Skip to content

Commit

Permalink
test: disallow explict use of "default" policy in tests (aws#4750)
Browse files Browse the repository at this point in the history
  • Loading branch information
toidiu authored Sep 23, 2024
1 parent 683195e commit 360feb2
Show file tree
Hide file tree
Showing 25 changed files with 113 additions and 73 deletions.
8 changes: 5 additions & 3 deletions bindings/rust/s2n-tls-tokio/tests/common/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ use s2n_tls::{
config,
connection::Builder,
error::Error,
security::{DEFAULT, DEFAULT_TLS13},
security::{Policy, DEFAULT_TLS13},
};
use s2n_tls_tokio::{TlsAcceptor, TlsConnector, TlsStream};
use std::time::Duration;
Expand Down Expand Up @@ -67,14 +67,16 @@ pub fn server_config() -> Result<config::Builder, Error> {

pub fn client_config_tls12() -> Result<config::Builder, Error> {
let mut builder = config::Config::builder();
builder.set_security_policy(&DEFAULT)?;
let policy = Policy::from_version("20240501").unwrap();
builder.set_security_policy(&policy)?;
builder.trust_pem(RSA_CERT_PEM)?;
Ok(builder)
}

pub fn server_config_tls12() -> Result<config::Builder, Error> {
let mut builder = config::Config::builder();
builder.set_security_policy(&DEFAULT)?;
let policy = Policy::from_version("20240501").unwrap();
builder.set_security_policy(&policy)?;
builder.load_pem(RSA_CERT_PEM, RSA_KEY_PEM)?;
Ok(builder)
}
Expand Down
38 changes: 38 additions & 0 deletions codebuild/bin/grep_simple_mistakes.sh
Original file line number Diff line number Diff line change
Expand Up @@ -224,6 +224,44 @@ if [[ -n $S2N_ENSURE_WITH_INVALID_ERROR_CODE ]]; then
printf "$S2N_ENSURE_WITH_INVALID_ERROR_CODE\n\n"
fi

#############################################
# Assert tests don't specify the "default" security policy.
#
# Since the "default" policies are subject to change, tests should instead specify
# an immutable numbered policy to avoid unwanted testing behavior.
#############################################
S2N_DEFAULT_SECURITY_POLICY_USAGE=$(find "$PWD" -type f -name "s2n*.c" -path "*/tests/*" \
-not -path "*/bindings/*")
declare -A KNOWN_DEFAULT_USAGE
KNOWN_DEFAULT_USAGE["$PWD/tests/unit/s2n_security_policies_test.c"]=5
KNOWN_DEFAULT_USAGE["$PWD/tests/unit/s2n_client_hello_test.c"]=2
KNOWN_DEFAULT_USAGE["$PWD/tests/unit/s2n_connection_preferences_test.c"]=1
KNOWN_DEFAULT_USAGE["$PWD/tests/unit/s2n_config_test.c"]=1
# "default" string not used for specifying security policy
#
# The regex matching results in false positives but is intentionally "loose" to
# try and catch non-obvious [1] usage of "default". This is acceptable since
# there are only a few false positives at the moment.
#
# [1] https://github.com/aws/s2n-tls/blob/341a69ed6fc4fa8f51c09b9cc477223cec4d8e60/tests/unit/s2n_client_hello_test.c#L580
KNOWN_DEFAULT_USAGE["$PWD/tests/unit/s2n_build_test.c"]=1
KNOWN_DEFAULT_USAGE["$PWD/tests/unit/s2n_client_key_share_extension_test.c"]=2

for file in $S2N_DEFAULT_SECURITY_POLICY_USAGE; do
RESULT_NUM_LINES=`grep -n '"default"' $file | wc -l`

