aws-crt 0.1.5 → 0.1.6

data/aws-crt-ffi/crt/s2n/tests/integrationv2/providers.py

@@ -1,8 +1,14 @@
 import pytest
 import threading
 
-from common import ProviderOptions, Ciphers, Curves, Protocols, Certificates
-from global_flags import get_flag, S2N_PROVIDER_VERSION
+from common import ProviderOptions, Ciphers, Curves, Protocols, Certificates, Signatures
+from global_flags import get_flag, S2N_PROVIDER_VERSION, S2N_FIPS_MODE
+
+
+TLS_13_LIBCRYPTOS = {
+    "awslc",
+    "openssl-1.1.1"
+}
 
 
 class Provider(object):
@@ -22,6 +28,10 @@ class Provider(object):
         # put that message in ready_to_test_marker
         self.ready_to_test_marker = None
 
+        # If a newline character should be added to messages being sent. Required
+        # with some providers to properly write to stdin.
+        self.send_with_newline = False
+
         # By default, we expect clients to send, but not servers.
         if options.mode == Provider.ClientMode:
             self.ready_to_send_input_marker = self.get_send_marker()
@@ -70,6 +80,10 @@ class Provider(object):
     def supports_cipher(cls, cipher, with_curve=None):
         raise NotImplementedError
 
+    @classmethod
+    def supports_signature(cls, signature):
+        return True
+
     def get_cmd_line(self):
         return self.cmd_line
 
@@ -90,6 +104,7 @@ class Tcpdump(Provider):
     This class still follows the provider setup, but all values are hardcoded
     because this isn't expected to be used outside of the dynamic record test.
     """
+
     def __init__(self, options: ProviderOptions):
         Provider.__init__(self, options)
 
@@ -98,22 +113,22 @@ class Tcpdump(Provider):
         tcpdump_filter = "dst port {}".format(self.options.port)
 
         cmd_line = ["tcpdump",
-            # Line buffer the output
-            "-l",
+                    # Line buffer the output
+                    "-l",
 
-            # Only read 10 packets before exiting. This is enough to find a large
-            # packet, and still exit before the timeout.
-            "-c", "10",
+                    # Only read 10 packets before exiting. This is enough to find a large
+                    # packet, and still exit before the timeout.
+                    "-c", "10",
 
-            # Watch the loopback device
-            "-i", "lo",
+                    # Watch the loopback device
+                    "-i", "lo",
 
-            # Don't resolve IP addresses
-            "-nn",
+                    # Don't resolve IP addresses
+                    "-nn",
 
-            # Set the buffer size to 1k
-            "-B", "1024",
-            tcpdump_filter]
+                    # Set the buffer size to 1k
+                    "-B", "1024",
+                    tcpdump_filter]
 
         return cmd_line
 
@@ -122,24 +137,54 @@ class S2N(Provider):
     """
     The S2N provider translates flags into s2nc/s2nd command line arguments.
     """
+
     def __init__(self, options: ProviderOptions):
         Provider.__init__(self, options)
 
+        self.send_with_newline = True
+
     @classmethod
     def get_send_marker(cls):
         return 's2n is ready'
 
     @classmethod
     def supports_protocol(cls, protocol, with_cert=None):
-        # If s2n is built with OpenSSL 1.0.2 it can't connect to itself
-        if protocol is Protocols.TLS13 and 'openssl-1.0.2' in OpenSSL.get_version():
-            if with_cert is not None and with_cert.algorithm != 'EC':
-                return False
+        # Disable TLS 1.3 tests for all libcryptos that don't support 1.3
+        if all([
+            libcrypto not in get_flag(S2N_PROVIDER_VERSION)
+            for libcrypto in TLS_13_LIBCRYPTOS
+        ]) and protocol == Protocols.TLS13:
+            return False
 
         return True
 
     @classmethod
     def supports_cipher(cls, cipher, with_curve=None):
+        # Disable chacha20 tests in unsupported libcryptos
+        if any([
+            libcrypto in get_flag(S2N_PROVIDER_VERSION)
+            for libcrypto in [
+                "openssl-1.0.2",
+                "libressl"
+            ]
+        ]) and "CHACHA20" in cipher.name:
+            return False
+
+        return True
+
+    @classmethod
+    def supports_signature(cls, signature):
+        # Disable RSA_PSS_RSAE_SHA256 in unsupported libcryptos
+        if any([
+            libcrypto in get_flag(S2N_PROVIDER_VERSION)
+            for libcrypto in [
+                "openssl-1.0.2",
+                "libressl",
+                "boringssl"
+            ]
+        ]) and signature == Signatures.RSA_PSS_RSAE_SHA256:
+            return False
+
         return True
 
     def setup_client(self):
@@ -187,6 +232,12 @@ class S2N(Provider):
             if self.options.cert:
                 cmd_line.extend(['--cert', self.options.cert])
 
+        if get_flag(S2N_FIPS_MODE):
+            cmd_line.append("--enter-fips-mode")
+
+        if self.options.enable_client_ocsp:
+            cmd_line.extend(["--status"])
+
         if self.options.extra_flags is not None:
             cmd_line.extend(self.options.extra_flags)
 
@@ -240,7 +291,14 @@ class S2N(Provider):
             cmd_line.append('-T')
 
         if self.options.reconnects_before_exit is not None:
-            cmd_line.append('--max-conns={}'.format(self.options.reconnects_before_exit))
+            cmd_line.append(
+                '--max-conns={}'.format(self.options.reconnects_before_exit))
+
+        if get_flag(S2N_FIPS_MODE):
+            cmd_line.append("--enter-fips-mode")
+
+        if self.options.ocsp_response is not None:
+            cmd_line.extend(["--ocsp", self.options.ocsp_response])
 
         if self.options.extra_flags is not None:
             cmd_line.extend(self.options.extra_flags)
@@ -285,10 +343,12 @@ class OpenSSL(Provider):
             # In the case of a cipher list we need to be sure TLS13 specific ciphers aren't
             # mixed with ciphers from previous versions
             is_tls13_or_above = (cipher[0].min_version >= Protocols.TLS13)
-            mismatch = [c for c in cipher if (c.min_version >= Protocols.TLS13) != is_tls13_or_above]
+            mismatch = [c for c in cipher if (
+                c.min_version >= Protocols.TLS13) != is_tls13_or_above]
 
             if len(mismatch) > 0:
-                raise Exception("Cannot combine ciphers for TLS1.3 or above with older ciphers: {}".format([c.name for c in cipher]))
+                raise Exception("Cannot combine ciphers for TLS1.3 or above with older ciphers: {}".format(
+                    [c.name for c in cipher]))
 
             ciphers.append(self._join_ciphers(cipher))
         else:
@@ -308,29 +368,11 @@ class OpenSSL(Provider):
 
     @classmethod
     def supports_protocol(cls, protocol, with_cert=None):
-        if protocol is Protocols.TLS13:
-            if 'openssl-1.1.1' in OpenSSL.get_version():
-                return True
-            else:
-                return False
-
         return True
 
     @classmethod
     def supports_cipher(cls, cipher, with_curve=None):
-        is_openssl_111 = "openssl-1.1.1" in OpenSSL.get_version()
-        if is_openssl_111 and cipher.openssl1_1_1 is False:
-            return False
-
-        if not is_openssl_111:
-            # OpenSSL 1.0.2 does not have ChaChaPoly
-            if 'CHACHA20' in cipher.name:
-                return False
-
-        if cipher.fips is False and "fips" in OpenSSL.get_version():
-            return False
-
-        if "openssl-1.0.2" in OpenSSL.get_version() and with_curve is not None:
+        if "openssl-1.0.2" in get_flag(S2N_PROVIDER_VERSION) and with_curve is not None:
             invalid_ciphers = [
                 Ciphers.ECDHE_RSA_AES128_SHA,
                 Ciphers.ECDHE_RSA_AES256_SHA,
@@ -349,7 +391,8 @@ class OpenSSL(Provider):
 
     def setup_client(self):
         cmd_line = ['openssl', 's_client']
-        cmd_line.extend(['-connect', '{}:{}'.format(self.options.host, self.options.port)])
+        cmd_line.extend(
+            ['-connect', '{}:{}'.format(self.options.host, self.options.port)])
 
         # Additional debugging that will be captured incase of failure
         cmd_line.extend(['-debug', '-tlsextdebug', '-state'])
@@ -391,6 +434,16 @@ class OpenSSL(Provider):
             if self.options.verify_hostname is not None:
                 cmd_line.extend(['-verify_hostname', self.options.server_name])
 
+        if self.options.enable_client_ocsp:
+            cmd_line.append("-status")
+
+        if self.options.signature_algorithm is not None:
+            cmd_line.extend(
+                ["-sigalgs", self.options.signature_algorithm.name])
+
+        if self.options.record_size is not None:
+            cmd_line.extend(["-max_send_frag", str(self.options.record_size)])
+
         # Clients are always ready to connect
         self.set_provider_ready()
 
@@ -405,7 +458,8 @@ class OpenSSL(Provider):
 
         if self.options.reconnects_before_exit is not None:
             # If the user request a specific reconnection count, set it here
-            cmd_line.extend(['-naccept', str(self.options.reconnects_before_exit)])
+            cmd_line.extend(
+                ['-naccept', str(self.options.reconnects_before_exit)])
         else:
             # Exit after the first connection by default
             cmd_line.extend(['-naccept', '1'])
@@ -440,16 +494,25 @@ class OpenSSL(Provider):
             # We use "Verify" instead of "verify" to require a client cert
             cmd_line.extend(['-Verify', '1'])
 
+        if self.options.ocsp_response is not None:
+            cmd_line.extend(["-status_file", self.options.ocsp_response])
+
+        if self.options.signature_algorithm is not None:
+            cmd_line.extend(
+                ["-sigalgs", self.options.signature_algorithm.name])
+
         if self.options.extra_flags is not None:
             cmd_line.extend(self.options.extra_flags)
 
         return cmd_line
 
+
 class JavaSSL(Provider):
     """
     NOTE: Only a Java SSL client has been set up. The server has not been 
     implemented yet.
     """
+
     def __init__(self, options: ProviderOptions):
         Provider.__init__(self, options)
 
@@ -466,7 +529,7 @@ class JavaSSL(Provider):
 
     @classmethod
     def supports_cipher(cls, cipher, with_curve=None):
-        # Java SSL does not support CHACHA20 
+        # Java SSL does not support CHACHA20
         if 'CHACHA20' in cipher.name:
             return False
 
@@ -497,12 +560,14 @@ class JavaSSL(Provider):
 
         return cmd_line
 
+
 class BoringSSL(Provider):
     """
     NOTE: In order to focus on the general use of this framework, BoringSSL
     is not yet supported. The client works, the server has not yet been
     implemented, neither are in the default configuration.
     """
+
     def __init__(self, options: ProviderOptions):
         Provider.__init__(self, options)
 
@@ -515,18 +580,22 @@ class BoringSSL(Provider):
 
     def setup_client(self):
         cmd_line = ['bssl', 's_client']
-        cmd_line.extend(['-connect', '{}:{}'.format(self.options.host, self.options.port)])
+        cmd_line.extend(
+            ['-connect', '{}:{}'.format(self.options.host, self.options.port)])
         if self.options.cert is not None:
             cmd_line.extend(['-cert', self.options.cert])
         if self.options.key is not None:
             cmd_line.extend(['-key', self.options.key])
         if self.options.cipher is not None:
             if self.options.cipher == Ciphersuites.TLS_CHACHA20_POLY1305_SHA256:
-                cmd_line.extend(['-cipher', 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256'])
+                cmd_line.extend(
+                    ['-cipher', 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256'])
             elif self.options.cipher == Ciphersuites.TLS_AES_128_GCM_256:
-                pytest.skip('BoringSSL does not support Cipher {}'.format(self.options.cipher))
+                pytest.skip('BoringSSL does not support Cipher {}'.format(
+                    self.options.cipher))
             elif self.options.cipher == Ciphersuites.TLS_AES_256_GCM_384:
-                pytest.skip('BoringSSL does not support Cipher {}'.format(self.options.cipher))
+                pytest.skip('BoringSSL does not support Cipher {}'.format(
+                    self.options.cipher))
         if self.options.curve is not None:
             if self.options.curve == Curves.P256:
                 cmd_line.extend(['-curves', 'P-256'])
@@ -535,7 +604,8 @@ class BoringSSL(Provider):
             elif self.options.curve == Curves.P521:
                 cmd_line.extend(['-curves', 'P-521'])
             elif self.options.curve == Curves.X25519:
-                pytest.skip('BoringSSL does not support curve {}'.format(self.options.curve))
+                pytest.skip('BoringSSL does not support curve {}'.format(
+                    self.options.curve))
 
         # Clients are always ready to connect
         self.set_provider_ready()
@@ -543,3 +613,189 @@ class BoringSSL(Provider):
         return cmd_line
 
 
+class GnuTLS(Provider):
+    def __init__(self, options: ProviderOptions):
+        Provider.__init__(self, options)
+
+        self.expect_stderr = True
+        self.send_with_newline = True
+
+    @staticmethod
+    def cipher_to_priority_str(cipher):
+        return {
+            Ciphers.DHE_RSA_AES128_SHA:         "DHE-RSA:+AES-128-CBC:+SHA1",
+            Ciphers.DHE_RSA_AES256_SHA:         "DHE-RSA:+AES-256-CBC:+SHA1",
+            Ciphers.DHE_RSA_AES128_SHA256:      "DHE-RSA:+AES-128-CBC:+SHA256",
+            Ciphers.DHE_RSA_AES256_SHA256:      "DHE-RSA:+AES-256-CBC:+SHA256",
+            Ciphers.DHE_RSA_AES128_GCM_SHA256:  "DHE-RSA:+AES-128-GCM:+AEAD",
+            Ciphers.DHE_RSA_AES256_GCM_SHA384:  "DHE-RSA:+AES-256-GCM:+AEAD",
+            Ciphers.DHE_RSA_CHACHA20_POLY1305:  "DHE-RSA:+CHACHA20-POLY1305:+AEAD",
+
+            Ciphers.AES128_SHA:         "RSA:+AES-128-CBC:+SHA1",
+            Ciphers.AES256_SHA:         "RSA:+AES-256-CBC:+SHA1",
+            Ciphers.AES128_SHA256:      "RSA:+AES-128-CBC:+SHA256",
+            Ciphers.AES256_SHA256:      "RSA:+AES-256-CBC:+SHA256",
+            Ciphers.AES128_GCM_SHA256:  "RSA:+AES-128-GCM:+AEAD",
+            Ciphers.AES256_GCM_SHA384:  "RSA:+AES-256-GCM:+AEAD",
+
+            Ciphers.ECDHE_ECDSA_AES128_SHA:         "ECDHE-ECDSA:+AES-128-CBC:+SHA1",
+            Ciphers.ECDHE_ECDSA_AES256_SHA:         "ECDHE-ECDSA:+AES-256-CBC:+SHA1",
+            Ciphers.ECDHE_ECDSA_AES128_SHA256:      "ECDHE-ECDSA:+AES-128-CBC:+SHA256",
+            Ciphers.ECDHE_ECDSA_AES256_SHA384:      "ECDHE-ECDSA:+AES-256-CBC:+SHA384",
+            Ciphers.ECDHE_ECDSA_AES128_GCM_SHA256:  "ECDHE-ECDSA:+AES-128-GCM:+AEAD",
+            Ciphers.ECDHE_ECDSA_AES256_GCM_SHA384:  "ECDHE-ECDSA:+AES-256-GCM:+AEAD",
+
+            Ciphers.ECDHE_RSA_AES128_SHA:           "ECDHE-RSA:+AES-128-CBC:+SHA1",
+            Ciphers.ECDHE_RSA_AES256_SHA:           "ECDHE-RSA:+AES-256-CBC:+SHA1",
+            Ciphers.ECDHE_RSA_AES128_SHA256:        "ECDHE-RSA:+AES-128-CBC:+SHA256",
+            Ciphers.ECDHE_RSA_AES256_SHA384:        "ECDHE-RSA:+AES-256-CBC:+SHA384",
+            Ciphers.ECDHE_RSA_AES128_GCM_SHA256:    "ECDHE-RSA:+AES-128-GCM:+AEAD",
+            Ciphers.ECDHE_RSA_AES256_GCM_SHA384:    "ECDHE-RSA:+AES-256-GCM:+AEAD",
+            Ciphers.ECDHE_RSA_CHACHA20_POLY1305:    "ECDHE-RSA:+CHACHA20-POLY1305:+AEAD"
+        }.get(cipher)
+
+    @staticmethod
+    def protocol_to_priority_str(protocol):
+        return {
+            Protocols.TLS10.value: "VERS-TLS1.0",
+            Protocols.TLS11.value: "VERS-TLS1.1",
+            Protocols.TLS12.value: "VERS-TLS1.2",
+            Protocols.TLS13.value: "VERS-TLS1.3"
+        }.get(protocol.value)
+
+    @staticmethod
+    def curve_to_priority_str(curve):
+        return {
+            Curves.P256:    "CURVE-SECP256R1",
+            Curves.P384:    "CURVE-SECP384R1",
+            Curves.P521:    "CURVE-SECP521R1",
+            Curves.X25519:  "CURVE-X25519"
+        }.get(curve)
+
+    @staticmethod
+    def sigalg_to_priority_str(sigalg):
+        return {
+            Signatures.RSA_SHA1:    "SIGN-RSA-SHA1",
+            Signatures.RSA_SHA256:  "SIGN-RSA-SHA256",
+            Signatures.RSA_SHA384:  "SIGN-RSA-SHA384",
+            Signatures.RSA_SHA512:  "SIGN-RSA-SHA512",
+        }.get(sigalg)
+
+    @classmethod
+    def get_send_marker(cls):
+        return "Simple Client Mode:"
+
+    def create_priority_str(self):
+        priority_str = "NONE"
+
+        if self.options.protocol:
+            priority_str += ":+" + \
+                self.protocol_to_priority_str(self.options.protocol)
+        else:
+            priority_str += ":+VERS-ALL"
+
+        if self.options.cipher:
+            priority_str += ":+" + \
+                self.cipher_to_priority_str(self.options.cipher)
+        else:
+            priority_str += ":+KX-ALL:+CIPHER-ALL:+MAC-ALL"
+
+        if self.options.curve:
+            priority_str += ":+" + \
+                self.curve_to_priority_str(self.options.curve)
+        else:
+            priority_str += ":+GROUP-ALL"
+
+        if self.options.signature_algorithm:
+            priority_str += ":+" + \
+                self.sigalg_to_priority_str(self.options.signature_algorithm)
+        else:
+            priority_str += ":+SIGN-ALL"
+
+        priority_str += ":+COMP-NULL"
+
+        # A digital signature option is not included for the test RSA certs, so GnuTLS must be
+        # told to use these certs regardless. The %COMPAT priority string option enables this for
+        # client certificates, and the undocumented %DEBUG_ALLOW_KEY_USAGE_VIOLATIONS priority
+        # string option enables this for server certificates.
+        priority_str += ":%COMPAT"
+        priority_str += ":%DEBUG_ALLOW_KEY_USAGE_VIOLATIONS"
+
+        return priority_str
+
+    def setup_client(self):
+        self.set_provider_ready()
+
+        cmd_line = [
+            "gnutls-cli",
+            "--port", str(self.options.port),
+            self.options.host,
+            "--debug", "9999",
+            "--verbose"
+        ]
+
+        if self.options.cert and self.options.key:
+            cmd_line.extend(["--x509certfile", self.options.cert])
+            cmd_line.extend(["--x509keyfile", self.options.key])
+
+        priority_str = self.create_priority_str()
+        cmd_line.extend(["--priority", priority_str])
+
+        if self.options.insecure:
+            cmd_line.extend(["--insecure"])
+
+        if self.options.enable_client_ocsp:
+            cmd_line.append("--ocsp")
+
+        if self.options.record_size:
+            cmd_line.extend(["--recordsize", str(self.options.record_size)])
+
+        if self.options.extra_flags:
+            cmd_line.extend(self.options.extra_flags)
+
+        return cmd_line
+
+    def setup_server(self):
+        self.ready_to_test_marker = "Echo Server listening on"
+
+        cmd_line = [
+            "gnutls-serv",
+            f"--port={self.options.port}",
+            "--echo",
+            "--debug=9999"
+        ]
+
+        if self.options.cert is not None:
+            cmd_line.extend(["--x509certfile", self.options.cert])
+        if self.options.key is not None:
+            cmd_line.extend(["--x509keyfile", self.options.key])
+
+        priority_str = self.create_priority_str()
+        cmd_line.extend(["--priority", priority_str])
+
+        if self.options.cipher:
+            if self.options.cipher.parameters:
+                cmd_line.extend(["--dhparams", self.options.cipher.parameters])
+
+        if self.options.ocsp_response:
+            cmd_line.extend(["--ocsp-response", self.options.ocsp_response])
+
+        if self.options.use_client_auth:
+            cmd_line.append("--require-client-cert")
+
+        if self.options.extra_flags:
+            cmd_line.extend(self.options.extra_flags)
+
+        return cmd_line
+
+    @classmethod
+    def supports_protocol(cls, protocol, with_cert=None):
+        return GnuTLS.protocol_to_priority_str(protocol) is not None
+
+    @classmethod
+    def supports_cipher(cls, cipher, with_curve=None):
+        return GnuTLS.cipher_to_priority_str(cipher) is not None
+
+    @classmethod
+    def supports_signature(cls, signature):
+        return GnuTLS.sigalg_to_priority_str(signature) is not None

