gh-116333: Relax error string text expectations in SSL-related tests (GH-116334)

* Relax error string text expectations in SSL-related tests As suggested [here][1], this change relaxes the OpenSSL error string text expectations in a number of tests. This was specifically done in support of more easily building CPython [AWS-LC][2], but because AWS-LC is a fork of [BoringSSL][3], it should increase compatibility with that library as well. In addition to the error string relaxations, we also add some guards around the `tls-unique` channel binding being used with TLSv1.3, as that feature (described in [RFC 6929][4]) is [not defined][5] for TLSv1.3. [1]: https://discuss.python.org/t/support-building-ssl-and-hashlib-modules-against-aws-lc/44505/4 [2]: https://github.com/aws/aws-lc [3]: https://github.com/google/boringssl [4]: https://datatracker.ietf.org/doc/html/rfc5929#section-3 [5]: https://datatracker.ietf.org/doc/html/rfc8446#appendix-C.5
2024-03-21 14:16:36 -05:00 · 2024-03-21 14:16:36 -05:00 · c85d84166a
parent 1f72fb5447
commit c85d84166a
4 changed files with 96 additions and 38 deletions
--- a/Lib/test/test_asyncio/test_events.py
+++ b/Lib/test/test_asyncio/test_events.py
@ -1125,12 +1125,16 @@ class EventLoopTestsMixin:
        # incorrect server_hostname
        f_c = self.loop.create_connection(MyProto, host, port,
                                          ssl=sslcontext_client)
        # Allow for flexible libssl error messages.
        regex = re.compile(r"""(
            IP address mismatch, certificate is not valid for '127.0.0.1'   # OpenSSL
            |
            CERTIFICATE_VERIFY_FAILED                                       # AWS-LC
        )""", re.X)
        with mock.patch.object(self.loop, 'call_exception_handler'):
            with test_utils.disable_logger():
-                with self.assertRaisesRegex(
+                with self.assertRaisesRegex(ssl.CertificateError, regex):
                        ssl.CertificateError,
                        "IP address mismatch, certificate is not valid for "
                        "'127.0.0.1'"):
                    self.loop.run_until_complete(f_c)
        # close connection
--- a/Lib/test/test_imaplib.py
+++ b/Lib/test/test_imaplib.py
@ -8,6 +8,7 @@ import socketserver
 import time
 import calendar
 import threading
 import re
 import socket
 from test.support import verbose, run_with_tz, run_with_locale, cpython_only, requires_resource
@ -558,9 +559,13 @@ class NewIMAPSSLTests(NewIMAPTestsMixin, unittest.TestCase):
        self.assertEqual(ssl_context.check_hostname, True)
        ssl_context.load_verify_locations(CAFILE)
-        with self.assertRaisesRegex(ssl.CertificateError,
+        # Allow for flexible libssl error messages.
-                "IP address mismatch, certificate is not valid for "
+        regex = re.compile(r"""(
-                "'127.0.0.1'"):
+            IP address mismatch, certificate is not valid for '127.0.0.1'   # OpenSSL
            |
            CERTIFICATE_VERIFY_FAILED                                       # AWS-LC
        )""", re.X)
        with self.assertRaisesRegex(ssl.CertificateError, regex):
            _, server = self._setup(SimpleIMAPHandler)
            client = self.imap_class(*server.server_address,
                                     ssl_context=ssl_context)
@ -954,10 +959,13 @@ class ThreadedNetworkedTestsSSL(ThreadedNetworkedTests):
        ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ssl_context.load_verify_locations(CAFILE)
-        with self.assertRaisesRegex(
+        # Allow for flexible libssl error messages.
