test: pin tests to explicit TLS 1.2/TLS 1.3 policy (#4926)
toidiu authored Nov 27, 2024
1 parent be2ad4b commit 087c02e
Showing 8 changed files with 40 additions and 13 deletions.
22 changes: 14 additions & 8 deletions bindings/rust/integration/src/network/tls_client.rs
@@ -1,7 +1,11 @@
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

use s2n_tls::{config::Config, enums::Version, security::Policy};
use s2n_tls::{
config::Config,
enums::Version,
security::{self, Policy},
};
use s2n_tls_tokio::{TlsConnector, TlsStream};
use tokio::net::TcpStream;

Expand All @@ -14,13 +18,13 @@ use tokio::net::TcpStream;
/// `Err``.
async fn handshake_with_domain(
domain: &str,
security_policy: &str,
security_policy: &Policy,
) -> Result<TlsStream<TcpStream>, Box<dyn std::error::Error>> {
tracing::info!("querying {domain} with {security_policy}");
tracing::info!("querying {domain} with {:?}", security_policy);
const PORT: u16 = 443;

let mut config = Config::builder();
config.set_security_policy(&Policy::from_version(security_policy)?)?;
config.set_security_policy(security_policy)?;

let client = TlsConnector::new(config.build()?);
// open the TCP stream
Expand All @@ -42,7 +46,8 @@ mod kms_pq {
// supports ML-KEM.
#[test_log::test(tokio::test)]
async fn pq_handshake() -> Result<(), Box<dyn std::error::Error>> {
let tls = handshake_with_domain(DOMAIN, "KMS-PQ-TLS-1-0-2020-07").await?;
let policy = Policy::from_version("KMS-PQ-TLS-1-0-2020-07")?;
let tls = handshake_with_domain(DOMAIN, &policy).await?;

assert_eq!(
tls.as_ref().cipher_suite()?,
Expand All @@ -65,7 +70,8 @@ mod kms_pq {
];

for security_policy in EARLY_DRAFT_PQ_POLICIES {
let tls = handshake_with_domain(DOMAIN, security_policy).await?;
let policy = Policy::from_version(security_policy)?;
let tls = handshake_with_domain(DOMAIN, &policy).await?;

assert_eq!(tls.as_ref().cipher_suite()?, "ECDHE-RSA-AES256-GCM-SHA384");
assert_eq!(tls.as_ref().kem_name(), None);
Expand All @@ -84,10 +90,10 @@ async fn tls_client() -> Result<(), Box<dyn std::error::Error>> {
for domain in DOMAINS {
tracing::info!("querying {domain}");

let tls12 = handshake_with_domain(domain, "default").await?;
let tls12 = handshake_with_domain(domain, &security::TESTING_TLS12).await?;
assert_eq!(tls12.as_ref().actual_protocol_version()?, Version::TLS12);

let tls13 = handshake_with_domain(domain, "default_tls13").await?;
let tls13 = handshake_with_domain(domain, &security::DEFAULT_TLS13).await?;
assert_eq!(tls13.as_ref().actual_protocol_version()?, Version::TLS13);
}

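Review bot: `security::TESTING_TLS12`, used on the new line `let tls12 = handshake_with_domain(domain, &security::TESTING_TLS12).await?;`, is declared in s2n-tls under `#[cfg(any(feature = "unstable-testing", test))]`, and the integration crate's Cargo.toml is not among the eight changed files, so this compiles only if that crate already enables `unstable-testing` on its `s2n-tls` dependency — worth confirming. The doc comment of `handshake_with_domain` begins above the hunk, and its surviving fragment `Err``.` shows a stray backtick; since the parameter is now a `&Policy` rather than a policy-version string, that comment should be refreshed at the same time, e.g. `/// Opens a TCP connection to domain:443 and completes a TLS handshake under security_policy, returning the stream or the handshake error.` The `tls_client` test body continues past the end of the hunk.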
1 change: 1 addition & 0 deletions bindings/rust/s2n-tls-tokio/Cargo.toml
Expand Up @@ -19,6 +19,7 @@ s2n-tls = { version = "=0.3.7", path = "../s2n-tls" }
tokio = { version = "1", features = ["net", "time"] }

[dev-dependencies]
s2n-tls = { path = "../s2n-tls", features = ["unstable-testing"] }
clap = { version = "3", features = ["derive"] }
rand = { version = "0.8" }
tokio = { version = "1", features = [ "io-std", "io-util", "macros", "net", "rt-multi-thread", "test-util", "time"] }
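Review bot: The new `[dev-dependencies]` entry re-declares `s2n-tls` by `path` only, while the `[dependencies]` entry above pins `version = "=0.3.7"`; cargo resolves both to the same workspace package and unifies the feature, but the two declarations should agree so a future version bump is not applied to one and missed in the other: `s2n-tls = { version = "=0.3.7", path = "../s2n-tls", features = ["unstable-testing"] }`. A one-line comment stating why the feature is needed (it exposes the test-only `TESTING_TLS12` policy to this crate's tests) would also keep the next person trimming dev-dependencies from removing it.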
7 changes: 4 additions & 3 deletions bindings/rust/s2n-tls-tokio/tests/common/mod.rs
Expand Up @@ -5,7 +5,7 @@ use s2n_tls::{
config,
connection::Builder,
error::Error,
security::{DEFAULT, DEFAULT_TLS13},
security::{DEFAULT_TLS13, TESTING_TLS12},
};
use s2n_tls_tokio::{TlsAcceptor, TlsConnector, TlsStream};
use std::time::Duration;
Expand Down Expand Up @@ -61,14 +61,15 @@ pub fn server_config() -> Result<config::Builder, Error> {

pub fn client_config_tls12() -> Result<config::Builder, Error> {
let mut builder = config::Config::builder();
builder.set_security_policy(&DEFAULT)?;
builder.set_security_policy(&TESTING_TLS12)?;
builder.trust_pem(RSA_CERT_PEM)?;
Ok(builder)
}

pub fn server_config_tls12() -> Result<config::Builder, Error> {
let mut builder = config::Config::builder();
builder.set_security_policy(&DEFAULT)?;
builder.set_security_policy(&TESTING_TLS12)?;

builder.load_pem(RSA_CERT_PEM, RSA_KEY_PEM)?;
Ok(builder)
}
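Review bot: `client_config_tls12` and `server_config_tls12` are `pub` helpers with no doc comments, and nothing in them tells a reader that `TESTING_TLS12` is a test-only constant that only exists because this crate enables the `unstable-testing` feature in its dev-dependencies. I would add `/// Client config pinned to the test-only TLS 1.2 policy (TESTING_TLS12), trusting the RSA test certificate.` above `client_config_tls12`, and `/// Server config pinned to the test-only TLS 1.2 policy (TESTING_TLS12), serving the RSA test certificate and key.` above `server_config_tls12`. It is also worth noting in one of them that a numbered policy is deliberately used instead of `default` so these helpers keep producing TLS 1.2 handshakes if the default policy changes, since that intent is only visible from the commit title.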
3 changes: 3 additions & 0 deletions bindings/rust/s2n-tls/src/security.rs
Expand Up @@ -105,6 +105,9 @@ pub const DEFAULT: Policy = policy!("default");
/// <https://aws.github.io/s2n-tls/usage-guide/ch06-security-policies.html>
pub const DEFAULT_TLS13: Policy = policy!("default_tls13");

#[cfg(any(feature = "unstable-testing", test))]
pub const TESTING_TLS12: Policy = policy!("20240501");

#[cfg(feature = "pq")]
pub const TESTING_PQ: Policy = policy!("PQ-TLS-1-0-2021-05-26");

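Review bot: `pub const TESTING_TLS12: Policy = policy!("20240501");` has no doc comment, while its neighbours `DEFAULT` and `DEFAULT_TLS13` carry `///` docs pointing at the security-policy usage guide. Because the `cfg` makes the constant public to any crate that enables `unstable-testing`, the doc should say what it is for and that it is not a production choice, e.g. `/// A TLS 1.2-only policy for tests that must exercise TLS 1.2 code paths; not a recommended production policy, use [DEFAULT] or [DEFAULT_TLS13] instead.` Whether "20240501" stays TLS 1.2-only is a property of that numbered policy rather than of this constant, so callers that depend on it should assert the negotiated version, as tls_client.rs does.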
4 changes: 3 additions & 1 deletion bindings/rust/s2n-tls/src/testing/resumption.rs
Expand Up @@ -63,13 +63,14 @@ mod tests {
}

#[test]
fn resume_session() -> Result<(), Box<dyn Error>> {
fn resume_tls12_session() -> Result<(), Box<dyn Error>> {
let keypair = CertKeyPair::default();

// Initialize config for server with a ticket key
let mut server_config_builder = Builder::new();
server_config_builder
.add_session_ticket_key(&KEYNAME, &KEY, SystemTime::now())?
.set_security_policy(&security::TESTING_TLS12)?
.load_pem(keypair.cert(), keypair.key())?;
let server_config = server_config_builder.build()?;

Expand All @@ -83,6 +84,7 @@ mod tests {
.set_session_ticket_callback(handler.clone())?
.trust_pem(keypair.cert())?
.set_verify_host_callback(InsecureAcceptAllCertificatesHandler {})?
.set_security_policy(&security::TESTING_TLS12)?
.set_connection_initializer(handler)?;
let client_config = client_config_builder.build()?;

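Review bot: `resume_tls12_session` now pins both server and client to `security::TESTING_TLS12`, but nothing visible in the test checks that the handshake actually negotiated TLS 1.2, so if that numbered policy or the test certificate setup ever permitted TLS 1.3 the test would quietly exercise the TLS 1.3 ticket path while its name and assertions still passed. After the handshake, which lies outside this hunk, I would add `assert_eq!(client_conn.actual_protocol_version()?, Version::TLS12);` on the client connection (variable name not visible here), mirroring the check tls_client.rs makes. The function body continues past the end of the hunk.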
12 changes: 12 additions & 0 deletions tests/unit/s2n_client_supported_groups_extension_test.c
Expand Up @@ -260,12 +260,24 @@ int main()

for (size_t i = 0; i < NUM_MISMATCH_PQ_TEST_POLICY_OVERRIDES; i++) {
EXPECT_SUCCESS(s2n_enable_tls13_in_test());

DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(),
s2n_config_ptr_free);
EXPECT_NOT_NULL(config);
/* These tests explicitly set security_policy_override to test ECC
* selection logic and expect a s2n_config that does support x25519 and
* TLS 1.3, but does not support PQ.
*/
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240503"));

struct s2n_connection *client_conn = NULL;
EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
EXPECT_SUCCESS(s2n_connection_set_config(client_conn, config));
client_conn->security_policy_override = test_policy_overrides[i][0];

struct s2n_connection *server_conn = NULL;
EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_CLIENT));
EXPECT_SUCCESS(s2n_connection_set_config(server_conn, config));
server_conn->security_policy_override = test_policy_overrides[i][1];

const struct s2n_ecc_preferences *server_ecc_pref = NULL;
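Review bot: The new comment asserts that "20240503" supports x25519 and TLS 1.3 but not PQ, yet nothing in the loop verifies those properties, so a later edit to that numbered policy would silently change what the override tests exercise; an explicit check on the ECC (and presumably KEM) preferences the test goes on to retrieve would turn the comment into something the test enforces. On the context line right after the new `EXPECT_SUCCESS(s2n_connection_set_config(client_conn, config));`, `server_conn` is created with `S2N_CLIENT`; if that is deliberate because only resolved preferences are read, a comment such as `/* connection mode is irrelevant here: only the resolved preferences are inspected */` would stop readers from flagging it, otherwise it should be `S2N_SERVER`. The loop body continues past the end of the hunk.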
3 changes: 2 additions & 1 deletion tests/unit/s2n_self_talk_ktls_test.c
Expand Up @@ -131,7 +131,8 @@ int main(int argc, char **argv)
DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
/* Configure a TLS 1.2 policy */
EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
EXPECT_SUCCESS(s2n_config_ktls_enable_unsafe_tls13(config));

/* Even if we detected ktls support at compile time, enabling ktls
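Review bot: The new comment `/* Configure a TLS 1.2 policy */` is immediately followed by `s2n_config_ktls_enable_unsafe_tls13(config)`, which reads as a contradiction to anyone who does not know the test's history; the comment should carry the why rather than the what. I would write `/* Pin a TLS 1.2-only policy instead of "default" so this test keeps exercising the TLS 1.2 kTLS path even if the default policy later moves to TLS 1.3 */`. If TLS 1.3 kTLS was previously reached through "default" in this test, that coverage is gone unless another test provides it — worth confirming, as the rest of the test body is outside this hunk.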
1 change: 1 addition & 0 deletions tests/unit/s2n_server_key_share_extension_test.c
Expand Up @@ -251,6 +251,7 @@ int main(int argc, char **argv)
struct s2n_connection *client_conn = NULL;

EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(client_conn, "20240503"));

const struct s2n_ecc_preferences *ecc_pref = NULL;
EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(client_conn, &ecc_pref));
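Review bot: The added `EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(client_conn, "20240503"));` carries no explanation, unlike the identical pin in s2n_client_supported_groups_extension_test.c, so a reader has no way to know why that numbered policy was chosen or what the `ecc_pref` read on the following lines depends on. I would add above it `/* Pin a policy that supports x25519 and TLS 1.3 so the ECC preferences below do not shift when "default" changes */`, with the x25519/TLS 1.3 claim taken from the sibling test's comment rather than verified here. Note that the Rust `TESTING_TLS12` pins "20240501" while the C tests pin "20240503"; a short comment in each place distinguishing the two would keep them from being conflated. The enclosing test continues past the end of the hunk.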
