Merge branch 'main' into remove-testing-feature

CMakeLists.txt

@@ -584,7 +584,7 @@ if (BUILD_TESTING)
                         pytest
                         -x -n=${N} --reruns=2 --durations=10 --cache-clear -rpfsq
                         -o log_cli=true --log-cli-level=DEBUG --provider-version=$ENV{S2N_LIBCRYPTO}
-                        --provider-criterion=off --fips-mode=0 --no-pq=0 ${test_file_path}
+                        --provider-criterion=off --fips-mode=0 ${test_file_path}
                         WORKING_DIRECTORY ${PROJECT_SOURCE_DIR}/tests/integrationv2
                 )
             else()

bindings/rust/s2n-tls-sys/templates/Cargo.template

@@ -1,7 +1,7 @@
 [package]
 name = "s2n-tls-sys"
 description = "A C99 implementation of the TLS/SSL protocols"
-version = "0.2.7"
+version = "0.2.8"
 authors = ["AWS s2n"]
 edition = "2021"
 rust-version = "1.63.0"

bindings/rust/s2n-tls-tokio/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "s2n-tls-tokio"
 description = "An implementation of TLS streams for Tokio built on top of s2n-tls"
-version = "0.2.7"
+version = "0.2.8"
 authors = ["AWS s2n"]
 edition = "2021"
 rust-version = "1.63.0"
@@ -15,7 +15,7 @@ default = []
 errno = { version = "0.3" }
 libc = { version = "0.2" }
 pin-project-lite = { version = "0.2" }
-s2n-tls = { version = "=0.2.7", path = "../s2n-tls" }
+s2n-tls = { version = "=0.2.8", path = "../s2n-tls" }
 tokio = { version = "1", features = ["net", "time"] }
 
 [dev-dependencies]

bindings/rust/s2n-tls/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "s2n-tls"
 description = "A C99 implementation of the TLS/SSL protocols"
-version = "0.2.7"
+version = "0.2.8"
 authors = ["AWS s2n"]
 edition = "2021"
 rust-version = "1.63.0"
@@ -19,7 +19,7 @@ pq = ["s2n-tls-sys/pq"]
 [dependencies]
 errno = { version = "0.3" }
 libc = "0.2"
-s2n-tls-sys = { version = "=0.2.7", path = "../s2n-tls-sys", features = ["internal"] }
+s2n-tls-sys = { version = "=0.2.8", path = "../s2n-tls-sys", features = ["internal"] }
 pin-project-lite = "0.2"
 hex = "0.4"
 

bindings/rust/s2n-tls/src/connection.rs

@@ -857,13 +857,28 @@ impl Connection {
         Ok(())
     }
 
+    /// Access the protocol version selected for the connection.
     pub fn actual_protocol_version(&self) -> Result<Version, Error> {
         let version = unsafe {
             s2n_connection_get_actual_protocol_version(self.connection.as_ptr()).into_result()?
         };
         version.try_into()
     }
 
+    /// Detects if the client hello is using the SSLv2 format.
+    ///
+    /// s2n-tls will not negotiate SSLv2, but will accept SSLv2 ClientHellos
+    /// advertising a higher protocol version like SSLv3 or TLS1.0.
+    /// [Connection::actual_protocol_version()] can be used to retrieve the
+    /// protocol version that is actually used on the connection.
+    pub fn client_hello_is_sslv2(&self) -> Result<bool, Error> {
+        let version = unsafe {
+            s2n_connection_get_client_hello_version(self.connection.as_ptr()).into_result()?
+        };
+        let version: Version = version.try_into()?;
+        Ok(version == Version::SSLV2)
+    }
+
     pub fn handshake_type(&self) -> Result<&str, Error> {
         let handshake = unsafe {
             s2n_connection_get_handshake_type_name(self.connection.as_ptr()).into_result()?

