From 087c02e471d3fcdba4a6885565dde0ee78cc9248 Mon Sep 17 00:00:00 2001 From: toidiu Date: Wed, 27 Nov 2024 11:16:29 -0800 Subject: [PATCH] test: pin tests to explicit TLS 1.2/TLS 1.3 policy (#4926) --- .../integration/src/network/tls_client.rs | 22 ++++++++++++------- bindings/rust/s2n-tls-tokio/Cargo.toml | 1 + .../rust/s2n-tls-tokio/tests/common/mod.rs | 7 +++--- bindings/rust/s2n-tls/src/security.rs | 3 +++ .../rust/s2n-tls/src/testing/resumption.rs | 4 +++- ...n_client_supported_groups_extension_test.c | 12 ++++++++++ tests/unit/s2n_self_talk_ktls_test.c | 3 ++- .../s2n_server_key_share_extension_test.c | 1 + 8 files changed, 40 insertions(+), 13 deletions(-) diff --git a/bindings/rust/integration/src/network/tls_client.rs b/bindings/rust/integration/src/network/tls_client.rs index c94325a7692..caef998abf7 100644 --- a/bindings/rust/integration/src/network/tls_client.rs +++ b/bindings/rust/integration/src/network/tls_client.rs @@ -1,7 +1,11 @@ // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -use s2n_tls::{config::Config, enums::Version, security::Policy}; +use s2n_tls::{ + config::Config, + enums::Version, + security::{self, Policy}, +}; use s2n_tls_tokio::{TlsConnector, TlsStream}; use tokio::net::TcpStream; @@ -14,13 +18,13 @@ use tokio::net::TcpStream; /// `Err``. async fn handshake_with_domain( domain: &str, - security_policy: &str, + security_policy: &Policy, ) -> Result, Box> { - tracing::info!("querying {domain} with {security_policy}"); + tracing::info!("querying {domain} with {:?}", security_policy); const PORT: u16 = 443; let mut config = Config::builder(); - config.set_security_policy(&Policy::from_version(security_policy)?)?; + config.set_security_policy(security_policy)?; let client = TlsConnector::new(config.build()?); // open the TCP stream @@ -42,7 +46,8 @@ mod kms_pq { // supports ML-KEM. #[test_log::test(tokio::test)] async fn pq_handshake() -> Result<(), Box> { - let tls = handshake_with_domain(DOMAIN, "KMS-PQ-TLS-1-0-2020-07").await?; + let policy = Policy::from_version("KMS-PQ-TLS-1-0-2020-07")?; + let tls = handshake_with_domain(DOMAIN, &policy).await?; assert_eq!( tls.as_ref().cipher_suite()?, @@ -65,7 +70,8 @@ mod kms_pq { ]; for security_policy in EARLY_DRAFT_PQ_POLICIES { - let tls = handshake_with_domain(DOMAIN, security_policy).await?; + let policy = Policy::from_version(security_policy)?; + let tls = handshake_with_domain(DOMAIN, &policy).await?; assert_eq!(tls.as_ref().cipher_suite()?, "ECDHE-RSA-AES256-GCM-SHA384"); assert_eq!(tls.as_ref().kem_name(), None); @@ -84,10 +90,10 @@ async fn tls_client() -> Result<(), Box> { for domain in DOMAINS { tracing::info!("querying {domain}"); - let tls12 = handshake_with_domain(domain, "default").await?; + let tls12 = handshake_with_domain(domain, &security::TESTING_TLS12).await?; assert_eq!(tls12.as_ref().actual_protocol_version()?, Version::TLS12); - let tls13 = handshake_with_domain(domain, "default_tls13").await?; + let tls13 = handshake_with_domain(domain, &security::DEFAULT_TLS13).await?; assert_eq!(tls13.as_ref().actual_protocol_version()?, Version::TLS13); } diff --git a/bindings/rust/s2n-tls-tokio/Cargo.toml b/bindings/rust/s2n-tls-tokio/Cargo.toml index c4cb389943b..fc6db8d014d 100644 --- a/bindings/rust/s2n-tls-tokio/Cargo.toml +++ b/bindings/rust/s2n-tls-tokio/Cargo.toml @@ -19,6 +19,7 @@ s2n-tls = { version = "=0.3.7", path = "../s2n-tls" } tokio = { version = "1", features = ["net", "time"] } [dev-dependencies] +s2n-tls = { path = "../s2n-tls", features = ["unstable-testing"] } clap = { version = "3", features = ["derive"] } rand = { version = "0.8" } tokio = { version = "1", features = [ "io-std", "io-util", "macros", "net", "rt-multi-thread", "test-util", "time"] } diff --git a/bindings/rust/s2n-tls-tokio/tests/common/mod.rs b/bindings/rust/s2n-tls-tokio/tests/common/mod.rs index 5c587a46345..5b93561931c 100644 --- a/bindings/rust/s2n-tls-tokio/tests/common/mod.rs +++ b/bindings/rust/s2n-tls-tokio/tests/common/mod.rs @@ -5,7 +5,7 @@ use s2n_tls::{ config, connection::Builder, error::Error, - security::{DEFAULT, DEFAULT_TLS13}, + security::{DEFAULT_TLS13, TESTING_TLS12}, }; use s2n_tls_tokio::{TlsAcceptor, TlsConnector, TlsStream}; use std::time::Duration; @@ -61,14 +61,15 @@ pub fn server_config() -> Result { pub fn client_config_tls12() -> Result { let mut builder = config::Config::builder(); - builder.set_security_policy(&DEFAULT)?; + builder.set_security_policy(&TESTING_TLS12)?; builder.trust_pem(RSA_CERT_PEM)?; Ok(builder) } pub fn server_config_tls12() -> Result { let mut builder = config::Config::builder(); - builder.set_security_policy(&DEFAULT)?; + builder.set_security_policy(&TESTING_TLS12)?; + builder.load_pem(RSA_CERT_PEM, RSA_KEY_PEM)?; Ok(builder) } diff --git a/bindings/rust/s2n-tls/src/security.rs b/bindings/rust/s2n-tls/src/security.rs index 21e67ba4728..f8483105355 100644 --- a/bindings/rust/s2n-tls/src/security.rs +++ b/bindings/rust/s2n-tls/src/security.rs @@ -105,6 +105,9 @@ pub const DEFAULT: Policy = policy!