def test_oqs_openssl_to_s2nd_pq_handshake(managed_process, protocol, cipher,
kem_group):
# If PQ is not enabled in s2n, there is no reason to test against oqs_openssl
if not pq_enabled():
return
port = next(available_ports)
client_options = ProviderOptions(
mode=Provider.ClientMode,
port=port,
protocol=protocol,
env_overrides=get_oqs_openssl_override_env_vars(),
extra_flags=['-groups', kem_group.oqs_name])
server_options = ProviderOptions(mode=Provider.ServerMode,
port=port,
protocol=protocol,
cipher=cipher,
cert=Certificates.RSA_4096_SHA512.cert,
key=Certificates.RSA_4096_SHA512.key)
server = managed_process(S2N, server_options, timeout=5)
client = managed_process(OpenSSL, client_options, timeout=5)
expected_result = EXPECTED_RESULTS.get((kem_group, cipher), None)
for results in client.get_results():
# Client is OQS OpenSSL; just ensure the process exited successfully
results.assert_success()
for results in server.get_results():
# Server is s2n; can make meaningful assertions about negotiation
results.assert_success()
assert_s2n_negotiation_parameters(results, expected_result)
def test_s2nc_to_s2nd_pq_handshake(managed_process, protocol, certificate,
client_cipher, server_cipher, provider,
other_provider):
# Incorrect cipher is negotiated when both ciphers are PQ_TLS_1_0_2020_12 with
# openssl 1.0.2, boringssl, and libressl libcryptos
if all([
client_cipher == Ciphers.PQ_TLS_1_0_2020_12,
server_cipher == Ciphers.PQ_TLS_1_0_2020_12,
any([
libcrypto in get_flag(S2N_PROVIDER_VERSION)
for libcrypto in ["boringssl", "libressl", "openssl-1.0.2"]
])
]):
pytest.skip()
port = next(available_ports)
client_options = ProviderOptions(mode=Provider.ClientMode,
port=port,
insecure=True,
cipher=client_cipher,
protocol=protocol)
server_options = ProviderOptions(mode=Provider.ServerMode,
port=port,
protocol=protocol,
cipher=server_cipher,
cert=certificate.cert,
key=certificate.key)
server = managed_process(S2N, server_options, timeout=5)
client = managed_process(S2N, client_options, timeout=5)
if pq_enabled():
expected_result = EXPECTED_RESULTS.get((client_cipher, server_cipher),
None)
else:
# If PQ is not enabled in s2n, we expect classic handshakes to be negotiated.
# Leave the expected cipher blank, as there are multiple possibilities - the
# important thing is that kem and kem_group are NONE.
expected_result = {"cipher": "", "kem": "NONE", "kem_group": "NONE"}
# Client and server are both s2n; can make meaningful assertions about negotiation for both
for results in client.get_results():
results.assert_success()
assert_s2n_negotiation_parameters(results, expected_result)
for results in server.get_results():
results.assert_success()
assert_s2n_negotiation_parameters(results, expected_result)
def test_s2nc_to_s2nd_pq_handshake(managed_process, protocol, client_cipher,
server_cipher):
host = "localhost"
port = next(available_ports)
client_options = ProviderOptions(mode=Provider.ClientMode,
host=host,
port=port,
insecure=True,
cipher=client_cipher,
protocol=protocol)
server_options = ProviderOptions(mode=Provider.ServerMode,
host=host,
port=port,
protocol=protocol,
cipher=server_cipher,
cert=Certificates.RSA_4096_SHA512.cert,
key=Certificates.RSA_4096_SHA512.key)
server = managed_process(S2N, server_options, timeout=5)
client = managed_process(S2N, client_options, timeout=5)
if pq_enabled():
expected_result = EXPECTED_RESULTS.get((client_cipher, server_cipher),
None)
else:
# If PQ is not enabled in s2n, we expect classic handshakes to be negotiated.
# Leave the expected cipher blank, as there are multiple possibilities - the
# important thing is that kem and kem_group are NONE.
expected_result = {"cipher": "", "kem": "NONE", "kem_group": "NONE"}
# Client and server are both s2n; can make meaningful assertions about negotiation for both
for results in client.get_results():
assert results.exception is None
assert results.exit_code == 0
assert_s2n_negotiation_parameters(results, expected_result)
for results in server.get_results():
assert results.exception is None
assert results.exit_code == 0
assert_s2n_negotiation_parameters(results, expected_result)
"twitter.com",
"wikipedia.org",
"yahoo.com",
"kms.us-east-1.amazonaws.com",
]
CIPHERS = [
None, # `None` will default to the appropriate `test_all` cipher preference in the S2N client provider
Ciphers.KMS_PQ_TLS_1_0_2019_06,
Ciphers.PQ_SIKE_TEST_TLS_1_0_2019_11,
Ciphers.KMS_PQ_TLS_1_0_2020_07,
Ciphers.KMS_PQ_TLS_1_0_2020_02,
Ciphers.PQ_SIKE_TEST_TLS_1_0_2020_02
]
if pq_enabled():
EXPECTED_RESULTS = {
("kms.us-east-1.amazonaws.com", Ciphers.KMS_PQ_TLS_1_0_2019_06): {
"cipher": "ECDHE-BIKE-RSA-AES256-GCM-SHA384",
"kem": "BIKE1r1-Level1"
},
("kms.us-east-1.amazonaws.com", Ciphers.PQ_SIKE_TEST_TLS_1_0_2019_11):
{
"cipher": "ECDHE-SIKE-RSA-AES256-GCM-SHA384",
"kem": "SIKEp503r1-KEM"
},
("kms.us-east-1.amazonaws.com", Ciphers.KMS_PQ_TLS_1_0_2020_07): {
"cipher": "ECDHE-KYBER-RSA-AES256-GCM-SHA384",
"kem": "kyber512r2"
},
("kms.us-east-1.amazonaws.com", Ciphers.KMS_PQ_TLS_1_0_2020_02): {
