Skip to content

Commit

Permalink
Merge branch 'main' into add-cd-logic
Browse files Browse the repository at this point in the history
  • Loading branch information
@boquan-fang
boquan-fang authored Dec 6, 2024
2 parents 96a4d7c + 774462f commit 2c207d6
Show file tree
Hide file tree
Showing 12 changed files with 231 additions and 150 deletions.
44 changes: 43 additions & 1 deletion .github/workflows/ci_rust.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ on:
env:
# Pin the nightly toolchain to prevent breakage.
# This should be occasionally updated.
RUST_NIGHTLY_TOOLCHAIN: nightly-2024-01-01
RUST_NIGHTLY_TOOLCHAIN: nightly-2024-12-01
ROOT_PATH: bindings/rust
EXAMPLE_WORKSPACE: bindings/rust-examples
PCAP_TEST_PATH: tests/pcap
Expand Down Expand Up @@ -213,6 +213,48 @@ jobs:
run: |
cargo test --tests --all-features
# Run the rust unit tests under address sanitizer.
#
# Rust is generally memory safe, but our bindings contain a large amount of unsafe
# code. Additionally, "safe" code doesn't guarentee that the code is free of
# memory leaks.
asan-unit-tests:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Install Rust toolchain
id: toolchain
run: |
rustup toolchain install ${{env.RUST_NIGHTLY_TOOLCHAIN }} \
--profile minimal \
--component rust-src \
--target x86_64-unknown-linux-gnu
rustup override set ${{ env.RUST_NIGHTLY_TOOLCHAIN }}
- name: Generate
run: ./${{env.ROOT_PATH}}/generate.sh --skip-tests

# asan expects a binary at /usr/bin/llvm-symbolizer but GHA runners include
# multiple versioned binaries, like /usr/bin/llvm-symbolizer-13. This step
# finds the latest symbolizer and use it as the "base" llvm-symbolizer binary.
#
# llvm-symbolizer is necessary to get nice stack traces from asan errors.
# Otherwise the stack trace just contains a hex address like "0x55bc6a28a9b6"
- name: set llvm symbolizer
run: |
sudo ln -s $(find /usr/bin/ -maxdepth 1 -name "llvm-symbolizer-*" | sort -V | tail -n 1) /usr/bin/llvm-symbolizer
- name: Run Unit Tests under ASAN
env:
RUSTDOCFLAGS: -Zsanitizer=address
RUSTFLAGS: -Zsanitizer=address
run: |
cargo test \
-Zbuild-std \
--manifest-path ${{ env.ROOT_PATH}}/Cargo.toml \
--target x86_64-unknown-linux-gnu
rustfmt:
runs-on: ubuntu-latest
steps:
Expand Down
1 change: 0 additions & 1 deletion codebuild/bin/s2n_codebuild.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,6 @@ if [[ "$TESTS" == "ALL" || "$TESTS" == "sawHMACPlus" ]] && [[ "$OS_NAME" == "lin
if [[ "$TESTS" == "ALL" || "$TESTS" == "unit" ]]; then run_unit_tests; fi
if [[ "$TESTS" == "ALL" || "$TESTS" == "interning" ]]; then ./codebuild/bin/test_libcrypto_interning.sh; fi
if [[ "$TESTS" == "ALL" || "$TESTS" == "exec_leak" ]]; then ./codebuild/bin/test_exec_leak.sh; fi
if [[ "$TESTS" == "ALL" || "$TESTS" == "asan" ]]; then make clean; S2N_ADDRESS_SANITIZER=1 make -j $JOBS ; fi
if [[ "$TESTS" == "ALL" || "$TESTS" == "integrationv2" ]]; then run_integration_v2_tests; fi
if [[ "$TESTS" == "ALL" || "$TESTS" == "crt" ]]; then ./codebuild/bin/build_aws_crt_cpp.sh $(mktemp -d) $(mktemp -d); fi
if [[ "$TESTS" == "ALL" || "$TESTS" == "sharedandstatic" ]]; then ./codebuild/bin/test_install_shared_and_static.sh $(mktemp -d); fi
Expand Down
45 changes: 0 additions & 45 deletions codebuild/spec/buildspec_generalbatch.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -53,51 +53,6 @@ batch:
BUILD_S2N: 'true'
TESTS: exec_leak
identifier: s2nExecLeak
- identifier: s2nAsanOpenSSL111Coverage
buildspec: codebuild/spec/buildspec_ubuntu.yml
env:
compute-type: BUILD_GENERAL1_LARGE
image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild
privileged-mode: true
variables:
BUILD_S2N: 'true'
GCC_VERSION: '9'
S2N_COVERAGE: 'true'
S2N_LIBCRYPTO: 'openssl-1.1.1'
TESTS: asan
- identifier: s2nAsanAwslc
buildspec: codebuild/spec/buildspec_ubuntu.yml
env:
compute-type: BUILD_GENERAL1_LARGE
image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild
privileged-mode: true
variables:
BUILD_S2N: 'true'
GCC_VERSION: '9'
S2N_LIBCRYPTO: 'awslc'
TESTS: asan
- identifier: s2nAsanOpenssl3
buildspec: codebuild/spec/buildspec_ubuntu.yml
env:
privileged-mode: true
compute-type: BUILD_GENERAL1_LARGE
image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild
variables:
TESTS: asan
GCC_VERSION: '9'
S2N_LIBCRYPTO: 'openssl-3.0'
BUILD_S2N: 'true'
- identifier: s2nAsanOpenssl102
buildspec: codebuild/spec/buildspec_ubuntu.yml
env:
compute-type: BUILD_GENERAL1_LARGE
image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild
privileged-mode: true
variables:
BUILD_S2N: 'true'
GCC_VERSION: '9'
S2N_LIBCRYPTO: 'openssl-1.0.2'
TESTS: asan
- buildspec: codebuild/spec/buildspec_ubuntu.yml
env:
compute-type: BUILD_GENERAL1_SMALL
Expand Down
25 changes: 0 additions & 25 deletions codebuild/spec/buildspec_omnibus.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -48,31 +48,6 @@ batch:
variables:
TESTS: sidetrail

