feat: add TLS1.3 support to "default" and "default_fips" policies #4916

wants to merge 7 commits into
base: main
18 changes: 12 additions & 6 deletions tests/unit/s2n_config_test.c
Expand Up @@ -27,6 +27,7 @@
#include "tls/s2n_internal.h"
#include "tls/s2n_record.h"
#include "tls/s2n_security_policies.h"
#include "tls/s2n_tls.h"
#include "tls/s2n_tls13.h"
#include "unstable/npn.h"
#include "utils/s2n_map.h"
Expand Down Expand Up @@ -69,8 +70,7 @@ int main(int argc, char **argv)

const s2n_mode modes[] = { S2N_CLIENT, S2N_SERVER };

const struct s2n_security_policy *default_security_policy = NULL, *tls13_security_policy = NULL, *fips_security_policy = NULL;
EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_tls13", &tls13_security_policy));
const struct s2n_security_policy *default_security_policy = NULL, *fips_security_policy = NULL;
EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_fips", &fips_security_policy));
EXPECT_SUCCESS(s2n_find_security_policy_from_version("default", &default_security_policy));

Expand All @@ -94,9 +94,13 @@ int main(int argc, char **argv)
/* Calling s2n_fetch_default_config() repeatedly returns the same object */
EXPECT_EQUAL(default_config, s2n_fetch_default_config());

/* TLS1.3 default does not match non-TLS1.3 default */
/* TLS1.3 default matches non-TLS1.3 default
*
* `s2n_enable_tls13_in_test` and `s2n_disable_tls13_in_test` control protocol via the use
* of `s2n_highest_protocol_version`.
*/
EXPECT_SUCCESS(s2n_enable_tls13_in_test());
EXPECT_NOT_EQUAL(default_config, s2n_fetch_default_config());
EXPECT_EQUAL(default_config, s2n_fetch_default_config());
EXPECT_SUCCESS(s2n_disable_tls13_in_test());

EXPECT_SUCCESS(s2n_config_free(config));
Expand All @@ -114,6 +118,7 @@ int main(int argc, char **argv)

EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
EXPECT_EQUAL(security_policy, default_security_policy);
EXPECT_EQUAL(s2n_highest_protocol_version, S2N_TLS12);

EXPECT_SUCCESS(s2n_connection_free(conn));
}
Expand All @@ -128,7 +133,8 @@ int main(int argc, char **argv)
EXPECT_EQUAL(conn->config, s2n_fetch_default_config());

EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
EXPECT_EQUAL(security_policy, tls13_security_policy);
EXPECT_EQUAL(security_policy, default_security_policy);
EXPECT_EQUAL(s2n_highest_protocol_version, S2N_TLS13);

EXPECT_SUCCESS(s2n_connection_free(conn));
EXPECT_SUCCESS(s2n_disable_tls13_in_test());
Expand Down Expand Up @@ -160,7 +166,7 @@ int main(int argc, char **argv)

EXPECT_SUCCESS(s2n_enable_tls13_in_test());
EXPECT_NOT_NULL(config = s2n_config_new());
EXPECT_EQUAL(config->security_policy, tls13_security_policy);
EXPECT_EQUAL(config->security_policy, default_security_policy);
EXPECT_SUCCESS(s2n_config_free(config));
EXPECT_SUCCESS(s2n_disable_tls13_in_test());
}
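Review bot: The `EXPECT_EQUAL(security_policy, default_security_policy)` and `EXPECT_EQUAL(config->security_policy, default_security_policy)` assertions in the last two hunks run after `s2n_enable_tls13_in_test()`, but with this PR `s2n_config_init` and `s2n_fetch_default_config` pick the FIPS config whenever `s2n_is_in_fips_mode()` is true, so in a FIPS build the policy would be `fips_security_policy` rather than `default_security_policy`. Before the change the TLS1.3 default config took precedence over FIPS, so these blocks may never have needed a mode guard; their enclosing blocks start outside the hunks, so I cannot see whether an `if (!s2n_is_in_fips_mode())` already wraps them. If not, select the expectation by mode, e.g. `EXPECT_EQUAL(config->security_policy, s2n_is_in_fips_mode() ? fips_security_policy : default_security_policy);` — `fips_security_policy` is already looked up at the top of `main`.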
17 changes: 8 additions & 9 deletions tests/unit/s2n_connection_preferences_test.c
Expand Up @@ -28,12 +28,11 @@ int main(int argc, char **argv)
BEGIN_TEST();
EXPECT_SUCCESS(s2n_disable_tls13_in_test());

const struct s2n_security_policy *default_security_policy = NULL, *tls13_security_policy = NULL, *fips_security_policy = NULL;
EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_tls13", &tls13_security_policy));
const struct s2n_security_policy *default_security_policy = NULL, *fips_security_policy = NULL;
EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_fips", &fips_security_policy));
EXPECT_SUCCESS(s2n_find_security_policy_from_version("default", &default_security_policy));

/* Test default TLS1.2 */
/* Test default TLS 1.3 */
if (!s2n_is_in_fips_mode()) {
struct s2n_connection *conn = NULL;
const struct s2n_cipher_preferences *cipher_preferences = NULL;
Expand Down Expand Up @@ -86,7 +85,7 @@ int main(int argc, char **argv)
EXPECT_SUCCESS(s2n_connection_free(conn));
}

/* Test TLS1.3 */
/* Test TLS1.3 and s2n_enable_tls13_in_test behavior */
{
EXPECT_SUCCESS(s2n_enable_tls13_in_test());
struct s2n_connection *conn = NULL;
Expand All @@ -100,19 +99,19 @@ int main(int argc, char **argv)
EXPECT_NULL(conn->security_policy_override);

EXPECT_SUCCESS(s2n_connection_get_cipher_preferences(conn, &cipher_preferences));
EXPECT_EQUAL(cipher_preferences, tls13_security_policy->cipher_preferences);
EXPECT_EQUAL(cipher_preferences, default_security_policy->cipher_preferences);

EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
EXPECT_EQUAL(security_policy, tls13_security_policy);
EXPECT_EQUAL(security_policy, default_security_policy);

EXPECT_SUCCESS(s2n_connection_get_kem_preferences(conn, &kem_preferences));
EXPECT_EQUAL(kem_preferences, tls13_security_policy->kem_preferences);
EXPECT_EQUAL(kem_preferences, default_security_policy->kem_preferences);

EXPECT_SUCCESS(s2n_connection_get_signature_preferences(conn, &signature_preferences));
EXPECT_EQUAL(signature_preferences, tls13_security_policy->signature_preferences);
EXPECT_EQUAL(signature_preferences, default_security_policy->signature_preferences);

EXPECT_SUCCESS(s2n_connection_get_ecc_preferences(conn, &ecc_preferences));
EXPECT_EQUAL(ecc_preferences, tls13_security_policy->ecc_preferences);
EXPECT_EQUAL(ecc_preferences, default_security_policy->ecc_preferences);

EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(conn, "test_all_tls13"));
EXPECT_NOT_NULL(conn->security_policy_override);
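Review bot: After this change the block headed `/* Test TLS1.3 and s2n_enable_tls13_in_test behavior */` asserts exactly the same `default_security_policy` preferences as the TLS1.2 block before it, so none of its assertions would fail if `s2n_enable_tls13_in_test()` had no effect. Adding `EXPECT_EQUAL(s2n_highest_protocol_version, S2N_TLS13);` right after the enable call, as s2n_config_test.c does in this PR, would keep the block meaningful (it needs `tls/s2n_tls.h` in scope, which I cannot confirm from the visible includes). The renamed comment `/* Test default TLS 1.3 */` also directly follows `s2n_disable_tls13_in_test()`, so wording such as `/* Test the default policy with TLS1.3 disabled via s2n_disable_tls13_in_test */` describes what is actually exercised.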
8 changes: 5 additions & 3 deletions tests/unit/s2n_security_policies_test.c
Expand Up @@ -178,7 +178,7 @@ int main(int argc, char **argv)
EXPECT_EQUAL(0, security_policy->kem_preferences->kem_count);
EXPECT_NULL(security_policy->kem_preferences->tls13_kem_groups);
EXPECT_EQUAL(0, security_policy->kem_preferences->tls13_kem_group_count);
EXPECT_FALSE(s2n_security_policy_supports_tls13(security_policy));
EXPECT_TRUE(s2n_security_policy_supports_tls13(security_policy));

security_policy = NULL;
EXPECT_SUCCESS(s2n_find_security_policy_from_version("default_tls13", &security_policy));
Expand Down Expand Up @@ -452,8 +452,6 @@ int main(int argc, char **argv)

{
char tls12_only_security_policy_strings[][255] = {
"default",
"default_fips",
"ELBSecurityPolicy-TLS-1-0-2015-04",
"ELBSecurityPolicy-TLS-1-0-2015-05",
"ELBSecurityPolicy-2016-08",
Expand Down Expand Up @@ -512,6 +510,8 @@ int main(int argc, char **argv)
}

char tls13_security_policy_strings[][255] = {
"default",
"default_fips",
"default_tls13",
"test_all",
"test_all_tls13",
Expand Down Expand Up @@ -1042,6 +1042,7 @@ int main(int argc, char **argv)
const struct s2n_security_policy *versioned_policies[] = {
&security_policy_20170210,
&security_policy_20240501,
&security_policy_20240701,
};

const struct s2n_supported_cert supported_certs[] = {
Expand Down Expand Up @@ -1077,6 +1078,7 @@ int main(int argc, char **argv)
const struct s2n_security_policy *versioned_policies[] = {
&security_policy_20240416,
&security_policy_20240502,
&security_policy_20240702,
};

const struct s2n_supported_cert supported_certs[] = {
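Review bot: `security_policy_20240701` and `security_policy_20240702` are appended to the two `versioned_policies` arrays, but their definitions are not part of the visible diff, so which one backs "default" and which backs "default_fips" cannot be confirmed from this page. A short comment next to each entry, e.g. `&security_policy_20240701, /* default */`, would tie the certificate-support expectation to the policy it covers. The first hunk flips `EXPECT_FALSE` to `EXPECT_TRUE` for `s2n_security_policy_supports_tls13` on a policy whose lookup sits above the hunk; since the preceding lines also assert `tls13_kem_groups` is NULL and `tls13_kem_group_count` is 0, a comment stating that TLS1.3 support here comes without any TLS1.3 KEM groups would make that intent explicit.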
26 changes: 15 additions & 11 deletions tests/unit/s2n_tls13_support_test.c
Expand Up @@ -28,14 +28,18 @@
int main(int argc, char **argv)
{
BEGIN_TEST();

/* TLS 1.3 is used by default */
EXPECT_EQUAL(s2n_highest_protocol_version, S2N_TLS13);

EXPECT_SUCCESS(s2n_disable_tls13_in_test());

/* TLS 1.3 is not used by default */
EXPECT_FALSE(s2n_use_default_tls13_config());
/* `s2n_disable_tls13_in_test` disables TLS 1.3 */
EXPECT_EQUAL(s2n_highest_protocol_version, S2N_TLS12);

/* TLS1.3 is not supported or configured by default */
/* TLS1.3 is supported and configured by default */
{
/* Client does not support or configure TLS 1.3 */
/* Client does support and configure TLS 1.3 */
{
struct s2n_connection *conn = NULL;
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
Expand All @@ -44,12 +48,12 @@ int main(int argc, char **argv)

const struct s2n_security_policy *security_policy = NULL;
EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
EXPECT_FALSE(s2n_security_policy_supports_tls13(security_policy));
EXPECT_TRUE(s2n_security_policy_supports_tls13(security_policy));

EXPECT_SUCCESS(s2n_connection_free(conn));
};

/* Server does not support or configure TLS 1.3 */
/* Server does support and configure TLS 1.3 */
{
struct s2n_connection *conn = NULL;
EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
Expand All @@ -58,18 +62,18 @@ int main(int argc, char **argv)

const struct s2n_security_policy *security_policy = NULL;
EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
EXPECT_FALSE(s2n_security_policy_supports_tls13(security_policy));
EXPECT_TRUE(s2n_security_policy_supports_tls13(security_policy));

EXPECT_SUCCESS(s2n_connection_free(conn));
};
};

EXPECT_SUCCESS(s2n_enable_tls13_in_test());
EXPECT_TRUE(s2n_use_default_tls13_config());
EXPECT_EQUAL(s2n_highest_protocol_version, S2N_TLS13);

/* Re-enabling has no effect */
EXPECT_SUCCESS(s2n_enable_tls13_in_test());
EXPECT_TRUE(s2n_use_default_tls13_config());
EXPECT_EQUAL(s2n_highest_protocol_version, S2N_TLS13);

/* If "enabled", TLS1.3 is supported and configured */
{
Expand Down Expand Up @@ -103,11 +107,11 @@ int main(int argc, char **argv)
};

EXPECT_SUCCESS(s2n_disable_tls13_in_test());
EXPECT_FALSE(s2n_use_default_tls13_config());
EXPECT_EQUAL(s2n_highest_protocol_version, S2N_TLS12);

/* Re-disabling has no effect */
EXPECT_SUCCESS(s2n_disable_tls13_in_test());
EXPECT_FALSE(s2n_use_default_tls13_config());
EXPECT_EQUAL(s2n_highest_protocol_version, S2N_TLS12);

/* Test s2n_is_valid_tls13_cipher() */
{
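Review bot: The comment `/* TLS1.3 is supported and configured by default */` and the two `/* Client|Server does support and configure TLS 1.3 */` comments head a block that runs immediately after `s2n_disable_tls13_in_test()`, so what the block actually verifies is that the security policy still reports TLS1.3 support while `s2n_highest_protocol_version` is capped at `S2N_TLS12`. Suggest `/* The default policy supports TLS1.3 even while s2n_disable_tls13_in_test caps the protocol version at TLS1.2 */`. The later `/* If "enabled", TLS1.3 is supported and configured */` block (its body lies outside this hunk) presumably asserts the same policy property after enabling; if so, the only thing distinguishing the two blocks is the `s2n_highest_protocol_version` check, which is worth saying in each comment.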
26 changes: 26 additions & 0 deletions tls/s2n_cipher_preferences.c
Expand Up @@ -327,6 +327,32 @@ const struct s2n_cipher_preferences cipher_preferences_20240331 = {
.allow_chacha20_boosting = false,
};

/*
* TLS1.3 support.
* FIPS compliant.
* No DHE (would require extra setup with s2n_config_add_dhparams)
*/
struct s2n_cipher_suite *cipher_suites_20240701[] = {
&s2n_tls13_aes_256_gcm_sha384,
&s2n_tls13_aes_128_gcm_sha256,
/* TLS1.2 with ECDSA */
&s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256,
&s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384,
&s2n_ecdhe_ecdsa_with_aes_128_cbc_sha256,
&s2n_ecdhe_ecdsa_with_aes_256_cbc_sha384,
/* TLS1.2 with RSA */
&s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
&s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
&s2n_ecdhe_rsa_with_aes_128_cbc_sha256,
&s2n_ecdhe_rsa_with_aes_256_cbc_sha384,
};

const struct s2n_cipher_preferences cipher_preferences_20240701 = {
.count = s2n_array_len(cipher_suites_20240701),
.suites = cipher_suites_20240701,
.allow_chacha20_boosting = false,
};

/* Same as 20160411, but with ChaCha20 added as 1st in Preference List */
struct s2n_cipher_suite *cipher_suites_20190122[] = {
&s2n_ecdhe_rsa_with_chacha20_poly1305_sha256,
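Review bot: `cipher_suites_20240701` orders the TLS1.3 suites AES-256 before AES-128 but the TLS1.2 suites AES-128 before AES-256, and the header comment does not say whether that asymmetry is intentional; a line such as `/* TLS1.3: prefer AES-256; TLS1.2: prefer AES-128 to match the existing default ordering */` (or a reorder, if it is not) would stop it being "fixed" later. The list also keeps four CBC-mode TLS1.2 suites; since this preference set becomes the library default, a comment confirming that CBC suites are retained deliberately (e.g. for peers without GCM support) is preferable to leaving the reader to assume an oversight. The "FIPS compliant" line is consistent with the absence of ChaCha20 suites and `.allow_chacha20_boosting = false`.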
1 change: 1 addition & 0 deletions tls/s2n_cipher_preferences.h
Expand Up @@ -27,6 +27,7 @@ struct s2n_cipher_preferences {
bool allow_chacha20_boosting;
};

extern const struct s2n_cipher_preferences cipher_preferences_20240701;
extern const struct s2n_cipher_preferences cipher_preferences_20230317;
extern const struct s2n_cipher_preferences cipher_preferences_20240331;
extern const struct s2n_cipher_preferences cipher_preferences_20140601;
22 changes: 3 additions & 19 deletions tls/s2n_config.c
Expand Up @@ -70,20 +70,13 @@ static int wall_clock(void *data, uint64_t *nanoseconds)

static struct s2n_config s2n_default_config = { 0 };
static struct s2n_config s2n_default_fips_config = { 0 };
static struct s2n_config s2n_default_tls13_config = { 0 };

static int s2n_config_setup_default(struct s2n_config *config)
{
POSIX_GUARD(s2n_config_set_cipher_preferences(config, "default"));
return S2N_SUCCESS;
}

static int s2n_config_setup_tls13(struct s2n_config *config)
{
POSIX_GUARD(s2n_config_set_cipher_preferences(config, "default_tls13"));
return S2N_SUCCESS;
}

static int s2n_config_setup_fips(struct s2n_config *config)
{
POSIX_GUARD(s2n_config_set_cipher_preferences(config, "default_fips"));
Expand All @@ -105,11 +98,10 @@ static int s2n_config_init(struct s2n_config *config)

config->client_hello_cb_mode = S2N_CLIENT_HELLO_CB_BLOCKING;

POSIX_GUARD(s2n_config_setup_default(config));
if (s2n_use_default_tls13_config()) {
POSIX_GUARD(s2n_config_setup_tls13(config));
} else if (s2n_is_in_fips_mode()) {
if (s2n_is_in_fips_mode()) {
POSIX_GUARD(s2n_config_setup_fips(config));
} else {
POSIX_GUARD(s2n_config_setup_default(config));
}

POSIX_GUARD_PTR(config->domain_name_to_cert_map = s2n_map_new_with_initial_capacity(1));
Expand Down Expand Up @@ -212,9 +204,6 @@ int s2n_config_build_domain_name_to_cert_map(struct s2n_config *config, struct s

struct s2n_config *s2n_fetch_default_config(void)
{
if (s2n_use_default_tls13_config()) {
return &s2n_default_tls13_config;
}
if (s2n_is_in_fips_mode()) {
return &s2n_default_fips_config;
}
Expand Down Expand Up @@ -244,18 +233,13 @@ int s2n_config_defaults_init(void)
POSIX_GUARD(s2n_config_load_system_certs(&s2n_default_config));
}

/* TLS 1.3 default config is only used in tests so avoid initialization costs in applications */
POSIX_GUARD(s2n_config_init(&s2n_default_tls13_config));
POSIX_GUARD(s2n_config_setup_tls13(&s2n_default_tls13_config));

return S2N_SUCCESS;
}

void s2n_wipe_static_configs(void)
{
s2n_config_cleanup(&s2n_default_fips_config);
s2n_config_cleanup(&s2n_default_config);
s2n_config_cleanup(&s2n_default_tls13_config);
}

int s2n_config_load_system_certs(struct s2n_config *config)
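Review bot: `s2n_fetch_default_config` and `s2n_config_init` now choose between the default and FIPS configs solely on `s2n_is_in_fips_mode()`, and nothing left in this file consults `s2n_use_default_tls13_config()`; if that helper (and the `tls/s2n_tls13.h` include this file carries) has no remaining callers elsewhere in the PR, it should be removed or its documentation updated, because its old meaning of "swap in the TLS1.3 default config" no longer holds. A doc comment on `s2n_fetch_default_config` would help readers who relied on the previous behaviour: `/* Returns the process-wide default config; FIPS mode selects the FIPS variant. s2n_enable_tls13_in_test no longer changes which config is returned. */`. The body of `s2n_fetch_default_config` and of `s2n_config_defaults_init` both extend beyond these hunks.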