bindings/rust/s2n-tls/src/testing/s2n_tls.rs

@@ -232,7 +232,7 @@ mod tests {
         callbacks::{ClientHelloCallback, ConnectionFuture, ConnectionFutureResult},
         enums::ClientAuthType,
         error::ErrorType,
-        testing::{client_hello::*, *},
+        testing::{self, client_hello::*, s2n_tls::*, *},
     };
     use alloc::sync::Arc;
     use core::sync::atomic::Ordering;
@@ -890,4 +890,59 @@ mod tests {
         assert_eq!(protocol, b"h2");
         Ok(())
     }
+
+    #[test]
+    fn client_hello_sslv2_negative() -> Result<(), testing::Error> {
+        let config = testing::build_config(&security::DEFAULT_TLS13)?;
+        let mut pair = TestPair::from_config(&config);
+        pair.handshake()?;
+        assert!(!pair.server.client_hello_is_sslv2()?);
+        Ok(())
+    }
+
+    #[test]
+    fn client_hello_sslv2_positive() -> Result<(), testing::Error> {
+        // copy-pasted from s2n-tls/tests/testlib/s2n_sslv2_client_hello.h
+        // by concatenating these fields together, a valid SSLv2 formatted client hello
+        // can be assembled
+        const SSLV2_CLIENT_HELLO_HEADER: &[u8] = &[0x80, 0xb3, 0x01, 0x03, 0x03];
+        const SSLV2_CLIENT_HELLO_PREFIX: &[u8] = &[0x00, 0x8a, 0x00, 0x00, 0x00, 0x20];
+        const SSLV2_CLIENT_HELLO_CIPHER_SUITES: &[u8] = &[
+            0x00, 0xc0, 0x24, 0x00, 0xc0, 0x28, 0x00, 0x00, 0x3d, 0x00, 0xc0, 0x26, 0x00, 0xc0,
+            0x2a, 0x00, 0x00, 0x6b, 0x00, 0x00, 0x6a, 0x00, 0xc0, 0x0a, 0x07, 0x00, 0xc0, 0x00,
+            0xc0, 0x14, 0x00, 0x00, 0x35, 0x00, 0xc0, 0x05, 0x00, 0xc0, 0x0f, 0x00, 0x00, 0x39,
+            0x00, 0x00, 0x38, 0x00, 0xc0, 0x23, 0x00, 0xc0, 0x27, 0x00, 0x00, 0x3c, 0x00, 0xc0,
+            0x25, 0x00, 0xc0, 0x29, 0x00, 0x00, 0x67, 0x00, 0x00, 0x40, 0x00, 0xc0, 0x09, 0x06,
+            0x00, 0x40, 0x00, 0xc0, 0x13, 0x00, 0x00, 0x2f, 0x00, 0xc0, 0x04, 0x01, 0x00, 0x80,
+            0x00, 0xc0, 0x0e, 0x00, 0x00, 0x33, 0x00, 0x00, 0x32, 0x00, 0xc0, 0x2c, 0x00, 0xc0,
+            0x2b, 0x00, 0xc0, 0x30, 0x00, 0x00, 0x9d, 0x00, 0xc0, 0x2e, 0x00, 0xc0, 0x32, 0x00,
+            0x00, 0x9f, 0x00, 0x00, 0xa3, 0x00, 0xc0, 0x2f, 0x00, 0x00, 0x9c, 0x00, 0xc0, 0x2d,
+            0x00, 0xc0, 0x31, 0x00, 0x00, 0x9e, 0x00, 0x00, 0xa2, 0x00, 0x00, 0xff,
+        ];
+        const SSLV2_CLIENT_HELLO_CHALLENGE: &[u8] = &[
+            0x5b, 0xe9, 0xcc, 0xad, 0xd6, 0xa5, 0x20, 0xac, 0xa3, 0xf4, 0x8e, 0x88, 0x06, 0xb5,
+            0x95, 0x53, 0x2d, 0x53, 0xfe, 0xd7, 0xa1, 0x00, 0x57, 0xc0, 0x53, 0x9d, 0x84, 0x71,
+            0x80, 0x7f, 0x30, 0x7e,
+        ];
+
+        let config = testing::build_config(&security::Policy::from_version("test_all")?)?;
+        // we use the pair to setup IO, but we don't want the client to write anything.
+        // So we drop the client and just directly write the SSLv2 header to the
+        // client_tx_stream
+        let mut pair = TestPair::from_config(&config);
+        drop(pair.client);
+
+        let mut client_tx_stream = pair.client_tx_stream.borrow_mut();
+        client_tx_stream.write_all(SSLV2_CLIENT_HELLO_HEADER)?;
+        client_tx_stream.write_all(SSLV2_CLIENT_HELLO_PREFIX)?;
+        client_tx_stream.write_all(SSLV2_CLIENT_HELLO_CIPHER_SUITES)?;
+        client_tx_stream.write_all(SSLV2_CLIENT_HELLO_CHALLENGE)?;
+        // end the exclusive borrow
+        drop(client_tx_stream);
+
+        // the first server.poll_negotiate causes the server to read in the client hello
+        assert!(pair.server.poll_negotiate()?.is_pending());
+        assert!(pair.server.client_hello_is_sslv2()?);
+        Ok(())
+    }
 }

