blob: abc9dfde81ab3e23c6dc1bcdf7d367201432e6f8 [file] [log] [blame]
Jean-Paul Calderone8671c852011-03-02 19:26:20 -05001# Copyright (C) Jean-Paul Calderone
2# See LICENSE for details.
Jean-Paul Calderone8b63d452008-03-21 18:31:12 -04003
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -04004"""
Jonathan Ballet648875f2011-07-16 14:14:58 +09005Unit tests for :py:obj:`OpenSSL.SSL`.
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -04006"""
7
Jean-Paul Calderone4c1aacd2014-01-11 08:15:17 -05008from gc import collect, get_referrers
Konstantinos Koukopoulos541150d2014-01-31 01:00:19 +02009from errno import ECONNREFUSED, EINPROGRESS, EWOULDBLOCK, EPIPE, ESHUTDOWN
Jean-Paul Calderone210c0f32015-04-12 09:20:31 -040010from sys import platform, version_info, getfilesystemencoding
Jean-Paul Calderoned899af02013-03-19 22:10:37 -070011from socket import SHUT_RDWR, error, socket
Jean-Paul Calderonea65cf6c2009-07-19 10:26:52 -040012from os import makedirs
Jean-Paul Calderone1461c492013-10-03 16:05:00 -040013from os.path import join
Jean-Paul Calderone0b88b6a2009-07-05 12:44:41 -040014from unittest import main
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -040015from weakref import ref
Jean-Paul Calderone460cc1f2009-03-07 11:31:12 -050016
Jean-Paul Calderone4e0c43f2015-04-13 10:15:17 -040017from six import PY3, text_type, u
Jean-Paul Calderonec76c61c2014-01-18 13:21:52 -050018
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -040019from OpenSSL.crypto import TYPE_RSA, FILETYPE_PEM
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -080020from OpenSSL.crypto import PKey, X509, X509Extension, X509Store
Jean-Paul Calderone7526d172010-09-09 17:55:31 -040021from OpenSSL.crypto import dump_privatekey, load_privatekey
22from OpenSSL.crypto import dump_certificate, load_certificate
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -040023from OpenSSL.crypto import get_elliptic_curves
Jean-Paul Calderone7526d172010-09-09 17:55:31 -040024
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -040025from OpenSSL.SSL import OPENSSL_VERSION_NUMBER, SSLEAY_VERSION, SSLEAY_CFLAGS
26from OpenSSL.SSL import SSLEAY_PLATFORM, SSLEAY_DIR, SSLEAY_BUILT_ON
Jean-Paul Calderonee4f6b472010-07-29 22:50:58 -040027from OpenSSL.SSL import SENT_SHUTDOWN, RECEIVED_SHUTDOWN
Jean-Paul Calderone1461c492013-10-03 16:05:00 -040028from OpenSSL.SSL import (
29 SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD,
30 TLSv1_1_METHOD, TLSv1_2_METHOD)
31from OpenSSL.SSL import OP_SINGLE_DH_USE, OP_NO_SSLv2, OP_NO_SSLv3
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -040032from OpenSSL.SSL import (
33 VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT, VERIFY_CLIENT_ONCE, VERIFY_NONE)
Jean-Paul Calderone0222a492011-09-08 18:26:03 -040034
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -040035from OpenSSL.SSL import (
Jean-Paul Calderone313bf012012-02-08 13:02:49 -050036 SESS_CACHE_OFF, SESS_CACHE_CLIENT, SESS_CACHE_SERVER, SESS_CACHE_BOTH,
37 SESS_CACHE_NO_AUTO_CLEAR, SESS_CACHE_NO_INTERNAL_LOOKUP,
38 SESS_CACHE_NO_INTERNAL_STORE, SESS_CACHE_NO_INTERNAL)
39
40from OpenSSL.SSL import (
Jean-Paul Calderoned899af02013-03-19 22:10:37 -070041 Error, SysCallError, WantReadError, WantWriteError, ZeroReturnError)
Jean-Paul Calderonee0fcf512012-02-13 09:10:15 -050042from OpenSSL.SSL import (
Jean-Paul Calderoned899af02013-03-19 22:10:37 -070043 Context, ContextType, Session, Connection, ConnectionType, SSLeay_version)
Jean-Paul Calderone7526d172010-09-09 17:55:31 -040044
Jean-Paul Calderone210c0f32015-04-12 09:20:31 -040045from OpenSSL.test.util import NON_ASCII, TestCase, b
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -040046from OpenSSL.test.test_crypto import (
47 cleartextCertificatePEM, cleartextPrivateKeyPEM)
48from OpenSSL.test.test_crypto import (
49 client_cert_pem, client_key_pem, server_cert_pem, server_key_pem,
50 root_cert_pem)
51
Jean-Paul Calderone4bccf5e2008-12-28 22:50:42 -050052try:
53 from OpenSSL.SSL import OP_NO_QUERY_MTU
54except ImportError:
55 OP_NO_QUERY_MTU = None
56try:
57 from OpenSSL.SSL import OP_COOKIE_EXCHANGE
58except ImportError:
59 OP_COOKIE_EXCHANGE = None
60try:
61 from OpenSSL.SSL import OP_NO_TICKET
62except ImportError:
63 OP_NO_TICKET = None
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -040064
Jean-Paul Calderone0222a492011-09-08 18:26:03 -040065try:
Jean-Paul Calderonec62d4c12011-09-08 18:29:32 -040066 from OpenSSL.SSL import OP_NO_COMPRESSION
67except ImportError:
68 OP_NO_COMPRESSION = None
69
70try:
Jean-Paul Calderone0222a492011-09-08 18:26:03 -040071 from OpenSSL.SSL import MODE_RELEASE_BUFFERS
72except ImportError:
73 MODE_RELEASE_BUFFERS = None
74
Jean-Paul Calderone1461c492013-10-03 16:05:00 -040075try:
76 from OpenSSL.SSL import OP_NO_TLSv1, OP_NO_TLSv1_1, OP_NO_TLSv1_2
77except ImportError:
78 OP_NO_TLSv1 = OP_NO_TLSv1_1 = OP_NO_TLSv1_2 = None
79
Jean-Paul Calderone31e85a82011-03-21 19:13:35 -040080from OpenSSL.SSL import (
81 SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK, SSL_ST_INIT, SSL_ST_BEFORE,
82 SSL_ST_OK, SSL_ST_RENEGOTIATE,
83 SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT,
84 SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP,
85 SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT,
86 SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE)
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -040087
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -040088# openssl dhparam 128 -out dh-128.pem (note that 128 is a small number of bits
89# to use)
90dhparam = """\
91-----BEGIN DH PARAMETERS-----
92MBYCEQCobsg29c9WZP/54oAPcwiDAgEC
93-----END DH PARAMETERS-----
94"""
95
96
Jean-Paul Calderone05826732015-04-12 11:38:49 -040097def join_bytes_or_unicode(prefix, suffix):
98 """
99 Join two path components of either ``bytes`` or ``unicode``.
100
101 The return type is the same as the type of ``prefix``.
102 """
103 # If the types are the same, nothing special is necessary.
104 if type(prefix) == type(suffix):
105 return join(prefix, suffix)
106
107 # Otherwise, coerce suffix to the type of prefix.
108 if isinstance(prefix, text_type):
109 return join(prefix, suffix.decode(getfilesystemencoding()))
110 else:
111 return join(prefix, suffix.encode(getfilesystemencoding()))
112
113
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400114def verify_cb(conn, cert, errnum, depth, ok):
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400115 return ok
116
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -0400117
Rick Deanb1ccd562009-07-09 23:52:39 -0500118def socket_pair():
Jean-Paul Calderone1a9613b2009-07-16 12:13:36 -0400119 """
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400120 Establish and return a pair of network sockets connected to each other.
Jean-Paul Calderone1a9613b2009-07-16 12:13:36 -0400121 """
122 # Connect a pair of sockets
Rick Deanb1ccd562009-07-09 23:52:39 -0500123 port = socket()
124 port.bind(('', 0))
125 port.listen(1)
126 client = socket()
127 client.setblocking(False)
Jean-Paul Calderonef23c5d92009-07-23 17:58:15 -0400128 client.connect_ex(("127.0.0.1", port.getsockname()[1]))
Jean-Paul Calderone94b24a82009-07-16 19:11:38 -0400129 client.setblocking(True)
Rick Deanb1ccd562009-07-09 23:52:39 -0500130 server = port.accept()[0]
Rick Deanb1ccd562009-07-09 23:52:39 -0500131
Jean-Paul Calderone1a9613b2009-07-16 12:13:36 -0400132 # Let's pass some unencrypted data to make sure our socket connection is
133 # fine. Just one byte, so we don't have to worry about buffers getting
134 # filled up or fragmentation.
Jean-Paul Calderone9e4eeae2010-08-22 21:32:52 -0400135 server.send(b("x"))
136 assert client.recv(1024) == b("x")
137 client.send(b("y"))
138 assert server.recv(1024) == b("y")
Rick Deanb1ccd562009-07-09 23:52:39 -0500139
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -0400140 # Most of our callers want non-blocking sockets, make it easy for them.
Jean-Paul Calderone94b24a82009-07-16 19:11:38 -0400141 server.setblocking(False)
142 client.setblocking(False)
143
Rick Deanb1ccd562009-07-09 23:52:39 -0500144 return (server, client)
145
146
Jean-Paul Calderone94b24a82009-07-16 19:11:38 -0400147
Jean-Paul Calderonef8742032010-09-25 00:00:32 -0400148def handshake(client, server):
149 conns = [client, server]
150 while conns:
151 for conn in conns:
152 try:
153 conn.do_handshake()
154 except WantReadError:
155 pass
156 else:
157 conns.remove(conn)
158
159
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -0400160def _create_certificate_chain():
161 """
162 Construct and return a chain of certificates.
163
164 1. A new self-signed certificate authority certificate (cacert)
165 2. A new intermediate certificate signed by cacert (icert)
166 3. A new server certificate signed by icert (scert)
167 """
168 caext = X509Extension(b('basicConstraints'), False, b('CA:true'))
169
170 # Step 1
171 cakey = PKey()
172 cakey.generate_key(TYPE_RSA, 512)
173 cacert = X509()
174 cacert.get_subject().commonName = "Authority Certificate"
175 cacert.set_issuer(cacert.get_subject())
176 cacert.set_pubkey(cakey)
177 cacert.set_notBefore(b("20000101000000Z"))
178 cacert.set_notAfter(b("20200101000000Z"))
179 cacert.add_extensions([caext])
180 cacert.set_serial_number(0)
181 cacert.sign(cakey, "sha1")
182
183 # Step 2
184 ikey = PKey()
185 ikey.generate_key(TYPE_RSA, 512)
186 icert = X509()
187 icert.get_subject().commonName = "Intermediate Certificate"
188 icert.set_issuer(cacert.get_subject())
189 icert.set_pubkey(ikey)
190 icert.set_notBefore(b("20000101000000Z"))
191 icert.set_notAfter(b("20200101000000Z"))
192 icert.add_extensions([caext])
193 icert.set_serial_number(0)
194 icert.sign(cakey, "sha1")
195
196 # Step 3
197 skey = PKey()
198 skey.generate_key(TYPE_RSA, 512)
199 scert = X509()
200 scert.get_subject().commonName = "Server Certificate"
201 scert.set_issuer(icert.get_subject())
202 scert.set_pubkey(skey)
203 scert.set_notBefore(b("20000101000000Z"))
204 scert.set_notAfter(b("20200101000000Z"))
205 scert.add_extensions([
206 X509Extension(b('basicConstraints'), True, b('CA:false'))])
207 scert.set_serial_number(0)
208 scert.sign(ikey, "sha1")
209
210 return [(cakey, cacert), (ikey, icert), (skey, scert)]
211
212
213
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400214class _LoopbackMixin:
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -0400215 """
216 Helper mixin which defines methods for creating a connected socket pair and
217 for forcing two connected SSL sockets to talk to each other via memory BIOs.
218 """
Jean-Paul Calderonefef5c4b2012-02-14 16:31:52 -0500219 def _loopbackClientFactory(self, socket):
220 client = Connection(Context(TLSv1_METHOD), socket)
221 client.set_connect_state()
222 return client
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400223
Jean-Paul Calderonefef5c4b2012-02-14 16:31:52 -0500224
225 def _loopbackServerFactory(self, socket):
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400226 ctx = Context(TLSv1_METHOD)
227 ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
228 ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
Jean-Paul Calderonefef5c4b2012-02-14 16:31:52 -0500229 server = Connection(ctx, socket)
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400230 server.set_accept_state()
Jean-Paul Calderonefef5c4b2012-02-14 16:31:52 -0500231 return server
232
233
234 def _loopback(self, serverFactory=None, clientFactory=None):
235 if serverFactory is None:
236 serverFactory = self._loopbackServerFactory
237 if clientFactory is None:
238 clientFactory = self._loopbackClientFactory
239
240 (server, client) = socket_pair()
241 server = serverFactory(server)
242 client = clientFactory(client)
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400243
Jean-Paul Calderonef8742032010-09-25 00:00:32 -0400244 handshake(client, server)
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400245
246 server.setblocking(True)
247 client.setblocking(True)
248 return server, client
249
250
251 def _interactInMemory(self, client_conn, server_conn):
252 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900253 Try to read application bytes from each of the two :py:obj:`Connection`
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400254 objects. Copy bytes back and forth between their send/receive buffers
255 for as long as there is anything to copy. When there is nothing more
Jonathan Ballet648875f2011-07-16 14:14:58 +0900256 to copy, return :py:obj:`None`. If one of them actually manages to deliver
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400257 some application bytes, return a two-tuple of the connection from which
258 the bytes were read and the bytes themselves.
259 """
260 wrote = True
261 while wrote:
262 # Loop until neither side has anything to say
263 wrote = False
264
265 # Copy stuff from each side's send buffer to the other side's
266 # receive buffer.
267 for (read, write) in [(client_conn, server_conn),
268 (server_conn, client_conn)]:
269
270 # Give the side a chance to generate some more bytes, or
271 # succeed.
272 try:
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -0400273 data = read.recv(2 ** 16)
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400274 except WantReadError:
275 # It didn't succeed, so we'll hope it generated some
276 # output.
277 pass
278 else:
279 # It did succeed, so we'll stop now and let the caller deal
280 # with it.
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -0400281 return (read, data)
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400282
283 while True:
284 # Keep copying as long as there's more stuff there.
285 try:
286 dirty = read.bio_read(4096)
287 except WantReadError:
288 # Okay, nothing more waiting to be sent. Stop
289 # processing this send buffer.
290 break
291 else:
292 # Keep track of the fact that someone generated some
293 # output.
294 wrote = True
295 write.bio_write(dirty)
296
297
Jean-Paul Calderone6a8cd112014-04-02 21:09:08 -0400298 def _handshakeInMemory(self, client_conn, server_conn):
Jean-Paul Calderoneb2b40782014-05-06 08:47:40 -0400299 """
300 Perform the TLS handshake between two :py:class:`Connection` instances
301 connected to each other via memory BIOs.
302 """
Jean-Paul Calderone6a8cd112014-04-02 21:09:08 -0400303 client_conn.set_connect_state()
304 server_conn.set_accept_state()
305
306 for conn in [client_conn, server_conn]:
307 try:
308 conn.do_handshake()
309 except WantReadError:
310 pass
311
312 self._interactInMemory(client_conn, server_conn)
313
314
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -0400315
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400316class VersionTests(TestCase):
317 """
318 Tests for version information exposed by
Jonathan Ballet648875f2011-07-16 14:14:58 +0900319 :py:obj:`OpenSSL.SSL.SSLeay_version` and
320 :py:obj:`OpenSSL.SSL.OPENSSL_VERSION_NUMBER`.
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400321 """
322 def test_OPENSSL_VERSION_NUMBER(self):
323 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900324 :py:obj:`OPENSSL_VERSION_NUMBER` is an integer with status in the low
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400325 byte and the patch, fix, minor, and major versions in the
326 nibbles above that.
327 """
328 self.assertTrue(isinstance(OPENSSL_VERSION_NUMBER, int))
329
330
331 def test_SSLeay_version(self):
332 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900333 :py:obj:`SSLeay_version` takes a version type indicator and returns
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400334 one of a number of version strings based on that indicator.
335 """
336 versions = {}
337 for t in [SSLEAY_VERSION, SSLEAY_CFLAGS, SSLEAY_BUILT_ON,
338 SSLEAY_PLATFORM, SSLEAY_DIR]:
339 version = SSLeay_version(t)
340 versions[version] = t
341 self.assertTrue(isinstance(version, bytes))
342 self.assertEqual(len(versions), 5)
343
344
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -0400345
346class ContextTests(TestCase, _LoopbackMixin):
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -0400347 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900348 Unit tests for :py:obj:`OpenSSL.SSL.Context`.
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -0400349 """
350 def test_method(self):
351 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900352 :py:obj:`Context` can be instantiated with one of :py:obj:`SSLv2_METHOD`,
Jean-Paul Calderone1461c492013-10-03 16:05:00 -0400353 :py:obj:`SSLv3_METHOD`, :py:obj:`SSLv23_METHOD`, :py:obj:`TLSv1_METHOD`,
354 :py:obj:`TLSv1_1_METHOD`, or :py:obj:`TLSv1_2_METHOD`.
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -0400355 """
Jean-Paul Calderone1461c492013-10-03 16:05:00 -0400356 methods = [
357 SSLv3_METHOD, SSLv23_METHOD, TLSv1_METHOD]
358 for meth in methods:
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -0400359 Context(meth)
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400360
Jean-Paul Calderone1461c492013-10-03 16:05:00 -0400361
362 maybe = [SSLv2_METHOD, TLSv1_1_METHOD, TLSv1_2_METHOD]
363 for meth in maybe:
364 try:
365 Context(meth)
366 except (Error, ValueError):
367 # Some versions of OpenSSL have SSLv2 / TLSv1.1 / TLSv1.2, some
368 # don't. Difficult to say in advance.
369 pass
Jean-Paul Calderone9f2e38e2011-04-14 09:36:55 -0400370
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -0400371 self.assertRaises(TypeError, Context, "")
372 self.assertRaises(ValueError, Context, 10)
373
374
Jean-Paul Calderonef73a3cb2014-02-09 08:49:06 -0500375 if not PY3:
376 def test_method_long(self):
377 """
378 On Python 2 :py:class:`Context` accepts values of type
379 :py:obj:`long` as well as :py:obj:`int`.
380 """
381 Context(long(TLSv1_METHOD))
382
383
384
Rick Deane15b1472009-07-09 15:53:42 -0500385 def test_type(self):
386 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900387 :py:obj:`Context` and :py:obj:`ContextType` refer to the same type object and can be
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400388 used to create instances of that type.
Rick Deane15b1472009-07-09 15:53:42 -0500389 """
Jean-Paul Calderone68649052009-07-17 21:14:27 -0400390 self.assertIdentical(Context, ContextType)
391 self.assertConsistentType(Context, 'Context', TLSv1_METHOD)
Rick Deane15b1472009-07-09 15:53:42 -0500392
393
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -0400394 def test_use_privatekey(self):
395 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900396 :py:obj:`Context.use_privatekey` takes an :py:obj:`OpenSSL.crypto.PKey` instance.
Jean-Paul Calderone30c09ea2008-03-21 17:04:05 -0400397 """
398 key = PKey()
399 key.generate_key(TYPE_RSA, 128)
400 ctx = Context(TLSv1_METHOD)
401 ctx.use_privatekey(key)
402 self.assertRaises(TypeError, ctx.use_privatekey, "")
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400403
404
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800405 def test_use_privatekey_file_missing(self):
406 """
407 :py:obj:`Context.use_privatekey_file` raises :py:obj:`OpenSSL.SSL.Error`
408 when passed the name of a file which does not exist.
409 """
410 ctx = Context(TLSv1_METHOD)
411 self.assertRaises(Error, ctx.use_privatekey_file, self.mktemp())
412
413
Jean-Paul Calderone69a4e5b2015-04-12 10:04:28 -0400414 def _use_privatekey_file_test(self, pemfile, filetype):
415 """
416 Verify that calling ``Context.use_privatekey_file`` with the given
417 arguments does not raise an exception.
418 """
419 key = PKey()
420 key.generate_key(TYPE_RSA, 128)
421
422 with open(pemfile, "wt") as pem:
423 pem.write(
424 dump_privatekey(FILETYPE_PEM, key).decode("ascii")
425 )
426
427 ctx = Context(TLSv1_METHOD)
428 ctx.use_privatekey_file(pemfile, filetype)
429
430
431 def test_use_privatekey_file_bytes(self):
432 """
433 A private key can be specified from a file by passing a ``bytes``
434 instance giving the file name to ``Context.use_privatekey_file``.
435 """
436 self._use_privatekey_file_test(
437 self.mktemp() + NON_ASCII.encode(getfilesystemencoding()),
438 FILETYPE_PEM,
439 )
440
441
442 def test_use_privatekey_file_unicode(self):
443 """
444 A private key can be specified from a file by passing a ``unicode``
445 instance giving the file name to ``Context.use_privatekey_file``.
446 """
447 self._use_privatekey_file_test(
448 self.mktemp().decode(getfilesystemencoding()) + NON_ASCII,
449 FILETYPE_PEM,
450 )
451
452
Jean-Paul Calderonef73a3cb2014-02-09 08:49:06 -0500453 if not PY3:
454 def test_use_privatekey_file_long(self):
455 """
456 On Python 2 :py:obj:`Context.use_privatekey_file` accepts a
457 filetype of type :py:obj:`long` as well as :py:obj:`int`.
458 """
Jean-Paul Calderone69a4e5b2015-04-12 10:04:28 -0400459 self._use_privatekey_file_test(self.mktemp(), long(FILETYPE_PEM))
Jean-Paul Calderonef73a3cb2014-02-09 08:49:06 -0500460
461
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800462 def test_use_certificate_wrong_args(self):
463 """
464 :py:obj:`Context.use_certificate_wrong_args` raises :py:obj:`TypeError`
465 when not passed exactly one :py:obj:`OpenSSL.crypto.X509` instance as an
466 argument.
