Merge pull request #88 from tomato42/handshakesettings-fixes

Test coverage for handshakesettings and few fixes
trevp · Mar 24, 2015 · e4604fa · e4604fa
2 parents 02c41b8 + a9f92d4
commit e4604fa
Show file tree

Hide file tree

Showing 3 changed files with 173 additions and 10 deletions.
diff --git a/tlslite/handshakesettings.py b/tlslite/handshakesettings.py
@@ -111,9 +111,15 @@ def __init__(self):
         self.useExperimentalTackExtension = False
         self.sendFallbackSCSV = False
 
-    # Validates the min/max fields, and certificateTypes
-    # Filters out unsupported cipherNames and cipherImplementations
-    def _filter(self):
+    def validate(self):
+        """
+        Validate the settings, filter out unsupported ciphersuites and return
+        a copy of object. Does not modify the original object.
+
+        @rtype: HandshakeSettings
+        @return: a self-consistent copy of settings
+        @raise ValueError: when settings are invalid, insecure or unsupported.
+        """
         other = HandshakeSettings()
         other.minKeySize = self.minKeySize
         other.maxKeySize = self.maxKeySize
@@ -149,6 +155,8 @@ def _filter(self):
             raise ValueError("maxKeySize too small")
         if other.maxKeySize>16384:
             raise ValueError("maxKeySize too large")
+        if other.maxKeySize < other.minKeySize:
+            raise ValueError("maxKeySize smaller than minKeySize")
         for s in other.cipherNames:
             if s not in CIPHER_NAMES:
                 raise ValueError("Unknown cipher name: '%s'" % s)
@@ -174,11 +182,12 @@ def _filter(self):
 
         return other
 
-    def _getCertificateTypes(self):
-        l = []
+    def getCertificateTypes(self):
+        """Get list of certificate types as IDs"""
+        ret = []
         for ct in self.certificateTypes:
             if ct == "x509":
-                l.append(CertificateType.x509)
+                ret.append(CertificateType.x509)
             else:
                 raise AssertionError()
-        return l
+        return ret
diff --git a/tlslite/tlsconnection.py b/tlslite/tlsconnection.py
@@ -370,7 +370,7 @@ def _handshakeClientAsyncHelper(self, srpParams, certParams, anonParams,
         # or crypto libraries that were requested        
         if not settings:
             settings = HandshakeSettings()
-        settings = settings._filter()
+        settings = settings.validate()
 
         if clientCertChain:
             if not isinstance(clientCertChain, X509CertChain):
@@ -514,7 +514,7 @@ def _clientSendClientHello(self, settings, session, srpUsername,
             wireCipherSuites.append(CipherSuite.TLS_FALLBACK_SCSV)
 
         #Initialize acceptable certificate types
-        certificateTypes = settings._getCertificateTypes()
+        certificateTypes = settings.getCertificateTypes()
 
         #Either send ClientHello (with a resumable session)...
         if session and session.sessionID:
@@ -1116,7 +1116,7 @@ def _handshakeServerAsyncHelper(self, verifierDB,
 
         if not settings:
             settings = HandshakeSettings()
-        settings = settings._filter()
+        settings = settings.validate()
 
