Skip to content

Commit

Permalink
pin implicit default security policy usage for s2n_config
Browse files Browse the repository at this point in the history
  • Loading branch information
@toidiu
toidiu committed Sep 17, 2024
1 parent b50b152 commit 252650a
Show file tree
Hide file tree
Showing 172 changed files with 2,035 additions and 135 deletions.
12 changes: 12 additions & 0 deletions tests/unit/s2n_alerts_protocol_test.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -102,12 +102,18 @@ int main(int argc, char **argv)

DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(),
s2n_config_ptr_free);
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default_tls13"));
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));

DEFER_CLEANUP(struct s2n_config *ecdsa_config = s2n_config_new(),
s2n_config_ptr_free);
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(ecdsa_config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(ecdsa_config));
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(ecdsa_config, ecdsa_chain_and_key));

Expand Down Expand Up @@ -206,10 +212,16 @@ int main(int argc, char **argv)

DEFER_CLEANUP(struct s2n_config *bad_cb_config = s2n_config_new(),
s2n_config_ptr_free);
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(bad_cb_config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_client_hello_cb(bad_cb_config, s2n_test_ch_cb, NULL));

DEFER_CLEANUP(struct s2n_config *untrusted_config = s2n_config_new(),
s2n_config_ptr_free);
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(untrusted_config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */

for (size_t i = 0; i < s2n_array_len(test_errors); i++) {
DEFER_CLEANUP(struct s2n_connection *server = s2n_connection_new(S2N_SERVER),
Expand Down
15 changes: 13 additions & 2 deletions tests/unit/s2n_alerts_test.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,10 +13,9 @@
* permissions and limitations under the License.
*/

#include "tls/s2n_alerts.h"

#include "s2n_test.h"
#include "testlib/s2n_testlib.h"
#include "tls/s2n_alerts.h"
#include "tls/s2n_quic_support.h"

#define ALERT_LEN (sizeof(uint16_t))
Expand Down Expand Up @@ -147,6 +146,9 @@ int main(int argc, char **argv)
if (s2n_is_tls13_fully_supported()) {
struct s2n_config *config = NULL;
EXPECT_NOT_NULL(config = s2n_config_new());
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */

struct s2n_connection *conn = NULL;
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
Expand Down Expand Up @@ -214,6 +216,9 @@ int main(int argc, char **argv)
{
struct s2n_config *config = NULL;
EXPECT_NOT_NULL(config = s2n_config_new());
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_alert_behavior(config, S2N_ALERT_IGNORE_WARNINGS));

struct s2n_connection *conn = NULL;
Expand All @@ -234,6 +239,9 @@ int main(int argc, char **argv)
{
struct s2n_config *config = NULL;
EXPECT_NOT_NULL(config = s2n_config_new());
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_alert_behavior(config, S2N_ALERT_IGNORE_WARNINGS));

struct s2n_connection *conn = NULL;
Expand All @@ -254,6 +262,9 @@ int main(int argc, char **argv)
{
struct s2n_config *config = NULL;
EXPECT_NOT_NULL(config = s2n_config_new());
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */

struct s2n_connection *conn = NULL;
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
Expand Down
3 changes: 1 addition & 2 deletions tests/unit/s2n_array_test.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,8 @@
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
#include "utils/s2n_array.h"

#include "s2n_test.h"
#include "utils/s2n_array.h"
#include "utils/s2n_blob.h"
#include "utils/s2n_mem.h"
#include "utils/s2n_safety.h"
Expand Down
36 changes: 34 additions & 2 deletions tests/unit/s2n_async_pkey_test.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,12 +13,11 @@
* permissions and limitations under the License.
*/

#include "tls/s2n_async_pkey.h"

#include "api/s2n.h"
#include "error/s2n_errno.h"
#include "s2n_test.h"
#include "testlib/s2n_testlib.h"
#include "tls/s2n_async_pkey.h"
#include "tls/s2n_cipher_suites.h"
#include "tls/s2n_connection.h"
#include "tls/s2n_security_policies.h"
Expand Down Expand Up @@ -405,12 +404,18 @@ int main(int argc, char **argv)
{
struct s2n_config *server_config = NULL, *client_config = NULL;
EXPECT_NOT_NULL(server_config = s2n_config_new());
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
EXPECT_SUCCESS(s2n_config_add_dhparams(server_config, dhparams_pem));
EXPECT_SUCCESS(s2n_config_set_async_pkey_callback(server_config, async_pkey_apply_in_callback));
server_config->security_policy = &server_security_policy;

