aws · toidiu · Oct 15, 2024 · goatgoose · Oct 22, 2024 · goatgoose
diff --git a/tests/fuzz/s2n_certificate_extensions_parse_test.c b/tests/fuzz/s2n_certificate_extensions_parse_test.c
@@ -52,7 +52,6 @@ static const uint8_t TLS_VERSIONS[] = {S2N_TLS13};
 int s2n_fuzz_init(int *argc, char **argv[])
 {
     /* Initialize the trust store */
-    POSIX_GUARD_RESULT(s2n_config_testing_defaults_init_tls13_certs());
     POSIX_GUARD(s2n_enable_tls13_in_test());
     return S2N_SUCCESS;
 }
@@ -69,6 +68,7 @@ int s2n_fuzz_test(const uint8_t *buf, size_t len)
 
     struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT);
     POSIX_ENSURE_REF(client_conn);
+    POSIX_GUARD(s2n_connection_set_cipher_preferences(client_conn, "20240503"));
 
     /* Pull a byte off the libfuzzer input and use it to set parameters */
     uint8_t randval = 0;

diff --git a/tests/unit/s2n_config_test.c b/tests/unit/s2n_config_test.c
@@ -69,10 +69,14 @@ int main(int argc, char **argv)
 
     const s2n_mode modes[] = { S2N_CLIENT, S2N_SERVER };
 
-    const struct s2n_security_policy *default_security_policy = NULL, *tls13_security_policy = NULL, *fips_security_policy = NULL;
-    EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_tls13", &tls13_security_policy));
+    const struct s2n_security_policy *default_security_policy = NULL, *fips_security_policy = NULL,
+                                     *tls12_security_policy = NULL, *tls12_fips_security_policy = NULL,
+                                     *tls13_security_policy = NULL;
     EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_fips", &fips_security_policy));
     EXPECT_SUCCESS(s2n_find_security_policy_from_version("default", &default_security_policy));
+    EXPECT_SUCCESS(s2n_find_security_policy_from_version("20240501", &tls12_security_policy));
+    EXPECT_SUCCESS(s2n_find_security_policy_from_version("20240502", &tls12_fips_security_policy));
+    EXPECT_SUCCESS(s2n_find_security_policy_from_version("20240503", &tls13_security_policy));
 
     char cert[S2N_MAX_TEST_PEM_SIZE] = { 0 };
     EXPECT_SUCCESS(s2n_read_test_pem(S2N_DEFAULT_TEST_CERT_CHAIN, cert, S2N_MAX_TEST_PEM_SIZE));
@@ -102,9 +106,11 @@ int main(int argc, char **argv)
         EXPECT_SUCCESS(s2n_config_free(config));
     };
 
-    /* Connections created with default configs */
+    /* Connections created with default settings */
     {
-        /* For TLS1.2 */
+        EXPECT_SUCCESS(s2n_reset_tls13_in_test());
+
+        /* Not fips */
         if (!s2n_is_in_fips_mode()) {
             struct s2n_connection *conn = NULL;
             const struct s2n_security_policy *security_policy = NULL;
@@ -118,6 +124,41 @@ int main(int argc, char **argv)
             EXPECT_SUCCESS(s2n_connection_free(conn));
         }
 
+        /* For fips */
+        if (s2n_is_in_fips_mode()) {
+            struct s2n_connection *conn = NULL;
-            struct s2n_connection *conn = NULL;
+            DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
-            struct s2n_connection *conn = NULL;
+            DEFER_CLEANUP(struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
+            const struct s2n_security_policy *security_policy = NULL;
+            EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
+
+            EXPECT_EQUAL(conn->config, s2n_fetch_default_config());
+
+            EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
+            EXPECT_EQUAL(security_policy, fips_security_policy);
+
+            EXPECT_SUCCESS(s2n_connection_free(conn));
+        }
+
+        EXPECT_SUCCESS(s2n_disable_tls13_in_test());
+    };
+
+    /* Connections created with testing overrides */
+    {
+        /* For TLS1.2 */
+        if (!s2n_is_in_fips_mode()) {
+            EXPECT_SUCCESS(s2n_disable_tls13_in_test());
+            struct s2n_connection *conn = NULL;
+            const struct s2n_security_policy *security_policy = NULL;
+            EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
+
+            EXPECT_EQUAL(conn->config, s2n_fetch_default_config());
+
+            EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
+            EXPECT_EQUAL(security_policy, tls12_security_policy);
+
+            EXPECT_SUCCESS(s2n_connection_free(conn));
+            EXPECT_SUCCESS(s2n_disable_tls13_in_test());
+        }
+
         /* For TLS1.3 */
         {
             EXPECT_SUCCESS(s2n_enable_tls13_in_test());
@@ -136,14 +177,15 @@ int main(int argc, char **argv)
 
