RubyGems - aws-crt - Versions diffs - 0.1.5 → 0.1.6 - Mend

aws-crt 0.1.5 → 0.1.6

Files changed (322) hide show

data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_happy_path.py CHANGED Viewed

@@ -4,17 +4,18 @@ import pytest
 from configuration import available_ports, ALL_TEST_CIPHERS, ALL_TEST_CURVES, ALL_TEST_CERTS, PROVIDERS, PROTOCOLS
 from common import ProviderOptions, Protocols, data_bytes
 from fixtures import managed_process
-from providers import Provider, S2N, OpenSSL, JavaSSL
+from providers import Provider, S2N, OpenSSL, JavaSSL, GnuTLS
 from utils import invalid_test_parameters, get_parameter_name, get_expected_s2n_version, to_bytes
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
 @pytest.mark.parametrize("cipher", ALL_TEST_CIPHERS, ids=get_parameter_name)
-@pytest.mark.parametrize("provider", PROVIDERS)
+@pytest.mark.parametrize("provider", [S2N, OpenSSL, GnuTLS, JavaSSL])
+@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
 @pytest.mark.parametrize("curve", ALL_TEST_CURVES, ids=get_parameter_name)
 @pytest.mark.parametrize("protocol", PROTOCOLS, ids=get_parameter_name)
 @pytest.mark.parametrize("certificate", ALL_TEST_CERTS, ids=get_parameter_name)
-def test_s2n_server_happy_path(managed_process, cipher, provider, curve, protocol, certificate):
+def test_s2n_server_happy_path(managed_process, cipher, provider, other_provider, curve, protocol, certificate):
     port = next(available_ports)
     # s2nd can receive large amounts of data because all the data is
@@ -31,7 +32,8 @@ def test_s2n_server_happy_path(managed_process, cipher, provider, curve, protoco
         curve=curve,
         data_to_send=random_bytes,
         insecure=True,
-        protocol=protocol)
+        protocol=protocol
+    )
     server_options = copy.copy(client_options)
     server_options.data_to_send = None
@@ -47,37 +49,41 @@ def test_s2n_server_happy_path(managed_process, cipher, provider, curve, protoco
     # The client will be one of all supported providers. We
     # just want to make sure there was no exception and that
     # the client exited cleanly.
-    for results in client.get_results():
-        results.assert_success()
+    for client_results in client.get_results():
+        client_results.assert_success()
     expected_version = get_expected_s2n_version(protocol, provider)
     # The server is always S2N in this test, so we can examine
     # the stdout reliably.
-    for results in server.get_results():
-        results.assert_success()
-        assert to_bytes("Actual protocol version: {}".format(expected_version)) in results.stdout
-        assert random_bytes in results.stdout
+    for server_results in server.get_results():
+        server_results.assert_success()
+        assert to_bytes("Actual protocol version: {}".format(
+            expected_version)) in server_results.stdout
+        assert random_bytes in server_results.stdout
         if provider is not S2N:
-            assert to_bytes("Cipher negotiated: {}".format(cipher.name)) in results.stdout
+            assert to_bytes("Cipher negotiated: {}".format(
+                cipher.name)) in server_results.stdout
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
 @pytest.mark.parametrize("cipher", ALL_TEST_CIPHERS, ids=get_parameter_name)
-@pytest.mark.parametrize("provider", [S2N, OpenSSL])
+@pytest.mark.parametrize("provider", [S2N, OpenSSL, GnuTLS])
+@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
 @pytest.mark.parametrize("curve", ALL_TEST_CURVES, ids=get_parameter_name)
