[3.7] bpo-31809: test secp ECDH curves (GH-4036) (#5872) · python/cpython@ff7528f (original) (raw)

`@@ -143,6 +143,21 @@ def have_verify_flags():

`

143

143

`# 0.9.8 or higher

`

144

144

`return ssl.OPENSSL_VERSION_INFO >= (0, 9, 8, 0, 15)

`

145

145

``

``

146

`+

def _have_secp_curves():

`

``

147

`+

if not ssl.HAS_ECDH:

`

``

148

`+

return False

`

``

149

`+

ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)

`

``

150

`+

try:

`

``

151

`+

ctx.set_ecdh_curve("secp384r1")

`

``

152

`+

except ValueError:

`

``

153

`+

return False

`

``

154

`+

else:

`

``

155

`+

return True

`

``

156

+

``

157

+

``

158

`+

HAVE_SECP_CURVES = _have_secp_curves()

`

``

159

+

``

160

+

146

161

`def utc_offset(): #NOTE: ignore issues like #1647654

`

147

162

`# local time = utc time + utc offset

`

148

163

`if time.daylight and time.localtime().tm_isdst > 0:

`

`@@ -3523,6 +3538,43 @@ def test_dh_params(self):

`

3523

3538

`if "ADH" not in parts and "EDH" not in parts and "DHE" not in parts:

`

3524

3539

`self.fail("Non-DH cipher: " + cipher[0])

`

3525

3540

``

``

3541

`+

@unittest.skipUnless(HAVE_SECP_CURVES, "needs secp384r1 curve support")

`

``

3542

`+

def test_ecdh_curve(self):

`

``

3543

`+

server secp384r1, client auto

`

``

3544

`+

client_context, server_context, hostname = testing_context()

`

``

3545

`+

server_context.set_ecdh_curve("secp384r1")

`

``

3546

`+

server_context.set_ciphers("ECDHE:!eNULL:!aNULL")

`

``

3547

`+

server_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1

`

``

3548

`+

stats = server_params_test(client_context, server_context,

`

``

3549

`+

chatty=True, connectionchatty=True,

`

``

3550

`+

sni_name=hostname)

`

``

3551

+

``

3552

`+

server auto, client secp384r1

`

``

3553

`+

client_context, server_context, hostname = testing_context()

`

``

3554

`+

client_context.set_ecdh_curve("secp384r1")

`

``

3555

`+

server_context.set_ciphers("ECDHE:!eNULL:!aNULL")

`

``

3556

`+

server_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1

`

``

3557

`+

stats = server_params_test(client_context, server_context,

`

``

3558

`+

chatty=True, connectionchatty=True,

`

``

3559

`+

sni_name=hostname)

`

``

3560

+

``

3561

`+

server / client curve mismatch

`

``

3562

`+

client_context, server_context, hostname = testing_context()

`

``

3563

`+

client_context.set_ecdh_curve("prime256v1")

`

``

3564

`+

server_context.set_ecdh_curve("secp384r1")

`

``

3565

`+

server_context.set_ciphers("ECDHE:!eNULL:!aNULL")

`

``

3566

`+

server_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1

`

``

3567

`+

try:

`

``

3568

`+

stats = server_params_test(client_context, server_context,

`

``

3569

`+

chatty=True, connectionchatty=True,

`

``

3570

`+

sni_name=hostname)

`

``

3571

`+

except ssl.SSLError:

`

``

3572

`+

pass

`

``

3573

`+

else:

`

``

3574

`+

OpenSSL 1.0.2 does not fail although it should.

`

``

3575

`+

if IS_OPENSSL_1_1:

`

``

3576

`+

self.fail("mismatch curve did not fail")

`

``

3577

+

3526

3578

`def test_selected_alpn_protocol(self):

`

3527

3579

`# selected_alpn_protocol() is None unless ALPN is used.

`

3528

3580

`client_context, server_context, hostname = testing_context()

`