Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix: update default cert chain for unit tests #4582

Merged
merged 19 commits into from
Jun 17, 2024
Merged

Conversation

jouho
Copy link
Contributor

@jouho jouho commented Jun 4, 2024

Resolved issues:

Resolves #4541 where unit tests fail due to SHA1 deprecation when built with RHEL9 environment

Description of changes:

  • currently, S2N_DEFAULT_CERT_CHAIN is set to rsa_2048_pkcs1_cert.pem which is signed with SHA1, and we want a similar cert chain that uses signature algorithm that is not SHA1

  • to do this:

  • S2N_DEFAULT_TEST_CERT_CHAIN is now defined with rsae_pkcs_2048_sha256/server-chain.pem

  • S2N_DEFAULT_TEST_PRIVATE_KEY is now defined with rsae_pkcs_2048_sha256/server-key.pem

  • Some tests are modified to adopt cert changes

  • s2n-tls/tests/pems/ocsp/ocsp_response_revoked.der is now signed with sha256WithRSAEncryption instead of sha1WithRSAEncryption

Call-outs:

Testing:

Confirmed all unit tests pass. We will reach out the user in order to confirm this change fixes their issue with RHEL9 build

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the s2n-core team label Jun 4, 2024
@jouho jouho requested review from maddeleine and goatgoose June 4, 2024 23:36
@jouho jouho marked this pull request as ready for review June 4, 2024 23:36
tests/pems/rsa_2048_pkcs1_sha256_cert.pem Outdated Show resolved Hide resolved
tests/testlib/s2n_testlib.h Show resolved Hide resolved
@jouho jouho requested a review from goatgoose June 5, 2024 20:44
@maddeleine
Copy link
Contributor

Can you try testing this with the patch that RHEL9 is using? I think it shouldn't be too hard.

@wombelix
Copy link

wombelix commented Jun 6, 2024

I appreciate that your work on a fix for the Issue I've reported. If there is anything I can do to help, please let me know.

@jouho
Copy link
Contributor Author

jouho commented Jun 8, 2024

@wombelix since it is difficult for us to replicate RHEL9 environment, could you apply this patch to see if it fixes the issue? We have updated our test certificate chain so it now uses SHA256 instead of SHA1.

diff --git a/tests/testlib/s2n_testlib.h b/tests/testlib/s2n_testlib.h
index 78754fed2..e05da3eef 100644
--- a/tests/testlib/s2n_testlib.h
+++ b/tests/testlib/s2n_testlib.h
@@ -100,8 +100,10 @@ S2N_RESULT s2n_connection_set_test_master_secret(struct s2n_connection *conn, co
 /* These paths assume that the unit tests are run from inside the unit/ directory.
  * Absolute paths will be needed if test directories go to deeper levels.
  */
-#define S2N_RSA_2048_PKCS8_CERT_CHAIN "../pems/rsa_2048_pkcs8_cert.pem"
-#define S2N_RSA_2048_PKCS1_CERT_CHAIN "../pems/rsa_2048_pkcs1_cert.pem"
+#define S2N_RSA_2048_PKCS8_CERT_CHAIN        "../pems/rsa_2048_pkcs8_cert.pem"
+#define S2N_RSA_2048_PKCS1_CERT_CHAIN        "../pems/rsa_2048_pkcs1_cert.pem"
+#define S2N_RSA_2048_PKCS1_SHA256_CERT_CHAIN "../pems/permutations/rsae_pkcs_2048_sha256/server-chain.pem"
+#define S2N_RSA_2048_PKCS1_SHA256_CERT_KEY   "../pems/permutations/rsae_pkcs_2048_sha256/server-key.pem"
 
 #define S2N_RSA_2048_PKCS1_LEAF_CERT    "../pems/rsa_2048_pkcs1_leaf.pem"
 #define S2N_ECDSA_P256_PKCS1_CERT_CHAIN "../pems/ecdsa_p256_pkcs1_cert.pem"
@@ -194,8 +196,8 @@ S2N_RESULT s2n_connection_set_test_master_secret(struct s2n_connection *conn, co
 
