blob_initialization_fix

aws · Jan 4, 2023 · 52ebedf · 52ebedf
1 parent 60a6667
commit 52ebedf
Show file tree

Hide file tree

Showing 15 changed files with 119 additions and 116 deletions.
diff --git a/codebuild/spec/buildspec_ubuntu_fuzz_artifacts.yml b/codebuild/spec/buildspec_ubuntu_fuzz_artifacts.yml
@@ -12,56 +12,23 @@
 # implied. See the License for the specific language governing permissions and
 # limitations under the License.
 version: 0.2
-
 env:
   variables:
     # CODEBUILD_ is a reserved namespace.
     CB_BIN_DIR: "./codebuild/bin"
 
 phases:
-  install:
-    runtime-versions:
-      python: 3.x
-    commands:
-      - echo Entered the install phase...
-      - |
-        if [ -d "third-party-src" ]; then
-          cd third-party-src;
-        fi
-      - $CB_BIN_DIR/install_ubuntu_dependencies.sh
-      - apt-key list
-      - add-apt-repository ppa:ubuntu-toolchain-r/test -y
-      - apt-get update -o Acquire::CompressionTypes::Order::=gz
-      - apt-get update -y
-      - |
-        if expr "${GCC_VERSION}" : "9" >/dev/null; then
-          apt-get install -y --no-install-recommends g++ g++-9 gcc gcc-9;
-        fi
-      - |
-        if expr "${GCC_VERSION}" : "6" >/dev/null; then
-          apt-get install -y --no-install-recommends g++ g++-6 gcc gcc-6;
-        fi
-      # Don't install old clang and llvm if LATEST_CLANG is enabled, handle it in install_clang.sh instead
-      - |
-        if expr "${LATEST_CLANG}" != "true" >/dev/null; then
-          apt-get install -y --no-install-recommends clang-3.9 llvm-3.9;
-        fi
-      - apt-get install -y --no-install-recommends indent iproute2 kwstyle lcov libssl-dev m4 make net-tools nettle-bin nettle-dev pkg-config psmisc python3-pip shellcheck sudo tcpdump unzip valgrind zlib1g-dev zlibc cmake
   pre_build:
     commands:
       - |
         if [ -d "third-party-src" ]; then
           cd third-party-src;
         fi
-      - $CB_BIN_DIR/install_default_dependencies.sh
+      - ln -s /usr/local $CODEBUILD_SRC_DIR/test-deps
       - touch tests/fuzz/placeholder_results.txt tests/fuzz/placeholder_output.txt
   build:
     commands:
-      - printenv
       - $CB_BIN_DIR/s2n_codebuild.sh
-  post_build:
-    commands:
-      - echo Build completed on `date`
 artifacts:
   files:
     - "./tests/fuzz/corpus/$FUZZ_TESTS/*"

diff --git a/codebuild/spec/buildspec_ubuntu_integ_openssl102_asanvalgrind.yml b/codebuild/spec/buildspec_ubuntu_integ_openssl102_asanvalgrind.yml
diff --git a/crypto/s2n_aead_cipher_aes_gcm.c b/crypto/s2n_aead_cipher_aes_gcm.c
@@ -210,7 +210,7 @@ static int s2n_aead_cipher_aes_gcm_destroy_key(struct s2n_session_key *key)
 
 static int s2n_aead_cipher_aes_gcm_encrypt(struct s2n_session_key *key, struct s2n_blob *iv, struct s2n_blob *aad, struct s2n_blob *in, struct s2n_blob *out)
 {
-    /* The size of the |in| blob includes the size of the data and the size of the ChaCha20-Poly1305 tag */
+    /* The size of the |in| blob includes the size of the data and the size of the AES-GCM tag */
     POSIX_ENSURE_GTE(in->size, S2N_TLS_GCM_TAG_LEN);
     POSIX_ENSURE_GTE(out->size, in->size);
     POSIX_ENSURE_EQ(iv->size, S2N_TLS_GCM_IV_LEN);

diff --git a/tests/cbmc/proofs/Makefile.common b/tests/cbmc/proofs/Makefile.common
@@ -4,7 +4,7 @@
 # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: MIT-0
 
