aws-crt 0.1.5 → 0.1.6

data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_external_psk.py

@@ -18,15 +18,15 @@ known_psk_identity = '2c035d829359ee5ff7af4ec900000000262a6494dc486d2c8a34cb33fa
 known_psk_secret = '4ecd0eb6ec3b4d87f5d6028f922ca4c5851a277fd41311c9e62d2c9492e1c4f3'
 
 # Arbitrary test vectors
-PSK_IDENTITY_LIST = [ known_psk_identity, 'psk_identity', 'test_psk_identity' ]
-PSK_SECRET_LIST = [ known_psk_secret, 'a6dadae4567876', 'a64dafcd0fc67d2a' ]
+PSK_IDENTITY_LIST = [known_psk_identity, 'psk_identity', 'test_psk_identity']
+PSK_SECRET_LIST = [known_psk_secret, 'a6dadae4567876', 'a64dafcd0fc67d2a']
 PSK_IDENTITY_NO_MATCH = "PSK_IDENTITY_NO_MATCH"
 PSK_SECRET_NO_MATCH = "e9492e1c"
 PSK_IDENTITY_NO_MATCH_2 = "PSK_IDENTITY_NO_MATCH_2"
 PSK_SECRET_NO_MATCH_2 = "c1e29493fd"
 
-ALL_TEST_CERTS_WITH_EMPTY_CERT = ALL_TEST_CERTS + [ None ]
-PSK_PROVIDERS = [ OpenSSL, S2N ] 
+ALL_TEST_CERTS_WITH_EMPTY_CERT = ALL_TEST_CERTS + [None]
+PSK_PROVIDERS = [OpenSSL, S2N]
 
 
 class Outcome(Enum):
@@ -36,11 +36,11 @@ class Outcome(Enum):
 
 
 def setup_s2n_psk_params(psk_identity, psk_secret, psk_hash_alg):
-    return [ '--psk', psk_identity + ',' + psk_secret + ',' + psk_hash_alg ]
+    return ['--psk', psk_identity + ',' + psk_secret + ',' + psk_hash_alg]
 
 
 def setup_openssl_psk_params(psk_identity, psk_secret):
-    return [ '-psk_identity', psk_identity, '--psk', psk_secret ]
+    return ['-psk_identity', psk_identity, '--psk', psk_secret]
 
 
 def setup_provider_options(mode, port, cipher, curve, certificate, data_to_send, client_psk_params):
@@ -65,18 +65,18 @@ def get_psk_hash_alg_from_cipher(cipher):
     # S2N supports only SHA256 and SHA384 PSK Hash Algorithms
     if 'SHA256' in cipher.name:
         return 'SHA256'
-    elif 'SHA384' in cipher.name: 
+    elif 'SHA384' in cipher.name:
         return 'SHA384'
     else:
         return None
 
-   
+
 def skip_invalid_psk_tests(provider, psk_hash_alg):
-    # If the PSK hash algorithm is None, it is not supported and we can safely skip the test case. 
+    # If the PSK hash algorithm is None, it is not supported and we can safely skip the test case.
     if psk_hash_alg is None:
         pytest.skip()
 
-    # In OpenSSL, PSK works only with TLS1.3 ciphersuites based on SHA256 hash algorithm which includes 
+    # In OpenSSL, PSK works only with TLS1.3 ciphersuites based on SHA256 hash algorithm which includes
     # all TLS1.3 ciphersuites supported by S2N except TLS_AES_256_GCM_SHA384.
     if provider == OpenSSL and psk_hash_alg == 'SHA384':
         pytest.skip()
@@ -84,63 +84,87 @@ def skip_invalid_psk_tests(provider, psk_hash_alg):
 
 def validate_negotiated_psk_s2n(outcome, psk_identity, results):
     if outcome == Outcome.psk_connection:
-        assert to_bytes("Negotiated PSK identity: {}".format(psk_identity)) in results.stdout
+        assert to_bytes("Negotiated PSK identity: {}".format(
+            psk_identity)) in results.stdout
     elif outcome == Outcome.full_handshake:
-        assert to_bytes("Negotiated PSK identity: {}".format(psk_identity)) not in results.stdout
+        assert to_bytes("Negotiated PSK identity: {}".format(
+            psk_identity)) not in results.stdout
     else:
         assert results.exit_code != 0
-        assert to_bytes("Failed to negotiate: 'TLS alert received'") in results.stderr
+        assert to_bytes(
+            "Failed to negotiate: 'TLS alert received'") in results.stderr
 
