o b[@sdZddlZddlZddlmZmZmZmZddlm Z ddl m Z ddl m Z ddlmZddlmZdd lmZdd lmZzdd lmamZdd lmadd lmZmZWneyhddZeYnwddlm Z Gddde j!Z"Gddde j!Z#Gdddej$Z%Gdddej$Z&e ej'Gdddej$Z(ddZ)ddZ*Gdd d Z+tdurGd!d"d"tj,Z-Gd#d$d$eeZ.Gd%d&d&eZ/Gd'd(d(e/Z0Gd)d*d*eZ1Gd+d,d,ee+Z2Gd-d.d.Z3Gd/d0d0eZ4Gd1d2d2eZ5dS)3z Tests for twisted SSL support. N)defer interfacesprotocolreactor)ConnectionDone)basic)FilePath)platform)waitUntilAllDisconnected)ProperlyCloseFilesMixin)TestCase)SSLcrypto)ssl)ClientTLSContextcertPathcCs daadSN)r rrr7/usr/lib/python3/dist-packages/twisted/test/test_ssl.py_noSSLs r) implementerc@s@eZdZdZgdZddgZddZddZd d Zd d Z d S)UnintelligentProtocola @ivar deferred: a deferred that will fire at connection lost. @type deferred: L{defer.Deferred} @cvar pretext: text sent before TLS is set up. @type pretext: C{bytes} @cvar posttext: text sent after TLS is set up. @type posttext: C{bytes} )s first lineslast thing before tls startsSTARTTLSsfirst thing after tls startedslast thing evercCt|_dSrrDeferreddeferredselfrrr__init__7zUnintelligentProtocol.__init__cCs|jD]}||qdSr)pretextsendLine)rlrrrconnectionMade:s  z$UnintelligentProtocol.connectionMadecCsD|dkr |jt|jj|jD]}||q|jdSdS)NREADY) transportstartTLSrfactoryclientposttextr"loseConnection)rliner#rrr lineReceived>s   z"UnintelligentProtocol.lineReceivedcC|jddSrrcallbackrreasonrrrconnectionLostEz$UnintelligentProtocol.connectionLostN) __name__ __module__ __qualname____doc__r!r*rr$r-r3rrrrr's  rc@s:eZdZdZdddZddZddZd d Zd d Zd S) LineCollectoraJ @ivar deferred: a deferred that will fire at connection lost. @type deferred: L{defer.Deferred} @ivar doTLS: whether the protocol is initiate TLS or not. @type doTLS: C{bool} @ivar fillBuffer: if set to True, it will send lots of data once C{STARTTLS} is received. @type fillBuffer: C{bool} FcCs||_||_t|_dSr)doTLS fillBufferrrr)rr:r;rrrrVszLineCollector.__init__cCsd|j_g|j_dS)N)r(rawdatalinesrrrrr$[s zLineCollector.connectionMadecCsv|jj||dkr9|jrtdD]}|dq|d|jr3tttd}|j ||jj dS| dSdS)NrisXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXr%)privateKeyFileNamecertificateFileName) r(r>appendr;ranger"r:ServerTLSContextrr&r'server setRawMode)rr,xctxrrrr-_s    zLineCollector.lineReceivedcCs|jj|7_|jdSr)r(r=r&r+rdatarrrrawDataReceivedoszLineCollector.rawDataReceivedcCr.rr/r1rrrr3sr4zLineCollector.connectionLostNF) r5r6r7r8rr$r-rJr3rrrrr9Is  r9c@seZdZdZddZdS)SingleLineServerProtocolzK A protocol that sends a single line of data at C{connectionMade}. cCs|jd|jdS)N+OK )r&writegetPeerCertificaterrrrr$|s z'SingleLineServerProtocol.connectionMadeN)r5r6r7r8r$rrrrrLws rLc@(eZdZdZddZddZddZdS) RecordingClientProtocolzv @ivar deferred: a deferred that will fire with first received content. @type deferred: L{defer.Deferred} cCrrrrrrrrr z RecordingClientProtocol.