data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_client_authentication.py

@@ -4,7 +4,7 @@ import pytest
 import time
 
 from configuration import (available_ports, ALL_TEST_CIPHERS, ALL_TEST_CURVES,
-    ALL_TEST_CERTS, PROTOCOLS)
+                           ALL_TEST_CERTS, PROTOCOLS)
 from common import Certificates, ProviderOptions, Protocols, data_bytes
 from fixtures import managed_process
 from providers import Provider, S2N, OpenSSL
@@ -21,6 +21,7 @@ CERTS_TO_TEST = [
     Certificates.RSA_PSS_2048_SHA256,
 ]
 
+
 def assert_openssl_handshake_complete(results, is_complete=True):
     if is_complete:
         assert b'read finished' in results.stderr
@@ -32,18 +33,22 @@ def assert_openssl_handshake_complete(results, is_complete=True):
 def assert_s2n_handshake_complete(results, protocol, provider, is_complete=True):
     expected_version = get_expected_s2n_version(protocol, provider)
     if is_complete:
-        assert to_bytes("Actual protocol version: {}".format(expected_version)) in results.stdout
+        assert to_bytes("Actual protocol version: {}".format(
+            expected_version)) in results.stdout
     else:
-        assert to_bytes("Actual protocol version: {}".format(expected_version)) not in results.stdout
+        assert to_bytes("Actual protocol version: {}".format(
+            expected_version)) not in results.stdout
 
 
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
 @pytest.mark.parametrize("provider", [OpenSSL], ids=get_parameter_name)
+@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
 @pytest.mark.parametrize("protocol", PROTOCOLS, ids=get_parameter_name)
 @pytest.mark.parametrize("cipher", ALL_TEST_CIPHERS, ids=get_parameter_name)
 @pytest.mark.parametrize("certificate", CERTS_TO_TEST, ids=get_parameter_name)
 @pytest.mark.parametrize("client_certificate", CERTS_TO_TEST, ids=get_parameter_name)
-def test_client_auth_with_s2n_server(managed_process, cipher, provider, protocol, certificate, client_certificate):
+def test_client_auth_with_s2n_server(managed_process, provider, other_provider, protocol, cipher, certificate,
+                                     client_certificate):
     port = next(available_ports)
 
     random_bytes = data_bytes(64)
@@ -76,7 +81,6 @@ def test_client_auth_with_s2n_server(managed_process, cipher, provider, protocol
         assert b'write certificate verify' in results.stderr
         assert_openssl_handshake_complete(results)
 