 @pytest.mark.parametrize("protocol", PROTOCOLS, ids=get_parameter_name)
 @pytest.mark.parametrize("certificate", ALL_TEST_CERTS, ids=get_parameter_name)
-def test_s2n_client_happy_path(managed_process, cipher, provider, curve, protocol, certificate):
+def test_s2n_client_happy_path(managed_process, cipher, provider, other_provider, curve, protocol, certificate):
     port = next(available_ports)
-    # We can only send 4096 bytes here because of the way some servers chunk
-    # output (when writing to stdout). If we send 8192 bytes, then openssl
-    # will print some debugging information in the middle of our chunk.
-    # We still want that debugging data in case of a failure, so we just
-    # send less data, rather than lose debug information.
-    random_bytes = data_bytes(4096)
+    # We can only send 4096 - 1 (\n at the end) bytes here because of the
+    # way some servers chunk output (when writing to stdout). If we send
+    # 8192 bytes, then openssl will print some debugging information in
+    # the middle of our chunk. We still want that debugging data in case
+    # of a failure, so we just send less data, rather than lose debug
+    # information.
+    random_bytes = data_bytes(4095)
     client_options = ProviderOptions(
         mode=Provider.ClientMode,
         port=port,
@@ -85,7 +91,8 @@ def test_s2n_client_happy_path(managed_process, cipher, provider, curve, protoco
         curve=curve,
         data_to_send=random_bytes,
         insecure=True,
-        protocol=protocol)
+        protocol=protocol,
+    )
     server_options = copy.copy(client_options)
     server_options.data_to_send = None
@@ -93,23 +100,30 @@ def test_s2n_client_happy_path(managed_process, cipher, provider, curve, protoco
     server_options.key = certificate.key
     server_options.cert = certificate.cert
+    kill_marker = None
+    if provider == GnuTLS:
+        kill_marker = random_bytes
     # Passing the type of client and server as a parameter will
     # allow us to use a fixture to enumerate all possibilities.
-    server = managed_process(provider, server_options, timeout=5)
+    server = managed_process(provider, server_options,
+                             timeout=5, kill_marker=kill_marker)
     client = managed_process(S2N, client_options, timeout=5)
     expected_version = get_expected_s2n_version(protocol, provider)
     # The client is always S2N in this test, so we can examine
     # the stdout reliably.
-    for results in client.get_results():
-        results.assert_success()
-        assert to_bytes("Actual protocol version: {}".format(expected_version)) in results.stdout
+    for client_results in client.get_results():
+        client_results.assert_success()
+        assert to_bytes("Actual protocol version: {}".format(
+            expected_version)) in client_results.stdout
     # The server will be one of all supported providers. We
     # just want to make sure there was no exception and that
     # the client exited cleanly.
-    for results in server.get_results():
-        results.assert_success()
-        # Avoid debugging information that sometimes gets inserted after the first character
-        assert random_bytes[1:] in results.stdout
+    for server_results in server.get_results():
+        server_results.assert_success()
+        # Avoid debugging information that sometimes gets inserted after the first character.
+        assert any(
+            [random_bytes[1:] in stream for stream in server_results.output_streams()])

