diff --git a/tests/pems/permutations/generate-certs.sh b/tests/pems/permutations/generate-certs.sh index bf283fb182b..8491ba8f8a1 100755 --- a/tests/pems/permutations/generate-certs.sh +++ b/tests/pems/permutations/generate-certs.sh @@ -170,6 +170,7 @@ then cert-gen ec ecdsa 384 SHA384 ec_ecdsa_p384_sha384 cert-gen ec ecdsa 521 SHA384 ec_ecdsa_p521_sha384 cert-gen ec ecdsa 521 SHA512 ec_ecdsa_p521_sha512 + cert-gen rsa pkcsv1.5 1024 SHA1 rsae_pkcs_1024_sha1 cert-gen rsa pkcsv1.5 2048 SHA1 rsae_pkcs_2048_sha1 cert-gen rsa pkcsv1.5 2048 SHA224 rsae_pkcs_2048_sha224 cert-gen rsa pkcsv1.5 2048 SHA256 rsae_pkcs_2048_sha256 diff --git a/tests/pems/permutations/rsae_pkcs_1024_sha1/ca-cert.pem b/tests/pems/permutations/rsae_pkcs_1024_sha1/ca-cert.pem new file mode 100644 index 00000000000..3a21510a09a --- /dev/null +++ b/tests/pems/permutations/rsae_pkcs_1024_sha1/ca-cert.pem @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICJjCCAY+gAwIBAgIUQDCl/x6VIdw2yTd5txSGLknYLO4wDQYJKoZIhvcNAQEF +BQAwHDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBHJvb3QwIBcNMjQwNzE2MTY1NzU3 +WhgPMjIwMzEyMjIxNjU3NTdaMBwxCzAJBgNVBAYTAlVTMQ0wCwYDVQQDDARyb290 +MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDH6oo3EzDAAN+1zmpMkxEw2EP6 +E8Zh2wjVvC4VGjCgjysjwswxQmteLO+ZXgIDqXfRw9nC6VXZkSRqVMY07t5OFre+ +6eDDPW6jugtDveqJfFWgCNuOnFlVTC5GflS+8pC3mcnyRdTmlxK0wDAGQQmZMsNN +cKDAoTNq0StR0E/1ZwIDAQABo2MwYTAdBgNVHQ4EFgQUAh7fvcT9sUislNuEPeSQ +X9xO5HcwHwYDVR0jBBgwFoAUAh7fvcT9sUislNuEPeSQX9xO5HcwDwYDVR0TAQH/ +BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwDQYJKoZIhvcNAQEFBQADgYEAj5ht0bxM +ebIpeYJSpvA7L+J9Vttn3iGuw+j52y4wAWIQ6OZEJQAu5WDn6Tox0nJ33/v/yPu2 ++LN5dtQm8P1rBRo9zJ3QKv/HhvhcZ+eWaWpwX8ccDT/9jXRTS2tGGg8Mr5x97W4A +EyqOVM1cZOUjuDlibMNJoPU/n1uuyclkjqw= +-----END CERTIFICATE----- diff --git a/tests/pems/permutations/rsae_pkcs_1024_sha1/client-cert.pem b/tests/pems/permutations/rsae_pkcs_1024_sha1/client-cert.pem new file mode 100644 index 00000000000..99a98f4d519 --- /dev/null +++ b/tests/pems/permutations/rsae_pkcs_1024_sha1/client-cert.pem @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICHTCCAYagAwIBAgIUPinmIrgv3ehEP79tmkXGXv2WXdUwDQYJKoZIhvcNAQEF +BQAwHDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBHJvb3QwIBcNMjQwNzE2MTY1NzU3 +WhgPMjIwMzEyMjIxNjU3NTdaMB4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQDDAZjbGll +bnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMLoQlvRxBoqr+/5dTcSFHZd +1obX8MLtFK42bbwxdoehTe9k0UtBi0DAaVGOmntntn4QMoAiyyXkIqIWnv3rnKKl +rZNotl8lZR8JfNhR869uVtmUHO4bupknHFigW16R/RMsYyGaBPTfpJlRQtTC0uQf +M+amPpxxPSQpzWlpnd/bAgMBAAGjWDBWMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAd +BgNVHQ4EFgQUPqmkeXae2pEeEmTnayyPDjkey2AwHwYDVR0jBBgwFoAUAh7fvcT9 +sUislNuEPeSQX9xO5HcwDQYJKoZIhvcNAQEFBQADgYEAGUDGe/OyqzSuIT7dZSec +ypIK8llt4X7ceZrTKVFWxl3oyTFJVzzmHTiIrUmqcrDi3i664Wjd/ni2k3/piKVt +e23E4pFmXOQ0i95C/nqyKNmio4saxUUEX6bf6u7kxYC8OVmD4/fnulQtfJijnQA2 +gJRedJcj+ppZ7+H9TxCzXdM= +-----END CERTIFICATE----- diff --git a/tests/pems/permutations/rsae_pkcs_1024_sha1/client-key.pem b/tests/pems/permutations/rsae_pkcs_1024_sha1/client-key.pem new file mode 100644 index 00000000000..af729c66c2b --- /dev/null +++ b/tests/pems/permutations/rsae_pkcs_1024_sha1/client-key.pem @@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAMLoQlvRxBoqr+/5 +dTcSFHZd1obX8MLtFK42bbwxdoehTe9k0UtBi0DAaVGOmntntn4QMoAiyyXkIqIW +nv3rnKKlrZNotl8lZR8JfNhR869uVtmUHO4bupknHFigW16R/RMsYyGaBPTfpJlR +QtTC0uQfM+amPpxxPSQpzWlpnd/bAgMBAAECgYB6XAMkz5iz8K6JEeuDSidsc9a0 +yqYMSXgdMnBLoCXQWfSqYHmALEK2wNSdbdAPvvlzRMnfZXhxbjpL1bW0pRCsdkml +4llm3S+VlZVjSu6kYM7Dwvfm2VqbJq8MnMXVNxeU77PF2fddhOTtV0uHIJLVY6X2 +Nqr5vtA3xDXqNzLewQJBAOtzeR+S1wS9BxU1dS6fJc0pvFOEDFLpFoHNjiLvlTDI +nkeNpAmknJz90wtutqbZFwU6RD8jsWtGyUzT1EOs9CECQQDT6vFZkEnLztJtIgFK +usdlA0wrXOhFydkAeWYVWIKlbSczo9JJfd9PxXRn6Ix3MYid7vIMmiDdhKv17yU0 +MhR7AkEAilhzVyYEyXf4bXHXxOkmYQKg8cGpLB5hZyvM1KJJ2zxGJG0JcdETZPuP +wivvjuIIML4n06G5YftZ1JazJoC9gQJBAIjBxHDtGYKJ/OfqmvTT5lt8rkoJked/ +pCeXMFa0INOKxlKf9NPyhAshvMZVn1hIQgbRraiOSolJ1gNHCjZN30MCQQCnIwaq +5R6/tN/UxDZIMPo2K6mqQUXfYVOec0ARoB0J845qZd6rG0E8g5w45ipcu6LVBhd9 +CnEVAXHfnuMzNzjN +-----END PRIVATE KEY----- diff --git a/tests/pems/permutations/rsae_pkcs_1024_sha1/server-chain.pem b/tests/pems/permutations/rsae_pkcs_1024_sha1/server-chain.pem new file mode 100644 index 00000000000..d3abfc6686c --- /dev/null +++ b/tests/pems/permutations/rsae_pkcs_1024_sha1/server-chain.pem @@ -0,0 +1,42 @@ +-----BEGIN CERTIFICATE----- +MIICHTCCAYagAwIBAgIUVSkc16/rtMXmETH/wnscN+VGY+EwDQYJKoZIhvcNAQEF +BQAwHjELMAkGA1UEBhMCVVMxDzANBgNVBAMMBmJyYW5jaDAgFw0yNDA3MTYxNjU3 +NTdaGA8yMjAzMTIyMjE2NTc1N1owHDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBGxl +YWYwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMqhP+hZTU2XpYsT/+IfDeq9 +gqRmMC2RXsymsrgSwU8GmIKuHbb0Dd7hHDUQ4yYOwhQs67C2zCfFudaQ7xT7h87j +Jwxr2QuJZWWCic2N1r7FdtHFiYU7l+UQuzfhtaExZhJx0kpSQQNR6RQpjliHgsuw +ZLSHA5raSyW/jkzwOdp7AgMBAAGjWDBWMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAd +BgNVHQ4EFgQU0bnFIDqssv+4WHdQHtAjIrTBLV0wHwYDVR0jBBgwFoAUr4RQk79w +CfTtpMZ8oBogqWzdWcswDQYJKoZIhvcNAQEFBQADgYEADu69a05cs0qgDa17FjtT +nvzk9djKbg4R2fyUn1jpW9IGgrTQStqv8KXtV+czRPeaiPst7+nZOCXNH/LVhm/P +oCrZd7z5WP5RMXPvEjrNzoXZZRaz2jwD56HpIzM5afzsdYABIQ2pwAhD1KkVhw2g +Npt/QuOuyfy8AnHigRKsTVs= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICKDCCAZGgAwIBAgIUPinmIrgv3ehEP79tmkXGXv2WXdQwDQYJKoZIhvcNAQEF +BQAwHDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBHJvb3QwIBcNMjQwNzE2MTY1NzU3 +WhgPMjIwMzEyMjIxNjU3NTdaMB4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQDDAZicmFu +Y2gwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALz0PVnrhX4YVPLkzgcf7arr +aoA2md5rDVoIQKIJtxihwodByUMLYJFtttEiul6QSLZhPWNnFDh9e50bKXucgcFH +Tlf1XM6W69VED+ZCd9Q4+jewRK7iXxH1C/L0LreF68Gkq+c6VdwSQLyQkUp/AaPf +iH45dUv33ftd4EE0lQbrAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P +AQH/BAQDAgIEMB0GA1UdDgQWBBSvhFCTv3AJ9O2kxnygGiCpbN1ZyzAfBgNVHSME +GDAWgBQCHt+9xP2xSKyU24Q95JBf3E7kdzANBgkqhkiG9w0BAQUFAAOBgQBj3USi +VsO2XKx+5R+V6673/T16yAub61pb126ZGzHzgT7ol7m0Oe4X/pKwcN6ya2iUQkrh +eCbXJ/gK5VE+X95mng+n1v2o8UB7pTMRVA/U+vQfohzQaSsC4HordJLjTKI19bAB +qVfrFvFGMgTeaypoFSmDZTxwCVr974kU9YWrvw== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIICJjCCAY+gAwIBAgIUQDCl/x6VIdw2yTd5txSGLknYLO4wDQYJKoZIhvcNAQEF +BQAwHDELMAkGA1UEBhMCVVMxDTALBgNVBAMMBHJvb3QwIBcNMjQwNzE2MTY1NzU3 +WhgPMjIwMzEyMjIxNjU3NTdaMBwxCzAJBgNVBAYTAlVTMQ0wCwYDVQQDDARyb290 +MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDH6oo3EzDAAN+1zmpMkxEw2EP6 +E8Zh2wjVvC4VGjCgjysjwswxQmteLO+ZXgIDqXfRw9nC6VXZkSRqVMY07t5OFre+ +6eDDPW6jugtDveqJfFWgCNuOnFlVTC5GflS+8pC3mcnyRdTmlxK0wDAGQQmZMsNN +cKDAoTNq0StR0E/1ZwIDAQABo2MwYTAdBgNVHQ4EFgQUAh7fvcT9sUislNuEPeSQ +X9xO5HcwHwYDVR0jBBgwFoAUAh7fvcT9sUislNuEPeSQX9xO5HcwDwYDVR0TAQH/ +BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwDQYJKoZIhvcNAQEFBQADgYEAj5ht0bxM +ebIpeYJSpvA7L+J9Vttn3iGuw+j52y4wAWIQ6OZEJQAu5WDn6Tox0nJ33/v/yPu2 ++LN5dtQm8P1rBRo9zJ3QKv/HhvhcZ+eWaWpwX8ccDT/9jXRTS2tGGg8Mr5x97W4A +EyqOVM1cZOUjuDlibMNJoPU/n1uuyclkjqw= +-----END CERTIFICATE----- diff --git a/tests/pems/permutations/rsae_pkcs_1024_sha1/server-key.pem b/tests/pems/permutations/rsae_pkcs_1024_sha1/server-key.pem new file mode 100644 index 00000000000..d9853e99c28 --- /dev/null +++ b/tests/pems/permutations/rsae_pkcs_1024_sha1/server-key.pem @@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMqhP+hZTU2XpYsT +/+IfDeq9gqRmMC2RXsymsrgSwU8GmIKuHbb0Dd7hHDUQ4yYOwhQs67C2zCfFudaQ +7xT7h87jJwxr2QuJZWWCic2N1r7FdtHFiYU7l+UQuzfhtaExZhJx0kpSQQNR6RQp +jliHgsuwZLSHA5raSyW/jkzwOdp7AgMBAAECgYEAnRWAq6l/SiXDyhvJBQ06Br6/ +pp8pvkmyCkk4x4aSoablWHmOw6RTlHNDIMhkr75FKsrgNHChuDuKpBJbphKQ5qrE +yiBpWq1nIw3VZtikR5lfg5NMNJwQ7koqAom+f4E/OuOtvZYlNyURZZIoj4/2WhIS +GIgzN7vhaIDDK24j3uECQQDseFFBZbqlSBi6aKYVCOqGXHsH/eZZFGoJD8D++y5L +jy7DxFffa/zUcBYZeGfT7HXlravBlBoAsU5vi8KzvG2pAkEA211zf5FsFikWnr+w +1riaxBIPdTMj5aPT5fqhTaVZp6MXD401xvnC+BfxQaqlXoNUJadpONMj8IWIah9c +XeP1gwJAIGMaPerA9YI6YM2Uca0W8fAYqa+MrQauvy75L/MXFCI4NXfe0SrpJe90 +F2j2T4BDZYGz1H+EUDP4mi56LEPSgQJBANU8gDtvRxw7kKt8NxBinr8dtzz8G1bs +69xQx1/M7dvQ42fQoofq3aWA0Jo+oUXAb5mypMwCIpt5kmNmXMlAALUCQHG5eN03 +COl3DU1wTHOuFqejLcp+exARlCYN/BcGL6Qnrjk9sXOo9Ojfsj24zSuIMp3KJuUl +fYSKMUAftnb+KH4= +-----END PRIVATE KEY----- diff --git a/tests/unit/s2n_config_test.c b/tests/unit/s2n_config_test.c index aa4687f8138..ffcd3e0c6a6 100644 --- a/tests/unit/s2n_config_test.c +++ b/tests/unit/s2n_config_test.c @@ -255,23 +255,6 @@ int main(int argc, char **argv) EXPECT_SUCCESS(s2n_connection_free(conn)); EXPECT_SUCCESS(s2n_config_free(config)); }; - - /* Test that security policy validation is enforced on the config */ - { - DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free); - EXPECT_NOT_NULL(config); - DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER), s2n_connection_ptr_free); - EXPECT_NOT_NULL(conn); - - DEFER_CLEANUP(struct s2n_cert_chain_and_key *invalid_cert = NULL, s2n_cert_chain_and_key_ptr_free); - EXPECT_SUCCESS(s2n_test_cert_permutation_load_server_chain(&invalid_cert, "rsae", "pss", "4096", "sha384")); - EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, invalid_cert)); - struct s2n_security_policy rfc9151_applied_locally = security_policy_rfc9151; - rfc9151_applied_locally.certificate_preferences_apply_locally = true; - config->security_policy = &rfc9151_applied_locally; - - EXPECT_FAILURE_WITH_ERRNO(s2n_connection_set_config(conn, config), S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT); - }; }; /* s2n_config_set_session_tickets_onoff */ diff --git a/tests/unit/s2n_connection_test.c b/tests/unit/s2n_connection_test.c index e8252940797..7a1c4e63bdb 100644 --- a/tests/unit/s2n_connection_test.c +++ b/tests/unit/s2n_connection_test.c @@ -648,6 +648,31 @@ int main(int argc, char **argv) conn->security_policy_override = &rfc9151_applied_locally; EXPECT_FAILURE_WITH_ERRNO(s2n_connection_set_config(conn, config), S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT); }; + + /* s2n_connection_set_config doesn't enforce cert preferences + * + * Customers may configure large numbers of certs on each config. This test + * asserts that we don't do any validation on certificates as part of set_config, + * because that would incur a potentially large performance penalty. + */ + { + DEFER_CLEANUP(struct s2n_cert_chain_and_key *invalid_cert = NULL, s2n_cert_chain_and_key_ptr_free); + EXPECT_SUCCESS( + s2n_test_cert_permutation_load_server_chain(&invalid_cert, "ec", "ecdsa", "p384", "sha256")); + + DEFER_CLEANUP(struct s2n_config *invalid_config = s2n_config_new(), s2n_config_ptr_free); + EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(invalid_config, invalid_cert)); + + /* directly set the security policy to avoid the validation in "set_cipher_preferences" */ + const struct s2n_security_policy *security_policy = NULL; + POSIX_GUARD(s2n_find_security_policy_from_version("rfc9151", &security_policy)); + invalid_config->security_policy = security_policy; + + DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_SERVER), s2n_connection_ptr_free); + POSIX_ENSURE_REF(conn); + /* Success implies that certificates are not validated as during "set_config" */ + EXPECT_SUCCESS(s2n_connection_set_config(conn, invalid_config)); + }; }; /* Test s2n_connection_get_wire_bytes_out */ diff --git a/tests/unit/s2n_security_policy_cert_preferences_test.c b/tests/unit/s2n_security_policy_cert_preferences_test.c index 1c7e44dd231..14b06121de9 100644 --- a/tests/unit/s2n_security_policy_cert_preferences_test.c +++ b/tests/unit/s2n_security_policy_cert_preferences_test.c @@ -18,6 +18,7 @@ #include "tls/s2n_certificate_keys.h" #include "tls/s2n_security_policies.h" #include "tls/s2n_signature_scheme.h" +#include "utils/s2n_map.h" #define CHAIN_LENGTH 3 @@ -265,6 +266,61 @@ int main(int argc, char **argv) } }; + /* s2n_config invariant: always respects config->security_policy cert preferences */ + { + DEFER_CLEANUP(struct s2n_cert_chain_and_key *invalid_cert = NULL, s2n_cert_chain_and_key_ptr_free); + EXPECT_SUCCESS(s2n_test_cert_permutation_load_server_chain(&invalid_cert, + "ec", "ecdsa", "p384", "sha256")); + + /* configure security policy then load an invalid cert */ + { + DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free); + EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "rfc9151")); + + EXPECT_FAILURE_WITH_ERRNO(s2n_config_add_cert_chain_and_key_to_store(config, invalid_cert), + S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT); + + /* assert that no certs were loaded */ + uint32_t domain_certs = 0; + EXPECT_EQUAL(s2n_config_get_num_default_certs(config), 0); + EXPECT_OK(s2n_map_size(config->domain_name_to_cert_map, &domain_certs)); + EXPECT_EQUAL(domain_certs, 0); + EXPECT_EQUAL(s2n_config_get_num_default_certs(config), 0); + }; + + /* load a cert then configure an invalid security policy */ + { + DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free); + EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, invalid_cert)); + const struct s2n_security_policy *default_sp = config->security_policy; + EXPECT_FAILURE_WITH_ERRNO(s2n_config_set_cipher_preferences(config, "rfc9151"), + S2N_ERR_SECURITY_POLICY_INCOMPATIBLE_CERT); + + /* assert that the security policy was not changed */ + EXPECT_EQUAL(config->security_policy, default_sp); + }; + }; + + /* default policy check: ensure that the default security policy doesn't + * enforce certificate preferences. + * + * Adding certificate preferences to the default security policy would be a + * breaking change, because it would prevent customers from adding + * non-compliant certs unless they first set the security policy. + * + * This test ensures that such a breaking change would be visible and + * deliberate. + */ + { + DEFER_CLEANUP(struct s2n_cert_chain_and_key *cert = NULL, s2n_cert_chain_and_key_ptr_free); + /* use a very insecure cert that would not be included in any reasonable cert preferences */ + EXPECT_SUCCESS(s2n_test_cert_permutation_load_server_chain(&cert, "rsae", "pkcs", "1024", "sha1")); + + DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free); + EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, cert)); + EXPECT_EQUAL(s2n_config_get_num_default_certs(config), 1); + }; + END_TEST(); return S2N_SUCCESS; } diff --git a/tls/s2n_config.c b/tls/s2n_config.c index c84736be495..e911eb96879 100644 --- a/tls/s2n_config.c +++ b/tls/s2n_config.c @@ -532,6 +532,8 @@ static int s2n_config_add_cert_chain_and_key_impl(struct s2n_config *config, str POSIX_ENSURE_REF(config->domain_name_to_cert_map); POSIX_ENSURE_REF(cert_key_pair); + POSIX_GUARD_RESULT(s2n_security_policy_validate_certificate_chain(config->security_policy, cert_key_pair)); + s2n_pkey_type