467 """
468 ctx = Context(TLSv1_METHOD)
469 self.assertRaises(TypeError, ctx.use_certificate)
470 self.assertRaises(TypeError, ctx.use_certificate, "hello, world")
471 self.assertRaises(TypeError, ctx.use_certificate, X509(), "hello, world")
472
473
474 def test_use_certificate_uninitialized(self):
475 """
476 :py:obj:`Context.use_certificate` raises :py:obj:`OpenSSL.SSL.Error`
477 when passed a :py:obj:`OpenSSL.crypto.X509` instance which has not been
478 initialized (ie, which does not actually have any certificate data).
479 """
480 ctx = Context(TLSv1_METHOD)
481 self.assertRaises(Error, ctx.use_certificate, X509())
482
483
484 def test_use_certificate(self):
485 """
486 :py:obj:`Context.use_certificate` sets the certificate which will be
487 used to identify connections created using the context.
488 """
489 # TODO
490 # Hard to assert anything. But we could set a privatekey then ask
491 # OpenSSL if the cert and key agree using check_privatekey. Then as
492 # long as check_privatekey works right we're good...
493 ctx = Context(TLSv1_METHOD)
494 ctx.use_certificate(load_certificate(FILETYPE_PEM, cleartextCertificatePEM))
495
496
497 def test_use_certificate_file_wrong_args(self):
498 """
499 :py:obj:`Context.use_certificate_file` raises :py:obj:`TypeError` if
500 called with zero arguments or more than two arguments, or if the first
501 argument is not a byte string or the second argumnent is not an integer.
502 """
503 ctx = Context(TLSv1_METHOD)
504 self.assertRaises(TypeError, ctx.use_certificate_file)
505 self.assertRaises(TypeError, ctx.use_certificate_file, b"somefile", object())
506 self.assertRaises(
507 TypeError, ctx.use_certificate_file, b"somefile", FILETYPE_PEM, object())
508 self.assertRaises(
509 TypeError, ctx.use_certificate_file, object(), FILETYPE_PEM)
510 self.assertRaises(
511 TypeError, ctx.use_certificate_file, b"somefile", object())
512
513
514 def test_use_certificate_file_missing(self):
515 """
516 :py:obj:`Context.use_certificate_file` raises
517 `:py:obj:`OpenSSL.SSL.Error` if passed the name of a file which does not
518 exist.
519 """
520 ctx = Context(TLSv1_METHOD)
521 self.assertRaises(Error, ctx.use_certificate_file, self.mktemp())
522
523
Jean-Paul Calderoned57a7b62015-04-12 09:57:36 -0400524 def _use_certificate_file_test(self, certificate_file):
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800525 """
Jean-Paul Calderoned57a7b62015-04-12 09:57:36 -0400526 Verify that calling ``Context.use_certificate_file`` with the given
527 filename doesn't raise an exception.
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800528 """
529 # TODO
530 # Hard to assert anything. But we could set a privatekey then ask
531 # OpenSSL if the cert and key agree using check_privatekey. Then as
532 # long as check_privatekey works right we're good...
Jean-Paul Calderoned57a7b62015-04-12 09:57:36 -0400533 with open(certificate_file, "wb") as pem_file:
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800534 pem_file.write(cleartextCertificatePEM)
535
536 ctx = Context(TLSv1_METHOD)
Jean-Paul Calderoned57a7b62015-04-12 09:57:36 -0400537 ctx.use_certificate_file(certificate_file)
538
539
540 def test_use_certificate_file_bytes(self):
541 """
542 :py:obj:`Context.use_certificate_file` sets the certificate (given as a
543 ``bytes`` filename) which will be used to identify connections created
544 using the context.
545 """
546 filename = self.mktemp() + NON_ASCII.encode(getfilesystemencoding())
547 self._use_certificate_file_test(filename)
548
549
550 def test_use_certificate_file_unicode(self):
551 """
552 :py:obj:`Context.use_certificate_file` sets the certificate (given as a
553 ``bytes`` filename) which will be used to identify connections created
554 using the context.
555 """
556 filename = self.mktemp().decode(getfilesystemencoding()) + NON_ASCII
557 self._use_certificate_file_test(filename)
Jean-Paul Calderone173cff92013-03-06 10:29:21 -0800558
559
Jean-Paul Calderonef73a3cb2014-02-09 08:49:06 -0500560 if not PY3:
561 def test_use_certificate_file_long(self):
562 """
563 On Python 2 :py:obj:`Context.use_certificate_file` accepts a
564 filetype of type :py:obj:`long` as well as :py:obj:`int`.
565 """
566 pem_filename = self.mktemp()
567 with open(pem_filename, "wb") as pem_file:
568 pem_file.write(cleartextCertificatePEM)
569
570 ctx = Context(TLSv1_METHOD)
571 ctx.use_certificate_file(pem_filename, long(FILETYPE_PEM))
572
573
Jean-Paul Calderone932f5cc2014-12-11 13:58:00 -0500574 def test_check_privatekey_valid(self):
575 """
576 :py:obj:`Context.check_privatekey` returns :py:obj:`None` if the
577 :py:obj:`Context` instance has been configured to use a matched key and
578 certificate pair.
579 """
580 key = load_privatekey(FILETYPE_PEM, client_key_pem)
581 cert = load_certificate(FILETYPE_PEM, client_cert_pem)
582 context = Context(TLSv1_METHOD)
583 context.use_privatekey(key)
584 context.use_certificate(cert)
585 self.assertIs(None, context.check_privatekey())
586
587
588 def test_check_privatekey_invalid(self):
589 """
590 :py:obj:`Context.check_privatekey` raises :py:obj:`Error` if the
591 :py:obj:`Context` instance has been configured to use a key and
592 certificate pair which don't relate to each other.
593 """
594 key = load_privatekey(FILETYPE_PEM, client_key_pem)
595 cert = load_certificate(FILETYPE_PEM, server_cert_pem)
596 context = Context(TLSv1_METHOD)
597 context.use_privatekey(key)
598 context.use_certificate(cert)
599 self.assertRaises(Error, context.check_privatekey)
600
601
602 def test_check_privatekey_wrong_args(self):
603 """
604 :py:obj:`Context.check_privatekey` raises :py:obj:`TypeError` if called
605 with other than no arguments.
606 """
607 context = Context(TLSv1_METHOD)
608 self.assertRaises(TypeError, context.check_privatekey, object())
609
610
Jean-Paul Calderonebd479162010-07-30 18:03:25 -0400611 def test_set_app_data_wrong_args(self):
612 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900613 :py:obj:`Context.set_app_data` raises :py:obj:`TypeError` if called with other than
Jean-Paul Calderonebd479162010-07-30 18:03:25 -0400614 one argument.
615 """
616 context = Context(TLSv1_METHOD)
617 self.assertRaises(TypeError, context.set_app_data)
618 self.assertRaises(TypeError, context.set_app_data, None, None)
619
620
621 def test_get_app_data_wrong_args(self):
622 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900623 :py:obj:`Context.get_app_data` raises :py:obj:`TypeError` if called with any
Jean-Paul Calderonebd479162010-07-30 18:03:25 -0400624 arguments.
625 """
626 context = Context(TLSv1_METHOD)
627 self.assertRaises(TypeError, context.get_app_data, None)
628
629
630 def test_app_data(self):
631 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900632 :py:obj:`Context.set_app_data` stores an object for later retrieval using
633 :py:obj:`Context.get_app_data`.
Jean-Paul Calderonebd479162010-07-30 18:03:25 -0400634 """
635 app_data = object()
636 context = Context(TLSv1_METHOD)
637 context.set_app_data(app_data)
638 self.assertIdentical(context.get_app_data(), app_data)
639
640
Jean-Paul Calderone40569ca2010-07-30 18:04:58 -0400641 def test_set_options_wrong_args(self):
642 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900643 :py:obj:`Context.set_options` raises :py:obj:`TypeError` if called with the wrong
644 number of arguments or a non-:py:obj:`int` argument.
Jean-Paul Calderone40569ca2010-07-30 18:04:58 -0400645 """
646 context = Context(TLSv1_METHOD)
647 self.assertRaises(TypeError, context.set_options)
648 self.assertRaises(TypeError, context.set_options, None)
649 self.assertRaises(TypeError, context.set_options, 1, None)
650
651
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -0500652 def test_set_options(self):
653 """
654 :py:obj:`Context.set_options` returns the new options value.
655 """
656 context = Context(TLSv1_METHOD)
657 options = context.set_options(OP_NO_SSLv2)
658 self.assertTrue(OP_NO_SSLv2 & options)
659
660
661 if not PY3:
662 def test_set_options_long(self):
663 """
664 On Python 2 :py:obj:`Context.set_options` accepts values of type
665 :py:obj:`long` as well as :py:obj:`int`.
666 """
667 context = Context(TLSv1_METHOD)
668 options = context.set_options(long(OP_NO_SSLv2))
669 self.assertTrue(OP_NO_SSLv2 & options)
670
671
Guillermo Gonzalez74a2c292011-08-29 16:16:58 -0300672 def test_set_mode_wrong_args(self):
673 """
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -0400674 :py:obj:`Context.set`mode} raises :py:obj:`TypeError` if called with the wrong
675 number of arguments or a non-:py:obj:`int` argument.
Guillermo Gonzalez74a2c292011-08-29 16:16:58 -0300676 """
677 context = Context(TLSv1_METHOD)
678 self.assertRaises(TypeError, context.set_mode)
679 self.assertRaises(TypeError, context.set_mode, None)
680 self.assertRaises(TypeError, context.set_mode, 1, None)
681
682
Jean-Paul Calderone0222a492011-09-08 18:26:03 -0400683 if MODE_RELEASE_BUFFERS is not None:
684 def test_set_mode(self):
685 """
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -0400686 :py:obj:`Context.set_mode` accepts a mode bitvector and returns the newly
Jean-Paul Calderone0222a492011-09-08 18:26:03 -0400687 set mode.
688 """
689 context = Context(TLSv1_METHOD)
690 self.assertTrue(
691 MODE_RELEASE_BUFFERS & context.set_mode(MODE_RELEASE_BUFFERS))
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -0500692
693 if not PY3:
694 def test_set_mode_long(self):
695 """
696 On Python 2 :py:obj:`Context.set_mode` accepts values of type
697 :py:obj:`long` as well as :py:obj:`int`.
698 """
699 context = Context(TLSv1_METHOD)
700 mode = context.set_mode(long(MODE_RELEASE_BUFFERS))
701 self.assertTrue(MODE_RELEASE_BUFFERS & mode)
Jean-Paul Calderone0222a492011-09-08 18:26:03 -0400702 else:
703 "MODE_RELEASE_BUFFERS unavailable - OpenSSL version may be too old"
704
705
Jean-Paul Calderone5ebb44a2010-07-30 18:09:41 -0400706 def test_set_timeout_wrong_args(self):
707 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900708 :py:obj:`Context.set_timeout` raises :py:obj:`TypeError` if called with the wrong
709 number of arguments or a non-:py:obj:`int` argument.
Jean-Paul Calderone5ebb44a2010-07-30 18:09:41 -0400710 """
711 context = Context(TLSv1_METHOD)
712 self.assertRaises(TypeError, context.set_timeout)
713 self.assertRaises(TypeError, context.set_timeout, None)
714 self.assertRaises(TypeError, context.set_timeout, 1, None)
715
716
717 def test_get_timeout_wrong_args(self):
718 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900719 :py:obj:`Context.get_timeout` raises :py:obj:`TypeError` if called with any arguments.
Jean-Paul Calderone5ebb44a2010-07-30 18:09:41 -0400720 """
721 context = Context(TLSv1_METHOD)
722 self.assertRaises(TypeError, context.get_timeout, None)
723
724
725 def test_timeout(self):
726 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900727 :py:obj:`Context.set_timeout` sets the session timeout for all connections
728 created using the context object. :py:obj:`Context.get_timeout` retrieves this
Jean-Paul Calderone5ebb44a2010-07-30 18:09:41 -0400729 value.
730 """
731 context = Context(TLSv1_METHOD)
732 context.set_timeout(1234)
733 self.assertEquals(context.get_timeout(), 1234)
734
735
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -0500736 if not PY3:
737 def test_timeout_long(self):
738 """
739 On Python 2 :py:obj:`Context.set_timeout` accepts values of type
740 `long` as well as int.
741 """
742 context = Context(TLSv1_METHOD)
743 context.set_timeout(long(1234))
744 self.assertEquals(context.get_timeout(), 1234)
745
746
Jean-Paul Calderonee2b69512010-07-30 18:22:06 -0400747 def test_set_verify_depth_wrong_args(self):
748 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900749 :py:obj:`Context.set_verify_depth` raises :py:obj:`TypeError` if called with the wrong
750 number of arguments or a non-:py:obj:`int` argument.
Jean-Paul Calderonee2b69512010-07-30 18:22:06 -0400751 """
752 context = Context(TLSv1_METHOD)
753 self.assertRaises(TypeError, context.set_verify_depth)
754 self.assertRaises(TypeError, context.set_verify_depth, None)
755 self.assertRaises(TypeError, context.set_verify_depth, 1, None)
756
757
758 def test_get_verify_depth_wrong_args(self):
759 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900760 :py:obj:`Context.get_verify_depth` raises :py:obj:`TypeError` if called with any arguments.
Jean-Paul Calderonee2b69512010-07-30 18:22:06 -0400761 """
762 context = Context(TLSv1_METHOD)
763 self.assertRaises(TypeError, context.get_verify_depth, None)
764
765
766 def test_verify_depth(self):
767 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900768 :py:obj:`Context.set_verify_depth` sets the number of certificates in a chain
Jean-Paul Calderonee2b69512010-07-30 18:22:06 -0400769 to follow before giving up. The value can be retrieved with
Jonathan Ballet648875f2011-07-16 14:14:58 +0900770 :py:obj:`Context.get_verify_depth`.
Jean-Paul Calderonee2b69512010-07-30 18:22:06 -0400771 """
772 context = Context(TLSv1_METHOD)
773 context.set_verify_depth(11)
774 self.assertEquals(context.get_verify_depth(), 11)
775
776
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -0500777 if not PY3:
778 def test_verify_depth_long(self):
779 """
780 On Python 2 :py:obj:`Context.set_verify_depth` accepts values of
781 type `long` as well as int.
782 """
783 context = Context(TLSv1_METHOD)
784 context.set_verify_depth(long(11))
785 self.assertEquals(context.get_verify_depth(), 11)
786
787
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400788 def _write_encrypted_pem(self, passphrase):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -0400789 """
790 Write a new private key out to a new file, encrypted using the given
791 passphrase. Return the path to the new file.
792 """
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400793 key = PKey()
794 key.generate_key(TYPE_RSA, 128)
795 pemFile = self.mktemp()
Jean-Paul Calderonea9868832010-08-22 21:38:34 -0400796 fObj = open(pemFile, 'w')
797 pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase)
798 fObj.write(pem.decode('ascii'))
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400799 fObj.close()
800 return pemFile
801
802
Jean-Paul Calderonef4480622010-08-02 18:25:03 -0400803 def test_set_passwd_cb_wrong_args(self):
804 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900805 :py:obj:`Context.set_passwd_cb` raises :py:obj:`TypeError` if called with the
Jean-Paul Calderonef4480622010-08-02 18:25:03 -0400806 wrong arguments or with a non-callable first argument.
807 """
808 context = Context(TLSv1_METHOD)
809 self.assertRaises(TypeError, context.set_passwd_cb)
810 self.assertRaises(TypeError, context.set_passwd_cb, None)
811 self.assertRaises(TypeError, context.set_passwd_cb, lambda: None, None, None)
812
813
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400814 def test_set_passwd_cb(self):
815 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900816 :py:obj:`Context.set_passwd_cb` accepts a callable which will be invoked when
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400817 a private key is loaded from an encrypted PEM.
818 """
Jean-Paul Calderonea9868832010-08-22 21:38:34 -0400819 passphrase = b("foobar")
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400820 pemFile = self._write_encrypted_pem(passphrase)
Jean-Paul Calderone828c9cb2008-04-26 18:06:54 -0400821 calledWith = []
822 def passphraseCallback(maxlen, verify, extra):
823 calledWith.append((maxlen, verify, extra))
824 return passphrase
825 context = Context(TLSv1_METHOD)
826 context.set_passwd_cb(passphraseCallback)
827 context.use_privatekey_file(pemFile)
828 self.assertTrue(len(calledWith), 1)
829 self.assertTrue(isinstance(calledWith[0][0], int))
830 self.assertTrue(isinstance(calledWith[0][1], int))
831 self.assertEqual(calledWith[0][2], None)
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400832
833
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400834 def test_passwd_callback_exception(self):
835 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900836 :py:obj:`Context.use_privatekey_file` propagates any exception raised by the
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400837 passphrase callback.
838 """
Jean-Paul Calderonea9868832010-08-22 21:38:34 -0400839 pemFile = self._write_encrypted_pem(b("monkeys are nice"))
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400840 def passphraseCallback(maxlen, verify, extra):
841 raise RuntimeError("Sorry, I am a fail.")
842
843 context = Context(TLSv1_METHOD)
844 context.set_passwd_cb(passphraseCallback)
845 self.assertRaises(RuntimeError, context.use_privatekey_file, pemFile)
846
847
848 def test_passwd_callback_false(self):
849 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900850 :py:obj:`Context.use_privatekey_file` raises :py:obj:`OpenSSL.SSL.Error` if the
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400851 passphrase callback returns a false value.
852 """
Jean-Paul Calderonea9868832010-08-22 21:38:34 -0400853 pemFile = self._write_encrypted_pem(b("monkeys are nice"))
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400854 def passphraseCallback(maxlen, verify, extra):
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -0500855 return b""
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400856
857 context = Context(TLSv1_METHOD)
858 context.set_passwd_cb(passphraseCallback)
859 self.assertRaises(Error, context.use_privatekey_file, pemFile)
860
861
862 def test_passwd_callback_non_string(self):
863 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900864 :py:obj:`Context.use_privatekey_file` raises :py:obj:`OpenSSL.SSL.Error` if the
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400865 passphrase callback returns a true non-string value.
866 """
Jean-Paul Calderonea9868832010-08-22 21:38:34 -0400867 pemFile = self._write_encrypted_pem(b("monkeys are nice"))
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400868 def passphraseCallback(maxlen, verify, extra):
869 return 10
870
871 context = Context(TLSv1_METHOD)
872 context.set_passwd_cb(passphraseCallback)
Jean-Paul Calderone8a1bea52013-03-05 07:57:57 -0800873 self.assertRaises(ValueError, context.use_privatekey_file, pemFile)
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400874
875
876 def test_passwd_callback_too_long(self):
877 """
878 If the passphrase returned by the passphrase callback returns a string
879 longer than the indicated maximum length, it is truncated.
880 """
881 # A priori knowledge!
Jean-Paul Calderonea9868832010-08-22 21:38:34 -0400882 passphrase = b("x") * 1024
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400883 pemFile = self._write_encrypted_pem(passphrase)
884 def passphraseCallback(maxlen, verify, extra):
885 assert maxlen == 1024
Jean-Paul Calderoneb1f7f5f2010-08-22 21:40:52 -0400886 return passphrase + b("y")
Jean-Paul Calderone389d76d2010-07-30 17:57:53 -0400887
888 context = Context(TLSv1_METHOD)
889 context.set_passwd_cb(passphraseCallback)
890 # This shall succeed because the truncated result is the correct
891 # passphrase.
892 context.use_privatekey_file(pemFile)
893
894
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400895 def test_set_info_callback(self):
896 """
Jonathan Ballet648875f2011-07-16 14:14:58 +0900897 :py:obj:`Context.set_info_callback` accepts a callable which will be invoked
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400898 when certain information about an SSL connection is available.
899 """
Rick Deanb1ccd562009-07-09 23:52:39 -0500900 (server, client) = socket_pair()
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400901
902 clientSSL = Connection(Context(TLSv1_METHOD), client)
903 clientSSL.set_connect_state()
904
905 called = []
906 def info(conn, where, ret):
907 called.append((conn, where, ret))
908 context = Context(TLSv1_METHOD)
909 context.set_info_callback(info)
910 context.use_certificate(
911 load_certificate(FILETYPE_PEM, cleartextCertificatePEM))
912 context.use_privatekey(
913 load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))
914
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400915 serverSSL = Connection(context, server)
916 serverSSL.set_accept_state()
917
Jean-Paul Calderonef2bbc9c2014-02-02 10:59:14 -0500918 handshake(clientSSL, serverSSL)
Jean-Paul Calderone5ef86512008-04-26 19:06:28 -0400919
Jean-Paul Calderone3835e522014-02-02 11:12:30 -0500920 # The callback must always be called with a Connection instance as the
921 # first argument. It would probably be better to split this into
922 # separate tests for client and server side info callbacks so we could
923 # assert it is called with the right Connection instance. It would
924 # also be good to assert *something* about `where` and `ret`.
Jean-Paul Calderonef2bbc9c2014-02-02 10:59:14 -0500925 notConnections = [
926 conn for (conn, where, ret) in called
927 if not isinstance(conn, Connection)]
928 self.assertEqual(
929 [], notConnections,
930 "Some info callback arguments were not Connection instaces.")
Jean-Paul Calderonee1bd4322008-09-07 20:17:17 -0400931
932
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400933 def _load_verify_locations_test(self, *args):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -0400934 """
935 Create a client context which will verify the peer certificate and call
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -0400936 its :py:obj:`load_verify_locations` method with the given arguments.
937 Then connect it to a server and ensure that the handshake succeeds.
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -0400938 """
Rick Deanb1ccd562009-07-09 23:52:39 -0500939 (server, client) = socket_pair()
Jean-Paul Calderonee1bd4322008-09-07 20:17:17 -0400940
Jean-Paul Calderonee1bd4322008-09-07 20:17:17 -0400941 clientContext = Context(TLSv1_METHOD)
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400942 clientContext.load_verify_locations(*args)
Jean-Paul Calderonee1bd4322008-09-07 20:17:17 -0400943 # Require that the server certificate verify properly or the
944 # connection will fail.
945 clientContext.set_verify(
946 VERIFY_PEER,
947 lambda conn, cert, errno, depth, preverify_ok: preverify_ok)
948
949 clientSSL = Connection(clientContext, client)
950 clientSSL.set_connect_state()
951
Jean-Paul Calderonee1bd4322008-09-07 20:17:17 -0400952 serverContext = Context(TLSv1_METHOD)
953 serverContext.use_certificate(
954 load_certificate(FILETYPE_PEM, cleartextCertificatePEM))
955 serverContext.use_privatekey(
956 load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))
957
958 serverSSL = Connection(serverContext, server)
959 serverSSL.set_accept_state()
960
Jean-Paul Calderonef8742032010-09-25 00:00:32 -0400961 # Without load_verify_locations above, the handshake
962 # will fail:
963 # Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE',
964 # 'certificate verify failed')]
965 handshake(clientSSL, serverSSL)
Jean-Paul Calderonee1bd4322008-09-07 20:17:17 -0400966
967 cert = clientSSL.get_peer_certificate()
Jean-Paul Calderone20131f52009-04-01 12:05:45 -0400968 self.assertEqual(cert.get_subject().CN, 'Testing Root CA')
Jean-Paul Calderone5075fce2008-09-07 20:18:55 -0400969
Jean-Paul Calderone12608a82009-11-07 10:35:15 -0500970
Jean-Paul Calderone210c0f32015-04-12 09:20:31 -0400971 def _load_verify_cafile(self, cafile):
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400972 """
Jean-Paul Calderone210c0f32015-04-12 09:20:31 -0400973 Verify that if path to a file containing a certificate is passed to
974 ``Context.load_verify_locations`` for the ``cafile`` parameter, that
975 certificate is used as a trust root for the purposes of verifying
976 connections created using that ``Context``.
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400977 """
Jean-Paul Calderonea9868832010-08-22 21:38:34 -0400978 fObj = open(cafile, 'w')
Jean-Paul Calderoneb1f7f5f2010-08-22 21:40:52 -0400979 fObj.write(cleartextCertificatePEM.decode('ascii'))
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -0400980 fObj.close()
981
982 self._load_verify_locations_test(cafile)
983
Jean-Paul Calderone5075fce2008-09-07 20:18:55 -0400984
Jean-Paul Calderone210c0f32015-04-12 09:20:31 -0400985 def test_load_verify_bytes_cafile(self):
986 """
987 :py:obj:`Context.load_verify_locations` accepts a file name as a
988 ``bytes`` instance and uses the certificates within for verification
989 purposes.
990 """
991 cafile = self.mktemp() + NON_ASCII.encode(getfilesystemencoding())
992 self._load_verify_cafile(cafile)
993
994
995 def test_load_verify_unicode_cafile(self):
996 """
997 :py:obj:`Context.load_verify_locations` accepts a file name as a
998 ``unicode`` instance and uses the certificates within for verification
999 purposes.
1000 """
Jean-Paul Calderone4f70c802015-04-12 11:26:47 -04001001 self._load_verify_cafile(
1002 self.mktemp().decode(getfilesystemencoding()) + NON_ASCII
1003 )
Jean-Paul Calderone210c0f32015-04-12 09:20:31 -04001004
1005
Jean-Paul Calderone5075fce2008-09-07 20:18:55 -04001006 def test_load_verify_invalid_file(self):
1007 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001008 :py:obj:`Context.load_verify_locations` raises :py:obj:`Error` when passed a
Jean-Paul Calderone5075fce2008-09-07 20:18:55 -04001009 non-existent cafile.
1010 """
1011 clientContext = Context(TLSv1_METHOD)
1012 self.assertRaises(
1013 Error, clientContext.load_verify_locations, self.mktemp())
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -04001014
1015
Jean-Paul Calderone210c0f32015-04-12 09:20:31 -04001016 def _load_verify_directory_locations_capath(self, capath):
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -04001017 """
Jean-Paul Calderone210c0f32015-04-12 09:20:31 -04001018 Verify that if path to a directory containing certificate files is
1019 passed to ``Context.load_verify_locations`` for the ``capath``
1020 parameter, those certificates are used as trust roots for the purposes
1021 of verifying connections created using that ``Context``.
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -04001022 """
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -04001023 makedirs(capath)
Jean-Paul Calderone24dfb332011-05-04 18:10:26 -04001024 # Hash values computed manually with c_rehash to avoid depending on
1025 # c_rehash in the test suite. One is from OpenSSL 0.9.8, the other
1026 # from OpenSSL 1.0.0.
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05001027 for name in [b'c7adac82.0', b'c3705638.0']:
Jean-Paul Calderone05826732015-04-12 11:38:49 -04001028 cafile = join_bytes_or_unicode(capath, name)
1029 with open(cafile, 'w') as fObj:
1030 fObj.write(cleartextCertificatePEM.decode('ascii'))
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -04001031
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -04001032 self._load_verify_locations_test(None, capath)
1033
1034
Jean-Paul Calderone210c0f32015-04-12 09:20:31 -04001035 def test_load_verify_directory_bytes_capath(self):
1036 """
1037 :py:obj:`Context.load_verify_locations` accepts a directory name as a
1038 ``bytes`` instance and uses the certificates within for verification
1039 purposes.
1040 """
1041 self._load_verify_directory_locations_capath(
1042 self.mktemp() + NON_ASCII.encode(getfilesystemencoding())
1043 )
1044
1045
1046 def test_load_verify_directory_unicode_capath(self):
1047 """
1048 :py:obj:`Context.load_verify_locations` accepts a directory name as a
1049 ``unicode`` instance and uses the certificates within for verification
1050 purposes.
1051 """
Jean-Paul Calderone4f70c802015-04-12 11:26:47 -04001052 self._load_verify_directory_locations_capath(
1053 self.mktemp().decode(getfilesystemencoding()) + NON_ASCII
1054 )
Jean-Paul Calderone210c0f32015-04-12 09:20:31 -04001055
1056
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001057 def test_load_verify_locations_wrong_args(self):
1058 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001059 :py:obj:`Context.load_verify_locations` raises :py:obj:`TypeError` if called with
1060 the wrong number of arguments or with non-:py:obj:`str` arguments.
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001061 """
1062 context = Context(TLSv1_METHOD)
1063 self.assertRaises(TypeError, context.load_verify_locations)
1064 self.assertRaises(TypeError, context.load_verify_locations, object())
1065 self.assertRaises(TypeError, context.load_verify_locations, object(), object())
1066 self.assertRaises(TypeError, context.load_verify_locations, None, None, None)
1067
1068
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04001069 if platform == "win32":
1070 "set_default_verify_paths appears not to work on Windows. "
Jean-Paul Calderone28fb8f02009-07-24 18:01:31 -04001071 "See LP#404343 and LP#404344."
1072 else:
1073 def test_set_default_verify_paths(self):
1074 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001075 :py:obj:`Context.set_default_verify_paths` causes the platform-specific CA
Jean-Paul Calderone28fb8f02009-07-24 18:01:31 -04001076 certificate locations to be used for verification purposes.
1077 """
1078 # Testing this requires a server with a certificate signed by one of
1079 # the CAs in the platform CA location. Getting one of those costs
1080 # money. Fortunately (or unfortunately, depending on your
1081 # perspective), it's easy to think of a public server on the
1082 # internet which has such a certificate. Connecting to the network
1083 # in a unit test is bad, but it's the only way I can think of to
1084 # really test this. -exarkun
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -04001085
Alex Gaynorb586da32014-11-15 09:22:21 -08001086 # Arg, verisign.com doesn't speak anything newer than TLS 1.0
1087 context = Context(TLSv1_METHOD)
Jean-Paul Calderone28fb8f02009-07-24 18:01:31 -04001088 context.set_default_verify_paths()
1089 context.set_verify(
Ziga Seilnacht44611bf2009-08-31 20:49:30 +02001090 VERIFY_PEER,
Jean-Paul Calderone28fb8f02009-07-24 18:01:31 -04001091 lambda conn, cert, errno, depth, preverify_ok: preverify_ok)
Jean-Paul Calderone1cb5d022008-09-07 20:58:50 -04001092
Jean-Paul Calderone28fb8f02009-07-24 18:01:31 -04001093 client = socket()
1094 client.connect(('verisign.com', 443))
1095 clientSSL = Connection(context, client)
1096 clientSSL.set_connect_state()
1097 clientSSL.do_handshake()
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05001098 clientSSL.send(b"GET / HTTP/1.0\r\n\r\n")
Jean-Paul Calderone28fb8f02009-07-24 18:01:31 -04001099 self.assertTrue(clientSSL.recv(1024))
Jean-Paul Calderone9eadb962008-09-07 21:20:44 -04001100
1101
1102 def test_set_default_verify_paths_signature(self):
1103 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001104 :py:obj:`Context.set_default_verify_paths` takes no arguments and raises
1105 :py:obj:`TypeError` if given any.
Jean-Paul Calderone9eadb962008-09-07 21:20:44 -04001106 """
1107 context = Context(TLSv1_METHOD)
1108 self.assertRaises(TypeError, context.set_default_verify_paths, None)
1109 self.assertRaises(TypeError, context.set_default_verify_paths, 1)
1110 self.assertRaises(TypeError, context.set_default_verify_paths, "")
Jean-Paul Calderone327d8f92008-12-28 21:55:56 -05001111
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001112
Jean-Paul Calderone12608a82009-11-07 10:35:15 -05001113 def test_add_extra_chain_cert_invalid_cert(self):
1114 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001115 :py:obj:`Context.add_extra_chain_cert` raises :py:obj:`TypeError` if called with
Jean-Paul Calderone12608a82009-11-07 10:35:15 -05001116 other than one argument or if called with an object which is not an
Jonathan Ballet648875f2011-07-16 14:14:58 +09001117 instance of :py:obj:`X509`.
Jean-Paul Calderone12608a82009-11-07 10:35:15 -05001118 """
1119 context = Context(TLSv1_METHOD)
1120 self.assertRaises(TypeError, context.add_extra_chain_cert)
1121 self.assertRaises(TypeError, context.add_extra_chain_cert, object())
1122 self.assertRaises(TypeError, context.add_extra_chain_cert, object(), object())
1123
1124
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001125 def _handshake_test(self, serverContext, clientContext):
1126 """
1127 Verify that a client and server created with the given contexts can
1128 successfully handshake and communicate.
1129 """
1130 serverSocket, clientSocket = socket_pair()
1131
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04001132 server = Connection(serverContext, serverSocket)
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04001133 server.set_accept_state()
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04001134
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001135 client = Connection(clientContext, clientSocket)
1136 client.set_connect_state()
1137
1138 # Make them talk to each other.
1139 # self._interactInMemory(client, server)
1140 for i in range(3):
1141 for s in [client, server]:
1142 try:
1143 s.do_handshake()
1144 except WantReadError:
1145 pass
1146
1147
Jean-Paul Calderone6a8cd112014-04-02 21:09:08 -04001148 def test_set_verify_callback_connection_argument(self):
1149 """
1150 The first argument passed to the verify callback is the
1151 :py:class:`Connection` instance for which verification is taking place.
1152 """
1153 serverContext = Context(TLSv1_METHOD)
1154 serverContext.use_privatekey(
1155 load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))
1156 serverContext.use_certificate(
1157 load_certificate(FILETYPE_PEM, cleartextCertificatePEM))
1158 serverConnection = Connection(serverContext, None)
1159
1160 class VerifyCallback(object):
1161 def callback(self, connection, *args):
1162 self.connection = connection
1163 return 1
1164
1165 verify = VerifyCallback()
1166 clientContext = Context(TLSv1_METHOD)
1167 clientContext.set_verify(VERIFY_PEER, verify.callback)
1168 clientConnection = Connection(clientContext, None)
1169 clientConnection.set_connect_state()
1170
1171 self._handshakeInMemory(clientConnection, serverConnection)
1172
1173 self.assertIdentical(verify.connection, clientConnection)
1174
1175
Jean-Paul Calderone7e166fe2013-03-06 20:54:38 -08001176 def test_set_verify_callback_exception(self):
1177 """
1178 If the verify callback passed to :py:obj:`Context.set_verify` raises an
1179 exception, verification fails and the exception is propagated to the
1180 caller of :py:obj:`Connection.do_handshake`.
1181 """
1182 serverContext = Context(TLSv1_METHOD)
1183 serverContext.use_privatekey(
1184 load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))
1185 serverContext.use_certificate(
1186 load_certificate(FILETYPE_PEM, cleartextCertificatePEM))
1187
1188 clientContext = Context(TLSv1_METHOD)
1189 def verify_callback(*args):
1190 raise Exception("silly verify failure")
1191 clientContext.set_verify(VERIFY_PEER, verify_callback)
1192
1193 exc = self.assertRaises(
1194 Exception, self._handshake_test, serverContext, clientContext)
1195 self.assertEqual("silly verify failure", str(exc))
1196
1197
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001198 def test_add_extra_chain_cert(self):
1199 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001200 :py:obj:`Context.add_extra_chain_cert` accepts an :py:obj:`X509` instance to add to
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001201 the certificate chain.
1202
Jonathan Ballet648875f2011-07-16 14:14:58 +09001203 See :py:obj:`_create_certificate_chain` for the details of the certificate
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001204 chain tested.
1205
1206 The chain is tested by starting a server with scert and connecting
1207 to it with a client which trusts cacert and requires verification to
1208 succeed.
1209 """
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -04001210 chain = _create_certificate_chain()
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001211 [(cakey, cacert), (ikey, icert), (skey, scert)] = chain
1212
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04001213 # Dump the CA certificate to a file because that's the only way to load
1214 # it as a trusted CA in the client context.
1215 for cert, name in [(cacert, 'ca.pem'), (icert, 'i.pem'), (scert, 's.pem')]:
Jean-Paul Calderonea9868832010-08-22 21:38:34 -04001216 fObj = open(name, 'w')
Jean-Paul Calderoneb1f7f5f2010-08-22 21:40:52 -04001217 fObj.write(dump_certificate(FILETYPE_PEM, cert).decode('ascii'))
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04001218 fObj.close()
1219
1220 for key, name in [(cakey, 'ca.key'), (ikey, 'i.key'), (skey, 's.key')]:
Jean-Paul Calderonea9868832010-08-22 21:38:34 -04001221 fObj = open(name, 'w')
Jean-Paul Calderoneb1f7f5f2010-08-22 21:40:52 -04001222 fObj.write(dump_privatekey(FILETYPE_PEM, key).decode('ascii'))
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04001223 fObj.close()
1224
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001225 # Create the server context
1226 serverContext = Context(TLSv1_METHOD)
1227 serverContext.use_privatekey(skey)
1228 serverContext.use_certificate(scert)
Jean-Paul Calderone16cf03d2010-09-08 18:53:39 -04001229 # The client already has cacert, we only need to give them icert.
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001230 serverContext.add_extra_chain_cert(icert)
1231
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04001232 # Create the client
1233 clientContext = Context(TLSv1_METHOD)
1234 clientContext.set_verify(
1235 VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05001236 clientContext.load_verify_locations(b"ca.pem")
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04001237
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001238 # Try it out.
1239 self._handshake_test(serverContext, clientContext)
1240
1241
Jean-Paul Calderoneaac43a32015-04-12 09:51:21 -04001242 def _use_certificate_chain_file_test(self, certdir):
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001243 """
Jean-Paul Calderoneaac43a32015-04-12 09:51:21 -04001244 Verify that :py:obj:`Context.use_certificate_chain_file` reads a
1245 certificate chain from a specified file.
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001246
Jean-Paul Calderoneaac43a32015-04-12 09:51:21 -04001247 The chain is tested by starting a server with scert and connecting to
1248 it with a client which trusts cacert and requires verification to
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001249 succeed.
1250 """
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -04001251 chain = _create_certificate_chain()
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001252 [(cakey, cacert), (ikey, icert), (skey, scert)] = chain
1253
Jean-Paul Calderoneaac43a32015-04-12 09:51:21 -04001254 makedirs(certdir)
1255
Jean-Paul Calderone05826732015-04-12 11:38:49 -04001256 chainFile = join_bytes_or_unicode(certdir, "chain.pem")
1257 caFile = join_bytes_or_unicode(certdir, "ca.pem")
Jean-Paul Calderoneaac43a32015-04-12 09:51:21 -04001258
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001259 # Write out the chain file.
Jean-Paul Calderoneaac43a32015-04-12 09:51:21 -04001260 with open(chainFile, 'wb') as fObj:
1261 # Most specific to least general.
1262 fObj.write(dump_certificate(FILETYPE_PEM, scert))
1263 fObj.write(dump_certificate(FILETYPE_PEM, icert))
1264 fObj.write(dump_certificate(FILETYPE_PEM, cacert))
1265
1266 with open(caFile, 'w') as fObj:
1267 fObj.write(dump_certificate(FILETYPE_PEM, cacert).decode('ascii'))
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001268
1269 serverContext = Context(TLSv1_METHOD)
1270 serverContext.use_certificate_chain_file(chainFile)
1271 serverContext.use_privatekey(skey)
1272
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001273 clientContext = Context(TLSv1_METHOD)
1274 clientContext.set_verify(
1275 VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)
Jean-Paul Calderoneaac43a32015-04-12 09:51:21 -04001276 clientContext.load_verify_locations(caFile)
Jean-Paul Calderonef4480622010-08-02 18:25:03 -04001277
1278 self._handshake_test(serverContext, clientContext)
1279
Jean-Paul Calderone131052e2013-03-05 11:56:19 -08001280
Jean-Paul Calderoneaac43a32015-04-12 09:51:21 -04001281 def test_use_certificate_chain_file_bytes(self):
1282 """
1283 ``Context.use_certificate_chain_file`` accepts the name of a file (as
1284 an instance of ``bytes``) to specify additional certificates to use to
1285 construct and verify a trust chain.
1286 """
1287 self._use_certificate_chain_file_test(
1288 self.mktemp() + NON_ASCII.encode(getfilesystemencoding())
1289 )
1290
1291
1292 def test_use_certificate_chain_file_unicode(self):
1293 """
1294 ``Context.use_certificate_chain_file`` accepts the name of a file (as
1295 an instance of ``unicode``) to specify additional certificates to use
1296 to construct and verify a trust chain.
1297 """
1298 self._use_certificate_chain_file_test(
1299 self.mktemp().decode(getfilesystemencoding()) + NON_ASCII
1300 )
1301
1302
Jean-Paul Calderone131052e2013-03-05 11:56:19 -08001303 def test_use_certificate_chain_file_wrong_args(self):
1304 """
1305 :py:obj:`Context.use_certificate_chain_file` raises :py:obj:`TypeError`
1306 if passed zero or more than one argument or when passed a non-byte
1307 string single argument. It also raises :py:obj:`OpenSSL.SSL.Error` when
1308 passed a bad chain file name (for example, the name of a file which does
1309 not exist).
1310 """
1311 context = Context(TLSv1_METHOD)
1312 self.assertRaises(TypeError, context.use_certificate_chain_file)
1313 self.assertRaises(TypeError, context.use_certificate_chain_file, object())
1314 self.assertRaises(TypeError, context.use_certificate_chain_file, b"foo", object())
1315
1316 self.assertRaises(Error, context.use_certificate_chain_file, self.mktemp())
1317
Jean-Paul Calderonee0d79362010-08-03 18:46:46 -04001318 # XXX load_client_ca
1319 # XXX set_session_id
Jean-Paul Calderone0294e3d2010-09-09 18:17:48 -04001320
1321 def test_get_verify_mode_wrong_args(self):
1322 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001323 :py:obj:`Context.get_verify_mode` raises :py:obj:`TypeError` if called with any
Jean-Paul Calderone0294e3d2010-09-09 18:17:48 -04001324 arguments.
1325 """
1326 context = Context(TLSv1_METHOD)
1327 self.assertRaises(TypeError, context.get_verify_mode, None)
1328
1329
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05001330 def test_set_verify_mode(self):
Jean-Paul Calderone0294e3d2010-09-09 18:17:48 -04001331 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001332 :py:obj:`Context.get_verify_mode` returns the verify mode flags previously
1333 passed to :py:obj:`Context.set_verify`.
Jean-Paul Calderone0294e3d2010-09-09 18:17:48 -04001334 """
1335 context = Context(TLSv1_METHOD)
1336 self.assertEquals(context.get_verify_mode(), 0)
1337 context.set_verify(
1338 VERIFY_PEER | VERIFY_CLIENT_ONCE, lambda *args: None)
1339 self.assertEquals(
1340 context.get_verify_mode(), VERIFY_PEER | VERIFY_CLIENT_ONCE)
1341
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001342
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05001343 if not PY3:
1344 def test_set_verify_mode_long(self):
1345 """
1346 On Python 2 :py:obj:`Context.set_verify_mode` accepts values of
1347 type :py:obj:`long` as well as :py:obj:`int`.
1348 """
1349 context = Context(TLSv1_METHOD)
1350 self.assertEquals(context.get_verify_mode(), 0)
1351 context.set_verify(
1352 long(VERIFY_PEER | VERIFY_CLIENT_ONCE), lambda *args: None)
1353 self.assertEquals(
1354 context.get_verify_mode(), VERIFY_PEER | VERIFY_CLIENT_ONCE)
1355
1356
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001357 def test_load_tmp_dh_wrong_args(self):
1358 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001359 :py:obj:`Context.load_tmp_dh` raises :py:obj:`TypeError` if called with the wrong
1360 number of arguments or with a non-:py:obj:`str` argument.
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001361 """
1362 context = Context(TLSv1_METHOD)
1363 self.assertRaises(TypeError, context.load_tmp_dh)
1364 self.assertRaises(TypeError, context.load_tmp_dh, "foo", None)
1365 self.assertRaises(TypeError, context.load_tmp_dh, object())
1366
1367
1368 def test_load_tmp_dh_missing_file(self):
1369 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001370 :py:obj:`Context.load_tmp_dh` raises :py:obj:`OpenSSL.SSL.Error` if the specified file
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001371 does not exist.
