fix: remove unnecessary RC4 restriction

crypto/s2n_stream_cipher_rc4.c

@@ -32,9 +32,6 @@ static const EVP_CIPHER *s2n_evp_rc4()
 
 static bool s2n_stream_cipher_rc4_available(void)
 {
-    if (s2n_is_in_fips_mode()) {
-        return false;
-    }
     /* RC4 MIGHT be available in Openssl-3.0, depending on whether or not the
      * "legacy" provider is loaded. However, for simplicity, assume that RC4
      * is unavailable.

tests/integrationv2/common.py

@@ -511,6 +511,13 @@ class Ciphers(object):
         "PQ-TLS-1-3-2023-06-01", Protocols.TLS12, False, False, s2n=True, pq=True
     )
 
+    SECURITY_POLICY_DEFAULT = Cipher(
+        "default", Protocols.TLS12, False, False, s2n=True, pq=False
+    )
+    SECURITY_POLICY_DEFAULT_TLS13 = Cipher(
+        "default_tls13", Protocols.TLS12, False, False, s2n=True, pq=False
+    )
+
     SECURITY_POLICY_20210816 = Cipher(
         "20210816", Protocols.TLS12, False, False, s2n=True, pq=False
     )

tests/integrationv2/providers.py

@@ -171,13 +171,13 @@ def supports_certificate(cls, cert: Cert):
 
     @classmethod
     def supports_protocol(cls, protocol):
-        if not cls._pss_supported() and protocol == Protocols.TLS13:
+        if not cls._pss_supported() and protocol and protocol == Protocols.TLS13:
             return False
 
         # SSLv3 cannot be negotiated in FIPS mode with libcryptos other than AWS-LC.
         if all(
             [
-                protocol == Protocols.SSLv3,
+                protocol and protocol == Protocols.SSLv3,
                 get_flag(S2N_FIPS_MODE),
                 "awslc" not in get_flag(S2N_PROVIDER_VERSION),
             ]

tests/integrationv2/test_cross_compatibility.py

@@ -10,11 +10,16 @@
     ALL_TEST_CURVES,
     ALL_TEST_CERTS,
 )
-from common import ProviderOptions, Protocols, data_bytes
+from common import Ciphers, ProviderOptions, Protocols, data_bytes
 from fixtures import managed_process  # lgtm [py/unused-import]
 from providers import Provider, S2N, OpenSSL
 from utils import invalid_test_parameters, get_parameter_name, to_bytes
 
+S2N_TEST_POLICIES = [
+    Ciphers.SECURITY_POLICY_DEFAULT,
+    Ciphers.SECURITY_POLICY_DEFAULT_TLS13,
+]
+
 S2N_RESUMPTION_MARKER = to_bytes("Resumed session")
 CLOSE_MARKER_BYTES = data_bytes(10)
 
@@ -177,19 +182,15 @@ def test_s2n_new_server_old_ticket(
 
 
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
-@pytest.mark.parametrize("cipher", ALL_TEST_CIPHERS, ids=get_parameter_name)
-@pytest.mark.parametrize("curve", ALL_TEST_CURVES, ids=get_parameter_name)
+@pytest.mark.parametrize("cipher", S2N_TEST_POLICIES, ids=get_parameter_name)
 @pytest.mark.parametrize("certificate", ALL_TEST_CERTS, ids=get_parameter_name)
-@pytest.mark.parametrize("protocol", RESUMPTION_PROTOCOLS, ids=get_parameter_name)
 @pytest.mark.parametrize("provider", [S2N], ids=get_parameter_name)
 @pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
 def test_s2n_old_client_new_ticket(
     managed_process,
     tmp_path,
     cipher,
-    curve,
     certificate,
-    protocol,
     provider,
     other_provider,
 ):
@@ -199,8 +200,6 @@ def test_s2n_old_client_new_ticket(
     options = ProviderOptions(
         port=next(available_ports),
         cipher=cipher,
-        curve=curve,
-        protocol=protocol,
         insecure=True,
         use_session_ticket=True,
     )
@@ -246,19 +245,15 @@ def test_s2n_old_client_new_ticket(
 
 
 @pytest.mark.uncollect_if(func=invalid_test_parameters)
-@pytest.mark.parametrize("cipher", ALL_TEST_CIPHERS, ids=get_parameter_name)
-@pytest.mark.parametrize("curve", ALL_TEST_CURVES, ids=get_parameter_name)
+@pytest.mark.parametrize("cipher", S2N_TEST_POLICIES, ids=get_parameter_name)
 @pytest.mark.parametrize("certificate", ALL_TEST_CERTS, ids=get_parameter_name)
-@pytest.mark.parametrize("protocol", RESUMPTION_PROTOCOLS, ids=get_parameter_name)
 @pytest.mark.parametrize("provider", [S2N], ids=get_parameter_name)
 @pytest.mark.parametrize("other_provider", [S2N], ids=get_parameter_name)
 def test_s2n_new_client_old_ticket(
     managed_process,
     tmp_path,
     cipher,
-    curve,
     certificate,
-    protocol,
     provider,
     other_provider,
 ):
@@ -268,8 +263,6 @@ def test_s2n_new_client_old_ticket(
     options = ProviderOptions(
         port=next(available_ports),
         cipher=cipher,
-        curve=curve,
-        protocol=protocol,
         insecure=True,
         use_session_ticket=True,
     )

tests/unit/s2n_rc4_test.c

@@ -38,11 +38,6 @@ int main(int argc, char **argv)
         EXPECT_FALSE(s2n_rc4.is_available());
     }
 
-    /* Test FIPS does not support RC4 */
-    if (s2n_is_in_fips_mode()) {
-        EXPECT_FALSE(s2n_rc4.is_available());
-    }
-
     struct s2n_connection *conn = NULL;
     uint8_t mac_key[] = "sample mac key";
     uint8_t rc4_key[] = "123456789012345";
@@ -54,11 +49,6 @@ int main(int argc, char **argv)
 
     EXPECT_SUCCESS(s2n_disable_tls13_in_test());
 
-    if (s2n_is_in_fips_mode()) {
-        /* Skip when FIPS mode is set as FIPS mode does not support RC4 */
-        END_TEST();
-    }
-
     EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
     EXPECT_OK(s2n_get_public_random_data(&r));