WIP

aws · Nov 15, 2023 · b0080ac · b0080ac
1 parent 76cdeb3
commit b0080ac
Show file tree

Hide file tree

Showing 23 changed files with 36 additions and 62 deletions.
diff --git a/LICENSE b/LICENSE
@@ -200,25 +200,3 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-
-
-============================================================================
-    S2N SUBCOMPONENTS:
-
-    The s2n Project contains subcomponents with separate copyright notices
-    and license terms. Your use of the source code for these subcomponents is
-    subject to the terms and conditions of the following licenses.
-
-
-========================================================================
-Third party MIT licenses
-========================================================================
-
-The following components are provided under the MIT License. See project link for details.
-
-
-    SIKE
-      -> s2n/pq-crypto/sike_r1/LICENSE.txt
-
-
-
diff --git a/bindings/rust/generate.sh b/bindings/rust/generate.sh
@@ -19,7 +19,6 @@ cp -r \
   ../../api \
   ../../crypto \
   ../../error \
-  ../../pq-crypto \
   ../../stuffer \
   ../../tls \
   ../../utils \

diff --git a/bindings/rust/s2n-tls-sys/build.rs b/bindings/rust/s2n-tls-sys/build.rs
@@ -91,6 +91,8 @@ impl<'a> FeatureDetector<'a> {
 fn build_vendored() {
     let mut build = builder();
 
+    // TODO: update rust bindings to handle no pq-crypto dir
+
     let pq = option_env("CARGO_FEATURE_PQ").is_some();
 
     // TODO each pq section needs to be built separately since it

diff --git a/codebuild/bin/grep_simple_mistakes.sh b/codebuild/bin/grep_simple_mistakes.sh
@@ -18,7 +18,7 @@ FAILED=0
 # Grep for any instances of raw memcpy() function. s2n code should instead be
 # using one of the *_ENSURE_MEMCPY macros.
 #############################################
-S2N_FILES_ASSERT_NOT_USING_MEMCPY=$(find "$PWD" -type f -name "s2n*.[ch]" -not -path "*/tests/*"  -not -path "*/pq-crypto/*")
+S2N_FILES_ASSERT_NOT_USING_MEMCPY=$(find "$PWD" -type f -name "s2n*.[ch]" -not -path "*/tests/*")
 for file in $S2N_FILES_ASSERT_NOT_USING_MEMCPY; do
   RESULT_NUM_LINES=`grep 'memcpy(' $file | wc -l`
   if [ "${RESULT_NUM_LINES}" != 0 ]; then
@@ -180,7 +180,7 @@ done
 ## Assert that there are no new uses of S2N_ERROR_IF
 # TODO add crypto, tls (see https://github.com/aws/s2n-tls/issues/2635)
 #############################################
-S2N_ERROR_IF_FREE="bin error pq-crypto scram stuffer utils tests"
+S2N_ERROR_IF_FREE="bin error scram stuffer utils tests"
 for dir in $S2N_ERROR_IF_FREE; do
   files=$(find "$dir" -type f -name "*.c" -path "*")
   for file in $files; do

diff --git a/compliance/generate_report.sh b/compliance/generate_report.sh
@@ -15,7 +15,6 @@ duvet \
   --source-pattern '(*=,*#)bin/**/*.[ch]' \
   --source-pattern '(*=,*#)crypto/**/*.[ch]' \
   --source-pattern '(*=,*#)error/**/*.[ch]' \
-  --source-pattern '(*=,*#)pq-crypto/**/*.[ch]' \
   --source-pattern '(*=,*#)stuffer/**/*.[ch]' \
   --source-pattern '(*=,*#)tests/**/*.[ch]' \
   --source-pattern '(*=,*#)tls/**/*.[ch]' \

diff --git a/crypto/s2n_kyber_evp.c b/crypto/s2n_kyber_evp.c
@@ -16,8 +16,8 @@
 #include <openssl/evp.h>
 #include <stddef.h>
 
-#include "error/s2n_errno.h"
 #include "crypto/s2n_pq.h"
+#include "error/s2n_errno.h"
 #include "tls/s2n_kem.h"
 #include "utils/s2n_safety.h"
 #include "utils/s2n_safety_macros.h"
@@ -90,7 +90,7 @@ int s2n_kyber_evp_decapsulate(IN const struct s2n_kem *kem, OUT uint8_t *shared_
     return S2N_SUCCESS;
 }
 
