\dZ"dZddlZddlZddlmZmZmZmZddlm Z ddl m Z ddl m Z ddlmZddlmZdd lmZdd lmZ dd lmamZdd lmadd lmZmZn#e$rdZeYnwxYwddlm Z Gdde j!Z"Gdde j!Z#Gddej$Z%Gddej$Z&e ej'Gddej$Z(dZ)dZ*GddZ+t.Gddt2j,Z-Gd d!eeZ.Gd"d#eZ/Gd$d%e/Z0Gd&d'eZ1Gd(d)ee+Z2Gd*d+Z3Gd,d-eZ4Gd.d/eZ5dS)0z Tests for twisted SSL support. N)defer interfacesprotocolreactor)ConnectionDone)basic)FilePath)platform)waitUntilAllDisconnected)ProperlyCloseFilesMixin)TestCase)SSLcrypto)ssl)ClientTLSContextcertPathcdxaadSN)rr5lib/python3.11/site-packages/twisted/test/test_ssl.py_noSSLrscccr) implementerc:eZdZdZgdZddgZdZdZdZdZ d S) UnintelligentProtocola @ivar deferred: a deferred that will fire at connection lost. @type deferred: L{defer.Deferred} @cvar pretext: text sent before TLS is set up. @type pretext: C{bytes} @cvar posttext: text sent after TLS is set up. @type posttext: C{bytes} )s first lineslast thing before tls startsSTARTTLSsfirst thing after tls startedslast thing everc6tj|_dSrrDeferreddeferredselfs r__init__zUnintelligentProtocol.__init__7(( rcD|jD]}||dSr)pretextsendLine)r"ls rconnectionMadez$UnintelligentProtocol.connectionMade:s2  A MM!      rc|dkrk|jt|jj|jD]}|||jdSdS)NREADY) transportstartTLSrfactoryclientposttextr'loseConnection)r"liner(s r lineReceivedz"UnintelligentProtocol.lineReceived>sy 8   N # #$4$6$6 8K L L L] ! ! a    N ) ) + + + + +  rc:|jddSrr callbackr"reasons rconnectionLostz$UnintelligentProtocol.connectionLostE t$$$$$rN) __name__ __module__ __qualname____doc__r&r0r#r)r3r9rrrrr'ss  LKKG02DEH))),,,%%%%%rrc2eZdZdZd dZdZdZdZdZdS) LineCollectoraJ @ivar deferred: a deferred that will fire at connection lost. @type deferred: L{defer.Deferred} @ivar doTLS: whether the protocol is initiate TLS or not. @type doTLS: C{bool} @ivar fillBuffer: if set to True, it will send lots of data once C{STARTTLS} is received. @type fillBuffer: C{bool} FcR||_||_tj|_dSr)doTLS fillBufferrrr )r"rBrCs rr#zLineCollector.__init__Vs# $(( rc6d|j_g|j_dS)Nr)r.rawdatalinesr!s rr)zLineCollector.connectionMade[s"  rc|jj||dkr|jr't dD]}|d|d|jrBttt}|j ||jj dS| dSdS)NrisXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXr+)privateKeyFileNamecertificateFileName) r.rFappendrCranger'rBServerTLSContextrr,r-server setRawMode)r"r2xctxs rr3zLineCollector.lineReceived_s !!$''' ;   /s//AMM+.... MM( # # #z "&'/(0''T\-@AAAAA!!!!!  rcb|jxj|z c_|jdSr)r.rEr,r1r"datas rrawDataReceivedzLineCollector.rawDataReceivedos2 $ %%'''''rc:|jddSrr5r7s rr9zLineCollector.connectionLostsr:rNF) r;r<r=r>r#r)r3rTr9rrrr@r@Isn  ))))    """ (((%%%%%rr@ceZdZdZdZdS)SingleLineServerProtocolzK A protocol that sends a single line of data at C{connectionMade}. cl|jd|jdS)N+OK )r,writegetPeerCertificater!s rr)z'SingleLineServerProtocol.connectionMade|s3 3444 ))+++++rN)r;r<r=r>r)rrrrXrXws-,,,,,rrXc$eZdZdZdZdZdZdS)RecordingClientProtocolzv @ivar deferred: a deferred that will fire with first received content. @type deferred: L{defer.Deferred} c6tj|_dSrrr!s rr#z RecordingClientProtocol.