Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Revert "test: disallow explict use of "default" policy in tests (#4750)" #4812

Merged
merged 1 commit into from
Oct 1, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 3 additions & 5 deletions bindings/rust/s2n-tls-tokio/tests/common/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ use s2n_tls::{
config,
connection::Builder,
error::Error,
security::{Policy, DEFAULT_TLS13},
security::{DEFAULT, DEFAULT_TLS13},
};
use s2n_tls_tokio::{TlsAcceptor, TlsConnector, TlsStream};
use std::time::Duration;
Expand Down Expand Up @@ -67,16 +67,14 @@ pub fn server_config() -> Result<config::Builder, Error> {

pub fn client_config_tls12() -> Result<config::Builder, Error> {
let mut builder = config::Config::builder();
let policy = Policy::from_version("20240501").unwrap();
builder.set_security_policy(&policy)?;
builder.set_security_policy(&DEFAULT)?;
builder.trust_pem(RSA_CERT_PEM)?;
Ok(builder)
}

pub fn server_config_tls12() -> Result<config::Builder, Error> {
let mut builder = config::Config::builder();
let policy = Policy::from_version("20240501").unwrap();
builder.set_security_policy(&policy)?;
builder.set_security_policy(&DEFAULT)?;
builder.load_pem(RSA_CERT_PEM, RSA_KEY_PEM)?;
Ok(builder)
}
Expand Down
38 changes: 0 additions & 38 deletions codebuild/bin/grep_simple_mistakes.sh
Original file line number Diff line number Diff line change
Expand Up @@ -244,44 +244,6 @@ if [[ -n $S2N_ENSURE_WITH_INVALID_ERROR_CODE ]]; then
printf "$S2N_ENSURE_WITH_INVALID_ERROR_CODE\n\n"
fi

#############################################
# Assert tests don't specify the "default" security policy.
#
# Since the "default" policies are subject to change, tests should instead specify
# an immutable numbered policy to avoid unwanted testing behavior.
#############################################
S2N_DEFAULT_SECURITY_POLICY_USAGE=$(find "$PWD" -type f -name "s2n*.c" -path "*/tests/*" \
-not -path "*/bindings/*")
declare -A KNOWN_DEFAULT_USAGE
KNOWN_DEFAULT_USAGE["$PWD/tests/unit/s2n_security_policies_test.c"]=5
KNOWN_DEFAULT_USAGE["$PWD/tests/unit/s2n_client_hello_test.c"]=2
KNOWN_DEFAULT_USAGE["$PWD/tests/unit/s2n_connection_preferences_test.c"]=1
KNOWN_DEFAULT_USAGE["$PWD/tests/unit/s2n_config_test.c"]=1
# "default" string not used for specifying security policy
#
# The regex matching results in false positives but is intentionally "loose" to
# try and catch non-obvious [1] usage of "default". This is acceptable since
# there are only a few false positives at the moment.
#
# [1] https://github.com/aws/s2n-tls/blob/341a69ed6fc4fa8f51c09b9cc477223cec4d8e60/tests/unit/s2n_client_hello_test.c#L580
KNOWN_DEFAULT_USAGE["$PWD/tests/unit/s2n_build_test.c"]=1
KNOWN_DEFAULT_USAGE["$PWD/tests/unit/s2n_client_key_share_extension_test.c"]=2

for file in $S2N_DEFAULT_SECURITY_POLICY_USAGE; do
RESULT_NUM_LINES=`grep -n '"default"' $file | wc -l`

# set default KNOWN_DEFAULT_USAGE value
[ -z "${KNOWN_DEFAULT_USAGE["$file"]}" ] && KNOWN_DEFAULT_USAGE["$file"]="0"

# check if "default" usage is 0 or a known value
if [ "${RESULT_NUM_LINES}" != "${KNOWN_DEFAULT_USAGE["$file"]}" ]; then
FAILED=1
KNOWN_USAGE=${KNOWN_DEFAULT_USAGE[$file]}
printf "\e[1;34mExpected: ${KNOWN_USAGE} Found: ${RESULT_NUM_LINES} usage of \"default\" in $file\n"
printf "\e[1;34mTests should specify a numbered security policy unless specifically testing the \"default\" policy.\n\n"
fi
done

