From 8e54829ef5a359e293ae41f47b7a6e23402a2824 Mon Sep 17 00:00:00 2001 From: Jou Ho Date: Tue, 25 Jun 2024 20:24:48 +0000 Subject: [PATCH 1/7] modify cipher structs to return s2n_result and use output variable --- crypto/s2n_aead_cipher_aes_gcm.c | 20 ++++++++++---- crypto/s2n_aead_cipher_chacha20_poly1305.c | 9 ++++-- crypto/s2n_cbc_cipher_3des.c | 8 ++++-- crypto/s2n_cbc_cipher_aes.c | 16 ++++++++--- crypto/s2n_cipher.h | 2 +- crypto/s2n_composite_cipher_aes_sha.c | 32 ++++++++++++++++------ crypto/s2n_stream_cipher_null.c | 8 ++++-- crypto/s2n_stream_cipher_rc4.c | 20 ++++++++------ 8 files changed, 81 insertions(+), 34 deletions(-) diff --git a/crypto/s2n_aead_cipher_aes_gcm.c b/crypto/s2n_aead_cipher_aes_gcm.c index 6fea5a30080..eed3d6800ed 100644 --- a/crypto/s2n_aead_cipher_aes_gcm.c +++ b/crypto/s2n_aead_cipher_aes_gcm.c @@ -26,22 +26,30 @@ #define S2N_AEAD_AES_GCM_AVAILABLE #endif -static uint8_t s2n_aead_cipher_aes128_gcm_available() +static S2N_RESULT s2n_aead_cipher_aes128_gcm_available(bool *available) { + RESULT_ENSURE_REF(available); + #if defined(S2N_AEAD_AES_GCM_AVAILABLE) - return (EVP_aead_aes_128_gcm() ? 1 : 0); + *available = (EVP_aead_aes_128_gcm() ? 1 : 0); #else - return (EVP_aes_128_gcm() ? 1 : 0); + *available =(EVP_aes_128_gcm() ? 1 : 0); #endif + + return S2N_RESULT_OK; } -static uint8_t s2n_aead_cipher_aes256_gcm_available() +static S2N_RESULT s2n_aead_cipher_aes256_gcm_available(bool *available) { + RESULT_ENSURE_REF(available); + #if defined(S2N_AEAD_AES_GCM_AVAILABLE) - return (EVP_aead_aes_256_gcm() ? 1 : 0); + *available = (EVP_aead_aes_256_gcm() ? 1 : 0); #else - return (EVP_aes_256_gcm() ? 1 : 0); + *available = (EVP_aes_256_gcm() ? 1 : 0); #endif + + return S2N_RESULT_OK; } #if defined(S2N_AEAD_AES_GCM_AVAILABLE) /* BoringSSL and AWS-LC AEAD API implementation */ diff --git a/crypto/s2n_aead_cipher_chacha20_poly1305.c b/crypto/s2n_aead_cipher_chacha20_poly1305.c index 55f12908f12..041895d8257 100644 
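Review bot: The new `bool` output in `s2n_aead_cipher_aes128_gcm_available` and `s2n_aead_cipher_aes256_gcm_available` is still written with the old `uint8_t` idiom `? 1 : 0`, and the `#else` branch of the aes128 function has a spacing slip in `*available =(EVP_aes_128_gcm() ? 1 : 0);`. A direct pointer test says the same thing without the integer detour, e.g. `*available = (EVP_aes_128_gcm() != NULL);`. The same `1`/`0` style appears in the ChaCha20, 3DES, AES-CBC, composite AES-SHA and null-cipher hunks of this patch, while the RC4 hunk already uses `false` and `!= NULL`, so the patch is inconsistent with itself.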
--- a/crypto/s2n_aead_cipher_chacha20_poly1305.c +++ b/crypto/s2n_aead_cipher_chacha20_poly1305.c @@ -34,13 +34,16 @@ #define S2N_CHACHA20_POLY1305_AVAILABLE_OSSL #endif -static uint8_t s2n_aead_chacha20_poly1305_available(void) +static S2N_RESULT s2n_aead_chacha20_poly1305_available(bool *available) { + RESULT_ENSURE_REF(available); + #if defined(S2N_CHACHA20_POLY1305_AVAILABLE_OSSL) || defined(S2N_CHACHA20_POLY1305_AVAILABLE_BSSL_AWSLC) - return 1; + *available = 1; #else - return 0; + *available = 0; #endif + return S2N_RESULT_OK; } #if defined(S2N_CHACHA20_POLY1305_AVAILABLE_OSSL) /* OpenSSL implementation */ diff --git a/crypto/s2n_cbc_cipher_3des.c b/crypto/s2n_cbc_cipher_3des.c index c2460efe9ab..52401ae3b81 100644 --- a/crypto/s2n_cbc_cipher_3des.c +++ b/crypto/s2n_cbc_cipher_3des.c @@ -21,9 +21,13 @@ #include "utils/s2n_blob.h" #include "utils/s2n_safety.h" -static uint8_t s2n_cbc_cipher_3des_available() +static S2N_RESULT s2n_cbc_cipher_3des_available(bool *available) { - return (EVP_des_ede3_cbc() ? 1 : 0); + RESULT_ENSURE_REF(available); + + *available = (EVP_des_ede3_cbc() ? 1 : 0); + + return S2N_RESULT_OK; } static int s2n_cbc_cipher_3des_encrypt(struct s2n_session_key *key, struct s2n_blob *iv, struct s2n_blob *in, struct s2n_blob *out) diff --git a/crypto/s2n_cbc_cipher_aes.c b/crypto/s2n_cbc_cipher_aes.c index da09a118734..89f1b96dffa 100644 --- a/crypto/s2n_cbc_cipher_aes.c +++ b/crypto/s2n_cbc_cipher_aes.c 
@@ -21,14 +21,22 @@ #include "utils/s2n_blob.h" #include "utils/s2n_safety.h" -static uint8_t s2n_cbc_cipher_aes128_available() +static S2N_RESULT s2n_cbc_cipher_aes128_available(bool *available) { - return (EVP_aes_128_cbc() ? 1 : 0); + RESULT_ENSURE_REF(available); + + *available = (EVP_aes_128_cbc() ? 1 : 0); + + return S2N_RESULT_OK; } -static uint8_t s2n_cbc_cipher_aes256_available() +static S2N_RESULT s2n_cbc_cipher_aes256_available(bool *available) { - return (EVP_aes_256_cbc() ? 1 : 0); + RESULT_ENSURE_REF(available); + + *available = (EVP_aes_256_cbc() ? 1 : 0); + + return S2N_RESULT_OK; } static int s2n_cbc_cipher_aes_encrypt(struct s2n_session_key *key, struct s2n_blob *iv, struct s2n_blob *in, struct s2n_blob *out) diff --git a/crypto/s2n_cipher.h b/crypto/s2n_cipher.h index 47c724ea637..2405ad950bb 100644 --- a/crypto/s2n_cipher.h +++ b/crypto/s2n_cipher.h @@ -82,7 +82,7 @@ struct s2n_cipher { struct s2n_composite_cipher comp; } io; uint8_t key_material_size; - uint8_t (*is_available)(void); + S2N_RESULT (*is_available)(bool *available); int (*init)(struct s2n_session_key *key); int (*set_decryption_key)(struct s2n_session_key *key, struct s2n_blob *in); int (*set_encryption_key)(struct s2n_session_key *key, struct s2n_blob *in); diff --git a/crypto/s2n_composite_cipher_aes_sha.c b/crypto/s2n_composite_cipher_aes_sha.c index 6db71912cef..53e065039f9 100644 --- a/crypto/s2n_composite_cipher_aes_sha.c +++ b/crypto/s2n_composite_cipher_aes_sha.c @@ -86,7 +86,7 @@ static const EVP_CIPHER *s2n_evp_aes_256_cbc_hmac_sha256(void) #endif } -static uint8_t s2n_composite_cipher_aes128_sha_available(void) +static S2N_RESULT s2n_composite_cipher_aes128_sha_available(bool *available) { /* EVP_aes_128_cbc_hmac_sha1() returns NULL if the implementations aren't available. * See https://github.com/openssl/openssl/blob/master/crypto/evp/e_aes_cbc_hmac_sha1.c#L952 
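Review bot: The changed `is_available` member of `struct s2n_cipher` has no comment describing its new contract, and that contract now matters. Every implementation in this patch returns through `RESULT_ENSURE_REF(available)` before writing the output, so `*available` is only meaningful when the call succeeds. I would add above the member something like `/* Sets *available to whether this cipher can be used; written only on success, so callers must initialise it to false and check the result. */`. The result feeds cipher-suite selection (see the `s2n_cipher_suites_init` hunks later on this page), so the fail-closed default is worth writing down rather than leaving to each caller. The struct definition starts and ends outside the hunk.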
@@ -95,34 +95,50 @@ static uint8_t s2n_composite_cipher_aes128_sha_available(void) * EVP_CIPH_FLAG_FIPS OpenSSL flag to be set for use when in FIPS mode, and composite * ciphers cause OpenSSL errors due to the lack of the flag. */ - return (!s2n_is_in_fips_mode() && s2n_evp_aes_128_cbc_hmac_sha1() ? 1 : 0); + RESULT_ENSURE_REF(available); + + *available = (!s2n_is_in_fips_mode() && s2n_evp_aes_128_cbc_hmac_sha1() ? 1 : 0); + + return S2N_RESULT_OK; } -static uint8_t s2n_composite_cipher_aes256_sha_available(void) +static S2N_RESULT s2n_composite_cipher_aes256_sha_available(bool *available) { /* Composite ciphers cannot be used when FIPS mode is set. Ciphers require the * EVP_CIPH_FLAG_FIPS OpenSSL flag to be set for use when in FIPS mode, and composite * ciphers cause OpenSSL errors due to the lack of the flag. */ - return (!s2n_is_in_fips_mode() && s2n_evp_aes_256_cbc_hmac_sha1() ? 1 : 0); + RESULT_ENSURE_REF(available); + + *available = (!s2n_is_in_fips_mode() && s2n_evp_aes_256_cbc_hmac_sha1() ? 1 : 0); + + return S2N_RESULT_OK; } -static uint8_t s2n_composite_cipher_aes128_sha256_available(void) +static S2N_RESULT s2n_composite_cipher_aes128_sha256_available(bool *available) { /* Composite ciphers cannot be used when FIPS mode is set. Ciphers require the * EVP_CIPH_FLAG_FIPS OpenSSL flag to be set for use when in FIPS mode, and composite * ciphers cause OpenSSL errors due to the lack of the flag. */ - return (!s2n_is_in_fips_mode() && s2n_evp_aes_128_cbc_hmac_sha256() ? 1 : 0); + RESULT_ENSURE_REF(available); + + *available = (!s2n_is_in_fips_mode() && s2n_evp_aes_128_cbc_hmac_sha256() ? 1 : 0); + + return S2N_RESULT_OK; } -static uint8_t s2n_composite_cipher_aes256_sha256_available(void) +static S2N_RESULT s2n_composite_cipher_aes256_sha256_available(bool *available) { /* Composite ciphers cannot be used when FIPS mode is set. 
Ciphers require the * EVP_CIPH_FLAG_FIPS OpenSSL flag to be set for use when in FIPS mode, and composite * ciphers cause OpenSSL errors due to the lack of the flag. */ - return (!s2n_is_in_fips_mode() && s2n_evp_aes_256_cbc_hmac_sha256() ? 1 : 0); + RESULT_ENSURE_REF(available); + + *available = (!s2n_is_in_fips_mode() && s2n_evp_aes_256_cbc_hmac_sha256() ? 1 : 0); + + return S2N_RESULT_OK; } static int s2n_composite_cipher_aes_sha_initial_hmac(struct s2n_session_key *key, uint8_t *sequence_number, uint8_t content_type, diff --git a/crypto/s2n_stream_cipher_null.c b/crypto/s2n_stream_cipher_null.c index 6550ed07cb9..1590c17c19e 100644 --- a/crypto/s2n_stream_cipher_null.c +++ b/crypto/s2n_stream_cipher_null.c @@ -18,9 +18,13 @@ #include "utils/s2n_blob.h" #include "utils/s2n_safety.h" -static uint8_t s2n_stream_cipher_null_available() +static S2N_RESULT s2n_stream_cipher_null_available(bool *available) { - return 1; + RESULT_ENSURE_REF(available); + + *available = 1; + + return S2N_RESULT_OK; } static int s2n_stream_cipher_null_endecrypt(struct s2n_session_key *key, struct s2n_blob *in, struct s2n_blob *out) diff --git a/crypto/s2n_stream_cipher_rc4.c b/crypto/s2n_stream_cipher_rc4.c index 30be7e6a432..c673c229b2d 100644 --- a/crypto/s2n_stream_cipher_rc4.c +++ b/crypto/s2n_stream_cipher_rc4.c 
@@ -30,19 +30,23 @@ static const EVP_CIPHER *s2n_evp_rc4() #endif } -static uint8_t s2n_stream_cipher_rc4_available() +static S2N_RESULT s2n_stream_cipher_rc4_available(bool *available) { + RESULT_ENSURE_REF(available); + if (s2n_is_in_fips_mode()) { - return 0; + *available = false; + return S2N_RESULT_OK; } - /* RC4 MIGHT be available in Openssl-3.0, depending on whether or not the - * "legacy" provider is loaded. However, for simplicity, assume that RC4 - * is unavailable. - */ + if (S2N_OPENSSL_VERSION_AT_LEAST(3, 0, 0)) { - return 0; + *available = false; + return S2N_RESULT_OK; } - return (s2n_evp_rc4() ? 1 : 0); + + *available = (s2n_evp_rc4() != NULL); + + return S2N_RESULT_OK; } static int s2n_stream_cipher_rc4_encrypt(struct s2n_session_key *key, struct s2n_blob *in, struct s2n_blob *out) From 4d2463ffccd4e959da72fefe89730f93378757ee Mon Sep 17 00:00:00 2001 From: Jou Ho Date: Tue, 25 Jun 2024 23:12:55 +0000 Subject: [PATCH 2/7] modify tests --- crypto/s2n_aead_cipher_aes_gcm.c | 2 +- crypto/s2n_stream_cipher_rc4.c | 11 ++++++++--- tests/unit/s2n_aead_chacha20_poly1305_test.c | 4 +++- tests/unit/s2n_aes_sha_composite_test.c | 18 ++++++++++++++---- tests/unit/s2n_cbc_test.c | 4 +++- tests/unit/s2n_cipher_suite_match_test.c | 12 +++++++++--- tests/unit/s2n_rc4_test.c | 12 +++++++++--- tests/unit/s2n_record_size_test.c | 14 +++++++++++--- tests/unit/s2n_security_policies_test.c | 4 +++- tests/unit/s2n_sslv3_test.c | 4 +++- tls/s2n_cipher_suites.c | 6 ++++-- 11 files changed, 68 insertions(+), 23 deletions(-) diff --git a/crypto/s2n_aead_cipher_aes_gcm.c b/crypto/s2n_aead_cipher_aes_gcm.c index eed3d6800ed..eb38c3f6b20 100644 --- a/crypto/s2n_aead_cipher_aes_gcm.c +++ b/crypto/s2n_aead_cipher_aes_gcm.c 
@@ -33,7 +33,7 @@ static S2N_RESULT s2n_aead_cipher_aes128_gcm_available(bool *available) #if defined(S2N_AEAD_AES_GCM_AVAILABLE) *available = (EVP_aead_aes_128_gcm() ? 1 : 0); #else - *available =(EVP_aes_128_gcm() ? 1 : 0); + *available = (EVP_aes_128_gcm() ? 1 : 0); #endif return S2N_RESULT_OK; diff --git a/crypto/s2n_stream_cipher_rc4.c b/crypto/s2n_stream_cipher_rc4.c index c673c229b2d..f74cc24d556 100644 --- a/crypto/s2n_stream_cipher_rc4.c +++ b/crypto/s2n_stream_cipher_rc4.c @@ -35,16 +35,21 @@ static S2N_RESULT s2n_stream_cipher_rc4_available(bool *available) RESULT_ENSURE_REF(available); if (s2n_is_in_fips_mode()) { - *available = false; + *available = 0; return S2N_RESULT_OK; } + /* RC4 MIGHT be available in Openssl-3.0, depending on whether or not the + * "legacy" provider is loaded. However, for simplicity, assume that RC4 + * is unavailable. + */ if (S2N_OPENSSL_VERSION_AT_LEAST(3, 0, 0)) { - *available = false; + *available = 0; return S2N_RESULT_OK; } - *available = (s2n_evp_rc4() != NULL); + *available = (s2n_evp_rc4() ? 1 : 0); + ; return S2N_RESULT_OK; } diff --git a/tests/unit/s2n_aead_chacha20_poly1305_test.c b/tests/unit/s2n_aead_chacha20_poly1305_test.c index 5f4aaf667cc..c9500eb5c8f 100644 --- a/tests/unit/s2n_aead_chacha20_poly1305_test.c +++ b/tests/unit/s2n_aead_chacha20_poly1305_test.c @@ -60,7 +60,9 @@ int main(int argc, char **argv) EXPECT_SUCCESS(s2n_disable_tls13_in_test()); /* Skip test if librcrypto doesn't support the cipher */ - if (!s2n_chacha20_poly1305.is_available()) { + bool is_chacha20_poly1305_available = false; + EXPECT_OK(s2n_chacha20_poly1305.is_available(&is_chacha20_poly1305_available)); + if (!is_chacha20_poly1305_available) { END_TEST(); } diff --git a/tests/unit/s2n_aes_sha_composite_test.c b/tests/unit/s2n_aes_sha_composite_test.c index a8b8d5b6aaf..0862d6e8819 100644 --- a/tests/unit/s2n_aes_sha_composite_test.c +++ b/tests/unit/s2n_aes_sha_composite_test.c 
@@ -66,10 +66,20 @@ int main(int argc, char **argv) EXPECT_SUCCESS(s2n_disable_tls13_in_test()); /* Skip test if we can't use the ciphers */ - if (!s2n_aes128_sha.is_available() - || !s2n_aes256_sha.is_available() - || !s2n_aes128_sha256.is_available() - || !s2n_aes256_sha256.is_available()) { + bool is_aes128_sha_available = false; + bool is_aes256_sha_available = false; + bool is_aes128_sha256_available = false; + bool is_aes256_sha256_available = false; + + EXPECT_OK(s2n_aes128_sha.is_available(&is_aes128_sha_available)); + EXPECT_OK(s2n_aes256_sha.is_available(&is_aes256_sha_available)); + EXPECT_OK(s2n_aes128_sha256.is_available(&is_aes128_sha256_available)); + EXPECT_OK(s2n_aes256_sha256.is_available(&is_aes256_sha256_available)); + + if (!is_aes128_sha_available + || !is_aes256_sha_available + || !is_aes128_sha256_available + || !is_aes256_sha256_available) { END_TEST(); } diff --git a/tests/unit/s2n_cbc_test.c b/tests/unit/s2n_cbc_test.c index 31f8a174851..ed60655b8dd 100644 --- a/tests/unit/s2n_cbc_test.c +++ b/tests/unit/s2n_cbc_test.c @@ -57,7 +57,9 @@ int main(int argc, char **argv) } /* Skip unsupported ciphers. */ - if (!test_cipher_suite.record_alg->cipher->is_available()) { + bool is_cipher_available = false; + EXPECT_OK(test_cipher_suite.record_alg->cipher->is_available(&is_cipher_available)); + if (!is_cipher_available) { continue; } diff --git a/tests/unit/s2n_cipher_suite_match_test.c b/tests/unit/s2n_cipher_suite_match_test.c index ff05d7de578..cc6bcb5dc5f 100644 --- a/tests/unit/s2n_cipher_suite_match_test.c +++ b/tests/unit/s2n_cipher_suite_match_test.c 
@@ -684,7 +684,9 @@ int main(int argc, char **argv) conn->actual_protocol_version = S2N_TLS13; conn->server_protocol_version = S2N_TLS13; - if (s2n_chacha20_poly1305.is_available()) { + bool is_chacha20_poly1305_available = false; + EXPECT_OK(s2n_chacha20_poly1305.is_available(&is_chacha20_poly1305_available)); + if (is_chacha20_poly1305_available) { EXPECT_SUCCESS(s2n_set_cipher_as_tls_server(conn, wire_ciphers2, count)); EXPECT_EQUAL(conn->secure->cipher_suite, &s2n_tls13_chacha20_poly1305_sha256); } else { @@ -910,7 +912,9 @@ int main(int argc, char **argv) EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, ecdsa_cert)); EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "test_all")); - if (s2n_chacha20_poly1305.is_available()) { + bool is_chacha20_poly1305_available = false; + EXPECT_OK(s2n_chacha20_poly1305.is_available(&is_chacha20_poly1305_available)); + if (is_chacha20_poly1305_available) { /* Test chacha20 boosting when ciphersuites fail auth validation */ { DEFER_CLEANUP(struct s2n_connection *connection = s2n_connection_new(S2N_SERVER), s2n_connection_ptr_free); @@ -1372,7 +1376,9 @@ int main(int argc, char **argv) }; } - if (!s2n_chacha20_poly1305.is_available()) { + is_chacha20_poly1305_available = false; + EXPECT_OK(s2n_chacha20_poly1305.is_available(&is_chacha20_poly1305_available)); + if (!is_chacha20_poly1305_available) { /* Chacha20 can't be negotiated when it's not available in libcrypto */ DEFER_CLEANUP(struct s2n_connection *connection = s2n_connection_new(S2N_SERVER), s2n_connection_ptr_free); EXPECT_NOT_NULL(connection); diff --git a/tests/unit/s2n_rc4_test.c b/tests/unit/s2n_rc4_test.c index a1d42238ab9..eaa3921639a 100644 --- a/tests/unit/s2n_rc4_test.c +++ b/tests/unit/s2n_rc4_test.c 
@@ -35,12 +35,16 @@ int main(int argc, char **argv) /* Test Openssl-3.0 does not support RC4 */ if (S2N_OPENSSL_VERSION_AT_LEAST(3, 0, 0)) { - EXPECT_FALSE(s2n_rc4.is_available()); + bool is_rc4_available = false; + EXPECT_OK(s2n_rc4.is_available(&is_rc4_available)); + EXPECT_FALSE(is_rc4_available); } /* Test FIPS does not support RC4 */ if (s2n_is_in_fips_mode()) { - EXPECT_FALSE(s2n_rc4.is_available()); + bool is_rc4_available = false; + EXPECT_OK(s2n_rc4.is_available(&is_rc4_available)); + EXPECT_FALSE(is_rc4_available); } struct s2n_connection *conn = NULL; @@ -70,7 +74,9 @@ int main(int argc, char **argv) conn->secure->cipher_suite->record_alg = &s2n_record_alg_rc4_sha; EXPECT_SUCCESS(conn->secure->cipher_suite->record_alg->cipher->init(&conn->secure->server_key)); EXPECT_SUCCESS(conn->secure->cipher_suite->record_alg->cipher->init(&conn->secure->client_key)); - if (conn->secure->cipher_suite->record_alg->cipher->is_available()) { + bool cipher_available = false; + EXPECT_OK(conn->secure->cipher_suite->record_alg->cipher->is_available(&cipher_available)); + if (cipher_available) { EXPECT_SUCCESS(conn->secure->cipher_suite->record_alg->cipher->set_decryption_key(&conn->secure->client_key, &key_iv)); EXPECT_SUCCESS(conn->secure->cipher_suite->record_alg->cipher->set_encryption_key(&conn->secure->server_key, &key_iv)); EXPECT_SUCCESS(s2n_hmac_init(&conn->secure->client_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key))); diff --git a/tests/unit/s2n_record_size_test.c b/tests/unit/s2n_record_size_test.c index cd144809cd7..1f9b9f8dd1f 100644 --- a/tests/unit/s2n_record_size_test.c +++ b/tests/unit/s2n_record_size_test.c @@ -315,7 +315,9 @@ int main(int argc, char **argv) }; /* chacha20 */ - if (s2n_chacha20_poly1305.is_available()) { + bool cipher_available = false; + EXPECT_OK(s2n_chacha20_poly1305.is_available(&cipher_available)); + if (cipher_available) { EXPECT_SUCCESS(destroy_server_keys(server_conn)); EXPECT_SUCCESS(s2n_connection_wipe(server_conn)); 
@@ -338,7 +340,9 @@ int main(int argc, char **argv) } /* TLS1.3 chacha20 */ - if (s2n_chacha20_poly1305.is_available()) { + cipher_available = false; + EXPECT_OK(s2n_chacha20_poly1305.is_available(&cipher_available)); + if (cipher_available) { EXPECT_SUCCESS(destroy_server_keys(server_conn)); EXPECT_SUCCESS(s2n_connection_wipe(server_conn)); @@ -362,7 +366,11 @@ int main(int argc, char **argv) } /* composite */ - if (s2n_aes128_sha.is_available() && s2n_aes128_sha256.is_available()) { + bool aes128_sha_available = false; + bool aes128_sha256_available = false; + EXPECT_OK(s2n_aes128_sha.is_available(&aes128_sha_available)); + EXPECT_OK(s2n_aes128_sha256.is_available(&aes128_sha256_available)); + if (aes128_sha_available && aes128_sha256_available) { EXPECT_SUCCESS(destroy_server_keys(server_conn)); EXPECT_SUCCESS(s2n_connection_wipe(server_conn)); EXPECT_SUCCESS(s2n_stuffer_wipe(&server_conn->out)); diff --git a/tests/unit/s2n_security_policies_test.c b/tests/unit/s2n_security_policies_test.c index 6f3e2b27ced..4a245e003d6 100644 --- a/tests/unit/s2n_security_policies_test.c +++ b/tests/unit/s2n_security_policies_test.c @@ -567,7 +567,9 @@ int main(int argc, char **argv) } /* Test that security policies have valid chacha20 boosting configurations when chacha20 is available */ - if (s2n_chacha20_poly1305.is_available()) { + bool cipher_available = false; + EXPECT_OK(s2n_chacha20_poly1305.is_available(&cipher_available)); + if (cipher_available) { for (size_t i = 0; security_policy_selection[i].version != NULL; i++) { const struct s2n_security_policy *sec_policy = security_policy_selection[i].security_policy; EXPECT_NOT_NULL(sec_policy); diff --git a/tests/unit/s2n_sslv3_test.c b/tests/unit/s2n_sslv3_test.c index 58b194ac83e..3bb6020b98c 100644 --- a/tests/unit/s2n_sslv3_test.c +++ b/tests/unit/s2n_sslv3_test.c 
@@ -85,7 +85,9 @@ int main(int argc, char **argv) } /* Skip unsupported record algorithms. */ - if (!cipher_suite->sslv3_record_alg->cipher->is_available()) { + bool cipher_available = false; + EXPECT_OK(cipher_suite->sslv3_record_alg->cipher->is_available(&cipher_available)); + if (!cipher_available) { continue; } supported_record_alg_count += 1; diff --git a/tls/s2n_cipher_suites.c b/tls/s2n_cipher_suites.c index 4c32e680147..548988cb31d 100644 --- a/tls/s2n_cipher_suites.c +++ b/tls/s2n_cipher_suites.c @@ -1021,7 +1021,8 @@ int s2n_cipher_suites_init(void) /* Can we use the record algorithm's cipher? Won't be available if the system CPU architecture * doesn't support it or if the libcrypto lacks the feature. All hmac_algs are supported. */ - if (cur_suite->all_record_algs[j]->cipher->is_available()) { + bool cipher_available = false; + if (s2n_result_is_ok(cur_suite->all_record_algs[j]->cipher->is_available(&cipher_available)) && cipher_available) { /* Found a supported record algorithm. Use it. */ cur_suite->available = 1; cur_suite->record_alg = cur_suite->all_record_algs[j]; @@ -1036,7 +1037,8 @@ int s2n_cipher_suites_init(void) } /* Initialize SSLv3 cipher suite if SSLv3 utilizes a different record algorithm */ - if (cur_suite->sslv3_record_alg && cur_suite->sslv3_record_alg->cipher->is_available()) { + bool cipher_available = false; + if (cur_suite->sslv3_record_alg && s2n_result_is_ok(cur_suite->sslv3_record_alg->cipher->is_available(&cipher_available)) && cipher_available) { struct s2n_blob cur_suite_mem = { 0 }; POSIX_GUARD(s2n_blob_init(&cur_suite_mem, (uint8_t *) cur_suite, sizeof(struct s2n_cipher_suite))); struct s2n_blob new_suite_mem = { 0 }; From 68633b88e0d7a6b49730409859f7c939dfafdd17 Mon Sep 17 00:00:00 2001 From: Jou Ho Date: Tue, 25 Jun 2024 23:35:44 +0000 Subject: [PATCH 3/7] remove extra semicolon --- crypto/s2n_stream_cipher_rc4.c | 1 - 1 file changed, 1 deletion(-) 
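Review bot: In `s2n_cipher_suites_init` the new condition `s2n_result_is_ok(...->cipher->is_available(&cipher_available)) && cipher_available` folds a failed availability check into "cipher not available", so an error is dropped silently and initialisation carries on with that record algorithm skipped. Failing closed is the safer direction, but it means a suite can disappear from negotiation with no diagnostic. Since this function already returns errors through `POSIX_GUARD`, I would propagate instead: `POSIX_GUARD_RESULT(cur_suite->all_record_algs[j]->cipher->is_available(&cipher_available));` followed by `if (cipher_available) {`. The SSLv3 hunk at -1036 has the same shape and would need the guard placed inside a `cur_suite->sslv3_record_alg` null check. The function body continues outside both hunks.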
diff --git a/crypto/s2n_stream_cipher_rc4.c b/crypto/s2n_stream_cipher_rc4.c index f74cc24d556..934b4c7bd15 100644 --- a/crypto/s2n_stream_cipher_rc4.c +++ b/crypto/s2n_stream_cipher_rc4.c @@ -49,7 +49,6 @@ static S2N_RESULT s2n_stream_cipher_rc4_available(bool *available) } *available = (s2n_evp_rc4() ? 1 : 0); - ; return S2N_RESULT_OK; } From efb5a5a891c63d3fbe189df820f0694e3f67c1db Mon Sep 17 00:00:00 2001 From: Jou Ho Date: Mon, 1 Jul 2024 19:18:49 +0000 Subject: [PATCH 4/7] change return type to bool --- crypto/s2n_aead_cipher_aes_gcm.c | 20 +++++--------- crypto/s2n_aead_cipher_chacha20_poly1305.c | 9 +++---- crypto/s2n_cbc_cipher_3des.c | 8 ++---- crypto/s2n_cbc_cipher_aes.c | 16 +++-------- crypto/s2n_cipher.h | 2 +- crypto/s2n_composite_cipher_aes_sha.c | 28 ++++++-------------- crypto/s2n_stream_cipher_null.c | 8 ++---- crypto/s2n_stream_cipher_rc4.c | 14 +++------- tests/unit/s2n_aead_chacha20_poly1305_test.c | 4 +-- tests/unit/s2n_aes_sha_composite_test.c | 18 +++---------- tests/unit/s2n_cbc_test.c | 4 +-- tests/unit/s2n_cipher_suite_match_test.c | 12 +++------ tests/unit/s2n_rc4_test.c | 12 +++------ tests/unit/s2n_record_size_test.c | 14 +++------- tests/unit/s2n_security_policies_test.c | 4 +-- tests/unit/s2n_sslv3_test.c | 4 +-- tls/s2n_cipher_suites.c | 6 ++--- 17 files changed, 49 insertions(+), 134 deletions(-) diff --git a/crypto/s2n_aead_cipher_aes_gcm.c b/crypto/s2n_aead_cipher_aes_gcm.c index eb38c3f6b20..2f9f93a4dfb 100644 --- a/crypto/s2n_aead_cipher_aes_gcm.c +++ b/crypto/s2n_aead_cipher_aes_gcm.c 
@@ -26,30 +26,22 @@ #define S2N_AEAD_AES_GCM_AVAILABLE #endif -static S2N_RESULT s2n_aead_cipher_aes128_gcm_available(bool *available) +static bool s2n_aead_cipher_aes128_gcm_available(void) { - RESULT_ENSURE_REF(available); - #if defined(S2N_AEAD_AES_GCM_AVAILABLE) - *available = (EVP_aead_aes_128_gcm() ? 1 : 0); + return (EVP_aead_aes_128_gcm() ? true : false); #else - *available = (EVP_aes_128_gcm() ? 1 : 0); + return (EVP_aes_128_gcm() ? true : false); #endif - - return S2N_RESULT_OK; } -static S2N_RESULT s2n_aead_cipher_aes256_gcm_available(bool *available) +static bool s2n_aead_cipher_aes256_gcm_available(void) { - RESULT_ENSURE_REF(available); - #if defined(S2N_AEAD_AES_GCM_AVAILABLE) - *available = (EVP_aead_aes_256_gcm() ? 1 : 0); + return (EVP_aead_aes_256_gcm() ? true : false); #else - *available = (EVP_aes_256_gcm() ? 1 : 0); + return (EVP_aes_256_gcm() ? true : false); #endif - - return S2N_RESULT_OK; } #if defined(S2N_AEAD_AES_GCM_AVAILABLE) /* BoringSSL and AWS-LC AEAD API implementation */ diff --git a/crypto/s2n_aead_cipher_chacha20_poly1305.c b/crypto/s2n_aead_cipher_chacha20_poly1305.c index 041895d8257..8927b9a6cf3 100644 --- a/crypto/s2n_aead_cipher_chacha20_poly1305.c +++ b/crypto/s2n_aead_cipher_chacha20_poly1305.c @@ -34,16 +34,13 @@ #define S2N_CHACHA20_POLY1305_AVAILABLE_OSSL #endif -static S2N_RESULT s2n_aead_chacha20_poly1305_available(bool *available) +static bool s2n_aead_chacha20_poly1305_available(void) { - RESULT_ENSURE_REF(available); - #if defined(S2N_CHACHA20_POLY1305_AVAILABLE_OSSL) || defined(S2N_CHACHA20_POLY1305_AVAILABLE_BSSL_AWSLC) - *available = 1; + return true; #else - *available = 0; + return false; #endif - return S2N_RESULT_OK; } #if defined(S2N_CHACHA20_POLY1305_AVAILABLE_OSSL) /* OpenSSL implementation */ diff --git a/crypto/s2n_cbc_cipher_3des.c b/crypto/s2n_cbc_cipher_3des.c index 52401ae3b81..4f84417b12b 100644 --- a/crypto/s2n_cbc_cipher_3des.c +++ b/crypto/s2n_cbc_cipher_3des.c 
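Review bot: The rewritten returns in `s2n_aead_cipher_aes128_gcm_available` and `s2n_aead_cipher_aes256_gcm_available` use `? true : false`, which is a redundant ternary now that the functions return `bool`. `return EVP_aead_aes_128_gcm() != NULL;` (and the `EVP_aes_*_gcm()` equivalents in the `#else` branches) states the pointer test directly. The same form recurs in the 3DES, AES-CBC, composite AES-SHA and RC4 hunks of this patch, where for example `return !s2n_is_in_fips_mode() && s2n_evp_aes_128_cbc_hmac_sha1() != NULL;` would do.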
@@ -21,13 +21,9 @@ #include "utils/s2n_blob.h" #include "utils/s2n_safety.h" -static S2N_RESULT s2n_cbc_cipher_3des_available(bool *available) +static bool s2n_cbc_cipher_3des_available(void) { - RESULT_ENSURE_REF(available); - - *available = (EVP_des_ede3_cbc() ? 1 : 0); - - return S2N_RESULT_OK; + return (EVP_des_ede3_cbc() ? true : false); } static int s2n_cbc_cipher_3des_encrypt(struct s2n_session_key *key, struct s2n_blob *iv, struct s2n_blob *in, struct s2n_blob *out) diff --git a/crypto/s2n_cbc_cipher_aes.c b/crypto/s2n_cbc_cipher_aes.c index 89f1b96dffa..402e8a780c7 100644 --- a/crypto/s2n_cbc_cipher_aes.c +++ b/crypto/s2n_cbc_cipher_aes.c @@ -21,22 +21,14 @@ #include "utils/s2n_blob.h" #include "utils/s2n_safety.h" -static S2N_RESULT s2n_cbc_cipher_aes128_available(bool *available) +static bool s2n_cbc_cipher_aes128_available(void) { - RESULT_ENSURE_REF(available); - - *available = (EVP_aes_128_cbc() ? 1 : 0); - - return S2N_RESULT_OK; + return (EVP_aes_128_cbc() ? true : false); } -static S2N_RESULT s2n_cbc_cipher_aes256_available(bool *available) +static bool s2n_cbc_cipher_aes256_available(void) { - RESULT_ENSURE_REF(available); - - *available = (EVP_aes_256_cbc() ? 1 : 0); - - return S2N_RESULT_OK; + return (EVP_aes_256_cbc() ? true : false); } static int s2n_cbc_cipher_aes_encrypt(struct s2n_session_key *key, struct s2n_blob *iv, struct s2n_blob *in, struct s2n_blob *out) diff --git a/crypto/s2n_cipher.h b/crypto/s2n_cipher.h index 2405ad950bb..fb138db2428 100644 --- a/crypto/s2n_cipher.h +++ b/crypto/s2n_cipher.h @@ -82,7 +82,7 @@ struct s2n_cipher { struct s2n_composite_cipher comp; } io; uint8_t key_material_size; - S2N_RESULT (*is_available)(bool *available); + bool (*is_available)(void); int (*init)(struct s2n_session_key *key); int (*set_decryption_key)(struct s2n_session_key *key, struct s2n_blob *in); int (*set_encryption_key)(struct s2n_session_key *key, struct s2n_blob *in); 
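Review bot: The `is_available` member of `struct s2n_cipher`, now `bool (*is_available)(void)`, still carries no comment saying what a `false` result means. Judging by the implementations in this series it covers both "the libcrypto does not provide the cipher" and "the cipher is refused by policy" (the composite and RC4 functions return false in FIPS mode), and there is no longer any error path. A one-line comment such as `/* Returns true if the cipher can be used: provided by the libcrypto and not excluded in FIPS mode. Cannot fail. */` would keep callers from treating it as a pure capability probe. The struct definition starts and ends outside the hunk.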
diff --git a/crypto/s2n_composite_cipher_aes_sha.c b/crypto/s2n_composite_cipher_aes_sha.c index 53e065039f9..591c92f506f 100644 --- a/crypto/s2n_composite_cipher_aes_sha.c +++ b/crypto/s2n_composite_cipher_aes_sha.c @@ -86,7 +86,7 @@ static const EVP_CIPHER *s2n_evp_aes_256_cbc_hmac_sha256(void) #endif } -static S2N_RESULT s2n_composite_cipher_aes128_sha_available(bool *available) +static bool s2n_composite_cipher_aes128_sha_available(void) { /* EVP_aes_128_cbc_hmac_sha1() returns NULL if the implementations aren't available. * See https://github.com/openssl/openssl/blob/master/crypto/evp/e_aes_cbc_hmac_sha1.c#L952 
@@ -95,50 +95,38 @@ static S2N_RESULT s2n_composite_cipher_aes128_sha_available(bool *available) * EVP_CIPH_FLAG_FIPS OpenSSL flag to be set for use when in FIPS mode, and composite * ciphers cause OpenSSL errors due to the lack of the flag. */ - RESULT_ENSURE_REF(available); - *available = (!s2n_is_in_fips_mode() && s2n_evp_aes_128_cbc_hmac_sha1() ? 1 : 0); - - return S2N_RESULT_OK; + return (!s2n_is_in_fips_mode() && s2n_evp_aes_128_cbc_hmac_sha1() ? true : false); } -static S2N_RESULT s2n_composite_cipher_aes256_sha_available(bool *available) +static bool s2n_composite_cipher_aes256_sha_available(void) { /* Composite ciphers cannot be used when FIPS mode is set. Ciphers require the * EVP_CIPH_FLAG_FIPS OpenSSL flag to be set for use when in FIPS mode, and composite * ciphers cause OpenSSL errors due to the lack of the flag. */ - RESULT_ENSURE_REF(available); - - *available = (!s2n_is_in_fips_mode() && s2n_evp_aes_256_cbc_hmac_sha1() ? 1 : 0); - return S2N_RESULT_OK; + return (!s2n_is_in_fips_mode() && s2n_evp_aes_256_cbc_hmac_sha1() ? true : false); } -static S2N_RESULT s2n_composite_cipher_aes128_sha256_available(bool *available) +static bool s2n_composite_cipher_aes128_sha256_available(void) { /* Composite ciphers cannot be used when FIPS mode is set. Ciphers require the * EVP_CIPH_FLAG_FIPS OpenSSL flag to be set for use when in FIPS mode, and composite * ciphers cause OpenSSL errors due to the lack of the flag. */ - RESULT_ENSURE_REF(available); - *available = (!s2n_is_in_fips_mode() && s2n_evp_aes_128_cbc_hmac_sha256() ? 1 : 0); - - return S2N_RESULT_OK; + return (!s2n_is_in_fips_mode() && s2n_evp_aes_128_cbc_hmac_sha256() ? true : false); } -static S2N_RESULT s2n_composite_cipher_aes256_sha256_available(bool *available) +static bool s2n_composite_cipher_aes256_sha256_available(void) { /* Composite ciphers cannot be used when FIPS mode is set. 
Ciphers require the * EVP_CIPH_FLAG_FIPS OpenSSL flag to be set for use when in FIPS mode, and composite * ciphers cause OpenSSL errors due to the lack of the flag. */ - RESULT_ENSURE_REF(available); - - *available = (!s2n_is_in_fips_mode() && s2n_evp_aes_256_cbc_hmac_sha256() ? 1 : 0); - return S2N_RESULT_OK; + return (!s2n_is_in_fips_mode() && s2n_evp_aes_256_cbc_hmac_sha256() ? true : false); } static int s2n_composite_cipher_aes_sha_initial_hmac(struct s2n_session_key *key, uint8_t *sequence_number, uint8_t content_type, diff --git a/crypto/s2n_stream_cipher_null.c b/crypto/s2n_stream_cipher_null.c index 1590c17c19e..d9a128cd643 100644 --- a/crypto/s2n_stream_cipher_null.c +++ b/crypto/s2n_stream_cipher_null.c @@ -18,13 +18,9 @@ #include "utils/s2n_blob.h" #include "utils/s2n_safety.h" -static S2N_RESULT s2n_stream_cipher_null_available(bool *available) +static bool s2n_stream_cipher_null_available(void) { - RESULT_ENSURE_REF(available); - - *available = 1; - - return S2N_RESULT_OK; + return true; } static int s2n_stream_cipher_null_endecrypt(struct s2n_session_key *key, struct s2n_blob *in, struct s2n_blob *out) diff --git a/crypto/s2n_stream_cipher_rc4.c b/crypto/s2n_stream_cipher_rc4.c index 934b4c7bd15..35c7b21b0c9 100644 --- a/crypto/s2n_stream_cipher_rc4.c +++ b/crypto/s2n_stream_cipher_rc4.c @@ -30,13 +30,10 @@ static const EVP_CIPHER *s2n_evp_rc4() #endif } -static S2N_RESULT s2n_stream_cipher_rc4_available(bool *available) +static bool s2n_stream_cipher_rc4_available(void) { - RESULT_ENSURE_REF(available); - if (s2n_is_in_fips_mode()) { - *available = 0; - return S2N_RESULT_OK; + return false; } /* RC4 MIGHT be available in Openssl-3.0, depending on whether or not the 
@@ -44,13 +41,10 @@ static S2N_RESULT s2n_stream_cipher_rc4_available(bool *available) * is unavailable. */ if (S2N_OPENSSL_VERSION_AT_LEAST(3, 0, 0)) { - *available = 0; - return S2N_RESULT_OK; + return false; } - *available = (s2n_evp_rc4() ? 1 : 0); - - return S2N_RESULT_OK; + return (s2n_evp_rc4() ? true : false); } static int s2n_stream_cipher_rc4_encrypt(struct s2n_session_key *key, struct s2n_blob *in, struct s2n_blob *out) diff --git a/tests/unit/s2n_aead_chacha20_poly1305_test.c b/tests/unit/s2n_aead_chacha20_poly1305_test.c index c9500eb5c8f..5f4aaf667cc 100644 --- a/tests/unit/s2n_aead_chacha20_poly1305_test.c +++ b/tests/unit/s2n_aead_chacha20_poly1305_test.c @@ -60,9 +60,7 @@ int main(int argc, char **argv) EXPECT_SUCCESS(s2n_disable_tls13_in_test()); /* Skip test if librcrypto doesn't support the cipher */ - bool is_chacha20_poly1305_available = false; - EXPECT_OK(s2n_chacha20_poly1305.is_available(&is_chacha20_poly1305_available)); - if (!is_chacha20_poly1305_available) { + if (!s2n_chacha20_poly1305.is_available()) { END_TEST(); } diff --git a/tests/unit/s2n_aes_sha_composite_test.c b/tests/unit/s2n_aes_sha_composite_test.c index 0862d6e8819..a8b8d5b6aaf 100644 --- a/tests/unit/s2n_aes_sha_composite_test.c +++ b/tests/unit/s2n_aes_sha_composite_test.c 
@@ -66,20 +66,10 @@ int main(int argc, char **argv) EXPECT_SUCCESS(s2n_disable_tls13_in_test()); /* Skip test if we can't use the ciphers */ - bool is_aes128_sha_available = false; - bool is_aes256_sha_available = false; - bool is_aes128_sha256_available = false; - bool is_aes256_sha256_available = false; - - EXPECT_OK(s2n_aes128_sha.is_available(&is_aes128_sha_available)); - EXPECT_OK(s2n_aes256_sha.is_available(&is_aes256_sha_available)); - EXPECT_OK(s2n_aes128_sha256.is_available(&is_aes128_sha256_available)); - EXPECT_OK(s2n_aes256_sha256.is_available(&is_aes256_sha256_available)); - - if (!is_aes128_sha_available - || !is_aes256_sha_available - || !is_aes128_sha256_available - || !is_aes256_sha256_available) { + if (!s2n_aes128_sha.is_available() + || !s2n_aes256_sha.is_available() + || !s2n_aes128_sha256.is_available() + || !s2n_aes256_sha256.is_available()) { END_TEST(); } diff --git a/tests/unit/s2n_cbc_test.c b/tests/unit/s2n_cbc_test.c index ed60655b8dd..31f8a174851 100644 --- a/tests/unit/s2n_cbc_test.c +++ b/tests/unit/s2n_cbc_test.c @@ -57,9 +57,7 @@ int main(int argc, char **argv) } /* Skip unsupported ciphers. */ - bool is_cipher_available = false; - EXPECT_OK(test_cipher_suite.record_alg->cipher->is_available(&is_cipher_available)); - if (!is_cipher_available) { + if (!test_cipher_suite.record_alg->cipher->is_available()) { continue; } diff --git a/tests/unit/s2n_cipher_suite_match_test.c b/tests/unit/s2n_cipher_suite_match_test.c index cc6bcb5dc5f..ff05d7de578 100644 --- a/tests/unit/s2n_cipher_suite_match_test.c +++ b/tests/unit/s2n_cipher_suite_match_test.c 
@@ -684,9 +684,7 @@ int main(int argc, char **argv) conn->actual_protocol_version = S2N_TLS13; conn->server_protocol_version = S2N_TLS13; - bool is_chacha20_poly1305_available = false; - EXPECT_OK(s2n_chacha20_poly1305.is_available(&is_chacha20_poly1305_available)); - if (is_chacha20_poly1305_available) { + if (s2n_chacha20_poly1305.is_available()) { EXPECT_SUCCESS(s2n_set_cipher_as_tls_server(conn, wire_ciphers2, count)); EXPECT_EQUAL(conn->secure->cipher_suite, &s2n_tls13_chacha20_poly1305_sha256); } else { @@ -912,9 +910,7 @@ int main(int argc, char **argv) EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, ecdsa_cert)); EXPECT_SUCCESS(s2n_config_set_cipher_preferences(server_config, "test_all")); - bool is_chacha20_poly1305_available = false; - EXPECT_OK(s2n_chacha20_poly1305.is_available(&is_chacha20_poly1305_available)); - if (is_chacha20_poly1305_available) { + if (s2n_chacha20_poly1305.is_available()) { /* Test chacha20 boosting when ciphersuites fail auth validation */ { DEFER_CLEANUP(struct s2n_connection *connection = s2n_connection_new(S2N_SERVER), s2n_connection_ptr_free); @@ -1376,9 +1372,7 @@ int main(int argc, char **argv) }; } - is_chacha20_poly1305_available = false; - EXPECT_OK(s2n_chacha20_poly1305.is_available(&is_chacha20_poly1305_available)); - if (!is_chacha20_poly1305_available) { + if (!s2n_chacha20_poly1305.is_available()) { /* Chacha20 can't be negotiated when it's not available in libcrypto */ DEFER_CLEANUP(struct s2n_connection *connection = s2n_connection_new(S2N_SERVER), s2n_connection_ptr_free); EXPECT_NOT_NULL(connection); diff --git a/tests/unit/s2n_rc4_test.c b/tests/unit/s2n_rc4_test.c index eaa3921639a..a1d42238ab9 100644 --- a/tests/unit/s2n_rc4_test.c +++ b/tests/unit/s2n_rc4_test.c 
@@ -35,16 +35,12 @@ int main(int argc, char **argv) /* Test Openssl-3.0 does not support RC4 */ if (S2N_OPENSSL_VERSION_AT_LEAST(3, 0, 0)) { - bool is_rc4_available = false; - EXPECT_OK(s2n_rc4.is_available(&is_rc4_available)); - EXPECT_FALSE(is_rc4_available); + EXPECT_FALSE(s2n_rc4.is_available()); } /* Test FIPS does not support RC4 */ if (s2n_is_in_fips_mode()) { - bool is_rc4_available = false; - EXPECT_OK(s2n_rc4.is_available(&is_rc4_available)); - EXPECT_FALSE(is_rc4_available); + EXPECT_FALSE(s2n_rc4.is_available()); } struct s2n_connection *conn = NULL; @@ -74,9 +70,7 @@ int main(int argc, char **argv) conn->secure->cipher_suite->record_alg = &s2n_record_alg_rc4_sha; EXPECT_SUCCESS(conn->secure->cipher_suite->record_alg->cipher->init(&conn->secure->server_key)); EXPECT_SUCCESS(conn->secure->cipher_suite->record_alg->cipher->init(&conn->secure->client_key)); - bool cipher_available = false; - EXPECT_OK(conn->secure->cipher_suite->record_alg->cipher->is_available(&cipher_available)); - if (cipher_available) { + if (conn->secure->cipher_suite->record_alg->cipher->is_available()) { EXPECT_SUCCESS(conn->secure->cipher_suite->record_alg->cipher->set_decryption_key(&conn->secure->client_key, &key_iv)); EXPECT_SUCCESS(conn->secure->cipher_suite->record_alg->cipher->set_encryption_key(&conn->secure->server_key, &key_iv)); EXPECT_SUCCESS(s2n_hmac_init(&conn->secure->client_record_mac, S2N_HMAC_SHA1, mac_key, sizeof(mac_key))); diff --git a/tests/unit/s2n_record_size_test.c b/tests/unit/s2n_record_size_test.c index 1f9b9f8dd1f..cd144809cd7 100644 --- a/tests/unit/s2n_record_size_test.c +++ b/tests/unit/s2n_record_size_test.c @@ -315,9 +315,7 @@ int main(int argc, char **argv) }; /* chacha20 */ - bool cipher_available = false; - EXPECT_OK(s2n_chacha20_poly1305.is_available(&cipher_available)); - if (cipher_available) { + if (s2n_chacha20_poly1305.is_available()) { EXPECT_SUCCESS(destroy_server_keys(server_conn)); EXPECT_SUCCESS(s2n_connection_wipe(server_conn)); 
@@ -340,9 +338,7 @@ int main(int argc, char **argv) } /* TLS1.3 chacha20 */ - cipher_available = false; - EXPECT_OK(s2n_chacha20_poly1305.is_available(&cipher_available)); - if (cipher_available) { + if (s2n_chacha20_poly1305.is_available()) { EXPECT_SUCCESS(destroy_server_keys(server_conn)); EXPECT_SUCCESS(s2n_connection_wipe(server_conn)); @@ -366,11 +362,7 @@ int main(int argc, char **argv) } /* composite */ - bool aes128_sha_available = false; - bool aes128_sha256_available = false; - EXPECT_OK(s2n_aes128_sha.is_available(&aes128_sha_available)); - EXPECT_OK(s2n_aes128_sha256.is_available(&aes128_sha256_available)); - if (aes128_sha_available && aes128_sha256_available) { + if (s2n_aes128_sha.is_available() && s2n_aes128_sha256.is_available()) { EXPECT_SUCCESS(destroy_server_keys(server_conn)); EXPECT_SUCCESS(s2n_connection_wipe(server_conn)); EXPECT_SUCCESS(s2n_stuffer_wipe(&server_conn->out)); diff --git a/tests/unit/s2n_security_policies_test.c b/tests/unit/s2n_security_policies_test.c index 4a245e003d6..6f3e2b27ced 100644 --- a/tests/unit/s2n_security_policies_test.c +++ b/tests/unit/s2n_security_policies_test.c @@ -567,9 +567,7 @@ int main(int argc, char **argv) } /* Test that security policies have valid chacha20 boosting configurations when chacha20 is available */ - bool cipher_available = false; - EXPECT_OK(s2n_chacha20_poly1305.is_available(&cipher_available)); - if (cipher_available) { + if (s2n_chacha20_poly1305.is_available()) { for (size_t i = 0; security_policy_selection[i].version != NULL; i++) { const struct s2n_security_policy *sec_policy = security_policy_selection[i].security_policy; EXPECT_NOT_NULL(sec_policy); diff --git a/tests/unit/s2n_sslv3_test.c b/tests/unit/s2n_sslv3_test.c index 3bb6020b98c..58b194ac83e 100644 --- a/tests/unit/s2n_sslv3_test.c +++ b/tests/unit/s2n_sslv3_test.c 
@@ -85,9 +85,7 @@ int main(int argc, char **argv) } /* Skip unsupported record algorithms. */ - bool cipher_available = false; - EXPECT_OK(cipher_suite->sslv3_record_alg->cipher->is_available(&cipher_available)); - if (!cipher_available) { + if (!cipher_suite->sslv3_record_alg->cipher->is_available()) { continue; } supported_record_alg_count += 1; diff --git a/tls/s2n_cipher_suites.c b/tls/s2n_cipher_suites.c index 548988cb31d..4c32e680147 100644 --- a/tls/s2n_cipher_suites.c +++ b/tls/s2n_cipher_suites.c @@ -1021,8 +1021,7 @@ int s2n_cipher_suites_init(void) /* Can we use the record algorithm's cipher? Won't be available if the system CPU architecture * doesn't support it or if the libcrypto lacks the feature. All hmac_algs are supported. */ - bool cipher_available = false; - if (s2n_result_is_ok(cur_suite->all_record_algs[j]->cipher->is_available(&cipher_available)) && cipher_available) { + if (cur_suite->all_record_algs[j]->cipher->is_available()) { /* Found a supported record algorithm. Use it. */ cur_suite->available = 1; cur_suite->record_alg = cur_suite->all_record_algs[j]; @@ -1037,8 +1036,7 @@ int s2n_cipher_suites_init(void) } /* Initialize SSLv3 cipher suite if SSLv3 utilizes a different record algorithm */ - bool cipher_available = false; - if (cur_suite->sslv3_record_alg && s2n_result_is_ok(cur_suite->sslv3_record_alg->cipher->is_available(&cipher_available)) && cipher_available) { + if (cur_suite->sslv3_record_alg && cur_suite->sslv3_record_alg->cipher->is_available()) { struct s2n_blob cur_suite_mem = { 0 }; POSIX_GUARD(s2n_blob_init(&cur_suite_mem, (uint8_t *) cur_suite, sizeof(struct s2n_cipher_suite))); struct s2n_blob new_suite_mem = { 0 }; From 27eb90e2515b7ba30d44b159c59061b899fb97f8 Mon Sep 17 00:00:00 2001 From: Jou Ho Date: Mon, 1 Jul 2024 19:21:51 +0000 Subject: [PATCH 5/7] remove extra spaces --- crypto/s2n_composite_cipher_aes_sha.c | 4 ---- crypto/s2n_stream_cipher_rc4.c | 2 -- 2 files changed, 6 deletions(-) 
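Review bot: The comment above the simplified `is_available()` check in `s2n_cipher_suites_init` (hunk at -1021) names only CPU architecture and libcrypto support as reasons a cipher is unavailable. The probes changed in this patch also return false when `s2n_is_in_fips_mode()` is true (RC4 and the composite AES-SHA ciphers) and, for RC4, whenever the build is against OpenSSL 3.0 or later. I would extend the comment with something like `Also reported unavailable: RC4 and the composite ciphers in FIPS mode, and RC4 on OpenSSL 3.0+.`, so that someone auditing which suites can be enabled does not have to open each probe. The function body starts and ends outside the hunk.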
diff --git a/crypto/s2n_composite_cipher_aes_sha.c b/crypto/s2n_composite_cipher_aes_sha.c index 591c92f506f..a3cb3d0b673 100644 --- a/crypto/s2n_composite_cipher_aes_sha.c +++ b/crypto/s2n_composite_cipher_aes_sha.c @@ -95,7 +95,6 @@ static bool s2n_composite_cipher_aes128_sha_available(void) * EVP_CIPH_FLAG_FIPS OpenSSL flag to be set for use when in FIPS mode, and composite * ciphers cause OpenSSL errors due to the lack of the flag. */ - return (!s2n_is_in_fips_mode() && s2n_evp_aes_128_cbc_hmac_sha1() ? true : false); } @@ -105,7 +104,6 @@ static bool s2n_composite_cipher_aes256_sha_available(void) * EVP_CIPH_FLAG_FIPS OpenSSL flag to be set for use when in FIPS mode, and composite * ciphers cause OpenSSL errors due to the lack of the flag. */ - return (!s2n_is_in_fips_mode() && s2n_evp_aes_256_cbc_hmac_sha1() ? true : false); } @@ -115,7 +113,6 @@ static bool s2n_composite_cipher_aes128_sha256_available(void) * EVP_CIPH_FLAG_FIPS OpenSSL flag to be set for use when in FIPS mode, and composite * ciphers cause OpenSSL errors due to the lack of the flag. */ - return (!s2n_is_in_fips_mode() && s2n_evp_aes_128_cbc_hmac_sha256() ? true : false); } @@ -125,7 +122,6 @@ static bool s2n_composite_cipher_aes256_sha256_available(void) * EVP_CIPH_FLAG_FIPS OpenSSL flag to be set for use when in FIPS mode, and composite * ciphers cause OpenSSL errors due to the lack of the flag. */ - return (!s2n_is_in_fips_mode() && s2n_evp_aes_256_cbc_hmac_sha256() ? true : false); } diff --git a/crypto/s2n_stream_cipher_rc4.c b/crypto/s2n_stream_cipher_rc4.c index 35c7b21b0c9..124458ee1be 100644 --- a/crypto/s2n_stream_cipher_rc4.c +++ b/crypto/s2n_stream_cipher_rc4.c @@ -35,7 +35,6 @@ static bool s2n_stream_cipher_rc4_available(void) if (s2n_is_in_fips_mode()) { return false; } - /* RC4 MIGHT be available in Openssl-3.0, depending on whether or not the * "legacy" provider is loaded. However, for simplicity, assume that RC4 * is unavailable. 
@@ -43,7 +42,6 @@ static bool s2n_stream_cipher_rc4_available(void) if (S2N_OPENSSL_VERSION_AT_LEAST(3, 0, 0)) { return false; } - return (s2n_evp_rc4() ? true : false); } From d1db70eb5c2b59ce4c98096f2ccd5085c5ede1bf Mon Sep 17 00:00:00 2001 From: Jou Ho Date: Wed, 10 Jul 2024 17:45:07 +0000 Subject: [PATCH 6/7] resolve merge conflict --- crypto/s2n_aead_cipher_aes_gcm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/s2n_aead_cipher_aes_gcm.c b/crypto/s2n_aead_cipher_aes_gcm.c index 2f9f93a4dfb..44bdeff762c 100644 --- a/crypto/s2n_aead_cipher_aes_gcm.c +++ b/crypto/s2n_aead_cipher_aes_gcm.c @@ -28,7 +28,7 @@ static bool s2n_aead_cipher_aes128_gcm_available(void) { -#if defined(S2N_AEAD_AES_GCM_AVAILABLE) +#if defined(S2N_LIBCRYPTO_SUPPORTS_EVP_AEAD_TLS) return (EVP_aead_aes_128_gcm() ? true : false); #else return (EVP_aes_128_gcm() ? true : false); @@ -37,7 +37,7 @@ static bool s2n_aead_cipher_aes128_gcm_available(void) static bool s2n_aead_cipher_aes256_gcm_available(void) { -#if defined(S2N_AEAD_AES_GCM_AVAILABLE) +#if defined(S2N_LIBCRYPTO_SUPPORTS_EVP_AEAD_TLS) return (EVP_aead_aes_256_gcm() ? true : false); #else return (EVP_aes_256_gcm() ? true : false); From 2bbdc0ceb7b80a6bbdd7b659dae43967f22df0c6 Mon Sep 17 00:00:00 2001 From: Jou Ho Date: Wed, 10 Jul 2024 17:55:08 +0000 Subject: [PATCH 7/7] apply clang format --- crypto/s2n_aead_cipher_aes_gcm.c | 1 - 1 file changed, 1 deletion(-) diff --git a/crypto/s2n_aead_cipher_aes_gcm.c b/crypto/s2n_aead_cipher_aes_gcm.c index fecbecfa4eb..58ec7c2af54 100644 --- a/crypto/s2n_aead_cipher_aes_gcm.c +++ b/crypto/s2n_aead_cipher_aes_gcm.c @@ -22,7 +22,6 @@ #include "utils/s2n_blob.h" #include "utils/s2n_safety.h" - static bool s2n_aead_cipher_aes128_gcm_available(void) { #if defined(S2N_LIBCRYPTO_SUPPORTS_EVP_AEAD_TLS)
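Review bot: Both AES-GCM availability probes now test `S2N_LIBCRYPTO_SUPPORTS_EVP_AEAD_TLS` instead of `S2N_AEAD_AES_GCM_AVAILABLE` (the hunk at -28 and the one at -37 for `s2n_aead_cipher_aes256_gcm_available`). Nothing in these hunks shows that the `#if` selecting the encrypt/decrypt implementation further down the file was switched to the same macro. If the two guards ever differ, the probe could report availability from `EVP_aead_aes_128_gcm()` while the compiled record path is the `EVP_aes_128_gcm()` one, or the reverse. It is worth confirming that every guard in the file uses the new macro, and a short comment at the probe such as `/* Must match the guard that selects the AEAD implementation below. */` would keep them in step. Both function bodies end outside their hunks.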