__init__r$rc8|jdSr)r,r\r!s rr)z&RecordingClientProtocol.connectionMades ))+++++rc:|j|dSrr5rRs r dataReceivedz$RecordingClientProtocol.dataReceivedr:rN)r;r<r=r>r#r)rbrrrr^r^sK ))),,,%%%%%rr^ceZdZdZdZdZdS) ImmediatelyDisconnectingProtocolz A protocol that disconnect immediately on connection. It fires the C{connectionDisconnected} deferred of its factory on connetion lost. c8|jdSrr,r1r!s rhandshakeCompletedz3ImmediatelyDisconnectingProtocol.handshakeCompleteds %%'''''rcD|jjddSr)r.connectionDisconnectedr6r7s rr9z/ImmediatelyDisconnectingProtocol.connectionLosts! +44T:::::rN)r;r<r=r>rgr9rrrrdrds< (((;;;;;rrdctj}|tjdtj}|}||_||_||| |dtj }| d| d| d||||||| |d|||fS)z Create a certificate for given C{organization} and C{organizationalUnit}. @return: a tuple of (key, request, certificate) objects. imd5r<)rPKey generate_keyTYPE_RSAX509Req get_subjectOOU set_pubkeysignX509set_serial_numbergmtime_adj_notBeforegmtime_adj_notAfter set_issuer set_subject get_pubkey) organizationorganizationalUnitpkeyreqsubjectcerts rgenerateCertificateObjectsrs6 ;==Dfot,,, .  CooGGI#GJNN4HHT5 ;==D1a   R   OOCOO%%&&&S__&&'''OOCNN$$%%%IIdE d?rcht||\}}}d|tjfd|tjfd|tjffD]p\}}}t j||fd} t|  |tj |qdS)z Create certificate files key, req and cert prefixed by C{basename} for given C{organization} and C{organizationalUnit}. keyrrzutf-8N) rrdump_privatekeydump_certificate_requestdump_certificateosextsepjoinencoder setContent FILETYPE_PEM) basenamer~rrrrextobjdumpFuncfNames rgenerateCertificateFilesrs 1?QRROD#t f,- V45 v./GGS(  #//66w??""88F,?#E#EFFFF GGrceZdZdZdZdZdS)ContextGeneratingMixinah Offer methods to create L{ssl.DefaultOpenSSLContextFactory} for both client and server. @ivar clientBase: prefix of client certificate files. @type clientBase: C{str} @ivar serverBase: prefix of server certificate files. @type serverBase: C{str} @ivar clientCtxFactory: a generated context factory to be used in L{IReactorSSL.connectSSL}. @type clientCtxFactory: L{ssl.DefaultOpenSSLContextFactory} @ivar serverCtxFactory: a generated context factory to be used in L{IReactorSSL.listenSSL}. @type serverCtxFactory: L{ssl.DefaultOpenSSLContextFactory} c|}t|||tjtj|dftj|dfg|Ri|}||fS)Nrr)mktemprrDefaultOpenSSLContextFactoryrrr)r"orgorgUnitargskwArgsbaseserverCtxFactorys rmakeContextFactoryz)ContextGeneratingMixin.makeContextFactorys{{}} sG444; INND%= ) ) INND&> * *       %%%rcn|j|i|\|_|_|j|i|\|_|_dSr)r clientBaseclientCtxFactory serverBaser)r" clientArgs clientKwArgs serverArgs serverKwArgss rsetupServerAndClientz+ContextGeneratingMixin.setupServerAndClients]1H1H 2 '2 2 ..2I1H 2 '2 2 ....rN)r;r<r=r>rrrrrrrs<& & & &     rrceZdZdZdZdZdS)rLzf A context factory with a default method set to L{OpenSSL.SSL.SSLv23_METHOD}. FcXtj|d<tjj|g|Ri|dS)N sslmethod)r SSLv23_METHODrrr#)r"rkws rr#zServerTLSContext.__init__s8!/B{O  , 5d HT H H HR H H H H HrN)r;r<r=r>isClientr#rrrrLrLs9   I I I I IrrLcPeZdZdZejeddZdZdZ dZ dZ dS)StolenTCPTestszc For SSL transports, test many of the same things which are tested for TCP transports. N2Reactor does not support SSL, cannot run SSL testsctjtt}|}tj||||S)zY Create an SSL server with a certificate using L{IReactorSSL.listenSSL}.  interface) rPrivateCertificateloadPEMr r getContentoptionsr listenSSL)r"address portNumberr.rcontextFactorys r createServerzStolenTCPTests.createServer sV%--hx.