 
 def validate_negotiated_psk_openssl(outcome, results):
     if outcome == Outcome.psk_connection:
         assert to_bytes("extension \"psk\"") in results.stdout
     elif outcome == Outcome.full_handshake:
-        assert to_bytes("SSL_connect:SSLv3/TLS read server certificate") in results.stderr
+        assert to_bytes(
+            "SSL_connect:SSLv3/TLS read server certificate") in results.stderr
     else:
         assert to_bytes("SSL_accept:error in error") in results.stderr
 
 
+def test_nothing():
+    """
+    Sometimes the external psk test parameters in combination with the s2n libcrypto
+    results in no test cases existing. In this case, pass a nothing test to avoid
+    marking the entire codebuild run as failed.
+    """
+    assert True
+
+
 """
 Basic S2N server happy case.
 
 Tests a single psk connection with no fallback option.
 """
+
+
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
 @pytest.mark.parametrize("cipher", TLS13_CIPHERS, ids=get_parameter_name)
 @pytest.mark.parametrize("curve", ALL_TEST_CURVES, ids=get_parameter_name)
 @pytest.mark.parametrize("protocol", [Protocols.TLS13], ids=get_parameter_name)
 @pytest.mark.parametrize("provider", PSK_PROVIDERS, ids=get_parameter_name)
+@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
 @pytest.mark.parametrize("psk_identity", PSK_IDENTITY_LIST, ids=get_parameter_name)
 @pytest.mark.parametrize("psk_secret", PSK_SECRET_LIST, ids=get_parameter_name)
-def test_s2n_server_psk_connection(managed_process, cipher, curve, protocol, provider, psk_identity, psk_secret):
+def test_s2n_server_psk_connection(managed_process, cipher, curve, protocol, provider, other_provider, psk_identity,
+                                   psk_secret):
     port = next(available_ports)
     random_bytes = data_bytes(10)
     psk_hash_alg = get_psk_hash_alg_from_cipher(cipher)
     skip_invalid_psk_tests(provider, psk_hash_alg)
 
     if provider == S2N:
-        client_psk_params = setup_s2n_psk_params(psk_identity, psk_secret, psk_hash_alg)
+        client_psk_params = setup_s2n_psk_params(
+            psk_identity, psk_secret, psk_hash_alg)
     else:
         client_psk_params = setup_openssl_psk_params(psk_identity, psk_secret)
-    client_options = setup_provider_options(provider.ClientMode, port, cipher, curve, None, random_bytes, client_psk_params)
+    client_options = setup_provider_options(
+        provider.ClientMode, port, cipher, curve, None, random_bytes, client_psk_params)
 
-    server_psk_params = setup_s2n_psk_params(psk_identity, psk_secret, psk_hash_alg)
-    server_options = setup_provider_options(S2N.ServerMode, port, cipher, curve, None, None, server_psk_params)
+    server_psk_params = setup_s2n_psk_params(
+        psk_identity, psk_secret, psk_hash_alg)
+    server_options = setup_provider_options(
+        S2N.ServerMode, port, cipher, curve, None, None, server_psk_params)
 
-    server = managed_process(S2N, server_options, timeout=5, close_marker=str(random_bytes))
+    server = managed_process(
+        S2N, server_options, timeout=5, close_marker=str(random_bytes))
     client = managed_process(provider, client_options, timeout=5)
 
     for results in client.get_results():
         results.assert_success()
         if provider == S2N:
-            validate_negotiated_psk_s2n(Outcome.psk_connection, psk_identity, results)
+            validate_negotiated_psk_s2n(
+                Outcome.psk_connection, psk_identity, results)
         else:
             validate_negotiated_psk_openssl(Outcome.psk_connection, results)
 
     for results in server.get_results():
         results.assert_success()
-        validate_negotiated_psk_s2n(Outcome.psk_connection, psk_identity, results)
+        validate_negotiated_psk_s2n(
+            Outcome.psk_connection, psk_identity, results)
         assert random_bytes in results.stdout
 
 
@@ -149,14 +173,18 @@ Tests S2N server's behavior with multiple PSKs and no fallback options.
 
 Note that OpenSSL does not support multiple PSKs. 
 """
+
+
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
 @pytest.mark.parametrize("cipher", TLS13_CIPHERS, ids=get_parameter_name)
 @pytest.mark.parametrize("curve", ALL_TEST_CURVES, ids=get_parameter_name)
 @pytest.mark.parametrize("protocol", [Protocols.TLS13], ids=get_parameter_name)
 @pytest.mark.parametrize("provider", PSK_PROVIDERS, ids=get_parameter_name)
+@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
 @pytest.mark.parametrize("psk_identity", PSK_IDENTITY_LIST, ids=get_parameter_name)
 @pytest.mark.parametrize("psk_secret", PSK_SECRET_LIST, ids=get_parameter_name)
-def test_s2n_server_multiple_psks(managed_process, cipher, curve, protocol, provider, psk_identity, psk_secret):
+def test_s2n_server_multiple_psks(managed_process, cipher, curve, protocol, provider, other_provider, psk_identity,
+                                  psk_secret):
     port = next(available_ports)
     random_bytes = data_bytes(10)
     psk_hash_alg = get_psk_hash_alg_from_cipher(cipher)
@@ -168,30 +196,41 @@ def test_s2n_server_multiple_psks(managed_process, cipher, curve, protocol, prov
         OpenSSL Provider does not support multiple PSKs in the same connection, 
         the last psk parameter is the psk parameter used in the connection. 
         """
-        client_psk_params.extend(setup_openssl_psk_params(PSK_IDENTITY_NO_MATCH, PSK_SECRET_NO_MATCH))
-        client_psk_params.extend(setup_openssl_psk_params(psk_identity, psk_secret))
+        client_psk_params.extend(setup_openssl_psk_params(
+            PSK_IDENTITY_NO_MATCH, PSK_SECRET_NO_MATCH))
+        client_psk_params.extend(
+            setup_openssl_psk_params(psk_identity, psk_secret))
     else:
-        client_psk_params.extend(setup_s2n_psk_params(PSK_IDENTITY_NO_MATCH, PSK_SECRET_NO_MATCH, psk_hash_alg))
-        client_psk_params.extend(setup_s2n_psk_params(psk_identity, psk_secret, psk_hash_alg))
-    client_options = setup_provider_options(provider.ClientMode, port, cipher, curve, None, random_bytes, client_psk_params)
-
-    server_psk_params = setup_s2n_psk_params(psk_identity, psk_secret, psk_hash_alg)
-    server_psk_params.extend(setup_s2n_psk_params(PSK_IDENTITY_NO_MATCH_2, PSK_SECRET_NO_MATCH_2, psk_hash_alg))
-    server_options = setup_provider_options(S2N.ServerMode, port, cipher, curve, None, None, server_psk_params)
-
-    server = managed_process(S2N, server_options, timeout=5, close_marker=str(random_bytes))
+        client_psk_params.extend(setup_s2n_psk_params(
+            PSK_IDENTITY_NO_MATCH, PSK_SECRET_NO_MATCH, psk_hash_alg))
+        client_psk_params.extend(setup_s2n_psk_params(
+            psk_identity, psk_secret, psk_hash_alg))
+    client_options = setup_provider_options(
+        provider.ClientMode, port, cipher, curve, None, random_bytes, client_psk_params)
+
+    server_psk_params = setup_s2n_psk_params(
+        psk_identity, psk_secret, psk_hash_alg)
+    server_psk_params.extend(setup_s2n_psk_params(
+        PSK_IDENTITY_NO_MATCH_2, PSK_SECRET_NO_MATCH_2, psk_hash_alg))
+    server_options = setup_provider_options(
+        S2N.ServerMode, port, cipher, curve, None, None, server_psk_params)
+
+    server = managed_process(
+        S2N, server_options, timeout=5, close_marker=str(random_bytes))
     client = managed_process(provider, client_options, timeout=5)
 
     for results in client.get_results():
         results.assert_success()
         if provider == S2N:
-            validate_negotiated_psk_s2n(Outcome.psk_connection, psk_identity, results)
+            validate_negotiated_psk_s2n(
+                Outcome.psk_connection, psk_identity, results)
         else:
             validate_negotiated_psk_openssl(Outcome.psk_connection, results)
 
     for results in server.get_results():
         results.assert_success()
-        validate_negotiated_psk_s2n(Outcome.psk_connection, psk_identity, results)
+        validate_negotiated_psk_s2n(
+            Outcome.psk_connection, psk_identity, results)
         assert random_bytes in results.stdout
 