-CBMC_STARTER_KIT_VERSION = CBMC starter kit 2.8
+CBMC_STARTER_KIT_VERSION = CBMC starter kit 2.8.8
 
 ################################################################
 # The CBMC Starter Kit depends on the files Makefile.common and

diff --git a/tests/cbmc/proofs/lib/print_tool_versions.py b/tests/cbmc/proofs/lib/print_tool_versions.py
@@ -0,0 +1,74 @@
+#!/usr/bin/env python3
+#
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+
+
+import logging
+import pathlib
+import shutil
+import subprocess
+
+
+_TOOLS = [
+    "cadical",
+    "cbmc",
+    "cbmc-viewer",
+    "cbmc-starter-kit-update",
+    "kissat",
+    "litani",
+]
+
+
+def _format_versions(table):
+    lines = [
+        "<table>",
+        '<tr><td colspan="2" style="font-weight: bold">Tool Versions</td></tr>',
+    ]
+    for tool, version in table.items():
+        if version:
+            v_str = f'<code><pre style="margin: 0">{version}</pre></code>'
+        else:
+            v_str = '<em>not found</em>'
+        lines.append(
+            f'<tr><td style="font-weight: bold; padding-right: 1em; '
+            f'text-align: right;">{tool}:</td>'
+            f'<td>{v_str}</td></tr>')
+    lines.append("</table>")
+    return "\n".join(lines)
+
+
+def _get_tool_versions():
+    ret = {}
+    for tool in _TOOLS:
+        err = f"Could not determine version of {tool}: "
+        ret[tool] = None
+        if not shutil.which(tool):
+            logging.error("%s'%s' not found on $PATH", err, tool)
+            continue
+        cmd = [tool, "--version"]
+        proc = subprocess.Popen(cmd, text=True, stdout=subprocess.PIPE)
+        try:
+            out, _ = proc.communicate(timeout=10)
+        except subprocess.TimeoutExpired:
+            logging.error("%s'%s --version' timed out", err, tool)
+            continue
+        if proc.returncode:
+            logging.error(
+                "%s'%s --version' returned %s", err, tool, str(proc.returncode))
+            continue
+        ret[tool] = out.strip()
+    return ret
+
+
+def main():
+    exe_name = pathlib.Path(__file__).name
+    logging.basicConfig(format=f"{exe_name}: %(message)s")
+
+    table = _get_tool_versions()
+    out = _format_versions(table)
+    print(out)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/tests/cbmc/proofs/run-cbmc-proofs.py b/tests/cbmc/proofs/run-cbmc-proofs.py
@@ -154,7 +154,7 @@ def get_args():
     }, {
             "flags": ["--version"],
             "action": "version",
-            "version": "CBMC starter kit 2.8",
+            "version": "CBMC starter kit 2.8.8",
             "help": "display version and exit"
     }, {
             "flags": ["--no-coverage"],
@@ -337,7 +337,7 @@ async def configure_proof_dirs( # pylint: disable=too-many-arguments
 def add_tool_version_job():
     cmd = [
         "litani", "add-job",
-        "--command", "cbmc-starter-kit-print-tool-versions .",
+        "--command", "./lib/print_tool_versions.py .",
         "--description", "printing out tool versions",
         "--phony-outputs", str(uuid.uuid4()),
         "--pipeline-name", "print_tool_versions",

diff --git a/tls/s2n_alerts.c b/tls/s2n_alerts.c
@@ -253,7 +253,8 @@ int s2n_queue_writer_close_alert_warning(struct s2n_connection *conn)
     alert[0] = S2N_TLS_ALERT_LEVEL_WARNING;
     alert[1] = S2N_TLS_ALERT_CLOSE_NOTIFY;
 