-                ssl.CertificateError,
+        regex = re.compile(r"""(
-                "IP address mismatch, certificate is not valid for "
+            IP address mismatch, certificate is not valid for '127.0.0.1'   # OpenSSL
-                "'127.0.0.1'"):
+            |
            CERTIFICATE_VERIFY_FAILED                                       # AWS-LC
        )""", re.X)
        with self.assertRaisesRegex(ssl.CertificateError, regex):
            with self.reaped_server(SimpleIMAPHandler) as server:
                client = self.imap_class(*server.server_address,
                                         ssl_context=ssl_context)
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@ -551,7 +551,7 @@ class BasicSocketTests(unittest.TestCase):
        else:
            openssl_ver = f"OpenSSL {major:d}.{minor:d}.{fix:d}"
        self.assertTrue(
-            s.startswith((openssl_ver, libressl_ver)),
+            s.startswith((openssl_ver, libressl_ver, "AWS-LC")),
            (s, t, hex(n))
        )
@ -1169,24 +1169,30 @@ class ContextTests(unittest.TestCase):
        with self.assertRaises(OSError) as cm:
            ctx.load_cert_chain(NONEXISTINGCERT)
        self.assertEqual(cm.exception.errno, errno.ENOENT)
-        with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
+        with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"):
            ctx.load_cert_chain(BADCERT)
-        with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
+        with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"):
            ctx.load_cert_chain(EMPTYCERT)
        # Separate key and cert
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(ONLYCERT, ONLYKEY)
        ctx.load_cert_chain(certfile=ONLYCERT, keyfile=ONLYKEY)
        ctx.load_cert_chain(certfile=BYTES_ONLYCERT, keyfile=BYTES_ONLYKEY)
-        with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
+        with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"):
            ctx.load_cert_chain(ONLYCERT)
-        with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
+        with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"):
            ctx.load_cert_chain(ONLYKEY)
-        with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
+        with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"):
            ctx.load_cert_chain(certfile=ONLYKEY, keyfile=ONLYCERT)
        # Mismatching key and cert
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
-        with self.assertRaisesRegex(ssl.SSLError, "key values mismatch"):
+        # Allow for flexible libssl error messages.
        regex = re.compile(r"""(
            key values mismatch         # OpenSSL
            |
            KEY_VALUES_MISMATCH         # AWS-LC
        )""", re.X)
        with self.assertRaisesRegex(ssl.SSLError, regex):
            ctx.load_cert_chain(CAFILE_CACERT, ONLYKEY)
        # Password protected key and cert
        ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD)
@ -1254,7 +1260,7 @@ class ContextTests(unittest.TestCase):
        with self.assertRaises(OSError) as cm:
            ctx.load_verify_locations(NONEXISTINGCERT)
        self.assertEqual(cm.exception.errno, errno.ENOENT)
-        with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
+        with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"):
            ctx.load_verify_locations(BADCERT)
        ctx.load_verify_locations(CERTFILE, CAPATH)
        ctx.load_verify_locations(CERTFILE, capath=BYTES_CAPATH)
@ -1662,9 +1668,10 @@ class SSLErrorTests(unittest.TestCase):
        with self.assertRaises(ssl.SSLError) as cm:
            ctx.load_dh_params(CERTFILE)
        self.assertEqual(cm.exception.library, 'PEM')
-        self.assertEqual(cm.exception.reason, 'NO_START_LINE')
+        regex = "(NO_START_LINE|UNSUPPORTED_PUBLIC_KEY_TYPE)"
        self.assertRegex(cm.exception.reason, regex)
        s = str(cm.exception)
-        self.assertTrue(s.startswith("[PEM: NO_START_LINE] no start line"), s)
+        self.assertTrue("NO_START_LINE" in s, s)
    def test_subclass(self):
        # Check that the appropriate SSLError subclass is raised
@ -1844,7 +1851,13 @@ class SimpleBackgroundTests(unittest.TestCase):
        s = test_wrap_socket(socket.socket(socket.AF_INET),
                            cert_reqs=ssl.CERT_REQUIRED)
        self.addCleanup(s.close)
-        self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
+        # Allow for flexible libssl error messages.
