Blame - tests/test_ssl.py - platform/external/python/pyopenssl

2008-03-21 17:04:05 -0400

[diff] [blame]

4

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

5

Unit tests for :mod:`OpenSSL.SSL`.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

6

"""

7

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

8

import datetime

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

9

import sys

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

10

import uuid

11

Jean-Paul Calderone

4c1aacd

2014-01-11 08:15:17 -0500

[diff] [blame]

12

from gc import collect, get_referrers

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

13

from errno import ECONNREFUSED, EINPROGRESS, EWOULDBLOCK, EPIPE, ESHUTDOWN

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

14

from sys import platform, getfilesystemencoding, version_info

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

15

from socket import MSG_PEEK, SHUT_RDWR, error, socket

Jean-Paul Calderone

a65cf6c

2009-07-19 10:26:52 -0400

[diff] [blame]

16

from os import makedirs

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

17

from os.path import join

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

18

from weakref import ref

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

19

from warnings import simplefilter

Jean-Paul Calderone

460cc1f

2009-03-07 11:31:12 -0500

[diff] [blame]

20

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

21

import pytest

22

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

23

from pretend import raiser

24

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

25

from six import PY3, text_type

Jean-Paul Calderone

c76c61c

2014-01-18 13:21:52 -0500

[diff] [blame]

26

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

27

from cryptography import x509

28

from cryptography.hazmat.backends import default_backend

29

from cryptography.hazmat.primitives import hashes

30

from cryptography.hazmat.primitives import serialization

31

from cryptography.hazmat.primitives.asymmetric import rsa

32

from cryptography.x509.oid import NameOID

33

34

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

35

from OpenSSL.crypto import TYPE_RSA, FILETYPE_PEM

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

36

from OpenSSL.crypto import PKey, X509, X509Extension, X509Store

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

37

from OpenSSL.crypto import dump_privatekey, load_privatekey

38

from OpenSSL.crypto import dump_certificate, load_certificate

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

39

from OpenSSL.crypto import get_elliptic_curves

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

40

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

41

from OpenSSL.SSL import OPENSSL_VERSION_NUMBER, SSLEAY_VERSION, SSLEAY_CFLAGS

42

from OpenSSL.SSL import SSLEAY_PLATFORM, SSLEAY_DIR, SSLEAY_BUILT_ON

Jean-Paul Calderone

e4f6b47

2010-07-29 22:50:58 -0400

[diff] [blame]

43

from OpenSSL.SSL import SENT_SHUTDOWN, RECEIVED_SHUTDOWN

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

44

from OpenSSL.SSL import (

45

SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD,

46

TLSv1_1_METHOD, TLSv1_2_METHOD)

47

from OpenSSL.SSL import OP_SINGLE_DH_USE, OP_NO_SSLv2, OP_NO_SSLv3

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

48

from OpenSSL.SSL import (

49

VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT, VERIFY_CLIENT_ONCE, VERIFY_NONE)

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

50

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

51

from OpenSSL import SSL

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

52

from OpenSSL.SSL import (

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

53

SESS_CACHE_OFF, SESS_CACHE_CLIENT, SESS_CACHE_SERVER, SESS_CACHE_BOTH,

54

SESS_CACHE_NO_AUTO_CLEAR, SESS_CACHE_NO_INTERNAL_LOOKUP,

55

SESS_CACHE_NO_INTERNAL_STORE, SESS_CACHE_NO_INTERNAL)

56

57

from OpenSSL.SSL import (

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

58

Error, SysCallError, WantReadError, WantWriteError, ZeroReturnError)

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

59

from OpenSSL.SSL import (

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

60

Context, ContextType, Session, Connection, ConnectionType, SSLeay_version)

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

61

from OpenSSL.SSL import _make_requires

Jean-Paul Calderone

7526d17

2010-09-09 17:55:31 -0400

[diff] [blame]

62

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

63

from OpenSSL._util import ffi as _ffi, lib as _lib

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

64

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

65

from OpenSSL.SSL import (

66

OP_NO_QUERY_MTU, OP_COOKIE_EXCHANGE, OP_NO_TICKET, OP_NO_COMPRESSION,

67

MODE_RELEASE_BUFFERS)

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

68

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

69

from OpenSSL.SSL import (

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

70

SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK,

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

71

SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT,

72

SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP,

73

SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT,

74

SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE)

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

75

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

76

try:

77

from OpenSSL.SSL import (

78

SSL_ST_INIT, SSL_ST_BEFORE, SSL_ST_OK, SSL_ST_RENEGOTIATE

79

)

80

except ImportError:

81

SSL_ST_INIT = SSL_ST_BEFORE = SSL_ST_OK = SSL_ST_RENEGOTIATE = None

82

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

83

from .util import WARNING_TYPE_EXPECTED, NON_ASCII, is_consistent_type

Hynek Schlawack

f0e6685

2015-10-16 20:18:38 +0200

[diff] [blame]

84

from .test_crypto import (

85

cleartextCertificatePEM, cleartextPrivateKeyPEM,

86

client_cert_pem, client_key_pem, server_cert_pem, server_key_pem,

87

root_cert_pem)

88

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

89

Alex Gaynor

d0bdd2d

2016-09-10 14:23:46 -0400

[diff] [blame]

90

# openssl dhparam 1024 -out dh-1024.pem (note that 1024 is a small number of

91

# bits to use)

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

92

dhparam = """\

93

-----BEGIN DH PARAMETERS-----

Alex Gaynor

d0bdd2d

2016-09-10 14:23:46 -0400

[diff] [blame]

94

MIGHAoGBALdUMvn+C9MM+y5BWZs11mSeH6HHoEq0UVbzVq7UojC1hbsZUuGukQ3a

95

Qh2/pwqb18BZFykrWB0zv/OkLa0kx4cuUgNrUVq1EFheBiX6YqryJ7t2sO09NQiO

96

V7H54LmltOT/hEh6QWsJqb6BQgH65bswvV/XkYGja8/T0GzvbaVzAgEC

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

97

-----END DH PARAMETERS-----

"""

Hynek Schlawack

2015-09-05 20:48:34 +0200

[diff] [blame]

101

skip_if_py3 = pytest.mark.skipif(PY3, reason="Python 2 only")

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

102

skip_if_py26 = pytest.mark.skipif(

103

version_info[0:2] == (2, 6),

104

reason="Python 2.7 and later only"

105

)

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

106

107

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

108

def join_bytes_or_unicode(prefix, suffix):

109

"""

110

Join two path components of either ``bytes`` or ``unicode``.

111

112

The return type is the same as the type of ``prefix``.

113

"""

114

# If the types are the same, nothing special is necessary.

115

if type(prefix) == type(suffix):

116

return join(prefix, suffix)

117

118

# Otherwise, coerce suffix to the type of prefix.

119

if isinstance(prefix, text_type):

120

return join(prefix, suffix.decode(getfilesystemencoding()))

121

else:

122

return join(prefix, suffix.encode(getfilesystemencoding()))

123

124

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

125

def verify_cb(conn, cert, errnum, depth, ok):

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

126

return ok

127

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

128

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

129

def socket_pair():

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

130

"""

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

131

Establish and return a pair of network sockets connected to each other.

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

132

"""

133

# Connect a pair of sockets

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

port = socket()

port.bind(('', 0))

port.listen(1)

client = socket()

client.setblocking(False)

Jean-Paul Calderone

f23c5d9

2009-07-23 17:58:15 -0400

[diff] [blame]

139

client.connect_ex(("127.0.0.1", port.getsockname()[1]))

Jean-Paul Calderone

94b24a8

2009-07-16 19:11:38 -0400

[diff] [blame]

140

client.setblocking(True)

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

141

server = port.accept()[0]

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

142

Jean-Paul Calderone

1a9613b

2009-07-16 12:13:36 -0400

[diff] [blame]

143

# Let's pass some unencrypted data to make sure our socket connection is

144

# fine. Just one byte, so we don't have to worry about buffers getting

145

# filled up or fragmentation.

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

146

server.send(b"x")

147

assert client.recv(1024) == b"x"

148

client.send(b"y")

149

assert server.recv(1024) == b"y"

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

150

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

151

# Most of our callers want non-blocking sockets, make it easy for them.

Jean-Paul Calderone

94b24a8

2009-07-16 19:11:38 -0400

[diff] [blame]

152

server.setblocking(False)

153

client.setblocking(False)

Jim Shaver

46f2891

2015-05-29 19:32:16 -0400

[diff] [blame]

154

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

155

return (server, client)

156

157

Jean-Paul Calderone

f874203

2010-09-25 00:00:32 -0400

[diff] [blame]

158

def handshake(client, server):

159

conns = [client, server]

while conns:

for conn in conns:

try:

conn.do_handshake()

except WantReadError:

pass

else:

conns.remove(conn)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

170

def _create_certificate_chain():

171

"""

172

Construct and return a chain of certificates.

173

174

1. A new self-signed certificate authority certificate (cacert)

175

2. A new intermediate certificate signed by cacert (icert)

176

3. A new server certificate signed by icert (scert)

177

"""

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

178

caext = X509Extension(b'basicConstraints', False, b'CA:true')

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

179

180

# Step 1

181

cakey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

182

cakey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

183

cacert = X509()

184

cacert.get_subject().commonName = "Authority Certificate"

185

cacert.set_issuer(cacert.get_subject())

186

cacert.set_pubkey(cakey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

187

cacert.set_notBefore(b"20000101000000Z")

188

cacert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

189

cacert.add_extensions([caext])

190

cacert.set_serial_number(0)

191

cacert.sign(cakey, "sha1")

192

193

# Step 2

194

ikey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

195

ikey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

196

icert = X509()

197

icert.get_subject().commonName = "Intermediate Certificate"

198

icert.set_issuer(cacert.get_subject())

199

icert.set_pubkey(ikey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

200

icert.set_notBefore(b"20000101000000Z")

201

icert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

202

icert.add_extensions([caext])

203

icert.set_serial_number(0)

204

icert.sign(cakey, "sha1")

205

206

# Step 3

207

skey = PKey()

Alex Gaynor

0737a5e

2016-09-10 14:35:09 -0400

[diff] [blame]

208

skey.generate_key(TYPE_RSA, 1024)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

209

scert = X509()

210

scert.get_subject().commonName = "Server Certificate"

211

scert.set_issuer(icert.get_subject())

212

scert.set_pubkey(skey)

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

213

scert.set_notBefore(b"20000101000000Z")

214

scert.set_notAfter(b"20200101000000Z")

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

215

scert.add_extensions([

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

216

X509Extension(b'basicConstraints', True, b'CA:false')])

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

217

scert.set_serial_number(0)

218

scert.sign(ikey, "sha1")

219

220

return [(cakey, cacert), (ikey, icert), (skey, scert)]

221

222

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

223

def loopback_client_factory(socket):

224

client = Connection(Context(TLSv1_METHOD), socket)

225

client.set_connect_state()

return client

def loopback_server_factory(socket):

230

ctx = Context(TLSv1_METHOD)

231

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

232

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

233

server = Connection(ctx, socket)

234

server.set_accept_state()

return server

def loopback(server_factory=None, client_factory=None):

239

"""

240

Create a connected socket pair and force two connected SSL sockets

241

to talk to each other via memory BIOs.

242

"""

243

if server_factory is None:

244

server_factory = loopback_server_factory

245

if client_factory is None:

246

client_factory = loopback_client_factory

247

248

(server, client) = socket_pair()

249

server = server_factory(server)

250

client = client_factory(client)

251

252

handshake(client, server)

253

254

server.setblocking(True)

255

client.setblocking(True)

256

return server, client

257

258

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

259

def interact_in_memory(client_conn, server_conn):

260

"""

261

Try to read application bytes from each of the two `Connection` objects.

262

Copy bytes back and forth between their send/receive buffers for as long

263

as there is anything to copy. When there is nothing more to copy,

264

return `None`. If one of them actually manages to deliver some application

265

bytes, return a two-tuple of the connection from which the bytes were read

266

and the bytes themselves.

"""

wrote = True

while wrote:

# Loop until neither side has anything to say

271

wrote = False

272

273

# Copy stuff from each side's send buffer to the other side's

274

# receive buffer.

275

for (read, write) in [(client_conn, server_conn),

276

(server_conn, client_conn)]:

277

278

# Give the side a chance to generate some more bytes, or succeed.

279

try:

280

data = read.recv(2 ** 16)

281

except WantReadError:

282

# It didn't succeed, so we'll hope it generated some output.

283

pass

284

else:

285

# It did succeed, so we'll stop now and let the caller deal

# with it.

return (read, data)

while True:

# Keep copying as long as there's more stuff there.

291

try:

292

dirty = read.bio_read(4096)

293

except WantReadError:

294

# Okay, nothing more waiting to be sent. Stop

295

# processing this send buffer.

296

break

297

else:

298

# Keep track of the fact that someone generated some

299

# output.

300

wrote = True

301

write.bio_write(dirty)

302

303

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

304

def handshake_in_memory(client_conn, server_conn):

305

"""

306

Perform the TLS handshake between two `Connection` instances connected to

307

each other via memory BIOs.

308

"""

309

client_conn.set_connect_state()

310

server_conn.set_accept_state()

311

312

for conn in [client_conn, server_conn]:

313

try:

314

conn.do_handshake()

315

except WantReadError:

316

pass

317

318

interact_in_memory(client_conn, server_conn)

319

320

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

321

class TestVersion(object):

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

322

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

323

Tests for version information exposed by `OpenSSL.SSL.SSLeay_version` and

324

`OpenSSL.SSL.OPENSSL_VERSION_NUMBER`.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

325

"""

326

def test_OPENSSL_VERSION_NUMBER(self):

327

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

328

`OPENSSL_VERSION_NUMBER` is an integer with status in the low byte and

329

the patch, fix, minor, and major versions in the nibbles above that.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

330

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

331

assert isinstance(OPENSSL_VERSION_NUMBER, int)

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

332

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

333

def test_SSLeay_version(self):

334

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

335

`SSLeay_version` takes a version type indicator and returns one of a

336

number of version strings based on that indicator.

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

337

"""

338

versions = {}

339

for t in [SSLEAY_VERSION, SSLEAY_CFLAGS, SSLEAY_BUILT_ON,

340

SSLEAY_PLATFORM, SSLEAY_DIR]:

341

version = SSLeay_version(t)

342

versions[version] = t

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

343

assert isinstance(version, bytes)

344

assert len(versions) == 5

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

345

346

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

347

@pytest.fixture

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

348

def ca_file(tmpdir):

349

"""

350

Create a valid PEM file with CA certificates and return the path.

351

"""

352

key = rsa.generate_private_key(

353

public_exponent=65537,

354

key_size=2048,

355

backend=default_backend()

356

)

357

public_key = key.public_key()

358

359

builder = x509.CertificateBuilder()

360

builder = builder.subject_name(x509.Name([

361

x509.NameAttribute(NameOID.COMMON_NAME, u"pyopenssl.org"),

362

]))

363

builder = builder.issuer_name(x509.Name([

364

x509.NameAttribute(NameOID.COMMON_NAME, u"pyopenssl.org"),

365

]))

366

one_day = datetime.timedelta(1, 0, 0)

367

builder = builder.not_valid_before(datetime.datetime.today() - one_day)

368

builder = builder.not_valid_after(datetime.datetime.today() + one_day)

369

builder = builder.serial_number(int(uuid.uuid4()))

370

builder = builder.public_key(public_key)

371

builder = builder.add_extension(

372

x509.BasicConstraints(ca=True, path_length=None), critical=True,

373

)

374

375

certificate = builder.sign(

376

private_key=key, algorithm=hashes.SHA256(),

377

backend=default_backend()

378

)

379

380

ca_file = tmpdir.join("test.pem")

381

ca_file.write_binary(

382

certificate.public_bytes(

383

encoding=serialization.Encoding.PEM,

)

)

return str(ca_file).encode("ascii")

388

389

390

@pytest.fixture

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

391

def context():

392

"""

393

A simple TLS 1.0 context.

394

"""

395

return Context(TLSv1_METHOD)

396

397

398

class TestContext(object):

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

399

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

400

Unit tests for `OpenSSL.SSL.Context`.

Hynek Schlawack

aa86121

2016-03-13 13:53:48 +0100

[diff] [blame]

401

"""

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

402

@pytest.mark.parametrize("cipher_string", [

403

b"hello world:AES128-SHA",

404

u"hello world:AES128-SHA",

405

])

406

def test_set_cipher_list(self, context, cipher_string):

407

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

408

`Context.set_cipher_list` accepts both byte and unicode strings

Hynek Schlawack

a7a63af

2016-03-11 12:05:26 +0100

[diff] [blame]

409

for naming the ciphers which connections created with the context

410

object will be able to choose from.

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

411

"""

412

context.set_cipher_list(cipher_string)

413

conn = Connection(context, None)

414

415

assert "AES128-SHA" in conn.get_cipher_list()

416

417

@pytest.mark.parametrize("cipher_list,error", [

418

(object(), TypeError),

419

("imaginary-cipher", Error),

420

])

421

def test_set_cipher_list_wrong_args(self, context, cipher_list, error):

422

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

423

`Context.set_cipher_list` raises `TypeError` when passed a non-string

424

argument and raises `OpenSSL.SSL.Error` when passed an incorrect cipher

425

list string.

Hynek Schlawack

2016-03-11 11:21:13 +0100

[diff] [blame]

426

"""

427

with pytest.raises(error):

428

context.set_cipher_list(cipher_list)

429

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

430

def test_load_client_ca(self, context, ca_file):

431

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

432

`Context.load_client_ca` works as far as we can tell.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

433

"""

434

context.load_client_ca(ca_file)

435

436

def test_load_client_ca_invalid(self, context, tmpdir):

437

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

438

`Context.load_client_ca` raises an Error if the ca file is invalid.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

439

"""

440

ca_file = tmpdir.join("test.pem")

441

ca_file.write("")

442

443

with pytest.raises(Error) as e:

444

context.load_client_ca(str(ca_file).encode("ascii"))

445

446

assert "PEM routines" == e.value.args[0][0][0]

447

448

def test_load_client_ca_unicode(self, context, ca_file):

449

"""

450

Passing the path as unicode raises a warning but works.

451

"""

452

pytest.deprecated_call(

453

context.load_client_ca, ca_file.decode("ascii")

454

)

455

456

def test_set_session_id(self, context):

457

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

458

`Context.set_session_id` works as far as we can tell.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

459

"""

460

context.set_session_id(b"abc")

461

462

def test_set_session_id_fail(self, context):

463

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

464

`Context.set_session_id` errors are propagated.

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

465

"""

466

with pytest.raises(Error) as e:

467

context.set_session_id(b"abc" * 1000)

assert [

("SSL routines",

"SSL_CTX_set_session_id_context",

472

"ssl session id context too long")

473

] == e.value.args[0]

474

475

def test_set_session_id_unicode(self, context):

476

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

477

`Context.set_session_id` raises a warning if a unicode string is

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

478

passed.

479

"""

480

pytest.deprecated_call(context.set_session_id, u"abc")

481

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

482

def test_method(self):

483

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

484

`Context` can be instantiated with one of `SSLv2_METHOD`,

485

`SSLv3_METHOD`, `SSLv23_METHOD`, `TLSv1_METHOD`, `TLSv1_1_METHOD`,

486

or `TLSv1_2_METHOD`.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

487

"""

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

488

methods = [SSLv23_METHOD, TLSv1_METHOD]

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

489

for meth in methods:

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

490

Context(meth)

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

491

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

492

maybe = [SSLv2_METHOD, SSLv3_METHOD, TLSv1_1_METHOD, TLSv1_2_METHOD]

Jean-Paul Calderone

2013-10-03 16:05:00 -0400

[diff] [blame]

for meth in maybe:

try:

Context(meth)

except (Error, ValueError):

497

# Some versions of OpenSSL have SSLv2 / TLSv1.1 / TLSv1.2, some

498

# don't. Difficult to say in advance.

499

pass

Jean-Paul Calderone

2011-04-14 09:36:55 -0400

[diff] [blame]

500

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

501

with pytest.raises(TypeError):

502

Context("")

503

with pytest.raises(ValueError):

504

Context(10)

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

505

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

506

@skip_if_py3

507

def test_method_long(self):

508

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

509

On Python 2 `Context` accepts values of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

510

"""

511

Context(long(TLSv1_METHOD))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

512

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

513

def test_type(self):

514

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

515

`Context` and `ContextType` refer to the same type object and can

516

be used to create instances of that type.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

517

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

518

assert Context is ContextType

519

assert is_consistent_type(Context, 'Context', TLSv1_METHOD)

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

520

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

521

def test_use_privatekey(self):

522

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

523

`Context.use_privatekey` takes an `OpenSSL.crypto.PKey` instance.

