test: pin static testing policies to numbered versions
toidiu committed Oct 21, 2024
1 parent ae74eb5 commit 55a0f7f
Showing 7 changed files with 307 additions and 176 deletions.
2 changes: 1 addition & 1 deletion tests/fuzz/s2n_certificate_extensions_parse_test.c
Expand Up @@ -52,7 +52,6 @@ static const uint8_t TLS_VERSIONS[] = {S2N_TLS13};
int s2n_fuzz_init(int *argc, char **argv[])
{
/* Initialize the trust store */
POSIX_GUARD_RESULT(s2n_config_testing_defaults_init_tls13_certs());
POSIX_GUARD(s2n_enable_tls13_in_test());
return S2N_SUCCESS;
}
Expand All @@ -69,6 +68,7 @@ int s2n_fuzz_test(const uint8_t *buf, size_t len)

struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT);
POSIX_ENSURE_REF(client_conn);
POSIX_GUARD(s2n_connection_set_cipher_preferences(client_conn, "20240503"));

/* Pull a byte off the libfuzzer input and use it to set parameters */
uint8_t randval = 0;
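Review bot: The new `s2n_connection_set_cipher_preferences(client_conn, "20240503")` pins the client to a bare numbered policy with no explanation of why this one; `TLS_VERSIONS` above is `{S2N_TLS13}`, so the choice presumably stands in for the removed `s2n_enable_tls13_in_test()` call and must remain a TLS1.3-capable policy if it is ever bumped. Suggest a comment on that line, `/* TLS1.3 policy: this fuzz target only exercises TLS1.3 (see TLS_VERSIONS) */`, or hoisting the version string into a named constant next to `TLS_VERSIONS` so the two stay in step. `s2n_fuzz_test` continues outside the hunk.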
54 changes: 48 additions & 6 deletions tests/unit/s2n_config_test.c
Expand Up @@ -69,10 +69,14 @@ int main(int argc, char **argv)

const s2n_mode modes[] = { S2N_CLIENT, S2N_SERVER };

const struct s2n_security_policy *default_security_policy = NULL, *tls13_security_policy = NULL, *fips_security_policy = NULL;
EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_tls13", &tls13_security_policy));
const struct s2n_security_policy *default_security_policy = NULL, *fips_security_policy = NULL,
*tls12_security_policy = NULL, *tls12_fips_security_policy = NULL,
*tls13_security_policy = NULL;
EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_fips", &fips_security_policy));
EXPECT_SUCCESS(s2n_find_security_policy_from_version("default", &default_security_policy));
EXPECT_SUCCESS(s2n_find_security_policy_from_version("20240501", &tls12_security_policy));
EXPECT_SUCCESS(s2n_find_security_policy_from_version("20240502", &tls12_fips_security_policy));
EXPECT_SUCCESS(s2n_find_security_policy_from_version("20240503", &tls13_security_policy));

char cert[S2N_MAX_TEST_PEM_SIZE] = { 0 };
EXPECT_SUCCESS(s2n_read_test_pem(S2N_DEFAULT_TEST_CERT_CHAIN, cert, S2N_MAX_TEST_PEM_SIZE));
Expand Down Expand Up @@ -102,9 +106,11 @@ int main(int argc, char **argv)
EXPECT_SUCCESS(s2n_config_free(config));
};

/* Connections created with default configs */
/* Connections created with default settings */
{
/* For TLS1.2 */
EXPECT_SUCCESS(s2n_reset_tls13_in_test());

/* Not fips */
if (!s2n_is_in_fips_mode()) {
struct s2n_connection *conn = NULL;
const struct s2n_security_policy *security_policy = NULL;
Expand All @@ -118,6 +124,41 @@ int main(int argc, char **argv)
EXPECT_SUCCESS(s2n_connection_free(conn));
}

/* For fips */
if (s2n_is_in_fips_mode()) {
struct s2n_connection *conn = NULL;
const struct s2n_security_policy *security_policy = NULL;
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));

EXPECT_EQUAL(conn->config, s2n_fetch_default_config());

EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
EXPECT_EQUAL(security_policy, fips_security_policy);

EXPECT_SUCCESS(s2n_connection_free(conn));
}

EXPECT_SUCCESS(s2n_disable_tls13_in_test());
};

/* Connections created with testing overrides */
{
/* For TLS1.2 */
if (!s2n_is_in_fips_mode()) {
EXPECT_SUCCESS(s2n_disable_tls13_in_test());
struct s2n_connection *conn = NULL;
const struct s2n_security_policy *security_policy = NULL;
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));

EXPECT_EQUAL(conn->config, s2n_fetch_default_config());

EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
EXPECT_EQUAL(security_policy, tls12_security_policy);

EXPECT_SUCCESS(s2n_connection_free(conn));
EXPECT_SUCCESS(s2n_disable_tls13_in_test());
}

/* For TLS1.3 */
{
EXPECT_SUCCESS(s2n_enable_tls13_in_test());
Expand All @@ -136,14 +177,15 @@ int main(int argc, char **argv)

/* For fips */
if (s2n_is_in_fips_mode()) {
EXPECT_SUCCESS(s2n_disable_tls13_in_test());
struct s2n_connection *conn = NULL;
const struct s2n_security_policy *security_policy = NULL;
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));

EXPECT_EQUAL(conn->config, s2n_fetch_default_config());

EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
EXPECT_EQUAL(security_policy, fips_security_policy);
EXPECT_EQUAL(security_policy, tls12_fips_security_policy);

EXPECT_SUCCESS(s2n_connection_free(conn));
EXPECT_SUCCESS(s2n_disable_tls13_in_test());
Expand All @@ -155,7 +197,7 @@ int main(int argc, char **argv)
if (!s2n_is_in_fips_mode()) {
struct s2n_config *config = NULL;
EXPECT_NOT_NULL(config = s2n_config_new());
EXPECT_EQUAL(config->security_policy, default_security_policy);
EXPECT_EQUAL(config->security_policy, tls12_security_policy);
EXPECT_SUCCESS(s2n_config_free(config));

EXPECT_SUCCESS(s2n_enable_tls13_in_test());
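Review bot: The `/* For TLS1.2 */` comment in the default-settings block sits above `s2n_reset_tls13_in_test()`, which restores the library's own default rather than selecting TLS1.2, and the same label is reused in the override block where TLS1.3 is explicitly disabled; if that line is new, `/* Library default, no test override */` describes it better. Separately, the TLS1.2 override case calls `s2n_disable_tls13_in_test()` both on entry and on exit with no enable in between, so the exit call is redundant unless it is kept for symmetry with the TLS1.3 case; the fips override case repeats the pattern. The non-fips and fips cases are mutually exclusive and would read more clearly as one `if`/`else`. The enclosing `main` starts and ends outside the hunk.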
228 changes: 87 additions & 141 deletions tests/unit/s2n_connection_preferences_test.c
Expand Up @@ -23,176 +23,122 @@
#include "tls/s2n_security_policies.h"
#include "tls/s2n_tls13.h"

int main(int argc, char **argv)
{
BEGIN_TEST();
EXPECT_SUCCESS(s2n_disable_tls13_in_test());

const struct s2n_security_policy *default_security_policy = NULL, *tls13_security_policy = NULL, *fips_security_policy = NULL;
EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_tls13", &tls13_security_policy));
EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_fips", &fips_security_policy));
EXPECT_SUCCESS(s2n_find_security_policy_from_version("default", &default_security_policy));

/* Test default TLS1.2 */
if (!s2n_is_in_fips_mode()) {
struct s2n_connection *conn = NULL;
const struct s2n_cipher_preferences *cipher_preferences = NULL;
const struct s2n_security_policy *security_policy = NULL;
const struct s2n_kem_preferences *kem_preferences = NULL;
const struct s2n_signature_preferences *signature_preferences = NULL;
const struct s2n_ecc_preferences *ecc_preferences = NULL;

EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
EXPECT_NULL(conn->security_policy_override);

EXPECT_SUCCESS(s2n_connection_get_cipher_preferences(conn, &cipher_preferences));
EXPECT_EQUAL(cipher_preferences, default_security_policy->cipher_preferences);

EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
EXPECT_EQUAL(security_policy, default_security_policy);
S2N_RESULT test_policy_behavior(const struct s2n_security_policy *policy,
const struct s2n_security_policy *compare_policy, const char *compare_policy_name) {
RESULT_ENSURE_REF(policy);

EXPECT_SUCCESS(s2n_connection_get_kem_preferences(conn, &kem_preferences));
EXPECT_EQUAL(kem_preferences, default_security_policy->kem_preferences);

EXPECT_SUCCESS(s2n_connection_get_signature_preferences(conn, &signature_preferences));
EXPECT_EQUAL(signature_preferences, default_security_policy->signature_preferences);

EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(conn, &ecc_preferences));
EXPECT_EQUAL(ecc_preferences, default_security_policy->ecc_preferences);

EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(conn, "20170328"));
EXPECT_NOT_NULL(conn->security_policy_override);

cipher_preferences = NULL;
EXPECT_SUCCESS(s2n_connection_get_cipher_preferences(conn, &cipher_preferences));
EXPECT_EQUAL(cipher_preferences, security_policy_20170328.cipher_preferences);

security_policy = NULL;
EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
EXPECT_EQUAL(security_policy, &security_policy_20170328);

kem_preferences = NULL;
EXPECT_SUCCESS(s2n_connection_get_kem_preferences(conn, &kem_preferences));
EXPECT_EQUAL(kem_preferences, security_policy_20170328.kem_preferences);

signature_preferences = NULL;
EXPECT_SUCCESS(s2n_connection_get_signature_preferences(conn, &signature_preferences));
EXPECT_EQUAL(signature_preferences, security_policy_20170328.signature_preferences);

ecc_preferences = NULL;
EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(conn, &ecc_preferences));
EXPECT_EQUAL(ecc_preferences, security_policy_20170328.ecc_preferences);

EXPECT_SUCCESS(s2n_connection_free(conn));
}

/* Test TLS1.3 */
{
EXPECT_SUCCESS(s2n_enable_tls13_in_test());
struct s2n_connection *conn = NULL;
const struct s2n_cipher_preferences *cipher_preferences = NULL;
const struct s2n_security_policy *security_policy = NULL;
const struct s2n_kem_preferences *kem_preferences = NULL;
const struct s2n_signature_preferences *signature_preferences = NULL;
const struct s2n_ecc_preferences *ecc_preferences = NULL;
struct s2n_connection *conn = NULL;
const struct s2n_cipher_preferences *cipher_preferences = NULL;
const struct s2n_security_policy *security_policy = NULL;
const struct s2n_kem_preferences *kem_preferences = NULL;
const struct s2n_signature_preferences *signature_preferences = NULL;
const struct s2n_ecc_preferences *ecc_preferences = NULL;

EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
EXPECT_NULL(conn->security_policy_override);
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
EXPECT_NULL(conn->security_policy_override);

EXPECT_SUCCESS(s2n_connection_get_cipher_preferences(conn, &cipher_preferences));
EXPECT_EQUAL(cipher_preferences, tls13_security_policy->cipher_preferences);
EXPECT_SUCCESS(s2n_connection_get_cipher_preferences(conn, &cipher_preferences));
EXPECT_EQUAL(cipher_preferences, policy->cipher_preferences);

EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
EXPECT_EQUAL(security_policy, tls13_security_policy);
EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
EXPECT_EQUAL(security_policy, policy);

EXPECT_SUCCESS(s2n_connection_get_kem_preferences(conn, &kem_preferences));
EXPECT_EQUAL(kem_preferences, tls13_security_policy->kem_preferences);
EXPECT_SUCCESS(s2n_connection_get_kem_preferences(conn, &kem_preferences));
EXPECT_EQUAL(kem_preferences, policy->kem_preferences);

EXPECT_SUCCESS(s2n_connection_get_signature_preferences(conn, &signature_preferences));
EXPECT_EQUAL(signature_preferences, tls13_security_policy->signature_preferences);
EXPECT_SUCCESS(s2n_connection_get_signature_preferences(conn, &signature_preferences));
EXPECT_EQUAL(signature_preferences, policy->signature_preferences);

EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(conn, &ecc_preferences));
EXPECT_EQUAL(ecc_preferences, tls13_security_policy->ecc_preferences);
EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(conn, &ecc_preferences));
EXPECT_EQUAL(ecc_preferences, policy->ecc_preferences);

EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(conn, "test_all_tls13"));
EXPECT_NOT_NULL(conn->security_policy_override);
/* Load the security policy with the compare_policy_name and confirm it is equal
* to the compare_policy
*/
EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(conn, compare_policy_name));
EXPECT_NOT_NULL(conn->security_policy_override);

cipher_preferences = NULL;
EXPECT_SUCCESS(s2n_connection_get_cipher_preferences(conn, &cipher_preferences));
EXPECT_EQUAL(cipher_preferences, security_policy_test_all_tls13.cipher_preferences);
cipher_preferences = NULL;
EXPECT_SUCCESS(s2n_connection_get_cipher_preferences(conn, &cipher_preferences));
EXPECT_EQUAL(cipher_preferences, compare_policy->cipher_preferences);

security_policy = NULL;
EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
EXPECT_EQUAL(security_policy, &security_policy_test_all_tls13);
security_policy = NULL;
EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
EXPECT_EQUAL(security_policy, compare_policy);

kem_preferences = NULL;
EXPECT_SUCCESS(s2n_connection_get_kem_preferences(conn, &kem_preferences));
EXPECT_EQUAL(kem_preferences, security_policy_test_all_tls13.kem_preferences);
kem_preferences = NULL;
EXPECT_SUCCESS(s2n_connection_get_kem_preferences(conn, &kem_preferences));
EXPECT_EQUAL(kem_preferences, compare_policy->kem_preferences);

signature_preferences = NULL;
EXPECT_SUCCESS(s2n_connection_get_signature_preferences(conn, &signature_preferences));
EXPECT_EQUAL(signature_preferences, security_policy_test_all_tls13.signature_preferences);
signature_preferences = NULL;
EXPECT_SUCCESS(s2n_connection_get_signature_preferences(conn, &signature_preferences));
EXPECT_EQUAL(signature_preferences, compare_policy->signature_preferences);

ecc_preferences = NULL;
EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(conn, &ecc_preferences));
EXPECT_EQUAL(ecc_preferences, security_policy_test_all_tls13.ecc_preferences);
ecc_preferences = NULL;
EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(conn, &ecc_preferences));
EXPECT_EQUAL(ecc_preferences, compare_policy->ecc_preferences);

EXPECT_SUCCESS(s2n_connection_free(conn));
EXPECT_SUCCESS(s2n_disable_tls13_in_test());
};
EXPECT_SUCCESS(s2n_connection_free(conn));

/* Test default fips */
return S2N_RESULT_OK;
}

if (s2n_is_in_fips_mode()) {
struct s2n_connection *conn = NULL;
const struct s2n_cipher_preferences *cipher_preferences = NULL;
const struct s2n_security_policy *security_policy = NULL;
const struct s2n_kem_preferences *kem_preferences = NULL;
const struct s2n_signature_preferences *signature_preferences = NULL;
const struct s2n_ecc_preferences *ecc_preferences = NULL;

EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
EXPECT_NULL(conn->security_policy_override);
int main(int argc, char **argv)
{
BEGIN_TEST();
EXPECT_SUCCESS(s2n_disable_tls13_in_test());

EXPECT_SUCCESS(s2n_connection_get_cipher_preferences(conn, &cipher_preferences));
EXPECT_EQUAL(cipher_preferences, fips_security_policy->cipher_preferences);
const struct s2n_security_policy *default_security_policy = NULL, *fips_security_policy = NULL,
*tls12_security_policy = NULL, *tls12_fips_security_policy = NULL,
*tls13_security_policy = NULL;
EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_fips", &fips_security_policy));
EXPECT_SUCCESS(s2n_find_security_policy_from_version("default", &default_security_policy));
EXPECT_SUCCESS(s2n_find_security_policy_from_version("20240501", &tls12_security_policy));
EXPECT_SUCCESS(s2n_find_security_policy_from_version("20240502", &tls12_fips_security_policy));
EXPECT_SUCCESS(s2n_find_security_policy_from_version("20240503", &tls13_security_policy));

EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
EXPECT_EQUAL(security_policy, fips_security_policy);
/* Test default */
{
EXPECT_SUCCESS(s2n_reset_tls13_in_test());

EXPECT_SUCCESS(s2n_connection_get_kem_preferences(conn, &kem_preferences));
EXPECT_EQUAL(kem_preferences, fips_security_policy->kem_preferences);
/* TLS 1.2 */
if (!s2n_is_in_fips_mode()) {
EXPECT_OK(test_policy_behavior(default_security_policy, &security_policy_20240501, "20240501"));
}

EXPECT_SUCCESS(s2n_connection_get_signature_preferences(conn, &signature_preferences));
EXPECT_EQUAL(signature_preferences, fips_security_policy->signature_preferences);
/* TLS 1.2 FIPS */
if (s2n_is_in_fips_mode()) {
EXPECT_OK(test_policy_behavior(fips_security_policy, &security_policy_20240502, "20240502"));
}

EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(conn, &ecc_preferences));
EXPECT_EQUAL(ecc_preferences, fips_security_policy->ecc_preferences);
EXPECT_SUCCESS(s2n_disable_tls13_in_test());
}

EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(conn, "test_all_fips"));
EXPECT_NOT_NULL(conn->security_policy_override);
/* Test override */
{
/* Test override TLS1.2 */
if (!s2n_is_in_fips_mode()) {
EXPECT_SUCCESS(s2n_disable_tls13_in_test());

cipher_preferences = NULL;
EXPECT_SUCCESS(s2n_connection_get_cipher_preferences(conn, &cipher_preferences));
EXPECT_EQUAL(cipher_preferences, security_policy_test_all_fips.cipher_preferences);
EXPECT_OK(test_policy_behavior(tls12_security_policy, &security_policy_20170328, "20170328"));
}

security_policy = NULL;
EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
EXPECT_EQUAL(security_policy, &security_policy_test_all_fips);
/* Test override TLS1.3 */
{
EXPECT_SUCCESS(s2n_enable_tls13_in_test());

kem_preferences = NULL;
EXPECT_SUCCESS(s2n_connection_get_kem_preferences(conn, &kem_preferences));
EXPECT_EQUAL(kem_preferences, security_policy_test_all_fips.kem_preferences);
EXPECT_OK(test_policy_behavior(tls13_security_policy, &security_policy_test_all_tls13, "test_all_tls13"));
};

signature_preferences = NULL;
EXPECT_SUCCESS(s2n_connection_get_signature_preferences(conn, &signature_preferences));
EXPECT_EQUAL(signature_preferences, security_policy_test_all_fips.signature_preferences);
/* Test override default fips */
if (s2n_is_in_fips_mode()) {
EXPECT_SUCCESS(s2n_disable_tls13_in_test());

ecc_preferences = NULL;
EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(conn, &ecc_preferences));
EXPECT_EQUAL(ecc_preferences, security_policy_test_all_fips.ecc_preferences);
EXPECT_OK(test_policy_behavior(fips_security_policy, &security_policy_test_all_fips, "test_all_fips"));
}

EXPECT_SUCCESS(s2n_connection_free(conn));
EXPECT_SUCCESS(s2n_disable_tls13_in_test());
}

/* Test for NULL */
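Review bot: `test_policy_behavior` guards only `policy` with `RESULT_ENSURE_REF`, yet `compare_policy` is dereferenced (`compare_policy->cipher_preferences` and the following fields) and `compare_policy_name` is handed to `s2n_connection_set_cipher_preferences`; add `RESULT_ENSURE_REF(compare_policy);` and `RESULT_ENSURE_REF(compare_policy_name);` after the existing check. The helper is a file-scope function used only by `main` in this test, so it should be declared `static S2N_RESULT test_policy_behavior(...)`, and its opening brace is on the signature line while `main` in the same file puts the brace on its own line. A short header comment would make the contract explicit: a fresh connection's preferences must all match `policy`, and after overriding with `compare_policy_name` every preference must match `compare_policy`. The hunk's final lines belong to `main`, which continues outside the hunk.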