-
     # S2N should successfully connect
     for results in server.get_results():
         results.assert_success()
@@ -86,11 +90,13 @@ def test_client_auth_with_s2n_server(managed_process, cipher, provider, protocol
 
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
 @pytest.mark.parametrize("provider", [OpenSSL], ids=get_parameter_name)
+@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
 @pytest.mark.parametrize("protocol", PROTOCOLS, ids=get_parameter_name)
 @pytest.mark.parametrize("cipher", ALL_TEST_CIPHERS, ids=get_parameter_name)
 @pytest.mark.parametrize("certificate", CERTS_TO_TEST, ids=get_parameter_name)
 @pytest.mark.parametrize("client_certificate", CERTS_TO_TEST, ids=get_parameter_name)
-def test_client_auth_with_s2n_server_using_nonmatching_certs(managed_process, cipher, provider, protocol, certificate, client_certificate):
+def test_client_auth_with_s2n_server_using_nonmatching_certs(managed_process, provider, other_provider, protocol,
+                                                             cipher, certificate, client_certificate):
     port = next(available_ports)
 
     client_options = ProviderOptions(
@@ -112,7 +118,7 @@ def test_client_auth_with_s2n_server_using_nonmatching_certs(managed_process, ci
     server_options.cert = certificate.cert
 
     # Tell the server to expect the wrong certificate
-    server_options.trust_store=Certificates.RSA_2048_SHA256_WILDCARD.cert
+    server_options.trust_store = Certificates.RSA_2048_SHA256_WILDCARD.cert
 
     server = managed_process(S2N, server_options, timeout=5)
     client = managed_process(OpenSSL, client_options, timeout=5)
@@ -138,10 +144,11 @@ def test_client_auth_with_s2n_server_using_nonmatching_certs(managed_process, ci
 
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
 @pytest.mark.parametrize("provider", [OpenSSL], ids=get_parameter_name)
+@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
 @pytest.mark.parametrize("protocol", PROTOCOLS, ids=get_parameter_name)
 @pytest.mark.parametrize("cipher", ALL_TEST_CIPHERS, ids=get_parameter_name)
 @pytest.mark.parametrize("certificate", CERTS_TO_TEST, ids=get_parameter_name)
-def test_client_auth_with_s2n_client_no_cert(managed_process, cipher, protocol, provider, certificate):
+def test_client_auth_with_s2n_client_no_cert(managed_process, provider, other_provider, protocol, cipher, certificate):
     port = next(available_ports)
 
     random_bytes = data_bytes(64)
@@ -174,20 +181,22 @@ def test_client_auth_with_s2n_client_no_cert(managed_process, cipher, protocol,
 
     for results in client.get_results():
         assert results.exception is None
-         # TLS1.3 OpenSSL fails after the handshake, but pre-TLS1.3 fails during
+        # TLS1.3 OpenSSL fails after the handshake, but pre-TLS1.3 fails during
         if protocol is not Protocols.TLS13:
-            assert (results.exit_code != 0) 
+            assert (results.exit_code != 0)
             assert b"Failed to negotiate: 'TLS alert received'" in results.stderr
             assert_s2n_handshake_complete(results, protocol, provider, False)
 
 
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
 @pytest.mark.parametrize("provider", [OpenSSL], ids=get_parameter_name)
+@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
 @pytest.mark.parametrize("protocol", PROTOCOLS, ids=get_parameter_name)
 @pytest.mark.parametrize("cipher", ALL_TEST_CIPHERS, ids=get_parameter_name)
 @pytest.mark.parametrize("certificate", CERTS_TO_TEST, ids=get_parameter_name)
 @pytest.mark.parametrize("client_certificate", CERTS_TO_TEST, ids=get_parameter_name)
-def test_client_auth_with_s2n_client_with_cert(managed_process, cipher, protocol, provider, certificate, client_certificate):
+def test_client_auth_with_s2n_client_with_cert(managed_process, provider, other_provider, protocol, cipher, certificate,
+                                               client_certificate):
     port = next(available_ports)
 
     random_bytes = data_bytes(64)