diff options
| author | Christian Heimes <christian@python.org> | 2018-02-25 08:49:31 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-02-25 08:49:31 (GMT) |
| commit | b7b9225831a729bff84eb7c43bad138416b994fe (patch) | |
| tree | 9b798c8cbf5684e123539b8a073847c065b9f411 | |
| parent | 186b606d8a2ea4fd51b7286813302c8e8c7006cc (diff) | |
| download | cpython-b7b9225831a729bff84eb7c43bad138416b994fe.zip cpython-b7b9225831a729bff84eb7c43bad138416b994fe.tar.gz cpython-b7b9225831a729bff84eb7c43bad138416b994fe.tar.bz2 | |
bpo-31809: test secp ECDH curves (#4036)
Add tests to verify connection with secp384r1 ECDH curves.
| -rw-r--r-- | Lib/test/test_ssl.py | 52 | ||||
| -rw-r--r-- | Misc/NEWS.d/next/Tests/2017-10-18-18-07-45.bpo-31809.KlQrkE.rst | 1 |
2 files changed, 53 insertions, 0 deletions
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py index 3f2c50b..3b34fc0 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -143,6 +143,21 @@ def have_verify_flags(): # 0.9.8 or higher return ssl.OPENSSL_VERSION_INFO >= (0, 9, 8, 0, 15) +def _have_secp_curves(): + if not ssl.HAS_ECDH: + return False + ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) + try: + ctx.set_ecdh_curve("secp384r1") + except ValueError: + return False + else: + return True + + +HAVE_SECP_CURVES = _have_secp_curves() + + def utc_offset(): #NOTE: ignore issues like #1647654 # local time = utc time + utc offset if time.daylight and time.localtime().tm_isdst > 0: @@ -3523,6 +3538,43 @@ class ThreadedTests(unittest.TestCase): if "ADH" not in parts and "EDH" not in parts and "DHE" not in parts: self.fail("Non-DH cipher: " + cipher[0]) + @unittest.skipUnless(HAVE_SECP_CURVES, "needs secp384r1 curve support") + def test_ecdh_curve(self): + # server secp384r1, client auto + client_context, server_context, hostname = testing_context() + server_context.set_ecdh_curve("secp384r1") + server_context.set_ciphers("ECDHE:!eNULL:!aNULL") + server_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 + stats = server_params_test(client_context, server_context, + chatty=True, connectionchatty=True, + sni_name=hostname) + + # server auto, client secp384r1 + client_context, server_context, hostname = testing_context() + client_context.set_ecdh_curve("secp384r1") + server_context.set_ciphers("ECDHE:!eNULL:!aNULL") + server_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 + stats = server_params_test(client_context, server_context, + chatty=True, connectionchatty=True, + sni_name=hostname) + + # server / client curve mismatch + client_context, server_context, hostname = testing_context() + client_context.set_ecdh_curve("prime256v1") + server_context.set_ecdh_curve("secp384r1") + server_context.set_ciphers("ECDHE:!eNULL:!aNULL") + server_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 + try: + stats = server_params_test(client_context, server_context, + chatty=True, connectionchatty=True, + sni_name=hostname) + except ssl.SSLError: + pass + else: + # OpenSSL 1.0.2 does not fail although it should. + if IS_OPENSSL_1_1: + self.fail("mismatch curve did not fail") + def test_selected_alpn_protocol(self): # selected_alpn_protocol() is None unless ALPN is used. client_context, server_context, hostname = testing_context() diff --git a/Misc/NEWS.d/next/Tests/2017-10-18-18-07-45.bpo-31809.KlQrkE.rst b/Misc/NEWS.d/next/Tests/2017-10-18-18-07-45.bpo-31809.KlQrkE.rst new file mode 100644 index 0000000..8a48508 --- /dev/null +++ b/Misc/NEWS.d/next/Tests/2017-10-18-18-07-45.bpo-31809.KlQrkE.rst @@ -0,0 +1 @@ +Add tests to verify connection with secp ECDH curves. |