def test_plain_tcp_client(self):
        # Plain TCP client causes unexpected UNEXPECTED_EOF.
        eccars = []
        for proto in sslproto.get_supported_protocols():
            for cipher in sslproto.DEFAULT_CIPHER_SUITES:
                eccars.append(
                    ECCAR(SSLServerProtoSpec(proto, cipher), UNEXPECTED_EOF))

        self._main_test(['-m', 'sslproto'], TCPConnectionHammer(len(eccars)),
                        eccars)
    def test_plain_tcp_client_timeout(self):
        # Plain TCP client causes unexpected UNEXPECTED_EOF.
        eccars = []
        for proto in sslproto.get_supported_protocols():
            for cipher in sslproto.DEFAULT_CIPHER_SUITES:
                if proto == 'sslv2':
                    expected_error = 'SSL_ERROR_ZERO_RETURN'
                else:
                    expected_error = 'SSL_ERROR_SYSCALL'
                eccars.append(
                    ECCAR(SSLServerProtoSpec(proto, cipher), expected_error))

        self._main_test(['-m', 'sslproto'],
                        TCPConnectionHammer(len(eccars),
                                            delay_before_close=30), eccars)
 def _test_openssl_accepts_selected_proto_cipher(self, selected_proto,
                                                 selected_cipher):
     eccars = []
     for cipher in sslproto.get_ciphers(selected_proto):
         if cipher == selected_cipher:
             expected_res = Connected()
         else:
             expected_res = ALERT_NO_SHARED_CIPHER
         eccars.append(
             ECCAR(SSLServerProtoSpec(selected_proto, cipher),
                   expected_res=expected_res))
     self._main_test([
         '-m', 'sslproto', '--protocols', selected_proto, '--ciphers',
         'ITERATE'
     ], OpenSSLHammer(len(eccars), cipher=selected_cipher), eccars)
    def _test_openssl_accepts_default_ciphers_for_proto(self, proto):
        eccars = []
        for cipher in sslproto.DEFAULT_CIPHER_SUITES:
            expected_res = Connected()
            eccars.append(
                ECCAR(SSLServerProtoSpec(proto, cipher),
                      expected_res=expected_res))

        if proto == 'sslv2':
            openssl_args = '-ssl2'
        elif proto == 'sslv3':
            openssl_args = '-ssl3'
        elif proto == 'tlsv1':
            openssl_args = '-tls1'
        else:
            raise ValueError()

        self._main_test(['-m', 'sslproto', '--protocols', proto],
                        OpenSSLHammer(len(eccars), [openssl_args]), eccars)
    def test_curl_works_with_sslv2_and_export_ciphers(self):
        # curl is expected to work with SSLv2 and weak ciphers
        eccars = []
        there_are_export_ciphers = False
        protos = sslproto.get_supported_protocols()
        for proto in protos:
            for cipher in sslproto.DEFAULT_CIPHER_SUITES:
                if cipher == sslproto.EXPORT_CIPHER:
                    there_are_export_ciphers = True

                if proto == 'sslv2':
                    expected_res = ALERT_NON_SSLV2_INITIAL_PACKET
                elif proto == 'sslv3':
                    expected_res = ALERT_SSLV3_BAD_CERTIFICATE
                else:
                    expected_res = ALERT_UNKNOWN_CA

                eccars.append(
                    ECCAR(SSLServerProtoSpec(proto, cipher),
                          expected_res=expected_res))
        self.assertTrue(there_are_export_ciphers)
        self._main_test(['-m', 'sslproto'], CurlHammer(len(eccars)), eccars)
    def test_cn_verifying_client(self):
        # CN verifying client only cares about getting a correct CN
        eccars = [
            # user-supplied certificate
            ECCAR(SSLProfileSpec_UserSupplied(TEST_USER_CERT_CN),
                  ConnectedGotEOFBeforeTimeout()),

            # self-signed certificates
            ECCAR(SSLProfileSpec_SelfSigned(DEFAULT_CN),
                  ConnectedGotEOFBeforeTimeout()),
            ECCAR(SSLProfileSpec_SelfSigned(LOCALHOST),
                  ConnectedGotRequest(HAMMER_HELLO)),
            ECCAR(SSLProfileSpec_SelfSigned(TEST_SERVER_CN),
                  ConnectedGotEOFBeforeTimeout()),