Jean-Paul Calderone

2008-03-21 17:04:05 -0400

[diff] [blame]

524

"""

525

key = PKey()

526

key.generate_key(TYPE_RSA, 128)

527

ctx = Context(TLSv1_METHOD)

528

ctx.use_privatekey(key)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

529

with pytest.raises(TypeError):

530

ctx.use_privatekey("")

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

531

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

532

def test_use_privatekey_file_missing(self, tmpfile):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

533

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

534

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` when passed

535

the name of a file which does not exist.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

536

"""

537

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

538

with pytest.raises(Error):

539

ctx.use_privatekey_file(tmpfile)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

540

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

541

def _use_privatekey_file_test(self, pemfile, filetype):

542

"""

543

Verify that calling ``Context.use_privatekey_file`` with the given

544

arguments does not raise an exception.

545

"""

546

key = PKey()

547

key.generate_key(TYPE_RSA, 128)

548

549

with open(pemfile, "wt") as pem:

550

pem.write(

551

dump_privatekey(FILETYPE_PEM, key).decode("ascii")

552

)

553

554

ctx = Context(TLSv1_METHOD)

555

ctx.use_privatekey_file(pemfile, filetype)

556

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

557

@pytest.mark.parametrize('filetype', [object(), "", None, 1.0])

558

def test_wrong_privatekey_file_wrong_args(self, tmpfile, filetype):

559

"""

560

`Context.use_privatekey_file` raises `TypeError` when called with

561

a `filetype` which is not a valid file encoding.

562

"""

563

ctx = Context(TLSv1_METHOD)

564

with pytest.raises(TypeError):

565

ctx.use_privatekey_file(tmpfile, filetype)

566

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

567

def test_use_privatekey_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

568

"""

569

A private key can be specified from a file by passing a ``bytes``

570

instance giving the file name to ``Context.use_privatekey_file``.

571

"""

572

self._use_privatekey_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

573

tmpfile + NON_ASCII.encode(getfilesystemencoding()),

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

FILETYPE_PEM,

)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

577

def test_use_privatekey_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

578

"""

579

A private key can be specified from a file by passing a ``unicode``

580

instance giving the file name to ``Context.use_privatekey_file``.

581

"""

582

self._use_privatekey_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

583

tmpfile.decode(getfilesystemencoding()) + NON_ASCII,

Jean-Paul Calderone

2015-04-12 10:04:28 -0400

[diff] [blame]

FILETYPE_PEM,

)

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

587

@skip_if_py3

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

588

def test_use_privatekey_file_long(self, tmpfile):

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

589

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

590

On Python 2 `Context.use_privatekey_file` accepts a filetype of

591

type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

592

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

593

self._use_privatekey_file_test(tmpfile, long(FILETYPE_PEM))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

594

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

595

def test_use_certificate_wrong_args(self):

596

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

597

`Context.use_certificate_wrong_args` raises `TypeError` when not passed

598

exactly one `OpenSSL.crypto.X509` instance as an argument.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

599

"""

600

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

601

with pytest.raises(TypeError):

602

ctx.use_certificate("hello, world")

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

603

604

def test_use_certificate_uninitialized(self):

605

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

606

`Context.use_certificate` raises `OpenSSL.SSL.Error` when passed a

607

`OpenSSL.crypto.X509` instance which has not been initialized

608

(ie, which does not actually have any certificate data).

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

609

"""

610

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

611

with pytest.raises(Error):

612

ctx.use_certificate(X509())

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

613

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

614

def test_use_certificate(self):

615

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

616

`Context.use_certificate` sets the certificate which will be

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

617

used to identify connections created using the context.

618

"""

619

# TODO

620

# Hard to assert anything. But we could set a privatekey then ask

621

# OpenSSL if the cert and key agree using check_privatekey. Then as

622

# long as check_privatekey works right we're good...

623

ctx = Context(TLSv1_METHOD)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

624

ctx.use_certificate(

625

load_certificate(FILETYPE_PEM, cleartextCertificatePEM)

626

)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

627

628

def test_use_certificate_file_wrong_args(self):

629

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

630

`Context.use_certificate_file` raises `TypeError` if the first

631

argument is not a byte string or the second argument is not an integer.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

632

"""

633

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

634

with pytest.raises(TypeError):

635

ctx.use_certificate_file(object(), FILETYPE_PEM)

636

with pytest.raises(TypeError):

637

ctx.use_certificate_file(b"somefile", object())

638

with pytest.raises(TypeError):

639

ctx.use_certificate_file(object(), FILETYPE_PEM)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

640

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

641

def test_use_certificate_file_missing(self, tmpfile):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

642

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

643

`Context.use_certificate_file` raises `OpenSSL.SSL.Error` if passed

644

the name of a file which does not exist.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

645

"""

646

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

647

with pytest.raises(Error):

648

ctx.use_certificate_file(tmpfile)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

649

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

650

def _use_certificate_file_test(self, certificate_file):

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

651

"""

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

652

Verify that calling ``Context.use_certificate_file`` with the given

653

filename doesn't raise an exception.

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

654

"""

655

# TODO

656

# Hard to assert anything. But we could set a privatekey then ask

657

# OpenSSL if the cert and key agree using check_privatekey. Then as

658

# long as check_privatekey works right we're good...

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

659

with open(certificate_file, "wb") as pem_file:

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

660

pem_file.write(cleartextCertificatePEM)

661

662

ctx = Context(TLSv1_METHOD)

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

663

ctx.use_certificate_file(certificate_file)

664

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

665

def test_use_certificate_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

666

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

667

`Context.use_certificate_file` sets the certificate (given as a

668

`bytes` filename) which will be used to identify connections created

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

669

using the context.

670

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

671

filename = tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

672

self._use_certificate_file_test(filename)

673

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

674

def test_use_certificate_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

675

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

676

`Context.use_certificate_file` sets the certificate (given as a

677

`bytes` filename) which will be used to identify connections created

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

678

using the context.

679

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

680

filename = tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 09:57:36 -0400

[diff] [blame]

681

self._use_certificate_file_test(filename)

Jean-Paul Calderone

2013-03-06 10:29:21 -0800

[diff] [blame]

682

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

683

@skip_if_py3

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

684

def test_use_certificate_file_long(self, tmpfile):

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

685

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

686

On Python 2 `Context.use_certificate_file` accepts a

687

filetype of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

688

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

689

pem_filename = tmpfile

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

690

with open(pem_filename, "wb") as pem_file:

691

pem_file.write(cleartextCertificatePEM)

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

692

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

693

ctx = Context(TLSv1_METHOD)

694

ctx.use_certificate_file(pem_filename, long(FILETYPE_PEM))

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

695

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

696

def test_check_privatekey_valid(self):

697

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

698

`Context.check_privatekey` returns `None` if the `Context` instance

699

has been configured to use a matched key and certificate pair.

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

700

"""

701

key = load_privatekey(FILETYPE_PEM, client_key_pem)

702

cert = load_certificate(FILETYPE_PEM, client_cert_pem)

703

context = Context(TLSv1_METHOD)

704

context.use_privatekey(key)

705

context.use_certificate(cert)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

706

assert None is context.check_privatekey()

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

707

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

708

def test_check_privatekey_invalid(self):

709

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

710

`Context.check_privatekey` raises `Error` if the `Context` instance

711

has been configured to use a key and certificate pair which don't

712

relate to each other.

Jean-Paul Calderone

2014-12-11 13:58:00 -0500

[diff] [blame]

713

"""

714

key = load_privatekey(FILETYPE_PEM, client_key_pem)

715

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

716

context = Context(TLSv1_METHOD)

717

context.use_privatekey(key)

718

context.use_certificate(cert)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

719

with pytest.raises(Error):

720

context.check_privatekey()

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

721

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

722

def test_app_data(self):

723

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

724

`Context.set_app_data` stores an object for later retrieval

725

using `Context.get_app_data`.

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

726

"""

727

app_data = object()

728

context = Context(TLSv1_METHOD)

729

context.set_app_data(app_data)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

730

assert context.get_app_data() is app_data

Jean-Paul Calderone

2010-07-30 18:03:25 -0400

[diff] [blame]

731

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

732

def test_set_options_wrong_args(self):

733

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

734

`Context.set_options` raises `TypeError` if called with

735

a non-`int` argument.

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

736

"""

737

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

738

with pytest.raises(TypeError):

739

context.set_options(None)

Jean-Paul Calderone

40569ca

2010-07-30 18:04:58 -0400

[diff] [blame]

740

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

741

def test_set_options(self):

742

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

743

`Context.set_options` returns the new options value.

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

744

"""

745

context = Context(TLSv1_METHOD)

746

options = context.set_options(OP_NO_SSLv2)

Alex Gaynor

2310f8b

2016-09-10 14:39:32 -0400

[diff] [blame]

747

assert options & OP_NO_SSLv2 == OP_NO_SSLv2

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

748

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

749

@skip_if_py3

750

def test_set_options_long(self):

751

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

752

On Python 2 `Context.set_options` accepts values of type

753

`long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

754

"""

755

context = Context(TLSv1_METHOD)

756

options = context.set_options(long(OP_NO_SSLv2))

Alex Gaynor

2310f8b

2016-09-10 14:39:32 -0400

[diff] [blame]

757

assert options & OP_NO_SSLv2 == OP_NO_SSLv2

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

758

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

759

def test_set_mode_wrong_args(self):

760

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

761

`Context.set_mode` raises `TypeError` if called with

762

a non-`int` argument.

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

763

"""

764

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

765

with pytest.raises(TypeError):

766

context.set_mode(None)

Guillermo Gonzalez

74a2c29

2011-08-29 16:16:58 -0300

[diff] [blame]

767

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

768

def test_set_mode(self):

769

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

770

`Context.set_mode` accepts a mode bitvector and returns the

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

771

newly set mode.

772

"""

773

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

774

assert MODE_RELEASE_BUFFERS & context.set_mode(MODE_RELEASE_BUFFERS)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

775

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

776

@skip_if_py3

777

def test_set_mode_long(self):

778

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

779

On Python 2 `Context.set_mode` accepts values of type `long` as well

780

as `int`.

Alex Gaynor

2016-07-31 10:54:24 -0400

[diff] [blame]

781

"""

782

context = Context(TLSv1_METHOD)

783

mode = context.set_mode(long(MODE_RELEASE_BUFFERS))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

784

assert MODE_RELEASE_BUFFERS & mode

Jean-Paul Calderone

0222a49

2011-09-08 18:26:03 -0400

[diff] [blame]

785

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

786

def test_set_timeout_wrong_args(self):

787

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

788

`Context.set_timeout` raises `TypeError` if called with

789

a non-`int` argument.

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

790

"""

791

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

792

with pytest.raises(TypeError):

793

context.set_timeout(None)

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

794

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

795

def test_timeout(self):

796

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

797

`Context.set_timeout` sets the session timeout for all connections

798

created using the context object. `Context.get_timeout` retrieves

799

this value.

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

800

"""

801

context = Context(TLSv1_METHOD)

802

context.set_timeout(1234)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

803

assert context.get_timeout() == 1234

Jean-Paul Calderone

2010-07-30 18:09:41 -0400

[diff] [blame]

804

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

805

@skip_if_py3

806

def test_timeout_long(self):

807

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

808

On Python 2 `Context.set_timeout` accepts values of type `long` as

809

well as int.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

810

"""

811

context = Context(TLSv1_METHOD)

812

context.set_timeout(long(1234))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

813

assert context.get_timeout() == 1234

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

814

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

815

def test_set_verify_depth_wrong_args(self):

816

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

817

`Context.set_verify_depth` raises `TypeError` if called with a

818

non-`int` argument.

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

819

"""

820

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

821

with pytest.raises(TypeError):

822

context.set_verify_depth(None)

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

823

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

824

def test_verify_depth(self):

825

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

826

`Context.set_verify_depth` sets the number of certificates in

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

827

a chain to follow before giving up. The value can be retrieved with

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

828

`Context.get_verify_depth`.

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

829

"""

830

context = Context(TLSv1_METHOD)

831

context.set_verify_depth(11)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

832

assert context.get_verify_depth() == 11

Jean-Paul Calderone

2010-07-30 18:22:06 -0400

[diff] [blame]

833

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

834

@skip_if_py3

835

def test_verify_depth_long(self):

836

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

837

On Python 2 `Context.set_verify_depth` accepts values of type `long`

838

as well as int.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

839

"""

840

context = Context(TLSv1_METHOD)

841

context.set_verify_depth(long(11))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

842

assert context.get_verify_depth() == 11

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

843

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

844

def _write_encrypted_pem(self, passphrase, tmpfile):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

845

"""

846

Write a new private key out to a new file, encrypted using the given

847

passphrase. Return the path to the new file.

848

"""

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

849

key = PKey()

850

key.generate_key(TYPE_RSA, 128)

Jean-Paul Calderone

a986883

2010-08-22 21:38:34 -0400

[diff] [blame]

851

pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

852

with open(tmpfile, 'w') as fObj:

853

fObj.write(pem.decode('ascii'))

854

return tmpfile

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

855

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

856

def test_set_passwd_cb_wrong_args(self):

857

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

858

`Context.set_passwd_cb` raises `TypeError` if called with a

859

non-callable first argument.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

860

"""

861

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

862

with pytest.raises(TypeError):

863

context.set_passwd_cb(None)

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

864

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

865

def test_set_passwd_cb(self, tmpfile):

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

866

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

867

`Context.set_passwd_cb` accepts a callable which will be invoked when

868

a private key is loaded from an encrypted PEM.

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

869

"""

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

870

passphrase = b"foobar"

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

871

pemFile = self._write_encrypted_pem(passphrase, tmpfile)

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

872

calledWith = []

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

873

Jean-Paul Calderone

2008-04-26 18:06:54 -0400

[diff] [blame]

874

def passphraseCallback(maxlen, verify, extra):

875

calledWith.append((maxlen, verify, extra))

876

return passphrase

877

context = Context(TLSv1_METHOD)

878

context.set_passwd_cb(passphraseCallback)

879

context.use_privatekey_file(pemFile)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

880

assert len(calledWith) == 1

881

assert isinstance(calledWith[0][0], int)

882

assert isinstance(calledWith[0][1], int)

883

assert calledWith[0][2] is None

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

884

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

885

def test_passwd_callback_exception(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

886

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

887

`Context.use_privatekey_file` propagates any exception raised

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

888

by the passphrase callback.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

889

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

890

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

891

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

892

def passphraseCallback(maxlen, verify, extra):

893

raise RuntimeError("Sorry, I am a fail.")

894

895

context = Context(TLSv1_METHOD)

896

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

897

with pytest.raises(RuntimeError):

898

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

899

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

900

def test_passwd_callback_false(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

901

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

902

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` if the

903

passphrase callback returns a false value.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

904

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

905

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

906

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

907

def passphraseCallback(maxlen, verify, extra):

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

908

return b""

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

909

910

context = Context(TLSv1_METHOD)

911

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

912

with pytest.raises(Error):

913

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

914

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

915

def test_passwd_callback_non_string(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

916

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

917

`Context.use_privatekey_file` raises `OpenSSL.SSL.Error` if the

918

passphrase callback returns a true non-string value.

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

919

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

920

pemFile = self._write_encrypted_pem(b"monkeys are nice", tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

921

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

922

def passphraseCallback(maxlen, verify, extra):

923

return 10

924

925

context = Context(TLSv1_METHOD)

926

context.set_passwd_cb(passphraseCallback)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

927

# TODO: Surely this is the wrong error?

928

with pytest.raises(ValueError):

929

context.use_privatekey_file(pemFile)

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

930

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

931

def test_passwd_callback_too_long(self, tmpfile):

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

932

"""

933

If the passphrase returned by the passphrase callback returns a string

934

longer than the indicated maximum length, it is truncated.

935

"""

936

# A priori knowledge!

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

937

passphrase = b"x" * 1024

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

938

pemFile = self._write_encrypted_pem(passphrase, tmpfile)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

939

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

940

def passphraseCallback(maxlen, verify, extra):

941

assert maxlen == 1024

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

942

return passphrase + b"y"

Jean-Paul Calderone

2010-07-30 17:57:53 -0400

[diff] [blame]

943

944

context = Context(TLSv1_METHOD)

945

context.set_passwd_cb(passphraseCallback)

946

# This shall succeed because the truncated result is the correct

947

# passphrase.

948

context.use_privatekey_file(pemFile)

949

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

950

def test_set_info_callback(self):

951

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

952

`Context.set_info_callback` accepts a callable which will be

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

953

invoked when certain information about an SSL connection is available.

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

954

"""

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

955

(server, client) = socket_pair()

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

956

957

clientSSL = Connection(Context(TLSv1_METHOD), client)

958

clientSSL.set_connect_state()

959

960

called = []

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

961

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

962

def info(conn, where, ret):

963

called.append((conn, where, ret))

964

context = Context(TLSv1_METHOD)

965

context.set_info_callback(info)

966

context.use_certificate(

967

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

968

context.use_privatekey(

969

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

970

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

971

serverSSL = Connection(context, server)

972

serverSSL.set_accept_state()

973

Jean-Paul Calderone

f2bbc9c

2014-02-02 10:59:14 -0500

[diff] [blame]

974

handshake(clientSSL, serverSSL)

Jean-Paul Calderone

2008-04-26 19:06:28 -0400

[diff] [blame]

975

Jean-Paul Calderone

3835e52

2014-02-02 11:12:30 -0500

[diff] [blame]

976

# The callback must always be called with a Connection instance as the

977

# first argument. It would probably be better to split this into

978

# separate tests for client and server side info callbacks so we could

979

# assert it is called with the right Connection instance. It would

980

# also be good to assert *something* about `where` and `ret`.

Jean-Paul Calderone

f2bbc9c

2014-02-02 10:59:14 -0500

[diff] [blame]

981

notConnections = [

982

conn for (conn, where, ret) in called

983

if not isinstance(conn, Connection)]

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

984

assert [] == notConnections, (

985

"Some info callback arguments were not Connection instances.")

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

986

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

987

def _load_verify_locations_test(self, *args):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

988

"""

989

Create a client context which will verify the peer certificate and call

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

990

its `load_verify_locations` method with the given arguments.

Jean-Paul Calderone

64efa2c

2011-09-11 10:00:09 -0400

[diff] [blame]

991

Then connect it to a server and ensure that the handshake succeeds.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

992

"""

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

993

(server, client) = socket_pair()

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

994

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

995

clientContext = Context(TLSv1_METHOD)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

996

clientContext.load_verify_locations(*args)

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

997

# Require that the server certificate verify properly or the

998

# connection will fail.

999

clientContext.set_verify(

1000

VERIFY_PEER,

1001

lambda conn, cert, errno, depth, preverify_ok: preverify_ok)

1002

1003

clientSSL = Connection(clientContext, client)

1004

clientSSL.set_connect_state()

1005

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1006

serverContext = Context(TLSv1_METHOD)

1007

serverContext.use_certificate(

1008

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1009

serverContext.use_privatekey(

1010

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1011

1012

serverSSL = Connection(serverContext, server)

1013

serverSSL.set_accept_state()

1014

Jean-Paul Calderone

f874203

2010-09-25 00:00:32 -0400

[diff] [blame]

1015

# Without load_verify_locations above, the handshake

1016

# will fail:

1017

# Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE',

1018

# 'certificate verify failed')]

1019

handshake(clientSSL, serverSSL)

Jean-Paul Calderone

2008-09-07 20:17:17 -0400

[diff] [blame]

1020

1021

cert = clientSSL.get_peer_certificate()

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1022

assert cert.get_subject().CN == 'Testing Root CA'

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1023

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1024

def _load_verify_cafile(self, cafile):

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1025

"""

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1026

Verify that if path to a file containing a certificate is passed to

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1027

`Context.load_verify_locations` for the ``cafile`` parameter, that

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1028

certificate is used as a trust root for the purposes of verifying

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1029

connections created using that `Context`.