1372 """
1373 context = Context(TLSv1_METHOD)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05001374 self.assertRaises(Error, context.load_tmp_dh, b"hello")
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001375
1376
Jean-Paul Calderone9e1c1dd2015-04-12 10:13:13 -04001377 def _load_tmp_dh_test(self, dhfilename):
Jean-Paul Calderone4e0c43f2015-04-13 10:15:17 -04001378 """
1379 Verify that calling ``Context.load_tmp_dh`` with the given filename
1380 does not raise an exception.
1381 """
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001382 context = Context(TLSv1_METHOD)
Jean-Paul Calderone9e1c1dd2015-04-12 10:13:13 -04001383 with open(dhfilename, "w") as dhfile:
1384 dhfile.write(dhparam)
1385
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001386 context.load_tmp_dh(dhfilename)
1387 # XXX What should I assert here? -exarkun
1388
1389
Jean-Paul Calderone9e1c1dd2015-04-12 10:13:13 -04001390 def test_load_tmp_dh_bytes(self):
1391 """
1392 :py:obj:`Context.load_tmp_dh` loads Diffie-Hellman parameters from the
1393 specified file (given as ``bytes``).
1394 """
1395 self._load_tmp_dh_test(
1396 self.mktemp() + NON_ASCII.encode(getfilesystemencoding()),
1397 )
1398
1399
1400 def test_load_tmp_dh_unicode(self):
1401 """
1402 :py:obj:`Context.load_tmp_dh` loads Diffie-Hellman parameters from the
1403 specified file (given as ``unicode``).
1404 """
1405 self._load_tmp_dh_test(
1406 self.mktemp().decode(getfilesystemencoding()) + NON_ASCII,
1407 )
1408
1409
Jean-Paul Calderone3e4e3352014-04-19 09:28:28 -04001410 def test_set_tmp_ecdh(self):
Andy Lutomirskif05a2732014-03-13 17:22:25 -07001411 """
Jean-Paul Calderone3e4e3352014-04-19 09:28:28 -04001412 :py:obj:`Context.set_tmp_ecdh` sets the elliptic curve for
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -04001413 Diffie-Hellman to the specified curve.
Andy Lutomirskif05a2732014-03-13 17:22:25 -07001414 """
1415 context = Context(TLSv1_METHOD)
Jean-Paul Calderonec09fd582014-04-18 22:00:10 -04001416 for curve in get_elliptic_curves():
1417 # The only easily "assertable" thing is that it does not raise an
1418 # exception.
Jean-Paul Calderone3e4e3352014-04-19 09:28:28 -04001419 context.set_tmp_ecdh(curve)
Alex Gaynor12dc0842014-01-17 12:51:31 -06001420
1421
Jean-Paul Calderone63eab692014-01-18 10:19:56 -05001422 def test_set_cipher_list_bytes(self):
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001423 """
Jean-Paul Calderone63eab692014-01-18 10:19:56 -05001424 :py:obj:`Context.set_cipher_list` accepts a :py:obj:`bytes` naming the
1425 ciphers which connections created with the context object will be able
1426 to choose from.
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001427 """
1428 context = Context(TLSv1_METHOD)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05001429 context.set_cipher_list(b"hello world:EXP-RC4-MD5")
Jean-Paul Calderone6ace4782010-09-09 18:43:40 -04001430 conn = Connection(context, None)
1431 self.assertEquals(conn.get_cipher_list(), ["EXP-RC4-MD5"])
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04001432
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04001433
Jean-Paul Calderone63eab692014-01-18 10:19:56 -05001434 def test_set_cipher_list_text(self):
1435 """
1436 :py:obj:`Context.set_cipher_list` accepts a :py:obj:`unicode` naming
1437 the ciphers which connections created with the context object will be
1438 able to choose from.
1439 """
1440 context = Context(TLSv1_METHOD)
Jean-Paul Calderonec76c61c2014-01-18 13:21:52 -05001441 context.set_cipher_list(u("hello world:EXP-RC4-MD5"))
Jean-Paul Calderone63eab692014-01-18 10:19:56 -05001442 conn = Connection(context, None)
1443 self.assertEquals(conn.get_cipher_list(), ["EXP-RC4-MD5"])
1444
1445
Jean-Paul Calderone131052e2013-03-05 11:56:19 -08001446 def test_set_cipher_list_wrong_args(self):
1447 """
Jean-Paul Calderone17044832014-01-18 10:20:11 -05001448 :py:obj:`Context.set_cipher_list` raises :py:obj:`TypeError` when
1449 passed zero arguments or more than one argument or when passed a
1450 non-string single argument and raises :py:obj:`OpenSSL.SSL.Error` when
Jean-Paul Calderone131052e2013-03-05 11:56:19 -08001451 passed an incorrect cipher list string.
1452 """
1453 context = Context(TLSv1_METHOD)
1454 self.assertRaises(TypeError, context.set_cipher_list)
1455 self.assertRaises(TypeError, context.set_cipher_list, object())
1456 self.assertRaises(TypeError, context.set_cipher_list, b"EXP-RC4-MD5", object())
1457
Jean-Paul Calderone63eab692014-01-18 10:19:56 -05001458 self.assertRaises(Error, context.set_cipher_list, "imaginary-cipher")
Jean-Paul Calderone131052e2013-03-05 11:56:19 -08001459
1460
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05001461 def test_set_session_cache_mode_wrong_args(self):
1462 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05001463 :py:obj:`Context.set_session_cache_mode` raises :py:obj:`TypeError` if
1464 called with other than one integer argument.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05001465 """
1466 context = Context(TLSv1_METHOD)
1467 self.assertRaises(TypeError, context.set_session_cache_mode)
1468 self.assertRaises(TypeError, context.set_session_cache_mode, object())
1469
1470
1471 def test_get_session_cache_mode_wrong_args(self):
1472 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05001473 :py:obj:`Context.get_session_cache_mode` raises :py:obj:`TypeError` if
1474 called with any arguments.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05001475 """
1476 context = Context(TLSv1_METHOD)
1477 self.assertRaises(TypeError, context.get_session_cache_mode, 1)
1478
1479
1480 def test_session_cache_mode(self):
1481 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05001482 :py:obj:`Context.set_session_cache_mode` specifies how sessions are
1483 cached. The setting can be retrieved via
1484 :py:obj:`Context.get_session_cache_mode`.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05001485 """
1486 context = Context(TLSv1_METHOD)
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05001487 context.set_session_cache_mode(SESS_CACHE_OFF)
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05001488 off = context.set_session_cache_mode(SESS_CACHE_BOTH)
1489 self.assertEqual(SESS_CACHE_OFF, off)
1490 self.assertEqual(SESS_CACHE_BOTH, context.get_session_cache_mode())
1491
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05001492 if not PY3:
1493 def test_session_cache_mode_long(self):
1494 """
1495 On Python 2 :py:obj:`Context.set_session_cache_mode` accepts values
1496 of type :py:obj:`long` as well as :py:obj:`int`.
1497 """
1498 context = Context(TLSv1_METHOD)
1499 context.set_session_cache_mode(long(SESS_CACHE_BOTH))
1500 self.assertEqual(
1501 SESS_CACHE_BOTH, context.get_session_cache_mode())
1502
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05001503
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -08001504 def test_get_cert_store(self):
1505 """
1506 :py:obj:`Context.get_cert_store` returns a :py:obj:`X509Store` instance.
1507 """
1508 context = Context(TLSv1_METHOD)
1509 store = context.get_cert_store()
1510 self.assertIsInstance(store, X509Store)
1511
1512
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04001513
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001514class ServerNameCallbackTests(TestCase, _LoopbackMixin):
1515 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001516 Tests for :py:obj:`Context.set_tlsext_servername_callback` and its interaction with
1517 :py:obj:`Connection`.
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001518 """
1519 def test_wrong_args(self):
1520 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001521 :py:obj:`Context.set_tlsext_servername_callback` raises :py:obj:`TypeError` if called
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001522 with other than one argument.
1523 """
1524 context = Context(TLSv1_METHOD)
1525 self.assertRaises(TypeError, context.set_tlsext_servername_callback)
1526 self.assertRaises(
1527 TypeError, context.set_tlsext_servername_callback, 1, 2)
1528
Jean-Paul Calderone4c1aacd2014-01-11 08:15:17 -05001529
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001530 def test_old_callback_forgotten(self):
1531 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001532 If :py:obj:`Context.set_tlsext_servername_callback` is used to specify a new
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001533 callback, the one it replaces is dereferenced.
1534 """
1535 def callback(connection):
1536 pass
1537
1538 def replacement(connection):
1539 pass
1540
1541 context = Context(TLSv1_METHOD)
1542 context.set_tlsext_servername_callback(callback)
1543
1544 tracker = ref(callback)
1545 del callback
1546
1547 context.set_tlsext_servername_callback(replacement)
Jean-Paul Calderoned4033eb2014-01-11 08:21:46 -05001548
1549 # One run of the garbage collector happens to work on CPython. PyPy
1550 # doesn't collect the underlying object until a second run for whatever
1551 # reason. That's fine, it still demonstrates our code has properly
1552 # dropped the reference.
1553 collect()
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001554 collect()
Jean-Paul Calderone4c1aacd2014-01-11 08:15:17 -05001555
1556 callback = tracker()
1557 if callback is not None:
1558 referrers = get_referrers(callback)
Jean-Paul Calderone7de39562014-01-11 08:17:59 -05001559 if len(referrers) > 1:
Jean-Paul Calderone4c1aacd2014-01-11 08:15:17 -05001560 self.fail("Some references remain: %r" % (referrers,))
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001561
1562
1563 def test_no_servername(self):
1564 """
1565 When a client specifies no server name, the callback passed to
Jonathan Ballet648875f2011-07-16 14:14:58 +09001566 :py:obj:`Context.set_tlsext_servername_callback` is invoked and the result of
1567 :py:obj:`Connection.get_servername` is :py:obj:`None`.
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001568 """
1569 args = []
1570 def servername(conn):
1571 args.append((conn, conn.get_servername()))
1572 context = Context(TLSv1_METHOD)
1573 context.set_tlsext_servername_callback(servername)
1574
1575 # Lose our reference to it. The Context is responsible for keeping it
1576 # alive now.
1577 del servername
1578 collect()
1579
1580 # Necessary to actually accept the connection
1581 context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
1582 context.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
1583
1584 # Do a little connection to trigger the logic
1585 server = Connection(context, None)
1586 server.set_accept_state()
1587
1588 client = Connection(Context(TLSv1_METHOD), None)
1589 client.set_connect_state()
1590
1591 self._interactInMemory(server, client)
1592
1593 self.assertEqual([(server, None)], args)
1594
1595
1596 def test_servername(self):
1597 """
1598 When a client specifies a server name in its hello message, the callback
Jonathan Ballet648875f2011-07-16 14:14:58 +09001599 passed to :py:obj:`Contexts.set_tlsext_servername_callback` is invoked and the
1600 result of :py:obj:`Connection.get_servername` is that server name.
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001601 """
1602 args = []
1603 def servername(conn):
1604 args.append((conn, conn.get_servername()))
1605 context = Context(TLSv1_METHOD)
1606 context.set_tlsext_servername_callback(servername)
1607
1608 # Necessary to actually accept the connection
1609 context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
1610 context.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
1611
1612 # Do a little connection to trigger the logic
1613 server = Connection(context, None)
1614 server.set_accept_state()
1615
1616 client = Connection(Context(TLSv1_METHOD), None)
1617 client.set_connect_state()
1618 client.set_tlsext_host_name(b("foo1.example.com"))
1619
1620 self._interactInMemory(server, client)
1621
1622 self.assertEqual([(server, b("foo1.example.com"))], args)
1623
1624
Cory Benfield84a121e2014-03-31 20:30:25 +01001625class NextProtoNegotiationTests(TestCase, _LoopbackMixin):
1626 """
1627 Test for Next Protocol Negotiation in PyOpenSSL.
1628 """
1629 def test_npn_success(self):
Cory Benfieldbe3e7b82014-05-10 09:48:55 +01001630 """
1631 Tests that clients and servers that agree on the negotiated next
1632 protocol can correct establish a connection, and that the agreed
1633 protocol is reported by the connections.
1634 """
1635 advertise_args = []
Cory Benfield84a121e2014-03-31 20:30:25 +01001636 select_args = []
1637 def advertise(conn):
1638 advertise_args.append((conn,))
Cory Benfieldbe3e7b82014-05-10 09:48:55 +01001639 return [b'http/1.1', b'spdy/2']
Cory Benfield84a121e2014-03-31 20:30:25 +01001640 def select(conn, options):
1641 select_args.append((conn, options))
Cory Benfieldbe3e7b82014-05-10 09:48:55 +01001642 return b'spdy/2'
Cory Benfield84a121e2014-03-31 20:30:25 +01001643
1644 server_context = Context(TLSv1_METHOD)
1645 server_context.set_npn_advertise_callback(advertise)
1646
1647 client_context = Context(TLSv1_METHOD)
1648 client_context.set_npn_select_callback(select)
1649
1650 # Necessary to actually accept the connection
1651 server_context.use_privatekey(
1652 load_privatekey(FILETYPE_PEM, server_key_pem))
1653 server_context.use_certificate(
1654 load_certificate(FILETYPE_PEM, server_cert_pem))
1655
1656 # Do a little connection to trigger the logic
1657 server = Connection(server_context, None)
1658 server.set_accept_state()
1659
1660 client = Connection(client_context, None)
1661 client.set_connect_state()
1662
1663 self._interactInMemory(server, client)
1664
1665 self.assertEqual([(server,)], advertise_args)
Cory Benfieldbe3e7b82014-05-10 09:48:55 +01001666 self.assertEqual([(client, [b'http/1.1', b'spdy/2'])], select_args)
Cory Benfield84a121e2014-03-31 20:30:25 +01001667
Cory Benfieldbe3e7b82014-05-10 09:48:55 +01001668 self.assertEqual(server.get_next_proto_negotiated(), b'spdy/2')
1669 self.assertEqual(client.get_next_proto_negotiated(), b'spdy/2')
Cory Benfield84a121e2014-03-31 20:30:25 +01001670
1671
1672 def test_npn_client_fail(self):
Cory Benfieldbe3e7b82014-05-10 09:48:55 +01001673 """
1674 Tests that when clients and servers cannot agree on what protocol to
1675 use next that the TLS connection does not get established.
1676 """
1677 advertise_args = []
Cory Benfield84a121e2014-03-31 20:30:25 +01001678 select_args = []
1679 def advertise(conn):
1680 advertise_args.append((conn,))
Cory Benfieldbe3e7b82014-05-10 09:48:55 +01001681 return [b'http/1.1', b'spdy/2']
Cory Benfield84a121e2014-03-31 20:30:25 +01001682 def select(conn, options):
1683 select_args.append((conn, options))
Cory Benfieldbe3e7b82014-05-10 09:48:55 +01001684 return b''
Cory Benfield84a121e2014-03-31 20:30:25 +01001685
1686 server_context = Context(TLSv1_METHOD)
1687 server_context.set_npn_advertise_callback(advertise)
1688
1689 client_context = Context(TLSv1_METHOD)
1690 client_context.set_npn_select_callback(select)
1691
1692 # Necessary to actually accept the connection
1693 server_context.use_privatekey(
1694 load_privatekey(FILETYPE_PEM, server_key_pem))
1695 server_context.use_certificate(
1696 load_certificate(FILETYPE_PEM, server_cert_pem))
1697
1698 # Do a little connection to trigger the logic
1699 server = Connection(server_context, None)
1700 server.set_accept_state()
1701
1702 client = Connection(client_context, None)
1703 client.set_connect_state()
1704
1705 # If the client doesn't return anything, the connection will fail.
1706 self.assertRaises(Error, self._interactInMemory, server, client)
1707
1708 self.assertEqual([(server,)], advertise_args)
Cory Benfieldbe3e7b82014-05-10 09:48:55 +01001709 self.assertEqual([(client, [b'http/1.1', b'spdy/2'])], select_args)
Cory Benfield84a121e2014-03-31 20:30:25 +01001710
1711
Cory Benfield0ea76e72015-03-22 09:05:28 +00001712 def test_npn_select_error(self):
1713 """
1714 Test that we can handle exceptions in the select callback. If select
1715 fails it should be fatal to the connection.
1716 """
1717 advertise_args = []
1718 def advertise(conn):
1719 advertise_args.append((conn,))
1720 return [b'http/1.1', b'spdy/2']
1721 def select(conn, options):
1722 raise TypeError
1723
1724 server_context = Context(TLSv1_METHOD)
1725 server_context.set_npn_advertise_callback(advertise)
1726
1727 client_context = Context(TLSv1_METHOD)
1728 client_context.set_npn_select_callback(select)
1729
1730 # Necessary to actually accept the connection
1731 server_context.use_privatekey(
1732 load_privatekey(FILETYPE_PEM, server_key_pem))
1733 server_context.use_certificate(
1734 load_certificate(FILETYPE_PEM, server_cert_pem))
1735
1736 # Do a little connection to trigger the logic
1737 server = Connection(server_context, None)
1738 server.set_accept_state()
1739
1740 client = Connection(client_context, None)
1741 client.set_connect_state()
1742
1743 # If the callback throws an exception it should be raised here.
1744 self.assertRaises(TypeError, self._interactInMemory, server, client)
1745 self.assertEqual([(server,)], advertise_args)
1746
1747
1748 def test_npn_advertise_error(self):
1749 """
1750 Test that we can handle exceptions in the advertise callback. If
1751 advertise fails no NPN is advertised to the client.
1752 """
1753 select_args = []
1754 def advertise(conn):
1755 raise TypeError
1756 def select(conn, options):
1757 select_args.append((conn, options))
1758 return b''
1759
1760 server_context = Context(TLSv1_METHOD)
1761 server_context.set_npn_advertise_callback(advertise)
1762
1763 client_context = Context(TLSv1_METHOD)
1764 client_context.set_npn_select_callback(select)
1765
1766 # Necessary to actually accept the connection
1767 server_context.use_privatekey(
1768 load_privatekey(FILETYPE_PEM, server_key_pem))
1769 server_context.use_certificate(
1770 load_certificate(FILETYPE_PEM, server_cert_pem))
1771
1772 # Do a little connection to trigger the logic
1773 server = Connection(server_context, None)
1774 server.set_accept_state()
1775
1776 client = Connection(client_context, None)
1777 client.set_connect_state()
1778
1779 # If the client doesn't return anything, the connection will fail.
1780 self.assertRaises(TypeError, self._interactInMemory, server, client)
1781 self.assertEqual([], select_args)
1782
1783
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04001784
Cory Benfield12eae892014-06-07 15:42:56 +01001785class ApplicationLayerProtoNegotiationTests(TestCase, _LoopbackMixin):
1786 """
1787 Tests for ALPN in PyOpenSSL.
1788 """
1789 def test_alpn_success(self):
1790 """
1791 Tests that clients and servers that agree on the negotiated ALPN
1792 protocol can correct establish a connection, and that the agreed
1793 protocol is reported by the connections.
1794 """
1795 select_args = []
1796 def select(conn, options):
1797 select_args.append((conn, options))
1798 return b'spdy/2'
1799
1800 client_context = Context(TLSv1_METHOD)
1801 client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])
1802
1803 server_context = Context(TLSv1_METHOD)
1804 server_context.set_alpn_select_callback(select)
1805
1806 # Necessary to actually accept the connection
1807 server_context.use_privatekey(
1808 load_privatekey(FILETYPE_PEM, server_key_pem))
1809 server_context.use_certificate(
1810 load_certificate(FILETYPE_PEM, server_cert_pem))
1811
1812 # Do a little connection to trigger the logic
1813 server = Connection(server_context, None)
1814 server.set_accept_state()
1815
1816 client = Connection(client_context, None)
1817 client.set_connect_state()
1818
1819 self._interactInMemory(server, client)
1820
Cory Benfield75279582015-04-12 08:52:17 -04001821 self.assertEqual([(server, [b'http/1.1', b'spdy/2'])], select_args)
Cory Benfield12eae892014-06-07 15:42:56 +01001822
1823 self.assertEqual(server.get_alpn_proto_negotiated(), b'spdy/2')
1824 self.assertEqual(client.get_alpn_proto_negotiated(), b'spdy/2')
1825
1826
1827 def test_alpn_set_on_connection(self):
1828 """
1829 The same as test_alpn_success, but setting the ALPN protocols on the
1830 connection rather than the context.
1831 """
1832 select_args = []
1833 def select(conn, options):
1834 select_args.append((conn, options))
1835 return b'spdy/2'
1836
1837 # Setup the client context but don't set any ALPN protocols.
1838 client_context = Context(TLSv1_METHOD)
1839
1840 server_context = Context(TLSv1_METHOD)
1841 server_context.set_alpn_select_callback(select)
1842
1843 # Necessary to actually accept the connection
1844 server_context.use_privatekey(
1845 load_privatekey(FILETYPE_PEM, server_key_pem))
1846 server_context.use_certificate(
1847 load_certificate(FILETYPE_PEM, server_cert_pem))
1848
1849 # Do a little connection to trigger the logic
1850 server = Connection(server_context, None)
1851 server.set_accept_state()
1852
1853 # Set the ALPN protocols on the client connection.
1854 client = Connection(client_context, None)
1855 client.set_alpn_protos([b'http/1.1', b'spdy/2'])
1856 client.set_connect_state()
1857
1858 self._interactInMemory(server, client)
1859
Cory Benfield75279582015-04-12 08:52:17 -04001860 self.assertEqual([(server, [b'http/1.1', b'spdy/2'])], select_args)
Cory Benfield12eae892014-06-07 15:42:56 +01001861
1862 self.assertEqual(server.get_alpn_proto_negotiated(), b'spdy/2')
1863 self.assertEqual(client.get_alpn_proto_negotiated(), b'spdy/2')
1864
1865
1866 def test_alpn_server_fail(self):
1867 """
1868 Tests that when clients and servers cannot agree on what protocol to
1869 use next that the TLS connection does not get established.
