_privatekey(FILETYPE_PEM, server_key_pem))

2222

server_ctx.use_certificate(

2223

load_certificate(FILETYPE_PEM, server_cert_pem))

2224

server = Connection(server_ctx, None)

2225

client = Connection(client_ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2226

handshake_in_memory(client, server)

2227

assert not server.shutdown()

2228

with pytest.raises(WantReadError):

2229

server.shutdown()

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2230

server.bio_shutdown()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2231

with pytest.raises(Error):

2232

server.shutdown()

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2233

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2234

def test_set_shutdown(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2235

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2236

`Connection.set_shutdown` sets the state of the SSL connection

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2237

shutdown process.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2238

"""

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2239

connection = Connection(Context(TLSv1_METHOD), socket())

2240

connection.set_shutdown(RECEIVED_SHUTDOWN)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2241

assert connection.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2242

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2243

@skip_if_py3

2244

def test_set_shutdown_long(self):

2245

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2246

On Python 2 `Connection.set_shutdown` accepts an argument

2247

of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2248

"""

2249

connection = Connection(Context(TLSv1_METHOD), socket())

2250

connection.set_shutdown(long(RECEIVED_SHUTDOWN))

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2251

assert connection.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

2252

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2253

def test_state_string(self):

2254

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2255

`Connection.state_string` verbosely describes the current state of

2256

the `Connection`.

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2257

"""

Hynek Schlawack

b0274ce

2015-10-16 19:56:26 +0200

[diff] [blame]

2258

server, client = socket_pair()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2259

server = loopback_server_factory(server)

2260

client = loopback_client_factory(client)

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2261

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2262

assert server.get_state_string() in [

2263

b"before/accept initialization", b"before SSL initialization"

2264

]

2265

assert client.get_state_string() in [

2266

b"before/connect initialization", b"before SSL initialization"

2267

]

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2268

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2269

def test_app_data(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2270

"""

2271

Any object can be set as app data by passing it to

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2272

`Connection.set_app_data` and later retrieved with

2273

`Connection.get_app_data`.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2274

"""

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2275

conn = Connection(Context(TLSv1_METHOD), None)

Todd Chapman

4f73e4f

2015-08-27 11:26:43 -0400

[diff] [blame]

2276

assert None is conn.get_app_data()

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2277

app_data = object()

2278

conn.set_app_data(app_data)

Todd Chapman

4f73e4f

2015-08-27 11:26:43 -0400

[diff] [blame]

2279

assert conn.get_app_data() is app_data

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2280

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2281

def test_makefile(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2282

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2283

`Connection.makefile` is not implemented and calling that

2284

method raises `NotImplementedError`.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2285

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2286

conn = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2287

with pytest.raises(NotImplementedError):

2288

conn.makefile()

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2289

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2290

def test_get_peer_cert_chain(self):

2291

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2292

`Connection.get_peer_cert_chain` returns a list of certificates

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2293

which the connected server returned for the certification verification.

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2294

"""

2295

chain = _create_certificate_chain()

2296

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

2297

2298

serverContext = Context(TLSv1_METHOD)

2299

serverContext.use_privatekey(skey)

2300

serverContext.use_certificate(scert)

2301

serverContext.add_extra_chain_cert(icert)

2302

serverContext.add_extra_chain_cert(cacert)

2303

server = Connection(serverContext, None)

2304

server.set_accept_state()

2305

2306

# Create the client

2307

clientContext = Context(TLSv1_METHOD)

2308

clientContext.set_verify(VERIFY_NONE, verify_cb)

2309

client = Connection(clientContext, None)

2310

client.set_connect_state()

2311

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2312

interact_in_memory(client, server)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2313

2314

chain = client.get_peer_cert_chain()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2315

assert len(chain) == 3

2316

assert "Server Certificate" == chain[0].get_subject().CN

2317

assert "Intermediate Certificate" == chain[1].get_subject().CN

2318

assert "Authority Certificate" == chain[2].get_subject().CN

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2319

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2320

def test_get_peer_cert_chain_none(self):

2321

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2322

`Connection.get_peer_cert_chain` returns `None` if the peer sends

2323

no certificate chain.

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2324

"""

2325

ctx = Context(TLSv1_METHOD)

2326

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

2327

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

2328

server = Connection(ctx, None)

2329

server.set_accept_state()

2330

client = Connection(Context(TLSv1_METHOD), None)

2331

client.set_connect_state()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2332

interact_in_memory(client, server)

2333

assert None is server.get_peer_cert_chain()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2334

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2335

def test_get_session_unconnected(self):

2336

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2337

`Connection.get_session` returns `None` when used with an object

2338

which has not been connected.

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2339

"""

2340

ctx = Context(TLSv1_METHOD)

2341

server = Connection(ctx, None)

2342

session = server.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2343

assert None is session

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2344

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2345

def test_server_get_session(self):

2346

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2347

On the server side of a connection, `Connection.get_session` returns a

2348

`Session` instance representing the SSL session for that connection.

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2349

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2350

server, client = loopback()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2351

session = server.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2352

assert isinstance(session, Session)

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2353

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2354

def test_client_get_session(self):

2355

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2356

On the client side of a connection, `Connection.get_session`

2357

returns a `Session` instance representing the SSL session for

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2358

that connection.

2359

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2360

server, client = loopback()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2361

session = client.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2362

assert isinstance(session, Session)

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2363

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2364

def test_set_session_wrong_args(self):

2365

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2366

`Connection.set_session` raises `TypeError` if called with an object

2367

that is not an instance of `Session`.

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2368

"""

2369

ctx = Context(TLSv1_METHOD)

2370

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2371

with pytest.raises(TypeError):

2372

connection.set_session(123)

2373

with pytest.raises(TypeError):

2374

connection.set_session("hello")

2375

with pytest.raises(TypeError):

2376

connection.set_session(object())

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2377

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2378

def test_client_set_session(self):

2379

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2380

`Connection.set_session`, when used prior to a connection being

2381

established, accepts a `Session` instance and causes an attempt to

2382

re-use the session it represents when the SSL handshake is performed.

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2383

"""

2384

key = load_privatekey(FILETYPE_PEM, server_key_pem)

2385

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

2386

ctx = Context(TLSv1_METHOD)

2387

ctx.use_privatekey(key)

2388

ctx.use_certificate(cert)

2389

ctx.set_session_id("unity-test")

2390

2391

def makeServer(socket):

2392

server = Connection(ctx, socket)

2393

server.set_accept_state()

2394

return server

2395

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2396

originalServer, originalClient = loopback(

2397

server_factory=makeServer)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2398

originalSession = originalClient.get_session()

2399

2400

def makeClient(socket):

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2401

client = loopback_client_factory(socket)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2402

client.set_session(originalSession)

2403

return client

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2404

resumedServer, resumedClient = loopback(

2405

server_factory=makeServer,

2406

client_factory=makeClient)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2407

2408

# This is a proxy: in general, we have no access to any unique

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2409

# identifier for the session (new enough versions of OpenSSL expose

2410

# a hash which could be usable, but "new enough" is very, very new).

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2411

# Instead, exploit the fact that the master key is re-used if the

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2412

# session is re-used. As long as the master key for the two

2413

# connections is the same, the session was re-used!

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2414

assert originalServer.master_key() == resumedServer.master_key()

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2415

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2416

def test_set_session_wrong_method(self):

2417

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2418

If `Connection.set_session` is passed a `Session` instance associated

2419

with a context using a different SSL method than the `Connection`

2420

is using, a `OpenSSL.SSL.Error` is raised.

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2421

"""

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2422

# Make this work on both OpenSSL 1.0.0, which doesn't support TLSv1.2

2423

# and also on OpenSSL 1.1.0 which doesn't support SSLv3. (SSL_ST_INIT

2424

# is a way to check for 1.1.0)

2425

if SSL_ST_INIT is not None:

v1 = TLSv1_METHOD

v2 = SSLv3_METHOD

else:

v1 = TLSv1_2_METHOD

v2 = TLSv1_METHOD

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2432

key = load_privatekey(FILETYPE_PEM, server_key_pem)

2433

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2434

ctx = Context(v1)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2435

ctx.use_privatekey(key)

2436

ctx.use_certificate(cert)

2437

ctx.set_session_id("unity-test")

2438

2439

def makeServer(socket):

2440

server = Connection(ctx, socket)

2441

server.set_accept_state()

2442

return server

2443

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2444

def makeOriginalClient(socket):

2445

client = Connection(Context(v1), socket)

2446

client.set_connect_state()

2447

return client

2448

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2449

originalServer, originalClient = loopback(

2450

server_factory=makeServer, client_factory=makeOriginalClient)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2451

originalSession = originalClient.get_session()

2452

2453

def makeClient(socket):

2454

# Intentionally use a different, incompatible method here.

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2455

client = Connection(Context(v2), socket)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2456

client.set_connect_state()

2457

client.set_session(originalSession)

2458

return client

2459

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2460

with pytest.raises(Error):

2461

loopback(client_factory=makeClient, server_factory=makeServer)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2462

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2463

def test_wantWriteError(self):

2464

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2465

`Connection` methods which generate output raise

2466

`OpenSSL.SSL.WantWriteError` if writing to the connection's BIO

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2467

fail indicating a should-write state.

2468

"""

2469

client_socket, server_socket = socket_pair()

2470

# Fill up the client's send buffer so Connection won't be able to write

Jean-Paul Calderone

bbff8b9

2014-03-22 14:20:30 -0400

[diff] [blame]

2471

# anything. Only write a single byte at a time so we can be sure we

2472

# completely fill the buffer. Even though the socket API is allowed to

2473

# signal a short write via its return value it seems this doesn't

2474

# always happen on all platforms (FreeBSD and OS X particular) for the

2475

# very last bit of available buffer space.

2476

msg = b"x"

2477

for i in range(1024 * 1024 * 4):

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2478

try:

2479

client_socket.send(msg)

2480

except error as e:

2481

if e.errno == EWOULDBLOCK:

2482

break

2483

raise

2484

else:

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2485

pytest.fail(

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2486

"Failed to fill socket buffer, cannot test BIO want write")

2487

2488

ctx = Context(TLSv1_METHOD)

2489

conn = Connection(ctx, client_socket)

2490

# Client's speak first, so make it an SSL client

2491

conn.set_connect_state()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2492

with pytest.raises(WantWriteError):

2493

conn.do_handshake()

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

# XXX want_read

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2497

def test_get_finished_before_connect(self):

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2498

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2499

`Connection.get_finished` returns `None` before TLS handshake

2500

is completed.

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2501

"""

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2502

ctx = Context(TLSv1_METHOD)

2503

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2504

assert connection.get_finished() is None

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2505

2506

def test_get_peer_finished_before_connect(self):

2507

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2508

`Connection.get_peer_finished` returns `None` before TLS handshake

2509

is completed.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2510

"""

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2511

ctx = Context(TLSv1_METHOD)

2512

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2513

assert connection.get_peer_finished() is None

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2514

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2515

def test_get_finished(self):

2516

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2517

`Connection.get_finished` method returns the TLS Finished message send

2518

from client, or server. Finished messages are send during

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2519

TLS handshake.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2520

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2521

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2522

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2523

assert server.get_finished() is not None

2524

assert len(server.get_finished()) > 0

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2525

2526

def test_get_peer_finished(self):

2527

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2528

`Connection.get_peer_finished` method returns the TLS Finished

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2529

message received from client, or server. Finished messages are send

2530

during TLS handshake.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2531

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2532

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2533

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2534

assert server.get_peer_finished() is not None

2535

assert len(server.get_peer_finished()) > 0

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2536

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2537

def test_tls_finished_message_symmetry(self):

2538

"""

Hynek Schlawack

dddd111

2015-09-05 21:12:30 +0200

[diff] [blame]

2539

The TLS Finished message send by server must be the TLS Finished

2540

message received by client.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2541

Hynek Schlawack

dddd111

2015-09-05 21:12:30 +0200

[diff] [blame]

2542

The TLS Finished message send by client must be the TLS Finished

2543

message received by server.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2544

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2545

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2546

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2547

assert server.get_finished() == client.get_peer_finished()

2548

assert client.get_finished() == server.get_peer_finished()

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

2549

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2550

def test_get_cipher_name_before_connect(self):

2551

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2552

`Connection.get_cipher_name` returns `None` if no connection

2553

has been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2554

"""

2555

ctx = Context(TLSv1_METHOD)

2556

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2557

assert conn.get_cipher_name() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2558

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2559

def test_get_cipher_name(self):

2560

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2561

`Connection.get_cipher_name` returns a `unicode` string giving the

2562

name of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2563

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2564

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2565

server_cipher_name, client_cipher_name = \

2566

server.get_cipher_name(), client.get_cipher_name()

2567

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2568

assert isinstance(server_cipher_name, text_type)

2569

assert isinstance(client_cipher_name, text_type)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2570

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2571

assert server_cipher_name == client_cipher_name

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2572

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2573

def test_get_cipher_version_before_connect(self):

2574

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2575

`Connection.get_cipher_version` returns `None` if no connection

2576

has been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2577

"""

2578

ctx = Context(TLSv1_METHOD)

2579

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2580

assert conn.get_cipher_version() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2581

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2582

def test_get_cipher_version(self):

2583

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2584

`Connection.get_cipher_version` returns a `unicode` string giving

2585

the protocol name of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2586

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2587

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2588

server_cipher_version, client_cipher_version = \

2589

server.get_cipher_version(), client.get_cipher_version()

2590

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2591

assert isinstance(server_cipher_version, text_type)

2592

assert isinstance(client_cipher_version, text_type)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2593

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2594

assert server_cipher_version == client_cipher_version

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2595

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2596

def test_get_cipher_bits_before_connect(self):

2597

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2598

`Connection.get_cipher_bits` returns `None` if no connection has

2599

been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2600

"""

2601

ctx = Context(TLSv1_METHOD)

2602

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2603

assert conn.get_cipher_bits() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2604

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2605

def test_get_cipher_bits(self):

2606

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2607

`Connection.get_cipher_bits` returns the number of secret bits

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2608

of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2609

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2610

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2611

server_cipher_bits, client_cipher_bits = \

2612

server.get_cipher_bits(), client.get_cipher_bits()

2613

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2614

assert isinstance(server_cipher_bits, int)

2615

assert isinstance(client_cipher_bits, int)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2616

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2617

assert server_cipher_bits == client_cipher_bits

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

2618

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2619

def test_get_protocol_version_name(self):

2620

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2621

`Connection.get_protocol_version_name()` returns a string giving the

2622

protocol version of the current connection.

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2623

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2624

server, client = loopback()

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2625

client_protocol_version_name = client.get_protocol_version_name()

2626

server_protocol_version_name = server.get_protocol_version_name()

2627

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2628

assert isinstance(server_protocol_version_name, text_type)

2629

assert isinstance(client_protocol_version_name, text_type)

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2630

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2631

assert server_protocol_version_name == client_protocol_version_name

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2632

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2633

def test_get_protocol_version(self):

2634

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2635

`Connection.get_protocol_version()` returns an integer

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2636

giving the protocol version of the current connection.