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1030

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1031

with open(cafile, 'w') as fObj:

1032

fObj.write(cleartextCertificatePEM.decode('ascii'))

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1033

1034

self._load_verify_locations_test(cafile)

1035

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1036

def test_load_verify_bytes_cafile(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1037

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1038

`Context.load_verify_locations` accepts a file name as a `bytes`

1039

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1040

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1041

cafile = tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1042

self._load_verify_cafile(cafile)

1043

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1044

def test_load_verify_unicode_cafile(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1045

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1046

`Context.load_verify_locations` accepts a file name as a `unicode`

1047

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1048

"""

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1049

self._load_verify_cafile(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1050

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1051

)

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1052

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1053

def test_load_verify_invalid_file(self, tmpfile):

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1054

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1055

`Context.load_verify_locations` raises `Error` when passed a

1056

non-existent cafile.

Jean-Paul Calderone

5075fce

2008-09-07 20:18:55 -0400

[diff] [blame]

1057

"""

1058

clientContext = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1059

with pytest.raises(Error):

1060

clientContext.load_verify_locations(tmpfile)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1061

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1062

def _load_verify_directory_locations_capath(self, capath):

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1063

"""

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1064

Verify that if path to a directory containing certificate files is

1065

passed to ``Context.load_verify_locations`` for the ``capath``

1066

parameter, those certificates are used as trust roots for the purposes

1067

of verifying connections created using that ``Context``.

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1068

"""

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1069

makedirs(capath)

Jean-Paul Calderone

24dfb33

2011-05-04 18:10:26 -0400

[diff] [blame]

1070

# Hash values computed manually with c_rehash to avoid depending on

1071

# c_rehash in the test suite. One is from OpenSSL 0.9.8, the other

1072

# from OpenSSL 1.0.0.

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

1073

for name in [b'c7adac82.0', b'c3705638.0']:

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

1074

cafile = join_bytes_or_unicode(capath, name)

1075

with open(cafile, 'w') as fObj:

1076

fObj.write(cleartextCertificatePEM.decode('ascii'))

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1077

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1078

self._load_verify_locations_test(None, capath)

1079

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1080

def test_load_verify_directory_bytes_capath(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1081

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1082

`Context.load_verify_locations` accepts a directory name as a `bytes`

1083

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1084

"""

1085

self._load_verify_directory_locations_capath(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1086

tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1087

)

1088

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1089

def test_load_verify_directory_unicode_capath(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1090

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1091

`Context.load_verify_locations` accepts a directory name as a `unicode`

1092

instance and uses the certificates within for verification purposes.

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1093

"""

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1094

self._load_verify_directory_locations_capath(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1095

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 11:26:47 -0400

[diff] [blame]

1096

)

Jean-Paul Calderone

2015-04-12 09:20:31 -0400

[diff] [blame]

1097

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1098

def test_load_verify_locations_wrong_args(self):

1099

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1100

`Context.load_verify_locations` raises `TypeError` if with non-`str`

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1101

arguments.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1102

"""

1103

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1104

with pytest.raises(TypeError):

1105

context.load_verify_locations(object())

1106

with pytest.raises(TypeError):

1107

context.load_verify_locations(object(), object())

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1108

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1109

@pytest.mark.skipif(

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

1110

not platform.startswith("linux"),

1111

reason="Loading fallback paths is a linux-specific behavior to "

1112

"accommodate pyca/cryptography manylinux1 wheels"

1113

)

1114

def test_fallback_default_verify_paths(self, monkeypatch):

1115

"""

1116

Test that we load certificates successfully on linux from the fallback

1117

path. To do this we set the _CRYPTOGRAPHY_MANYLINUX1_CA_FILE and

1118

_CRYPTOGRAPHY_MANYLINUX1_CA_DIR vars to be equal to whatever the

1119

current OpenSSL default is and we disable

1120

SSL_CTX_SET_default_verify_paths so that it can't find certs unless

1121

it loads via fallback.

1122

"""

1123

context = Context(TLSv1_METHOD)

1124

monkeypatch.setattr(

1125

_lib, "SSL_CTX_set_default_verify_paths", lambda x: 1

)

monkeypatch.setattr(

SSL,

"_CRYPTOGRAPHY_MANYLINUX1_CA_FILE",

1130

_ffi.string(_lib.X509_get_default_cert_file())

)

monkeypatch.setattr(

SSL,

"_CRYPTOGRAPHY_MANYLINUX1_CA_DIR",

1135

_ffi.string(_lib.X509_get_default_cert_dir())

1136

)

1137

context.set_default_verify_paths()

1138

store = context.get_cert_store()

1139

sk_obj = _lib.X509_STORE_get0_objects(store._store)

1140

assert sk_obj != _ffi.NULL

1141

num = _lib.sk_X509_OBJECT_num(sk_obj)

1142

assert num != 0

1143

1144

def test_check_env_vars(self, monkeypatch):

1145

"""

1146

Test that we return True/False appropriately if the env vars are set.

1147

"""

1148

context = Context(TLSv1_METHOD)

1149

dir_var = "CUSTOM_DIR_VAR"

1150

file_var = "CUSTOM_FILE_VAR"

1151

assert context._check_env_vars_set(dir_var, file_var) is False

1152

monkeypatch.setenv(dir_var, "value")

1153

monkeypatch.setenv(file_var, "value")

1154

assert context._check_env_vars_set(dir_var, file_var) is True

1155

assert context._check_env_vars_set(dir_var, file_var) is True

1156

1157

def test_verify_no_fallback_if_env_vars_set(self, monkeypatch):

1158

"""

1159

Test that we don't use the fallback path if env vars are set.

1160

"""

1161

context = Context(TLSv1_METHOD)

1162

monkeypatch.setattr(

1163

_lib, "SSL_CTX_set_default_verify_paths", lambda x: 1

1164

)

1165

dir_env_var = _ffi.string(

1166

_lib.X509_get_default_cert_dir_env()

1167

).decode("ascii")

1168

file_env_var = _ffi.string(

1169

_lib.X509_get_default_cert_file_env()

1170

).decode("ascii")

1171

monkeypatch.setenv(dir_env_var, "value")

1172

monkeypatch.setenv(file_env_var, "value")

1173

context.set_default_verify_paths()

monkeypatch.setattr(

context,

"_fallback_default_verify_paths",

1178

raiser(SystemError)

1179

)

1180

context.set_default_verify_paths()

1181

1182

@pytest.mark.skipif(

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1183

platform == "win32",

1184

reason="set_default_verify_paths appears not to work on Windows. "

Jean-Paul Calderone

28fb8f0

2009-07-24 18:01:31 -0400

[diff] [blame]

1185

"See LP#404343 and LP#404344."

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1186

)

1187

def test_set_default_verify_paths(self):

1188

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1189

`Context.set_default_verify_paths` causes the platform-specific CA

1190

certificate locations to be used for verification purposes.

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1191

"""

1192

# Testing this requires a server with a certificate signed by one

1193

# of the CAs in the platform CA location. Getting one of those

1194

# costs money. Fortunately (or unfortunately, depending on your

1195

# perspective), it's easy to think of a public server on the

1196

# internet which has such a certificate. Connecting to the network

1197

# in a unit test is bad, but it's the only way I can think of to

1198

# really test this. -exarkun

Hynek Schlawack

bf88793

2015-10-21 17:13:47 +0200

[diff] [blame]

1199

context = Context(SSLv23_METHOD)

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1200

context.set_default_verify_paths()

1201

context.set_verify(

1202

VERIFY_PEER,

1203

lambda conn, cert, errno, depth, preverify_ok: preverify_ok)

Jean-Paul Calderone

2008-09-07 20:58:50 -0400

[diff] [blame]

1204

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1205

client = socket()

Hynek Schlawack

bf88793

2015-10-21 17:13:47 +0200

[diff] [blame]

1206

client.connect(("encrypted.google.com", 443))

Hynek Schlawack

2015-09-05 19:19:32 +0200

[diff] [blame]

1207

clientSSL = Connection(context, client)

1208

clientSSL.set_connect_state()

1209

clientSSL.do_handshake()

1210

clientSSL.send(b"GET / HTTP/1.0\r\n\r\n")

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1211

assert clientSSL.recv(1024)

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

1212

Paul Kehrer

2017-06-29 18:44:08 -0500

[diff] [blame]

1213

def test_fallback_path_is_not_file_or_dir(self):

1214

"""

1215

Test that when passed empty arrays or paths that do not exist no

1216

errors are raised.

1217

"""

1218

context = Context(TLSv1_METHOD)

1219

context._fallback_default_verify_paths([], [])

1220

context._fallback_default_verify_paths(

1221

["/not/a/file"], ["/not/a/dir"]

1222

)

1223

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1224

def test_add_extra_chain_cert_invalid_cert(self):

1225

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1226

`Context.add_extra_chain_cert` raises `TypeError` if called with an

1227

object which is not an instance of `X509`.

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1228

"""

1229

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1230

with pytest.raises(TypeError):

1231

context.add_extra_chain_cert(object())

Jean-Paul Calderone

12608a8

2009-11-07 10:35:15 -0500

[diff] [blame]

1232

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1233

def _handshake_test(self, serverContext, clientContext):

1234

"""

1235

Verify that a client and server created with the given contexts can

1236

successfully handshake and communicate.

1237

"""

1238

serverSocket, clientSocket = socket_pair()

1239

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1240

server = Connection(serverContext, serverSocket)

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

1241

server.set_accept_state()

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1242

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1243

client = Connection(clientContext, clientSocket)

1244

client.set_connect_state()

1245

1246

# Make them talk to each other.

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1247

# interact_in_memory(client, server)

1248

for _ in range(3):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1249

for s in [client, server]:

1250

try:

1251

s.do_handshake()

1252

except WantReadError:

1253

pass

1254

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1255

def test_set_verify_callback_connection_argument(self):

1256

"""

1257

The first argument passed to the verify callback is the

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1258

`Connection` instance for which verification is taking place.

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1259

"""

1260

serverContext = Context(TLSv1_METHOD)

1261

serverContext.use_privatekey(

1262

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1263

serverContext.use_certificate(

1264

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1265

serverConnection = Connection(serverContext, None)

1266

1267

class VerifyCallback(object):

1268

def callback(self, connection, *args):

1269

self.connection = connection

1270

return 1

1271

1272

verify = VerifyCallback()

1273

clientContext = Context(TLSv1_METHOD)

1274

clientContext.set_verify(VERIFY_PEER, verify.callback)

1275

clientConnection = Connection(clientContext, None)

1276

clientConnection.set_connect_state()

1277

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1278

handshake_in_memory(clientConnection, serverConnection)

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1279

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1280

assert verify.connection is clientConnection

Jean-Paul Calderone

2014-04-02 21:09:08 -0400

[diff] [blame]

1281

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1282

def test_set_verify_callback_exception(self):

1283

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1284

If the verify callback passed to `Context.set_verify` raises an

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1285

exception, verification fails and the exception is propagated to the

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1286

caller of `Connection.do_handshake`.

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1287

"""

1288

serverContext = Context(TLSv1_METHOD)

1289

serverContext.use_privatekey(

1290

load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))

1291

serverContext.use_certificate(

1292

load_certificate(FILETYPE_PEM, cleartextCertificatePEM))

1293

1294

clientContext = Context(TLSv1_METHOD)

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1295

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1296

def verify_callback(*args):

1297

raise Exception("silly verify failure")

1298

clientContext.set_verify(VERIFY_PEER, verify_callback)

1299

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

1300

with pytest.raises(Exception) as exc:

1301

self._handshake_test(serverContext, clientContext)

1302

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1303

assert "silly verify failure" == str(exc.value)

Jean-Paul Calderone

2013-03-06 20:54:38 -0800

[diff] [blame]

1304

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1305

def test_add_extra_chain_cert(self, tmpdir):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1306

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1307

`Context.add_extra_chain_cert` accepts an `X509`

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1308

instance to add to the certificate chain.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1309

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1310

See `_create_certificate_chain` for the details of the

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1311

certificate chain tested.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1312

1313

The chain is tested by starting a server with scert and connecting

1314

to it with a client which trusts cacert and requires verification to

1315

succeed.

1316

"""

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

1317

chain = _create_certificate_chain()

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1318

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

1319

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1320

# Dump the CA certificate to a file because that's the only way to load

1321

# it as a trusted CA in the client context.

Hynek Schlawack

4813c0e

2015-04-16 13:38:01 -0400

[diff] [blame]

1322

for cert, name in [(cacert, 'ca.pem'),

1323

(icert, 'i.pem'),

1324

(scert, 's.pem')]:

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1325

with tmpdir.join(name).open('w') as f:

Hynek Schlawack

e90680f

2015-04-16 15:09:27 -0400

[diff] [blame]

1326

f.write(dump_certificate(FILETYPE_PEM, cert).decode('ascii'))

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1327

Hynek Schlawack

1902c01

2015-04-16 15:06:41 -0400

[diff] [blame]

1328

for key, name in [(cakey, 'ca.key'),

1329

(ikey, 'i.key'),

1330

(skey, 's.key')]:

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1331

with tmpdir.join(name).open('w') as f:

Hynek Schlawack

e90680f

2015-04-16 15:09:27 -0400

[diff] [blame]

1332

f.write(dump_privatekey(FILETYPE_PEM, key).decode('ascii'))

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1333

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1334

# Create the server context

1335

serverContext = Context(TLSv1_METHOD)

1336

serverContext.use_privatekey(skey)

1337

serverContext.use_certificate(scert)

Jean-Paul Calderone

16cf03d

2010-09-08 18:53:39 -0400

[diff] [blame]

1338

# The client already has cacert, we only need to give them icert.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1339

serverContext.add_extra_chain_cert(icert)

1340

Jean-Paul Calderone

2010-07-31 14:56:20 -0400

[diff] [blame]

1341

# Create the client

1342

clientContext = Context(TLSv1_METHOD)

1343

clientContext.set_verify(

1344

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1345

clientContext.load_verify_locations(str(tmpdir.join("ca.pem")))

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

1346

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1347

# Try it out.

1348

self._handshake_test(serverContext, clientContext)

1349

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1350

def _use_certificate_chain_file_test(self, certdir):

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1351

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1352

Verify that `Context.use_certificate_chain_file` reads a

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1353

certificate chain from a specified file.

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1354

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1355

The chain is tested by starting a server with scert and connecting to

1356

it with a client which trusts cacert and requires verification to

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1357

succeed.

1358

"""

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

1359

chain = _create_certificate_chain()

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1360

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

1361

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1362

makedirs(certdir)

1363

Jean-Paul Calderone

0582673

2015-04-12 11:38:49 -0400

[diff] [blame]

1364

chainFile = join_bytes_or_unicode(certdir, "chain.pem")

1365

caFile = join_bytes_or_unicode(certdir, "ca.pem")

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1366

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1367

# Write out the chain file.

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1368

with open(chainFile, 'wb') as fObj:

1369

# Most specific to least general.

1370

fObj.write(dump_certificate(FILETYPE_PEM, scert))

1371

fObj.write(dump_certificate(FILETYPE_PEM, icert))

1372

fObj.write(dump_certificate(FILETYPE_PEM, cacert))

1373

1374

with open(caFile, 'w') as fObj:

1375

fObj.write(dump_certificate(FILETYPE_PEM, cacert).decode('ascii'))

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1376

1377

serverContext = Context(TLSv1_METHOD)

1378

serverContext.use_certificate_chain_file(chainFile)

1379

serverContext.use_privatekey(skey)

1380

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1381

clientContext = Context(TLSv1_METHOD)

1382

clientContext.set_verify(

1383

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1384

clientContext.load_verify_locations(caFile)

Jean-Paul Calderone

2010-08-02 18:25:03 -0400

[diff] [blame]

1385

1386

self._handshake_test(serverContext, clientContext)

1387

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1388

def test_use_certificate_chain_file_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1389

"""

1390

``Context.use_certificate_chain_file`` accepts the name of a file (as

1391

an instance of ``bytes``) to specify additional certificates to use to

1392

construct and verify a trust chain.

1393

"""

1394

self._use_certificate_chain_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1395

tmpfile + NON_ASCII.encode(getfilesystemencoding())

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1396

)

1397

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1398

def test_use_certificate_chain_file_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1399

"""

1400

``Context.use_certificate_chain_file`` accepts the name of a file (as

1401

an instance of ``unicode``) to specify additional certificates to use

1402

to construct and verify a trust chain.

1403

"""

1404

self._use_certificate_chain_file_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1405

tmpfile.decode(getfilesystemencoding()) + NON_ASCII

Jean-Paul Calderone

2015-04-12 09:51:21 -0400

[diff] [blame]

1406

)

1407

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1408

def test_use_certificate_chain_file_wrong_args(self):

1409

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1410

`Context.use_certificate_chain_file` raises `TypeError` if passed a

1411

non-byte string single argument.

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1412

"""

1413

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1414

with pytest.raises(TypeError):

1415

context.use_certificate_chain_file(object())

Jean-Paul Calderone

131052e

2013-03-05 11:56:19 -0800

[diff] [blame]

1416

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1417

def test_use_certificate_chain_file_missing_file(self, tmpfile):

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1418

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1419

`Context.use_certificate_chain_file` raises `OpenSSL.SSL.Error` when

1420

passed a bad chain file name (for example, the name of a file which

1421

does not exist).

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1422

"""

1423

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1424

with pytest.raises(Error):

1425

context.use_certificate_chain_file(tmpfile)

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1426

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1427

def test_set_verify_mode(self):

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1428

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1429

`Context.get_verify_mode` returns the verify mode flags previously

1430

passed to `Context.set_verify`.

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1431

"""

1432

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1433

assert context.get_verify_mode() == 0

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1434

context.set_verify(

1435

VERIFY_PEER | VERIFY_CLIENT_ONCE, lambda *args: None)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1436

assert context.get_verify_mode() == (VERIFY_PEER | VERIFY_CLIENT_ONCE)

Jean-Paul Calderone

2010-09-09 18:17:48 -0400

[diff] [blame]

1437

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1438

@skip_if_py3

1439

def test_set_verify_mode_long(self):

1440

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1441

On Python 2 `Context.set_verify_mode` accepts values of type `long`

1442

as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1443

"""

1444

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1445

assert context.get_verify_mode() == 0

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1446

context.set_verify(

Hynek Schlawack

b4ceed3

2015-09-05 20:55:19 +0200

[diff] [blame]

1447

long(VERIFY_PEER | VERIFY_CLIENT_ONCE), lambda *args: None

1448

) # pragma: nocover

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1449

assert context.get_verify_mode() == (VERIFY_PEER | VERIFY_CLIENT_ONCE)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1450

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1451

@pytest.mark.parametrize('mode', [None, 1.0, object(), 'mode'])

1452

def test_set_verify_wrong_mode_arg(self, mode):

1453

"""

1454

`Context.set_verify` raises `TypeError` if the first argument is

1455

not an integer.

1456

"""

1457

context = Context(TLSv1_METHOD)

1458

with pytest.raises(TypeError):

1459

context.set_verify(mode=mode, callback=lambda *args: None)

1460

1461

@pytest.mark.parametrize('callback', [None, 1.0, 'mode', ('foo', 'bar')])

1462

def test_set_verify_wrong_callable_arg(self, callback):

1463

"""

1464

`Context.set_verify` raises `TypeError` if the the second argument

1465

is not callable.

