|
14 | 14 |
|
15 | 15 | CIPHERS = [ |
16 | 16 | None, # `None` will default to the appropriate `test_all` cipher preference in the S2N client provider |
17 | | - Ciphers.KMS_PQ_TLS_1_0_2019_06, |
18 | | - Ciphers.KMS_PQ_TLS_1_0_2020_02, |
19 | | - Ciphers.KMS_PQ_TLS_1_0_2020_07, |
20 | | - Ciphers.PQ_SIKE_TEST_TLS_1_0_2019_11, |
21 | | - Ciphers.PQ_SIKE_TEST_TLS_1_0_2020_02, |
22 | 17 | Ciphers.KMS_TLS_1_0_2018_10, |
23 | | - Ciphers.PQ_TLS_1_0_2020_12, |
24 | 18 | Ciphers.PQ_TLS_1_3_2023_06_01, |
25 | 19 | ] |
26 | 20 |
|
|
33 | 27 |
|
34 | 28 | EXPECTED_RESULTS = { |
35 | 29 | # The tuple keys have the form (client_{cipher, kem_group}, server_{cipher, kem_group}) |
36 | | - (Ciphers.KMS_PQ_TLS_1_0_2019_06, Ciphers.KMS_PQ_TLS_1_0_2019_06): |
37 | | - {"cipher": "ECDHE-RSA-AES256-GCM-SHA384", |
38 | | - "kem": None, "kem_group": None}, |
39 | | - (Ciphers.KMS_PQ_TLS_1_0_2019_06, Ciphers.KMS_PQ_TLS_1_0_2020_02): |
40 | | - {"cipher": "ECDHE-RSA-AES256-GCM-SHA384", |
41 | | - "kem": None, "kem_group": None}, |
42 | | - (Ciphers.KMS_PQ_TLS_1_0_2019_06, Ciphers.KMS_PQ_TLS_1_0_2020_07): |
43 | | - {"cipher": "ECDHE-RSA-AES256-GCM-SHA384", |
44 | | - "kem": None, "kem_group": None}, |
45 | | - |
46 | | - (Ciphers.KMS_PQ_TLS_1_0_2020_02, Ciphers.KMS_PQ_TLS_1_0_2019_06): |
47 | | - {"cipher": "ECDHE-RSA-AES256-GCM-SHA384", |
48 | | - "kem": None, "kem_group": None}, |
49 | | - (Ciphers.KMS_PQ_TLS_1_0_2020_02, Ciphers.KMS_PQ_TLS_1_0_2020_02): |
50 | | - {"cipher": "ECDHE-RSA-AES256-GCM-SHA384", |
51 | | - "kem": None, "kem_group": None}, |
52 | | - (Ciphers.KMS_PQ_TLS_1_0_2020_02, Ciphers.KMS_PQ_TLS_1_0_2020_07): |
53 | | - {"cipher": "ECDHE-RSA-AES256-GCM-SHA384", |
54 | | - "kem": None, "kem_group": None}, |
55 | | - |
56 | | - (Ciphers.KMS_PQ_TLS_1_0_2020_07, Ciphers.KMS_PQ_TLS_1_0_2019_06): |
57 | | - {"cipher": "ECDHE-RSA-AES256-GCM-SHA384", |
58 | | - "kem": None, "kem_group": None}, |
59 | | - (Ciphers.KMS_PQ_TLS_1_0_2020_07, Ciphers.KMS_PQ_TLS_1_0_2020_02): |
60 | | - {"cipher": "ECDHE-RSA-AES256-GCM-SHA384", |
61 | | - "kem": None, "kem_group": None}, |
62 | | - (Ciphers.KMS_PQ_TLS_1_0_2020_07, Ciphers.KMS_PQ_TLS_1_0_2020_07): |
63 | | - {"cipher": "ECDHE-KYBER-RSA-AES256-GCM-SHA384", |
64 | | - "kem": "kyber512r3", "kem_group": None}, |
65 | | - |
66 | | - (Ciphers.PQ_SIKE_TEST_TLS_1_0_2019_11, Ciphers.KMS_PQ_TLS_1_0_2019_06): |
67 | | - {"cipher": "ECDHE-RSA-AES256-GCM-SHA384", |
68 | | - "kem": None, "kem_group": None}, |