 #define S2N_TEST_TRUST_STORE "../pems/trust-store/ca-bundle.crt"
 
-#define S2N_DEFAULT_TEST_CERT_CHAIN  S2N_RSA_2048_PKCS1_CERT_CHAIN
-#define S2N_DEFAULT_TEST_PRIVATE_KEY S2N_RSA_2048_PKCS1_KEY
+#define S2N_DEFAULT_TEST_CERT_CHAIN  S2N_RSA_2048_PKCS1_SHA256_CERT_CHAIN
+#define S2N_DEFAULT_TEST_PRIVATE_KEY S2N_RSA_2048_PKCS1_SHA256_CERT_KEY
 
 #define S2N_DEFAULT_ECDSA_TEST_CERT_CHAIN  S2N_ECDSA_P384_PKCS1_CERT_CHAIN
 #define S2N_DEFAULT_ECDSA_TEST_PRIVATE_KEY S2N_ECDSA_P384_PKCS1_KEY
diff --git a/tests/unit/s2n_cert_validation_callback_test.c b/tests/unit/s2n_cert_validation_callback_test.c
index bd85a6c92..01615f535 100644
--- a/tests/unit/s2n_cert_validation_callback_test.c
+++ b/tests/unit/s2n_cert_validation_callback_test.c
@@ -222,7 +222,7 @@ int main(int argc, char *argv[])
             DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
             EXPECT_NOT_NULL(conn);
             EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
-            EXPECT_SUCCESS(s2n_set_server_name(conn, "s2nTestServer"));
+            EXPECT_SUCCESS(s2n_set_server_name(conn, "localhost"));
 
             DEFER_CLEANUP(struct s2n_stuffer cert_chain_stuffer = { 0 }, s2n_stuffer_free);
             EXPECT_OK(s2n_test_cert_chain_data_from_pem(conn, S2N_DEFAULT_TEST_CERT_CHAIN, &cert_chain_stuffer));
@@ -313,7 +313,7 @@ int main(int argc, char *argv[])
             EXPECT_NOT_NULL(client_conn);
             EXPECT_SUCCESS(s2n_connection_set_config(client_conn, config));
             EXPECT_SUCCESS(s2n_connection_set_blinding(client_conn, S2N_SELF_SERVICE_BLINDING));
-            EXPECT_SUCCESS(s2n_set_server_name(client_conn, "s2nTestServer"));
+            EXPECT_SUCCESS(s2n_set_server_name(client_conn, "localhost"));
 
             DEFER_CLEANUP(struct s2n_test_io_pair io_pair = { 0 }, s2n_io_pair_close);
             EXPECT_SUCCESS(s2n_io_pair_init_non_blocking(&io_pair));
@@ -359,7 +359,7 @@ int main(int argc, char *argv[])
             DEFER_CLEANUP(struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
             EXPECT_NOT_NULL(client_conn);
             EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
-            EXPECT_SUCCESS(s2n_set_server_name(client_conn, "s2nTestServer"));
+            EXPECT_SUCCESS(s2n_set_server_name(client_conn, "localhost"));
 
             DEFER_CLEANUP(struct s2n_test_io_pair io_pair = { 0 }, s2n_io_pair_close);
             EXPECT_SUCCESS(s2n_io_pair_init_non_blocking(&io_pair));

diff --git a/tests/unit/s2n_config_test.c b/tests/unit/s2n_config_test.c
index bbe783fca..aa4687f81 100644
--- a/tests/unit/s2n_config_test.c
+++ b/tests/unit/s2n_config_test.c
@@ -925,7 +925,7 @@ int main(int argc, char **argv)
                         s2n_connection_ptr_free);
                 EXPECT_NOT_NULL(client_conn);
                 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
-                EXPECT_SUCCESS(s2n_set_server_name(client_conn, "s2nTestServer"));
+                EXPECT_SUCCESS(s2n_set_server_name(client_conn, "localhost"));
 