# set default KNOWN_DEFAULT_USAGE value
[ -z "${KNOWN_DEFAULT_USAGE["$file"]}" ] && KNOWN_DEFAULT_USAGE["$file"]="0"

# check if "default" usage is 0 or a known value
if [ "${RESULT_NUM_LINES}" != "${KNOWN_DEFAULT_USAGE["$file"]}" ]; then
FAILED=1
KNOWN_USAGE=${KNOWN_DEFAULT_USAGE[$file]}
printf "\e[1;34mExpected: ${KNOWN_USAGE} Found: ${RESULT_NUM_LINES} usage of \"default\" in $file\n"
printf "\e[1;34mTests should specify a numbered security policy unless specifically testing the \"default\" policy.\n\n"
fi
done

#############################################
# REPORT FINAL RESULTS
#############################################
Expand Down
4 changes: 2 additions & 2 deletions tests/unit/s2n_alerts_protocol_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -479,13 +479,13 @@ int main(int argc, char **argv)
s2n_connection_ptr_free);
EXPECT_SUCCESS(s2n_connection_set_blinding(server, S2N_SELF_SERVICE_BLINDING));
EXPECT_SUCCESS(s2n_connection_set_config(server, config));
EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(server, "default"));
EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(server, "20240501"));

DEFER_CLEANUP(struct s2n_connection *client = s2n_connection_new(S2N_CLIENT),
s2n_connection_ptr_free);
EXPECT_SUCCESS(s2n_connection_set_blinding(client, S2N_SELF_SERVICE_BLINDING));
EXPECT_SUCCESS(s2n_connection_set_config(client, config));
EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(client, "default"));
EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(client, "20240501"));

DEFER_CLEANUP(struct s2n_test_io_stuffer_pair io_pair = { 0 }, s2n_io_stuffer_pair_free);
EXPECT_OK(s2n_io_stuffer_pair_init(&io_pair));
Expand Down
10 changes: 5 additions & 5 deletions tests/unit/s2n_cert_validation_callback_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -214,7 +214,7 @@ int main(int argc, char *argv[])

DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
EXPECT_NOT_NULL(config);
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));

struct s2n_cert_validation_data data = test_cases[i].data;
EXPECT_SUCCESS(s2n_config_set_cert_validation_cb(config, s2n_test_cert_validation_callback, &data));
Expand Down Expand Up @@ -262,7 +262,7 @@ int main(int argc, char *argv[])

DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
EXPECT_NOT_NULL(config);
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));

struct s2n_cert_validation_data data = test_cases[i].data;
EXPECT_SUCCESS(s2n_config_set_cert_validation_cb(config, s2n_test_cert_validation_callback, &data));
Expand Down Expand Up @@ -300,7 +300,7 @@ int main(int argc, char *argv[])
EXPECT_NOT_NULL(config);
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(config, S2N_DEFAULT_TEST_CERT_CHAIN, NULL));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));

struct s2n_cert_validation_data data = test_cases[i].data;
EXPECT_SUCCESS(s2n_config_set_cert_validation_cb(config, s2n_test_cert_validation_callback_self_talk, &data));
Expand Down Expand Up @@ -337,7 +337,7 @@ int main(int argc, char *argv[])
EXPECT_NOT_NULL(server_config);
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(server_config, S2N_DEFAULT_TEST_CERT_CHAIN, NULL));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "default"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_client_auth_type(server_config, S2N_CERT_AUTH_REQUIRED));

struct s2n_cert_validation_data data = test_cases[i].data;
Expand All @@ -353,7 +353,7 @@ int main(int argc, char *argv[])
EXPECT_NOT_NULL(client_config);
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(client_config, chain_and_key));
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(client_config, S2N_DEFAULT_TEST_CERT_CHAIN, NULL));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "default"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_client_auth_type(client_config, S2N_CERT_AUTH_OPTIONAL));

DEFER_CLEANUP(struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
Expand Down
6 changes: 3 additions & 3 deletions tests/unit/s2n_client_hello_request_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -76,13 +76,13 @@ int main(int argc, char **argv)

DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
EXPECT_NOT_NULL(config);
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));

