def test_s2n_server_with_early_data_max_exceeded(managed_process, tmp_path,
cipher, curve, certificate,
protocol, provider,
other_provider,
excess_early_data):
ticket_file = str(tmp_path / TICKET_FILE)
early_data_file = str(tmp_path / EARLY_DATA_FILE)
early_data = get_early_data_bytes(early_data_file,
MAX_EARLY_DATA + excess_early_data)
options = ProviderOptions(
port=next(available_ports),
cipher=cipher,
curve=curve,
protocol=protocol,
insecure=True,
use_session_ticket=True,
data_to_send=DATA_TO_SEND,
)
options.ticket_file = ticket_file
options.early_data_file = early_data_file
options.max_early_data = MAX_EARLY_DATA + excess_early_data
get_ticket_from_s2n_server(options, managed_process, provider, certificate)
options.max_early_data = MAX_EARLY_DATA
client_options = copy.copy(options)
client_options.mode = Provider.ClientMode
server_options = copy.copy(options)
server_options.mode = Provider.ServerMode
s2n_server = managed_process(S2N, server_options, timeout=10)
client = managed_process(provider, client_options, timeout=10)
for results in client.get_results():
"""
We can't make any assertions about the client exit_code.
To avoid blinding delays, s2nd doesn't call s2n_shutdown for a failed negotiation.
That means that instead of sending close_notify, we just close the socket.
Whether the peer interprets this as a failure or EoF depends on its state.
"""
assert results.exception is None
assert DATA_TO_SEND not in results.stdout
for results in s2n_server.get_results():
assert results.exception is None
assert results.exit_code != 0
# Full early data should not be reported
assert early_data not in results.stdout
# Partial early data should be reported
assert (to_bytes(S2N_EARLY_DATA_RECV_MARKER) +
early_data[:MAX_EARLY_DATA]) in results.stdout
assert to_bytes("Bad message encountered") in results.stderr
def test_s2n_client_with_early_data_rejected_via_hrr(managed_process, tmp_path,
cipher, curve,
certificate, protocol,
provider, other_provider,
early_data_size):
if provider == S2N:
pytest.skip(
"S2N does not respect ProviderOptions.curve, so does not trigger a retry"
)
early_data_file = str(tmp_path / EARLY_DATA_FILE)
early_data = get_early_data_bytes(early_data_file, early_data_size)
options = ProviderOptions(
port=next(available_ports),
cipher=cipher,
curve=curve,
protocol=protocol,
insecure=True,
use_session_ticket=True,
reconnect=True,
)
options.ticket_file = None
options.early_data_file = early_data_file
options.max_early_data = MAX_EARLY_DATA
client_options = copy.copy(options)
client_options.mode = Provider.ClientMode
server_options = copy.copy(options)
server_options.mode = Provider.ServerMode
server_options.key = certificate.key # Required for the initial connection
server_options.cert = certificate.cert # Required for the initial connection
server_options.reconnects_before_exit = NUM_CONNECTIONS
server = managed_process(provider, server_options, timeout=10)
s2n_client = managed_process(S2N, client_options, timeout=10)
for results in s2n_client.get_results():
results.assert_success()
assert S2N_EARLY_DATA_MARKER not in results.stdout
assert S2N_HRR_MARKER in results.stdout
assert results.stdout.count(
to_bytes(S2N_EARLY_DATA_REJECTED_MARKER)) == NUM_RESUMES
for results in server.get_results():
results.assert_success()
assert early_data not in results.stdout
def test_s2n_server_with_early_data_rejected_via_hrr(managed_process, tmp_path,
cipher, curve,
certificate, protocol,
provider, other_provider,
early_data_size):
ticket_file = str(tmp_path / TICKET_FILE)
early_data_file = str(tmp_path / EARLY_DATA_FILE)
early_data = get_early_data_bytes(early_data_file, early_data_size)
