aws · toidiu · Sep 18, 2024 · Sep 18, 2024 · Sep 18, 2024 · Sep 20, 2024
diff --git a/implicit_default_detection/Cargo.toml b/implicit_default_detection/Cargo.toml
@@ -0,0 +1,7 @@
+[package]
+name = "implicit_default_detection"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+regex = "1.10.6"
diff --git a/implicit_default_detection/src/main.rs b/implicit_default_detection/src/main.rs
@@ -0,0 +1,167 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+use regex::Regex;
+use std::ffi::OsStr;
+use std::fs;
+use std::fs::read_to_string;
+use std::fs::File;
+use std::io::Write;
+use std::path::PathBuf;
+use std::process::Command;
+
+fn main() {
+    // for all unit tests
+    for test_file in fs::read_dir("../tests/unit").unwrap() {
+        let test_file = test_file.as_ref().unwrap();
+        let test_file_path = test_file.path();
+
+        let is_file = test_file.file_type().unwrap().is_file();
+        // filter on .c files. eg. exclude "valgrind.suppressions"
+        let is_c_file = test_file_path.extension().unwrap_or(OsStr::new("not_c")) == "c";
+        if is_file && is_c_file {
+            let lines = read_file_to_vec(&test_file_path);
+            process_test_file(test_file_path, lines);
+        }
+    }
+}
+
+// Generates the desired temp file as we parse the actual test file. Then replaces the test file
+// with the auto-generated temp file.
+fn process_test_file(test_file_path: PathBuf, lines: Vec<String>) {
+    let test_file_name = test_file_path.file_name().unwrap().to_str().unwrap();
+
+    // create temp file
+    let tmp_filename = format!("tmp_{}", test_file_name);
+    let mut tmp_file = File::create(tmp_filename.clone()).unwrap();
+
+    let mut line_idx = 0;
+    while line_idx < lines.len() {
+        let line = &lines[line_idx];
+
+        // WRITE: the current line
+        writeln!(tmp_file, "{}", line).unwrap();
+
+        if match_config_new(line) {
+            // if config creation is across two lines, then write both lines before inserting the
+            // auto-gen code
+            if config_creation_spans_two_lines(&lines, line_idx) {
+                let nxt_line = &lines[line_idx + 1];
+                // WRITE: config creating spans two lines so write it
+                writeln!(tmp_file, "{}", nxt_line).unwrap();
+
+                // increment line_idx since we already wrote the second line
+                line_idx += 1;
+            }
+
+            // insert auto gen. replacing the actual `config_name` used in test code
+            let config_name = get_config_name(line);
+            let auto_gen = format!(
+                        "EXPECT_SUCCESS(s2n_config_set_cipher_preferences({}, s2n_auto_gen_old_default_security_policy()));",
+                        config_name
+                    );
+            // WRITE: auto-gen
+            writeln!(tmp_file, "{}", auto_gen).unwrap();
+        }
+
+        // increment to next line
+        line_idx += 1;
+    }
+
+    println!("Amended file: {:?}", test_file_path);
+    fs::rename(tmp_filename, test_file_path.clone()).unwrap();
+    Command::new("clang-format")
+        .arg("-i")
+        .arg(test_file_path)
+        .status()
+        .unwrap();
+}
+
+// agressively match all instance of "s2n_config_new()" to avoid missing
+// any instances
+fn match_config_new(line: &str) -> bool {
+    line.contains("s2n_config_new()")
+}
+
+// Extract the config name used in tests.
+//
+// These are all the occurances of s2n_config_new() which must be handled:
+//
+// ```
+// DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(),
+// struct s2n_config *config = s2n_config_new();
+// DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
+// EXPECT_NOT_NULL(config = s2n_config_new());
+// POSIX_GUARD_PTR(server_config = s2n_config_new());
+// POSIX_ENSURE_REF(client_config = s2n_config_new());
+// ```
+fn get_config_name(line: &str) -> String {
+    let config_name = line.trim();
+
+    // remove the end
+    //
+    // pattern: " = s2n_config_new());"
+    // pattern: " = s2n_config_new(), s2n_config_ptr_free);"
+    let re = Regex::new(r" = .*").unwrap();
+    let config_name: String = re.replace(config_name, "").into_owned();
+
+    // attempt to remove if pattern matches
+    //
+    // DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(),
+    // struct s2n_config *config = s2n_config_new();
+    // DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
+    let re = Regex::new(r".*struct s2n_config \*").unwrap();
+    let config_name: String = re.replace(&config_name, "").into_owned();
+
+    // attempt to remove if pattern matches
+    //
+    // EXPECT_NOT_NULL(config = s2n_config_new());
+    let config_name = config_name.replace("EXPECT_NOT_NULL(", "");
+
+    // attempt to remove if pattern matches
+    //
+    // POSIX_GUARD_PTR(server_config = s2n_config_new());
+    let config_name = config_name.replace("POSIX_GUARD_PTR(", "");
+
+    // attempt to remove if pattern matches
+    //
+    // POSIX_ENSURE_REF(client_config = s2n_config_new());
+    config_name.replace("POSIX_ENSURE_REF(", "")
+}
+
+// Detect if config creating spans two lines by checking if `s2n_config_ptr_free`
+//
+// Attempt to match the following pattern.
+// ```
+// DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(),
+//         s2n_config_ptr_free);
+// ```
+//
+// Use `starts_with` to avoid a false positive if two configs are declared one after another.
+//
+// ```
+// DEFER_CLEANUP(struct s2n_config *config1 = s2n_config_new(), s2n_config_ptr_free);
+// DEFER_CLEANUP(struct s2n_config *config2 = s2n_config_new(), s2n_config_ptr_free);
+// ```
+fn config_creation_spans_two_lines(lines: &[String], idx: usize) -> bool {
+    if let Some(next_line) = lines.get(idx + 1) {
+        // pattern: "        s2n_config_ptr_free);"
+        if next_line
+            // pattern: "s2n_config_ptr_free);"
+            .trim()
+            .starts_with("s2n_config_ptr_free);")
+        {
+            return true;
+        }
+    }
+
+    false
+}
+
+fn read_file_to_vec(path: &PathBuf) -> Vec<String> {
+    let mut result = Vec::new();
+    for line in read_to_string(path).unwrap().lines() {
+        result.push(line.to_string());
+    }
+    result
+}
diff --git a/tests/s2n_test.h b/tests/s2n_test.h
@@ -29,6 +29,7 @@
 #include "tls/s2n_tls13.h"
 