__init__cC|jdSr)r&rOrrrrr$r z&RecordingClientProtocol.connectionMadecCs|j|dSrr/rHrrr dataReceivedr4z$RecordingClientProtocol.dataReceivedN)r5r6r7r8rr$rSrrrrrQs  rQc@ eZdZdZddZddZdS) ImmediatelyDisconnectingProtocolz A protocol that disconnect immediately on connection. It fires the C{connectionDisconnected} deferred of its factory on connetion lost. cCrRrr&r+rrrrhandshakeCompletedr z3ImmediatelyDisconnectingProtocol.handshakeCompletedcCs|jjddSr)r(connectionDisconnectedr0r1rrrr3z/ImmediatelyDisconnectingProtocol.connectionLostN)r5r6r7r8rWr3rrrrrUs rUcCst}|tjdt}|}||_||_||| |dt }| d| d| d||||||| |d|||fS)z Create a certificate for given C{organization} and C{organizationalUnit}. @return: a tuple of (key, request, certificate) objects. imd5r<)rPKey generate_keyTYPE_RSAX509Req get_subjectOOU set_pubkeysignX509set_serial_numbergmtime_adj_notBeforegmtime_adj_notAfter set_issuer set_subject get_pubkey) organizationorganizationalUnitpkeyreqsubjectcertrrrgenerateCertificateObjectss"       rsc Csnt||\}}}d|tjfd|tjfd|tjffD]\}}}tj||fd} t |  |tj |qdS)z Create certificate files key, req and cert prefixed by C{basename} for given C{organization} and C{organizationalUnit}. keyrprrzutf-8N) rsrdump_privatekeydump_certificate_requestdump_certificateosextsepjoinencoder setContent FILETYPE_PEM) basenamermrnrorprrextobjdumpFuncfNamerrrgenerateCertificateFiless   rc@rT)ContextGeneratingMixinah Offer methods to create L{ssl.DefaultOpenSSLContextFactory} for both client and server. @ivar clientBase: prefix of client certificate files. @type clientBase: C{str} @ivar serverBase: prefix of server certificate files. @type serverBase: C{str} @ivar clientCtxFactory: a generated context factory to be used in L{IReactorSSL.connectSSL}. @type clientCtxFactory: L{ssl.DefaultOpenSSLContextFactory} @ivar serverCtxFactory: a generated context factory to be used in L{IReactorSSL.listenSSL}. @type serverCtxFactory: L{ssl.DefaultOpenSSLContextFactory} cOsN|}t|||tjtj|dftj|dfg|Ri|}||fS)Nrtrr)mktemprrDefaultOpenSSLContextFactoryrxryrz)rorgorgUnitargskwArgsbaseserverCtxFactoryrrrmakeContextFactorys z)ContextGeneratingMixin.makeContextFactorycCs4|j|i|\|_|_|j|i|\|_|_dSr)r clientBaseclientCtxFactory serverBaser)r clientArgs clientKwArgs serverArgs serverKwArgsrrrsetupServerAndClientsz+ContextGeneratingMixin.setupServerAndClientN)r5r6r7r8rrrrrrrs rc@seZdZdZdZddZdS)rCzf A context factory with a default method set to L{OpenSSL.SSL.SSLv23_METHOD}. FcOs(tj|d<tjj|g|Ri|dS)N sslmethod)r SSLv23_METHODrrr)rrkwrrrrs zServerTLSContext.__init__N)r5r6r7r8isClientrrrrrrCs rCc@DeZdZdZeeddurdZddZddZ dd Z d d Z dS) StolenTCPTestszc For SSL transports, test many of the same things which are tested for TCP transports. N2Reactor does not support SSL, cannot run SSL testscCs.tjtt}|}tj||||dS)zY Create an SSL server with a certificate using L{IReactorSSL.listenSSL}.  interface) rPrivateCertificateloadPEMrr getContentoptionsr listenSSL)raddress portNumberr(rrcontextFactoryrrr createServer szStolenTCPTests.createServercCst}||||S)zG Create an SSL client using L{IReactorSSL.connectSSL}. )rCertificateOptions connectSSL)rrr clientCreatorrrrr connectClientszStolenTCPTests.connectClientcCstjS)z Return L{OpenSSL.SSL.Error} as the expected error type which will be raised by a write to the L{OpenSSL.SSL.Connection} object after it has been closed. )r ErrorrrrrgetHandleExceptionTypesz%StolenTCPTests.getHandleExceptionTypec Cs4tttdttdtdtdS)a4 Return a