options = ProviderOptions(
port=next(available_ports),
cipher=cipher,
curve=(S2N_UNSUPPORTED_CURVE + ":" + str(curve)),
protocol=protocol,
insecure=True,
use_session_ticket=True,
data_to_send=DATA_TO_SEND,
)
options.ticket_file = ticket_file
options.early_data_file = early_data_file
options.max_early_data = MAX_EARLY_DATA
get_ticket_from_s2n_server(options, managed_process, provider, certificate)
client_options = copy.copy(options)
client_options.mode = Provider.ClientMode
server_options = copy.copy(options)
server_options.mode = Provider.ServerMode
s2n_server = managed_process(S2N, server_options, timeout=10)
client = managed_process(provider, client_options, timeout=10)
for results in client.get_results():
results.assert_success()
assert early_data not in results.stdout
for results in s2n_server.get_results():
results.assert_success()
assert S2N_EARLY_DATA_MARKER not in results.stdout
assert S2N_HRR_MARKER in results.stdout
assert to_bytes(S2N_EARLY_DATA_RECV_MARKER) not in results.stdout
assert to_bytes(S2N_EARLY_DATA_REJECTED_MARKER) in results.stdout
assert DATA_TO_SEND in results.stdout
def test_s2n_server_with_early_data(managed_process, tmp_path, cipher, curve,
protocol, provider, certificate,
early_data_size):
ticket_file = str(tmp_path / TICKET_FILE)
early_data_file = str(tmp_path / EARLY_DATA_FILE)
early_data = get_early_data_bytes(early_data_file, early_data_size)
options = ProviderOptions(
port=next(available_ports),
cipher=cipher,
curve=curve,
protocol=protocol,
insecure=True,
use_session_ticket=True,
data_to_send=DATA_TO_SEND,
)
options.ticket_file = ticket_file
options.early_data_file = early_data_file
options.max_early_data = MAX_EARLY_DATA
get_ticket_from_s2n_server(options, managed_process, provider, certificate)
client_options = copy.copy(options)
client_options.mode = Provider.ClientMode
server_options = copy.copy(options)
server_options.mode = Provider.ServerMode
s2n_server = managed_process(S2N, server_options)
client = managed_process(provider, client_options)
for results in client.get_results():
results.assert_success()
for results in s2n_server.get_results():
results.assert_success()
assert S2N_EARLY_DATA_MARKER in results.stdout
assert (to_bytes(S2N_EARLY_DATA_RECV_MARKER) +
early_data) in results.stdout
assert to_bytes(S2N_EARLY_DATA_ACCEPTED_MARKER) in results.stdout
assert DATA_TO_SEND in results.stdout
def test_s2n_client_without_early_data(managed_process, tmp_path, cipher,
certificate, protocol, provider,
other_provider):
early_data_file = str(tmp_path / EARLY_DATA_FILE)
early_data = get_early_data_bytes(early_data_file, MAX_EARLY_DATA)
options = ProviderOptions(
port=next(available_ports),
cipher=cipher,
protocol=protocol,
insecure=True,
use_session_ticket=True,
reconnect=True,
)
options.ticket_file = None
options.early_data_file = early_data_file
options.max_early_data = 0
client_options = copy.copy(options)
client_options.mode = Provider.ClientMode
server_options = copy.copy(options)
server_options.mode = Provider.ServerMode
server_options.key = certificate.key # Required for the initial connection
server_options.cert = certificate.cert # Required for the initial connection
server_options.reconnects_before_exit = NUM_CONNECTIONS
server = managed_process(provider, server_options, timeout=10)
s2n_client = managed_process(S2N, client_options, timeout=10)
for results in server.get_results():
results.assert_success()
assert early_data not in results.stdout
for results in s2n_client.get_results():
results.assert_success()
assert S2N_EARLY_DATA_MARKER not in results.stdout
assert results.stdout.count(
to_bytes(S2N_EARLY_DATA_NOT_REQUESTED_MARKER)) == NUM_CONNECTIONS
