diff --git a/.github/workflows/ci_linting.yml b/.github/workflows/ci_linting.yml
index f98170a937b..83b9a1ceef6 100644
--- a/.github/workflows/ci_linting.yml
+++ b/.github/workflows/ci_linting.yml
@@ -101,7 +101,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
- - uses: nixbuild/nix-quick-install-action@v21
+ - uses: nixbuild/nix-quick-install-action@v29
 with:
 nix_conf: experimental-features = nix-command flakes
 - name: nix flake check
@@ -110,7 +110,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
- - uses: nixbuild/nix-quick-install-action@v21
+ - uses: nixbuild/nix-quick-install-action@v29
 with:
 nix_conf: experimental-features = nix-command flakes
 - name: nix fmt
diff --git a/.github/workflows/team_label.yml b/.github/workflows/team_label.yml
index 1547418cf18..19a35b2cf4a 100644
--- a/.github/workflows/team_label.yml
+++ b/.github/workflows/team_label.yml
@@ -11,7 +11,7 @@ jobs:
 team-labeler:
 runs-on: ubuntu-latest
 steps:
- - uses: JulienKode/team-labeler-action@v0.1.1
+ - uses: JulienKode/team-labeler-action@v1.3
 with:
 repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/bindings/rust/s2n-tls-hyper/tests/common/echo.rs b/bindings/rust/s2n-tls-hyper/tests/common/echo.rs
index 044a99d775d..36ce865ca7d 100644
--- a/bindings/rust/s2n-tls-hyper/tests/common/echo.rs
+++ b/bindings/rust/s2n-tls-hyper/tests/common/echo.rs
@@ -17,7 +17,7 @@ async fn echo(
 Ok(Response::new(req.into_body().boxed()))
 }
-async fn serve_echo(
+pub async fn serve_echo(
 tcp_listener: TcpListener,
 builder: B,
 ) -> Result<(), Box>
diff --git a/bindings/rust/s2n-tls-hyper/tests/common/mod.rs b/bindings/rust/s2n-tls-hyper/tests/common/mod.rs
index 148462d2d12..2da6cdace69 100644
--- a/bindings/rust/s2n-tls-hyper/tests/common/mod.rs
+++ b/bindings/rust/s2n-tls-hyper/tests/common/mod.rs
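Review bot: `pub async fn serve_echo(` makes the server helper visible to other test files without a doc comment, so a caller in http.rs has no stated contract for `builder` or for when the returned `Result` is `Err`. A `///` comment above the signature would do, e.g. `/// Serves the `echo` handler over TLS on `tcp_listener`, using `builder` for the server-side s2n-tls configuration.` The bound on `B` and the function body are outside the hunk, so check the wording against them.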
@@ -6,10 +6,9 @@ use s2n_tls::{callbacks::VerifyHostNameCallback, config, error::Error, security:
 pub mod echo;
 /// NOTE: this certificate and key are used for testing purposes only!
-pub static CERT_PEM: &[u8] =
+pub const CERT_PEM: &[u8] =
 include_bytes!(concat!(env!("CARGO_MANIFEST_DIR"), "/../certs/cert.pem"));
-pub static KEY_PEM: &[u8] =
- include_bytes!(concat!(env!("CARGO_MANIFEST_DIR"), "/../certs/key.pem"));
+pub const KEY_PEM: &[u8] = include_bytes!(concat!(env!("CARGO_MANIFEST_DIR"), "/../certs/key.pem"));
 pub fn config() -> Result {
 let mut builder = config::Config::builder();
diff --git a/bindings/rust/s2n-tls-hyper/tests/http.rs b/bindings/rust/s2n-tls-hyper/tests/http.rs
index 0a5469b45de..8a1a8a37243 100644
--- a/bindings/rust/s2n-tls-hyper/tests/http.rs
+++ b/bindings/rust/s2n-tls-hyper/tests/http.rs
@@ -3,15 +3,19 @@ use crate::common::InsecureAcceptAllCertificatesHandler;
 use bytes::Bytes;
+use common::echo::serve_echo;
 use http::{Method, Request, Uri};
 use http_body_util::{BodyExt, Empty, Full};
 use hyper_util::{client::legacy::Client, rt::TokioExecutor};
 use s2n_tls::{
 callbacks::{ClientHelloCallback, ConnectionFuture},
+ config,
 connection::Connection,
+ security::DEFAULT_TLS13,
 };
 use s2n_tls_hyper::connector::HttpsConnector;
 use std::{error::Error, pin::Pin, str::FromStr};
+use tokio::{net::TcpListener, task::JoinHandle};
 pub mod common;
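Review bot: The `/// NOTE: this certificate and key are used for testing purposes only!` doc comment attaches only to `CERT_PEM`; after the reflow, `KEY_PEM` — the private key embedded from `/../certs/key.pem` — carries no such marker in rustdoc or at its use sites. Either repeat it, `/// NOTE: test-only private key; never use outside this test crate.` above `pub const KEY_PEM`, or turn the note into a plain `//` comment placed above both constants so it reads as covering the pair.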
@@ -138,3 +142,76 @@ async fn test_sni() -> Result<(), Box> {
 Ok(())
 }
+
+/// This test covers the general customer TLS Error experience. We want to
+/// confirm that s2n-tls errors are correctly bubbled up and that details can be
+/// extracted/matched on.
+#[tokio::test]
+async fn error_matching() -> Result<(), Box> {
+ let (server_task, addr) = {
+ let listener = TcpListener::bind("127.0.0.1:0").await?;
+ let addr = listener.local_addr()?;
+ let server_task = tokio::spawn(serve_echo(listener, common::config()?.build()?));
+ (server_task, addr)
+ };
+
+ let client_task: JoinHandle>> =
+ tokio::spawn(async move {
+ // the client config won't trust the self-signed cert that the server
+ // uses.
+ let client_config = {
+ let mut builder = config::Config::builder();
+ builder.set_security_policy(&DEFAULT_TLS13)?;
+ builder.set_max_blinding_delay(0)?;
+ builder.build()?
+ };
+
+ let connector = HttpsConnector::new(client_config);
+ let client: Client<_, Empty> =
+ Client::builder(TokioExecutor::new()).build(connector);
+
+ let uri = Uri::from_str(format!("https://localhost:{}", addr.port()).as_str())?;
+ client.get(uri).await?;
+
+ panic!("the client request should fail");
+ });
+
+ // expected error:
+ // hyper_util::client::legacy::Error(
+ // Connect,
+ // TlsError(
+ // Error {
+ // code: 335544366,
+ // name: "S2N_ERR_CERT_UNTRUSTED",
+ // message: "Certificate is untrusted",
+ // kind: ProtocolError,
+ // source: Library,
+ // debug: "Error encountered in lib/tls/s2n_x509_validator.c:721",
+ // errno: "No such file or directory",
+ // },
+ // ),
+ // )
+ let client_response = client_task.await?;
+ let client_error = client_response.unwrap_err();
+ let hyper_error: &hyper_util::client::legacy::Error = client_error.downcast_ref().unwrap();
+
+ // the error happened when attempting to connect to the endpoint.
+ assert!(hyper_error.is_connect());
+
+ let error_source = hyper_error.source().unwrap();
+ let s2n_tls_hyper_error: &s2n_tls_hyper::error::Error = error_source.downcast_ref().unwrap();
+
+ let s2n_tls_error = match s2n_tls_hyper_error {
+ s2n_tls_hyper::error::Error::TlsError(s2n_tls_error) => s2n_tls_error,
+ _ => panic!("unexpected error type"),
+ };
+
+ assert_eq!(
+ s2n_tls_error.kind(),
+ s2n_tls::error::ErrorType::ProtocolError
+ );
+ assert_eq!(s2n_tls_error.name(), "S2N_ERR_CERT_UNTRUSTED");
+
+ server_task.abort();
+ Ok(())
+}
diff --git a/tests/fuzz/s2n_certificate_extensions_parse_test.c b/tests/fuzz/s2n_certificate_extensions_parse_test.c
index bf9d8a13fe2..c6a8401666b 100644
--- a/tests/fuzz/s2n_certificate_extensions_parse_test.c
+++ b/tests/fuzz/s2n_certificate_extensions_parse_test.c
@@ -49,14 +49,6 @@ static uint8_t verify_host_accept_everything(const char *host_name, size_t host_
 /* This test is for TLS versions 1.3 and up only */
 static const uint8_t TLS_VERSIONS[] = {S2N_TLS13};
-int s2n_fuzz_init(int *argc, char **argv[])
-{
- /* Initialize the trust store */
- POSIX_GUARD_RESULT(s2n_config_testing_defaults_init_tls13_certs());
- POSIX_GUARD(s2n_enable_tls13_in_test());
- return S2N_SUCCESS;
-}
-
 int s2n_fuzz_test(const uint8_t *buf, size_t len)
 {
 /* We need at least one byte of input to set parameters */
@@ -67,8 +59,13 @@ int s2n_fuzz_test(const uint8_t *buf, size_t len)
 POSIX_GUARD(s2n_stuffer_alloc(&fuzz_stuffer, len));
 POSIX_GUARD(s2n_stuffer_write_bytes(&fuzz_stuffer, buf, len));
+ DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
+ EXPECT_NOT_NULL(config);
+ POSIX_GUARD(s2n_config_set_cipher_preferences(config, "20240503"));
+
 struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT);
 POSIX_ENSURE_REF(client_conn);
+ POSIX_GUARD(s2n_connection_set_config(client_conn, config));
 /* Pull a byte off the libfuzzer input and use it to set parameters */
 uint8_t randval = 0;
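Review bot: The assertion chain at `client_error.downcast_ref().unwrap()`, `hyper_error.source().unwrap()` and `error_source.downcast_ref().unwrap()` panics without saying which layer of the error chain stopped matching, which is exactly what this test exists to pin; `.expect("top-level error should be hyper_util::client::legacy::Error")`, `.expect("connect error should carry a source")` and `.expect("source should be s2n_tls_hyper::error::Error")` would name the layer. The `panic!("the client request should fail")` inside the spawned task only reaches the test as a `JoinError` through `client_task.await?`; returning `Ok(())` from the task instead and asserting `client_response.is_err()` in the test body keeps the failure message with the test. The assertions on `kind()` and `name()` are the right ones to keep, since they are what makes this a regression check for untrusted-certificate rejection rather than for the hyper wrapper.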
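Review bot: `EXPECT_NOT_NULL(config);` in the @@ -67 hunk brings the unit-test macro family into a fuzz target whose surrounding lines use `POSIX_GUARD`/`POSIX_ENSURE_REF`; `POSIX_ENSURE_REF(config);` matches `POSIX_ENSURE_REF(client_conn)` two lines below. The removed `s2n_fuzz_init` enabled TLS1.3 explicitly and loaded system certs into the default config, while the replacement config relies on the `"20240503"` policy (presumably TLS1.3-capable, which `TLS_VERSIONS` says this target needs) and has no trust store, so a comment such as `/* "20240503" negotiates TLS1.3; no trust store is loaded, so any cert-validation path ends as untrusted */` would record the intent, with the trust-store part checked against the rest of the function, which continues outside the hunk. The same reasoning covers the `S2N_FUZZ_TARGET(NULL, s2n_fuzz_test, NULL)` hunk that follows.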
@@ -115,4 +112,4 @@ int s2n_fuzz_test(const uint8_t *buf, size_t len)
 return S2N_SUCCESS;
 }
-S2N_FUZZ_TARGET(s2n_fuzz_init, s2n_fuzz_test, NULL)
+S2N_FUZZ_TARGET(NULL, s2n_fuzz_test, NULL)
diff --git a/tests/unit/s2n_alerts_protocol_test.c b/tests/unit/s2n_alerts_protocol_test.c
index 4e50f552835..d566448b092 100644
--- a/tests/unit/s2n_alerts_protocol_test.c
+++ b/tests/unit/s2n_alerts_protocol_test.c
@@ -479,13 +479,13 @@ int main(int argc, char **argv)
 s2n_connection_ptr_free);
 EXPECT_SUCCESS(s2n_connection_set_blinding(server, S2N_SELF_SERVICE_BLINDING));
 EXPECT_SUCCESS(s2n_connection_set_config(server, config));
-EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(server, "default"));
+EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(server, "20240501"));
 DEFER_CLEANUP(struct s2n_connection *client = s2n_connection_new(S2N_CLIENT), s2n_connection_ptr_free);
 EXPECT_SUCCESS(s2n_connection_set_blinding(client, S2N_SELF_SERVICE_BLINDING));
 EXPECT_SUCCESS(s2n_connection_set_config(client, config));
-EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(client, "default"));
+EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(client, "20240501"));
 DEFER_CLEANUP(struct s2n_test_io_stuffer_pair io_pair = { 0 }, s2n_io_stuffer_pair_free);
 EXPECT_OK(s2n_io_stuffer_pair_init(&io_pair));
diff --git a/tests/unit/s2n_client_hello_request_test.c b/tests/unit/s2n_client_hello_request_test.c
index 7d6cb8d594c..695de79c1c0 100644
--- a/tests/unit/s2n_client_hello_request_test.c
+++ b/tests/unit/s2n_client_hello_request_test.c
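Review bot: Each `"default"` → `"20240501"` pin in this hunk lands without a comment, so a reader has to already know what "default" is about to become and why a dated policy is wanted here; the only hint in the diff is the pre-existing `/* TLS1.2 cipher preferences */` line in s2n_extended_master_secret_test.c. A one-line comment at the first pin in each file, e.g. `/* Pin a TLS1.2 policy: this test exercises TLS1.2-specific behavior and must not follow "default" */`, would make that explicit — the TLS1.2 motive is inferred from the EMS test and from the TLS1.2-named sections in s2n_connection_serialize_test.c, so adjust it if a different reason applies. The same applies to the pins in s2n_client_hello_request_test.c, s2n_client_hello_test.c, s2n_connection_serialize_test.c, s2n_extended_master_secret_test.c, s2n_renegotiate_io_test.c, s2n_renegotiate_test.c, s2n_self_talk_alerts_test.c, s2n_self_talk_broken_pipe_test.c, s2n_self_talk_key_log_test.c, s2n_self_talk_npn_test.c, s2n_self_talk_session_id_test.c and s2n_session_ticket_test.c. After this diff none of these tests still runs on `"default"`, so whatever that alias resolves to loses coverage of the alert, renegotiation, NPN, key-log and session-ticket paths unless another test exercises it.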
@@ -76,13 +76,13 @@ int main(int argc, char **argv)
 DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
 EXPECT_NOT_NULL(config);
-EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
 DEFER_CLEANUP(struct s2n_config *config_with_reneg_cb = s2n_config_new(), s2n_config_ptr_free);
 EXPECT_NOT_NULL(config_with_reneg_cb);
-EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config_with_reneg_cb, "default"));
+EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config_with_reneg_cb, "20240501"));
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config_with_reneg_cb));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config_with_reneg_cb, chain_and_key));
 EXPECT_SUCCESS(s2n_config_set_renegotiate_request_cb(config_with_reneg_cb, s2n_test_reneg_req_cb, NULL));
@@ -167,7 +167,7 @@ int main(int argc, char **argv)
 {
 DEFER_CLEANUP(struct s2n_config *config_with_warns = s2n_config_new(), s2n_config_ptr_free);
 EXPECT_NOT_NULL(config_with_warns);
-EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config_with_warns, "default"));
+EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config_with_warns, "20240501"));
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config_with_warns));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config_with_warns, chain_and_key));
 EXPECT_SUCCESS(s2n_config_set_alert_behavior(config_with_warns, S2N_ALERT_IGNORE_WARNINGS));
diff --git a/tests/unit/s2n_client_hello_test.c b/tests/unit/s2n_client_hello_test.c
index ab6fbaac832..9ec93c4dc9c 100644
--- a/tests/unit/s2n_client_hello_test.c
+++ b/tests/unit/s2n_client_hello_test.c
@@ -759,7 +759,7 @@ int main(int argc, char **argv)
 struct s2n_connection *conn = NULL;
 EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
 EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
-EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(conn, "default"));
+EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(conn, "20240501"));
 const struct s2n_security_policy *security_policy = NULL;
 POSIX_GUARD(s2n_connection_get_security_policy(conn, &security_policy));
diff --git a/tests/unit/s2n_connection_serialize_test.c b/tests/unit/s2n_connection_serialize_test.c
index 1f661eda220..2d793d242da 100644
--- a/tests/unit/s2n_connection_serialize_test.c
+++ b/tests/unit/s2n_connection_serialize_test.c
@@ -78,6 +78,7 @@ int main(int argc, char **argv)
 S2N_DEFAULT_TEST_CERT_CHAIN, S2N_DEFAULT_TEST_PRIVATE_KEY));
 DEFER_CLEANUP(struct s2n_config *tls12_config = s2n_config_new(), s2n_config_ptr_free);
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(tls12_config, "20240501"));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(tls12_config, chain_and_key));
 EXPECT_SUCCESS(s2n_config_disable_x509_verification(tls12_config));
 EXPECT_SUCCESS(s2n_config_set_serialization_version(tls12_config, S2N_SERIALIZED_CONN_V1));
@@ -594,6 +595,7 @@ int main(int argc, char **argv)
 /* Self-talk: Test interaction between TLS1.2 session resumption and serialization */
 {
 DEFER_CLEANUP(struct s2n_config *resumption_config = s2n_config_new(), s2n_config_ptr_free);
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(resumption_config, "20240501"));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(resumption_config, chain_and_key));
 EXPECT_SUCCESS(s2n_config_disable_x509_verification(resumption_config));
 EXPECT_SUCCESS(s2n_config_set_serialization_version(resumption_config, S2N_SERIALIZED_CONN_V1));
diff --git a/tests/unit/s2n_extended_master_secret_test.c b/tests/unit/s2n_extended_master_secret_test.c
index 3f1b1ff4415..ff608e80525 100644
--- a/tests/unit/s2n_extended_master_secret_test.c
+++ b/tests/unit/s2n_extended_master_secret_test.c
@@ -157,7 +157,7 @@ int main(int argc, char **argv)
 EXPECT_NOT_NULL(config);
 /* TLS1.2 cipher preferences */
-EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
 struct s2n_cert_chain_and_key *chain_and_key = NULL;
 EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&chain_and_key,
@@ -208,7 +208,7 @@ int main(int argc, char **argv)
 struct s2n_config *config = s2n_config_new();
 EXPECT_NOT_NULL(config);
-EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
 struct s2n_cert_chain_and_key *chain_and_key = NULL;
 EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&chain_and_key,
@@ -253,7 +253,7 @@ int main(int argc, char **argv)
 struct s2n_config *config = s2n_config_new();
 EXPECT_NOT_NULL(config);
-EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
 struct s2n_cert_chain_and_key *chain_and_key = NULL;
 EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&chain_and_key,
diff --git a/tests/unit/s2n_renegotiate_io_test.c b/tests/unit/s2n_renegotiate_io_test.c
index ab11fd0ae39..275a990ecd0 100644
--- a/tests/unit/s2n_renegotiate_io_test.c
+++ b/tests/unit/s2n_renegotiate_io_test.c
@@ -61,7 +61,7 @@ int main(int argc, char *argv[])
 EXPECT_NOT_NULL(config);
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
-EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
 uint8_t app_data[] = "test application data";
diff --git a/tests/unit/s2n_renegotiate_test.c b/tests/unit/s2n_renegotiate_test.c
index 80a880daadc..b85c9599054 100644
--- a/tests/unit/s2n_renegotiate_test.c
+++ b/tests/unit/s2n_renegotiate_test.c
@@ -80,7 +80,7 @@ int main(int argc, char *argv[])
 EXPECT_NOT_NULL(config);
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
-EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
 uint8_t app_data[] = "smaller hello world";
 uint8_t large_app_data[S2N_TLS_MAXIMUM_FRAGMENT_LENGTH] = "hello world and a lot of zeroes";
@@ -275,7 +275,7 @@ int main(int argc, char *argv[])
 EXPECT_NOT_NULL(small_frag_config);
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(small_frag_config));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(small_frag_config, chain_and_key));
-EXPECT_SUCCESS(s2n_config_set_cipher_preferences(small_frag_config, "default"));
+EXPECT_SUCCESS(s2n_config_set_cipher_preferences(small_frag_config, "20240501"));
 EXPECT_SUCCESS(s2n_config_accept_max_fragment_length(small_frag_config));
 EXPECT_SUCCESS(s2n_config_send_max_fragment_length(small_frag_config, S2N_TLS_MAX_FRAG_LEN_512));
@@ -283,7 +283,7 @@ int main(int argc, char *argv[])
 EXPECT_NOT_NULL(larger_frag_config);
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(larger_frag_config));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(larger_frag_config, chain_and_key));
-EXPECT_SUCCESS(s2n_config_set_cipher_preferences(larger_frag_config, "default"));
+EXPECT_SUCCESS(s2n_config_set_cipher_preferences(larger_frag_config, "20240501"));
 EXPECT_SUCCESS(s2n_config_accept_max_fragment_length(larger_frag_config));
 EXPECT_SUCCESS(s2n_config_send_max_fragment_length(larger_frag_config, S2N_TLS_MAX_FRAG_LEN_4096));
diff --git a/tests/unit/s2n_self_talk_alerts_test.c b/tests/unit/s2n_self_talk_alerts_test.c
index e3d6f9bb0a7..f9bbb6c158c 100644
--- a/tests/unit/s2n_self_talk_alerts_test.c
+++ b/tests/unit/s2n_self_talk_alerts_test.c
@@ -55,6 +55,7 @@ int mock_client(struct s2n_test_io_pair *io_pair, s2n_alert_behavior alert_behav
 conn = s2n_connection_new(S2N_CLIENT);
 config = s2n_config_new();
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
 s2n_config_disable_x509_verification(config);
 s2n_config_set_alert_behavior(config, alert_behavior);
 s2n_connection_set_config(conn, config);
@@ -177,7 +178,7 @@ int main(int argc, char **argv)
 DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
-EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
 /* Set up the callback to send an alert after receiving ClientHello */
 struct alert_ctx warning_alert = { .write_fd = io_pair.server, .invoked = 0, .count = 2, .level = TLS_ALERT_LEVEL_WARNING, .code = TLS_ALERT_UNRECOGNIZED_NAME };
diff --git a/tests/unit/s2n_self_talk_broken_pipe_test.c b/tests/unit/s2n_self_talk_broken_pipe_test.c
index 3ce82af75c4..b81959e00c7 100644
--- a/tests/unit/s2n_self_talk_broken_pipe_test.c
+++ b/tests/unit/s2n_self_talk_broken_pipe_test.c
@@ -122,7 +122,7 @@ int main(int argc, char **argv)
 EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
 EXPECT_NOT_NULL(config = s2n_config_new());
-EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
 for (int cert = 0; cert < SUPPORTED_CERTIFICATE_FORMATS; cert++) {
 EXPECT_SUCCESS(s2n_read_test_pem(certificate_paths[cert], cert_chain_pem, S2N_MAX_TEST_PEM_SIZE));
 EXPECT_SUCCESS(s2n_read_test_pem(private_key_paths[cert], private_key_pem, S2N_MAX_TEST_PEM_SIZE));
diff --git a/tests/unit/s2n_self_talk_key_log_test.c b/tests/unit/s2n_self_talk_key_log_test.c
index 22e30920ab2..b0a221d541c 100644
--- a/tests/unit/s2n_self_talk_key_log_test.c
+++ b/tests/unit/s2n_self_talk_key_log_test.c
@@ -77,7 +77,7 @@ int main(int argc, char **argv)
 S2N_DEFAULT_TEST_CERT_CHAIN, S2N_DEFAULT_TEST_PRIVATE_KEY));
 struct s2n_config *client_config = NULL;
 EXPECT_NOT_NULL(client_config = s2n_config_new());
-EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "default"));
+EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_config, "20240501"));
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(client_config));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(client_config, chain_and_key));
 DEFER_CLEANUP(struct s2n_stuffer client_key_log, s2n_stuffer_free);
@@ -87,7 +87,7 @@ int main(int argc, char **argv)
 struct s2n_config *server_config = NULL;
 EXPECT_NOT_NULL(server_config = s2n_config_new());
-EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "default"));
+EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "20240501"));
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(server_config));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
 DEFER_CLEANUP(struct s2n_stuffer server_key_log, s2n_stuffer_free);
diff --git a/tests/unit/s2n_self_talk_npn_test.c b/tests/unit/s2n_self_talk_npn_test.c
index 1234b68a868..8ccedb7a782 100644
--- a/tests/unit/s2n_self_talk_npn_test.c
+++ b/tests/unit/s2n_self_talk_npn_test.c
@@ -50,7 +50,7 @@ int main(int argc, char **argv)
 DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
 EXPECT_NOT_NULL(config);
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
-EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
 struct s2n_cert_chain_and_key *chain_and_key = NULL;
 EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&chain_and_key, S2N_DEFAULT_TEST_CERT_CHAIN, S2N_DEFAULT_TEST_PRIVATE_KEY));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
@@ -61,7 +61,7 @@ int main(int argc, char **argv)
 DEFER_CLEANUP(struct s2n_config *npn_config = s2n_config_new(), s2n_config_ptr_free);
 EXPECT_NOT_NULL(npn_config);
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(npn_config));
-EXPECT_SUCCESS(s2n_config_set_cipher_preferences(npn_config, "default"));
+EXPECT_SUCCESS(s2n_config_set_cipher_preferences(npn_config, "20240501"));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(npn_config, chain_and_key));
 EXPECT_SUCCESS(s2n_config_set_protocol_preferences(npn_config, protocols, protocols_count));
 EXPECT_SUCCESS(s2n_config_set_client_hello_cb(npn_config, s2n_wipe_alpn_ext, NULL));
@@ -135,7 +135,7 @@ int main(int argc, char **argv)
 DEFER_CLEANUP(struct s2n_config *different_config = s2n_config_new(), s2n_config_ptr_free);
 EXPECT_NOT_NULL(different_config);
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(different_config));
-EXPECT_SUCCESS(s2n_config_set_cipher_preferences(different_config, "default"));
+EXPECT_SUCCESS(s2n_config_set_cipher_preferences(different_config, "20240501"));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(different_config, chain_and_key));
 EXPECT_SUCCESS(s2n_config_set_protocol_preferences(different_config, server_protocols, server_protocols_count));
 EXPECT_SUCCESS(s2n_config_set_client_hello_cb(different_config, s2n_wipe_alpn_ext, NULL));
diff --git a/tests/unit/s2n_self_talk_session_id_test.c b/tests/unit/s2n_self_talk_session_id_test.c
index 933ccc16a20..d783d97865f 100644
--- a/tests/unit/s2n_self_talk_session_id_test.c
+++ b/tests/unit/s2n_self_talk_session_id_test.c
@@ -153,6 +153,7 @@ void mock_client(struct s2n_test_io_pair *io_pair)
 /* Initial handshake */
 conn = s2n_connection_new(S2N_CLIENT);
 config = s2n_config_new();
+ s2n_config_set_cipher_preferences(config, "20240501");
 s2n_config_disable_x509_verification(config);
 s2n_connection_set_config(conn, config);
@@ -338,7 +339,7 @@ int main(int argc, char **argv)
 initialize_cache();
 EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
 EXPECT_NOT_NULL(config = s2n_config_new());
-EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default"));
+EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));
 EXPECT_SUCCESS(s2n_read_test_pem(S2N_DEFAULT_TEST_CERT_CHAIN, cert_chain_pem, S2N_MAX_TEST_PEM_SIZE));
 EXPECT_SUCCESS(s2n_read_test_pem(S2N_DEFAULT_TEST_PRIVATE_KEY, private_key_pem, S2N_MAX_TEST_PEM_SIZE));
diff --git a/tests/unit/s2n_session_ticket_test.c b/tests/unit/s2n_session_ticket_test.c
index dde2c244e78..2e4e17c37bd 100644
--- a/tests/unit/s2n_session_ticket_test.c
+++ b/tests/unit/s2n_session_ticket_test.c
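Review bot: `+ s2n_config_set_cipher_preferences(config, "20240501");` in mock_client discards the return value, so a misspelled or removed policy name would silently leave the client on whatever policy the fresh config starts with, and the test would then fail later for a misleading reason or not at all. The mock_client in s2n_self_talk_alerts_test.c in this same diff wraps the identical call in `EXPECT_SUCCESS(...)`, so `EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "20240501"));` would match it. The neighbouring `s2n_config_disable_x509_verification` and `s2n_connection_set_config` calls are unchecked too, so the new line follows local style, and mock_client's body runs past the hunk on both sides — confirm the macro is usable in this void-returning function before changing it.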
@@ -1342,7 +1342,7 @@ int main(int argc, char **argv)
 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
 EXPECT_SUCCESS(s2n_connection_set_blinding(server_conn, S2N_SELF_SERVICE_BLINDING));
 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, config));
-EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(server_conn, "default"));
+EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(server_conn, "20240501"));
 EXPECT_SUCCESS(s2n_connections_set_io_pair(client_conn, server_conn, &io_pair));
 EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
@@ -1446,6 +1446,7 @@ int main(int argc, char **argv)
 EXPECT_NOT_NULL(client_configuration);
 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(client_configuration, 1));
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(client_configuration));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(client_configuration, "20240501"));
 DEFER_CLEANUP(struct s2n_config *server_configuration = s2n_config_new(), s2n_config_ptr_free);
@@ -1453,6 +1454,7 @@ int main(int argc, char **argv)
 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(server_configuration, 1));
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_configuration, chain_and_key));
+ EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_configuration, "20240501"));
 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_configuration, ticket_key_name1, s2n_array_len(ticket_key_name1), ticket_key1, s2n_array_len(ticket_key1), 0));
diff --git a/tls/s2n_config.c b/tls/s2n_config.c
index ccc1940c0ac..f0bbb623266 100644
--- a/tls/s2n_config.c
+++ b/tls/s2n_config.c
@@ -251,12 +251,6 @@ int s2n_config_defaults_init(void)
 return S2N_SUCCESS;
 }
-S2N_RESULT s2n_config_testing_defaults_init_tls13_certs(void)
-{
- RESULT_GUARD_POSIX(s2n_config_load_system_certs(&s2n_default_tls13_config));
- return S2N_RESULT_OK;
-}
-
 void s2n_wipe_static_configs(void)
 {
 s2n_config_cleanup(&s2n_default_fips_config);
diff --git a/tls/s2n_config.h b/tls/s2n_config.h
index 801777281e2..07d6166d762 100644
--- a/tls/s2n_config.h
+++ b/tls/s2n_config.h
@@ -239,7 +239,6 @@ struct s2n_config {
 S2N_CLEANUP_RESULT s2n_config_ptr_free(struct s2n_config **config);
 int s2n_config_defaults_init(void);
-S2N_RESULT s2n_config_testing_defaults_init_tls13_certs(void);
 struct s2n_config *s2n_fetch_default_config(void);
 int s2n_config_set_unsafe_for_testing(struct s2n_config *config);