- identifier: s2nAsanOpenSSL111Coverage
buildspec: codebuild/spec/buildspec_ubuntu.yml
env:
privileged-mode: true
compute-type: BUILD_GENERAL1_LARGE
image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild
variables:
TESTS: asan
GCC_VERSION: '6'
S2N_LIBCRYPTO: 'openssl-1.1.1'
BUILD_S2N: 'true'
S2N_COVERAGE: 'true'

- identifier: s2nAsanOpenssl102
buildspec: codebuild/spec/buildspec_ubuntu.yml
env:
privileged-mode: true
compute-type: BUILD_GENERAL1_LARGE
image: 024603541914.dkr.ecr.us-west-2.amazonaws.com/docker:ubuntu18codebuild
variables:
TESTS: asan
GCC_VERSION: '6'
S2N_LIBCRYPTO: 'openssl-1.0.2'
BUILD_S2N: 'true'

- identifier: s2nUnitNoPQ
buildspec: codebuild/spec/buildspec_ubuntu.yml
env:
Expand Down
2 changes: 1 addition & 1 deletion crypto/s2n_libcrypto.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -117,7 +117,7 @@ static S2N_RESULT s2n_libcrypto_validate_expected_version_number(void)
* ABI compatible forks of OpenSSL, detecting OpenSSL is done by checking the
* absence of other known libcrypto variants.
*/
bool s2n_libcrypto_is_openssl()
bool s2n_libcrypto_is_openssl(void)
{
bool is_other_libcrypto_variant =
s2n_libcrypto_is_boringssl() || s2n_libcrypto_is_libressl() || s2n_libcrypto_is_awslc();
Expand Down
8 changes: 1 addition & 7 deletions crypto/s2n_openssl.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -50,13 +50,7 @@
#define RESULT_EVP_CTX_INIT(ctx) EVP_CIPHER_CTX_init(ctx)
#endif