2637

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2638

server, client = loopback()

Jim Shaver

85a4dff

2015-04-27 17:42:46 -0400

[diff] [blame]

2639

client_protocol_version = client.get_protocol_version()

2640

server_protocol_version = server.get_protocol_version()

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2641

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2642

assert isinstance(server_protocol_version, int)

2643

assert isinstance(client_protocol_version, int)

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2644

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2645

assert server_protocol_version == client_protocol_version

2646

2647

def test_wantReadError(self):

2648

"""

2649

`Connection.bio_read` raises `OpenSSL.SSL.WantReadError` if there are

2650

no bytes available to be read from the BIO.

2651

"""

2652

ctx = Context(TLSv1_METHOD)

2653

conn = Connection(ctx, None)

2654

with pytest.raises(WantReadError):

2655

conn.bio_read(1024)

2656

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2657

@pytest.mark.parametrize('bufsize', [1.0, None, object(), 'bufsize'])

2658

def test_bio_read_wrong_args(self, bufsize):

2659

"""

2660

`Connection.bio_read` raises `TypeError` if passed a non-integer

2661

argument.

2662

"""

2663

ctx = Context(TLSv1_METHOD)

2664

conn = Connection(ctx, None)

2665

with pytest.raises(TypeError):

2666

conn.bio_read(bufsize)

2667

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2668

def test_buffer_size(self):

2669

"""

2670

`Connection.bio_read` accepts an integer giving the maximum number

2671

of bytes to read and return.

2672

"""

2673

ctx = Context(TLSv1_METHOD)

2674

conn = Connection(ctx, None)

2675

conn.set_connect_state()

2676

try:

2677

conn.do_handshake()

2678

except WantReadError:

2679

pass

2680

data = conn.bio_read(2)

2681

assert 2 == len(data)

2682

2683

@skip_if_py3

2684

def test_buffer_size_long(self):

2685

"""

2686

On Python 2 `Connection.bio_read` accepts values of type `long` as

2687

well as `int`.

2688

"""

2689

ctx = Context(TLSv1_METHOD)

2690

conn = Connection(ctx, None)

2691

conn.set_connect_state()

2692

try:

2693

conn.do_handshake()

2694

except WantReadError:

2695

pass

2696

data = conn.bio_read(long(2))

2697

assert 2 == len(data)

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2698

Jean-Paul Calderone

dbd7627

2014-03-29 18:09:40 -0400

[diff] [blame]

2699

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2700

class TestConnectionGetCipherList(object):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2701

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2702

Tests for `Connection.get_cipher_list`.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2703

"""

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2704

def test_result(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2705

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2706

`Connection.get_cipher_list` returns a list of `bytes` giving the

2707

names of the ciphers which might be used.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2708

"""

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2709

connection = Connection(Context(TLSv1_METHOD), None)

2710

ciphers = connection.get_cipher_list()

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2711

assert isinstance(ciphers, list)

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2712

for cipher in ciphers:

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2713

assert isinstance(cipher, str)

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2714

2715

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

2716

class VeryLarge(bytes):

2717

"""

2718

Mock object so that we don't have to allocate 2**31 bytes

"""

def __len__(self):

return 2**31

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2724

class TestConnectionSend(object):

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2725

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2726

Tests for `Connection.send`.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2727

"""

2728

def test_wrong_args(self):

2729

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

2730

When called with arguments other than string argument for its first

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2731

parameter, `Connection.send` raises `TypeError`.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2732

"""

2733

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2734

with pytest.raises(TypeError):

2735

connection.send(object())

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2736

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2737

def test_short_bytes(self):

2738

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2739

When passed a short byte string, `Connection.send` transmits all of it

2740

and returns the number of bytes sent.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2741

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2742

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2743

count = server.send(b'xy')

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2744

assert count == 2

2745

assert client.recv(2) == b'xy'

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2746

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2747

def test_text(self):

2748

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2749

When passed a text, `Connection.send` transmits all of it and

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

2750

returns the number of bytes sent. It also raises a DeprecationWarning.

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2751

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2752

server, client = loopback()

2753

with pytest.warns(DeprecationWarning) as w:

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2754

simplefilter("always")

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

2755

count = server.send(b"xy".decode("ascii"))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2756

assert (

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

2757

"{0} for buf is no longer accepted, use bytes".format(

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

2758

WARNING_TYPE_EXPECTED

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2759

) == str(w[-1].message))

2760

assert count == 2

2761

assert client.recv(2) == b'xy'

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2762

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2763

@skip_if_py26

2764

def test_short_memoryview(self):

2765

"""

2766

When passed a memoryview onto a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2767

`Connection.send` transmits all of them and returns the number

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2768

of bytes sent.

2769

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2770

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2771

count = server.send(memoryview(b'xy'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2772

assert count == 2

2773

assert client.recv(2) == b'xy'

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2774

Hynek Schlawack

8e94f1b

2015-09-05 21:31:00 +0200

[diff] [blame]

2775

@skip_if_py3

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2776

def test_short_buffer(self):

2777

"""

2778

When passed a buffer containing a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2779

`Connection.send` transmits all of them and returns the number

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2780

of bytes sent.

2781

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2782

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2783

count = server.send(buffer(b'xy'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2784

assert count == 2

2785

assert client.recv(2) == b'xy'

Markus Unterwaditzer

8e41d02

2014-04-19 12:27:11 +0200

[diff] [blame]

2786

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

2787

@pytest.mark.skipif(

2788

sys.maxsize < 2**31,

2789

reason="sys.maxsize < 2**31 - test requires 64 bit"

2790

)

2791

def test_buf_too_large(self):

2792

"""

2793

When passed a buffer containing >= 2**31 bytes,

2794

`Connection.send` bails out as SSL_write only

2795

accepts an int for the buffer length.

2796

"""

2797

connection = Connection(Context(TLSv1_METHOD), None)

2798

with pytest.raises(ValueError) as exc_info:

2799

connection.send(VeryLarge())

2800

exc_info.match(r"Cannot send more than .+ bytes at once")

2801

Jean-Paul Calderone

691e6c9

2011-01-21 22:04:35 -0500

[diff] [blame]

2802

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2803

def _make_memoryview(size):

2804

"""

2805

Create a new ``memoryview`` wrapped around a ``bytearray`` of the given

2806

size.

2807

"""

2808

return memoryview(bytearray(size))

2809

2810

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2811

class TestConnectionRecvInto(object):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2812

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2813

Tests for `Connection.recv_into`.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2814

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2815

def _no_length_test(self, factory):

Jean-Paul Calderone

61559d8

2015-03-15 17:04:50 -0400

[diff] [blame]

2816

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2817

Assert that when the given buffer is passed to `Connection.recv_into`,

2818

whatever bytes are available to be received that fit into that buffer

2819

are written into that buffer.

