-
Notifications
You must be signed in to change notification settings - Fork 712
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
test: use seccomp on handshake test #4768
Conversation
utils/s2n_init.c
Outdated
#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) | ||
CRYPTO_pre_sandbox_init(); | ||
#endif |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I debated putting this in a feature probe. I know it would be better, but it kind of seems like overkill :/ Thoughts?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess it depends on a few things:
- Are there versions of these libraries that don't include this API and do we want to support those?
- Do we anticipate other libcryptos adding this API in the future?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wouldn't expect other libraries to add it. It's not from openssl.
The API has been in aws-lc from the beginning: aws/aws-lc@3e4dfbb (note that commit was merged in the first PR, along with the rest of the boringssl history).
But it's only been in boringssl since 2020: google/boringssl@3e4dfbb However, we don't really have an alternative, so earlier versions would just not be sandboxable. Still, not being sandboxable is better than not building at all. Let me see if I can find a reasonable place for documentation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since we're not testing this on boringssl (and I doubt plan to), I restricted the call to aws-lc and documented the support.
Resolved issues:
resolves #4766
Description of changes:
I've got an s2n-tls handshake + app data running with seccomp, when built with aws-lc.
I integrated the tests into our existing cmake + ctest, so if we build seccomp into our codebuild images then we could run it as part of standard testing.
Call-outs:
I'm still debugging when built with openssl: X509_verify_cert appears to be trying to open a file to determine the local time? It works if I disable x509 validation. I included that test so that it's easy to repro, but left it disabled.
Testing:
New test. From the test output, you can see that it's running with seccomp linked:
The test also produced plenty of failures before I got the allowlist right :( Here's an example: https://github.com/lrstewart/s2n/actions/runs/10853333535/job/30121385790
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.