From b0080ac9644568d0d1f301e628b436a6882152cb Mon Sep 17 00:00:00 2001 From: Alex Weibel Date: Thu, 9 Nov 2023 17:30:43 -0800 Subject: [PATCH] WIP --- LICENSE | 22 ------------------- bindings/rust/generate.sh | 1 - bindings/rust/s2n-tls-sys/build.rs | 2 ++ codebuild/bin/grep_simple_mistakes.sh | 4 ++-- compliance/generate_report.sh | 1 - crypto/s2n_kyber_evp.c | 4 ++-- crypto/s2n_pq.c | 4 ++-- lib/Makefile | 2 +- tests/fuzz/allowed_coverage_failures.cfg | 5 +++++ tests/fuzz/calcTotalCov.sh | 2 +- tests/fuzz/runFuzzTest.sh | 10 +++++++-- .../s2n_hybrid_ecdhe_kyber_r3_fuzz_test.c | 2 +- .../s2n_kyber_r3_recv_ciphertext_fuzz_test.c | 1 - .../s2n_kyber_r3_recv_public_key_fuzz_test.c | 1 + tests/integrationv2/common.py | 4 ++-- tests/saw/Makefile | 19 ++-------------- tests/unit/s2n_config_test.c | 2 +- tests/unit/s2n_security_policies_test.c | 2 +- tests/unit/s2n_tls13_pq_handshake_test.c | 2 +- tls/extensions/s2n_client_key_share.c | 2 +- tls/s2n_cipher_suites.c | 2 +- tls/s2n_config.c | 2 +- tls/s2n_server_hello_retry.c | 2 +- 23 files changed, 36 insertions(+), 62 deletions(-) create mode 100644 tests/fuzz/allowed_coverage_failures.cfg diff --git a/LICENSE b/LICENSE index fb388fd4731..d6456956733 100644 --- a/LICENSE +++ b/LICENSE @@ -200,25 +200,3 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. - - -============================================================================ - S2N SUBCOMPONENTS: - - The s2n Project contains subcomponents with separate copyright notices - and license terms. Your use of the source code for these subcomponents is - subject to the terms and conditions of the following licenses. - - -======================================================================== -Third party MIT licenses -======================================================================== - -The following components are provided under the MIT License. See project link for details. - - - SIKE - -> s2n/pq-crypto/sike_r1/LICENSE.txt - - - diff --git a/bindings/rust/generate.sh b/bindings/rust/generate.sh index 0f1a5dc142f..03d66841bb6 100755 --- a/bindings/rust/generate.sh +++ b/bindings/rust/generate.sh @@ -19,7 +19,6 @@ cp -r \ ../../api \ ../../crypto \ ../../error \ - ../../pq-crypto \ ../../stuffer \ ../../tls \ ../../utils \ diff --git a/bindings/rust/s2n-tls-sys/build.rs b/bindings/rust/s2n-tls-sys/build.rs index 03a9698cc8b..4fc35629c76 100644 --- a/bindings/rust/s2n-tls-sys/build.rs +++ b/bindings/rust/s2n-tls-sys/build.rs @@ -91,6 +91,8 @@ impl<'a> FeatureDetector<'a> { fn build_vendored() { let mut build = builder(); + // TODO: update rust bindings to handle no pq-crypto dir + let pq = option_env("CARGO_FEATURE_PQ").is_some(); // TODO each pq section needs to be built separately since it diff --git