diff options
Diffstat (limited to '')
-rw-r--r-- | tests/pytests/conftest.py | 2 | ||||
-rw-r--r-- | tests/pytests/test_tls.py | 47 | ||||
-rw-r--r-- | tests/pytests/utils.py | 19 |
3 files changed, 8 insertions, 60 deletions
diff --git a/tests/pytests/conftest.py b/tests/pytests/conftest.py index 4c711f8..fcf4b05 100644 --- a/tests/pytests/conftest.py +++ b/tests/pytests/conftest.py @@ -86,7 +86,7 @@ def query_before(request): # whether to send an initial query return request.param -@pytest.mark.optionalhook +@pytest.hookimpl(optionalhook=True) def pytest_metadata(metadata): # filter potentially sensitive data from GitLab CI keys_to_delete = [] for key in metadata.keys(): diff --git a/tests/pytests/test_tls.py b/tests/pytests/test_tls.py index 3e1328a..2187efb 100644 --- a/tests/pytests/test_tls.py +++ b/tests/pytests/test_tls.py @@ -1,15 +1,8 @@ # SPDX-License-Identifier: GPL-3.0-or-later """TLS-specific tests""" -import itertools -import os -from socket import AF_INET, AF_INET6 import ssl -import sys - import pytest - -from kresd import make_kresd import utils @@ -41,43 +34,3 @@ def test_tls_cert_hostname_mismatch(kresd_tt, sock_family): with pytest.raises(ssl.CertificateError): ssock.connect(dest) - - -@pytest.mark.skipif(sys.version_info < (3, 6), - reason="requires python3.6 or higher") -@pytest.mark.parametrize('sf1, sf2, sf3', itertools.product( - [AF_INET, AF_INET6], [AF_INET, AF_INET6], [AF_INET, AF_INET6])) -def test_tls_session_resumption(tmpdir, sf1, sf2, sf3): - """Attempt TLS session resumption against the same kresd instance and a different one.""" - # TODO ensure that session can't be resumed after session ticket key regeneration - # at the first kresd instance - - # NOTE TLS 1.3 is intentionally disabled for session resumption tests, - # because python's SSLSocket.session isn't compatible with TLS 1.3 - # https://docs.python.org/3/library/ssl.html?highlight=ssl%20ticket#tls-1-3 - - def connect(kresd, ctx, sf, session=None): - sock, dest = kresd.stream_socket(sf, tls=True) - ssock = ctx.wrap_socket( - sock, server_hostname='transport-test-server.com', session=session) - ssock.connect(dest) - new_session = ssock.session - assert new_session.has_ticket - assert ssock.session_reused == (session is not None) - utils.ping_alive(ssock) - ssock.close() - return new_session - - workdir = os.path.join(str(tmpdir), 'kresd') - os.makedirs(workdir) - - with make_kresd(workdir, 'tt') as kresd: - ctx = utils.make_ssl_context( - verify_location=kresd.tls_cert_path, extra_options=[ssl.OP_NO_TLSv1_3]) - session = connect(kresd, ctx, sf1) # initial conn - connect(kresd, ctx, sf2, session) # resume session on the same instance - - workdir2 = os.path.join(str(tmpdir), 'kresd2') - os.makedirs(workdir2) - with make_kresd(workdir2, 'tt') as kresd2: - connect(kresd2, ctx, sf3, session) # resume session on a different instance diff --git a/tests/pytests/utils.py b/tests/pytests/utils.py index 4b995d4..8af71aa 100644 --- a/tests/pytests/utils.py +++ b/tests/pytests/utils.py @@ -99,7 +99,7 @@ def ping_alive(sock, msgid=None): @contextmanager def expect_kresd_close(rst_ok=False): - with pytest.raises(BrokenPipeError): + with pytest.raises((BrokenPipeError, ssl.SSLEOFError)): try: time.sleep(0.2) # give kresd time to close connection with TCP FIN yield @@ -110,17 +110,12 @@ def expect_kresd_close(rst_ok=False): pytest.fail("kresd didn't close the connection") -def make_ssl_context(insecure=False, verify_location=None, extra_options=None): - # set TLS v1.2+ - context = ssl.SSLContext(ssl.PROTOCOL_TLS) - context.options |= ssl.OP_NO_SSLv2 - context.options |= ssl.OP_NO_SSLv3 - context.options |= ssl.OP_NO_TLSv1 - context.options |= ssl.OP_NO_TLSv1_1 - - if extra_options is not None: - for option in extra_options: - context.options |= option +def make_ssl_context(insecure=False, verify_location=None, + minimum_tls=ssl.TLSVersion.TLSv1_2, + maximum_tls=ssl.TLSVersion.MAXIMUM_SUPPORTED): + context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) + context.minimum_version = minimum_tls + context.maximum_version = maximum_tls if insecure: # turn off certificate verification |