-    struct s2n_blob out = { .data = alert, .size = sizeof(alert) };
+    struct s2n_blob out = { 0 };
+    s2n_blob_init(&out, alert, sizeof(alert));
 
     /* If there is an alert pending or we've already sent a close_notify, do nothing */
     if (s2n_stuffer_data_available(&conn->writer_alert_out) || conn->close_notify_queued) {
@@ -278,7 +279,8 @@ static int s2n_queue_reader_alert(struct s2n_connection *conn, uint8_t level, ui
     alert[0] = level;
     alert[1] = error_code;
 
-    struct s2n_blob out = { .data = alert, .size = sizeof(alert) };
+    struct s2n_blob out = { 0 };
+    s2n_blob_init(&out, alert, sizeof(alert));
 
     /* If there is an alert pending, do nothing */
     if (s2n_stuffer_data_available(&conn->reader_alert_out)) {

diff --git a/tls/s2n_change_cipher_spec.c b/tls/s2n_change_cipher_spec.c
@@ -43,7 +43,8 @@ int s2n_client_ccs_recv(struct s2n_connection *conn)
     POSIX_GUARD(s2n_basic_ccs_recv(conn));
 
     /* Zero the sequence number */
-    struct s2n_blob seq = { .data = conn->secure->client_sequence_number, .size = sizeof(conn->secure->client_sequence_number) };
+    struct s2n_blob seq = { 0 };
+    s2n_blob_init(&seq, conn->secure->client_sequence_number, sizeof(conn->secure->client_sequence_number));
     POSIX_GUARD(s2n_blob_zero(&seq));
 
     /* Update the client to use the cipher-suite */
@@ -65,7 +66,8 @@ int s2n_server_ccs_recv(struct s2n_connection *conn)
     POSIX_GUARD(s2n_basic_ccs_recv(conn));
 
     /* Zero the sequence number */
-    struct s2n_blob seq = { .data = conn->secure->server_sequence_number, .size = sizeof(conn->secure->server_sequence_number) };
+    struct s2n_blob seq = { 0 };
+    s2n_blob_init(&seq, conn->secure->server_sequence_number, sizeof(conn->secure->server_sequence_number));
     POSIX_GUARD(s2n_blob_zero(&seq));
 
     /* Compute the finished message */

diff --git a/tls/s2n_cipher_suites.c b/tls/s2n_cipher_suites.c
@@ -998,7 +998,8 @@ int s2n_cipher_suites_init(void)
 
         /* Initialize SSLv3 cipher suite if SSLv3 utilizes a different record algorithm */
         if (cur_suite->sslv3_record_alg && cur_suite->sslv3_record_alg->cipher->is_available()) {
-            struct s2n_blob cur_suite_mem = { .data = (uint8_t *) cur_suite, .size = sizeof(struct s2n_cipher_suite) };
+            struct s2n_blob cur_suite_mem = { 0 };
+            s2n_blob_init(&cur_suite_mem, (uint8_t *) cur_suite, sizeof(struct s2n_cipher_suite));
             struct s2n_blob new_suite_mem = { 0 };
             POSIX_GUARD(s2n_dup(&cur_suite_mem, &new_suite_mem));
 

diff --git a/tls/s2n_config.c b/tls/s2n_config.c
@@ -841,10 +841,14 @@ int s2n_config_add_ticket_crypto_key(struct s2n_config *config,
     POSIX_ENSURE(s2n_find_ticket_key(config, name_data) == NULL, S2N_ERR_INVALID_TICKET_KEY_NAME_OR_NAME_LENGTH);
 