            # signed by user-supplied certificate
            ECCAR(SSLProfileSpec_Signed(DEFAULT_CN, TEST_USER_CERT_CN),
                  ConnectedGotEOFBeforeTimeout()),
            ECCAR(SSLProfileSpec_Signed(LOCALHOST, TEST_USER_CERT_CN),
                  ConnectedGotRequest(HAMMER_HELLO)),
            ECCAR(SSLProfileSpec_Signed(TEST_SERVER_CN, TEST_USER_CERT_CN),
                  ConnectedGotEOFBeforeTimeout()),

            # signed by user-supplied CA
            ECCAR(SSLProfileSpec_Signed(DEFAULT_CN, TEST_USER_CA_CN),
                  ConnectedGotEOFBeforeTimeout()),
            ECCAR(SSLProfileSpec_Signed(LOCALHOST, TEST_USER_CA_CN),
                  ConnectedGotRequest(HAMMER_HELLO)),
            ECCAR(SSLProfileSpec_Signed(TEST_SERVER_CN, TEST_USER_CA_CN),
                  ConnectedGotEOFBeforeTimeout()),

            # default CN, signed by user-supplied CA, with an intermediate CA
            ECCAR(
                SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_NONE_CN,
                                           TEST_USER_CA_CN),
                ConnectedGotEOFBeforeTimeout()),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_FALSE_CN,
                                           TEST_USER_CA_CN),
                ConnectedGotEOFBeforeTimeout()),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_TRUE_CN,
                                           TEST_USER_CA_CN),
                ConnectedGotEOFBeforeTimeout()),

            # user-supplied CN signed by user-supplied CA, with an intermediate CA
            ECCAR(
                SSLProfileSpec_IMCA_Signed(LOCALHOST, IM_CA_NONE_CN,
                                           TEST_USER_CA_CN),
                ConnectedGotRequest(HAMMER_HELLO)),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(LOCALHOST, IM_CA_FALSE_CN,
                                           TEST_USER_CA_CN),
                ConnectedGotRequest(HAMMER_HELLO)),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(LOCALHOST, IM_CA_TRUE_CN,
                                           TEST_USER_CA_CN),
                ConnectedGotRequest(HAMMER_HELLO)),

            # replica of server certificate signed by user-supplied CA, with an intermediate CA
            ECCAR(
                SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_NONE_CN,
                                           TEST_USER_CA_CN),
                ConnectedGotEOFBeforeTimeout()),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_FALSE_CN,
                                           TEST_USER_CA_CN),
                ConnectedGotEOFBeforeTimeout()),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_TRUE_CN,
                                           TEST_USER_CA_CN),
                ConnectedGotEOFBeforeTimeout()),
        ]

        self._main_test(
            mk_sslcaudit_argv(user_cn=LOCALHOST),
            CNVerifyingSSLConnectionHammer(len(eccars), HAMMER_HELLO), eccars)
    def test_plain_tcp_client(self):
        # Plain TCP client causes unexpected UNEXPECTED_EOF.
        eccars = [
            # user-supplied certificate
            ECCAR(SSLProfileSpec_UserSupplied(TEST_USER_CERT_CN),
                  UNEXPECTED_EOF),

            # self-signed certificates
            ECCAR(SSLProfileSpec_SelfSigned(DEFAULT_CN), UNEXPECTED_EOF),
            ECCAR(SSLProfileSpec_SelfSigned(TEST_USER_CN), UNEXPECTED_EOF),
            ECCAR(SSLProfileSpec_SelfSigned(TEST_SERVER_CN), UNEXPECTED_EOF),

            # signed by user-supplied certificate
            ECCAR(SSLProfileSpec_Signed(DEFAULT_CN, TEST_USER_CERT_CN),
                  UNEXPECTED_EOF),
            ECCAR(SSLProfileSpec_Signed(TEST_USER_CN, TEST_USER_CERT_CN),
                  UNEXPECTED_EOF),
            ECCAR(SSLProfileSpec_Signed(TEST_SERVER_CN, TEST_USER_CERT_CN),
                  UNEXPECTED_EOF),

            # signed by user-supplied CA
            ECCAR(SSLProfileSpec_Signed(DEFAULT_CN, TEST_USER_CA_CN),
                  UNEXPECTED_EOF),
            ECCAR(SSLProfileSpec_Signed(TEST_USER_CN, TEST_USER_CA_CN),
                  UNEXPECTED_EOF),
            ECCAR(SSLProfileSpec_Signed(TEST_SERVER_CN, TEST_USER_CA_CN),
                  UNEXPECTED_EOF),