Jean-Paul Calderone

61559d8

2015-03-15 17:04:50 -0400

[diff] [blame]

2820

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2821

output_buffer = factory(5)

2822

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2823

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2824

server.send(b'xy')

Jean-Paul Calderone

332a85e

2015-03-15 17:02:40 -0400

[diff] [blame]

2825

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2826

assert client.recv_into(output_buffer) == 2

2827

assert output_buffer == bytearray(b'xy\x00\x00\x00')

Jean-Paul Calderone

332a85e

2015-03-15 17:02:40 -0400

[diff] [blame]

2828

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2829

def test_bytearray_no_length(self):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2830

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2831

`Connection.recv_into` can be passed a `bytearray` instance and data

2832

in the receive buffer is written to it.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2833

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2834

self._no_length_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2835

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2836

def _respects_length_test(self, factory):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2837

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2838

Assert that when the given buffer is passed to `Connection.recv_into`

2839

along with a value for `nbytes` that is less than the size of that

2840

buffer, only `nbytes` bytes are written into the buffer.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2841

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2842

output_buffer = factory(10)

2843

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2844

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2845

server.send(b'abcdefghij')

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2846

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2847

assert client.recv_into(output_buffer, 5) == 5

2848

assert output_buffer == bytearray(b'abcde\x00\x00\x00\x00\x00')

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

2849

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2850

def test_bytearray_respects_length(self):

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

2851

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2852

When called with a `bytearray` instance, `Connection.recv_into`

2853

respects the `nbytes` parameter and doesn't copy in more than that

2854

number of bytes.

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

2855

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2856

self._respects_length_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2857

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2858

def _doesnt_overfill_test(self, factory):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2859

"""

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2860

Assert that if there are more bytes available to be read from the

2861

receive buffer than would fit into the buffer passed to

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2862

`Connection.recv_into`, only as many as fit are written into it.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2863

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2864

output_buffer = factory(5)

2865

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2866

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2867

server.send(b'abcdefghij')

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2868

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2869

assert client.recv_into(output_buffer) == 5

2870

assert output_buffer == bytearray(b'abcde')

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2871

rest = client.recv(5)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2872

assert b'fghij' == rest

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2873

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2874

def test_bytearray_doesnt_overfill(self):

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2875

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2876

When called with a `bytearray` instance, `Connection.recv_into`

2877

respects the size of the array and doesn't write more bytes into it

2878

than will fit.

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2879

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2880

self._doesnt_overfill_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2881

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2882

def test_bytearray_really_doesnt_overfill(self):

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

2883

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2884

When called with a `bytearray` instance and an `nbytes` value that is

2885

too large, `Connection.recv_into` respects the size of the array and

2886

not the `nbytes` value and doesn't write more bytes into the buffer

2887

than will fit.

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

2888

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2889

self._doesnt_overfill_test(bytearray)

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

2890

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2891

def test_peek(self):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2892

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2893

server.send(b'xy')

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2894

2895

for _ in range(2):

2896

output_buffer = bytearray(5)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2897

assert client.recv_into(output_buffer, flags=MSG_PEEK) == 2

2898

assert output_buffer == bytearray(b'xy\x00\x00\x00')

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2899

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2900

@skip_if_py26

2901

def test_memoryview_no_length(self):

2902

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2903

`Connection.recv_into` can be passed a `memoryview` instance and data

2904

in the receive buffer is written to it.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2905

"""

2906

self._no_length_test(_make_memoryview)

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2907

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2908

@skip_if_py26

2909

def test_memoryview_respects_length(self):

2910

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2911

When called with a `memoryview` instance, `Connection.recv_into`

2912

respects the ``nbytes`` parameter and doesn't copy more than that

2913

number of bytes in.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2914

"""

2915

self._respects_length_test(_make_memoryview)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2916

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2917

@skip_if_py26

2918

def test_memoryview_doesnt_overfill(self):

2919

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2920

When called with a `memoryview` instance, `Connection.recv_into`

2921

respects the size of the array and doesn't write more bytes into it

2922

than will fit.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2923

"""

2924

self._doesnt_overfill_test(_make_memoryview)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2925

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2926

@skip_if_py26

2927

def test_memoryview_really_doesnt_overfill(self):

2928

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2929

When called with a `memoryview` instance and an `nbytes` value that is

2930

too large, `Connection.recv_into` respects the size of the array and

2931

not the `nbytes` value and doesn't write more bytes into the buffer

2932

than will fit.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2933

"""

2934

self._doesnt_overfill_test(_make_memoryview)

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

2935

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2936

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2937

class TestConnectionSendall(object):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

2938

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2939

Tests for `Connection.sendall`.

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

2940

"""

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2941

def test_wrong_args(self):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

2942

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

2943

When called with arguments other than a string argument for its first

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2944

parameter, `Connection.sendall` raises `TypeError`.

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

2945

"""

2946

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2947

with pytest.raises(TypeError):

2948

connection.sendall(object())

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

2949

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

2950

def test_short(self):

2951

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2952

`Connection.sendall` transmits all of the bytes in the string

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

2953

passed to it.

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

2954

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2955

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2956

server.sendall(b'x')

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2957

assert client.recv(1) == b'x'

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

2958

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2959

def test_text(self):

2960

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2961

`Connection.sendall` transmits all the content in the string passed

2962

to it, raising a DeprecationWarning in case of this being a text.

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2963

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2964

server, client = loopback()

2965

with pytest.warns(DeprecationWarning) as w:

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2966

simplefilter("always")

Jean-Paul Calderone

8dc37a1

2015-03-29 08:16:52 -0400

[diff] [blame]

2967

server.sendall(b"x".decode("ascii"))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2968

assert (

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

2969

"{0} for buf is no longer accepted, use bytes".format(

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

2970

WARNING_TYPE_EXPECTED

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2971

) == str(w[-1].message))

2972

assert client.recv(1) == b"x"

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2973

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

2974

@skip_if_py26

2975

def test_short_memoryview(self):

2976

"""

2977

When passed a memoryview onto a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2978

`Connection.sendall` transmits all of them.

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

2979

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2980

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2981

server.sendall(memoryview(b'x'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2982

assert client.recv(1) == b'x'

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2983

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

2984

@skip_if_py3

2985

def test_short_buffers(self):

2986

"""

2987

When passed a buffer containing a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2988

`Connection.sendall` transmits all of them.

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

2989

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2990

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2991

server.sendall(buffer(b'x'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2992

assert client.recv(1) == b'x'

Markus Unterwaditzer

8e41d02

2014-04-19 12:27:11 +0200

[diff] [blame]

2993

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

2994

def test_long(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2995

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2996

`Connection.sendall` transmits all the bytes in the string passed to it

2997

even if this requires multiple calls of an underlying write function.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2998

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2999

server, client = loopback()

Jean-Paul Calderone

6241c70

2010-09-16 19:59:24 -0400

[diff] [blame]

3000

# Should be enough, underlying SSL_write should only do 16k at a time.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3001

# On Windows, after 32k of bytes the write will block (forever

3002

# - because no one is yet reading).

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3003

message = b'x' * (1024 * 32 - 1) + b'y'

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3004

server.sendall(message)

3005

accum = []

3006

received = 0

3007

while received < len(message):

Jean-Paul Calderone

b1f7f5f

2010-08-22 21:40:52 -0400

[diff] [blame]

3008

data = client.recv(1024)

3009

accum.append(data)

3010

received += len(data)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3011

assert message == b''.join(accum)

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3012

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

3013

def test_closed(self):

3014

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3015

If the underlying socket is closed, `Connection.sendall` propagates the

3016

write error from the low level write call.

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

3017

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3018

server, client = loopback()

Jean-Paul Calderone

05d43e8

2010-09-24 18:01:36 -0400

[diff] [blame]

3019

server.sock_shutdown(2)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3020

with pytest.raises(SysCallError) as err:

3021

server.sendall(b"hello, world")

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

3022

if platform == "win32":

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3023

assert err.value.args[0] == ESHUTDOWN

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

3024

else:

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3025

assert err.value.args[0] == EPIPE

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

3026

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3027

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3028

class TestConnectionRenegotiate(object):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3029

"""

3030

Tests for SSL renegotiation APIs.

