def invalid_version_negotiation_test_parameters(*args, **kwargs):
# Since s2nd/s2nc will always be using TLS 1.3, make sure the libcrypto is compatible
if invalid_test_parameters(**{
"provider": S2N,
"protocol": Protocols.TLS13
}):
return True
return invalid_test_parameters(*args, **kwargs)
def invalid_pq_handshake_test_parameters(*args, **kwargs):
client_cipher_kwargs = kwargs.copy()
client_cipher_kwargs["cipher"] = kwargs["client_cipher"]
server_cipher_kwargs = kwargs.copy()
server_cipher_kwargs["cipher"] = kwargs["server_cipher"]
# `or` is correct: invalid_test_parameters() returns True if the parameters are invalid;
# we want to return True here if either of the sets of parameters are invalid.
return invalid_test_parameters(
*args, **client_cipher_kwargs) or invalid_test_parameters(
*args, **server_cipher_kwargs)
def invalid_certificate_scans_parameters(*args, **kwargs):
certificate = kwargs["certificate"]
certificate_scan = kwargs["certificate_scan"]
protocol = kwargs["protocol"]
if certificate_scan == CertificateScan.CIPHER_SUITE_SCAN:
if "openssl-1.0.2" in get_flag(S2N_PROVIDER_VERSION):
# SSLyze scan results in rejected ciphers that should have been accepted
# for TLS 1.2
if protocol == Protocols.TLS12:
return True
if "fips" in get_flag(S2N_PROVIDER_VERSION):
# BUG_IN_SSLYZE / TLS version supported assertion failures for ECDSA scans
# in SSLv3 and RSA with TLS version < 1.2 with fips libcryptos
if "ECDSA" in certificate.name and protocol == Protocols.SSLv3:
return True
if "RSA" in certificate.name and protocol in [
Protocols.SSLv3, Protocols.TLS10, Protocols.TLS11
]:
return True
elif certificate_scan == CertificateScan.ELLIPTIC_CURVE_SCAN:
# SSLyze curves scan errors when given ECDSA certs
if "ECDSA" in certificate.name:
return True
# SSLyze curves scan fails to validate with openssl 1.0.2 fips
if "openssl-1.0.2-fips" in get_flag(S2N_PROVIDER_VERSION):
return True
return invalid_test_parameters(*args, **kwargs)
def invalid_test_parameters_frag_len(*args, **kwargs):
provider = kwargs.get("provider")
frag_len = kwargs.get("frag_len")
# Check to make sure frag_len is compatible with gnutls.
if provider == GnuTLS:
if frag_len > 4096:
return True
return invalid_test_parameters(*args, **kwargs)
def filter_cipher_list(*args, **kwargs):
"""
The framework normally filters out ciphers that are not supported by the chosen
protocol. That doesn't happen in this test because of the unique way ciphers are
grouped for the multi certificate tests.
This function handles that unique grouping.
"""
protocol = kwargs.get('protocol')
cert_test_case = kwargs.get('cert_test_case')
lowest_protocol_cipher = min(cert_test_case.client_ciphers,
key=lambda x: x.min_version)
if protocol < lowest_protocol_cipher.min_version:
return True
return invalid_test_parameters(*args, **kwargs)
def skip_ciphers(*args, **kwargs):
cert = kwargs.get('certificate')
cipher = kwargs.get('cipher')
protocol = kwargs.get('protocol')
sigalg = kwargs.get('signature')
if not cert.compatible_with_cipher(cipher):
return True
if not cert.compatible_with_sigalg(sigalg):
return True
if protocol > sigalg.max_protocol:
return True
if protocol < sigalg.min_protocol:
return True
return invalid_test_parameters(*args, **kwargs)
def invalid_sslyze_scan_parameters(*args, **kwargs):
scan_command = kwargs["scan_command"]
protocol = kwargs["protocol"]
# BUG_IN_SSLYZE error in TLS compression and session renegotiation scans
# in fips libcryptos when TLS version < 1.3
if "fips" in get_flag(
S2N_PROVIDER_VERSION) and protocol != Protocols.TLS13:
if scan_command in [
sslyze.ScanCommand.TLS_COMPRESSION,
sslyze.ScanCommand.SESSION_RENEGOTIATION
]:
return True
# BUG_IN_SSLYZE error for session resumption scan with openssl 1.0.2 fips
if "openssl-1.0.2-fips" in get_flag(S2N_PROVIDER_VERSION):
if scan_command == sslyze.ScanCommand.SESSION_RESUMPTION:
return True
return invalid_test_parameters(*args, **kwargs)
def skip_ciphers(*args, **kwargs):
cert = kwargs.get('certificate')
cipher = kwargs.get('cipher')
protocol = kwargs.get('protocol')
sigalg = kwargs.get('signature')
if not cert.compatible_with_cipher(cipher):
return True
if not cert.compatible_with_sigalg(sigalg):
return True
if protocol is Protocols.TLS13 and sigalg.min_protocol is not Protocols.TLS13:
return True
if protocol < sigalg.min_protocol:
return True
if cipher in unsupported_ciphers:
return True
return invalid_test_parameters(*args, **kwargs)
class CipherSuitesVerifier(ScanVerifier):
def assert_scan_success(self):
assert self.scan_result.is_tls_version_supported is True
rejected_ciphers = [
cipher
for rejected_cipher in self.scan_result.rejected_cipher_suites
if (cipher := Ciphers.from_iana(rejected_cipher.cipher_suite.name))
]
for cipher in rejected_ciphers:
# if a cipher is rejected, it should be an invalid test parameter in combination with the
# protocol/provider/cert, otherwise it should have been accepted
assert invalid_test_parameters(protocol=self.protocol,
provider=S2N,
certificate=self.certificate,
cipher=cipher)
class EllipticCurveVerifier(ScanVerifier):
def assert_scan_success(self):
assert self.scan_result.supports_ecdh_key_exchange is True
rejected_curves = [
curve for rejected_curve in self.scan_result.rejected_curves
if (curve := {
"X25519": Curves.X25519,
"prime256v1": Curves.P256,
"prime384v1": Curves.P384,
"prime521v1": Curves.P521
}.get(rejected_curve.name))