data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_hello_retry_requests.py CHANGED Viewed

@@ -20,16 +20,27 @@ CURVE_NAMES = {
     "P-521": "secp521r1"
 }
+def test_nothing():
+    """
+    Sometimes the hello retry test parameters in combination with the s2n libcrypto
+    results in no test cases existing. In this case, pass a nothing test to avoid
+    marking the entire codebuild run as failed.
+    """
+    assert True
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
 @pytest.mark.parametrize("cipher", TLS13_CIPHERS, ids=get_parameter_name)
 @pytest.mark.parametrize("provider", [OpenSSL])
+@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
 @pytest.mark.parametrize("curve", ALL_TEST_CURVES, ids=get_parameter_name)
 @pytest.mark.parametrize("protocol", [Protocols.TLS13], ids=get_parameter_name)
 @pytest.mark.parametrize("certificate", ALL_TEST_CERTS, ids=get_parameter_name)
-def test_hrr_with_s2n_as_client(managed_process, cipher, provider, curve, protocol, certificate):
+def test_hrr_with_s2n_as_client(managed_process, cipher, provider, other_provider, curve, protocol, certificate):
     if curve == S2N_DEFAULT_CURVE:
         pytest.skip("No retry if server curve matches client curve")
     port = next(available_ports)
     random_bytes = data_bytes(64)
@@ -57,7 +68,8 @@ def test_hrr_with_s2n_as_client(managed_process, cipher, provider, curve, protoc
     # The client should connect and return without error
     for results in client.get_results():
         results.assert_success()
-        assert to_bytes("Curve: {}".format(CURVE_NAMES[curve.name])) in results.stdout
+        assert to_bytes("Curve: {}".format(
+            CURVE_NAMES[curve.name])) in results.stdout
         assert S2N_HRR_MARKER in results.stdout
     marker_part1 = b"cf 21 ad 74 e5"
@@ -67,17 +79,19 @@ def test_hrr_with_s2n_as_client(managed_process, cipher, provider, curve, protoc
         results.assert_success()
         assert marker_part1 in results.stdout and marker_part2 in results.stdout
         assert b'Supported Elliptic Groups: X25519:P-256:P-384' in results.stdout
-        assert to_bytes("Shared Elliptic groups: {}".format(server_options.curve)) in results.stdout
+        assert to_bytes("Shared Elliptic groups: {}".format(
+            server_options.curve)) in results.stdout
         assert random_bytes in results.stdout
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
 @pytest.mark.parametrize("cipher", TLS13_CIPHERS, ids=get_parameter_name)
 @pytest.mark.parametrize("provider", [OpenSSL])
+@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
 @pytest.mark.parametrize("curve", ALL_TEST_CURVES, ids=get_parameter_name)
 @pytest.mark.parametrize("protocol", [Protocols.TLS13], ids=get_parameter_name)
 @pytest.mark.parametrize("certificate", ALL_TEST_CERTS, ids=get_parameter_name)
-def test_hrr_with_s2n_as_server(managed_process, cipher, provider, curve, protocol, certificate):
+def test_hrr_with_s2n_as_server(managed_process, cipher, provider, other_provider, curve, protocol, certificate):
     port = next(available_ports)
     random_bytes = data_bytes(64)
@@ -88,7 +102,7 @@ def test_hrr_with_s2n_as_server(managed_process, cipher, provider, curve, protoc
         data_to_send=random_bytes,
         insecure=True,
         curve=curve,
-        extra_flags = ['-msg', '-curves', 'X448:'+str(curve)],
+        extra_flags=['-msg', '-curves', 'X448:'+str(curve)],
         protocol=protocol)
     server_options = copy.copy(client_options)
@@ -107,7 +121,8 @@ def test_hrr_with_s2n_as_server(managed_process, cipher, provider, curve, protoc
     for results in server.get_results():
         results.assert_success()
         assert random_bytes in results.stdout
-        assert to_bytes("Curve: {}".format(CURVE_NAMES[curve.name])) in results.stdout
+        assert to_bytes("Curve: {}".format(
+            CURVE_NAMES[curve.name])) in results.stdout
         assert random_bytes in results.stdout
         assert S2N_HRR_MARKER in results.stdout
@@ -128,15 +143,19 @@ def test_hrr_with_s2n_as_server(managed_process, cipher, provider, curve, protoc
     assert server_hello_count == 2
     assert finished_count == 2
-# Default Keyshare for TLS v1.3 is x25519
-TEST_CURVES = ALL_TEST_CURVES[1:]
+# Default Keyshare for TLS v1.3 is x25519
+TEST_CURVES = ALL_TEST_CURVES[1:]
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
 @pytest.mark.parametrize("cipher", TLS13_CIPHERS, ids=get_parameter_name)
 @pytest.mark.parametrize("provider", [OpenSSL])
+@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
 @pytest.mark.parametrize("curve", TEST_CURVES, ids=get_parameter_name)
 @pytest.mark.parametrize("protocol", [Protocols.TLS13], ids=get_parameter_name)
 @pytest.mark.parametrize("certificate", ALL_TEST_CERTS, ids=get_parameter_name)
-def test_hrr_with_default_keyshare(managed_process, cipher, provider, curve, protocol, certificate):
+def test_hrr_with_default_keyshare(managed_process, cipher, provider, other_provider, curve, protocol, certificate):
     port = next(available_ports)
     random_bytes = data_bytes(64)
@@ -164,7 +183,8 @@ def test_hrr_with_default_keyshare(managed_process, cipher, provider, curve, pro
     # The client should connect and return without error
     for results in client.get_results():
         results.assert_success()
-        assert to_bytes("Curve: {}".format(CURVE_NAMES[curve.name])) in results.stdout
+        assert to_bytes("Curve: {}".format(
+            CURVE_NAMES[curve.name])) in results.stdout
         assert S2N_HRR_MARKER in results.stdout
     marker_part1 = b"cf 21 ad 74 e5"
@@ -174,6 +194,6 @@ def test_hrr_with_default_keyshare(managed_process, cipher, provider, curve, pro
         results.assert_success()
         assert marker_part1 in results.stdout and marker_part2 in results.stdout
         assert b'Supported Elliptic Groups: X25519:P-256:P-384' in results.stdout
-        assert to_bytes("Shared Elliptic groups: {}".format(server_options.curve)) in results.stdout
+        assert to_bytes("Shared Elliptic groups: {}".format(
+            server_options.curve)) in results.stdout
         assert random_bytes in results.stdout

data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_key_update.py CHANGED Viewed

