split out cipher info test

aws · Feb 2, 2021 · 0251053 · 0251053
1 parent 7e136ef
commit 0251053
Show file tree

Hide file tree

Showing 5 changed files with 90 additions and 8 deletions.
diff --git a/error/s2n_errno.h b/error/s2n_errno.h
@@ -197,7 +197,6 @@ typedef enum {
     S2N_ERR_INVALID_PARSED_EXTENSIONS,
     S2N_ERR_ASYNC_CALLBACK_FAILED,
     S2N_ERR_ASYNC_MORE_THAN_ONE,
-    S2N_ERR_INVALID_STATE,
     S2N_ERR_PQ_CRYPTO,
     S2N_ERR_PQ_DISABLED,
     S2N_ERR_T_INTERNAL_END,
@@ -263,6 +262,7 @@ typedef enum {
     S2N_ERR_UNSUPPORTED_WITH_QUIC,
     S2N_ERR_DUPLICATE_PSK_IDENTITIES,
     S2N_ERR_REENTRANCY,
+    S2N_ERR_INVALID_STATE,
     S2N_ERR_T_USAGE_END,
 } s2n_error;
 

diff --git a/tests/unit/s2n_cipher_info_test.c b/tests/unit/s2n_cipher_info_test.c
@@ -0,0 +1,80 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+#include "s2n_test.h"
+
+#include "testlib/s2n_testlib.h"
+
+#include <unistd.h>
+#include <stdint.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <stdlib.h>
+
+#include <s2n.h>
+
+#include "crypto/s2n_fips.h"
+#include "crypto/s2n_rsa_pss.h"
+
+#include "tls/s2n_connection.h"
+#include "tls/s2n_handshake.h"
+#include "tls/s2n_security_policies.h"
+#include "tls/s2n_cipher_suites.h"
+#include "tls/s2n_tls13.h"
+#include "utils/s2n_safety.h"
+
+int main(int argc, char **argv)
+{
+    BEGIN_TEST();
+    EXPECT_SUCCESS(s2n_enable_tls13());
+
+    struct s2n_config *config = NULL;
+    EXPECT_NOT_NULL(config = s2n_config_new());
+    EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "test_all"));
+    EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
+
+    struct s2n_connection *conn = NULL;
+    EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
+    EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
+
+    uint8_t iana_value[2] = { 0, 0 };
+
+    /* Make sure the call fails before the connection has negotiated the cipher suite */
+    EXPECT_NULL(s2n_connection_get_cipher(conn));
+    EXPECT_FAILURE(s2n_connection_get_cipher_iana_value(conn, &iana_value[0], &iana_value[1]));
+
+    const struct s2n_security_policy *security_policy = config->security_policy;
+    EXPECT_NOT_NULL(security_policy);
+
+    const struct s2n_cipher_preferences *cipher_preferences = security_policy->cipher_preferences;
+    EXPECT_NOT_NULL(cipher_preferences);
+
+    /* Verify the cipher info functions work for every cipher suite */
+    for (size_t cipher_idx = 0; cipher_idx < cipher_preferences->count; cipher_idx++) {
+        struct s2n_cipher_suite *expected_cipher = cipher_preferences->suites[cipher_idx];
+        conn->secure.cipher_suite = expected_cipher;
+
+        EXPECT_STRING_EQUAL(s2n_connection_get_cipher(conn), expected_cipher->name);
+        EXPECT_SUCCESS(s2n_connection_get_cipher_iana_value(conn, &iana_value[0], &iana_value[1]));
+        EXPECT_EQUAL(memcmp(expected_cipher->iana_value, iana_value, sizeof(iana_value)), 0);
+    }
+
+    EXPECT_SUCCESS(s2n_connection_free(conn));
+    EXPECT_SUCCESS(s2n_config_free(config));
+
+    END_TEST();
+    return 0;
+}
+
diff --git a/tests/unit/s2n_handshake_test.c b/tests/unit/s2n_handshake_test.c
@@ -188,9 +188,6 @@ int test_cipher_preferences(struct s2n_config *server_config, struct s2n_config
             GUARD(try_handshake(server_conn, client_conn));
 