3031

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

3032

def test_total_renegotiations(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3033

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3034

`Connection.total_renegotiations` returns `0` before any renegotiations

3035

have happened.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3036

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

3037

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3038

assert connection.total_renegotiations() == 0

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

3039

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3040

def test_renegotiate(self):

3041

"""

3042

Go through a complete renegotiation cycle.

3043

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3044

server, client = loopback()

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3045

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3046

server.send(b"hello world")

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3047

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3048

assert b"hello world" == client.recv(len(b"hello world"))

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3049

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3050

assert 0 == server.total_renegotiations()

3051

assert False is server.renegotiate_pending()

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3052

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3053

assert True is server.renegotiate()

3054

3055

assert True is server.renegotiate_pending()

3056

3057

server.setblocking(False)

3058

client.setblocking(False)

3059

3060

client.do_handshake()

3061

server.do_handshake()

3062

3063

assert 1 == server.total_renegotiations()

3064

while False is server.renegotiate_pending():

3065

pass

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3066

3067

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3068

class TestError(object):

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3069

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3070

Unit tests for `OpenSSL.SSL.Error`.

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3071

"""

3072

def test_type(self):

3073

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3074

`Error` is an exception type.

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3075

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3076

assert issubclass(Error, Exception)

3077

assert Error.__name__ == 'Error'

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

3078

3079

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3080

class TestConstants(object):

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3081

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3082

Tests for the values of constants exposed in `OpenSSL.SSL`.

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3083

3084

These are values defined by OpenSSL intended only to be used as flags to

3085

OpenSSL APIs. The only assertions it seems can be made about them is

3086

their values.

3087

"""

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3088

@pytest.mark.skipif(

3089

OP_NO_QUERY_MTU is None,

3090

reason="OP_NO_QUERY_MTU unavailable - OpenSSL version may be too old"

3091

)

3092

def test_op_no_query_mtu(self):

3093

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3094

The value of `OpenSSL.SSL.OP_NO_QUERY_MTU` is 0x1000, the value

3095

of `SSL_OP_NO_QUERY_MTU` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3096

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3097

assert OP_NO_QUERY_MTU == 0x1000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3098

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3099

@pytest.mark.skipif(

3100

OP_COOKIE_EXCHANGE is None,

3101

reason="OP_COOKIE_EXCHANGE unavailable - "

3102

"OpenSSL version may be too old"

3103

)

3104

def test_op_cookie_exchange(self):

3105

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3106

The value of `OpenSSL.SSL.OP_COOKIE_EXCHANGE` is 0x2000, the

3107

value of `SSL_OP_COOKIE_EXCHANGE` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3108

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3109

assert OP_COOKIE_EXCHANGE == 0x2000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3110

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3111

@pytest.mark.skipif(

3112

OP_NO_TICKET is None,

3113

reason="OP_NO_TICKET unavailable - OpenSSL version may be too old"

3114

)

3115

def test_op_no_ticket(self):

3116

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3117

The value of `OpenSSL.SSL.OP_NO_TICKET` is 0x4000, the value of

3118

`SSL_OP_NO_TICKET` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3119

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3120

assert OP_NO_TICKET == 0x4000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3121

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3122

@pytest.mark.skipif(

3123

OP_NO_COMPRESSION is None,

3124

reason="OP_NO_COMPRESSION unavailable - OpenSSL version may be too old"

3125

)

3126

def test_op_no_compression(self):

3127

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3128

The value of `OpenSSL.SSL.OP_NO_COMPRESSION` is 0x20000, the

3129

value of `SSL_OP_NO_COMPRESSION` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3130

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3131

assert OP_NO_COMPRESSION == 0x20000

Jean-Paul Calderone

c62d4c1

2011-09-08 18:29:32 -0400

[diff] [blame]

3132

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3133

def test_sess_cache_off(self):

3134

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3135

The value of `OpenSSL.SSL.SESS_CACHE_OFF` 0x0, the value of

3136

`SSL_SESS_CACHE_OFF` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3137

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3138

assert 0x0 == SESS_CACHE_OFF

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3139

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3140

def test_sess_cache_client(self):

3141

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3142

The value of `OpenSSL.SSL.SESS_CACHE_CLIENT` 0x1, the value of

3143

`SSL_SESS_CACHE_CLIENT` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3144

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3145

assert 0x1 == SESS_CACHE_CLIENT

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3146

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3147

def test_sess_cache_server(self):

3148

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3149

The value of `OpenSSL.SSL.SESS_CACHE_SERVER` 0x2, the value of

3150

`SSL_SESS_CACHE_SERVER` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3151

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3152

assert 0x2 == SESS_CACHE_SERVER

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3153

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3154

def test_sess_cache_both(self):

3155

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3156

The value of `OpenSSL.SSL.SESS_CACHE_BOTH` 0x3, the value of

3157

`SSL_SESS_CACHE_BOTH` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3158

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3159

assert 0x3 == SESS_CACHE_BOTH

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3160

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3161

def test_sess_cache_no_auto_clear(self):

3162

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3163

The value of `OpenSSL.SSL.SESS_CACHE_NO_AUTO_CLEAR` 0x80, the

3164

value of `SSL_SESS_CACHE_NO_AUTO_CLEAR` defined by

3165

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3166

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3167

assert 0x80 == SESS_CACHE_NO_AUTO_CLEAR

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3168

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3169

def test_sess_cache_no_internal_lookup(self):

3170

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3171

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_LOOKUP` 0x100,

3172

the value of `SSL_SESS_CACHE_NO_INTERNAL_LOOKUP` defined by

3173

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3174

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3175

assert 0x100 == SESS_CACHE_NO_INTERNAL_LOOKUP

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3176

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3177

def test_sess_cache_no_internal_store(self):

3178

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3179

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_STORE` 0x200,

3180

the value of `SSL_SESS_CACHE_NO_INTERNAL_STORE` defined by

3181

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3182

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3183

assert 0x200 == SESS_CACHE_NO_INTERNAL_STORE

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3184

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3185

def test_sess_cache_no_internal(self):

3186

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3187

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL` 0x300, the

3188

value of `SSL_SESS_CACHE_NO_INTERNAL` defined by

3189

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3190

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3191

assert 0x300 == SESS_CACHE_NO_INTERNAL

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3192

3193

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3194

class TestMemoryBIO(object):

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3195

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3196

Tests for `OpenSSL.SSL.Connection` using a memory BIO.