 
@@ -204,42 +243,53 @@ Note that S2N Server succeeds with a full handshake when an invalid PSK paramete
 certificate is provided as the input, as S2N Server uses a default certificate if a certificate is not provided 
 as the input.
 """
+
+
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
 @pytest.mark.parametrize("cipher", TLS13_CIPHERS, ids=get_parameter_name)
 @pytest.mark.parametrize("curve", ALL_TEST_CURVES, ids=get_parameter_name)
 @pytest.mark.parametrize("protocol", [Protocols.TLS13], ids=get_parameter_name)
 @pytest.mark.parametrize("provider", PSK_PROVIDERS, ids=get_parameter_name)
+@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
 @pytest.mark.parametrize("psk_identity", PSK_IDENTITY_LIST, ids=get_parameter_name)
 @pytest.mark.parametrize("psk_secret", PSK_SECRET_LIST, ids=get_parameter_name)
 @pytest.mark.parametrize("certificate", ALL_TEST_CERTS_WITH_EMPTY_CERT, ids=get_parameter_name)
-def test_s2n_server_full_handshake(managed_process, cipher, curve, protocol, provider, psk_identity, psk_secret, certificate):
+def test_s2n_server_full_handshake(managed_process, cipher, curve, protocol, provider, other_provider, psk_identity,
+                                   psk_secret, certificate):
     port = next(available_ports)
     random_bytes = data_bytes(10)
     psk_hash_alg = get_psk_hash_alg_from_cipher(cipher)
     skip_invalid_psk_tests(provider, psk_hash_alg)
 
     if provider == S2N:
-        client_psk_params = setup_s2n_psk_params(psk_identity, psk_secret, psk_hash_alg)
+        client_psk_params = setup_s2n_psk_params(
+            psk_identity, psk_secret, psk_hash_alg)
     else:
         client_psk_params = setup_openssl_psk_params(psk_identity, psk_secret)
-    client_options = setup_provider_options(provider.ClientMode, port, cipher, curve, certificate, random_bytes, client_psk_params)
+    client_options = setup_provider_options(
+        provider.ClientMode, port, cipher, curve, certificate, random_bytes, client_psk_params)
 
-    server_psk_params = setup_s2n_psk_params(PSK_IDENTITY_NO_MATCH, PSK_SECRET_NO_MATCH, psk_hash_alg)
-    server_options = setup_provider_options(S2N.ServerMode, port, cipher, curve, certificate, None, server_psk_params)
+    server_psk_params = setup_s2n_psk_params(
+        PSK_IDENTITY_NO_MATCH, PSK_SECRET_NO_MATCH, psk_hash_alg)
+    server_options = setup_provider_options(
+        S2N.ServerMode, port, cipher, curve, certificate, None, server_psk_params)
 
-    server = managed_process(S2N, server_options, timeout=5, close_marker=str(random_bytes))
+    server = managed_process(
+        S2N, server_options, timeout=5, close_marker=str(random_bytes))
     client = managed_process(provider, client_options, timeout=5)
 
     for results in client.get_results():
         results.assert_success()
         if provider == S2N:
-            validate_negotiated_psk_s2n(Outcome.full_handshake, psk_identity, results)
+            validate_negotiated_psk_s2n(
+                Outcome.full_handshake, psk_identity, results)
         else:
             validate_negotiated_psk_openssl(Outcome.full_handshake, results)
 
     for results in server.get_results():
         results.assert_success()
-        validate_negotiated_psk_s2n(Outcome.full_handshake, PSK_IDENTITY_NO_MATCH, results)
+        validate_negotiated_psk_s2n(
+            Outcome.full_handshake, PSK_IDENTITY_NO_MATCH, results)
         assert random_bytes in results.stdout
 
 
@@ -248,40 +298,51 @@ Basic S2N client happy case.
 
