aws-crt 0.1.5 → 0.1.6

data/aws-crt-ffi/crt/s2n/tests/cbmc/templates/scripts/setup.py

@@ -5,9 +5,12 @@
 
 """Set up the CBMC proof instrastructure."""
 
+from pathlib import Path
 import logging
 import os
+import shutil
 
+import repository
 import util
 
 SRCDIR_TEXT = """
@@ -19,7 +22,7 @@ SRCDIR ?= $(abspath $(PROOF_ROOT)/{})
 LITANI_TEXT = """
 # Absolute path to the litani script.
 #
-LITANI ?= $(abspath $(PROOF_ROOT)/{})
+LITANI ?= {}
 """
 
 PROJECT_TEXT = """
@@ -40,11 +43,10 @@ def create_makefile_template_defines(
     if os.path.exists(makefile):
         logging.warning("Overwriting %s", makefile)
 
-    with open(makefile, "w") as fileobj:
+    with open(makefile, "w", encoding='utf-8') as fileobj:
         print(SRCDIR_TEXT.format(os.path.relpath(source_root, proof_root)),
               file=fileobj)
-        print(LITANI_TEXT.format(os.path.relpath(litani, proof_root)),
-              file=fileobj)
+        print(LITANI_TEXT.format(litani), file=fileobj)
         print(PROJECT_TEXT.format(project_name), file=fileobj)
 
 def main():
@@ -52,23 +54,20 @@ def main():
 
     logging.basicConfig(format='%(levelname)s: %(message)s')
 
-    source_root = util.read_source_root_path()
-
-    # the script is being run in the cbmc root
-    cbmc_root = os.path.abspath('.')
-
-    # the script is creating the proof root
-    proof_root = os.path.abspath('proofs')
-
-    # the script is linking to the litani script within the litani submodule
-    litani = util.read_litani_path()
-
-    # the name of the project used in project verification reports
-    project_name = util.read_project_name()
+    cbmc_root = Path.cwd()
+    proof_root = cbmc_root / "proofs"
+    source_root = repository.repository_root()
+    litani = "litani" if shutil.which("litani") else \
+        repository.litani_root() / "litani"
+    if litani != "litani":
+        relpath_from_litani_to_proof_root = os.path.relpath(litani, proof_root)
+        litani = f"$(abspath $(PROOF_ROOT)/{relpath_from_litani_to_proof_root})"
+    project_name = util.ask_for_project_name()
 
     util.copy_repository_templates(cbmc_root)
     create_makefile_template_defines(
-        proof_root, source_root, litani, project_name)
+        proof_root, source_root, litani, project_name
+    )
 
 if __name__ == "__main__":
     main()

data/aws-crt-ffi/crt/s2n/tests/cbmc/templates/scripts/util.py

@@ -3,9 +3,11 @@
 
 """Methods of manipulating the templates repository."""
 
+from pathlib import Path
 import logging
 import os
 import shutil
+import repository
 
 REPOSITORY_TEMPLATES = "template-for-repository"
 PROOF_TEMPLATES = "template-for-proof"
@@ -36,34 +38,47 @@ def templates_root():
     return os.path.dirname(script_dir())
 
 ################################################################
-# Read configuration information from the standard input
+# Ask the user for set up information
 
-def read_from_stdin():
-    return input().strip()
+def ask_for_project_name():
+    """Ask user for project name."""
 
-def read_path_from_stdin(description):
-    print("What is the path to {}? ".format(description), end="")
-    return os.path.abspath(os.path.expanduser(read_from_stdin()))
+    return input("What is the project name? ").strip()
 
-def read_source_root_path():
-    return read_path_from_stdin("the source root")
+def ask_for_function_name():
+    """Ask user for function name."""
 
-def read_proof_root_path():
-    return read_path_from_stdin("the 'proofs' directory (usually '.')")
+    return input("What is the function name? ").strip()
 
-def read_litani_path():
-    return read_path_from_stdin("the litani script")
+def ask_for_source_file(func, cwd=None, repo=None):
+    """Ask user to select path to source file defining function func."""
 
-def read_source_path():
-    return read_path_from_stdin("the source file defining the function")
+    cwd = Path(cwd or Path.cwd()).resolve()
+    repo = Path(repo or repository.repository_root(cwd=cwd)).resolve()
+    sources = repository.function_sources(func, cwd=cwd, repo=repo, abspath=False)
+    options = sources + ["The source file is not listed here"]
+    choices = [str(idx) for idx in range(len(options))]
+    index = choices[-1]
 
-def read_function_name():
-    print("What is the function name? ", end="")
-    return read_from_stdin()
+    if sources:
+        print(f"These source files define a function '{func}':")
+        for idx, src in enumerate(options):
+            print(f" {idx:3} {src}")
+        index = input(
+            f"Select a source file (the options are {', '.join(choices)}): "
+        ).strip() or choices[-1]
 
-def read_project_name():
-    print("What is the project name? ", end="")
-    return read_from_stdin()
+    if index not in choices:
+        raise UserWarning(f"{index} is not in {', '.join(choices)}")
+    if index == choices[-1]:
+        src = input(f"Enter path to source file defining {func}: ").strip()
+    else:
+        src = sources[int(index)]
+    src = Path(src)
+    if not src.is_file():
+        raise UserWarning(f"Source file '{src}' does not exist")
+
+    return src
 
 ################################################################
 
@@ -99,12 +114,12 @@ def link_files(name, src, dst):
                         install_method[0], name, src_link)
         return 1
 
-    logging.warning(
+    logging.debug(
         "Creating %s %s -> %s", install_method[0], name, src_link)
     install_method[1](src_link, dst_name)
     return 0
 
-def copy_directory_contents(src, dst):
+def copy_directory_contents(src, dst, exclude=None):
     """Link the contents of one directory into another."""
 
     src = os.path.normpath(src)
@@ -116,6 +131,8 @@ def copy_directory_contents(src, dst):
     skipped = 0
     for name in files_under_root(src):
         name = os.path.normpath(name)
+        if exclude and name.startswith(exclude):
+            continue
         skipped += link_files(name, src, dst)
 
     if skipped:
@@ -127,4 +144,5 @@ def copy_repository_templates(cbmc_root):
 
     copy_directory_contents(os.path.join(templates_root(),
                                          REPOSITORY_TEMPLATES),
-                            cbmc_root)
+                            cbmc_root,
+                            exclude="negative_tests")

data/aws-crt-ffi/crt/s2n/tests/fuzz/LD_PRELOAD/global_overrides.c

@@ -27,15 +27,15 @@
 #include "utils/s2n_safety.h"
 #include "utils/s2n_random.h"
 
-int s2n_drbg_generate(struct s2n_drbg *drbg, struct s2n_blob *blob) {
+S2N_RESULT s2n_drbg_generate(struct s2n_drbg *drbg, struct s2n_blob *blob) {
 
     /* If fuzzing, only generate "fake" random numbers in order to ensure that fuzz tests are deterministic and repeatable.
      * This function should generate non-zero values since this function may be called repeatedly at startup until a
      * non-zero value is generated.
      */
-    POSIX_GUARD_RESULT(s2n_get_public_random_data(blob));
+    RESULT_GUARD(s2n_get_public_random_data(blob));
     drbg->bytes_used += blob->size;
-    return S2N_SUCCESS;
+    return S2N_RESULT_OK;
 }
 
 int s2n_stuffer_send_to_fd(struct s2n_stuffer *stuffer, const int wfd, const uint32_t len, uint32_t *bytes_sent)

data/aws-crt-ffi/crt/s2n/tests/integration/s2n_client_endpoint_handshake_test.py

@@ -39,8 +39,8 @@ well_known_endpoints = [
     {"endpoint": "rsa2048.badssl.com"},
     {"endpoint": "rsa4096.badssl.com"},
     {"endpoint": "sha256.badssl.com"},
-    {"endpoint": "sha384.badssl.com"},
-    {"endpoint": "sha512.badssl.com"},
+#    {"endpoint": "sha384.badssl.com"},
+#    {"endpoint": "sha512.badssl.com"},
     {"endpoint": "tls-v1-0.badssl.com"},
     {"endpoint": "tls-v1-1.badssl.com"},
     {"endpoint": "tls-v1-2.badssl.com"},

data/aws-crt-ffi/crt/s2n/tests/integrationv2/Makefile

@@ -28,54 +28,25 @@ endif
 define run_tox
 	( \
 	DYLD_LIBRARY_PATH="$(LIBCRYPTO_ROOT)/lib:$$DYLD_LIBRARY_PATH" \
-	LD_LIBRARY_PATH="$(LIBCRYPTO_ROOT)/lib:$$LD_LIBRARY_PATH" \
+	LD_LIBRARY_PATH="$(LIBCRYPTO_ROOT)/lib:"$(S2N_ROOT)/test-deps/gnutls37/nettle/lib":$$LD_LIBRARY_PATH" \
 	S2N_INTEG_TEST=1 \
-	PATH="../../bin":$(LIBCRYPTO_ROOT)/bin:$(PATH) \
+	PATH="$(S2N_ROOT)/bin":"$(S2N_ROOT)/test-deps/openssl-1.1.1/bin":"$(S2N_ROOT)/test-deps/gnutls37/bin":$(PATH) \
 	PYTHONNOUSERSITE=1 \
-	TOX_TEST_NAME=$(1) \
+	TOX_TEST_NAME=$(1).py \
 	python3.9 -m tox \
 	)
 endef
 
-ifdef TOX_TEST_NAME
-default: test_single
-else
-default: all
-endif
 
-test_key_update:
-	$(call run_tox,$@.py)
-test_client_authentication:
-	$(call run_tox,$@.py)
-test_dynamic_record_sizes:
-	$(call run_tox,$@.py)
-test_early_data:
-	$(call run_tox,$@.py)
-test_external_psk:
-	$(call run_tox,$@.py)
-test_happy_path:
-	$(call run_tox,$@.py)
-test_session_resumption:
-	$(call run_tox,$@.py)
-test_sni_match:
-	$(call run_tox,$@.py)
-test_well_known_endpoints:
-	$(call run_tox,$@.py)
-test_fragmentation:
-	$(call run_tox,$@.py)
-test_hello_retry_requests:
-	$(call run_tox,$@.py)
-test_pq_handshake:
-	$(call run_tox,$@.py)
-test_signature_algorithms:
-	$(call run_tox,$@.py)
-test_version_negotiation:
-	$(call run_tox,$@.py)
-test_cross_compatibility:
-	$(call run_tox,$@.py)
-test_single:
-	$(call run_tox,$(TOX_TEST_NAME))
+TESTS=$(wildcard test_*.py)
+TEST_NAMES=$(TESTS:.py=)
+
+ifndef TOX_TEST_NAME
+	TOX_TEST_NAME := ${TEST_NAMES}
+endif
 
-.PHONY : test_early_data test_external_psk test_client_authentication test_dynamic_record_sizes test_key_update test_happy_path test_session_resumption test_sni_match test_well_known_endpoints test_fragmentation test_hello_retry_requests test_pq_handshake test_signature_algorithms test_version_negotiation test_cross_compatibility
-all: test_early_data test_external_psk test_client_authentication test_dynamic_record_sizes test_key_update test_happy_path test_session_resumption test_sni_match test_well_known_endpoints test_fragmentation test_hello_retry_requests test_pq_handshake test_signature_algorithms test_version_negotiation test_cross_compatibility
+.PHONY : all
+all: $(TOX_TEST_NAME)
 
+$(TOX_TEST_NAME):
+	$(call run_tox,$@)

data/aws-crt-ffi/crt/s2n/tests/integrationv2/README.md

@@ -28,7 +28,12 @@ Python environment. Then all the integration tests will be collected and execute
 If you only want to run a single test, you can set the `TOX_TEST_NAME` environment variable:
 
 ```
-ubuntu@host:s2n_root/ $ TOX_TEST_NAME=test_happy_path.py::test_s2n_server_happy_path make -C tests/integrationv2 test_single
+ubuntu@host:s2n_root/ $ TOX_TEST_NAME=test_happy_path make -C tests/integrationv2
+```
+
+Multiple specific tests can also be run as follows:
+```
+ubuntu@host:s2n_root/ $ TOX_TEST_NAME="test_happy_path test_sslyze" make -C tests/integrationv2
 ```
 
 # Writing tests

data/aws-crt-ffi/crt/s2n/tests/integrationv2/common.py

@@ -79,6 +79,7 @@ class TimeoutException(subprocess.SubprocessError):
     TimeoutException wraps the subprocess class giving more control
     over the formatting of output.
     """
+
     def __init__(self, timeout_exception):
         self.exception = timeout_exception
 
@@ -141,8 +142,13 @@ class Certificates(object):
     ECDSA_256 = Cert("ECDSA_256", "localhost_ecdsa_p256")
     ECDSA_384 = Cert("ECDSA_384", "ecdsa_p384_pkcs1")
 
-    RSA_2048_SHA256_WILDCARD = Cert("RSA_2048_SHA256_WILDCARD", "rsa_2048_sha256_wildcard")
-    RSA_PSS_2048_SHA256 = Cert("RSA_PSS_2048_SHA256", "localhost_rsa_pss_2048_sha256")
+    RSA_2048_SHA256_WILDCARD = Cert(
+        "RSA_2048_SHA256_WILDCARD", "rsa_2048_sha256_wildcard")
+    RSA_PSS_2048_SHA256 = Cert(
+        "RSA_PSS_2048_SHA256", "localhost_rsa_pss_2048_sha256")
+
+    OCSP = Cert("OCSP_RSA", "ocsp/server")
+    OCSP_ECDSA = Cert("OCSP_ECDSA_256", "ocsp/server_ecdsa")
 
 
 class Protocol(object):
@@ -220,56 +226,94 @@ class Ciphers(object):
     """
     When referencing ciphers, use these class values.
     """
-    DHE_RSA_DES_CBC3_SHA = Cipher("DHE-RSA-DES-CBC3-SHA", Protocols.SSLv3, False, False, iana_standard_name="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA")
-    DHE_RSA_AES128_SHA = Cipher("DHE-RSA-AES128-SHA", Protocols.SSLv3, True, False, TEST_CERT_DIRECTORY + 'dhparams_2048.pem', iana_standard_name="TLS_DHE_RSA_WITH_AES_128_CBC_SHA")
-    DHE_RSA_AES256_SHA = Cipher("DHE-RSA-AES256-SHA", Protocols.SSLv3, True, False, TEST_CERT_DIRECTORY + 'dhparams_2048.pem', iana_standard_name="TLS_DHE_RSA_WITH_AES_256_CBC_SHA")
-    DHE_RSA_AES128_SHA256 = Cipher("DHE-RSA-AES128-SHA256", Protocols.TLS12, True, True, TEST_CERT_DIRECTORY + 'dhparams_2048.pem', iana_standard_name="TLS_DHE_RSA_WITH_AES_128_CBC_SHA256")
-    DHE_RSA_AES256_SHA256 = Cipher("DHE-RSA-AES256-SHA256", Protocols.TLS12, True, True, TEST_CERT_DIRECTORY + 'dhparams_2048.pem', iana_standard_name="TLS_DHE_RSA_WITH_AES_256_CBC_SHA256")
-    DHE_RSA_AES128_GCM_SHA256 = Cipher("DHE-RSA-AES128-GCM-SHA256", Protocols.TLS12, True, True, TEST_CERT_DIRECTORY + 'dhparams_2048.pem', iana_standard_name="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256")
-    DHE_RSA_AES256_GCM_SHA384 = Cipher("DHE-RSA-AES256-GCM-SHA384", Protocols.TLS12, True, True, TEST_CERT_DIRECTORY + 'dhparams_2048.pem', iana_standard_name="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384")
-    DHE_RSA_CHACHA20_POLY1305 = Cipher("DHE-RSA-CHACHA20-POLY1305", Protocols.TLS12, True, False, TEST_CERT_DIRECTORY + 'dhparams_2048.pem', iana_standard_name="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384")
-
-    AES128_SHA = Cipher("AES128-SHA", Protocols.SSLv3, True, True, iana_standard_name="TLS_RSA_WITH_AES_128_CBC_SHA")
-    AES256_SHA = Cipher("AES256-SHA", Protocols.SSLv3, True, True, iana_standard_name="TLS_RSA_WITH_AES_256_CBC_SHA")
-    AES128_SHA256 = Cipher("AES128-SHA256", Protocols.TLS12, True, True, iana_standard_name="TLS_RSA_WITH_AES_128_CBC_SHA256")
-    AES256_SHA256 = Cipher("AES256-SHA256", Protocols.TLS12, True, True, iana_standard_name="TLS_RSA_WITH_AES_256_CBC_SHA256")
-    AES128_GCM_SHA256 = Cipher("TLS_AES_128_GCM_SHA256", Protocols.TLS13, True, True, iana_standard_name="TLS_AES_128_GCM_SHA256")
-    AES256_GCM_SHA384 = Cipher("TLS_AES_256_GCM_SHA384", Protocols.TLS13, True, True, iana_standard_name="TLS_AES_256_GCM_SHA384")
-
-    ECDHE_ECDSA_AES128_SHA = Cipher("ECDHE-ECDSA-AES128-SHA", Protocols.SSLv3, True, False, iana_standard_name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA")
-    ECDHE_ECDSA_AES256_SHA = Cipher("ECDHE-ECDSA-AES256-SHA", Protocols.SSLv3, True, False, iana_standard_name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA")
-    ECDHE_ECDSA_AES128_SHA256 = Cipher("ECDHE-ECDSA-AES128-SHA256", Protocols.TLS12, True, True, iana_standard_name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256")
-    ECDHE_ECDSA_AES256_SHA384 = Cipher("ECDHE-ECDSA-AES256-SHA384", Protocols.TLS12, True, True, iana_standard_name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384")
-    ECDHE_ECDSA_AES128_GCM_SHA256 = Cipher("ECDHE-ECDSA-AES128-GCM-SHA256", Protocols.TLS12, True, True, iana_standard_name="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256")
-    ECDHE_ECDSA_AES256_GCM_SHA384 = Cipher("ECDHE-ECDSA-AES256-GCM-SHA384", Protocols.TLS12, True, True, iana_standard_name="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384")
-    ECDHE_ECDSA_CHACHA20_POLY1305 = Cipher("ECDHE-ECDSA-CHACHA20-POLY1305", Protocols.TLS12, True, False, iana_standard_name="TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256")
-
-    ECDHE_RSA_DES_CBC3_SHA = Cipher("ECDHE-RSA-DES-CBC3-SHA", Protocols.SSLv3, False, False, iana_standard_name="TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA")
-    ECDHE_RSA_AES128_SHA = Cipher("ECDHE-RSA-AES128-SHA", Protocols.SSLv3, True, False, iana_standard_name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA")
-    ECDHE_RSA_AES256_SHA = Cipher("ECDHE-RSA-AES256-SHA", Protocols.SSLv3, True, False, iana_standard_name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA")
-    ECDHE_RSA_RC4_SHA = Cipher("ECDHE-RSA-RC4-SHA", Protocols.SSLv3, False, False, iana_standard_name="TLS_ECDHE_RSA_WITH_RC4_128_SHA")
-    ECDHE_RSA_AES128_SHA256 = Cipher("ECDHE-RSA-AES128-SHA256", Protocols.TLS12, True, True, iana_standard_name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")
-    ECDHE_RSA_AES256_SHA384 = Cipher("ECDHE-RSA-AES256-SHA384", Protocols.TLS12, True, True, iana_standard_name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384")
-    ECDHE_RSA_AES128_GCM_SHA256 = Cipher("ECDHE-RSA-AES128-GCM-SHA256", Protocols.TLS12, True, True, iana_standard_name="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
-    ECDHE_RSA_AES256_GCM_SHA384 = Cipher("ECDHE-RSA-AES256-GCM-SHA384", Protocols.TLS12, True, True, iana_standard_name="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
-    ECDHE_RSA_CHACHA20_POLY1305 = Cipher("ECDHE-RSA-CHACHA20-POLY1305", Protocols.TLS12, True, False, iana_standard_name="TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256")
-    CHACHA20_POLY1305_SHA256 = Cipher("TLS_CHACHA20_POLY1305_SHA256", Protocols.TLS13, True, False, iana_standard_name="TLS_CHACHA20_POLY1305_SHA256")
-
-    KMS_TLS_1_0_2018_10 = Cipher("KMS-TLS-1-0-2018-10", Protocols.TLS10, False, False, s2n=True)
-    KMS_PQ_TLS_1_0_2019_06 = Cipher("KMS-PQ-TLS-1-0-2019-06", Protocols.TLS10, False, False, s2n=True, pq=True)
-    KMS_PQ_TLS_1_0_2020_02 = Cipher("KMS-PQ-TLS-1-0-2020-02", Protocols.TLS10, False, False, s2n=True, pq=True)
-    KMS_PQ_TLS_1_0_2020_07 = Cipher("KMS-PQ-TLS-1-0-2020-07", Protocols.TLS10, False, False, s2n=True, pq=True)
-    PQ_SIKE_TEST_TLS_1_0_2019_11 = Cipher("PQ-SIKE-TEST-TLS-1-0-2019-11", Protocols.TLS10, False, False, s2n=True, pq=True)
-    PQ_SIKE_TEST_TLS_1_0_2020_02 = Cipher("PQ-SIKE-TEST-TLS-1-0-2020-02", Protocols.TLS10, False, False, s2n=True, pq=True)
-    PQ_TLS_1_0_2020_12 = Cipher("PQ-TLS-1-0-2020-12", Protocols.TLS10, False, False, s2n=True, pq=True)
+    DHE_RSA_DES_CBC3_SHA = Cipher("DHE-RSA-DES-CBC3-SHA", Protocols.SSLv3,
+                                  False, False, iana_standard_name="SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA")
+    DHE_RSA_AES128_SHA = Cipher("DHE-RSA-AES128-SHA", Protocols.SSLv3, True, False, TEST_CERT_DIRECTORY +
+                                'dhparams_2048.pem', iana_standard_name="TLS_DHE_RSA_WITH_AES_128_CBC_SHA")
+    DHE_RSA_AES256_SHA = Cipher("DHE-RSA-AES256-SHA", Protocols.SSLv3, True, False, TEST_CERT_DIRECTORY +
+                                'dhparams_2048.pem', iana_standard_name="TLS_DHE_RSA_WITH_AES_256_CBC_SHA")
+    DHE_RSA_AES128_SHA256 = Cipher("DHE-RSA-AES128-SHA256", Protocols.TLS12, True, True, TEST_CERT_DIRECTORY +
+                                   'dhparams_2048.pem', iana_standard_name="TLS_DHE_RSA_WITH_AES_128_CBC_SHA256")
+    DHE_RSA_AES256_SHA256 = Cipher("DHE-RSA-AES256-SHA256", Protocols.TLS12, True, True, TEST_CERT_DIRECTORY +
+                                   'dhparams_2048.pem', iana_standard_name="TLS_DHE_RSA_WITH_AES_256_CBC_SHA256")
+    DHE_RSA_AES128_GCM_SHA256 = Cipher("DHE-RSA-AES128-GCM-SHA256", Protocols.TLS12, True, True,
+                                       TEST_CERT_DIRECTORY + 'dhparams_2048.pem', iana_standard_name="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256")
+    DHE_RSA_AES256_GCM_SHA384 = Cipher("DHE-RSA-AES256-GCM-SHA384", Protocols.TLS12, True, True,
+                                       TEST_CERT_DIRECTORY + 'dhparams_2048.pem', iana_standard_name="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384")
+    DHE_RSA_CHACHA20_POLY1305 = Cipher("DHE-RSA-CHACHA20-POLY1305", Protocols.TLS12, True, False,
+                                       TEST_CERT_DIRECTORY + 'dhparams_2048.pem', iana_standard_name="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384")
+
+    AES128_SHA = Cipher("AES128-SHA", Protocols.SSLv3, True,
+                        True, iana_standard_name="TLS_RSA_WITH_AES_128_CBC_SHA")
+    AES256_SHA = Cipher("AES256-SHA", Protocols.SSLv3, True,
+                        True, iana_standard_name="TLS_RSA_WITH_AES_256_CBC_SHA")
+    AES128_SHA256 = Cipher("AES128-SHA256", Protocols.TLS12, True,
+                           True, iana_standard_name="TLS_RSA_WITH_AES_128_CBC_SHA256")
+    AES256_SHA256 = Cipher("AES256-SHA256", Protocols.TLS12, True,
+                           True, iana_standard_name="TLS_RSA_WITH_AES_256_CBC_SHA256")
+    AES128_GCM_SHA256 = Cipher("TLS_AES_128_GCM_SHA256", Protocols.TLS13,
+                               True, True, iana_standard_name="TLS_AES_128_GCM_SHA256")
+    AES256_GCM_SHA384 = Cipher("TLS_AES_256_GCM_SHA384", Protocols.TLS13,
+                               True, True, iana_standard_name="TLS_AES_256_GCM_SHA384")
+
+    ECDHE_ECDSA_AES128_SHA = Cipher("ECDHE-ECDSA-AES128-SHA", Protocols.SSLv3,
+                                    True, False, iana_standard_name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA")
+    ECDHE_ECDSA_AES256_SHA = Cipher("ECDHE-ECDSA-AES256-SHA", Protocols.SSLv3,
+                                    True, False, iana_standard_name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA")
+    ECDHE_ECDSA_AES128_SHA256 = Cipher("ECDHE-ECDSA-AES128-SHA256", Protocols.TLS12,
+                                       True, True, iana_standard_name="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256")
+    ECDHE_ECDSA_AES256_SHA384 = Cipher("ECDHE-ECDSA-AES256-SHA384", Protocols.TLS12,
+                                       True, True, iana_standard_name="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384")
+    ECDHE_ECDSA_AES128_GCM_SHA256 = Cipher("ECDHE-ECDSA-AES128-GCM-SHA256", Protocols.TLS12,
+                                           True, True, iana_standard_name="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256")
+    ECDHE_ECDSA_AES256_GCM_SHA384 = Cipher("ECDHE-ECDSA-AES256-GCM-SHA384", Protocols.TLS12,
+                                           True, True, iana_standard_name="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384")
+    ECDHE_ECDSA_CHACHA20_POLY1305 = Cipher("ECDHE-ECDSA-CHACHA20-POLY1305", Protocols.TLS12,
+                                           True, False, iana_standard_name="TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256")
+
+    ECDHE_RSA_DES_CBC3_SHA = Cipher("ECDHE-RSA-DES-CBC3-SHA", Protocols.SSLv3,
+                                    False, False, iana_standard_name="TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA")
+    ECDHE_RSA_AES128_SHA = Cipher("ECDHE-RSA-AES128-SHA", Protocols.SSLv3,
+                                  True, False, iana_standard_name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA")
+    ECDHE_RSA_AES256_SHA = Cipher("ECDHE-RSA-AES256-SHA", Protocols.SSLv3,
+                                  True, False, iana_standard_name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA")
+    ECDHE_RSA_RC4_SHA = Cipher("ECDHE-RSA-RC4-SHA", Protocols.SSLv3,
+                               False, False, iana_standard_name="TLS_ECDHE_RSA_WITH_RC4_128_SHA")
+    ECDHE_RSA_AES128_SHA256 = Cipher("ECDHE-RSA-AES128-SHA256", Protocols.TLS12,
+                                     True, True, iana_standard_name="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")
+    ECDHE_RSA_AES256_SHA384 = Cipher("ECDHE-RSA-AES256-SHA384", Protocols.TLS12,
+                                     True, True, iana_standard_name="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384")
+    ECDHE_RSA_AES128_GCM_SHA256 = Cipher("ECDHE-RSA-AES128-GCM-SHA256", Protocols.TLS12,
+                                         True, True, iana_standard_name="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
+    ECDHE_RSA_AES256_GCM_SHA384 = Cipher("ECDHE-RSA-AES256-GCM-SHA384", Protocols.TLS12,
+                                         True, True, iana_standard_name="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
+    ECDHE_RSA_CHACHA20_POLY1305 = Cipher("ECDHE-RSA-CHACHA20-POLY1305", Protocols.TLS12,
+                                         True, False, iana_standard_name="TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256")
+    CHACHA20_POLY1305_SHA256 = Cipher("TLS_CHACHA20_POLY1305_SHA256", Protocols.TLS13,
+                                      True, False, iana_standard_name="TLS_CHACHA20_POLY1305_SHA256")
+
+    KMS_TLS_1_0_2018_10 = Cipher(
+        "KMS-TLS-1-0-2018-10", Protocols.TLS10, False, False, s2n=True)
+    KMS_PQ_TLS_1_0_2019_06 = Cipher(
+        "KMS-PQ-TLS-1-0-2019-06", Protocols.TLS10, False, False, s2n=True, pq=True)
+    KMS_PQ_TLS_1_0_2020_02 = Cipher(
+        "KMS-PQ-TLS-1-0-2020-02", Protocols.TLS10, False, False, s2n=True, pq=True)
+    KMS_PQ_TLS_1_0_2020_07 = Cipher(
+        "KMS-PQ-TLS-1-0-2020-07", Protocols.TLS10, False, False, s2n=True, pq=True)
+    PQ_SIKE_TEST_TLS_1_0_2019_11 = Cipher(
+        "PQ-SIKE-TEST-TLS-1-0-2019-11", Protocols.TLS10, False, False, s2n=True, pq=True)
+    PQ_SIKE_TEST_TLS_1_0_2020_02 = Cipher(
+        "PQ-SIKE-TEST-TLS-1-0-2020-02", Protocols.TLS10, False, False, s2n=True, pq=True)
+    PQ_TLS_1_0_2020_12 = Cipher(
+        "PQ-TLS-1-0-2020-12", Protocols.TLS10, False, False, s2n=True, pq=True)
 
