Security issue notifications
If you discover a potential security issue in s2n, we ask that you notify
AWS Security via our vulnerability reporting page. Please do not create a public GitHub issue.
Problem:
#4020 adds the libcrypto TLS PRF implementation to s2n-tls, which is used in some scenarios rather than the custom s2n-tls implementation. The PRF unit tests contain known-value tests that ensure both the TLS and libcrypto implementations are correct. However, now that two different implementations exist, we should additionally add a fuzz test that provides both versions a bunch of random input and makes sure they produce the same results.
The same should also be done for HKDF after it's added, and also HMAC potentially.
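A sketch of the differential fuzz test the issue asks for, added here as an illustration and not taken from s2n-tls: it is written in Python rather than the project's C, and the two HMAC back ends stand in for the custom and libcrypto implementations. All function names are assumptions, and `buggy_mac` is a constructed fault (long keys are truncated instead of hashed) that shows the harness catching a divergence.

```python
import hashlib
import hmac
import random

BLOCK = 64  # SHA-256 block size in bytes

def hmac_manual(key, msg, hash_long_keys=True):
    """Hand-rolled HMAC-SHA256 (RFC 2104). hash_long_keys=False plants a bug."""
    if len(key) > BLOCK and hash_long_keys:
        key = hashlib.sha256(key).digest()
    key = key[:BLOCK].ljust(BLOCK, b"\x00")
    inner = hashlib.sha256(bytes(b ^ 0x36 for b in key) + msg).digest()
    return hashlib.sha256(bytes(b ^ 0x5C for b in key) + inner).digest()

def hmac_stdlib(key, msg):
    """Reference HMAC-SHA256 from the standard library."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def tls12_prf(mac, secret, label, seed, out_len):
    """TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    a, out = seed, b""
    while len(out) < out_len:
        a = mac(secret, a)            # A(i) = HMAC(secret, A(i-1)), A(0) = seed
        out += mac(secret, a + seed)  # next block: HMAC(secret, A(i) + seed)
    return out[:out_len]

def rand_bytes(rng, max_len):
    return bytes(rng.getrandbits(8) for _ in range(rng.randrange(max_len + 1)))

def differential_fuzz(mac_a, mac_b, iterations=300, rng_seed=0):
    """Return the first (secret, label, seed, out_len) where the PRFs differ."""
    rng = random.Random(rng_seed)     # fixed seed keeps any failure reproducible
    for _ in range(iterations):
        secret = rand_bytes(rng, 200)  # lengths straddle the 64-byte block size
        label, seed = rand_bytes(rng, 32), rand_bytes(rng, 96)
        out_len = rng.randrange(1, 130)  # includes partial final blocks
        if tls12_prf(mac_a, secret, label, seed, out_len) != \
           tls12_prf(mac_b, secret, label, seed, out_len):
            return secret, label, seed, out_len
    return None

def buggy_mac(key, msg):
    return hmac_manual(key, msg, hash_long_keys=False)

if __name__ == "__main__":
    print("correct vs stdlib:", differential_fuzz(hmac_manual, hmac_stdlib))
    found = differential_fuzz(buggy_mac, hmac_stdlib)
    print("buggy vs stdlib: mismatch at secret length", len(found[0]))
```

Known-value tests only catch this kind of fault if one of the vectors happens to use a secret longer than the hash block size; the randomized comparison reaches it without anyone having to anticipate the case.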