1870 """
1871 select_args = []
1872 def select(conn, options):
1873 select_args.append((conn, options))
1874 return b''
1875
1876 client_context = Context(TLSv1_METHOD)
1877 client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])
1878
1879 server_context = Context(TLSv1_METHOD)
1880 server_context.set_alpn_select_callback(select)
1881
1882 # Necessary to actually accept the connection
1883 server_context.use_privatekey(
1884 load_privatekey(FILETYPE_PEM, server_key_pem))
1885 server_context.use_certificate(
1886 load_certificate(FILETYPE_PEM, server_cert_pem))
1887
1888 # Do a little connection to trigger the logic
1889 server = Connection(server_context, None)
1890 server.set_accept_state()
1891
1892 client = Connection(client_context, None)
1893 client.set_connect_state()
1894
1895 # If the client doesn't return anything, the connection will fail.
1896 self.assertRaises(Error, self._interactInMemory, server, client)
1897
Cory Benfield75279582015-04-12 08:52:17 -04001898 self.assertEqual([(server, [b'http/1.1', b'spdy/2'])], select_args)
Cory Benfield12eae892014-06-07 15:42:56 +01001899
1900
Cory Benfielde3d57152015-04-11 17:57:35 -04001901 def test_alpn_no_server(self):
1902 """
1903 Tests that when clients and servers cannot agree on what protocol to
1904 use next because the server doesn't offer ALPN.
1905 """
Cory Benfielde3d57152015-04-11 17:57:35 -04001906 client_context = Context(TLSv1_METHOD)
1907 client_context.set_alpn_protos([b'http/1.1', b'spdy/2'])
1908
1909 server_context = Context(TLSv1_METHOD)
1910
1911 # Necessary to actually accept the connection
1912 server_context.use_privatekey(
1913 load_privatekey(FILETYPE_PEM, server_key_pem))
1914 server_context.use_certificate(
1915 load_certificate(FILETYPE_PEM, server_cert_pem))
1916
1917 # Do a little connection to trigger the logic
1918 server = Connection(server_context, None)
1919 server.set_accept_state()
1920
1921 client = Connection(client_context, None)
1922 client.set_connect_state()
1923
1924 # Do the dance.
1925 self._interactInMemory(server, client)
1926
Cory Benfielde3d57152015-04-11 17:57:35 -04001927 self.assertEqual(client.get_alpn_proto_negotiated(), b'')
1928
1929
Cory Benfield12eae892014-06-07 15:42:56 +01001930
Jean-Paul Calderonee0fcf512012-02-13 09:10:15 -05001931class SessionTests(TestCase):
1932 """
1933 Unit tests for :py:obj:`OpenSSL.SSL.Session`.
1934 """
1935 def test_construction(self):
1936 """
1937 :py:class:`Session` can be constructed with no arguments, creating a new
1938 instance of that type.
1939 """
1940 new_session = Session()
1941 self.assertTrue(isinstance(new_session, Session))
1942
1943
1944 def test_construction_wrong_args(self):
1945 """
1946 If any arguments are passed to :py:class:`Session`, :py:obj:`TypeError`
1947 is raised.
1948 """
1949 self.assertRaises(TypeError, Session, 123)
1950 self.assertRaises(TypeError, Session, "hello")
1951 self.assertRaises(TypeError, Session, object())
1952
1953
1954
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04001955class ConnectionTests(TestCase, _LoopbackMixin):
Rick Deane15b1472009-07-09 15:53:42 -05001956 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001957 Unit tests for :py:obj:`OpenSSL.SSL.Connection`.
Rick Deane15b1472009-07-09 15:53:42 -05001958 """
Jean-Paul Calderone541eaf22010-09-09 18:55:08 -04001959 # XXX get_peer_certificate -> None
1960 # XXX sock_shutdown
1961 # XXX master_key -> TypeError
1962 # XXX server_random -> TypeError
1963 # XXX state_string
1964 # XXX connect -> TypeError
1965 # XXX connect_ex -> TypeError
1966 # XXX set_connect_state -> TypeError
1967 # XXX set_accept_state -> TypeError
1968 # XXX renegotiate_pending
1969 # XXX do_handshake -> TypeError
1970 # XXX bio_read -> TypeError
1971 # XXX recv -> TypeError
1972 # XXX send -> TypeError
1973 # XXX bio_write -> TypeError
1974
Rick Deane15b1472009-07-09 15:53:42 -05001975 def test_type(self):
1976 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001977 :py:obj:`Connection` and :py:obj:`ConnectionType` refer to the same type object and
Jean-Paul Calderone68649052009-07-17 21:14:27 -04001978 can be used to create instances of that type.
Rick Deane15b1472009-07-09 15:53:42 -05001979 """
Jean-Paul Calderone68649052009-07-17 21:14:27 -04001980 self.assertIdentical(Connection, ConnectionType)
Rick Deane15b1472009-07-09 15:53:42 -05001981 ctx = Context(TLSv1_METHOD)
Jean-Paul Calderone68649052009-07-17 21:14:27 -04001982 self.assertConsistentType(Connection, 'Connection', ctx, None)
Rick Deane15b1472009-07-09 15:53:42 -05001983
Jean-Paul Calderone68649052009-07-17 21:14:27 -04001984
Jean-Paul Calderone4fd058a2009-11-22 11:46:42 -05001985 def test_get_context(self):
1986 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001987 :py:obj:`Connection.get_context` returns the :py:obj:`Context` instance used to
1988 construct the :py:obj:`Connection` instance.
Jean-Paul Calderone4fd058a2009-11-22 11:46:42 -05001989 """
1990 context = Context(TLSv1_METHOD)
1991 connection = Connection(context, None)
1992 self.assertIdentical(connection.get_context(), context)
1993
1994
1995 def test_get_context_wrong_args(self):
1996 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09001997 :py:obj:`Connection.get_context` raises :py:obj:`TypeError` if called with any
Jean-Paul Calderone4fd058a2009-11-22 11:46:42 -05001998 arguments.
1999 """
2000 connection = Connection(Context(TLSv1_METHOD), None)
2001 self.assertRaises(TypeError, connection.get_context, None)
2002
2003
Jean-Paul Calderone95613b72011-05-25 22:30:21 -04002004 def test_set_context_wrong_args(self):
2005 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002006 :py:obj:`Connection.set_context` raises :py:obj:`TypeError` if called with a
2007 non-:py:obj:`Context` instance argument or with any number of arguments other
Jean-Paul Calderone95613b72011-05-25 22:30:21 -04002008 than 1.
2009 """
2010 ctx = Context(TLSv1_METHOD)
2011 connection = Connection(ctx, None)
2012 self.assertRaises(TypeError, connection.set_context)
2013 self.assertRaises(TypeError, connection.set_context, object())
2014 self.assertRaises(TypeError, connection.set_context, "hello")
2015 self.assertRaises(TypeError, connection.set_context, 1)
2016 self.assertRaises(TypeError, connection.set_context, 1, 2)
2017 self.assertRaises(
2018 TypeError, connection.set_context, Context(TLSv1_METHOD), 2)
2019 self.assertIdentical(ctx, connection.get_context())
2020
2021
2022 def test_set_context(self):
2023 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002024 :py:obj:`Connection.set_context` specifies a new :py:obj:`Context` instance to be used
Jean-Paul Calderone95613b72011-05-25 22:30:21 -04002025 for the connection.
2026 """
2027 original = Context(SSLv23_METHOD)
2028 replacement = Context(TLSv1_METHOD)
2029 connection = Connection(original, None)
2030 connection.set_context(replacement)
2031 self.assertIdentical(replacement, connection.get_context())
2032 # Lose our references to the contexts, just in case the Connection isn't
2033 # properly managing its own contributions to their reference counts.
2034 del original, replacement
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04002035 collect()
2036
2037
2038 def test_set_tlsext_host_name_wrong_args(self):
2039 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002040 If :py:obj:`Connection.set_tlsext_host_name` is called with a non-byte string
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04002041 argument or a byte string with an embedded NUL or other than one
Jonathan Ballet648875f2011-07-16 14:14:58 +09002042 argument, :py:obj:`TypeError` is raised.
Jean-Paul Calderonec4cb6582011-05-26 18:47:00 -04002043 """
2044 conn = Connection(Context(TLSv1_METHOD), None)
2045 self.assertRaises(TypeError, conn.set_tlsext_host_name)
2046 self.assertRaises(TypeError, conn.set_tlsext_host_name, object())
2047 self.assertRaises(TypeError, conn.set_tlsext_host_name, 123, 456)
2048 self.assertRaises(
2049 TypeError, conn.set_tlsext_host_name, b("with\0null"))
2050
2051 if version_info >= (3,):
2052 # On Python 3.x, don't accidentally implicitly convert from text.
2053 self.assertRaises(
2054 TypeError,
2055 conn.set_tlsext_host_name, b("example.com").decode("ascii"))
Jean-Paul Calderone95613b72011-05-25 22:30:21 -04002056
2057
Jean-Paul Calderone871a4d82011-05-26 19:24:02 -04002058 def test_get_servername_wrong_args(self):
2059 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002060 :py:obj:`Connection.get_servername` raises :py:obj:`TypeError` if called with any
Jean-Paul Calderone871a4d82011-05-26 19:24:02 -04002061 arguments.
2062 """
2063 connection = Connection(Context(TLSv1_METHOD), None)
2064 self.assertRaises(TypeError, connection.get_servername, object())
2065 self.assertRaises(TypeError, connection.get_servername, 1)
2066 self.assertRaises(TypeError, connection.get_servername, "hello")
2067
2068
Jean-Paul Calderone1d69a722010-07-29 09:05:53 -04002069 def test_pending(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002070 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002071 :py:obj:`Connection.pending` returns the number of bytes available for
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002072 immediate read.
2073 """
Jean-Paul Calderone1d69a722010-07-29 09:05:53 -04002074 connection = Connection(Context(TLSv1_METHOD), None)
2075 self.assertEquals(connection.pending(), 0)
2076
2077
2078 def test_pending_wrong_args(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002079 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002080 :py:obj:`Connection.pending` raises :py:obj:`TypeError` if called with any arguments.
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002081 """
Jean-Paul Calderone1d69a722010-07-29 09:05:53 -04002082 connection = Connection(Context(TLSv1_METHOD), None)
2083 self.assertRaises(TypeError, connection.pending, None)
2084
2085
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002086 def test_connect_wrong_args(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002087 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002088 :py:obj:`Connection.connect` raises :py:obj:`TypeError` if called with a non-address
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002089 argument or with the wrong number of arguments.
2090 """
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002091 connection = Connection(Context(TLSv1_METHOD), socket())
2092 self.assertRaises(TypeError, connection.connect, None)
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002093 self.assertRaises(TypeError, connection.connect)
2094 self.assertRaises(TypeError, connection.connect, ("127.0.0.1", 1), None)
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002095
2096
Jean-Paul Calderone8bdeba22010-07-29 09:45:07 -04002097 def test_connect_refused(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002098 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002099 :py:obj:`Connection.connect` raises :py:obj:`socket.error` if the underlying socket
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002100 connect method raises it.
2101 """
Jean-Paul Calderone8bdeba22010-07-29 09:45:07 -04002102 client = socket()
2103 context = Context(TLSv1_METHOD)
2104 clientSSL = Connection(context, client)
2105 exc = self.assertRaises(error, clientSSL.connect, ("127.0.0.1", 1))
Jean-Paul Calderone35adf9d2010-07-29 18:40:44 -04002106 self.assertEquals(exc.args[0], ECONNREFUSED)
Jean-Paul Calderone8bdeba22010-07-29 09:45:07 -04002107
2108
2109 def test_connect(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002110 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002111 :py:obj:`Connection.connect` establishes a connection to the specified address.
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002112 """
Jean-Paul Calderone0bcb0e02010-07-29 09:49:59 -04002113 port = socket()
2114 port.bind(('', 0))
2115 port.listen(3)
2116
2117 clientSSL = Connection(Context(TLSv1_METHOD), socket())
Jean-Paul Calderoneb6e0fd92010-09-19 09:22:13 -04002118 clientSSL.connect(('127.0.0.1', port.getsockname()[1]))
2119 # XXX An assertion? Or something?
Jean-Paul Calderone0bcb0e02010-07-29 09:49:59 -04002120
2121
Jean-Paul Calderone7b614872010-09-24 17:43:44 -04002122 if platform == "darwin":
2123 "connect_ex sometimes causes a kernel panic on OS X 10.6.4"
2124 else:
2125 def test_connect_ex(self):
2126 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002127 If there is a connection error, :py:obj:`Connection.connect_ex` returns the
Jean-Paul Calderone7b614872010-09-24 17:43:44 -04002128 errno instead of raising an exception.
2129 """
2130 port = socket()
2131 port.bind(('', 0))
2132 port.listen(3)
Jean-Paul Calderone55d91f42010-07-29 19:22:17 -04002133
Jean-Paul Calderone7b614872010-09-24 17:43:44 -04002134 clientSSL = Connection(Context(TLSv1_METHOD), socket())
2135 clientSSL.setblocking(False)
2136 result = clientSSL.connect_ex(port.getsockname())
2137 expected = (EINPROGRESS, EWOULDBLOCK)
2138 self.assertTrue(
2139 result in expected, "%r not in %r" % (result, expected))
Jean-Paul Calderone55d91f42010-07-29 19:22:17 -04002140
2141
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002142 def test_accept_wrong_args(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002143 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002144 :py:obj:`Connection.accept` raises :py:obj:`TypeError` if called with any arguments.
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002145 """
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002146 connection = Connection(Context(TLSv1_METHOD), socket())
2147 self.assertRaises(TypeError, connection.accept, None)
2148
2149
Jean-Paul Calderone0bcb0e02010-07-29 09:49:59 -04002150 def test_accept(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002151 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002152 :py:obj:`Connection.accept` accepts a pending connection attempt and returns a
2153 tuple of a new :py:obj:`Connection` (the accepted client) and the address the
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002154 connection originated from.
2155 """
Jean-Paul Calderone8bdeba22010-07-29 09:45:07 -04002156 ctx = Context(TLSv1_METHOD)
2157 ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
2158 ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
Jean-Paul Calderone0bcb0e02010-07-29 09:49:59 -04002159 port = socket()
2160 portSSL = Connection(ctx, port)
2161 portSSL.bind(('', 0))
2162 portSSL.listen(3)
Jean-Paul Calderone8bdeba22010-07-29 09:45:07 -04002163
Jean-Paul Calderone0bcb0e02010-07-29 09:49:59 -04002164 clientSSL = Connection(Context(TLSv1_METHOD), socket())
Jean-Paul Calderoneb6e0fd92010-09-19 09:22:13 -04002165
2166 # Calling portSSL.getsockname() here to get the server IP address sounds
2167 # great, but frequently fails on Windows.
2168 clientSSL.connect(('127.0.0.1', portSSL.getsockname()[1]))
Jean-Paul Calderone8bdeba22010-07-29 09:45:07 -04002169
Jean-Paul Calderone0bcb0e02010-07-29 09:49:59 -04002170 serverSSL, address = portSSL.accept()
2171
2172 self.assertTrue(isinstance(serverSSL, Connection))
2173 self.assertIdentical(serverSSL.get_context(), ctx)
2174 self.assertEquals(address, clientSSL.getsockname())
Jean-Paul Calderone8bdeba22010-07-29 09:45:07 -04002175
2176
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002177 def test_shutdown_wrong_args(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002178 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002179 :py:obj:`Connection.shutdown` raises :py:obj:`TypeError` if called with the wrong
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002180 number of arguments or with arguments other than integers.
2181 """
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002182 connection = Connection(Context(TLSv1_METHOD), None)
2183 self.assertRaises(TypeError, connection.shutdown, None)
Jean-Paul Calderone1d3e0222010-07-29 22:52:45 -04002184 self.assertRaises(TypeError, connection.get_shutdown, None)
2185 self.assertRaises(TypeError, connection.set_shutdown)
2186 self.assertRaises(TypeError, connection.set_shutdown, None)
2187 self.assertRaises(TypeError, connection.set_shutdown, 0, 1)
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002188
2189
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04002190 def test_shutdown(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002191 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002192 :py:obj:`Connection.shutdown` performs an SSL-level connection shutdown.
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002193 """
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04002194 server, client = self._loopback()
Jean-Paul Calderonee4f6b472010-07-29 22:50:58 -04002195 self.assertFalse(server.shutdown())
2196 self.assertEquals(server.get_shutdown(), SENT_SHUTDOWN)
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04002197 self.assertRaises(ZeroReturnError, client.recv, 1024)
Jean-Paul Calderonee4f6b472010-07-29 22:50:58 -04002198 self.assertEquals(client.get_shutdown(), RECEIVED_SHUTDOWN)
2199 client.shutdown()
2200 self.assertEquals(client.get_shutdown(), SENT_SHUTDOWN|RECEIVED_SHUTDOWN)
2201 self.assertRaises(ZeroReturnError, server.recv, 1024)
2202 self.assertEquals(server.get_shutdown(), SENT_SHUTDOWN|RECEIVED_SHUTDOWN)
Jean-Paul Calderone9485f2c2010-07-29 22:38:42 -04002203
2204
Paul Aurichc85e0862015-01-08 08:34:33 -08002205 def test_shutdown_closed(self):
2206 """
2207 If the underlying socket is closed, :py:obj:`Connection.shutdown` propagates the
2208 write error from the low level write call.
2209 """
2210 server, client = self._loopback()
2211 server.sock_shutdown(2)
2212 exc = self.assertRaises(SysCallError, server.shutdown)
2213 if platform == "win32":
2214 self.assertEqual(exc.args[0], ESHUTDOWN)
2215 else:
2216 self.assertEqual(exc.args[0], EPIPE)
2217
2218
Jean-Paul Calderonec89eef22010-07-29 22:51:58 -04002219 def test_set_shutdown(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002220 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002221 :py:obj:`Connection.set_shutdown` sets the state of the SSL connection shutdown
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002222 process.
2223 """
Jean-Paul Calderonec89eef22010-07-29 22:51:58 -04002224 connection = Connection(Context(TLSv1_METHOD), socket())
2225 connection.set_shutdown(RECEIVED_SHUTDOWN)
2226 self.assertEquals(connection.get_shutdown(), RECEIVED_SHUTDOWN)
2227
2228
Jean-Paul Calderonef73a3cb2014-02-09 08:49:06 -05002229 if not PY3:
2230 def test_set_shutdown_long(self):
2231 """
2232 On Python 2 :py:obj:`Connection.set_shutdown` accepts an argument
2233 of type :py:obj:`long` as well as :py:obj:`int`.
2234 """
2235 connection = Connection(Context(TLSv1_METHOD), socket())
2236 connection.set_shutdown(long(RECEIVED_SHUTDOWN))
2237 self.assertEquals(connection.get_shutdown(), RECEIVED_SHUTDOWN)
2238
2239
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002240 def test_app_data_wrong_args(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002241 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002242 :py:obj:`Connection.set_app_data` raises :py:obj:`TypeError` if called with other than
2243 one argument. :py:obj:`Connection.get_app_data` raises :py:obj:`TypeError` if called
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002244 with any arguments.
2245 """
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002246 conn = Connection(Context(TLSv1_METHOD), None)
2247 self.assertRaises(TypeError, conn.get_app_data, None)
2248 self.assertRaises(TypeError, conn.set_app_data)
2249 self.assertRaises(TypeError, conn.set_app_data, None, None)
2250
2251
Jean-Paul Calderone1bd8c792010-07-29 09:51:06 -04002252 def test_app_data(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002253 """
2254 Any object can be set as app data by passing it to
Jonathan Ballet648875f2011-07-16 14:14:58 +09002255 :py:obj:`Connection.set_app_data` and later retrieved with
2256 :py:obj:`Connection.get_app_data`.
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002257 """
Jean-Paul Calderone1bd8c792010-07-29 09:51:06 -04002258 conn = Connection(Context(TLSv1_METHOD), None)
2259 app_data = object()
2260 conn.set_app_data(app_data)
2261 self.assertIdentical(conn.get_app_data(), app_data)
2262
2263
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002264 def test_makefile(self):
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002265 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002266 :py:obj:`Connection.makefile` is not implemented and calling that method raises
2267 :py:obj:`NotImplementedError`.
Jean-Paul Calderone93dba222010-09-08 22:59:37 -04002268 """
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002269 conn = Connection(Context(TLSv1_METHOD), None)
2270 self.assertRaises(NotImplementedError, conn.makefile)
2271
2272
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -04002273 def test_get_peer_cert_chain_wrong_args(self):
2274 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002275 :py:obj:`Connection.get_peer_cert_chain` raises :py:obj:`TypeError` if called with any
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -04002276 arguments.
2277 """
2278 conn = Connection(Context(TLSv1_METHOD), None)
2279 self.assertRaises(TypeError, conn.get_peer_cert_chain, 1)
2280 self.assertRaises(TypeError, conn.get_peer_cert_chain, "foo")
2281 self.assertRaises(TypeError, conn.get_peer_cert_chain, object())
2282 self.assertRaises(TypeError, conn.get_peer_cert_chain, [])
2283
2284
2285 def test_get_peer_cert_chain(self):
2286 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002287 :py:obj:`Connection.get_peer_cert_chain` returns a list of certificates which
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -04002288 the connected server returned for the certification verification.