codebuild/bin/criterion_baseline.sh

@@ -16,8 +16,6 @@ set -eu
 source codebuild/bin/s2n_setup_env.sh
 source codebuild/bin/utils.sh
 
-# Disable PQ
-export S2N_NO_PQ=1
 # Limit the number of child processes in the test run
 export RUST_BACKTRACE=1
 export TOX_TEST_NAME="$INTEGV2_TEST"

codebuild/bin/criterion_delta.sh

@@ -13,8 +13,6 @@
 # permissions and limitations under the License.
 set -eu
 source ./codebuild/bin/utils.sh
-# Disable PQ
-export S2N_NO_PQ=1
 export AWS_S3_BUCKET="s3://s2n-tls-logs/"
 # Limit the number of child processes in the test run
 export RUST_BACKTRACE=1

codebuild/bin/s2n_codebuild.sh

@@ -61,11 +61,6 @@ if [[ "$OS_NAME" == "linux" && "$TESTS" == "valgrind" ]]; then
     kill %1
 fi
 
-CMAKE_PQ_OPTION="S2N_NO_PQ=False"
-if [[ -n "$S2N_NO_PQ" ]]; then
-    CMAKE_PQ_OPTION="S2N_NO_PQ=True"
-fi
-
 test_linked_libcrypto() {
     s2n_executable="$1"
     so_path="${LIBCRYPTO_ROOT}/lib/libcrypto.so"
@@ -93,7 +88,6 @@ run_integration_v2_tests() {
     "$CB_BIN_DIR/install_s2n_head.sh" "$(mktemp -d)"
     cmake . -Bbuild \
             -DCMAKE_PREFIX_PATH=$LIBCRYPTO_ROOT \
-            -D${CMAKE_PQ_OPTION} \
             -DS2N_BLOCK_NONPORTABLE_OPTIMIZATIONS=True \
             -DBUILD_SHARED_LIBS=on \
             -DS2N_INTEG_TESTS=on \
@@ -114,7 +108,6 @@ run_integration_v2_tests() {
 run_unit_tests() {
     cmake . -Bbuild \
             -DCMAKE_PREFIX_PATH=$LIBCRYPTO_ROOT \
-            -D${CMAKE_PQ_OPTION} \
             -DS2N_BLOCK_NONPORTABLE_OPTIMIZATIONS=True \
             -DBUILD_SHARED_LIBS=on
     cmake --build ./build -- -j $(nproc)

codebuild/bin/s2n_codebuild_al2.sh

@@ -24,16 +24,11 @@ if [[ "$OS_NAME" == "linux" && -n "$CODEBUILD_BUILD_ARN" ]]; then
     sudo -E ${PRLIMIT_LOCATION} --pid "$$" --memlock=unlimited:unlimited;
 fi
 
-CMAKE_PQ_OPTION="S2N_NO_PQ=False"
-if [[ -n "$S2N_NO_PQ" ]]; then
-    CMAKE_PQ_OPTION="S2N_NO_PQ=True"
-fi
-
 # Linker flags are a workaround for openssl
 case "$TESTS" in
   "unit")
     cmake . -Bbuild -DCMAKE_EXE_LINKER_FLAGS="-lcrypto -lz" -DCMAKE_EXPORT_COMPILE_COMMANDS=ON \
-      -D${CMAKE_PQ_OPTION} -DS2N_BLOCK_NONPORTABLE_OPTIMIZATIONS=True
+      -DS2N_BLOCK_NONPORTABLE_OPTIMIZATIONS=True
     cmake --build ./build -j $(nproc)
     cmake --build ./build --target test -- ARGS="-L unit --output-on-failure"
     ;;