         /* For fips */
         if (s2n_is_in_fips_mode()) {
+            EXPECT_SUCCESS(s2n_disable_tls13_in_test());
             struct s2n_connection *conn = NULL;
             const struct s2n_security_policy *security_policy = NULL;
             EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
 
             EXPECT_EQUAL(conn->config, s2n_fetch_default_config());
 
             EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
-            EXPECT_EQUAL(security_policy, fips_security_policy);
+            EXPECT_EQUAL(security_policy, tls12_fips_security_policy);
 
             EXPECT_SUCCESS(s2n_connection_free(conn));
             EXPECT_SUCCESS(s2n_disable_tls13_in_test());
@@ -153,15 +195,18 @@ int main(int argc, char **argv)
     /* Test for s2n_config_new() and tls 1.3 behavior */
     {
         if (!s2n_is_in_fips_mode()) {
+            EXPECT_SUCCESS(s2n_disable_tls13_in_test());
+
             struct s2n_config *config = NULL;
             EXPECT_NOT_NULL(config = s2n_config_new());
-            EXPECT_EQUAL(config->security_policy, default_security_policy);
+            EXPECT_EQUAL(config->security_policy, tls12_security_policy);
             EXPECT_SUCCESS(s2n_config_free(config));
 
             EXPECT_SUCCESS(s2n_enable_tls13_in_test());
             EXPECT_NOT_NULL(config = s2n_config_new());
             EXPECT_EQUAL(config->security_policy, tls13_security_policy);
             EXPECT_SUCCESS(s2n_config_free(config));
+
             EXPECT_SUCCESS(s2n_disable_tls13_in_test());
         }
     };

diff --git a/tests/unit/s2n_connection_preferences_test.c b/tests/unit/s2n_connection_preferences_test.c
@@ -23,176 +23,122 @@
 #include "tls/s2n_security_policies.h"
 #include "tls/s2n_tls13.h"
 
-int main(int argc, char **argv)
+S2N_RESULT test_policy_behavior(const struct s2n_security_policy *policy,
-S2N_RESULT test_policy_behavior(const struct s2n_security_policy *policy,
+S2N_RESULT s2n_test_policy_behavior(const struct s2n_security_policy *policy,
-S2N_RESULT test_policy_behavior(const struct s2n_security_policy *policy,
+S2N_RESULT s2n_test_policy_behavior(const struct s2n_security_policy *policy,
+        const struct s2n_security_policy *compare_policy, const char *compare_policy_name)
 {
-    BEGIN_TEST();
-    EXPECT_SUCCESS(s2n_disable_tls13_in_test());
-
-    const struct s2n_security_policy *default_security_policy = NULL, *tls13_security_policy = NULL, *fips_security_policy = NULL;
-    EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_tls13", &tls13_security_policy));
-    EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_fips", &fips_security_policy));
-    EXPECT_SUCCESS(s2n_find_security_policy_from_version("default", &default_security_policy));
-
-    /* Test default TLS1.2 */
-    if (!s2n_is_in_fips_mode()) {
-        struct s2n_connection *conn = NULL;
-        const struct s2n_cipher_preferences *cipher_preferences = NULL;
-        const struct s2n_security_policy *security_policy = NULL;
-        const struct s2n_kem_preferences *kem_preferences = NULL;
-        const struct s2n_signature_preferences *signature_preferences = NULL;
-        const struct s2n_ecc_preferences *ecc_preferences = NULL;
-
-        EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
-        EXPECT_NULL(conn->security_policy_override);
-
-        EXPECT_SUCCESS(s2n_connection_get_cipher_preferences(conn, &cipher_preferences));
-        EXPECT_EQUAL(cipher_preferences, default_security_policy->cipher_preferences);
-
-        EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
-        EXPECT_EQUAL(security_policy, default_security_policy);
-
-        EXPECT_SUCCESS(s2n_connection_get_kem_preferences(conn, &kem_preferences));
-        EXPECT_EQUAL(kem_preferences, default_security_policy->kem_preferences);
-
-        EXPECT_SUCCESS(s2n_connection_get_signature_preferences(conn, &signature_preferences));
-        EXPECT_EQUAL(signature_preferences, default_security_policy->signature_preferences);
+    RESULT_ENSURE_REF(policy);
 