 int test_count;
+const char *s2n_auto_gen_old_default_security_policy();
 
 bool s2n_use_color_in_output = true;
 

diff --git a/tests/testlib/s2n_security_policy_testlib.c b/tests/testlib/s2n_security_policy_testlib.c
@@ -13,12 +13,13 @@
  * permissions and limitations under the License.
  */
 
+#include "crypto/s2n_fips.h"
 #include "s2n_testlib.h"
 #include "utils/s2n_safety.h"
 
 extern const struct s2n_ecc_named_curve s2n_unsupported_curve;
 
-const struct s2n_ecc_named_curve *const ecc_pref_list_for_retry[] = {
+const struct s2n_ecc_named_curve* const ecc_pref_list_for_retry[] = {
     &s2n_unsupported_curve,
 #if EVP_APIS_SUPPORTED
     &s2n_ecc_curve_x25519,
@@ -40,3 +41,23 @@ const struct s2n_security_policy security_policy_test_tls13_retry = {
     .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
     .ecc_preferences = &ecc_preferences_for_retry,
 };
+
+/* https://github.com/aws/s2n-tls/issues/4765
+ *
+ * These represent the old 'pinned' versions of the "default", "default_fips",
+ * and "default_tls13" policies.
+ *
+ * Motivated when TLS 1.3 support was added to "default" and "default_fips";
+ * this is used to pin old tests to the equivalent numbered policy and avoid
+ * changes in testing behavior.
+ */
+const char* s2n_auto_gen_old_default_security_policy()
+{
+    if (s2n_use_default_tls13_config()) {
+        return "20240503";
+    } else if (s2n_is_in_fips_mode()) {
+        return "20240502";
+    } else {
+        return "20240501";
+    }
+}
diff --git a/tests/unit/s2n_alerts_protocol_test.c b/tests/unit/s2n_alerts_protocol_test.c
@@ -102,12 +102,14 @@ int main(int argc, char **argv)
 
     DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(),
             s2n_config_ptr_free);
+    EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, s2n_auto_gen_old_default_security_policy()));
     EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
     EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default_tls13"));
     EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
 
     DEFER_CLEANUP(struct s2n_config *ecdsa_config = s2n_config_new(),
             s2n_config_ptr_free);
+    EXPECT_SUCCESS(s2n_config_set_cipher_preferences(ecdsa_config, s2n_auto_gen_old_default_security_policy()));
     EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(ecdsa_config));
     EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(ecdsa_config, ecdsa_chain_and_key));
 
@@ -206,10 +208,12 @@ int main(int argc, char **argv)
 
         DEFER_CLEANUP(struct s2n_config *bad_cb_config = s2n_config_new(),
                 s2n_config_ptr_free);
+        EXPECT_SUCCESS(s2n_config_set_cipher_preferences(bad_cb_config, s2n_auto_gen_old_default_security_policy()));
         EXPECT_SUCCESS(s2n_config_set_client_hello_cb(bad_cb_config, s2n_test_ch_cb, NULL));
 
         DEFER_CLEANUP(struct s2n_config *untrusted_config = s2n_config_new(),
                 s2n_config_ptr_free);
+        EXPECT_SUCCESS(s2n_config_set_cipher_preferences(untrusted_config, s2n_auto_gen_old_default_security_policy()));
 
         for (size_t i = 0; i < s2n_array_len(test_errors); i++) {
             DEFER_CLEANUP(struct s2n_connection *server = s2n_connection_new(S2N_SERVER),

diff --git a/tests/unit/s2n_alerts_test.c b/tests/unit/s2n_alerts_test.c
@@ -147,6 +147,7 @@ int main(int argc, char **argv)
         if (s2n_is_tls13_fully_supported()) {
             struct s2n_config *config = NULL;
             EXPECT_NOT_NULL(config = s2n_config_new());
+            EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, s2n_auto_gen_old_default_security_policy()));
 
             struct s2n_connection *conn = NULL;
             EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
@@ -214,6 +215,7 @@ int main(int argc, char **argv)
             {
                 struct s2n_config *config = NULL;
                 EXPECT_NOT_NULL(config = s2n_config_new());
+                EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, s2n_auto_gen_old_default_security_policy()));
                 EXPECT_SUCCESS(s2n_config_set_alert_behavior(config, S2N_ALERT_IGNORE_WARNINGS));
 
                 struct s2n_connection *conn = NULL;
@@ -234,6 +236,7 @@ int main(int argc, char **argv)
             {
                 struct s2n_config *config = NULL;
                 EXPECT_NOT_NULL(config = s2n_config_new());
+                EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, s2n_auto_gen_old_default_security_policy()));
                 EXPECT_SUCCESS(s2n_config_set_alert_behavior(config, S2N_ALERT_IGNORE_WARNINGS));
 
                 struct s2n_connection *conn = NULL;
@@ -254,6 +257,7 @@ int main(int argc, char **argv)
             {
                 struct s2n_config *config = NULL;
                 EXPECT_NOT_NULL(config = s2n_config_new());
+                EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, s2n_auto_gen_old_default_security_policy()));
 
                 struct s2n_connection *conn = NULL;
                 EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));

diff --git a/tests/unit/s2n_async_pkey_test.c b/tests/unit/s2n_async_pkey_test.c
@@ -405,12 +405,14 @@ int main(int argc, char **argv)
         {
             struct s2n_config *server_config = NULL, *client_config = NULL;
             EXPECT_NOT_NULL(server_config = s2n_config_new());
+            EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, s2n_auto_gen_old_default_security_policy()));
             EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
             EXPECT_SUCCESS(s2n_config_add_dhparams(server_config, dhparams_pem));
             EXPECT_SUCCESS(s2n_config_set_async_pkey_callback(server_config, async_pkey_apply_in_callback));
             server_config->security_policy = &server_security_policy;
 