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3197

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3198

def _server(self, sock):

3199

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3200

Create a new server-side SSL `Connection` object wrapped around `sock`.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3201

"""

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3202

# Create the server side Connection. This is mostly setup boilerplate

3203

# - use TLSv1, use a particular certificate, etc.

3204

server_ctx = Context(TLSv1_METHOD)

Alex Gaynor

4330778

2015-09-04 09:05:45 -0400

[diff] [blame]

3205

server_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE)

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3206

server_ctx.set_verify(

3207

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE,

3208

verify_cb

3209

)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3210

server_store = server_ctx.get_cert_store()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3211

server_ctx.use_privatekey(

3212

load_privatekey(FILETYPE_PEM, server_key_pem))

3213

server_ctx.use_certificate(

3214

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3215

server_ctx.check_privatekey()

3216

server_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3217

# Here the Connection is actually created. If None is passed as the

3218

# 2nd parameter, it indicates a memory BIO should be created.

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3219

server_conn = Connection(server_ctx, sock)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3220

server_conn.set_accept_state()

3221

return server_conn

3222

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3223

def _client(self, sock):

3224

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3225

Create a new client-side SSL `Connection` object wrapped around `sock`.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3226

"""

3227

# Now create the client side Connection. Similar boilerplate to the

3228

# above.

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3229

client_ctx = Context(TLSv1_METHOD)

Alex Gaynor

4330778

2015-09-04 09:05:45 -0400

[diff] [blame]

3230

client_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE)

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3231

client_ctx.set_verify(

3232

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE,

3233

verify_cb

3234

)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3235

client_store = client_ctx.get_cert_store()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3236

client_ctx.use_privatekey(

3237

load_privatekey(FILETYPE_PEM, client_key_pem))

3238

client_ctx.use_certificate(

3239

load_certificate(FILETYPE_PEM, client_cert_pem))

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3240

client_ctx.check_privatekey()

3241

client_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3242

client_conn = Connection(client_ctx, sock)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3243

client_conn.set_connect_state()

3244

return client_conn

3245

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3246

def test_memory_connect(self):

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3247

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3248

Two `Connection`s which use memory BIOs can be manually connected by

3249

reading from the output of each and writing those bytes to the input of

3250

the other and in this way establish a connection and exchange

3251

application-level bytes with each other.

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3252

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3253

server_conn = self._server(None)

3254

client_conn = self._client(None)

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3255

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3256

# There should be no key or nonces yet.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3257

assert server_conn.master_key() is None

3258

assert server_conn.client_random() is None

3259

assert server_conn.server_random() is None

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3260

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3261

# First, the handshake needs to happen. We'll deliver bytes back and

3262

# forth between the client and server until neither of them feels like

3263

# speaking any more.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3264

assert interact_in_memory(client_conn, server_conn) is None

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3265

3266

# Now that the handshake is done, there should be a key and nonces.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3267

assert server_conn.master_key() is not None

3268

assert server_conn.client_random() is not None

3269

assert server_conn.server_random() is not None

3270

assert server_conn.client_random() == client_conn.client_random()

3271

assert server_conn.server_random() == client_conn.server_random()

3272

assert server_conn.client_random() != server_conn.server_random()

3273

assert client_conn.client_random() != client_conn.server_random()

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3274

3275

# Here are the bytes we'll try to send.

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3276

important_message = b'One if by land, two if by sea.'

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3277

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3278

server_conn.write(important_message)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3279

assert (

3280

interact_in_memory(client_conn, server_conn) ==

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3281

(client_conn, important_message))

3282

3283

client_conn.write(important_message[::-1])

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3284

assert (

3285

interact_in_memory(client_conn, server_conn) ==

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3286

(server_conn, important_message[::-1]))

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3287

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3288

def test_socket_connect(self):

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3289

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3290

Just like `test_memory_connect` but with an actual socket.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3291

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3292

This is primarily to rule out the memory BIO code as the source of any

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3293

problems encountered while passing data over a `Connection` (if

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3294

this test fails, there must be a problem outside the memory BIO code,

3295

as no memory BIO is involved here). Even though this isn't a memory

3296

BIO test, it's convenient to have it here.

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3297

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3298

server_conn, client_conn = loopback()

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3299

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3300

important_message = b"Help me Obi Wan Kenobi, you're my only hope."

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3301

client_conn.send(important_message)

3302

msg = server_conn.recv(1024)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3303

assert msg == important_message

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3304

3305

# Again in the other direction, just for fun.

3306

important_message = important_message[::-1]

3307

server_conn.send(important_message)

3308

msg = client_conn.recv(1024)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3309

assert msg == important_message

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3310

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3311

def test_socket_overrides_memory(self):

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3312

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3313

Test that `OpenSSL.SSL.bio_read` and `OpenSSL.SSL.bio_write` don't

3314

work on `OpenSSL.SSL.Connection`() that use sockets.

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3315

"""

Alex Gaynor

51d424c

2016-09-10 14:50:11 -0400

[diff] [blame]

3316

context = Context(TLSv1_METHOD)

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3317

client = socket()

3318

clientSSL = Connection(context, client)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3319

with pytest.raises(TypeError):

3320

clientSSL.bio_read(100)

3321

with pytest.raises(TypeError):

3322

clientSSL.bio_write("foo")

3323

with pytest.raises(TypeError):

3324

clientSSL.bio_shutdown()

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3325

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3326

def test_outgoing_overflow(self):

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3327

"""

3328

If more bytes than can be written to the memory BIO are passed to

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3329

`Connection.send` at once, the number of bytes which were written is

3330

returned and that many bytes from the beginning of the input can be

3331

read from the other end of the connection.

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3332

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3333

server = self._server(None)

3334

client = self._client(None)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3335

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3336

interact_in_memory(client, server)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3337

3338

size = 2 ** 15

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

3339

sent = client.send(b"x" * size)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3340

# Sanity check. We're trying to test what happens when the entire

3341

# input can't be sent. If the entire input was sent, this test is

3342

# meaningless.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3343

assert sent < size

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3344

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3345

receiver, received = interact_in_memory(client, server)

3346

assert receiver is server

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3347

3348

# We can rely on all of these bytes being received at once because

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3349

# loopback passes 2 ** 16 to recv - more than 2 ** 15.

3350

assert len(received) == sent

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3351

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3352

def test_shutdown(self):

3353

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3354

`Connection.bio_shutdown` signals the end of the data stream

3355

from which the `Connection` reads.

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3356

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3357

server = self._server(None)

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3358

server.bio_shutdown()

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3359

with pytest.raises(Error) as err:

3360

server.recv(1024)

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3361

# We don't want WantReadError or ZeroReturnError or anything - it's a

3362

# handshake failure.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3363

assert type(err.value) in [Error, SysCallError]

Jean-Paul Calderone

0b88b6a

2009-07-05 12:44:41 -0400

[diff] [blame]

3364

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3365

def test_unexpected_EOF(self):

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3366

"""

3367

If the connection is lost before an orderly SSL shutdown occurs,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3368

`OpenSSL.SSL.SysCallError` is raised with a message of

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3369

"Unexpected EOF".

3370

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3371

server_conn, client_conn = loopback()

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3372

client_conn.sock_shutdown(SHUT_RDWR)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3373

with pytest.raises(SysCallError) as err:

3374

server_conn.recv(1024)

3375

assert err.value.args == (-1, "Unexpected EOF")

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3376

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3377

def _check_client_ca_list(self, func):

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3378

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3379

Verify the return value of the `get_client_ca_list` method for

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3380

server and client connections.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3381

Jonathan Ballet

78b92a2

2011-07-16 08:07:26 +0900

[diff] [blame]

3382

:param func: A function which will be called with the server context

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3383

before the client and server are connected to each other. This

3384

function should specify a list of CAs for the server to send to the

3385

client and return that same list. The list will be used to verify

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3386

that `get_client_ca_list` returns the proper value at

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3387

various times.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3388

"""

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3389

server = self._server(None)

3390

client = self._client(None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3391

assert client.get_client_ca_list() == []

3392

assert server.get_client_ca_list() == []

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3393

ctx = server.get_context()

3394

expected = func(ctx)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3395

assert client.get_client_ca_list() == []

3396

assert server.get_client_ca_list() == expected

3397

interact_in_memory(client, server)

3398

assert client.get_client_ca_list() == expected

3399

assert server.get_client_ca_list() == expected

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3400

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3401

def test_set_client_ca_list_errors(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3402

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3403

`Context.set_client_ca_list` raises a `TypeError` if called with a

3404

non-list or a list that contains objects other than X509Names.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3405

"""

3406

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3407

with pytest.raises(TypeError):

3408

ctx.set_client_ca_list("spam")

3409

with pytest.raises(TypeError):

3410

ctx.set_client_ca_list(["spam"])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3411

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3412

def test_set_empty_ca_list(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3413

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3414

If passed an empty list, `Context.set_client_ca_list` configures the

3415

context to send no CA names to the client and, on both the server and

3416

client sides, `Connection.get_client_ca_list` returns an empty list

3417

after the connection is set up.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3418

"""

3419

def no_ca(ctx):

3420

ctx.set_client_ca_list([])

3421

return []

3422

self._check_client_ca_list(no_ca)

3423

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3424

def test_set_one_ca_list(self):

3425

"""

3426

If passed a list containing a single X509Name,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3427

`Context.set_client_ca_list` configures the context to send

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3428

that CA name to the client and, on both the server and client sides,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3429

`Connection.get_client_ca_list` returns a list containing that

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3430

X509Name after the connection is set up.