-        EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(conn, &ecc_preferences));
-        EXPECT_EQUAL(ecc_preferences, default_security_policy->ecc_preferences);
-
-        EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(conn, "20170328"));
-        EXPECT_NOT_NULL(conn->security_policy_override);
+    struct s2n_connection *conn = NULL;
+    const struct s2n_cipher_preferences *cipher_preferences = NULL;
+    const struct s2n_security_policy *security_policy = NULL;
+    const struct s2n_kem_preferences *kem_preferences = NULL;
+    const struct s2n_signature_preferences *signature_preferences = NULL;
+    const struct s2n_ecc_preferences *ecc_preferences = NULL;
 
-        cipher_preferences = NULL;
-        EXPECT_SUCCESS(s2n_connection_get_cipher_preferences(conn, &cipher_preferences));
-        EXPECT_EQUAL(cipher_preferences, security_policy_20170328.cipher_preferences);
+    EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
+    EXPECT_NULL(conn->security_policy_override);
 
-        security_policy = NULL;
-        EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
-        EXPECT_EQUAL(security_policy, &security_policy_20170328);
+    EXPECT_SUCCESS(s2n_connection_get_cipher_preferences(conn, &cipher_preferences));
+    EXPECT_EQUAL(cipher_preferences, policy->cipher_preferences);
 
-        kem_preferences = NULL;
-        EXPECT_SUCCESS(s2n_connection_get_kem_preferences(conn, &kem_preferences));
-        EXPECT_EQUAL(kem_preferences, security_policy_20170328.kem_preferences);
+    EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
+    EXPECT_EQUAL(security_policy, policy);
 
-        signature_preferences = NULL;
-        EXPECT_SUCCESS(s2n_connection_get_signature_preferences(conn, &signature_preferences));
-        EXPECT_EQUAL(signature_preferences, security_policy_20170328.signature_preferences);
+    EXPECT_SUCCESS(s2n_connection_get_kem_preferences(conn, &kem_preferences));
+    EXPECT_EQUAL(kem_preferences, policy->kem_preferences);
 
-        ecc_preferences = NULL;
-        EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(conn, &ecc_preferences));
-        EXPECT_EQUAL(ecc_preferences, security_policy_20170328.ecc_preferences);
+    EXPECT_SUCCESS(s2n_connection_get_signature_preferences(conn, &signature_preferences));
+    EXPECT_EQUAL(signature_preferences, policy->signature_preferences);
 
-        EXPECT_SUCCESS(s2n_connection_free(conn));
-    }
+    EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(conn, &ecc_preferences));
+    EXPECT_EQUAL(ecc_preferences, policy->ecc_preferences);
 
-    /* Test TLS1.3 */
-    {
-        EXPECT_SUCCESS(s2n_enable_tls13_in_test());
-        struct s2n_connection *conn = NULL;
-        const struct s2n_cipher_preferences *cipher_preferences = NULL;
-        const struct s2n_security_policy *security_policy = NULL;
-        const struct s2n_kem_preferences *kem_preferences = NULL;
-        const struct s2n_signature_preferences *signature_preferences = NULL;
-        const struct s2n_ecc_preferences *ecc_preferences = NULL;
+    /* Load a security_policy with the `compare_policy_name` and confirm it is equal
+     * to the `compare_policy`.
+     */
+    EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(conn, compare_policy_name));
+    EXPECT_NOT_NULL(conn->security_policy_override);
 
-        EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
-        EXPECT_NULL(conn->security_policy_override);
+    cipher_preferences = NULL;
+    EXPECT_SUCCESS(s2n_connection_get_cipher_preferences(conn, &cipher_preferences));
+    EXPECT_EQUAL(cipher_preferences, compare_policy->cipher_preferences);
 
