Merge branch 'main' into ja4_update

lrstewart · Sep 19, 2024 · e6abeb7 · e6abeb7
2 parents 137587a + e896037
commit e6abeb7
Show file tree

Hide file tree

Showing 12 changed files with 363 additions and 21 deletions.
diff --git a/.github/workflows/seccomp.yml b/.github/workflows/seccomp.yml
@@ -0,0 +1,67 @@
+name: seccomp
+on:
+  pull_request:
+    branches: [main]
+  merge_group:
+    types: [checks_requested]
+    branches: [main]
+
+jobs:
+  ubuntu:
+    runs-on: ubuntu-latest
+    steps:
+      - name: install dependencies
+        run: |
+          sudo apt update
+          sudo apt install cmake
+          # For default libcrypto
+          sudo apt install libssl-dev
+          # For seccomp
+          sudo apt install libseccomp-dev
+          # For aws-lc
+          sudo apt install clang golang
+          
+      - name: checkout s2n-tls
+        uses: actions/checkout@v4
+
+      - name: checkout aws-lc
+        uses: actions/checkout@v4
+        with:
+          repository: aws/aws-lc
+          path: awslc
+
+      - name: build awslc
+        # See https://github.com/aws/aws-lc/blob/main/BUILDING.md#building
+        working-directory: awslc
+        run: |
+          cmake -B build
+          make -C build
+          cmake --install build --prefix install
+
+      - name: seccomp with default libcrypto
+        # TODO: There are still issues with openssl running with seccomp.
+        # Disable for now.
+        if: false
+        run: |
+          cmake -Bbuild \
+            -DSECCOMP=1 \
+            -DCMAKE_BUILD_TYPE=Release \
+            -DCMAKE_INSTALL_PREFIX=install
+          cmake --build build -j $(nproc)
+          CTEST_PARALLEL_LEVEL=$(nproc) ctest --test-dir build
+          cmake --install build
+          ./build/bin/s2nc localhost 8000 | grep "libcrypto" | grep -v "AWS-LC"
+          rm -rf build
+
+      - name: seccomp with aws-lc
+        run: |
+          cmake -Bbuild \
+            -DSECCOMP=1 \
+            -DCMAKE_BUILD_TYPE=Release \
+            -DCMAKE_PREFIX_PATH=awslc/install \
+            -DCMAKE_INSTALL_PREFIX=install
+          cmake --build build -j $(nproc)
+          CTEST_PARALLEL_LEVEL=$(nproc) ctest --test-dir build
+          cmake --install build
+          ./build/bin/s2nc localhost 8000 | grep "libcrypto" | grep "AWS-LC"
+          rm -rf build
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -39,6 +39,7 @@ option(S2N_INSTALL_S2NC_S2ND "Install the binaries s2nc and s2nd" OFF)
 option(S2N_USE_CRYPTO_SHARED_LIBS "For S2N to use shared libs in Findcrypto" OFF)
 option(TSAN "Enable ThreadSanitizer to test thread safety" OFF)
 option(ASAN "Enable AddressSanitizer to test memory safety" OFF)
+option(SECCOMP "Link with seccomp and run seccomp tests" OFF)
 
 # Turn BUILD_TESTING=ON by default
 include(CTest)
@@ -452,6 +453,11 @@ if (BUILD_TESTING)
     target_include_directories(testss2n PUBLIC tests)
     target_compile_options(testss2n PRIVATE -std=gnu99)
     target_link_libraries(testss2n PUBLIC ${PROJECT_NAME})
+    if (SECCOMP)
+        message(STATUS "Linking tests with seccomp")
+        target_link_libraries(testss2n PRIVATE seccomp)
+        target_compile_definitions(testss2n PRIVATE SECCOMP)
+    endif()
 
     if (S2N_INTERN_LIBCRYPTO)
         # if libcrypto was interned, rewrite libcrypto symbols so use of internal functions will link correctly

diff --git a/bindings/rust/s2n-tls/src/security.rs b/bindings/rust/s2n-tls/src/security.rs
@@ -29,8 +29,29 @@ impl Policy {
         }
     }
 