     uint8_t output_pad[S2N_AES256_KEY_LEN + S2N_TICKET_AAD_IMPLICIT_LEN] = { 0 };
-    struct s2n_blob out_key = { .data = output_pad, .size = s2n_array_len(output_pad) };
-    struct s2n_blob in_key = { .data = key, .size = key_len };
-    struct s2n_blob salt = { .size = 0 };
-    struct s2n_blob info = { .size = 0 };
+    struct s2n_blob out_key = { 0 };
+    s2n_blob_init(&out_key, output_pad, s2n_array_len(output_pad));
+    struct s2n_blob in_key = { 0 };
+    s2n_blob_init(&in_key, key, key_len);
+    struct s2n_blob salt = { 0 };
+    s2n_blob_init(&salt, NULL, 0);
+    struct s2n_blob info = { 0 };
+    s2n_blob_init(&info, NULL, 0);
 
     struct s2n_ticket_key *session_ticket_key = { 0 };
     DEFER_CLEANUP(struct s2n_blob allocator = { 0 }, s2n_free);

diff --git a/tls/s2n_handshake.c b/tls/s2n_handshake.c
@@ -251,11 +251,13 @@ int s2n_conn_find_name_matching_certs(struct s2n_connection *conn)
         return S2N_SUCCESS;
     }
     const char *name = conn->server_name;
-    struct s2n_blob hostname_blob = { .data = (uint8_t *) (uintptr_t) name, .size = strlen(name) };
+    struct s2n_blob hostname_blob = { 0 };
+    s2n_blob_init(&hostname_blob, (uint8_t *) (uintptr_t) name, strlen(name));
     POSIX_ENSURE_LTE(hostname_blob.size, S2N_MAX_SERVER_NAME);
     char normalized_hostname[S2N_MAX_SERVER_NAME + 1] = { 0 };
     POSIX_CHECKED_MEMCPY(normalized_hostname, hostname_blob.data, hostname_blob.size);
-    struct s2n_blob normalized_name = { .data = (uint8_t *) normalized_hostname, .size = hostname_blob.size };
+    struct s2n_blob normalized_name = { 0 };
+    s2n_blob_init(&normalized_name, (uint8_t *) normalized_hostname, hostname_blob.size);
     POSIX_GUARD(s2n_blob_char_to_lower(&normalized_name));
     struct s2n_stuffer normalized_hostname_stuffer;
     POSIX_GUARD(s2n_stuffer_init(&normalized_hostname_stuffer, &normalized_name));
@@ -270,7 +272,8 @@ int s2n_conn_find_name_matching_certs(struct s2n_connection *conn)
     if (!conn->handshake_params.exact_sni_match_exists) {
         /* We have not yet found an exact domain match. Try to find wildcard matches. */
         char wildcard_hostname[S2N_MAX_SERVER_NAME + 1] = { 0 };
-        struct s2n_blob wildcard_blob = { .data = (uint8_t *) wildcard_hostname, .size = sizeof(wildcard_hostname) };
+        struct s2n_blob wildcard_blob = { 0 };
+        s2n_blob_init(&wildcard_blob, (uint8_t *) wildcard_hostname, sizeof(wildcard_hostname));
         struct s2n_stuffer wildcard_stuffer;
         POSIX_GUARD(s2n_stuffer_init(&wildcard_stuffer, &wildcard_blob));
         POSIX_GUARD(s2n_create_wildcard_hostname(&normalized_hostname_stuffer, &wildcard_stuffer));

diff --git a/tls/s2n_handshake_io.c b/tls/s2n_handshake_io.c
@@ -900,7 +900,8 @@ static int s2n_advance_message(struct s2n_connection *conn)
 int s2n_generate_new_client_session_id(struct s2n_connection *conn)
 {
     if (conn->mode == S2N_SERVER) {
-        struct s2n_blob session_id = { .data = conn->session_id, .size = S2N_TLS_SESSION_ID_MAX_LEN };
+        struct s2n_blob session_id = { 0 };
+        s2n_blob_init(&session_id, conn->session_id, S2N_TLS_SESSION_ID_MAX_LEN);
 
         /* Generate a new session id */
         POSIX_GUARD_RESULT(s2n_get_public_random_data(&session_id));
@@ -1297,7 +1298,8 @@ static int s2n_handshake_handle_sslv2(struct s2n_connection *conn)
     S2N_ERROR_IF(ACTIVE_MESSAGE(conn) != CLIENT_HELLO, S2N_ERR_BAD_MESSAGE);
 
     /* Add the message to our handshake hashes */
-    struct s2n_blob hashed = { .data = conn->header_in.blob.data + 2, .size = 3 };
+    struct s2n_blob hashed = { 0 };
+    s2n_blob_init(&hashed, conn->header_in.blob.data + 2, 3);
     POSIX_GUARD(s2n_conn_update_handshake_hashes(conn, &hashed));
 
     hashed.data = conn->in.blob.data;

diff --git a/tls/s2n_kem.c b/tls/s2n_kem.c
@@ -338,7 +338,8 @@ int s2n_kem_send_ciphertext(struct s2n_stuffer *out, struct s2n_kem_params *kem_
     POSIX_GUARD(s2n_stuffer_write_uint16(out, kem->ciphertext_length));
 
     /* Ciphertext will get written to *out */
-    struct s2n_blob ciphertext = { .data = s2n_stuffer_raw_write(out, kem->ciphertext_length), .size = kem->ciphertext_length };
+    struct s2n_blob ciphertext = { 0 };
+    s2n_blob_init(&ciphertext, s2n_stuffer_raw_write(out, kem->ciphertext_length), kem->ciphertext_length);
     POSIX_ENSURE_REF(ciphertext.data);
 
     /* Saves the shared secret in kem_params */

diff --git a/tls/s2n_record_read_aead.c b/tls/s2n_record_read_aead.c
@@ -41,13 +41,15 @@ int s2n_record_parse_aead(
     /* TLS 1.3 record protection uses a different 5 byte associated data than TLS 1.2's */
     s2n_stack_blob(aad, is_tls13_record ? S2N_TLS13_AAD_LEN : S2N_TLS_MAX_AAD_LEN, S2N_TLS_MAX_AAD_LEN);
 
-    struct s2n_blob en = { .size = encrypted_length, .data = s2n_stuffer_raw_read(&conn->in, encrypted_length) };
+    struct s2n_blob en = { 0 };
+    s2n_blob_init(&en, s2n_stuffer_raw_read(&conn->in, encrypted_length), encrypted_length);
     POSIX_ENSURE_REF(en.data);
     /* In AEAD mode, the explicit IV is in the record */
     POSIX_ENSURE_GTE(en.size, cipher_suite->record_alg->cipher->io.aead.record_iv_size);
 
     uint8_t aad_iv[S2N_TLS_MAX_IV_LEN] = { 0 };
-    struct s2n_blob iv = { .data = aad_iv, .size = sizeof(aad_iv) };
+    struct s2n_blob iv = { 0 };
+    s2n_blob_init(&iv, aad_iv, sizeof(aad_iv));
     struct s2n_stuffer iv_stuffer = { 0 };
     POSIX_GUARD(s2n_stuffer_init(&iv_stuffer, &iv));
 
@@ -98,7 +100,8 @@ int s2n_record_parse_aead(
     POSIX_ENSURE_NE(en.size, 0);
 
     POSIX_GUARD(cipher_suite->record_alg->cipher->io.aead.decrypt(session_key, &iv, &aad, &en, &en));
-    struct s2n_blob seq = { .data = sequence_number, .size = S2N_TLS_SEQUENCE_NUM_LEN };
+    struct s2n_blob seq = { 0 };
+    s2n_blob_init(&seq, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN);
     POSIX_GUARD(s2n_increment_sequence_number(&seq));
 
     /* O.k., we've successfully read and decrypted the record, now we need to align the stuffer