 Tests a single psk connection with no fallback option.
 """
+
+
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
 @pytest.mark.parametrize("cipher", TLS13_CIPHERS, ids=get_parameter_name)
 @pytest.mark.parametrize("curve", ALL_TEST_CURVES, ids=get_parameter_name)
 @pytest.mark.parametrize("protocol", [Protocols.TLS13], ids=get_parameter_name)
 @pytest.mark.parametrize("provider", PSK_PROVIDERS, ids=get_parameter_name)
+@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
 @pytest.mark.parametrize("psk_identity", PSK_IDENTITY_LIST, ids=get_parameter_name)
 @pytest.mark.parametrize("psk_secret", PSK_SECRET_LIST, ids=get_parameter_name)
-def test_s2n_client_psk_connection(managed_process, cipher, curve, protocol, provider, psk_identity, psk_secret):
+def test_s2n_client_psk_connection(managed_process, cipher, curve, protocol, provider, other_provider, psk_identity,
+                                   psk_secret):
     port = next(available_ports)
     random_bytes = data_bytes(10)
     psk_hash_alg = get_psk_hash_alg_from_cipher(cipher)
     skip_invalid_psk_tests(provider, psk_hash_alg)
 
-    client_psk_params = setup_s2n_psk_params(psk_identity, psk_secret, psk_hash_alg)
-    client_options = setup_provider_options(S2N.ClientMode, port, cipher, curve, None, random_bytes, client_psk_params)
+    client_psk_params = setup_s2n_psk_params(
+        psk_identity, psk_secret, psk_hash_alg)
+    client_options = setup_provider_options(
+        S2N.ClientMode, port, cipher, curve, None, random_bytes, client_psk_params)
 
     if provider == S2N:
-        server_psk_params = setup_s2n_psk_params(psk_identity, psk_secret, psk_hash_alg)
+        server_psk_params = setup_s2n_psk_params(
+            psk_identity, psk_secret, psk_hash_alg)
     else:
         server_psk_params = setup_openssl_psk_params(psk_identity, psk_secret)
-        server_psk_params += [ '-nocert' ]
-    server_options = setup_provider_options(provider.ServerMode, port, cipher, curve, None, None, server_psk_params)
+        server_psk_params += ['-nocert']
+    server_options = setup_provider_options(
+        provider.ServerMode, port, cipher, curve, None, None, server_psk_params)
 
-    server = managed_process(provider, server_options, timeout=5, close_marker=str(random_bytes))
+    server = managed_process(provider, server_options,
+                             timeout=5, close_marker=str(random_bytes))
     client = managed_process(S2N, client_options, timeout=5)
 
     for results in client.get_results():
         results.assert_success()
-        validate_negotiated_psk_s2n(Outcome.psk_connection, psk_identity, results)
+        validate_negotiated_psk_s2n(
+            Outcome.psk_connection, psk_identity, results)
 
     for results in server.get_results():
         results.assert_success()
         if provider == S2N:
-            validate_negotiated_psk_s2n(Outcome.psk_connection, psk_identity, results)
+            validate_negotiated_psk_s2n(
+                Outcome.psk_connection, psk_identity, results)
         else:
             validate_negotiated_psk_openssl(Outcome.psk_connection, results)
         assert random_bytes in results.stdout
@@ -292,22 +353,29 @@ Tests S2N client's behavior with multiple PSKs and no fallback option.
 
 Note that OpenSSL does not support multiple PSKs. 
 """
+
+
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
 @pytest.mark.parametrize("cipher", TLS13_CIPHERS, ids=get_parameter_name)
 @pytest.mark.parametrize("curve", ALL_TEST_CURVES, ids=get_parameter_name)
 @pytest.mark.parametrize("protocol", [Protocols.TLS13], ids=get_parameter_name)
 @pytest.mark.parametrize("provider", PSK_PROVIDERS, ids=get_parameter_name)
+@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
 @pytest.mark.parametrize("psk_identity", PSK_IDENTITY_LIST, ids=get_parameter_name)
 @pytest.mark.parametrize("psk_secret", PSK_SECRET_LIST, ids=get_parameter_name)
-def test_s2n_client_multiple_psks(managed_process, cipher, curve, protocol, provider, psk_identity, psk_secret):
+def test_s2n_client_multiple_psks(managed_process, cipher, curve, protocol, provider, other_provider, psk_identity,
+                                  psk_secret):
     port = next(available_ports)
     random_bytes = data_bytes(10)
     psk_hash_alg = get_psk_hash_alg_from_cipher(cipher)
     skip_invalid_psk_tests(provider, psk_hash_alg)
 
-    client_psk_params = setup_s2n_psk_params(psk_identity, psk_secret, psk_hash_alg)
-    client_psk_params.extend(setup_s2n_psk_params(PSK_IDENTITY_NO_MATCH, PSK_SECRET_NO_MATCH, psk_hash_alg))
-    client_options = setup_provider_options(S2N.ClientMode, port, cipher, curve, None, random_bytes, client_psk_params)
+    client_psk_params = setup_s2n_psk_params(
+        psk_identity, psk_secret, psk_hash_alg)
+    client_psk_params.extend(setup_s2n_psk_params(
+        PSK_IDENTITY_NO_MATCH, PSK_SECRET_NO_MATCH, psk_hash_alg))
+    client_options = setup_provider_options(
+        S2N.ClientMode, port, cipher, curve, None, random_bytes, client_psk_params)
 
     server_psk_params = []
     if provider == OpenSSL:
@@ -315,25 +383,33 @@ def test_s2n_client_multiple_psks(managed_process, cipher, curve, protocol, prov
         OpenSSL Provider does not support multiple PSKs in the same connection, 
         the last psk params is the final psk used in the connection. 
         """
-        server_psk_params.extend(setup_openssl_psk_params(PSK_IDENTITY_NO_MATCH_2, PSK_SECRET_NO_MATCH_2))
-        server_psk_params.extend(setup_openssl_psk_params(psk_identity, psk_secret))
-        server_psk_params += [ '-nocert' ]
+        server_psk_params.extend(setup_openssl_psk_params(
+            PSK_IDENTITY_NO_MATCH_2, PSK_SECRET_NO_MATCH_2))
+        server_psk_params.extend(
+            setup_openssl_psk_params(psk_identity, psk_secret))
+        server_psk_params += ['-nocert']
     else:
-        server_psk_params.extend(setup_s2n_psk_params(PSK_IDENTITY_NO_MATCH_2, PSK_SECRET_NO_MATCH_2, psk_hash_alg))
-        server_psk_params.extend(setup_s2n_psk_params(psk_identity, psk_secret, psk_hash_alg))
-    server_options = setup_provider_options(provider.ServerMode, port, cipher, curve, None, None, server_psk_params)
-
-    server = managed_process(provider, server_options, timeout=5, close_marker=str(random_bytes))
+        server_psk_params.extend(setup_s2n_psk_params(
+            PSK_IDENTITY_NO_MATCH_2, PSK_SECRET_NO_MATCH_2, psk_hash_alg))
+        server_psk_params.extend(setup_s2n_psk_params(
+            psk_identity, psk_secret, psk_hash_alg))
+    server_options = setup_provider_options(
+        provider.ServerMode, port, cipher, curve, None, None, server_psk_params)
+
+    server = managed_process(provider, server_options,
+                             timeout=5, close_marker=str(random_bytes))
     client = managed_process(S2N, client_options, timeout=5)
 
     for results in client.get_results():
         results.assert_success()
-        validate_negotiated_psk_s2n(Outcome.psk_connection, psk_identity, results)
+        validate_negotiated_psk_s2n(
+            Outcome.psk_connection, psk_identity, results)
 
     for results in server.get_results():
         results.assert_success()
         if provider == S2N:
-            validate_negotiated_psk_s2n(Outcome.psk_connection, psk_identity, results)
+            validate_negotiated_psk_s2n(
+                Outcome.psk_connection, psk_identity, results)
         else:
             validate_negotiated_psk_openssl(Outcome.psk_connection, results)
         assert random_bytes in results.stdout
@@ -346,6 +422,8 @@ and an invalid certificate is provided as the input.
 Note that we cannot use S2N Server as a provider input for this test as S2N Server 
 uses a default certificate if a certificate is not provided as the input.
 """
+
+
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
 @pytest.mark.parametrize("cipher", TLS13_CIPHERS, ids=get_parameter_name)
 @pytest.mark.parametrize("curve", ALL_TEST_CURVES, ids=get_parameter_name)
@@ -359,22 +437,28 @@ def test_s2n_client_psk_handshake_failure(managed_process, cipher, curve, protoc
     psk_hash_alg = get_psk_hash_alg_from_cipher(cipher)
     skip_invalid_psk_tests(provider, psk_hash_alg)
 