-        EXPECT_SUCCESS(s2n_connection_get_cipher_preferences(conn, &cipher_preferences));
-        EXPECT_EQUAL(cipher_preferences, tls13_security_policy->cipher_preferences);
+    security_policy = NULL;
+    EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
+    EXPECT_EQUAL(security_policy, compare_policy);
 
-        EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
-        EXPECT_EQUAL(security_policy, tls13_security_policy);
+    kem_preferences = NULL;
+    EXPECT_SUCCESS(s2n_connection_get_kem_preferences(conn, &kem_preferences));
+    EXPECT_EQUAL(kem_preferences, compare_policy->kem_preferences);
 
-        EXPECT_SUCCESS(s2n_connection_get_kem_preferences(conn, &kem_preferences));
-        EXPECT_EQUAL(kem_preferences, tls13_security_policy->kem_preferences);
+    signature_preferences = NULL;
+    EXPECT_SUCCESS(s2n_connection_get_signature_preferences(conn, &signature_preferences));
+    EXPECT_EQUAL(signature_preferences, compare_policy->signature_preferences);
 
-        EXPECT_SUCCESS(s2n_connection_get_signature_preferences(conn, &signature_preferences));
-        EXPECT_EQUAL(signature_preferences, tls13_security_policy->signature_preferences);
+    ecc_preferences = NULL;
+    EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(conn, &ecc_preferences));
+    EXPECT_EQUAL(ecc_preferences, compare_policy->ecc_preferences);
 
-        EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(conn, &ecc_preferences));
-        EXPECT_EQUAL(ecc_preferences, tls13_security_policy->ecc_preferences);
+    EXPECT_SUCCESS(s2n_connection_free(conn));
 
-        EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(conn, "test_all_tls13"));
-        EXPECT_NOT_NULL(conn->security_policy_override);
+    return S2N_RESULT_OK;
+}
 
-        cipher_preferences = NULL;
-        EXPECT_SUCCESS(s2n_connection_get_cipher_preferences(conn, &cipher_preferences));
-        EXPECT_EQUAL(cipher_preferences, security_policy_test_all_tls13.cipher_preferences);
+int main(int argc, char **argv)
+{
+    BEGIN_TEST();
+    EXPECT_SUCCESS(s2n_disable_tls13_in_test());
 
-        security_policy = NULL;
-        EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
-        EXPECT_EQUAL(security_policy, &security_policy_test_all_tls13);
+    const struct s2n_security_policy *default_security_policy = NULL, *fips_security_policy = NULL,
+                                     *tls12_security_policy = NULL, *tls12_fips_security_policy = NULL,
+                                     *tls13_security_policy = NULL;
+    EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_fips", &fips_security_policy));
+    EXPECT_SUCCESS(s2n_find_security_policy_from_version("default", &default_security_policy));
+    EXPECT_SUCCESS(s2n_find_security_policy_from_version("20240501", &tls12_security_policy));
+    EXPECT_SUCCESS(s2n_find_security_policy_from_version("20240502", &tls12_fips_security_policy));
+    EXPECT_SUCCESS(s2n_find_security_policy_from_version("20240503", &tls13_security_policy));
 
-        kem_preferences = NULL;
-        EXPECT_SUCCESS(s2n_connection_get_kem_preferences(conn, &kem_preferences));
-        EXPECT_EQUAL(kem_preferences, security_policy_test_all_tls13.kem_preferences);
+    /* Test default */
+    {
+        EXPECT_SUCCESS(s2n_reset_tls13_in_test());
 
-        signature_preferences = NULL;
-        EXPECT_SUCCESS(s2n_connection_get_signature_preferences(conn, &signature_preferences));
-        EXPECT_EQUAL(signature_preferences, security_policy_test_all_tls13.signature_preferences);
+        /* TLS 1.2 */
+        if (!s2n_is_in_fips_mode()) {
+            EXPECT_OK(test_policy_behavior(default_security_policy, &security_policy_20240501, "20240501"));
+        }
 
