fix: remove unnecessary RC4 restriction

crypto/s2n_stream_cipher_rc4.c

@@ -32,9 +32,6 @@ static const EVP_CIPHER *s2n_evp_rc4()
 
 static bool s2n_stream_cipher_rc4_available(void)
 {
-    if (s2n_is_in_fips_mode()) {
-        return false;
-    }
     /* RC4 MIGHT be available in Openssl-3.0, depending on whether or not the
      * "legacy" provider is loaded. However, for simplicity, assume that RC4
      * is unavailable.

tests/integrationv2/common.py

@@ -203,7 +203,7 @@ def __le__(self, other):
         return self.value <= other.value
 
     def __eq__(self, other):
-        return self.value == other.value
+        return other and self.value == other.value
 
     def __str__(self):
         return self.name
@@ -511,6 +511,13 @@ class Ciphers(object):
         "PQ-TLS-1-3-2023-06-01", Protocols.TLS12, False, False, s2n=True, pq=True
     )
 
+    SECURITY_POLICY_DEFAULT = Cipher(
+        "default", Protocols.TLS12, False, False, s2n=True, pq=False
+    )
+    SECURITY_POLICY_DEFAULT_TLS13 = Cipher(
+        "default_tls13", Protocols.TLS12, False, False, s2n=True, pq=False
+    )
+
     SECURITY_POLICY_20210816 = Cipher(
         "20210816", Protocols.TLS12, False, False, s2n=True, pq=False
     )

tests/integrationv2/test_cross_compatibility.py

@@ -10,11 +10,16 @@
     ALL_TEST_CURVES,
     ALL_TEST_CERTS,
 )
-from common import ProviderOptions, Protocols, data_bytes
+from common import Ciphers, ProviderOptions, Protocols, data_bytes
 from fixtures import managed_process  # lgtm [py/unused-import]
 from providers import Provider, S2N, OpenSSL
 from utils import invalid_test_parameters, get_parameter_name, to_bytes
 
+S2N_TEST_POLICIES = [
+    Ciphers.SECURITY_POLICY_DEFAULT,
+    Ciphers.SECURITY_POLICY_DEFAULT_TLS13,
+]
+
 S2N_RESUMPTION_MARKER = to_bytes("Resumed session")
 CLOSE_MARKER_BYTES = data_bytes(10)
 
@@ -177,19 +182,15 @@ def test_s2n_new_server_old_ticket(
 
 
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
-@pytest.mark.parametrize("cipher", ALL_TEST_CIPHERS, ids=get_parameter_name)
-@pytest.mark.parametrize("curve", ALL_TEST_CURVES, ids=get_parameter_name)
+@pytest.mark.parametrize("cipher", S2N_TEST_POLICIES, ids=get_parameter_name)
 @pytest.mark.parametrize("certificate", ALL_TEST_CERTS, ids=get_parameter_name)
-@pytest.mark.parametrize("protocol", RESUMPTION_PROTOCOLS, ids=get_parameter_name)
 @pytest.mark.parametrize("provider", [S2N], ids=get_parameter_name)
 @pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
 def test_s2n_old_client_new_ticket(
     managed_process,
     tmp_path,
     cipher,
-    curve,
     certificate,
-    protocol,
     provider,
     other_provider,
 ):
@@ -199,8 +200,6 @@ def test_s2n_old_client_new_ticket(
     options = ProviderOptions(
         port=next(available_ports),
         cipher=cipher,
-        curve=curve,
-        protocol=protocol,
         insecure=True,
         use_session_ticket=True,
     )
@@ -246,19 +245,15 @@ def test_s2n_old_client_new_ticket(
 
 
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
-@pytest.mark.parametrize("cipher", ALL_TEST_CIPHERS, ids=get_parameter_name)
-@pytest.mark.parametrize("curve", ALL_TEST_CURVES, ids=get_parameter_name)
+@pytest.mark.parametrize("cipher", S2N_TEST_POLICIES, ids=get_parameter_name)
 @pytest.mark.parametrize("certificate", ALL_TEST_CERTS, ids=get_parameter_name)
-@pytest.mark.parametrize("protocol", RESUMPTION_PROTOCOLS, ids=get_parameter_name)
 @pytest.mark.parametrize("provider", [S2N], ids=get_parameter_name)
 @pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
 def test_s2n_new_client_old_ticket(
     managed_process,
     tmp_path,
     cipher,
-    curve,
     certificate,
-    protocol,
     provider,
     other_provider,
 ):
@@ -268,8 +263,6 @@ def test_s2n_new_client_old_ticket(
     options = ProviderOptions(
         port=next(available_ports),
         cipher=cipher,
-        curve=curve,
-        protocol=protocol,
         insecure=True,
         use_session_ticket=True,
     )

tests/integrationv2/test_serialization.py

@@ -6,7 +6,7 @@
 from enum import Enum, auto
 
 from configuration import available_ports
-from common import ProviderOptions, Protocols, random_str
+from common import Ciphers, ProviderOptions, Protocols, random_str
 from fixtures import managed_process  # lgtm [py/unused-import]
 from providers import Provider, S2N
 from utils import invalid_test_parameters, get_parameter_name, to_bytes
@@ -17,6 +17,11 @@
 SERVER_DATA = f"Some random data from the server:" + random_str(10)
 CLIENT_DATA = f"Some random data from the client:" + random_str(10)
 
+S2N_TEST_POLICIES = {
+    Protocols.TLS12.value: Ciphers.SECURITY_POLICY_DEFAULT,
+    Protocols.TLS13.value: Ciphers.SECURITY_POLICY_DEFAULT_TLS13,
+}
+
 
 class MainlineRole(Enum):
     Serialize = auto()
@@ -62,7 +67,7 @@ def test_server_serialization_backwards_compat(
 
     options = ProviderOptions(
         port=next(available_ports),
-        protocol=protocol,
+        cipher=S2N_TEST_POLICIES[protocol.value],
         insecure=True,
     )
 

tests/unit/s2n_rc4_test.c

@@ -20,6 +20,7 @@
 #include "crypto/s2n_cipher.h"
 #include "crypto/s2n_fips.h"
 #include "crypto/s2n_hmac.h"
+#include "crypto/s2n_libcrypto.h"
 #include "crypto/s2n_openssl.h"
 #include "s2n_test.h"
 #include "stuffer/s2n_stuffer.h"
@@ -38,9 +39,9 @@ int main(int argc, char **argv)
         EXPECT_FALSE(s2n_rc4.is_available());
     }
 
-    /* Test FIPS does not support RC4 */
-    if (s2n_is_in_fips_mode()) {
-        EXPECT_FALSE(s2n_rc4.is_available());
+    /* awslc does support RC4 */
+    if (s2n_libcrypto_is_awslc()) {
+        EXPECT_TRUE(s2n_rc4.is_available());
     }
 
     struct s2n_connection *conn = NULL;
@@ -54,11 +55,6 @@ int main(int argc, char **argv)
 
     EXPECT_SUCCESS(s2n_disable_tls13_in_test());
 
-    if (s2n_is_in_fips_mode()) {
-        /* Skip when FIPS mode is set as FIPS mode does not support RC4 */
-        END_TEST();
-    }
-
     EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
     EXPECT_OK(s2n_get_public_random_data(&r));