[Python-checkins] bpo-31809: test secp ECDH curves (#4036)

Christian Heimes webhook-mailer at python.org
Sun Feb 25 03:49:34 EST 2018


https://github.com/python/cpython/commit/b7b9225831a729bff84eb7c43bad138416b994fe
commit: b7b9225831a729bff84eb7c43bad138416b994fe
branch: master
author: Christian Heimes <christian at python.org>
committer: GitHub <noreply at github.com>
date: 2018-02-25T09:49:31+01:00
summary:

bpo-31809: test secp ECDH curves (#4036)

Add tests to verify connection with secp384r1 ECDH curves.

files:
A Misc/NEWS.d/next/Tests/2017-10-18-18-07-45.bpo-31809.KlQrkE.rst
M Lib/test/test_ssl.py

diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 3f2c50b7795a..3b34fc0e0033 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -143,6 +143,21 @@ def have_verify_flags():
     # 0.9.8 or higher
     return ssl.OPENSSL_VERSION_INFO >= (0, 9, 8, 0, 15)
 
+def _have_secp_curves():
+    if not ssl.HAS_ECDH:
+        return False
+    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+    try:
+        ctx.set_ecdh_curve("secp384r1")
+    except ValueError:
+        return False
+    else:
+        return True
+
+
+HAVE_SECP_CURVES = _have_secp_curves()
+
+
 def utc_offset(): #NOTE: ignore issues like #1647654
     # local time = utc time + utc offset
     if time.daylight and time.localtime().tm_isdst > 0:
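Review bot: `_have_secp_curves()` probes only "secp384r1", while test_ecdh_curve later in this commit also calls `client_context.set_ecdh_curve("prime256v1")`. On a build that accepts secp384r1 but not prime256v1, that call would presumably raise ValueError and surface as a test error rather than a skip. Either probe both names in the helper (wrap the try in `for name in ("secp384r1", "prime256v1"):`) or rename the flag so it says which curve it checks. A one-line docstring such as `"""Return True if this OpenSSL build accepts the secp384r1 curve."""` would also help, because the plural name suggests a broader check than the code performs.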
@@ -3523,6 +3538,43 @@ def test_dh_params(self):
         if "ADH" not in parts and "EDH" not in parts and "DHE" not in parts:
             self.fail("Non-DH cipher: " + cipher[0])
 
+    @unittest.skipUnless(HAVE_SECP_CURVES, "needs secp384r1 curve support")
+    def test_ecdh_curve(self):
+        # server secp384r1, client auto
+        client_context, server_context, hostname = testing_context()
+        server_context.set_ecdh_curve("secp384r1")
+        server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
+        server_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+        stats = server_params_test(client_context, server_context,
+                                   chatty=True, connectionchatty=True,
+                                   sni_name=hostname)
+
+        # server auto, client secp384r1
+        client_context, server_context, hostname = testing_context()
+        client_context.set_ecdh_curve("secp384r1")
+        server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
+        server_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+        stats = server_params_test(client_context, server_context,
+                                   chatty=True, connectionchatty=True,
+                                   sni_name=hostname)
+
+        # server / client curve mismatch
+        client_context, server_context, hostname = testing_context()
+        client_context.set_ecdh_curve("prime256v1")
+        server_context.set_ecdh_curve("secp384r1")
+        server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
+        server_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
+        try:
+            stats = server_params_test(client_context, server_context,
+                                       chatty=True, connectionchatty=True,
+                                       sni_name=hostname)
+        except ssl.SSLError:
+            pass
+        else:
+            # OpenSSL 1.0.2 does not fail although it should.
+            if IS_OPENSSL_1_1:
+                self.fail("mismatch curve did not fail")
+
     def test_selected_alpn_protocol(self):
         # selected_alpn_protocol() is None unless ALPN is used.
         client_context, server_context, hostname = testing_context()
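Review bot: The first two scenarios in test_ecdh_curve assign `stats` and never inspect it, so they only prove that the handshake completes, not that secp384r1 (or even an ECDHE suite) was negotiated. The mismatch scenario is the only one that shows `set_ecdh_curve` has any effect, and it is enforced only when `IS_OPENSSL_1_1` is true, so on OpenSSL 1.0.2 the whole test would still pass if the call were a no-op. I would state that limit in a comment above the first scenario, e.g. `# NOTE: only checks that the handshake succeeds; the negotiated curve is not verified`, and consider asserting on `stats` the way test_dh_params just above appears to check the cipher name. The `except ssl.SSLError: pass` in the mismatch case also accepts any SSL error, not only a handshake failure caused by the curve mismatch.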
diff --git a/Misc/NEWS.d/next/Tests/2017-10-18-18-07-45.bpo-31809.KlQrkE.rst b/Misc/NEWS.d/next/Tests/2017-10-18-18-07-45.bpo-31809.KlQrkE.rst
new file mode 100644
index 000000000000..8a48508b8c1f
--- /dev/null
+++ b/Misc/NEWS.d/next/Tests/2017-10-18-18-07-45.bpo-31809.KlQrkE.rst
@@ -0,0 +1 @@
+Add tests to verify connection with secp ECDH curves.