@.@.K.K.M.MNN WnPWXXXXrcVtj}||||S)zG Create an SSL client using L{IReactorSSL.connectSSL}. )rCertificateOptions connectSSL)r"rr clientCreatorrs r connectClientzStolenTCPTests.connectClients*/11''^LLLrctjS)z Return L{OpenSSL.SSL.Error} as the expected error type which will be raised by a write to the L{OpenSSL.SSL.Connection} object after it has been closed. )rErrorr!s rgetHandleExceptionTypez%StolenTCPTests.getHandleExceptionTypes yrc .tjtjtjdtjtjdtjdtjdtjdS)a4 Return a L{hamcrest.core.matcher.Matcher} for the argument L{OpenSSL.SSL.Error} will be constructed with for this case. This is basically just a random OpenSSL implementation detail. It would be better if this test worked in a way which did not require this. z SSL routines SSL_writessl_write_internalzprotocol is shutdown)hamcrestcontainsequal_toany_ofr!s rgetHandleErrorCodeMatcherz(StolenTCPTests.getHandleErrorCodeMatcher#s  !.11%k22%&:;;%b)) !"899     r) r;r<r=r>r IReactorSSLrskiprrrrrrrrrs| zgt,,4CYYYMMM     rrcdeZdZdZejeddZdZdZ dZ dZ d dZ dZ dZd ZdS) TLSTestsz Tests for startTLS support. @ivar fillBuffer: forwarded to L{LineCollector.fillBuffer} @type fillBuffer: C{bool} NrFc|jj|jj|jj |jjdSdSr) clientProtor,r1 serverProtor!s rtearDownzTLSTests.tearDownJsX   % 1   & 5 5 7 7 7   % 1   & 5 5 7 7 7 7 7 2 1rc|_tjx}|_fd|_|rd|_nd|_|_tjx}|_fd|_|rd|_nd|_tj d|d}| |j tj d|j|t!jjjgS)a Helper method to run TLS tests. @param clientProto: protocol instance attached to the client connection. @param serverProto: protocol instance attached to the server connection. @param clientIsServer: flag indicated if client should initiate startTLS instead of server. @return: a L{defer.Deferred} that will fire when both connections are lost. cSrrrsrz#TLSTests._runTest..`krFTcSrrrsrrz#TLSTests._runTest..hrrr 127.0.0.1r)rr ClientFactory clientFactoryrMr/r ServerFactory serverFactoryr listenTCP addCleanup stopListening connectTCPgetHostportr gatherResultsr )r"rrclientIsServercfsfrs `` r_runTestzTLSTests._runTestPs'"*"8":"::T ))))  BIIBI&"*"8":"::T ))))  BIIBI B+>>> *+++; (;R@@@"K$8+:N#OPPPrcfd}ttdj}||S)z~ Test for server and client startTLS: client should received data both before and after the startTLS. cvjjtjtjzdSr) assertEqualrrFrr&r0)ignorer"s rcheckz TLSTests.test_TLS..check{=   "(%-0E0NN     rTrrr@rC addCallbackr"rds` rtest_TLSzTLSTests.test_TLSusV       MM/11=t3W3W X X}}U###rcfd}ttdj}||S)z Test for server startTLS not followed by a startTLS in client: the data received after server startTLS should be received as raw. cjjtjjjddS)NzNo encrypted bytes received)rrrFrr& assertTruerEignoredr"s rrz"TLSTests.test_unTLS..checksD   T/57L7T U U U OOD.68U V V V V VrFrrs` r test_unTLSzTLSTests.test_unTLSsa  W W W W W MM ! # #]5$/%J%J  }}U###rcfd}tdjtd}||S)z: Test startTLS first initiated by client. cvjjtjtjzdSr)rrrFrr&r0rs rrz)TLSTests.test_backwardsTLS..checkrrT)rr@rCrrrs` rtest_backwardsTLSzTLSTests.test_backwardsTLSs_       MM $ 0 02G2I2I4  }}U###rrV)r;r<r=r>rrrrrCrrrrrrrrrrrr:szgt,,4CJKK888 #Q#Q#Q#QJ $ $ $ $ $ $$$$$$rrc<eZdZdZejeddZdZdS)SpammyTLSTestszA Test TLS features with bytes sitting in the out buffer. NrT) r;r<r=r>rrrrrCrrrrrs9zgt,,4CJJJrrcHeZdZejeddZdZdZdZ dZ dS)BufferingTestsNrc|jj|jj|jj|jjt t |j|jgSr)rr,r1rr rr!s rrzBufferingTests.tearDownse   % 1   & 5 5 7 7 7   % 1   & 5 5 7 7 7'$2BDDT1UVVVrcttx|_tx|_t j}t jx}|_fd|_fd|_tj tt}tj }tj d||d}||jtjd|j||}||jj|jdS)NcSrrrsrrz6BufferingTests.test_openSSLBuffering..