-#else /* If !S2N_LIBCRYPTO_SUPPORTS_KYBER, pq-crypto won't be compiled so define relevant stubs here. */
+#else /* If !S2N_LIBCRYPTO_SUPPORTS_KYBER, we won't have a Kyber impl so define relevant stubs here. */
 
 int s2n_kyber_evp_generate_keypair(IN const struct s2n_kem *kem, OUT uint8_t *public_key,
         OUT uint8_t *secret_key)

diff --git a/crypto/s2n_pq.c b/crypto/s2n_pq.c
@@ -19,7 +19,7 @@
 
 bool s2n_libcrypto_supports_kyber()
 {
-  /* S2N_LIBCRYPTO_SUPPORTS_KYBER will auto-detected and enabled if
+    /* S2N_LIBCRYPTO_SUPPORTS_KYBER will auto-detected and #defined if
    * ./tests/features/S2N_LIBCRYPTO_SUPPORTS_KYBER.c returns 1 */
 #if defined(S2N_LIBCRYPTO_SUPPORTS_KYBER)
     return true;
@@ -30,5 +30,5 @@ bool s2n_libcrypto_supports_kyber()
 
 bool s2n_pq_is_enabled()
 {
-  return s2n_libcrypto_supports_kyber();
+    return s2n_libcrypto_supports_kyber();
 }
diff --git a/lib/Makefile b/lib/Makefile
@@ -13,7 +13,7 @@
 # permissions and limitations under the License.
 #
 
-OBJS = $(wildcard ../utils/*.o ../stuffer/*.o ../tls/*.o ../tls/*/*.o ../iana/*.o ../crypto/*.o ../error/*.o ../pq-crypto/*.o  ../pq-crypto/kyber_r3/*.o)
+OBJS = $(wildcard ../utils/*.o ../stuffer/*.o ../tls/*.o ../tls/*/*.o ../iana/*.o ../crypto/*.o ../error/*.o)
 
 .PHONY : all
 all: libs2n.a libs2n.so libs2n.dylib

diff --git a/tests/fuzz/allowed_coverage_failures.cfg b/tests/fuzz/allowed_coverage_failures.cfg
@@ -0,0 +1,5 @@
+# If s2n is compiled with a libcrypto that doesn't support Kyber, then Kyber fuzzing branch coverage will be near zero
+# since the fuzz test will immediately return an error that Kyber isn't supported. This isn't a fuzz test failure, so
+# allow the Kyber fuzz tests to have zero branch coverage.
+s2n_kyber_r3_recv_ciphertext_fuzz_test
+s2n_kyber_r3_recv_public_key_fuzz_test
diff --git a/tests/fuzz/calcTotalCov.sh b/tests/fuzz/calcTotalCov.sh
@@ -28,7 +28,7 @@ if [[ -z "$S2N_ROOT" ]]; then
     S2N_ROOT=../..
 fi
 
-FUZZCOV_SOURCES="${S2N_ROOT}/api ${S2N_ROOT}/bin ${S2N_ROOT}/crypto ${S2N_ROOT}/error ${S2N_ROOT}/pq-crypto ${S2N_ROOT}/stuffer ${S2N_ROOT}/tls ${S2N_ROOT}/utils"
+FUZZCOV_SOURCES="${S2N_ROOT}/api ${S2N_ROOT}/bin ${S2N_ROOT}/crypto ${S2N_ROOT}/error ${S2N_ROOT}/stuffer ${S2N_ROOT}/tls ${S2N_ROOT}/utils"
 
 
 # Outputs fuzz coverage results if the FUZZ_COVERAGE environment variable is set

diff --git a/tests/fuzz/runFuzzTest.sh b/tests/fuzz/runFuzzTest.sh
@@ -48,7 +48,7 @@ LIBFUZZER_ARGS+="-timeout=5 -max_len=4096 -print_final_stats=1 -jobs=${NUM_CPU_T
 TEST_SPECIFIC_OVERRIDES="${PWD}/LD_PRELOAD/${TEST_NAME}_overrides.so"
 GLOBAL_OVERRIDES="${PWD}/LD_PRELOAD/global_overrides.so"
 
