From f4b351ddbf6205448d7dd066d3c260d41441df65 Mon Sep 17 00:00:00 2001
From: Apoorv Kothari
Date: Thu, 14 Nov 2024 21:08:18 -0800
Subject: [PATCH] tests: pin tests to a numbered TLS1.2 policy

---
 tests/unit/s2n_alerts_protocol_test.c | 4 ++--
 tests/unit/s2n_client_hello_request_test.c | 6 +++---
 tests/unit/s2n_client_hello_test.c | 2 +-
 tests/unit/s2n_connection_serialize_test.c | 2 ++
 tests/unit/s2n_extended_master_secret_test.c | 6 +++---
 tests/unit/s2n_renegotiate_io_test.c | 2 +-
 tests/unit/s2n_renegotiate_test.c | 6 +++---
 tests/unit/s2n_self_talk_alerts_test.c | 3 ++-
 tests/unit/s2n_self_talk_broken_pipe_test.c | 2 +-
 tests/unit/s2n_self_talk_key_log_test.c | 4 ++--
 tests/unit/s2n_self_talk_npn_test.c | 6 +++---
 tests/unit/s2n_self_talk_session_id_test.c | 3 ++-
 tests/unit/s2n_session_ticket_test.c | 4 +++-
 13 files changed, 28 insertions(+), 22 deletions(-)

diff --git a/tests/unit/s2n_alerts_protocol_test.c b/tests/unit/s2n_alerts_protocol_test.c
index 4e50f552835..d566448b092 100644
--- a/tests/unit/s2n_alerts_protocol_test.c
+++ b/tests/unit/s2n_alerts_protocol_test.c
@@ -479,13 +479,13 @@ int main(int argc, char **argv)
 s2n_connection_ptr_free);
 EXPECT_SUCCESS(s2n_connection_set_blinding(server, S2N_SELF_SERVICE_BLINDING));
 EXPECT_SUCCESS(s2n_connection_set_config(server, config));
- EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(server, "default"));
+ EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(server, "20240501"));
 DEFER_CLEANUP(struct s2n_connection *client = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
 EXPECT_SUCCESS(s2n_connection_set_blinding(client, S2N_SELF_SERVICE_BLINDING));
 EXPECT_SUCCESS(s2n_connection_set_config(client, config));
- EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(client, "default"));
+ EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(client, "20240501"));
 DEFER_CLEANUP(struct s2n_test_io_stuffer_pair io_pair = { 0 }, s2n_io_stuffer_pair_free);
 EXPECT_OK(s2n_io_stuffer_pair_init(&io_pair));
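Review bot: The literal `"20240501"` is now hard-coded at 28 call sites across the 13 files in this patch, and nothing at any call site says why a numbered policy replaced `"default"`; the intent lives only in the commit subject. A reader who later meets `"20240501"` next to `"default"` in neighbouring tests cannot tell a deliberate TLS1.2 pin from an ad-hoc choice, and a future policy clean-up could quietly put `"default"` back. Consider one shared constant in the test library (a name along the lines of `S2N_TEST_TLS12_POLICY` is only a suggestion) or, at minimum, a comment at each pinned site such as `/* Pin a numbered TLS1.2-only policy so this test does not move if "default" is ever updated */`, the way s2n_extended_master_secret_test.c already labels its call with `/* TLS1.2 cipher preferences */`. The same remark applies to every other hunk in this patch; main's body begins and ends outside the hunk.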
diff --git a/tests/unit/s2n_client_hello_request_test.c b/tests/unit/s2n_client_hello_request_test.c
index 7d6cb8d594c..695de79c1c0 100644
--- a/tests/unit/s2n_client_hello_request_test.c
+++ b/tests/unit/s2n_client_hello_request_test.c
@@ -76,13 +76,13 @@ int main(int argc, char **argv)
 DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
 EXPECT_NOT_NULL(config);
- EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
 DEFER_CLEANUP(struct s2n_config *config_with_reneg_cb = s2n_config_new(), s2n_config_ptr_free);
 EXPECT_NOT_NULL(config_with_reneg_cb);
- EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config_with_reneg_cb, "default"));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config_with_reneg_cb, "20240501"));
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config_with_reneg_cb));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config_with_reneg_cb, chain_and_key));
 EXPECT_SUCCESS(s2n_config_set_renegotiate_request_cb(config_with_reneg_cb, s2n_test_reneg_req_cb, NULL));
@@ -167,7 +167,7 @@ int main(int argc, char **argv)
 {
 DEFER_CLEANUP(struct s2n_config *config_with_warns = s2n_config_new(), s2n_config_ptr_free);
 EXPECT_NOT_NULL(config_with_warns);
- EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config_with_warns, "default"));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config_with_warns, "20240501"));
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config_with_warns));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config_with_warns, chain_and_key));
 EXPECT_SUCCESS(s2n_config_set_alert_behavior(config_with_warns, S2N_ALERT_IGNORE_WARNINGS));
diff --git a/tests/unit/s2n_client_hello_test.c b/tests/unit/s2n_client_hello_test.c
index ab6fbaac832..9ec93c4dc9c 100644
--- a/tests/unit/s2n_client_hello_test.c
+++ b/tests/unit/s2n_client_hello_test.c
@@ -759,7 +759,7 @@ int main(int argc, char **argv)
 struct s2n_connection *conn = NULL;
 EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
 EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
- EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(conn, "default"));
+ EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(conn, "20240501"));
 const struct s2n_security_policy *security_policy = NULL;
 POSIX_GUARD(s2n_connection_get_security_policy(conn, &security_policy));
diff --git a/tests/unit/s2n_connection_serialize_test.c b/tests/unit/s2n_connection_serialize_test.c
index 1f661eda220..2d793d242da 100644
--- a/tests/unit/s2n_connection_serialize_test.c
+++ b/tests/unit/s2n_connection_serialize_test.c
@@ -78,6 +78,7 @@ int main(int argc, char **argv)
 S2N_DEFAULT_TEST_CERT_CHAIN, S2N_DEFAULT_TEST_PRIVATE_KEY));
 DEFER_CLEANUP(struct s2n_config *tls12_config = s2n_config_new(), s2n_config_ptr_free);
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(tls12_config, "20240501"));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(tls12_config, chain_and_key));
 EXPECT_SUCCESS(s2n_config_disable_x509_verification(tls12_config));
 EXPECT_SUCCESS(s2n_config_set_serialization_version(tls12_config, S2N_SERIALIZED_CONN_V1));
@@ -594,6 +595,7 @@ int main(int argc, char **argv)
 /* Self-talk: Test interaction between TLS1.2 session resumption and serialization */
 {
 DEFER_CLEANUP(struct s2n_config *resumption_config = s2n_config_new(), s2n_config_ptr_free);
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(resumption_config, "20240501"));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(resumption_config, chain_and_key));
 EXPECT_SUCCESS(s2n_config_disable_x509_verification(resumption_config));
 EXPECT_SUCCESS(s2n_config_set_serialization_version(resumption_config, S2N_SERIALIZED_CONN_V1));
diff --git a/tests/unit/s2n_extended_master_secret_test.c b/tests/unit/s2n_extended_master_secret_test.c
index 3f1b1ff4415..ff608e80525 100644
--- a/tests/unit/s2n_extended_master_secret_test.c
+++ b/tests/unit/s2n_extended_master_secret_test.c
@@ -157,7 +157,7 @@ int main(int argc, char **argv)
 EXPECT_NOT_NULL(config);
 /* TLS1.2 cipher preferences */
- EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
 struct s2n_cert_chain_and_key *chain_and_key = NULL;
 EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&chain_and_key,
@@ -208,7 +208,7 @@ int main(int argc, char **argv)
 struct s2n_config *config = s2n_config_new();
 EXPECT_NOT_NULL(config);
- EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
 struct s2n_cert_chain_and_key *chain_and_key = NULL;
 EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&chain_and_key,
@@ -253,7 +253,7 @@ int main(int argc, char **argv)
 struct s2n_config *config = s2n_config_new();
 EXPECT_NOT_NULL(config);
- EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
 struct s2n_cert_chain_and_key *chain_and_key = NULL;
 EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&chain_and_key,
diff --git a/tests/unit/s2n_renegotiate_io_test.c b/tests/unit/s2n_renegotiate_io_test.c
index ab11fd0ae39..275a990ecd0 100644
--- a/tests/unit/s2n_renegotiate_io_test.c
+++ b/tests/unit/s2n_renegotiate_io_test.c
@@ -61,7 +61,7 @@ int main(int argc, char *argv[])
 EXPECT_NOT_NULL(config);
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
- EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
 uint8_t app_data[] = "test application data";
diff --git a/tests/unit/s2n_renegotiate_test.c b/tests/unit/s2n_renegotiate_test.c
index 80a880daadc..b85c9599054 100644
--- a/tests/unit/s2n_renegotiate_test.c
+++ b/tests/unit/s2n_renegotiate_test.c
@@ -80,7 +80,7 @@ int main(int argc, char *argv[])
 EXPECT_NOT_NULL(config);
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
- EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
 uint8_t app_data[] = "smaller hello world";
 uint8_t large_app_data[S2N_TLS_MAXIMUM_FRAGMENT_LENGTH] = "hello world and a lot of zeroes";
@@ -275,7 +275,7 @@ int main(int argc, char *argv[])
 EXPECT_NOT_NULL(small_frag_config);
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(small_frag_config));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(small_frag_config, chain_and_key));
- EXPECT_SUCCESS(s2n_config_set_cipher_preferences(small_frag_config, "default"));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(small_frag_config, "20240501"));
 EXPECT_SUCCESS(s2n_config_accept_max_fragment_length(small_frag_config));
 EXPECT_SUCCESS(s2n_config_send_max_fragment_length(small_frag_config, S2N_TLS_MAX_FRAG_LEN_512));
@@ -283,7 +283,7 @@ int main(int argc, char *argv[])
 EXPECT_NOT_NULL(larger_frag_config);
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(larger_frag_config));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(larger_frag_config, chain_and_key));
- EXPECT_SUCCESS(s2n_config_set_cipher_preferences(larger_frag_config, "default"));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(larger_frag_config, "20240501"));
 EXPECT_SUCCESS(s2n_config_accept_max_fragment_length(larger_frag_config));
 EXPECT_SUCCESS(s2n_config_send_max_fragment_length(larger_frag_config, S2N_TLS_MAX_FRAG_LEN_4096));
diff --git a/tests/unit/s2n_self_talk_alerts_test.c b/tests/unit/s2n_self_talk_alerts_test.c
index e3d6f9bb0a7..f9bbb6c158c 100644
--- a/tests/unit/s2n_self_talk_alerts_test.c
+++ b/tests/unit/s2n_self_talk_alerts_test.c
@@ -55,6 +55,7 @@ int mock_client(struct s2n_test_io_pair *io_pair, s2n_alert_behavior alert_behav
 conn = s2n_connection_new(S2N_CLIENT);
 config = s2n_config_new();
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
 s2n_config_disable_x509_verification(config);
 s2n_config_set_alert_behavior(config, alert_behavior);
 s2n_connection_set_config(conn, config);
@@ -177,7 +178,7 @@ int main(int argc, char **argv)
 DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
- EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
 /* Set up the callback to send an alert after receiving ClientHello */
 struct alert_ctx warning_alert = { .write_fd = io_pair.server, .invoked = 0, .count = 2, .level = TLS_ALERT_LEVEL_WARNING, .code = TLS_ALERT_UNRECOGNIZED_NAME };
diff --git a/tests/unit/s2n_self_talk_broken_pipe_test.c b/tests/unit/s2n_self_talk_broken_pipe_test.c
index 3ce82af75c4..b81959e00c7 100644
--- a/tests/unit/s2n_self_talk_broken_pipe_test.c
+++ b/tests/unit/s2n_self_talk_broken_pipe_test.c
@@ -122,7 +122,7 @@ int main(int argc, char **argv)
 EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
 EXPECT_NOT_NULL(config = s2n_config_new());
- EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
 for (int cert = 0; cert < SUPPORTED_CERTIFICATE_FORMATS; cert++) {
 EXPECT_SUCCESS(s2n_read_test_pem(certificate_paths[cert], cert_chain_pem, S2N_MAX_TEST_PEM_SIZE));
 EXPECT_SUCCESS(s2n_read_test_pem(private_key_paths[cert], private_key_pem, S2N_MAX_TEST_PEM_SIZE));
diff --git a/tests/unit/s2n_self_talk_key_log_test.c b/tests/unit/s2n_self_talk_key_log_test.c
index 22e30920ab2..b0a221d541c 100644
--- a/tests/unit/s2n_self_talk_key_log_test.c
+++ b/tests/unit/s2n_self_talk_key_log_test.c
@@ -77,7 +77,7 @@ int main(int argc, char **argv)
 S2N_DEFAULT_TEST_CERT_CHAIN, S2N_DEFAULT_TEST_PRIVATE_KEY));
 struct s2n_config *client_config = NULL;
 EXPECT_NOT_NULL(client_config = s2n_config_new());
- EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "default"));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "20240501"));
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(client_config));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(client_config, chain_and_key));
 DEFER_CLEANUP(struct s2n_stuffer client_key_log, s2n_stuffer_free);
@@ -87,7 +87,7 @@ int main(int argc, char **argv)
 struct s2n_config *server_config = NULL;
 EXPECT_NOT_NULL(server_config = s2n_config_new());
- EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "default"));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "20240501"));
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(server_config));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
 DEFER_CLEANUP(struct s2n_stuffer server_key_log, s2n_stuffer_free);
diff --git a/tests/unit/s2n_self_talk_npn_test.c b/tests/unit/s2n_self_talk_npn_test.c
index 1234b68a868..8ccedb7a782 100644
--- a/tests/unit/s2n_self_talk_npn_test.c
+++ b/tests/unit/s2n_self_talk_npn_test.c
@@ -50,7 +50,7 @@ int main(int argc, char **argv)
 DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
 EXPECT_NOT_NULL(config);
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
- EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
 struct s2n_cert_chain_and_key *chain_and_key = NULL;
 EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&chain_and_key, S2N_DEFAULT_TEST_CERT_CHAIN, S2N_DEFAULT_TEST_PRIVATE_KEY));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
@@ -61,7 +61,7 @@ int main(int argc, char **argv)
 DEFER_CLEANUP(struct s2n_config *npn_config = s2n_config_new(), s2n_config_ptr_free);
 EXPECT_NOT_NULL(npn_config);
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(npn_config));
- EXPECT_SUCCESS(s2n_config_set_cipher_preferences(npn_config, "default"));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(npn_config, "20240501"));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(npn_config, chain_and_key));
 EXPECT_SUCCESS(s2n_config_set_protocol_preferences(npn_config, protocols, protocols_count));
 EXPECT_SUCCESS(s2n_config_set_client_hello_cb(npn_config, s2n_wipe_alpn_ext, NULL));
@@ -135,7 +135,7 @@ int main(int argc, char **argv)
 DEFER_CLEANUP(struct s2n_config *different_config = s2n_config_new(), s2n_config_ptr_free);
 EXPECT_NOT_NULL(different_config);
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(different_config));
- EXPECT_SUCCESS(s2n_config_set_cipher_preferences(different_config, "default"));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(different_config, "20240501"));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(different_config, chain_and_key));
 EXPECT_SUCCESS(s2n_config_set_protocol_preferences(different_config, server_protocols, server_protocols_count));
 EXPECT_SUCCESS(s2n_config_set_client_hello_cb(different_config, s2n_wipe_alpn_ext, NULL));
diff --git a/tests/unit/s2n_self_talk_session_id_test.c b/tests/unit/s2n_self_talk_session_id_test.c
index 933ccc16a20..d783d97865f 100644
--- a/tests/unit/s2n_self_talk_session_id_test.c
+++ b/tests/unit/s2n_self_talk_session_id_test.c
@@ -153,6 +153,7 @@ void mock_client(struct s2n_test_io_pair *io_pair)
 /* Initial handshake */
 conn = s2n_connection_new(S2N_CLIENT);
 config = s2n_config_new();
+ s2n_config_set_cipher_preferences(config, "20240501");
 s2n_config_disable_x509_verification(config);
 s2n_connection_set_config(conn, config);
@@ -338,7 +339,7 @@ int main(int argc, char **argv)
 initialize_cache();
 EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
 EXPECT_NOT_NULL(config = s2n_config_new());
- EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
 EXPECT_SUCCESS(s2n_read_test_pem(S2N_DEFAULT_TEST_CERT_CHAIN, cert_chain_pem, S2N_MAX_TEST_PEM_SIZE));
 EXPECT_SUCCESS(s2n_read_test_pem(S2N_DEFAULT_TEST_PRIVATE_KEY, private_key_pem, S2N_MAX_TEST_PEM_SIZE));
diff --git a/tests/unit/s2n_session_ticket_test.c b/tests/unit/s2n_session_ticket_test.c
index dde2c244e78..2e4e17c37bd 100644
--- a/tests/unit/s2n_session_ticket_test.c
+++ b/tests/unit/s2n_session_ticket_test.c
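Review bot: In the s2n_self_talk_session_id_test.c mock_client hunk (`@@ -153,6 +153,7 @@`), the added `s2n_config_set_cipher_preferences(config, "20240501");` discards its return value, so a misspelled or later-removed policy name would fail silently and the client would keep whatever policy `s2n_config_new()` gives it, while the server side in the `@@ -338` hunk of the same file is wrapped in `EXPECT_SUCCESS`. That leaves the pin unverified on the client, and the test could plausibly keep passing as long as both sides still agree on some TLS1.2 cipher, which is the situation this patch is meant to rule out. The equivalent helper in s2n_self_talk_alerts_test.c checks the same call with `EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));`; doing the same here (the neighbouring unchecked calls predate this patch) would surface a bad policy name at the point of failure, assuming the harness macro is usable from this void helper. mock_client's body starts before and continues after the hunk.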
@@ -1342,7 +1342,7 @@ int main(int argc, char **argv)
 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
 EXPECT_SUCCESS(s2n_connection_set_blinding(server_conn, S2N_SELF_SERVICE_BLINDING));
 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, config));
- EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(server_conn, "default"));
+ EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(server_conn, "20240501"));
 EXPECT_SUCCESS(s2n_connections_set_io_pair(client_conn, server_conn, &io_pair));
 EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
@@ -1446,6 +1446,7 @@ int main(int argc, char **argv)
 EXPECT_NOT_NULL(client_configuration);
 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(client_configuration, 1));
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(client_configuration));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_configuration, "20240501"));
 DEFER_CLEANUP(struct s2n_config *server_configuration = s2n_config_new(), s2n_config_ptr_free);
@@ -1453,6 +1454,7 @@ int main(int argc, char **argv)
 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(server_configuration, 1));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_configuration, chain_and_key));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_configuration, "20240501"));
 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_configuration, ticket_key_name1, s2n_array_len(ticket_key_name1), ticket_key1, s2n_array_len(ticket_key1), 0));