#############################################
# REPORT FINAL RESULTS
#############################################
Expand Down
4 changes: 2 additions & 2 deletions tests/unit/s2n_alerts_protocol_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -479,13 +479,13 @@ int main(int argc, char **argv)
s2n_connection_ptr_free);
EXPECT_SUCCESS(s2n_connection_set_blinding(server, S2N_SELF_SERVICE_BLINDING));
EXPECT_SUCCESS(s2n_connection_set_config(server, config));
EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(server, "20240501"));
EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(server, "default"));

DEFER_CLEANUP(struct s2n_connection *client = s2n_connection_new(S2N_CLIENT),
s2n_connection_ptr_free);
EXPECT_SUCCESS(s2n_connection_set_blinding(client, S2N_SELF_SERVICE_BLINDING));
EXPECT_SUCCESS(s2n_connection_set_config(client, config));
EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(client, "20240501"));
EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(client, "default"));

DEFER_CLEANUP(struct s2n_test_io_stuffer_pair io_pair = { 0 }, s2n_io_stuffer_pair_free);
EXPECT_OK(s2n_io_stuffer_pair_init(&io_pair));
Expand Down
10 changes: 5 additions & 5 deletions tests/unit/s2n_cert_validation_callback_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -214,7 +214,7 @@ int main(int argc, char *argv[])

DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
EXPECT_NOT_NULL(config);
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));

struct s2n_cert_validation_data data = test_cases[i].data;
EXPECT_SUCCESS(s2n_config_set_cert_validation_cb(config, s2n_test_cert_validation_callback, &data));
Expand Down Expand Up @@ -262,7 +262,7 @@ int main(int argc, char *argv[])

DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
EXPECT_NOT_NULL(config);
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));

struct s2n_cert_validation_data data = test_cases[i].data;
EXPECT_SUCCESS(s2n_config_set_cert_validation_cb(config, s2n_test_cert_validation_callback, &data));
Expand Down Expand Up @@ -300,7 +300,7 @@ int main(int argc, char *argv[])
EXPECT_NOT_NULL(config);
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(config, S2N_DEFAULT_TEST_CERT_CHAIN, NULL));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));

struct s2n_cert_validation_data data = test_cases[i].data;
EXPECT_SUCCESS(s2n_config_set_cert_validation_cb(config, s2n_test_cert_validation_callback_self_talk, &data));
Expand Down Expand Up @@ -337,7 +337,7 @@ int main(int argc, char *argv[])
EXPECT_NOT_NULL(server_config);
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(server_config, S2N_DEFAULT_TEST_CERT_CHAIN, NULL));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "default"));
EXPECT_SUCCESS(s2n_config_set_client_auth_type(server_config, S2N_CERT_AUTH_REQUIRED));

struct s2n_cert_validation_data data = test_cases[i].data;
Expand All @@ -353,7 +353,7 @@ int main(int argc, char *argv[])
EXPECT_NOT_NULL(client_config);
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(client_config, chain_and_key));
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(client_config, S2N_DEFAULT_TEST_CERT_CHAIN, NULL));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "default"));
EXPECT_SUCCESS(s2n_config_set_client_auth_type(client_config, S2N_CERT_AUTH_OPTIONAL));

DEFER_CLEANUP(struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
Expand Down
6 changes: 3 additions & 3 deletions tests/unit/s2n_client_hello_request_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -76,13 +76,13 @@ int main(int argc, char **argv)

DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
EXPECT_NOT_NULL(config);
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));