a/codebuild/bin/grep_simple_mistakes.sh b/codebuild/bin/grep_simple_mistakes.sh index 1dbe9fe9208..84c3810b8f6 100755 --- a/codebuild/bin/grep_simple_mistakes.sh +++ b/codebuild/bin/grep_simple_mistakes.sh @@ -18,7 +18,7 @@ FAILED=0 # Grep for any instances of raw memcpy() function. s2n code should instead be # using one of the *_ENSURE_MEMCPY macros. ############################################# -S2N_FILES_ASSERT_NOT_USING_MEMCPY=$(find "$PWD" -type f -name "s2n*.[ch]" -not -path "*/tests/*" -not -path "*/pq-crypto/*") +S2N_FILES_ASSERT_NOT_USING_MEMCPY=$(find "$PWD" -type f -name "s2n*.[ch]" -not -path "*/tests/*") for file in $S2N_FILES_ASSERT_NOT_USING_MEMCPY; do RESULT_NUM_LINES=`grep 'memcpy(' $file | wc -l` if [ "${RESULT_NUM_LINES}" != 0 ]; then @@ -180,7 +180,7 @@ done ## Assert that there are no new uses of S2N_ERROR_IF # TODO add crypto, tls (see https://github.com/aws/s2n-tls/issues/2635) ############################################# -S2N_ERROR_IF_FREE="bin error pq-crypto scram stuffer utils tests" +S2N_ERROR_IF_FREE="bin error scram stuffer utils tests" for dir in $S2N_ERROR_IF_FREE; do files=$(find "$dir" -type f -name "*.c" -path "*") for file in $files; do diff --git a/compliance/generate_report.sh b/compliance/generate_report.sh index d46176fed30..cac3c51299e 100755 --- a/compliance/generate_report.sh +++ b/compliance/generate_report.sh @@ -15,7 +15,6 @@ duvet \ --source-pattern '(*=,*#)bin/**/*.[ch]' \ --source-pattern '(*=,*#)crypto/**/*.[ch]' \ --source-pattern '(*=,*#)error/**/*.[ch]' \ - --source-pattern '(*=,*#)pq-crypto/**/*.[ch]' \ --source-pattern '(*=,*#)stuffer/**/*.[ch]' \ --source-pattern '(*=,*#)tests/**/*.[ch]' \ --source-pattern '(*=,*#)tls/**/*.[ch]' \ diff --git a/crypto/s2n_kyber_evp.c b/crypto/s2n_kyber_evp.c index db0a7467c70..44d11f33db4 100644 --- a/crypto/s2n_kyber_evp.c +++ b/crypto/s2n_kyber_evp.c @@ -16,8 +16,8 @@ #include #include -#include "error/s2n_errno.h" #include "crypto/s2n_pq.h" +#include "error/s2n_errno.h" #include "tls/s2n_kem.h" #include "utils/s2n_safety.h" #include "utils/s2n_safety_macros.h" @@ -90,7 +90,7 @@ int s2n_kyber_evp_decapsulate(IN const struct s2n_kem *kem, OUT uint8_t *shared_ return S2N_SUCCESS; } -#else /* If !S2N_LIBCRYPTO_SUPPORTS_KYBER, pq-crypto won't be compiled so define relevant stubs here. */ +#else /* If !S2N_LIBCRYPTO_SUPPORTS_KYBER, we won't have a Kyber impl so define relevant stubs here. */ int s2n_kyber_evp_generate_keypair(IN const struct s2n_kem *kem, OUT uint8_t *public_key, OUT uint8_t *secret_key) diff --git a/crypto/s2n_pq.c b/crypto/s2n_pq.c index b863e46cce9..7eac0f9dcf6 100644 --- a/crypto/s2n_pq.c +++ b/crypto/s2n_pq.c @@ -19,7 +19,7 @@ bool s2n_libcrypto_supports_kyber() { - /* S2N_LIBCRYPTO_SUPPORTS_KYBER will auto-detected and enabled if + /* S2N_LIBCRYPTO_SUPPORTS_KYBER will auto-detected and #defined if * ./tests/features/S2N_LIBCRYPTO_SUPPORTS_KYBER.c returns 1 */ #if defined(S2N_LIBCRYPTO_SUPPORTS_KYBER) return true; @@ -30,5 +30,5 @@ bool s2n_libcrypto_supports_kyber() bool s2n_pq_is_enabled() { - return s2n_libcrypto_supports_kyber(); + return s2n_libcrypto_supports_kyber(); } diff --git a/lib/Makefile b/lib/Makefile index e8c66ff5369..bea08e291b0 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -13,7 +13,7 @@ # permissions and limitations under the License. # -OBJS = $(wildcard ../utils/*.o ../stuffer/*.o ../tls/*.o ../tls/*/*.o ../iana/*.o ../crypto/*.o ../error/*.o ../pq-crypto/*.o ../pq-crypto/kyber_r3/*.o) +OBJS = $(wildcard ../utils/*.o ../stuffer/*.o ../tls/*.o ../tls/*/*.o ../iana/*.o ../crypto/*.o ../error/*.o) .PHONY : all all: libs2n.a libs2n.so libs2n.dylib diff --git a/tests/fuzz/allowed_coverage_failures.cfg b/tests/fuzz/allowed_coverage_failures.cfg new file mode 100644 index 00000000000..debaf49a2b4 --- /dev/null +++ b/tests/fuzz/allowed_coverage_failures.cfg @@ -0,0 +1,5 @@ +# If s2n is compiled with a libcrypto that doesn't support Kyber, then Kyber fuzzing branch coverage will be near zero +# since the fuzz test will immediately return an error that Kyber isn't supported. This isn't a fuzz test failure, so +# allow the Kyber fuzz tests to have zero branch coverage. +s2n_kyber_r3_recv_ciphertext_fuzz_test +s2n_kyber_r3_recv_public_key_fuzz_test \ No newline at end of file diff --git a/tests/fuzz/calcTotalCov.sh b/tests/fuzz/calcTotalCov.sh index 33ac4108042..f36255e9b47 100755 --- a/tests/fuzz/calcTotalCov.sh +++ b/tests/fuzz/calcTotalCov.sh @@ -28,7 +28,7 @@ if [[ -z "$S2N_ROOT" ]]; then S2N_ROOT=../.. fi -FUZZCOV_SOURCES="${S2N_ROOT}/api ${S2N_ROOT}/bin ${S2N_ROOT}/crypto ${S2N_ROOT}/error ${S2N_ROOT}/pq-crypto ${S2N_ROOT}/stuffer ${S2N_ROOT}/tls ${S2N_ROOT}/utils" +FUZZCOV_SOURCES="${S2N_ROOT}/api ${S2N_ROOT}/bin ${S2N_ROOT}/crypto ${S2N_ROOT}/error ${S2N_ROOT}/stuffer ${S2N_ROOT}/tls ${S2N_ROOT}/utils" # Outputs fuzz coverage results if the FUZZ_COVERAGE environment variable is set diff --git a/tests/fuzz/runFuzzTest.sh b/tests/fuzz/runFuzzTest.sh index f929f203a55..e6f11e12f0a 100755 --- a/tests/fuzz/runFuzzTest.sh +++ b/tests/fuzz/runFuzzTest.sh @@ -48,7 +48,7 @@ LIBFUZZER_ARGS+="-timeout=5 -max_len=4096 -print_final_stats=1 -jobs=${NUM_CPU_T TEST_SPECIFIC_OVERRIDES="${PWD}/LD_PRELOAD/${TEST_NAME}_overrides.so" GLOBAL_OVERRIDES="${PWD}/LD_PRELOAD/global_overrides.so" -FUZZCOV_SOURCES="${S2N_ROOT}/api ${S2N_ROOT}/bin ${S2N_ROOT}/crypto ${S2N_ROOT}/error ${S2N_ROOT}/pq-crypto ${S2N_ROOT}/stuffer ${S2N_ROOT}/tls ${S2N_ROOT}/utils" +FUZZCOV_SOURCES="${S2N_ROOT}/api ${S2N_ROOT}/bin ${S2N_ROOT}/crypto ${S2N_ROOT}/error ${S2N_ROOT}/stuffer ${S2N_ROOT}/tls ${S2N_ROOT}/utils" if [ -e $TEST_SPECIFIC_OVERRIDES ]; then @@ -197,7 +197,13 @@ then printf "\033[33;1mWARNING!