1466

"""

1467

context = Context(TLSv1_METHOD)

1468

with pytest.raises(TypeError):

1469

context.set_verify(mode=VERIFY_PEER, callback=callback)

1470

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1471

def test_load_tmp_dh_wrong_args(self):

1472

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1473

`Context.load_tmp_dh` raises `TypeError` if called with a

1474

non-`str` argument.

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1475

"""

1476

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1477

with pytest.raises(TypeError):

1478

context.load_tmp_dh(object())

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1479

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1480

def test_load_tmp_dh_missing_file(self):

1481

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1482

`Context.load_tmp_dh` raises `OpenSSL.SSL.Error` if the

Hynek Schlawack

2015-09-05 19:09:26 +0200

[diff] [blame]

1483

specified file does not exist.

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1484

"""

1485

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1486

with pytest.raises(Error):

1487

context.load_tmp_dh(b"hello")

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1488

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1489

def _load_tmp_dh_test(self, dhfilename):

Jean-Paul Calderone

4e0c43f

2015-04-13 10:15:17 -0400

[diff] [blame]

1490

"""

1491

Verify that calling ``Context.load_tmp_dh`` with the given filename

1492

does not raise an exception.

1493

"""

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1494

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1495

with open(dhfilename, "w") as dhfile:

1496

dhfile.write(dhparam)

1497

Jean-Paul Calderone

2010-09-09 18:43:40 -0400

[diff] [blame]

1498

context.load_tmp_dh(dhfilename)

1499

# XXX What should I assert here? -exarkun

1500

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1501

def test_load_tmp_dh_bytes(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1502

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1503

`Context.load_tmp_dh` loads Diffie-Hellman parameters from the

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1504

specified file (given as ``bytes``).

1505

"""

1506

self._load_tmp_dh_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1507

tmpfile + NON_ASCII.encode(getfilesystemencoding()),

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1508

)

1509

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1510

def test_load_tmp_dh_unicode(self, tmpfile):

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1511

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1512

`Context.load_tmp_dh` loads Diffie-Hellman parameters from the

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1513

specified file (given as ``unicode``).

1514

"""

1515

self._load_tmp_dh_test(

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1516

tmpfile.decode(getfilesystemencoding()) + NON_ASCII,

Jean-Paul Calderone

2015-04-12 10:13:13 -0400

[diff] [blame]

1517

)

1518

Jean-Paul Calderone

3e4e335

2014-04-19 09:28:28 -0400

[diff] [blame]

1519

def test_set_tmp_ecdh(self):

Andy Lutomirski

f05a273

2014-03-13 17:22:25 -0700

[diff] [blame]

1520

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1521

`Context.set_tmp_ecdh` sets the elliptic curve for Diffie-Hellman to

1522

the specified curve.

Andy Lutomirski

f05a273

2014-03-13 17:22:25 -0700

[diff] [blame]

1523

"""

1524

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

1525

for curve in get_elliptic_curves():

Hynek Schlawack

a07fa8c

2015-10-17 10:15:28 +0200

[diff] [blame]

1526

if curve.name.startswith(u"Oakley-"):

Hynek Schlawack

7408aff

2015-10-17 09:51:16 +0200

[diff] [blame]

1527

# Setting Oakley-EC2N-4 and Oakley-EC2N-3 adds

1528

# ('bignum routines', 'BN_mod_inverse', 'no inverse') to the

1529

# error queue on OpenSSL 1.0.2.

1530

continue

Jean-Paul Calderone

c09fd58

2014-04-18 22:00:10 -0400

[diff] [blame]

1531

# The only easily "assertable" thing is that it does not raise an

1532

# exception.

Jean-Paul Calderone

3e4e335

2014-04-19 09:28:28 -0400

[diff] [blame]

1533

context.set_tmp_ecdh(curve)

Alex Gaynor

12dc084

2014-01-17 12:51:31 -0600

[diff] [blame]

1534

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1535

def test_set_session_cache_mode_wrong_args(self):

1536

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1537

`Context.set_session_cache_mode` raises `TypeError` if called with

1538

a non-integer argument.

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1539

called with other than one integer argument.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1540

"""

1541

context = Context(TLSv1_METHOD)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1542

with pytest.raises(TypeError):

1543

context.set_session_cache_mode(object())

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1544

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1545

def test_session_cache_mode(self):

1546

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1547

`Context.set_session_cache_mode` specifies how sessions are cached.

1548

The setting can be retrieved via `Context.get_session_cache_mode`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1549

"""

1550

context = Context(TLSv1_METHOD)

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1551

context.set_session_cache_mode(SESS_CACHE_OFF)

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1552

off = context.set_session_cache_mode(SESS_CACHE_BOTH)

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1553

assert SESS_CACHE_OFF == off

1554

assert SESS_CACHE_BOTH == context.get_session_cache_mode()

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

1555

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1556

@skip_if_py3

1557

def test_session_cache_mode_long(self):

1558

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1559

On Python 2 `Context.set_session_cache_mode` accepts values

1560

of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1561

"""

1562

context = Context(TLSv1_METHOD)

1563

context.set_session_cache_mode(long(SESS_CACHE_BOTH))

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1564

assert SESS_CACHE_BOTH == context.get_session_cache_mode()

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

1565

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1566

def test_get_cert_store(self):

1567

"""

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1568

`Context.get_cert_store` returns a `X509Store` instance.

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1569

"""

1570

context = Context(TLSv1_METHOD)

1571

store = context.get_cert_store()

Alex Chan

2017-01-24 15:14:52 +0000

[diff] [blame]

1572

assert isinstance(store, X509Store)

Jean-Paul Calderone

2013-03-05 17:02:26 -0800

[diff] [blame]

1573

1574

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1575

class TestServerNameCallback(object):

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1576

"""

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1577

Tests for `Context.set_tlsext_servername_callback` and its

1578

interaction with `Connection`.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1579

"""

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1580

def test_old_callback_forgotten(self):

1581

"""

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1582

If `Context.set_tlsext_servername_callback` is used to specify

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1583

a new callback, the one it replaces is dereferenced.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1584

"""

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1585

def callback(connection): # pragma: no cover

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1586

pass

1587

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1588

def replacement(connection): # pragma: no cover

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1589

pass

1590

1591

context = Context(TLSv1_METHOD)

1592

context.set_tlsext_servername_callback(callback)

1593

1594

tracker = ref(callback)

1595

del callback

1596

1597

context.set_tlsext_servername_callback(replacement)

Jean-Paul Calderone

d4033eb

2014-01-11 08:21:46 -0500

[diff] [blame]

1598

1599

# One run of the garbage collector happens to work on CPython. PyPy

1600

# doesn't collect the underlying object until a second run for whatever

1601

# reason. That's fine, it still demonstrates our code has properly

1602

# dropped the reference.

1603

collect()

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1604

collect()

Jean-Paul Calderone

4c1aacd

2014-01-11 08:15:17 -0500

[diff] [blame]

1605

1606

callback = tracker()

1607

if callback is not None:

1608

referrers = get_referrers(callback)

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

1609

if len(referrers) > 1: # pragma: nocover

1610

pytest.fail("Some references remain: %r" % (referrers,))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1611

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1612

def test_no_servername(self):

1613

"""

1614

When a client specifies no server name, the callback passed to

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1615

`Context.set_tlsext_servername_callback` is invoked and the

1616

result of `Connection.get_servername` is `None`.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1617

"""

1618

args = []

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1619

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1620

def servername(conn):

1621

args.append((conn, conn.get_servername()))

1622

context = Context(TLSv1_METHOD)

1623

context.set_tlsext_servername_callback(servername)

1624

1625

# Lose our reference to it. The Context is responsible for keeping it

# alive now.

del servername

collect()

# Necessary to actually accept the connection

1631

context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1632

context.use_certificate(

1633

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1634

1635

# Do a little connection to trigger the logic

1636

server = Connection(context, None)

1637

server.set_accept_state()

1638

1639

client = Connection(Context(TLSv1_METHOD), None)

1640

client.set_connect_state()

1641

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1642

interact_in_memory(server, client)

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1643

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1644

assert args == [(server, None)]

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1645

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1646

def test_servername(self):

1647

"""

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1648

When a client specifies a server name in its hello message, the

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1649

callback passed to `Contexts.set_tlsext_servername_callback` is

1650

invoked and the result of `Connection.get_servername` is that

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1651

server name.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1652

"""

1653

args = []

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1654

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1655

def servername(conn):

1656

args.append((conn, conn.get_servername()))

1657

context = Context(TLSv1_METHOD)

1658

context.set_tlsext_servername_callback(servername)

1659

1660

# Necessary to actually accept the connection

1661

context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

Hynek Schlawack

2015-09-05 20:08:16 +0200

[diff] [blame]

1662

context.use_certificate(

1663

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1664

1665

# Do a little connection to trigger the logic

1666

server = Connection(context, None)

1667

server.set_accept_state()

1668

1669

client = Connection(Context(TLSv1_METHOD), None)

1670

client.set_connect_state()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

1671

client.set_tlsext_host_name(b"foo1.example.com")

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1672

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1673

interact_in_memory(server, client)

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1674

Alex Chan

2016-11-05 13:01:51 +0000

[diff] [blame]

1675

assert args == [(server, b"foo1.example.com")]

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

1676

1677

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1678

class TestNextProtoNegotiation(object):

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1679

"""

1680

Test for Next Protocol Negotiation in PyOpenSSL.

1681

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1682

def test_npn_success(self):

1683

"""

1684

Tests that clients and servers that agree on the negotiated next

1685

protocol can correct establish a connection, and that the agreed

1686

protocol is reported by the connections.

"""

advertise_args = []

select_args = []

def advertise(conn):

advertise_args.append((conn,))

1693

return [b'http/1.1', b'spdy/2']

1694

1695

def select(conn, options):

1696

select_args.append((conn, options))

1697

return b'spdy/2'

1698

1699

server_context = Context(TLSv1_METHOD)

1700

server_context.set_npn_advertise_callback(advertise)

1701

1702

client_context = Context(TLSv1_METHOD)

1703

client_context.set_npn_select_callback(select)

1704

1705

# Necessary to actually accept the connection

1706

server_context.use_privatekey(

1707

load_privatekey(FILETYPE_PEM, server_key_pem))

1708

server_context.use_certificate(

1709

load_certificate(FILETYPE_PEM, server_cert_pem))

1710

1711

# Do a little connection to trigger the logic

1712

server = Connection(server_context, None)

1713

server.set_accept_state()

1714

1715

client = Connection(client_context, None)

1716

client.set_connect_state()

1717

1718

interact_in_memory(server, client)

1719

1720

assert advertise_args == [(server,)]

1721

assert select_args == [(client, [b'http/1.1', b'spdy/2'])]

1722

1723

assert server.get_next_proto_negotiated() == b'spdy/2'

1724

assert client.get_next_proto_negotiated() == b'spdy/2'

1725

1726

def test_npn_client_fail(self):

1727

"""

1728

Tests that when clients and servers cannot agree on what protocol

1729

to use next that the TLS connection does not get established.

"""

advertise_args = []

select_args = []

def advertise(conn):

advertise_args.append((conn,))

1736

return [b'http/1.1', b'spdy/2']

1737

1738

def select(conn, options):

1739

select_args.append((conn, options))

1740

return b''

1741

1742

server_context = Context(TLSv1_METHOD)

1743

server_context.set_npn_advertise_callback(advertise)

1744

1745

client_context = Context(TLSv1_METHOD)

1746

client_context.set_npn_select_callback(select)

1747

1748

# Necessary to actually accept the connection

1749

server_context.use_privatekey(

1750

load_privatekey(FILETYPE_PEM, server_key_pem))

1751

server_context.use_certificate(

1752

load_certificate(FILETYPE_PEM, server_cert_pem))

1753

1754

# Do a little connection to trigger the logic

1755

server = Connection(server_context, None)

1756

server.set_accept_state()

1757

1758

client = Connection(client_context, None)

1759

client.set_connect_state()

1760

1761

# If the client doesn't return anything, the connection will fail.

1762

with pytest.raises(Error):

1763

interact_in_memory(server, client)

1764

1765

assert advertise_args == [(server,)]

1766

assert select_args == [(client, [b'http/1.1', b'spdy/2'])]

1767

1768

def test_npn_select_error(self):

1769

"""

1770

Test that we can handle exceptions in the select callback. If

1771

select fails it should be fatal to the connection.

"""

advertise_args = []

def advertise(conn):

advertise_args.append((conn,))

1777

return [b'http/1.1', b'spdy/2']

1778

1779

def select(conn, options):

1780

raise TypeError

1781

1782

server_context = Context(TLSv1_METHOD)

1783

server_context.set_npn_advertise_callback(advertise)

1784

1785

client_context = Context(TLSv1_METHOD)

1786

client_context.set_npn_select_callback(select)

1787

1788

# Necessary to actually accept the connection

1789

server_context.use_privatekey(

1790

load_privatekey(FILETYPE_PEM, server_key_pem))

1791

server_context.use_certificate(

1792

load_certificate(FILETYPE_PEM, server_cert_pem))

1793

1794

# Do a little connection to trigger the logic

1795

server = Connection(server_context, None)

1796

server.set_accept_state()

1797

1798

client = Connection(client_context, None)

1799

client.set_connect_state()

1800

1801

# If the callback throws an exception it should be raised here.

1802

with pytest.raises(TypeError):

1803

interact_in_memory(server, client)

1804

assert advertise_args == [(server,), ]

1805

1806

def test_npn_advertise_error(self):

1807

"""

1808

Test that we can handle exceptions in the advertise callback. If

1809

advertise fails no NPN is advertised to the client.

"""

select_args = []

def advertise(conn):

raise TypeError

def select(conn, options): # pragma: nocover

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

1817

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1818

Assert later that no args are actually appended.

Cory Benfield

ba1820d

2015-04-13 17:39:12 -0400

[diff] [blame]

1819

"""

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1820

select_args.append((conn, options))

1821

return b''

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1822

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1823

server_context = Context(TLSv1_METHOD)

1824

server_context.set_npn_advertise_callback(advertise)

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1825

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1826

client_context = Context(TLSv1_METHOD)

1827

client_context.set_npn_select_callback(select)

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1828

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1829

# Necessary to actually accept the connection

1830

server_context.use_privatekey(

1831

load_privatekey(FILETYPE_PEM, server_key_pem))

1832

server_context.use_certificate(

1833

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1834

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1835

# Do a little connection to trigger the logic

1836

server = Connection(server_context, None)

1837

server.set_accept_state()

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1838

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1839

client = Connection(client_context, None)

1840

client.set_connect_state()

Cory Benfield

2014-03-31 20:30:25 +0100

[diff] [blame]

1841

Alex Chan

2016-11-10 12:18:54 +0000

[diff] [blame]

1842

# If the client doesn't return anything, the connection will fail.

1843

with pytest.raises(TypeError):

1844

interact_in_memory(server, client)

1845

assert select_args == []

Cory Benfield

0ea76e7

2015-03-22 09:05:28 +0000

[diff] [blame]

1846

1847

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1848

class TestApplicationLayerProtoNegotiation(object):

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1849

"""

1850

Tests for ALPN in PyOpenSSL.

1851

"""

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1852

# Skip tests on versions that don't support ALPN.

1853

if _lib.Cryptography_HAS_ALPN:

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1854

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1855

def test_alpn_success(self):

1856

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1857

Clients and servers that agree on the negotiated ALPN protocol can

1858

correct establish a connection, and the agreed protocol is reported

1859

by the connections.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1860

"""

1861

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1862

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1863

def select(conn, options):

1864

select_args.append((conn, options))

1865

return b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1866

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1867

client_context = Context(TLSv1_METHOD)

1868

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1869

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1870

server_context = Context(TLSv1_METHOD)

1871

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1872

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1873

# Necessary to actually accept the connection

1874

server_context.use_privatekey(

1875

load_privatekey(FILETYPE_PEM, server_key_pem))

1876

server_context.use_certificate(

1877

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1878

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1879

# Do a little connection to trigger the logic

1880

server = Connection(server_context, None)

1881

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1882

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1883

client = Connection(client_context, None)

1884

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1885

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1886

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1887

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1888

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1889

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1890

assert server.get_alpn_proto_negotiated() == b'spdy/2'

1891

assert client.get_alpn_proto_negotiated() == b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1892

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1893

def test_alpn_set_on_connection(self):

1894

"""

1895

The same as test_alpn_success, but setting the ALPN protocols on

1896

the connection rather than the context.

1897

"""

1898

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1899

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1900

def select(conn, options):

1901

select_args.append((conn, options))

1902

return b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1903

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1904

# Setup the client context but don't set any ALPN protocols.

1905

client_context = Context(TLSv1_METHOD)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1906

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1907

server_context = Context(TLSv1_METHOD)

1908

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1909

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1910

# Necessary to actually accept the connection

1911

server_context.use_privatekey(

1912

load_privatekey(FILETYPE_PEM, server_key_pem))

1913

server_context.use_certificate(

1914

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1915

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1916

# Do a little connection to trigger the logic

1917

server = Connection(server_context, None)

1918

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1919

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1920

# Set the ALPN protocols on the client connection.

1921

client = Connection(client_context, None)

1922

client.set_alpn_protos([b'http/1.1', b'spdy/2'])

1923

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1924

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1925

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1926

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1927

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1928

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1929

assert server.get_alpn_proto_negotiated() == b'spdy/2'

1930

assert client.get_alpn_proto_negotiated() == b'spdy/2'

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1931

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1932

def test_alpn_server_fail(self):

1933

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1934

When clients and servers cannot agree on what protocol to use next

1935

the TLS connection does not get established.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1936

"""

1937

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

1938

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1939

def select(conn, options):

1940

select_args.append((conn, options))

1941

return b''

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1942

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1943

client_context = Context(TLSv1_METHOD)

1944

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1945

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1946

server_context = Context(TLSv1_METHOD)

1947

server_context.set_alpn_select_callback(select)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1948

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1949

# Necessary to actually accept the connection

1950

server_context.use_privatekey(

1951

load_privatekey(FILETYPE_PEM, server_key_pem))

1952

server_context.use_certificate(

1953

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1954

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1955

# Do a little connection to trigger the logic

1956

server = Connection(server_context, None)

1957

server.set_accept_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1958

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1959

client = Connection(client_context, None)

1960

client.set_connect_state()

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1961

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1962

# If the client doesn't return anything, the connection will fail.

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1963

with pytest.raises(Error):

1964

interact_in_memory(server, client)

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1965

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1966

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2014-06-07 15:42:56 +0100

[diff] [blame]

1967

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1968

def test_alpn_no_server(self):

1969

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1970

When clients and servers cannot agree on what protocol to use next

1971

because the server doesn't offer ALPN, no protocol is negotiated.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1972

"""

1973

client_context = Context(TLSv1_METHOD)

1974

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1975

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1976

server_context = Context(TLSv1_METHOD)

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1977

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1978

# Necessary to actually accept the connection

1979

server_context.use_privatekey(

1980

load_privatekey(FILETYPE_PEM, server_key_pem))

1981

server_context.use_certificate(

1982

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1983

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1984

# Do a little connection to trigger the logic

1985

server = Connection(server_context, None)

1986

server.set_accept_state()

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1987

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1988

client = Connection(client_context, None)

1989

client.set_connect_state()

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1990

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1991

# Do the dance.

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1992

interact_in_memory(server, client)

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1993

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

1994

assert client.get_alpn_proto_negotiated() == b''

Cory Benfield

2015-04-11 17:57:35 -0400

[diff] [blame]

1995

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1996

def test_alpn_callback_exception(self):

1997

"""

Cory Benfield

2015-04-13 18:12:53 -0400

[diff] [blame]

1998

We can handle exceptions in the ALPN select callback.