2289 """
2290 chain = _create_certificate_chain()
2291 [(cakey, cacert), (ikey, icert), (skey, scert)] = chain
2292
2293 serverContext = Context(TLSv1_METHOD)
2294 serverContext.use_privatekey(skey)
2295 serverContext.use_certificate(scert)
2296 serverContext.add_extra_chain_cert(icert)
2297 serverContext.add_extra_chain_cert(cacert)
2298 server = Connection(serverContext, None)
2299 server.set_accept_state()
2300
2301 # Create the client
2302 clientContext = Context(TLSv1_METHOD)
2303 clientContext.set_verify(VERIFY_NONE, verify_cb)
2304 client = Connection(clientContext, None)
2305 client.set_connect_state()
2306
2307 self._interactInMemory(client, server)
2308
2309 chain = client.get_peer_cert_chain()
2310 self.assertEqual(len(chain), 3)
Jean-Paul Calderonee33300c2011-05-19 21:44:38 -04002311 self.assertEqual(
Jean-Paul Calderone24a42432011-05-19 22:21:18 -04002312 "Server Certificate", chain[0].get_subject().CN)
Jean-Paul Calderonee33300c2011-05-19 21:44:38 -04002313 self.assertEqual(
Jean-Paul Calderone24a42432011-05-19 22:21:18 -04002314 "Intermediate Certificate", chain[1].get_subject().CN)
Jean-Paul Calderonee33300c2011-05-19 21:44:38 -04002315 self.assertEqual(
Jean-Paul Calderone24a42432011-05-19 22:21:18 -04002316 "Authority Certificate", chain[2].get_subject().CN)
2317
2318
2319 def test_get_peer_cert_chain_none(self):
2320 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002321 :py:obj:`Connection.get_peer_cert_chain` returns :py:obj:`None` if the peer sends no
Jean-Paul Calderone24a42432011-05-19 22:21:18 -04002322 certificate chain.
2323 """
2324 ctx = Context(TLSv1_METHOD)
2325 ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
2326 ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
2327 server = Connection(ctx, None)
2328 server.set_accept_state()
2329 client = Connection(Context(TLSv1_METHOD), None)
2330 client.set_connect_state()
2331 self._interactInMemory(client, server)
2332 self.assertIdentical(None, server.get_peer_cert_chain())
Jean-Paul Calderone20222ae2011-05-19 21:43:46 -04002333
2334
Jean-Paul Calderone64eaffc2012-02-13 11:53:49 -05002335 def test_get_session_wrong_args(self):
2336 """
2337 :py:obj:`Connection.get_session` raises :py:obj:`TypeError` if called
2338 with any arguments.
2339 """
2340 ctx = Context(TLSv1_METHOD)
2341 server = Connection(ctx, None)
2342 self.assertRaises(TypeError, server.get_session, 123)
2343 self.assertRaises(TypeError, server.get_session, "hello")
2344 self.assertRaises(TypeError, server.get_session, object())
2345
2346
2347 def test_get_session_unconnected(self):
2348 """
2349 :py:obj:`Connection.get_session` returns :py:obj:`None` when used with
2350 an object which has not been connected.
2351 """
2352 ctx = Context(TLSv1_METHOD)
2353 server = Connection(ctx, None)
2354 session = server.get_session()
2355 self.assertIdentical(None, session)
2356
2357
2358 def test_server_get_session(self):
2359 """
2360 On the server side of a connection, :py:obj:`Connection.get_session`
2361 returns a :py:class:`Session` instance representing the SSL session for
2362 that connection.
2363 """
2364 server, client = self._loopback()
2365 session = server.get_session()
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -08002366 self.assertIsInstance(session, Session)
Jean-Paul Calderone64eaffc2012-02-13 11:53:49 -05002367
2368
2369 def test_client_get_session(self):
2370 """
2371 On the client side of a connection, :py:obj:`Connection.get_session`
2372 returns a :py:class:`Session` instance representing the SSL session for
2373 that connection.
2374 """
2375 server, client = self._loopback()
2376 session = client.get_session()
Jean-Paul Calderonea63714c2013-03-05 17:02:26 -08002377 self.assertIsInstance(session, Session)
Jean-Paul Calderone64eaffc2012-02-13 11:53:49 -05002378
2379
Jean-Paul Calderonefef5c4b2012-02-14 16:31:52 -05002380 def test_set_session_wrong_args(self):
2381 """
2382 If called with an object that is not an instance of :py:class:`Session`,
2383 or with other than one argument, :py:obj:`Connection.set_session` raises
2384 :py:obj:`TypeError`.
2385 """
2386 ctx = Context(TLSv1_METHOD)
2387 connection = Connection(ctx, None)
2388 self.assertRaises(TypeError, connection.set_session)
2389 self.assertRaises(TypeError, connection.set_session, 123)
2390 self.assertRaises(TypeError, connection.set_session, "hello")
2391 self.assertRaises(TypeError, connection.set_session, object())
2392 self.assertRaises(
2393 TypeError, connection.set_session, Session(), Session())
2394
2395
2396 def test_client_set_session(self):
2397 """
2398 :py:obj:`Connection.set_session`, when used prior to a connection being
2399 established, accepts a :py:class:`Session` instance and causes an
2400 attempt to re-use the session it represents when the SSL handshake is
2401 performed.
2402 """
2403 key = load_privatekey(FILETYPE_PEM, server_key_pem)
2404 cert = load_certificate(FILETYPE_PEM, server_cert_pem)
2405 ctx = Context(TLSv1_METHOD)
2406 ctx.use_privatekey(key)
2407 ctx.use_certificate(cert)
2408 ctx.set_session_id("unity-test")
2409
2410 def makeServer(socket):
2411 server = Connection(ctx, socket)
2412 server.set_accept_state()
2413 return server
2414
2415 originalServer, originalClient = self._loopback(
2416 serverFactory=makeServer)
2417 originalSession = originalClient.get_session()
2418
2419 def makeClient(socket):
2420 client = self._loopbackClientFactory(socket)
2421 client.set_session(originalSession)
2422 return client
2423 resumedServer, resumedClient = self._loopback(
2424 serverFactory=makeServer,
2425 clientFactory=makeClient)
2426
2427 # This is a proxy: in general, we have no access to any unique
2428 # identifier for the session (new enough versions of OpenSSL expose a
2429 # hash which could be usable, but "new enough" is very, very new).
2430 # Instead, exploit the fact that the master key is re-used if the
2431 # session is re-used. As long as the master key for the two connections
2432 # is the same, the session was re-used!
2433 self.assertEqual(
2434 originalServer.master_key(), resumedServer.master_key())
2435
2436
Jean-Paul Calderone5ea41492012-02-14 16:51:35 -05002437 def test_set_session_wrong_method(self):
2438 """
Jean-Paul Calderone068cb592012-02-14 16:52:43 -05002439 If :py:obj:`Connection.set_session` is passed a :py:class:`Session`
2440 instance associated with a context using a different SSL method than the
2441 :py:obj:`Connection` is using, a :py:class:`OpenSSL.SSL.Error` is
2442 raised.
Jean-Paul Calderone5ea41492012-02-14 16:51:35 -05002443 """
2444 key = load_privatekey(FILETYPE_PEM, server_key_pem)
2445 cert = load_certificate(FILETYPE_PEM, server_cert_pem)
2446 ctx = Context(TLSv1_METHOD)
2447 ctx.use_privatekey(key)
2448 ctx.use_certificate(cert)
2449 ctx.set_session_id("unity-test")
2450
2451 def makeServer(socket):
2452 server = Connection(ctx, socket)
2453 server.set_accept_state()
2454 return server
2455
2456 originalServer, originalClient = self._loopback(
2457 serverFactory=makeServer)
2458 originalSession = originalClient.get_session()
2459
2460 def makeClient(socket):
2461 # Intentionally use a different, incompatible method here.
2462 client = Connection(Context(SSLv3_METHOD), socket)
2463 client.set_connect_state()
2464 client.set_session(originalSession)
2465 return client
2466
2467 self.assertRaises(
2468 Error,
2469 self._loopback, clientFactory=makeClient, serverFactory=makeServer)
2470
2471
Jean-Paul Calderoned899af02013-03-19 22:10:37 -07002472 def test_wantWriteError(self):
2473 """
2474 :py:obj:`Connection` methods which generate output raise
2475 :py:obj:`OpenSSL.SSL.WantWriteError` if writing to the connection's BIO
2476 fail indicating a should-write state.
2477 """
2478 client_socket, server_socket = socket_pair()
2479 # Fill up the client's send buffer so Connection won't be able to write
Jean-Paul Calderonebbff8b92014-03-22 14:20:30 -04002480 # anything. Only write a single byte at a time so we can be sure we
2481 # completely fill the buffer. Even though the socket API is allowed to
2482 # signal a short write via its return value it seems this doesn't
2483 # always happen on all platforms (FreeBSD and OS X particular) for the
2484 # very last bit of available buffer space.
2485 msg = b"x"
2486 for i in range(1024 * 1024 * 4):
Jean-Paul Calderoned899af02013-03-19 22:10:37 -07002487 try:
2488 client_socket.send(msg)
2489 except error as e:
2490 if e.errno == EWOULDBLOCK:
2491 break
2492 raise
2493 else:
2494 self.fail(
2495 "Failed to fill socket buffer, cannot test BIO want write")
2496
2497 ctx = Context(TLSv1_METHOD)
2498 conn = Connection(ctx, client_socket)
2499 # Client's speak first, so make it an SSL client
2500 conn.set_connect_state()
2501 self.assertRaises(WantWriteError, conn.do_handshake)
2502
2503 # XXX want_read
2504
Fedor Brunner416f4a12014-03-28 13:18:38 +01002505 def test_get_finished_before_connect(self):
Fedor Brunner5747b932014-03-05 14:22:34 +01002506 """
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002507 :py:obj:`Connection.get_finished` returns :py:obj:`None` before TLS
2508 handshake is completed.
Fedor Brunner5747b932014-03-05 14:22:34 +01002509 """
Fedor Brunner5747b932014-03-05 14:22:34 +01002510 ctx = Context(TLSv1_METHOD)
2511 connection = Connection(ctx, None)
2512 self.assertEqual(connection.get_finished(), None)
Fedor Brunner416f4a12014-03-28 13:18:38 +01002513
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002514
Fedor Brunner416f4a12014-03-28 13:18:38 +01002515 def test_get_peer_finished_before_connect(self):
2516 """
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002517 :py:obj:`Connection.get_peer_finished` returns :py:obj:`None` before
2518 TLS handshake is completed.
Fedor Brunner416f4a12014-03-28 13:18:38 +01002519 """
Fedor Brunner416f4a12014-03-28 13:18:38 +01002520 ctx = Context(TLSv1_METHOD)
2521 connection = Connection(ctx, None)
Fedor Brunner5747b932014-03-05 14:22:34 +01002522 self.assertEqual(connection.get_peer_finished(), None)
2523
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002524
Fedor Brunner416f4a12014-03-28 13:18:38 +01002525 def test_get_finished(self):
2526 """
2527 :py:obj:`Connection.get_finished` method returns the TLS Finished
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002528 message send from client, or server. Finished messages are send during
2529 TLS handshake.
Fedor Brunner416f4a12014-03-28 13:18:38 +01002530 """
2531
Fedor Brunner5747b932014-03-05 14:22:34 +01002532 server, client = self._loopback()
2533
2534 self.assertNotEqual(server.get_finished(), None)
2535 self.assertTrue(len(server.get_finished()) > 0)
Fedor Brunner416f4a12014-03-28 13:18:38 +01002536
Jean-Paul Calderoned979f232014-03-30 11:58:00 -04002537
Fedor Brunner416f4a12014-03-28 13:18:38 +01002538 def test_get_peer_finished(self):
2539 """
2540 :py:obj:`Connection.get_peer_finished` method returns the TLS Finished
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002541 message received from client, or server. Finished messages are send
2542 during TLS handshake.
Fedor Brunner416f4a12014-03-28 13:18:38 +01002543 """
Fedor Brunner416f4a12014-03-28 13:18:38 +01002544 server, client = self._loopback()
2545
2546 self.assertNotEqual(server.get_peer_finished(), None)
Fedor Brunner5747b932014-03-05 14:22:34 +01002547 self.assertTrue(len(server.get_peer_finished()) > 0)
2548
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002549
Fedor Brunner416f4a12014-03-28 13:18:38 +01002550 def test_tls_finished_message_symmetry(self):
2551 """
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002552 The TLS Finished message send by server must be the TLS Finished message
Fedor Brunner416f4a12014-03-28 13:18:38 +01002553 received by client.
2554
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002555 The TLS Finished message send by client must be the TLS Finished message
Fedor Brunner416f4a12014-03-28 13:18:38 +01002556 received by server.
2557 """
Fedor Brunner416f4a12014-03-28 13:18:38 +01002558 server, client = self._loopback()
2559
Fedor Brunner5747b932014-03-05 14:22:34 +01002560 self.assertEqual(server.get_finished(), client.get_peer_finished())
2561 self.assertEqual(client.get_finished(), server.get_peer_finished())
Jean-Paul Calderone68649052009-07-17 21:14:27 -04002562
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002563
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002564 def test_get_cipher_name_before_connect(self):
2565 """
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002566 :py:obj:`Connection.get_cipher_name` returns :py:obj:`None` if no
2567 connection has been established.
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002568 """
2569 ctx = Context(TLSv1_METHOD)
2570 conn = Connection(ctx, None)
Jean-Paul Calderone069e2bf2014-03-29 18:21:58 -04002571 self.assertIdentical(conn.get_cipher_name(), None)
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002572
Jean-Paul Calderonedbd76272014-03-29 18:09:40 -04002573
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002574 def test_get_cipher_name(self):
2575 """
Jean-Paul Calderone7f0ded42014-03-30 10:34:17 -04002576 :py:obj:`Connection.get_cipher_name` returns a :py:class:`unicode`
2577 string giving the name of the currently used cipher.
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002578 """
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002579 server, client = self._loopback()
2580 server_cipher_name, client_cipher_name = \
2581 server.get_cipher_name(), client.get_cipher_name()
2582
Jean-Paul Calderone7f0ded42014-03-30 10:34:17 -04002583 self.assertIsInstance(server_cipher_name, text_type)
2584 self.assertIsInstance(client_cipher_name, text_type)
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002585
2586 self.assertEqual(server_cipher_name, client_cipher_name)
2587
Jean-Paul Calderonedbd76272014-03-29 18:09:40 -04002588
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002589 def test_get_cipher_version_before_connect(self):
2590 """
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002591 :py:obj:`Connection.get_cipher_version` returns :py:obj:`None` if no
2592 connection has been established.
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002593 """
2594 ctx = Context(TLSv1_METHOD)
2595 conn = Connection(ctx, None)
Jean-Paul Calderone069e2bf2014-03-29 18:21:58 -04002596 self.assertIdentical(conn.get_cipher_version(), None)
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002597
Jean-Paul Calderonedbd76272014-03-29 18:09:40 -04002598
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002599 def test_get_cipher_version(self):
2600 """
Jean-Paul Calderone7f0ded42014-03-30 10:34:17 -04002601 :py:obj:`Connection.get_cipher_version` returns a :py:class:`unicode`
2602 string giving the protocol name of the currently used cipher.
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002603 """
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002604 server, client = self._loopback()
2605 server_cipher_version, client_cipher_version = \
2606 server.get_cipher_version(), client.get_cipher_version()
2607
Jean-Paul Calderone7f0ded42014-03-30 10:34:17 -04002608 self.assertIsInstance(server_cipher_version, text_type)
2609 self.assertIsInstance(client_cipher_version, text_type)
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002610
2611 self.assertEqual(server_cipher_version, client_cipher_version)
2612
Jean-Paul Calderonedbd76272014-03-29 18:09:40 -04002613
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002614 def test_get_cipher_bits_before_connect(self):
2615 """
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002616 :py:obj:`Connection.get_cipher_bits` returns :py:obj:`None` if no
2617 connection has been established.
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002618 """
2619 ctx = Context(TLSv1_METHOD)
2620 conn = Connection(ctx, None)
Jean-Paul Calderone069e2bf2014-03-29 18:21:58 -04002621 self.assertIdentical(conn.get_cipher_bits(), None)
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002622
Jean-Paul Calderonedbd76272014-03-29 18:09:40 -04002623
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002624 def test_get_cipher_bits(self):
2625 """
Jean-Paul Calderone5b05b482014-03-30 11:28:54 -04002626 :py:obj:`Connection.get_cipher_bits` returns the number of secret bits
2627 of the currently used cipher.
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002628 """
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002629 server, client = self._loopback()
2630 server_cipher_bits, client_cipher_bits = \
2631 server.get_cipher_bits(), client.get_cipher_bits()
2632
Fedor Brunner2cffdbc2014-03-10 10:35:23 +01002633 self.assertIsInstance(server_cipher_bits, int)
2634 self.assertIsInstance(client_cipher_bits, int)
Fedor Brunnerd95014a2014-03-03 17:34:41 +01002635
2636 self.assertEqual(server_cipher_bits, client_cipher_bits)
Jean-Paul Calderone68649052009-07-17 21:14:27 -04002637
Jean-Paul Calderonedbd76272014-03-29 18:09:40 -04002638
2639
Jean-Paul Calderonef135e622010-07-28 19:14:16 -04002640class ConnectionGetCipherListTests(TestCase):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002641 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002642 Tests for :py:obj:`Connection.get_cipher_list`.
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002643 """
Jean-Paul Calderone54a2bc02010-09-09 17:52:38 -04002644 def test_wrong_args(self):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002645 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002646 :py:obj:`Connection.get_cipher_list` raises :py:obj:`TypeError` if called with any
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002647 arguments.
2648 """
Jean-Paul Calderonef135e622010-07-28 19:14:16 -04002649 connection = Connection(Context(TLSv1_METHOD), None)
2650 self.assertRaises(TypeError, connection.get_cipher_list, None)
2651
2652
2653 def test_result(self):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002654 """
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05002655 :py:obj:`Connection.get_cipher_list` returns a :py:obj:`list` of
2656 :py:obj:`bytes` giving the names of the ciphers which might be used.
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002657 """
Jean-Paul Calderonef135e622010-07-28 19:14:16 -04002658 connection = Connection(Context(TLSv1_METHOD), None)
2659 ciphers = connection.get_cipher_list()
2660 self.assertTrue(isinstance(ciphers, list))
2661 for cipher in ciphers:
2662 self.assertTrue(isinstance(cipher, str))
2663
2664
2665
Jean-Paul Calderone9cbbe262011-01-05 14:53:43 -05002666class ConnectionSendTests(TestCase, _LoopbackMixin):
2667 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002668 Tests for :py:obj:`Connection.send`
Jean-Paul Calderone9cbbe262011-01-05 14:53:43 -05002669 """
2670 def test_wrong_args(self):
2671 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002672 When called with arguments other than string argument for its first
2673 parameter or more than two arguments, :py:obj:`Connection.send` raises
2674 :py:obj:`TypeError`.
Jean-Paul Calderone9cbbe262011-01-05 14:53:43 -05002675 """
2676 connection = Connection(Context(TLSv1_METHOD), None)
Jean-Paul Calderone77fa2602011-01-05 18:23:39 -05002677 self.assertRaises(TypeError, connection.send)
2678 self.assertRaises(TypeError, connection.send, object())
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002679 self.assertRaises(TypeError, connection.send, "foo", object(), "bar")
Jean-Paul Calderone9cbbe262011-01-05 14:53:43 -05002680
2681
2682 def test_short_bytes(self):
2683 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002684 When passed a short byte string, :py:obj:`Connection.send` transmits all of it
Jean-Paul Calderone9cbbe262011-01-05 14:53:43 -05002685 and returns the number of bytes sent.
2686 """
2687 server, client = self._loopback()
2688 count = server.send(b('xy'))
2689 self.assertEquals(count, 2)
2690 self.assertEquals(client.recv(2), b('xy'))
2691
2692 try:
2693 memoryview
2694 except NameError:
2695 "cannot test sending memoryview without memoryview"
2696 else:
2697 def test_short_memoryview(self):
2698 """
2699 When passed a memoryview onto a small number of bytes,
Jonathan Ballet648875f2011-07-16 14:14:58 +09002700 :py:obj:`Connection.send` transmits all of them and returns the number of
Jean-Paul Calderone9cbbe262011-01-05 14:53:43 -05002701 bytes sent.
2702 """
2703 server, client = self._loopback()
2704 count = server.send(memoryview(b('xy')))
2705 self.assertEquals(count, 2)
2706 self.assertEquals(client.recv(2), b('xy'))
2707
2708
Markus Unterwaditzer8e41d022014-04-19 12:27:11 +02002709 try:
2710 buffer
2711 except NameError:
2712 "cannot test sending buffer without buffer"
2713 else:
2714 def test_short_buffer(self):
2715 """
2716 When passed a buffer containing a small number of bytes,
2717 :py:obj:`Connection.send` transmits all of them and returns the number of
2718 bytes sent.
2719 """
2720 server, client = self._loopback()
2721 count = server.send(buffer(b('xy')))
2722 self.assertEquals(count, 2)
2723 self.assertEquals(client.recv(2), b('xy'))
2724
2725
Jean-Paul Calderone691e6c92011-01-21 22:04:35 -05002726
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002727def _make_memoryview(size):
2728 """
2729 Create a new ``memoryview`` wrapped around a ``bytearray`` of the given
2730 size.
2731 """
2732 return memoryview(bytearray(size))
2733
2734
2735
Cory Benfield62d10332014-06-15 10:03:41 +01002736class ConnectionRecvIntoTests(TestCase, _LoopbackMixin):
2737 """
2738 Tests for :py:obj:`Connection.recv_into`
2739 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002740 def _no_length_test(self, factory):
Jean-Paul Calderone61559d82015-03-15 17:04:50 -04002741 """
2742 Assert that when the given buffer is passed to
2743 ``Connection.recv_into``, whatever bytes are available to be received
2744 that fit into that buffer are written into that buffer.
2745 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002746 output_buffer = factory(5)
2747
Jean-Paul Calderone332a85e2015-03-15 17:02:40 -04002748 server, client = self._loopback()
2749 server.send(b('xy'))
2750
Jean-Paul Calderone320af1e2015-03-15 17:20:13 -04002751 self.assertEqual(client.recv_into(output_buffer), 2)
2752 self.assertEqual(output_buffer, bytearray(b('xy\x00\x00\x00')))
Jean-Paul Calderone332a85e2015-03-15 17:02:40 -04002753
2754
Jean-Paul Calderoned335b272015-03-15 17:26:38 -04002755 def test_bytearray_no_length(self):
Cory Benfield62d10332014-06-15 10:03:41 +01002756 """
Jean-Paul Calderone61559d82015-03-15 17:04:50 -04002757 :py:obj:`Connection.recv_into` can be passed a ``bytearray`` instance
2758 and data in the receive buffer is written to it.