             EXPECT_STRING_EQUAL(s2n_connection_get_cipher(server_conn), expected_cipher->name);
-            uint8_t iana_value[2] = { 0, 0 };
-            EXPECT_SUCCESS(s2n_connection_get_cipher_iana_value(server_conn, &iana_value[0], &iana_value[1]));
-            EXPECT_EQUAL(memcmp(expected_cipher->iana_value, iana_value, sizeof(iana_value)), 0);
 
             EXPECT_EQUAL(server_conn->handshake_params.our_chain_and_key, expected_cert_chain);
             EXPECT_EQUAL(server_conn->secure.conn_sig_scheme.sig_alg, expected_sig_alg);

diff --git a/tls/s2n_connection.c b/tls/s2n_connection.c
@@ -977,17 +977,22 @@ const char *s2n_connection_get_cipher(struct s2n_connection *conn)
     notnull_check_ptr(conn);
     notnull_check_ptr(conn->secure.cipher_suite);
 
+    /* ensure we've negotiated a cipher suite */
+    ENSURE_PTR(memcmp(conn->secure.cipher_suite->iana_value, s2n_null_cipher_suite.iana_value, sizeof(s2n_null_cipher_suite.iana_value)) != 0, S2N_ERR_INVALID_STATE);
+
     return conn->secure.cipher_suite->name;
 }
 
 int s2n_connection_get_cipher_iana_value(struct s2n_connection *conn, uint8_t *first, uint8_t *second)
 {
     ENSURE_POSIX_REF(conn);
-    /* ensure we've negotiated a cipher suite */
-    ENSURE_POSIX(conn->secure.cipher_suite != NULL, S2N_ERR_INVALID_STATE);
+    ENSURE_POSIX_REF(conn->secure.cipher_suite);
     ENSURE_POSIX_MUT(first);
     ENSURE_POSIX_MUT(second);
 
+    /* ensure we've negotiated a cipher suite */
+    ENSURE_POSIX(memcmp(conn->secure.cipher_suite->iana_value, s2n_null_cipher_suite.iana_value, sizeof(s2n_null_cipher_suite.iana_value)) != 0, S2N_ERR_INVALID_STATE);
+
     const uint8_t *iana_value = conn->secure.cipher_suite->iana_value;
     *first = iana_value[0];
     *second = iana_value[1];

diff --git a/tls/s2n_x509_validator.c b/tls/s2n_x509_validator.c
@@ -291,7 +291,7 @@ static uint8_t s2n_verify_host_information(struct s2n_x509_validator *validator,
 s2n_cert_validation_code s2n_x509_validator_validate_cert_chain(struct s2n_x509_validator *validator, struct s2n_connection *conn,
         uint8_t *cert_chain_in, uint32_t cert_chain_len, s2n_pkey_type *pkey_type, struct s2n_pkey *public_key_out) {
     S2N_ERROR_IF(!validator->skip_cert_validation && !s2n_x509_trust_store_has_certs(validator->trust_store), S2N_ERR_CERT_UNTRUSTED);
-    S2N_ERROR_IF(validator->state != INIT, S2N_ERR_INVALID_STATE);
+    S2N_ERROR_IF(validator->state != INIT, S2N_ERR_SAFETY);
 
     struct s2n_blob cert_chain_blob = {.data = cert_chain_in, .size = cert_chain_len};
     DEFER_CLEANUP(struct s2n_stuffer cert_chain_in_stuffer = {0}, s2n_stuffer_free);
@@ -398,7 +398,7 @@ s2n_cert_validation_code s2n_x509_validator_validate_cert_stapled_ocsp_response(
         return S2N_CERT_OK;
     }
 
-    S2N_ERROR_IF(validator->state != VALIDATED, S2N_ERR_INVALID_STATE);
+    S2N_ERROR_IF(validator->state != VALIDATED, S2N_ERR_SAFETY);
 
 #if !S2N_OCSP_STAPLING_SUPPORTED
     /* Default to safety */