EXPECT_NOT_NULL(client_config = s2n_config_new());
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(client_config));
/* Security policy must support all cipher suites in test_cipher_suites above */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "test_all"));
Expand Down Expand Up @@ -446,12 +451,18 @@ int main(int argc, char **argv)
{
struct s2n_config *server_config = NULL, *client_config = NULL;
EXPECT_NOT_NULL(server_config = s2n_config_new());
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
EXPECT_SUCCESS(s2n_config_add_dhparams(server_config, dhparams_pem));
EXPECT_SUCCESS(s2n_config_set_async_pkey_callback(server_config, async_pkey_store_callback));
server_config->security_policy = &server_security_policy;

EXPECT_NOT_NULL(client_config = s2n_config_new());
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(client_config));
/* Security policy must support all cipher suites in test_cipher_suites above */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "test_all"));
Expand Down Expand Up @@ -487,12 +498,18 @@ int main(int argc, char **argv)
{
struct s2n_config *server_config = NULL, *client_config = NULL;
EXPECT_NOT_NULL(server_config = s2n_config_new());
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
EXPECT_SUCCESS(s2n_config_add_dhparams(server_config, dhparams_pem));
EXPECT_SUCCESS(s2n_config_set_async_pkey_callback(server_config, async_pkey_store_callback));
server_config->security_policy = &server_security_policy;

EXPECT_NOT_NULL(client_config = s2n_config_new());
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(client_config));
/* Security policy must support all cipher suites in test_cipher_suites above */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "test_all"));
Expand Down Expand Up @@ -529,6 +546,9 @@ int main(int argc, char **argv)
{
struct s2n_config *server_config = NULL, *client_config = NULL;
EXPECT_NOT_NULL(server_config = s2n_config_new());
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
EXPECT_SUCCESS(s2n_config_add_dhparams(server_config, dhparams_pem));
EXPECT_SUCCESS(s2n_config_set_async_pkey_callback(server_config, async_pkey_store_callback));
Expand All @@ -537,6 +557,9 @@ int main(int argc, char **argv)
EXPECT_SUCCESS(s2n_config_set_async_pkey_validation_mode(server_config, S2N_ASYNC_PKEY_VALIDATION_STRICT));

EXPECT_NOT_NULL(client_config = s2n_config_new());
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(client_config));
/* Security policy must support all cipher suites in test_cipher_suites above */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "test_all"));
Expand Down Expand Up @@ -571,13 +594,19 @@ int main(int argc, char **argv)
/* Test: Apply invalid signature, when signature validation is enabled for all sync / async signatures */
{
DEFER_CLEANUP(struct s2n_config *server_config = s2n_config_new(), s2n_config_ptr_free);
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_NOT_NULL(server_config);
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
EXPECT_SUCCESS(s2n_config_add_dhparams(server_config, dhparams_pem));
EXPECT_SUCCESS(s2n_config_set_async_pkey_callback(server_config, async_pkey_store_callback));
server_config->security_policy = &server_security_policy;

DEFER_CLEANUP(struct s2n_config *client_config = s2n_config_new(), s2n_config_ptr_free);
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_NOT_NULL(client_config);
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(client_config));
/* Security policy must support all cipher suites in test_cipher_suites above */
Expand Down Expand Up @@ -679,6 +708,9 @@ int main(int argc, char **argv)
/* Test: Apply invalid signature to sync operation */
{
DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_NOT_NULL(config);
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default_tls13"));
Expand Down
21 changes: 19 additions & 2 deletions tests/unit/s2n_auth_selection_test.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,13 +13,12 @@
* permissions and limitations under the License.
*/

#include "tls/s2n_auth_selection.h"

#include "api/s2n.h"
#include "crypto/s2n_fips.h"
#include "crypto/s2n_rsa_pss.h"
#include "s2n_test.h"
#include "testlib/s2n_testlib.h"
#include "tls/s2n_auth_selection.h"
#include "tls/s2n_cipher_preferences.h"
#include "tls/s2n_cipher_suites.h"
#include "tls/s2n_config.h"
Expand Down Expand Up @@ -74,19 +73,34 @@ int main(int argc, char **argv)
S2N_ECDSA_P384_PKCS1_CERT_CHAIN, S2N_ECDSA_P384_PKCS1_KEY));

struct s2n_config *no_certs_config = s2n_config_new();
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(no_certs_config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */

struct s2n_config *rsa_cert_config = s2n_config_new();
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(rsa_cert_config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(rsa_cert_config, rsa_cert_chain));

struct s2n_config *ecdsa_cert_config = s2n_config_new();
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(ecdsa_cert_config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(ecdsa_cert_config, ecdsa_cert_chain));

struct s2n_config *all_certs_config = s2n_config_new();
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(all_certs_config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(all_certs_config, rsa_cert_chain));
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(all_certs_config, ecdsa_cert_chain));

struct s2n_cert_chain_and_key *rsa_pss_cert_chain = NULL;
struct s2n_config *rsa_pss_cert_config = s2n_config_new();
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(rsa_pss_cert_config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */

#if RSA_PSS_CERTS_SUPPORTED
EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&rsa_pss_cert_chain,
Expand Down Expand Up @@ -190,6 +204,9 @@ int main(int argc, char **argv)
S2N_ECDSA_P256_PKCS1_CERT_CHAIN, S2N_ECDSA_P256_PKCS1_KEY));

struct s2n_config *ecdsa_cert_config_for_other_curve = s2n_config_new();
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(ecdsa_cert_config_for_other_curve, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(
ecdsa_cert_config_for_other_curve, ecdsa_cert_chain_for_other_curve));

Expand Down
3 changes: 1 addition & 2 deletions tests/unit/s2n_blob_test.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,10 +13,9 @@
* permissions and limitations under the License.
*/

#include "utils/s2n_blob.h"

#include "api/s2n.h"
#include "s2n_test.h"
#include "utils/s2n_blob.h"
#include "utils/s2n_mem.h"

int main(int argc, char **argv)
Expand Down
6 changes: 4 additions & 2 deletions tests/unit/s2n_cert_authorities_test.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,11 +13,10 @@
* permissions and limitations under the License.
*/

#include "tls/extensions/s2n_cert_authorities.h"

#include "crypto/s2n_rsa_pss.h"
#include "s2n_test.h"
#include "testlib/s2n_testlib.h"
#include "tls/extensions/s2n_cert_authorities.h"
#include "tls/s2n_tls.h"
#include "utils/s2n_bitmap.h"

Expand Down Expand Up @@ -74,6 +73,9 @@ int main(int argc, char **argv)
{
/* s2n_config_new configures the default trust store */
DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_NOT_NULL(config);

/* Fails with default system trust store */
Expand Down
15 changes: 15 additions & 0 deletions tests/unit/s2n_cert_chain_and_key_test.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,9 @@ int main(int argc, char **argv)
EXPECT_SUCCESS(setenv("S2N_DONT_MLOCK", "1", 0));

EXPECT_NOT_NULL(client_config = s2n_config_new());
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_disable_x509_verification(client_config));
/* Create config with s2n_config_add_cert_chain_and_key_to_store API with multiple certs */
{
Expand All @@ -81,6 +84,9 @@ int main(int argc, char **argv)
/* Collection of certs with the same domain name that need to have ties resolved. */
struct s2n_cert_chain_and_key *tied_certs[NUM_TIED_CERTS] = { NULL };
EXPECT_NOT_NULL(server_config = s2n_config_new());
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cert_tiebreak_callback(server_config, test_cert_tiebreak_cb));

/* Need to add at least one cert with a different domain name to make cert lookup utilize hashmap */
Expand Down Expand Up @@ -123,6 +129,9 @@ int main(int argc, char **argv)
/* Create config with deprecated s2n_config_add_cert_chain_and_key API */
{
EXPECT_NOT_NULL(server_config = s2n_config_new());
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key(server_config, cert_chain, private_key));

EXPECT_NOT_NULL(server_conn = create_conn(S2N_SERVER, server_config));
Expand All @@ -149,6 +158,9 @@ int main(int argc, char **argv)
/* Config first uses s2n_config_add_cert_chain_and_key: library owns chain */
{
DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_NOT_NULL(config);
EXPECT_EQUAL(config->cert_ownership, S2N_NOT_OWNED);

Expand All @@ -170,6 +182,9 @@ int main(int argc, char **argv)
/* Config first uses s2n_config_add_cert_chain_and_key_to_store: application owns chain */
{
DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
/* AUTO-GENERATED */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, s2n_testing_old_default_security_policy()));
/* AUTO-GENERATED */
EXPECT_NOT_NULL(config);
EXPECT_EQUAL(config->cert_ownership, S2N_NOT_OWNED);

Expand Down
Loading

0 comments on commit 252650a

Please sign in to comment.