#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_FIPS) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_AWSLC) && !defined(OPENSSL_NO_ENGINE)
#define S2N_LIBCRYPTO_SUPPORTS_CUSTOM_RAND 1
#else
#define S2N_LIBCRYPTO_SUPPORTS_CUSTOM_RAND 0
#endif

bool s2n_libcrypto_is_openssl();
bool s2n_libcrypto_is_openssl(void);
bool s2n_libcrypto_is_awslc();
bool s2n_libcrypto_is_boringssl();
bool s2n_libcrypto_is_libressl();
79 changes: 79 additions & 0 deletions tests/features/S2N_LIBCRYPTO_SUPPORTS_ENGINE.c
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/

/*
* This feature probe checks if the linked libcrypto has ENGINE support.
* https://docs.openssl.org/1.0.2/man3/engine/
*/

/*
* We would always expect the `openssl/engine.h` header to be available.
* However, some platforms (CentOS 10, Fedora 41, and RHEL 10) have reportedly
* been removing the `openssl/engine.h` header.
*
* See the related issues:
* - https://github.com/aws/s2n-tls/pull/4705
* - https://github.com/aws/s2n-tls/pull/4873
*/
#include <openssl/engine.h>
/* LibreSSL requires <openssl/rand.h> include.
* https://github.com/aws/s2n-tls/issues/153#issuecomment-129651643
*/
#include <openssl/rand.h>

int s2n_noop_rand(unsigned char *buf, int num)
{
return 1;
}

int main()
{
/* Init usage in utils/s2n_random.c */
ENGINE *e = ENGINE_new();
ENGINE_set_id(e, "id");
ENGINE_set_name(e, "name");
ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL);
ENGINE_set_init_function(e, NULL);
ENGINE_set_RAND(e, NULL);
ENGINE_add(e);
ENGINE_init(e);
ENGINE_set_default(e, ENGINE_METHOD_RAND);

/* Cleanup usage in utils/s2n_random.c */
ENGINE_remove(e);
ENGINE_finish(e);
ENGINE_unregister_RAND(e);
ENGINE_free(e);
ENGINE_cleanup();
RAND_set_rand_engine(NULL);
RAND_set_rand_method(NULL);

/* RAND_METHOD is gated behind S2N_LIBCRYPTO_SUPPORTS_ENGINE because AWS-LC has
* a different signature for RAND_METHOD and fails to compile.
*
* - AWS-LC: https://github.com/aws/aws-lc/blob/main/include/openssl/rand.h#L124
* - OpenSSL: https://github.com/openssl/openssl/blob/master/include/openssl/rand.h#L42
*/
RAND_METHOD s2n_noop_rand_method = {
.seed = NULL,
.bytes = s2n_noop_rand,
.cleanup = NULL,
.add = NULL,
.pseudorand = s2n_noop_rand,
.status = NULL
};

return 0;
}
1 change: 1 addition & 0 deletions tests/features/S2N_LIBCRYPTO_SUPPORTS_ENGINE.flags
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
-Wincompatible-pointer-types
19 changes: 6 additions & 13 deletions tests/unit/s2n_override_openssl_random_test.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,6 @@
*/

#include <openssl/dh.h>
#include <openssl/engine.h>

#include "api/s2n.h"
#include "crypto/s2n_dhe.h"
Expand All @@ -26,7 +25,6 @@
#include "utils/s2n_random.h"
#include "utils/s2n_safety.h"

#if S2N_LIBCRYPTO_SUPPORTS_CUSTOM_RAND
const char reference_entropy_hex[] = "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
Expand Down Expand Up @@ -70,6 +68,12 @@ int main(int argc, char **argv)
uint64_t bytes_used = 0;

BEGIN_TEST();

if (!s2n_supports_custom_rand()) {
/* Skip when custom rand is not supported */
END_TEST();
}

EXPECT_SUCCESS(s2n_disable_tls13_in_test());

EXPECT_NOT_NULL(dhparams_pem = malloc(S2N_MAX_TEST_PEM_SIZE));
Expand Down Expand Up @@ -137,14 +141,3 @@ int main(int argc, char **argv)

END_TEST();
}

#else

int main(int argc, char **argv)
{
BEGIN_TEST();