@@ -2,15 +2,29 @@ import copy
 import pytest
 from configuration import available_ports, TLS13_CIPHERS
-from common import ProviderOptions, Protocols, data_bytes
+from common import ProviderOptions, Protocols, data_bytes, Ciphers
 from fixtures import managed_process
 from providers import Provider, S2N, OpenSSL
 from utils import invalid_test_parameters, get_parameter_name
+from global_flags import get_flag, S2N_PROVIDER_VERSION
+def test_nothing():
+    """
+    Sometimes the key update test parameters in combination with the s2n libcrypto
+    results in no test cases existing. In this case, pass a nothing test to avoid
+    marking the entire codebuild run as failed.
+    """
+    assert True
+@pytest.mark.flaky(reruns=5)
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
 @pytest.mark.parametrize("cipher", TLS13_CIPHERS, ids=get_parameter_name)
-def test_s2n_server_key_update(managed_process, cipher):
+@pytest.mark.parametrize("provider", [OpenSSL], ids=get_parameter_name)
+@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
+@pytest.mark.parametrize("protocol", [Protocols.TLS13], ids=get_parameter_name)
+def test_s2n_server_key_update(managed_process, cipher, provider, other_provider, protocol):
     host = "localhost"
     port = next(available_ports)
@@ -29,7 +43,7 @@ def test_s2n_server_key_update(managed_process, cipher):
         cipher=cipher,
         data_to_send=[update_requested, client_data],
         insecure=True,
-        protocol=Protocols.TLS13,
+        protocol=protocol,
     )
     server_options = copy.copy(client_options)
@@ -40,14 +54,14 @@ def test_s2n_server_key_update(managed_process, cipher):
     server_options.data_to_send = [server_data]
     server = managed_process(
-        S2N, server_options, send_marker=[str(client_data)], timeout=5
+        S2N, server_options, send_marker=[str(client_data)], timeout=30
     )
     client = managed_process(
-        OpenSSL,
+        provider,
         client_options,
         send_marker=send_marker_list,
         close_marker=str(server_data),
-        timeout=5,
+        timeout=30,
     )
     for results in client.get_results():
@@ -60,9 +74,13 @@ def test_s2n_server_key_update(managed_process, cipher):
         assert client_data in results.stdout
+@pytest.mark.flaky(reruns=5)
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
 @pytest.mark.parametrize("cipher", TLS13_CIPHERS, ids=get_parameter_name)
-def test_s2n_client_key_update(managed_process, cipher):
+@pytest.mark.parametrize("provider", [OpenSSL], ids=get_parameter_name)
+@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
+@pytest.mark.parametrize("protocol", [Protocols.TLS13], ids=get_parameter_name)
+def test_s2n_client_key_update(managed_process, cipher, provider, other_provider, protocol):
     host = "localhost"
     port = next(available_ports)
@@ -83,7 +101,7 @@ def test_s2n_client_key_update(managed_process, cipher):
         cipher=cipher,
         data_to_send=[client_data],
         insecure=True,
-        protocol=Protocols.TLS13,
+        protocol=protocol,
     )
     server_options = copy.copy(client_options)
@@ -94,18 +112,18 @@ def test_s2n_client_key_update(managed_process, cipher):
     server_options.data_to_send = [update_requested, server_data]
     server = managed_process(
-        OpenSSL,
+        provider,
         server_options,
         send_marker=send_marker_list,
         close_marker=str(client_data),
-        timeout=5,
+        timeout=30,
     )
     client = managed_process(
         S2N,
         client_options,
         send_marker=[str(server_data)],
         close_marker=str(server_data),
-        timeout=5,
+        timeout=30,
     )
     for results in client.get_results():