-        ecc_preferences = NULL;
-        EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(conn, &ecc_preferences));
-        EXPECT_EQUAL(ecc_preferences, security_policy_test_all_tls13.ecc_preferences);
+        /* TLS 1.2 FIPS */
+        if (s2n_is_in_fips_mode()) {
+            EXPECT_OK(test_policy_behavior(fips_security_policy, &security_policy_20240502, "20240502"));
+        }
 
-        EXPECT_SUCCESS(s2n_connection_free(conn));
         EXPECT_SUCCESS(s2n_disable_tls13_in_test());
-    };
-
-    /* Test default fips */
-
-    if (s2n_is_in_fips_mode()) {
-        struct s2n_connection *conn = NULL;
-        const struct s2n_cipher_preferences *cipher_preferences = NULL;
-        const struct s2n_security_policy *security_policy = NULL;
-        const struct s2n_kem_preferences *kem_preferences = NULL;
-        const struct s2n_signature_preferences *signature_preferences = NULL;
-        const struct s2n_ecc_preferences *ecc_preferences = NULL;
-
-        EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
-        EXPECT_NULL(conn->security_policy_override);
-
-        EXPECT_SUCCESS(s2n_connection_get_cipher_preferences(conn, &cipher_preferences));
-        EXPECT_EQUAL(cipher_preferences, fips_security_policy->cipher_preferences);
-
-        EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
-        EXPECT_EQUAL(security_policy, fips_security_policy);
-
-        EXPECT_SUCCESS(s2n_connection_get_kem_preferences(conn, &kem_preferences));
-        EXPECT_EQUAL(kem_preferences, fips_security_policy->kem_preferences);
-
-        EXPECT_SUCCESS(s2n_connection_get_signature_preferences(conn, &signature_preferences));
-        EXPECT_EQUAL(signature_preferences, fips_security_policy->signature_preferences);
-
-        EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(conn, &ecc_preferences));
-        EXPECT_EQUAL(ecc_preferences, fips_security_policy->ecc_preferences);
+    }
 
-        EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(conn, "test_all_fips"));
-        EXPECT_NOT_NULL(conn->security_policy_override);
+    /* Test override */
+    {
+        /* Test override TLS1.2 */
+        if (!s2n_is_in_fips_mode()) {
+            EXPECT_SUCCESS(s2n_disable_tls13_in_test());
 
-        cipher_preferences = NULL;
-        EXPECT_SUCCESS(s2n_connection_get_cipher_preferences(conn, &cipher_preferences));
-        EXPECT_EQUAL(cipher_preferences, security_policy_test_all_fips.cipher_preferences);
+            EXPECT_OK(test_policy_behavior(tls12_security_policy, &security_policy_20170328, "20170328"));
+        }
 
-        security_policy = NULL;
-        EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
-        EXPECT_EQUAL(security_policy, &security_policy_test_all_fips);
+        /* Test override TLS1.3 */
+        {
+            EXPECT_SUCCESS(s2n_enable_tls13_in_test());
 
-        kem_preferences = NULL;
-        EXPECT_SUCCESS(s2n_connection_get_kem_preferences(conn, &kem_preferences));
-        EXPECT_EQUAL(kem_preferences, security_policy_test_all_fips.kem_preferences);
+            EXPECT_OK(test_policy_behavior(tls13_security_policy, &security_policy_test_all_tls13, "test_all_tls13"));
+        };
 
-        signature_preferences = NULL;
-        EXPECT_SUCCESS(s2n_connection_get_signature_preferences(conn, &signature_preferences));
-        EXPECT_EQUAL(signature_preferences, security_policy_test_all_fips.signature_preferences);
+        /* Test override default fips */
+        if (s2n_is_in_fips_mode()) {
+            EXPECT_SUCCESS(s2n_disable_tls13_in_test());
 
-        ecc_preferences = NULL;
-        EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(conn, &ecc_preferences));
-        EXPECT_EQUAL(ecc_preferences, security_policy_test_all_fips.ecc_preferences);
+            EXPECT_OK(test_policy_behavior(fips_security_policy, &security_policy_test_all_fips, "test_all_fips"));
+        }
 
-        EXPECT_SUCCESS(s2n_connection_free(conn));
+        EXPECT_SUCCESS(s2n_disable_tls13_in_test());
     }
 
     /* Test for NULL */