-FUZZCOV_SOURCES="${S2N_ROOT}/api ${S2N_ROOT}/bin ${S2N_ROOT}/crypto ${S2N_ROOT}/error ${S2N_ROOT}/pq-crypto ${S2N_ROOT}/stuffer ${S2N_ROOT}/tls ${S2N_ROOT}/utils"
+FUZZCOV_SOURCES="${S2N_ROOT}/api ${S2N_ROOT}/bin ${S2N_ROOT}/crypto ${S2N_ROOT}/error ${S2N_ROOT}/stuffer ${S2N_ROOT}/tls ${S2N_ROOT}/utils"
 
 if [ -e $TEST_SPECIFIC_OVERRIDES ];
 then
@@ -197,7 +197,13 @@ then
             printf "\033[33;1mWARNING!\033[0m ${TEST_NAME} is only ${TESTS_PER_SEC} tests/sec, which is below ${MIN_TEST_PER_SEC}/sec! Fuzz tests are more effective at higher rates.\n\n"
         fi
 
-        if [ "$FEATURE_COVERAGE" -lt $MIN_FEATURES_COVERED ]; then
+        COVERAGE_FAILURE_ALLOWED=0
+        if grep -Fxq ${TEST_NAME} ./allowed_coverage_failures.cfg
+        then
+            COVERAGE_FAILURE_ALLOWED=1
+        fi
+
+        if [ "$FEATURE_COVERAGE" -lt $MIN_FEATURES_COVERED && COVERAGE_FAILURE_ALLOWED -eq 0 ]; then
             printf "\033[31;1mERROR!\033[0m ${TEST_NAME} only covers ${FEATURE_COVERAGE} features, which is below ${MIN_FEATURES_COVERED}! This may be due to missing corpus files or a bug.\n"
             exit -1;
         fi

diff --git a/tests/fuzz/s2n_hybrid_ecdhe_kyber_r3_fuzz_test.c b/tests/fuzz/s2n_hybrid_ecdhe_kyber_r3_fuzz_test.c
@@ -21,8 +21,8 @@
 #include "crypto/s2n_drbg.h"
 #include "crypto/s2n_hash.h"
 #include "crypto/s2n_openssl.h"
-#include "error/s2n_errno.h"
 #include "crypto/s2n_pq.h"
+#include "error/s2n_errno.h"
 #include "stuffer/s2n_stuffer.h"
 #include "tests/s2n_test.h"
 #include "tests/testlib/s2n_testlib.h"

diff --git a/tests/fuzz/s2n_kyber_r3_recv_ciphertext_fuzz_test.c b/tests/fuzz/s2n_kyber_r3_recv_ciphertext_fuzz_test.c
@@ -50,4 +50,3 @@ static void s2n_fuzz_cleanup()
 }
 
 S2N_FUZZ_TARGET(s2n_fuzz_init, s2n_fuzz_test, s2n_fuzz_cleanup)
-
diff --git a/tests/fuzz/s2n_kyber_r3_recv_public_key_fuzz_test.c b/tests/fuzz/s2n_kyber_r3_recv_public_key_fuzz_test.c
@@ -37,6 +37,7 @@ int s2n_fuzz_test(const uint8_t *buf, size_t len)
         POSIX_GUARD(s2n_kem_recv_public_key_fuzz_test(buf, len, &kyber768_r3_draft5_params));
         POSIX_GUARD(s2n_kem_recv_public_key_fuzz_test(buf, len, &kyber1024_r3_draft5_params));
     }
+
     return S2N_SUCCESS;
 }
 

diff --git a/tests/integrationv2/common.py b/tests/integrationv2/common.py
@@ -6,7 +6,7 @@
 
 
 from constants import TEST_CERT_DIRECTORY
-from global_flags import get_flag, S2N_NO_PQ, S2N_FIPS_MODE
+from global_flags import get_flag, S2N_PROVIDER_VERSION
 
 
 def data_bytes(n_bytes):
@@ -33,7 +33,7 @@ def pq_enabled():
     """
     Returns true or false to indicate whether PQ crypto is enabled in s2n
     """
-    return not (get_flag(S2N_NO_PQ, False) or get_flag(S2N_FIPS_MODE, False))
+    return "awslc" in get_flag(S2N_PROVIDER_VERSION)
 
 
 class AvailablePorts(object):

diff --git a/tests/saw/Makefile b/tests/saw/Makefile
@@ -149,12 +149,6 @@ bitcode :
 CRYPTO_C = $(wildcard ../../crypto/*.c) $(wildcard ../../crypto/*.h) ../../crypto/Makefile
 CRYPTO_COPY = $(addprefix s2n/crypto/, $(notdir $(CRYPTO_C)))
 
