feat(s2n-tls): X509 asn1 refactor (aws#4011)

dougch · May 31, 2023 · a0959f2 · a0959f2
1 parent 998f8e0
commit a0959f2
Show file tree

Hide file tree

Showing 9 changed files with 127 additions and 606 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -654,16 +654,6 @@ if (BUILD_TESTING)
 
     endforeach(test_case)
 
-    if(CMAKE_SIZEOF_VOID_P EQUAL 4)
-        # these tests have 2038 time_t issues
-        set(CTEST_CUSTOM_TESTS_IGNORE
-            s2n_cert_status_extension_test
-            s2n_x509_validator_test
-        )
-        message(STATUS "Detected 32-Bit system - disabling the following tests - ${CTEST_CUSTOM_TESTS_IGNORE}")
-        file(WRITE "${CMAKE_BINARY_DIR}/CTestCustom.cmake" "SET(CTEST_CUSTOM_TESTS_IGNORE ${CTEST_CUSTOM_TESTS_IGNORE})")
-    endif()
-
     add_executable(s2nc "bin/s2nc.c" "bin/echo.c" "bin/https.c" "bin/common.c")
     target_link_libraries(s2nc ${PROJECT_NAME})
 

diff --git a/codebuild/bin/clang_format_changed_files.sh b/codebuild/bin/clang_format_changed_files.sh
@@ -13,12 +13,13 @@
 # permissions and limitations under the License.
 
 # Get a list of changed files
-changed_files=$(git diff --name-only)
+changed_files=$(git diff origin/main --name-only )
 
 # Run clang-format on each changed file
 for file in $changed_files
 do
     if [[ $file == *.c || $file == *.h ]]; then # Only run on .c and .h files
+        echo "clang formatting ${file}"
         clang-format -i $file
     fi
 done
diff --git a/crypto/s2n_openssl_x509.c b/crypto/s2n_openssl_x509.c
@@ -17,10 +17,25 @@
 
 #include "api/s2n.h"
 
-int s2n_openssl_x509_stack_pop_free(STACK_OF(X509) **cert_chain)
+S2N_CLEANUP_RESULT s2n_openssl_x509_stack_pop_free(STACK_OF(X509) **cert_chain)
 {
-    if (*cert_chain != NULL) {
-        sk_X509_pop_free(*cert_chain, X509_free);
-    }
-    return S2N_SUCCESS;
+    RESULT_ENSURE_REF(*cert_chain);
+    sk_X509_pop_free(*cert_chain, X509_free);
+    *cert_chain = NULL;
+    return S2N_RESULT_OK;
+}
+
+S2N_CLEANUP_RESULT s2n_openssl_asn1_time_free_pointer(ASN1_GENERALIZEDTIME **time)
+{
+    /* The ANS1_*TIME structs are just typedef wrappers around ASN1_STRING
+     *
+     * The ASN1_TIME, ASN1_UTCTIME and ASN1_GENERALIZEDTIME structures are
+     * represented as an ASN1_STRING internally and can be freed up using
+     * ASN1_STRING_free().
+     * https://www.openssl.org/docs/man1.1.1/man3/ASN1_TIME_to_tm.html
+     */
+    RESULT_ENSURE_REF(*time);
+    ASN1_STRING_free((ASN1_STRING *) *time);
+    *time = NULL;
+    return S2N_RESULT_OK;
 }
diff --git a/crypto/s2n_openssl_x509.h b/crypto/s2n_openssl_x509.h
@@ -15,11 +15,14 @@
 
 #pragma once
 
+#include <openssl/asn1.h>
 #include <openssl/x509.h>
 #include <stdint.h>
 
 #include "utils/s2n_safety.h"
 
 DEFINE_POINTER_CLEANUP_FUNC(X509 *, X509_free);
 