-    client_psk_params = setup_s2n_psk_params(psk_identity, psk_secret, psk_hash_alg)
-    client_options = setup_provider_options(S2N.ClientMode, port, cipher, curve, None, random_bytes, client_psk_params)
+    client_psk_params = setup_s2n_psk_params(
+        psk_identity, psk_secret, psk_hash_alg)
+    client_options = setup_provider_options(
+        S2N.ClientMode, port, cipher, curve, None, random_bytes, client_psk_params)
 
-    server_psk_params = setup_openssl_psk_params(PSK_IDENTITY_NO_MATCH, PSK_SECRET_NO_MATCH)
-    server_psk_params += [ '-nocert' ]
-    server_options = setup_provider_options(provider.ServerMode, port, cipher, curve, None, None, server_psk_params)
+    server_psk_params = setup_openssl_psk_params(
+        PSK_IDENTITY_NO_MATCH, PSK_SECRET_NO_MATCH)
+    server_psk_params += ['-nocert']
+    server_options = setup_provider_options(
+        provider.ServerMode, port, cipher, curve, None, None, server_psk_params)
 
-    server = managed_process(provider, server_options, timeout=5, close_marker=str(random_bytes))
+    server = managed_process(provider, server_options,
+                             timeout=5, close_marker=str(random_bytes))
     client = managed_process(S2N, client_options, timeout=5)
 
     for results in client.get_results():
-        assert to_bytes("Failed to negotiate: 'TLS alert received'") in results.stderr
-        validate_negotiated_psk_s2n(Outcome.handshake_failed, psk_identity, results)
+        assert to_bytes(
+            "Failed to negotiate: 'TLS alert received'") in results.stderr
+        validate_negotiated_psk_s2n(
+            Outcome.handshake_failed, psk_identity, results)
 
     for results in server.get_results():
         assert to_bytes("SSL_accept:error in error") in results.stderr
         validate_negotiated_psk_openssl(Outcome.handshake_failed, results)
         assert random_bytes not in results.stdout
-

data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_fragmentation.py

@@ -4,23 +4,32 @@ import pytest
 from configuration import available_ports, PROTOCOLS
 from common import ProviderOptions, Ciphers, Certificates, data_bytes
 from fixtures import managed_process
-from providers import Provider, S2N, OpenSSL
+from providers import Provider, S2N, OpenSSL, GnuTLS
 from utils import invalid_test_parameters, get_parameter_name, get_expected_s2n_version, to_bytes
 
 
-def multi_cipher_name(c):
-    return ':'.join([x.name for x in c])
+CIPHERS_TO_TEST = [
+    Ciphers.AES256_SHA,
+    Ciphers.ECDHE_ECDSA_AES256_SHA,
+    Ciphers.AES256_GCM_SHA384
+]
+
+CERTIFICATES_TO_TEST = [
+    Certificates.RSA_4096_SHA384,
+    Certificates.ECDSA_384
+]
 
 
-multi_cipher = [Ciphers.AES256_SHA, Ciphers.ECDHE_ECDSA_AES256_SHA]
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
-@pytest.mark.parametrize("multi_cipher", [multi_cipher], ids=multi_cipher_name)
-@pytest.mark.parametrize("provider", [OpenSSL])
+@pytest.mark.parametrize("cipher", CIPHERS_TO_TEST, ids=get_parameter_name)
+@pytest.mark.parametrize("provider", [OpenSSL, GnuTLS], ids=get_parameter_name)
+@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
 @pytest.mark.parametrize("protocol", PROTOCOLS, ids=get_parameter_name)
-@pytest.mark.parametrize("certificate", [Certificates.RSA_4096_SHA384, Certificates.ECDSA_384], ids=get_parameter_name)
-def test_s2n_server_low_latency(managed_process, multi_cipher, provider, protocol, certificate):
+@pytest.mark.parametrize("certificate", CERTIFICATES_TO_TEST, ids=get_parameter_name)
+def test_s2n_server_low_latency(managed_process, cipher, provider, other_provider, protocol, certificate):
     if provider is OpenSSL and 'openssl-1.0.2' in provider.get_version():
-        pytest.skip('{} does not allow setting max fragmentation for packets'.format(provider))
+        pytest.skip(
+            '{} does not allow setting max fragmentation for packets'.format(provider))
 
     port = next(available_ports)
 
