Merge branch 'main' into tls13_only

aws · Jul 11, 2024 · 9a9b6f3 · 9a9b6f3
2 parents 386194e + 7a6bd38
commit 9a9b6f3
Show file tree

Hide file tree

Showing 35 changed files with 482 additions and 923 deletions.
diff --git a/api/s2n.h b/api/s2n.h
@@ -1112,6 +1112,13 @@ typedef enum {
  * Sets up a connection to request the certificate status of a peer during an SSL handshake. If set
  * to S2N_STATUS_REQUEST_NONE, no status request is made.
  *
+ * @note SHA-1 is the only supported hash algorithm for the `certID` field. This is different
+ * from the hash algorithm used for the OCSP signature. See 
+ * [RFC 6960](https://datatracker.ietf.org/doc/html/rfc6960#section-4.1.1) for more information.
+ * While unlikely to be the case, if support for a different hash algorithm is required, the
+ * s2n-tls validation can be disabled with `s2n_config_set_check_stapled_ocsp_response()` and the
+ * response can be retrieved for manual validation with `s2n_connection_get_ocsp_response()`.
+ * 
  * @param config The configuration object being updated
  * @param type The desired request status type
  * @returns S2N_SUCCESS on success. S2N_FAILURE on failure

diff --git a/bindings/rust/s2n-tls/Cargo.toml b/bindings/rust/s2n-tls/Cargo.toml
@@ -24,7 +24,6 @@ pin-project-lite = "0.2"
 hex = "0.4"
 
 [dev-dependencies]
-bytes = "1"
 futures-test = "0.3"
 openssl = "0.10"
 temp-env = "0.3"

diff --git a/bindings/rust/s2n-tls/src/callbacks/pkey.rs b/bindings/rust/s2n-tls/src/callbacks/pkey.rs
@@ -121,8 +121,8 @@ pub trait PrivateKeyCallback: 'static + Send + Sync {
 mod tests {
     use super::*;
     use crate::{
-        config, connection, error, security, testing,
-        testing::{s2n_tls::*, *},
+        config, connection, error, security,
+        testing::{self, *},
     };
     use core::task::{Poll, Waker};
     use futures_test::task::new_count_waker;
@@ -139,10 +139,7 @@ mod tests {
         "/../../../tests/pems/ecdsa_p384_pkcs1_cert.pem"
     ));
 
-    fn new_pair<T>(
-        callback: T,
-        waker: Waker,
-    ) -> Result<Pair<s2n_tls::Harness, s2n_tls::Harness>, Error>
+    fn new_pair<T>(callback: T, waker: Waker) -> Result<TestPair, Error>
     where
         T: 'static + PrivateKeyCallback,
     {
@@ -157,20 +154,10 @@ mod tests {
             config.build()?
         };
 
-        let server = {
-            let mut server = connection::Connection::new_server();
-            server.set_config(config.clone())?;
-            server.set_waker(Some(&waker))?;
-            Harness::new(server)
-        };
-
-        let client = {
-            let mut client = connection::Connection::new_client();
-            client.set_config(config)?;
-            Harness::new(client)
-        };
+        let mut pair = TestPair::from_config(&config);
+        pair.server.set_waker(Some(&waker))?;
 
-        Ok(Pair::new(server, client))
+        Ok(pair)
     }
 
     fn ecdsa_sign(
@@ -214,11 +201,11 @@ mod tests {
         let (waker, wake_count) = new_count_waker();
         let counter = testing::Counter::default();
         let callback = TestPkeyCallback(counter.clone());
-        let pair = new_pair(callback, waker)?;
+        let mut pair = new_pair(callback, waker)?;
 
         assert_eq!(counter.count(), 0);
         assert_eq!(wake_count, 0);
-        poll_tls_pair(pair);
+        pair.handshake()?;
         assert_eq!(counter.count(), 1);
         assert_eq!(wake_count, 0);
 
@@ -272,11 +259,11 @@ mod tests {
         let (waker, wake_count) = new_count_waker();
         let counter = testing::Counter::default();
         let callback = TestPkeyCallback(counter.clone());
-        let pair = new_pair(callback, waker)?;
+        let mut pair = new_pair(callback, waker)?;
 
         assert_eq!(counter.count(), 0);
         assert_eq!(wake_count, 0);
-        poll_tls_pair(pair);
+        pair.handshake()?;
         assert_eq!(counter.count(), 1);
         assert_eq!(wake_count, POLL_COUNT);
 
@@ -306,14 +293,11 @@ mod tests {
 
         assert_eq!(counter.count(), 0);
         assert_eq!(wake_count, 0);
-        let result = poll_tls_pair_result(&mut pair);
+        let err = pair.handshake().unwrap_err();
         assert_eq!(counter.count(), 1);
         assert_eq!(wake_count, 0);
 