DEFER_CLEANUP(struct s2n_config *config_with_reneg_cb = s2n_config_new(), s2n_config_ptr_free);
EXPECT_NOT_NULL(config_with_reneg_cb);
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config_with_reneg_cb, "20240501"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config_with_reneg_cb, "default"));
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config_with_reneg_cb));
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config_with_reneg_cb, chain_and_key));
EXPECT_SUCCESS(s2n_config_set_renegotiate_request_cb(config_with_reneg_cb, s2n_test_reneg_req_cb, NULL));
Expand Down Expand Up @@ -167,7 +167,7 @@ int main(int argc, char **argv)
{
DEFER_CLEANUP(struct s2n_config *config_with_warns = s2n_config_new(), s2n_config_ptr_free);
EXPECT_NOT_NULL(config_with_warns);
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config_with_warns, "20240501"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config_with_warns, "default"));
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config_with_warns));
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config_with_warns, chain_and_key));
EXPECT_SUCCESS(s2n_config_set_alert_behavior(config_with_warns, S2N_ALERT_IGNORE_WARNINGS));
Expand Down
2 changes: 1 addition & 1 deletion tests/unit/s2n_client_hello_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -759,7 +759,7 @@ int main(int argc, char **argv)
struct s2n_connection *conn = NULL;
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(conn, "20240501"));
EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(conn, "default"));

const struct s2n_security_policy *security_policy = NULL;
POSIX_GUARD(s2n_connection_get_security_policy(conn, &security_policy));
Expand Down
14 changes: 7 additions & 7 deletions tests/unit/s2n_config_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -891,7 +891,7 @@ int main(int argc, char **argv)
{
DEFER_CLEANUP(struct s2n_config *server_config = s2n_config_new_minimal(), s2n_config_ptr_free);
EXPECT_NOT_NULL(server_config);
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "default"));
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));

DEFER_CLEANUP(struct s2n_connection *server_conn = s2n_connection_new(S2N_SERVER),
Expand All @@ -901,7 +901,7 @@ int main(int argc, char **argv)

DEFER_CLEANUP(struct s2n_config *client_config = s2n_config_new_minimal(), s2n_config_ptr_free);
EXPECT_NOT_NULL(client_config);
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "default"));
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(client_config, S2N_DEFAULT_TEST_CERT_CHAIN, NULL));

DEFER_CLEANUP(struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT),
Expand All @@ -927,7 +927,7 @@ int main(int argc, char **argv)
{
DEFER_CLEANUP(struct s2n_config *server_config = s2n_config_new_minimal(), s2n_config_ptr_free);
EXPECT_NOT_NULL(server_config);
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "default"));
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));

DEFER_CLEANUP(struct s2n_connection *server_conn = s2n_connection_new(S2N_SERVER),
Expand All @@ -936,7 +936,7 @@ int main(int argc, char **argv)
EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));

DEFER_CLEANUP(struct s2n_config *client_config = s2n_config_new_minimal(), s2n_config_ptr_free);
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "default"));
EXPECT_NOT_NULL(client_config);

DEFER_CLEANUP(struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT),
Expand Down Expand Up @@ -1092,7 +1092,7 @@ int main(int argc, char **argv)
struct s2n_security_policy rfc9151_applied_locally = security_policy_rfc9151;
rfc9151_applied_locally.certificate_preferences_apply_locally = true;

/* rfc9151 doesn't allow SHA256 signatures, but does allow SHA384 signatures,
/* rfc9151 doesn't allow SHA256 signatures, but does allow SHA384 signatures,
* so ecdsa_p384_sha256 is invalid and ecdsa_p384_sha384 is valid */

/* valid certs are accepted */
Expand All @@ -1119,8 +1119,8 @@ int main(int argc, char **argv)

