
Commit aa7466f

committed
Tweak name and add one more test
1 parent 311b0ba commit aa7466f


3 files changed

+68
-25
lines changed


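--- a/nassl/ephemeral_key_info.py
+++ b/nassl/ephemeral_key_info.py
@@ -87,6 +87,9 @@ def get_supported_by_ssl_client(cls) -> List["OpenSslEcNidEnum"]:
 OpenSslEvpPkeyEnum.EC: "ECDH",
 OpenSslEvpPkeyEnum.X25519: "ECDH",
 OpenSslEvpPkeyEnum.X448: "ECDH",
+OpenSslEvpPkeyEnum.RSA: "RSA",
+OpenSslEvpPkeyEnum.DSA: "DSA",
+OpenSslEvpPkeyEnum.RSA_PSS: "RSA-PSS",
 }
 
 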
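--- a/nassl/ssl_client.py
+++ b/nassl/ssl_client.py
@@ -466,9 +466,11 @@ def set_ciphersuites(self, cipher_suites: str) -> None:
 # TODO(AD): Eventually merge this method with get/set_cipher_list()
 self._ssl.set_ciphersuites(cipher_suites)
 
-def set_sigalgs(self, sigalgs: List[Tuple[OpenSslDigestNidEnum, OpenSslEvpPkeyEnum]]) -> None:
-"""Set the enabled signature algorithms for the key exchange."""
-flattened_sigalgs = [item for sublist in sigalgs for item in sublist]
+def set_signature_algorithms(self, algorithms: List[Tuple[OpenSslDigestNidEnum, OpenSslEvpPkeyEnum]]) -> None:
+"""Set the enabled signature algorithms for the key exchange.
+
+The algorithms parameter is a list of a public key algorithm and a digest."""
+flattened_sigalgs = [item for sublist in algorithms for item in sublist]
 self._ssl.set1_sigalgs(flattened_sigalgs)
 
 def get_peer_signature_nid(self) -> OpenSslDigestNidEnum: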
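Review bot: The new docstring on `set_signature_algorithms` describes each entry as "a public key algorithm and a digest", but the annotation `List[Tuple[OpenSslDigestNidEnum, OpenSslEvpPkeyEnum]]` puts the digest first, and the list is flattened in that order before it reaches `set1_sigalgs`. A caller who follows the prose would build the tuples the wrong way round, so the restriction they meant to apply would presumably be rejected or not take effect as intended. I would reword the second docstring line to `The algorithms parameter is a list of (digest, public key algorithm) tuples, in that order.` Separately, the rename removes `set_sigalgs` without an alias. If that name was ever released, existing callers break, which I cannot tell from this page.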

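--- a/tests/ssl_client_test.py
+++ b/tests/ssl_client_test.py
@@ -12,7 +12,8 @@
 OpenSslVerifyEnum,
 SslClient,
 OpenSSLError,
-OpenSslEarlyDataStatusEnum, OpenSslDigestNidEnum,
+OpenSslEarlyDataStatusEnum,
+OpenSslDigestNidEnum,
 )
 from nassl.ephemeral_key_info import (
 OpenSslEvpPkeyEnum,
@@ -219,7 +220,6 @@ def test_get_verified_chain(self) -> None:
 # And when requesting the verified certificate chain, it returns it
 assert ssl_client.get_verified_chain()
 
-assert ssl_client.get_peer_signature_nid() == OpenSslDigestNidEnum.SHA256
 finally:
 ssl_client.shutdown()
 
@@ -363,16 +363,20 @@ def test_set_groups_curve_x448(self) -> None:
 assert len(dh_info.public_bytes) == 56
 
 def test_get_extended_master_secret_not_used(self) -> None:
+# Given a TLS server that does NOT support the Extended Master Secret extension
 with LegacyOpenSslServer() as server:
 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 sock.settimeout(5)
 sock.connect((server.hostname, server.port))
 
+# When a client connects to it
 ssl_client = SslClient(
 ssl_version=OpenSslVersionEnum.TLSV1_2,
 underlying_socket=sock,
 ssl_verify=OpenSslVerifyEnum.NONE,
 )
+
+# Then, before the handshake, the client cannot tell if Extended Master Secret was used
 exms_support_before_handshake = ssl_client.get_extended_master_secret_support()
 assert exms_support_before_handshake == ExtendedMasterSecretSupportEnum.UNKNOWN
 
@@ -381,29 +385,83 @@ def test_get_extended_master_secret_not_used(self) -> None:
 finally:
 ssl_client.shutdown()
 
+# And after the handshake, the client can tell that Extended Master Secret was NOT used
 exms_support = ssl_client.get_extended_master_secret_support()
 assert exms_support == ExtendedMasterSecretSupportEnum.NOT_USED_IN_CURRENT_SESSION
 
 def test_get_extended_master_secret_used(self) -> None:
+# Given a TLS server that DOES support the Extended Master Secret extension
 with ModernOpenSslServer() as server:
 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 sock.settimeout(5)
 sock.connect((server.hostname, server.port))
 
+# When a client connects to it
 ssl_client = SslClient(
 ssl_version=OpenSslVersionEnum.TLSV1_2,
 underlying_socket=sock,
 ssl_verify=OpenSslVerifyEnum.NONE,
 )
 
+# Then, before the handshake, the client cannot tell if Extended Master Secret was used
+exms_support_before_handshake = ssl_client.get_extended_master_secret_support()
+assert exms_support_before_handshake == ExtendedMasterSecretSupportEnum.UNKNOWN
+
 try:
 ssl_client.do_handshake()
 finally:
 ssl_client.shutdown()
 
+# And after the handshake, the client can tell that Extended Master Secret was used
 exms_support = ssl_client.get_extended_master_secret_support()
 assert exms_support == ExtendedMasterSecretSupportEnum.USED_IN_CURRENT_SESSION
 
+def test_set_signature_algorithms(self) -> None:
+# Given a TLS server
+with ModernOpenSslServer() as server:
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.settimeout(5)
+sock.connect((server.hostname, server.port))
+
+# And a client
+ssl_client = SslClient(
+ssl_version=OpenSslVersionEnum.TLSV1_2,
+underlying_socket=sock,
+ssl_verify=OpenSslVerifyEnum.NONE,
+)
+# That's configured to use a specific signature algorithm
+ssl_client.set_signature_algorithms([(OpenSslDigestNidEnum.SHA256, OpenSslEvpPkeyEnum.RSA)])
+
+# When the client connects to the server, it succeeds
+try:
+ssl_client.do_handshake()
+finally:
+ssl_client.shutdown()
+
+# And the configured signature algorithm was used
+assert ssl_client.get_peer_signature_nid() == OpenSslDigestNidEnum.SHA256
+
+def test_set_signature_algorithms_but_not_supported(self) -> None:
+# Given a TLS server
+with ModernOpenSslServer() as server:
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.settimeout(5)
+sock.connect((server.hostname, server.port))
+
+# And a client
+ssl_client = SslClient(
+ssl_version=OpenSslVersionEnum.TLSV1_3,
+underlying_socket=sock,
+ssl_verify=OpenSslVerifyEnum.NONE,
+)
+# That's configured to use signature algorithms that are NOT supported
+ssl_client.set_signature_algorithms([(OpenSslDigestNidEnum.SHA512, OpenSslEvpPkeyEnum.EC)])
+
+# Then, when the client connects to the server, the handshake fails
+with pytest.raises(OpenSSLError, match="handshake failure"):
+ssl_client.do_handshake()
+ssl_client.shutdown()
+
 
 class TestLegacySslClientOnline:
 def test_ssl_2(self) -> None:
@@ -469,26 +527,6 @@ def test_set_ciphersuites(self) -> None:
 # And client's cipher suite was used
 assert "TLS_CHACHA20_POLY1305_SHA256" == ssl_client.get_current_cipher_name()
 
-def test_set_sigalgs(self):
-with ModernOpenSslServer() as server:
-sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-sock.settimeout(5)
-sock.connect((server.hostname, server.port))
-
-ssl_client = SslClient(
-ssl_version=OpenSslVersionEnum.TLSV1_3,
-underlying_socket=sock,
-ssl_verify=OpenSslVerifyEnum.NONE,
-)
-# These signature algorithms are unsupported
-ssl_client.set_sigalgs([
-(OpenSslDigestNidEnum.SHA512, OpenSslEvpPkeyEnum.EC)
-])
-
-with pytest.raises(OpenSSLError):
-ssl_client.do_handshake()
-ssl_client.shutdown()
-
 @staticmethod
 def _create_tls_1_3_session(server_host: str, server_port: int) -> _nassl.SSL_SESSION:
 sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)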
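Review bot: The positive case `test_set_signature_algorithms` may pass even if `set_signature_algorithms` has no effect. It pins `SHA256` and then asserts `SHA256`, which is the same value the assertion removed from `test_get_verified_chain` expected with no signature algorithm configured. Pinning a digest that is presumably not the default would tie the assertion to the setter, for example `ssl_client.set_signature_algorithms([(OpenSslDigestNidEnum.SHA512, OpenSslEvpPkeyEnum.RSA)])` followed by `assert ssl_client.get_peer_signature_nid() == OpenSslDigestNidEnum.SHA512`, provided the test server accepts that pair. In `test_set_signature_algorithms_but_not_supported`, indentation is lost on this page, so I cannot tell whether the trailing `ssl_client.shutdown()` sits inside the `with pytest.raises(...)` block. If it does, it never runs once `do_handshake()` raises, and it should move after the block.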
