adding openssl 3 as a provider

aws · Feb 20, 2025 · 21981f6 · 21981f6
1 parent 4ae43ec
commit 21981f6
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 10 deletions.
diff --git a/tests/integrationv2/conftest.py b/tests/integrationv2/conftest.py
@@ -2,8 +2,9 @@
 # SPDX-License-Identifier: Apache-2.0
 import os
 import pytest
+import subprocess
 from global_flags import set_flag, S2N_PROVIDER_VERSION, S2N_FIPS_MODE
-from providers import S2N, JavaSSL
+from providers import S2N, JavaSSL, OpenSSL
 
 PATH_CONFIGURATION_KEY = pytest.StashKey()
 
@@ -30,6 +31,15 @@ def available_providers():
     if os.path.exists("./bin/SSLSocketClient.class"):
         providers.add(JavaSSL)
 
+    result = subprocess.run(
+        ["openssl", "version"], shell=False, capture_output=True, text=True
+    )
+    version_str = result.stdout.split(" ")
+    project = version_str[0]
+    version = version_str[1]
+    if project == "OpenSSL" and version[0:3] == "3.0":
+        providers.add(OpenSSL)
+
     return providers
 
 

diff --git a/tests/integrationv2/providers.py b/tests/integrationv2/providers.py
@@ -344,12 +344,19 @@ def setup_server(self):
 
 
 class OpenSSL(Provider):
+    result = subprocess.run(
+        ["openssl", "version"], shell=False, capture_output=True, text=True
+    )
+    version_str = result.stdout.split(" ")
+    # This will return just the version number
+    version_openssl = version_str[1]
+
     def __init__(self, options: ProviderOptions):
         Provider.__init__(self, options)
         # We print some OpenSSL logging that includes stderr
         self.expect_stderr = True  # lgtm [py/overwritten-inherited-attribute]
         # Current provider needs 1.1.x https://github.com/aws/s2n-tls/issues/3963
-        self._is_openssl_11()
+        self.at_least_openssl_1_1()
 
     @classmethod
     def get_send_marker(cls):
@@ -398,11 +405,17 @@ def _cipher_to_cmdline(self, cipher):
 
     @classmethod
     def get_version(cls):
-        return get_flag(S2N_PROVIDER_VERSION)
+        return cls.version_openssl
 
     @classmethod
-    def supports_protocol(cls, protocol):
-        if protocol is Protocols.SSLv3:
+    def supports_protocol(cls, protocol, with_cert=None):
+        if cls.get_version()[0:3] == "1.1" and protocol is Protocols.SSLv3:
+            return False
+        if cls.get_version()[0:3] == "3.0" and (
+            protocol is Protocols.SSLv3
+            or protocol is Protocols.TLS10
+            or protocol is Protocols.TLS11
+        ):
             return False
 
         return True
@@ -411,14 +424,14 @@ def supports_protocol(cls, protocol):
     def supports_cipher(cls, cipher, with_curve=None):
         return True
 
-    def _is_openssl_11(self) -> None:
+    def at_least_openssl_1_1(self) -> None:
         result = subprocess.run(["openssl", "version"], shell=False, capture_output=True, text=True)
         version_str = result.stdout.split(" ")
         project = version_str[0]
         version = version_str[1]
         print(f"openssl version: {project} version: {version}")
-        if (project != "OpenSSL" or version[0:3] != "1.1"):
-            raise FileNotFoundError(f"Openssl version returned {version}, expected 1.1.x.")
+        if (project != "OpenSSL" or version[0:3] < "1.1"):
+            raise FileNotFoundError(f"Openssl version returned {version}, expected at least 1.1.x.")
 
     def setup_client(self):
         cmd_line = ['openssl', 's_client']

diff --git a/tests/integrationv2/utils.py b/tests/integrationv2/utils.py
@@ -1,7 +1,8 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
-from common import Protocols
-from providers import S2N
+import subprocess
+from common import Certificates, Protocols
+from providers import OpenSSL, S2N
 from global_flags import get_flag, S2N_FIPS_MODE
 
 
@@ -89,6 +90,24 @@ def invalid_test_parameters(*args, **kwargs):
             if not provider_.supports_certificate(certificate_):
                 return True
 
+    # openSSL 3.0 doesn't support 1024 certificates
+    if provider == OpenSSL or other_provider == OpenSSL:
+        if certificate is not None:
+            if OpenSSL.version_openssl[0:3] == "3.0" and (
+                certificate is Certificates.RSA_1024_SHA256
+                or certificate is Certificates.RSA_1024_SHA384
+                or certificate is Certificates.RSA_1024_SHA384
+            ):
+                return True
+
+        if client_certificate is not None:
+            if OpenSSL.version_openssl[0:3] == "3.0" and (
+                client_certificate is Certificates.RSA_1024_SHA256
+                or client_certificate is Certificates.RSA_1024_SHA384
+                or client_certificate is Certificates.RSA_1024_SHA384
+            ):
+                return True
+
     if cipher is not None:
         # If the selected protocol doesn't allow the cipher, don't test
         if protocol is not None: