test: Adds SSLv3 integ test (#4372)

Author: maddeleine

tests/integrationv2/common.py

@@ -348,8 +348,11 @@ class Curves(object):
     """
     X25519 = Curve("X25519", Protocols.TLS13)
     P256 = Curve("P-256")
-    P384 = Curve("P-384")
-    P521 = Curve("P-521")
+    # Our only SSLv3 provider doesn't support extensions
+    # so there is no way to negotiate a curve other than the
+    # default P-256 in SSLv3.
+    P384 = Curve("P-384", Protocols.TLS10)
+    P521 = Curve("P-521", Protocols.TLS10)
     SecP256r1Kyber768Draft00 = Curve("SecP256r1Kyber768Draft00")
     X25519Kyber768Draft00 = Curve("X25519Kyber768Draft00")
 

tests/integrationv2/configuration.py

@@ -16,6 +16,7 @@
     Protocols.TLS12,
     Protocols.TLS11,
     Protocols.TLS10,
+    Protocols.SSLv3,
 ]
 
 

tests/integrationv2/providers.py

@@ -163,6 +163,11 @@ def supports_protocol(cls, protocol, with_cert=None):
                 # e.g. "openssl-1.0" in "openssl-1.0.2-fips"
                 if unsupported_lc in current_libcrypto:
                     return False
+
+        # s2n-tls will not negotiate SSLv3 if in fips mode
+        if protocol == Protocols.SSLv3 and get_flag(S2N_FIPS_MODE):
+            return False
+
         return True
 
     @classmethod
@@ -468,6 +473,9 @@ def get_version(cls):
 
     @classmethod
     def supports_protocol(cls, protocol, with_cert=None):
+        if protocol is Protocols.SSLv3:
+            return False
+
         return True
 
     @classmethod
@@ -507,6 +515,8 @@ def setup_client(self):
             cmd_line.append('-tls1_1')
         elif self.options.protocol == Protocols.TLS10:
             cmd_line.append('-tls1')
+        elif self.options.protocol == Protocols.SSLv3:
+            cmd_line.append('-ssl3')
 
         if self.options.cipher is not None:
             cmd_line.extend(self._cipher_to_cmdline(self.options.cipher))
@@ -582,6 +592,8 @@ def setup_server(self):
             cmd_line.append('-tls1_1')
         elif self.options.protocol == Protocols.TLS10:
             cmd_line.append('-tls1')
+        elif self.options.protocol == Protocols.SSLv3:
+            cmd_line.append('-ssl3')
 
         if self.options.cipher is not None:
             cmd_line.extend(self._cipher_to_cmdline(self.options.cipher))
@@ -607,6 +619,26 @@ def setup_server(self):
         return cmd_line
 
 
+class SSLv3Provider(OpenSSL):
+    def __init__(self, options: ProviderOptions):
+        OpenSSL.__init__(self, options)
+        self._override_libssl(options)
+
+    def _override_libssl(self, options: ProviderOptions):
+        install_dir = os.environ["OPENSSL_1_0_2_INSTALL_DIR"]
+
+        override_env_vars = dict()
+        override_env_vars["PATH"] = install_dir + "/bin"
+        override_env_vars["LD_LIBRARY_PATH"] = install_dir + "/lib"
+        options.env_overrides = override_env_vars
+
+    @classmethod
+    def supports_protocol(cls, protocol, with_cert=None):
+        if protocol is Protocols.SSLv3:
+            return True
+        return False
+
+
 class JavaSSL(Provider):
     """
     NOTE: Only a Java SSL client has been set up. The server has not been
@@ -623,7 +655,7 @@ def get_send_marker(cls):
     @classmethod
     def supports_protocol(cls, protocol, with_cert=None):
         # https://aws.amazon.com/blogs/opensource/tls-1-0-1-1-changes-in-openjdk-and-amazon-corretto/
-        if protocol is Protocols.TLS10 or protocol is Protocols.TLS11:
+        if protocol is Protocols.SSLv3 or protocol is Protocols.TLS10 or protocol is Protocols.TLS11:
             return False
 
         return True

tests/integrationv2/test_happy_path.py

@@ -4,18 +4,17 @@
 from configuration import available_ports, ALL_TEST_CIPHERS, ALL_TEST_CURVES, ALL_TEST_CERTS, PROTOCOLS
 from common import ProviderOptions, data_bytes
 from fixtures import managed_process  # lgtm [py/unused-import]
-from providers import Provider, S2N, OpenSSL, JavaSSL, GnuTLS
+from providers import Provider, S2N, OpenSSL, JavaSSL, GnuTLS, SSLv3Provider
 from utils import invalid_test_parameters, get_parameter_name, get_expected_s2n_version, to_bytes
 
 
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
 @pytest.mark.parametrize("cipher", ALL_TEST_CIPHERS, ids=get_parameter_name)
-@pytest.mark.parametrize("provider", [S2N, OpenSSL, GnuTLS, JavaSSL])
-@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
+@pytest.mark.parametrize("provider", [S2N, OpenSSL, GnuTLS, JavaSSL, SSLv3Provider])
 @pytest.mark.parametrize("curve", ALL_TEST_CURVES, ids=get_parameter_name)
 @pytest.mark.parametrize("protocol", PROTOCOLS, ids=get_parameter_name)
 @pytest.mark.parametrize("certificate", ALL_TEST_CERTS, ids=get_parameter_name)
-def test_s2n_server_happy_path(managed_process, cipher, provider, other_provider, curve, protocol, certificate):
+def test_s2n_server_happy_path(managed_process, cipher, provider, curve, protocol, certificate):
     port = next(available_ports)
 
     # s2nd can receive large amounts of data because all the data is
@@ -69,12 +68,11 @@ def test_s2n_server_happy_path(managed_process, cipher, provider, other_provider
 
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
 @pytest.mark.parametrize("cipher", ALL_TEST_CIPHERS, ids=get_parameter_name)
-@pytest.mark.parametrize("provider", [S2N, OpenSSL, GnuTLS])
-@pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
+@pytest.mark.parametrize("provider", [S2N, OpenSSL, GnuTLS, SSLv3Provider])
 @pytest.mark.parametrize("curve", ALL_TEST_CURVES, ids=get_parameter_name)
 @pytest.mark.parametrize("protocol", PROTOCOLS, ids=get_parameter_name)
 @pytest.mark.parametrize("certificate", ALL_TEST_CERTS, ids=get_parameter_name)
-def test_s2n_client_happy_path(managed_process, cipher, provider, other_provider, curve, protocol, certificate):
+def test_s2n_client_happy_path(managed_process, cipher, provider, curve, protocol, certificate):
     port = next(available_ports)
 
     # We can only send 4096 - 1 (\n at the end) bytes here because of the

tests/integrationv2/tox.ini

@@ -5,7 +5,7 @@ skipsdist = True
 [testenv]
 # install pytest in the virtualenv where commands will be executed
 setenv = S2N_INTEG_TEST = 1
-passenv = DYLD_LIBRARY_PATH, LD_LIBRARY_PATH, OQS_OPENSSL_1_1_1_INSTALL_DIR, HOME, TOX_TEST_NAME
+passenv = DYLD_LIBRARY_PATH, LD_LIBRARY_PATH, OQS_OPENSSL_1_1_1_INSTALL_DIR, OPENSSL_1_0_2_INSTALL_DIR, HOME, TOX_TEST_NAME
 ignore_errors=False
 deps =
     pytest==7