                 struct s2n_test_io_pair io_pair = { 0 };
                 EXPECT_SUCCESS(s2n_io_pair_init_non_blocking(&io_pair));
diff --git a/tests/unit/s2n_crl_test.c b/tests/unit/s2n_crl_test.c
index 54cc3ce1c..4017e0a7f 100644
--- a/tests/unit/s2n_crl_test.c
+++ b/tests/unit/s2n_crl_test.c
@@ -771,7 +771,7 @@ int main(int argc, char *argv[])
         DEFER_CLEANUP(struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
         EXPECT_NOT_NULL(client_conn);
         EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
-        EXPECT_SUCCESS(s2n_set_server_name(client_conn, "S2nTestServer"));
+        EXPECT_SUCCESS(s2n_set_server_name(client_conn, "localhost"));
         EXPECT_SUCCESS(s2n_connection_set_blinding(client_conn, S2N_SELF_SERVICE_BLINDING));
 
         DEFER_CLEANUP(struct s2n_test_io_pair io_pair = { 0 }, s2n_io_pair_close);
@@ -822,7 +822,7 @@ int main(int argc, char *argv[])
         DEFER_CLEANUP(struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
         EXPECT_NOT_NULL(client_conn);
         EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
-        EXPECT_SUCCESS(s2n_set_server_name(client_conn, "S2nTestServer"));
+        EXPECT_SUCCESS(s2n_set_server_name(client_conn, "localhost"));
         EXPECT_SUCCESS(s2n_connection_set_blinding(client_conn, S2N_SELF_SERVICE_BLINDING));
 
         DEFER_CLEANUP(struct s2n_test_io_pair io_pair = { 0 }, s2n_io_pair_close);
diff --git a/tests/unit/s2n_x509_validator_test.c b/tests/unit/s2n_x509_validator_test.c
index 41a4a4ef5..ab4731007 100644
--- a/tests/unit/s2n_x509_validator_test.c
+++ b/tests/unit/s2n_x509_validator_test.c
@@ -26,8 +26,8 @@ static int mock_time(void *data, uint64_t *timestamp)
 
 static int fetch_expired_after_ocsp_timestamp(void *data, uint64_t *timestamp)
 {
-    /* 2200-11-27 */
-    *timestamp = 7283958536000000000;
+    /* 2250-01-01 */
+    *timestamp = 8835984000000000000;
     return 0;
 }

@@ -585,11 +577,10 @@ int main(int argc, char **argv)
         uint8_t *chain_data = s2n_stuffer_raw_read(&cert_chain_stuffer, chain_len);
         EXPECT_NOT_NULL(chain_data);
 
-        /* The default cert chain includes a SHA1 signature, so the security policy must allow SHA1 cert signatures. */
         EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(connection, "default"));
 
         /* alter a random byte in the certificate to make it invalid */
-        chain_data[500] = (uint8_t) (chain_data[500] << 2);
+        chain_data[200] = (uint8_t) (chain_data[200] << 2);
         struct s2n_pkey public_key_out;
         EXPECT_SUCCESS(s2n_pkey_zero_init(&public_key_out));
         s2n_pkey_type pkey_type = S2N_PKEY_TYPE_UNKNOWN;


diff --git a/tests/unit/s2n_x509_validator_time_verification_test.c b/tests/unit/s2n_x509_validator_time_verification_test.c
index 3abefac35..e5bf73174 100644
--- a/tests/unit/s2n_x509_validator_time_verification_test.c
+++ b/tests/unit/s2n_x509_validator_time_verification_test.c
@@ -214,7 +214,7 @@ int main(int argc, char *argv[])
             DEFER_CLEANUP(struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
             EXPECT_NOT_NULL(client_conn);
             EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
-            EXPECT_SUCCESS(s2n_set_server_name(client_conn, "s2nTestServer"));
+            EXPECT_SUCCESS(s2n_set_server_name(client_conn, "localhost"));
 