codebuild/bin/s2n_setup_env.sh

@@ -114,7 +114,6 @@ export FUZZ_TIMEOUT_SEC
 export GB_INSTALL_DIR
 export OS_NAME
 export S2N_CORKED_IO
-export S2N_NO_PQ
 # For use by criterion/ci run reports
 export AWS_S3_URL="s3://s2n-tls-logs/release/"
 

codebuild/spec/buildspec_generalbatch.yml

@@ -173,9 +173,8 @@ batch:
           BUILD_S2N: 'true'
           GCC_VERSION: '9'
           S2N_LIBCRYPTO: 'openssl-1.1.1'
-          S2N_NO_PQ: 1
           TESTS: unit
-      identifier: s2nUnitNoPQ
+      identifier: s2nUnitOpenssl111Gcc9
     - buildspec: codebuild/spec/buildspec_ubuntu.yml
       env:
         compute-type: BUILD_GENERAL1_LARGE
@@ -195,7 +194,6 @@ batch:
         privileged-mode: true
         type: ARM_CONTAINER
         variables:
-          S2N_NO_PQ: 1
           TESTS: unit
       identifier: s2nUnitAl2Arm
     - buildspec: codebuild/spec/buildspec_amazonlinux2.yml
@@ -204,7 +202,6 @@ batch:
         image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
         privileged-mode: true
         variables:
-          S2N_NO_PQ: 1
           TESTS: unit
           S2N_LIBCRYPTO: default
       identifier: s2nUnitAL2
@@ -214,7 +211,6 @@ batch:
         image: aws/codebuild/amazonlinux2-x86_64-standard:3.0
         privileged-mode: true
         variables:
-          S2N_NO_PQ: 1
           TESTS: unit
           S2N_LIBCRYPTO: openssl-1.1.1
       identifier: s2nUnitAl2Openssl111
@@ -296,7 +292,6 @@ batch:
           BUILD_S2N: 'true'
           GCC_VERSION: '6'
           S2N_LIBCRYPTO: 'libressl'
-          S2N_NO_PQ: 1
           TESTS: unit
       identifier: s2nUnitLibressl
     - buildspec: codebuild/spec/buildspec_ubuntu.yml
@@ -308,7 +303,6 @@ batch:
           BUILD_S2N: 'true'
           GCC_VERSION: '9'
           S2N_LIBCRYPTO: 'boringssl'
-          S2N_NO_PQ: 1
           TESTS: unit
       identifier: s2nUnitBoringssl
     - buildspec: codebuild/spec/buildspec_ubuntu.yml
@@ -332,7 +326,6 @@ batch:
           CC: '/usr/bin/clang'
           CXX: '/usr/bin/clang++'
           S2N_LIBCRYPTO: 'awslc'
-          S2N_NO_PQ: 1
           TESTS: unit
       identifier: s2nUnitClang15
     - identifier: 32BitBuildAndUnit

codebuild/spec/buildspec_omnibus.yml

@@ -157,7 +157,7 @@ batch:
           S2N_LIBCRYPTO: 'openssl-1.0.2'
           BUILD_S2N: 'true'
 
-    - identifier: s2nUnitNoPQ
+    - identifier: s2nUnitOpenssl111Gcc9
       buildspec: codebuild/spec/buildspec_ubuntu.yml
       env:
         privileged-mode: true
@@ -167,7 +167,6 @@ batch:
           TESTS: unit
           GCC_VERSION: '9'
           S2N_LIBCRYPTO: 'openssl-1.1.1'
-          S2N_NO_PQ: 1
           BUILD_S2N: 'true'
 
     - identifier: s2nUnitAl2Arm
@@ -178,7 +177,6 @@ batch:
         image: aws/codebuild/amazonlinux2-aarch64-standard:2.0
         privileged-mode: true
         variables:
-          S2N_NO_PQ: 1
           TESTS: unit
 
     - identifier: s2nUnitAl2
@@ -189,7 +187,6 @@ batch:
         compute-type: BUILD_GENERAL1_SMALL
         variables:
           TESTS: unit
-          S2N_NO_PQ: 1
 