+    /// Construct a numbered security policy.
+    ///
+    /// Numbered security policies are stable and will not change, in comparison
+    /// to default security policies: [DEFAULT] and [DEFAULT_TLS13].
+    ///
     /// See the s2n-tls usage guide for details on available policies:
     /// <https://aws.github.io/s2n-tls/usage-guide/ch06-security-policies.html>
+    /// ```
+    /// use s2n_tls::{config, security};
+    ///
+    /// let mut config = config::Builder::new();
+    ///
+    /// // "20240501" is a numbered security policy. More information can be found
+    /// // in the linked s2n-tls usage guide.
+    /// let security_policy = match security::Policy::from_version("20240501") {
+    ///     Ok(policy) => policy,
+    ///     Err(e) => {
+    ///         eprintln!("unable to construct the policy: {}", e);
+    ///         return;
+    ///     }
+    /// };
+    /// config.set_security_policy(&security_policy);
+    /// ```
     pub fn from_version(version: &str) -> Result<Policy, Error> {
         let cstr = CString::new(version).map_err(|_| Error::INVALID_INPUT)?;
         let context = Context::Owned(cstr);

diff --git a/docs/BUILD.md b/docs/BUILD.md
@@ -110,6 +110,8 @@ cmake . -LH
 
 s2n-tls has a dependency on a libcrypto library. A supported libcrypto must be linked to s2n-tls when building. The following libcrypto libraries are currently supported:
 - [AWS-LC](https://github.com/aws/aws-lc)
+  - Limited ["Sandboxing"](https://github.com/aws/aws-lc/blob/main/SANDBOXING.md) is only supported and tested with AWS-LC.
+  - [PQ key exchange](https://aws.github.io/s2n-tls/usage-guide/ch15-post-quantum.html) is only supported with AWS-LC.
 - [OpenSSL](https://www.openssl.org/) (versions 1.0.2 - 3.0)
   - ChaChaPoly is not supported before Openssl-1.1.1.
   - RSA-PSS is not supported before Openssl-1.1.1.

diff --git a/tests/pcap/Cargo.toml b/tests/pcap/Cargo.toml
@@ -14,11 +14,12 @@ bytes = "1.7.1"
 hex = "0.4.3"
 reqwest = { version = "0.12.7", features = ["blocking"] }
 semver = "1.0.23"
+rtshark = "2.9.0"
 
 [dependencies]
 anyhow = "1.0.86"
 hex = "0.4.3"
-rtshark = "2.7.1"
+rtshark = "2.9.0"
 
 [dev-dependencies]
 # We want to test against the latest, local version of s2n

diff --git a/tests/pcap/build.rs b/tests/pcap/build.rs
@@ -4,12 +4,12 @@
 use anyhow::*;
 use bytes::Buf;
 use bytes::Bytes;
+use rtshark::RTSharkBuilder;
 use semver::Version;
 use std::collections::HashMap;
 use std::fs::File;
 use std::io::copy;
 use std::path::Path;
-use std::process::Command;
 use std::thread;
 use std::time::Duration;
 
@@ -101,12 +101,8 @@ fn download(url: &str) -> Result<Bytes> {
 }
 
 fn assert_tshark_version() -> Result<()> {
-    let output = Command::new("tshark").args(["--version"]).output();
-    let version = output.ok().and_then(|output| {
-        let message = std::str::from_utf8(&output.stdout).ok();
-        message.and_then(|msg| msg.split_whitespace().find_map(|s| Version::parse(s).ok()))
-    });
-
+    let version_info = RTSharkBuilder::builder().version()?;
+    let version = version_info.version();
     // Version requirements:
     // 1. tshark >= 3.7.0 is required for JA3 support
     //    JA3 support was added to earlier versions, but did not correctly ignore grease values.
@@ -117,17 +113,13 @@ fn assert_tshark_version() -> Result<()> {
     // 3. tshark >= 4.2.0 is required for JA4 support.
     //    See https://gitlab.com/wireshark/wireshark/-/commit/fd19f0d06f96b9934e3cd5b9889b2f83d3567fce
     let min_version = Version::new(4, 2, 0);
-    if let Some(version) = version {
-        assert!(
-            version >= min_version,
-            "tshark {} required. tshark {} found",
-            min_version,
-            version
-        );
-        println!("tshark version: {}", version);
-    } else {
-        println!("cargo:warning=Unable to determine tshark version");
-    }
+    assert!(
+        version >= &min_version,
+        "tshark {} required. tshark {} found.",
+        min_version,
+        version
+    );
+    println!("tshark version: {}", version);
     Ok(())
 }
 

diff --git a/tests/s2n_test.h b/tests/s2n_test.h
@@ -30,6 +30,8 @@
 
 int test_count;
 
+bool s2n_use_color_in_output = true;
+
 /* Macro definitions for calls that occur within BEGIN_TEST() and END_TEST() to preserve the SKIPPED test behavior
  * by ignoring the test_count, keeping it as 0 to indicate that a test was skipped. */
 #define EXPECT_TRUE_WITHOUT_COUNT( condition )    do { if ( !(condition) ) { FAIL_MSG( #condition " is not true "); } } while(0)
@@ -40,7 +42,7 @@ int test_count;
 #define EXPECT_SUCCESS_WITHOUT_COUNT( function_call )  EXPECT_NOT_EQUAL_WITHOUT_COUNT( (function_call) ,  -1 )
 
 #define END_TEST_PRINT()                                                            \
-    if (isatty(fileno(stdout))) {                                                   \
+    if (s2n_use_color_in_output && isatty(fileno(stdout))) {                                                   \
         if (test_count) {                                                           \
             fprintf(stdout, "\033[32;1mPASSED\033[0m %10d tests\n", test_count );   \
         }                                                                           \
@@ -105,7 +107,7 @@ int test_count;
                           /* isatty and s2n_print_stacktrace will overwrite errno on failure */ \
                           int real_errno = errno; \
                           s2n_print_stacktrace(stderr); \
-                          if (isatty(fileno(stderr))) { \
+                          if (s2n_use_color_in_output && isatty(fileno(stderr))) { \
                             errno = real_errno; \
                             fprintf(stderr, "\033[31;1mFAILED test %d\033[0m\n%s (%s:%d)\nError Message: '%s'\n Debug String: '%s'\n System Error: %s (%d)\n", test_count, (msg), __FILE__, __LINE__, s2n_strerror(s2n_errno, "EN"), s2n_strerror_debug(s2n_errno, "EN"), strerror(errno), errno); \
                           } \

