From 8ab5899bc0bea9724a8bd49a36632a9da611b268 Mon Sep 17 00:00:00 2001 From: Jou Ho <43765840+jouho@users.noreply.github.com> Date: Tue, 26 Nov 2024 11:21:49 -0800 Subject: [PATCH 1/4] upgrade cmake version to 3.9 (#4933) --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 8dfaa4e2d80..f19e25d1440 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1,4 +1,4 @@ -cmake_minimum_required (VERSION 3.0) +cmake_minimum_required (VERSION 3.9) project (s2n C) if(POLICY CMP0077) From 0b6ac868ac95d13d83e07dc93112966d429a5e32 Mon Sep 17 00:00:00 2001 From: Carol Yeh Date: Tue, 26 Nov 2024 12:27:58 -0800 Subject: [PATCH 2/4] chore: add new team member (#4939) --- .github/teams.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/teams.yml b/.github/teams.yml index 086ae3ae9e5..b19ff8f12d4 100644 --- a/.github/teams.yml +++ b/.github/teams.yml @@ -9,3 +9,4 @@ s2n-core: - '@jmayclin' - '@jouho' - '@boquan-fang' + - '@CarolYeh910' \ No newline at end of file From be2ad4bf3903490546e2c75de39c3100b4316506 Mon Sep 17 00:00:00 2001 From: maddeleine <59030281+maddeleine@users.noreply.github.com> Date: Wed, 27 Nov 2024 09:33:16 -0800 Subject: [PATCH 3/4] (chore): Fixes team-label github action (#4935) --- .github/workflows/team_label.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/team_label.yml b/.github/workflows/team_label.yml index 19a35b2cf4a..9c8098f41f7 100644 --- a/.github/workflows/team_label.yml +++ b/.github/workflows/team_label.yml @@ -11,7 +11,7 @@ jobs: team-labeler: runs-on: ubuntu-latest steps: - - uses: JulienKode/team-labeler-action@v1.3 + - uses: JulienKode/team-labeler-action@v1.3.0 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" From 087c02e471d3fcdba4a6885565dde0ee78cc9248 Mon Sep 17 00:00:00 2001 
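Review bot: The `uses:` line still pins `JulienKode/team-labeler-action` by tag (`@v1.3.0`), and tags are mutable, so the workflow, which runs with `secrets.GITHUB_TOKEN`, still resolves to whatever commit the tag points at on each run. Pinning to the action's full commit SHA with the tag kept as a trailing comment, e.g. `- uses: JulienKode/team-labeler-action@<full-commit-sha> # v1.3.0`, makes the resolved code immutable while still letting dependency tooling track the version. The SHA placeholder has to be filled from the action's repository; it is not visible in this patch.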
From: toidiu Date: Wed, 27 Nov 2024 11:16:29 -0800 Subject: [PATCH 4/4] test: pin tests to explicit TLS 1.2/TLS 1.3 policy (#4926) --- .../integration/src/network/tls_client.rs | 22 ++++++++++++------- bindings/rust/s2n-tls-tokio/Cargo.toml | 1 + .../rust/s2n-tls-tokio/tests/common/mod.rs | 7 +++--- bindings/rust/s2n-tls/src/security.rs | 3 +++ .../rust/s2n-tls/src/testing/resumption.rs | 4 +++- ...n_client_supported_groups_extension_test.c | 12 ++++++++++ tests/unit/s2n_self_talk_ktls_test.c | 3 ++- .../s2n_server_key_share_extension_test.c | 1 + 8 files changed, 40 insertions(+), 13 deletions(-) diff --git a/bindings/rust/integration/src/network/tls_client.rs b/bindings/rust/integration/src/network/tls_client.rs index c94325a7692..caef998abf7 100644 --- a/bindings/rust/integration/src/network/tls_client.rs +++ b/bindings/rust/integration/src/network/tls_client.rs @@ -1,7 +1,11 @@ // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 -use s2n_tls::{config::Config, enums::Version, security::Policy}; +use s2n_tls::{ + config::Config, + enums::Version, + security::{self, Policy}, +}; use s2n_tls_tokio::{TlsConnector, TlsStream}; use tokio::net::TcpStream; @@ -14,13 +18,13 @@ use tokio::net::TcpStream; /// `Err``. async fn handshake_with_domain( domain: &str, - security_policy: &str, + security_policy: &Policy, ) -> Result, Box> { - tracing::info!("querying {domain} with {security_policy}"); + tracing::info!("querying {domain} with {:?}", security_policy); const PORT: u16 = 443; let mut config = Config::builder(); - config.set_security_policy(&Policy::from_version(security_policy)?)?; + config.set_security_policy(security_policy)?; let client = TlsConnector::new(config.build()?); // open the TCP stream 
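Review bot: The new log line `tracing::info!("querying {domain} with {:?}", security_policy);` mixes an inline-captured argument with a positional one; since the file already uses inline capture for `{domain}`, `tracing::info!("querying {domain} with {security_policy:?}");` keeps the format string consistent. The doc comment above the signature is cut off by the hunk; if it still describes `security_policy` as a policy-version string, it needs updating now that the parameter is a `&Policy`. The body of `handshake_with_domain` continues past the end of the hunk.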
@@ -42,7 +46,8 @@ mod kms_pq { // supports ML-KEM. #[test_log::test(tokio::test)] async fn pq_handshake() -> Result<(), Box> { - let tls = handshake_with_domain(DOMAIN, "KMS-PQ-TLS-1-0-2020-07").await?; + let policy = Policy::from_version("KMS-PQ-TLS-1-0-2020-07")?; + let tls = handshake_with_domain(DOMAIN, &policy).await?; assert_eq!( tls.as_ref().cipher_suite()?, @@ -65,7 +70,8 @@ mod kms_pq { ]; for security_policy in EARLY_DRAFT_PQ_POLICIES { - let tls = handshake_with_domain(DOMAIN, security_policy).await?; + let policy = Policy::from_version(security_policy)?; + let tls = handshake_with_domain(DOMAIN, &policy).await?; assert_eq!(tls.as_ref().cipher_suite()?, "ECDHE-RSA-AES256-GCM-SHA384"); assert_eq!(tls.as_ref().kem_name(), None); @@ -84,10 +90,10 @@ async fn tls_client() -> Result<(), Box> { for domain in DOMAINS { tracing::info!("querying {domain}"); - let tls12 = handshake_with_domain(domain, "default").await?; + let tls12 = handshake_with_domain(domain, &security::TESTING_TLS12).await?; assert_eq!(tls12.as_ref().actual_protocol_version()?, Version::TLS12); - let tls13 = handshake_with_domain(domain, "default_tls13").await?; + let tls13 = handshake_with_domain(domain, &security::DEFAULT_TLS13).await?; assert_eq!(tls13.as_ref().actual_protocol_version()?, Version::TLS13); } diff --git a/bindings/rust/s2n-tls-tokio/Cargo.toml b/bindings/rust/s2n-tls-tokio/Cargo.toml index c4cb389943b..fc6db8d014d 100644 --- a/bindings/rust/s2n-tls-tokio/Cargo.toml +++ b/bindings/rust/s2n-tls-tokio/Cargo.toml @@ -19,6 +19,7 @@ s2n-tls = { version = "=0.3.7", path = "../s2n-tls" } tokio = { version = "1", features = ["net", "time"] } [dev-dependencies] +s2n-tls = { path = "../s2n-tls", features = ["unstable-testing"] } clap = { version = "3", features = ["derive"] } rand = { version = "0.8" } tokio = { version = "1", features = [ "io-std", "io-util", "macros", "net", "rt-multi-thread", "test-util", "time"] } 
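Review bot: `handshake_with_domain(domain, &security::TESTING_TLS12)` makes the integration crate depend on a constant that, per the `security.rs` hunk in this patch, exists only under `#[cfg(any(feature = "unstable-testing", test))]`, and the diffstat touches no Cargo.toml for the integration crate. Presumably that crate already enables `unstable-testing` on its `s2n-tls` dependency; if it does not, this call will not compile outside `cfg(test)`, so it is worth confirming. The two calls would also read better with a short comment ahead of the `tls12` line, e.g. `// TESTING_TLS12 is expected to negotiate TLS 1.2 and DEFAULT_TLS13 TLS 1.3; the asserts below rely on that.` The `tls_client` function continues past the end of the hunk.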
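Review bot: The new `[dev-dependencies]` entry `s2n-tls = { path = "../s2n-tls", features = ["unstable-testing"] }` drops the `version = "=0.3.7"` pin that the regular dependency on the same crate carries a few lines above. Cargo requires both entries to resolve to the same package, so this builds, but keeping them consistent, `s2n-tls = { version = "=0.3.7", path = "../s2n-tls", features = ["unstable-testing"] }`, avoids the two drifting apart on the next version bump. A one-line comment above the entry saying the feature exists only to reach `security::TESTING_TLS12` from tests would also help the next reader.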
diff --git a/bindings/rust/s2n-tls-tokio/tests/common/mod.rs b/bindings/rust/s2n-tls-tokio/tests/common/mod.rs index 5c587a46345..5b93561931c 100644 --- a/bindings/rust/s2n-tls-tokio/tests/common/mod.rs +++ b/bindings/rust/s2n-tls-tokio/tests/common/mod.rs @@ -5,7 +5,7 @@ use s2n_tls::{ config, connection::Builder, error::Error, - security::{DEFAULT, DEFAULT_TLS13}, + security::{DEFAULT_TLS13, TESTING_TLS12}, }; use s2n_tls_tokio::{TlsAcceptor, TlsConnector, TlsStream}; use std::time::Duration; @@ -61,14 +61,15 @@ pub fn server_config() -> Result { pub fn client_config_tls12() -> Result { let mut builder = config::Config::builder(); - builder.set_security_policy(&DEFAULT)?; + builder.set_security_policy(&TESTING_TLS12)?; builder.trust_pem(RSA_CERT_PEM)?; Ok(builder) } pub fn server_config_tls12() -> Result { let mut builder = config::Config::builder(); - builder.set_security_policy(&DEFAULT)?; + builder.set_security_policy(&TESTING_TLS12)?; + builder.load_pem(RSA_CERT_PEM, RSA_KEY_PEM)?; Ok(builder) } diff --git a/bindings/rust/s2n-tls/src/security.rs b/bindings/rust/s2n-tls/src/security.rs index 21e67ba4728..f8483105355 100644 --- a/bindings/rust/s2n-tls/src/security.rs +++ b/bindings/rust/s2n-tls/src/security.rs @@ -105,6 +105,9 @@ pub const DEFAULT: Policy = policy!("default"); /// pub const DEFAULT_TLS13: Policy = policy!("default_tls13"); +#[cfg(any(feature = "unstable-testing", test))] +pub const TESTING_TLS12: Policy = policy!("20240501"); + #[cfg(feature = "pq")] pub const TESTING_PQ: Policy = policy!("PQ-TLS-1-0-2021-05-26"); diff --git a/bindings/rust/s2n-tls/src/testing/resumption.rs b/bindings/rust/s2n-tls/src/testing/resumption.rs index acb11d631b3..7d02accbd66 100644 --- a/bindings/rust/s2n-tls/src/testing/resumption.rs +++ b/bindings/rust/s2n-tls/src/testing/resumption.rs 
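Review bot: `server_config_tls12` gains `builder.load_pem(RSA_CERT_PEM, RSA_KEY_PEM)?;` alongside the policy change, which is a second, unrelated behavioural fix (the old version of the function loaded no certificate) that the commit message does not mention; a comment such as `// Server needs a cert/key pair to complete the handshake; previously missing.` above that line would record why it is here. Neither `client_config_tls12` nor `server_config_tls12` has a doc comment; `/// Config pinned to the TESTING_TLS12 policy so the handshake is expected to negotiate TLS 1.2 rather than TLS 1.3.` on each would state the reason for the pin, which is otherwise only implied by the policy's name.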
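Review bot: `pub const TESTING_TLS12: Policy = policy!("20240501");` is a public item with no doc comment, while the neighbouring `DEFAULT_TLS13` is documented with `///`. Suggest a doc comment above the `#[cfg]` line along the lines of `/// Policy "20240501", used by tests that are expected to negotiate TLS 1.2 rather than TLS 1.3.` followed by `/// Only available with the `unstable-testing` feature or under `cfg(test)`; not intended as a production policy.` The same `"20240501"` literal is added in `tests/unit/s2n_self_talk_ktls_test.c` in this patch, so the doc comment is the natural place to note that the two should move together.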
@@ -63,13 +63,14 @@ mod tests { } #[test] - fn resume_session() -> Result<(), Box> { + fn resume_tls12_session() -> Result<(), Box> { let keypair = CertKeyPair::default(); // Initialize config for server with a ticket key let mut server_config_builder = Builder::new(); server_config_builder .add_session_ticket_key(&KEYNAME, &KEY, SystemTime::now())? + .set_security_policy(&security::TESTING_TLS12)? .load_pem(keypair.cert(), keypair.key())?; let server_config = server_config_builder.build()?; @@ -83,6 +84,7 @@ mod tests { .set_session_ticket_callback(handler.clone())? .trust_pem(keypair.cert())? .set_verify_host_callback(InsecureAcceptAllCertificatesHandler {})? + .set_security_policy(&security::TESTING_TLS12)? .set_connection_initializer(handler)?; let client_config = client_config_builder.build()?; diff --git a/tests/unit/s2n_client_supported_groups_extension_test.c b/tests/unit/s2n_client_supported_groups_extension_test.c index 1d8aa315856..58cbe1d9da9 100644 --- a/tests/unit/s2n_client_supported_groups_extension_test.c +++ b/tests/unit/s2n_client_supported_groups_extension_test.c 
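Review bot: The renamed `resume_tls12_session` now pins both the server (`.set_security_policy(&security::TESTING_TLS12)?` after `add_session_ticket_key`) and the client to the same policy, but nothing in the hunk says why this test is TLS 1.2-specific. A one-line comment at the server builder, e.g. `// Pin to TLS 1.2: this test covers session-ticket resumption, which TLS 1.3 replaces with PSK-based resumption.`, would explain both the rename and the pin, and the same applies to the client-side hunk at `@@ -83,6 +84,7 @@`. Whether a TLS 1.3 counterpart of this test exists is not visible here; if it does not, the rename leaves TLS 1.3 resumption uncovered in this module. The test function body continues past the end of both hunks.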
@@ -260,12 +260,24 @@ int main() for (size_t i = 0; i < NUM_MISMATCH_PQ_TEST_POLICY_OVERRIDES; i++) { EXPECT_SUCCESS(s2n_enable_tls13_in_test()); + + DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), + s2n_config_ptr_free); + EXPECT_NOT_NULL(config); + /* These tests explicitly set security_policy_override to test ECC + * selection logic and expect a s2n_config that does support x25519 and + * TLS 1.3, but does not support PQ. + */ + EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240503")); + struct s2n_connection *client_conn = NULL; EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT)); + EXPECT_SUCCESS(s2n_connection_set_config(client_conn, config)); client_conn->security_policy_override = test_policy_overrides[i][0]; struct s2n_connection *server_conn = NULL; EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_CLIENT)); + EXPECT_SUCCESS(s2n_connection_set_config(server_conn, config)); server_conn->security_policy_override = test_policy_overrides[i][1]; const struct s2n_ecc_preferences *server_ecc_pref = NULL; diff --git a/tests/unit/s2n_self_talk_ktls_test.c b/tests/unit/s2n_self_talk_ktls_test.c index 454ecb77284..a758478a174 100644 --- a/tests/unit/s2n_self_talk_ktls_test.c +++ b/tests/unit/s2n_self_talk_ktls_test.c @@ -131,7 +131,8 @@ int main(int argc, char **argv) DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free); EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key)); EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config)); - EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default")); + /* Configure a TLS 1.2 policy */ + EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501")); EXPECT_SUCCESS(s2n_config_ktls_enable_unsafe_tls13(config)); /* Even if we detected ktls support at compile time, enabling ktls 
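Review bot: The new `DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);` sits inside the `for` body, so `config` is freed at the end of every iteration; `client_conn` and `server_conn` are now attached to it via `s2n_connection_set_config`, so they must be freed before the iteration ends, and where that happens is outside the hunk and worth confirming. The comment states the requirement (x25519, TLS 1.3, no PQ) but the literal `"20240503"` carries that meaning only by convention, and the same literal is added with no comment at all in `tests/unit/s2n_server_key_share_extension_test.c` in this patch; a shared `#define` or at least the same comment there would keep the two in step. The context line `server_conn = s2n_connection_new(S2N_CLIENT)` is pre-existing, but since the new code now attaches a config to that connection, checking whether `S2N_SERVER` was intended is cheap. `main` continues outside the hunk.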
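Review bot: `/* Configure a TLS 1.2 policy */` is immediately followed on the next context line by `s2n_config_ktls_enable_unsafe_tls13(config)`, so a reader cannot tell whether TLS 1.3 kTLS is still meant to be exercised by this test after the policy change or whether that call is now inert. The comment should say which, e.g. `/* Pin to a TLS 1.2 policy ("20240501"); the unsafe_tls13 enable below is kept because <reason> */` with the reason filled in, or the enable should be removed if it no longer applies. `main` continues outside the hunk.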
diff --git a/tests/unit/s2n_server_key_share_extension_test.c b/tests/unit/s2n_server_key_share_extension_test.c index e5323f5adef..14292ea0925 100644 --- a/tests/unit/s2n_server_key_share_extension_test.c +++ b/tests/unit/s2n_server_key_share_extension_test.c @@ -251,6 +251,7 @@ int main(int argc, char **argv) struct s2n_connection *client_conn = NULL; EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT)); + EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(client_conn, "20240503")); const struct s2n_ecc_preferences *ecc_pref = NULL; EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(client_conn, &ecc_pref));