DEFER_CLEANUP(struct s2n_config *config_with_reneg_cb = s2n_config_new(), s2n_config_ptr_free);
EXPECT_NOT_NULL(config_with_reneg_cb);
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config_with_reneg_cb, "default"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config_with_reneg_cb, "20240501"));
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config_with_reneg_cb));
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config_with_reneg_cb, chain_and_key));
EXPECT_SUCCESS(s2n_config_set_renegotiate_request_cb(config_with_reneg_cb, s2n_test_reneg_req_cb, NULL));
Expand Down Expand Up @@ -167,7 +167,7 @@ int main(int argc, char **argv)
{
DEFER_CLEANUP(struct s2n_config *config_with_warns = s2n_config_new(), s2n_config_ptr_free);
EXPECT_NOT_NULL(config_with_warns);
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config_with_warns, "default"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config_with_warns, "20240501"));
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config_with_warns));
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config_with_warns, chain_and_key));
EXPECT_SUCCESS(s2n_config_set_alert_behavior(config_with_warns, S2N_ALERT_IGNORE_WARNINGS));
Expand Down
2 changes: 1 addition & 1 deletion tests/unit/s2n_client_hello_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -759,7 +759,7 @@ int main(int argc, char **argv)
struct s2n_connection *conn = NULL;
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(conn, "default"));
EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(conn, "20240501"));

const struct s2n_security_policy *security_policy = NULL;
POSIX_GUARD(s2n_connection_get_security_policy(conn, &security_policy));
Expand Down
14 changes: 7 additions & 7 deletions tests/unit/s2n_config_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -891,7 +891,7 @@ int main(int argc, char **argv)
{
DEFER_CLEANUP(struct s2n_config *server_config = s2n_config_new_minimal(), s2n_config_ptr_free);
EXPECT_NOT_NULL(server_config);
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "default"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "20240501"));
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));

DEFER_CLEANUP(struct s2n_connection *server_conn = s2n_connection_new(S2N_SERVER),
Expand All @@ -901,7 +901,7 @@ int main(int argc, char **argv)

DEFER_CLEANUP(struct s2n_config *client_config = s2n_config_new_minimal(), s2n_config_ptr_free);
EXPECT_NOT_NULL(client_config);
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "default"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(client_config, S2N_DEFAULT_TEST_CERT_CHAIN, NULL));

DEFER_CLEANUP(struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT),
Expand All @@ -927,7 +927,7 @@ int main(int argc, char **argv)
{
DEFER_CLEANUP(struct s2n_config *server_config = s2n_config_new_minimal(), s2n_config_ptr_free);
EXPECT_NOT_NULL(server_config);
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "default"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "20240501"));
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));

DEFER_CLEANUP(struct s2n_connection *server_conn = s2n_connection_new(S2N_SERVER),
Expand All @@ -936,7 +936,7 @@ int main(int argc, char **argv)
EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));

DEFER_CLEANUP(struct s2n_config *client_config = s2n_config_new_minimal(), s2n_config_ptr_free);
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "default"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "20240501"));
EXPECT_NOT_NULL(client_config);

DEFER_CLEANUP(struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT),
Expand Down Expand Up @@ -1092,7 +1092,7 @@ int main(int argc, char **argv)
struct s2n_security_policy rfc9151_applied_locally = security_policy_rfc9151;
rfc9151_applied_locally.certificate_preferences_apply_locally = true;

/* rfc9151 doesn't allow SHA256 signatures, but does allow SHA384 signatures,
/* rfc9151 doesn't allow SHA256 signatures, but does allow SHA384 signatures,
* so ecdsa_p384_sha256 is invalid and ecdsa_p384_sha384 is valid */

/* valid certs are accepted */
Expand All @@ -1119,8 +1119,8 @@ int main(int argc, char **argv)