             EXPECT_NOT_NULL(client_config = s2n_config_new());
+            EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, s2n_auto_gen_old_default_security_policy()));
             EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(client_config));
             /* Security policy must support all cipher suites in test_cipher_suites above */
             EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "test_all"));
@@ -446,12 +448,14 @@ int main(int argc, char **argv)
         {
             struct s2n_config *server_config = NULL, *client_config = NULL;
             EXPECT_NOT_NULL(server_config = s2n_config_new());
+            EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, s2n_auto_gen_old_default_security_policy()));
             EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
             EXPECT_SUCCESS(s2n_config_add_dhparams(server_config, dhparams_pem));
             EXPECT_SUCCESS(s2n_config_set_async_pkey_callback(server_config, async_pkey_store_callback));
             server_config->security_policy = &server_security_policy;
 
             EXPECT_NOT_NULL(client_config = s2n_config_new());
+            EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, s2n_auto_gen_old_default_security_policy()));
             EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(client_config));
             /* Security policy must support all cipher suites in test_cipher_suites above */
             EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "test_all"));
@@ -487,12 +491,14 @@ int main(int argc, char **argv)
         {
             struct s2n_config *server_config = NULL, *client_config = NULL;
             EXPECT_NOT_NULL(server_config = s2n_config_new());
+            EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, s2n_auto_gen_old_default_security_policy()));
             EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
             EXPECT_SUCCESS(s2n_config_add_dhparams(server_config, dhparams_pem));
             EXPECT_SUCCESS(s2n_config_set_async_pkey_callback(server_config, async_pkey_store_callback));
             server_config->security_policy = &server_security_policy;
 
             EXPECT_NOT_NULL(client_config = s2n_config_new());
+            EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, s2n_auto_gen_old_default_security_policy()));
             EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(client_config));
             /* Security policy must support all cipher suites in test_cipher_suites above */
             EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "test_all"));
@@ -529,6 +535,7 @@ int main(int argc, char **argv)
         {
             struct s2n_config *server_config = NULL, *client_config = NULL;
             EXPECT_NOT_NULL(server_config = s2n_config_new());
+            EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, s2n_auto_gen_old_default_security_policy()));
             EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
             EXPECT_SUCCESS(s2n_config_add_dhparams(server_config, dhparams_pem));
             EXPECT_SUCCESS(s2n_config_set_async_pkey_callback(server_config, async_pkey_store_callback));
@@ -537,6 +544,7 @@ int main(int argc, char **argv)
             EXPECT_SUCCESS(s2n_config_set_async_pkey_validation_mode(server_config, S2N_ASYNC_PKEY_VALIDATION_STRICT));
 
             EXPECT_NOT_NULL(client_config = s2n_config_new());
+            EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, s2n_auto_gen_old_default_security_policy()));
             EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(client_config));
             /* Security policy must support all cipher suites in test_cipher_suites above */
             EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "test_all"));
@@ -571,13 +579,15 @@ int main(int argc, char **argv)
         /* Test: Apply invalid signature, when signature validation is enabled for all sync / async signatures */
         {
             DEFER_CLEANUP(struct s2n_config *server_config = s2n_config_new(), s2n_config_ptr_free);
+            EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, s2n_auto_gen_old_default_security_policy()));
             EXPECT_NOT_NULL(server_config);
             EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
             EXPECT_SUCCESS(s2n_config_add_dhparams(server_config, dhparams_pem));
             EXPECT_SUCCESS(s2n_config_set_async_pkey_callback(server_config, async_pkey_store_callback));
             server_config->security_policy = &server_security_policy;
 
             DEFER_CLEANUP(struct s2n_config *client_config = s2n_config_new(), s2n_config_ptr_free);
+            EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, s2n_auto_gen_old_default_security_policy()));
             EXPECT_NOT_NULL(client_config);
             EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(client_config));
             /* Security policy must support all cipher suites in test_cipher_suites above */
@@ -679,6 +689,7 @@ int main(int argc, char **argv)
     /* Test: Apply invalid signature to sync operation */
     {
         DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
+        EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, s2n_auto_gen_old_default_security_policy()));
         EXPECT_NOT_NULL(config);
         EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
         EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default_tls13"));