        regex = re.compile(r"""(
            certificate verify failed   # OpenSSL
            |
            CERTIFICATE_VERIFY_FAILED   # AWS-LC
        )""", re.X)
        self.assertRaisesRegex(ssl.SSLError, regex,
                               s.connect, self.server_addr)
    def test_connect_ex(self):
@ -1912,7 +1925,13 @@ class SimpleBackgroundTests(unittest.TestCase):
            server_hostname=SIGNED_CERTFILE_HOSTNAME
        )
        self.addCleanup(s.close)
-        self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
+        # Allow for flexible libssl error messages.
        regex = re.compile(r"""(
            certificate verify failed   # OpenSSL
            |
            CERTIFICATE_VERIFY_FAILED   # AWS-LC
        )""", re.X)
        self.assertRaisesRegex(ssl.SSLError, regex,
                                s.connect, self.server_addr)
    def test_connect_capath(self):
@ -2129,14 +2148,16 @@ class SimpleBackgroundTests(unittest.TestCase):
        self.assertIsNone(sslobj.version())
        self.assertIsNone(sslobj.shared_ciphers())
        self.assertRaises(ValueError, sslobj.getpeercert)
-        if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
+        # tls-unique is not defined for TLSv1.3
        # https://datatracker.ietf.org/doc/html/rfc8446#appendix-C.5
        if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES and sslobj.version() != "TLSv1.3":
            self.assertIsNone(sslobj.get_channel_binding('tls-unique'))
        self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake)
        self.assertTrue(sslobj.cipher())
        self.assertIsNone(sslobj.shared_ciphers())
        self.assertIsNotNone(sslobj.version())
        self.assertTrue(sslobj.getpeercert())
-        if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
+        if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES and sslobj.version() != "TLSv1.3":
            self.assertTrue(sslobj.get_channel_binding('tls-unique'))
        try:
            self.ssl_io_loop(sock, incoming, outgoing, sslobj.unwrap)
@ -2861,11 +2882,16 @@ class ThreadedTests(unittest.TestCase):
        client_context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
        server = ThreadedEchoServer(context=server_context, chatty=True)
        # Allow for flexible libssl error messages.
        regex = re.compile(r"""(
            certificate verify failed   # OpenSSL
            |
            CERTIFICATE_VERIFY_FAILED   # AWS-LC
        )""", re.X)
        with server:
            with client_context.wrap_socket(socket.socket(),
                                            server_hostname=hostname) as s:
-                with self.assertRaisesRegex(ssl.SSLError,
+                with self.assertRaisesRegex(ssl.SSLError, regex):
                                            "certificate verify failed"):
                    s.connect((HOST, server.port))
        # now load a CRL file. The CRL file is signed by the CA.
@ -2896,12 +2922,16 @@ class ThreadedTests(unittest.TestCase):
        # incorrect hostname should raise an exception
        server = ThreadedEchoServer(context=server_context, chatty=True)
        # Allow for flexible libssl error messages.
        regex = re.compile(r"""(
            certificate verify failed   # OpenSSL
            |
            CERTIFICATE_VERIFY_FAILED   # AWS-LC
        )""", re.X)
        with server:
            with client_context.wrap_socket(socket.socket(),
                                            server_hostname="invalid") as s:
-                with self.assertRaisesRegex(
+                with self.assertRaisesRegex(ssl.CertificateError, regex):
                        ssl.CertificateError,
                        "Hostname mismatch, certificate is not valid for 'invalid'."):
                    s.connect((HOST, server.port))
        # missing server_hostname arg should cause an exception, too
@ -3137,7 +3167,7 @@ class ThreadedTests(unittest.TestCase):
            s.connect((HOST, server.port))
            with self.assertRaisesRegex(
                ssl.SSLError,
-                'alert unknown ca|EOF occurred'
+                'alert unknown ca|EOF occurred|TLSV1_ALERT_UNKNOWN_CA'
            ):
                # TLS 1.3 perform client cert exchange after handshake
                s.write(b'data')
@ -3201,13 +3231,21 @@ class ThreadedTests(unittest.TestCase):
                                     server_hostname=SIGNED_CERTFILE_HOSTNAME) as s:
                try:
                    s.connect((HOST, server.port))
                    self.fail("Expected connection failure")
                except ssl.SSLError as e:
                    msg = 'unable to get local issuer certificate'
                    self.assertIsInstance(e, ssl.SSLCertVerificationError)
                    self.assertEqual(e.verify_code, 20)
                    self.assertEqual(e.verify_message, msg)
-                    self.assertIn(msg, repr(e))
+                    # Allow for flexible libssl error messages.