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

1999

"""

2000

select_args = []

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2001

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2002

def select(conn, options):

2003

select_args.append((conn, options))

Cory Benfield

ef40145

2015-04-13 18:17:36 -0400

[diff] [blame]

2004

raise TypeError()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2005

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2006

client_context = Context(TLSv1_METHOD)

2007

client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2008

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2009

server_context = Context(TLSv1_METHOD)

2010

server_context.set_alpn_select_callback(select)

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2011

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2012

# Necessary to actually accept the connection

2013

server_context.use_privatekey(

2014

load_privatekey(FILETYPE_PEM, server_key_pem))

2015

server_context.use_certificate(

2016

load_certificate(FILETYPE_PEM, server_cert_pem))

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2017

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2018

# Do a little connection to trigger the logic

2019

server = Connection(server_context, None)

2020

server.set_accept_state()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2021

Cory Benfield

2015-04-13 16:50:49 -0400

[diff] [blame]

2022

client = Connection(client_context, None)

2023

client.set_connect_state()

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2024

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2025

with pytest.raises(TypeError):

2026

interact_in_memory(server, client)

2027

assert select_args == [(server, [b'http/1.1', b'spdy/2'])]

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2028

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2029

else:

2030

# No ALPN.

2031

def test_alpn_not_implemented(self):

Cory Benfield

ef40145

2015-04-13 18:17:36 -0400

[diff] [blame]

2032

"""

2033

If ALPN is not in OpenSSL, we should raise NotImplementedError.

2034

"""

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2035

# Test the context methods first.

2036

context = Context(TLSv1_METHOD)

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2037

with pytest.raises(NotImplementedError):

2038

context.set_alpn_protos(None)

2039

with pytest.raises(NotImplementedError):

2040

context.set_alpn_select_callback(None)

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2041

2042

# Now test a connection.

2043

conn = Connection(context)

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2044

with pytest.raises(NotImplementedError):

2045

conn.set_alpn_protos(None)

Cory Benfield

2015-04-13 17:51:12 -0400

[diff] [blame]

2046

Cory Benfield

2015-04-12 09:11:49 -0400

[diff] [blame]

2047

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2048

class TestSession(object):

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

2049

"""

2050

Unit tests for :py:obj:`OpenSSL.SSL.Session`.

2051

"""

2052

def test_construction(self):

2053

"""

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2054

:py:class:`Session` can be constructed with no arguments, creating

2055

a new instance of that type.

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

2056

"""

2057

new_session = Session()

Alex Chan

2016-11-10 14:11:45 +0000

[diff] [blame]

2058

assert isinstance(new_session, Session)

Jean-Paul Calderone

2012-02-13 09:10:15 -0500

[diff] [blame]

2059

2060

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2061

class TestConnection(object):

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2062

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2063

Unit tests for `OpenSSL.SSL.Connection`.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2064

"""

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

2065

# XXX get_peer_certificate -> None

2066

# XXX sock_shutdown

2067

# XXX master_key -> TypeError

2068

# XXX server_random -> TypeError

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

2069

# XXX connect -> TypeError

2070

# XXX connect_ex -> TypeError

2071

# XXX set_connect_state -> TypeError

2072

# XXX set_accept_state -> TypeError

Jean-Paul Calderone

541eaf2

2010-09-09 18:55:08 -0400

[diff] [blame]

2073

# XXX do_handshake -> TypeError

2074

# XXX bio_read -> TypeError

2075

# XXX recv -> TypeError

2076

# XXX send -> TypeError

2077

# XXX bio_write -> TypeError

2078

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2079

def test_type(self):

2080

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2081

`Connection` and `ConnectionType` refer to the same type object and

2082

can be used to create instances of that type.

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2083

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2084

assert Connection is ConnectionType

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2085

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2086

assert is_consistent_type(Connection, 'Connection', ctx, None)

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

2087

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2088

@pytest.mark.parametrize('bad_context', [object(), 'context', None, 1])

2089

def test_wrong_args(self, bad_context):

2090

"""

2091

`Connection.__init__` raises `TypeError` if called with a non-`Context`

2092

instance argument.

2093

"""

2094

with pytest.raises(TypeError):

2095

Connection(bad_context)

2096

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

2097

def test_get_context(self):

2098

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2099

`Connection.get_context` returns the `Context` instance used to

2100

construct the `Connection` instance.

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

2101

"""

2102

context = Context(TLSv1_METHOD)

2103

connection = Connection(context, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2104

assert connection.get_context() is context

Jean-Paul Calderone

4fd058a

2009-11-22 11:46:42 -0500

[diff] [blame]

2105

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2106

def test_set_context_wrong_args(self):

2107

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2108

`Connection.set_context` raises `TypeError` if called with a

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2109

non-`Context` instance argument.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2110

"""

2111

ctx = Context(TLSv1_METHOD)

2112

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2113

with pytest.raises(TypeError):

2114

connection.set_context(object())

2115

with pytest.raises(TypeError):

2116

connection.set_context("hello")

2117

with pytest.raises(TypeError):

2118

connection.set_context(1)

2119

assert ctx is connection.get_context()

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2120

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2121

def test_set_context(self):

2122

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2123

`Connection.set_context` specifies a new `Context` instance to be

2124

used for the connection.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2125

"""

2126

original = Context(SSLv23_METHOD)

2127

replacement = Context(TLSv1_METHOD)

2128

connection = Connection(original, None)

2129

connection.set_context(replacement)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2130

assert replacement is connection.get_context()

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2131

# Lose our references to the contexts, just in case the Connection

2132

# isn't properly managing its own contributions to their reference

2133

# counts.

Jean-Paul Calderone

2011-05-25 22:30:21 -0400

[diff] [blame]

2134

del original, replacement

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2135

collect()

2136

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2137

def test_set_tlsext_host_name_wrong_args(self):

2138

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2139

If `Connection.set_tlsext_host_name` is called with a non-byte string

2140

argument or a byte string with an embedded NUL, `TypeError` is raised.

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2141

"""

2142

conn = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2143

with pytest.raises(TypeError):

2144

conn.set_tlsext_host_name(object())

2145

with pytest.raises(TypeError):

2146

conn.set_tlsext_host_name(b"with\0null")

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2147

Abraham Martin

c5484ba

2015-03-25 15:33:05 +0000

[diff] [blame]

2148

if PY3:

Jean-Paul Calderone

2011-05-26 18:47:00 -0400

[diff] [blame]

2149

# On Python 3.x, don't accidentally implicitly convert from text.

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2150

with pytest.raises(TypeError):

2151

conn.set_tlsext_host_name(b"example.com".decode("ascii"))

Jean-Paul Calderone

871a4d8

2011-05-26 19:24:02 -0400

[diff] [blame]

2152

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2153

def test_pending(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2154

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2155

`Connection.pending` returns the number of bytes available for

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2156

immediate read.

2157

"""

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2158

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2159

assert connection.pending() == 0

Jean-Paul Calderone

1d69a72

2010-07-29 09:05:53 -0400

[diff] [blame]

2160

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2161

def test_peek(self):

2162

"""

Hynek Schlawack

3bcf315

2017-02-18 08:25:34 +0100

[diff] [blame]

2163

`Connection.recv` peeks into the connection if `socket.MSG_PEEK` is

2164

passed.

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2165

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2166

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2167

server.send(b'xy')

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2168

assert client.recv(2, MSG_PEEK) == b'xy'

2169

assert client.recv(2, MSG_PEEK) == b'xy'

2170

assert client.recv(2) == b'xy'

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2171

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2172

def test_connect_wrong_args(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2173

"""

Hynek Schlawack

3bcf315

2017-02-18 08:25:34 +0100

[diff] [blame]

2174

`Connection.connect` raises `TypeError` if called with a non-address

2175

argument.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2176

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2177

connection = Connection(Context(TLSv1_METHOD), socket())

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2178

with pytest.raises(TypeError):

2179

connection.connect(None)

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2180

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2181

def test_connect_refused(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2182

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2183

`Connection.connect` raises `socket.error` if the underlying socket

2184

connect method raises it.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2185

"""

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2186

client = socket()

2187

context = Context(TLSv1_METHOD)

2188

clientSSL = Connection(context, client)

Alex Gaynor

122717b

2015-09-05 14:14:18 -0400

[diff] [blame]

2189

# pytest.raises here doesn't work because of a bug in py.test on Python

2190

# 2.6: https://github.com/pytest-dev/pytest/issues/988

Alex Gaynor

e69c278

2015-09-05 14:07:48 -0400

[diff] [blame]

2191

try:

Alex Gaynor

1aabb2e

2015-09-05 13:35:18 -0400

[diff] [blame]

2192

clientSSL.connect(("127.0.0.1", 1))

Alex Gaynor

e69c278

2015-09-05 14:07:48 -0400

[diff] [blame]

2193

except error as e:

Alex Gaynor

20a4c08

2015-09-05 14:24:15 -0400

[diff] [blame]

2194

exc = e

2195

assert exc.args[0] == ECONNREFUSED

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2196

2197

def test_connect(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2198

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2199

`Connection.connect` establishes a connection to the specified address.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2200

"""

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

port = socket()

port.bind(('', 0))

port.listen(3)

clientSSL = Connection(Context(TLSv1_METHOD), socket())

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2206

clientSSL.connect(('127.0.0.1', port.getsockname()[1]))

2207

# XXX An assertion? Or something?

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2208

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2209

@pytest.mark.skipif(

2210

platform == "darwin",

2211

reason="connect_ex sometimes causes a kernel panic on OS X 10.6.4"

2212

)

2213

def test_connect_ex(self):

2214

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2215

If there is a connection error, `Connection.connect_ex` returns the

2216

errno instead of raising an exception.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

"""

port = socket()

port.bind(('', 0))

port.listen(3)

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2221

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2222

clientSSL = Connection(Context(TLSv1_METHOD), socket())

2223

clientSSL.setblocking(False)

2224

result = clientSSL.connect_ex(port.getsockname())

2225

expected = (EINPROGRESS, EWOULDBLOCK)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2226

assert result in expected

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2227

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2228

def test_accept(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2229

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2230

`Connection.accept` accepts a pending connection attempt and returns a

2231

tuple of a new `Connection` (the accepted client) and the address the

2232

connection originated from.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2233

"""

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2234

ctx = Context(TLSv1_METHOD)

2235

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

2236

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2237

port = socket()

2238

portSSL = Connection(ctx, port)

2239

portSSL.bind(('', 0))

2240

portSSL.listen(3)

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2241

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2242

clientSSL = Connection(Context(TLSv1_METHOD), socket())

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2243

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2244

# Calling portSSL.getsockname() here to get the server IP address

2245

# sounds great, but frequently fails on Windows.

Jean-Paul Calderone

b6e0fd9

2010-09-19 09:22:13 -0400

[diff] [blame]

2246

clientSSL.connect(('127.0.0.1', portSSL.getsockname()[1]))

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2247

Jean-Paul Calderone

2010-07-29 09:49:59 -0400

[diff] [blame]

2248

serverSSL, address = portSSL.accept()

2249

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2250

assert isinstance(serverSSL, Connection)

2251

assert serverSSL.get_context() is ctx

2252

assert address == clientSSL.getsockname()

Jean-Paul Calderone

2010-07-29 09:45:07 -0400

[diff] [blame]

2253

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2254

def test_shutdown_wrong_args(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2255

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2256

`Connection.set_shutdown` raises `TypeError` if called with arguments

2257

other than integers.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2258

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2259

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2260

with pytest.raises(TypeError):

2261

connection.set_shutdown(None)

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2262

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

2263

def test_shutdown(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2264

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2265

`Connection.shutdown` performs an SSL-level connection shutdown.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2266

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2267

server, client = loopback()

2268

assert not server.shutdown()

2269

assert server.get_shutdown() == SENT_SHUTDOWN

2270

with pytest.raises(ZeroReturnError):

2271

client.recv(1024)

2272

assert client.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

e4f6b47

2010-07-29 22:50:58 -0400

[diff] [blame]

2273

client.shutdown()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2274

assert client.get_shutdown() == (SENT_SHUTDOWN | RECEIVED_SHUTDOWN)

2275

with pytest.raises(ZeroReturnError):

2276

server.recv(1024)

2277

assert server.get_shutdown() == (SENT_SHUTDOWN | RECEIVED_SHUTDOWN)

Jean-Paul Calderone

2010-07-29 22:38:42 -0400

[diff] [blame]

2278

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2279

def test_shutdown_closed(self):

2280

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2281

If the underlying socket is closed, `Connection.shutdown` propagates

2282

the write error from the low level write call.

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2283

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2284

server, client = loopback()

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2285

server.sock_shutdown(2)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2286

with pytest.raises(SysCallError) as exc:

2287

server.shutdown()

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2288

if platform == "win32":

2289

assert exc.value.args[0] == ESHUTDOWN

2290

else:

2291

assert exc.value.args[0] == EPIPE

Paul Aurich

2015-01-08 08:34:33 -0800

[diff] [blame]

2292

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2293

def test_shutdown_truncated(self):

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2294

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2295

If the underlying connection is truncated, `Connection.shutdown`

2296

raises an `Error`.

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2297

"""

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2298

server_ctx = Context(TLSv1_METHOD)

2299

client_ctx = Context(TLSv1_METHOD)

2300

server_ctx.use_privatekey(

2301

load_privatekey(FILETYPE_PEM, server_key_pem))

2302

server_ctx.use_certificate(

2303

load_certificate(FILETYPE_PEM, server_cert_pem))

2304

server = Connection(server_ctx, None)

2305

client = Connection(client_ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2306

handshake_in_memory(client, server)

2307

assert not server.shutdown()

2308

with pytest.raises(WantReadError):

2309

server.shutdown()

Glyph

8938947

2015-04-14 17:29:26 -0400

[diff] [blame]

2310

server.bio_shutdown()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2311

with pytest.raises(Error):

2312

server.shutdown()

Glyph

6064ec3

2015-04-14 16:38:22 -0400

[diff] [blame]

2313

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2314

def test_set_shutdown(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2315

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2316

`Connection.set_shutdown` sets the state of the SSL connection

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2317

shutdown process.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2318

"""

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2319

connection = Connection(Context(TLSv1_METHOD), socket())

2320

connection.set_shutdown(RECEIVED_SHUTDOWN)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2321

assert connection.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

c89eef2

2010-07-29 22:51:58 -0400

[diff] [blame]

2322

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2323

@skip_if_py3

2324

def test_set_shutdown_long(self):

2325

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2326

On Python 2 `Connection.set_shutdown` accepts an argument

2327

of type `long` as well as `int`.

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2328

"""

2329

connection = Connection(Context(TLSv1_METHOD), socket())

2330

connection.set_shutdown(long(RECEIVED_SHUTDOWN))

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2331

assert connection.get_shutdown() == RECEIVED_SHUTDOWN

Jean-Paul Calderone

2014-02-09 08:49:06 -0500

[diff] [blame]

2332

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2333

def test_state_string(self):

2334

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2335

`Connection.state_string` verbosely describes the current state of

2336

the `Connection`.

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2337

"""

Hynek Schlawack

b0274ce

2015-10-16 19:56:26 +0200

[diff] [blame]

2338

server, client = socket_pair()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2339

server = loopback_server_factory(server)

2340

client = loopback_client_factory(client)

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2341

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2342

assert server.get_state_string() in [

2343

b"before/accept initialization", b"before SSL initialization"

2344

]

2345

assert client.get_state_string() in [

2346

b"before/connect initialization", b"before SSL initialization"

2347

]

kjav

2015-09-07 12:14:01 +0100

[diff] [blame]

2348

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2349

def test_app_data(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2350

"""

2351

Any object can be set as app data by passing it to

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2352

`Connection.set_app_data` and later retrieved with

2353

`Connection.get_app_data`.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2354

"""

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2355

conn = Connection(Context(TLSv1_METHOD), None)

Todd Chapman

4f73e4f

2015-08-27 11:26:43 -0400

[diff] [blame]

2356

assert None is conn.get_app_data()

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2357

app_data = object()

2358

conn.set_app_data(app_data)

Todd Chapman

4f73e4f

2015-08-27 11:26:43 -0400

[diff] [blame]

2359

assert conn.get_app_data() is app_data

Jean-Paul Calderone

2010-07-29 09:51:06 -0400

[diff] [blame]

2360

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2361

def test_makefile(self):

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2362

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2363

`Connection.makefile` is not implemented and calling that

2364

method raises `NotImplementedError`.

Jean-Paul Calderone

2010-09-08 22:59:37 -0400

[diff] [blame]

2365

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

2366

conn = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2367

with pytest.raises(NotImplementedError):

2368

conn.makefile()

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2369

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2370

def test_get_peer_cert_chain(self):

2371

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2372

`Connection.get_peer_cert_chain` returns a list of certificates

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2373

which the connected server returned for the certification verification.

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2374

"""

2375

chain = _create_certificate_chain()

2376

[(cakey, cacert), (ikey, icert), (skey, scert)] = chain

2377

2378

serverContext = Context(TLSv1_METHOD)

2379

serverContext.use_privatekey(skey)

2380

serverContext.use_certificate(scert)

2381

serverContext.add_extra_chain_cert(icert)

2382

serverContext.add_extra_chain_cert(cacert)

2383

server = Connection(serverContext, None)

2384

server.set_accept_state()

2385

2386

# Create the client

2387

clientContext = Context(TLSv1_METHOD)

2388

clientContext.set_verify(VERIFY_NONE, verify_cb)

2389

client = Connection(clientContext, None)

2390

client.set_connect_state()

2391

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2392

interact_in_memory(client, server)

Jean-Paul Calderone

2011-05-19 21:43:46 -0400

[diff] [blame]

2393

2394

chain = client.get_peer_cert_chain()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2395

assert len(chain) == 3

2396

assert "Server Certificate" == chain[0].get_subject().CN

2397

assert "Intermediate Certificate" == chain[1].get_subject().CN

2398

assert "Authority Certificate" == chain[2].get_subject().CN

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2399

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2400

def test_get_peer_cert_chain_none(self):

2401

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2402

`Connection.get_peer_cert_chain` returns `None` if the peer sends

2403

no certificate chain.

Jean-Paul Calderone

24a4243

2011-05-19 22:21:18 -0400

[diff] [blame]

2404

"""

2405

ctx = Context(TLSv1_METHOD)

2406

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

2407

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

2408

server = Connection(ctx, None)

2409

server.set_accept_state()

2410

client = Connection(Context(TLSv1_METHOD), None)

2411

client.set_connect_state()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2412

interact_in_memory(client, server)

2413

assert None is server.get_peer_cert_chain()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2414

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2415

def test_get_session_unconnected(self):

2416

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2417

`Connection.get_session` returns `None` when used with an object

2418

which has not been connected.

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2419

"""

2420

ctx = Context(TLSv1_METHOD)

2421

server = Connection(ctx, None)

2422

session = server.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2423

assert None is session

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2424

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2425

def test_server_get_session(self):

2426

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2427

On the server side of a connection, `Connection.get_session` returns a

2428

`Session` instance representing the SSL session for that connection.

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2429

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2430

server, client = loopback()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2431

session = server.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2432

assert isinstance(session, Session)

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2433

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2434

def test_client_get_session(self):

2435

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2436

On the client side of a connection, `Connection.get_session`

2437

returns a `Session` instance representing the SSL session for

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2438

that connection.

2439

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2440

server, client = loopback()

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2441

session = client.get_session()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2442

assert isinstance(session, Session)

Jean-Paul Calderone

2012-02-13 11:53:49 -0500

[diff] [blame]

2443

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2444

def test_set_session_wrong_args(self):

2445

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2446

`Connection.set_session` raises `TypeError` if called with an object

2447

that is not an instance of `Session`.

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2448

"""

2449

ctx = Context(TLSv1_METHOD)

2450

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2451

with pytest.raises(TypeError):

2452

connection.set_session(123)

2453

with pytest.raises(TypeError):

2454

connection.set_session("hello")

2455

with pytest.raises(TypeError):

2456

connection.set_session(object())

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2457

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2458

def test_client_set_session(self):

2459

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2460

`Connection.set_session`, when used prior to a connection being

2461

established, accepts a `Session` instance and causes an attempt to

2462

re-use the session it represents when the SSL handshake is performed.