     @staticmethod
     def from_iana(iana_name):
         ciphers = [
             cipher for attr in vars(Ciphers)
             if not callable(cipher := getattr(Ciphers, attr))
-               and not attr.startswith("_")
-               and cipher.iana_standard_name
+            and not attr.startswith("_")
+            and cipher.iana_standard_name
         ]
         return {
             cipher.iana_standard_name: cipher
@@ -337,7 +381,7 @@ class Signature(object):
 
 
 class Signatures(object):
-    RSA_SHA1   = Signature('RSA+SHA1',   max_protocol=Protocols.TLS12)
+    RSA_SHA1 = Signature('RSA+SHA1',   max_protocol=Protocols.TLS12)
     RSA_SHA224 = Signature('RSA+SHA224', max_protocol=Protocols.TLS12)
     RSA_SHA256 = Signature('RSA+SHA256', max_protocol=Protocols.TLS12)
     RSA_SHA384 = Signature('RSA+SHA384', max_protocol=Protocols.TLS12)
@@ -379,25 +423,31 @@ class Results(object):
     # Any exception thrown while running the process
     exception = None
 
-    def __init__(self, stdout, stderr, exit_code, exception, expect_stderr=False):
+    def __init__(self, stdout, stderr, exit_code, exception, expect_stderr=False, expect_nonzero_exit=False):
         self.stdout = stdout
         self.stderr = stderr
         self.exit_code = exit_code
         self.exception = exception
         self.expect_stderr = expect_stderr
+        self.expect_nonzero_exit = expect_nonzero_exit
 
     def __str__(self):
         return "Stdout: {}\nStderr: {}\nExit code: {}\nException: {}".format(self.stdout, self.stderr, self.exit_code, self.exception)
 
     def assert_success(self):
-        assert self.exception is None
-        assert self.exit_code == 0
+        assert self.exception is None, self.exception
+        if not self.expect_nonzero_exit:
+            assert self.exit_code == 0, f"exit code: {self.exit_code}"
         if not self.expect_stderr:
-            assert not self.stderr
+            assert not self.stderr, self.stderr
+
+    def output_streams(self):
+        return {self.stdout, self.stderr}
 
 
 class ProviderOptions(object):
-    def __init__(self,
+    def __init__(
+            self,
             mode=None,
             host=None,
             port=None,
@@ -417,7 +467,12 @@ class ProviderOptions(object):
             server_name=None,
             protocol=None,
             use_mainline_version=None,
-            env_overrides=dict()):
+            env_overrides=dict(),
+            enable_client_ocsp=False,
+            ocsp_response=None,
+            signature_algorithm=None,
+            record_size=None
+    ):
 
         # Client or server
         self.mode = mode
@@ -480,3 +535,13 @@ class ProviderOptions(object):
 
         # Extra environment parameters
         self.env_overrides = env_overrides
+
+        # Enable OCSP on the client
+        self.enable_client_ocsp = enable_client_ocsp
+
+        # Path to OCSP response on the server
+        self.ocsp_response = ocsp_response
+
+        self.signature_algorithm = signature_algorithm
+
+        self.record_size = record_size