3431

"""

3432

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3433

cadesc = cacert.get_subject()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3434

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3435

def single_ca(ctx):

3436

ctx.set_client_ca_list([cadesc])

3437

return [cadesc]

3438

self._check_client_ca_list(single_ca)

3439

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3440

def test_set_multiple_ca_list(self):

3441

"""

3442

If passed a list containing multiple X509Name objects,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3443

`Context.set_client_ca_list` configures the context to send

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3444

those CA names to the client and, on both the server and client sides,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3445

`Connection.get_client_ca_list` returns a list containing those

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3446

X509Names after the connection is set up.

3447

"""

3448

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3449

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3450

3451

sedesc = secert.get_subject()

3452

cldesc = clcert.get_subject()

3453

3454

def multiple_ca(ctx):

3455

L = [sedesc, cldesc]

3456

ctx.set_client_ca_list(L)

3457

return L

3458

self._check_client_ca_list(multiple_ca)

3459

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3460

def test_reset_ca_list(self):

3461

"""

3462

If called multiple times, only the X509Names passed to the final call

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3463

of `Context.set_client_ca_list` are used to configure the CA

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3464

names sent to the client.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3465

"""

3466

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3467

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3468

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3469

3470

cadesc = cacert.get_subject()

3471

sedesc = secert.get_subject()

3472

cldesc = clcert.get_subject()

3473

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3474

def changed_ca(ctx):

3475

ctx.set_client_ca_list([sedesc, cldesc])

3476

ctx.set_client_ca_list([cadesc])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3477

return [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3478

self._check_client_ca_list(changed_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3479

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3480

def test_mutated_ca_list(self):

3481

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3482

If the list passed to `Context.set_client_ca_list` is mutated

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3483

afterwards, this does not affect the list of CA names sent to the

3484

client.

3485

"""

3486

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3487

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3488

3489

cadesc = cacert.get_subject()

3490

sedesc = secert.get_subject()

3491

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3492

def mutated_ca(ctx):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3493

L = [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3494

ctx.set_client_ca_list([cadesc])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3495

L.append(sedesc)

3496

return [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3497

self._check_client_ca_list(mutated_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3498

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3499

def test_add_client_ca_wrong_args(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3500

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3501

`Context.add_client_ca` raises `TypeError` if called with

3502

a non-X509 object.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3503

"""

3504

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3505

with pytest.raises(TypeError):

3506

ctx.add_client_ca("spam")

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3507

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3508

def test_one_add_client_ca(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3509

"""

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3510

A certificate's subject can be added as a CA to be sent to the client

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3511

with `Context.add_client_ca`.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3512

"""

3513

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3514

cadesc = cacert.get_subject()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3515

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3516

def single_ca(ctx):

3517

ctx.add_client_ca(cacert)

3518

return [cadesc]

3519

self._check_client_ca_list(single_ca)

3520

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3521

def test_multiple_add_client_ca(self):

3522

"""

3523

Multiple CA names can be sent to the client by calling

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3524

`Context.add_client_ca` with multiple X509 objects.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3525

"""

3526

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3527

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3528

3529

cadesc = cacert.get_subject()

3530

sedesc = secert.get_subject()

3531

3532

def multiple_ca(ctx):

3533

ctx.add_client_ca(cacert)

3534

ctx.add_client_ca(secert)

3535

return [cadesc, sedesc]

3536

self._check_client_ca_list(multiple_ca)

3537

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3538

def test_set_and_add_client_ca(self):

3539

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3540

A call to `Context.set_client_ca_list` followed by a call to

3541

`Context.add_client_ca` results in using the CA names from the

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3542

first call and the CA name from the second call.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3543

"""

3544

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3545

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3546

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3547

3548

cadesc = cacert.get_subject()

3549

sedesc = secert.get_subject()

3550

cldesc = clcert.get_subject()

3551

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3552

def mixed_set_add_ca(ctx):

3553

ctx.set_client_ca_list([cadesc, sedesc])

3554

ctx.add_client_ca(clcert)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3555

return [cadesc, sedesc, cldesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3556

self._check_client_ca_list(mixed_set_add_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3557

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3558

def test_set_after_add_client_ca(self):

3559

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3560

A call to `Context.set_client_ca_list` after a call to

3561

`Context.add_client_ca` replaces the CA name specified by the

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3562

former call with the names specified by the latter call.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3563

"""

3564

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3565

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3566

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3567

3568

cadesc = cacert.get_subject()

3569

sedesc = secert.get_subject()

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3570

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3571

def set_replaces_add_ca(ctx):

3572

ctx.add_client_ca(clcert)

3573

ctx.set_client_ca_list([cadesc])

3574

ctx.add_client_ca(secert)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3575

return [cadesc, sedesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3576

self._check_client_ca_list(set_replaces_add_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3577

Jean-Paul Calderone

0b88b6a

2009-07-05 12:44:41 -0400

[diff] [blame]

3578

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3579

class TestInfoConstants(object):

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3580

"""

3581

Tests for assorted constants exposed for use in info callbacks.

3582

"""

3583

def test_integers(self):

3584

"""

3585

All of the info constants are integers.

3586

3587

This is a very weak test. It would be nice to have one that actually

3588

verifies that as certain info events happen, the value passed to the

3589

info callback matches up with the constant exposed by OpenSSL.SSL.

3590

"""

3591

for const in [

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

3592

SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK,

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3593

SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT,

3594

SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP,

3595

SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT,

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3596

SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE

3597

]:

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

3598

assert isinstance(const, int)

3599

3600

# These constants don't exist on OpenSSL 1.1.0

3601

for const in [

3602

SSL_ST_INIT, SSL_ST_BEFORE, SSL_ST_OK, SSL_ST_RENEGOTIATE

3603

]:

3604

assert const is None or isinstance(const, int)

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3605

Ziga Seilnacht

44611bf

2009-08-31 20:49:30 +0200

[diff] [blame]

3606

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3607

class TestRequires(object):

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3608

"""

3609

Tests for the decorator factory used to conditionally raise

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3610

NotImplementedError when older OpenSSLs are used.

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3611

"""

3612

def test_available(self):

3613

"""

3614

When the OpenSSL functionality is available the decorated functions

3615

work appropriately.

3616

"""

3617

feature_guard = _make_requires(True, "Error text")

results = []

@feature_guard

def inner():

results.append(True)

return True

Cory Benfield

2016-03-30 14:24:16 +0100

[diff] [blame]

3625

assert inner() is True

3626

assert [True] == results

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3627

3628

def test_unavailable(self):

3629

"""

3630

When the OpenSSL functionality is not available the decorated function

3631

does not execute and NotImplementedError is raised.