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2463

"""

2464

key = load_privatekey(FILETYPE_PEM, server_key_pem)

2465

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

2466

ctx = Context(TLSv1_METHOD)

2467

ctx.use_privatekey(key)

2468

ctx.use_certificate(cert)

2469

ctx.set_session_id("unity-test")

2470

2471

def makeServer(socket):

2472

server = Connection(ctx, socket)

2473

server.set_accept_state()

2474

return server

2475

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2476

originalServer, originalClient = loopback(

2477

server_factory=makeServer)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2478

originalSession = originalClient.get_session()

2479

2480

def makeClient(socket):

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2481

client = loopback_client_factory(socket)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2482

client.set_session(originalSession)

2483

return client

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2484

resumedServer, resumedClient = loopback(

2485

server_factory=makeServer,

2486

client_factory=makeClient)

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2487

2488

# This is a proxy: in general, we have no access to any unique

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2489

# identifier for the session (new enough versions of OpenSSL expose

2490

# a hash which could be usable, but "new enough" is very, very new).

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2491

# Instead, exploit the fact that the master key is re-used if the

Hynek Schlawack

2015-09-05 20:40:19 +0200

[diff] [blame]

2492

# session is re-used. As long as the master key for the two

2493

# connections is the same, the session was re-used!

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2494

assert originalServer.master_key() == resumedServer.master_key()

Jean-Paul Calderone

2012-02-14 16:31:52 -0500

[diff] [blame]

2495

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2496

def test_set_session_wrong_method(self):

2497

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2498

If `Connection.set_session` is passed a `Session` instance associated

2499

with a context using a different SSL method than the `Connection`

2500

is using, a `OpenSSL.SSL.Error` is raised.

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2501

"""

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2502

# Make this work on both OpenSSL 1.0.0, which doesn't support TLSv1.2

2503

# and also on OpenSSL 1.1.0 which doesn't support SSLv3. (SSL_ST_INIT

2504

# is a way to check for 1.1.0)

Alex Gaynor

aa32e71

2017-06-29 20:56:12 -0700

[diff] [blame]

2505

if SSL_ST_INIT is None:

2506

v1 = TLSv1_2_METHOD

2507

v2 = TLSv1_METHOD

2508

elif hasattr(_lib, "SSLv3_method"):

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2509

v1 = TLSv1_METHOD

2510

v2 = SSLv3_METHOD

2511

else:

Alex Gaynor

aa32e71

2017-06-29 20:56:12 -0700

[diff] [blame]

2512

pytest.skip("Test requires either OpenSSL 1.1.0 or SSLv3")

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2513

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2514

key = load_privatekey(FILETYPE_PEM, server_key_pem)

2515

cert = load_certificate(FILETYPE_PEM, server_cert_pem)

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2516

ctx = Context(v1)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2517

ctx.use_privatekey(key)

2518

ctx.use_certificate(cert)

2519

ctx.set_session_id("unity-test")

2520

2521

def makeServer(socket):

2522

server = Connection(ctx, socket)

2523

server.set_accept_state()

2524

return server

2525

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2526

def makeOriginalClient(socket):

2527

client = Connection(Context(v1), socket)

2528

client.set_connect_state()

2529

return client

2530

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2531

originalServer, originalClient = loopback(

2532

server_factory=makeServer, client_factory=makeOriginalClient)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2533

originalSession = originalClient.get_session()

2534

2535

def makeClient(socket):

2536

# Intentionally use a different, incompatible method here.

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

2537

client = Connection(Context(v2), socket)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2538

client.set_connect_state()

2539

client.set_session(originalSession)

2540

return client

2541

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2542

with pytest.raises(Error):

2543

loopback(client_factory=makeClient, server_factory=makeServer)

Jean-Paul Calderone

2012-02-14 16:51:35 -0500

[diff] [blame]

2544

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2545

def test_wantWriteError(self):

2546

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2547

`Connection` methods which generate output raise

2548

`OpenSSL.SSL.WantWriteError` if writing to the connection's BIO

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2549

fail indicating a should-write state.

2550

"""

2551

client_socket, server_socket = socket_pair()

2552

# Fill up the client's send buffer so Connection won't be able to write

Jean-Paul Calderone

bbff8b9

2014-03-22 14:20:30 -0400

[diff] [blame]

2553

# anything. Only write a single byte at a time so we can be sure we

2554

# completely fill the buffer. Even though the socket API is allowed to

2555

# signal a short write via its return value it seems this doesn't

2556

# always happen on all platforms (FreeBSD and OS X particular) for the

2557

# very last bit of available buffer space.

2558

msg = b"x"

2559

for i in range(1024 * 1024 * 4):

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2560

try:

2561

client_socket.send(msg)

2562

except error as e:

2563

if e.errno == EWOULDBLOCK:

2564

break

2565

raise

2566

else:

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2567

pytest.fail(

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

2568

"Failed to fill socket buffer, cannot test BIO want write")

2569

2570

ctx = Context(TLSv1_METHOD)

2571

conn = Connection(ctx, client_socket)

2572

# Client's speak first, so make it an SSL client

2573

conn.set_connect_state()

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2574

with pytest.raises(WantWriteError):

2575

conn.do_handshake()

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

# XXX want_read

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2579

def test_get_finished_before_connect(self):

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2580

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2581

`Connection.get_finished` returns `None` before TLS handshake

2582

is completed.

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2583

"""

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2584

ctx = Context(TLSv1_METHOD)

2585

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2586

assert connection.get_finished() is None

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2587

2588

def test_get_peer_finished_before_connect(self):

2589

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2590

`Connection.get_peer_finished` returns `None` before TLS handshake

2591

is completed.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2592

"""

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2593

ctx = Context(TLSv1_METHOD)

2594

connection = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2595

assert connection.get_peer_finished() is None

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2596

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2597

def test_get_finished(self):

2598

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2599

`Connection.get_finished` method returns the TLS Finished message send

2600

from client, or server. Finished messages are send during

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2601

TLS handshake.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2602

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2603

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2604

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2605

assert server.get_finished() is not None

2606

assert len(server.get_finished()) > 0

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2607

2608

def test_get_peer_finished(self):

2609

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2610

`Connection.get_peer_finished` method returns the TLS Finished

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2611

message received from client, or server. Finished messages are send

2612

during TLS handshake.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2613

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2614

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2615

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2616

assert server.get_peer_finished() is not None

2617

assert len(server.get_peer_finished()) > 0

Fedor Brunner

2014-03-05 14:22:34 +0100

[diff] [blame]

2618

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2619

def test_tls_finished_message_symmetry(self):

2620

"""

Hynek Schlawack

dddd111

2015-09-05 21:12:30 +0200

[diff] [blame]

2621

The TLS Finished message send by server must be the TLS Finished

2622

message received by client.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2623

Hynek Schlawack

dddd111

2015-09-05 21:12:30 +0200

[diff] [blame]

2624

The TLS Finished message send by client must be the TLS Finished

2625

message received by server.

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2626

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2627

server, client = loopback()

Fedor Brunner

2014-03-28 13:18:38 +0100

[diff] [blame]

2628

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2629

assert server.get_finished() == client.get_peer_finished()

2630

assert client.get_finished() == server.get_peer_finished()

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

2631

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2632

def test_get_cipher_name_before_connect(self):

2633

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2634

`Connection.get_cipher_name` returns `None` if no connection

2635

has been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2636

"""

2637

ctx = Context(TLSv1_METHOD)

2638

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2639

assert conn.get_cipher_name() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2640

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2641

def test_get_cipher_name(self):

2642

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2643

`Connection.get_cipher_name` returns a `unicode` string giving the

2644

name of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2645

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2646

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2647

server_cipher_name, client_cipher_name = \

2648

server.get_cipher_name(), client.get_cipher_name()

2649

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2650

assert isinstance(server_cipher_name, text_type)

2651

assert isinstance(client_cipher_name, text_type)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2652

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2653

assert server_cipher_name == client_cipher_name

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2654

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2655

def test_get_cipher_version_before_connect(self):

2656

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2657

`Connection.get_cipher_version` returns `None` if no connection

2658

has been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2659

"""

2660

ctx = Context(TLSv1_METHOD)

2661

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2662

assert conn.get_cipher_version() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2663

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2664

def test_get_cipher_version(self):

2665

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2666

`Connection.get_cipher_version` returns a `unicode` string giving

2667

the protocol name of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2668

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2669

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2670

server_cipher_version, client_cipher_version = \

2671

server.get_cipher_version(), client.get_cipher_version()

2672

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2673

assert isinstance(server_cipher_version, text_type)

2674

assert isinstance(client_cipher_version, text_type)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2675

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2676

assert server_cipher_version == client_cipher_version

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2677

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2678

def test_get_cipher_bits_before_connect(self):

2679

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2680

`Connection.get_cipher_bits` returns `None` if no connection has

2681

been established.

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2682

"""

2683

ctx = Context(TLSv1_METHOD)

2684

conn = Connection(ctx, None)

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2685

assert conn.get_cipher_bits() is None

Fedor Brunner

2014-03-10 10:35:23 +0100

[diff] [blame]

2686

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2687

def test_get_cipher_bits(self):

2688

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2689

`Connection.get_cipher_bits` returns the number of secret bits

Jean-Paul Calderone

5b05b48

2014-03-30 11:28:54 -0400

[diff] [blame]

2690

of the currently used cipher.

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2691

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2692

server, client = loopback()

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2693

server_cipher_bits, client_cipher_bits = \

2694

server.get_cipher_bits(), client.get_cipher_bits()

2695

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2696

assert isinstance(server_cipher_bits, int)

2697

assert isinstance(client_cipher_bits, int)

Fedor Brunner

2014-03-03 17:34:41 +0100

[diff] [blame]

2698

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2699

assert server_cipher_bits == client_cipher_bits

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

2700

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2701

def test_get_protocol_version_name(self):

2702

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2703

`Connection.get_protocol_version_name()` returns a string giving the

2704

protocol version of the current connection.

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2705

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2706

server, client = loopback()

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2707

client_protocol_version_name = client.get_protocol_version_name()

2708

server_protocol_version_name = server.get_protocol_version_name()

2709

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2710

assert isinstance(server_protocol_version_name, text_type)

2711

assert isinstance(client_protocol_version_name, text_type)

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2712

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2713

assert server_protocol_version_name == client_protocol_version_name

Jim Shaver

2015-05-27 09:15:55 -0400

[diff] [blame]

2714

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2715

def test_get_protocol_version(self):

2716

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2717

`Connection.get_protocol_version()` returns an integer

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2718

giving the protocol version of the current connection.

2719

"""

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2720

server, client = loopback()

Jim Shaver

85a4dff

2015-04-27 17:42:46 -0400

[diff] [blame]

2721

client_protocol_version = client.get_protocol_version()

2722

server_protocol_version = server.get_protocol_version()

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2723

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2724

assert isinstance(server_protocol_version, int)

2725

assert isinstance(client_protocol_version, int)

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2726

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2727

assert server_protocol_version == client_protocol_version

2728

2729

def test_wantReadError(self):

2730

"""

2731

`Connection.bio_read` raises `OpenSSL.SSL.WantReadError` if there are

2732

no bytes available to be read from the BIO.

2733

"""

2734

ctx = Context(TLSv1_METHOD)

2735

conn = Connection(ctx, None)

2736

with pytest.raises(WantReadError):

2737

conn.bio_read(1024)

2738

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

2739

@pytest.mark.parametrize('bufsize', [1.0, None, object(), 'bufsize'])

2740

def test_bio_read_wrong_args(self, bufsize):

2741

"""

2742

`Connection.bio_read` raises `TypeError` if passed a non-integer

2743

argument.

2744

"""

2745

ctx = Context(TLSv1_METHOD)

2746

conn = Connection(ctx, None)

2747

with pytest.raises(TypeError):

2748

conn.bio_read(bufsize)

2749

Alex Chan

2017-01-30 07:13:30 +0000

[diff] [blame]

2750

def test_buffer_size(self):

2751

"""

2752

`Connection.bio_read` accepts an integer giving the maximum number

2753

of bytes to read and return.

2754

"""

2755

ctx = Context(TLSv1_METHOD)

2756

conn = Connection(ctx, None)

2757

conn.set_connect_state()

2758

try:

2759

conn.do_handshake()

2760

except WantReadError:

2761

pass

2762

data = conn.bio_read(2)

2763

assert 2 == len(data)

2764

2765

@skip_if_py3

2766

def test_buffer_size_long(self):

2767

"""

2768

On Python 2 `Connection.bio_read` accepts values of type `long` as

2769

well as `int`.

2770

"""

2771

ctx = Context(TLSv1_METHOD)

2772

conn = Connection(ctx, None)

2773

conn.set_connect_state()

2774

try:

2775

conn.do_handshake()

2776

except WantReadError:

2777

pass

2778

data = conn.bio_read(long(2))

2779

assert 2 == len(data)

Richard J. Moore

2015-01-11 17:04:43 +0000

[diff] [blame]

2780

Jean-Paul Calderone

dbd7627

2014-03-29 18:09:40 -0400

[diff] [blame]

2781

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2782

class TestConnectionGetCipherList(object):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2783

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2784

Tests for `Connection.get_cipher_list`.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2785

"""

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2786

def test_result(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2787

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2788

`Connection.get_cipher_list` returns a list of `bytes` giving the

2789

names of the ciphers which might be used.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

2790

"""

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2791

connection = Connection(Context(TLSv1_METHOD), None)

2792

ciphers = connection.get_cipher_list()

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2793

assert isinstance(ciphers, list)

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2794

for cipher in ciphers:

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2795

assert isinstance(cipher, str)

Jean-Paul Calderone

2010-07-28 19:14:16 -0400

[diff] [blame]

2796

2797

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

2798

class VeryLarge(bytes):

2799

"""

2800

Mock object so that we don't have to allocate 2**31 bytes

"""

def __len__(self):

return 2**31

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2806

class TestConnectionSend(object):

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2807

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2808

Tests for `Connection.send`.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2809

"""

2810

def test_wrong_args(self):

2811

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

2812

When called with arguments other than string argument for its first

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2813

parameter, `Connection.send` raises `TypeError`.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2814

"""

2815

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2816

with pytest.raises(TypeError):

2817

connection.send(object())

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2818

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2819

def test_short_bytes(self):

2820

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2821

When passed a short byte string, `Connection.send` transmits all of it

2822

and returns the number of bytes sent.

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2823

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2824

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2825

count = server.send(b'xy')

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2826

assert count == 2

2827

assert client.recv(2) == b'xy'

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2828

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2829

def test_text(self):

2830

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2831

When passed a text, `Connection.send` transmits all of it and

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

2832

returns the number of bytes sent. It also raises a DeprecationWarning.

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2833

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2834

server, client = loopback()

2835

with pytest.warns(DeprecationWarning) as w:

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2836

simplefilter("always")

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

2837

count = server.send(b"xy".decode("ascii"))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2838

assert (

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

2839

"{0} for buf is no longer accepted, use bytes".format(

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

2840

WARNING_TYPE_EXPECTED

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2841

) == str(w[-1].message))

2842

assert count == 2

2843

assert client.recv(2) == b'xy'

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

2844

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2845

@skip_if_py26

2846

def test_short_memoryview(self):

2847

"""

2848

When passed a memoryview onto a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2849

`Connection.send` transmits all of them and returns the number

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2850

of bytes sent.

2851

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2852

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2853

count = server.send(memoryview(b'xy'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2854

assert count == 2

2855

assert client.recv(2) == b'xy'

Jean-Paul Calderone

2011-01-05 14:53:43 -0500

[diff] [blame]

2856

Hynek Schlawack

8e94f1b

2015-09-05 21:31:00 +0200

[diff] [blame]

2857

@skip_if_py3

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2858

def test_short_buffer(self):

2859

"""

2860

When passed a buffer containing a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2861

`Connection.send` transmits all of them and returns the number

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2862

of bytes sent.

2863

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2864

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2865

count = server.send(buffer(b'xy'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2866

assert count == 2

2867

assert client.recv(2) == b'xy'

Markus Unterwaditzer

8e41d02

2014-04-19 12:27:11 +0200

[diff] [blame]

2868

Maximilian Hils

868dc3c

2017-02-10 14:56:55 +0100

[diff] [blame]

2869

@pytest.mark.skipif(

2870

sys.maxsize < 2**31,

2871

reason="sys.maxsize < 2**31 - test requires 64 bit"

2872

)

2873

def test_buf_too_large(self):

2874

"""

2875

When passed a buffer containing >= 2**31 bytes,

2876

`Connection.send` bails out as SSL_write only

2877

accepts an int for the buffer length.

2878

"""

2879

connection = Connection(Context(TLSv1_METHOD), None)

2880

with pytest.raises(ValueError) as exc_info:

2881

connection.send(VeryLarge())

2882

exc_info.match(r"Cannot send more than .+ bytes at once")

2883

Jean-Paul Calderone

691e6c9

2011-01-21 22:04:35 -0500

[diff] [blame]

2884

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2885

def _make_memoryview(size):

2886

"""

2887

Create a new ``memoryview`` wrapped around a ``bytearray`` of the given

2888

size.

2889

"""

2890

return memoryview(bytearray(size))

2891

2892

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2893

class TestConnectionRecvInto(object):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2894

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2895

Tests for `Connection.recv_into`.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2896

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2897

def _no_length_test(self, factory):

Jean-Paul Calderone

61559d8

2015-03-15 17:04:50 -0400

[diff] [blame]

2898

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2899

Assert that when the given buffer is passed to `Connection.recv_into`,

2900

whatever bytes are available to be received that fit into that buffer

2901

are written into that buffer.

Jean-Paul Calderone

61559d8

2015-03-15 17:04:50 -0400

[diff] [blame]

2902

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2903

output_buffer = factory(5)

2904

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2905

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2906

server.send(b'xy')

Jean-Paul Calderone

332a85e

2015-03-15 17:02:40 -0400

[diff] [blame]

2907

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2908

assert client.recv_into(output_buffer) == 2

2909

assert output_buffer == bytearray(b'xy\x00\x00\x00')

Jean-Paul Calderone

332a85e

2015-03-15 17:02:40 -0400

[diff] [blame]

2910

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2911

def test_bytearray_no_length(self):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2912

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2913

`Connection.recv_into` can be passed a `bytearray` instance and data

2914

in the receive buffer is written to it.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2915

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2916

self._no_length_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2917

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2918

def _respects_length_test(self, factory):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2919

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2920

Assert that when the given buffer is passed to `Connection.recv_into`

2921

along with a value for `nbytes` that is less than the size of that

2922

buffer, only `nbytes` bytes are written into the buffer.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2923

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2924

output_buffer = factory(10)

2925

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2926

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2927

server.send(b'abcdefghij')

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2928

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2929

assert client.recv_into(output_buffer, 5) == 5

2930

assert output_buffer == bytearray(b'abcde\x00\x00\x00\x00\x00')

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

2931

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2932

def test_bytearray_respects_length(self):

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

2933

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2934

When called with a `bytearray` instance, `Connection.recv_into`

2935

respects the `nbytes` parameter and doesn't copy in more than that

2936

number of bytes.

Jean-Paul Calderone

c295a2f

2015-03-15 17:11:18 -0400

[diff] [blame]

2937

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2938

self._respects_length_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2939

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2940

def _doesnt_overfill_test(self, factory):

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2941

"""

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2942

Assert that if there are more bytes available to be read from the

2943

receive buffer than would fit into the buffer passed to

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2944

`Connection.recv_into`, only as many as fit are written into it.

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2945

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2946

output_buffer = factory(5)

2947

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2948

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2949

server.send(b'abcdefghij')

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2950

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2951

assert client.recv_into(output_buffer) == 5

2952

assert output_buffer == bytearray(b'abcde')

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2953

rest = client.recv(5)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2954

assert b'fghij' == rest

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2955

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2956

def test_bytearray_doesnt_overfill(self):

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2957

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2958

When called with a `bytearray` instance, `Connection.recv_into`

2959

respects the size of the array and doesn't write more bytes into it

2960

than will fit.