+rcSrrrsrrz6BufferingTests.test_openSSLBuffering..r rrrrrZ)rXrr^rrrrr/rrrClientContextFactoryrrrrrrr disconnectr rr) r"rMr/sCTXcCTXrclientConnectorrrs @@rtest_openSSLBufferingz$BufferingTests.test_openSSLBufferings)A)C)CC d&)@)B)BB d&'))'5777--------/(CC')) FDKHHH *+++!, ,fd   2333#//  4   r) r;r<r=rrrrrrrrrrrrrsYzgt,,4CKKWWW     rrcPeZdZdZejeddZdZdZ dZ dZ dS)ConnectionLostTestsz' SSL connection closing tests. Nrcd}||dzfi||dzfitj}tj|_t jd|jx_}tj}t|_tj |_ t j d|j|j|j fdS)Ntwisted.test.test_ssl, client, serverrrc6jSr) serverPortr) ignoredResultr"s rrz=ConnectionLostTests.testImmediateDisconnect..s$/"?"?"A"Ar)rrrProtocolrrrrrrdrrrirrrrr)r"rserverProtocolFactoryrclientProtocolFactorys` rtestImmediateDisconnectz+ConnectionLostTests.testImmediateDisconnects% !! # " #R#sZ/?)@"   !) 6 8 8)1):&'.'8 $d&;( (  *!) 6 8 8)I&7<~7G7G4     % !  !    %;GG A A A A   rcttjGddtj}d}|||dzfi||dzfi|tj}fd|_tjd||j }| |j |tj }fd|_tj d |j||jd }t#jj|j|gS) z Both sides of SSL connection close connection; the connections should close cleanly, and only after the underlying TCP connection has disconnected. c$eZdZdZdZdZdZdS)MConnectionLostTests.test_bothSidesLoseConnection..CloseAfterHandshakeFc6tj|_dSr)rrdoner!s rr#zVConnectionLostTests.test_bothSidesLoseConnection..CloseAfterHandshake.__init__s!N,, rc8|jdSrrfr!s rrgz`ConnectionLostTests.test_bothSidesLoseConnection..CloseAfterHandshake.handshakeCompleted s--/////rc>|j||`dSr)r$errbackr7s rr9z\ConnectionLostTests.test_bothSidesLoseConnection..CloseAfterHandshake.connectionLosts! !!&)))IIIrN)r;r<r=gotDatar#rgr9rrrCloseAfterHandshaker"sFG - - - 0 0 0     rr)rrrcSrrserverProtocolsrrzBConnectionLostTests.test_bothSidesLoseConnection..rrcSrrclientProtocolsrrzBConnectionLostTests.test_bothSidesLoseConnection..r-rrc:|tdSr)trapr)failures r checkResultzEConnectionLostTests.test_bothSidesLoseConnection..checkResult's LL ( ( ( ( (r)rrIHandshakeListenerrrrrrrrrrrrrrrrrr$ addErrback) r"r)rrrrr4r0r,s @@rtest_bothSidesLoseConnectionz0ConnectionLostTests.test_bothSidesLoseConnections Z2 3 3     ("3   4 3 & !! # " #R#sZ/?)@"   -,.. ( 6 8 8)?)?)?)?&&q*?AVWW   0111,,.. ( 6 8 8)?)?)?)?&     % !  !     ) ) )"#..{;;#..{;;    rc  d}|||dzfi||dzfid}|jtj|t j}tj |j _ tj } fd|_tjd||jx|_}t j}tj |j _ tj} fd|_tjd|j||jt j||gd }||jS) NrrrcdS)NFr)as rverifyz4ConnectionLostTests.testFailedVerify..verify7s5rcSrrr+srrz6ConnectionLostTests.testFailedVerify..@r-rrcSrrr/srrz6ConnectionLostTests.testFailedVerify..Ir-rrT) consumeErrors)rr getContext set_verifyr VERIFY_PEERrrrrr6r9rrrrrrrrr DeferredListr _cbLostConns) r"rr;serverConnLostrrclientConnLostrdlr0r,s @@rtestFailedVerifyz$ConnectionLostTests.testFailedVerify1s% !! # " #R#sZ/?)@"       ((**55covNNN))!