/* certs in default_certs_by_type are validated */
{
/* s2n_config_set_cert_chain_and_key_defaults populates default_certs_by_type
* but doesn't populate domain_name_to_cert_map
/* s2n_config_set_cert_chain_and_key_defaults populates default_certs_by_type
* but doesn't populate domain_name_to_cert_map
*/
DEFER_CLEANUP(struct s2n_config *config = s2n_config_new_minimal(), s2n_config_ptr_free);
EXPECT_SUCCESS(s2n_config_set_cert_chain_and_key_defaults(config, &invalid_cert, 1));
Expand Down
12 changes: 6 additions & 6 deletions tests/unit/s2n_crl_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -668,7 +668,7 @@ int main(int argc, char *argv[])
EXPECT_NOT_NULL(config);
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(config, S2N_CRL_ROOT_CERT, NULL));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));

struct crl_lookup_data data = { 0 };
data.crls[0] = intermediate_crl;
Expand Down Expand Up @@ -704,7 +704,7 @@ int main(int argc, char *argv[])
EXPECT_NOT_NULL(config);
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(config, S2N_CRL_ROOT_CERT, NULL));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));

struct crl_lookup_data data = { 0 };
data.crls[0] = intermediate_crl;
Expand Down Expand Up @@ -743,7 +743,7 @@ int main(int argc, char *argv[])
EXPECT_NOT_NULL(server_config);
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, server_chain_and_key));
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(server_config, S2N_CRL_ROOT_CERT, NULL));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "default"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_client_auth_type(server_config, S2N_CERT_AUTH_REQUIRED));

DEFER_CLEANUP(struct s2n_cert_chain_and_key *client_chain_and_key = NULL, s2n_cert_chain_and_key_ptr_free);
Expand All @@ -754,7 +754,7 @@ int main(int argc, char *argv[])
EXPECT_NOT_NULL(client_config);
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(client_config, client_chain_and_key));
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(client_config, S2N_DEFAULT_TEST_CERT_CHAIN, NULL));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "default"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_client_auth_type(client_config, S2N_CERT_AUTH_REQUIRED));

struct crl_lookup_data data = { 0 };
Expand Down Expand Up @@ -794,7 +794,7 @@ int main(int argc, char *argv[])
EXPECT_NOT_NULL(server_config);
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, server_chain_and_key));
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(server_config, S2N_CRL_ROOT_CERT, NULL));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "default"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_client_auth_type(server_config, S2N_CERT_AUTH_REQUIRED));

DEFER_CLEANUP(struct s2n_cert_chain_and_key *client_chain_and_key = NULL, s2n_cert_chain_and_key_ptr_free);
Expand All @@ -805,7 +805,7 @@ int main(int argc, char *argv[])
EXPECT_NOT_NULL(client_config);
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(client_config, client_chain_and_key));
EXPECT_SUCCESS(s2n_config_set_verification_ca_location(client_config, S2N_DEFAULT_TEST_CERT_CHAIN, NULL));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "default"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_client_auth_type(client_config, S2N_CERT_AUTH_REQUIRED));

struct crl_lookup_data data = { 0 };
Expand Down
6 changes: 3 additions & 3 deletions tests/unit/s2n_extended_master_secret_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -157,7 +157,7 @@ int main(int argc, char **argv)
EXPECT_NOT_NULL(config);

/* TLS1.2 cipher preferences */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
struct s2n_cert_chain_and_key *chain_and_key = NULL;
EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&chain_and_key,
Expand Down Expand Up @@ -208,7 +208,7 @@ int main(int argc, char **argv)
struct s2n_config *config = s2n_config_new();
EXPECT_NOT_NULL(config);

EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
struct s2n_cert_chain_and_key *chain_and_key = NULL;
EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&chain_and_key,
Expand Down Expand Up @@ -253,7 +253,7 @@ int main(int argc, char **argv)
struct s2n_config *config = s2n_config_new();
EXPECT_NOT_NULL(config);

EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
struct s2n_cert_chain_and_key *chain_and_key = NULL;
EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&chain_and_key,
Expand Down
2 changes: 1 addition & 1 deletion tests/unit/s2n_renegotiate_io_test.c
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,7 @@ int main(int argc, char *argv[])
EXPECT_NOT_NULL(config);
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));

uint8_t app_data[] = "test application data";

Expand Down
Loading

0 comments on commit 360feb2

Please sign in to comment.