Jean-Paul Calderone

2015-03-15 17:19:39 -0400

[diff] [blame]

2961

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2962

self._doesnt_overfill_test(bytearray)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2963

Jean-Paul Calderone

2015-03-15 17:26:38 -0400

[diff] [blame]

2964

def test_bytearray_really_doesnt_overfill(self):

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

2965

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2966

When called with a `bytearray` instance and an `nbytes` value that is

2967

too large, `Connection.recv_into` respects the size of the array and

2968

not the `nbytes` value and doesn't write more bytes into the buffer

2969

than will fit.

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

2970

"""

Jean-Paul Calderone

2015-03-15 17:32:15 -0400

[diff] [blame]

2971

self._doesnt_overfill_test(bytearray)

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

2972

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2973

def test_peek(self):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2974

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

2975

server.send(b'xy')

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2976

2977

for _ in range(2):

2978

output_buffer = bytearray(5)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2979

assert client.recv_into(output_buffer, flags=MSG_PEEK) == 2

2980

assert output_buffer == bytearray(b'xy\x00\x00\x00')

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2981

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2982

@skip_if_py26

2983

def test_memoryview_no_length(self):

2984

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2985

`Connection.recv_into` can be passed a `memoryview` instance and data

2986

in the receive buffer is written to it.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2987

"""

2988

self._no_length_test(_make_memoryview)

Maximilian Hils

2015-08-17 19:27:20 +0200

[diff] [blame]

2989

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2990

@skip_if_py26

2991

def test_memoryview_respects_length(self):

2992

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

2993

When called with a `memoryview` instance, `Connection.recv_into`

2994

respects the ``nbytes`` parameter and doesn't copy more than that

2995

number of bytes in.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2996

"""

2997

self._respects_length_test(_make_memoryview)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

2998

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

2999

@skip_if_py26

3000

def test_memoryview_doesnt_overfill(self):

3001

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3002

When called with a `memoryview` instance, `Connection.recv_into`

3003

respects the size of the array and doesn't write more bytes into it

3004

than will fit.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3005

"""

3006

self._doesnt_overfill_test(_make_memoryview)

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3007

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3008

@skip_if_py26

3009

def test_memoryview_really_doesnt_overfill(self):

3010

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3011

When called with a `memoryview` instance and an `nbytes` value that is

3012

too large, `Connection.recv_into` respects the size of the array and

3013

not the `nbytes` value and doesn't write more bytes into the buffer

3014

than will fit.

Hynek Schlawack

2015-09-05 21:25:25 +0200

[diff] [blame]

3015

"""

3016

self._doesnt_overfill_test(_make_memoryview)

Jean-Paul Calderone

2015-03-15 17:25:57 -0400

[diff] [blame]

3017

Cory Benfield

2014-06-15 10:03:41 +0100

[diff] [blame]

3018

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3019

class TestConnectionSendall(object):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3020

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3021

Tests for `Connection.sendall`.

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3022

"""

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3023

def test_wrong_args(self):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3024

"""

Jean-Paul Calderone

2014-02-02 18:13:31 -0500

[diff] [blame]

3025

When called with arguments other than a string argument for its first

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3026

parameter, `Connection.sendall` raises `TypeError`.

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3027

"""

3028

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3029

with pytest.raises(TypeError):

3030

connection.sendall(object())

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3031

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3032

def test_short(self):

3033

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3034

`Connection.sendall` transmits all of the bytes in the string

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3035

passed to it.

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3036

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3037

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3038

server.sendall(b'x')

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3039

assert client.recv(1) == b'x'

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3040

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3041

def test_text(self):

3042

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3043

`Connection.sendall` transmits all the content in the string passed

3044

to it, raising a DeprecationWarning in case of this being a text.

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3045

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3046

server, client = loopback()

3047

with pytest.warns(DeprecationWarning) as w:

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3048

simplefilter("always")

Jean-Paul Calderone

8dc37a1

2015-03-29 08:16:52 -0400

[diff] [blame]

3049

server.sendall(b"x".decode("ascii"))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3050

assert (

Jean-Paul Calderone

13a0e65

2015-03-29 07:58:51 -0400

[diff] [blame]

3051

"{0} for buf is no longer accepted, use bytes".format(

Jean-Paul Calderone

6462b07

2015-03-29 07:03:11 -0400

[diff] [blame]

3052

WARNING_TYPE_EXPECTED

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3053

) == str(w[-1].message))

3054

assert client.recv(1) == b"x"

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3055

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3056

@skip_if_py26

3057

def test_short_memoryview(self):

3058

"""

3059

When passed a memoryview onto a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3060

`Connection.sendall` transmits all of them.

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3061

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3062

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3063

server.sendall(memoryview(b'x'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3064

assert client.recv(1) == b'x'

Abraham Martin

2015-03-25 14:06:24 +0000

[diff] [blame]

3065

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3066

@skip_if_py3

3067

def test_short_buffers(self):

3068

"""

3069

When passed a buffer containing a small number of bytes,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3070

`Connection.sendall` transmits all of them.

Hynek Schlawack

2015-09-05 21:39:50 +0200

[diff] [blame]

3071

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3072

server, client = loopback()

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3073

server.sendall(buffer(b'x'))

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3074

assert client.recv(1) == b'x'

Markus Unterwaditzer

8e41d02

2014-04-19 12:27:11 +0200

[diff] [blame]

3075

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3076

def test_long(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3077

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3078

`Connection.sendall` transmits all the bytes in the string passed to it

3079

even if this requires multiple calls of an underlying write function.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3080

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3081

server, client = loopback()

Jean-Paul Calderone

6241c70

2010-09-16 19:59:24 -0400

[diff] [blame]

3082

# Should be enough, underlying SSL_write should only do 16k at a time.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3083

# On Windows, after 32k of bytes the write will block (forever

3084

# - because no one is yet reading).

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3085

message = b'x' * (1024 * 32 - 1) + b'y'

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3086

server.sendall(message)

3087

accum = []

3088

received = 0

3089

while received < len(message):

Jean-Paul Calderone

b1f7f5f

2010-08-22 21:40:52 -0400

[diff] [blame]

3090

data = client.recv(1024)

3091

accum.append(data)

3092

received += len(data)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3093

assert message == b''.join(accum)

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3094

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

3095

def test_closed(self):

3096

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3097

If the underlying socket is closed, `Connection.sendall` propagates the

3098

write error from the low level write call.

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

3099

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3100

server, client = loopback()

Jean-Paul Calderone

05d43e8

2010-09-24 18:01:36 -0400

[diff] [blame]

3101

server.sock_shutdown(2)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3102

with pytest.raises(SysCallError) as err:

3103

server.sendall(b"hello, world")

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

3104

if platform == "win32":

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3105

assert err.value.args[0] == ESHUTDOWN

Konstantinos Koukopoulos

541150d

2014-01-31 01:00:19 +0200

[diff] [blame]

3106

else:

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3107

assert err.value.args[0] == EPIPE

Jean-Paul Calderone

974bdc0

2010-07-28 19:06:10 -0400

[diff] [blame]

3108

Jean-Paul Calderone

2010-07-28 18:57:21 -0400

[diff] [blame]

3109

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3110

class TestConnectionRenegotiate(object):

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3111

"""

3112

Tests for SSL renegotiation APIs.

3113

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

3114

def test_total_renegotiations(self):

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3115

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3116

`Connection.total_renegotiations` returns `0` before any renegotiations

3117

have happened.

Jean-Paul Calderone

2010-09-09 18:04:56 -0400

[diff] [blame]

3118

"""

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

3119

connection = Connection(Context(TLSv1_METHOD), None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3120

assert connection.total_renegotiations() == 0

Jean-Paul Calderone

2010-07-29 22:47:06 -0400

[diff] [blame]

3121

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3122

def test_renegotiate(self):

3123

"""

3124

Go through a complete renegotiation cycle.

3125

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3126

server, client = loopback()

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3127

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3128

server.send(b"hello world")

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3129

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3130

assert b"hello world" == client.recv(len(b"hello world"))

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3131

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3132

assert 0 == server.total_renegotiations()

3133

assert False is server.renegotiate_pending()

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3134

Hynek Schlawack

2016-02-13 09:10:04 +0100

[diff] [blame]

3135

assert True is server.renegotiate()

3136

3137

assert True is server.renegotiate_pending()

3138

3139

server.setblocking(False)

3140

client.setblocking(False)

3141

3142

client.do_handshake()

3143

server.do_handshake()

3144

3145

assert 1 == server.total_renegotiations()

3146

while False is server.renegotiate_pending():

3147

pass

Jean-Paul Calderone

2010-07-29 09:39:39 -0400

[diff] [blame]

3148

3149

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3150

class TestError(object):

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3151

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3152

Unit tests for `OpenSSL.SSL.Error`.

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3153

"""

3154

def test_type(self):

3155

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3156

`Error` is an exception type.

Jean-Paul Calderone

2009-07-17 21:14:27 -0400

[diff] [blame]

3157

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3158

assert issubclass(Error, Exception)

3159

assert Error.__name__ == 'Error'

Rick Dean

2009-07-09 15:53:42 -0500

[diff] [blame]

3160

3161

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3162

class TestConstants(object):

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3163

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3164

Tests for the values of constants exposed in `OpenSSL.SSL`.

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3165

3166

These are values defined by OpenSSL intended only to be used as flags to

3167

OpenSSL APIs. The only assertions it seems can be made about them is

3168

their values.

3169

"""

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3170

@pytest.mark.skipif(

3171

OP_NO_QUERY_MTU is None,

3172

reason="OP_NO_QUERY_MTU unavailable - OpenSSL version may be too old"

3173

)

3174

def test_op_no_query_mtu(self):

3175

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3176

The value of `OpenSSL.SSL.OP_NO_QUERY_MTU` is 0x1000, the value

3177

of `SSL_OP_NO_QUERY_MTU` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3178

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3179

assert OP_NO_QUERY_MTU == 0x1000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3180

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3181

@pytest.mark.skipif(

3182

OP_COOKIE_EXCHANGE is None,

3183

reason="OP_COOKIE_EXCHANGE unavailable - "

3184

"OpenSSL version may be too old"

3185

)

3186

def test_op_cookie_exchange(self):

3187

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3188

The value of `OpenSSL.SSL.OP_COOKIE_EXCHANGE` is 0x2000, the

3189

value of `SSL_OP_COOKIE_EXCHANGE` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3190

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3191

assert OP_COOKIE_EXCHANGE == 0x2000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3192

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3193

@pytest.mark.skipif(

3194

OP_NO_TICKET is None,

3195

reason="OP_NO_TICKET unavailable - OpenSSL version may be too old"

3196

)

3197

def test_op_no_ticket(self):

3198

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3199

The value of `OpenSSL.SSL.OP_NO_TICKET` is 0x4000, the value of

3200

`SSL_OP_NO_TICKET` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3201

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3202

assert OP_NO_TICKET == 0x4000

Jean-Paul Calderone

2008-12-28 21:55:56 -0500

[diff] [blame]

3203

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3204

@pytest.mark.skipif(

3205

OP_NO_COMPRESSION is None,

3206

reason="OP_NO_COMPRESSION unavailable - OpenSSL version may be too old"

3207

)

3208

def test_op_no_compression(self):

3209

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3210

The value of `OpenSSL.SSL.OP_NO_COMPRESSION` is 0x20000, the

3211

value of `SSL_OP_NO_COMPRESSION` defined by `openssl/ssl.h`.

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3212

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3213

assert OP_NO_COMPRESSION == 0x20000

Jean-Paul Calderone

c62d4c1

2011-09-08 18:29:32 -0400

[diff] [blame]

3214

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3215

def test_sess_cache_off(self):

3216

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3217

The value of `OpenSSL.SSL.SESS_CACHE_OFF` 0x0, the value of

3218

`SSL_SESS_CACHE_OFF` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3219

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3220

assert 0x0 == SESS_CACHE_OFF

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3221

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3222

def test_sess_cache_client(self):

3223

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3224

The value of `OpenSSL.SSL.SESS_CACHE_CLIENT` 0x1, the value of

3225

`SSL_SESS_CACHE_CLIENT` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3226

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3227

assert 0x1 == SESS_CACHE_CLIENT

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3228

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3229

def test_sess_cache_server(self):

3230

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3231

The value of `OpenSSL.SSL.SESS_CACHE_SERVER` 0x2, the value of

3232

`SSL_SESS_CACHE_SERVER` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3233

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3234

assert 0x2 == SESS_CACHE_SERVER

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3235

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3236

def test_sess_cache_both(self):

3237

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3238

The value of `OpenSSL.SSL.SESS_CACHE_BOTH` 0x3, the value of

3239

`SSL_SESS_CACHE_BOTH` defined by `openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3240

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3241

assert 0x3 == SESS_CACHE_BOTH

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3242

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3243

def test_sess_cache_no_auto_clear(self):

3244

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3245

The value of `OpenSSL.SSL.SESS_CACHE_NO_AUTO_CLEAR` 0x80, the

3246

value of `SSL_SESS_CACHE_NO_AUTO_CLEAR` defined by

3247

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3248

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3249

assert 0x80 == SESS_CACHE_NO_AUTO_CLEAR

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3250

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3251

def test_sess_cache_no_internal_lookup(self):

3252

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3253

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_LOOKUP` 0x100,

3254

the value of `SSL_SESS_CACHE_NO_INTERNAL_LOOKUP` defined by

3255

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3256

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3257

assert 0x100 == SESS_CACHE_NO_INTERNAL_LOOKUP

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3258

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3259

def test_sess_cache_no_internal_store(self):

3260

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3261

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_STORE` 0x200,

3262

the value of `SSL_SESS_CACHE_NO_INTERNAL_STORE` defined by

3263

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3264

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3265

assert 0x200 == SESS_CACHE_NO_INTERNAL_STORE

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3266

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3267

def test_sess_cache_no_internal(self):

3268

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3269

The value of `OpenSSL.SSL.SESS_CACHE_NO_INTERNAL` 0x300, the

3270

value of `SSL_SESS_CACHE_NO_INTERNAL` defined by

3271

`openssl/ssl.h`.

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3272

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3273

assert 0x300 == SESS_CACHE_NO_INTERNAL

Jean-Paul Calderone

2012-02-08 13:02:49 -0500

[diff] [blame]

3274

3275

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3276

class TestMemoryBIO(object):

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3277

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3278

Tests for `OpenSSL.SSL.Connection` using a memory BIO.

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3279

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3280

def _server(self, sock):

3281

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3282

Create a new server-side SSL `Connection` object wrapped around `sock`.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3283

"""

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3284

# Create the server side Connection. This is mostly setup boilerplate

3285

# - use TLSv1, use a particular certificate, etc.

3286

server_ctx = Context(TLSv1_METHOD)

Alex Gaynor

4330778

2015-09-04 09:05:45 -0400

[diff] [blame]

3287

server_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE)

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3288

server_ctx.set_verify(

3289

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE,

3290

verify_cb

3291

)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3292

server_store = server_ctx.get_cert_store()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3293

server_ctx.use_privatekey(

3294

load_privatekey(FILETYPE_PEM, server_key_pem))

3295

server_ctx.use_certificate(

3296

load_certificate(FILETYPE_PEM, server_cert_pem))

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3297

server_ctx.check_privatekey()

3298

server_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3299

# Here the Connection is actually created. If None is passed as the

3300

# 2nd parameter, it indicates a memory BIO should be created.

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3301

server_conn = Connection(server_ctx, sock)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3302

server_conn.set_accept_state()

3303

return server_conn

3304

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3305

def _client(self, sock):

3306

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3307

Create a new client-side SSL `Connection` object wrapped around `sock`.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3308

"""

3309

# Now create the client side Connection. Similar boilerplate to the

3310

# above.

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3311

client_ctx = Context(TLSv1_METHOD)

Alex Gaynor

4330778

2015-09-04 09:05:45 -0400

[diff] [blame]

3312

client_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE)

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3313

client_ctx.set_verify(

3314

VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE,

3315

verify_cb

3316

)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3317

client_store = client_ctx.get_cert_store()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3318

client_ctx.use_privatekey(

3319

load_privatekey(FILETYPE_PEM, client_key_pem))

3320

client_ctx.use_certificate(

3321

load_certificate(FILETYPE_PEM, client_cert_pem))

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3322

client_ctx.check_privatekey()

3323

client_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3324

client_conn = Connection(client_ctx, sock)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3325

client_conn.set_connect_state()

3326

return client_conn

3327

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3328

def test_memory_connect(self):

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3329

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3330

Two `Connection`s which use memory BIOs can be manually connected by

3331

reading from the output of each and writing those bytes to the input of

3332

the other and in this way establish a connection and exchange

3333

application-level bytes with each other.

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3334

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3335

server_conn = self._server(None)

3336

client_conn = self._client(None)

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3337

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3338

# There should be no key or nonces yet.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3339

assert server_conn.master_key() is None

3340

assert server_conn.client_random() is None

3341

assert server_conn.server_random() is None

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3342

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3343

# First, the handshake needs to happen. We'll deliver bytes back and

3344

# forth between the client and server until neither of them feels like

3345

# speaking any more.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3346

assert interact_in_memory(client_conn, server_conn) is None

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3347

3348

# Now that the handshake is done, there should be a key and nonces.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3349

assert server_conn.master_key() is not None

3350

assert server_conn.client_random() is not None

3351

assert server_conn.server_random() is not None

3352

assert server_conn.client_random() == client_conn.client_random()

3353

assert server_conn.server_random() == client_conn.server_random()

3354

assert server_conn.client_random() != server_conn.server_random()

3355

assert client_conn.client_random() != client_conn.server_random()

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3356

3357

# Here are the bytes we'll try to send.

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3358

important_message = b'One if by land, two if by sea.'

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3359

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3360

server_conn.write(important_message)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3361

assert (

3362

interact_in_memory(client_conn, server_conn) ==

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3363

(client_conn, important_message))

3364

3365

client_conn.write(important_message[::-1])

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3366

assert (

3367

interact_in_memory(client_conn, server_conn) ==

Jean-Paul Calderone

2009-04-27 12:59:12 -0400

[diff] [blame]

3368

(server_conn, important_message[::-1]))

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3369

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3370

def test_socket_connect(self):

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3371

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3372

Just like `test_memory_connect` but with an actual socket.

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3373

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3374

This is primarily to rule out the memory BIO code as the source of any

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3375

problems encountered while passing data over a `Connection` (if

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3376

this test fails, there must be a problem outside the memory BIO code,

3377

as no memory BIO is involved here). Even though this isn't a memory

3378

BIO test, it's convenient to have it here.

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3379

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3380

server_conn, client_conn = loopback()

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3381

Alex Gaynor

2016-09-11 11:48:14 -0400

[diff] [blame]

3382

important_message = b"Help me Obi Wan Kenobi, you're my only hope."

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3383

client_conn.send(important_message)

3384

msg = server_conn.recv(1024)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3385

assert msg == important_message

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3386

3387

# Again in the other direction, just for fun.

3388

important_message = important_message[::-1]

3389

server_conn.send(important_message)

3390

msg = client_conn.recv(1024)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3391

assert msg == important_message

Rick Dean

2009-07-09 23:52:39 -0500

[diff] [blame]

3392

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3393

def test_socket_overrides_memory(self):

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3394

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3395

Test that `OpenSSL.SSL.bio_read` and `OpenSSL.SSL.bio_write` don't

3396

work on `OpenSSL.SSL.Connection`() that use sockets.