Cory Benfield62d10332014-06-15 10:03:41 +01002759 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002760 self._no_length_test(bytearray)
Cory Benfield62d10332014-06-15 10:03:41 +01002761
2762
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002763 def _respects_length_test(self, factory):
Cory Benfield62d10332014-06-15 10:03:41 +01002764 """
Jean-Paul Calderonec295a2f2015-03-15 17:11:18 -04002765 Assert that when the given buffer is passed to ``Connection.recv_into``
2766 along with a value for ``nbytes`` that is less than the size of that
2767 buffer, only ``nbytes`` bytes are written into the buffer.
Cory Benfield62d10332014-06-15 10:03:41 +01002768 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002769 output_buffer = factory(10)
2770
Cory Benfield62d10332014-06-15 10:03:41 +01002771 server, client = self._loopback()
2772 server.send(b('abcdefghij'))
Cory Benfield62d10332014-06-15 10:03:41 +01002773
Jean-Paul Calderone320af1e2015-03-15 17:20:13 -04002774 self.assertEqual(client.recv_into(output_buffer, 5), 5)
2775 self.assertEqual(
Jean-Paul Calderonec295a2f2015-03-15 17:11:18 -04002776 output_buffer, bytearray(b('abcde\x00\x00\x00\x00\x00'))
2777 )
2778
2779
Jean-Paul Calderoned335b272015-03-15 17:26:38 -04002780 def test_bytearray_respects_length(self):
Jean-Paul Calderonec295a2f2015-03-15 17:11:18 -04002781 """
2782 When called with a ``bytearray`` instance,
2783 :py:obj:`Connection.recv_into` respects the ``nbytes`` parameter and
2784 doesn't copy in more than that number of bytes.
2785 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002786 self._respects_length_test(bytearray)
Cory Benfield62d10332014-06-15 10:03:41 +01002787
2788
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002789 def _doesnt_overfill_test(self, factory):
Cory Benfield62d10332014-06-15 10:03:41 +01002790 """
Jean-Paul Calderone2b41ad32015-03-15 17:19:39 -04002791 Assert that if there are more bytes available to be read from the
2792 receive buffer than would fit into the buffer passed to
2793 :py:obj:`Connection.recv_into`, only as many as fit are written into
2794 it.
Cory Benfield62d10332014-06-15 10:03:41 +01002795 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002796 output_buffer = factory(5)
2797
Cory Benfield62d10332014-06-15 10:03:41 +01002798 server, client = self._loopback()
2799 server.send(b('abcdefghij'))
Cory Benfield62d10332014-06-15 10:03:41 +01002800
Jean-Paul Calderone320af1e2015-03-15 17:20:13 -04002801 self.assertEqual(client.recv_into(output_buffer), 5)
2802 self.assertEqual(output_buffer, bytearray(b('abcde')))
Jean-Paul Calderone2b41ad32015-03-15 17:19:39 -04002803 rest = client.recv(5)
2804 self.assertEqual(b('fghij'), rest)
2805
2806
Jean-Paul Calderoned335b272015-03-15 17:26:38 -04002807 def test_bytearray_doesnt_overfill(self):
Jean-Paul Calderone2b41ad32015-03-15 17:19:39 -04002808 """
2809 When called with a ``bytearray`` instance,
2810 :py:obj:`Connection.recv_into` respects the size of the array and
2811 doesn't write more bytes into it than will fit.
2812 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002813 self._doesnt_overfill_test(bytearray)
Cory Benfield62d10332014-06-15 10:03:41 +01002814
2815
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002816 def _really_doesnt_overfill_test(self, factory):
Jean-Paul Calderone4bec59a2015-03-15 17:25:57 -04002817 """
2818 Assert that if the value given by ``nbytes`` is greater than the actual
2819 size of the output buffer passed to :py:obj:`Connection.recv_into`, the
2820 behavior is as if no value was given for ``nbytes`` at all.
2821 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002822 output_buffer = factory(5)
2823
Jean-Paul Calderone4bec59a2015-03-15 17:25:57 -04002824 server, client = self._loopback()
2825 server.send(b('abcdefghij'))
2826
2827 self.assertEqual(client.recv_into(output_buffer, 50), 5)
2828 self.assertEqual(output_buffer, bytearray(b('abcde')))
2829 rest = client.recv(5)
2830 self.assertEqual(b('fghij'), rest)
2831
2832
Jean-Paul Calderoned335b272015-03-15 17:26:38 -04002833 def test_bytearray_really_doesnt_overfill(self):
Jean-Paul Calderone4bec59a2015-03-15 17:25:57 -04002834 """
2835 When called with a ``bytearray`` instance and an ``nbytes`` value that
2836 is too large, :py:obj:`Connection.recv_into` respects the size of the
2837 array and not the ``nbytes`` value and doesn't write more bytes into
2838 the buffer than will fit.
2839 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002840 self._doesnt_overfill_test(bytearray)
Jean-Paul Calderone4bec59a2015-03-15 17:25:57 -04002841
2842
Cory Benfield62d10332014-06-15 10:03:41 +01002843 try:
2844 memoryview
2845 except NameError:
2846 "cannot test recv_into memoryview without memoryview"
2847 else:
Jean-Paul Calderone332a85e2015-03-15 17:02:40 -04002848 def test_memoryview_no_length(self):
Cory Benfield62d10332014-06-15 10:03:41 +01002849 """
Jean-Paul Calderone61559d82015-03-15 17:04:50 -04002850 :py:obj:`Connection.recv_into` can be passed a ``memoryview``
2851 instance and data in the receive buffer is written to it.
Cory Benfield62d10332014-06-15 10:03:41 +01002852 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002853 self._no_length_test(_make_memoryview)
Cory Benfield62d10332014-06-15 10:03:41 +01002854
2855
Jean-Paul Calderonec295a2f2015-03-15 17:11:18 -04002856 def test_memoryview_respects_length(self):
Cory Benfield62d10332014-06-15 10:03:41 +01002857 """
Jean-Paul Calderonec295a2f2015-03-15 17:11:18 -04002858 When called with a ``memoryview`` instance,
2859 :py:obj:`Connection.recv_into` respects the ``nbytes`` parameter
2860 and doesn't copy more than that number of bytes in.
Cory Benfield62d10332014-06-15 10:03:41 +01002861 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002862 self._respects_length_test(_make_memoryview)
Cory Benfield62d10332014-06-15 10:03:41 +01002863
2864
Jean-Paul Calderone2b41ad32015-03-15 17:19:39 -04002865 def test_memoryview_doesnt_overfill(self):
Cory Benfield62d10332014-06-15 10:03:41 +01002866 """
Jean-Paul Calderone8fd82552015-03-15 17:21:07 -04002867 When called with a ``memoryview`` instance,
2868 :py:obj:`Connection.recv_into` respects the size of the array and
2869 doesn't write more bytes into it than will fit.
Cory Benfield62d10332014-06-15 10:03:41 +01002870 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002871 self._doesnt_overfill_test(_make_memoryview)
Cory Benfield62d10332014-06-15 10:03:41 +01002872
2873
Jean-Paul Calderone4bec59a2015-03-15 17:25:57 -04002874 def test_memoryview_really_doesnt_overfill(self):
2875 """
2876 When called with a ``memoryview`` instance and an ``nbytes`` value
2877 that is too large, :py:obj:`Connection.recv_into` respects the size
2878 of the array and not the ``nbytes`` value and doesn't write more
2879 bytes into the buffer than will fit.
2880 """
Jean-Paul Calderone6c840102015-03-15 17:32:15 -04002881 self._doesnt_overfill_test(_make_memoryview)
Jean-Paul Calderone4bec59a2015-03-15 17:25:57 -04002882
2883
Cory Benfield62d10332014-06-15 10:03:41 +01002884
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002885class ConnectionSendallTests(TestCase, _LoopbackMixin):
2886 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002887 Tests for :py:obj:`Connection.sendall`.
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002888 """
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002889 def test_wrong_args(self):
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002890 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002891 When called with arguments other than a string argument for its first
2892 parameter or with more than two arguments, :py:obj:`Connection.sendall`
2893 raises :py:obj:`TypeError`.
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002894 """
2895 connection = Connection(Context(TLSv1_METHOD), None)
2896 self.assertRaises(TypeError, connection.sendall)
2897 self.assertRaises(TypeError, connection.sendall, object())
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05002898 self.assertRaises(
2899 TypeError, connection.sendall, "foo", object(), "bar")
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002900
2901
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002902 def test_short(self):
2903 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002904 :py:obj:`Connection.sendall` transmits all of the bytes in the string passed to
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002905 it.
2906 """
2907 server, client = self._loopback()
Jean-Paul Calderonea9868832010-08-22 21:38:34 -04002908 server.sendall(b('x'))
2909 self.assertEquals(client.recv(1), b('x'))
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002910
2911
Jean-Paul Calderone691e6c92011-01-21 22:04:35 -05002912 try:
2913 memoryview
2914 except NameError:
2915 "cannot test sending memoryview without memoryview"
2916 else:
2917 def test_short_memoryview(self):
2918 """
2919 When passed a memoryview onto a small number of bytes,
Jonathan Ballet648875f2011-07-16 14:14:58 +09002920 :py:obj:`Connection.sendall` transmits all of them.
Jean-Paul Calderone691e6c92011-01-21 22:04:35 -05002921 """
2922 server, client = self._loopback()
2923 server.sendall(memoryview(b('x')))
2924 self.assertEquals(client.recv(1), b('x'))
2925
2926
Markus Unterwaditzer8e41d022014-04-19 12:27:11 +02002927 try:
2928 buffer
2929 except NameError:
2930 "cannot test sending buffers without buffers"
2931 else:
2932 def test_short_buffers(self):
2933 """
2934 When passed a buffer containing a small number of bytes,
2935 :py:obj:`Connection.sendall` transmits all of them.
2936 """
2937 server, client = self._loopback()
2938 server.sendall(buffer(b('x')))
2939 self.assertEquals(client.recv(1), b('x'))
2940
2941
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002942 def test_long(self):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002943 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002944 :py:obj:`Connection.sendall` transmits all of the bytes in the string passed to
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002945 it even if this requires multiple calls of an underlying write function.
2946 """
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002947 server, client = self._loopback()
Jean-Paul Calderone6241c702010-09-16 19:59:24 -04002948 # Should be enough, underlying SSL_write should only do 16k at a time.
2949 # On Windows, after 32k of bytes the write will block (forever - because
2950 # no one is yet reading).
Jean-Paul Calderone9e4c1352010-09-19 09:34:43 -04002951 message = b('x') * (1024 * 32 - 1) + b('y')
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002952 server.sendall(message)
2953 accum = []
2954 received = 0
2955 while received < len(message):
Jean-Paul Calderoneb1f7f5f2010-08-22 21:40:52 -04002956 data = client.recv(1024)
2957 accum.append(data)
2958 received += len(data)
Jean-Paul Calderonef4047852010-09-19 09:45:57 -04002959 self.assertEquals(message, b('').join(accum))
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002960
2961
Jean-Paul Calderone974bdc02010-07-28 19:06:10 -04002962 def test_closed(self):
2963 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002964 If the underlying socket is closed, :py:obj:`Connection.sendall` propagates the
Jean-Paul Calderone974bdc02010-07-28 19:06:10 -04002965 write error from the low level write call.
2966 """
2967 server, client = self._loopback()
Jean-Paul Calderone05d43e82010-09-24 18:01:36 -04002968 server.sock_shutdown(2)
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05002969 exc = self.assertRaises(SysCallError, server.sendall, b"hello, world")
Konstantinos Koukopoulos541150d2014-01-31 01:00:19 +02002970 if platform == "win32":
2971 self.assertEqual(exc.args[0], ESHUTDOWN)
2972 else:
2973 self.assertEqual(exc.args[0], EPIPE)
Jean-Paul Calderone974bdc02010-07-28 19:06:10 -04002974
Jean-Paul Calderone7ca48b52010-07-28 18:57:21 -04002975
Jean-Paul Calderone1d69a722010-07-29 09:05:53 -04002976
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002977class ConnectionRenegotiateTests(TestCase, _LoopbackMixin):
2978 """
2979 Tests for SSL renegotiation APIs.
2980 """
2981 def test_renegotiate_wrong_args(self):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002982 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002983 :py:obj:`Connection.renegotiate` raises :py:obj:`TypeError` if called with any
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002984 arguments.
2985 """
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04002986 connection = Connection(Context(TLSv1_METHOD), None)
2987 self.assertRaises(TypeError, connection.renegotiate, None)
2988
2989
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002990 def test_total_renegotiations_wrong_args(self):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002991 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09002992 :py:obj:`Connection.total_renegotiations` raises :py:obj:`TypeError` if called with
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04002993 any arguments.
2994 """
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04002995 connection = Connection(Context(TLSv1_METHOD), None)
2996 self.assertRaises(TypeError, connection.total_renegotiations, None)
2997
2998
2999 def test_total_renegotiations(self):
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04003000 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003001 :py:obj:`Connection.total_renegotiations` returns :py:obj:`0` before any
Jean-Paul Calderonea8fb0c82010-09-09 18:04:56 -04003002 renegotiations have happened.
3003 """
Jean-Paul Calderonecfecc242010-07-29 22:47:06 -04003004 connection = Connection(Context(TLSv1_METHOD), None)
3005 self.assertEquals(connection.total_renegotiations(), 0)
3006
3007
Jean-Paul Calderone8ea22522010-07-29 09:39:39 -04003008# def test_renegotiate(self):
3009# """
3010# """
3011# server, client = self._loopback()
3012
3013# server.send("hello world")
3014# self.assertEquals(client.recv(len("hello world")), "hello world")
3015
3016# self.assertEquals(server.total_renegotiations(), 0)
3017# self.assertTrue(server.renegotiate())
3018
3019# server.setblocking(False)
3020# client.setblocking(False)
3021# while server.renegotiate_pending():
3022# client.do_handshake()
3023# server.do_handshake()
3024
3025# self.assertEquals(server.total_renegotiations(), 1)
3026
3027
3028
3029
Jean-Paul Calderone68649052009-07-17 21:14:27 -04003030class ErrorTests(TestCase):
3031 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003032 Unit tests for :py:obj:`OpenSSL.SSL.Error`.
Jean-Paul Calderone68649052009-07-17 21:14:27 -04003033 """
3034 def test_type(self):
3035 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003036 :py:obj:`Error` is an exception type.
Jean-Paul Calderone68649052009-07-17 21:14:27 -04003037 """
3038 self.assertTrue(issubclass(Error, Exception))
Rick Deane15b1472009-07-09 15:53:42 -05003039 self.assertEqual(Error.__name__, 'Error')
Rick Deane15b1472009-07-09 15:53:42 -05003040
3041
3042
Jean-Paul Calderone327d8f92008-12-28 21:55:56 -05003043class ConstantsTests(TestCase):
3044 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003045 Tests for the values of constants exposed in :py:obj:`OpenSSL.SSL`.
Jean-Paul Calderone327d8f92008-12-28 21:55:56 -05003046
3047 These are values defined by OpenSSL intended only to be used as flags to
3048 OpenSSL APIs. The only assertions it seems can be made about them is
3049 their values.
3050 """
Jean-Paul Calderoned811b682008-12-28 22:59:15 -05003051 # unittest.TestCase has no skip mechanism
3052 if OP_NO_QUERY_MTU is not None:
3053 def test_op_no_query_mtu(self):
3054 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003055 The value of :py:obj:`OpenSSL.SSL.OP_NO_QUERY_MTU` is 0x1000, the value of
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -04003056 :py:const:`SSL_OP_NO_QUERY_MTU` defined by :file:`openssl/ssl.h`.
Jean-Paul Calderoned811b682008-12-28 22:59:15 -05003057 """
3058 self.assertEqual(OP_NO_QUERY_MTU, 0x1000)
3059 else:
3060 "OP_NO_QUERY_MTU unavailable - OpenSSL version may be too old"
Jean-Paul Calderone327d8f92008-12-28 21:55:56 -05003061
3062
Jean-Paul Calderoned811b682008-12-28 22:59:15 -05003063 if OP_COOKIE_EXCHANGE is not None:
3064 def test_op_cookie_exchange(self):
3065 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003066 The value of :py:obj:`OpenSSL.SSL.OP_COOKIE_EXCHANGE` is 0x2000, the value
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -04003067 of :py:const:`SSL_OP_COOKIE_EXCHANGE` defined by :file:`openssl/ssl.h`.
Jean-Paul Calderoned811b682008-12-28 22:59:15 -05003068 """
3069 self.assertEqual(OP_COOKIE_EXCHANGE, 0x2000)
3070 else:
3071 "OP_COOKIE_EXCHANGE unavailable - OpenSSL version may be too old"
Jean-Paul Calderone327d8f92008-12-28 21:55:56 -05003072
3073
Jean-Paul Calderoned811b682008-12-28 22:59:15 -05003074 if OP_NO_TICKET is not None:
3075 def test_op_no_ticket(self):
3076 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003077 The value of :py:obj:`OpenSSL.SSL.OP_NO_TICKET` is 0x4000, the value of
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -04003078 :py:const:`SSL_OP_NO_TICKET` defined by :file:`openssl/ssl.h`.
Jean-Paul Calderoned811b682008-12-28 22:59:15 -05003079 """
3080 self.assertEqual(OP_NO_TICKET, 0x4000)
Jean-Paul Calderonecebd1782011-09-11 10:01:31 -04003081 else:
Jean-Paul Calderoned811b682008-12-28 22:59:15 -05003082 "OP_NO_TICKET unavailable - OpenSSL version may be too old"
Rick Dean5b7b6372009-04-01 11:34:06 -05003083
3084
Jean-Paul Calderonec62d4c12011-09-08 18:29:32 -04003085 if OP_NO_COMPRESSION is not None:
3086 def test_op_no_compression(self):
3087 """
Jean-Paul Calderone64efa2c2011-09-11 10:00:09 -04003088 The value of :py:obj:`OpenSSL.SSL.OP_NO_COMPRESSION` is 0x20000, the value
3089 of :py:const:`SSL_OP_NO_COMPRESSION` defined by :file:`openssl/ssl.h`.
Jean-Paul Calderonec62d4c12011-09-08 18:29:32 -04003090 """
3091 self.assertEqual(OP_NO_COMPRESSION, 0x20000)
3092 else:
3093 "OP_NO_COMPRESSION unavailable - OpenSSL version may be too old"
3094
3095
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05003096 def test_sess_cache_off(self):
3097 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05003098 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_OFF` 0x0, the value of
3099 :py:obj:`SSL_SESS_CACHE_OFF` defined by ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05003100 """
3101 self.assertEqual(0x0, SESS_CACHE_OFF)
3102
3103
3104 def test_sess_cache_client(self):
3105 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05003106 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_CLIENT` 0x1, the value of
3107 :py:obj:`SSL_SESS_CACHE_CLIENT` defined by ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05003108 """
3109 self.assertEqual(0x1, SESS_CACHE_CLIENT)
3110
3111
3112 def test_sess_cache_server(self):
3113 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05003114 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_SERVER` 0x2, the value of
3115 :py:obj:`SSL_SESS_CACHE_SERVER` defined by ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05003116 """
3117 self.assertEqual(0x2, SESS_CACHE_SERVER)
3118
3119
3120 def test_sess_cache_both(self):
3121 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05003122 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_BOTH` 0x3, the value of
3123 :py:obj:`SSL_SESS_CACHE_BOTH` defined by ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05003124 """
3125 self.assertEqual(0x3, SESS_CACHE_BOTH)
3126
3127
3128 def test_sess_cache_no_auto_clear(self):
3129 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05003130 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_NO_AUTO_CLEAR` 0x80, the
3131 value of :py:obj:`SSL_SESS_CACHE_NO_AUTO_CLEAR` defined by
3132 ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05003133 """
3134 self.assertEqual(0x80, SESS_CACHE_NO_AUTO_CLEAR)
3135
3136
3137 def test_sess_cache_no_internal_lookup(self):
3138 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05003139 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_LOOKUP` 0x100,
3140 the value of :py:obj:`SSL_SESS_CACHE_NO_INTERNAL_LOOKUP` defined by
3141 ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05003142 """
3143 self.assertEqual(0x100, SESS_CACHE_NO_INTERNAL_LOOKUP)
3144
3145
3146 def test_sess_cache_no_internal_store(self):
3147 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05003148 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_NO_INTERNAL_STORE` 0x200,
3149 the value of :py:obj:`SSL_SESS_CACHE_NO_INTERNAL_STORE` defined by
3150 ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05003151 """
3152 self.assertEqual(0x200, SESS_CACHE_NO_INTERNAL_STORE)
3153
3154
3155 def test_sess_cache_no_internal(self):
3156 """
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05003157 The value of :py:obj:`OpenSSL.SSL.SESS_CACHE_NO_INTERNAL` 0x300, the
3158 value of :py:obj:`SSL_SESS_CACHE_NO_INTERNAL` defined by
3159 ``openssl/ssl.h``.
Jean-Paul Calderone313bf012012-02-08 13:02:49 -05003160 """
3161 self.assertEqual(0x300, SESS_CACHE_NO_INTERNAL)
3162
3163
Jean-Paul Calderoneeeee26a2009-04-27 11:24:30 -04003164
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04003165class MemoryBIOTests(TestCase, _LoopbackMixin):
Rick Deanb71c0d22009-04-01 14:09:23 -05003166 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003167 Tests for :py:obj:`OpenSSL.SSL.Connection` using a memory BIO.
Rick Deanb71c0d22009-04-01 14:09:23 -05003168 """
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04003169 def _server(self, sock):
3170 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003171 Create a new server-side SSL :py:obj:`Connection` object wrapped around
3172 :py:obj:`sock`.