\033[0m ${TEST_NAME} is only ${TESTS_PER_SEC} tests/sec, which is below ${MIN_TEST_PER_SEC}/sec! Fuzz tests are more effective at higher rates.\n\n" fi - if [ "$FEATURE_COVERAGE" -lt $MIN_FEATURES_COVERED ]; then + COVERAGE_FAILURE_ALLOWED=0 + if grep -Fxq ${TEST_NAME} ./allowed_coverage_failures.cfg + then + COVERAGE_FAILURE_ALLOWED=1 + fi + + if [ "$FEATURE_COVERAGE" -lt $MIN_FEATURES_COVERED && COVERAGE_FAILURE_ALLOWED -eq 0 ]; then printf "\033[31;1mERROR!\033[0m ${TEST_NAME} only covers ${FEATURE_COVERAGE} features, which is below ${MIN_FEATURES_COVERED}! This may be due to missing corpus files or a bug.\n" exit -1; fi diff --git a/tests/fuzz/s2n_hybrid_ecdhe_kyber_r3_fuzz_test.c b/tests/fuzz/s2n_hybrid_ecdhe_kyber_r3_fuzz_test.c index 2a866dbe2ac..9f8f4e8a00f 100644 --- a/tests/fuzz/s2n_hybrid_ecdhe_kyber_r3_fuzz_test.c +++ b/tests/fuzz/s2n_hybrid_ecdhe_kyber_r3_fuzz_test.c @@ -21,8 +21,8 @@ #include "crypto/s2n_drbg.h" #include "crypto/s2n_hash.h" #include "crypto/s2n_openssl.h" -#include "error/s2n_errno.h" #include "crypto/s2n_pq.h" +#include "error/s2n_errno.h" #include "stuffer/s2n_stuffer.h" #include "tests/s2n_test.h" #include "tests/testlib/s2n_testlib.h" diff --git a/tests/fuzz/s2n_kyber_r3_recv_ciphertext_fuzz_test.c b/tests/fuzz/s2n_kyber_r3_recv_ciphertext_fuzz_test.c index 04a2f9b8306..3e2189db571 100644 --- a/tests/fuzz/s2n_kyber_r3_recv_ciphertext_fuzz_test.c +++ b/tests/fuzz/s2n_kyber_r3_recv_ciphertext_fuzz_test.c @@ -50,4 +50,3 @@ static void s2n_fuzz_cleanup() } S2N_FUZZ_TARGET(s2n_fuzz_init, s2n_fuzz_test, s2n_fuzz_cleanup) - diff --git a/tests/fuzz/s2n_kyber_r3_recv_public_key_fuzz_test.c b/tests/fuzz/s2n_kyber_r3_recv_public_key_fuzz_test.c index 43578191438..5f1f3c5b1c0 100644 --- a/tests/fuzz/s2n_kyber_r3_recv_public_key_fuzz_test.c +++ b/tests/fuzz/s2n_kyber_r3_recv_public_key_fuzz_test.c @@ -37,6 +37,7 @@ int s2n_fuzz_test(const uint8_t *buf, size_t len) POSIX_GUARD(s2n_kem_recv_public_key_fuzz_test(buf, len, &kyber768_r3_draft5_params)); POSIX_GUARD(s2n_kem_recv_public_key_fuzz_test(buf, len, &kyber1024_r3_draft5_params)); } + return S2N_SUCCESS; } diff --git a/tests/integrationv2/common.py b/tests/integrationv2/common.py index bb3cf51c110..aff3c450c13 100644 --- a/tests/integrationv2/common.py +++ b/tests/integrationv2/common.py @@ -6,7 +6,7 @@ from constants import TEST_CERT_DIRECTORY -from global_flags import get_flag, S2N_NO_PQ, S2N_FIPS_MODE +from global_flags import get_flag, S2N_PROVIDER_VERSION def data_bytes(n_bytes): @@ -33,7 +33,7 @@ def pq_enabled(): """ Returns true or false to indicate whether PQ crypto is enabled in s2n """ - return not (get_flag(S2N_NO_PQ, False) or get_flag(S2N_FIPS_MODE, False)) + return "awslc" in get_flag(S2N_PROVIDER_VERSION) class AvailablePorts(object): diff --git a/tests/saw/Makefile b/tests/saw/Makefile index 07f965e881f..9633cbecd99 100644 --- a/tests/saw/Makefile +++ b/tests/saw/Makefile @@ -149,12 +149,6 @@ bitcode : CRYPTO_C = $(wildcard ../../crypto/*.c) $(wildcard ../../crypto/*.h) ../../crypto/Makefile CRYPTO_COPY = $(addprefix s2n/crypto/, $(notdir $(CRYPTO_C))) -PQ_CRYPTO_C = $(wildcard ../../pq-crypto/*.c) $(wildcard ../../pq-crypto/*.h) ../../pq-crypto/s2n_pq_asm.mk ../../pq-crypto/Makefile -PQ_CRYPTO_COPY = $(addprefix s2n/pq-crypto/, $(notdir $(PQ_CRYPTO_C))) - -KYBER_R3_C = $(wildcard ../../pq-crypto/kyber_r3/*.c) $(wildcard ../../pq-crypto/kyber_r3/*.h) ../../pq-crypto/kyber_r3/Makefile -KYBER_R3_COPY = $(addprefix s2n/pq-crypto/kyber_r3/, $(notdir $(KYBER_R3_C))) - UTILS_C = $(wildcard ../../utils/*.c) $(wildcard ../../utils/*.h) ../../utils/Makefile UTILS_COPY =$(addprefix s2n/utils/, $(notdir $(UTILS_C))) @@ -182,12 +176,6 @@ s2n/api : s2n/crypto : mkdir -p $@ -s2n/pq-crypto : - mkdir -p $@ - -s2n/pq-crypto/kyber_r3 : - mkdir -p $@ - s2n/utils : mkdir -p $@ @@ -205,12 +193,12 @@ export BITCODE_DIR := $(CURDIR)/bitcode/ tmp: mkdir -p tmp -bitcode/all_llvm.bc : s2n/crypto s2n/pq-crypto s2n/utils s2n/tls s2n/api s2n/error s2n/stuffer s2n/Makefile s2n/s2n.mk $(CRYPTO_COPY) $(PQ_CRYPTO_COPY) $(UTILS_COPY) $(TLS_COPY) $(API_COPY) $(ERROR_COPY) $(STUFFER_COPY) +bitcode/all_llvm.bc : s2n/crypto s2n/utils s2n/tls s2n/api s2n/error s2n/stuffer s2n/Makefile s2n/s2n.mk $(CRYPTO_COPY) $(PQ_CRYPTO_COPY) $(UTILS_COPY) $(TLS_COPY) $(API_COPY) $(ERROR_COPY) $(STUFFER_COPY) ${MAKE} -C s2n bc ${MAKE} -C bitcode all_llvm.bc -s2n/lib/libs2n.so : s2n/crypto s2n/pq-crypto s2n/pq-crypto/kyber_r3 s2n/utils s2n/tls s2n/api s2n/error s2n/stuffer s2n/lib s2n/Makefile s2n/s2n.mk $(CRYPTO_COPY) $(PQ_CRYPTO_COPY) $(KYBER_R3_COPY) $(UTILS_COPY) $(TLS_COPY) $(API_COPY) $(ERROR_COPY) $(STUFFER_COPY) $(LIB_COPY) +s2n/lib/libs2n.so : s2n/crypto s2n/utils s2n/tls s2n/api s2n/error s2n/stuffer s2n/lib s2n/Makefile s2n/s2n.mk $(CRYPTO_COPY) $(UTILS_COPY) $(TLS_COPY) $(API_COPY) $(ERROR_COPY) $(STUFFER_COPY) $(LIB_COPY) ${MAKE} -C s2n libs NO_STACK_PROTECTOR=1 NO_INLINE=1 s2n/%.h : ../../%.h @@ -230,6 +218,3 @@ s2n/Makefile : ../../Makefile s2n/s2n.mk : ../../s2n.mk cp $< $@ - -s2n/pq-crypto/s2n_pq_asm.mk : ../../pq-crypto/s2n_pq_asm.mk - cp $< $@ diff --git a/tests/unit/s2n_config_test.c b/tests/unit/s2n_config_test.c index 10c1a849dfa..423b0c94719 100644 --- a/tests/unit/s2n_config_test.c +++ b/tests/unit/s2n_config_test.c @@ -19,7 +19,7 @@ #include "api/s2n.h" #include "crypto/s2n_fips.h" -#include "pq-crypto/s2n_pq.h" +#include "crypto/s2n_pq.h" #include "s2n_test.h" #include "testlib/s2n_testlib.h" #include "tls/extensions/s2n_client_supported_groups.h" diff --git a/tests/unit/s2n_security_policies_test.c b/tests/unit/s2n_security_policies_test.c index 48e37303474..7ef0abb827f 100644 --- a/tests/unit/s2n_security_policies_test.c +++ b/tests/unit/s2n_security_policies_test.c @@ -15,9 +15,9 @@ #include "tls/s2n_security_policies.h" +#include "crypto/s2n_pq.h" #include "crypto/s2n_rsa_pss.h" #include "crypto/s2n_rsa_signing.h" -#include "crypto/s2n_pq.h" #include "s2n_test.h" #include "testlib/s2n_testlib.h" #include "tls/s2n_kem.h" diff --git a/tests/unit/s2n_tls13_pq_handshake_test.c b/tests/unit/s2n_tls13_pq_handshake_test.c index b76a20a0fe5..74f26f0c288 100644 --- a/tests/unit/s2n_tls13_pq_handshake_test.c +++ b/tests/unit/s2n_tls13_pq_handshake_test.c @@ -14,8 +14,8 @@ */ #include "api/s2n.h" -#include "crypto/s2n_rsa_signing.h" #include "crypto/s2n_pq.h" +#include "crypto/s2n_rsa_signing.h" #include "s2n_test.h" #include "testlib/s2n_testlib.h" #include "tls/s2n_ecc_preferences.h" diff --git a/tls/extensions/s2n_client_key_share.c b/tls/extensions/s2n_client_key_share.c index 7e770c4b734..a1f3a3b4e52 100644 --- a/tls/extensions/s2n_client_key_share.c +++ b/tls/extensions/s2n_client_key_share.c @@ -15,8 +15,8 @@ #include "tls/extensions/s2n_client_key_share.h" -#include "error/s2n_errno.h" #include "crypto/s2n_pq.h" +#include "error/s2n_errno.h" #include "stuffer/s2n_stuffer.h" #include "tls/extensions/s2n_key_share.h" #include "tls/s2n_kem_preferences.h" diff --git a/tls/s2n_cipher_suites.c b/tls/s2n_cipher_suites.c index 4fea6ea3cdb..53dc455d1ea 100644 --- a/tls/s2n_cipher_suites.c +++ b/tls/s2n_cipher_suites.c @@ -18,8 +18,8 @@ #include "crypto/s2n_cipher.h" #include "crypto/s2n_openssl.h" -#include "error/s2n_errno.h" #include "crypto/s2n_pq.h" +#include "error/s2n_errno.h" #include "tls/s2n_auth_selection.h" #include "tls/s2n_kex.h" #include "tls/s2n_psk.h" diff --git a/tls/s2n_config.c b/tls/s2n_config.c index b5e2c27b2cc..45bb6790995 100644 --- a/tls/s2n_config.c +++ b/tls/s2n_config.c @@ -20,8 +20,8 @@ #include "crypto/s2n_certificate.h" #include "crypto/s2n_fips.h" #include "crypto/s2n_hkdf.h" +#include "crypto/s2n_pq.h" #include "error/s2n_errno.h" -#include "pq-crypto/s2n_pq.h" #include "tls/s2n_cipher_preferences.h" #include "tls/s2n_internal.h" #include "tls/s2n_ktls.h" diff --git a/tls/s2n_server_hello_retry.c b/tls/s2n_server_hello_retry.c index a0610e81801..dac22e159e4 100644 --- a/tls/s2n_server_hello_retry.c +++ b/tls/s2n_server_hello_retry.c @@ -14,8 +14,8 @@ */ #include -#include "error/s2n_errno.h" #include "crypto/s2n_pq.h" +#include "error/s2n_errno.h" #include "tls/s2n_cipher_suites.h" #include "tls/s2n_server_extensions.h" #include "tls/s2n_tls.h"