L{hamcrest.core.matcher.Matcher} for the argument L{OpenSSL.SSL.Error} will be constructed with for this case. This is basically just a random OpenSSL implementation detail. It would be better if this test worked in a way which did not require this. z SSL routines SSL_writessl_write_internalzprotocol is shutdown)hamcrestcontainsequal_toany_ofrrrrgetHandleErrorCodeMatcher#s z(StolenTCPTests.getHandleErrorCodeMatcher) r5r6r7r8r IReactorSSLrskiprrrrrrrrrs rc@sZeZdZdZeeddurdZdZdZ dZ ddZ dddZ d d Z d d Zd dZdS)TLSTestsz Tests for startTLS support. @ivar fillBuffer: forwarded to L{LineCollector.fillBuffer} @type fillBuffer: C{bool} NrFcCs8|jjdur |jj|jjdur|jjdSdSr) clientProtor&r+ serverProtorrrrtearDownIs   zTLSTests.tearDowncs|_t}|_fdd|_|rd|_nd|_|_t}|_fdd|_|r1d|_nd|_t j d|dd}| |j t d|j|tjjgS) a Helper method to run TLS tests. @param clientProto: protocol instance attached to the client connection. @param serverProto: protocol instance attached to the server connection. @param clientIsServer: flag indicated if client should initiate startTLS instead of server. @return: a L{defer.Deferred} that will fire when both connections are lost. cSrrrrrr_z#TLSTests._runTest..FTcrrrrrrrrgrr 127.0.0.1r)rr ClientFactory clientFactoryrDr)r ServerFactory serverFactoryr listenTCP addCleanup stopListening connectTCPgetHostportr gatherResultsr)rrrclientIsServercfsfrrrrr_runTestOs  zTLSTests._runTestc,fdd}ttdj}||S)z~ Test for server and client startTLS: client should received data both before and after the startTLS. cjjtjtjdSr) assertEqualrr>rr!r*)ignorerrrcheckz z TLSTests.test_TLS..checkTrrr9r; addCallbackrrdrrrtest_TLSts  zTLSTests.test_TLScr)z Test for server startTLS not followed by a startTLS in client: the data received after server startTLS should be received as raw. cs&jjtjjjddS)NzNo encrypted bytes received)rrr>rr! assertTruer=ignoredrrrrsz"TLSTests.test_unTLS..checkFrrrrr test_unTLSs  zTLSTests.test_unTLScs.fdd}tdjtd}||S)z: Test startTLS first initiated by client. crr)rrr>rr!r*rrrrrrz)TLSTests.test_backwardsTLS..checkT)rr9r;rrrrrrtest_backwardsTLSs  zTLSTests.test_backwardsTLSrK)r5r6r7r8rrrrr;rrrrrrrrrrrr9s % rc@s(eZdZdZeeddurdZdZdS)SpammyTLSTestszA Test TLS features with bytes sitting in the out buffer. NrT) r5r6r7r8rrrrr;rrrrrs rc@s8eZdZeeddurdZdZdZddZ ddZ dS)BufferingTestsNrcCsB|jjdur |jj|jjdur|jjtt|j|jgSr)rr&r+rr rrrrrrs    zBufferingTests.tearDowncst|_t|_t}t}|_fdd|_fdd|_t t t }t }t j d||dd}||jt d|j||}||jj|jdS)Ncrrrrrrrrrz6BufferingTests.test_openSSLBuffering..crrrrrrrrrrrrrM)rLrrQrrrrr)rrrClientContextFactoryrrrrrrr disconnectrrr)rrDr)sCTXcCTXrclientConnectorrrrtest_openSSLBufferings"     z$BufferingTests.test_openSSLBuffering) r5r6r7rrrrrrrrrrrrrs rc@r) ConnectionLostTestsz' SSL connection closing tests. Nrcsd}||dfi||dfit}tj|_td|j_}t}t |_t |_ t d|j|j|j fddS)Ntwisted.test.test_ssl, client, serverrrcs jSr) serverPortr) ignoredResultrrrrs z=ConnectionLostTests.testImmediateDisconnect..)rrrProtocolrrrrrrUrrrXrrrrr)rrserverProtocolFactoryrclientProtocolFactoryrrrtestImmediateDisconnects*   z+ConnectionLostTests.testImmediateDisconnectcsttjGdddtj}d}|||dfi||dfi|t}fdd|_td||j }| |j |t }fd d|_t d |j||jd d }tj|j|gS) z Both sides of SSL connection close connection; the connections should close cleanly, and only after the underlying TCP connection has disconnected. c@rP) zMConnectionLostTests.test_bothSidesLoseConnection..CloseAfterHandshakeFcSrr)rrdonerrrrrr zVConnectionLostTests.test_bothSidesLoseConnection..CloseAfterHandshake.