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04003173 """
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04003174 # Create the server side Connection. This is mostly setup boilerplate
3175 # - use TLSv1, use a particular certificate, etc.
3176 server_ctx = Context(TLSv1_METHOD)
3177 server_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE )
3178 server_ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT|VERIFY_CLIENT_ONCE, verify_cb)
3179 server_store = server_ctx.get_cert_store()
3180 server_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
3181 server_ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
3182 server_ctx.check_privatekey()
3183 server_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))
Rick Deanb1ccd562009-07-09 23:52:39 -05003184 # Here the Connection is actually created. If None is passed as the 2nd
3185 # parameter, it indicates a memory BIO should be created.
3186 server_conn = Connection(server_ctx, sock)
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04003187 server_conn.set_accept_state()
3188 return server_conn
3189
3190
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04003191 def _client(self, sock):
3192 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003193 Create a new client-side SSL :py:obj:`Connection` object wrapped around
3194 :py:obj:`sock`.
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04003195 """
3196 # Now create the client side Connection. Similar boilerplate to the
3197 # above.
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04003198 client_ctx = Context(TLSv1_METHOD)
3199 client_ctx.set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_SINGLE_DH_USE )
3200 client_ctx.set_verify(VERIFY_PEER|VERIFY_FAIL_IF_NO_PEER_CERT|VERIFY_CLIENT_ONCE, verify_cb)
3201 client_store = client_ctx.get_cert_store()
3202 client_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, client_key_pem))
3203 client_ctx.use_certificate(load_certificate(FILETYPE_PEM, client_cert_pem))
3204 client_ctx.check_privatekey()
3205 client_store.add_cert(load_certificate(FILETYPE_PEM, root_cert_pem))
Rick Deanb1ccd562009-07-09 23:52:39 -05003206 client_conn = Connection(client_ctx, sock)
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04003207 client_conn.set_connect_state()
3208 return client_conn
3209
3210
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04003211 def test_memoryConnect(self):
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04003212 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003213 Two :py:obj:`Connection`s which use memory BIOs can be manually connected by
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04003214 reading from the output of each and writing those bytes to the input of
3215 the other and in this way establish a connection and exchange
3216 application-level bytes with each other.
3217 """
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04003218 server_conn = self._server(None)
3219 client_conn = self._client(None)
Rick Deanb71c0d22009-04-01 14:09:23 -05003220
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04003221 # There should be no key or nonces yet.
3222 self.assertIdentical(server_conn.master_key(), None)
3223 self.assertIdentical(server_conn.client_random(), None)
3224 self.assertIdentical(server_conn.server_random(), None)
Rick Deanb71c0d22009-04-01 14:09:23 -05003225
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04003226 # First, the handshake needs to happen. We'll deliver bytes back and
3227 # forth between the client and server until neither of them feels like
3228 # speaking any more.
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04003229 self.assertIdentical(
3230 self._interactInMemory(client_conn, server_conn), None)
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04003231
3232 # Now that the handshake is done, there should be a key and nonces.
3233 self.assertNotIdentical(server_conn.master_key(), None)
3234 self.assertNotIdentical(server_conn.client_random(), None)
3235 self.assertNotIdentical(server_conn.server_random(), None)
Jean-Paul Calderone6c051e62009-07-05 13:50:34 -04003236 self.assertEquals(server_conn.client_random(), client_conn.client_random())
3237 self.assertEquals(server_conn.server_random(), client_conn.server_random())
3238 self.assertNotEquals(server_conn.client_random(), server_conn.server_random())
3239 self.assertNotEquals(client_conn.client_random(), client_conn.server_random())
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04003240
3241 # Here are the bytes we'll try to send.
Jean-Paul Calderonea441fdc2010-08-22 21:33:57 -04003242 important_message = b('One if by land, two if by sea.')
Rick Deanb71c0d22009-04-01 14:09:23 -05003243
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04003244 server_conn.write(important_message)
3245 self.assertEquals(
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04003246 self._interactInMemory(client_conn, server_conn),
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04003247 (client_conn, important_message))
3248
3249 client_conn.write(important_message[::-1])
3250 self.assertEquals(
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04003251 self._interactInMemory(client_conn, server_conn),
Jean-Paul Calderone958299e2009-04-27 12:59:12 -04003252 (server_conn, important_message[::-1]))
Rick Deanb71c0d22009-04-01 14:09:23 -05003253
3254
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04003255 def test_socketConnect(self):
Rick Deanb1ccd562009-07-09 23:52:39 -05003256 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003257 Just like :py:obj:`test_memoryConnect` but with an actual socket.
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04003258
3259 This is primarily to rule out the memory BIO code as the source of
Jonathan Ballet648875f2011-07-16 14:14:58 +09003260 any problems encountered while passing data over a :py:obj:`Connection` (if
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04003261 this test fails, there must be a problem outside the memory BIO
3262 code, as no memory BIO is involved here). Even though this isn't a
3263 memory BIO test, it's convenient to have it here.
Rick Deanb1ccd562009-07-09 23:52:39 -05003264 """
Jean-Paul Calderone06c7cc92010-09-24 23:52:00 -04003265 server_conn, client_conn = self._loopback()
Rick Deanb1ccd562009-07-09 23:52:39 -05003266
Jean-Paul Calderonea441fdc2010-08-22 21:33:57 -04003267 important_message = b("Help me Obi Wan Kenobi, you're my only hope.")
Rick Deanb1ccd562009-07-09 23:52:39 -05003268 client_conn.send(important_message)
3269 msg = server_conn.recv(1024)
3270 self.assertEqual(msg, important_message)
3271
3272 # Again in the other direction, just for fun.
3273 important_message = important_message[::-1]
3274 server_conn.send(important_message)
3275 msg = client_conn.recv(1024)
3276 self.assertEqual(msg, important_message)
3277
3278
Jean-Paul Calderonefc4ed0f2009-04-27 11:51:27 -04003279 def test_socketOverridesMemory(self):
Rick Deanb71c0d22009-04-01 14:09:23 -05003280 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003281 Test that :py:obj:`OpenSSL.SSL.bio_read` and :py:obj:`OpenSSL.SSL.bio_write` don't
3282 work on :py:obj:`OpenSSL.SSL.Connection`() that use sockets.
Rick Deanb71c0d22009-04-01 14:09:23 -05003283 """
3284 context = Context(SSLv3_METHOD)
3285 client = socket()
3286 clientSSL = Connection(context, client)
3287 self.assertRaises( TypeError, clientSSL.bio_read, 100)
3288 self.assertRaises( TypeError, clientSSL.bio_write, "foo")
Jean-Paul Calderone07acf3f2009-05-05 13:23:28 -04003289 self.assertRaises( TypeError, clientSSL.bio_shutdown )
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04003290
3291
3292 def test_outgoingOverflow(self):
3293 """
3294 If more bytes than can be written to the memory BIO are passed to
Jonathan Ballet648875f2011-07-16 14:14:58 +09003295 :py:obj:`Connection.send` at once, the number of bytes which were written is
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04003296 returned and that many bytes from the beginning of the input can be
3297 read from the other end of the connection.
3298 """
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04003299 server = self._server(None)
3300 client = self._client(None)
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04003301
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04003302 self._interactInMemory(client, server)
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04003303
3304 size = 2 ** 15
Jean-Paul Calderone4f0467a2014-01-11 11:58:41 -05003305 sent = client.send(b"x" * size)
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04003306 # Sanity check. We're trying to test what happens when the entire
3307 # input can't be sent. If the entire input was sent, this test is
3308 # meaningless.
3309 self.assertTrue(sent < size)
3310
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04003311 receiver, received = self._interactInMemory(client, server)
Jean-Paul Calderoneaff0fc42009-04-27 17:13:34 -04003312 self.assertIdentical(receiver, server)
3313
3314 # We can rely on all of these bytes being received at once because
3315 # _loopback passes 2 ** 16 to recv - more than 2 ** 15.
3316 self.assertEquals(len(received), sent)
Jean-Paul Calderone3ad85d42009-04-30 20:24:35 -04003317
3318
3319 def test_shutdown(self):
3320 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003321 :py:obj:`Connection.bio_shutdown` signals the end of the data stream from
3322 which the :py:obj:`Connection` reads.
Jean-Paul Calderone3ad85d42009-04-30 20:24:35 -04003323 """
Jean-Paul Calderonece8324d2009-07-16 12:22:52 -04003324 server = self._server(None)
Jean-Paul Calderone3ad85d42009-04-30 20:24:35 -04003325 server.bio_shutdown()
3326 e = self.assertRaises(Error, server.recv, 1024)
3327 # We don't want WantReadError or ZeroReturnError or anything - it's a
3328 # handshake failure.
3329 self.assertEquals(e.__class__, Error)
Jean-Paul Calderone0b88b6a2009-07-05 12:44:41 -04003330
3331
Jean-Paul Calderoned899af02013-03-19 22:10:37 -07003332 def test_unexpectedEndOfFile(self):
3333 """
3334 If the connection is lost before an orderly SSL shutdown occurs,
3335 :py:obj:`OpenSSL.SSL.SysCallError` is raised with a message of
3336 "Unexpected EOF".
3337 """
3338 server_conn, client_conn = self._loopback()
3339 client_conn.sock_shutdown(SHUT_RDWR)
3340 exc = self.assertRaises(SysCallError, server_conn.recv, 1024)
3341 self.assertEqual(exc.args, (-1, "Unexpected EOF"))
3342
3343
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003344 def _check_client_ca_list(self, func):
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003345 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003346 Verify the return value of the :py:obj:`get_client_ca_list` method for server and client connections.
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003347
Jonathan Ballet78b92a22011-07-16 08:07:26 +09003348 :param func: A function which will be called with the server context
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003349 before the client and server are connected to each other. This
3350 function should specify a list of CAs for the server to send to the
3351 client and return that same list. The list will be used to verify
Jonathan Ballet648875f2011-07-16 14:14:58 +09003352 that :py:obj:`get_client_ca_list` returns the proper value at various
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003353 times.
3354 """
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003355 server = self._server(None)
3356 client = self._client(None)
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003357 self.assertEqual(client.get_client_ca_list(), [])
3358 self.assertEqual(server.get_client_ca_list(), [])
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003359 ctx = server.get_context()
3360 expected = func(ctx)
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003361 self.assertEqual(client.get_client_ca_list(), [])
3362 self.assertEqual(server.get_client_ca_list(), expected)
Jean-Paul Calderonebf37f0f2010-07-31 14:56:20 -04003363 self._interactInMemory(client, server)
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003364 self.assertEqual(client.get_client_ca_list(), expected)
3365 self.assertEqual(server.get_client_ca_list(), expected)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003366
3367
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003368 def test_set_client_ca_list_errors(self):
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003369 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003370 :py:obj:`Context.set_client_ca_list` raises a :py:obj:`TypeError` if called with a
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003371 non-list or a list that contains objects other than X509Names.
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003372 """
3373 ctx = Context(TLSv1_METHOD)
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003374 self.assertRaises(TypeError, ctx.set_client_ca_list, "spam")
3375 self.assertRaises(TypeError, ctx.set_client_ca_list, ["spam"])
3376 self.assertIdentical(ctx.set_client_ca_list([]), None)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003377
3378
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003379 def test_set_empty_ca_list(self):
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003380 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003381 If passed an empty list, :py:obj:`Context.set_client_ca_list` configures the
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003382 context to send no CA names to the client and, on both the server and
Jonathan Ballet648875f2011-07-16 14:14:58 +09003383 client sides, :py:obj:`Connection.get_client_ca_list` returns an empty list
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003384 after the connection is set up.
3385 """
3386 def no_ca(ctx):
3387 ctx.set_client_ca_list([])
3388 return []
3389 self._check_client_ca_list(no_ca)
3390
3391
3392 def test_set_one_ca_list(self):
3393 """
3394 If passed a list containing a single X509Name,
Jonathan Ballet648875f2011-07-16 14:14:58 +09003395 :py:obj:`Context.set_client_ca_list` configures the context to send that CA
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003396 name to the client and, on both the server and client sides,
Jonathan Ballet648875f2011-07-16 14:14:58 +09003397 :py:obj:`Connection.get_client_ca_list` returns a list containing that
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003398 X509Name after the connection is set up.
3399 """
3400 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
3401 cadesc = cacert.get_subject()
3402 def single_ca(ctx):
3403 ctx.set_client_ca_list([cadesc])
3404 return [cadesc]
3405 self._check_client_ca_list(single_ca)
3406
3407
3408 def test_set_multiple_ca_list(self):
3409 """
3410 If passed a list containing multiple X509Name objects,
Jonathan Ballet648875f2011-07-16 14:14:58 +09003411 :py:obj:`Context.set_client_ca_list` configures the context to send those CA
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003412 names to the client and, on both the server and client sides,
Jonathan Ballet648875f2011-07-16 14:14:58 +09003413 :py:obj:`Connection.get_client_ca_list` returns a list containing those
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003414 X509Names after the connection is set up.
3415 """
3416 secert = load_certificate(FILETYPE_PEM, server_cert_pem)
3417 clcert = load_certificate(FILETYPE_PEM, server_cert_pem)
3418
3419 sedesc = secert.get_subject()
3420 cldesc = clcert.get_subject()
3421
3422 def multiple_ca(ctx):
3423 L = [sedesc, cldesc]
3424 ctx.set_client_ca_list(L)
3425 return L
3426 self._check_client_ca_list(multiple_ca)
3427
3428
3429 def test_reset_ca_list(self):
3430 """
3431 If called multiple times, only the X509Names passed to the final call
Jonathan Ballet648875f2011-07-16 14:14:58 +09003432 of :py:obj:`Context.set_client_ca_list` are used to configure the CA names
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003433 sent to the client.
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003434 """
3435 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
3436 secert = load_certificate(FILETYPE_PEM, server_cert_pem)
3437 clcert = load_certificate(FILETYPE_PEM, server_cert_pem)
3438
3439 cadesc = cacert.get_subject()
3440 sedesc = secert.get_subject()
3441 cldesc = clcert.get_subject()
3442
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003443 def changed_ca(ctx):
3444 ctx.set_client_ca_list([sedesc, cldesc])
3445 ctx.set_client_ca_list([cadesc])
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003446 return [cadesc]
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003447 self._check_client_ca_list(changed_ca)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003448
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003449
3450 def test_mutated_ca_list(self):
3451 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003452 If the list passed to :py:obj:`Context.set_client_ca_list` is mutated
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003453 afterwards, this does not affect the list of CA names sent to the
3454 client.
3455 """
3456 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
3457 secert = load_certificate(FILETYPE_PEM, server_cert_pem)
3458
3459 cadesc = cacert.get_subject()
3460 sedesc = secert.get_subject()
3461
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003462 def mutated_ca(ctx):
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003463 L = [cadesc]
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003464 ctx.set_client_ca_list([cadesc])
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003465 L.append(sedesc)
3466 return [cadesc]
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003467 self._check_client_ca_list(mutated_ca)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003468
3469
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003470 def test_add_client_ca_errors(self):
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003471 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003472 :py:obj:`Context.add_client_ca` raises :py:obj:`TypeError` if called with a non-X509
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003473 object or with a number of arguments other than one.
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003474 """
3475 ctx = Context(TLSv1_METHOD)
3476 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003477 self.assertRaises(TypeError, ctx.add_client_ca)
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003478 self.assertRaises(TypeError, ctx.add_client_ca, "spam")
Jean-Paul Calderone911c9112009-10-24 11:12:00 -04003479 self.assertRaises(TypeError, ctx.add_client_ca, cacert, cacert)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003480
3481
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04003482 def test_one_add_client_ca(self):
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003483 """
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04003484 A certificate's subject can be added as a CA to be sent to the client
Jonathan Ballet648875f2011-07-16 14:14:58 +09003485 with :py:obj:`Context.add_client_ca`.
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04003486 """
3487 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
3488 cadesc = cacert.get_subject()
3489 def single_ca(ctx):
3490 ctx.add_client_ca(cacert)
3491 return [cadesc]
3492 self._check_client_ca_list(single_ca)
3493
3494
3495 def test_multiple_add_client_ca(self):
3496 """
3497 Multiple CA names can be sent to the client by calling
Jonathan Ballet648875f2011-07-16 14:14:58 +09003498 :py:obj:`Context.add_client_ca` with multiple X509 objects.
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04003499 """
3500 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
3501 secert = load_certificate(FILETYPE_PEM, server_cert_pem)
3502
3503 cadesc = cacert.get_subject()
3504 sedesc = secert.get_subject()
3505
3506 def multiple_ca(ctx):
3507 ctx.add_client_ca(cacert)
3508 ctx.add_client_ca(secert)
3509 return [cadesc, sedesc]
3510 self._check_client_ca_list(multiple_ca)
3511
3512
3513 def test_set_and_add_client_ca(self):
3514 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003515 A call to :py:obj:`Context.set_client_ca_list` followed by a call to
3516 :py:obj:`Context.add_client_ca` results in using the CA names from the first
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04003517 call and the CA name from the second call.
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003518 """
3519 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
3520 secert = load_certificate(FILETYPE_PEM, server_cert_pem)
3521 clcert = load_certificate(FILETYPE_PEM, server_cert_pem)
3522
3523 cadesc = cacert.get_subject()
3524 sedesc = secert.get_subject()
3525 cldesc = clcert.get_subject()
3526
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003527 def mixed_set_add_ca(ctx):
3528 ctx.set_client_ca_list([cadesc, sedesc])
3529 ctx.add_client_ca(clcert)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003530 return [cadesc, sedesc, cldesc]
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003531 self._check_client_ca_list(mixed_set_add_ca)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003532
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04003533
3534 def test_set_after_add_client_ca(self):
3535 """
Jonathan Ballet648875f2011-07-16 14:14:58 +09003536 A call to :py:obj:`Context.set_client_ca_list` after a call to
3537 :py:obj:`Context.add_client_ca` replaces the CA name specified by the former
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04003538 call with the names specified by the latter cal.
3539 """
3540 cacert = load_certificate(FILETYPE_PEM, root_cert_pem)
3541 secert = load_certificate(FILETYPE_PEM, server_cert_pem)
3542 clcert = load_certificate(FILETYPE_PEM, server_cert_pem)
3543
3544 cadesc = cacert.get_subject()
3545 sedesc = secert.get_subject()
Jean-Paul Calderone055a9172009-10-24 13:45:11 -04003546
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003547 def set_replaces_add_ca(ctx):
3548 ctx.add_client_ca(clcert)
3549 ctx.set_client_ca_list([cadesc])
3550 ctx.add_client_ca(secert)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003551 return [cadesc, sedesc]
Ziga Seilnachtf93bf102009-10-23 09:51:07 +02003552 self._check_client_ca_list(set_replaces_add_ca)
Ziga Seilnacht679c4262009-09-01 01:32:29 +02003553
Jean-Paul Calderone0b88b6a2009-07-05 12:44:41 -04003554
Jean-Paul Calderoned899af02013-03-19 22:10:37 -07003555
3556class ConnectionBIOTests(TestCase):
3557 """
3558 Tests for :py:obj:`Connection.bio_read` and :py:obj:`Connection.bio_write`.
3559 """
3560 def test_wantReadError(self):
3561 """
3562 :py:obj:`Connection.bio_read` raises :py:obj:`OpenSSL.SSL.WantReadError`
3563 if there are no bytes available to be read from the BIO.
3564 """
3565 ctx = Context(TLSv1_METHOD)
3566 conn = Connection(ctx, None)
3567 self.assertRaises(WantReadError, conn.bio_read, 1024)
3568
3569
Jean-Paul Calderonebef4f4c2014-02-02 18:13:31 -05003570 def test_buffer_size(self):
3571 """
3572 :py:obj:`Connection.bio_read` accepts an integer giving the maximum
3573 number of bytes to read and return.
3574 """
3575 ctx = Context(TLSv1_METHOD)
3576 conn = Connection(ctx, None)
3577 conn.set_connect_state()
3578 try:
3579 conn.do_handshake()
3580 except WantReadError:
3581 pass
3582 data = conn.bio_read(2)
3583 self.assertEqual(2, len(data))
3584
3585
3586 if not PY3:
3587 def test_buffer_size_long(self):
3588 """
3589 On Python 2 :py:obj:`Connection.bio_read` accepts values of type
3590 :py:obj:`long` as well as :py:obj:`int`.
3591 """
3592 ctx = Context(TLSv1_METHOD)
3593 conn = Connection(ctx, None)
3594 conn.set_connect_state()
3595 try:
3596 conn.do_handshake()
3597 except WantReadError:
3598 pass
3599 data = conn.bio_read(long(2))
3600 self.assertEqual(2, len(data))
3601
3602
3603
Jean-Paul Calderoned899af02013-03-19 22:10:37 -07003604
Jean-Paul Calderone31e85a82011-03-21 19:13:35 -04003605class InfoConstantTests(TestCase):
3606 """
3607 Tests for assorted constants exposed for use in info callbacks.
3608 """
3609 def test_integers(self):
3610 """
3611 All of the info constants are integers.
3612
3613 This is a very weak test. It would be nice to have one that actually
3614 verifies that as certain info events happen, the value passed to the
3615 info callback matches up with the constant exposed by OpenSSL.SSL.
3616 """
3617 for const in [
3618 SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_ST_MASK, SSL_ST_INIT,
3619 SSL_ST_BEFORE, SSL_ST_OK, SSL_ST_RENEGOTIATE,
3620 SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT,
3621 SSL_CB_READ_ALERT, SSL_CB_WRITE_ALERT, SSL_CB_ACCEPT_LOOP,
3622 SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP, SSL_CB_CONNECT_EXIT,
3623 SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE]:
3624
3625 self.assertTrue(isinstance(const, int))
3626
Ziga Seilnacht44611bf2009-08-31 20:49:30 +02003627
Jean-Paul Calderone0b88b6a2009-07-05 12:44:41 -04003628if __name__ == '__main__':
3629 main()