             DEFER_CLEANUP(struct s2n_test_io_pair io_pair = { 0 }, s2n_io_pair_close);
             EXPECT_SUCCESS(s2n_io_pair_init_non_blocking(&io_pair));
@@ -256,7 +256,7 @@ int main(int argc, char *argv[])
         DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
         EXPECT_NOT_NULL(conn);
         EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
-        EXPECT_SUCCESS(s2n_set_server_name(conn, "s2nTestServer"));
+        EXPECT_SUCCESS(s2n_set_server_name(conn, "localhost"));
 
         DEFER_CLEANUP(struct s2n_stuffer cert_chain_stuffer = { 0 }, s2n_stuffer_free);
         EXPECT_OK(s2n_test_cert_chain_data_from_pem(conn, S2N_DEFAULT_TEST_CERT_CHAIN, &cert_chain_stuffer)); 

@wombelix
Copy link

@wombelix since it is difficult for us to replicate RHEL9 environment, could you apply this patch to see if it fixes the issue? We have updated our test certificate chain so it now uses SHA256 instead of SHA1.

Of course, my pleasure to help :)
It looks very good, just one test still reports Certificate is untrusted, I assume that one slipped through in the current version of the patch:

262/266 Test #265: s2n_x509_validator_test ..........................***Failed    0.06 sec
Running /builddir/build/BUILD/s2n-tls-1.4.16/tests/unit/s2n_x509_validator_test.c ... NOTE: Some details are omitted, run with S2N_PRINT_STACKTRACE=1 for a verbose backtrace.
See https://github.com/aws/s2n-tls/blob/main/docs/usage-guide
FAILED test 346
(s2n_errno) == (S2N_ERR_CERT_REVOKED) is not true  (/builddir/build/BUILD/s2n-tls-1.4.16/tests/unit/s2n_x509_validator_test.c:1410)
Error Message: 'Certificate is untrusted'
 Debug String: 'Error encountered in /builddir/build/BUILD/s2n-tls-1.4.16/tls/s2n_x509_validator.c:871'
 System Error: Success (0)

99% tests passed, 1 tests failed out of 266

The following tests FAILED:
	265 - s2n_x509_validator_test (Failed)

@jouho
Copy link
Contributor Author

jouho commented Jun 10, 2024

It looks very good, just one test still reports Certificate is untrusted, I assume that one slipped through in the current version of the patch:

Thank you for testing @wombelix

Hmm this one looks like another issue outside of SHA1 deprecation, but I'm not exactly sure why it fails. The certs used in this test are using SHA256 with RSAE. It might be helpful if you could troubleshoot this to see why this specific test is not working with RHEL9. @maddeleine @goatgoose any guesses?

@jouho
Copy link
Contributor Author

jouho commented Jun 10, 2024

I was wrong. The OCSP response is using SHA1 and that could be the problem.

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, ST = WA, O = s2n, OU = s2n Test OCSP, CN = ocsp.s2ntest.com
    Produced At: Jun 22 21:22:25 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: DE7932B3217E48FB4E47AE0B9007A55376AE44CA
      Issuer Key Hash: 12DF817571CA92D3CE1B2C2B773B9E3377F3F76F
      Serial Number: 7778
    Cert Status: revoked
    Revocation Time: Aug 12 05:39:25 2018 GMT
    This Update: Jun 22 21:22:25 2020 GMT
    Next Update: Jun  7 21:22:25 2080 GMT