-int s2n_openssl_x509_stack_pop_free(STACK_OF(X509) **cert_chain);
+S2N_CLEANUP_RESULT s2n_openssl_x509_stack_pop_free(STACK_OF(X509) **cert_chain);
+
+S2N_CLEANUP_RESULT s2n_openssl_asn1_time_free_pointer(ASN1_GENERALIZEDTIME **time);
diff --git a/tests/unit/s2n_asn1_time_test.c b/tests/unit/s2n_asn1_time_test.c
diff --git a/tests/unit/s2n_x509_validator_test.c b/tests/unit/s2n_x509_validator_test.c
@@ -444,7 +444,7 @@ int main(int argc, char **argv)
      * platforms where time_t is 4 bytes because representing dates past 2038 as
      * unix seconds overflows the time_t.
      */
-    if (s2n_supports_large_time_t()) {
+    {
         struct s2n_x509_trust_store trust_store;
         s2n_x509_trust_store_init_empty(&trust_store);
         EXPECT_SUCCESS(s2n_x509_trust_store_from_ca_file(&trust_store, S2N_DEFAULT_TEST_CERT_CHAIN, NULL));
@@ -473,10 +473,21 @@ int main(int argc, char **argv)
         struct s2n_pkey public_key_out;
         EXPECT_SUCCESS(s2n_pkey_zero_init(&public_key_out));
         s2n_pkey_type pkey_type = S2N_PKEY_TYPE_UNKNOWN;
-        EXPECT_ERROR_WITH_ERRNO(
-                s2n_x509_validator_validate_cert_chain(&validator, connection,
-                        chain_data, chain_len, &pkey_type, &public_key_out),
-                S2N_ERR_CERT_EXPIRED);
+
+        if (s2n_supports_large_time_t()) {
+            EXPECT_ERROR_WITH_ERRNO(
+                    s2n_x509_validator_validate_cert_chain(&validator, connection,
+                            chain_data, chain_len, &pkey_type, &public_key_out),
+                    S2N_ERR_CERT_EXPIRED);
+        } else {
+            /* fetch_expired_after_ocsp_timestamp is in 2200 which is not
+             * representable for 32 bit time_t's.
+             */
+            EXPECT_ERROR_WITH_ERRNO(
+                    s2n_x509_validator_validate_cert_chain(&validator, connection,
+                            chain_data, chain_len, &pkey_type, &public_key_out),
+                    S2N_ERR_SAFETY);
+        }
 
         EXPECT_EQUAL(1, verify_data.callback_invoked);
         s2n_config_set_wall_clock(connection->config, old_clock, NULL);
@@ -1021,7 +1032,7 @@ int main(int argc, char **argv)
      * After the "Next Update" time in the OCSP response, the certificate should
      * fail as expired.
      */
-    if (s2n_supports_large_time_t()) {
+    {
         struct s2n_x509_trust_store trust_store;
         s2n_x509_trust_store_init_empty(&trust_store);
         EXPECT_SUCCESS(s2n_x509_trust_store_from_ca_file(&trust_store, S2N_OCSP_CA_CERT, NULL));
@@ -1054,9 +1065,19 @@ int main(int argc, char **argv)
         EXPECT_SUCCESS(read_file(&ocsp_data_stuffer, S2N_OCSP_RESPONSE_DER, S2N_MAX_TEST_PEM_SIZE));
         uint32_t ocsp_data_len = s2n_stuffer_data_available(&ocsp_data_stuffer);
         EXPECT_TRUE(ocsp_data_len > 0);
-        EXPECT_ERROR_WITH_ERRNO(s2n_x509_validator_validate_cert_stapled_ocsp_response(&validator, connection,
-                                        s2n_stuffer_raw_read(&ocsp_data_stuffer, ocsp_data_len), ocsp_data_len),
-                S2N_ERR_CERT_EXPIRED);
+
+        if (s2n_supports_large_time_t()) {
+            EXPECT_ERROR_WITH_ERRNO(s2n_x509_validator_validate_cert_stapled_ocsp_response(&validator, connection,
+                                            s2n_stuffer_raw_read(&ocsp_data_stuffer, ocsp_data_len), ocsp_data_len),
+                    S2N_ERR_CERT_EXPIRED);
+        } else {
+            /* fetch_expired_after_ocsp_timestamp is in 2200 which is not
+             * representable for 32 bit time_t's.
+             */
+            EXPECT_ERROR_WITH_ERRNO(s2n_x509_validator_validate_cert_stapled_ocsp_response(&validator, connection,
+                                            s2n_stuffer_raw_read(&ocsp_data_stuffer, ocsp_data_len), ocsp_data_len),
+                    S2N_ERR_SAFETY);
+        }
 
         s2n_config_set_wall_clock(connection->config, old_clock, NULL);
         s2n_stuffer_free(&ocsp_data_stuffer);