cert_type = s2n_cert_chain_and_key_get_pkey_type(cert_key_pair); config->is_rsa_cert_configured |= (cert_type == S2N_PKEY_TYPE_RSA); @@ -567,6 +569,11 @@ S2N_RESULT s2n_config_validate_loaded_certificates(const struct s2n_config *conf RESULT_ENSURE_REF(config); RESULT_ENSURE_REF(security_policy); + if (security_policy->certificate_key_preferences == NULL + && security_policy->certificate_signature_preferences == NULL) { + return S2N_RESULT_OK; + } + /* validate the default certs */ for (int i = 0; i < S2N_CERT_TYPE_COUNT; i++) { struct s2n_cert_chain_and_key *cert = config->default_certs_by_type.certs[i]; @@ -577,6 +584,10 @@ S2N_RESULT s2n_config_validate_loaded_certificates(const struct s2n_config *conf } /* validate the certs in the domain map */ + if (config->domain_name_to_cert_map == NULL) { + return S2N_RESULT_OK; + } + struct s2n_map_iterator iter = { 0 }; RESULT_GUARD(s2n_map_iterator_init(&iter, config->domain_name_to_cert_map)); diff --git a/tls/s2n_connection.c b/tls/s2n_connection.c index 74f1597aabb..86323d681dd 100644 --- a/tls/s2n_connection.c +++ b/tls/s2n_connection.c @@ -287,11 +287,14 @@ int s2n_connection_set_config(struct s2n_connection *conn, struct s2n_config *co return 0; } - const struct s2n_security_policy *security_policy = conn->security_policy_override; - if (!security_policy) { - security_policy = config->security_policy; + /* s2n_config invariant: any s2n_config is always in a state that respects the + * config->security_policy certificate preferences. Therefore we only need to + * validate certificates here if the connection is using a security policy override. + */ + const struct s2n_security_policy *security_policy_override = conn->security_policy_override; + if (security_policy_override) { + POSIX_GUARD_RESULT(s2n_config_validate_loaded_certificates(config, security_policy_override)); } - POSIX_GUARD_RESULT(s2n_config_validate_loaded_certificates(config, security_policy)); /* We only support one client certificate */ if (s2n_config_get_num_default_certs(config) > 1 && conn->mode == S2N_CLIENT) { diff --git a/tls/s2n_security_policies.c b/tls/s2n_security_policies.c index aa6c461d49f..c36515bd3c1 100644 --- a/tls/s2n_security_policies.c +++ b/tls/s2n_security_policies.c @@ -1278,6 +1278,8 @@ int s2n_config_set_cipher_preferences(struct s2n_config *config, const char *ver /* If the security policy's minimum version is higher than what libcrypto supports, return an error. */ POSIX_ENSURE((security_policy->minimum_protocol_version <= s2n_get_highest_fully_supported_tls_version()), S2N_ERR_PROTOCOL_VERSION_UNSUPPORTED); + /* If the config contains certificates violating the security policy cert preferences, return an error. */ + POSIX_GUARD_RESULT(s2n_config_validate_loaded_certificates(config, security_policy)); config->security_policy = security_policy; return 0; }