    Response Extensions:
        OCSP Nonce: 
            0410DEE9E806BF49E4448329C2047689609A
    Signature Algorithm: sha1WithRSAEncryption
    Signature Value:
        9f:99:98:1b:de:cf:7b:35:a9:4d:4b:04:32:ff:96:e9:83:29:
        0f:a3:20:b0:06:f9:56:61:ae:64:2c:a6:09:94:05:53:6b:aa:
        0d:83:61:65:ae:53:d9:2b:08:86:03:9e:41:1c:1b:67:6c:ed:
        18:0f:15:0a:74:24:99:32:e6:a8:69:94:8f:02:89:aa:4f:1e:
        3c:1d:f0:21:05:3b:b9:82:80:35:ef:42:7f:29:7f:c7:5f:b8:
        22:e2:44:d6:e6:0c:99:f3:88:31:ff:2a:b8:4b:6d:aa:d2:72:
        a4:9e:9d:fe:e5:fd:95:b7:de:bb:79:c9:d0:db:5c:3a:f8:a5:
        ba:29:d8:8f:f2:dc:55:ee:d5:2f:ab:42:87:c4:1e:7d:0a:d8:
        21:dc:ef:e0:27:8a:a5:7a:42:37:79:74:39:73:91:44:20:c1:
        ec:de:d2:3e:cc:b5:c7:18:98:fb:2c:cb:aa:01:b9:d6:d0:8a:
        4c:8b:cd:99:4d:e2:3e:0a:ab:68:cc:fe:0a:36:97:51:74:35:
        f4:18:44:b1:c5:41:c3:a9:63:2f:d2:44:ad:8a:b9:3e:75:fd:
        5e:59:5c:77:3e:3c:1d:ec:68:79:8f:07:cd:01:d4:dc:c4:cf:
        ee:90:6a:1e:a0:b3:3a:9e:a1:11:60:a6:f6:3b:f1:53:13:88:
        76:a8:c1:b2:3f:ba:39:bb:d2:8a:9f:fa:ef:a9:6e:04:ad:e7:
        db:50:f6:5f:73:e2:05:8e:d9:74:7d:d5:73:c5:e4:d5:fa:75:
        ea:66:0a:2b:17:79:8c:30:84:85:6e:ad:4e:2e:e1:6f:2f:7a:
        07:7e:fb:f9:e6:10:df:6d:39:ed:31:97:08:bb:83:b2:72:c2:
        97:2c:5a:40:80:ad:2c:33:6d:be:0d:ac:f0:bd:ff:2b:9c:b9:
        ec:ee:51:19:51:91:a4:2d:bc:74:bb:61:5e:93:56:8e:40:1b:
        4b:85:af:12:80:7f:7a:22:59:93:2d:0c:ce:a5:98:11:46:53:
        4e:2d:79:3d:4d:9f:41:a2:81:be:fc:25:00:50:9f:32:f9:e8:
        27:0a:91:85:d7:48:d8:d8:d7:7b:bc:00:3b:12:7f:b4:36:d1:
        9c:57:39:fa:85:92:85:16:ff:58:10:e4:b7:1a:a1:b9:3d:94:
        59:2b:b8:20:26:3c:fd:a6:8e:60:a0:9e:b9:b3:77:1b:7d:bc:
        c4:71:f3:2e:3f:eb:e8:3c:cf:3d:19:ed:b6:0f:36:46:ae:39:
        99:4b:ff:fc:14:3a:58:f5:82:6f:4f:64:9e:62:20:13:64:4e:
        58:f3:92:f1:ed:8f:28:fd:77:04:8a:34:bb:e6:59:95:eb:9f:
        b1:fe:07:64:11:05:be:e8

In order to fix this the OCSP response file needs to be updated to not use SHA1

@jouho
Copy link
Contributor Author

jouho commented Jun 11, 2024

It seems that we currently only use sha1 for cert_id and therefore the test fails even with an OCSP response generated with sha256:

/* sha1 is the only supported OCSP digest */
OCSP_CERTID *cert_id = OCSP_cert_to_id(EVP_sha1(), subject, issuer);
RESULT_ENSURE_REF(cert_id);

