def test_oqs_openssl_to_s2nd_pq_handshake(managed_process, protocol, cipher, kem_group): # If PQ is not enabled in s2n, there is no reason to test against oqs_openssl if not pq_enabled(): return port = next(available_ports) client_options = ProviderOptions( mode=Provider.ClientMode, port=port, protocol=protocol, env_overrides=get_oqs_openssl_override_env_vars(), extra_flags=['-groups', kem_group.oqs_name]) server_options = ProviderOptions(mode=Provider.ServerMode, port=port, protocol=protocol, cipher=cipher, cert=Certificates.RSA_4096_SHA512.cert, key=Certificates.RSA_4096_SHA512.key) server = managed_process(S2N, server_options, timeout=5) client = managed_process(OpenSSL, client_options, timeout=5) expected_result = EXPECTED_RESULTS.get((kem_group, cipher), None) for results in client.get_results(): # Client is OQS OpenSSL; just ensure the process exited successfully results.assert_success() for results in server.get_results(): # Server is s2n; can make meaningful assertions about negotiation results.assert_success() assert_s2n_negotiation_parameters(results, expected_result)
def test_s2nc_to_s2nd_pq_handshake(managed_process, protocol, certificate, client_cipher, server_cipher, provider, other_provider): # Incorrect cipher is negotiated when both ciphers are PQ_TLS_1_0_2020_12 with # openssl 1.0.2, boringssl, and libressl libcryptos if all([ client_cipher == Ciphers.PQ_TLS_1_0_2020_12, server_cipher == Ciphers.PQ_TLS_1_0_2020_12, any([ libcrypto in get_flag(S2N_PROVIDER_VERSION) for libcrypto in ["boringssl", "libressl", "openssl-1.0.2"] ]) ]): pytest.skip() port = next(available_ports) client_options = ProviderOptions(mode=Provider.ClientMode, port=port, insecure=True, cipher=client_cipher, protocol=protocol) server_options = ProviderOptions(mode=Provider.ServerMode, port=port, protocol=protocol, cipher=server_cipher, cert=certificate.cert, key=certificate.key) server = managed_process(S2N, server_options, timeout=5) client = managed_process(S2N, client_options, timeout=5) if pq_enabled(): expected_result = EXPECTED_RESULTS.get((client_cipher, server_cipher), None) else: # If PQ is not enabled in s2n, we expect classic handshakes to be negotiated. # Leave the expected cipher blank, as there are multiple possibilities - the # important thing is that kem and kem_group are NONE. expected_result = {"cipher": "", "kem": "NONE", "kem_group": "NONE"} # Client and server are both s2n; can make meaningful assertions about negotiation for both for results in client.get_results(): results.assert_success() assert_s2n_negotiation_parameters(results, expected_result) for results in server.get_results(): results.assert_success() assert_s2n_negotiation_parameters(results, expected_result)
def test_s2nc_to_s2nd_pq_handshake(managed_process, protocol, client_cipher, server_cipher): host = "localhost" port = next(available_ports) client_options = ProviderOptions(mode=Provider.ClientMode, host=host, port=port, insecure=True, cipher=client_cipher, protocol=protocol) server_options = ProviderOptions(mode=Provider.ServerMode, host=host, port=port, protocol=protocol, cipher=server_cipher, cert=Certificates.RSA_4096_SHA512.cert, key=Certificates.RSA_4096_SHA512.key) server = managed_process(S2N, server_options, timeout=5) client = managed_process(S2N, client_options, timeout=5) if pq_enabled(): expected_result = EXPECTED_RESULTS.get((client_cipher, server_cipher), None) else: # If PQ is not enabled in s2n, we expect classic handshakes to be negotiated. # Leave the expected cipher blank, as there are multiple possibilities - the # important thing is that kem and kem_group are NONE. expected_result = {"cipher": "", "kem": "NONE", "kem_group": "NONE"} # Client and server are both s2n; can make meaningful assertions about negotiation for both for results in client.get_results(): assert results.exception is None assert results.exit_code == 0 assert_s2n_negotiation_parameters(results, expected_result) for results in server.get_results(): assert results.exception is None assert results.exit_code == 0 assert_s2n_negotiation_parameters(results, expected_result)
"twitter.com", "wikipedia.org", "yahoo.com", "kms.us-east-1.amazonaws.com", ] CIPHERS = [ None, # `None` will default to the appropriate `test_all` cipher preference in the S2N client provider Ciphers.KMS_PQ_TLS_1_0_2019_06, Ciphers.PQ_SIKE_TEST_TLS_1_0_2019_11, Ciphers.KMS_PQ_TLS_1_0_2020_07, Ciphers.KMS_PQ_TLS_1_0_2020_02, Ciphers.PQ_SIKE_TEST_TLS_1_0_2020_02 ] if pq_enabled(): EXPECTED_RESULTS = { ("kms.us-east-1.amazonaws.com", Ciphers.KMS_PQ_TLS_1_0_2019_06): { "cipher": "ECDHE-BIKE-RSA-AES256-GCM-SHA384", "kem": "BIKE1r1-Level1" }, ("kms.us-east-1.amazonaws.com", Ciphers.PQ_SIKE_TEST_TLS_1_0_2019_11): { "cipher": "ECDHE-SIKE-RSA-AES256-GCM-SHA384", "kem": "SIKEp503r1-KEM" }, ("kms.us-east-1.amazonaws.com", Ciphers.KMS_PQ_TLS_1_0_2020_07): { "cipher": "ECDHE-KYBER-RSA-AES256-GCM-SHA384", "kem": "kyber512r2" }, ("kms.us-east-1.amazonaws.com", Ciphers.KMS_PQ_TLS_1_0_2020_02): {