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3397

"""

Alex Gaynor

51d424c

2016-09-10 14:50:11 -0400

[diff] [blame]

3398

context = Context(TLSv1_METHOD)

Rick Dean

2009-04-01 14:09:23 -0500

[diff] [blame]

3399

client = socket()

3400

clientSSL = Connection(context, client)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3401

with pytest.raises(TypeError):

3402

clientSSL.bio_read(100)

3403

with pytest.raises(TypeError):

3404

clientSSL.bio_write("foo")

3405

with pytest.raises(TypeError):

3406

clientSSL.bio_shutdown()

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3407

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3408

def test_outgoing_overflow(self):

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3409

"""

3410

If more bytes than can be written to the memory BIO are passed to

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3411

`Connection.send` at once, the number of bytes which were written is

3412

returned and that many bytes from the beginning of the input can be

3413

read from the other end of the connection.

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3414

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3415

server = self._server(None)

3416

client = self._client(None)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3417

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3418

interact_in_memory(client, server)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3419

3420

size = 2 ** 15

Jean-Paul Calderone

4f0467a

2014-01-11 11:58:41 -0500

[diff] [blame]

3421

sent = client.send(b"x" * size)

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3422

# Sanity check. We're trying to test what happens when the entire

3423

# input can't be sent. If the entire input was sent, this test is

3424

# meaningless.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3425

assert sent < size

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3426

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3427

receiver, received = interact_in_memory(client, server)

3428

assert receiver is server

Jean-Paul Calderone

2009-04-27 17:13:34 -0400

[diff] [blame]

3429

3430

# We can rely on all of these bytes being received at once because

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3431

# loopback passes 2 ** 16 to recv - more than 2 ** 15.

3432

assert len(received) == sent

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3433

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3434

def test_shutdown(self):

3435

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3436

`Connection.bio_shutdown` signals the end of the data stream

3437

from which the `Connection` reads.

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3438

"""

Jean-Paul Calderone

2009-07-16 12:22:52 -0400

[diff] [blame]

3439

server = self._server(None)

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3440

server.bio_shutdown()

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3441

with pytest.raises(Error) as err:

3442

server.recv(1024)

Jean-Paul Calderone

2009-04-30 20:24:35 -0400

[diff] [blame]

3443

# We don't want WantReadError or ZeroReturnError or anything - it's a

3444

# handshake failure.

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3445

assert type(err.value) in [Error, SysCallError]

Jean-Paul Calderone

0b88b6a

2009-07-05 12:44:41 -0400

[diff] [blame]

3446

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3447

def test_unexpected_EOF(self):

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3448

"""

3449

If the connection is lost before an orderly SSL shutdown occurs,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3450

`OpenSSL.SSL.SysCallError` is raised with a message of

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3451

"Unexpected EOF".

3452

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3453

server_conn, client_conn = loopback()

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3454

client_conn.sock_shutdown(SHUT_RDWR)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3455

with pytest.raises(SysCallError) as err:

3456

server_conn.recv(1024)

3457

assert err.value.args == (-1, "Unexpected EOF")

Jean-Paul Calderone

2013-03-19 22:10:37 -0700

[diff] [blame]

3458

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3459

def _check_client_ca_list(self, func):

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3460

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3461

Verify the return value of the `get_client_ca_list` method for

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3462

server and client connections.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3463

Jonathan Ballet

78b92a2

2011-07-16 08:07:26 +0900

[diff] [blame]

3464

:param func: A function which will be called with the server context

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3465

before the client and server are connected to each other. This

3466

function should specify a list of CAs for the server to send to the

3467

client and return that same list. The list will be used to verify

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3468

that `get_client_ca_list` returns the proper value at

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3469

various times.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3470

"""

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3471

server = self._server(None)

3472

client = self._client(None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3473

assert client.get_client_ca_list() == []

3474

assert server.get_client_ca_list() == []

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3475

ctx = server.get_context()

3476

expected = func(ctx)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3477

assert client.get_client_ca_list() == []

3478

assert server.get_client_ca_list() == expected

3479

interact_in_memory(client, server)

3480

assert client.get_client_ca_list() == expected

3481

assert server.get_client_ca_list() == expected

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3482

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3483

def test_set_client_ca_list_errors(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3484

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3485

`Context.set_client_ca_list` raises a `TypeError` if called with a

3486

non-list or a list that contains objects other than X509Names.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3487

"""

3488

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3489

with pytest.raises(TypeError):

3490

ctx.set_client_ca_list("spam")

3491

with pytest.raises(TypeError):

3492

ctx.set_client_ca_list(["spam"])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3493

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3494

def test_set_empty_ca_list(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3495

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3496

If passed an empty list, `Context.set_client_ca_list` configures the

3497

context to send no CA names to the client and, on both the server and

3498

client sides, `Connection.get_client_ca_list` returns an empty list

3499

after the connection is set up.

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3500

"""

3501

def no_ca(ctx):

3502

ctx.set_client_ca_list([])

3503

return []

3504

self._check_client_ca_list(no_ca)

3505

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3506

def test_set_one_ca_list(self):

3507

"""

3508

If passed a list containing a single X509Name,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3509

`Context.set_client_ca_list` configures the context to send

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3510

that CA name to the client and, on both the server and client sides,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3511

`Connection.get_client_ca_list` returns a list containing that

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3512

X509Name after the connection is set up.

3513

"""

3514

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3515

cadesc = cacert.get_subject()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3516

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3517

def single_ca(ctx):

3518

ctx.set_client_ca_list([cadesc])

3519

return [cadesc]

3520

self._check_client_ca_list(single_ca)

3521

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3522

def test_set_multiple_ca_list(self):

3523

"""

3524

If passed a list containing multiple X509Name objects,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3525

`Context.set_client_ca_list` configures the context to send

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3526

those CA names to the client and, on both the server and client sides,

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3527

`Connection.get_client_ca_list` returns a list containing those

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3528

X509Names after the connection is set up.

3529

"""

3530

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3531

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3532

3533

sedesc = secert.get_subject()

3534

cldesc = clcert.get_subject()

3535

3536

def multiple_ca(ctx):

3537

L = [sedesc, cldesc]

3538

ctx.set_client_ca_list(L)

3539

return L

3540

self._check_client_ca_list(multiple_ca)

3541

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3542

def test_reset_ca_list(self):

3543

"""

3544

If called multiple times, only the X509Names passed to the final call

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3545

of `Context.set_client_ca_list` are used to configure the CA

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3546

names sent to the client.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3547

"""

3548

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3549

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3550

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3551

3552

cadesc = cacert.get_subject()

3553

sedesc = secert.get_subject()

3554

cldesc = clcert.get_subject()

3555

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3556

def changed_ca(ctx):

3557

ctx.set_client_ca_list([sedesc, cldesc])

3558

ctx.set_client_ca_list([cadesc])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3559

return [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3560

self._check_client_ca_list(changed_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3561

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3562

def test_mutated_ca_list(self):

3563

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3564

If the list passed to `Context.set_client_ca_list` is mutated

Jean-Paul Calderone

2009-10-24 11:12:00 -0400

[diff] [blame]

3565

afterwards, this does not affect the list of CA names sent to the

3566

client.

3567

"""

3568

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3569

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3570

3571

cadesc = cacert.get_subject()

3572

sedesc = secert.get_subject()

3573

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3574

def mutated_ca(ctx):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3575

L = [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3576

ctx.set_client_ca_list([cadesc])

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3577

L.append(sedesc)

3578

return [cadesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3579

self._check_client_ca_list(mutated_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3580

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3581

def test_add_client_ca_wrong_args(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3582

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3583

`Context.add_client_ca` raises `TypeError` if called with

3584

a non-X509 object.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3585

"""

3586

ctx = Context(TLSv1_METHOD)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3587

with pytest.raises(TypeError):

3588

ctx.add_client_ca("spam")

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3589

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3590

def test_one_add_client_ca(self):

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3591

"""

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3592

A certificate's subject can be added as a CA to be sent to the client

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3593

with `Context.add_client_ca`.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3594

"""

3595

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3596

cadesc = cacert.get_subject()

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3597

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3598

def single_ca(ctx):

3599

ctx.add_client_ca(cacert)

3600

return [cadesc]

3601

self._check_client_ca_list(single_ca)

3602

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3603

def test_multiple_add_client_ca(self):

3604

"""

3605

Multiple CA names can be sent to the client by calling

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3606

`Context.add_client_ca` with multiple X509 objects.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3607

"""

3608

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3609

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3610

3611

cadesc = cacert.get_subject()

3612

sedesc = secert.get_subject()

3613

3614

def multiple_ca(ctx):

3615

ctx.add_client_ca(cacert)

3616

ctx.add_client_ca(secert)

3617

return [cadesc, sedesc]

3618

self._check_client_ca_list(multiple_ca)

3619

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3620

def test_set_and_add_client_ca(self):

3621

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3622

A call to `Context.set_client_ca_list` followed by a call to

3623

`Context.add_client_ca` results in using the CA names from the

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3624

first call and the CA name from the second call.

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3625

"""

3626

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3627

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3628

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3629

3630

cadesc = cacert.get_subject()

3631

sedesc = secert.get_subject()

3632

cldesc = clcert.get_subject()

3633

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3634

def mixed_set_add_ca(ctx):

3635

ctx.set_client_ca_list([cadesc, sedesc])

3636

ctx.add_client_ca(clcert)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3637

return [cadesc, sedesc, cldesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3638

self._check_client_ca_list(mixed_set_add_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3639

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3640

def test_set_after_add_client_ca(self):

3641

"""

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3642

A call to `Context.set_client_ca_list` after a call to

3643

`Context.add_client_ca` replaces the CA name specified by the

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3644

former call with the names specified by the latter call.

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3645

"""

3646

cacert = load_certificate(FILETYPE_PEM, root_cert_pem)

3647

secert = load_certificate(FILETYPE_PEM, server_cert_pem)

3648

clcert = load_certificate(FILETYPE_PEM, server_cert_pem)

3649

3650

cadesc = cacert.get_subject()

3651

sedesc = secert.get_subject()

Jean-Paul Calderone

2009-10-24 13:45:11 -0400

[diff] [blame]

3652

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3653

def set_replaces_add_ca(ctx):

3654

ctx.add_client_ca(clcert)

3655

ctx.set_client_ca_list([cadesc])

3656

ctx.add_client_ca(secert)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3657

return [cadesc, sedesc]

Ziga Seilnacht

2009-10-23 09:51:07 +0200

[diff] [blame]

3658

self._check_client_ca_list(set_replaces_add_ca)

Ziga Seilnacht

2009-09-01 01:32:29 +0200

[diff] [blame]

3659

Jean-Paul Calderone

0b88b6a

2009-07-05 12:44:41 -0400

[diff] [blame]

3660

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3661

class TestInfoConstants(object):

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3662

"""

3663

Tests for assorted constants exposed for use in info callbacks.

3664

"""

3665

def test_integers(self):

3666

"""

3667

All of the info constants are integers.

3668

3669

This is a very weak test. It would be nice to have one that actually

3670

verifies that as certain info events happen, the value passed to the

3671

info callback matches up with the constant exposed by OpenSSL.SSL.

3672

"""

3673

for const in [

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

3674

SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK,

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3675

SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT,

3676

SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP,

3677

SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT,

Hynek Schlawack

2015-09-05 21:54:25 +0200

[diff] [blame]

3678

SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE

3679

]:

Alex Gaynor

2016-09-24 01:52:21 -0400

[diff] [blame]

3680

assert isinstance(const, int)

3681

3682

# These constants don't exist on OpenSSL 1.1.0

3683

for const in [

3684

SSL_ST_INIT, SSL_ST_BEFORE, SSL_ST_OK, SSL_ST_RENEGOTIATE

3685

]:

3686

assert const is None or isinstance(const, int)

Jean-Paul Calderone

2011-03-21 19:13:35 -0400

[diff] [blame]

3687

Ziga Seilnacht

44611bf

2009-08-31 20:49:30 +0200

[diff] [blame]

3688

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3689

class TestRequires(object):

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3690

"""

3691

Tests for the decorator factory used to conditionally raise

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3692

NotImplementedError when older OpenSSLs are used.

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3693

"""

3694

def test_available(self):

3695

"""

3696

When the OpenSSL functionality is available the decorated functions

3697

work appropriately.

3698

"""

3699

feature_guard = _make_requires(True, "Error text")

results = []

@feature_guard

def inner():

results.append(True)

return True

Cory Benfield

2016-03-30 14:24:16 +0100

[diff] [blame]

3707

assert inner() is True

3708

assert [True] == results

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3709

3710

def test_unavailable(self):

3711

"""

3712

When the OpenSSL functionality is not available the decorated function

3713

does not execute and NotImplementedError is raised.

3714

"""

3715

feature_guard = _make_requires(False, "Error text")

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3716

3717

@feature_guard

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3718

def inner(): # pragma: nocover

3719

pytest.fail("Should not be called")

Cory Benfield

2016-03-30 09:35:05 +0100

[diff] [blame]

3720

Cory Benfield

1d14214

2016-03-30 11:51:45 +0100

[diff] [blame]

3721

with pytest.raises(NotImplementedError) as e:

3722

inner()

3723

3724

assert "Error text" in str(e.value)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3725

3726

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3727

class TestOCSP(object):

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3728

"""

3729

Tests for PyOpenSSL's OCSP stapling support.

3730

"""

3731

sample_ocsp_data = b"this is totally ocsp data"

3732

3733

def _client_connection(self, callback, data, request_ocsp=True):

3734

"""

3735

Builds a client connection suitable for using OCSP.

3736

3737

:param callback: The callback to register for OCSP.

3738

:param data: The opaque data object that will be handed to the

3739

OCSP callback.

3740

:param request_ocsp: Whether the client will actually ask for OCSP

3741

stapling. Useful for testing only.

3742

"""

3743

ctx = Context(SSLv23_METHOD)

3744

ctx.set_ocsp_client_callback(callback, data)

3745

client = Connection(ctx)

3746

3747

if request_ocsp:

3748

client.request_ocsp()

3749

3750

client.set_connect_state()

3751

return client

3752

3753

def _server_connection(self, callback, data):

3754

"""

3755

Builds a server connection suitable for using OCSP.

3756

3757

:param callback: The callback to register for OCSP.

3758

:param data: The opaque data object that will be handed to the

3759

OCSP callback.

3760

"""

3761

ctx = Context(SSLv23_METHOD)

3762

ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))

3763

ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))

3764

ctx.set_ocsp_server_callback(callback, data)

3765

server = Connection(ctx)

3766

server.set_accept_state()

3767

return server

3768

3769

def test_callbacks_arent_called_by_default(self):

3770

"""

3771

If both the client and the server have registered OCSP callbacks, but

3772

the client does not send the OCSP request, neither callback gets

3773

called.

3774

"""

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3775

def ocsp_callback(*args, **kwargs): # pragma: nocover

3776

pytest.fail("Should not be called")

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3777

3778

client = self._client_connection(

3779

callback=ocsp_callback, data=None, request_ocsp=False

3780

)

3781

server = self._server_connection(callback=ocsp_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3782

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3783

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3784

def test_client_negotiates_without_server(self):

3785

"""

3786

If the client wants to do OCSP but the server does not, the handshake

3787

succeeds, and the client callback fires with an empty byte string.

"""

called = []

def ocsp_callback(conn, ocsp_data, ignored):

3792

called.append(ocsp_data)

3793

return True

3794

3795

client = self._client_connection(callback=ocsp_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3796

server = loopback_server_factory(socket=None)

3797

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3798

3799

assert len(called) == 1

3800

assert called[0] == b''

3801

3802

def test_client_receives_servers_data(self):

3803

"""

3804

The data the server sends in its callback is received by the client.

"""

calls = []

def server_callback(*args, **kwargs):

3809

return self.sample_ocsp_data

3810

3811

def client_callback(conn, ocsp_data, ignored):

3812

calls.append(ocsp_data)

3813

return True

3814

3815

client = self._client_connection(callback=client_callback, data=None)

3816

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3817

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3818

3819

assert len(calls) == 1

3820

assert calls[0] == self.sample_ocsp_data

3821

3822

def test_callbacks_are_invoked_with_connections(self):

3823

"""

3824

The first arguments to both callbacks are their respective connections.

"""

client_calls = []

server_calls = []

def client_callback(conn, *args, **kwargs):

3830

client_calls.append(conn)

3831

return True

3832

3833

def server_callback(conn, *args, **kwargs):

3834

server_calls.append(conn)

3835

return self.sample_ocsp_data

3836

3837

client = self._client_connection(callback=client_callback, data=None)

3838

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3839

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3840

3841

assert len(client_calls) == 1

3842

assert len(server_calls) == 1

3843

assert client_calls[0] is client

3844

assert server_calls[0] is server

3845

3846

def test_opaque_data_is_passed_through(self):

3847

"""

3848

Both callbacks receive an opaque, user-provided piece of data in their

3849

callbacks as the final argument.

"""

calls = []

def server_callback(*args):

3854

calls.append(args)

3855

return self.sample_ocsp_data

3856

3857

def client_callback(*args):

calls.append(args)

return True

sentinel = object()

client = self._client_connection(

3864

callback=client_callback, data=sentinel

3865

)

3866

server = self._server_connection(

3867

callback=server_callback, data=sentinel

3868

)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3869

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3870

3871

assert len(calls) == 2

3872

assert calls[0][-1] is sentinel

3873

assert calls[1][-1] is sentinel

3874

3875

def test_server_returns_empty_string(self):

3876

"""

3877

If the server returns an empty bytestring from its callback, the

3878

client callback is called with the empty bytestring.

"""

client_calls = []

def server_callback(*args):

3883

return b''

3884

3885

def client_callback(conn, ocsp_data, ignored):

3886

client_calls.append(ocsp_data)

3887

return True

3888

3889

client = self._client_connection(callback=client_callback, data=None)

3890

server = self._server_connection(callback=server_callback, data=None)

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3891

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3892

3893

assert len(client_calls) == 1

3894

assert client_calls[0] == b''

3895

3896

def test_client_returns_false_terminates_handshake(self):

3897

"""

3898

If the client returns False from its callback, the handshake fails.

3899

"""

3900

def server_callback(*args):

3901

return self.sample_ocsp_data

3902

3903

def client_callback(*args):

3904

return False

3905

3906

client = self._client_connection(callback=client_callback, data=None)

3907

server = self._server_connection(callback=server_callback, data=None)

3908

3909

with pytest.raises(Error):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3910

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3911

3912

def test_exceptions_in_client_bubble_up(self):

3913

"""

3914

The callbacks thrown in the client callback bubble up to the caller.

3915

"""

3916

class SentinelException(Exception):

3917

pass

3918

3919

def server_callback(*args):

3920

return self.sample_ocsp_data

3921

3922

def client_callback(*args):

3923

raise SentinelException()

3924

3925

client = self._client_connection(callback=client_callback, data=None)

3926

server = self._server_connection(callback=server_callback, data=None)

3927

3928

with pytest.raises(SentinelException):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3929

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3930

3931

def test_exceptions_in_server_bubble_up(self):

3932

"""

3933

The callbacks thrown in the server callback bubble up to the caller.

3934

"""

3935

class SentinelException(Exception):

3936

pass

3937

3938

def server_callback(*args):

3939

raise SentinelException()

3940

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3941

def client_callback(*args): # pragma: nocover

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3942

pytest.fail("Should not be called")

3943

3944

client = self._client_connection(callback=client_callback, data=None)

3945

server = self._server_connection(callback=server_callback, data=None)

3946

3947

with pytest.raises(SentinelException):

Alex Chan

2017-01-30 14:04:47 +0000

[diff] [blame]

3948

handshake_in_memory(client, server)

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3949

3950

def test_server_must_return_bytes(self):

3951

"""

3952

The server callback must return a bytestring, or a TypeError is thrown.

3953

"""

3954

def server_callback(*args):

3955

return self.sample_ocsp_data.decode('ascii')

3956

Alex Chan

2017-04-20 11:16:15 +0100

[diff] [blame]

3957

def client_callback(*args): # pragma: nocover

Cory Benfield

2017-01-24 11:42:56 +0000

[diff] [blame]

3958

pytest.fail("Should not be called")

3959

3960

client = self._client_connection(callback=client_callback, data=None)

3961

server = self._server_connection(callback=server_callback, data=None)

3962

3963

with pytest.raises(TypeError):

Alex Chan