test: disallow explicit use of "default" policy in tests #4750

Merged: 14 commits, Sep 23, 2024

@toidiu toidiu commented Sep 4, 2024

Description of changes:

As a modern TLS library, s2n-tls aims to provide sane defaults. To uphold this promise, we are planning to add TLS1.3 support to the "default" and "default_fips" policies. However, making this change can result in broken tests since connections will now negotiate TLS1.3 and we have to assume that old tests were written to assume that TLS1.2 would be negotiated.

To prevent this regression, this PR attempts to find "explicit" usage of the "default" policy (implicit detection will be a followup; "default_fips" will be a followup) and replace it with the immutable numbered policy 20240501. I audited both the C and Rust codebases for "default" security policy usage, allowing for exceptions for tests which didn't care about the protocol.

Call-outs:

The detection logic can be viewed by looking at the detection logic cleanup commit.

  • Detection logic was done in function s2n_find_security_policy_from_version in file s2n_security_policies.c
    • matches_default: bail if code attempted to use the "default" security policy
    • dbg_bail: allow exception for tests that really do want to test the "default" policy
    • dbg_config_init: allow exceptions when creating a new s2n_config_new()
    • s2n_is_initialized: allow exception for s2n_init() to create the default static config

The PR also adds an additional check to grep_simple_mistakes.sh

  • simple grep: prevent future explicit use of "default" in C code and DEFAULT in Rust code

Testing:

Tests should continue to pass.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
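
An added example, not the check from grep_simple_mistakes.sh in this PR: a shell check of the kind the call-outs describe, which fails when test code names the "default" policy explicitly instead of a numbered policy such as 20240501. The match patterns, the `allow-default-policy` opt-out marker and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the s2n-tls script. The patterns, the opt-out marker and
# the sample files are assumptions constructed for illustration.

ALLOW_MARKER='allow-default-policy'  # hypothetical marker for tests that really want "default"

# Print file:line:text for every explicit default-policy use under directory $1.
find_explicit_default() {
    {
        # C: the exact string literal "default" ("default_fips" does not match)
        find "$1" -name '*.c' -exec grep -n '"default"' /dev/null {} + || true
        # Rust: the DEFAULT constant as a whole word (DEFAULT_TLS13 does not match)
        find "$1" -name '*.rs' -exec grep -nw 'DEFAULT' /dev/null {} + || true
    } | grep -v "$ALLOW_MARKER" || true
}

# Return 1 and report on stderr when a violation exists, 0 otherwise.
check_explicit_default() {
    hits=$(find_explicit_default "$1")
    [ -z "$hits" ] && return 0
    printf 'explicit "default" policy; pin a numbered policy such as 20240501:\n%s\n' "$hits" >&2
    return 1
}

# Build the constructed sample tree and print its path.
make_sample_tree() {
    d=$(mktemp -d)
    echo 's2n_config_set_cipher_preferences(config, "20240501");' > "$d/pinned_test.c"
    printf '%s\n' \
        's2n_config_set_cipher_preferences(config, "default");' \
        's2n_config_set_cipher_preferences(config, "default_fips");' > "$d/bad_test.c"
    echo 's2n_config_set_cipher_preferences(config, "default"); /* allow-default-policy */' \
        > "$d/policy_test.c"
    echo 'builder.set_security_policy(&security::DEFAULT)?;' > "$d/bad.rs"
    echo 'builder.set_security_policy(&security::DEFAULT_TLS13)?;' > "$d/tls13.rs"
    echo "$d"
}

tree=$(make_sample_tree)
check_explicit_default "$tree" || echo "check failed as expected for the sample tree"
rm -rf "$tree"
```

Matching the quoted literal rather than the bare word keeps "default_fips" out of scope, which mirrors the PR leaving that policy for a followup.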

@github-actions github-actions bot added the s2n-core team label Sep 4, 2024
@toidiu toidiu force-pushed the ak-explicitDefaultPolicy branch 3 times, most recently from 704982e to 7b2b48f Compare September 10, 2024 23:23
@toidiu toidiu marked this pull request as ready for review September 11, 2024 16:39
@toidiu toidiu requested a review from dougch as a code owner September 11, 2024 16:39
@lrstewart lrstewart self-requested a review September 11, 2024 18:46
@toidiu toidiu enabled auto-merge (squash) September 20, 2024 01:46
@toidiu toidiu merged commit 360feb2 into aws:main Sep 23, 2024
37 checks passed
toidiu added a commit to toidiu/s2n-tls that referenced this pull request Oct 1, 2024
@toidiu toidiu deleted the ak-explicitDefaultPolicy branch October 30, 2024 17:38
@toidiu toidiu restored the ak-explicitDefaultPolicy branch October 30, 2024 17:38
@toidiu toidiu deleted the ak-explicitDefaultPolicy branch November 6, 2024 00:01