To move forward, we should still update the default cert chain with sha256, but we do not plan to support sha256 for cert_id digest for now without sufficient investigations on why/why not. @wombelix you might just need to modify or turn this test off for now.

tests/unit/s2n_mem_usage_test.c Show resolved Hide resolved
EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(connection, "default"));

/* alter a random byte in the certificate to make it invalid */
chain_data[500] = (uint8_t) (chain_data[500] << 2);
chain_data[200] = (uint8_t) (chain_data[200] << 2);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we use chain_len - 1 or something here to make sure we're not writing past chain_data?

Copy link
Contributor Author

@jouho jouho Jun 13, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test is trying to alter the "end-entity certificate" to make it invalid. I believe that is stored earlier in the chain_data[] array so using chain_len - 1 does not work. If I use smaller values like 5, it then throws error decoding certificate presumably because it messes up the header information and now doesn't know how to decode the cert. I'm not sure if there is a good way to skip this header bytes accurately

Copy link
Contributor

@goatgoose goatgoose Jun 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it okay. In that case, could we at least assert that 200 doesn't index past chain_data?

Suggested change
chain_data[200] = (uint8_t) (chain_data[200] << 2);
size_t corrupt_index = 200;
EXPECT_TRUE(chain_len > corrupt_index);
chain_data[corrupt_index] = (uint8_t) (chain_data[corrupt_index] << 2);

@jouho
Copy link
Contributor Author

jouho commented Jun 13, 2024

Actually, sha1 used on cert_id may not matter. What matters is sha1 used for signature algorithm. I updated the oscp response file to use sha256 with rsa encryption. @wombelix can you apply this patch on top of the previous patch to see if it resolves the error?

diff --git a/tests/pems/ocsp/ocsp_response_revoked.der b/tests/pems/ocsp/ocsp_response_revoked.der
index 6a9adcd2420d702701504185f0a26b1bb51597f1..d721d02ccc7fe4a3ae42438b751e3db4e5e59f2c 100644
GIT binary patch
delta 631
zcmV--0*L*|5y=sdiVHL_HZd|XGc`3ZFp-s7e>5;QF)}hUH8n6WTA&da4>B<_G%z(W
zIWjXfH83z*p(8LMFdqg9D+U1t1qUzz0t6BS5Px8fLMQUYn=-AEx}WIvs4xu%2`Yw2
zhW8Bt0Sg5H1A+np0E`R8+yH76`0$1K&?)wezsh;zPP%{oYtF3Fu4s*(8Vz3Rj@SDU
zf39`(|I#d%nMU<a2%ltwrfWh_shF{dmI1gvshrEB^X)K-v#voIF%Dyddv6(NjDLF4
zPfmjG)*QPSP5`=252N)<{l&1d_V;98{PeBChMH3KTKeHnO>`PCu|PZ#LoLFX$X{5@
zZrFSRP<^Y~jbN?*eH`cEz*&JkR<%g0f0O9nbY63HwoG$UuYQ{RZ|Mpur5YI2)YNez
zaP-oKa6N9U7!-`Yn1OjCcf>=UD}>(LTp9O4R<551sjiAt(Ji9u37jr<PpJ{#`+#}?
zp>*W3W4g2a4TIwfrz!26j`6pqjvEHrP^b7)JK<e48%nWE;Ry(YpxNYg4g>yFe~T3E
z4eIGo6CWvuOT%3TO@g_Me`75JWWbo#?9K(Sv%Z2hhk;C!KquE7?2MEouDBe{-wC(|
zjb|X|BSfVE3|3i*5p7xzW0gkMuZrh-nct3Y_?1~_9{h|QfC8~neV%mOPK-zqyB}w7
z<Vg8*T=164cq}BkQXw?+o$zNNT;$u|!cauBH^{0@i^F02wiIm8_S%OJfb?V><q%5<
zzBvLAeB4?4a3aLLSfEhRdGO(0)V7WUh(ukn=255i=!pMG%b{}0u+SsYP4ZUzJdyxO
RB8u(Aae(a82eU^5f(0?GC!GKQ