-PQ_CRYPTO_C = $(wildcard ../../pq-crypto/*.c) $(wildcard ../../pq-crypto/*.h) ../../pq-crypto/s2n_pq_asm.mk ../../pq-crypto/Makefile
-PQ_CRYPTO_COPY = $(addprefix s2n/pq-crypto/, $(notdir $(PQ_CRYPTO_C)))
-
-KYBER_R3_C = $(wildcard ../../pq-crypto/kyber_r3/*.c) $(wildcard ../../pq-crypto/kyber_r3/*.h) ../../pq-crypto/kyber_r3/Makefile
-KYBER_R3_COPY = $(addprefix s2n/pq-crypto/kyber_r3/, $(notdir $(KYBER_R3_C)))
-
 UTILS_C = $(wildcard ../../utils/*.c) $(wildcard ../../utils/*.h) ../../utils/Makefile
 UTILS_COPY =$(addprefix s2n/utils/, $(notdir $(UTILS_C)))
 
@@ -182,12 +176,6 @@ s2n/api :
 s2n/crypto :
 	mkdir -p $@
 
-s2n/pq-crypto :
-	mkdir -p $@
-
-s2n/pq-crypto/kyber_r3 :
-	mkdir -p $@
-
 s2n/utils :
 	mkdir -p $@
 
@@ -205,12 +193,12 @@ export BITCODE_DIR := $(CURDIR)/bitcode/
 tmp:
 	mkdir -p tmp
 
-bitcode/all_llvm.bc : s2n/crypto s2n/pq-crypto s2n/utils s2n/tls s2n/api s2n/error s2n/stuffer s2n/Makefile s2n/s2n.mk $(CRYPTO_COPY) $(PQ_CRYPTO_COPY) $(UTILS_COPY) $(TLS_COPY) $(API_COPY) $(ERROR_COPY) $(STUFFER_COPY)
+bitcode/all_llvm.bc : s2n/crypto s2n/utils s2n/tls s2n/api s2n/error s2n/stuffer s2n/Makefile s2n/s2n.mk $(CRYPTO_COPY) $(PQ_CRYPTO_COPY) $(UTILS_COPY) $(TLS_COPY) $(API_COPY) $(ERROR_COPY) $(STUFFER_COPY)
 	${MAKE} -C s2n bc
 	${MAKE} -C bitcode all_llvm.bc
 
 
-s2n/lib/libs2n.so : s2n/crypto s2n/pq-crypto s2n/pq-crypto/kyber_r3 s2n/utils s2n/tls s2n/api s2n/error s2n/stuffer s2n/lib s2n/Makefile s2n/s2n.mk $(CRYPTO_COPY) $(PQ_CRYPTO_COPY) $(KYBER_R3_COPY) $(UTILS_COPY) $(TLS_COPY) $(API_COPY) $(ERROR_COPY) $(STUFFER_COPY) $(LIB_COPY)
+s2n/lib/libs2n.so : s2n/crypto s2n/utils s2n/tls s2n/api s2n/error s2n/stuffer s2n/lib s2n/Makefile s2n/s2n.mk $(CRYPTO_COPY) $(UTILS_COPY) $(TLS_COPY) $(API_COPY) $(ERROR_COPY) $(STUFFER_COPY) $(LIB_COPY)
 	${MAKE} -C s2n libs NO_STACK_PROTECTOR=1 NO_INLINE=1
 
 s2n/%.h : ../../%.h
@@ -230,6 +218,3 @@ s2n/Makefile : ../../Makefile
 
 s2n/s2n.mk : ../../s2n.mk
 	cp $< $@
-
-s2n/pq-crypto/s2n_pq_asm.mk : ../../pq-crypto/s2n_pq_asm.mk
-	cp $< $@
diff --git a/tests/unit/s2n_config_test.c b/tests/unit/s2n_config_test.c
@@ -19,7 +19,7 @@
 