69 | | - (Ciphers.PQ_SIKE_TEST_TLS_1_0_2019_11, Ciphers.KMS_PQ_TLS_1_0_2020_02): |
70 | | - {"cipher": "ECDHE-RSA-AES256-GCM-SHA384", |
71 | | - "kem": None, "kem_group": None}, |
72 | | - (Ciphers.PQ_SIKE_TEST_TLS_1_0_2019_11, Ciphers.KMS_PQ_TLS_1_0_2020_07): |
73 | | - {"cipher": "ECDHE-RSA-AES256-GCM-SHA384", |
74 | | - "kem": None, "kem_group": None}, |
75 | | - |
76 | | - (Ciphers.PQ_SIKE_TEST_TLS_1_0_2020_02, Ciphers.KMS_PQ_TLS_1_0_2019_06): |
77 | | - {"cipher": "ECDHE-RSA-AES256-GCM-SHA384", |
78 | | - "kem": None, "kem_group": None}, |
79 | | - (Ciphers.PQ_SIKE_TEST_TLS_1_0_2020_02, Ciphers.KMS_PQ_TLS_1_0_2020_02): |
80 | | - {"cipher": "ECDHE-RSA-AES256-GCM-SHA384", |
81 | | - "kem": None, "kem_group": None}, |
82 | | - (Ciphers.PQ_SIKE_TEST_TLS_1_0_2020_02, Ciphers.KMS_PQ_TLS_1_0_2020_07): |
83 | | - {"cipher": "ECDHE-RSA-AES256-GCM-SHA384", |
84 | | - "kem": None, "kem_group": None}, |
85 | | - |
86 | | - (Ciphers.KMS_PQ_TLS_1_0_2019_06, Ciphers.KMS_TLS_1_0_2018_10): |
87 | | - {"cipher": "ECDHE-RSA-AES256-GCM-SHA384", |
88 | | - "kem": None, "kem_group": None}, |
89 | | - (Ciphers.KMS_PQ_TLS_1_0_2020_02, Ciphers.KMS_TLS_1_0_2018_10): |
90 | | - {"cipher": "ECDHE-RSA-AES256-GCM-SHA384", |
91 | | - "kem": None, "kem_group": None}, |
92 | | - (Ciphers.KMS_PQ_TLS_1_0_2020_07, Ciphers.KMS_TLS_1_0_2018_10): |
93 | | - {"cipher": "ECDHE-RSA-AES256-GCM-SHA384", |
94 | | - "kem": None, "kem_group": None}, |
95 | | - |
96 | | - (Ciphers.KMS_TLS_1_0_2018_10, Ciphers.KMS_PQ_TLS_1_0_2019_06): |
97 | | - {"cipher": "ECDHE-RSA-AES256-GCM-SHA384", |
98 | | - "kem": None, "kem_group": None}, |
99 | | - (Ciphers.KMS_TLS_1_0_2018_10, Ciphers.KMS_PQ_TLS_1_0_2020_02): |
100 | | - {"cipher": "ECDHE-RSA-AES256-GCM-SHA384", |
101 | | - "kem": None, "kem_group": None}, |
102 | | - (Ciphers.KMS_TLS_1_0_2018_10, Ciphers.KMS_PQ_TLS_1_0_2020_07): |
103 | | - {"cipher": "ECDHE-RSA-AES256-GCM-SHA384", |
104 | | - "kem": None, "kem_group": None}, |
105 | | - |
106 | | - # The expected kem_group string for this case purposefully excludes a curve; |
107 | | - # depending on how s2n was compiled, the curve may be either x25519 or one |
108 | | - # of the NIST curves. |
109 | | - (Ciphers.PQ_TLS_1_0_2020_12, Ciphers.PQ_TLS_1_0_2020_12): |
110 | | - {"cipher": "TLS_AES_256_GCM_SHA384", |
111 | | - "kem": None, "kem_group": "_kyber-512-r3"}, |
112 | | - (Ciphers.PQ_TLS_1_0_2020_12, Ciphers.PQ_TLS_1_0_2023_01): |
113 | | - {"cipher": "TLS_AES_256_GCM_SHA384", |
114 | | - "kem": None, "kem_group": "_kyber-512-r3"}, |
115 | 30 | (Ciphers.PQ_TLS_1_0_2023_01, Ciphers.PQ_TLS_1_0_2023_01): |
116 | 31 | {"cipher": "TLS_AES_256_GCM_SHA384", |
117 | 32 | "kem": None, "kem_group": "_kyber-512-r3"}, |
118 | | - (Ciphers.PQ_TLS_1_0_2023_01, Ciphers.PQ_TLS_1_0_2020_12): |
119 | | - {"cipher": "TLS_AES_256_GCM_SHA384", |
120 | | - "kem": None, "kem_group": "_kyber-512-r3"}, |
121 | | - (Ciphers.PQ_TLS_1_0_2020_12, Ciphers.KMS_PQ_TLS_1_0_2020_07): |
122 | | - {"cipher": "ECDHE-KYBER-RSA-AES256-GCM-SHA384", |
123 | | - "kem": "kyber512r3", "kem_group": None}, |
124 | | - (Ciphers.KMS_PQ_TLS_1_0_2020_07, Ciphers.PQ_TLS_1_0_2020_12): |
125 | | - {"cipher": "ECDHE-KYBER-RSA-AES256-GCM-SHA384", |
126 | | - "kem": "kyber512r3", "kem_group": None}, |
127 | | - (Ciphers.PQ_TLS_1_0_2020_12, KemGroups.P256_KYBER512R3): |
128 | | - {"cipher": "AES256_GCM_SHA384", "kem": None, |
129 | | - "kem_group": "secp256r1_kyber-512-r3"}, |
130 | | - (KemGroups.P256_KYBER512R3, Ciphers.PQ_TLS_1_0_2020_12): |
131 | | - {"cipher": "AES256_GCM_SHA384", "kem": None, |
132 | | - "kem_group": "secp256r1_kyber-512-r3"}, |
133 | | - (KemGroups.P256_KYBER512R3, Ciphers.PQ_TLS_1_0_2023_01): |
134 | | - {"cipher": "AES256_GCM_SHA384", "kem": None, |
135 | | - "kem_group": "secp256r1_kyber-512-r3"}, |
136 | | - (KemGroups.P256_KYBER512R3, Ciphers.PQ_TLS_1_3_2023_06_01): |
137 | | - {"cipher": "AES256_GCM_SHA384", "kem": None, |
138 | | - "kem_group": "secp256r1_kyber-512-r3"}, |
139 | 33 | (KemGroups.P384_KYBER768R3, Ciphers.PQ_TLS_1_3_2023_06_01): |
140 | 34 | {"cipher": "AES256_GCM_SHA384", "kem": None, |
141 | 35 | "kem_group": "secp384r1_kyber-768-r3"}, |
|
150 | 44 | {"cipher": "TLS_AES_256_GCM_SHA384", |
151 | 45 | "kem": None, |
152 | 46 | "kem_group": "SecP256r1Kyber768Draft00"}, |
| 47 | + (Ciphers.PQ_TLS_1_3_2023_06_01, Ciphers.PQ_TLS_1_3_2023_06_01): |
| 48 | + {"cipher": "TLS_AES_256_GCM_SHA384", |
| 49 | + "kem": None, |
| 50 | + "kem_group": "SecP256r1Kyber768Draft00"}, |
| 51 | + (Ciphers.PQ_TLS_1_3_2023_06_01, Ciphers.KMS_TLS_1_0_2018_10): |
| 52 | + {"cipher": "ECDHE-RSA-AES256-GCM-SHA384", |
| 53 | + "kem": None, |
| 54 | + "kem_group": None}, |
| 55 | + (Ciphers.KMS_TLS_1_0_2018_10, Ciphers.PQ_TLS_1_3_2023_06_01): |
| 56 | + {"cipher": "ECDHE-RSA-AES128-GCM-SHA256", |
| 57 | + "kem": None, |
| 58 | + "kem_group": None}, |
| 59 | + (Ciphers.KMS_TLS_1_0_2018_10, Ciphers.KMS_TLS_1_0_2018_10): |
| 60 | + {"cipher": "ECDHE-RSA-AES256-GCM-SHA384", |
| 61 | + "kem": None, |
| 62 | + "kem_group": None}, |
153 | 63 | } |
154 | 64 |