@@ -28,7 +37,7 @@ def test_s2n_server_low_latency(managed_process, multi_cipher, provider, protoco
     client_options = ProviderOptions(
         mode=Provider.ClientMode,
         port=port,
-        cipher=multi_cipher,
+        cipher=cipher,
         data_to_send=random_bytes,
         insecure=True,
         protocol=protocol)
@@ -51,19 +60,35 @@ def test_s2n_server_low_latency(managed_process, multi_cipher, provider, protoco
 
     for results in server.get_results():
         results.assert_success()
-        assert to_bytes("Actual protocol version: {}".format(expected_version)) in results.stdout
+        assert to_bytes("Actual protocol version: {}".format(
+            expected_version)) in results.stdout
         assert random_bytes in results.stdout
 
 
-@pytest.mark.uncollect_if(func=invalid_test_parameters)
-@pytest.mark.parametrize("multi_cipher", [multi_cipher], ids=multi_cipher_name)
-@pytest.mark.parametrize("provider", [OpenSSL])
+def invalid_test_parameters_frag_len(*args, **kwargs):
+    provider = kwargs.get("provider")
+    frag_len = kwargs.get("frag_len")
+
+    # Check to make sure frag_len is compatible with gnutls.
+    if provider == GnuTLS:
+        if frag_len > 4096:
+            return True
+
+    return invalid_test_parameters(*args, **kwargs)
+
+
+@pytest.mark.uncollect_if(func=invalid_test_parameters_frag_len)
+@pytest.mark.parametrize("cipher", CIPHERS_TO_TEST, ids=get_parameter_name)
+@pytest.mark.parametrize("provider", [OpenSSL, GnuTLS], ids=get_parameter_name)
+@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
 @pytest.mark.parametrize("protocol", PROTOCOLS, ids=get_parameter_name)
-@pytest.mark.parametrize("certificate", [Certificates.RSA_4096_SHA384, Certificates.ECDSA_384], ids=get_parameter_name)
+@pytest.mark.parametrize("certificate", CERTIFICATES_TO_TEST, ids=get_parameter_name)
 @pytest.mark.parametrize("frag_len", [512, 2048, 8192, 12345, 16384], ids=get_parameter_name)
-def test_s2n_server_framented_data(managed_process, multi_cipher, provider, protocol, frag_len, certificate):
+def test_s2n_server_framented_data(managed_process, cipher, provider, other_provider, protocol, certificate,
+                                   frag_len):
     if provider is OpenSSL and 'openssl-1.0.2' in provider.get_version():
-        pytest.skip('{} does not allow setting max fragmentation for packets'.format(provider))
+        pytest.skip(
+            '{} does not allow setting max fragmentation for packets'.format(provider))
 
     port = next(available_ports)
 
@@ -71,11 +96,12 @@ def test_s2n_server_framented_data(managed_process, multi_cipher, provider, prot
     client_options = ProviderOptions(
         mode=Provider.ClientMode,
         port=port,
-        cipher=multi_cipher,
+        cipher=cipher,
         data_to_send=random_bytes,
         insecure=True,
-        extra_flags=['-max_send_frag', str(frag_len)],
-        protocol=protocol)
+        record_size=frag_len,
+        protocol=protocol
+    )
 
     server_options = copy.copy(client_options)
     server_options.extra_flags = None
@@ -88,12 +114,19 @@ def test_s2n_server_framented_data(managed_process, multi_cipher, provider, prot
     server = managed_process(S2N, server_options, timeout=5)
     client = managed_process(provider, client_options, timeout=5)
 
-    for results in client.get_results():
-        results.assert_success()
+    for client_results in client.get_results():
+        client_results.assert_success()
 
     expected_version = get_expected_s2n_version(protocol, provider)
 
-    for results in server.get_results():
-        results.assert_success()
-        assert to_bytes("Actual protocol version: {}".format(expected_version)) in results.stdout
-        assert random_bytes in results.stdout
+    for server_results in server.get_results():
+        server_results.assert_success()
+        assert to_bytes("Actual protocol version: {}".format(
+            expected_version)) in server_results.stdout
+
+        if provider == GnuTLS:
+            # GnuTLS ignores data sent through stdin past frag_len up to the application data
+            # packet length of 4096. so, just check to make sure data up to frag_len was received.
+            assert random_bytes[:frag_len] in server_results.stdout
+        else:
+            assert random_bytes in server_results.stdout