def test_s2n_server_with_early_data_max_exceeded(managed_process, tmp_path, cipher, curve, certificate, protocol, provider, other_provider, excess_early_data): ticket_file = str(tmp_path / TICKET_FILE) early_data_file = str(tmp_path / EARLY_DATA_FILE) early_data = get_early_data_bytes(early_data_file, MAX_EARLY_DATA + excess_early_data) options = ProviderOptions( port=next(available_ports), cipher=cipher, curve=curve, protocol=protocol, insecure=True, use_session_ticket=True, data_to_send=DATA_TO_SEND, ) options.ticket_file = ticket_file options.early_data_file = early_data_file options.max_early_data = MAX_EARLY_DATA + excess_early_data get_ticket_from_s2n_server(options, managed_process, provider, certificate) options.max_early_data = MAX_EARLY_DATA client_options = copy.copy(options) client_options.mode = Provider.ClientMode server_options = copy.copy(options) server_options.mode = Provider.ServerMode s2n_server = managed_process(S2N, server_options, timeout=10) client = managed_process(provider, client_options, timeout=10) for results in client.get_results(): """ We can't make any assertions about the client exit_code. To avoid blinding delays, s2nd doesn't call s2n_shutdown for a failed negotiation. That means that instead of sending close_notify, we just close the socket. Whether the peer interprets this as a failure or EoF depends on its state. """ assert results.exception is None assert DATA_TO_SEND not in results.stdout for results in s2n_server.get_results(): assert results.exception is None assert results.exit_code != 0 # Full early data should not be reported assert early_data not in results.stdout # Partial early data should be reported assert (to_bytes(S2N_EARLY_DATA_RECV_MARKER) + early_data[:MAX_EARLY_DATA]) in results.stdout assert to_bytes("Bad message encountered") in results.stderr
def test_s2n_server_with_early_data_rejected(managed_process, tmp_path, cipher, curve, certificate, protocol, provider, other_provider, early_data_size): ticket_file = str(tmp_path / TICKET_FILE) early_data_file = str(tmp_path / EARLY_DATA_FILE) early_data = get_early_data_bytes(early_data_file, early_data_size) options = ProviderOptions( port=next(available_ports), cipher=cipher, curve=curve, protocol=protocol, insecure=True, use_session_ticket=True, data_to_send=DATA_TO_SEND, ) options.ticket_file = ticket_file options.early_data_file = early_data_file options.max_early_data = MAX_EARLY_DATA get_ticket_from_s2n_server(options, managed_process, provider, certificate) options.max_early_data = 0 client_options = copy.copy(options) client_options.mode = Provider.ClientMode server_options = copy.copy(options) server_options.mode = Provider.ServerMode s2n_server = managed_process(S2N, server_options, timeout=10) client = managed_process(provider, client_options, timeout=10) for results in client.get_results(): results.assert_success() for results in s2n_server.get_results(): results.assert_success() assert S2N_EARLY_DATA_MARKER not in results.stdout assert S2N_HRR_MARKER not in results.stdout assert to_bytes(S2N_EARLY_DATA_RECV_MARKER) not in results.stdout assert to_bytes(S2N_EARLY_DATA_REJECTED_MARKER) in results.stdout assert DATA_TO_SEND in results.stdout
def test_s2n_client_with_early_data_rejected_via_hrr(managed_process, tmp_path, cipher, curve, certificate, protocol, provider, other_provider, early_data_size): if provider == S2N: pytest.skip( "S2N does not respect ProviderOptions.curve, so does not trigger a retry" ) early_data_file = str(tmp_path / EARLY_DATA_FILE) early_data = get_early_data_bytes(early_data_file, early_data_size) options = ProviderOptions( port=next(available_ports), cipher=cipher, curve=curve, protocol=protocol, insecure=True, use_session_ticket=True, reconnect=True, ) options.ticket_file = None options.early_data_file = early_data_file options.max_early_data = MAX_EARLY_DATA client_options = copy.copy(options) client_options.mode = Provider.ClientMode server_options = copy.copy(options) server_options.mode = Provider.ServerMode server_options.key = certificate.key # Required for the initial connection server_options.cert = certificate.cert # Required for the initial connection server_options.reconnects_before_exit = NUM_CONNECTIONS server = managed_process(provider, server_options, timeout=10) s2n_client = managed_process(S2N, client_options, timeout=10) for results in s2n_client.get_results(): results.assert_success() assert S2N_EARLY_DATA_MARKER not in results.stdout assert S2N_HRR_MARKER in results.stdout assert results.stdout.count( to_bytes(S2N_EARLY_DATA_REJECTED_MARKER)) == NUM_RESUMES for results in server.get_results(): results.assert_success() assert early_data not in results.stdout
def test_s2n_client_without_early_data(managed_process, tmp_path, cipher, certificate, protocol, provider, other_provider): early_data_file = str(tmp_path / EARLY_DATA_FILE) early_data = get_early_data_bytes(early_data_file, MAX_EARLY_DATA) options = ProviderOptions( port=next(available_ports), cipher=cipher, protocol=protocol, insecure=True, use_session_ticket=True, reconnect=True, ) options.ticket_file = None options.early_data_file = early_data_file options.max_early_data = 0 client_options = copy.copy(options) client_options.mode = Provider.ClientMode server_options = copy.copy(options) server_options.mode = Provider.ServerMode server_options.key = certificate.key # Required for the initial connection server_options.cert = certificate.cert # Required for the initial connection server_options.reconnects_before_exit = NUM_CONNECTIONS server = managed_process(provider, server_options, timeout=10) s2n_client = managed_process(S2N, client_options, timeout=10) for results in server.get_results(): results.assert_success() assert early_data not in results.stdout for results in s2n_client.get_results(): results.assert_success() assert S2N_EARLY_DATA_MARKER not in results.stdout assert results.stdout.count( to_bytes(S2N_EARLY_DATA_NOT_REQUESTED_MARKER)) == NUM_CONNECTIONS