|
155 | 65 | """ |
@@ -224,22 +134,6 @@ def test_nothing(): |
224 | 134 | @pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name) |
225 | 135 | def test_s2nc_to_s2nd_pq_handshake(managed_process, protocol, certificate, client_cipher, server_cipher, provider, |
226 | 136 | other_provider): |
227 | | - # Incorrect cipher is negotiated when both ciphers are PQ_TLS_1_0_2020_12 with |
228 | | - # openssl 1.0.2, boringssl, and libressl libcryptos |
229 | | - if all([ |
230 | | - client_cipher == Ciphers.PQ_TLS_1_0_2020_12, |
231 | | - server_cipher == Ciphers.PQ_TLS_1_0_2020_12, |
232 | | - any([ |
233 | | - libcrypto in get_flag(S2N_PROVIDER_VERSION) |
234 | | - for libcrypto in [ |
235 | | - "boringssl", |
236 | | - "libressl", |
237 | | - "openssl-1.0.2" |
238 | | - ] |
239 | | - ]) |
240 | | - ]): |
241 | | - pytest.skip() |
242 | | - |
243 | 137 | port = next(available_ports) |
244 | 138 |
|
245 | 139 | client_options = ProviderOptions( |
@@ -359,7 +253,7 @@ def test_s2nd_to_awslc_pq_handshake(managed_process, s2n_server_policy, awslc_cl |
359 | 253 |
|
360 | 254 | @pytest.mark.uncollect_if(func=invalid_test_parameters) |
361 | 255 | @pytest.mark.parametrize("protocol", [Protocols.TLS13], ids=get_parameter_name) |
362 | | -@pytest.mark.parametrize("cipher", [Ciphers.PQ_TLS_1_0_2020_12], ids=get_parameter_name) |
| 256 | +@pytest.mark.parametrize("cipher", [Ciphers.PQ_TLS_1_3_2023_06_01], ids=get_parameter_name) |
363 | 257 | @pytest.mark.parametrize("kem_group", KEM_GROUPS, ids=get_parameter_name) |
364 | 258 | def test_s2nc_to_oqs_openssl_pq_handshake(managed_process, protocol, cipher, kem_group): |
365 | 259 | # If PQ is not enabled in s2n, there is no reason to test against oqs_openssl |
@@ -401,7 +295,7 @@ def test_s2nc_to_oqs_openssl_pq_handshake(managed_process, protocol, cipher, kem |
401 | 295 |
|
402 | 296 | @pytest.mark.uncollect_if(func=invalid_test_parameters) |
403 | 297 | @pytest.mark.parametrize("protocol", [Protocols.TLS13], ids=get_parameter_name) |
404 | | -@pytest.mark.parametrize("cipher", [Ciphers.PQ_TLS_1_0_2020_12], ids=get_parameter_name) |
| 298 | +@pytest.mark.parametrize("cipher", [Ciphers.PQ_TLS_1_3_2023_06_01], ids=get_parameter_name) |
405 | 299 | @pytest.mark.parametrize("kem_group", KEM_GROUPS, ids=get_parameter_name) |
406 | 300 | def test_oqs_openssl_to_s2nd_pq_handshake(managed_process, protocol, cipher, kem_group): |
407 | 301 | # If PQ is not enabled in s2n, there is no reason to test against oqs_openssl |
|
0 commit comments