Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: avoid cert validation on connection_set_config #4612

Merged
merged 8 commits into from
Jul 16, 2024
Merged

fix: avoid cert validation on connection_set_config #4612

merged 8 commits into from
Jul 16, 2024

Conversation

jmayclin
Copy link
Contributor

Description of changes:

Currently s2n_connection_set_config is O(N) w.r.t the number of certificates loaded on a config. For customers with very large numbers of certificates, this performance penalty is relatively large.

This PR adds a new invariant to s2n_config: it always respects the config->security_policy cert preferences.

With this new invariant, we then relax the check in s2n_connection_set_config to only apply if the connection has a security policy override. Otherwise we already know that the config is valid.

Additionally, I added some "short circuits" to the checks to exit early when the security policy has no associated certificate preferences.

Testing:

New unit tests were added for the config invariant. Additionally a unit test was removed, because config validation no longer happens when s2n_connection_set_config is called.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the s2n-core team label Jun 18, 2024
@jmayclin jmayclin marked this pull request as ready for review June 18, 2024 17:58
@jmayclin
address ci failure
80635e5 
- forgot to include s2n_map header
@jmayclin jmayclin requested review from lrstewart and maddeleine June 20, 2024 23:53
@jmayclin
address pr feedback
1c64482 
- add unit test to guard against cert preferences in default sp
@jmayclin jmayclin requested a review from lrstewart June 29, 2024 00:35
@jmayclin
address pr feedback
8abea26 
- add new unit test to ensure certs aren't checked in set_config
- use FAILURE_WITH_ERRNO
@jmayclin jmayclin requested review from lrstewart and maddeleine July 9, 2024 04:01
jmayclin added 2 commits July 10, 2024 17:29
@jmayclin
address pr feedback
66ca9f5 
- whitespace fix on the ec certs
@jmayclin
address pr feedback
8f3e8b1 
- add missing newline
@jmayclin jmayclin enabled auto-merge (squash) July 15, 2024 19:09
@jmayclin
address ci failure
26c6330 
- switch to 1024 bit cert
@jmayclin jmayclin requested a review from lrstewart July 16, 2024 17:38
@jmayclin jmayclin mentioned this pull request Jul 16, 2024
Closed
@jmayclin jmayclin merged commit b20075b into aws:main Jul 16, 2024
34 checks passed
@BrewTestBot BrewTestBot mentioned this pull request Jul 19, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lrstewart lrstewart lrstewart approved these changes

@maddeleine maddeleine maddeleine approved these changes

Assignees
No one assigned
Labels
s2n-core team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jmayclin @lrstewart @maddeleine @camshaft