3632

"""

3633

feature_guard = _make_requires(False, "Error text")

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3634

3635

@feature_guard

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3636

def inner(): # pragma: nocover

3637

pytest.fail("Should not be called")

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3638

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3639

with pytest.raises(NotImplementedError) as e:

3640

inner()

3641

3642

assert "Error text" in str(e.value)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3643

3644

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3645

class TestOCSP(object):

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3646

"""

3647

Tests for PyOpenSSL's OCSP stapling support.

3648

"""

3649

sample_ocsp_data = b"this is totally ocsp data"

3650

3651

def _client_connection(self, callback, data, request_ocsp=True):

3652

"""

3653

Builds a client connection suitable for using OCSP.

3654

3655

:param callback: The callback to register for OCSP.

3656

:param data: The opaque data object that will be handed to the

3657

OCSP callback.

3658

:param request_ocsp: Whether the client will actually ask for OCSP

3659

stapling. Useful for testing only.

3660

"""

3661

ctx = Context(SSLv23_METHOD)

3662

ctx.set_ocsp_client_callback(callback, data)

3663

client = Connection(ctx)

3664

3665

if request_ocsp:

3666

client.request_ocsp()

3667

3668

client.set_connect_state()

3669

return client

3670

3671

def _server_connection(self, callback, data):

3672

"""

3673

Builds a server connection suitable for using OCSP.

3674

3675

:param callback: The callback to register for OCSP.

3676

:param data: The opaque data object that will be handed to the

3677

OCSP callback.

3678

"""

3679

ctx = Context(SSLv23_METHOD)

3680

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

3681

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

3682

ctx.set_ocsp_server_callback(callback, data)

3683

server = Connection(ctx)

3684

server.set_accept_state()

3685

return server

3686

3687

def test_callbacks_arent_called_by_default(self):

3688

"""

3689

If both the client and the server have registered OCSP callbacks, but

3690

the client does not send the OCSP request, neither callback gets

3691

called.

3692

"""

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3693

def ocsp_callback(*args, **kwargs): # pragma: nocover

3694

pytest.fail("Should not be called")

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3695

3696

client = self._client_connection(

3697

callback=ocsp_callback, data=None, request_ocsp=False

3698

)

3699

server = self._server_connection(callback=ocsp_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3700

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3701

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3702

def test_client_negotiates_without_server(self):

3703

"""

3704

If the client wants to do OCSP but the server does not, the handshake

3705

succeeds, and the client callback fires with an empty byte string.

"""

called = []

def ocsp_callback(conn, ocsp_data, ignored):

3710

called.append(ocsp_data)

3711

return True

3712

3713

client = self._client_connection(callback=ocsp_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3714

server = loopback_server_factory(socket=None)

3715

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3716

3717

assert len(called) == 1

3718

assert called[0] == b''

3719

3720

def test_client_receives_servers_data(self):

3721

"""

3722

The data the server sends in its callback is received by the client.

"""

calls = []

def server_callback(*args, **kwargs):

3727

return self.sample_ocsp_data

3728

3729

def client_callback(conn, ocsp_data, ignored):

3730

calls.append(ocsp_data)

3731

return True

3732

3733

client = self._client_connection(callback=client_callback, data=None)

3734

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3735

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3736

3737

assert len(calls) == 1

3738

assert calls[0] == self.sample_ocsp_data

3739

3740

def test_callbacks_are_invoked_with_connections(self):

3741

"""

3742

The first arguments to both callbacks are their respective connections.

"""

client_calls = []

server_calls = []

def client_callback(conn, *args, **kwargs):

3748

client_calls.append(conn)

3749

return True

3750

3751

def server_callback(conn, *args, **kwargs):

3752

server_calls.append(conn)

3753

return self.sample_ocsp_data

3754

3755

client = self._client_connection(callback=client_callback, data=None)

3756

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3757

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3758

3759

assert len(client_calls) == 1

3760

assert len(server_calls) == 1

3761

assert client_calls[0] is client

3762

assert server_calls[0] is server

3763

3764

def test_opaque_data_is_passed_through(self):

3765

"""

3766

Both callbacks receive an opaque, user-provided piece of data in their

3767

callbacks as the final argument.

"""

calls = []

def server_callback(*args):

3772

calls.append(args)

3773

return self.sample_ocsp_data

3774

3775

def client_callback(*args):

calls.append(args)

return True

sentinel = object()

client = self._client_connection(

3782

callback=client_callback, data=sentinel

3783

)

3784

server = self._server_connection(

3785

callback=server_callback, data=sentinel

3786

)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3787

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3788

3789

assert len(calls) == 2

3790

assert calls[0][-1] is sentinel

3791

assert calls[1][-1] is sentinel

3792

3793

def test_server_returns_empty_string(self):

3794

"""

3795

If the server returns an empty bytestring from its callback, the

3796

client callback is called with the empty bytestring.

"""

client_calls = []

def server_callback(*args):

3801

return b''

3802

3803

def client_callback(conn, ocsp_data, ignored):

3804

client_calls.append(ocsp_data)

3805

return True

3806

3807

client = self._client_connection(callback=client_callback, data=None)

3808

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3809

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3810

3811

assert len(client_calls) == 1

3812

assert client_calls[0] == b''

3813

3814

def test_client_returns_false_terminates_handshake(self):

3815

"""

3816

If the client returns False from its callback, the handshake fails.

3817

"""

3818

def server_callback(*args):

3819

return self.sample_ocsp_data

3820

3821

def client_callback(*args):

3822

return False

3823

3824

client = self._client_connection(callback=client_callback, data=None)

3825

server = self._server_connection(callback=server_callback, data=None)

3826

3827

with pytest.raises(Error):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3828

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3829

3830

def test_exceptions_in_client_bubble_up(self):

3831

"""

3832

The callbacks thrown in the client callback bubble up to the caller.

3833

"""

3834

class SentinelException(Exception):

3835

pass

3836

3837

def server_callback(*args):

3838

return self.sample_ocsp_data

3839

3840

def client_callback(*args):

3841

raise SentinelException()

3842

3843

client = self._client_connection(callback=client_callback, data=None)

3844

server = self._server_connection(callback=server_callback, data=None)

3845

3846

with pytest.raises(SentinelException):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3847

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3848

3849

def test_exceptions_in_server_bubble_up(self):

3850

"""

3851

The callbacks thrown in the server callback bubble up to the caller.

3852

"""

3853

class SentinelException(Exception):

3854

pass

3855

3856

def server_callback(*args):

3857

raise SentinelException()

3858

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3859

def client_callback(*args): # pragma: nocover

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3860

pytest.fail("Should not be called")

3861

3862

client = self._client_connection(callback=client_callback, data=None)

3863

server = self._server_connection(callback=server_callback, data=None)

3864

3865

with pytest.raises(SentinelException):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3866

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3867

3868

def test_server_must_return_bytes(self):

3869

"""

3870

The server callback must return a bytestring, or a TypeError is thrown.

3871

"""

3872

def server_callback(*args):

3873

return self.sample_ocsp_data.decode('ascii')

3874

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3875

def client_callback(*args): # pragma: nocover

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3876

pytest.fail("Should not be called")

3877

3878

client = self._client_connection(callback=client_callback, data=None)

3879

server = self._server_connection(callback=server_callback, data=None)

3880

3881

with pytest.raises(TypeError):

Alex Chan