*,,(6(?% ( 6 8 8)?)?)?)?&'.'8 $d&;( (  *))!*,,(6(?% ( 6 8 8)?)?)?)?&     % !  !      @PT U U U~~d/000rc<|\\}}\}}||||tjg}tjrddlm}|||j||j||j S)Nr)ConnectionLost) assertFalserrr isWindowstwisted.internet.errorrIrJr2rr)r"resultssSuccesssResultcSuccesscResultacceptableErrorsrIs rrCz ConnectionLostTests._cbLostConnsTs3:070h """ """I;     4 = = = = = =  # #N 3 3 3 &'' &'',,...r) r;r<r=r>rrrrrr7rGrCrrrrrsxzgt,,4C   82 2 2 h!1!1!1F/////rrc*eZdZdZdZdZdZdZdS) FakeContextzK L{OpenSSL.SSL.Context} double which can more easily be inspected. c"||_d|_dS)Nr)_method_options)r"methods rr#zFakeContext.__init__ts  rc&|xj|zc_dSr)rW)r"rs r set_optionszFakeContext.set_optionsxs  rcdSrrr"fileNames ruse_certificate_filez FakeContext.use_certificate_file{ rcdSrrr\s ruse_privatekey_filezFakeContext.use_privatekey_file~r_rN)r;r<r=r>r#rZr^rarrrrTrTosZ!!!        rrTcPeZdZdZejeddZdZdZ dZ dZ dS)!DefaultOpenSSLContextFactoryTestsz8 Tests for L{ssl.DefaultOpenSSLContextFactory}. Nrctjttt|_|j|_dS)N)_contextFactory)rrrrTrr?contextr!s rsetUpz'DefaultOpenSSLContextFactoryTests.setUpsA"> h    *5577 rc ||jjtj||jjtjztj||jjtjzdS)z L{ssl.DefaultOpenSSLContextFactory.getContext} returns an SSL context which can use SSLv3 or TLSv1 but not SSLv2. N) rrfrVr TLS_METHODrW OP_NO_SSLv2rJ OP_NO_TLSv1_2r!s r test_methodz-DefaultOpenSSLContextFactoryTests.test_methodsp -s~>>> .@#/RRR .1BBCCCCCrc|tjtjt |dS)z Instantiating L{ssl.DefaultOpenSSLContextFactory} with a certificate filename which does not identify an existing file results in the initializer raising L{OpenSSL.SSL.Error}. N) assertRaisesrrrrrrr!s rtest_missingCertificateFilez=DefaultOpenSSLContextFactoryTests.test_missingCertificateFiles<  Is74;;==     rc|tjtj|t dS)z Instantiating L{ssl.DefaultOpenSSLContextFactory} with a private key filename which does not identify an existing file results in the initializer raising L{OpenSSL.SSL.Error}. N)rnrrrrrrr!s rtest_missingPrivateKeyFilezrrrrrgrlrorqrrrrcrcsyzgt,,4C888 D D D        rrccDeZdZdZejeddZdZdZ dS)ClientContextFactoryTestsz0 Tests for L{ssl.ClientContextFactory}. Nrctj|_t|j_|j|_dSr)rr rrTrer?rfr!s rrgzClientContextFactoryTests.setUps8!688.9+*5577 rcx||jjtj||jjtjztj||jjtjz||jjtj zdS)z L{ssl.ClientContextFactory.getContext} returns a context which can use TLSv1.2 or 1.3 but nothing earlier. N) rrfrVrrirWrjr OP_NO_SSLv3 OP_NO_TLSv1r!s rrlz%ClientContextFactoryTests.test_methods -s~>>> .@#/RRR  -?@@@  -?@@@@@r) r;r<r=r>rrrrrgrlrrrrsrss]zgt,,4C888 AAAAArrs)6r>rrtwisted.internetrrrrrLrtwisted.protocolsrtwisted.python.filepathr twisted.python.runtimer twisted.test.proto_helpersr twisted.test.test_tcpr twisted.trial.unittestr OpenSSLrrrtwisted.test.ssl_helpersrr ImportErrorrzope.interfacer LineReceiverrr@rrXr^r5rdrrrrrLrrrrrrTrcrsrrrrs^ AAAAAAAAAAAA111111######,,,,,,++++++??????999999++++++  ########$$$$$$CCCCCCCCC     FHHHHH '&&&&&%%%%%E.%%%D+%+%+%+%+%E&+%+%+%\,,,,,x0,,, % % % % %h/ % % %  Z *++ ; ; ; ; ;x'8 ; ;,+ ;8 G G G & & & & & & & & R? I I I I I3; I I I4 4 4 4 4 ,h4 4 4 ng$g$g$g$g$xg$g$g$TX' ' ' ' ' X' ' ' TS/S/S/S/S/($:S/S/S/l        &0 0 0 0 0 0 0 0 fAAAAAAAAAAsAA.-A.