diff --git a/tests/testlib/s2n_seccomp.c b/tests/testlib/s2n_seccomp.c
@@ -0,0 +1,94 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+#include "testlib/s2n_testlib.h"
+#include "utils/s2n_safety.h"
+
+#ifdef SECCOMP
+
+    #include <seccomp.h>
+
+DEFINE_POINTER_CLEANUP_FUNC(scmp_filter_ctx, seccomp_release);
+
+extern bool s2n_use_color_in_output;
+
+bool s2n_is_seccomp_supported()
+{
+    return true;
+}
+
+/* "seccomp" allows the kernel to control what system calls an application
+ * is allowed to make based on a provided filter.
+ *
+ * seccomp is commonly used for "sandboxing" programs for security reasons.
+ */
+S2N_RESULT s2n_seccomp_init()
+{
+    /* Using SCMP_ACT_TRAP instead of SCMP_ACT_KILL as the default action
+     * makes this test easier to debug. GDB can be used to debug failures caused
+     * by SCMP_ACT_TRAP, but not caused by SCMP_ACT_KILL.
+     */
+    DEFER_CLEANUP(scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP),
+            seccomp_release_pointer);
+    RESULT_ENSURE_REF(ctx);
+
+    /* Basic requirements: s2n-tls is known to need these system calls in order
+     * to operate. Adding a new system call to this list means that any application
+     * using s2n-tls with seccomp will potentially also need to update its filter rules.
+     *
+     * Do not add any variation of "open" to this list. One of the primary reasons
+     * that an application would choose to use seccomp is to prevent opening files,
+     * similar to chroot.
+     */
+    RESULT_GUARD_POSIX(seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(access), 0));
+    RESULT_GUARD_POSIX(seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0));
+    RESULT_GUARD_POSIX(seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(clock_gettime), 0));
+    RESULT_GUARD_POSIX(seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0));
+    RESULT_GUARD_POSIX(seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0));
+    RESULT_GUARD_POSIX(seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0));
+    RESULT_GUARD_POSIX(seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 0));
+    RESULT_GUARD_POSIX(seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getrandom), 0));
+    RESULT_GUARD_POSIX(seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0));
+    RESULT_GUARD_POSIX(seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0));
+
+    /* Ubuntu22 uses "newfstatat" instead of "fstat" */
+    RESULT_GUARD_POSIX(seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(newfstatat), 0));
+
+    /* See https://github.com/aws/aws-lc/blob/main/SANDBOXING.md#fork-protection:
+     * We can just cause the madavise call to fail rather than blocking it entirely. */
+    RESULT_GUARD_POSIX(seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EINVAL), SCMP_SYS(madvise), 0));
+
+    /* Checking whether the terminal supports color requires an additional
+     * system call. Preemptively disable color.
+     */
+    s2n_use_color_in_output = false;
+
+    RESULT_GUARD_POSIX(seccomp_load(ctx));
+    return S2N_RESULT_OK;
+}
+
+#else
+
+bool s2n_is_seccomp_supported()
+{
+    return false;
+}
+
+S2N_RESULT s2n_seccomp_init()
+{
+    return S2N_RESULT_OK;
+}
+
+#endif
diff --git a/tests/testlib/s2n_testlib.h b/tests/testlib/s2n_testlib.h
@@ -298,3 +298,6 @@ S2N_RESULT s2n_resumption_test_ticket_key_setup(struct s2n_config *config);
 #define S2N_CHECKED_BLOB_FROM_HEX(name, check, hex)        \
     DEFER_CLEANUP(struct s2n_blob name = { 0 }, s2n_free); \
     check(s2n_blob_alloc_from_hex_with_whitespace(&name, (const char *) hex));
+
+bool s2n_is_seccomp_supported();
+S2N_RESULT s2n_seccomp_init();
diff --git a/tests/unit/s2n_seccomp_failure_test.c b/tests/unit/s2n_seccomp_failure_test.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+#include <signal.h>
+#include <stdio.h>
+#include <sys/stat.h>
+
+#include "s2n_test.h"
+#include "testlib/s2n_testlib.h"
+
+bool s2n_fstat_success = false;
+bool s2n_open_success = false;
+
+void s2n_detect_open_violation(int sig)
+{
+    EXPECT_EQUAL(sig, SIGSYS);
+
+    EXPECT_TRUE(s2n_fstat_success);
+    EXPECT_FALSE(s2n_open_success);
+
+    END_TEST_PRINT();
+    exit(0);
+}
+
+int main(int argc, char **argv)
+{
+    BEGIN_TEST();
+
+    if (!s2n_is_seccomp_supported()) {
+        END_TEST();
+    }
+
+    const struct sigaction action = {
+        .sa_handler = s2n_detect_open_violation,
+    };
+    EXPECT_EQUAL(sigaction(SIGSYS, &action, NULL), 0);
+
+    EXPECT_OK(s2n_seccomp_init());
+
+    /* The seccomp filter allows fstat */
+    struct stat st = { 0 };
+    EXPECT_SUCCESS(fstat(0, &st));
+    s2n_fstat_success = true;
+
+    /* The seccomp filter does NOT allow open */
+    FILE *file = fopen(S2N_DEFAULT_TEST_CERT_CHAIN, "r");
+    s2n_open_success = true;
+    EXPECT_NOT_NULL(file);
+
+    FAIL_MSG("test unexpectedly succeeded");
+}