data/aws-crt-ffi/crt/s2n/tests/integrationv2/test_ocsp.py ADDED Viewed

@@ -0,0 +1,138 @@
+import pytest
+from configuration import available_ports, ALL_TEST_CIPHERS, ALL_TEST_CURVES, PROTOCOLS
+from common import ProviderOptions, Protocols, data_bytes, Certificates
+from fixtures import managed_process
+from constants import TEST_OCSP_DIRECTORY
+from providers import Provider, S2N, OpenSSL, JavaSSL, GnuTLS
+from utils import invalid_test_parameters, get_parameter_name
+from global_flags import get_flag, S2N_PROVIDER_VERSION
+OCSP_CERTS = [Certificates.OCSP, Certificates.OCSP_ECDSA]
+@pytest.mark.uncollect_if(func=invalid_test_parameters)
+@pytest.mark.parametrize("cipher", ALL_TEST_CIPHERS, ids=get_parameter_name)
+@pytest.mark.parametrize("provider", [S2N, OpenSSL, GnuTLS], ids=get_parameter_name)
+@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
+@pytest.mark.parametrize("curve", ALL_TEST_CURVES, ids=get_parameter_name)
+@pytest.mark.parametrize("protocol", PROTOCOLS, ids=get_parameter_name)
+@pytest.mark.parametrize("certificate", OCSP_CERTS, ids=get_parameter_name)
+def test_s2n_client_ocsp_response(managed_process, cipher, provider, other_provider, curve, protocol, certificate):
+    if "boringssl" in get_flag(S2N_PROVIDER_VERSION):
+        pytest.skip("s2n-tls client with boringssl does not support ocsp")
+    port = next(available_ports)
+    random_bytes = data_bytes(128)
+    client_options = ProviderOptions(
+        mode=Provider.ClientMode,
+        port=port,
+        cipher=cipher,
+        curve=curve,
+        protocol=protocol,
+        insecure=True,
+        data_to_send=random_bytes,
+        enable_client_ocsp=True
+    )
+    server_options = ProviderOptions(
+        mode=Provider.ServerMode,
+        port=port,
+        cipher=cipher,
+        curve=curve,
+        protocol=protocol,
+        key=certificate.key,
+        cert=certificate.cert,
+        ocsp_response={
+            "RSA":  TEST_OCSP_DIRECTORY + "ocsp_response.der",
+            "EC":   TEST_OCSP_DIRECTORY + "ocsp_ecdsa_response.der"
+        }.get(certificate.algorithm),
+    )
+    kill_marker = None
+    if provider == GnuTLS:
+        kill_marker = random_bytes
+    server = managed_process(
+        provider,
+        server_options,
+        timeout=30,
+        kill_marker=kill_marker
+    )
+    client = managed_process(S2N, client_options, timeout=30)
+    for client_results in client.get_results():
+        client_results.assert_success()
+        assert b"OCSP response received" in client_results.stdout
+    for server_results in server.get_results():
+        server_results.assert_success()
+        # Avoid debugging information that sometimes gets inserted after the first character.
+        assert random_bytes[1:] in server_results.stdout or random_bytes[1:] in server_results.stderr
+@pytest.mark.uncollect_if(func=invalid_test_parameters)
+@pytest.mark.parametrize("cipher", ALL_TEST_CIPHERS, ids=get_parameter_name)
+@pytest.mark.parametrize("provider", [GnuTLS, OpenSSL], ids=get_parameter_name)
+@pytest.mark.parametrize("other_provider", [S2N])
+@pytest.mark.parametrize("curve", ALL_TEST_CURVES, ids=get_parameter_name)
+@pytest.mark.parametrize("protocol", PROTOCOLS, ids=get_parameter_name)
+@pytest.mark.parametrize("certificate", OCSP_CERTS, ids=get_parameter_name)
+def test_s2n_server_ocsp_response(managed_process, cipher, provider, other_provider, curve, protocol, certificate):
+    port = next(available_ports)
+    random_bytes = data_bytes(128)
+    client_options = ProviderOptions(
+        mode=Provider.ClientMode,
+        port=port,
+        cipher=cipher,
+        curve=curve,
+        protocol=protocol,
+        insecure=True,
+        data_to_send=random_bytes,
+        enable_client_ocsp=True
+    )
+    server_options = ProviderOptions(
+        mode=Provider.ServerMode,
+        port=port,
+        cipher=cipher,
+        curve=curve,
+        protocol=protocol,
+        insecure=True,
+        key=certificate.key,
+        cert=certificate.cert,
+        ocsp_response={
+            "RSA":  TEST_OCSP_DIRECTORY + "ocsp_response.der",
+            "EC":   TEST_OCSP_DIRECTORY + "ocsp_ecdsa_response.der"
+        }.get(certificate.algorithm),
+    )
+    kill_marker = None
+    if provider == GnuTLS:
+        # The GnuTLS client hangs for a while after sending. Speed up the tests by killing
+        # it immediately after sending the message.
+        kill_marker = b"Sent: "
+    server = managed_process(S2N, server_options, timeout=2000)
+    client = managed_process(provider, client_options,
+                             timeout=2000, kill_marker=kill_marker)
+    for client_results in client.get_results():
+        client_results.assert_success()
+        assert any([
+            {
+                GnuTLS:  b"OCSP Response Information:\n\tResponse Status: Successful",
+                OpenSSL: b"OCSP Response Status: successful"
+            }.get(provider) in stream for stream in client_results.output_streams()
+        ])
+    for server_results in server.get_results():
+        server_results.assert_success()
+        # Avoid debugging information that sometimes gets inserted after the first character.
+        assert any(
+            [random_bytes[1:] in stream for stream in server_results.output_streams()])