         # OK Start exchanging messages
         # ******************************

diff --git a/unit_tests/test_tlslite_handshakesettings.py b/unit_tests/test_tlslite_handshakesettings.py
@@ -0,0 +1,154 @@
+# Author: Hubert Kario (c) 2014
+# see LICENCE file for legal information regarding use of this file
+
+# compatibility with Python 2.6, for that we need unittest2 package,
+# which is not available on 3.3 or 3.4
+try:
+    import unittest2 as unittest
+except ImportError:
+    import unittest
+
+from tlslite.handshakesettings import HandshakeSettings
+
+class TestHandshakeSettings(unittest.TestCase):
+    def test___init__(self):
+        hs = HandshakeSettings()
+
+        self.assertIsNotNone(hs)
+
+    def test_validate(self):
+        hs = HandshakeSettings()
+        newHS = hs.validate()
+
+        self.assertIsNotNone(newHS)
+        self.assertIsNot(hs, newHS)
+
+    def test_minKeySize_too_small(self):
+        hs = HandshakeSettings()
+        hs.minKeySize = 511
+
+        with self.assertRaises(ValueError):
+            hs.validate()
+
+    def test_minKeySize_too_large(self):
+        hs = HandshakeSettings()
+        hs.minKeySize = 16385
+
+        with self.assertRaises(ValueError):
+            hs.validate()
+
+    def test_maxKeySize_too_small(self):
+        hs = HandshakeSettings()
+        hs.maxKeySize = 511
+
+        with self.assertRaises(ValueError):
+            hs.validate()
+
+    def test_maxKeySize_too_large(self):
+        hs = HandshakeSettings()
+        hs.maxKeySize = 16385
+
+        with self.assertRaises(ValueError):
+            hs.validate()
+
+    def test_maxKeySize_smaller_than_minKeySize(self):
+        hs = HandshakeSettings()
+        hs.maxKeySize = 1024
+        hs.minKeySize = 2048
+
+        with self.assertRaises(ValueError):
+            hs.validate()
+
+    def test_cipherNames_with_unknown_name(self):
+        hs = HandshakeSettings()
+        hs.cipherNames = ["aes256"]
+
+        newHs = hs.validate()
+
+        self.assertEqual(["aes256"], newHs.cipherNames)
+
+    def test_cipherNames_with_unknown_name(self):
+        hs = HandshakeSettings()
+        hs.cipherNames = ["aes256gcm", "aes256"]
+
+        with self.assertRaises(ValueError):
+            hs.validate()
+
+    def test_cipherNames_empty(self):
+        hs = HandshakeSettings()
+        hs.cipherNames = []
+
+        with self.assertRaises(ValueError):
+            hs.validate()
+
+    def test_certificateTypes_empty(self):
+        hs = HandshakeSettings()
+        hs.certificateTypes = []
+
+        with self.assertRaises(ValueError):
+            hs.validate()
+
+    def test_certificateTypes_with_unknown_type(self):
+        hs = HandshakeSettings()
+        hs.certificateTypes = [0, 42]
+
+        with self.assertRaises(ValueError):
+            hs.validate()
+
+    def test_cipherImplementations_empty(self):
+        hs = HandshakeSettings()
+        hs.cipherImplementations = []
+
+        with self.assertRaises(ValueError):
+            hs.validate()
+
+    def test_cipherImplementations_with_unknown_implementations(self):
+        hs = HandshakeSettings()
+        hs.cipherImplementations = ["openssl", "NSS"]
+
+        with self.assertRaises(ValueError):
+            hs.validate()
+
+    def test_minVersion_higher_than_maxVersion(self):
+        hs = HandshakeSettings()
+        hs.minVersion = (3, 3)
+        hs.maxVersion = (3, 0)
+
+        with self.assertRaises(ValueError):
+            hs.validate()
+
+    def test_minVersion_with_unknown_version(self):
+        hs = HandshakeSettings()
+        hs.minVersion = (2, 0)
+
+        with self.assertRaises(ValueError):
+            hs.validate()
+
+    def test_maxVersion_with_unknown_version(self):
+        hs = HandshakeSettings()
+        hs.maxVersion = (3, 4)
+
+        with self.assertRaises(ValueError):
+            hs.validate()
+
+    def test_maxVersion_without_TLSv1_2(self):
+        hs = HandshakeSettings()
+        hs.maxVersion = (3, 2)
+
+        self.assertTrue('sha256' in hs.macNames)
+
+        new_hs = hs.validate()
+
+        self.assertFalse("sha256" in new_hs.macNames)
+
+    def test_getCertificateTypes(self):
+        hs = HandshakeSettings()
+
+        self.assertEqual([0], hs.getCertificateTypes())
+
+    def test_getCertificateTypes_with_unsupported_type(self):
+        hs = HandshakeSettings()
+        hs.certificateTypes = ["x509", "openpgp"]
+
+        with self.assertRaises(AssertionError):
+            hs.getCertificateTypes()