-        match result {
-            Ok(_) => panic!("Handshake unexpectedly succeeded"),
-            Err(e) => testing::assert_test_error(e, ERROR),
-        };
+        assert_test_error(err, ERROR);
         Ok(())
     }
 
@@ -362,14 +346,11 @@ mod tests {
 
         assert_eq!(counter.count(), 0);
         assert_eq!(wake_count, 0);
-        let result = poll_tls_pair_result(&mut pair);
+        let err = pair.handshake().unwrap_err();
         assert_eq!(counter.count(), 1);
         assert_eq!(wake_count, POLL_COUNT);
 
-        match result {
-            Ok(_) => panic!("Handshake unexpectedly succeeded"),
-            Err(e) => testing::assert_test_error(e, ERROR),
-        };
+        assert_test_error(err, ERROR);
         Ok(())
     }
 }
diff --git a/bindings/rust/s2n-tls/src/client_hello.rs b/bindings/rust/s2n-tls/src/client_hello.rs
@@ -229,30 +229,21 @@ pub mod fingerprint {
                 fingerprint::{FingerprintType, MD5_HASH_SIZE},
                 ClientHello,
             },
-            connection::Connection,
             error::{Error, ErrorType},
             security,
-            testing::{poll_tls_pair, tls_pair},
+            testing::TestPair,
         };
 
         /// This function is a test fixture used a generate a valid ClientHello so
         /// that we don't have to copy and paste the raw bytes for test fixtures
-        fn get_client_hello_bytes() -> Vec<u8> {
+        fn get_client_hello_bytes() -> Result<Vec<u8>, crate::error::Error> {
             let config = crate::testing::config_builder(&security::DEFAULT_TLS13)
                 .unwrap()
-                .build()
-                .unwrap();
-            let pair = tls_pair(config);
-            let pair = poll_tls_pair(pair);
+                .build()?;
+            let mut pair = TestPair::from_config(&config);
+            pair.handshake()?;
             // this doesn't have the handshake header
-            let client_hello_message = pair
-                .server
-                .0
-                .connection()
-                .client_hello()
-                .unwrap()
-                .raw_message()
-                .unwrap();
+            let client_hello_message = pair.server.client_hello()?.raw_message()?;
             // handshake header is {tag: u8, client_hello_length: u24}
             let mut client_hello = vec![0; 4];
             // As long as the client hello is small, no bit fiddling is required
@@ -261,7 +252,7 @@ pub mod fingerprint {
             client_hello[0] = 1;
             client_hello[3] = client_hello_message.len() as u8;
             client_hello.extend(client_hello_message.iter());
-            client_hello
+            Ok(client_hello)
         }
 
         fn known_test_case(
@@ -290,7 +281,7 @@ pub mod fingerprint {
         pub fn get_client_hello() -> Box<ClientHello> {
             // sets up connection and handshakes
             let raw_client_hello = get_client_hello_bytes();
-            ClientHello::parse_client_hello(raw_client_hello.as_slice()).unwrap()
+            ClientHello::parse_client_hello(raw_client_hello.unwrap().as_slice()).unwrap()
         }
 
         pub fn client_hello_bytes() -> Vec<u8> {
@@ -324,28 +315,23 @@ pub mod fingerprint {
                 .unwrap()
                 .build()
                 .unwrap();
-            let pair = crate::testing::tls_pair(config);
+            let mut pair = TestPair::from_config(&config);
 
             // client_hellos can not be accessed before the handshake
-            assert!(pair.client.0.connection().client_hello().is_err());
-            assert!(pair.server.0.connection().client_hello().is_err());
-
-            let pair = poll_tls_pair(pair);
-            let server_conn = pair.server.0.connection();
-            let client_conn = pair.server.0.connection();
-
-            let check_client_hello = |conn: &Connection| -> Result<(), Error> {
-                let client_hello = conn.client_hello().unwrap();
-                let mut hash = Vec::new();
-                let fingerprint_size =
-                    client_hello.fingerprint_hash(FingerprintType::JA3, &mut hash)?;
-                let mut string = String::with_capacity(fingerprint_size as usize);
-                client_hello.fingerprint_string(FingerprintType::JA3, &mut string)?;
-                Ok(())
-            };
+            assert!(pair.client.client_hello().is_err());
+            assert!(pair.server.client_hello().is_err());
+
+            pair.handshake().unwrap();
 
-            assert!(check_client_hello(server_conn).is_ok());
-            assert!(check_client_hello(client_conn).is_ok());
+            let client_hello = pair.server.client_hello().unwrap();
+            let mut hash = Vec::new();
+            let fingerprint_size = client_hello
+                .fingerprint_hash(FingerprintType::JA3, &mut hash)
+                .unwrap();
+            let mut string = String::with_capacity(fingerprint_size as usize);
+            client_hello
+                .fingerprint_string(FingerprintType::JA3, &mut string)
+                .unwrap();
         }
 
         // known value test case copied from s2n_fingerprint_ja3_test.c