-                    self.assertIn('certificate verify failed', repr(e))
+                    regex = f"({msg}|CERTIFICATE_VERIFY_FAILED)"
                    self.assertRegex(repr(e), regex)
                    regex = re.compile(r"""(
                        certificate verify failed   # OpenSSL
                        |
                        CERTIFICATE_VERIFY_FAILED   # AWS-LC
                    )""", re.X)
                    self.assertRegex(repr(e), regex)
    def test_PROTOCOL_TLS(self):
        """Connecting to an SSLv23 server with various client options"""
@ -3739,7 +3777,7 @@ class ThreadedTests(unittest.TestCase):
                                            server_hostname=hostname) as s:
                with self.assertRaises(OSError):
                    s.connect((HOST, server.port))
-        self.assertIn("no shared cipher", server.conn_errors[0])
+        self.assertIn("NO_SHARED_CIPHER", server.conn_errors[0])
    def test_version_basic(self):
        """
@ -3827,7 +3865,7 @@ class ThreadedTests(unittest.TestCase):
                                            server_hostname=hostname) as s:
                with self.assertRaises(ssl.SSLError) as e:
                    s.connect((HOST, server.port))
-                self.assertIn("alert", str(e.exception))
+                self.assertRegex("(alert|ALERT)", str(e.exception))
    @requires_tls_version('SSLv3')
    def test_min_max_version_sslv3(self):
@ -3869,6 +3907,10 @@ class ThreadedTests(unittest.TestCase):
        client_context, server_context, hostname = testing_context()
        # tls-unique is not defined for TLSv1.3
        # https://datatracker.ietf.org/doc/html/rfc8446#appendix-C.5
        client_context.maximum_version = ssl.TLSVersion.TLSv1_2
        server = ThreadedEchoServer(context=server_context,
                                    chatty=True,
                                    connectionchatty=False)
@ -3969,7 +4011,7 @@ class ThreadedTests(unittest.TestCase):
        cipher = stats["cipher"][0]
        parts = cipher.split("-")
        if "ADH" not in parts and "EDH" not in parts and "DHE" not in parts:
-            self.fail("Non-DH cipher: " + cipher[0])
+            self.fail("Non-DH key exchange: " + cipher[0])
    def test_ecdh_curve(self):
        # server secp384r1, client auto
@ -4136,8 +4178,9 @@ class ThreadedTests(unittest.TestCase):
                                           chatty=False,
                                           sni_name='supermessage')
-            self.assertEqual(cm.exception.reason,
+            # Allow for flexible libssl error messages.
-                             'SSLV3_ALERT_HANDSHAKE_FAILURE')
+            regex = "(SSLV3_ALERT_HANDSHAKE_FAILURE|NO_PRIVATE_VALUE)"
            self.assertRegex(regex, cm.exception.reason)
            self.assertEqual(catch.unraisable.exc_type, ZeroDivisionError)
    def test_sni_callback_wrong_return_type(self):
--- a/Misc/NEWS.d/next/Tests/2024-03-21-11-32-29.gh-issue-116333.F-9Ram.rst
+++ b/Misc/NEWS.d/next/Tests/2024-03-21-11-32-29.gh-issue-116333.F-9Ram.rst
@ -0,0 +1,3 @@
 Tests of TLS related things (error codes, etc) were updated to be more
 lenient about specific error message strings and behaviors as seen in the
 BoringSSL and AWS-LC forks of OpenSSL.