     - identifier: s2nLibcryptoInterningOpenSSL
       buildspec: codebuild/spec/buildspec_ubuntu.yml
@@ -280,7 +277,6 @@ batch:
           BUILD_S2N: 'true'
           GCC_VERSION: '6'
           S2N_LIBCRYPTO: 'libressl'
-          S2N_NO_PQ: 1
           TESTS: unit
       identifier: s2nUnitLibressl
 
@@ -293,7 +289,6 @@ batch:
           BUILD_S2N: 'true'
           GCC_VERSION: '9'
           S2N_LIBCRYPTO: 'boringssl'
-          S2N_NO_PQ: 1
           TESTS: unit
       identifier: s2nUnitBoringssl
 

codebuild/spec/buildspec_ubuntu_integv2criterion.yml

@@ -17,7 +17,6 @@ batch:
         variables:
           INTEGV2_TEST: test_well_known_endpoints
           S2N_USE_CRITERION: 2
-          S2N_NO_PQ: 1
           TESTS: integrationv2crit
           GCC_VERSION: 6
           RUST_BACKTRACE: 1
@@ -29,7 +28,6 @@ batch:
         variables:
           INTEGV2_TEST: test_well_known_endpoints
           S2N_USE_CRITERION: 1
-          S2N_NO_PQ: 1
           TESTS: integrationv2crit
           GCC_VERSION: 6
           ARTIFACT_BUCKET: s3://s2n-tls-logs/release

flake.nix

@@ -68,8 +68,7 @@
           configurePhase = ''
             cmake -S . -B./build \
                   -DBUILD_SHARED_LIBS=ON \
-                  -DCMAKE_BUILD_TYPE=RelWithDebInfo \
-                  -DS2N_NO_PQ=0
+                  -DCMAKE_BUILD_TYPE=RelWithDebInfo
           ''; # TODO: set when system like aarch64/mips,etc
 
           buildPhase = ''

tests/cbmc/proofs/Makefile.common

@@ -299,8 +299,8 @@ CHECKFLAGS += $(CBMC_FLAG_UNSIGNED_OVERFLOW_CHECK)
 NONDET_STATIC ?=
 
 # Flags to pass to goto-cc for compilation and linking
-COMPILE_FLAGS ?= -Wall
-LINK_FLAGS ?= -Wall
+COMPILE_FLAGS ?= -Wall -Werror
+LINK_FLAGS ?= -Wall -Werror
 EXPORT_FILE_LOCAL_SYMBOLS ?= --export-file-local-symbols
 
 # During instrumentation, it adds models of C library functions

tests/cbmc/proofs/lib/summarize.py

@@ -86,13 +86,13 @@ def _get_status_and_proof_summaries(run_dict):
     count_statuses = {}
     proofs = [["Proof", "Status"]]
     for proof_pipeline in run_dict["pipelines"]:
+        if proof_pipeline["name"] == "print_tool_versions":
+            continue
         status_pretty_name = proof_pipeline["status"].title().replace("_", " ")
         try:
             count_statuses[status_pretty_name] += 1
         except KeyError:
             count_statuses[status_pretty_name] = 1
-        if proof_pipeline["name"] == "print_tool_versions":
-            continue
         proofs.append([proof_pipeline["name"], status_pretty_name])
     statuses = [["Status", "Count"]]
     for status, count in count_statuses.items():

tests/fuzz/runFuzzTest.sh

@@ -203,7 +203,7 @@ then
             COVERAGE_FAILURE_ALLOWED=1
         fi
 
-        if [ "$FEATURE_COVERAGE" -lt $MIN_FEATURES_COVERED && COVERAGE_FAILURE_ALLOWED -eq 0 ]; then
+        if [[ "$FEATURE_COVERAGE" -lt $MIN_FEATURES_COVERED && COVERAGE_FAILURE_ALLOWED -eq 0 ]]; then
             printf "\033[31;1mERROR!\033[0m ${TEST_NAME} only covers ${FEATURE_COVERAGE} features, which is below ${MIN_FEATURES_COVERED}! This may be due to missing corpus files or a bug.\n"
             exit -1;
         fi