@@ -25,6 +25,11 @@ int main(int argc, char *argv[])
2525{
2626 BEGIN_TEST ();
2727
28+ DEFER_CLEANUP (struct s2n_cert_chain_and_key * chain_and_key = NULL ,
29+ s2n_cert_chain_and_key_ptr_free );
30+ EXPECT_SUCCESS (s2n_test_cert_chain_and_key_new (& chain_and_key ,
31+ S2N_DEFAULT_TEST_CERT_CHAIN , S2N_DEFAULT_TEST_PRIVATE_KEY ));
32+
2833 /* Test s2n_sslv2_record_header_parse */
2934 {
3035 const struct {
@@ -159,5 +164,52 @@ int main(int argc, char *argv[])
159164 };
160165 };
161166
167+ /* Ensure that the input buffer is wiped after failing to read a record */
168+ {
169+ DEFER_CLEANUP (struct s2n_config * config = s2n_config_new_minimal (), s2n_config_ptr_free );
170+ EXPECT_NOT_NULL (config );
171+ EXPECT_SUCCESS (s2n_config_add_cert_chain_and_key_to_store (config , chain_and_key ));
172+ EXPECT_SUCCESS (s2n_config_disable_x509_verification (config ));
173+
174+ DEFER_CLEANUP (struct s2n_connection * client = s2n_connection_new (S2N_CLIENT ),
175+ s2n_connection_ptr_free );
176+ EXPECT_NOT_NULL (client );
177+ DEFER_CLEANUP (struct s2n_connection * server = s2n_connection_new (S2N_SERVER ),
178+ s2n_connection_ptr_free );
179+ EXPECT_NOT_NULL (server );
180+
181+ EXPECT_SUCCESS (s2n_connection_set_config (client , config ));
182+ EXPECT_SUCCESS (s2n_connection_set_config (server , config ));
183+
184+ EXPECT_SUCCESS (s2n_connection_set_blinding (server , S2N_SELF_SERVICE_BLINDING ));
185+
186+ DEFER_CLEANUP (struct s2n_test_io_stuffer_pair stuffer_pair = { 0 },
187+ s2n_io_stuffer_pair_free );
188+ EXPECT_OK (s2n_io_stuffer_pair_init (& stuffer_pair ));
189+ EXPECT_OK (s2n_connections_set_io_stuffer_pair (client , server , & stuffer_pair ));
190+
191+ EXPECT_SUCCESS (s2n_negotiate_test_server_and_client (server , client ));
192+
193+ /* Send some test data to the server. */
194+ uint8_t test_data [] = "hello world" ;
195+ s2n_blocked_status blocked = S2N_NOT_BLOCKED ;
196+ ssize_t send_size = s2n_send (client , test_data , sizeof (test_data ), & blocked );
197+ EXPECT_EQUAL (send_size , sizeof (test_data ));
198+
199+ /* Invalidate an encrypted byte to cause decryption to fail. */
200+ struct s2n_stuffer invalidation_stuffer = stuffer_pair .server_in ;
201+ uint8_t * first_byte = s2n_stuffer_raw_read (& invalidation_stuffer , 1 );
202+ EXPECT_NOT_NULL (first_byte );
203+ * first_byte += 1 ;
204+
205+ /* Receive the invalid data. */
206+ uint8_t buffer [sizeof (test_data )] = { 0 };
207+ ssize_t ret = s2n_recv (server , buffer , sizeof (buffer ), & blocked );
208+ EXPECT_FAILURE_WITH_ERRNO (ret , S2N_ERR_DECRYPT );
209+
210+ /* Ensure that the invalid data has been wiped from the input buffer. */
211+ EXPECT_TRUE (s2n_stuffer_is_wiped (& server -> in ));
212+ }
213+
162214 END_TEST ();
163215}
0 commit comments