("default"); /// pub const DEFAULT_TLS13: Policy = policy!("default_tls13"); +#[cfg(any(feature = "unstable-testing", test))] +pub const TESTING_TLS12: Policy = policy!("20240501"); + #[cfg(feature = "pq")] pub const TESTING_PQ: Policy = policy!("PQ-TLS-1-0-2021-05-26"); diff --git a/bindings/rust/s2n-tls/src/testing/resumption.rs b/bindings/rust/s2n-tls/src/testing/resumption.rs index acb11d631b3..7d02accbd66 100644 --- a/bindings/rust/s2n-tls/src/testing/resumption.rs +++ b/bindings/rust/s2n-tls/src/testing/resumption.rs @@ -63,13 +63,14 @@ mod tests { } #[test] - fn resume_session() -> Result<(), Box> { + fn resume_tls12_session() -> Result<(), Box> { let keypair = CertKeyPair::default(); // Initialize config for server with a ticket key let mut server_config_builder = Builder::new(); server_config_builder .add_session_ticket_key(&KEYNAME, &KEY, SystemTime::now())? + .set_security_policy(&security::TESTING_TLS12)? .load_pem(keypair.cert(), keypair.key())?; let server_config = server_config_builder.build()?; @@ -83,6 +84,7 @@ mod tests { .set_session_ticket_callback(handler.clone())? .trust_pem(keypair.cert())? .set_verify_host_callback(InsecureAcceptAllCertificatesHandler {})? + .set_security_policy(&security::TESTING_TLS12)? .set_connection_initializer(handler)?; let client_config = client_config_builder.build()?; diff --git a/tests/unit/s2n_client_supported_groups_extension_test.c b/tests/unit/s2n_client_supported_groups_extension_test.c index 1d8aa315856..58cbe1d9da9 100644 --- a/tests/unit/s2n_client_supported_groups_extension_test.c +++ b/tests/unit/s2n_client_supported_groups_extension_test.c @@ -260,12 +260,24 @@ int main() for (size_t i = 0; i < NUM_MISMATCH_PQ_TEST_POLICY_OVERRIDES; i++) { EXPECT_SUCCESS(s2n_enable_tls13_in_test()); + + DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), + s2n_config_ptr_free); + EXPECT_NOT_NULL(config); + /* These tests explicitly set security_policy_override to test ECC + * selection logic and expect a s2n_config that does support x25519 and + * TLS 1.3, but does not support PQ. + */ + EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240503")); + struct s2n_connection *client_conn = NULL; EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT)); + EXPECT_SUCCESS(s2n_connection_set_config(client_conn, config)); client_conn->security_policy_override = test_policy_overrides[i][0]; struct s2n_connection *server_conn = NULL; EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_CLIENT)); + EXPECT_SUCCESS(s2n_connection_set_config(server_conn, config)); server_conn->security_policy_override = test_policy_overrides[i][1]; const struct s2n_ecc_preferences *server_ecc_pref = NULL; diff --git a/tests/unit/s2n_self_talk_ktls_test.c b/tests/unit/s2n_self_talk_ktls_test.c index 454ecb77284..a758478a174 100644 --- a/tests/unit/s2n_self_talk_ktls_test.c +++ b/tests/unit/s2n_self_talk_ktls_test.c @@ -131,7 +131,8 @@ int main(int argc, char **argv) DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free); EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key)); EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config)); - EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default")); + /* Configure a TLS 1.2 policy */ + EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501")); EXPECT_SUCCESS(s2n_config_ktls_enable_unsafe_tls13(config)); /* Even if we detected ktls support at compile time, enabling ktls diff --git a/tests/unit/s2n_server_key_share_extension_test.c b/tests/unit/s2n_server_key_share_extension_test.c index e5323f5adef..14292ea0925 100644 --- a/tests/unit/s2n_server_key_share_extension_test.c +++ b/tests/unit/s2n_server_key_share_extension_test.c @@ -251,6 +251,7 @@ int main(int argc, char **argv) struct s2n_connection *client_conn = NULL; EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT)); + EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(client_conn, "20240503")); const struct s2n_ecc_preferences *ecc_pref = NULL; EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(client_conn, &ecc_pref));