def test_s2n_server_signature_algorithms(managed_process, cipher, provider, protocol, certificate, signature, client_auth):
    """Handshake an s2n server against *provider*'s client with a pinned signature algorithm.

    Client and server are built from one ProviderOptions, both carrying
    ``signature_algorithm=signature``. The server's output is then checked for the
    expected protocol version line, the server-side signature marker, the
    client-side marker (present exactly when client auth is enabled) and the
    echoed application data.
    """
    listen_port = next(available_ports)
    payload = data_bytes(64)

    client_options = ProviderOptions(
        mode=Provider.ClientMode,
        port=listen_port,
        cipher=cipher,
        data_to_send=payload,
        insecure=False,
        use_client_auth=client_auth,
        key=certificate.key,
        cert=certificate.cert,
        signature_algorithm=signature,
        protocol=protocol,
    )
    # GnuTLS fails the CA verification. It must be run with this check disabled.
    if provider == GnuTLS:
        client_options.extra_flags = ["--no-ca-verification"]

    # The server reuses the client configuration except for role, flags and payload.
    server_options = copy.copy(client_options)
    server_options.mode = Provider.ServerMode
    server_options.extra_flags = None
    server_options.data_to_send = None
    server_options.key = certificate.key
    server_options.cert = certificate.cert

    server = managed_process(S2N, server_options, timeout=5)
    client = managed_process(provider, client_options, timeout=5)

    for client_result in client.get_results():
        client_result.assert_success()

    expected_version = get_expected_s2n_version(protocol, provider)
    version_line = to_bytes("Actual protocol version: {}".format(expected_version))

    for server_result in server.get_results():
        server_result.assert_success()
        output = server_result.stdout
        assert version_line in output
        assert signature_marker(Provider.ServerMode, signature) in output
        # The client-side marker must appear if and only if client auth was requested.
        client_signed = signature_marker(Provider.ClientMode, signature) in output
        assert client_signed == client_auth
        assert payload in output
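def test_s2nd_falls_back_to_full_connection(managed_process, tmp_path, cipher, curve, protocol, provider, certificate):
    """
    This test will set up a full connection with an Openssl client and server to obtain a
    valid Openssl session ticket. Then, the Openssl client attempts to send the received
    session ticket to an s2n server to resume a session. s2nd will fallback to a full
    connection as it does not recognize the session ticket.
    """
    # NOTE: this text was previously a bare string expression after the first statements,
    # so it was not the function's docstring; it now sits where pytest/help tooling reads it.
    port = str(next(available_ports))
    # Use temp directory to store session tickets
    p = tmp_path / 'ticket.pem'
    path_to_ticket = str(p)

    # insecure=True presumably disables peer certificate verification on the client;
    # the assertions below only concern ticket handling, not trust validation.
    # '-sess_out' makes the client write the session it receives to path_to_ticket.
    client_options = ProviderOptions(
        mode=Provider.ClientMode,
        host="localhost",
        port=port,
        cipher=cipher,
        curve=curve,
        insecure=True,
        reconnect=False,
        extra_flags=['-sess_out', path_to_ticket],
        data_to_send=data_bytes(4069),
        protocol=protocol,
    )
    server_options = copy.copy(client_options)
    server_options.mode = Provider.ServerMode
    server_options.key = certificate.key
    server_options.cert = certificate.cert
    server_options.extra_flags = None

    # Round one: both sides are the third-party provider, so the ticket is theirs.
    server = managed_process(provider, server_options, timeout=5)
    client = managed_process(provider, client_options, timeout=5)

    # The client should have received a session ticket
    for results in client.get_results():
        assert results.exception is None
        assert results.exit_code == 0
        assert b'Post-Handshake New Session Ticket arrived:' in results.stdout

    for results in server.get_results():
        assert results.exception is None
        assert results.exit_code == 0
        # Server should have sent certificate message as this is a full connection
        assert b'SSL_accept:SSLv3/TLS write certificate' in results.stderr

    # Client inputs received session ticket to resume a session
    assert os.path.exists(path_to_ticket)
    client_options.extra_flags = ['-sess_in', path_to_ticket]

    port = str(next(available_ports))
    client_options.port = port
    server_options.port = port

    # Switch providers so now s2n is the server
    server = managed_process(S2N, server_options, timeout=5)
    client = managed_process(provider, client_options, timeout=5)

    s2n_version = get_expected_s2n_version(protocol, provider)

    # Client has read server certificate because this is a full connection
    for results in client.get_results():
        assert results.exception is None
        assert results.exit_code == 0
        assert bytes("SSL_connect:SSLv3/TLS read server certificate".encode(
            'utf-8')) in results.stderr

    # The server should indicate a session has not been resumed
    for results in server.get_results():
        assert results.exception is None
        # Any s2nd diagnostic on stderr (e.g. a rejected ticket reported as an error) fails the test.
        assert not results.stderr
        assert results.exit_code == 0
        assert b'Resumed session' not in results.stdout
        assert bytes("Actual protocol version: {}".format(s2n_version).encode(
            'utf-8')) in results.stdout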
def test_tls13_session_resumption_s2n_server(managed_process, tmp_path, cipher, curve, protocol, provider, certificate):
    """Resume a session against an s2n server with a ticket issued on an earlier connection.

    Round one is a full handshake: the s2n server runs with session tickets
    enabled and the client stores the ticket it receives in a temp file
    (``-sess_out``). Round two replays that file (``-sess_in``) on a fresh port;
    the client must not read a server certificate and the server must report a
    resumed session at the expected protocol version.
    """
    # Use temp directory to store session tickets
    ticket_file = str(tmp_path / 'ticket.pem')

    client_options = ProviderOptions(
        mode=Provider.ClientMode,
        host="localhost",
        port=str(next(available_ports)),
        cipher=cipher,
        curve=curve,
        insecure=True,
        reconnect=False,
        data_to_send=data_bytes(4069),
        extra_flags=['-sess_out', ticket_file],
        protocol=protocol,
    )
    server_options = copy.copy(client_options)
    server_options.mode = Provider.ServerMode
    server_options.extra_flags = None
    server_options.use_session_ticket = True
    server_options.key = certificate.key
    server_options.cert = certificate.cert

    server = managed_process(S2N, server_options, timeout=5)
    client = managed_process(provider, client_options, timeout=5)

    # Round one: the client must have been handed a ticket ...
    for client_result in client.get_results():
        assert client_result.exception is None
        assert client_result.exit_code == 0
        assert b'Post-Handshake New Session Ticket arrived:' in client_result.stdout

    # ... over a full, not resumed, handshake.
    for server_result in server.get_results():
        assert server_result.exception is None
        assert server_result.exit_code == 0
        assert b'Resumed session' not in server_result.stdout

    # Round two: feed the stored ticket back in on a new port.
    assert os.path.exists(ticket_file)
    client_options.extra_flags = ['-sess_in', ticket_file]
    resume_port = str(next(available_ports))
    client_options.port = resume_port
    server_options.port = resume_port

    server = managed_process(S2N, server_options, timeout=5)
    client = managed_process(provider, client_options, timeout=5)

    s2n_version = get_expected_s2n_version(protocol, provider)
    version_line = "Actual protocol version: {}".format(s2n_version).encode('utf-8')

    # A resumed session carries no server certificate message for the client to read.
    for client_result in client.get_results():
        assert client_result.exception is None
        assert client_result.exit_code == 0
        assert b"SSL_connect:SSLv3/TLS read server certificate" not in client_result.stderr

    # The server must report the resumption and stay silent on stderr.
    for server_result in server.get_results():
        assert server_result.exception is None
        assert server_result.exit_code == 0
        assert not server_result.stderr
        assert b'Resumed session' in server_result.stdout
        assert version_line in server_result.stdout