__init__cSrRrrVrrrrrW r z`ConnectionLostTests.test_bothSidesLoseConnection..CloseAfterHandshake.handshakeCompletedcSs|j||`dSr)rerrbackr1rrrr3 s z\ConnectionLostTests.test_bothSidesLoseConnection..CloseAfterHandshake.connectionLostN)r5r6r7gotDatarrWr3rrrrCloseAfterHandshakes  rrrrcrrrrserverProtocolrrrrzBConnectionLostTests.test_bothSidesLoseConnection..rcrrrrclientProtocolrrrrrcSs|tdSr)trapr)failurerrr checkResult&r zEConnectionLostTests.test_bothSidesLoseConnection..checkResult)rrIHandshakeListenerrrrrrrrrrrrrrrrrr addErrback)rrrrrrrrrrrtest_bothSidesLoseConnections4    z0ConnectionLostTests.test_bothSidesLoseConnectionc sd}|||dfi||dfidd}|jtj|t}t |j _ t }fdd|_t d||j|_}t}t |j _ t}fd d|_t d |j||jtj||gd d }||jS) NrrrcWsdS)NFr)arrrverify6z4ConnectionLostTests.testFailedVerify..verifycrrrrrrrr?rz6ConnectionLostTests.testFailedVerify..rcrrrrrrrrHrrT) consumeErrors)rr getContext set_verifyr VERIFY_PEERrrrrr0r3rrrrrrrrr DeferredListr _cbLostConns) rrrserverConnLostrrclientConnLostrdlrrrtestFailedVerify0s6  z$ConnectionLostTests.testFailedVerifycCsh|\\}}\}}||||tjg}tr%ddlm}|||j||j||j S)Nr)ConnectionLost) assertFalser rr isWindowstwisted.internet.errorrrArrr)rresultssSuccesssResultcSuccesscResultacceptableErrorsrrrrr Ss       z ConnectionLostTests._cbLostConns) r5r6r7r8rrrrrrrr rrrrrs4 #rc@s0eZdZdZddZddZddZdd Zd S) FakeContextzK L{OpenSSL.SSL.Context} double which can more easily be inspected. cCs||_d|_dS)Nr)_method_options)rmethodrrrrss zFakeContext.__init__cCs|j|O_dSr)r)rrrrr set_optionswrYzFakeContext.set_optionscCdSrrrfileNamerrruse_certificate_filezrz FakeContext.use_certificate_filecCrrrrrrruse_privatekey_file}rzFakeContext.use_privatekey_fileN)r5r6r7r8rrr!r"rrrrrns  rc@r) !DefaultOpenSSLContextFactoryTestsz8 Tests for L{ssl.DefaultOpenSSLContextFactory}. NrcCs"tjtttd|_|j|_dS)N)_contextFactory)rrrrrrcontextrrrrsetUpsz'DefaultOpenSSLContextFactoryTests.setUpcCV||jjtj||jjtj@tj||jjtj@||jjtj @dS)z L{ssl.DefaultOpenSSLContextFactory.getContext} returns an SSL context which can use SSLv3 or TLSv1 but not SSLv2. N rr%rr rr OP_NO_SSLv2r OP_NO_SSLv3 OP_NO_TLSv1rrrr test_methodsz-DefaultOpenSSLContextFactoryTests.test_methodcCs|tjtjt|dS)z Instantiating L{ssl.DefaultOpenSSLContextFactory} with a certificate filename which does not identify an existing file results in the initializer raising L{OpenSSL.SSL.Error}. N) assertRaisesr rrrrrrrrrtest_missingCertificateFilez=DefaultOpenSSLContextFactoryTests.test_missingCertificateFilecCs|tjtj|tdS)z Instantiating L{ssl.DefaultOpenSSLContextFactory} with a private key filename which does not identify an existing file results in the initializer raising L{OpenSSL.SSL.Error}. N)r-r rrrrrrrrrtest_missingPrivateKeyFiler/zsP           ".  ) 6j *4