/* certs in default_certs_by_type are validated */
{
/* s2n_config_set_cert_chain_and_key_defaults populates default_certs_by_type
* but doesn't populate domain_name_to_cert_map
/* s2n_config_set_cert_chain_and_key_defaults populates default_certs_by_type
* but doesn't populate domain_name_to_cert_map
*/
DEFER_CLEANUP(struct s2n_config *config = s2n_config_new_minimal(), s2n_config_ptr_free);
EXPECT_SUCCESS(s2n_config_set_cert_chain_and_key_defaults(config, &invalid_cert, 1));
Expand Down
12 changes: 6 additions & 6 deletions tests/unit/s2n_crl_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -668,7 +668,7 @@ int main(int argc, char *argv[])
EXPECT_NOT_NULL(config);
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(config, S2N_CRL_ROOT_CERT, NULL));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));

struct crl_lookup_data data = { 0 };
data.crls[0] = intermediate_crl;
Expand Down Expand Up @@ -704,7 +704,7 @@ int main(int argc, char *argv[])
EXPECT_NOT_NULL(config);
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(config, S2N_CRL_ROOT_CERT, NULL));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));

struct crl_lookup_data data = { 0 };
data.crls[0] = intermediate_crl;
Expand Down Expand Up @@ -743,7 +743,7 @@ int main(int argc, char *argv[])
EXPECT_NOT_NULL(server_config);
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, server_chain_and_key));
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(server_config, S2N_CRL_ROOT_CERT, NULL));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "default"));
EXPECT_SUCCESS(s2n_config_set_client_auth_type(server_config, S2N_CERT_AUTH_REQUIRED));

DEFER_CLEANUP(struct s2n_cert_chain_and_key *client_chain_and_key = NULL, s2n_cert_chain_and_key_ptr_free);
Expand All @@ -754,7 +754,7 @@ int main(int argc, char *argv[])
EXPECT_NOT_NULL(client_config);
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(client_config, client_chain_and_key));
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(client_config, S2N_DEFAULT_TEST_CERT_CHAIN, NULL));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "default"));
EXPECT_SUCCESS(s2n_config_set_client_auth_type(client_config, S2N_CERT_AUTH_REQUIRED));

struct crl_lookup_data data = { 0 };
Expand Down Expand Up @@ -794,7 +794,7 @@ int main(int argc, char *argv[])
EXPECT_NOT_NULL(server_config);
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, server_chain_and_key));
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(server_config, S2N_CRL_ROOT_CERT, NULL));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "default"));
EXPECT_SUCCESS(s2n_config_set_client_auth_type(server_config, S2N_CERT_AUTH_REQUIRED));

DEFER_CLEANUP(struct s2n_cert_chain_and_key *client_chain_and_key = NULL, s2n_cert_chain_and_key_ptr_free);
Expand All @@ -805,7 +805,7 @@ int main(int argc, char *argv[])
EXPECT_NOT_NULL(client_config);
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(client_config, client_chain_and_key));
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(client_config, S2N_DEFAULT_TEST_CERT_CHAIN, NULL));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "default"));
EXPECT_SUCCESS(s2n_config_set_client_auth_type(client_config, S2N_CERT_AUTH_REQUIRED));

struct crl_lookup_data data = { 0 };
Expand Down
6 changes: 3 additions & 3 deletions tests/unit/s2n_extended_master_secret_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -157,7 +157,7 @@ int main(int argc, char **argv)
EXPECT_NOT_NULL(config);

/* TLS1.2 cipher preferences */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
struct s2n_cert_chain_and_key *chain_and_key = NULL;
EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&chain_and_key,
Expand Down Expand Up @@ -208,7 +208,7 @@ int main(int argc, char **argv)
struct s2n_config *config = s2n_config_new();
EXPECT_NOT_NULL(config);

EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
struct s2n_cert_chain_and_key *chain_and_key = NULL;
EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&chain_and_key,
Expand Down Expand Up @@ -253,7 +253,7 @@ int main(int argc, char **argv)
struct s2n_config *config = s2n_config_new();
EXPECT_NOT_NULL(config);

EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
struct s2n_cert_chain_and_key *chain_and_key = NULL;
EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&chain_and_key,
Expand Down
2 changes: 1 addition & 1 deletion tests/unit/s2n_renegotiate_io_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,7 @@ int main(int argc, char *argv[])
EXPECT_NOT_NULL(config);
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));

uint8_t app_data[] = "test application data";

Expand Down
Loading
Loading