            # default CN, signed by user-supplied CA, with an intermediate CA
            ECCAR(
                SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_NONE_CN,
                                           TEST_USER_CA_CN), UNEXPECTED_EOF),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_FALSE_CN,
                                           TEST_USER_CA_CN), UNEXPECTED_EOF),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_TRUE_CN,
                                           TEST_USER_CA_CN), UNEXPECTED_EOF),

            # user-supplied CN signed by user-supplied CA, with an intermediate CA
            ECCAR(
                SSLProfileSpec_IMCA_Signed(TEST_USER_CN, IM_CA_NONE_CN,
                                           TEST_USER_CA_CN), UNEXPECTED_EOF),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(TEST_USER_CN, IM_CA_FALSE_CN,
                                           TEST_USER_CA_CN), UNEXPECTED_EOF),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(TEST_USER_CN, IM_CA_TRUE_CN,
                                           TEST_USER_CA_CN), UNEXPECTED_EOF),

            # replica of server certificate signed by user-supplied CA, with an intermediate CA
            ECCAR(
                SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_NONE_CN,
                                           TEST_USER_CA_CN), UNEXPECTED_EOF),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_FALSE_CN,
                                           TEST_USER_CA_CN), UNEXPECTED_EOF),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_TRUE_CN,
                                           TEST_USER_CA_CN), UNEXPECTED_EOF)
        ]
        self._main_test(mk_sslcaudit_argv(), TCPConnectionHammer(len(eccars)),
                        eccars)
    def test_curl(self):
        # curl does all the checks
        eccars = [
            # user-supplied certificate
            ECCAR(SSLProfileSpec_UserSupplied(TEST_USER_CERT_CN),
                  ConnectedGotEOFBeforeTimeout()),

            # self-signed certificates
            ECCAR(SSLProfileSpec_SelfSigned(DEFAULT_CN), ALERT_UNKNOWN_CA),
            ECCAR(SSLProfileSpec_SelfSigned(LOCALHOST), ALERT_UNKNOWN_CA),
            ECCAR(SSLProfileSpec_SelfSigned(TEST_SERVER_CN), ALERT_UNKNOWN_CA),

            # signed by user-supplied certificate
            ECCAR(SSLProfileSpec_Signed(DEFAULT_CN, TEST_USER_CERT_CN),
                  ALERT_UNKNOWN_CA),
            ECCAR(SSLProfileSpec_Signed(LOCALHOST, TEST_USER_CERT_CN),
                  ALERT_UNKNOWN_CA),
            ECCAR(SSLProfileSpec_Signed(TEST_SERVER_CN, TEST_USER_CERT_CN),
                  ALERT_UNKNOWN_CA),

            # signed by user-supplied CA
            ECCAR(SSLProfileSpec_Signed(DEFAULT_CN, TEST_USER_CA_CN),
                  ConnectedGotEOFBeforeTimeout()),
            ECCAR(SSLProfileSpec_Signed(LOCALHOST, TEST_USER_CA_CN),
                  ConnectedGotRequest()),
            ECCAR(SSLProfileSpec_Signed(TEST_SERVER_CN, TEST_USER_CA_CN),
                  ConnectedGotEOFBeforeTimeout()),

            # default CN, signed by user-supplied CA, with an intermediate CA
            ECCAR(
                SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_NONE_CN,
                                           TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_FALSE_CN,
                                           TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(DEFAULT_CN, IM_CA_TRUE_CN,
                                           TEST_USER_CA_CN),
                ConnectedGotEOFBeforeTimeout()),

            # user-supplied CN signed by user-supplied CA, with an intermediate CA
            ECCAR(
                SSLProfileSpec_IMCA_Signed(LOCALHOST, IM_CA_NONE_CN,
                                           TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(LOCALHOST, IM_CA_FALSE_CN,
                                           TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(LOCALHOST, IM_CA_TRUE_CN,
                                           TEST_USER_CA_CN),
                ConnectedGotRequest()),

            # replica of server certificate signed by user-supplied CA, with an intermediate CA
            ECCAR(
                SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_NONE_CN,
                                           TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_FALSE_CN,
                                           TEST_USER_CA_CN), ALERT_UNKNOWN_CA),
            ECCAR(
                SSLProfileSpec_IMCA_Signed(TEST_SERVER_CN, IM_CA_TRUE_CN,
                                           TEST_USER_CA_CN),
                ConnectedGotEOFBeforeTimeout()),
        ]

        self._main_test(mk_sslcaudit_argv(user_cn=LOCALHOST),
                        CurlHammer(len(eccars), TEST_USER_CA_CERT_FILE),
                        eccars)