 #include "api/s2n.h"
 #include "crypto/s2n_fips.h"
-#include "pq-crypto/s2n_pq.h"
+#include "crypto/s2n_pq.h"
 #include "s2n_test.h"
 #include "testlib/s2n_testlib.h"
 #include "tls/extensions/s2n_client_supported_groups.h"

diff --git a/tests/unit/s2n_security_policies_test.c b/tests/unit/s2n_security_policies_test.c
@@ -15,9 +15,9 @@
 
 #include "tls/s2n_security_policies.h"
 
+#include "crypto/s2n_pq.h"
 #include "crypto/s2n_rsa_pss.h"
 #include "crypto/s2n_rsa_signing.h"
-#include "crypto/s2n_pq.h"
 #include "s2n_test.h"
 #include "testlib/s2n_testlib.h"
 #include "tls/s2n_kem.h"

diff --git a/tests/unit/s2n_tls13_pq_handshake_test.c b/tests/unit/s2n_tls13_pq_handshake_test.c
@@ -14,8 +14,8 @@
  */
 
 #include "api/s2n.h"
-#include "crypto/s2n_rsa_signing.h"
 #include "crypto/s2n_pq.h"
+#include "crypto/s2n_rsa_signing.h"
 #include "s2n_test.h"
 #include "testlib/s2n_testlib.h"
 #include "tls/s2n_ecc_preferences.h"

diff --git a/tls/extensions/s2n_client_key_share.c b/tls/extensions/s2n_client_key_share.c
@@ -15,8 +15,8 @@
 
 #include "tls/extensions/s2n_client_key_share.h"
 
-#include "error/s2n_errno.h"
 #include "crypto/s2n_pq.h"
+#include "error/s2n_errno.h"
 #include "stuffer/s2n_stuffer.h"
 #include "tls/extensions/s2n_key_share.h"
 #include "tls/s2n_kem_preferences.h"

diff --git a/tls/s2n_cipher_suites.c b/tls/s2n_cipher_suites.c
@@ -18,8 +18,8 @@
 
 #include "crypto/s2n_cipher.h"
 #include "crypto/s2n_openssl.h"
-#include "error/s2n_errno.h"
 #include "crypto/s2n_pq.h"
+#include "error/s2n_errno.h"
 #include "tls/s2n_auth_selection.h"
 #include "tls/s2n_kex.h"
 #include "tls/s2n_psk.h"

diff --git a/tls/s2n_config.c b/tls/s2n_config.c
@@ -20,8 +20,8 @@
 #include "crypto/s2n_certificate.h"
 #include "crypto/s2n_fips.h"
 #include "crypto/s2n_hkdf.h"
+#include "crypto/s2n_pq.h"
 #include "error/s2n_errno.h"
-#include "pq-crypto/s2n_pq.h"
 #include "tls/s2n_cipher_preferences.h"
 #include "tls/s2n_internal.h"
 #include "tls/s2n_ktls.h"

diff --git a/tls/s2n_server_hello_retry.c b/tls/s2n_server_hello_retry.c
@@ -14,8 +14,8 @@
  */
 #include <stdbool.h>
 
-#include "error/s2n_errno.h"
 #include "crypto/s2n_pq.h"
+#include "error/s2n_errno.h"
 #include "tls/s2n_cipher_suites.h"
 #include "tls/s2n_server_extensions.h"
 #include "tls/s2n_tls.h"
Original file line number	Diff line number	Diff line change
Expand Up		@@ -50,4 +50,3 @@ static void s2n_fuzz_cleanup()
		}

		S2N_FUZZ_TARGET(s2n_fuzz_init, s2n_fuzz_test, s2n_fuzz_cleanup)
-Original file line number
+Diff line change
@@ Expand Up / @@ -37,6 +37,7 @@ int s2n_fuzz_test(const uint8_t *buf, size_t len) @@
             POSIX_GUARD(s2n_kem_recv_public_key_fuzz_test(buf, len, &kyber768_r3_draft5_params));
             POSIX_GUARD(s2n_kem_recv_public_key_fuzz_test(buf, len, &kyber1024_r3_draft5_params));
         }
         return S2N_SUCCESS;
     }
@@ Expand Down @@