import socket
import time

import pytest

# Skip the whole module when pyOpenSSL is absent; every name below depends on it.
pytest.importorskip('OpenSSL.SSL')
from OpenSSL.SSL import (
    OP_NO_TICKET,
    SESS_CACHE_CLIENT,
    TLSv1_2_METHOD,
    Connection,
    Context,
    _lib,
)
from unit.applications.tls import ApplicationTLS

# Runner-side requirements for this module: any OpenSSL-enabled build.
prerequisites = {'modules': {'openssl': 'any'}}

# Shared TLS-capable test client; the autouse fixture below reconfigures it
# before every test.
client = ApplicationTLS()
201981Szelenkov@nginx.com
212491Szelenkov@nginx.com
@pytest.fixture(autouse=True)
def setup_method_fixture():
    """Provision a certificate and load a minimal TLS listener before each test.

    The listener on ``*:8080`` uses the ``default`` certificate with an
    empty ``session`` object, so every test starts from the default
    session-cache settings and adjusts them via ``add_session``.
    """
    client.certificate()

    listener = {
        "pass": "routes",
        "tls": {"certificate": "default", "session": {}},
    }
    config = {
        "listeners": {"*:8080": listener},
        "routes": [{"action": {"return": 200}}],
        "applications": {},
    }

    assert 'success' in client.conf(config), 'load application configuration'
381981Szelenkov@nginx.com
392491Szelenkov@nginx.com
def add_session(cache_size=None, timeout=None):
    """Replace the listener's ``tls/session`` object with the given settings.

    Only the parameters that are not ``None`` are sent, so passing nothing
    resets the session object to ``{}``.

    Args:
        cache_size: value for ``session/cache_size``, or ``None`` to omit it.
        timeout: value for ``session/timeout``, or ``None`` to omit it.

    Returns:
        The raw response of ``client.conf``; callers check it for
        ``'success'`` or ``'error'``.
    """
    # Keep the key order cache_size, timeout to match the original payload.
    params = {
        key: value
        for key, value in (('cache_size', cache_size), ('timeout', timeout))
        if value is not None
    }

    return client.conf(params, 'listeners/*:8080/tls/session')
492491Szelenkov@nginx.com
501981Szelenkov@nginx.com
def connect(ctx=None, session=None):
    """Perform one TLS handshake against the local test listener and close it.

    Args:
        ctx: an existing pyOpenSSL ``Context`` to reuse. When ``None`` a fresh
            TLS 1.2 client context is built with client-side session caching
            enabled and session tickets disabled, so any resumption has to go
            through the server's session-ID cache rather than tickets.
        session: a previously obtained session to offer for resumption, or
            ``None`` for a full handshake.

    Returns:
        A 4-tuple ``(conn, session, ctx, reused)`` where ``session`` is the
        session negotiated on this connection, ``ctx`` is the context that was
        used, and ``reused`` is the raw ``SSL_session_reused`` result
        (non-zero when the server accepted the offered session).

    Note:
        No verification mode is configured on the context and the peer is the
        fixed local address ``127.0.0.1:8080``; this helper is only meant for
        the in-process test listener. The underlying socket is not closed
        explicitly here -- it stays attached to the returned ``conn``.
    """
    if ctx is None:
        ctx = Context(TLSv1_2_METHOD)
        ctx.set_session_cache_mode(SESS_CACHE_CLIENT)
        ctx.set_options(OP_NO_TICKET)

    sock = socket.create_connection(('127.0.0.1', 8080))

    conn = Connection(ctx, sock)
    conn.set_connect_state()

    if session is not None:
        # Offer the old session; the server decides whether to resume it.
        conn.set_session(session)

    conn.do_handshake()
    conn.shutdown()

    negotiated = conn.get_session()
    reused = _lib.SSL_session_reused(conn._ssl)

    return (conn, negotiated, ctx, reused)
742491Szelenkov@nginx.com
751981Szelenkov@nginx.com
@pytest.mark.skipif(
    not hasattr(_lib, 'SSL_session_reused'),
    reason='session reuse is not supported',
)
def test_tls_session():
    """Session resumption follows the configured server-side cache size.

    Without a cache nothing is resumed; with ``cache_size=2`` a single
    session resumes repeatedly but four concurrent sessions cannot all fit;
    with ``cache_size=8`` all four resume.
    """
    # Default configuration: an empty "session" object means no cache.
    _, sess, ctx, reused = connect()
    assert not reused, 'new connection'

    _, _, _, reused = connect(ctx, sess)
    assert not reused, 'no cache'

    assert 'success' in add_session(cache_size=2)

    _, sess, ctx, reused = connect()
    assert not reused, 'new connection cache'

    _, _, _, reused = connect(ctx, sess)
    assert reused, 'cache'

    _, _, _, reused = connect(ctx, sess)
    assert reused, 'cache 2'

    # With room for only two sessions, at least one of four fresh sessions
    # must have been evicted by the time it is offered again.
    fresh = [connect() for _ in range(4)]
    assert not any(c[-1] for c in fresh), 'cache small all new'

    resumed = [connect(c[2], c[1]) for c in fresh]
    assert not all(c[-1] for c in resumed), 'cache small no reuse'

    # A cache of eight keeps all four sessions, so every one resumes.
    assert 'success' in add_session(cache_size=8)

    fresh = [connect() for _ in range(4)]
    assert not any(c[-1] for c in fresh), 'cache big all new'

    resumed = [connect(c[2], c[1]) for c in fresh]
    assert all(c[-1] for c in resumed), 'cache big reuse'
1152491Szelenkov@nginx.com
1161981Szelenkov@nginx.com
@pytest.mark.skipif(
    not hasattr(_lib, 'SSL_session_reused'),
    reason='session reuse is not supported',
)
def test_tls_session_timeout():
    """A cached session resumes before ``timeout`` expires and not after.

    ``timeout`` is one second; the test waits three seconds so the expiry
    is not racing against the configured value.
    """
    assert 'success' in add_session(cache_size=5, timeout=1)

    _, sess, ctx, reused = connect()
    assert not reused, 'new connection'

    _, _, _, reused = connect(ctx, sess)
    assert reused, 'no timeout'

    # Let the one-second session lifetime lapse with some margin.
    time.sleep(3)

    _, _, _, reused = connect(ctx, sess)
    assert not reused, 'timeout'
1342491Szelenkov@nginx.com
1351981Szelenkov@nginx.com
def test_tls_session_invalid():
    """Negative or non-integer ``cache_size``/``timeout`` values are rejected."""
    invalid_settings = (
        {'cache_size': -1},
        {'cache_size': {}},
        {'timeout': -1},
        {'timeout': {}},
    )

    for settings in invalid_settings:
        assert 'error' in add_session(**settings), settings