aws · lrstewart · Aug 2, 2024 · Jul 29, 2024 · Aug 2, 2024 · Aug 2, 2024
diff --git a/bin/common.c b/bin/common.c
@@ -314,6 +314,9 @@ int s2n_setup_external_psk_list(struct s2n_connection *conn, char *psk_optarg_li
 
 int s2n_set_common_server_config(int max_early_data, struct s2n_config *config, struct conn_settings conn_settings, const char *cipher_prefs, const char *session_ticket_key_file_path)
 {
+    /* The s2n-tls blinding security feature is disabled for testing purposes to make debugging easier. */
+    GUARD_EXIT(s2n_config_set_max_blinding_delay(config, 0), "Error setting blinding delay");
+
     GUARD_EXIT(s2n_config_set_server_max_early_data_size(config, max_early_data), "Error setting max early data");
 
     GUARD_EXIT(s2n_config_add_dhparams(config, dhparams), "Error adding DH parameters");

diff --git a/bin/s2nc.c b/bin/s2nc.c
@@ -76,6 +76,9 @@ const char default_trusted_cert[] =
 void usage()
 {
     /* clang-format off */
+    fprintf(stderr, "s2nc is an s2n-tls client testing utility.\n");
+    fprintf(stderr, "It is not intended for production use.\n");
+    fprintf(stderr, "\n");
     fprintf(stderr, "usage: s2nc [options] host [port]\n");
     fprintf(stderr, " host: hostname or IP address to connect to\n");
     fprintf(stderr, " port: port to connect to\n");
@@ -201,6 +204,9 @@ static void setup_s2n_config(struct s2n_config *config, const char *cipher_prefs
         exit(1);
     }
 
+    /* The s2n-tls blinding security feature is disabled for testing purposes to make debugging easier. */
+    GUARD_EXIT(s2n_config_set_max_blinding_delay(config, 0), "Error setting blinding delay");
+
     GUARD_EXIT(s2n_config_set_cipher_preferences(config, cipher_prefs), "Error setting cipher prefs");
 
     GUARD_EXIT(s2n_config_set_status_request_type(config, type), "OCSP validation is not supported by the linked libCrypto implementation. It cannot be set.");

diff --git a/bin/s2nd.c b/bin/s2nd.c
@@ -138,6 +138,9 @@ static char default_private_key[] =
 void usage()
 {
     /* clang-format off */
+    fprintf(stderr, "s2nd is an s2n-tls server testing utility.\n");
+    fprintf(stderr, "It is not intended for production use.\n");
+    fprintf(stderr, "\n");
     fprintf(stderr, "usage: s2nd [options] host port\n");
     fprintf(stderr, " host: hostname or IP address to listen on\n");
     fprintf(stderr, " port: port to listen on\n");

diff --git a/tests/unit/s2n_safety_blinding_test.c b/tests/unit/s2n_safety_blinding_test.c
@@ -151,6 +151,26 @@ int main(int argc, char **argv)
             EXPECT_BLINDING(conn);
         };
 
+        /* Skips blinding if set to 0 */
+        {
+            SETUP_TEST(conn);
+            s2n_errno = S2N_ERR_UNIMPLEMENTED;
+
+            DEFER_CLEANUP(struct s2n_config *config = s2n_config_new(), s2n_config_ptr_free);
+            EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
+
+            /* No blinding delay, but closed connection */
+            EXPECT_SUCCESS(s2n_config_set_max_blinding_delay(config, 0));
+            EXPECT_OK(s2n_connection_apply_error_blinding(&conn));
+            EXPECT_EQUAL(s2n_connection_get_delay(conn), 0);
+            EXPECT_TRUE(s2n_connection_check_io_status(conn, S2N_IO_CLOSED));
+
+            /* Any non-zero blinding delay still causes blinding */
+            EXPECT_SUCCESS(s2n_config_set_max_blinding_delay(config, 1));
+            EXPECT_OK(s2n_connection_apply_error_blinding(&conn));
+            EXPECT_BLINDING(conn);
+        }
+
         EXPECT_SUCCESS(s2n_connection_free(conn));
     };
 

diff --git a/tls/s2n_connection.c b/tls/s2n_connection.c
@@ -1238,6 +1238,9 @@ static S2N_RESULT s2n_connection_kill(struct s2n_connection *conn)
 
     int64_t min = 0, max = 0;
     RESULT_GUARD(s2n_connection_calculate_blinding(conn, &min, &max));
+    if (max == 0) {
+        return S2N_RESULT_OK;
+    }
 
     /* Keep track of the delay so that it can be enforced */
     uint64_t rand_delay = 0;