END_TEST();
}

#endif
57 changes: 41 additions & 16 deletions tests/unit/s2n_random_test.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,8 @@
#define NUMBER_OF_RANGE_FUNCTION_CALLS 200
#define MAX_REPEATED_OUTPUT 4

bool s2n_libcrypto_is_fips(void);
bool s2n_libcrypto_is_openssl(void);
S2N_RESULT s2n_rand_device_validate(struct s2n_rand_device *device);
S2N_RESULT s2n_rand_get_urandom_for_test(struct s2n_rand_device **device);
S2N_RESULT s2n_rand_set_urandom_for_test();
Expand Down Expand Up @@ -793,25 +795,25 @@ static int s2n_random_rand_bytes_after_cleanup_cb(struct random_test_case *test_

static int s2n_random_rand_bytes_before_init(struct random_test_case *test_case)
{
#if S2N_LIBCRYPTO_SUPPORTS_CUSTOM_RAND
/* Calling RAND_bytes will set a global random method */
unsigned char rndbytes[16] = { 0 };
EXPECT_EQUAL(RAND_bytes(rndbytes, sizeof(rndbytes)), 1);
const RAND_METHOD *rand_method = RAND_get_rand_method();
EXPECT_NOT_NULL(rand_method);
EXPECT_NOT_EQUAL(rand_method->bytes, s2n_openssl_compat_rand);

EXPECT_SUCCESS(s2n_init());
/* s2n_libcrypto_is_fips() is used since we are testing `s2n_init()` */
if (s2n_supports_custom_rand() && !s2n_libcrypto_is_fips()) {
/* Calling RAND_bytes will set a global random method */
unsigned char rndbytes[16] = { 0 };
EXPECT_EQUAL(RAND_bytes(rndbytes, sizeof(rndbytes)), 1);
const RAND_METHOD *rand_method = RAND_get_rand_method();
EXPECT_NOT_NULL(rand_method);
EXPECT_NOT_EQUAL((void (*)(void)) rand_method->bytes, (void (*)(void)) s2n_openssl_compat_rand);

/* The global random method is overridden after calling s2n_init() */
const RAND_METHOD *custom_rand_method = RAND_get_rand_method();
EXPECT_NOT_NULL(custom_rand_method);
EXPECT_EQUAL(custom_rand_method->bytes, s2n_openssl_compat_rand);
EXPECT_SUCCESS(s2n_init());

/* RAND_bytes is still successful */
EXPECT_EQUAL(RAND_bytes(rndbytes, sizeof(rndbytes)), 1);
/* The global random method is overridden after calling s2n_init() */
const RAND_METHOD *custom_rand_method = RAND_get_rand_method();
EXPECT_NOT_NULL(custom_rand_method);
EXPECT_EQUAL((void (*)(void)) custom_rand_method->bytes, (void (*)(void)) s2n_openssl_compat_rand);

#endif
/* RAND_bytes is still successful */
EXPECT_EQUAL(RAND_bytes(rndbytes, sizeof(rndbytes)), 1);
}
return S2N_SUCCESS;
}

Expand Down Expand Up @@ -894,6 +896,29 @@ int main(int argc, char **argv)
{
BEGIN_TEST_NO_INIT();

/* Feature probe: Negative test */
{
if (s2n_libcrypto_is_awslc()) {
#if defined(S2N_LIBCRYPTO_SUPPORTS_ENGINE)
FAIL_MSG("Expected ENGINE feature probe to be disabled with AWS-LC");
#endif
}
};

/* Feature probe: Positive test
*
* TODO: Test missing due to unrelated feature probe failure on AL2.
* https://github.com/aws/s2n-tls/issues/4900
*/

/* s2n_supports_custom_rand */
{
if (s2n_supports_custom_rand()) {
EXPECT_TRUE(s2n_libcrypto_is_openssl());
EXPECT_FALSE(s2n_is_in_fips_mode());
}
};

/* For each test case, creates a child process that runs the test case.
*
* Fork detection is lazily initialised on first invocation of
Expand Down
Loading

0 comments on commit 2c207d6

Please sign in to comment.