explictly check the negotiated protocol

aws · Nov 19, 2024 · 0042f29 · 0042f29
1 parent 8d38317
commit 0042f29
Showing 1 changed file with 16 additions and 14 deletions.
diff --git a/tests/unit/s2n_record_read_test.c b/tests/unit/s2n_record_read_test.c
@@ -20,6 +20,8 @@
 #include "utils/s2n_safety.h"
 
 #define SSLV2_MIN_SIZE 3
+/* Record Header length for TLS1.3 and TLS1.2 protocols */
+const int S2N_TLS_RECORD_HEADER_LEN = 5;
 
 int main(int argc, char *argv[])
 {
@@ -164,20 +166,21 @@ int main(int argc, char *argv[])
         };
     };
 
-    const char *security_policy_test_cases[] = {
-        /* TLS 1.3 */
-        "20240503",
-        /* TLS 1.2 */
-        "20240501",
+    struct {
+        const char *policy;
+        uint8_t version;
+    } policy_test_cases[] = {
+        { .policy = "20240503", .version = S2N_TLS13 },
+        { .policy = "20240501", .version = S2N_TLS12 }
     };
 
     /* Ensure that the input buffer is wiped after failing to read a record */
-    for (size_t i = 0; i < s2n_array_len(security_policy_test_cases); i++) {
+    for (size_t i = 0; i < s2n_array_len(policy_test_cases); i++) {
         DEFER_CLEANUP(struct s2n_config *config = s2n_config_new_minimal(), s2n_config_ptr_free);
         EXPECT_NOT_NULL(config);
         EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
         EXPECT_SUCCESS(s2n_config_disable_x509_verification(config));
-        EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, security_policy_test_cases[i]));
+        EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, policy_test_cases[i].policy));
 
         DEFER_CLEANUP(struct s2n_connection *client = s2n_connection_new(S2N_CLIENT),
                 s2n_connection_ptr_free);
@@ -197,6 +200,7 @@ int main(int argc, char *argv[])
         EXPECT_OK(s2n_connections_set_io_stuffer_pair(client, server, &stuffer_pair));
 
         EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server, client));
+        EXPECT_EQUAL(server->actual_protocol_version, policy_test_cases[i].version);
 
         /* Send some test data to the server. */
         uint8_t test_data[] = "hello world";
@@ -206,13 +210,11 @@ int main(int argc, char *argv[])
 
         /* Invalidate an encrypted byte to cause decryption to fail. */
         struct s2n_stuffer invalidation_stuffer = stuffer_pair.server_in;
-        /* Offset and corrupt the 6th byte, which is used by both TLS 1.2 and TLS 1.3
-         * during decryption
-         */
-        EXPECT_SUCCESS(s2n_stuffer_skip_read(&invalidation_stuffer, 5));
-        uint8_t *sixth_byte = s2n_stuffer_raw_read(&invalidation_stuffer, 1);
-        EXPECT_NOT_NULL(sixth_byte);
-        *sixth_byte += 1;
+        /* Skip the TLS Record Header content, since its not used for decryption in TLS1.3. */
+        EXPECT_SUCCESS(s2n_stuffer_skip_read(&invalidation_stuffer, S2N_TLS_RECORD_HEADER_LEN));
+        uint8_t *corrupt_byte = s2n_stuffer_raw_read(&invalidation_stuffer, 1);
+        EXPECT_NOT_NULL(corrupt_byte);
+        *corrupt_byte += 1;
 
         /* Receive the invalid data. */
         uint8_t buffer[sizeof(test_data)] = { 0 };