delta 631
zcmV--0*L*|5y=sdiVH9>HZn3YF)}hTHIbECe=smMGBPqTGBPqXTA&da4>B+~FfcYS
zH!?9YGBPz<p(8LMFdqg9D+U1t1qUzz0t6BS5Z>wN2ER$<M1v{91a^sFnlKFp2`Yw2
zhW8Bt0R;sB1A+np0H2wd8{W@*HK|QY1Tz1Y>4PZ`qad&b`Bq`BWGto$lm%03stto-
ze`T&y*((T!1D-(~8)t0o7!MT+bR?NF=BR0uj{=FRPaZrS@F4{|xq^T-??Qhmf5%_A
zBH~2W<_wwhh%x^vxJzxS(sHDpo&M$hmABrzdCAb*Tsrurx+&O?^4wMK)i0|;hr}Lz
z3fLjs@8BnjrFud)d2~5*kwhTD?B3Eof6TSV7?}Gk%c=pn*3gPfi_Mu$;ywziXw3c!
zHkVO!HS`!nvBg2dsbeqFM6HUsK6U+GSzLEMJRR(4d5;Ip0o2^Y&+d?F9-y;2o}m$7
zruIAWQxk}GsKK&7x;eYjil6%Lscr<V=i5;BUvuIGj@fj5)pNz<)%tbnW(q48e|d~B
zgoSRcPA=hZFM0=l`}yV&-)%YVF_#FtgR*kMmn>R9fUPVuZN3ex@V);loVo1oQ5jK@
zq%FL3yJ23FR*pa$ONFlzfPZ=-S(7ac&ZU?UMpI5Lc|A>^L85`a{3QTTpECLACkl~;
z*GSmd*L%DGI}(4iHqo3{Ir@c?T!j|@SP<m58lky8lvyjdASOKhrjB5sp1HGk8-2XQ
zaq})e>*zesJsIt`4>m@wIhjlU{1iG^^@49tWS(Lm6J$<U^OEuHk0||j1d24f=2?~N
RpRxW2WDy0v=(9%yf(7!r9$f$c



@jouho
Copy link
Contributor Author

jouho commented Jun 14, 2024

I was able to replicate RHEL9 build issues thanks to @maddeleine's help. Steps to recreate the issue:

  1. apply patch 44, 45, and 49 in that order to openssl 3.2.1
  2. build openssl with the applied patches
  3. build s2n-tls with openssl 3.2.1

The updated cert and ocsp response file seem to be passing the unit test, so I can conform this change will fix the RHEL9 build issue.

@jouho jouho requested review from goatgoose and maddeleine June 14, 2024 21:06
EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(connection, "default"));

/* alter a random byte in the certificate to make it invalid */
chain_data[500] = (uint8_t) (chain_data[500] << 2);
chain_data[200] = (uint8_t) (chain_data[200] << 2);
Copy link
Contributor

@goatgoose goatgoose Jun 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it okay. In that case, could we at least assert that 200 doesn't index past chain_data?

Suggested change
chain_data[200] = (uint8_t) (chain_data[200] << 2);
size_t corrupt_index = 200;
EXPECT_TRUE(chain_len > corrupt_index);
chain_data[corrupt_index] = (uint8_t) (chain_data[corrupt_index] << 2);

@jouho jouho enabled auto-merge (squash) June 17, 2024 16:59
@jouho jouho merged commit c8a0444 into main Jun 17, 2024
36 checks passed
@jouho jouho deleted the update_default_test_cert branch June 17, 2024 18:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 tests failing with Error Message: 'Certificate is untrusted' when compiling on RHEL 9
4 participants