From 203cc5c480d048e39e8561e508b6902afc1bf10a Mon Sep 17 00:00:00 2001 From: Sam Clark <3758302+goatgoose@users.noreply.github.com> Date: Mon, 10 Feb 2025 13:39:16 -0500 Subject: [PATCH] fix(integrationv2): Skip unsupported client auth tests (#5096) Co-authored-by: James Mayclin --- .../spec/buildspec_ubuntu_integrationv2.yml | 2 +- tests/integrationv2/providers.py | 40 ++++++++++++------- tests/integrationv2/utils.py | 10 +++-- 3 files changed, 32 insertions(+), 20 deletions(-) diff --git a/codebuild/spec/buildspec_ubuntu_integrationv2.yml b/codebuild/spec/buildspec_ubuntu_integrationv2.yml index 109b6757c69..13ee3ab609e 100644 --- a/codebuild/spec/buildspec_ubuntu_integrationv2.yml +++ b/codebuild/spec/buildspec_ubuntu_integrationv2.yml @@ -36,7 +36,7 @@ batch: - openssl-1.1.1_gcc9 - openssl-3.0 INTEGV2_TEST: - - "test_dynamic_record_sizes test_sslyze test_sslv2_client_hello" + - "test_client_authentication test_dynamic_record_sizes test_sslyze test_sslv2_client_hello" - "test_happy_path" - "test_cross_compatibility" - "test_early_data test_well_known_endpoints test_hello_retry_requests test_sni_match test_pq_handshake test_fragmentation test_key_update" diff --git a/tests/integrationv2/providers.py b/tests/integrationv2/providers.py index 6e8bcd049d6..5b5a7e29faf 100644 --- a/tests/integrationv2/providers.py +++ b/tests/integrationv2/providers.py @@ -5,7 +5,7 @@ import pytest import threading -from common import ProviderOptions, Ciphers, Curves, Protocols, Signatures +from common import ProviderOptions, Ciphers, Curves, Protocols, Signatures, Cert from global_flags import get_flag, S2N_PROVIDER_VERSION, S2N_FIPS_MODE from stat import S_IMODE @@ -72,7 +72,7 @@ def get_send_marker(cls): return None @classmethod - def supports_protocol(cls, protocol, with_cert=None): + def supports_protocol(cls, protocol): raise NotImplementedError @classmethod 
@@ -94,6 +94,10 @@ def set_provider_ready(self): self._provider_ready = True self._provider_ready_condition.notify() + @classmethod + def supports_certificate(cls, cert: Cert): + return True + class Tcpdump(Provider): """ @@ -147,7 +151,7 @@ def get_send_marker(cls): return 's2n is ready' @classmethod - def supports_protocol(cls, protocol, with_cert=None): + def _pss_supported(cls): # RSA-PSS is unsupported for openssl-1.0 # libressl and boringssl are disabled because of configuration issues # see https://github.com/aws/s2n-tls/issues/3250 @@ -156,16 +160,22 @@ def supports_protocol(cls, protocol, with_cert=None): "boringssl", "openssl-1.0" } - pss_is_unsupported = any([ + for libcrypto in PSS_UNSUPPORTED_LIBCRYPTOS: # e.g. "openssl-1.0" in "openssl-1.0.2-fips" - libcrypto in get_flag(S2N_PROVIDER_VERSION) - for libcrypto in PSS_UNSUPPORTED_LIBCRYPTOS - ]) - if pss_is_unsupported: - if protocol == Protocols.TLS13: - return False - if with_cert and with_cert.algorithm == 'RSAPSS': + if libcrypto in get_flag(S2N_PROVIDER_VERSION): return False + return True + + @classmethod + def supports_certificate(cls, cert: Cert): + if not cls._pss_supported() and cert.algorithm == 'RSAPSS': + return False + return True + + @classmethod + def supports_protocol(cls, protocol): + if not cls._pss_supported() and protocol == Protocols.TLS13: + return False # SSLv3 cannot be negotiated in FIPS mode with libcryptos other than AWS-LC. if all([ @@ -391,7 +401,7 @@ def get_version(cls): return get_flag(S2N_PROVIDER_VERSION) @classmethod - def supports_protocol(cls, protocol, with_cert=None): + def supports_protocol(cls, protocol): if protocol is Protocols.SSLv3: return False @@ -552,7 +562,7 @@ def _override_libssl(self, options: ProviderOptions): options.env_overrides = override_env_vars @classmethod - def supports_protocol(cls, protocol, with_cert=None): + def supports_protocol(cls, protocol): if protocol is Protocols.SSLv3: return True return False 
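Review bot: The new base-class `supports_certificate` returns True unconditionally and carries no docstring, so a provider author has nothing telling them that claiming support for a certificate the provider cannot actually load makes the client-auth test run and fail rather than be deselected. That fail-loud default is the right direction for a test-selection predicate (a silently skipped handshake test hides more than a red one), but the contract should be stated next to the method. I would add a docstring along the lines of `"""Whether this provider can use `cert` as a server or client certificate; override to deselect tests for algorithms the provider cannot handle (S2N does this for RSA-PSS)."""`. The enclosing Provider class starts before this hunk.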
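Review bot: `_pss_supported` calls `get_flag(S2N_PROVIDER_VERSION)` once per iteration of the loop over `PSS_UNSUPPORTED_LIBCRYPTOS`, and the loop is the long-hand form of the `any(...)` the same hunk removes. Hoisting the flag into a local and returning one expression keeps the `# e.g. "openssl-1.0" in "openssl-1.0.2-fips"` comment next to the substring test it explains: `version = get_flag(S2N_PROVIDER_VERSION)` then `return not any(libcrypto in version for libcrypto in PSS_UNSUPPORTED_LIBCRYPTOS)`. As in the old code, the `in` test raises TypeError if `get_flag` can ever return None for an unset version flag; I cannot tell from here whether that is possible, so a one-line comment stating the flag is always a string (or an explicit `version or ""`, which would treat an unset flag as PSS-capable and let the test fail loudly) would make the intent clear. The rest of `supports_protocol`, including the FIPS/SSLv3 check, continues outside the hunk.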
@@ -572,7 +582,7 @@ def get_send_marker(cls): return "Starting handshake" @classmethod - def supports_protocol(cls, protocol, with_cert=None): + def supports_protocol(cls, protocol): # https://aws.amazon.com/blogs/opensource/tls-1-0-1-1-changes-in-openjdk-and-amazon-corretto/ if protocol is Protocols.SSLv3 or protocol is Protocols.TLS10 or protocol is Protocols.TLS11: return False @@ -879,7 +889,7 @@ def setup_server(self): return cmd_line @classmethod - def supports_protocol(cls, protocol, with_cert=None): + def supports_protocol(cls, protocol): return GnuTLS.protocol_to_priority_str(protocol) is not None @classmethod diff --git a/tests/integrationv2/utils.py b/tests/integrationv2/utils.py index 47842fd3bdb..615a154b4bd 100644 --- a/tests/integrationv2/utils.py +++ b/tests/integrationv2/utils.py @@ -72,6 +72,8 @@ def invalid_test_parameters(*args, **kwargs): # Always consider S2N providers.append(S2N) + certificates = [cert for cert in [certificate, client_certificate] if cert] + # Older versions do not support RSA-PSS-PSS certificates if protocol and protocol < Protocols.TLS12: if client_certificate and client_certificate.algorithm == 'RSAPSS': @@ -83,6 +85,10 @@ def invalid_test_parameters(*args, **kwargs): if not provider_.supports_protocol(protocol): return True + for certificate_ in certificates: + if not provider_.supports_certificate(certificate_): + return True + if cipher is not None: # If the selected protocol doesn't allow the cipher, don't test if protocol is not None: @@ -105,10 +111,6 @@ def invalid_test_parameters(*args, **kwargs): # If we are using a cipher that depends on a specific certificate algorithm # deselect the test if the wrong certificate is used. if certificate is not None: - if protocol is not None: - for provider_ in providers: - if provider_.supports_protocol(protocol, with_cert=certificate) is False: - return True if cipher is not None and certificate.compatible_with_cipher(cipher) is False: return True
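Review bot: The new `certificates` comprehension filters with `if cert`, i.e. object truthiness, while the same function tests the server certificate with `certificate is not None` further down (visible in the last hunk of this file). Unless `Cert` is known not to define `__bool__` or `__len__`, those two tests can disagree; `is not None` matches the existing style and cannot drop a real certificate from the support check: `certificates = [cert for cert in (certificate, client_certificate) if cert is not None]`. `invalid_test_parameters` starts before this hunk.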
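Review bot: The new `for certificate_ in certificates:` loop necessarily sits inside `for provider_ in providers:` (it reads `provider_`), but the patch does not show whether that provider loop is itself guarded by `protocol is not None`, since indentation is not recoverable here. If it is, a test parameterised with a client certificate but no protocol would never have `supports_certificate` consulted; the deleted check in the last hunk was explicitly protocol-gated too, so this would be no worse than before, but it is worth confirming the loop lands at the level you intend. A short why-comment above the loop, `# Deselect if any provider cannot use the server or client certificate`, would also explain why both certificates are checked against every provider rather than only the one that presents them. The function continues outside the hunk.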