Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

test: disallow explict use of "default" policy in tests #4750

Merged
merged 14 commits into from
Sep 23, 2024

Conversation

toidiu
Copy link
Contributor

@toidiu toidiu commented Sep 4, 2024

Description of changes:

As a modern TLS library, s2n-tls aims to provide sane default. To uphold this promise, we are planning to add TLS1.3 support to the "default" and "default_fips" policies. However, making this change can result in broken tests since connections will now negotiate TLS1.3 and we have to assume that old tests were written to assume that TLS1.2 would be negotiated.

To prevent this regression, this PR attempts to find "explicit" usage of the "default" policy (implicit detection will be a followup)("default_fips" will be a followup) and replace it with the immutable numbered policy 20240501. I audited both the C and Rust codebase for "default" security policy usage, allowing for exceptions for tests which didnt care about the protocol.

Call-outs:

The detection logic can be viewed by looking at the detection logic cleanup commit.

  • Detection logic was done in function s2n_find_security_policy_from_version in file s2n_security_policies.c
    • matches_default: bail if code attempted to use the "default" security policy
    • dbg_bail: allow exception for test that really do want to test the "default" policy
    • dbg_config_init: allow exceptions when creating a new s2n_config_new()
    • s2n_is_initialized: allow exception for s2n_init() to create the default static config
      The PR also adds an additional check to grep_simple_mistakes.sh
  • simple grep: prevent future explicit use of "default" in C code and DEFAULT in Rust code

Testing:

Tests should continue to pass.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the s2n-core team label Sep 4, 2024
@toidiu toidiu force-pushed the ak-explicitDefaultPolicy branch 3 times, most recently from 704982e to 7b2b48f Compare September 10, 2024 23:23
@toidiu toidiu marked this pull request as ready for review September 11, 2024 16:39
@toidiu toidiu requested a review from dougch as a code owner September 11, 2024 16:39
@toidiu toidiu requested a review from goatgoose September 11, 2024 17:11
@toidiu toidiu force-pushed the ak-explicitDefaultPolicy branch from 7b2b48f to 6d0a465 Compare September 11, 2024 17:15
codebuild/bin/grep_simple_mistakes.sh Outdated Show resolved Hide resolved
codebuild/bin/grep_simple_mistakes.sh Outdated Show resolved Hide resolved
codebuild/bin/grep_simple_mistakes.sh Outdated Show resolved Hide resolved
@lrstewart lrstewart self-requested a review September 11, 2024 18:46
codebuild/bin/grep_simple_mistakes.sh Outdated Show resolved Hide resolved
@toidiu toidiu force-pushed the ak-explicitDefaultPolicy branch from fd5c82d to e6f3b28 Compare September 17, 2024 19:20
bindings/rust/s2n-tls/src/testing/s2n_tls.rs Outdated Show resolved Hide resolved
@toidiu toidiu force-pushed the ak-explicitDefaultPolicy branch from e6f3b28 to d45d31d Compare September 20, 2024 01:45
@toidiu toidiu enabled auto-merge (squash) September 20, 2024 01:46
@toidiu toidiu merged commit 360feb2 into aws:main Sep 23, 2024
37 checks passed
toidiu added a commit to toidiu/s2n-tls that referenced this pull request Oct 1, 2024
@toidiu toidiu deleted the ak-explicitDefaultPolicy branch October 30, 2024 17:38
@toidiu toidiu restored the ak-explicitDefaultPolicy branch October 30, 2024 17:38
@toidiu toidiu deleted the ak-explicitDefaultPolicy branch November 6, 2024 00:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants